diff --git a/.backportrc.json b/.backportrc.json index 05c3a60e3625a..89eefb2e3c442 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -2,7 +2,7 @@ "upstream": "elastic/kibana", "targetBranchChoices": [ { "name": "master", "checked": true }, - { "name": "7.x", "checked": true }, + "7.16", "7.15", "7.14", "7.13", @@ -33,7 +33,6 @@ "targetPRLabels": ["backport"], "branchLabelMapping": { "^v8.0.0$": "master", - "^v7.16.0$": "7.x", "^v(\\d+).(\\d+).\\d+$": "$1.$2" }, "autoMerge": true, diff --git a/.buildkite/pull_requests.json b/.buildkite/pull_requests.json index 7f29f0aa11dc6..94c9ce2a0e272 100644 --- a/.buildkite/pull_requests.json +++ b/.buildkite/pull_requests.json @@ -15,7 +15,8 @@ "build_on_comment": true, "trigger_comment_regex": "^(?:(?:buildkite\\W+)?(?:build|test)\\W+(?:this|it))", "always_trigger_comment_regex": "^(?:(?:buildkite\\W+)?(?:build|test)\\W+(?:this|it))", - "labels": ["buildkite-ci"] + "skip_ci_labels": ["skip-ci", "jenkins-ci"], + "skip_target_branches": ["6.8"] } ] } diff --git a/.ci/packer_cache.sh b/.ci/packer_cache.sh index a63c2825816bd..723008d8618d7 100755 --- a/.ci/packer_cache.sh +++ b/.ci/packer_cache.sh @@ -8,4 +8,4 @@ if [[ "$(which docker)" != "" && "$(command uname -m)" != "aarch64" ]]; then fi ./.ci/packer_cache_for_branch.sh master -./.ci/packer_cache_for_branch.sh 7.x +./.ci/packer_cache_for_branch.sh 7.16 diff --git a/docs/apm/agent-configuration.asciidoc b/docs/apm/agent-configuration.asciidoc index 4e4a37067ea10..ac9ce84e78c3e 100644 --- a/docs/apm/agent-configuration.asciidoc +++ b/docs/apm/agent-configuration.asciidoc 
@@ -23,16 +23,6 @@ However, if APM Server is slow to respond, is offline, reports an error, etc., APM agents will use local defaults until they're able to update the configuration. For this reason, it is still essential to set custom default configurations locally in each of your agents. -[float] -==== APM Server setup - -This feature requires {apm-server-ref}/setup-kibana-endpoint.html[Kibana endpoint configuration] in APM Server. -In addition, if an APM agent is using {apm-server-ref}/configuration-anonymous.html[anonymous authentication] to communicate with the APM Server, -the agent's service name must be included in the `apm-server.auth.anonymous.allow_service` list. - -APM Server acts as a proxy between the agents and Kibana. -Kibana communicates any changed settings to APM Server so that your agents only need to poll APM Server to determine which settings have changed. - [float] ==== Supported configurations diff --git a/docs/apm/api.asciidoc b/docs/apm/api.asciidoc index 5f81a41e93df8..8bf1b38920141 100644 --- a/docs/apm/api.asciidoc +++ b/docs/apm/api.asciidoc @@ -563,9 +563,7 @@ More information on Kibana's API is available in <>. === RUM source map API IMPORTANT: This endpoint is only compatible with the -{apm-server-ref}/apm-integration.html[APM integration for Elastic Agent]. -Users with a standalone APM Server should instead use the APM Server -{apm-server-ref}/sourcemap-api.html[source map upload API]. +{apm-guide-ref}/index.html[APM integration for Elastic Agent]. A source map allows minified files to be mapped back to original source code -- allowing you to maintain the speed advantage of minified code, diff --git a/docs/apm/apm-app-users.asciidoc b/docs/apm/apm-app-users.asciidoc index 7c2cef5b6b39a..41ad67b1696e6 100644 --- a/docs/apm/apm-app-users.asciidoc +++ b/docs/apm/apm-app-users.asciidoc 
@@ -56,8 +56,8 @@ To create an APM reader user: include::./tab-widgets/apm-app-reader/widget.asciidoc[] -- + -TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? -Add the privileges under the **Data streams** tab. +TIP: Using the deprecated APM Server binaries? +Add the privileges under the **Classic APM indices** tab above. . Assign the `read-apm` role created in the previous step, and the following built-in roles to any APM reader users: @@ -84,8 +84,8 @@ In some instances, you may wish to restrict certain Kibana apps that a user has include::./tab-widgets/apm-app-reader/widget.asciidoc[] -- + -TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? -Add the privileges under the **Data streams** tab. +TIP: Using the deprecated APM Server binaries? +Add the privileges under the **Classic APM indices** tab above. . Assign feature privileges to any Kibana feature that the user needs access to. Here are two examples: @@ -184,8 +184,8 @@ Central configuration users need to be able to view, create, update, and delete include::./tab-widgets/central-config-users/widget.asciidoc[] -- + -TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? -Add the privileges under the **Data streams** tab. +TIP: Using the deprecated APM Server binaries? +Add the privileges under the **Classic APM indices** tab above. . Assign the `central-config-manager` role created in the previous step, and the following Kibana feature privileges to anyone who needs to manage central configurations: 
@@ -211,8 +211,8 @@ but not create, update, or delete them. include::./tab-widgets/central-config-users/widget.asciidoc[] -- + -TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? -Add the privileges under the **Data streams** tab. +TIP: Using the deprecated APM Server binaries? +Add the privileges under the **Classic APM indices** tab above. . Assign the `central-config-reader` role created in the previous step, and the following Kibana feature privileges to anyone who needs to read central configurations: diff --git a/docs/apm/errors.asciidoc b/docs/apm/errors.asciidoc index d8fc75bf50340..c47604df03c99 100644 --- a/docs/apm/errors.asciidoc +++ b/docs/apm/errors.asciidoc @@ -2,7 +2,7 @@ [[errors]] === Errors -TIP: {apm-overview-ref-v}/errors.html[Errors] are groups of exceptions with a similar exception or log message. +TIP: {apm-guide-ref}/data-model-errors.html[Errors] are groups of exceptions with a similar exception or log message. The *Errors* overview provides a high-level view of the exceptions that APM agents catch, or that users manually report with APM agent APIs. diff --git a/docs/apm/getting-started.asciidoc b/docs/apm/getting-started.asciidoc index 6b205d0274262..2b4651a9fce97 100644 --- a/docs/apm/getting-started.asciidoc +++ b/docs/apm/getting-started.asciidoc @@ -41,7 +41,7 @@ Notice something awry? Select a service or trace and dive deeper with: * <> TIP: Want to learn more about the Elastic APM ecosystem? -See the {apm-get-started-ref}/overview.html[APM Overview]. +See the {apm-guide-ref}/apm-overview.html[APM Overview]. include::services.asciidoc[] diff --git a/docs/apm/service-maps.asciidoc b/docs/apm/service-maps.asciidoc index f43253d819429..f76b9976dd1d2 100644 --- a/docs/apm/service-maps.asciidoc +++ b/docs/apm/service-maps.asciidoc 
@@ -41,7 +41,7 @@ We currently surface two types of service maps: === How do service maps work? Service maps rely on distributed traces to draw connections between services. -As {apm-overview-ref-v}/distributed-tracing.html[distributed tracing] is enabled out-of-the-box for supported technologies, so are service maps. +As {apm-guide-ref}/apm-distributed-tracing.html[distributed tracing] is enabled out-of-the-box for supported technologies, so are service maps. However, if a service isn't instrumented, or a `traceparent` header isn't being propagated to it, distributed tracing will not work, and the connection will not be drawn on the map. diff --git a/docs/apm/spans.asciidoc b/docs/apm/spans.asciidoc index 7f29b1f003f1c..afe87efc0df1e 100644 --- a/docs/apm/spans.asciidoc +++ b/docs/apm/spans.asciidoc @@ -16,7 +16,7 @@ You also get a stack trace, which shows the SQL query in your code. Finally, APM knows which files are your code and which are just modules or libraries that you've installed. These library frames will be minimized by default in order to show you the most relevant stack trace. -TIP: A {apm-overview-ref-v}/transaction-spans.html[span] is the duration of a single event. +TIP: A {apm-guide-ref}/data-model-spans.html[span] is the duration of a single event. Spans are automatically captured by APM agents, and you can also define custom spans. Each span has a type and is defined by a different color in the timeline/waterfall visualization. diff --git a/docs/apm/tab-widgets/apm-app-reader/widget.asciidoc b/docs/apm/tab-widgets/apm-app-reader/widget.asciidoc index 51c01367786b6..090cb002bcf27 100644 --- a/docs/apm/tab-widgets/apm-app-reader/widget.asciidoc +++ b/docs/apm/tab-widgets/apm-app-reader/widget.asciidoc @@ -2,37 +2,37 @@
+ id="data-streams-tab" + aria-labelledby="data-streams" + hidden=""> ++++ -include::content.asciidoc[tag=classic-indices] +include::content.asciidoc[tag=data-streams] ++++
diff --git a/docs/apm/tab-widgets/central-config-users/widget.asciidoc b/docs/apm/tab-widgets/central-config-users/widget.asciidoc index 68bef4e50c549..4a36e91e031ef 100644 --- a/docs/apm/tab-widgets/central-config-users/widget.asciidoc +++ b/docs/apm/tab-widgets/central-config-users/widget.asciidoc @@ -2,37 +2,37 @@
+ id="data-streams-tab" + aria-labelledby="data-streams" + hidden=""> ++++ -include::content.asciidoc[tag=classic-indices] +include::content.asciidoc[tag=data-streams] ++++
diff --git a/docs/apm/transactions.asciidoc b/docs/apm/transactions.asciidoc index c0850e4e9d507..e7555a6c3e3d6 100644 --- a/docs/apm/transactions.asciidoc +++ b/docs/apm/transactions.asciidoc @@ -2,7 +2,7 @@ [[transactions]] === Transactions -TIP: A {apm-overview-ref-v}/transactions.html[transaction] describes an event captured by an Elastic APM agent instrumenting a service. +TIP: A {apm-guide-ref}/data-model-transactions.html[transaction] describes an event captured by an Elastic APM agent instrumenting a service. APM agents automatically collect performance metrics on HTTP requests, database queries, and much more. [role="screenshot"] diff --git a/docs/apm/troubleshooting.asciidoc b/docs/apm/troubleshooting.asciidoc index 84cdb9876dc63..d44de3c2efe2f 100644 --- a/docs/apm/troubleshooting.asciidoc +++ b/docs/apm/troubleshooting.asciidoc @@ -12,7 +12,7 @@ https://github.com/elastic/kibana/pulls[pull request] with your proposed changes If your issue is potentially related to other components of the APM ecosystem, don't forget to check our other troubleshooting guides or discussion forum: -* {apm-server-ref}/troubleshooting.html[APM Server troubleshooting] +* {apm-guide-ref}/troubleshoot-apm.html[APM Server troubleshooting] * {apm-dotnet-ref}/troubleshooting.html[.NET agent troubleshooting] * {apm-go-ref}/troubleshooting.html[Go agent troubleshooting] * {apm-ios-ref}/troubleshooting.html[iOS agent troubleshooting] 
@@ -53,7 +53,7 @@ By default, this index template is created by APM Server on startup. However, this only happens if `setup.template.enabled` is `true` in `apm-server.yml`. You can create the index template manually by running `apm-server setup`. Take note that index templates *cannot* be applied retroactively -- they are only applied at index creation time. -More information is available in {apm-server-ref}/apm-server-configuration.html[Set up and configure]. +More information is available in {apm-guide-ref}/apm-server-configuration.html[Set up and configure]. You can check for the existence of an APM index template using the {ref}/indices-get-template.html[Get index template API]. @@ -68,12 +68,12 @@ GET /_template/apm-{version} *Using Logstash, Kafka, etc.* If you're not outputting data directly from APM Server to Elasticsearch (perhaps you're using Logstash or Kafka), then the index template will not be set up automatically. Instead, you'll need to -{apm-server-ref}/apm-server-template.html[load the template manually]. +{apm-guide-ref}/apm-server-template.html[load the template manually]. *Using a custom index names* This problem can also occur if you've customized the index name that you write APM data to. If you change the default, you must also configure the `setup.template.name` and `setup.template.pattern` options. -See {apm-server-ref}/configuration-template.html[Load the Elasticsearch index template]. +See {apm-guide-ref}/configuration-template.html[Load the Elasticsearch index template]. If the Elasticsearch index template has already been successfully loaded to the index, you can customize the indices that the APM app uses to display data. Navigate to *APM* > *Settings* > *Indices*, and change all `xpack.apm.indices.*` values to 
@@ -118,8 +118,8 @@ Instead, we should strip away the unique information and group our transactions In this case, that means naming all blog transactions, `/blog`, and all documentation transactions, `/guide`. If you feel like you'd be losing valuable information by following this naming convention, don't fret! -You can always add additional metadata to your transactions using {apm-overview-ref-v}/metadata.html#labels-fields[labels] (indexed) or -{apm-overview-ref-v}/metadata.html#custom-fields[custom context] (non-indexed). +You can always add additional metadata to your transactions using {apm-guide-ref-v}/metadata.html#labels-fields[labels] (indexed) or +{apm-guide-ref-v}/metadata.html#custom-fields[custom context] (non-indexed). After ensuring you've correctly named your transactions, you might still see an error in the APM app related to too many transaction names. @@ -182,10 +182,10 @@ Selecting the `apm-*` index pattern shows a listing of every field defined in th *Ensure a field is searchable* There are two things you can do to if you'd like to ensure a field is searchable: -1. Index your additional data as {apm-overview-ref-v}/metadata.html[labels] instead. +1. Index your additional data as {apm-guide-ref}/metadata.html[labels] instead. These are dynamic by default, which means they will be indexed and become searchable and aggregatable. -2. Use the {apm-server-ref}/configuration-template.html[`append_fields`] feature. As an example, +2. Use the {apm-guide-ref}/configuration-template.html[`append_fields`] feature. As an example, adding the following to `apm-server.yml` will enable dynamic indexing for `http.request.cookies`: [source,yml] diff --git a/docs/settings/apm-settings.asciidoc b/docs/settings/apm-settings.asciidoc index ac6f813ba3a86..d343aa12ec806 100644 --- a/docs/settings/apm-settings.asciidoc +++ b/docs/settings/apm-settings.asciidoc 
@@ -75,7 +75,7 @@ Changing these settings may disable features of the APM App. | `xpack.apm.searchAggregatedTransactions` {ess-icon} | experimental[] Enables Transaction histogram metrics. Defaults to `never` and aggregated transactions are not used. When set to `auto`, the UI will use metric indices over transaction indices for transactions if aggregated transactions are found. When set to `always`, additional configuration in APM Server is required. - See {apm-server-ref-v}/transaction-metrics.html[Configure transaction metrics] for more information. + See {apm-guide-ref}/transaction-metrics.html[Configure transaction metrics] for more information. | `xpack.apm.metricsInterval` {ess-icon} | Sets a `fixed_interval` for date histograms in metrics aggregations. Defaults to `30`. 
@@ -84,22 +84,22 @@ Changing these settings may disable features of the APM App. | Set to `false` to disable cloud APM migrations. Defaults to `true`. | `xpack.apm.indices.error` {ess-icon} - | Matcher for all {apm-server-ref}/error-indices.html[error indices]. Defaults to `logs-apm*,apm-*`. + | Matcher for all error indices. Defaults to `logs-apm*,apm-*`. | `xpack.apm.indices.onboarding` {ess-icon} | Matcher for all onboarding indices. Defaults to `apm-*`. | `xpack.apm.indices.span` {ess-icon} - | Matcher for all {apm-server-ref}/span-indices.html[span indices]. Defaults to `traces-apm*,apm-*`. + | Matcher for all span indices. Defaults to `traces-apm*,apm-*`. | `xpack.apm.indices.transaction` {ess-icon} - | Matcher for all {apm-server-ref}/transaction-indices.html[transaction indices]. Defaults to `traces-apm*,apm-*`. + | Matcher for all transaction indices. Defaults to `traces-apm*,apm-*`. | `xpack.apm.indices.metric` {ess-icon} - | Matcher for all {apm-server-ref}/metricset-indices.html[metrics indices]. Defaults to `metrics-apm*,apm-*`. + | Matcher for all metrics indices. Defaults to `metrics-apm*,apm-*`. | `xpack.apm.indices.sourcemap` {ess-icon} - | Matcher for all {apm-server-ref}/sourcemap-indices.html[source map indices]. Defaults to `apm-*`. + | Matcher for all source map indices. Defaults to `apm-*`. |=== diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc index af22ad4ad157f..7235c2a673376 100644 --- a/docs/setup/settings.asciidoc +++ b/docs/setup/settings.asciidoc 
@@ -395,9 +395,6 @@ override this parameter to use their own Tile Map Service. For example: | `migrations.maxBatchSizeBytes:` | Defines the maximum payload size for indexing batches of upgraded saved objects to avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch. This value should be lower than or equal to your Elasticsearch cluster's `http.max_content_length` configuration option. *Default: `100mb`* -| `migrations.enableV2:` - | experimental[]. Enables the new Saved Objects migration algorithm. For information about the migration algorithm, refer to <>. When `migrations v2` is stable, the setting will be removed in an upcoming release without any further notice. Setting the value to `false` causes {kib} to use the legacy migration algorithm, which shipped in 7.11 and earlier versions. *Default: `true`* - | `migrations.retryAttempts:` | The number of times migrations retry temporary failures, such as a network timeout, 503 status code, or `snapshot_in_progress_exception`. When upgrade migrations frequently fail after exhausting all retry attempts with a message such as `Unable to complete the [...] step after 15 attempts, terminating.`, increase the setting value. *Default: `15`* diff --git a/docs/user/security/tutorials/how-to-secure-access-to-kibana.asciidoc b/docs/user/security/tutorials/how-to-secure-access-to-kibana.asciidoc index f5b799d444102..afe76dcabb844 100644 --- a/docs/user/security/tutorials/how-to-secure-access-to-kibana.asciidoc +++ b/docs/user/security/tutorials/how-to-secure-access-to-kibana.asciidoc 
@@ -13,7 +13,7 @@ This guide introduces you to three of {kib}'s security features: spaces, roles, Do you have multiple teams or tenants using {kib}? Do you want a “playground” to experiment with new visualizations or alerts? If so, then <> can help. -Think of a space as another instance of {kib}. A space allows you to organize your <>, <>, <>, and much more into their own categories. For example, you might have a Marketing space for your marketeers to track the results of their campaigns, and an Engineering space for your developers to {apm-get-started-ref}/overview.html[monitor application performance]. +Think of a space as another instance of {kib}. A space allows you to organize your <>, <>, <>, and much more into their own categories. For example, you might have a Marketing space for your marketeers to track the results of their campaigns, and an Engineering space for your developers to {apm-guide-ref}/apm-overview.html[monitor application performance]. The assets you create in one space are isolated from other spaces, so when you enter a space, you only see the assets that belong to that space. diff --git a/packages/kbn-dev-utils/src/vscode_config/managed_config_keys.ts b/packages/kbn-dev-utils/src/vscode_config/managed_config_keys.ts index f5bee0ce67fe4..32cc91ad74c50 100644 --- a/packages/kbn-dev-utils/src/vscode_config/managed_config_keys.ts +++ b/packages/kbn-dev-utils/src/vscode_config/managed_config_keys.ts 
@@ -20,21 +20,23 @@ export const MANAGED_CONFIG_KEYS: ManagedConfigKey[] = [ { key: 'files.watcherExclude', value: { - ['**/.eslintcache']: true, + ['**/.chromium']: true, ['**/.es']: true, + ['**/.eslintcache']: true, ['**/.yarn-local-mirror']: true, - ['**/.chromium']: true, - ['**/packages/kbn-pm/dist/index.js']: true, + ['**/*.log']: true, + ['**/api_docs']: true, ['**/bazel-*']: true, ['**/node_modules']: true, + ['**/packages/kbn-pm/dist/index.js']: true, ['**/target']: true, - ['**/*.log']: true, }, }, { key: 'search.exclude', value: { ['**/packages/kbn-pm/dist/index.js']: true, + ['**/api_docs']: true, }, }, { diff --git a/renovate.json5 b/renovate.json5 index ab33ba7b844ee..69f642712ca6f 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -12,7 +12,7 @@ ], baseBranches: [ 'master', - '7.x', + '7.16', '7.15', ], prConcurrentLimit: 0, @@ -55,7 +55,7 @@ groupName: '@elastic/elasticsearch', packageNames: ['@elastic/elasticsearch'], reviewers: ['team:kibana-operations', 'team:kibana-core'], - matchBaseBranches: ['7.x'], + matchBaseBranches: ['7.16'], labels: ['release_note:skip', 'Team:Operations', 'Team:Core', 'backport:skip'], enabled: true, }, diff --git a/src/core/public/apm_system.ts b/src/core/public/apm_system.ts index 1a653636c54d4..c64c1923f1131 100644 --- a/src/core/public/apm_system.ts +++ b/src/core/public/apm_system.ts @@ -30,6 +30,7 @@ interface StartDeps { export class ApmSystem { private readonly enabled: boolean; + private pageLoadTransaction?: Transaction; /** * `apmConfig` would be populated with relevant APM RUM agent * configuration if server is started with elastic.apm.* config. 
@@ -49,10 +50,23 @@ export class ApmSystem {
 this.addHttpRequestNormalization(apm);
 init(apmConfig);
+ this.pageLoadTransaction = apm.getCurrentTransaction();
+
+ // Keep the page load transaction open until all resources finished loading
+ if (this.pageLoadTransaction && this.pageLoadTransaction.type === 'page-load') {
+ // @ts-expect-error 2339
+ this.pageLoadTransaction.block(true);
+ this.pageLoadTransaction.mark('apm-setup');
+ }
 }
 
 async start(start?: StartDeps) {
 if (!this.enabled || !start) return;
+
+ if (this.pageLoadTransaction && this.pageLoadTransaction.type === 'page-load') {
+ this.pageLoadTransaction.mark('apm-start');
+ }
+
 /**
 * Register listeners for navigation changes and capture them as
 * route-change transactions after Kibana app is bootstrapped
@@ -60,6 +74,11 @@ export class ApmSystem {
 start.application.currentAppId$.subscribe((appId) => {
 const apmInstance = (window as any).elasticApm;
 if (appId && apmInstance && typeof apmInstance.startTransaction === 'function') {
+ // Close the page load transaction
+ if (this.pageLoadTransaction && this.pageLoadTransaction.type === 'page-load') {
+ this.pageLoadTransaction.end();
+ this.pageLoadTransaction = undefined;
+ }
 apmInstance.startTransaction(`/app/${appId}`, 'route-change', {
 managed: true,
 canReuse: true,
diff --git a/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts b/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts
index d7ea73456e236..1f9ca741691d1 100644
--- a/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts
+++ b/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts
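Review bot: The `// @ts-expect-error 2339` placed before `this.pageLoadTransaction.block(true);` records only the error code, not why `block` is missing from the agent's `Transaction` type, so the suppression is hard to audit and a later agent release that drops or renames `block` would fail at runtime in this method rather than at compile time. A one-line reason keeps it reviewable, e.g. `// @ts-expect-error 2339 -- block() is not on the agent's public Transaction type; re-check on agent upgrade`. The `this.pageLoadTransaction && this.pageLoadTransaction.type === 'page-load'` predicate is also spelled out three times across this hunk and the next; a private helper such as `private isPageLoadInProgress(): boolean { return this.pageLoadTransaction?.type === 'page-load'; }` would keep the checks from drifting. The method that closes at the first context `}` begins before the hunk, and `start()` continues after it.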
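Review bot: The page-load transaction held open by `block(true)` is ended only inside the `currentAppId$` subscription, and only on the branch where `appId`, `window.elasticApm` and `startTransaction` are all present; if that branch is never reached (no app id emitted, or the global agent handle absent), the blocked transaction appears to stay open for the life of the page, as far as these two hunks show. Consider closing it independently of the route-change bookkeeping: move the `// Close the page load transaction` block above `if (appId && apmInstance && typeof apmInstance.startTransaction === 'function') {` and guard it on `appId` alone, so the first navigation always ends the page-load span. The subscribe callback continues past the end of the hunk.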
@@ -13,7 +13,6 @@ import { deleteUnknownTypeObjects, getUnknownTypesDeprecations } from './unknown import { typeRegistryMock } from '../saved_objects_type_registry.mock'; import { elasticsearchClientMock } from '../../elasticsearch/client/mocks'; import type { KibanaConfigType } from '../../kibana_config'; -import type { SavedObjectConfig } from '../saved_objects_config'; import { SavedObjectsType } from 'kibana/server'; const createSearchResponse = (count: number): estypes.SearchResponse => { @@ -32,7 +31,6 @@ describe('unknown saved object types deprecation', () => { let typeRegistry: ReturnType; let esClient: ReturnType; let kibanaConfig: KibanaConfigType; - let savedObjectsConfig: SavedObjectConfig; beforeEach(() => { typeRegistry = typeRegistryMock.create(); @@ -48,12 +46,6 @@ describe('unknown saved object types deprecation', () => { index: '.kibana', enabled: true, }; - - savedObjectsConfig = { - migration: { - enableV2: true, - }, - } as SavedObjectConfig; }); afterEach(() => { @@ -69,7 +61,6 @@ describe('unknown saved object types deprecation', () => { it('calls `esClient.asInternalUser.search` with the correct parameters', async () => { await getUnknownTypesDeprecations({ - savedObjectsConfig, esClient, typeRegistry, kibanaConfig, @@ -96,7 +87,6 @@ describe('unknown saved object types deprecation', () => { ); const deprecations = await getUnknownTypesDeprecations({ - savedObjectsConfig, esClient, typeRegistry, kibanaConfig, @@ -112,7 +102,6 @@ describe('unknown saved object types deprecation', () => { ); const deprecations = await getUnknownTypesDeprecations({ - savedObjectsConfig, esClient, typeRegistry, kibanaConfig, @@ -141,7 +130,6 @@ describe('unknown saved object types deprecation', () => { describe('deleteUnknownTypeObjects', () => { it('calls `esClient.asInternalUser.search` with the correct parameters', async () => { await deleteUnknownTypeObjects({ - savedObjectsConfig, esClient, typeRegistry, kibanaConfig, 
diff --git a/src/core/server/saved_objects/deprecations/unknown_object_types.ts b/src/core/server/saved_objects/deprecations/unknown_object_types.ts index c966e621ca605..8cd650bac8a2d 100644 --- a/src/core/server/saved_objects/deprecations/unknown_object_types.ts +++ b/src/core/server/saved_objects/deprecations/unknown_object_types.ts @@ -13,14 +13,12 @@ import { IScopedClusterClient } from '../../elasticsearch'; import { ISavedObjectTypeRegistry } from '../saved_objects_type_registry'; import { SavedObjectsRawDocSource } from '../serialization'; import type { KibanaConfigType } from '../../kibana_config'; -import type { SavedObjectConfig } from '../saved_objects_config'; import { getIndexForType } from '../service/lib'; interface UnknownTypesDeprecationOptions { typeRegistry: ISavedObjectTypeRegistry; esClient: IScopedClusterClient; kibanaConfig: KibanaConfigType; - savedObjectsConfig: SavedObjectConfig; kibanaVersion: string; } @@ -32,11 +30,9 @@ const getTargetIndices = ({ typeRegistry, kibanaVersion, kibanaConfig, - savedObjectsConfig, }: { types: string[]; typeRegistry: ISavedObjectTypeRegistry; - savedObjectsConfig: SavedObjectConfig; kibanaConfig: KibanaConfigType; kibanaVersion: string; }) => { @@ -46,7 +42,6 @@ const getTargetIndices = ({ getIndexForType({ type, typeRegistry, - migV2Enabled: savedObjectsConfig.migration.enableV2, kibanaVersion, defaultIndex: kibanaConfig.index, }) @@ -69,7 +64,6 @@ const getUnknownSavedObjects = async ({ typeRegistry, esClient, kibanaConfig, - savedObjectsConfig, kibanaVersion, }: UnknownTypesDeprecationOptions) => { const knownTypes = getKnownTypes(typeRegistry); @@ -78,7 +72,6 @@ const getUnknownSavedObjects = async ({ typeRegistry, kibanaConfig, kibanaVersion, - savedObjectsConfig, }); const query = getUnknownTypesQuery(knownTypes); 
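Review bot: With `savedObjectsConfig` removed, `UnknownTypesDeprecationOptions` in this hunk and `DeleteUnknownTypesOptions` in the `@@ -141,7 +134,6 @@` hunk now declare the same four members (`typeRegistry`, `esClient`, `kibanaConfig`, `kibanaVersion`), so the two interfaces can silently diverge the next time one of them is edited. A single alias, `type DeleteUnknownTypesOptions = UnknownTypesDeprecationOptions;`, or one shared interface used by both exported functions would make the common contract explicit.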
@@ -141,7 +134,6 @@ interface DeleteUnknownTypesOptions { typeRegistry: ISavedObjectTypeRegistry; esClient: IScopedClusterClient; kibanaConfig: KibanaConfigType; - savedObjectsConfig: SavedObjectConfig; kibanaVersion: string; } @@ -149,7 +141,6 @@ export const deleteUnknownTypeObjects = async ({ esClient, typeRegistry, kibanaConfig, - savedObjectsConfig, kibanaVersion, }: DeleteUnknownTypesOptions) => { const knownTypes = getKnownTypes(typeRegistry); @@ -158,7 +149,6 @@ export const deleteUnknownTypeObjects = async ({ typeRegistry, kibanaConfig, kibanaVersion, - savedObjectsConfig, }); const query = getUnknownTypesQuery(knownTypes); diff --git a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.mock.ts b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.mock.ts index 9471bbc1b87a6..660300ea867ff 100644 --- a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.mock.ts +++ b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.mock.ts @@ -42,8 +42,6 @@ const createMigrator = ( scrollDuration: '15m', pollInterval: 1500, skip: false, - // TODO migrationsV2: remove/deprecate once we remove migrations v1 - enableV2: false, retryAttempts: 10, }, runMigrations: jest.fn(), diff --git a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.test.ts b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.test.ts index 6e10349f4b57c..c397559b52570 100644 --- a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.test.ts +++ b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.test.ts @@ -7,7 +7,7 @@ */ import { take } from 'rxjs/operators'; -import { estypes, errors as esErrors } from '@elastic/elasticsearch'; +import { estypes } from '@elastic/elasticsearch'; import { elasticsearchClientMock } from '../../../elasticsearch/client/mocks'; import { KibanaMigratorOptions, KibanaMigrator } from './kibana_migrator'; 
@@ -125,13 +125,6 @@ describe('KibanaMigrator', () => { it('only runs migrations once if called multiple times', async () => { const options = mockOptions(); - options.client.cat.templates.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise( - // @ts-expect-error - { templates: [] } as CatTemplatesResponse, - { statusCode: 404 } - ) - ); options.client.indices.get.mockReturnValue( elasticsearchClientMock.createSuccessTransportRequestPromise({}, { statusCode: 404 }) ); 
@@ -144,159 +137,79 @@ describe('KibanaMigrator', () => { migrator.prepareMigrations(); await migrator.runMigrations(); await migrator.runMigrations(); + await migrator.runMigrations(); - expect(options.client.cat.templates).toHaveBeenCalledTimes(1); + // indices.get is called twice during a single migration + expect(options.client.indices.get).toHaveBeenCalledTimes(2); }); - describe('when enableV2 = false', () => { - it('when enableV2 = false creates an IndexMigrator which retries NoLivingConnectionsError errors from ES client', async () => { - const options = mockOptions(); - - options.client.cat.templates.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise( - // @ts-expect-error - { templates: [] } as CatTemplatesResponse, - { statusCode: 404 } - ) - ); - options.client.indices.get.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise({}, { statusCode: 404 }) - ); - options.client.indices.getAlias.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise({}, { statusCode: 404 }) - ); - - options.client.indices.create = jest - .fn() - .mockReturnValueOnce( - elasticsearchClientMock.createErrorTransportRequestPromise( - new esErrors.NoLivingConnectionsError('reason', {} as any) - ) - ) - .mockImplementationOnce(() => - elasticsearchClientMock.createSuccessTransportRequestPromise('success') - ); - - const migrator = new KibanaMigrator(options); - const migratorStatus = migrator.getStatus$().pipe(take(3)).toPromise(); - - migrator.prepareMigrations(); - await migrator.runMigrations(); + it('emits results on getMigratorResult$()', async () => { + const options = mockV2MigrationOptions(); + const migrator = new KibanaMigrator(options); + const migratorStatus = migrator.getStatus$().pipe(take(3)).toPromise(); + migrator.prepareMigrations(); + await migrator.runMigrations(); - expect(options.client.indices.create).toHaveBeenCalledTimes(3); - const { status } = await migratorStatus; - return 
expect(status).toEqual('completed'); + const { status, result } = await migratorStatus; + expect(status).toEqual('completed'); + expect(result![0]).toMatchObject({ + destIndex: '.my-index_8.2.3_001', + sourceIndex: '.my-index_pre8.2.3_001', + elapsedMs: expect.any(Number), + status: 'migrated', }); - - it('emits results on getMigratorResult$()', async () => { - const options = mockOptions(); - - options.client.cat.templates.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise( - // @ts-expect-error - { templates: [] } as CatTemplatesResponse, - { statusCode: 404 } - ) - ); - options.client.indices.get.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise({}, { statusCode: 404 }) - ); - options.client.indices.getAlias.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise({}, { statusCode: 404 }) - ); - - const migrator = new KibanaMigrator(options); - const migratorStatus = migrator.getStatus$().pipe(take(3)).toPromise(); - migrator.prepareMigrations(); - await migrator.runMigrations(); - const { status, result } = await migratorStatus; - expect(status).toEqual('completed'); - expect(result![0]).toMatchObject({ - destIndex: '.my-index_1', - elapsedMs: expect.any(Number), - sourceIndex: '.my-index', - status: 'migrated', - }); - expect(result![1]).toMatchObject({ - destIndex: 'other-index_1', - elapsedMs: expect.any(Number), - sourceIndex: 'other-index', - status: 'migrated', - }); + expect(result![1]).toMatchObject({ + destIndex: 'other-index_8.2.3_001', + elapsedMs: expect.any(Number), + status: 'patched', }); }); - describe('when enableV2 = true', () => { - beforeEach(() => { - jest.clearAllMocks(); - }); - - it('emits results on getMigratorResult$()', async () => { - const options = mockV2MigrationOptions(); - const migrator = new KibanaMigrator(options); - const migratorStatus = migrator.getStatus$().pipe(take(3)).toPromise(); - migrator.prepareMigrations(); - await 
migrator.runMigrations(); - - const { status, result } = await migratorStatus; - expect(status).toEqual('completed'); - expect(result![0]).toMatchObject({ - destIndex: '.my-index_8.2.3_001', - sourceIndex: '.my-index_pre8.2.3_001', - elapsedMs: expect.any(Number), - status: 'migrated', - }); - expect(result![1]).toMatchObject({ - destIndex: 'other-index_8.2.3_001', - elapsedMs: expect.any(Number), - status: 'patched', - }); - }); - it('rejects when the migration state machine terminates in a FATAL state', () => { - const options = mockV2MigrationOptions(); - options.client.indices.get.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise( - { - '.my-index_8.2.4_001': { - aliases: { - '.my-index': {}, - '.my-index_8.2.4': {}, - }, - mappings: { properties: {}, _meta: { migrationMappingPropertyHashes: {} } }, - settings: {}, + it('rejects when the migration state machine terminates in a FATAL state', () => { + const options = mockV2MigrationOptions(); + options.client.indices.get.mockReturnValue( + elasticsearchClientMock.createSuccessTransportRequestPromise( + { + '.my-index_8.2.4_001': { + aliases: { + '.my-index': {}, + '.my-index_8.2.4': {}, }, + mappings: { properties: {}, _meta: { migrationMappingPropertyHashes: {} } }, + settings: {}, }, - { statusCode: 200 } - ) - ); + }, + { statusCode: 200 } + ) + ); - const migrator = new KibanaMigrator(options); - migrator.prepareMigrations(); - return expect(migrator.runMigrations()).rejects.toMatchInlineSnapshot( - `[Error: Unable to complete saved object migrations for the [.my-index] index: The .my-index alias is pointing to a newer version of Kibana: v8.2.4]` - ); - }); - it('rejects when an unexpected exception occurs in an action', async () => { - const options = mockV2MigrationOptions(); - options.client.tasks.get.mockReturnValue( - elasticsearchClientMock.createSuccessTransportRequestPromise({ - completed: true, - error: { type: 'elasticsearch_exception', reason: 'task failed with an 
error' }, - failures: [], - task: { description: 'task description' } as any, - }) - ); + const migrator = new KibanaMigrator(options); + migrator.prepareMigrations(); + return expect(migrator.runMigrations()).rejects.toMatchInlineSnapshot( + `[Error: Unable to complete saved object migrations for the [.my-index] index: The .my-index alias is pointing to a newer version of Kibana: v8.2.4]` + ); + }); - const migrator = new KibanaMigrator(options); - migrator.prepareMigrations(); - await expect(migrator.runMigrations()).rejects.toMatchInlineSnapshot(` - [Error: Unable to complete saved object migrations for the [.my-index] index. Error: Reindex failed with the following error: - {"_tag":"Some","value":{"type":"elasticsearch_exception","reason":"task failed with an error"}}] - `); - expect(loggingSystemMock.collect(options.logger).error[0][0]).toMatchInlineSnapshot(` - [Error: Reindex failed with the following error: - {"_tag":"Some","value":{"type":"elasticsearch_exception","reason":"task failed with an error"}}] - `); - }); + it('rejects when an unexpected exception occurs in an action', async () => { + const options = mockV2MigrationOptions(); + options.client.tasks.get.mockReturnValue( + elasticsearchClientMock.createSuccessTransportRequestPromise({ + completed: true, + error: { type: 'elasticsearch_exception', reason: 'task failed with an error' }, + failures: [], + task: { description: 'task description' } as any, + }) + ); + + const migrator = new KibanaMigrator(options); + migrator.prepareMigrations(); + await expect(migrator.runMigrations()).rejects.toMatchInlineSnapshot(` + [Error: Unable to complete saved object migrations for the [.my-index] index. 
Error: Reindex failed with the following error: + {"_tag":"Some","value":{"type":"elasticsearch_exception","reason":"task failed with an error"}}] + `); + expect(loggingSystemMock.collect(options.logger).error[0][0]).toMatchInlineSnapshot(` + [Error: Reindex failed with the following error: + {"_tag":"Some","value":{"type":"elasticsearch_exception","reason":"task failed with an error"}}] + `); }); }); }); @@ -306,7 +219,7 @@ type MockedOptions = KibanaMigratorOptions & { }; const mockV2MigrationOptions = () => { - const options = mockOptions({ enableV2: true }); + const options = mockOptions(); options.client.indices.get.mockReturnValue( elasticsearchClientMock.createSuccessTransportRequestPromise( @@ -362,7 +275,7 @@ const mockV2MigrationOptions = () => { return options; }; -const mockOptions = ({ enableV2 }: { enableV2: boolean } = { enableV2: false }) => { +const mockOptions = () => { const options: MockedOptions = { logger: loggingSystemMock.create().get(), kibanaVersion: '8.2.3', @@ -401,7 +314,6 @@ const mockOptions = ({ enableV2 }: { enableV2: boolean } = { enableV2: false }) pollInterval: 20000, scrollDuration: '10m', skip: false, - enableV2, retryAttempts: 20, }, client: elasticsearchClientMock.createElasticsearchClient(), diff --git a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts index 572b2934e49b8..d3755f8c7e666 100644 --- a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts +++ b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts 
@@ -22,13 +22,7 @@ import {
 SavedObjectsSerializer,
 SavedObjectsRawDoc,
 } from '../../serialization';
-import {
- buildActiveMappings,
- createMigrationEsClient,
- IndexMigrator,
- MigrationResult,
- MigrationStatus,
-} from '../core';
+import { buildActiveMappings, MigrationResult, MigrationStatus } from '../core';
 import { DocumentMigrator, VersionedTransformer } from '../core/document_migrator';
 import { createIndexMap } from '../core/build_index_map';
 import { SavedObjectsMigrationConfigType } from '../../saved_objects_config';
@@ -71,7 +65,6 @@ export class KibanaMigrator {
 status: 'waiting_to_start',
 });
 private readonly activeMappings: IndexMapping;
- private migrationsRetryDelay?: number;
 // TODO migrationsV2: make private once we remove migrations v1
 public readonly kibanaVersion: string;
 // TODO migrationsV2: make private once we remove migrations v1
@@ -105,7 +98,6 @@ export class KibanaMigrator {
 // Building the active mappings (and associated md5sums) is an expensive
 // operation so we cache the result
 this.activeMappings = buildActiveMappings(this.mappingProperties);
- this.migrationsRetryDelay = migrationsRetryDelay;
 }

 /**
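Review bot: The two `// TODO migrationsV2: make private once we remove migrations v1` comments kept as context in the `@@ -71,7 +65,6` hunk now describe exactly what this commit does, so they should be resolved or reworded rather than left behind; the repository.ts hunk further down drops the only read of `soMigrationsConfig.enableV2` visible here, while repository.ts still reads `this._migrator.kibanaVersion`, so `kibanaVersion` at least must remain public. In the `@@ -105,7 +98,6` hunk the assignment `this.migrationsRetryDelay = migrationsRetryDelay;` is removed but the constructor parameter it came from is not touched; if `migrationsRetryDelay` is still destructured in the constructor signature (outside the hunk), it is now an unused binding and should be removed from the options type as well. The class body continues outside the hunk.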
@@ -173,49 +165,28 @@ export class KibanaMigrator { }); const migrators = Object.keys(indexMap).map((index) => { - // TODO migrationsV2: remove old migrations algorithm - if (this.soMigrationsConfig.enableV2) { - return { - migrate: (): Promise => { - return runResilientMigrator({ - client: this.client, - kibanaVersion: this.kibanaVersion, - targetMappings: buildActiveMappings(indexMap[index].typeMappings), - logger: this.log, - preMigrationScript: indexMap[index].script, - transformRawDocs: (rawDocs: SavedObjectsRawDoc[]) => - migrateRawDocsSafely({ - serializer: this.serializer, - knownTypes: new Set(this.typeRegistry.getAllTypes().map((t) => t.name)), - migrateDoc: this.documentMigrator.migrateAndConvert, - rawDocs, - }), - migrationVersionPerType: this.documentMigrator.migrationVersion, - indexPrefix: index, - migrationsConfig: this.soMigrationsConfig, - typeRegistry: this.typeRegistry, - }); - }, - }; - } else { - return new IndexMigrator({ - batchSize: this.soMigrationsConfig.batchSize, - client: createMigrationEsClient(this.client, this.log, this.migrationsRetryDelay), - documentMigrator: this.documentMigrator, - index, - kibanaVersion: this.kibanaVersion, - log: this.log, - mappingProperties: indexMap[index].typeMappings, - setStatus: (status) => this.status$.next(status), - pollInterval: this.soMigrationsConfig.pollInterval, - scrollDuration: this.soMigrationsConfig.scrollDuration, - serializer: this.serializer, - // Only necessary for the migrator of the kibana index. - obsoleteIndexTemplatePattern: - index === kibanaIndexName ? 
'kibana_index_template*' : undefined, - convertToAliasScript: indexMap[index].script, - }); - } + return { + migrate: (): Promise => { + return runResilientMigrator({ + client: this.client, + kibanaVersion: this.kibanaVersion, + targetMappings: buildActiveMappings(indexMap[index].typeMappings), + logger: this.log, + preMigrationScript: indexMap[index].script, + transformRawDocs: (rawDocs: SavedObjectsRawDoc[]) => + migrateRawDocsSafely({ + serializer: this.serializer, + knownTypes: new Set(this.typeRegistry.getAllTypes().map((t) => t.name)), + migrateDoc: this.documentMigrator.migrateAndConvert, + rawDocs, + }), + migrationVersionPerType: this.documentMigrator.migrationVersion, + indexPrefix: index, + migrationsConfig: this.soMigrationsConfig, + typeRegistry: this.typeRegistry, + }); + }, + }; }); return Promise.all(migrators.map((migrator) => migrator.migrate())); diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/7.7.2_xpack_100k.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/7.7.2_xpack_100k.test.ts index 41d89e2a01541..c22c6154c2605 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/7.7.2_xpack_100k.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/7.7.2_xpack_100k.test.ts @@ -49,7 +49,6 @@ describe('migration from 7.7.2-xpack with 100k objects', () => { { migrations: { skip: false, - enableV2: true, }, logging: { appenders: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_failed_action_tasks.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_failed_action_tasks.test.ts index d70e034703158..a4ce95a9e0584 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_failed_action_tasks.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_failed_action_tasks.test.ts 
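Review bot: `new Set(this.typeRegistry.getAllTypes().map((t) => t.name))` is built inside the `transformRawDocs` callback, so the set is rebuilt for every batch of raw docs that runResilientMigrator passes in, for every index; assuming the type registry is frozen by the time migrations run, it can be computed once before the `Object.keys(indexMap).map(...)`, `const knownTypes = new Set(this.typeRegistry.getAllTypes().map((t) => t.name));`, and the callback can pass `knownTypes,`. The removed IndexMigrator branch held the only use of `kibanaIndexName` visible in this hunk (the `obsoleteIndexTemplatePattern` comparison); if that name has no remaining use in the enclosing method, it is now dead and should go too. The enclosing method starts outside the hunk.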
@@ -113,7 +113,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, batchSize: 250, }, logging: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_transform_failures.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_transform_failures.test.ts index fb40bda81cba5..c8e17a64a3fa3 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_transform_failures.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_transform_failures.test.ts @@ -155,7 +155,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, batchSize: 5, }, logging: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_unknown_types.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_unknown_types.test.ts index 0be8b1187af71..a04300ffea626 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_unknown_types.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/7_13_0_unknown_types.test.ts @@ -217,7 +217,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, batchSize: 5, }, logging: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes.test.ts index b39c0b80cf42b..de25c7b1c6412 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes.test.ts @@ -137,7 +137,6 @@ function createRoot(options: { maxBatchSizeBytes?: number }) { { migrations: { skip: false, - enableV2: true, batchSize: 1000, maxBatchSizeBytes: options.maxBatchSizeBytes, }, 
diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes_exceeds_es_content_length.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes_exceeds_es_content_length.test.ts index 192321227d4ae..b47156e3a1e9e 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes_exceeds_es_content_length.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/batch_size_bytes_exceeds_es_content_length.test.ts @@ -88,7 +88,6 @@ function createRoot(options: { maxBatchSizeBytes?: number }) { { migrations: { skip: false, - enableV2: true, batchSize: 1000, maxBatchSizeBytes: options.maxBatchSizeBytes, }, diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts index d76bbc786cffc..c84f72b184261 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts @@ -28,7 +28,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, }, logging: { appenders: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/collects_corrupt_docs.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/collects_corrupt_docs.test.ts index 779db252154a3..e330653089c6e 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/collects_corrupt_docs.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/collects_corrupt_docs.test.ts @@ -149,7 +149,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, batchSize: 5, }, logging: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts index 7368d856e2c2c..348cbe88cd8a7 100644 
--- a/src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts @@ -153,7 +153,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, batchSize: 5, }, logging: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_older_v1.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_older_v1.test.ts index 46fecdf05bbaf..0ed9262017263 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_older_v1.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_older_v1.test.ts @@ -77,7 +77,6 @@ describe('migrating from 7.3.0-xpack which used v1 migrations', () => { { migrations: { skip: false, - enableV2: true, // There are 40 docs in fixtures. Batch size configured to enforce 3 migration steps. batchSize: 15, }, diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_same_v1.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_same_v1.test.ts index 18eb5cc96e496..15d985daccba6 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_same_v1.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/migration_from_same_v1.test.ts @@ -77,7 +77,6 @@ describe('migrating from the same Kibana version that used v1 migrations', () => { migrations: { skip: false, - enableV2: true, // There are 40 docs in fixtures. Batch size configured to enforce 3 migration steps. batchSize: 15, }, diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_es_nodes.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_es_nodes.test.ts index 755bb5f946e4f..6956e53ebc7fa 100644 
--- a/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_es_nodes.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_es_nodes.test.ts @@ -67,7 +67,6 @@ function createRoot({ logFileName, hosts }: RootConfig) { }, migrations: { skip: false, - enableV2: true, batchSize: 100, // fixture contains 5000 docs }, logging: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_kibana_nodes.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_kibana_nodes.test.ts index 11c5b33c0fd3d..ef92c823182d8 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_kibana_nodes.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/multiple_kibana_nodes.test.ts @@ -67,7 +67,6 @@ async function createRoot({ logFileName }: CreateRootConfig) { }, migrations: { skip: false, - enableV2: true, batchSize: 100, // fixture contains 5000 docs }, logging: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/outdated_docs.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/outdated_docs.test.ts index 58ff34913f5d4..506f42cb2e402 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/outdated_docs.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/outdated_docs.test.ts @@ -95,7 +95,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, }, logging: { appenders: { diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/rewriting_id.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/rewriting_id.test.ts index 4564a89ee0816..2fd1ce9b6b14b 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/rewriting_id.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/rewriting_id.test.ts 
@@ -62,7 +62,6 @@ function createRoot() { { migrations: { skip: false, - enableV2: true, }, logging: { appenders: { diff --git a/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.test.ts b/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.test.ts index 21468d7552320..338eecf151174 100644 --- a/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.test.ts +++ b/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.test.ts @@ -45,7 +45,6 @@ describe('migrationsStateActionMachine', () => { pollInterval: 0, scrollDuration: '0s', skip: false, - enableV2: true, retryAttempts: 5, }, typeRegistry, diff --git a/src/core/server/saved_objects/routes/deprecations/delete_unknown_types.ts b/src/core/server/saved_objects/routes/deprecations/delete_unknown_types.ts index a9e1a41f01d91..2b6d64bef4f1a 100644 --- a/src/core/server/saved_objects/routes/deprecations/delete_unknown_types.ts +++ b/src/core/server/saved_objects/routes/deprecations/delete_unknown_types.ts @@ -9,18 +9,16 @@ import { IRouter } from '../../../http'; import { catchAndReturnBoomErrors } from '../utils'; import { deleteUnknownTypeObjects } from '../../deprecations'; -import { SavedObjectConfig } from '../../saved_objects_config'; import { KibanaConfigType } from '../../../kibana_config'; interface RouteDependencies { - config: SavedObjectConfig; kibanaConfig: KibanaConfigType; kibanaVersion: string; } export const registerDeleteUnknownTypesRoute = ( router: IRouter, - { config, kibanaConfig, kibanaVersion }: RouteDependencies + { kibanaConfig, kibanaVersion }: RouteDependencies ) => { router.post( { @@ -31,7 +29,6 @@ export const registerDeleteUnknownTypesRoute = ( await deleteUnknownTypeObjects({ esClient: context.core.elasticsearch.client, typeRegistry: context.core.savedObjects.typeRegistry, - savedObjectsConfig: config, kibanaConfig, kibanaVersion, }); 
diff --git a/src/core/server/saved_objects/routes/index.ts b/src/core/server/saved_objects/routes/index.ts
index d7cc8af07b0ab..a85070867ae8f 100644
--- a/src/core/server/saved_objects/routes/index.ts
+++ b/src/core/server/saved_objects/routes/index.ts
@@ -74,5 +74,5 @@ export function registerRoutes({
 const internalRouter = http.createRouter('/internal/saved_objects/');

 registerMigrateRoute(internalRouter, migratorPromise);
- registerDeleteUnknownTypesRoute(internalRouter, { config, kibanaConfig, kibanaVersion });
+ registerDeleteUnknownTypesRoute(internalRouter, { kibanaConfig, kibanaVersion });
 }
diff --git a/src/core/server/saved_objects/routes/integration_tests/delete_unknown_types.test.ts b/src/core/server/saved_objects/routes/integration_tests/delete_unknown_types.test.ts
index fef2b2d5870e0..0c7fbdda89fbf 100644
--- a/src/core/server/saved_objects/routes/integration_tests/delete_unknown_types.test.ts
+++ b/src/core/server/saved_objects/routes/integration_tests/delete_unknown_types.test.ts
@@ -13,7 +13,6 @@ import { elasticsearchServiceMock } from '../../../../../core/server/elasticsear
 import { typeRegistryMock } from '../../saved_objects_type_registry.mock';
 import { setupServer } from '../test_utils';
 import { KibanaConfigType } from '../../../kibana_config';
-import { SavedObjectConfig } from '../../saved_objects_config';
 import { SavedObjectsType } from 'kibana/server';

 type SetupServerReturn = UnwrapPromise>;
@@ -24,13 +23,6 @@ describe('POST /internal/saved_objects/deprecations/_delete_unknown_types', () =
 enabled: true,
 index: '.kibana',
 };
- const config: SavedObjectConfig = {
- maxImportExportSize: 10000,
- maxImportPayloadBytes: 24000000,
- migration: {
- enableV2: true,
- } as SavedObjectConfig['migration'],
- };
 let server: SetupServerReturn['server'];
 let httpSetup: SetupServerReturn['httpSetup'];

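Review bot: After this hunk `config` is no longer passed to `registerDeleteUnknownTypesRoute`; if that call was its only consumer, the `config` binding destructured in the `registerRoutes({` signature (outside the hunk) is now dead and should be removed there and from the function's options type, or a later reader will assume the route layer still depends on saved-objects config. The same commit drops `config` from `RouteDependencies` in delete_unknown_types.ts, so nothing in the route code shown here still needs it.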
@@ -54,7 +46,6 @@ describe('POST /internal/saved_objects/deprecations/_delete_unknown_types', () = registerDeleteUnknownTypesRoute(router, { kibanaVersion, kibanaConfig, - config, }); await server.start(); diff --git a/src/core/server/saved_objects/saved_objects_config.test.ts b/src/core/server/saved_objects/saved_objects_config.test.ts index 720b28403edf2..06b9e9661b746 100644 --- a/src/core/server/saved_objects/saved_objects_config.test.ts +++ b/src/core/server/saved_objects/saved_objects_config.test.ts @@ -22,7 +22,7 @@ describe('migrations config', function () { const { messages } = applyMigrationsDeprecations({ enableV2: true }); expect(messages).toMatchInlineSnapshot(` Array [ - "\\"migrations.enableV2\\" is deprecated and will be removed in an upcoming release without any further notice.", + "You no longer need to configure \\"migrations.enableV2\\".", ] `); }); @@ -31,7 +31,7 @@ describe('migrations config', function () { const { messages } = applyMigrationsDeprecations({ enableV2: false }); expect(messages).toMatchInlineSnapshot(` Array [ - "\\"migrations.enableV2\\" is deprecated and will be removed in an upcoming release without any further notice.", + "You no longer need to configure \\"migrations.enableV2\\".", ] `); }); diff --git a/src/core/server/saved_objects/saved_objects_config.ts b/src/core/server/saved_objects/saved_objects_config.ts index c9b4b4499fa80..02fbd974da4ae 100644 --- a/src/core/server/saved_objects/saved_objects_config.ts +++ b/src/core/server/saved_objects/saved_objects_config.ts @@ -7,8 +7,8 @@ */ import { schema, TypeOf } from '@kbn/config-schema'; +import { ConfigDeprecationProvider } from '../config'; import type { ServiceConfigDescriptor } from '../internal_types'; -import type { ConfigDeprecationProvider } from '../config'; const migrationSchema = schema.object({ batchSize: schema.number({ defaultValue: 1_000 }), 
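Review bot: The new import line in saved_objects_config.ts drops the `type` modifier: `ConfigDeprecationProvider` is used only as a type annotation (the `migrationDeprecations` declaration in the following hunk), so it should stay `import type { ConfigDeprecationProvider } from '../config';` as it was on the removed line, which keeps '../config' out of the module's runtime imports. If the move above `import type { ServiceConfigDescriptor }` was made to satisfy an import-ordering rule, the type-only form can be kept in that position.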
@@ -16,29 +16,12 @@ const migrationSchema = schema.object({ scrollDuration: schema.string({ defaultValue: '15m' }), pollInterval: schema.number({ defaultValue: 1_500 }), skip: schema.boolean({ defaultValue: false }), - enableV2: schema.boolean({ defaultValue: true }), retryAttempts: schema.number({ defaultValue: 15 }), }); export type SavedObjectsMigrationConfigType = TypeOf; -const migrationDeprecations: ConfigDeprecationProvider = () => [ - (settings, fromPath, addDeprecation) => { - const migrationsConfig = settings[fromPath]; - if (migrationsConfig?.enableV2 !== undefined) { - addDeprecation({ - configPath: `${fromPath}.enableV2`, - message: - '"migrations.enableV2" is deprecated and will be removed in an upcoming release without any further notice.', - documentationUrl: 'https://ela.st/kbn-so-migration-v2', - correctiveActions: { - manualSteps: [`Remove "migrations.enableV2" from your kibana configs.`], - }, - }); - } - return settings; - }, -]; +const migrationDeprecations: ConfigDeprecationProvider = ({ unused }) => [unused('enableV2')]; export const savedObjectsMigrationConfig: ServiceConfigDescriptor = { diff --git a/src/core/server/saved_objects/service/lib/get_index_for_type.test.ts b/src/core/server/saved_objects/service/lib/get_index_for_type.test.ts index fa065b02b8050..16e3ba9495f04 100644 --- a/src/core/server/saved_objects/service/lib/get_index_for_type.test.ts +++ b/src/core/server/saved_objects/service/lib/get_index_for_type.test.ts 
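Review bot: With `enableV2` removed from `migrationSchema`, a kibana.yml that still sets `migrations.enableV2` now validates only if `unused('enableV2')` strips the key from the settings before the schema runs; the replaced handler only called `addDeprecation` and returned `settings` untouched, so this is a behavioural change worth a sentence in the commit description (I cannot see `unused`'s implementation here to confirm it removes the key). The updated tests in saved_objects_config.test.ts assert the new message text only; add an assertion that the migrated settings no longer contain `enableV2`, so a startup failure on an existing config is caught by the unit test rather than at boot.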
@@ -18,63 +18,27 @@ describe('getIndexForType', () => { typeRegistry = typeRegistryMock.create(); }); - describe('when migV2 is enabled', () => { - const migV2Enabled = true; - - it('returns the correct index for a type specifying a custom index', () => { - typeRegistry.getIndex.mockImplementation((type) => `.${type}-index`); - expect( - getIndexForType({ - type: 'foo', - typeRegistry, - defaultIndex, - kibanaVersion, - migV2Enabled, - }) - ).toEqual('.foo-index_8.0.0'); - }); - - it('returns the correct index for a type not specifying a custom index', () => { - typeRegistry.getIndex.mockImplementation((type) => undefined); - expect( - getIndexForType({ - type: 'foo', - typeRegistry, - defaultIndex, - kibanaVersion, - migV2Enabled, - }) - ).toEqual('.kibana_8.0.0'); - }); + it('returns the correct index for a type specifying a custom index', () => { + typeRegistry.getIndex.mockImplementation((type) => `.${type}-index`); + expect( + getIndexForType({ + type: 'foo', + typeRegistry, + defaultIndex, + kibanaVersion, + }) + ).toEqual('.foo-index_8.0.0'); }); - describe('when migV2 is disabled', () => { - const migV2Enabled = false; - - it('returns the correct index for a type specifying a custom index', () => { - typeRegistry.getIndex.mockImplementation((type) => `.${type}-index`); - expect( - getIndexForType({ - type: 'foo', - typeRegistry, - defaultIndex, - kibanaVersion, - migV2Enabled, - }) - ).toEqual('.foo-index'); - }); - - it('returns the correct index for a type not specifying a custom index', () => { - typeRegistry.getIndex.mockImplementation((type) => undefined); - expect( - getIndexForType({ - type: 'foo', - typeRegistry, - defaultIndex, - kibanaVersion, - migV2Enabled, - }) - ).toEqual('.kibana'); - }); + it('returns the correct index for a type not specifying a custom index', () => { + typeRegistry.getIndex.mockImplementation((type) => undefined); + expect( + getIndexForType({ + type: 'foo', + typeRegistry, + defaultIndex, + kibanaVersion, + }) + 
).toEqual('.kibana_8.0.0');
 });
 });
diff --git a/src/core/server/saved_objects/service/lib/get_index_for_type.ts b/src/core/server/saved_objects/service/lib/get_index_for_type.ts
index cef477e6dd840..ae34e6063e0a5 100644
--- a/src/core/server/saved_objects/service/lib/get_index_for_type.ts
+++ b/src/core/server/saved_objects/service/lib/get_index_for_type.ts
@@ -11,7 +11,6 @@ import { ISavedObjectTypeRegistry } from '../../saved_objects_type_registry';
 interface GetIndexForTypeOptions {
 type: string;
 typeRegistry: ISavedObjectTypeRegistry;
- migV2Enabled: boolean;
 kibanaVersion: string;
 defaultIndex: string;
 }
@@ -19,18 +18,8 @@ interface GetIndexForTypeOptions {
 export const getIndexForType = ({
 type,
 typeRegistry,
- migV2Enabled,
 defaultIndex,
 kibanaVersion,
 }: GetIndexForTypeOptions): string => {
- // TODO migrationsV2: Remove once we remove migrations v1
- // This is a hacky, but it required the least amount of changes to
- // existing code to support a migrations v2 index. Long term we would
- // want to always use the type registry to resolve a type's index
- // (including the default index).
- if (migV2Enabled) {
- return `${typeRegistry.getIndex(type) || defaultIndex}_${kibanaVersion}`;
- } else {
- return typeRegistry.getIndex(type) || defaultIndex;
- }
+ return `${typeRegistry.getIndex(type) || defaultIndex}_${kibanaVersion}`;
 };
diff --git a/src/core/server/saved_objects/service/lib/repository.test.js b/src/core/server/saved_objects/service/lib/repository.test.js
index 84359147fccbc..985d609f2da59 100644
--- a/src/core/server/saved_objects/service/lib/repository.test.js
+++ b/src/core/server/saved_objects/service/lib/repository.test.js
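Review bot: The removed comment block was the only explanation of why the Kibana version is appended to the index name; the new one-line body carries none, and an unconditional suffix is easy to misread as a plain registry lookup. Suggest a short comment above the return, `// Index names carry the current Kibana version ('.kibana' -> '.kibana_8.0.0'), matching the naming the v2 migrator sets up.` The `||` fallback is unchanged from the old branch, so an empty-string result from `typeRegistry.getIndex` still falls back to `defaultIndex`; that is presumably intended and is worth a word in the same comment.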
@@ -613,12 +613,18 @@ describe('SavedObjectsRepository', () => { it(`should use default index`, async () => { await bulkCreateSuccess([obj1, obj2]); - expectClientCallArgsAction([obj1, obj2], { method: 'create', _index: '.kibana-test' }); + expectClientCallArgsAction([obj1, obj2], { + method: 'create', + _index: '.kibana-test_8.0.0-testing', + }); }); it(`should use custom index`, async () => { await bulkCreateSuccess([obj1, obj2].map((x) => ({ ...x, type: CUSTOM_INDEX_TYPE }))); - expectClientCallArgsAction([obj1, obj2], { method: 'create', _index: 'custom' }); + expectClientCallArgsAction([obj1, obj2], { + method: 'create', + _index: 'custom_8.0.0-testing', + }); }); it(`prepends namespace to the id when providing namespace for single-namespace type`, async () => { @@ -2092,7 +2098,7 @@ describe('SavedObjectsRepository', () => { it(`should use default index`, async () => { await createSuccess(type, attributes, { id }); expect(client.create).toHaveBeenCalledWith( - expect.objectContaining({ index: '.kibana-test' }), + expect.objectContaining({ index: '.kibana-test_8.0.0-testing' }), expect.anything() ); }); @@ -2100,7 +2106,7 @@ describe('SavedObjectsRepository', () => { it(`should use custom index`, async () => { await createSuccess(CUSTOM_INDEX_TYPE, attributes, { id }); expect(client.create).toHaveBeenCalledWith( - expect.objectContaining({ index: 'custom' }), + expect.objectContaining({ index: 'custom_8.0.0-testing' }), expect.anything() ); }); @@ -2680,7 +2686,9 @@ describe('SavedObjectsRepository', () => { it(`should use all indices for types that are not namespace-agnostic`, async () => { await deleteByNamespaceSuccess(namespace); expect(client.updateByQuery).toHaveBeenCalledWith( - expect.objectContaining({ index: ['.kibana-test', 'custom'] }), + expect.objectContaining({ + index: ['.kibana-test_8.0.0-testing', 'custom_8.0.0-testing'], + }), expect.anything() ); }); 
@@ -2774,7 +2782,7 @@ describe('SavedObjectsRepository', () => { await removeReferencesToSuccess(); expect(client.updateByQuery).toHaveBeenCalledWith( expect.objectContaining({ - index: ['.kibana-test', 'custom'], + index: ['.kibana-test_8.0.0-testing', 'custom_8.0.0-testing'], }), expect.anything() ); diff --git a/src/core/server/saved_objects/service/lib/repository.ts b/src/core/server/saved_objects/service/lib/repository.ts index c081c59911405..6798f411d87a9 100644 --- a/src/core/server/saved_objects/service/lib/repository.ts +++ b/src/core/server/saved_objects/service/lib/repository.ts @@ -2089,7 +2089,6 @@ export class SavedObjectsRepository { defaultIndex: this._index, typeRegistry: this._registry, kibanaVersion: this._migrator.kibanaVersion, - migV2Enabled: this._migrator.soMigrationsConfig.enableV2, }); } diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker index 4b5c2e25084ed..235a5fbe1a1a3 100755 --- a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker +++ b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker @@ -94,7 +94,6 @@ kibana_vars=( map.tilemap.url migrations.batchSize migrations.maxBatchSizeBytes - migrations.enableV2 migrations.pollInterval migrations.retryAttempts migrations.scrollDuration diff --git a/src/plugins/telemetry/common/constants.ts b/src/plugins/telemetry/common/constants.ts index 4493d0e3ba31c..d6111d4124a07 100644 --- a/src/plugins/telemetry/common/constants.ts +++ b/src/plugins/telemetry/common/constants.ts 
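Review bot: Removing `migrations.enableV2` from `kibana_vars` means a `MIGRATIONS_ENABLEV2` environment variable is no longer translated into a `--migrations.enableV2` argument, so a container image pinned to v1 migrations starts with the new default silently rather than failing. If the config key was dropped from the schema at the same time (not visible in this diff), leaving the entry in the list would presumably surface an unknown-setting error at startup, which is the safer failure mode for an operator who has not read the release notes. At minimum the removal deserves a line in the deprecation notes for the docker image, since the other `migrations.*` keys remain accepted.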
@@ -27,21 +27,32 @@ export const PATH_TO_ADVANCED_SETTINGS = '/app/management/kibana/settings'; */ export const PRIVACY_STATEMENT_URL = `https://www.elastic.co/legal/privacy-statement`; +/** + * The telemetry payload content encryption encoding + */ +export const PAYLOAD_CONTENT_ENCODING = 'aes256gcm'; + /** * The endpoint version when hitting the remote telemetry service */ -export const ENDPOINT_VERSION = 'v2'; +export const ENDPOINT_VERSION = 'v3'; + +/** + * The staging telemetry endpoint for the remote telemetry service. + */ + +export const ENDPOINT_STAGING = 'https://telemetry-staging.elastic.co/'; + +/** + * The production telemetry endpoint for the remote telemetry service. + */ + +export const ENDPOINT_PROD = 'https://telemetry.elastic.co/'; /** - * The telemetry endpoints for the remote telemetry service. + * The telemetry channels for the remote telemetry service. */ -export const TELEMETRY_ENDPOINT = { - MAIN_CHANNEL: { - PROD: `https://telemetry.elastic.co/xpack/${ENDPOINT_VERSION}/send`, - STAGING: `https://telemetry-staging.elastic.co/xpack/${ENDPOINT_VERSION}/send`, - }, - OPT_IN_STATUS_CHANNEL: { - PROD: `https://telemetry.elastic.co/opt_in_status/${ENDPOINT_VERSION}/send`, - STAGING: `https://telemetry-staging.elastic.co/opt_in_status/${ENDPOINT_VERSION}/send`, - }, +export const TELEMETRY_CHANNELS = { + SNAPSHOT_CHANNEL: 'kibana-snapshot', + OPT_IN_STATUS_CHANNEL: 'kibana-opt_in_status', }; diff --git a/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.test.ts b/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.test.ts index 74d45f6a9f7d4..c7f9984269581 100644 --- a/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.test.ts +++ b/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.test.ts 
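Review bot: `PAYLOAD_CONTENT_ENCODING = 'aes256gcm'` is a free-standing literal that the senders put into `X-Elastic-Content-Encoding`, while the encryption itself is performed by `createRequestEncryptor(telemetryJWKS)` in `telemetry_collection_manager` (see the `encrypt.ts` hunk below); nothing ties the advertised encoding to the algorithm the encryptor actually uses, so a change on either side silently mislabels the payload. The doc comment should at least say so, e.g. `/** Content encoding advertised in the X-Elastic-Content-Encoding header; must match the algorithm used by createRequestEncryptor in telemetry_collection_manager. */`, and ideally the value would be exported from the encryption module so there is a single source of truth. The current wording "content encryption encoding" also does not say where the value is consumed.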
@@ -6,14 +6,55 @@ * Side Public License, v 1. */ -import { getTelemetryChannelEndpoint } from './get_telemetry_channel_endpoint'; -import { TELEMETRY_ENDPOINT } from '../constants'; +import { + getTelemetryChannelEndpoint, + getChannel, + getBaseUrl, +} from './get_telemetry_channel_endpoint'; + +describe('getBaseUrl', () => { + it('throws on unknown env', () => { + expect(() => + // @ts-expect-error + getBaseUrl('ANY') + ).toThrowErrorMatchingInlineSnapshot(`"Unknown telemetry endpoint env ANY."`); + }); + + it('returns correct prod base url', () => { + const baseUrl = getBaseUrl('prod'); + expect(baseUrl).toMatchInlineSnapshot(`"https://telemetry.elastic.co/"`); + }); + + it('returns correct staging base url', () => { + const baseUrl = getBaseUrl('staging'); + expect(baseUrl).toMatchInlineSnapshot(`"https://telemetry-staging.elastic.co/"`); + }); +}); + +describe('getChannel', () => { + it('throws on unknown channel', () => { + expect(() => + // @ts-expect-error + getChannel('ANY') + ).toThrowErrorMatchingInlineSnapshot(`"Unknown telemetry channel ANY."`); + }); + + it('returns correct snapshot channel name', () => { + const channelName = getChannel('snapshot'); + expect(channelName).toMatchInlineSnapshot(`"kibana-snapshot"`); + }); + + it('returns correct optInStatus channel name', () => { + const channelName = getChannel('optInStatus'); + expect(channelName).toMatchInlineSnapshot(`"kibana-opt_in_status"`); + }); +}); describe('getTelemetryChannelEndpoint', () => { it('throws on unknown env', () => { expect(() => // @ts-expect-error - getTelemetryChannelEndpoint({ env: 'ANY', channelName: 'main' }) + getTelemetryChannelEndpoint({ env: 'ANY', channelName: 'snapshot' }) ).toThrowErrorMatchingInlineSnapshot(`"Unknown telemetry endpoint env ANY."`); }); 
@@ -24,25 +65,33 @@ describe('getTelemetryChannelEndpoint', () => { ).toThrowErrorMatchingInlineSnapshot(`"Unknown telemetry channel ANY."`); }); - describe('main channel', () => { + describe('snapshot channel', () => { it('returns correct prod endpoint', () => { - const endpoint = getTelemetryChannelEndpoint({ env: 'prod', channelName: 'main' }); - expect(endpoint).toBe(TELEMETRY_ENDPOINT.MAIN_CHANNEL.PROD); + const endpoint = getTelemetryChannelEndpoint({ env: 'prod', channelName: 'snapshot' }); + expect(endpoint).toMatchInlineSnapshot( + `"https://telemetry.elastic.co/v3/send/kibana-snapshot"` + ); }); it('returns correct staging endpoint', () => { - const endpoint = getTelemetryChannelEndpoint({ env: 'staging', channelName: 'main' }); - expect(endpoint).toBe(TELEMETRY_ENDPOINT.MAIN_CHANNEL.STAGING); + const endpoint = getTelemetryChannelEndpoint({ env: 'staging', channelName: 'snapshot' }); + expect(endpoint).toMatchInlineSnapshot( + `"https://telemetry-staging.elastic.co/v3/send/kibana-snapshot"` + ); }); }); describe('optInStatus channel', () => { it('returns correct prod endpoint', () => { const endpoint = getTelemetryChannelEndpoint({ env: 'prod', channelName: 'optInStatus' }); - expect(endpoint).toBe(TELEMETRY_ENDPOINT.OPT_IN_STATUS_CHANNEL.PROD); + expect(endpoint).toMatchInlineSnapshot( + `"https://telemetry.elastic.co/v3/send/kibana-opt_in_status"` + ); }); it('returns correct staging endpoint', () => { const endpoint = getTelemetryChannelEndpoint({ env: 'staging', channelName: 'optInStatus' }); - expect(endpoint).toBe(TELEMETRY_ENDPOINT.OPT_IN_STATUS_CHANNEL.STAGING); + expect(endpoint).toMatchInlineSnapshot( + `"https://telemetry-staging.elastic.co/v3/send/kibana-opt_in_status"` + ); }); }); }); diff --git a/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.ts b/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.ts index a0af7878afef6..75d83611b8c8d 100644 
--- a/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.ts +++ b/src/plugins/telemetry/common/telemetry_config/get_telemetry_channel_endpoint.ts @@ -6,29 +6,48 @@ * Side Public License, v 1. */ -import { TELEMETRY_ENDPOINT } from '../constants'; +import { + ENDPOINT_VERSION, + ENDPOINT_STAGING, + ENDPOINT_PROD, + TELEMETRY_CHANNELS, +} from '../constants'; +export type ChannelName = 'snapshot' | 'optInStatus'; +export type TelemetryEnv = 'staging' | 'prod'; export interface GetTelemetryChannelEndpointConfig { - channelName: 'main' | 'optInStatus'; - env: 'staging' | 'prod'; + channelName: ChannelName; + env: TelemetryEnv; } -export function getTelemetryChannelEndpoint({ - channelName, - env, -}: GetTelemetryChannelEndpointConfig): string { - if (env !== 'staging' && env !== 'prod') { - throw new Error(`Unknown telemetry endpoint env ${env}.`); - } - - const endpointEnv = env === 'staging' ? 'STAGING' : 'PROD'; - +export function getChannel(channelName: ChannelName): string { switch (channelName) { - case 'main': - return TELEMETRY_ENDPOINT.MAIN_CHANNEL[endpointEnv]; + case 'snapshot': + return TELEMETRY_CHANNELS.SNAPSHOT_CHANNEL; case 'optInStatus': - return TELEMETRY_ENDPOINT.OPT_IN_STATUS_CHANNEL[endpointEnv]; + return TELEMETRY_CHANNELS.OPT_IN_STATUS_CHANNEL; default: throw new Error(`Unknown telemetry channel ${channelName}.`); } } + +export function getBaseUrl(env: TelemetryEnv): string { + switch (env) { + case 'prod': + return ENDPOINT_PROD; + case 'staging': + return ENDPOINT_STAGING; + default: + throw new Error(`Unknown telemetry endpoint env ${env}.`); + } +} + +export function getTelemetryChannelEndpoint({ + channelName, + env, +}: GetTelemetryChannelEndpointConfig): string { + const baseUrl = getBaseUrl(env); + const channelPath = getChannel(channelName); + + return `${baseUrl}${ENDPOINT_VERSION}/send/${channelPath}`; +} 
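Review bot: `getTelemetryChannelEndpoint` builds the URL by plain concatenation, `${baseUrl}${ENDPOINT_VERSION}/send/${channelPath}`, so it is only correct because `ENDPOINT_PROD` and `ENDPOINT_STAGING` happen to end in a `/`; dropping that slash in `constants.ts` would yield `https://telemetry.elastic.cov3/send/...` and the snapshot tests are the only thing that would catch it. `return new URL(\`${ENDPOINT_VERSION}/send/${channelPath}\`, baseUrl).toString();` produces the same string for the current constants and throws on a malformed base instead of inventing a host, which matters for something that decides where usage data is posted. The `default:` branches in `getChannel` and `getBaseUrl` are fine, but an explicit `const exhaustive: never = env;` before the `throw` would make the compiler flag a new `TelemetryEnv`/`ChannelName` member that is missing a case, rather than leaving it to the runtime error.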
diff --git a/src/plugins/telemetry/common/telemetry_config/index.ts b/src/plugins/telemetry/common/telemetry_config/index.ts index eb268639cad91..b15475280fe85 100644 --- a/src/plugins/telemetry/common/telemetry_config/index.ts +++ b/src/plugins/telemetry/common/telemetry_config/index.ts @@ -12,4 +12,8 @@ export { getTelemetryAllowChangingOptInStatus } from './get_telemetry_allow_chan export { getTelemetryFailureDetails } from './get_telemetry_failure_details'; export type { TelemetryFailureDetails } from './get_telemetry_failure_details'; export { getTelemetryChannelEndpoint } from './get_telemetry_channel_endpoint'; -export type { GetTelemetryChannelEndpointConfig } from './get_telemetry_channel_endpoint'; +export type { + GetTelemetryChannelEndpointConfig, + ChannelName, + TelemetryEnv, +} from './get_telemetry_channel_endpoint'; diff --git a/src/plugins/telemetry/common/types.ts b/src/plugins/telemetry/common/types.ts new file mode 100644 index 0000000000000..aefbbd2358861 --- /dev/null +++ b/src/plugins/telemetry/common/types.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export type EncryptedTelemetryPayload = Array<{ clusterUuid: string; stats: string }>; +export type UnencryptedTelemetryPayload = Array<{ clusterUuid: string; stats: object }>; diff --git a/src/plugins/telemetry/public/services/telemetry_sender.test.ts b/src/plugins/telemetry/public/services/telemetry_sender.test.ts index 50738b11e508d..10da46fe2761d 100644 --- a/src/plugins/telemetry/public/services/telemetry_sender.test.ts +++ b/src/plugins/telemetry/public/services/telemetry_sender.test.ts 
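Review bot: `EncryptedTelemetryPayload` and `UnencryptedTelemetryPayload` in the new `types.ts` differ only in `stats: string` versus `stats: object`, so any `{ clusterUuid, stats: string }` is structurally an "encrypted" payload whether or not it ever went through the encryptor, and the type gives the senders no protection against posting cleartext. A branded string, `type EncryptedStats = string & { readonly __encrypted: unique symbol }`, returned only by `encryptTelemetry` would make `EncryptedTelemetryPayload` constructible solely from the encryptor's output. `object` on the unencrypted side is also very loose (it admits arrays, `Date`, class instances); `Record<string, unknown>` is the conventional choice for a JSON document of unknown shape.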
@@ -171,8 +171,11 @@ describe('TelemetrySender', () => { }); it('sends report if due', async () => { + const mockClusterUuid = 'mk_uuid'; const mockTelemetryUrl = 'telemetry_cluster_url'; - const mockTelemetryPayload = ['hashed_cluster_usage_data1']; + const mockTelemetryPayload = [ + { clusterUuid: mockClusterUuid, stats: 'hashed_cluster_usage_data1' }, + ]; const telemetryService = mockTelemetryService(); const telemetrySender = new TelemetrySender(telemetryService); @@ -184,14 +187,21 @@ describe('TelemetrySender', () => { expect(telemetryService.fetchTelemetry).toBeCalledTimes(1); expect(mockFetch).toBeCalledTimes(1); - expect(mockFetch).toBeCalledWith(mockTelemetryUrl, { - method: 'POST', - headers: { - 'Content-Type': 'application/json', - 'X-Elastic-Stack-Version': telemetryService.currentKibanaVersion, - }, - body: mockTelemetryPayload[0], - }); + expect(mockFetch.mock.calls[0]).toMatchInlineSnapshot(` + Array [ + "telemetry_cluster_url", + Object { + "body": "hashed_cluster_usage_data1", + "headers": Object { + "Content-Type": "application/json", + "X-Elastic-Cluster-ID": "mk_uuid", + "X-Elastic-Content-Encoding": "aes256gcm", + "X-Elastic-Stack-Version": "mockKibanaVersion", + }, + "method": "POST", + }, + ] + `); }); it('sends report separately for every cluster', async () => { diff --git a/src/plugins/telemetry/public/services/telemetry_sender.ts b/src/plugins/telemetry/public/services/telemetry_sender.ts index fa97334495122..87287a420e725 100644 --- a/src/plugins/telemetry/public/services/telemetry_sender.ts +++ b/src/plugins/telemetry/public/services/telemetry_sender.ts 
@@ -6,9 +6,14 @@ * Side Public License, v 1. */ -import { REPORT_INTERVAL_MS, LOCALSTORAGE_KEY } from '../../common/constants'; +import { + REPORT_INTERVAL_MS, + LOCALSTORAGE_KEY, + PAYLOAD_CONTENT_ENCODING, +} from '../../common/constants'; import { TelemetryService } from './telemetry_service'; import { Storage } from '../../../kibana_utils/public'; +import type { EncryptedTelemetryPayload } from '../../common/types'; export class TelemetrySender { private readonly telemetryService: TelemetryService; @@ -57,18 +62,21 @@ export class TelemetrySender { this.isSending = true; try { const telemetryUrl = this.telemetryService.getTelemetryUrl(); - const telemetryData: string | string[] = await this.telemetryService.fetchTelemetry(); - const clusters: string[] = ([] as string[]).concat(telemetryData); + const telemetryPayload: EncryptedTelemetryPayload = + await this.telemetryService.fetchTelemetry(); + await Promise.all( - clusters.map( - async (cluster) => + telemetryPayload.map( + async ({ clusterUuid, stats }) => await fetch(telemetryUrl, { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Elastic-Stack-Version': this.telemetryService.currentKibanaVersion, + 'X-Elastic-Cluster-ID': clusterUuid, + 'X-Elastic-Content-Encoding': PAYLOAD_CONTENT_ENCODING, }, - body: cluster, + body: stats, }) ) ); diff --git a/src/plugins/telemetry/public/services/telemetry_service.test.ts b/src/plugins/telemetry/public/services/telemetry_service.test.ts index b23ba127c1522..ca4af0a903400 100644 --- a/src/plugins/telemetry/public/services/telemetry_service.test.ts +++ b/src/plugins/telemetry/public/services/telemetry_service.test.ts @@ -10,7 +10,7 @@ /* eslint-disable dot-notation */ import { mockTelemetryService } from '../mocks'; -import { TELEMETRY_ENDPOINT } from '../../common/constants'; + describe('TelemetryService', () => { describe('fetchTelemetry', () => { it('calls expected URL with 20 minutes - now', async () => { 
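Review bot: The per-cluster `fetch` in `sendIfDue` never inspects the response, and the browser `fetch` resolves on 4xx/5xx, so an endpoint that rejects the payload (wrong `X-Elastic-Content-Encoding`, unknown channel, throttling) still looks like a successful send to the code after the `try`, which is outside this hunk. `const res = await fetch(telemetryUrl, { ... });` followed by `if (!res.ok) throw new Error(\`telemetry send failed: ${res.status}\`);` would route that case through the existing error path. Separately, `Promise.all` rejects on the first failure while the remaining requests continue in flight, so one bad cluster aborts the batch as a whole; if the catch below treats that as "not sent", the clusters that did succeed will be re-posted next interval — `Promise.allSettled` plus a per-cluster check would avoid the duplicate reports.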
@@ -142,7 +142,9 @@ describe('TelemetryService', () => { config: { sendUsageTo: 'staging' }, }); - expect(telemetryService.getTelemetryUrl()).toBe(TELEMETRY_ENDPOINT.MAIN_CHANNEL.STAGING); + expect(telemetryService.getTelemetryUrl()).toMatchInlineSnapshot( + `"https://telemetry-staging.elastic.co/v3/send/kibana-snapshot"` + ); }); it('should return prod endpoint when sendUsageTo is set to prod', async () => { @@ -150,7 +152,9 @@ describe('TelemetryService', () => { config: { sendUsageTo: 'prod' }, }); - expect(telemetryService.getTelemetryUrl()).toBe(TELEMETRY_ENDPOINT.MAIN_CHANNEL.PROD); + expect(telemetryService.getTelemetryUrl()).toMatchInlineSnapshot( + `"https://telemetry.elastic.co/v3/send/kibana-snapshot"` + ); }); }); @@ -160,8 +164,8 @@ describe('TelemetryService', () => { config: { sendUsageTo: 'staging' }, }); - expect(telemetryService.getOptInStatusUrl()).toBe( - TELEMETRY_ENDPOINT.OPT_IN_STATUS_CHANNEL.STAGING + expect(telemetryService.getOptInStatusUrl()).toMatchInlineSnapshot( + `"https://telemetry-staging.elastic.co/v3/send/kibana-opt_in_status"` ); }); @@ -170,8 +174,8 @@ describe('TelemetryService', () => { config: { sendUsageTo: 'prod' }, }); - expect(telemetryService.getOptInStatusUrl()).toBe( - TELEMETRY_ENDPOINT.OPT_IN_STATUS_CHANNEL.PROD + expect(telemetryService.getOptInStatusUrl()).toMatchInlineSnapshot( + `"https://telemetry.elastic.co/v3/send/kibana-opt_in_status"` ); }); }); @@ -247,7 +251,7 @@ describe('TelemetryService', () => { const telemetryService = mockTelemetryService({ config: { userCanChangeSettings: undefined }, }); - const mockPayload = ['mock_hashed_opt_in_status_payload']; + const mockPayload = [{ clusterUuid: 'mk_uuid', stats: 'mock_hashed_opt_in_status_payload' }]; const mockUrl = 'mock_telemetry_optin_status_url'; const mockGetOptInStatusUrl = jest.fn().mockReturnValue(mockUrl); 
@@ -257,21 +261,28 @@ describe('TelemetryService', () => { expect(mockGetOptInStatusUrl).toBeCalledTimes(1); expect(mockFetch).toBeCalledTimes(1); - expect(mockFetch).toBeCalledWith(mockUrl, { - method: 'POST', - headers: { - 'Content-Type': 'application/json', - 'X-Elastic-Stack-Version': 'mockKibanaVersion', - }, - body: JSON.stringify(mockPayload), - }); + expect(mockFetch.mock.calls[0]).toMatchInlineSnapshot(` + Array [ + "mock_telemetry_optin_status_url", + Object { + "body": "mock_hashed_opt_in_status_payload", + "headers": Object { + "Content-Type": "application/json", + "X-Elastic-Cluster-ID": "mk_uuid", + "X-Elastic-Content-Encoding": "aes256gcm", + "X-Elastic-Stack-Version": "mockKibanaVersion", + }, + "method": "POST", + }, + ] + `); }); it('swallows errors if fetch fails', async () => { const telemetryService = mockTelemetryService({ config: { userCanChangeSettings: undefined }, }); - const mockPayload = ['mock_hashed_opt_in_status_payload']; + const mockPayload = [{ clusterUuid: 'mk_uuid', stats: 'mock_hashed_opt_in_status_payload' }]; const mockUrl = 'mock_telemetry_optin_status_url'; const mockGetOptInStatusUrl = jest.fn().mockReturnValue(mockUrl); diff --git a/src/plugins/telemetry/public/services/telemetry_service.ts b/src/plugins/telemetry/public/services/telemetry_service.ts index 4e52ec3a7e6ed..63e9b66a49a92 100644 --- a/src/plugins/telemetry/public/services/telemetry_service.ts +++ b/src/plugins/telemetry/public/services/telemetry_service.ts @@ -10,6 +10,8 @@ import { i18n } from '@kbn/i18n'; import { CoreStart } from 'kibana/public'; import { TelemetryPluginConfig } from '../plugin'; import { getTelemetryChannelEndpoint } from '../../common/telemetry_config'; +import type { UnencryptedTelemetryPayload, EncryptedTelemetryPayload } from '../../common/types'; +import { PAYLOAD_CONTENT_ENCODING } from '../../common/constants'; interface TelemetryServiceConstructor { config: TelemetryPluginConfig; 
@@ -101,7 +103,7 @@ export class TelemetryService { /** Retrieve the URL to report telemetry **/ public getTelemetryUrl = () => { const { sendUsageTo } = this.config; - return getTelemetryChannelEndpoint({ channelName: 'main', env: sendUsageTo }); + return getTelemetryChannelEndpoint({ channelName: 'snapshot', env: sendUsageTo }); }; /** @@ -137,7 +139,7 @@ export class TelemetryService { }; /** Fetches an unencrypted telemetry payload so we can show it to the user **/ - public fetchExample = async () => { + public fetchExample = async (): Promise => { return await this.fetchTelemetry({ unencrypted: true }); }; @@ -145,11 +147,11 @@ export class TelemetryService { * Fetches telemetry payload * @param unencrypted Default `false`. Whether the returned payload should be encrypted or not. */ - public fetchTelemetry = async ({ unencrypted = false } = {}) => { + public fetchTelemetry = async ({ + unencrypted = false, + } = {}): Promise => { return this.http.post('/api/telemetry/v2/clusters/_stats', { - body: JSON.stringify({ - unencrypted, - }), + body: JSON.stringify({ unencrypted }), }); }; @@ -167,13 +169,16 @@ export class TelemetryService { try { // Report the option to the Kibana server to store the settings. // It returns the encrypted update to send to the telemetry cluster [{cluster_uuid, opt_in_status}] - const optInPayload = await this.http.post('/api/telemetry/v2/optIn', { - body: JSON.stringify({ enabled: optedIn }), - }); + const optInStatusPayload = await this.http.post( + '/api/telemetry/v2/optIn', + { + body: JSON.stringify({ enabled: optedIn }), + } + ); if (this.reportOptInStatusChange) { // Use the response to report about the change to the remote telemetry cluster. // If it's opt-out, this will be the last communication to the remote service. - await this.reportOptInStatus(optInPayload); + await this.reportOptInStatus(optInStatusPayload); } this.isOptedIn = optedIn; } catch (err) { 
@@ -216,18 +221,26 @@ export class TelemetryService { * Pushes the encrypted payload [{cluster_uuid, opt_in_status}] to the remote telemetry service * @param optInPayload [{cluster_uuid, opt_in_status}] encrypted by the server into an array of strings */ - private reportOptInStatus = async (optInPayload: string[]): Promise => { + private reportOptInStatus = async ( + optInStatusPayload: EncryptedTelemetryPayload + ): Promise => { const telemetryOptInStatusUrl = this.getOptInStatusUrl(); try { - await fetch(telemetryOptInStatusUrl, { - method: 'POST', - headers: { - 'Content-Type': 'application/json', - 'X-Elastic-Stack-Version': this.currentKibanaVersion, - }, - body: JSON.stringify(optInPayload), - }); + await Promise.all( + optInStatusPayload.map(async ({ clusterUuid, stats }) => { + return await fetch(telemetryOptInStatusUrl, { + method: 'POST', + headers: { + 'Content-Type': 'application/json', + 'X-Elastic-Stack-Version': this.currentKibanaVersion, + 'X-Elastic-Cluster-ID': clusterUuid, + 'X-Elastic-Content-Encoding': PAYLOAD_CONTENT_ENCODING, + }, + body: stats, + }); + }) + ); } catch (err) { // Sending the ping is best-effort. Telemetry tries to send the ping once and discards it immediately if sending fails. // swallow any errors diff --git a/src/plugins/telemetry/server/fetcher.test.ts b/src/plugins/telemetry/server/fetcher.test.ts index 15b40d2b3e4e5..8d427808bb5e1 100644 --- a/src/plugins/telemetry/server/fetcher.test.ts +++ b/src/plugins/telemetry/server/fetcher.test.ts 
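Review bot: The JSDoc above `reportOptInStatus` is now wrong: it still documents `@param optInPayload [{cluster_uuid, opt_in_status}] encrypted by the server into an array of strings`, while the parameter was renamed to `optInStatusPayload` and is an `EncryptedTelemetryPayload`, i.e. an array of `{ clusterUuid, stats }` objects whose `stats` string becomes the request body. Suggested replacement: `@param optInStatusPayload one \`{ clusterUuid, stats }\` entry per cluster; \`stats\` is the server-encrypted opt-in record and is posted as the raw body, with \`clusterUuid\` sent in \`X-Elastic-Cluster-ID\``. The summary line "Pushes the encrypted payload [{cluster_uuid, opt_in_status}]" should be updated to the same shape so the two do not disagree.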
@@ -71,7 +71,11 @@ describe('FetcherTask', () => { const initializerContext = coreMock.createPluginInitializerContext({}); const fetcherTask = new FetcherTask(initializerContext); const mockTelemetryUrl = 'mock_telemetry_url'; - const mockClusters = ['cluster_1', 'cluster_2']; + const mockClusters = [ + { clusterUuid: 'mk_uuid_1', stats: 'cluster_1' }, + { clusterUuid: 'mk_uuid_2', stats: 'cluster_2' }, + ]; + const getCurrentConfigs = jest.fn().mockResolvedValue({ telemetryUrl: mockTelemetryUrl, }); @@ -95,9 +99,8 @@ describe('FetcherTask', () => { expect(areAllCollectorsReady).toBeCalledTimes(1); expect(fetchTelemetry).toBeCalledTimes(1); - expect(sendTelemetry).toBeCalledTimes(2); - expect(sendTelemetry).toHaveBeenNthCalledWith(1, mockTelemetryUrl, mockClusters[0]); - expect(sendTelemetry).toHaveBeenNthCalledWith(2, mockTelemetryUrl, mockClusters[1]); + expect(sendTelemetry).toBeCalledTimes(1); + expect(sendTelemetry).toHaveBeenNthCalledWith(1, mockTelemetryUrl, mockClusters); expect(updateReportFailure).toBeCalledTimes(0); }); }); diff --git a/src/plugins/telemetry/server/fetcher.ts b/src/plugins/telemetry/server/fetcher.ts index e15b5be2604ec..02ac428b07667 100644 --- a/src/plugins/telemetry/server/fetcher.ts +++ b/src/plugins/telemetry/server/fetcher.ts @@ -25,7 +25,8 @@ import { getTelemetryFailureDetails, } from '../common/telemetry_config'; import { getTelemetrySavedObject, updateTelemetrySavedObject } from './telemetry_repository'; -import { REPORT_INTERVAL_MS } from '../common/constants'; +import { REPORT_INTERVAL_MS, PAYLOAD_CONTENT_ENCODING } from '../common/constants'; +import type { EncryptedTelemetryPayload } from '../common/types'; import { TelemetryConfigType } from './config'; export interface FetcherTaskDepsStart { @@ -103,7 +104,7 @@ export class FetcherTask { return; } - let clusters: string[] = []; + let clusters: EncryptedTelemetryPayload = []; this.isSending = true; try { 
@@ -120,9 +121,7 @@ export class FetcherTask { try { const { telemetryUrl } = telemetryConfig; - for (const cluster of clusters) { - await this.sendTelemetry(telemetryUrl, cluster); - } + await this.sendTelemetry(telemetryUrl, clusters); await this.updateLastReported(); } catch (err) { @@ -141,7 +140,7 @@ export class FetcherTask { const allowChangingOptInStatus = config.allowChangingOptInStatus; const configTelemetryOptIn = typeof config.optIn === 'undefined' ? null : config.optIn; const telemetryUrl = getTelemetryChannelEndpoint({ - channelName: 'main', + channelName: 'snapshot', env: config.sendUsageTo, }); const { failureCount, failureVersion } = getTelemetryFailureDetails({ @@ -206,13 +205,16 @@ export class FetcherTask { return false; } - private async fetchTelemetry() { + private async fetchTelemetry(): Promise { return await this.telemetryCollectionManager!.getStats({ unencrypted: false, }); } - private async sendTelemetry(telemetryUrl: string, cluster: string): Promise { + private async sendTelemetry( + telemetryUrl: string, + payload: EncryptedTelemetryPayload + ): Promise { this.logger.debug(`Sending usage stats.`); /** * send OPTIONS before sending usage data. @@ -222,10 +224,18 @@ export class FetcherTask { method: 'options', }); - await fetch(telemetryUrl, { - method: 'post', - body: cluster, - headers: { 'X-Elastic-Stack-Version': this.currentKibanaVersion }, - }); + await Promise.all( + payload.map(async ({ clusterUuid, stats }) => { + await fetch(telemetryUrl, { + method: 'post', + body: stats, + headers: { + 'X-Elastic-Stack-Version': this.currentKibanaVersion, + 'X-Elastic-Cluster-ID': clusterUuid, + 'X-Elastic-Content-Encoding': PAYLOAD_CONTENT_ENCODING, + }, + }); + }) + ); } } diff --git a/src/plugins/telemetry/server/plugin.ts b/src/plugins/telemetry/server/plugin.ts index 21fd85018d6db..aa22410358f72 100644 --- a/src/plugins/telemetry/server/plugin.ts +++ b/src/plugins/telemetry/server/plugin.ts 
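Review bot: `sendTelemetry` treats any resolved `fetch` as success, and the `@@ -120` hunk then calls `updateLastReported()`, so if `fetch` here is `node-fetch` (as it is in `telemetry_opt_in_stats.ts`, whose tests mock `node-fetch`) a 4xx/5xx from the endpoint marks the batch as reported and the data is not retried. `const res = await fetch(telemetryUrl, { ... });` plus `if (!res.ok) throw new Error(\`telemetry endpoint returned ${res.status} for cluster ${clusterUuid}\`);` would let the existing catch record the failure. Note also that `X-Elastic-Cluster-ID: clusterUuid` now carries the cluster UUID in a cleartext header on every request, where previously it travelled only inside the encrypted body; it is protected by TLS in transit but is visible to any intermediary or server-side request log, which is worth stating in the header's documentation so nobody assumes the identifier is still confidential.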
@@ -115,7 +115,10 @@ export class TelemetryPlugin implements Plugin { const { sendUsageTo } = await config$.pipe(take(1)).toPromise(); - const telemetryUrl = getTelemetryChannelEndpoint({ env: sendUsageTo, channelName: 'main' }); + const telemetryUrl = getTelemetryChannelEndpoint({ + env: sendUsageTo, + channelName: 'snapshot', + }); return new URL(telemetryUrl); }, diff --git a/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.test.ts b/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.test.ts index acc9a863af61b..edf9cf5b5e18c 100644 --- a/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.test.ts +++ b/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.test.ts @@ -10,11 +10,14 @@ jest.mock('node-fetch'); import fetch from 'node-fetch'; import { sendTelemetryOptInStatus } from './telemetry_opt_in_stats'; import { StatsGetterConfig } from 'src/plugins/telemetry_collection_manager/server'; -import { TELEMETRY_ENDPOINT } from '../../common/constants'; + describe('sendTelemetryOptInStatus', () => { + const mockClusterUuid = 'mk_uuid'; const mockStatsGetterConfig = { unencrypted: false } as StatsGetterConfig; const mockTelemetryCollectionManager = { - getOptInStats: jest.fn().mockResolvedValue(['mock_opt_in_hashed_value']), + getOptInStats: jest + .fn() + .mockResolvedValue([{ clusterUuid: mockClusterUuid, stats: 'mock_opt_in_hashed_value' }]), }; beforeEach(() => { 
@@ -35,11 +38,21 @@ describe('sendTelemetryOptInStatus', () => { ); expect(result).toBeUndefined(); expect(fetch).toBeCalledTimes(1); - expect(fetch).toBeCalledWith(TELEMETRY_ENDPOINT.OPT_IN_STATUS_CHANNEL.PROD, { - method: 'post', - body: '["mock_opt_in_hashed_value"]', - headers: { 'X-Elastic-Stack-Version': mockConfig.currentKibanaVersion }, - }); + expect((fetch as jest.MockedFunction).mock.calls[0]).toMatchInlineSnapshot(` + Array [ + "https://telemetry.elastic.co/v3/send/kibana-opt_in_status", + Object { + "body": "mock_opt_in_hashed_value", + "headers": Object { + "Content-Type": "application/json", + "X-Elastic-Cluster-ID": "mk_uuid", + "X-Elastic-Content-Encoding": "aes256gcm", + "X-Elastic-Stack-Version": "mock_kibana_version", + }, + "method": "post", + }, + ] + `); }); it('sends to staging endpoint on "sendUsageTo: staging"', async () => { @@ -56,10 +69,20 @@ describe('sendTelemetryOptInStatus', () => { ); expect(fetch).toBeCalledTimes(1); - expect(fetch).toBeCalledWith(TELEMETRY_ENDPOINT.OPT_IN_STATUS_CHANNEL.STAGING, { - method: 'post', - body: '["mock_opt_in_hashed_value"]', - headers: { 'X-Elastic-Stack-Version': mockConfig.currentKibanaVersion }, - }); + expect((fetch as jest.MockedFunction).mock.calls[0]).toMatchInlineSnapshot(` + Array [ + "https://telemetry-staging.elastic.co/v3/send/kibana-opt_in_status", + Object { + "body": "mock_opt_in_hashed_value", + "headers": Object { + "Content-Type": "application/json", + "X-Elastic-Cluster-ID": "mk_uuid", + "X-Elastic-Content-Encoding": "aes256gcm", + "X-Elastic-Stack-Version": "mock_kibana_version", + }, + "method": "post", + }, + ] + `); }); }); diff --git a/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.ts b/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.ts index f6b7eddcbe765..2a95665662194 100644 --- a/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.ts +++ b/src/plugins/telemetry/server/routes/telemetry_opt_in_stats.ts 
@@ -15,6 +15,8 @@ import {
   StatsGetterConfig,
 } from 'src/plugins/telemetry_collection_manager/server';
 import { getTelemetryChannelEndpoint } from '../../common/telemetry_config';
+import { PAYLOAD_CONTENT_ENCODING } from '../../common/constants';
+import type { UnencryptedTelemetryPayload } from '../../common/types';
 interface SendTelemetryOptInStatusConfig {
   sendUsageTo: 'staging' | 'prod';
@@ -26,23 +28,30 @@ export async function sendTelemetryOptInStatus(
   telemetryCollectionManager: Pick,
   config: SendTelemetryOptInStatusConfig,
   statsGetterConfig: StatsGetterConfig
-) {
+): Promise {
   const { sendUsageTo, newOptInStatus, currentKibanaVersion } = config;
   const optInStatusUrl = getTelemetryChannelEndpoint({
     env: sendUsageTo,
     channelName: 'optInStatus',
   });
-  const optInStatus = await telemetryCollectionManager.getOptInStats(
-    newOptInStatus,
-    statsGetterConfig
-  );
+  const optInStatusPayload: UnencryptedTelemetryPayload =
+    await telemetryCollectionManager.getOptInStats(newOptInStatus, statsGetterConfig);
-  await fetch(optInStatusUrl, {
-    method: 'post',
-    body: JSON.stringify(optInStatus),
-    headers: { 'X-Elastic-Stack-Version': currentKibanaVersion },
-  });
+  await Promise.all(
+    optInStatusPayload.map(async ({ clusterUuid, stats }) => {
+      return await fetch(optInStatusUrl, {
+        method: 'post',
+        body: typeof stats === 'string' ? stats : JSON.stringify(stats),
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Elastic-Stack-Version': currentKibanaVersion,
+          'X-Elastic-Cluster-ID': clusterUuid,
+          'X-Elastic-Content-Encoding': PAYLOAD_CONTENT_ENCODING,
+        },
+      });
+    })
+  );
 }
 export function registerTelemetryOptInStatsRoutes(
diff --git a/src/plugins/telemetry_collection_manager/server/encryption/encrypt.ts b/src/plugins/telemetry_collection_manager/server/encryption/encrypt.ts
index 1b80a2c29b362..2ed69c2f8a944 100644
--- a/src/plugins/telemetry_collection_manager/server/encryption/encrypt.ts
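Review bot: The `'X-Elastic-Content-Encoding': PAYLOAD_CONTENT_ENCODING` header is attached to every request, yet the `typeof stats === 'string' ? stats : JSON.stringify(stats)` expression just above it shows the function also accepts non-string payloads — the plugin.ts hunk in this same commit returns the raw `clusterStats` object when `config.unencrypted` is set. In that case plaintext opt-in stats would be posted off-box carrying an encryption label the body does not have. Either gate the header on the string case, `...(typeof stats === 'string' ? { 'X-Elastic-Content-Encoding': PAYLOAD_CONTENT_ENCODING } : {})`, or have the function throw when `statsGetterConfig.unencrypted` is true so nothing unencrypted can be sent to the remote endpoint at all. Separately, `node-fetch` resolves on non-2xx responses, so a rejected delivery stays silent; checking `res.ok` on the returned response would surface it (the pre-existing code had the same gap).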
+++ b/src/plugins/telemetry_collection_manager/server/encryption/encrypt.ts @@ -14,11 +14,11 @@ export function getKID(useProdKey = false): string { } export async function encryptTelemetry( - payload: Payload | Payload[], + payload: Payload, { useProdKey = false } = {} -): Promise { +): Promise { const kid = getKID(useProdKey); const encryptor = await createRequestEncryptor(telemetryJWKS); - const clusters = ([] as Payload[]).concat(payload); - return Promise.all(clusters.map((cluster) => encryptor.encrypt(kid, cluster))); + + return await encryptor.encrypt(kid, payload); } diff --git a/src/plugins/telemetry_collection_manager/server/plugin.test.ts b/src/plugins/telemetry_collection_manager/server/plugin.test.ts index d05799f82c354..6e37ef5ffd4f5 100644 --- a/src/plugins/telemetry_collection_manager/server/plugin.test.ts +++ b/src/plugins/telemetry_collection_manager/server/plugin.test.ts @@ -91,7 +91,9 @@ describe('Telemetry Collection Manager', () => { cluster_uuid: 'clusterUuid', cluster_name: 'clusterName', timestamp: new Date().toISOString(), - cluster_stats: {}, + cluster_stats: { + cluster_uuid: 'clusterUuid', + }, stack_stats: {}, version: 'version', }; @@ -120,7 +122,12 @@ describe('Telemetry Collection Manager', () => { { clusterUuid: 'clusterUuid' }, ]); collectionStrategy.statsGetter.mockResolvedValue([basicStats]); - await expect(setupApi.getStats(config)).resolves.toStrictEqual([expect.any(String)]); + await expect(setupApi.getStats(config)).resolves.toStrictEqual([ + { + clusterUuid: 'clusterUuid', + stats: expect.any(String), + }, + ]); expect( collectionStrategy.clusterDetailsGetter.mock.calls[0][0].soClient ).toBeInstanceOf(TelemetrySavedObjectsClient); 
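Review bot: `encryptTelemetry` now encrypts a single payload and no longer accepts `Payload[]`, but it still carries no TSDoc stating its contract; a short comment would help: `/** Encrypt one telemetry payload with the telemetry JWKS. `useProdKey` selects the production key id via getKID. Resolves to the encrypted payload (a string, per plugin.test.ts). */` split over separate lines. The `return await encryptor.encrypt(kid, payload)` can simply be `return encryptor.encrypt(kid, payload);` — outside a try/catch the extra `await` changes nothing. Callers still passing arrays will now fail type-checking, which is the right guard; the ones in this commit were updated accordingly.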
@@ -141,7 +148,10 @@ describe('Telemetry Collection Manager', () => { { clusterUuid: 'clusterUuid' }, ]); await expect(setupApi.getOptInStats(true, config)).resolves.toStrictEqual([ - expect.any(String), + { + clusterUuid: 'clusterUuid', + stats: expect.any(String), + }, ]); expect( collectionStrategy.clusterDetailsGetter.mock.calls[0][0].soClient @@ -153,7 +163,10 @@ describe('Telemetry Collection Manager', () => { { clusterUuid: 'clusterUuid' }, ]); await expect(setupApi.getOptInStats(false, config)).resolves.toStrictEqual([ - expect.any(String), + { + clusterUuid: 'clusterUuid', + stats: expect.any(String), + }, ]); expect( collectionStrategy.clusterDetailsGetter.mock.calls[0][0].soClient @@ -181,7 +194,10 @@ describe('Telemetry Collection Manager', () => { ]); collectionStrategy.statsGetter.mockResolvedValue([basicStats]); await expect(setupApi.getStats(config)).resolves.toStrictEqual([ - { ...basicStats, collectionSource: 'test_collection' }, + { + clusterUuid: 'clusterUuid', + stats: { ...basicStats, collectionSource: 'test_collection' }, + }, ]); expect( collectionStrategy.clusterDetailsGetter.mock.calls[0][0].soClient @@ -203,7 +219,10 @@ describe('Telemetry Collection Manager', () => { { clusterUuid: 'clusterUuid' }, ]); await expect(setupApi.getOptInStats(true, config)).resolves.toStrictEqual([ - { cluster_uuid: 'clusterUuid', opt_in_status: true }, + { + clusterUuid: 'clusterUuid', + stats: { opt_in_status: true, cluster_uuid: 'clusterUuid' }, + }, ]); expect( collectionStrategy.clusterDetailsGetter.mock.calls[0][0].soClient @@ -215,7 +234,10 @@ describe('Telemetry Collection Manager', () => { { clusterUuid: 'clusterUuid' }, ]); await expect(setupApi.getOptInStats(false, config)).resolves.toStrictEqual([ - { cluster_uuid: 'clusterUuid', opt_in_status: false }, + { + clusterUuid: 'clusterUuid', + stats: { opt_in_status: false, cluster_uuid: 'clusterUuid' }, + }, ]); expect( collectionStrategy.clusterDetailsGetter.mock.calls[0][0].soClient 
diff --git a/src/plugins/telemetry_collection_manager/server/plugin.ts b/src/plugins/telemetry_collection_manager/server/plugin.ts index 9770395e0ec0c..6dd1de65a8bdc 100644 --- a/src/plugins/telemetry_collection_manager/server/plugin.ts +++ b/src/plugins/telemetry_collection_manager/server/plugin.ts @@ -28,6 +28,7 @@ import type { StatsGetterConfig, StatsCollectionConfig, UsageStatsPayload, + OptInStatsPayload, StatsCollectionContext, UnencryptedStatsGetterConfig, EncryptedStatsGetterConfig, @@ -163,6 +164,14 @@ export class TelemetryCollectionManagerPlugin } } + private async getOptInStats( + optInStatus: boolean, + config: UnencryptedStatsGetterConfig + ): Promise>; + private async getOptInStats( + optInStatus: boolean, + config: EncryptedStatsGetterConfig + ): Promise>; private async getOptInStats(optInStatus: boolean, config: StatsGetterConfig) { if (!this.usageCollection) { return []; @@ -179,13 +188,23 @@ export class TelemetryCollectionManagerPlugin optInStatus, statsCollectionConfig ); - if (optInStats && optInStats.length) { - this.logger.debug(`Got Opt In stats using ${collection.title} collection.`); - if (config.unencrypted) { - return optInStats; - } - return encryptTelemetry(optInStats, { useProdKey: this.isDistributable }); - } + + this.logger.debug(`Received Opt In stats using ${collection.title} collection.`); + + return await Promise.all( + optInStats.map(async (clusterStats) => { + const clusterUuid = clusterStats.cluster_uuid; + + return { + clusterUuid, + stats: config.unencrypted + ? clusterStats + : await encryptTelemetry(clusterStats, { + useProdKey: this.isDistributable, + }), + }; + }) + ); } catch (err) { this.logger.debug( `Failed to collect any opt in stats with collection ${collection.title}.` 
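Review bot: The removed `if (optInStats && optInStats.length)` guard let an empty result fall through, whereas the new `return await Promise.all(optInStats.map(...))` returns `[]` from the first collection tried, so any later collection in the enclosing loop (the `collection.title` log message suggests one; its header is outside the hunk) is no longer consulted. If that fall-through was intentional, keep it with `if (!optInStats.length) continue;` before the `Promise.all`, or add a comment stating that an empty result is final. The `Received Opt In stats` debug line is now emitted before anything is known about the result; including `optInStats.length` in the message keeps it informative.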
@@ -205,7 +224,7 @@ export class TelemetryCollectionManagerPlugin collection: CollectionStrategy, optInStatus: boolean, statsCollectionConfig: StatsCollectionConfig - ) => { + ): Promise => { const context: StatsCollectionContext = { logger: this.logger.get(collection.title), version: this.version, @@ -218,8 +237,12 @@ export class TelemetryCollectionManagerPlugin })); }; - private async getStats(config: UnencryptedStatsGetterConfig): Promise; - private async getStats(config: EncryptedStatsGetterConfig): Promise; + private async getStats( + config: UnencryptedStatsGetterConfig + ): Promise>; + private async getStats( + config: EncryptedStatsGetterConfig + ): Promise>; private async getStats(config: StatsGetterConfig) { if (!this.usageCollection) { return []; @@ -231,16 +254,25 @@ export class TelemetryCollectionManagerPlugin if (statsCollectionConfig) { try { const usageData = await this.getUsageForCollection(collection, statsCollectionConfig); - if (usageData.length) { - this.logger.debug(`Got Usage using ${collection.title} collection.`); - if (config.unencrypted) { - return usageData; - } - - return await encryptTelemetry(usageData, { - useProdKey: this.isDistributable, - }); - } + this.logger.debug(`Received Usage using ${collection.title} collection.`); + + return await Promise.all( + usageData.map(async (clusterStats) => { + const { cluster_uuid: clusterUuid } = clusterStats.cluster_stats as Record< + string, + string + >; + + return { + clusterUuid, + stats: config.unencrypted + ? clusterStats + : await encryptTelemetry(clusterStats, { + useProdKey: this.isDistributable, + }), + }; + }) + ); } catch (err) { this.logger.debug( `Failed to collect any usage with registered collection ${collection.title}.` diff --git a/src/plugins/telemetry_collection_manager/server/types.ts b/src/plugins/telemetry_collection_manager/server/types.ts index 985eff409c1de..648e457f9a238 100644 --- a/src/plugins/telemetry_collection_manager/server/types.ts 
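Review bot: `clusterStats.cluster_stats as Record<string, string>` extracts the cluster id from the untyped stats blob through a cast, so a payload whose `cluster_stats` lacks `cluster_uuid` silently yields `clusterUuid: undefined`, and the fixture in plugin.test.ts had to gain a nested `cluster_stats.cluster_uuid` in this same commit just to satisfy it. The sibling `getOptInStats` hunk reads the typed top-level `clusterStats.cluster_uuid`, and the same fixture shows the usage payload carrying that top-level field too; `const clusterUuid = clusterStats.cluster_uuid;` here would drop the cast and keep both paths consistent. If the nested field is genuinely what the receiving service keys on, say so in a comment and add an explicit check that it is a non-empty string before using it as an identifier.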
+++ b/src/plugins/telemetry_collection_manager/server/types.ts @@ -74,6 +74,11 @@ export interface UsageStatsPayload extends BasicStatsPayload { collectionSource: string; } +export interface OptInStatsPayload { + cluster_uuid: string; + opt_in_status: boolean; +} + export interface StatsCollectionContext { logger: Logger | Console; version: string; diff --git a/x-pack/plugins/cloud/public/plugin.test.ts b/x-pack/plugins/cloud/public/plugin.test.ts index a19a28d6c4713..c1c94375d7063 100644 --- a/x-pack/plugins/cloud/public/plugin.test.ts +++ b/x-pack/plugins/cloud/public/plugin.test.ts @@ -138,14 +138,22 @@ describe('Cloud Plugin', () => { describe('with memory', () => { beforeAll(() => { - // @ts-expect-error + // @ts-expect-error 2339 window.performance.memory = { - someMetric: 1, + get jsHeapSizeLimit() { + return 3; + }, + get totalJSHeapSize() { + return 2; + }, + get usedJSHeapSize() { + return 1; + }, }; }); afterAll(() => { - // @ts-expect-error + // @ts-expect-error 2339 delete window.performance.memory; }); @@ -159,7 +167,9 @@ describe('Cloud Plugin', () => { expect(fullStoryApiMock.event).toHaveBeenCalledWith('Loaded Kibana', { kibana_version_str: initContext.env.packageInfo.version, - some_metric_int: 1, + memory_js_heap_size_limit_int: 3, + memory_js_heap_size_total_int: 2, + memory_js_heap_size_used_int: 1, }); }); }); diff --git a/x-pack/plugins/cloud/public/plugin.ts b/x-pack/plugins/cloud/public/plugin.ts index 82fabea8b5a56..64b03acdc3ffd 100644 --- a/x-pack/plugins/cloud/public/plugin.ts +++ b/x-pack/plugins/cloud/public/plugin.ts @@ -16,7 +16,6 @@ import { } from 'src/core/public'; import { i18n } from '@kbn/i18n'; import { Subscription } from 'rxjs'; -import { mapKeys, snakeCase } from 'lodash'; import type { AuthenticatedUser, SecurityPluginSetup, 
@@ -250,11 +249,16 @@ export class CloudPlugin implements Plugin { } // Get performance information from the browser (non standard property - const memoryInfo = mapKeys( - // @ts-expect-error - window.performance.memory || {}, - (_, key) => `${snakeCase(key)}_int` - ); + // @ts-expect-error 2339 + const memory = window.performance.memory; + let memoryInfo = {}; + if (memory) { + memoryInfo = { + memory_js_heap_size_limit_int: memory.jsHeapSizeLimit, + memory_js_heap_size_total_int: memory.totalJSHeapSize, + memory_js_heap_size_used_int: memory.usedJSHeapSize, + }; + } // Record an event that Kibana was opened so we can easily search for sessions that use Kibana fullStory.event('Loaded Kibana', { // `str` suffix is required, see docs: https://help.fullstory.com/hc/en-us/articles/360020623234 diff --git a/x-pack/plugins/data_enhanced/kibana.json b/x-pack/plugins/data_enhanced/kibana.json index d678921e9ac7b..d89e76013ebd4 100644 --- a/x-pack/plugins/data_enhanced/kibana.json +++ b/x-pack/plugins/data_enhanced/kibana.json @@ -8,7 +8,15 @@ "githubTeam": "kibana-app-services" }, "configPath": ["xpack", "data_enhanced"], - "requiredPlugins": ["bfetch", "data", "features", "management", "share", "taskManager"], + "requiredPlugins": [ + "bfetch", + "data", + "features", + "management", + "share", + "taskManager", + "screenshotMode" + ], "optionalPlugins": ["kibanaUtils", "usageCollection", "security"], "server": true, "ui": true, diff --git a/x-pack/plugins/data_enhanced/public/plugin.ts b/x-pack/plugins/data_enhanced/public/plugin.ts index f26c1e8d0b62b..6ec645c932e05 100644 --- a/x-pack/plugins/data_enhanced/public/plugin.ts +++ b/x-pack/plugins/data_enhanced/public/plugin.ts 
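Review bot: `let memoryInfo = {}` is inferred as `{}`, so the three `memory_*_int` keys assigned inside the `if` are unchecked and a typo in one would pass silently; `let memoryInfo: Record<string, number> = {};` (or a single `const memoryInfo = memory ? { ... } : {};` expression) keeps them checked. The reason the three fields are enumerated instead of the removed `mapKeys` over the whole non-standard `performance.memory` object is worth recording so nobody reinstates the generic spread: `// Forward only these three known fields; never spread the whole non-standard object to FullStory`. The unchanged comment `(non standard property` above the hunk is also missing its closing parenthesis.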
@@ -22,6 +22,7 @@ import { toMountPoint } from '../../../../src/plugins/kibana_react/public'; import { createConnectedSearchSessionIndicator } from './search'; import { ConfigSchema } from '../config'; import { Storage } from '../../../../src/plugins/kibana_utils/public'; +import { ScreenshotModePluginStart } from '../../../../src/plugins/screenshot_mode/public'; export interface DataEnhancedSetupDependencies { bfetch: BfetchPublicSetup; @@ -31,6 +32,7 @@ export interface DataEnhancedSetupDependencies { export interface DataEnhancedStartDependencies { data: DataPublicPluginStart; share: SharePluginStart; + screenshotMode: ScreenshotModePluginStart; } export type DataEnhancedSetup = ReturnType; @@ -77,6 +79,7 @@ export class DataEnhancedPlugin .duration(this.config.search.sessions.notTouchedTimeout) .asMilliseconds(), usageCollector: this.usageCollector, + tourDisabled: plugins.screenshotMode.isScreenshotMode(), }) ) ), diff --git a/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.test.tsx b/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.test.tsx index 893f352b5d828..2fcdd8a7a6745 100644 --- a/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.test.tsx +++ b/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.test.tsx @@ -39,6 +39,7 @@ timeFilter.getRefreshIntervalUpdate$.mockImplementation(() => refreshInterval$); timeFilter.getRefreshInterval.mockImplementation(() => refreshInterval$.getValue()); const disableSaveAfterSessionCompletesTimeout = 5 * 60 * 1000; +const tourDisabled = false; function Container({ children }: { children?: ReactNode }) { return {children}; 
@@ -64,6 +65,7 @@ test("shouldn't show indicator in case no active search session", async () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); const { getByTestId, container } = render( @@ -92,6 +94,7 @@ test("shouldn't show indicator in case app hasn't opt-in", async () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); const { getByTestId, container } = render( @@ -122,6 +125,7 @@ test('should show indicator in case there is an active search session', async () disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); const { getByTestId } = render( @@ -147,6 +151,7 @@ test('should be disabled in case uiConfig says so ', async () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); render( @@ -170,6 +175,7 @@ test('should be disabled in case not enough permissions', async () => { storage, disableSaveAfterSessionCompletesTimeout, basePath, + tourDisabled, }); render( @@ -203,6 +209,7 @@ describe('Completed inactivity', () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); render( @@ -264,6 +271,7 @@ describe('tour steps', () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); const rendered = render( @@ -305,6 +313,7 @@ describe('tour steps', () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); const rendered = render( 
@@ -329,6 +338,51 @@ describe('tour steps', () => { expect(usageCollector.trackSessionIndicatorTourLoading).toHaveBeenCalledTimes(0); expect(usageCollector.trackSessionIndicatorTourRestored).toHaveBeenCalledTimes(0); }); + + test("doesn't show tour step on slow loading when tour is disabled", async () => { + const state$ = new BehaviorSubject(SearchSessionState.Loading); + const SearchSessionIndicator = createConnectedSearchSessionIndicator({ + sessionService: { ...sessionService, state$ }, + application, + storage, + disableSaveAfterSessionCompletesTimeout, + usageCollector, + basePath, + tourDisabled: true, + }); + const rendered = render( + + + + ); + + await waitFor(() => rendered.getByTestId('searchSessionIndicator')); + + expect(() => screen.getByTestId('searchSessionIndicatorPopoverContainer')).toThrow(); + + act(() => { + jest.advanceTimersByTime(10001); + }); + + expect( + screen.queryByTestId('searchSessionIndicatorPopoverContainer') + ).not.toBeInTheDocument(); + + act(() => { + jest.advanceTimersByTime(5000); + state$.next(SearchSessionState.Completed); + }); + + expect( + screen.queryByTestId('searchSessionIndicatorPopoverContainer') + ).not.toBeInTheDocument(); + + expect(storage.get(TOUR_RESTORE_STEP_KEY)).toBeFalsy(); + expect(storage.get(TOUR_TAKING_TOO_LONG_STEP_KEY)).toBeFalsy(); + + expect(usageCollector.trackSessionIndicatorTourLoading).toHaveBeenCalledTimes(0); + expect(usageCollector.trackSessionIndicatorTourRestored).toHaveBeenCalledTimes(0); + }); }); test('shows tour step for restored', async () => { @@ -340,6 +394,7 @@ describe('tour steps', () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); const rendered = render( @@ -367,6 +422,7 @@ describe('tour steps', () => { disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }); const rendered = render( 
diff --git a/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.tsx b/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.tsx index eed85a9d84ba8..f1ce93181f1ac 100644 --- a/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.tsx +++ b/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/connected_search_session_indicator.tsx @@ -31,6 +31,7 @@ export interface SearchSessionIndicatorDeps { * after the last search in the session has completed */ disableSaveAfterSessionCompletesTimeout: number; + tourDisabled: boolean; usageCollector?: SearchUsageCollector; } @@ -41,6 +42,7 @@ export const createConnectedSearchSessionIndicator = ({ disableSaveAfterSessionCompletesTimeout, usageCollector, basePath, + tourDisabled, }: SearchSessionIndicatorDeps): React.FC => { const searchSessionsManagementUrl = basePath.prepend('/app/management/kibana/search_sessions'); @@ -113,6 +115,7 @@ export const createConnectedSearchSessionIndicator = ({ searchSessionIndicator, state, saveDisabled, + tourDisabled, usageCollector ); diff --git a/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/search_session_tour.tsx b/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/search_session_tour.tsx index 1568d54962eca..50ee3737ad92b 100644 --- a/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/search_session_tour.tsx +++ b/x-pack/plugins/data_enhanced/public/search/ui/connected_search_session_indicator/search_session_tour.tsx 
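Review bot: `tourDisabled: boolean` is added to `SearchSessionIndicatorDeps` without the doc comment its neighbour `disableSaveAfterSessionCompletesTimeout` carries, and the only caller in this commit derives it from `screenshotMode.isScreenshotMode()`. A one-line JSDoc makes that contract explicit for other callers: `/** Suppress the onboarding tour popovers, e.g. when the page is rendered for a report or screenshot */`. The interface's opening line is outside the hunk.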
@@ -23,6 +23,7 @@ export function useSearchSessionTour( searchSessionIndicatorRef: SearchSessionIndicatorRef | null, state: SearchSessionState, searchSessionsDisabled: boolean, + disableSearchSessionsTour: boolean, usageCollector?: SearchUsageCollector ) { const markOpenedDone = useCallback(() => { @@ -55,6 +56,7 @@ export function useSearchSessionTour( useEffect(() => { if (searchSessionsDisabled) return; + if (disableSearchSessionsTour) return; if (!searchSessionIndicatorRef) return; let timeoutHandle: number; @@ -82,6 +84,7 @@ export function useSearchSessionTour( searchSessionIndicatorRef, state, searchSessionsDisabled, + disableSearchSessionsTour, markOpenedDone, markRestoredDone, usageCollector, diff --git a/x-pack/plugins/data_enhanced/tsconfig.json b/x-pack/plugins/data_enhanced/tsconfig.json index 544b50c21224f..5627951c3d9eb 100644 --- a/x-pack/plugins/data_enhanced/tsconfig.json +++ b/x-pack/plugins/data_enhanced/tsconfig.json @@ -22,6 +22,7 @@ { "path": "../../../src/plugins/kibana_utils/tsconfig.json" }, { "path": "../../../src/plugins/usage_collection/tsconfig.json" }, { "path": "../../../src/plugins/management/tsconfig.json" }, + { "path": "../../../src/plugins/screenshot_mode/tsconfig.json"}, { "path": "../security/tsconfig.json" }, { "path": "../task_manager/tsconfig.json" }, diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.test.ts index 0d02fbe413870..42c3985e4dcf1 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.test.ts 
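Review bot: `disableSearchSessionsTour` is inserted as a fourth positional boolean directly after `searchSessionsDisabled`, with the opposite word order and a different name from the `tourDisabled` field the caller passes, which makes an argument swap at the call site easy to write and hard to spot. Naming the parameter `tourDisabled` to match the deps field, or collecting the two flags into an options object, removes the ambiguity. The hook's signature starts outside the hunk.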
@@ -107,17 +107,6 @@ describe('CurationsLogic', () => { describe('listeners', () => { describe('loadCurations', () => { - it('should set dataLoading state', () => { - mount({ dataLoading: false }); - - CurationsLogic.actions.loadCurations(); - - expect(CurationsLogic.values).toEqual({ - ...DEFAULT_VALUES, - dataLoading: true, - }); - }); - it('should make an API call and set curations & meta state', async () => { http.get.mockReturnValueOnce(Promise.resolve(MOCK_CURATIONS_RESPONSE)); mount(); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.ts index 04d04b297050a..4419603efddf0 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_logic.ts @@ -61,7 +61,6 @@ export const CurationsLogic = kea true, onCurationsLoad: () => false, }, ], diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.test.tsx index 9598212d3e0c9..a0fd778ac7dde 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.test.tsx @@ -5,6 +5,9 @@ * 2.0. */ +import '../../../__mocks__/shallow_useeffect.mock'; +import '../../../__mocks__/react_router'; +import { setMockActions, setMockValues } from '../../../__mocks__/kea_logic'; import '../../__mocks__/engine_logic.mock'; import React from 'react'; 
@@ -12,13 +15,110 @@ import { Route, Switch } from 'react-router-dom'; import { shallow } from 'enzyme'; +import { LogRetentionOptions } from '../log_retention'; + import { CurationsRouter } from './'; +const MOCK_VALUES = { + // CurationsSettingsLogic + dataLoading: false, + curationsSettings: { + enabled: true, + mode: 'automatic', + }, + // LogRetentionLogic + logRetention: { + [LogRetentionOptions.Analytics]: { + enabled: true, + }, + }, + // LicensingLogic + hasPlatinumLicense: true, +}; + +const MOCK_ACTIONS = { + // CurationsSettingsLogic + loadCurationsSettings: jest.fn(), + onSkipLoadingCurationsSettings: jest.fn(), + // LogRetentionLogic + fetchLogRetention: jest.fn(), +}; + describe('CurationsRouter', () => { + beforeEach(() => { + jest.clearAllMocks(); + setMockActions(MOCK_ACTIONS); + }); + it('renders', () => { const wrapper = shallow(); expect(wrapper.find(Switch)).toHaveLength(1); expect(wrapper.find(Route)).toHaveLength(4); }); + + it('loads log retention settings', () => { + setMockValues(MOCK_VALUES); + shallow(); + + expect(MOCK_ACTIONS.fetchLogRetention).toHaveBeenCalled(); + }); + + describe('when the user has no platinum license', () => { + beforeEach(() => { + setMockValues({ + ...MOCK_VALUES, + hasPlatinumLicense: false, + }); + }); + + it('it does not fetch log retention', () => { + shallow(); + expect(MOCK_ACTIONS.fetchLogRetention).toHaveBeenCalledTimes(0); + }); + }); + + describe('loading curation settings based on log retention', () => { + it('loads curation settings when log retention is enabled', () => { + setMockValues({ + ...MOCK_VALUES, + logRetention: { + [LogRetentionOptions.Analytics]: { + enabled: true, + }, + }, + }); + + shallow(); + + expect(MOCK_ACTIONS.loadCurationsSettings).toHaveBeenCalledTimes(1); + }); + + it('skips loading curation settings when log retention is enabled', () => { + setMockValues({ + ...MOCK_VALUES, + logRetention: { + [LogRetentionOptions.Analytics]: { + enabled: false, + }, + }, + }); + + 
shallow(); + + expect(MOCK_ACTIONS.onSkipLoadingCurationsSettings).toHaveBeenCalledTimes(1); + }); + + it('takes no action if log retention has not yet been loaded', () => { + setMockValues({ + ...MOCK_VALUES, + logRetention: null, + }); + + shallow(); + + expect(MOCK_ACTIONS.loadCurationsSettings).toHaveBeenCalledTimes(0); + expect(MOCK_ACTIONS.onSkipLoadingCurationsSettings).toHaveBeenCalledTimes(0); + }); + }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.tsx index 693e5406b714b..a3b000ea5054a 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/curations_router.tsx 
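Review bot: The test titled `'skips loading curation settings when log retention is enabled'` sets `[LogRetentionOptions.Analytics]: { enabled: false }` and asserts `onSkipLoadingCurationsSettings` was called, so its name states the opposite of the scenario; it should read `'skips loading curation settings when log retention is disabled'`. Both branch tests only check the call count of one action; asserting the other action was not called (`expect(MOCK_ACTIONS.onSkipLoadingCurationsSettings).not.toHaveBeenCalled()` in the enabled case, and the converse in the disabled case) pins the branch rather than just the happy path.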
@@ -5,20 +5,53 @@
  * 2.0.
  */
-import React from 'react';
+import React, { useEffect } from 'react';
 import { Route, Switch } from 'react-router-dom';
+import { useValues, useActions } from 'kea';
+
+import { LicensingLogic } from '../../../shared/licensing';
 import {
   ENGINE_CURATIONS_PATH,
   ENGINE_CURATIONS_NEW_PATH,
   ENGINE_CURATION_PATH,
   ENGINE_CURATION_SUGGESTION_PATH,
 } from '../../routes';
+import { LogRetentionLogic, LogRetentionOptions } from '../log_retention';
 import { Curation } from './curation';
 import { Curations, CurationCreation, CurationSuggestion } from './views';
+import { CurationsSettingsLogic } from './views/curations_settings';
 export const CurationsRouter: React.FC = () => {
+  // We need to loadCurationsSettings here so they are available across all views
+
+  const { hasPlatinumLicense } = useValues(LicensingLogic);
+
+  const { loadCurationsSettings, onSkipLoadingCurationsSettings } =
+    useActions(CurationsSettingsLogic);
+
+  const { logRetention } = useValues(LogRetentionLogic);
+  const { fetchLogRetention } = useActions(LogRetentionLogic);
+
+  const analyticsDisabled = !logRetention?.[LogRetentionOptions.Analytics].enabled;
+
+  useEffect(() => {
+    if (hasPlatinumLicense) {
+      fetchLogRetention();
+    }
+  }, [hasPlatinumLicense]);
+
+  useEffect(() => {
+    if (logRetention) {
+      if (!analyticsDisabled) {
+        loadCurationsSettings();
+      } else {
+        onSkipLoadingCurationsSettings();
+      }
+    }
+  }, [logRetention]);
+
   return (
diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.test.tsx
index 42d808da6d9ei..aacabf0ac7303 100644
--- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.test.tsx
+++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.test.tsx
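Review bot: When `hasPlatinumLicense` is false the first effect never calls `fetchLogRetention`, so `logRetention` stays unset and the second effect never calls `loadCurationsSettings` or `onSkipLoadingCurationsSettings` (the router test in this commit confirms no action for `logRetention: null`). The `Curations` view in the same commit now shows its full-page spinner while `CurationsSettingsLogic.dataLoading` is true, so if that flag defaults to true (the logic is not visible here) non-platinum users would never leave the loading state; an `else { onSkipLoadingCurationsSettings(); }` branch in the first effect closes that gap. Also `!logRetention?.[LogRetentionOptions.Analytics].enabled` only guards `logRetention` itself — a loaded object without an `Analytics` entry throws, which `?.enabled` after the index would avoid. The JSX after `return (` is outside what the hunk shows.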
@@ -126,14 +126,14 @@ describe('Curations', () => { describe('loading state', () => { it('renders a full-page loading state on initial page load', () => { - setMockValues({ ...values, dataLoading: true, curations: [] }); + setMockValues({ ...values, dataLoading: true }); const wrapper = shallow(); expect(wrapper.prop('isLoading')).toEqual(true); }); - it('does not re-render a full-page loading state after initial page load (uses component-level loading state instead)', () => { - setMockValues({ ...values, dataLoading: true, curations: [{}] }); + it('does not re-render a full-page loading state when data is loaded', () => { + setMockValues({ ...values, dataLoading: false }); const wrapper = shallow(); expect(wrapper.prop('isLoading')).toEqual(false); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.tsx index 7440e0cf42b44..3d4751fcb343f 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations.tsx 
@@ -25,12 +25,13 @@ import { getCurationsBreadcrumbs } from '../utils'; import { CurationsHistory } from './curations_history/curations_history'; import { CurationsOverview } from './curations_overview'; -import { CurationsSettings } from './curations_settings'; +import { CurationsSettings, CurationsSettingsLogic } from './curations_settings'; export const Curations: React.FC = () => { - const { dataLoading, curations, meta, selectedPageTab } = useValues(CurationsLogic); + const { dataLoading: curationsDataLoading, meta, selectedPageTab } = useValues(CurationsLogic); const { loadCurations, onSelectPageTab } = useActions(CurationsLogic); const { hasPlatinumLicense } = useValues(LicensingLogic); + const { dataLoading: curationsSettingsDataLoading } = useValues(CurationsSettingsLogic); const OVERVIEW_TAB = { label: i18n.translate( @@ -92,7 +93,7 @@ export const Curations: React.FC = () => { ], tabs: pageTabs, }} - isLoading={dataLoading && !curations.length} + isLoading={curationsSettingsDataLoading || curationsDataLoading} > {selectedPageTab === 'overview' && } {selectedPageTab === 'history' && } diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.test.tsx index ff6ee66d8cb10..809157704a14e 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.test.tsx 
@@ -19,13 +19,32 @@ import { SuggestionsTable } from '../components/suggestions_table'; import { CurationsOverview } from './curations_overview'; +const MOCK_VALUES = { + // CurationsSettingsLogic + curationsSettings: { + enabled: true, + }, + // CurationsLogic + curations: [ + { + id: 'cur-id-1', + }, + { + id: 'cur-id-2', + }, + ], + // LicensingLogics + hasPlatinumLicense: true, +}; + describe('CurationsOverview', () => { beforeEach(() => { jest.clearAllMocks(); + setMockValues(MOCK_VALUES); }); it('renders an empty message when there are no curations', () => { - setMockValues({ curations: [] }); + setMockValues({ ...MOCK_VALUES, curations: [] }); const wrapper = shallow(); expect(wrapper.find(EmptyState).exists()).toBe(true); @@ -33,6 +52,7 @@ describe('CurationsOverview', () => { it('renders a curations table when there are curations present', () => { setMockValues({ + ...MOCK_VALUES, curations: [ { id: 'cur-id-1', 
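Review bot: The `// LicensingLogics` label in the new `MOCK_VALUES` block has a stray trailing `s`. Its siblings `// CurationsSettingsLogic` and `// CurationsLogic` use the logic's exact name, so this one should read `// LicensingLogic`.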
@@ -47,15 +67,36 @@ describe('CurationsOverview', () => { expect(wrapper.find(CurationsTable)).toHaveLength(1); }); - it('renders a suggestions table when the user has a platinum license', () => { - setMockValues({ curations: [], hasPlatinumLicense: true }); + it('renders a suggestions table when the user has a platinum license and curations suggestions enabled', () => { + setMockValues({ + ...MOCK_VALUES, + hasPlatinumLicense: true, + curationsSettings: { + enabled: true, + }, + }); const wrapper = shallow(); expect(wrapper.find(SuggestionsTable).exists()).toBe(true); }); it('doesn\t render a suggestions table when the user has no platinum license', () => { - setMockValues({ curations: [], hasPlatinumLicense: false }); + setMockValues({ + ...MOCK_VALUES, + hasPlatinumLicense: false, + }); + const wrapper = shallow(); + + expect(wrapper.find(SuggestionsTable).exists()).toBe(false); + }); + + it('doesn\t render a suggestions table when the user has disabled suggestions', () => { + setMockValues({ + ...MOCK_VALUES, + curationsSettings: { + enabled: false, + }, + }); const wrapper = shallow(); expect(wrapper.find(SuggestionsTable).exists()).toBe(false); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.tsx index 079f0046cb9bf..00593403b08cf 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_overview.tsx 
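Review bot: The added test title `'doesn\t render a suggestions table when the user has disabled suggestions'` contains a `\t` escape, so the reported name reads "doesn<TAB> render …" rather than "doesn't render …". The untouched test above it carries the same typo, but the new line should not copy it: `it("doesn't render a suggestions table when the user has disabled suggestions", () => {` (double quotes avoid the escape). The renamed platinum-license test in this hunk is fine.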
@@ -16,11 +16,17 @@ import { CurationsTable, EmptyState } from '../components'; import { SuggestionsTable } from '../components/suggestions_table'; import { CurationsLogic } from '../curations_logic'; +import { CurationsSettingsLogic } from './curations_settings'; + export const CurationsOverview: React.FC = () => { const { curations } = useValues(CurationsLogic); const { hasPlatinumLicense } = useValues(LicensingLogic); - const shouldShowSuggestions = hasPlatinumLicense; + const { + curationsSettings: { enabled }, + } = useValues(CurationsSettingsLogic); + + const shouldShowSuggestions = enabled && hasPlatinumLicense; return ( <> diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.test.tsx index 4b4e11c31d4b8..3b01d1e41c271 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.test.tsx @@ -17,8 +17,6 @@ import { shallow, ShallowWrapper } from 'enzyme'; import { EuiButtonEmpty, EuiCallOut, EuiSwitch } from '@elastic/eui'; -import { mountWithIntl } from '@kbn/test/jest'; - import { Loading } from '../../../../../shared/loading'; import { EuiButtonTo } from '../../../../../shared/react_router_helpers'; import { DataPanel } from '../../../data_panel'; @@ -46,8 +44,6 @@ const MOCK_VALUES = { const MOCK_ACTIONS = { // CurationsSettingsLogic - loadCurationsSettings: jest.fn(), - onSkipLoadingCurationsSettings: jest.fn(), toggleCurationsEnabled: jest.fn(), toggleCurationsMode: jest.fn(), // LogRetentionLogic 
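Review bot: `curationsSettings: { enabled }` is a nested destructure of `useValues(CurationsSettingsLogic)`, so `CurationsOverview` throws a TypeError on render if `curationsSettings` is ever `null` or `undefined` in that logic's state instead of simply hiding suggestions. The `useEffect` hooks that dispatched `loadCurationsSettings`/`onSkipLoadingCurationsSettings` and `fetchLogRetention` are removed from `curations_settings.tsx` in this same commit, and none of the visible hunks show where the settings are loaded now, so a reader has to trust the logic's default value. A one-line comment above the hook would make that dependency explicit, e.g. `// CurationsSettingsLogic loads its own state; curationsSettings is never nullish here`, or, if the type allows it, guard with `const enabled = curationsSettings?.enabled ?? false;` and `const shouldShowSuggestions = enabled && hasPlatinumLicense;`.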
@@ -60,14 +56,6 @@ describe('CurationsSettings', () => { setMockActions(MOCK_ACTIONS); }); - it('loads curations and log retention settings on load', () => { - setMockValues(MOCK_VALUES); - mountWithIntl(); - - expect(MOCK_ACTIONS.loadCurationsSettings).toHaveBeenCalled(); - expect(MOCK_ACTIONS.fetchLogRetention).toHaveBeenCalled(); - }); - it('contains a switch to toggle curations settings', () => { let wrapper: ShallowWrapper; @@ -166,50 +154,6 @@ describe('CurationsSettings', () => { expect(wrapper.is(Loading)).toBe(true); }); - describe('loading curation settings based on log retention', () => { - it('loads curation settings when log retention is enabled', () => { - setMockValues({ - ...MOCK_VALUES, - logRetention: { - [LogRetentionOptions.Analytics]: { - enabled: true, - }, - }, - }); - - shallow(); - - expect(MOCK_ACTIONS.loadCurationsSettings).toHaveBeenCalledTimes(1); - }); - - it('skips loading curation settings when log retention is enabled', () => { - setMockValues({ - ...MOCK_VALUES, - logRetention: { - [LogRetentionOptions.Analytics]: { - enabled: false, - }, - }, - }); - - shallow(); - - expect(MOCK_ACTIONS.onSkipLoadingCurationsSettings).toHaveBeenCalledTimes(1); - }); - - it('takes no action if log retention has not yet been loaded', () => { - setMockValues({ - ...MOCK_VALUES, - logRetention: null, - }); - - shallow(); - - expect(MOCK_ACTIONS.loadCurationsSettings).toHaveBeenCalledTimes(0); - expect(MOCK_ACTIONS.onSkipLoadingCurationsSettings).toHaveBeenCalledTimes(0); - }); - }); - describe('when the user has no platinum license', () => { beforeEach(() => { setMockValues({ @@ -218,11 +162,6 @@ describe('CurationsSettings', () => { }); }); - it('it does not fetch log retention', () => { - shallow(); - expect(MOCK_ACTIONS.fetchLogRetention).toHaveBeenCalledTimes(0); - }); - it('shows a CTA to upgrade your license when the user when the user', () => { const wrapper = shallow(); expect(wrapper.is(DataPanel)).toBe(true); 
diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.tsx index de669298b11d9..a5d4a33d8b870 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/views/curations_settings/curations_settings.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import React, { useEffect } from 'react'; +import React from 'react'; import { useActions, useValues } from 'kea'; @@ -43,34 +43,12 @@ export const CurationsSettings: React.FC = () => { curationsSettings: { enabled, mode }, dataLoading, } = useValues(CurationsSettingsLogic); - const { - loadCurationsSettings, - onSkipLoadingCurationsSettings, - toggleCurationsEnabled, - toggleCurationsMode, - } = useActions(CurationsSettingsLogic); + const { toggleCurationsEnabled, toggleCurationsMode } = useActions(CurationsSettingsLogic); const { isLogRetentionUpdating, logRetention } = useValues(LogRetentionLogic); - const { fetchLogRetention } = useActions(LogRetentionLogic); const analyticsDisabled = !logRetention?.[LogRetentionOptions.Analytics].enabled; - useEffect(() => { - if (hasPlatinumLicense) { - fetchLogRetention(); - } - }, [hasPlatinumLicense]); - - useEffect(() => { - if (logRetention) { - if (!analyticsDisabled) { - loadCurationsSettings(); - } else { - onSkipLoadingCurationsSettings(); - } - } - }, [logRetention]); - if (!hasPlatinumLicense) return ( = ({ clusters } render={({ flyoutComponent, bottomBarComponent }: SetupModeProps) => ( {flyoutComponent} - + {bottomBarComponent} )} 
diff --git a/x-pack/plugins/monitoring/public/application/pages/elasticsearch/index_page.tsx b/x-pack/plugins/monitoring/public/application/pages/elasticsearch/index_page.tsx index 422f051c7d718..db8c40ba22943 100644 --- a/x-pack/plugins/monitoring/public/application/pages/elasticsearch/index_page.tsx +++ b/x-pack/plugins/monitoring/public/application/pages/elasticsearch/index_page.tsx @@ -11,7 +11,7 @@ import { find } from 'lodash'; import { useKibana } from '../../../../../../../src/plugins/kibana_react/public'; import { GlobalStateContext } from '../../contexts/global_state_context'; // @ts-ignore -import { IndexReact } from '../../../components/elasticsearch/index/index_react'; +import { Index } from '../../../components/elasticsearch/index/index'; import { ComponentProps } from '../../route_init'; import { SetupModeRenderer, SetupModeProps } from '../../../components/renderers/setup_mode'; import { SetupModeContext } from '../../../components/setup_mode/setup_mode_context'; @@ -118,7 +118,7 @@ export const ElasticsearchIndexPage: React.FC = ({ clusters }) = render={({ setupMode, flyoutComponent, bottomBarComponent }: SetupModeProps) => ( {flyoutComponent} - = ({ clusters }) => render={({ setupMode, flyoutComponent, bottomBarComponent }: SetupModeProps) => ( {flyoutComponent} - = ({ clusters } const shardActivityData = shardActivity && filterShardActivityData(shardActivity); // no filter on data = null return ( -

- September 27, 2018 1:32:09 PM + September 27, 2018 9:32:09 AM

diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/__snapshots__/ccr_shard_react.test.js.snap b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/__snapshots__/ccr_shard_react.test.js.snap deleted file mode 100644 index 65794e4e07418..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/__snapshots__/ccr_shard_react.test.js.snap +++ /dev/null @@ -1,187 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`CcrShardReact that is renders an exception properly 1`] = ` - - - -`; - -exports[`CcrShardReact that it renders normally 1`] = ` - - - - - - - - - - - - - - - - - - - - - - -

- -

- - } - buttonElement="button" - element="div" - id="ccrLatestStat" - initialIsOpen={false} - isLoading={false} - isLoadingMessage={false} - paddingSize="l" - > - -

- September 27, 2018 9:32:09 AM -

-
- - - { - "read_exceptions": [], - "follower_global_checkpoint": 3049, - "follower_index": "follower", - "follower_max_seq_no": 3049, - "last_requested_seq_no": 3049, - "leader_global_checkpoint": 3049, - "leader_index": "leader", - "leader_max_seq_no": 3049, - "mapping_version": 2, - "number_of_concurrent_reads": 1, - "number_of_concurrent_writes": 0, - "number_of_failed_bulk_operations": 0, - "failed_read_requests": 0, - "operations_written": 3050, - "number_of_queued_writes": 0, - "number_of_successful_bulk_operations": 3050, - "number_of_successful_fetches": 3050, - "operations_received": 3050, - "shard_id": 0, - "time_since_last_read_millis": 9402, - "total_fetch_time_millis": 44128980, - "total_index_time_millis": 41827, - "total_transferred_bytes": 234156 -} - -
-
-
-`; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.js b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.js index ef16c119d8613..9765d83e31f41 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.js @@ -5,8 +5,8 @@ * 2.0. */ -import React, { Fragment, PureComponent } from 'react'; -import { Legacy } from '../../../legacy_shims'; +import React, { Fragment } from 'react'; +import { useKibana } from '../../../../../../../src/plugins/kibana_react/public'; import { EuiPage, EuiPageBody, @@ -28,9 +28,11 @@ import { FormattedMessage } from '@kbn/i18n/react'; import { i18n } from '@kbn/i18n'; import { AlertsCallout } from '../../../alerts/callout'; -export class CcrShard extends PureComponent { - renderCharts() { - const { metrics } = this.props; +export function CcrShard(props) { + const { services } = useKibana(); + const timezone = services.uiSettings?.get('dateFormat:tz'); + const { metrics, stat, timestamp, oldestStat, formattedLeader, alerts } = props; + const renderCharts = () => { const seriesToShow = [metrics.ccr_sync_lag_ops, metrics.ccr_sync_lag_time]; const charts = seriesToShow.map((data, index) => ( @@ -42,10 +44,9 @@ export class CcrShard extends PureComponent { )); return {charts}; - } + }; - renderErrors() { - const { stat } = this.props; + const renderErrors = () => { if (stat.read_exceptions && stat.read_exceptions.length > 0) { return ( 
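Review bot: `const timezone = services.uiSettings?.get('dateFormat:tz');` silently yields `undefined` when `services.uiSettings` is absent, and that value is passed straight to `formatDateTimeLocal(timestamp, timezone)` in `renderLatestStat`, whereas the Angular path this replaces always resolved a zone through the injector. The same pattern is introduced in `shard_activity.js` (`@@ -67,14 +68,19`), whose `timezone` is spread into `parseProps`, and `parse_props.js` (`@@ -42,21 +41,12`) drops its own injector fallback at the same time. How `formatDateTimeLocal` treats an undefined zone is not visible here; the snapshot change from `1:32:09 PM` to `9:32:09 AM` suggests the test now renders in whatever default the test environment's moment configuration provides instead of the `'utc'` the removed `Legacy` mock supplied. Consider a comment such as `// dateFormat:tz may be undefined when uiSettings is not provided; formatDateTimeLocal then uses its own default` once that default is confirmed, and mocking `useKibana` with a fixed `dateFormat:tz` in `ccr_shard.test.js` so the snapshot does not depend on the runner's zone.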
@@ -91,13 +92,9 @@ export class CcrShard extends PureComponent { ); } return null; - } - - renderLatestStat() { - const { stat, timestamp } = this.props; - const injector = Legacy.shims.getAngularInjector(); - const timezone = injector.get('config').get('dateFormat:tz'); + }; + const renderLatestStat = () => { return ( ); - } - - render() { - const { stat, oldestStat, formattedLeader, alerts } = this.props; + }; - return ( - - - - - - - - - {this.renderErrors()} - {this.renderCharts()} - - {this.renderLatestStat()} - - - ); - } + return ( + + + + + + + + + {renderErrors()} + {renderCharts()} + + {renderLatestStat()} + + + ); } diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.test.js b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.test.js index 90d9efecce40a..6b7b43016baf9 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.test.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard.test.js @@ -9,14 +9,6 @@ import React from 'react'; import { shallow } from 'enzyme'; import { CcrShard } from './ccr_shard'; -jest.mock('../../../legacy_shims', () => { - return { - Legacy: { - shims: { getAngularInjector: () => ({ get: () => ({ get: () => 'utc' }) }) }, - }, - }; -}); - jest.mock('../../chart', () => ({ MonitoringTimeseriesContainer: () => 'MonitoringTimeseriesContainer', })); diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard_react.js deleted file mode 100644 index 65586d602c85e..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard_react.js +++ /dev/null 
@@ -1,145 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React, { Fragment } from 'react'; -import { useKibana } from '../../../../../../../src/plugins/kibana_react/public'; -import { - EuiPage, - EuiPageBody, - EuiPanel, - EuiFlexGroup, - EuiFlexItem, - EuiSpacer, - EuiTitle, - EuiBasicTable, - EuiCodeBlock, - EuiTextColor, - EuiHorizontalRule, - EuiAccordion, -} from '@elastic/eui'; -import { MonitoringTimeseriesContainer } from '../../chart'; -import { Status } from './status'; -import { formatDateTimeLocal } from '../../../../common/formatting'; -import { FormattedMessage } from '@kbn/i18n/react'; -import { i18n } from '@kbn/i18n'; -import { AlertsCallout } from '../../../alerts/callout'; - -export function CcrShardReact(props) { - const { services } = useKibana(); - const timezone = services.uiSettings?.get('dateFormat:tz'); - const { metrics, stat, timestamp, oldestStat, formattedLeader, alerts } = props; - const renderCharts = () => { - const seriesToShow = [metrics.ccr_sync_lag_ops, metrics.ccr_sync_lag_time]; - - const charts = seriesToShow.map((data, index) => ( - - - - - - )); - - return {charts}; - }; - - const renderErrors = () => { - if (stat.read_exceptions && stat.read_exceptions.length > 0) { - return ( - - - -

- - - -

-
- - -
- -
- ); - } - return null; - }; - - const renderLatestStat = () => { - return ( - -

- -

- - } - paddingSize="l" - > - - -

{formatDateTimeLocal(timestamp, timezone)}

-
- - {JSON.stringify(stat, null, 2)} -
-
- ); - }; - - return ( - - - - - - - - - {renderErrors()} - {renderCharts()} - - {renderLatestStat()} - - - ); -} diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard_react.test.js b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard_react.test.js deleted file mode 100644 index afd289a33457a..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/ccr_shard_react.test.js +++ /dev/null 
@@ -1,82 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { shallow } from 'enzyme'; -import { CcrShardReact } from './ccr_shard_react'; - -jest.mock('../../../legacy_shims', () => { - return { - Legacy: { - shims: { getAngularInjector: () => ({ get: () => ({ get: () => 'utc' }) }) }, - }, - }; -}); - -jest.mock('../../chart', () => ({ - MonitoringTimeseriesContainer: () => 'MonitoringTimeseriesContainer', -})); - -describe('CcrShardReact', () => { - const props = { - formattedLeader: 'leader on remote', - metrics: [], - stat: { - read_exceptions: [], - follower_global_checkpoint: 3049, - follower_index: 'follower', - follower_max_seq_no: 3049, - last_requested_seq_no: 3049, - leader_global_checkpoint: 3049, - leader_index: 'leader', - leader_max_seq_no: 3049, - mapping_version: 2, - number_of_concurrent_reads: 1, - number_of_concurrent_writes: 0, - number_of_failed_bulk_operations: 0, - failed_read_requests: 0, - operations_written: 3050, - number_of_queued_writes: 0, - number_of_successful_bulk_operations: 3050, - number_of_successful_fetches: 3050, - operations_received: 3050, - shard_id: 0, - time_since_last_read_millis: 9402, - total_fetch_time_millis: 44128980, - total_index_time_millis: 41827, - total_transferred_bytes: 234156, - }, - oldestStat: { - failed_read_requests: 0, - operations_written: 2976, - }, - timestamp: '2018-09-27T13:32:09.412Z', - }; - - test('that it renders normally', () => { - const component = shallow(); - expect(component).toMatchSnapshot(); - }); - - test('that is renders an exception properly', () => { - const localProps = { - ...props, - stat: { - ...props.stat, - read_exceptions: [ - { - type: 'something_is_wrong', - reason: 'not sure but something happened', - }, - ], - }, - }; 
- - const component = shallow(); - expect(component.find('EuiPanel').get(0)).toMatchSnapshot(); - }); -}); diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/index.js b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/index.js index 036a21e9b8a72..4cfd362b8ab0c 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/index.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/ccr_shard/index.js @@ -6,4 +6,3 @@ */ export { CcrShard } from './ccr_shard'; -export { CcrShardReact } from './ccr_shard_react'; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/index.ts b/x-pack/plugins/monitoring/public/components/elasticsearch/index.ts index 657617c698696..2cb688689438c 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/index.ts +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/index.ts @@ -6,8 +6,7 @@ */ export { ElasticsearchOverview } from './overview'; -export { ElasticsearchOverviewReact } from './overview'; export { ElasticsearchNodes } from './nodes'; -export { NodeReact } from './node'; +export { Node } from './node'; export { ElasticsearchIndices } from './indices'; export { ElasticsearchMLJobs } from './ml_jobs'; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/index/index.js b/x-pack/plugins/monitoring/public/components/elasticsearch/index/index.js index 294fc15ce4c47..9bdaa513998b5 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/index/index.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/index/index.js @@ -22,7 +22,6 @@ import { Logs } from '../../logs'; import { AlertsCallout } from '../../../alerts/callout'; export const Index = ({ - scope, indexSummary, metrics, clusterUuid, @@ -63,7 +62,7 @@ export const Index = ({ - + 
diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/index/index_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/index/index_react.js deleted file mode 100644 index 70bac52a0926c..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/index/index_react.js +++ /dev/null @@ -1,70 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { - EuiPage, - EuiPageContent, - EuiPageBody, - EuiPanel, - EuiSpacer, - EuiFlexGrid, - EuiFlexItem, -} from '@elastic/eui'; -import { IndexDetailStatus } from '../index_detail_status'; -import { MonitoringTimeseriesContainer } from '../../chart'; -import { ShardAllocationReact } from '../shard_allocation/shard_allocation_react'; -import { Logs } from '../../logs'; -import { AlertsCallout } from '../../../alerts/callout'; - -export const IndexReact = ({ - indexSummary, - metrics, - clusterUuid, - indexUuid, - logs, - alerts, - ...props -}) => { - const metricsToShow = [ - metrics.index_mem, - metrics.index_size, - metrics.index_search_request_rate, - metrics.index_request_rate, - metrics.index_segment_count, - metrics.index_document_count, - ]; - - return ( - - - - - - - - - - - {metricsToShow.map((metric, index) => ( - - - - - ))} - - - - - - - - - - - ); -}; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/node/index.ts b/x-pack/plugins/monitoring/public/components/elasticsearch/node/index.ts index 3b7153c5940d9..074749ae06e83 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/node/index.ts +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/node/index.ts 
@@ -7,4 +7,3 @@ export { NodeStatusIcon } from './status_icon'; export { Node } from './node'; -export { NodeReact } from './node_react'; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.d.ts b/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.d.ts index 9d7a062e942bb..17f05d98ee042 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.d.ts +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.d.ts @@ -15,6 +15,5 @@ export interface NodeProps { alerts: unknown; nodeId: unknown; clusterUuid: unknown; - scope: unknown; [key: string]: any; } diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.js b/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.js index 3f7318fe6d5c9..0b03f1077f9cb 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/node/node.js @@ -16,23 +16,14 @@ import { EuiPanel, EuiScreenReaderOnly, } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n/react'; import { NodeDetailStatus } from '../node_detail_status'; -import { Logs } from '../../logs/'; +import { Logs } from '../../logs'; import { MonitoringTimeseriesContainer } from '../../chart'; -import { ShardAllocation } from '../shard_allocation/shard_allocation'; -import { FormattedMessage } from '@kbn/i18n/react'; import { AlertsCallout } from '../../../alerts/callout'; +import { ShardAllocation } from '../shard_allocation'; -export const Node = ({ - nodeSummary, - metrics, - logs, - alerts, - nodeId, - clusterUuid, - scope, - ...props -}) => { +export const Node = ({ nodeSummary, metrics, logs, alerts, nodeId, clusterUuid, ...props }) => { /* // This isn't doing anything due to a possible bug. https://github.com/elastic/kibana/issues/106309 if (alerts) { @@ -92,7 +83,7 @@ export const Node = ({ - + 
diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node_react.d.ts b/x-pack/plugins/monitoring/public/components/elasticsearch/node/node_react.d.ts deleted file mode 100644 index e0c4f6b301fdb..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node_react.d.ts +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { FunctionComponent } from 'react'; - -export const NodeReact: FunctionComponent; -export interface NodeReactProps { - nodeSummary: unknown; - metrics: unknown; - logs: unknown; - alerts: unknown; - nodeId: unknown; - clusterUuid: unknown; - [key: string]: any; -} diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/node/node_react.js deleted file mode 100644 index 38b03d1aa748f..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/node/node_react.js +++ /dev/null 
@@ -1,99 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { - EuiPage, - EuiPageContent, - EuiPageBody, - EuiSpacer, - EuiFlexGrid, - EuiFlexItem, - EuiPanel, - EuiScreenReaderOnly, -} from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n/react'; -import { NodeDetailStatus } from '../node_detail_status'; -import { Logs } from '../../logs'; -import { MonitoringTimeseriesContainer } from '../../chart'; -import { AlertsCallout } from '../../../alerts/callout'; -import { ShardAllocationReact } from '../shard_allocation'; - -export const NodeReact = ({ - nodeSummary, - metrics, - logs, - alerts, - nodeId, - clusterUuid, - ...props -}) => { - /* - // This isn't doing anything due to a possible bug. https://github.com/elastic/kibana/issues/106309 - if (alerts) { - for (const alertTypeId of Object.keys(alerts)) { - const alertInstance = alerts[alertTypeId]; - for (const { meta } of alertInstance.states) { - const metricList = get(meta, 'metrics', []); - for (const metric of metricList) { - if (metrics[metric]) { - metrics[metric].alerts = metrics[metric].alerts || {}; - metrics[metric].alerts[alertTypeId] = alertInstance; - } - } - } - } - } - */ - const metricsToShow = [ - metrics.node_jvm_mem, - metrics.node_mem, - metrics.node_total_io, - metrics.node_cpu_metric, - metrics.node_load_average, - metrics.node_latency, - metrics.node_segment_count, - ]; - - return ( - - - -

- -

-
- - - - - - - - {metricsToShow.map((metric, index) => ( - - - - - ))} - - - - - - - - - - -
-
- ); -}; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/overview/index.ts b/x-pack/plugins/monitoring/public/components/elasticsearch/overview/index.ts index dd7e63c14fc53..b56c381395ef7 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/overview/index.ts +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/overview/index.ts @@ -5,6 +5,5 @@ * 2.0. */ -export { ElasticsearchOverview } from './overview'; // @ts-ignore -export { ElasticsearchOverviewReact } from './overview_react'; +export { ElasticsearchOverview } from './overview'; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/overview/overview.d.ts b/x-pack/plugins/monitoring/public/components/elasticsearch/overview/overview.d.ts deleted file mode 100644 index d4c893f87cbd2..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/overview/overview.d.ts +++ /dev/null @@ -1,18 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { FunctionComponent } from 'react'; - -export const ElasticsearchOverview: FunctionComponent; -export interface ElasticsearchOverviewProps { - clusterStatus: unknown; - metrics: unknown; - logs: unknown; - cluster: unknown; - shardActivity: unknown; - [key: string]: any; -} diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/overview/overview_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/overview/overview_react.js deleted file mode 100644 index ff4e531e31744..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/overview/overview_react.js +++ /dev/null 
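Review bot: After this hunk `// @ts-ignore` sits directly above `export { ElasticsearchOverview } from './overview';`, and the same commit deletes `overview.d.ts`, which was the only type declaration for that module, so the surviving export is now untyped and the error is silenced rather than fixed. If `./overview` was converted to TypeScript elsewhere in this change, the directive is dead and should be dropped; if it is still the JavaScript `overview.js`, keep `overview.d.ts` (or move its `ElasticsearchOverviewProps` next to the component) instead of suppressing. Either way, a bare directive hides the reason; `// @ts-expect-error overview.js has no type declarations` fails as soon as the underlying problem is resolved.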
@@ -1,66 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { ClusterStatus } from '../cluster_status'; -import { ShardActivityReact } from '../shard_activity'; -import { MonitoringTimeseriesContainer } from '../../chart'; -import { - EuiPage, - EuiFlexGrid, - EuiFlexItem, - EuiPanel, - EuiSpacer, - EuiPageBody, - EuiPageContent, -} from '@elastic/eui'; -import { Logs } from '../../logs/logs'; - -export function ElasticsearchOverviewReact({ - clusterStatus, - metrics, - logs, - cluster, - shardActivity, - ...props -}) { - const metricsToShow = [ - metrics.cluster_search_request_rate, - metrics.cluster_query_latency, - metrics.cluster_index_request_rate, - metrics.cluster_index_latency, - ]; - - return ( - - - - - - - - - {metricsToShow.map((metric, index) => ( - - - - - ))} - - - - - - - - - - - - - ); -} diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/index.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/index.js index 8c0b8b4c9c82d..bcdbbe715f86e 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/index.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/index.js @@ -6,4 +6,3 @@ */ export { ShardActivity } from './shard_activity'; -export { ShardActivityReact } from './shard_activity_react'; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/parse_props.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/parse_props.js index 1f0ed47adf387..9a102c52aa1f1 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/parse_props.js 
+++ b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/parse_props.js @@ -5,7 +5,6 @@ * 2.0. */ -import { Legacy } from '../../../legacy_shims'; import { capitalize } from 'lodash'; import { formatMetric } from '../../../lib/format_number'; import { formatDateTimeLocal } from '../../../../common/formatting'; @@ -42,21 +41,12 @@ export const parseProps = (props) => { const { files, size } = index; - let thisTimezone; - // react version passes timezone while Angular uses injector - if (!timezone) { - const injector = Legacy.shims.getAngularInjector(); - thisTimezone = injector.get('config').get('dateFormat:tz'); - } else { - thisTimezone = timezone; - } - return { name: indexName || index.name, shard: `${id} / ${isPrimary ? 'Primary' : 'Replica'}`, relocationType: type === 'PRIMARY_RELOCATION' ? 'Primary Relocation' : normalizeString(type), stage: normalizeString(stage), - startTime: formatDateTimeLocal(startTimeInMillis, thisTimezone), + startTime: formatDateTimeLocal(startTimeInMillis, timezone), totalTime: formatMetric(Math.floor(totalTimeInMillis / 1000), '00:00:00'), isCopiedFromPrimary: !isPrimary || type === 'PRIMARY_RELOCATION', sourceName: source.name === undefined ? 'n/a' : source.name, diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/shard_activity.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/shard_activity.js index 7b939f0fee8e6..e55cb793574a9 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/shard_activity.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/shard_activity.js @@ -15,6 +15,7 @@ import { FilesProgress, BytesProgress, TranslogProgress } from './progress'; import { parseProps } from './parse_props'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; +import { useKibana } from '../../../../../../../src/plugins/kibana_react/public'; const columns = [ { 
@@ -67,14 +68,19 @@ const columns = [ }, ]; -export class ShardActivity extends React.Component { - constructor(props) { - super(props); - this.getNoDataMessage = this.getNoDataMessage.bind(this); - } - - getNoDataMessage() { - if (this.props.showShardActivityHistory) { +export const ShardActivity = (props) => { + const { + data: rawData, + sorting, + pagination, + onTableChange, + toggleShardActivityHistory, + showShardActivityHistory, + } = props; + const { services } = useKibana(); + const timezone = services.uiSettings?.get('dateFormat:tz'); + const getNoDataMessage = () => { + if (showShardActivityHistory) { return i18n.translate('xpack.monitoring.elasticsearch.shardActivity.noDataMessage', { defaultMessage: 'There are no historical shard activity records for the selected time range.', @@ -92,7 +98,7 @@ export class ShardActivity extends React.Component { defaultMessage="Try viewing {shardActivityHistoryLink}." values={{ shardActivityHistoryLink: ( - +
); - } - - render() { - // data prop is an array of table row data, or null (which triggers no data message) - const { - data: rawData, - sorting, - pagination, - onTableChange, - toggleShardActivityHistory, - showShardActivityHistory, - } = this.props; - - if (rawData === null) { - return null; - } + }; - const rows = rawData.map(parseProps); + const rows = rawData.map((data) => parseProps({ ...data, timezone })); - return ( - - - -

- -

-
-
- - + + +

- } - onChange={toggleShardActivityHistory} - checked={showShardActivityHistory} - /> - - - - ); - } -} +

+
+
+ + + } + onChange={toggleShardActivityHistory} + checked={showShardActivityHistory} + /> + + +
+ ); +}; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/shard_activity_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/shard_activity_react.js deleted file mode 100644 index cc219ff0fff32..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_activity/shard_activity_react.js +++ /dev/null 
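Review bot: The removed `if (rawData === null) { return null; }` guard is not carried into the new function component, so `rawData.map((data) => parseProps({ ...data, timezone }))` throws a TypeError when the `data` prop is `null` — a value the removed comment explicitly documents as legitimate ("null (which triggers no data message)"). Add an early return after the hook call so hook order stays stable: `if (rawData === null) { return null; }` placed just before `const rows = …`. The deleted `shard_activity_react.js` had the same omission, so this looks inherited rather than intentional; the guard and the component header sit in an earlier hunk of this file, above the JSX.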
@@ -1,156 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React, { Fragment } from 'react'; -import { EuiText, EuiTitle, EuiLink, EuiSpacer, EuiSwitch } from '@elastic/eui'; -import { EuiMonitoringTable } from '../../table'; -import { RecoveryIndex } from './recovery_index'; -import { TotalTime } from './total_time'; -import { SourceDestination } from './source_destination'; -import { FilesProgress, BytesProgress, TranslogProgress } from './progress'; -import { parseProps } from './parse_props'; -import { i18n } from '@kbn/i18n'; -import { FormattedMessage } from '@kbn/i18n/react'; -import { useKibana } from '../../../../../../../src/plugins/kibana_react/public'; - -const columns = [ - { - name: i18n.translate('xpack.monitoring.kibana.shardActivity.indexTitle', { - defaultMessage: 'Index', - }), - field: 'name', - render: (_name, shard) => , - }, - { - name: i18n.translate('xpack.monitoring.kibana.shardActivity.stageTitle', { - defaultMessage: 'Stage', - }), - field: 'stage', - }, - { - name: i18n.translate('xpack.monitoring.kibana.shardActivity.totalTimeTitle', { - defaultMessage: 'Total Time', - }), - field: null, - render: (shard) => , - }, - { - name: i18n.translate('xpack.monitoring.kibana.shardActivity.sourceDestinationTitle', { - defaultMessage: 'Source / Destination', - }), - field: null, - render: (shard) => , - }, - { - name: i18n.translate('xpack.monitoring.kibana.shardActivity.filesTitle', { - defaultMessage: 'Files', - }), - field: null, - render: (shard) => , - }, - { - name: i18n.translate('xpack.monitoring.kibana.shardActivity.bytesTitle', { - defaultMessage: 'Bytes', - }), - field: null, - render: (shard) => , - }, - { - name: i18n.translate('xpack.monitoring.kibana.shardActivity.translogTitle', { - defaultMessage: 
'Translog', - }), - field: null, - render: (shard) => , - }, -]; - -export const ShardActivityReact = (props) => { - const { - data: rawData, - sorting, - pagination, - onTableChange, - toggleShardActivityHistory, - showShardActivityHistory, - } = props; - const { services } = useKibana(); - const timezone = services.uiSettings?.get('dateFormat:tz'); - const getNoDataMessage = () => { - if (showShardActivityHistory) { - return i18n.translate('xpack.monitoring.elasticsearch.shardActivity.noDataMessage', { - defaultMessage: - 'There are no historical shard activity records for the selected time range.', - }); - } - return ( - - -
- - - - ), - }} - /> -
- ); - }; - - const rows = rawData.map((data) => parseProps({ ...data, timezone })); - - return ( - - - -

- -

-
-
- - - } - onChange={toggleShardActivityHistory} - checked={showShardActivityHistory} - /> - - -
- ); -}; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/cluster_view.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/cluster_view.js index a637703a98cdc..a004c7fae8e95 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/cluster_view.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/cluster_view.js @@ -8,67 +8,22 @@ import React from 'react'; import { TableHead } from './table_head'; import { TableBody } from './table_body'; -import { i18n } from '@kbn/i18n'; -export class ClusterView extends React.Component { - static displayName = i18n.translate( - 'xpack.monitoring.elasticsearch.shardAllocation.clusterViewDisplayName', - { - defaultMessage: 'ClusterView', - } +export const ClusterView = (props) => { + return ( + + + +
); - - constructor(props) { - super(props); - - this.state = { - labels: props.scope.labels || [], - showing: props.scope.showing || [], - shardStats: props.scope.pageData.shardStats, - showSystemIndices: props.showSystemIndices, - toggleShowSystemIndices: props.toggleShowSystemIndices, - }; - } - - setShowing = (data) => { - if (data) { - this.setState({ showing: data }); - } - }; - - setShardStats = (stats) => { - this.setState({ shardStats: stats }); - }; - - UNSAFE_componentWillMount() { - this.props.scope.$watch('showing', this.setShowing); - this.props.scope.$watch(() => this.props.scope.pageData.shardStats, this.setShardStats); - } - - hasUnassigned = () => { - return ( - this.state.showing.length && - this.state.showing[0].unassigned && - this.state.showing[0].unassigned.length - ); - }; - - render() { - return ( - - - -
- ); - } -} +}; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/cluster_view_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/cluster_view_react.js deleted file mode 100644 index 2d0c4b59df4b8..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/cluster_view_react.js +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { TableHeadReact } from './table_head_react'; -import { TableBody } from './table_body'; - -export const ClusterViewReact = (props) => { - return ( - - - -
- ); -}; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/table_head.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/table_head.js index d4d4da050d37a..b5316bb624a80 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/table_head.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/table_head.js @@ -14,18 +14,15 @@ class IndexLabel extends React.Component { constructor(props) { super(props); this.state = { - showSystemIndices: props.scope.showSystemIndices, + showSystemIndices: props.showSystemIndices, }; this.toggleShowSystemIndicesState = this.toggleShowSystemIndicesState.bind(this); } - // See also public/directives/index_listing/index toggleShowSystemIndicesState(e) { const isChecked = e.target.checked; this.setState({ showSystemIndices: isChecked }); - this.props.scope.$evalAsync(() => { - this.props.toggleShowSystemIndices(isChecked); - }); + this.props.toggleShowSystemIndices(isChecked); } render() { @@ -70,7 +67,7 @@ export class TableHead extends React.Component { } render() { - const propLabels = this.props.scope.labels || []; + const propLabels = this.props.labels || []; const labelColumns = propLabels .map((label) => { const column = { @@ -81,8 +78,8 @@ export class TableHead extends React.Component { // override text label content with a JSX component column.content = ( ); } else { diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/table_head_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/table_head_react.js deleted file mode 100644 index 5f914792ec70b..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/components/table_head_react.js +++ /dev/null 
@@ -1,99 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { i18n } from '@kbn/i18n'; -import { EuiFlexGroup, EuiFlexItem, EuiSwitch } from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n/react'; - -class IndexLabel extends React.Component { - constructor(props) { - super(props); - this.state = { - showSystemIndices: props.showSystemIndices, - }; - this.toggleShowSystemIndicesState = this.toggleShowSystemIndicesState.bind(this); - } - - toggleShowSystemIndicesState(e) { - const isChecked = e.target.checked; - this.setState({ showSystemIndices: isChecked }); - this.props.toggleShowSystemIndices(isChecked); - } - - render() { - return ( - - - - - - - - - ); - } -} - -// eslint-disable-next-line react/no-multi-comp -export class TableHeadReact extends React.Component { - constructor(props) { - super(props); - } - - createColumn({ key, content }) { - return ( - - {content} - - ); - } - - render() { - const propLabels = this.props.labels || []; - const labelColumns = propLabels - .map((label) => { - const column = { - key: label.content.toLowerCase(), - }; - - if (label.showToggleSystemIndicesComponent) { - // override text label content with a JSX component - column.content = ( - - ); - } else { - column.content = label.content; - } - - return column; - }) - .map(this.createColumn); - - return ( - - {labelColumns} - - ); - } -} diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/index.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/index.js index dd4121b69574c..247bad7527846 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/index.js 
+++ b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/index.js @@ -6,4 +6,3 @@ */ export { ShardAllocation } from './shard_allocation'; -export { ShardAllocationReact } from './shard_allocation_react'; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/shard_allocation.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/shard_allocation.js index f02b93eba8f90..7ca24853a9ccb 100644 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/shard_allocation.js +++ b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/shard_allocation.js @@ -9,10 +9,10 @@ import React from 'react'; import { EuiTitle, EuiBadge, EuiFlexGroup, EuiFlexItem, EuiSpacer } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; import { i18n } from '@kbn/i18n'; -import { ClusterView } from './components/cluster_view'; import './shard_allocation.scss'; +import { ClusterView } from './components/cluster_view'; -export const ShardAllocation = ({ scope, type, shardStats }) => { +export const ShardAllocation = (props) => { const types = [ { label: i18n.translate('xpack.monitoring.elasticsearch.shardAllocation.primaryLabel', { @@ -77,13 +77,7 @@ export const ShardAllocation = ({ scope, type, shardStats }) => { ))} - +
); }; diff --git a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/shard_allocation_react.js b/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/shard_allocation_react.js deleted file mode 100644 index 502d93d5411d2..0000000000000 --- a/x-pack/plugins/monitoring/public/components/elasticsearch/shard_allocation/shard_allocation_react.js +++ /dev/null 
@@ -1,83 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiTitle, EuiBadge, EuiFlexGroup, EuiFlexItem, EuiSpacer } from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n/react'; -import { i18n } from '@kbn/i18n'; -import './shard_allocation.scss'; -import { ClusterViewReact } from './components/cluster_view_react'; - -export const ShardAllocationReact = (props) => { - const types = [ - { - label: i18n.translate('xpack.monitoring.elasticsearch.shardAllocation.primaryLabel', { - defaultMessage: 'Primary', - }), - color: 'primary', - }, - { - label: i18n.translate('xpack.monitoring.elasticsearch.shardAllocation.replicaLabel', { - defaultMessage: 'Replica', - }), - color: 'secondary', - }, - { - label: i18n.translate('xpack.monitoring.elasticsearch.shardAllocation.relocatingLabel', { - defaultMessage: 'Relocating', - }), - color: 'accent', - }, - { - label: i18n.translate('xpack.monitoring.elasticsearch.shardAllocation.initializingLabel', { - defaultMessage: 'Initializing', - }), - color: 'default', - }, - { - label: i18n.translate( - 'xpack.monitoring.elasticsearch.shardAllocation.unassignedPrimaryLabel', - { - defaultMessage: 'Unassigned Primary', - } - ), - color: 'danger', - }, - { - label: i18n.translate( - 'xpack.monitoring.elasticsearch.shardAllocation.unassignedReplicaLabel', - { - defaultMessage: 'Unassigned Replica', - } - ), - color: 'warning', - }, - ]; - - return ( -
- -

- -

-
- - - {types.map((type) => ( - - {type.label} - - ))} - - - -
- ); -}; diff --git a/x-pack/plugins/monitoring/public/components/index.ts b/x-pack/plugins/monitoring/public/components/index.ts index 6f0b9bb88667f..b8e9adbf27fa3 100644 --- a/x-pack/plugins/monitoring/public/components/index.ts +++ b/x-pack/plugins/monitoring/public/components/index.ts @@ -12,4 +12,4 @@ export { NoData } from './no_data'; export { License } from './license'; export { PageLoading } from './page_loading'; -export { ElasticsearchOverview, ElasticsearchNodes, ElasticsearchIndices } from './elasticsearch'; +export { ElasticsearchNodes, ElasticsearchIndices } from './elasticsearch'; diff --git a/x-pack/plugins/monitoring/public/components/logs/logs.js b/x-pack/plugins/monitoring/public/components/logs/logs.js index 3021240a157d3..52c1c1373caf5 100644 --- a/x-pack/plugins/monitoring/public/components/logs/logs.js +++ b/x-pack/plugins/monitoring/public/components/logs/logs.js @@ -16,18 +16,8 @@ import { FormattedMessage } from '@kbn/i18n/react'; import { Reason } from './reason'; const getFormattedDateTimeLocal = (timestamp) => { - try { - const injector = Legacy.shims.getAngularInjector(); - const timezone = injector.get('config').get('dateFormat:tz'); - return formatDateTimeLocal(timestamp, timezone); - } catch (error) { - if (error.message === 'Angular has been removed.') { - const timezone = Legacy.shims.uiSettings?.get('dateFormat:tz'); - return formatDateTimeLocal(timestamp, timezone); - } else { - throw error; - } - } + const timezone = Legacy.shims.uiSettings?.get('dateFormat:tz'); + return formatDateTimeLocal(timestamp, timezone); }; const columnTimestampTitle = i18n.translate('xpack.monitoring.logs.listing.timestampTitle', { diff --git a/x-pack/plugins/monitoring/public/legacy_shims.ts b/x-pack/plugins/monitoring/public/legacy_shims.ts index 48484421839bd..7c7e7642cac81 100644 --- a/x-pack/plugins/monitoring/public/legacy_shims.ts +++ b/x-pack/plugins/monitoring/public/legacy_shims.ts 
@@ -37,14 +37,9 @@ export interface KFetchKibanaOptions {
 prependBasePath?: boolean;
 }
-const angularNoop = () => {
- throw new Error('Angular has been removed.');
-};
-
 export interface IShims {
 toastNotifications: CoreStart['notifications']['toasts'];
 capabilities: CoreStart['application']['capabilities'];
- getAngularInjector: typeof angularNoop;
 getBasePath: () => string;
 getInjected: (name: string, defaultValue?: unknown) => unknown;
 breadcrumbs: {
@@ -84,7 +79,6 @@ export class Legacy {
 this._shims = {
 toastNotifications: core.notifications.toasts,
 capabilities: core.application.capabilities,
- getAngularInjector: angularNoop,
 getBasePath: (): string => core.http.basePath.get(),
 getInjected: (name: string, defaultValue?: unknown): string | unknown =>
 core.injectedMetadata.getInjectedVar(name, defaultValue),
diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 442718e0975ee..515f2beb53980 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -31,6 +31,7 @@ export const DEFAULT_APP_TIME_RANGE = 'securitySolution:timeDefaults';
 export const DEFAULT_APP_REFRESH_INTERVAL = 'securitySolution:refreshIntervalDefaults';
 export const DEFAULT_ALERTS_INDEX = '.alerts-security.alerts';
 export const DEFAULT_SIGNALS_INDEX = '.siem-signals';
+export const DEFAULT_PREVIEW_INDEX = '.siem-preview-signals';
 export const DEFAULT_LISTS_INDEX = '.lists';
 export const DEFAULT_ITEMS_INDEX = '.items';
 // The DEFAULT_MAX_SIGNALS value exists also in `x-pack/plugins/cases/common/constants.ts`
@@ -248,6 +249,8 @@ export const DETECTION_ENGINE_TAGS_URL = `${DETECTION_ENGINE_URL}/tags`;
 export const DETECTION_ENGINE_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/_find_statuses`;
 export const DETECTION_ENGINE_PREPACKAGED_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/prepackaged/_status`;
 export const DETECTION_ENGINE_RULES_BULK_ACTION = `${DETECTION_ENGINE_RULES_URL}/_bulk_action`;
+export const DETECTION_ENGINE_RULES_PREVIEW = `${DETECTION_ENGINE_RULES_URL}/preview`;
+export const DETECTION_ENGINE_RULES_PREVIEW_INDEX_URL = `${DETECTION_ENGINE_RULES_PREVIEW}/index`;
 export const TIMELINE_RESOLVE_URL = '/api/timeline/resolve';
 export const TIMELINE_URL = '/api/timeline';
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts
index 12e72fb6fc697..524302b0050dd 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts
@@ -362,6 +362,11 @@ export type MachineLearningCreateSchema = CreateSchema<
 export const createRulesSchema = t.intersection([sharedCreateSchema, createTypeSpecific]);
 export type CreateRulesSchema = t.TypeOf;
+export const previewRulesSchema = t.intersection([
+ sharedCreateSchema,
+ createTypeSpecific,
+ t.type({ invocationCount: t.number }),
+]);
 type UpdateSchema = SharedUpdateSchema & T;
 export type EqlUpdateSchema = UpdateSchema>;
diff --git a/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts b/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts
index 825abc6185947..78bb13395f79b 100644
--- a/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts
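Review bot: `t.type({ invocationCount: t.number })` accepts any JavaScript number from the request body — negative, fractional, `NaN`, `Infinity` or arbitrarily large — and a field whose name says it drives how many times the preview endpoint executes a rule is a cheap way for an authenticated user to tie up the server. Constrain it to a positive integer with a small upper bound: a codec such as the project's `PositiveIntegerGreaterThanZero` if it is importable in this file, plus an explicit cap enforced in the route handler, and document the limit next to the field, e.g. `// invocationCount: number of simulated rule runs; must be a positive integer and is capped server-side`. The handler that consumes `previewRulesSchema` is outside this diff, so I cannot confirm whether any cap already exists there.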
+++ b/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts @@ -5,18 +5,18 @@ * 2.0. */ -import { ALERT_FLYOUT, JSON_LINES } from '../../screens/alerts_details'; +import { JSON_TEXT } from '../../screens/alerts_details'; import { expandFirstAlert, waitForAlertsIndexToBeCreated, waitForAlertsPanelToBeLoaded, } from '../../tasks/alerts'; -import { openJsonView, scrollJsonViewToBottom } from '../../tasks/alerts_details'; +import { openJsonView } from '../../tasks/alerts_details'; import { createCustomRuleActivated } from '../../tasks/api_calls/rules'; import { cleanKibana } from '../../tasks/common'; +import { esArchiverCCSLoad } from '../../tasks/es_archiver'; import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login'; -import { esArchiverCCSLoad, esArchiverCCSUnload } from '../../tasks/es_archiver'; import { getUnmappedCCSRule } from '../../objects/rule'; @@ -35,24 +35,14 @@ describe('Alert details with unmapped fields', () => { expandFirstAlert(); }); - afterEach(() => { - esArchiverCCSUnload('unmapped_fields'); - }); - it('Displays the unmapped field on the JSON view', () => { - const expectedUnmappedField = { line: 2, text: ' "unmapped": "This is the unmapped field"' }; + const expectedUnmappedValue = 'This is the unmapped field'; openJsonView(); - scrollJsonViewToBottom(); - - cy.get(ALERT_FLYOUT) - .find(JSON_LINES) - .then((elements) => { - const length = elements.length; - cy.wrap(elements) - .eq(length - expectedUnmappedField.line) - .invoke('text') - .should('include', expectedUnmappedField.text); - }); + + cy.get(JSON_TEXT).then((x) => { + const parsed = JSON.parse(x.text()); + expect(parsed._source.unmapped).to.equal(expectedUnmappedValue); + }); }); }); diff --git a/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx b/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx index c5b866129df49..47ba9e1e9cb8f 100644 
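Review bot: Dropping the `afterEach(() => { esArchiverCCSUnload('unmapped_fields'); })` block means the remote `unmapped_fields` archive is no longer unloaded after the spec, so unless `cleanKibana()` in the `before` hook also clears the CCS cluster (not visible here) the fixture now persists and can bleed into other CCS specs. Keeping the unload, or moving it to an `after` hook if per-test teardown was the problem, restores isolation. The new `JSON.parse(x.text())` assertion is stricter than the old line-scraping one, which is an improvement, but it will throw rather than fail cleanly if `JSON_TEXT` ever renders a truncated document — worth a one-line comment stating that the element is expected to hold the full `_source` JSON.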
--- a/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx +++ b/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import React, { useCallback, useRef, useState } from 'react'; +import React, { useCallback, useRef } from 'react'; import { useDispatch } from 'react-redux'; import { getCaseDetailsUrl, @@ -28,7 +28,6 @@ import { InvestigateInTimelineAction } from '../../../detections/components/aler import { useFetchAlertData } from './helpers'; import { SEND_ALERT_TO_TIMELINE } from './translations'; import { useInsertTimeline } from '../use_insert_timeline'; -import { SpyRoute } from '../../../common/utils/route/spy_routes'; import * as timelineMarkdownPlugin from '../../../common/components/markdown_editor/plugins/timeline'; import { CaseDetailsRefreshContext } from '../../../common/components/endpoint/host_isolation/endpoint_host_isolation_cases_context'; import { getEndpointDetailsPath } from '../../../management/common/routing'; @@ -37,6 +36,7 @@ interface Props { caseId: string; subCaseId?: string; userCanCrud: boolean; + onCaseDataSuccess: (data: Case) => void; } export interface OnUpdateFields { 
@@ -78,175 +78,163 @@ const InvestigateInTimelineActionComponent = (alertIds: string[]) => { ); }; -export const CaseView = React.memo(({ caseId, subCaseId, userCanCrud }: Props) => { - const [spyState, setSpyState] = useState<{ caseTitle: string | undefined }>({ - caseTitle: undefined, - }); - - const onCaseDataSuccess = useCallback( - (data: Case) => { - if (spyState.caseTitle === undefined || spyState.caseTitle !== data.title) { - setSpyState({ caseTitle: data.title }); - } - }, - [spyState.caseTitle] - ); - - const { - cases: casesUi, - application: { navigateToApp }, - } = useKibana().services; - const dispatch = useDispatch(); - const { formatUrl, search } = useFormatUrl(SecurityPageName.case); - const { formatUrl: detectionsFormatUrl, search: detectionsUrlSearch } = useFormatUrl( - SecurityPageName.rules - ); - - const allCasesLink = getCaseUrl(search); - const formattedAllCasesLink = formatUrl(allCasesLink); - const configureCasesHref = formatUrl(getConfigureCasesUrl()); +export const CaseView = React.memo( + ({ caseId, subCaseId, userCanCrud, onCaseDataSuccess }: Props) => { + const { + cases: casesUi, + application: { navigateToApp }, + } = useKibana().services; + const dispatch = useDispatch(); + const { formatUrl, search } = useFormatUrl(SecurityPageName.case); + const { formatUrl: detectionsFormatUrl, search: detectionsUrlSearch } = useFormatUrl( + SecurityPageName.rules + ); - const caseDetailsLink = formatUrl(getCaseDetailsUrl({ id: caseId }), { absolute: true }); - const getCaseDetailHrefWithCommentId = (commentId: string) => - formatUrl(getCaseDetailsUrlWithCommentId({ id: caseId, commentId, subCaseId }), { - absolute: true, - }); + const allCasesLink = getCaseUrl(search); + const formattedAllCasesLink = formatUrl(allCasesLink); + const configureCasesHref = formatUrl(getConfigureCasesUrl()); - const getDetectionsRuleDetailsHref = useCallback( - (ruleId) => detectionsFormatUrl(getRuleDetailsUrl(ruleId ?? 
'', detectionsUrlSearch)), - [detectionsFormatUrl, detectionsUrlSearch] - ); - - const showAlertDetails = useCallback( - (alertId: string, index: string) => { - dispatch( - timelineActions.toggleDetailPanel({ - panelView: 'eventDetail', - timelineId: TimelineId.casePage, - params: { - eventId: alertId, - indexName: index, - }, - }) - ); - }, - [dispatch] - ); + const caseDetailsLink = formatUrl(getCaseDetailsUrl({ id: caseId }), { absolute: true }); + const getCaseDetailHrefWithCommentId = (commentId: string) => + formatUrl(getCaseDetailsUrlWithCommentId({ id: caseId, commentId, subCaseId }), { + absolute: true, + }); - const endpointDetailsHref = (endpointId: string) => - formatUrl( - getEndpointDetailsPath({ - name: 'endpointActivityLog', - selected_endpoint: endpointId, - }) + const getDetectionsRuleDetailsHref = useCallback( + (ruleId) => detectionsFormatUrl(getRuleDetailsUrl(ruleId ?? '', detectionsUrlSearch)), + [detectionsFormatUrl, detectionsUrlSearch] ); - const onComponentInitialized = useCallback(() => { - dispatch( - timelineActions.createTimeline({ - id: TimelineId.casePage, - columns: [], - indexNames: [], - expandedDetail: {}, - show: false, - }) + const showAlertDetails = useCallback( + (alertId: string, index: string) => { + dispatch( + timelineActions.toggleDetailPanel({ + panelView: 'eventDetail', + timelineId: TimelineId.casePage, + params: { + eventId: alertId, + indexName: index, + }, + }) + ); + }, + [dispatch] ); - }, [dispatch]); - const refreshRef = useRef(null); + const endpointDetailsHref = (endpointId: string) => + formatUrl( + getEndpointDetailsPath({ + name: 'endpointActivityLog', + selected_endpoint: endpointId, + }) + ); - return ( - - {casesUi.getCaseView({ - refreshRef, - allCasesNavigation: { - href: formattedAllCasesLink, - onClick: async (e) => { - if (e) { - e.preventDefault(); - } - return navigateToApp(APP_ID, { - deepLinkId: SecurityPageName.case, - path: allCasesLink, - }); - }, - }, - caseDetailsNavigation: { - href: 
caseDetailsLink, - onClick: async (e) => { - if (e) { - e.preventDefault(); - } - return navigateToApp(APP_ID, { - deepLinkId: SecurityPageName.case, - path: getCaseDetailsUrl({ id: caseId }), - }); - }, - }, - caseId, - configureCasesNavigation: { - href: configureCasesHref, - onClick: async (e) => { - if (e) { - e.preventDefault(); - } - return navigateToApp(APP_ID, { - deepLinkId: SecurityPageName.case, - path: getConfigureCasesUrl(search), - }); + const onComponentInitialized = useCallback(() => { + dispatch( + timelineActions.createTimeline({ + id: TimelineId.casePage, + columns: [], + indexNames: [], + expandedDetail: {}, + show: false, + }) + ); + }, [dispatch]); + + const refreshRef = useRef(null); + + return ( + + {casesUi.getCaseView({ + refreshRef, + allCasesNavigation: { + href: formattedAllCasesLink, + onClick: async (e) => { + if (e) { + e.preventDefault(); + } + return navigateToApp(APP_ID, { + deepLinkId: SecurityPageName.case, + path: allCasesLink, + }); + }, }, - }, - getCaseDetailHrefWithCommentId, - onCaseDataSuccess, - onComponentInitialized, - actionsNavigation: { - href: endpointDetailsHref, - onClick: (endpointId: string, e) => { - if (e) { - e.preventDefault(); - } - return navigateToApp(APP_ID, { - path: getEndpointDetailsPath({ - name: 'endpointActivityLog', - selected_endpoint: endpointId, - }), - }); + caseDetailsNavigation: { + href: caseDetailsLink, + onClick: async (e) => { + if (e) { + e.preventDefault(); + } + return navigateToApp(APP_ID, { + deepLinkId: SecurityPageName.case, + path: getCaseDetailsUrl({ id: caseId }), + }); + }, }, - }, - ruleDetailsNavigation: { - href: getDetectionsRuleDetailsHref, - onClick: async (ruleId: string | null | undefined, e) => { - if (e) { - e.preventDefault(); - } - return navigateToApp(APP_ID, { - deepLinkId: SecurityPageName.rules, - path: getRuleDetailsUrl(ruleId ?? 
''), - }); + caseId, + configureCasesNavigation: { + href: configureCasesHref, + onClick: async (e) => { + if (e) { + e.preventDefault(); + } + return navigateToApp(APP_ID, { + deepLinkId: SecurityPageName.case, + path: getConfigureCasesUrl(search), + }); + }, }, - }, - showAlertDetails, - subCaseId, - timelineIntegration: { - editor_plugins: { - parsingPlugin: timelineMarkdownPlugin.parser, - processingPluginRenderer: timelineMarkdownPlugin.renderer, - uiPlugin: timelineMarkdownPlugin.plugin, + getCaseDetailHrefWithCommentId, + onCaseDataSuccess, + onComponentInitialized, + actionsNavigation: { + href: endpointDetailsHref, + onClick: (endpointId: string, e) => { + if (e) { + e.preventDefault(); + } + return navigateToApp(APP_ID, { + path: getEndpointDetailsPath({ + name: 'endpointActivityLog', + selected_endpoint: endpointId, + }), + }); + }, }, - hooks: { - useInsertTimeline, + ruleDetailsNavigation: { + href: getDetectionsRuleDetailsHref, + onClick: async (ruleId: string | null | undefined, e) => { + if (e) { + e.preventDefault(); + } + return navigateToApp(APP_ID, { + deepLinkId: SecurityPageName.rules, + path: getRuleDetailsUrl(ruleId ?? ''), + }); + }, }, - ui: { - renderInvestigateInTimelineActionComponent: InvestigateInTimelineActionComponent, - renderTimelineDetailsPanel: TimelineDetailsPanel, + showAlertDetails, + subCaseId, + timelineIntegration: { + editor_plugins: { + parsingPlugin: timelineMarkdownPlugin.parser, + processingPluginRenderer: timelineMarkdownPlugin.renderer, + uiPlugin: timelineMarkdownPlugin.plugin, + }, + hooks: { + useInsertTimeline, + }, + ui: { + renderInvestigateInTimelineActionComponent: InvestigateInTimelineActionComponent, + renderTimelineDetailsPanel: TimelineDetailsPanel, + }, }, - }, - useFetchAlertData, - userCanCrud, - })} - - - ); -}); + useFetchAlertData, + userCanCrud, + })} + + ); + } +); CaseView.displayName = 'CaseView'; 
diff --git a/x-pack/plugins/security_solution/public/cases/pages/case_details.tsx b/x-pack/plugins/security_solution/public/cases/pages/case_details.tsx index e8680b148f940..ea8205cddad59 100644 --- a/x-pack/plugins/security_solution/public/cases/pages/case_details.tsx +++ b/x-pack/plugins/security_solution/public/cases/pages/case_details.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import React, { useEffect } from 'react'; +import React, { useCallback, useEffect, useState } from 'react'; import { useParams } from 'react-router-dom'; import { SecurityPageName } from '../../app/types'; @@ -17,6 +17,7 @@ import { getCaseUrl } from '../../common/components/link_to'; import { navTabs } from '../../app/home/home_navigations'; import { CaseView } from '../components/case_view'; import { APP_ID } from '../../../common/constants'; +import { Case } from '../../../../cases/common'; export const CaseDetailsPage = React.memo(() => { const { @@ -38,6 +39,19 @@ export const CaseDetailsPage = React.memo(() => { } }, [userPermissions, navigateToApp, search]); + const [spyState, setSpyState] = useState<{ caseTitle: string | undefined }>({ + caseTitle: undefined, + }); + + const onCaseDataSuccess = useCallback( + (data: Case) => { + if (spyState.caseTitle === undefined || spyState.caseTitle !== data.title) { + setSpyState({ caseTitle: data.title }); + } + }, + [spyState.caseTitle] + ); + return caseId != null ? ( <> @@ -45,9 +59,10 @@ export const CaseDetailsPage = React.memo(() => { caseId={caseId} subCaseId={subCaseId} userCanCrud={userPermissions?.crud ?? false} + onCaseDataSuccess={onCaseDataSuccess} /> - + ) : null; }); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/helpers.ts b/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/helpers.ts index 1d3135b8cb34a..3d1ac8a185a59 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/helpers.ts 
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/helpers.ts @@ -29,6 +29,8 @@ export const isNoisy = (hits: number, timeframe: Unit): boolean => { return hits > 1; } else if (timeframe === 'd') { return hits / 24 > 1; + } else if (timeframe === 'w') { + return hits / 168 > 1; } else if (timeframe === 'M') { return hits / 730 > 1; } @@ -48,6 +50,12 @@ export const getTimeframeOptions = (ruleType: Type): EuiSelectOption[] => { { value: 'h', text: 'Last hour' }, { value: 'd', text: 'Last day' }, ]; + } else if (ruleType === 'threat_match') { + return [ + { value: 'h', text: i18n.LAST_HOUR }, + { value: 'd', text: i18n.LAST_DAY }, + { value: 'w', text: i18n.LAST_WEEK }, + ]; } else { return [ { value: 'h', text: 'Last hour' }, diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/translations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/translations.ts index 4809a39ef2937..1722a0bdb46d6 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/components/rules/query_preview/translations.ts @@ -7,6 +7,22 @@ import { i18n } from '@kbn/i18n'; +export const LAST_HOUR = i18n.translate('xpack.securitySolution.stepDefineRule.lastHour', { + defaultMessage: 'Last hour', +}); + +export const LAST_DAY = i18n.translate('xpack.securitySolution.stepDefineRule.lastDay', { + defaultMessage: 'Last day', +}); + +export const LAST_WEEK = i18n.translate('xpack.securitySolution.stepDefineRule.lastWeek', { + defaultMessage: 'Last week', +}); + +export const LAST_MONTH = i18n.translate('xpack.securitySolution.stepDefineRule.lastMonth', { + defaultMessage: 'Last month', +}); + export const QUERY_PREVIEW_BUTTON = i18n.translate( 'xpack.securitySolution.stepDefineRule.previewQueryButton', { 
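Review bot: The new threat_match branch of getTimeframeOptions labels its options with `i18n.LAST_HOUR`/`i18n.LAST_DAY`/`i18n.LAST_WEEK` while the neighbouring branches still use the hard-coded strings `'Last hour'` and `'Last day'`, so the same labels now come from two places and only the new branch is translatable; the other branches could switch to the same constants in this commit. In isNoisy the new `hits / 168 > 1` branch follows the existing `24` and `730` divisors, but none of the three is named; a short comment on the new line, `// normalise to hits per hour: 168 hours in a week`, would help the next reader. The threat_match options also omit the month timeframe that isNoisy handles and the other branches appear to offer; if that is deliberate because the preview route in this commit only accepts hour/day/week invocation counts, a comment saying so would stop someone re-adding it.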
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.test.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.test.tsx index 7936c24e8635f..26ea6e67e7a47 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.test.tsx @@ -11,6 +11,7 @@ import { shallow } from 'enzyme'; import { StepDefineRule } from './index'; jest.mock('../../../../common/lib/kibana'); +jest.mock('../../../containers/detection_engine/alerts/use_preview_index'); describe('StepDefineRule', () => { it('renders correctly', () => { diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx index 785afa49c9791..8379d21714124 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx @@ -57,6 +57,7 @@ import { EqlQueryBar } from '../eql_query_bar'; import { ThreatMatchInput } from '../threatmatch_input'; import { BrowserField, BrowserFields, useFetchIndex } from '../../../../common/containers/source'; import { PreviewQuery } from '../query_preview'; +import { usePreviewIndex } from '../../../containers/detection_engine/alerts/use_preview_index'; const CommonUseField = getUseField({ component: Field }); @@ -136,6 +137,7 @@ const StepDefineRuleComponent: FC = ({ onSubmit, setForm, }) => { + usePreviewIndex(); const mlCapabilities = useMlCapabilities(); const [openTimelineSearch, setOpenTimelineSearch] = useState(false); const [indexModified, setIndexModified] = useState(false); 
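Review bot: `usePreviewIndex()` now runs on every mount of StepDefineRuleComponent, so opening the define step for any rule type issues a POST to the preview-index route, although the preview route added in this commit (preview_rules_route.ts) only serves threat_match rules. If the selected rule type is available in this component, the hook could take an `enabled` flag and skip the request otherwise; at minimum a comment on the call, `// bootstraps the per-space preview index used by the threat_match rule preview`, would explain the side effect to a reader of this component. The component body continues outside the hunk.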
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts index fa850ce6b36ea..eab916f2cf85b 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts @@ -21,6 +21,7 @@ import { getUserPrivilege, createSignalIndex, createHostIsolation, + createPreviewIndex, } from './api'; import { coreMock } from '../../../../../../../../src/core/public/mocks'; @@ -165,6 +166,25 @@ describe('Detections Alerts API', () => { }); }); + describe('createPreviewIndex', () => { + beforeEach(() => { + fetchMock.mockClear(); + fetchMock.mockResolvedValue({ acknowledged: true }); + }); + + test('check parameter url', async () => { + await createPreviewIndex(); + expect(fetchMock).toHaveBeenCalledWith('/api/detection_engine/rules/preview/index', { + method: 'POST', + }); + }); + + test('happy path', async () => { + const previewResp = await createPreviewIndex(); + expect(previewResp).toEqual({ acknowledged: true }); + }); + }); + describe('createHostIsolation', () => { const postMock = coreStartMock.http.post; diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.ts index 88882131fed03..98be810fa264f 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.ts 
@@ -14,6 +14,7 @@ import { DETECTION_ENGINE_INDEX_URL, DETECTION_ENGINE_PRIVILEGES_URL, ALERTS_AS_DATA_FIND_URL, + DETECTION_ENGINE_RULES_PREVIEW_INDEX_URL, } from '../../../../../common/constants'; import { HOST_METADATA_GET_ROUTE } from '../../../../../common/endpoint/constants'; import { KibanaServices } from '../../../../common/lib/kibana'; @@ -132,6 +133,18 @@ export const createSignalIndex = async ({ signal }: BasicSignals): Promise => + KibanaServices.get().http.fetch(DETECTION_ENGINE_RULES_PREVIEW_INDEX_URL, { + method: 'POST', + }); + /** * Get Host Isolation index * diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/use_preview_index.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/use_preview_index.tsx new file mode 100644 index 0000000000000..7a35e35acefe8 --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/use_preview_index.tsx @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useEffect } from 'react'; +import { createPreviewIndex } from './api'; + +export const usePreviewIndex = () => { + useEffect(() => { + createPreviewIndex(); + }, []); +}; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/index.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/index.test.tsx index 45713b6b0667f..7baf3231f9bee 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/index.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/index.test.tsx 
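Review bot: In usePreviewIndex the promise returned by `createPreviewIndex()` is neither awaited nor caught, so a failed POST (network error, the route's 404 when no app client is available, or an Elasticsearch privilege error since the route creates the index as the current user) surfaces as an unhandled promise rejection rather than as anything the component can act on. The effect should mark the call as fire-and-forget and handle rejection, for example `void createPreviewIndex().catch((e: unknown) => { /* surface via the app's error reporting */ });`, or return a status the caller can render. A one-line TSDoc on the hook stating that it bootstraps the preview index once per mount would also help, since the name alone does not say that it performs a write.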
@@ -27,6 +27,7 @@ jest.mock('react-router-dom', () => { }); jest.mock('../../../../../common/lib/kibana'); jest.mock('../../../../containers/detection_engine/lists/use_lists_config'); +jest.mock('../../../../containers/detection_engine/alerts/use_preview_index'); jest.mock('../../../../../common/components/link_to'); jest.mock('../../../../components/user_info'); jest.mock('../../../../../common/hooks/use_app_toasts'); diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx index 9c1667e7b4910..006e497a20a7b 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx @@ -85,6 +85,7 @@ jest.mock('react-router-dom', () => { }); jest.mock('../../../../../common/lib/kibana'); +jest.mock('../../../../containers/detection_engine/alerts/use_preview_index'); const mockRedirectLegacyUrl = jest.fn(); const mockGetLegacyUrlConflict = jest.fn(); diff --git a/x-pack/plugins/security_solution/server/client/client.ts b/x-pack/plugins/security_solution/server/client/client.ts index a94a0fa920c65..12a13e06c2ffe 100644 --- a/x-pack/plugins/security_solution/server/client/client.ts +++ b/x-pack/plugins/security_solution/server/client/client.ts 
@@ -6,18 +6,22 @@ */ import { ConfigType } from '../config'; +import { DEFAULT_PREVIEW_INDEX } from '../../common/constants'; export class AppClient { private readonly signalsIndex: string; private readonly spaceId: string; + private readonly previewIndex: string; constructor(_spaceId: string, private config: ConfigType) { const configuredSignalsIndex = this.config.signalsIndex; this.signalsIndex = `${configuredSignalsIndex}-${_spaceId}`; + this.previewIndex = `${DEFAULT_PREVIEW_INDEX}-${_spaceId}`; this.spaceId = _spaceId; } public getSignalsIndex = (): string => this.signalsIndex; + public getPreviewIndex = (): string => this.previewIndex; public getSpaceId = (): string => this.spaceId; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_preview_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_preview_index_route.ts new file mode 100644 index 0000000000000..f6f5d394c6a90 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_preview_index_route.ts 
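Review bot: The new previewIndex is derived from the DEFAULT_PREVIEW_INDEX constant, whereas the adjacent signalsIndex honours `config.signalsIndex`; if that asymmetry is intended, a comment on the field, `// not user-configurable, unlike signalsIndex`, would stop a reader from looking for a config key. A TSDoc on getPreviewIndex stating that the returned name already carries the per-space suffix would also help callers that build index patterns from it.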
@@ -0,0 +1,88 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + transformError, + getIndexExists, + getPolicyExists, + setPolicy, + createBootstrapIndex, +} from '@kbn/securitysolution-es-utils'; +import type { + AppClient, + SecuritySolutionPluginRouter, + SecuritySolutionRequestHandlerContext, +} from '../../../../types'; +import { DETECTION_ENGINE_RULES_PREVIEW_INDEX_URL } from '../../../../../common/constants'; +import { buildSiemResponse } from '../utils'; +import { getSignalsTemplate, SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; +import previewPolicy from './preview_policy.json'; +import { getIndexVersion } from './get_index_version'; +import { isOutdated } from '../../migrations/helpers'; +import { templateNeedsUpdate } from './check_template_version'; + +export const createPreviewIndexRoute = (router: SecuritySolutionPluginRouter) => { + router.post( + { + path: DETECTION_ENGINE_RULES_PREVIEW_INDEX_URL, + validate: false, + options: { + tags: ['access:securitySolution'], + }, + }, + async (context, request, response) => { + const siemResponse = buildSiemResponse(response); + + try { + const siemClient = context.securitySolution?.getAppClient(); + if (!siemClient) { + return siemResponse.error({ statusCode: 404 }); + } + await createPreviewIndex(context, siemClient); + + return response.ok({ body: { acknowledged: true } }); + } catch (err) { + const error = transformError(err); + return siemResponse.error({ + body: error.message, + statusCode: error.statusCode, + }); + } + } + ); +}; + +export const createPreviewIndex = async ( + context: SecuritySolutionRequestHandlerContext, + siemClient: AppClient +) => { + const esClient = context.core.elasticsearch.client.asCurrentUser; + const index = siemClient.getPreviewIndex(); + + 
const indexExists = await getIndexExists(esClient, index); + + const policyExists = await getPolicyExists(esClient, index); + if (!policyExists) { + await setPolicy(esClient, index, previewPolicy); + } + + if (await templateNeedsUpdate({ alias: index, esClient })) { + await esClient.indices.putIndexTemplate({ + name: index, + body: getSignalsTemplate(index) as Record, + }); + } + + if (indexExists) { + const indexVersion = await getIndexVersion(esClient, index); + if (isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION })) { + await esClient.indices.rollover({ alias: index }); + } + } else { + await createBootstrapIndex(esClient, index); + } +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index b7a0521e5c3ce..2c4a1e43cd4b9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -24,8 +24,8 @@ import signalExtraFields from './signal_extra_fields.json'; @description This value represents the template version assumed by app code. If this number is greater than the user's signals index version, the detections UI will attempt to update the signals template and roll over to - a new signals index. - + a new signals index. + Since we create a new index for new versions, this version on an existing index should never change. If making mappings changes in a patch release, this number should be incremented by 1. 
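Review bot: createPreviewIndex is exported without any documentation of what it sets up, which matters because it reuses the signals template (`getSignalsTemplate(index)`) while attaching the separate preview_policy.json ILM policy, and the two can drift independently. A TSDoc of the form `/** Ensures the per-space preview index exists: applies preview_policy.json (rollover after one day, delete phase one day after rollover), installs the signals index template under the preview name, and rolls over an existing index whose version is behind SIGNALS_TEMPLATE_VERSION. */` would capture that. `indexExists` is also read before the policy and template writes; that is harmless here, but moving the call next to the `if (indexExists)` branch it feeds would make the sequence easier to follow, and the `as Record<…>` cast on the template body deserves a short comment on why putIndexTemplate does not accept getSignalsTemplate's return type directly.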
@@ -43,8 +43,8 @@ export const SIGNALS_TEMPLATE_VERSION = 57; This version number can change over time on existing indices as we add backwards compatibility fields. - If any .siem-signals- indices have an aliases_version less than this value, the detections - UI will call create_index_route and and go through the index update process. Increment this number if + If any .siem-signals- indices have an aliases_version less than this value, the detections + UI will call create_index_route and and go through the index update process. Increment this number if making changes to the field aliases we use to make signals forwards-compatible. */ export const SIGNALS_FIELD_ALIASES_VERSION = 1; @@ -52,14 +52,14 @@ export const SIGNALS_FIELD_ALIASES_VERSION = 1; /** @constant @type {number} - @description This value represents the minimum required index version (SIGNALS_TEMPLATE_VERSION) for EQL + @description This value represents the minimum required index version (SIGNALS_TEMPLATE_VERSION) for EQL rules to write signals correctly. If the write index has a `version` less than this value, the EQL rule will throw an error on execution. */ export const MIN_EQL_RULE_INDEX_VERSION = 2; export const ALIAS_VERSION_FIELD = 'aliases_version'; -export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAliasName: string) => { +export const getSignalsTemplate = (index: string, spaceId?: string, aadIndexAliasName?: string) => { const fieldAliases = createSignalsFieldAliases(); const template = { index_patterns: [`${index}-*`], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/preview_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/preview_policy.json new file mode 100644 index 0000000000000..d04983095b172 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/preview_policy.json 
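Review bot: Making `spaceId` and `aadIndexAliasName` optional in getSignalsTemplate changes its contract for every existing caller, but the hunk shows only the signature; if the body interpolates either value into alias or field names (not visible here), the preview call `getSignalsTemplate(index)` in create_preview_index_route.ts will bake the string `undefined` into the template. The body should be checked for that case, and the function's TSDoc should gain a line explaining which parts of the template are skipped when these arguments are absent. The rest of the function is outside the hunk.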
@@ -0,0 +1,21 @@
+{
+ "policy": {
+ "phases": {
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "1d",
+ "max_primary_shard_size": "50gb"
+ }
+ },
+ "min_age": "0ms"
+ },
+ "delete": {
+ "min_age": "1d",
+ "actions": {
+ "delete": {}
+ }
+ }
+ }
+ }
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/preview_rules_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/preview_rules_route.ts
new file mode 100644
index 0000000000000..7af4127848bb1
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/preview_rules_route.ts
@@ -0,0 +1,226 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import moment from 'moment'; +import uuid from 'uuid'; +import { transformError } from '@kbn/securitysolution-es-utils'; +import { buildSiemResponse } from '../utils'; +import { convertCreateAPIToInternalSchema } from '../../schemas/rule_converters'; +import { RuleParams } from '../../schemas/rule_schemas'; +import { signalRulesAlertType } from '../../signals/signal_rule_alert_type'; +import { createWarningsAndErrors } from '../../signals/preview/preview_rule_execution_log_client'; +import { parseInterval } from '../../signals/utils'; +import { buildMlAuthz } from '../../../machine_learning/authz'; +import { throwHttpError } from '../../../machine_learning/validation'; +import { buildRouteValidation } from '../../../../utils/build_validation/route_validation'; +import { SetupPlugins } from '../../../../plugin'; +import type { SecuritySolutionPluginRouter } from '../../../../types'; +import { createRuleValidateTypeDependents } from '../../../../../common/detection_engine/schemas/request/create_rules_type_dependents'; +import { DETECTION_ENGINE_RULES_PREVIEW } from '../../../../../common/constants'; +import { previewRulesSchema } from '../../../../../common/detection_engine/schemas/request'; +import { RuleExecutionStatus } from '../../../../../common/detection_engine/schemas/common/schemas'; + +import { + AlertInstanceContext, + AlertInstanceState, + AlertTypeState, + parseDuration, +} from '../../../../../../alerting/common'; +// eslint-disable-next-line @kbn/eslint/no-restricted-paths +import { ExecutorType } from '../../../../../../alerting/server/types'; +import { AlertInstance } from '../../../../../../alerting/server'; +import { ConfigType } from '../../../../config'; +import { 
IEventLogService } from '../../../../../../event_log/server'; +import { alertInstanceFactoryStub } from '../../signals/preview/alert_instance_factory_stub'; +import { CreateRuleOptions } from '../../rule_types/types'; + +enum InvocationCount { + HOUR = 1, + DAY = 24, + WEEK = 168, +} + +export const previewRulesRoute = async ( + router: SecuritySolutionPluginRouter, + config: ConfigType, + ml: SetupPlugins['ml'], + security: SetupPlugins['security'], + ruleOptions: CreateRuleOptions +) => { + router.post( + { + path: DETECTION_ENGINE_RULES_PREVIEW, + validate: { + body: buildRouteValidation(previewRulesSchema), + }, + options: { + tags: ['access:securitySolution'], + }, + }, + async (context, request, response) => { + const siemResponse = buildSiemResponse(response); + const validationErrors = createRuleValidateTypeDependents(request.body); + if (validationErrors.length) { + return siemResponse.error({ statusCode: 400, body: validationErrors }); + } + try { + const savedObjectsClient = context.core.savedObjects.client; + const siemClient = context.securitySolution?.getAppClient(); + if (!siemClient) { + return siemResponse.error({ statusCode: 404 }); + } + + if (request.body.type !== 'threat_match') { + return response.ok({ body: { errors: ['Not an indicator match rule'] } }); + } + + let invocationCount = request.body.invocationCount; + if ( + ![InvocationCount.HOUR, InvocationCount.DAY, InvocationCount.WEEK].includes( + invocationCount + ) + ) { + return response.ok({ body: { errors: ['Invalid invocation count'] } }); + } + + const internalRule = convertCreateAPIToInternalSchema(request.body, siemClient, false); + const previewRuleParams = internalRule.params; + + const mlAuthz = buildMlAuthz({ + license: context.licensing.license, + ml, + request, + savedObjectsClient, + }); + throwHttpError(await mlAuthz.validateRuleType(internalRule.params.type)); + await context.lists?.getExceptionListClient().createEndpointList(); + + const spaceId = siemClient.getSpaceId(); 
+ const previewIndex = siemClient.getPreviewIndex(); + const previewId = uuid.v4(); + const username = security?.authc.getCurrentUser(request)?.username; + const { previewRuleExecutionLogClient, warningsAndErrorsStore } = createWarningsAndErrors(); + const runState: Record = {}; + + const runExecutors = async < + TParams extends RuleParams, + TState extends AlertTypeState, + TInstanceState extends AlertInstanceState, + TInstanceContext extends AlertInstanceContext, + TActionGroupIds extends string = '' + >( + executor: ExecutorType< + TParams, + TState, + TInstanceState, + TInstanceContext, + TActionGroupIds + >, + ruleTypeId: string, + ruleTypeName: string, + params: TParams, + alertInstanceFactory: ( + id: string + ) => Pick< + AlertInstance, + 'getState' | 'replaceState' | 'scheduleActions' | 'scheduleActionsWithSubGroup' + > + ) => { + let statePreview = runState as TState; + + const startedAt = moment(); + const parsedDuration = parseDuration(internalRule.schedule.interval) ?? 0; + startedAt.subtract(moment.duration(parsedDuration * invocationCount)); + + let previousStartedAt = null; + + const rule = { + ...internalRule, + createdAt: new Date(), + createdBy: username ?? 'preview-created-by', + producer: 'preview-producer', + ruleTypeId, + ruleTypeName, + updatedAt: new Date(), + updatedBy: username ?? 
'preview-updated-by', + }; + + while (invocationCount > 0) { + statePreview = (await executor({ + alertId: previewId, + createdBy: rule.createdBy, + name: rule.name, + params, + previousStartedAt, + rule, + services: { + alertInstanceFactory, + savedObjectsClient: context.core.savedObjects.client, + scopedClusterClient: context.core.elasticsearch.client, + }, + spaceId, + startedAt: startedAt.toDate(), + state: statePreview, + tags: [], + updatedBy: rule.updatedBy, + })) as TState; + previousStartedAt = startedAt.toDate(); + startedAt.add(parseInterval(internalRule.schedule.interval)); + invocationCount--; + } + }; + + const signalRuleAlertType = signalRulesAlertType({ + ...ruleOptions, + lists: context.lists, + config, + indexNameOverride: previewIndex, + ruleExecutionLogClientOverride: previewRuleExecutionLogClient, + // unused as we override the ruleExecutionLogClient + eventLogService: {} as unknown as IEventLogService, + eventsTelemetry: undefined, + ml: undefined, + }); + + await runExecutors( + signalRuleAlertType.executor, + signalRuleAlertType.id, + signalRuleAlertType.name, + previewRuleParams, + alertInstanceFactoryStub + ); + + const errors = warningsAndErrorsStore + .filter((item) => item.newStatus === RuleExecutionStatus.failed) + .map((item) => item.message); + + const warnings = warningsAndErrorsStore + .filter( + (item) => + item.newStatus === RuleExecutionStatus['partial failure'] || + item.newStatus === RuleExecutionStatus.warning + ) + .map((item) => item.message); + + return response.ok({ + body: { + previewId, + errors, + warnings, + }, + }); + } catch (err) { + const error = transformError(err as Error); + return siemResponse.error({ + body: { + errors: [error.message], + }, + statusCode: error.statusCode, + }); + } + } + ); +}; 
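Review bot: runExecutors walks the preview window with two different parsers of the same `internalRule.schedule.interval`: the initial offset uses `parseDuration(...) ?? 0` from alerting/common and each iteration advances with `parseInterval(...)` from signals/utils. If the two accept different formats or round differently the simulated runs will not line up with the computed start, and the `?? 0` fallback silently turns an unparseable interval into "start now", after which the loop walks into the future; parsing once up front, rejecting an unparseable interval with a 400 like the other validation errors, and reusing that value in both places would remove both problems. Relatedly, a non-threat_match rule type and an invalid invocationCount are answered with `response.ok` carrying an errors array rather than a 4xx; if that is deliberate for the UI, a comment saying so would keep reviewers from "fixing" it.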
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts index c2e4b926d6375..cda5a82aa8bc4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts @@ -36,7 +36,6 @@ import { bulkCreateFactory, wrapHitsFactory, wrapSequencesFactory } from './fact import { RuleExecutionLogClient, truncateMessageList } from '../rule_execution_log'; import { RuleExecutionStatus } from '../../../../common/detection_engine/schemas/common/schemas'; import { scheduleThrottledNotificationActions } from '../notifications/schedule_throttle_notification_actions'; -import { AlertAttributes } from '../signals/types'; /* eslint-disable complexity */ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = @@ -56,6 +55,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = spaceId, state, updatedBy: updatedByUser, + rule, } = options; let runState = state; const { from, maxSignals, meta, ruleId, timestampOverride, to } = params; @@ -69,17 +69,20 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = eventLogService, underlyingClient: config.ruleExecutionLog.underlyingClient, }); - const ruleSO = await savedObjectsClient.get>( - 'alert', - alertId - ); + + const completeRule = { + ruleConfig: rule, + ruleParams: params, + alertId, + }; const { actions, name, - alertTypeId, schedule: { interval }, - } = ruleSO.attributes; + ruleTypeId, + } = completeRule.ruleConfig; + const refresh = actions.length ? 'wait_for' : false; const buildRuleMessage = buildRuleMessageFactory({ 
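Review bot: `completeRule` is built as an untyped object literal, so its shape is only what inference gives from `rule` and `params`; that is presumably why create_eql_alert_type.ts in this commit has to cast it with `completeRule as CompleteRule<…>`. Annotating it where it is built, `const completeRule: CompleteRule = { ruleConfig: rule, ruleParams: params, alertId };` (with whatever type argument CompleteRule takes, if it is generic — the type is imported from rule_schemas elsewhere in this commit), would let the compiler check the three fields and remove the need for downstream assertions. The enclosing executor starts and ends outside this hunk.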
@@ -97,7 +100,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = spaceId, ruleId: alertId, ruleName: name, - ruleType: alertTypeId, + ruleType: ruleTypeId, }; await ruleStatusClient.logStatusChange({ ...basicLogArguments, @@ -108,8 +111,8 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = const notificationRuleParams: NotificationRuleTypeParams = { ...params, - name: name as string, - id: ruleSO.id as string, + name, + id: alertId, } as unknown as NotificationRuleTypeParams; // check if rule has permissions to access given index pattern @@ -181,7 +184,9 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = interval, maxSignals: DEFAULT_MAX_SIGNALS, buildRuleMessage, + startedAt, }); + if (remainingGap.asMilliseconds() > 0) { const gapString = remainingGap.humanize(); const gapMessage = buildRuleMessage( @@ -220,18 +225,18 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = ); const wrapHits = wrapHitsFactory({ - logger, ignoreFields, mergeStrategy, - ruleSO, + completeRule, spaceId, + signalsIndex: '', }); const wrapSequences = wrapSequencesFactory({ logger, ignoreFields, mergeStrategy, - ruleSO, + completeRule, spaceId, }); @@ -245,7 +250,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = bulkCreate, exceptionItems, listClient, - rule: ruleSO, + completeRule, searchAfterSize, tuple, wrapHits, @@ -290,7 +295,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = const resultsLink = getNotificationResultsLink({ from: fromInMs, to: toInMs, - id: ruleSO.id, + id: alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, }); 
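Review bot: wrapHitsFactory is now called with `signalsIndex: ''`, an empty-string placeholder rather than a real index name, while the logger argument is dropped from this call but kept for the sibling wrapSequencesFactory call just below. If wrapHitsFactory records signalsIndex on the generated alerts, the placeholder propagates into indexed documents; this file already has `ruleDataClient.indexName` for `outputIndex`, so either pass that or add a comment on the line explaining why the empty string is correct here. The executor body continues outside the hunk.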
@@ -299,12 +304,12 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = buildRuleMessage(`Found ${createdSignalsCount} signals for notification.`) ); - if (ruleSO.attributes.throttle != null) { + if (completeRule.ruleConfig.throttle != null) { await scheduleThrottledNotificationActions({ alertInstance: services.alertInstanceFactory(alertId), - throttle: ruleSO.attributes.throttle, + throttle: completeRule.ruleConfig.throttle ?? '', startedAt, - id: ruleSO.id, + id: alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, outputIndex: ruleDataClient.indexName, @@ -358,12 +363,12 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = ); } else { // NOTE: Since this is throttled we have to call it even on an error condition, otherwise it will "reset" the throttle and fire early - if (ruleSO.attributes.throttle != null) { + if (completeRule.ruleConfig.throttle != null) { await scheduleThrottledNotificationActions({ alertInstance: services.alertInstanceFactory(alertId), - throttle: ruleSO.attributes.throttle, + throttle: completeRule.ruleConfig.throttle ?? '', startedAt, - id: ruleSO.id, + id: completeRule.alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, outputIndex: ruleDataClient.indexName, 
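Review bot: Inside the `if (completeRule.ruleConfig.throttle != null)` guard, `throttle: completeRule.ruleConfig.throttle ?? ''` can never take the `''` branch, so the fallback is dead code; if it is there to satisfy the type checker, narrowing once is the cleaner fix: `const { throttle } = completeRule.ruleConfig; if (throttle != null) { ... throttle, ... }`. The same pattern appears in the @@ -358 and @@ -392 hunks below. The three blocks also alternate between `id: alertId` and `id: completeRule.alertId` for the same value; pick one.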
@@ -392,12 +397,12 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = } } catch (error) { // NOTE: Since this is throttled we have to call it even on an error condition, otherwise it will "reset" the throttle and fire early - if (ruleSO.attributes.throttle != null) { + if (completeRule.ruleConfig.throttle != null) { await scheduleThrottledNotificationActions({ alertInstance: services.alertInstanceFactory(alertId), - throttle: ruleSO.attributes.throttle, + throttle: completeRule.ruleConfig.throttle ?? '', startedAt, - id: ruleSO.id, + id: completeRule.alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, outputIndex: ruleDataClient.indexName, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts index f09f013301dea..8b4f50248b5dd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts @@ -7,7 +7,7 @@ import { validateNonExact } from '@kbn/securitysolution-io-ts-utils'; import { EQL_RULE_TYPE_ID } from '../../../../../common/constants'; -import { EqlRuleParams, eqlRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, eqlRuleParams, EqlRuleParams } from '../../schemas/rule_schemas'; import { eqlExecutor } from '../../signals/executors/eql'; import { CreateRuleOptions, SecurityAlertType } from '../types'; @@ -50,7 +50,7 @@ export const createEqlAlertType = ( runOpts: { bulkCreate, exceptionItems, - rule, + completeRule, searchAfterSize, tuple, wrapHits, @@ -65,7 +65,7 @@ export const createEqlAlertType = ( exceptionItems, experimentalFeatures, logger, - rule, + completeRule: completeRule as CompleteRule, searchAfterSize, services, tuple, 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts index a7accc4ae8a0f..3f6d419e6ddd0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts @@ -9,9 +9,8 @@ import { Logger } from 'kibana/server'; import { ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils'; -import { sampleDocNoSortId } from '../../../signals/__mocks__/es_results'; +import { sampleDocNoSortId, sampleRuleGuid } from '../../../signals/__mocks__/es_results'; import { buildAlertGroupFromSequence } from './build_alert_group_from_sequence'; -import { getRulesSchemaMock } from '../../../../../../common/detection_engine/schemas/response/rules_schema.mocks'; import { ALERT_ANCESTORS, ALERT_BUILDING_BLOCK_TYPE, @@ -19,7 +18,8 @@ import { ALERT_GROUP_ID, } from '../../field_maps/field_names'; import { SERVER_APP_ID } from '../../../../../../common/constants'; -import { getQueryRuleParams } from '../../../schemas/rule_schemas.mock'; +import { getCompleteRuleMock, getQueryRuleParams } from '../../../schemas/rule_schemas.mock'; +import { QueryRuleParams } from '../../../schemas/rule_schemas'; const SPACE_ID = 'space'; 
@@ -40,24 +40,7 @@ describe('buildAlert', () => { }); test('it builds an alert as expected without original_event if event does not exist', () => { - const rule = getRulesSchemaMock(); - const ruleSO = { - attributes: { - actions: [], - alertTypeId: 'siem.signals', - createdAt: new Date().toISOString(), - createdBy: 'gandalf', - params: getQueryRuleParams(), - schedule: { interval: '1m' }, - throttle: 'derp', - updatedAt: new Date().toISOString(), - updatedBy: 'galadriel', - ...rule, - }, - id: 'abcd', - references: [], - type: 'rule', - }; + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const eqlSequence = { join_keys: [], events: [ @@ -68,7 +51,7 @@ describe('buildAlert', () => { const alertGroup = buildAlertGroupFromSequence( loggerMock, eqlSequence, - ruleSO, + completeRule, 'allFields', SPACE_ID, jest.fn() @@ -128,14 +111,14 @@ describe('buildAlert', () => { depth: 1, id: alertGroup[0]._id, index: '', - rule: 'abcd', + rule: sampleRuleGuid, type: 'signal', }, { depth: 1, id: alertGroup[1]._id, index: '', - rule: 'abcd', + rule: sampleRuleGuid, type: 'signal', }, ]), diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts index 14e0411522a19..18c02e5bd0804 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts 
@@ -9,10 +9,9 @@ import { ALERT_INSTANCE_ID } from '@kbn/rule-data-utils'; import { Logger } from 'kibana/server'; -import { SavedObject } from 'src/core/types'; import type { ConfigType } from '../../../../../config'; import { buildRuleWithoutOverrides } from '../../../signals/build_rule'; -import { AlertAttributes, Ancestor, SignalSource } from '../../../signals/types'; +import { Ancestor, SignalSource } from '../../../signals/types'; import { RACAlert, WrappedRACAlert } from '../../types'; import { buildAlert, buildAncestors, generateAlertId } from './build_alert'; import { buildBulkBody } from './build_bulk_body'; 
@@ -25,31 +24,32 @@ import { ALERT_GROUP_ID, ALERT_GROUP_INDEX, } from '../../field_maps/field_names'; +import { CompleteRule, RuleParams } from '../../../schemas/rule_schemas'; /** * Takes N raw documents from ES that form a sequence and builds them into N+1 signals ready to be indexed - * one signal for each event in the sequence, and a "shell" signal that ties them all together. All N+1 signals * share the same signal.group.id to make it easy to query them. * @param sequence The raw ES documents that make up the sequence - * @param ruleSO SavedObject representing the rule that found the sequence + * @param completeRule object representing the rule that found the sequence */ export const buildAlertGroupFromSequence = ( logger: Logger, sequence: EqlSequence, - ruleSO: SavedObject, + completeRule: CompleteRule, mergeStrategy: ConfigType['alertMergeStrategy'], spaceId: string | null | undefined, buildReasonMessage: BuildReasonMessage ): WrappedRACAlert[] => { const ancestors: Ancestor[] = sequence.events.flatMap((event) => buildAncestors(event)); - if (ancestors.some((ancestor) => ancestor?.rule === ruleSO.id)) { + if (ancestors.some((ancestor) => ancestor?.rule === completeRule.alertId)) { return []; } let buildingBlocks: RACAlert[] = []; try { buildingBlocks = sequence.events.map((event) => ({ - ...buildBulkBody(spaceId, ruleSO, event, mergeStrategy, [], false, buildReasonMessage), + ...buildBulkBody(spaceId, completeRule, event, mergeStrategy, [], false, buildReasonMessage), [ALERT_BUILDING_BLOCK_TYPE]: 'default', })); } catch (error) { 
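Review bot: The early return `if (ancestors.some((ancestor) => ancestor?.rule === completeRule.alertId)) { return []; }` silently drops the whole sequence and carries no comment explaining why, which is the one non-obvious line in this hunk. Since the comparison is against the rule's own alert id, it appears to be a guard against a rule re-alerting on alerts it produced; a one-line comment such as `// Drop sequences that already contain alerts from this rule, so a rule cannot alert on its own output` would make that intent explicit for the next reader. The `@param completeRule` line could likewise say what parts are consumed here (alertId for the ancestor check, the rest via buildBulkBody). buildAlertGroupFromSequence continues past the end of this hunk.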
@@ -70,7 +70,7 @@ export const buildAlertGroupFromSequence = ( // Now that we have an array of building blocks for the events in the sequence, // we can build the signal that links the building blocks together // and also insert the group id (which is also the "shell" signal _id) in each building block - const doc = buildAlertRoot(wrappedBuildingBlocks, ruleSO, spaceId, buildReasonMessage); + const doc = buildAlertRoot(wrappedBuildingBlocks, completeRule, spaceId, buildReasonMessage); const sequenceAlert = { _id: generateAlertId(doc), _index: '', @@ -87,11 +87,11 @@ export const buildAlertGroupFromSequence = ( export const buildAlertRoot = ( wrappedBuildingBlocks: WrappedRACAlert[], - ruleSO: SavedObject, + completeRule: CompleteRule, spaceId: string | null | undefined, buildReasonMessage: BuildReasonMessage ): RACAlert => { - const rule = buildRuleWithoutOverrides(ruleSO); + const rule = buildRuleWithoutOverrides(completeRule); const reason = buildReasonMessage({ rule }); const doc = buildAlert(wrappedBuildingBlocks, rule, spaceId, reason); const mergedAlerts = objectArrayIntersection(wrappedBuildingBlocks.map((alert) => alert._source)); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts index 56ad78594e9fd..d127c3e3bbaad 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts 
@@ -6,16 +6,16 @@ */ import { TIMESTAMP } from '@kbn/rule-data-utils'; -import { SavedObject } from 'src/core/types'; import { BaseHit } from '../../../../../../common/detection_engine/types'; import type { ConfigType } from '../../../../../config'; import { buildRuleWithOverrides, buildRuleWithoutOverrides } from '../../../signals/build_rule'; import { BuildReasonMessage } from '../../../signals/reason_formatters'; import { getMergeStrategy } from '../../../signals/source_fields_merging/strategies'; -import { AlertAttributes, SignalSource, SignalSourceHit, SimpleHit } from '../../../signals/types'; +import { SignalSource, SignalSourceHit, SimpleHit } from '../../../signals/types'; import { RACAlert } from '../../types'; import { additionalAlertFields, buildAlert } from './build_alert'; import { filterSource } from './filter_source'; +import { CompleteRule, RuleParams } from '../../../schemas/rule_schemas'; const isSourceDoc = ( hit: SignalSourceHit @@ -28,13 +28,13 @@ const isSourceDoc = ( * "best effort" merged "fields" with the "_source" object, then build the signal object, * then the event object, and finally we strip away any additional temporary data that was added * such as the "threshold_result". - * @param ruleSO The rule saved object to build overrides + * @param completeRule The rule saved object to build overrides * @param doc The SignalSourceHit with "_source", "fields", and additional data such as "threshold_result" * @returns The body that can be added to a bulk call for inserting the signal. */ export const buildBulkBody = ( spaceId: string | null | undefined, - ruleSO: SavedObject, + completeRule: CompleteRule, doc: SimpleHit, mergeStrategy: ConfigType['alertMergeStrategy'], ignoreFields: ConfigType['alertIgnoreFields'], 
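Review bot: The renamed TSDoc line `@param completeRule The rule saved object to build overrides` is now stale: the parameter type is `CompleteRule` and the `SavedObject` import is removed in the same hunk, so the value is no longer a saved object. Suggest `@param completeRule The rule (alertId, ruleParams, ruleConfig) whose params are used to build overrides`. The same stale wording does not appear in the other hunks of this file, so one fix suffices. buildBulkBody's parameter list and body continue past the end of this hunk.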
@@ -43,8 +43,8 @@ export const buildBulkBody = ( ): RACAlert => { const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields }); const rule = applyOverrides - ? buildRuleWithOverrides(ruleSO, mergedDoc._source ?? {}) - : buildRuleWithoutOverrides(ruleSO); + ? buildRuleWithOverrides(completeRule, mergedDoc._source ?? {}) + : buildRuleWithoutOverrides(completeRule); const filteredSource = filterSource(mergedDoc); const timestamp = new Date().toISOString(); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_hits_factory.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_hits_factory.ts index 69c1821a35edd..744e74a135920 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_hits_factory.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_hits_factory.ts 
@@ -5,54 +5,49 @@ * 2.0. */ -import { Logger } from 'kibana/server'; - -import type { ConfigType } from '../../../../config'; -import { filterDuplicateSignals } from '../../signals/filter_duplicate_signals'; -import { SearchAfterAndBulkCreateParams, SimpleHit, WrapHits } from '../../signals/types'; +import { CompleteRule, RuleParams } from '../../schemas/rule_schemas'; +import { ConfigType } from '../../../../config'; +import { SimpleHit, WrapHits } from '../../signals/types'; import { generateId } from '../../signals/utils'; import { buildBulkBody } from './utils/build_bulk_body'; +import { filterDuplicateSignals } from '../../signals/filter_duplicate_signals'; +import { WrappedRACAlert } from '../types'; export const wrapHitsFactory = ({ - logger, + completeRule, ignoreFields, mergeStrategy, - ruleSO, + signalsIndex, spaceId, }: { - logger: Logger; - ruleSO: SearchAfterAndBulkCreateParams['ruleSO']; - mergeStrategy: ConfigType['alertMergeStrategy']; + completeRule: CompleteRule; ignoreFields: ConfigType['alertIgnoreFields']; + mergeStrategy: ConfigType['alertMergeStrategy']; + signalsIndex: string; spaceId: string | null | undefined; }): WrapHits => (events, buildReasonMessage) => { - try { - const wrappedDocs = events.map((event) => { - return { - _index: '', - _id: generateId( - event._index, - event._id, - String(event._version), - ruleSO.attributes.params.ruleId ?? '' - ), - _source: buildBulkBody( - spaceId, - ruleSO, - event as SimpleHit, - mergeStrategy, - ignoreFields, - true, - buildReasonMessage - ), - }; - }); + const wrappedDocs: WrappedRACAlert[] = events.flatMap((event) => [ + { + _index: signalsIndex, + _id: generateId( + event._index, + event._id, + String(event._version), + completeRule.ruleParams.ruleId ?? 
'' + ), + _source: buildBulkBody( + spaceId, + completeRule, + event as SimpleHit, + mergeStrategy, + ignoreFields, + true, + buildReasonMessage + ), + }, + ]); - return filterDuplicateSignals(ruleSO.id, wrappedDocs, true); - } catch (error) { - logger.error(error); - return []; - } + return filterDuplicateSignals(completeRule.alertId, wrappedDocs, false); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_sequences_factory.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_sequences_factory.ts index 9315f096552d8..916b7f4801e8e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_sequences_factory.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_sequences_factory.ts @@ -7,21 +7,22 @@ import { Logger } from 'kibana/server'; -import { SearchAfterAndBulkCreateParams, WrapSequences } from '../../signals/types'; +import { WrapSequences } from '../../signals/types'; import { buildAlertGroupFromSequence } from './utils/build_alert_group_from_sequence'; import { ConfigType } from '../../../../config'; import { WrappedRACAlert } from '../types'; +import { CompleteRule, RuleParams } from '../../schemas/rule_schemas'; export const wrapSequencesFactory = ({ logger, - ruleSO, + completeRule, ignoreFields, mergeStrategy, spaceId, }: { logger: Logger; - ruleSO: SearchAfterAndBulkCreateParams['ruleSO']; + completeRule: CompleteRule; ignoreFields: ConfigType['alertIgnoreFields']; mergeStrategy: ConfigType['alertMergeStrategy']; spaceId: string | null | undefined; @@ -33,7 +34,7 @@ export const wrapSequencesFactory = ...buildAlertGroupFromSequence( logger, sequence, - ruleSO, + completeRule, mergeStrategy, spaceId, buildReasonMessage 
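Review bot: The `try { ... } catch (error) { logger.error(error); return []; }` wrapper is removed, so an exception from `generateId` or `buildBulkBody` on a single event now propagates out of the `wrapHits` callback instead of being logged and yielding an empty batch; if the caller does not catch it, one malformed document can abort the whole rule run, so either confirm the caller handles this or keep the catch. The third argument to `filterDuplicateSignals` also flips from `true` to `false` with no comment, and since the flag's meaning is not visible here a named constant or a trailing comment stating what `false` selects would help (`return filterDuplicateSignals(completeRule.alertId, wrappedDocs, false); // <meaning of flag>`). Minor: `events.flatMap((event) => [ { ... } ])` with a one-element array is just `events.map`, which reads more directly.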
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts index 1bd3d411adf11..89e8e7f70e4aa 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts @@ -50,6 +50,8 @@ describe('Indicator Match Alerts', () => { threatQuery: '*:*', to: 'now', type: 'threat_match', + query: '*:*', + language: 'kuery', }; const { services, dependencies, executor } = createRuleTypeMocks('threat_match', params); const securityRuleTypeWrapper = createSecurityRuleTypeWrapper({ diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts index ee0688840811a..ae2a1d4165938 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts @@ -7,7 +7,7 @@ import { validateNonExact } from '@kbn/securitysolution-io-ts-utils'; import { INDICATOR_RULE_TYPE_ID } from '../../../../../common/constants'; -import { ThreatRuleParams, threatRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, threatRuleParams, ThreatRuleParams } from '../../schemas/rule_schemas'; import { threatMatchExecutor } from '../../signals/executors/threat_match'; import { CreateRuleOptions, SecurityAlertType } from '../types'; 
@@ -52,7 +52,7 @@ export const createIndicatorMatchAlertType = ( bulkCreate, exceptionItems, listClient, - rule, + completeRule, searchAfterSize, tuple, wrapHits, @@ -69,7 +69,7 @@ export const createIndicatorMatchAlertType = ( eventsTelemetry: undefined, listClient, logger, - rule, + completeRule: completeRule as CompleteRule, searchAfterSize, services, tuple, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts index 756757c7c9956..afc6995c748c0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts @@ -7,7 +7,11 @@ import { validateNonExact } from '@kbn/securitysolution-io-ts-utils'; import { ML_RULE_TYPE_ID } from '../../../../../common/constants'; -import { MachineLearningRuleParams, machineLearningRuleParams } from '../../schemas/rule_schemas'; +import { + CompleteRule, + machineLearningRuleParams, + MachineLearningRuleParams, +} from '../../schemas/rule_schemas'; import { mlExecutor } from '../../signals/executors/ml'; import { CreateRuleOptions, SecurityAlertType } from '../types'; @@ -52,7 +56,7 @@ export const createMlAlertType = ( bulkCreate, exceptionItems, listClient, - rule, + completeRule, tuple, wrapHits, }, @@ -67,7 +71,7 @@ export const createMlAlertType = ( listClient, logger, ml, - rule, + completeRule: completeRule as CompleteRule, services, tuple, wrapHits, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.test.ts index 638c40c13cfe2..40ef2b46ed8d9 100644 
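Review bot: `completeRule: completeRule as CompleteRule` relies on a type assertion to hand the destructured `completeRule` to the executor, and the same cast appears in the ML hunk on this line, the query hunk that follows, and the threshold hunk after it (the generic argument may have been dropped by the page rendering). An assertion bypasses the checker: if `RunOpts.completeRule` is the broad `CompleteRule` and each executor wants the narrowed variant, a generic on `RunOpts`/`CreateRuleOptions` keyed by the rule type, or a narrowing that reuses the already-imported `validateNonExact`, would let the compiler prove the narrowing instead of asserting it. If the cast has to stay, a short comment on why it is safe at this call site (the rule type was validated by the params schema above) would keep a reviewer from flagging it again.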
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.test.ts @@ -51,6 +51,7 @@ describe('Custom Query Alerts', () => { index: ['*'], from: 'now-1m', to: 'now', + language: 'kuery', }; services.scopedClusterClient.asCurrentUser.search.mockReturnValue( @@ -95,6 +96,8 @@ describe('Custom Query Alerts', () => { index: ['*'], from: 'now-1m', to: 'now', + language: 'kuery', + type: 'query', }; services.scopedClusterClient.asCurrentUser.search.mockReturnValue( diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.ts index aa2b25c422221..1830b6900de22 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.ts @@ -7,7 +7,7 @@ import { validateNonExact } from '@kbn/securitysolution-io-ts-utils'; import { QUERY_RULE_TYPE_ID } from '../../../../../common/constants'; -import { QueryRuleParams, queryRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, queryRuleParams, QueryRuleParams } from '../../schemas/rule_schemas'; import { queryExecutor } from '../../signals/executors/query'; import { CreateRuleOptions, SecurityAlertType } from '../types'; @@ -52,7 +52,7 @@ export const createQueryAlertType = ( bulkCreate, exceptionItems, listClient, - rule, + completeRule, searchAfterSize, tuple, wrapHits, @@ -69,7 +69,7 @@ export const createQueryAlertType = ( eventsTelemetry: undefined, listClient, logger, - rule, + completeRule: completeRule as CompleteRule, searchAfterSize, services, tuple, 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts index 2b3c1c0a8965b..3fcf5e36709ee 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts @@ -7,7 +7,7 @@ import { validateNonExact } from '@kbn/securitysolution-io-ts-utils'; import { THRESHOLD_RULE_TYPE_ID } from '../../../../../common/constants'; -import { thresholdRuleParams, ThresholdRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, thresholdRuleParams, ThresholdRuleParams } from '../../schemas/rule_schemas'; import { thresholdExecutor } from '../../signals/executors/threshold'; import { ThresholdAlertState } from '../../signals/types'; import { CreateRuleOptions, SecurityAlertType } from '../types'; @@ -48,7 +48,7 @@ export const createThresholdAlertType = ( producer: 'security-solution', async executor(execOptions) { const { - runOpts: { buildRuleMessage, bulkCreate, exceptionItems, rule, tuple, wrapHits }, + runOpts: { buildRuleMessage, bulkCreate, exceptionItems, completeRule, tuple, wrapHits }, services, startedAt, state, @@ -60,7 +60,7 @@ export const createThresholdAlertType = ( exceptionItems, experimentalFeatures, logger, - rule, + completeRule: completeRule as CompleteRule, services, startedAt, state, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts index 393cb00939b24..545f00ddeacd8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts 
@@ -12,7 +12,6 @@ import { Logger } from '@kbn/logging'; import { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { AlertExecutorOptions, AlertType } from '../../../../../alerting/server'; -import { SavedObject } from '../../../../../../../src/core/server'; import { AlertInstanceContext, AlertInstanceState, @@ -26,10 +25,9 @@ import { PersistenceServices, IRuleDataClient } from '../../../../../rule_regist import { BaseHit } from '../../../../common/detection_engine/types'; import { ConfigType } from '../../../config'; import { SetupPlugins } from '../../../plugin'; -import { RuleParams } from '../schemas/rule_schemas'; +import { CompleteRule, RuleParams } from '../schemas/rule_schemas'; import { BuildRuleMessage } from '../signals/rule_messages'; import { - AlertAttributes, BulkCreate, SearchAfterAndBulkCreateReturnType, WrapHits, @@ -57,7 +55,7 @@ export interface RunOpts { bulkCreate: BulkCreate; exceptionItems: ExceptionListItemSchema[]; listClient: ListClient; - rule: SavedObject>; + completeRule: CompleteRule; searchAfterSize: number; tuple: { to: Moment; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.mock.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.mock.ts index 506f40af2ee79..47b66e7cc3bbb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.mock.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.mock.ts 
@@ -10,12 +10,16 @@ import { getListArrayMock } from '../../../../common/detection_engine/schemas/ty import { getThreatMappingMock } from '../signals/threat_mapping/build_threat_mapping_filter.mock'; import { BaseRuleParams, + CompleteRule, EqlRuleParams, MachineLearningRuleParams, QueryRuleParams, + RuleParams, ThreatRuleParams, ThresholdRuleParams, } from './rule_schemas'; +import { SanitizedRuleConfig } from '../../../../../alerting/common'; +import { sampleRuleGuid } from '../signals/__mocks__/es_results'; const getBaseRuleParams = (): BaseRuleParams => { return { @@ -132,3 +136,29 @@ export const getThreatRuleParams = (): ThreatRuleParams => { itemsPerSearch: undefined, }; }; + +export const getRuleConfigMock = (type: string = 'rule-type'): SanitizedRuleConfig => ({ + actions: [], + enabled: true, + name: 'rule-name', + tags: ['some fake tag 1', 'some fake tag 2'], + createdBy: 'sample user', + createdAt: new Date('2020-03-27T22:55:59.577Z'), + updatedAt: new Date('2020-03-27T22:55:59.577Z'), + updatedBy: 'sample user', + schedule: { + interval: '5m', + }, + throttle: 'no_actions', + consumer: 'sample consumer', + notifyWhen: null, + producer: 'sample producer', + ruleTypeId: `${type}-id`, + ruleTypeName: type, +}); + +export const getCompleteRuleMock = (params: T): CompleteRule => ({ + alertId: sampleRuleGuid, + ruleParams: params, + ruleConfig: getRuleConfigMock(), +}); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.ts index 578d8c4926b69..365fa962f6277 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.ts 
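Review bot: `getCompleteRuleMock` always calls `getRuleConfigMock()` with the default type, so `ruleConfig.ruleTypeId` is `rule-type-id` and `ruleTypeName` is `rule-type` regardless of which params are passed; a test that checks the type-dependent parts of an alert would not notice a mismatch. If `RuleParams` carries `type` as the fixtures in this diff suggest, `ruleConfig: getRuleConfigMock(params.type),` keeps the mock self-consistent. Both new exports also lack a TSDoc line; `/** Builds a CompleteRule with fixed alertId (sampleRuleGuid) and a generic rule config around the given params. */` would do for `getCompleteRuleMock`.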
@@ -72,6 +72,7 @@ import { EQL_RULE_TYPE_ID, THRESHOLD_RULE_TYPE_ID, } from '../../../../common/constants'; +import { SanitizedRuleConfig } from '../../../../../alerting/common'; const nonEqlLanguages = t.keyof({ kuery: null, lucene: null }); export const baseRuleParams = t.exact( @@ -199,6 +200,12 @@ export type TypeSpecificRuleParams = t.TypeOf; export const ruleParams = t.intersection([baseRuleParams, typeSpecificRuleParams]); export type RuleParams = t.TypeOf; +export interface CompleteRule { + alertId: string; + ruleParams: T; + ruleConfig: SanitizedRuleConfig; +} + export const notifyWhen = t.union([ t.literal('onActionGroupChange'), t.literal('onActiveAlert'), diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/post_rule_preview.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/post_rule_preview.sh new file mode 100644 index 0000000000000..276e66e588189 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/post_rule_preview.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +# +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. +# + +set -e +./check_env_variables.sh + +# Uses a default if no argument is specified +RULES=(${@:-./rules/queries/query_preview_threat_match.json}) + +# Example: ./post_rule.sh +# Example: ./post_rule.sh ./rules/queries/query_with_rule_id.json +# Example glob: ./post_rule.sh ./rules/queries/* +for RULE in "${RULES[@]}" +do { + [ -e "$RULE" ] || continue + curl -s -k \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: 123' \ + -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ + -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/preview \ + -d @${RULE} \ + | jq -S .; +} & +done + +wait 
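Review bot: The new exported `CompleteRule` interface has no TSDoc, and it becomes the type threaded through every executor in this change, so its three fields deserve a one-line contract each. Suggest a block comment along the lines of: `alertId` is the alerting framework's id for this rule (the value compared against alert ancestors and passed to duplicate filtering); `ruleParams` is the type-specific detection params; `ruleConfig` is the sanitized alerting config (schedule, actions, consumer, …). The generic parameter appears to have been stripped by the page rendering, so I cannot tell whether it is constrained to `RuleParams`; if it is, say so in the comment.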
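Review bot: `post_rule_preview.sh` declares `#!/bin/sh` but uses a bash array (`RULES=(...)`, `"${RULES[@]}"`), which is a syntax error under a POSIX `sh` such as dash; change the shebang to `#!/bin/bash` as the array usage requires. The `-u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}` argument is unquoted (a password containing spaces or globs breaks the command) and, as with any `-u user:pass` on the command line, the credentials are visible to other local users via the process list for the lifetime of the request; `-u "${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"` fixes the quoting, and `--netrc-file`/a curl config read from stdin avoids the process-list exposure. The example comments (`# Example: ./post_rule.sh ...`) name a different script; they should read `./post_rule_preview.sh`. `-k` disables TLS certificate verification, which is presumably acceptable for this dev-only script family but worth a comment saying so.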
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_preview_threat_match.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_preview_threat_match.json new file mode 100644 index 0000000000000..64ec976da769b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_preview_threat_match.json @@ -0,0 +1,49 @@ +{ + "name": "preview query", + "description": "preview query for custom query rule", + "false_positives": [ + "https://www.example.com/some-article-about-a-false-positive", + "some text string about why another condition could be a false positive" + ], + "rule_id": "preview-placeholder-rule-id", + "filters": [ + { + "exists": { + "field": "file.hash.md5" + } + } + ], + "enabled": false, + "invocationCount": 500, + "index": ["custom-events"], + "interval": "5m", + "query": "file.hash.md5 : *", + "language": "kuery", + "risk_score": 1, + "tags": ["tag 1", "tag 2", "any tag you want"], + "to": "now", + "from": "now-6m", + "severity": "high", + "type": "threat_match", + "references": [ + "http://www.example.com/some-article-about-attack", + "Some plain text string here explaining why this is a valid thing to look out for" + ], + "timeline_id": "timeline_id", + "timeline_title": "timeline_title", + "threat_index": ["custom-threats"], + "threat_query": "*:*", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + } + ], + "note": "# note markdown", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts index 00286e9f0d3c9..f7c8f1ffd6de7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts @@ -9,7 +9,6 @@ import { sampleDocNoSortId, sampleIdGuid, sampleDocWithAncestors, - sampleRuleSO, sampleWrappedSignalHit, expectedRule, } from './__mocks__/es_results'; @@ -22,7 +21,12 @@ import { } from './build_bulk_body'; import { SignalHit, SignalSourceHit } from './types'; import { SIGNALS_TEMPLATE_VERSION } from '../routes/index/get_signals_template'; -import { getQueryRuleParams, getThresholdRuleParams } from '../schemas/rule_schemas.mock'; +import { + getCompleteRuleMock, + getQueryRuleParams, + getThresholdRuleParams, +} from '../schemas/rule_schemas.mock'; +import { QueryRuleParams, ThresholdRuleParams } from '../schemas/rule_schemas'; // This allows us to not have to use ts-expect-error with delete in the code. type SignalHitOptionalTimestamp = Omit & { @@ -35,12 +39,12 @@ describe('buildBulkBody', () => { }); test('bulk body builds well-defined body', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const doc = sampleDocNoSortId(); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); delete doc._source.source; const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody( - ruleSO, + completeRule, doc, 'missingFields', [], @@ -93,7 +97,7 @@ describe('buildBulkBody', () => { }); test('bulk body builds well-defined body with threshold results', () => { - const ruleSO = sampleRuleSO(getThresholdRuleParams()); + const completeRule = getCompleteRuleMock(getThresholdRuleParams()); const baseDoc = sampleDocNoSortId(); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); const doc: SignalSourceHit & { _source: Required['_source'] } = { 
@@ -112,7 +116,7 @@ describe('buildBulkBody', () => { }; delete doc._source.source; const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody( - ruleSO, + completeRule, doc, 'missingFields', [], @@ -187,7 +191,7 @@ describe('buildBulkBody', () => { }); test('bulk body builds original_event if it exists on the event to begin with', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const doc = sampleDocNoSortId(); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); delete doc._source.source; @@ -198,7 +202,7 @@ describe('buildBulkBody', () => { kind: 'event', }; const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody( - ruleSO, + completeRule, doc, 'missingFields', [], @@ -260,7 +264,7 @@ describe('buildBulkBody', () => { }); test('bulk body builds original_event if it exists on the event to begin with but no kind information', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const doc = sampleDocNoSortId(); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); delete doc._source.source; @@ -270,7 +274,7 @@ describe('buildBulkBody', () => { dataset: 'socket', }; const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody( - ruleSO, + completeRule, doc, 'missingFields', [], @@ -331,7 +335,7 @@ describe('buildBulkBody', () => { }); test('bulk body builds original_event if it exists on the event to begin with with only kind information', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const doc = sampleDocNoSortId(); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); delete doc._source.source; 
@@ -339,7 +343,7 @@ describe('buildBulkBody', () => { kind: 'event', }; const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody( - ruleSO, + completeRule, doc, 'missingFields', [], @@ -395,7 +399,7 @@ describe('buildBulkBody', () => { }); test('bulk body builds "original_signal" if it exists already as a numeric', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const sampleDoc = sampleDocNoSortId(); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); delete sampleDoc._source.source; @@ -407,7 +411,7 @@ describe('buildBulkBody', () => { }, } as unknown as SignalSourceHit; const { '@timestamp': timestamp, ...fakeSignalSourceHit } = buildBulkBody( - ruleSO, + completeRule, doc, 'missingFields', [], @@ -459,7 +463,7 @@ describe('buildBulkBody', () => { }); test('bulk body builds "original_signal" if it exists already as an object', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const sampleDoc = sampleDocNoSortId(); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); delete sampleDoc._source.source; @@ -471,7 +475,7 @@ describe('buildBulkBody', () => { }, } as unknown as SignalSourceHit; const { '@timestamp': timestamp, ...fakeSignalSourceHit } = buildBulkBody( - ruleSO, + completeRule, doc, 'missingFields', [], 
@@ -531,11 +535,11 @@ describe('buildSignalFromSequence', () => { const block2 = sampleWrappedSignalHit(); block2._source.new_key = 'new_key_value'; const blocks = [block1, block2]; - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); const signal: SignalHitOptionalTimestamp = buildSignalFromSequence( blocks, - ruleSO, + completeRule, buildReasonMessage ); // Timestamp will potentially always be different so remove it for the test @@ -622,11 +626,11 @@ describe('buildSignalFromSequence', () => { const block2 = sampleWrappedSignalHit(); block2._source['@timestamp'] = '2021-05-20T22:28:46+0000'; block2._source.someKey = 'someOtherValue'; - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); const signal: SignalHitOptionalTimestamp = buildSignalFromSequence( [block1, block2], - ruleSO, + completeRule, buildReasonMessage ); // Timestamp will potentially always be different so remove it for the test @@ -712,11 +716,11 @@ describe('buildSignalFromEvent', () => { test('builds a basic signal from a single event', () => { const ancestor = sampleDocWithAncestors().hits.hits[0]; delete ancestor._source.source; - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const completeRule = getCompleteRuleMock(getQueryRuleParams()); const buildReasonMessage = jest.fn().mockReturnValue('reasonable reason'); const signal: SignalHitOptionalTimestamp = buildSignalFromEvent( ancestor, - ruleSO, + completeRule, true, 'missingFields', [], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts index f62e6cebf719b..bccd1f498372e 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts @@ -6,10 +6,8 @@ */ import { TIMESTAMP } from '@kbn/rule-data-utils'; -import { SavedObject } from 'src/core/types'; import { getMergeStrategy } from './source_fields_merging/strategies'; import { - AlertAttributes, SignalSourceHit, SignalHit, Signal, 
@@ -24,25 +22,26 @@ import { EqlSequence } from '../../../../common/detection_engine/types';
 import { generateSignalId, wrapBuildingBlocks, wrapSignal } from './utils';
 import type { ConfigType } from '../../../config';
 import { BuildReasonMessage } from './reason_formatters';
+import { CompleteRule, RuleParams } from '../schemas/rule_schemas';
 
 /**
 * Formats the search_after result for insertion into the signals index. We first create a
 * "best effort" merged "fields" with the "_source" object, then build the signal object,
 * then the event object, and finally we strip away any additional temporary data that was added
 * such as the "threshold_result".
- * @param ruleSO The rule saved object to build overrides
+ * @param completeRule The rule object to build overrides
 * @param doc The SignalSourceHit with "_source", "fields", and additional data such as "threshold_result"
 * @returns The body that can be added to a bulk call for inserting the signal.
 */
 export const buildBulkBody = (
- ruleSO: SavedObject,
+ completeRule: CompleteRule,
 doc: SignalSourceHit,
 mergeStrategy: ConfigType['alertMergeStrategy'],
 ignoreFields: ConfigType['alertIgnoreFields'],
 buildReasonMessage: BuildReasonMessage
 ): SignalHit => {
 const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields });
- const rule = buildRuleWithOverrides(ruleSO, mergedDoc._source ?? {});
+ const rule = buildRuleWithOverrides(completeRule, mergedDoc._source ?? {});
 const timestamp = new Date().toISOString();
 const reason = buildReasonMessage({ mergedDoc, rule });
 const signal: Signal = {
@@ -74,12 +73,12 @@ export const buildBulkBody = (
 * one signal for each event in the sequence, and a "shell" signal that ties them all together. All N+1 signals
 * share the same signal.group.id to make it easy to query them.
 * @param sequence The raw ES documents that make up the sequence
- * @param ruleSO SavedObject representing the rule that found the sequence
+ * @param completeRule rule object representing the rule that found the sequence
 * @param outputIndex Index to write the resulting signals to
 */
 export const buildSignalGroupFromSequence = (
 sequence: EqlSequence,
- ruleSO: SavedObject,
+ completeRule: CompleteRule,
 outputIndex: string,
 mergeStrategy: ConfigType['alertMergeStrategy'],
 ignoreFields: ConfigType['alertIgnoreFields'],
@@ -89,7 +88,7 @@ export const buildSignalGroupFromSequence = (
 sequence.events.map((event) => {
 const signal = buildSignalFromEvent(
 event,
- ruleSO,
+ completeRule,
 false,
 mergeStrategy,
 ignoreFields,
@@ -103,7 +102,7 @@ export const buildSignalGroupFromSequence = (
 
 if (
 wrappedBuildingBlocks.some((block) =>
- block._source.signal?.ancestors.some((ancestor) => ancestor.rule === ruleSO.id)
+ block._source.signal?.ancestors.some((ancestor) => ancestor.rule === completeRule.alertId)
 )
 ) {
 return [];
@@ -113,7 +112,7 @@ export const buildSignalGroupFromSequence = (
 // we can build the signal that links the building blocks together
 // and also insert the group id (which is also the "shell" signal _id) in each building block
 const sequenceSignal = wrapSignal(
- buildSignalFromSequence(wrappedBuildingBlocks, ruleSO, buildReasonMessage),
+ buildSignalFromSequence(wrappedBuildingBlocks, completeRule, buildReasonMessage),
 outputIndex
 );
 wrappedBuildingBlocks.forEach((block, idx) => {
@@ -130,10 +129,10 @@ export const buildSignalGroupFromSequence = (
 
 export const buildSignalFromSequence = (
 events: WrappedSignalHit[],
- ruleSO: SavedObject,
+ completeRule: CompleteRule,
 buildReasonMessage: BuildReasonMessage
 ): SignalHit => {
- const rule = buildRuleWithoutOverrides(ruleSO);
+ const rule = buildRuleWithoutOverrides(completeRule);
 const timestamp = new Date().toISOString();
 const mergedEvents = objectArrayIntersection(events.map((event) => event._source));
 const reason = buildReasonMessage({ rule, mergedDoc: mergedEvents as SignalSourceHit });
@@ -157,7 +156,7 @@ export const buildSignalFromSequence = (
 
 export const buildSignalFromEvent = (
 event: BaseSignalHit,
- ruleSO: SavedObject,
+ completeRule: CompleteRule,
 applyOverrides: boolean,
 mergeStrategy: ConfigType['alertMergeStrategy'],
 ignoreFields: ConfigType['alertIgnoreFields'],
@@ -165,8 +164,8 @@ export const buildSignalFromEvent = (
 ): SignalHit => {
 const mergedEvent = getMergeStrategy(mergeStrategy)({ doc: event, ignoreFields });
 const rule = applyOverrides
- ? buildRuleWithOverrides(ruleSO, mergedEvent._source ?? {})
- : buildRuleWithoutOverrides(ruleSO);
+ ? buildRuleWithOverrides(completeRule, mergedEvent._source ?? {})
+ : buildRuleWithoutOverrides(completeRule);
 const timestamp = new Date().toISOString();
 const reason = buildReasonMessage({ mergedDoc: mergedEvent, rule });
 const signal: Signal = {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts
index 012977da2a00f..9ae51688ee676 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts
@@ -6,38 +6,47 @@ */ import { buildRuleWithOverrides, buildRuleWithoutOverrides } from './build_rule'; -import { - sampleDocNoSortId, - expectedRule, - sampleDocSeverity, - sampleRuleSO, -} from './__mocks__/es_results'; +import { sampleDocNoSortId, expectedRule, sampleDocSeverity } from './__mocks__/es_results'; import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema'; import { INTERNAL_RULE_ID_KEY, INTERNAL_IMMUTABLE_KEY } from '../../../../common/constants'; -import { getQueryRuleParams, getThreatRuleParams } from '../schemas/rule_schemas.mock'; -import { ThreatRuleParams } from '../schemas/rule_schemas'; +import { + getCompleteRuleMock, + getQueryRuleParams, + getThreatRuleParams, +} from '../schemas/rule_schemas.mock'; +import { + CompleteRule, + QueryRuleParams, + RuleParams, + ThreatRuleParams, +} from '../schemas/rule_schemas'; describe('buildRuleWithoutOverrides', () => { + let params: RuleParams; + let completeRule: CompleteRule; + + beforeEach(() => { + params = getQueryRuleParams(); + completeRule = getCompleteRuleMock(params); + }); + test('builds a rule using rule alert', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); - const rule = buildRuleWithoutOverrides(ruleSO); + const rule = buildRuleWithoutOverrides(completeRule); expect(rule).toEqual(expectedRule()); }); test('builds a rule and removes internal tags', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); - ruleSO.attributes.tags = [ + completeRule.ruleConfig.tags = [ 'some fake tag 1', 'some fake tag 2', `${INTERNAL_RULE_ID_KEY}:rule-1`, `${INTERNAL_IMMUTABLE_KEY}:true`, ]; - const rule = buildRuleWithoutOverrides(ruleSO); + const rule = buildRuleWithoutOverrides(completeRule); expect(rule.tags).toEqual(['some fake tag 1', 'some fake tag 2']); }); test('it builds a rule as expected with filters present', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); const ruleFilters = [ { query: 'host.name: Rebecca', 
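Review bot: `params` is declared with `let params: RuleParams;` and assigned in `beforeEach`, but no test visible in this hunk reads it — the tests mutate `completeRule.ruleConfig`/`completeRule.ruleParams` directly — so the extra local looks like a leftover of the refactor. `completeRule = getCompleteRuleMock(getQueryRuleParams());` as the only statement in `beforeEach` would express the same setup, unless tests further down the describe block (outside this hunk) use `params`. The `buildRuleWithOverrides` describe in the next hunk repeats the same shape.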
@@ -49,8 +58,8 @@ describe('buildRuleWithoutOverrides', () => { query: 'host.name: Braden', }, ]; - ruleSO.attributes.params.filters = ruleFilters; - const rule = buildRuleWithoutOverrides(ruleSO); + completeRule.ruleParams.filters = ruleFilters; + const rule = buildRuleWithoutOverrides(completeRule); expect(rule.filters).toEqual(ruleFilters); }); @@ -90,8 +99,8 @@ describe('buildRuleWithoutOverrides', () => { threatIndex: ['threat_index'], threatLanguage: 'kuery', }; - const ruleSO = sampleRuleSO(ruleParams); - const threatMatchRule = buildRuleWithoutOverrides(ruleSO); + const threatMatchCompleteRule = getCompleteRuleMock(ruleParams); + const threatMatchRule = buildRuleWithoutOverrides(threatMatchCompleteRule); const expected: Partial = { threat_mapping: ruleParams.threatMapping, threat_filters: ruleParams.threatFilters, @@ -105,10 +114,17 @@ describe('buildRuleWithoutOverrides', () => { }); describe('buildRuleWithOverrides', () => { + let params: RuleParams; + let completeRule: CompleteRule; + + beforeEach(() => { + params = getQueryRuleParams(); + completeRule = getCompleteRuleMock(params); + }); + test('it applies rule name override in buildRule', () => { - const ruleSO = sampleRuleSO(getQueryRuleParams()); - ruleSO.attributes.params.ruleNameOverride = 'someKey'; - const rule = buildRuleWithOverrides(ruleSO, sampleDocNoSortId()._source); + completeRule.ruleParams.ruleNameOverride = 'someKey'; + const rule = buildRuleWithOverrides(completeRule, sampleDocNoSortId()._source!); const expected = { ...expectedRule(), name: 'someValue', @@ -123,8 +139,7 @@ describe('buildRuleWithOverrides', () => { test('it applies risk score override in buildRule', () => { const newRiskScore = 79; - const ruleSO = sampleRuleSO(getQueryRuleParams()); - ruleSO.attributes.params.riskScoreMapping = [ + completeRule.ruleParams.riskScoreMapping = [ { field: 'new_risk_score', // value and risk_score aren't used for anything but are required in the schema 
@@ -135,11 +150,11 @@ describe('buildRuleWithOverrides', () => { ]; const doc = sampleDocNoSortId(); doc._source.new_risk_score = newRiskScore; - const rule = buildRuleWithOverrides(ruleSO, doc._source); + const rule = buildRuleWithOverrides(completeRule, doc._source!); const expected = { ...expectedRule(), risk_score: newRiskScore, - risk_score_mapping: ruleSO.attributes.params.riskScoreMapping, + risk_score_mapping: completeRule.ruleParams.riskScoreMapping, meta: { riskScoreOverridden: true, someMeta: 'someField', @@ -150,8 +165,7 @@ describe('buildRuleWithOverrides', () => { test('it applies severity override in buildRule', () => { const eventSeverity = '42'; - const ruleSO = sampleRuleSO(getQueryRuleParams()); - ruleSO.attributes.params.severityMapping = [ + completeRule.ruleParams.severityMapping = [ { field: 'event.severity', value: eventSeverity, @@ -160,11 +174,11 @@ describe('buildRuleWithOverrides', () => { }, ]; const doc = sampleDocSeverity(Number(eventSeverity)); - const rule = buildRuleWithOverrides(ruleSO, doc._source!); + const rule = buildRuleWithOverrides(completeRule, doc._source!); const expected = { ...expectedRule(), severity: 'critical', - severity_mapping: ruleSO.attributes.params.severityMapping, + severity_mapping: completeRule.ruleParams.severityMapping, meta: { severityOverrideField: 'event.severity', someMeta: 'someField', diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts index 55f22188a7ec8..ab40ce330370c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts 
@@ -5,41 +5,53 @@
 * 2.0.
 */
 
-import { SavedObject } from 'src/core/types';
 import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
 import { buildRiskScoreFromMapping } from './mappings/build_risk_score_from_mapping';
-import { AlertAttributes, SignalSource } from './types';
+import { SignalSource } from './types';
 import { buildSeverityFromMapping } from './mappings/build_severity_from_mapping';
 import { buildRuleNameFromMapping } from './mappings/build_rule_name_from_mapping';
-import { RuleParams } from '../schemas/rule_schemas';
+import { CompleteRule, RuleParams } from '../schemas/rule_schemas';
 import { commonParamsCamelToSnake, typeSpecificCamelToSnake } from '../schemas/rule_converters';
 import { transformTags } from '../routes/rules/utils';
+import { transformAlertToRuleAction } from '../../../../common/detection_engine/transform_actions';
 
-export const buildRuleWithoutOverrides = (ruleSO: SavedObject): RulesSchema => {
- const ruleParams = ruleSO.attributes.params;
+export const buildRuleWithoutOverrides = (completeRule: CompleteRule): RulesSchema => {
+ const ruleParams = completeRule.ruleParams;
+ const {
+ actions,
+ schedule,
+ name,
+ tags,
+ enabled,
+ createdBy,
+ updatedBy,
+ throttle,
+ createdAt,
+ updatedAt,
+ } = completeRule.ruleConfig;
 return {
- id: ruleSO.id,
- actions: ruleSO.attributes.actions,
- interval: ruleSO.attributes.schedule.interval,
- name: ruleSO.attributes.name,
- tags: transformTags(ruleSO.attributes.tags),
- enabled: ruleSO.attributes.enabled,
- created_by: ruleSO.attributes.createdBy,
- updated_by: ruleSO.attributes.updatedBy,
- throttle: ruleSO.attributes.throttle,
- created_at: ruleSO.attributes.createdAt,
- updated_at: ruleSO.updated_at ?? '',
+ actions: actions.map(transformAlertToRuleAction),
+ created_at: createdAt.toISOString(),
+ created_by: createdBy ?? '',
+ enabled,
+ id: completeRule.alertId,
+ interval: schedule.interval,
+ name,
+ tags: transformTags(tags),
+ throttle: throttle ?? undefined,
+ updated_at: updatedAt.toISOString(),
+ updated_by: updatedBy ?? '',
 ...commonParamsCamelToSnake(ruleParams),
 ...typeSpecificCamelToSnake(ruleParams),
 };
 };
 
 export const buildRuleWithOverrides = (
- ruleSO: SavedObject,
+ completeRule: CompleteRule,
 eventSource: SignalSource
 ): RulesSchema => {
- const ruleWithoutOverrides = buildRuleWithoutOverrides(ruleSO);
- return applyRuleOverrides(ruleWithoutOverrides, eventSource, ruleSO.attributes.params);
+ const ruleWithoutOverrides = buildRuleWithoutOverrides(completeRule);
+ return applyRuleOverrides(ruleWithoutOverrides, eventSource, completeRule.ruleParams);
 };
 
 export const applyRuleOverrides = (
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_factory.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_factory.ts
index 29790bb08b8f8..0d08008be72bc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_factory.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_factory.ts
@@ -27,7 +27,8 @@ export const bulkCreateFactory =
 logger: Logger,
 esClient: ElasticsearchClient,
 buildRuleMessage: BuildRuleMessage,
- refreshForBulkCreate: RefreshTypes
+ refreshForBulkCreate: RefreshTypes,
+ indexNameOverride?: string
 ) =>
 async (wrappedDocs: Array>): Promise> => {
 if (wrappedDocs.length === 0) {
@@ -43,7 +44,7 @@ export const bulkCreateFactory =
 const bulkBody = wrappedDocs.flatMap((wrappedDoc) => [
 {
 create: {
- _index: wrappedDoc._index,
+ _index: indexNameOverride ?? wrappedDoc._index,
 _id: wrappedDoc._id,
 },
 },
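Review bot: `createdAt.toISOString()` and `updatedAt.toISOString()` in buildRuleWithoutOverrides will throw if `ruleConfig.createdAt`/`updatedAt` ever arrive as strings rather than `Date` instances; the replaced code read `ruleSO.attributes.createdAt` and `ruleSO.updated_at` as plain strings, and the code that populates `CompleteRule.ruleConfig` is outside this diff, so the Date contract cannot be confirmed from here. Since this runs for every signal during rule execution, a string value would fail the whole rule run instead of one timestamp field; `created_at: new Date(createdAt).toISOString(),` (and the same for `updated_at`) accepts both, or the contract should be stated on the function: `/** ruleConfig.createdAt/updatedAt must be Date instances; a JSON-serialized rule must be rehydrated before calling this. */`. Separately, `throttle: throttle ?? undefined` now converts a `null` throttle to `undefined` where the old code passed the raw attribute through — presumably to satisfy RulesSchema, but a one-line comment saying so would save the next reader a diff archaeology trip.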
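Review bot: The new `indexNameOverride` parameter of bulkCreateFactory is undocumented, and when supplied it silently redirects every document in the bulk request regardless of the `_index` each wrapped signal was built with, so a comment on the parameter should spell that out: `/** When set, every doc is written to this index instead of its own wrappedDoc._index. */`. Because this value becomes the write target of the bulk create, whether the caller validates it against the rule's configured output index is worth checking; that caller is outside this diff. bulkCreateFactory's body begins before and continues after the hunk.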
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts index c2ac2a031ca9b..00acd55234ad2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts @@ -8,7 +8,7 @@ import type { estypes } from '@elastic/elasticsearch'; import { flow, omit } from 'lodash/fp'; import set from 'set-value'; -import { Logger, SavedObject } from '../../../../../../../src/core/server'; +import { Logger } from '../../../../../../../src/core/server'; import { AlertInstanceContext, AlertInstanceState, @@ -17,13 +17,13 @@ import { import { GenericBulkCreateResponse } from './bulk_create_factory'; import { AnomalyResults, Anomaly } from '../../machine_learning'; import { BuildRuleMessage } from './rule_messages'; -import { AlertAttributes, BulkCreate, WrapHits } from './types'; -import { MachineLearningRuleParams } from '../schemas/rule_schemas'; +import { BulkCreate, WrapHits } from './types'; +import { CompleteRule, MachineLearningRuleParams } from '../schemas/rule_schemas'; import { buildReasonMessageForMlAlert } from './reason_formatters'; interface BulkCreateMlSignalsParams { someResult: AnomalyResults; - ruleSO: SavedObject>; + completeRule: CompleteRule; services: AlertServices; logger: Logger; id: string; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.test.ts index e9ca2daa22b08..2f5aaec5ea43f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.test.ts 
@@ -11,12 +11,13 @@ import { alertsMock, AlertServicesMock } from '../../../../../../alerting/server import { eqlExecutor } from './eql'; import { getExceptionListItemSchemaMock } from '../../../../../../lists/common/schemas/response/exception_list_item_schema.mock'; import { getEntryListMock } from '../../../../../../lists/common/schemas/types/entry_list.mock'; -import { getEqlRuleParams } from '../../schemas/rule_schemas.mock'; +import { getCompleteRuleMock, getEqlRuleParams } from '../../schemas/rule_schemas.mock'; import { getIndexVersion } from '../../routes/index/get_index_version'; import { SIGNALS_TEMPLATE_VERSION } from '../../routes/index/get_signals_template'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths import { elasticsearchClientMock } from 'src/core/server/elasticsearch/client/mocks'; import { allowedExperimentalValues } from '../../../../../common/experimental_features'; +import { EqlRuleParams } from '../../schemas/rule_schemas'; jest.mock('../../routes/index/get_index_version'); @@ -26,28 +27,7 @@ describe('eql_executor', () => { let alertServices: AlertServicesMock; (getIndexVersion as jest.Mock).mockReturnValue(SIGNALS_TEMPLATE_VERSION); const params = getEqlRuleParams(); - const eqlSO = { - id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd', - type: 'alert', - version: '1', - updated_at: '2020-03-27T22:55:59.577Z', - attributes: { - actions: [], - alertTypeId: 'siem.signals', - enabled: true, - name: 'rule-name', - tags: ['some fake tag 1', 'some fake tag 2'], - createdBy: 'sample user', - createdAt: '2020-03-27T22:55:59.577Z', - updatedBy: 'sample user', - schedule: { - interval: '5m', - }, - throttle: 'no_actions', - params, - }, - references: [], - }; + const eqlCompleteRule = getCompleteRuleMock(params); const tuple = { from: dateMath.parse(params.from)!, to: dateMath.parse(params.to)!, 
@@ -72,7 +52,7 @@ describe('eql_executor', () => { it('should set a warning when exception list for eql rule contains value list exceptions', async () => { const exceptionItems = [getExceptionListItemSchemaMock({ entries: [getEntryListMock()] })]; const response = await eqlExecutor({ - rule: eqlSO, + completeRule: eqlCompleteRule, tuple, exceptionItems, experimentalFeatures: allowedExperimentalValues, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.ts index 047495031a6df..5317c508b203e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.ts @@ -7,7 +7,6 @@ import { ApiResponse } from '@elastic/elasticsearch'; import { performance } from 'perf_hooks'; -import { SavedObject } from 'src/core/types'; import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { Logger } from 'src/core/server'; import { @@ -20,11 +19,9 @@ import { hasLargeValueItem } from '../../../../../common/detection_engine/utils' import { isOutdated } from '../../migrations/helpers'; import { getIndexVersion } from '../../routes/index/get_index_version'; import { MIN_EQL_RULE_INDEX_VERSION } from '../../routes/index/get_signals_template'; -import { EqlRuleParams } from '../../schemas/rule_schemas'; import { getInputIndex } from '../get_input_output_index'; import { - AlertAttributes, BulkCreate, WrapHits, WrapSequences, 
@@ -36,9 +33,10 @@ import { import { createSearchAfterReturnType, makeFloatString } from '../utils'; import { ExperimentalFeatures } from '../../../../../common/experimental_features'; import { buildReasonMessageForEqlAlert } from '../reason_formatters'; +import { CompleteRule, EqlRuleParams } from '../../schemas/rule_schemas'; export const eqlExecutor = async ({ - rule, + completeRule, tuple, exceptionItems, experimentalFeatures, @@ -50,7 +48,7 @@ export const eqlExecutor = async ({ wrapHits, wrapSequences, }: { - rule: SavedObject>; + completeRule: CompleteRule; tuple: RuleRangeTuple; exceptionItems: ExceptionListItemSchema[]; experimentalFeatures: ExperimentalFeatures; @@ -63,7 +61,9 @@ export const eqlExecutor = async ({ wrapSequences: WrapSequences; }): Promise => { const result = createSearchAfterReturnType(); - const ruleParams = rule.attributes.params; + + const ruleParams = completeRule.ruleParams; + if (hasLargeValueItem(exceptionItems)) { result.warningMessages.push( 'Exceptions that use "is in list" or "is not in list" operators are not applied to EQL rules' diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.test.ts index 89c1392cb67ba..9b93ba182785f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.test.ts 
@@ -10,13 +10,13 @@ import { loggingSystemMock } from 'src/core/server/mocks'; import { alertsMock, AlertServicesMock } from '../../../../../../alerting/server/mocks'; import { mlExecutor } from './ml'; import { getExceptionListItemSchemaMock } from '../../../../../../lists/common/schemas/response/exception_list_item_schema.mock'; -import { getMlRuleParams } from '../../schemas/rule_schemas.mock'; +import { getCompleteRuleMock, getMlRuleParams } from '../../schemas/rule_schemas.mock'; import { buildRuleMessageFactory } from '../rule_messages'; import { getListClientMock } from '../../../../../../lists/server/services/lists/list_client.mock'; import { findMlSignals } from '../find_ml_signals'; import { bulkCreateMlSignals } from '../bulk_create_ml_signals'; import { mlPluginServerMock } from '../../../../../../ml/server/mocks'; -import { sampleRuleSO } from '../__mocks__/es_results'; +import { MachineLearningRuleParams } from '../../schemas/rule_schemas'; jest.mock('../find_ml_signals'); jest.mock('../bulk_create_ml_signals'); @@ -28,17 +28,18 @@ describe('ml_executor', () => { let logger: ReturnType; let alertServices: AlertServicesMock; const params = getMlRuleParams(); - const mlSO = sampleRuleSO(params); + const mlCompleteRule = getCompleteRuleMock(params); + const tuple = { from: dateMath.parse(params.from)!, to: dateMath.parse(params.to)!, maxSignals: params.maxSignals, }; const buildRuleMessage = buildRuleMessageFactory({ - id: mlSO.id, - ruleId: mlSO.attributes.params.ruleId, - name: mlSO.attributes.name, - index: mlSO.attributes.params.outputIndex, + id: mlCompleteRule.alertId, + ruleId: mlCompleteRule.ruleParams.ruleId, + name: mlCompleteRule.ruleConfig.name, + index: mlCompleteRule.ruleParams.outputIndex, }); beforeEach(() => { 
@@ -66,7 +67,7 @@ describe('ml_executor', () => { it('should throw an error if ML plugin was not available', async () => { await expect( mlExecutor({ - rule: mlSO, + completeRule: mlCompleteRule, tuple, ml: undefined, exceptionItems, @@ -83,7 +84,7 @@ describe('ml_executor', () => { it('should record a partial failure if Machine learning job summary was null', async () => { jobsSummaryMock.mockResolvedValue([]); const response = await mlExecutor({ - rule: mlSO, + completeRule: mlCompleteRule, tuple, ml: mlMock, exceptionItems, @@ -109,7 +110,7 @@ describe('ml_executor', () => { ]); const response = await mlExecutor({ - rule: mlSO, + completeRule: mlCompleteRule, tuple, ml: mlMock, exceptionItems, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts index e5776899e4942..155334709e980 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts @@ -6,7 +6,6 @@ */ import { KibanaRequest, Logger } from 'src/core/server'; -import { SavedObject } from 'src/core/types'; import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { AlertInstanceContext, 
@@ -15,17 +14,17 @@ import { } from '../../../../../../alerting/server'; import { ListClient } from '../../../../../../lists/server'; import { isJobStarted } from '../../../../../common/machine_learning/helpers'; -import { SetupPlugins } from '../../../../plugin'; -import { MachineLearningRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, MachineLearningRuleParams } from '../../schemas/rule_schemas'; import { bulkCreateMlSignals } from '../bulk_create_ml_signals'; import { filterEventsAgainstList } from '../filters/filter_events_against_list'; import { findMlSignals } from '../find_ml_signals'; import { BuildRuleMessage } from '../rule_messages'; -import { AlertAttributes, BulkCreate, RuleRangeTuple, WrapHits } from '../types'; +import { BulkCreate, RuleRangeTuple, WrapHits } from '../types'; import { createErrorsFromShard, createSearchAfterReturnType, mergeReturns } from '../utils'; +import { SetupPlugins } from '../../../../plugin'; export const mlExecutor = async ({ - rule, + completeRule, tuple, ml, listClient, @@ -36,7 +35,7 @@ export const mlExecutor = async ({ bulkCreate, wrapHits, }: { - rule: SavedObject>; + completeRule: CompleteRule; tuple: RuleRangeTuple; ml: SetupPlugins['ml']; listClient: ListClient; @@ -48,7 +47,7 @@ export const mlExecutor = async ({ wrapHits: WrapHits; }) => { const result = createSearchAfterReturnType(); - const ruleParams = rule.attributes.params; + const ruleParams = completeRule.ruleParams; if (ml == null) { throw new Error('ML plugin unavailable during rule execution'); } @@ -110,10 +109,10 @@ export const mlExecutor = async ({ const { success, errors, bulkCreateDuration, createdItemsCount, createdItems } = await bulkCreateMlSignals({ someResult: filteredAnomalyResults, - ruleSO: rule, + completeRule, services, logger, - id: rule.id, + id: completeRule.alertId, signalsIndex: ruleParams.outputIndex, buildRuleMessage, bulkCreate, 
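Review bot: `id: completeRule.alertId` is passed to bulkCreateMlSignals alongside `completeRule` itself, so the callee receives the same identifier twice and the two can drift apart if a future caller passes a different `id`; deriving it inside the callee from `completeRule.alertId` and dropping the `id` argument would remove that possibility. The same pattern appears in queryExecutor's searchAfterAndBulkCreate call and as `alertId` in threatMatchExecutor, so if the redundancy is deliberate (the callee signature is outside this diff) a short comment at the call site, e.g. `// id duplicates completeRule.alertId for callers that do not carry the full rule`, would explain it.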
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/query.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/query.ts index f281475fe59eb..2bee175f357f3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/query.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/query.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { SavedObject } from 'src/core/types'; import { Logger } from 'src/core/server'; import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { @@ -17,15 +16,15 @@ import { ListClient } from '../../../../../../lists/server'; import { getFilter } from '../get_filter'; import { getInputIndex } from '../get_input_output_index'; import { searchAfterAndBulkCreate } from '../search_after_bulk_create'; -import { AlertAttributes, RuleRangeTuple, BulkCreate, WrapHits } from '../types'; +import { RuleRangeTuple, BulkCreate, WrapHits } from '../types'; import { TelemetryEventsSender } from '../../../telemetry/sender'; import { BuildRuleMessage } from '../rule_messages'; -import { QueryRuleParams, SavedQueryRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, SavedQueryRuleParams, QueryRuleParams } from '../../schemas/rule_schemas'; import { ExperimentalFeatures } from '../../../../../common/experimental_features'; import { buildReasonMessageForQueryAlert } from '../reason_formatters'; export const queryExecutor = async ({ - rule, + completeRule, tuple, listClient, exceptionItems, @@ -39,7 +38,7 @@ export const queryExecutor = async ({ bulkCreate, wrapHits, }: { - rule: SavedObject>; + completeRule: CompleteRule; tuple: RuleRangeTuple; listClient: ListClient; exceptionItems: ExceptionListItemSchema[]; 
@@ -53,7 +52,8 @@ export const queryExecutor = async ({ bulkCreate: BulkCreate; wrapHits: WrapHits; }) => { - const ruleParams = rule.attributes.params; + const ruleParams = completeRule.ruleParams; + const inputIndex = await getInputIndex({ experimentalFeatures, services, @@ -76,11 +76,11 @@ export const queryExecutor = async ({ tuple, listClient, exceptionsList: exceptionItems, - ruleSO: rule, + completeRule, services, logger, eventsTelemetry, - id: rule.id, + id: completeRule.alertId, inputIndexPattern: inputIndex, signalsIndex: ruleParams.outputIndex, filter: esFilter, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threat_match.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threat_match.ts index 37b2c53636cfd..f2e2590ac1e2d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threat_match.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threat_match.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { SavedObject } from 'src/core/types'; import { Logger } from 'src/core/server'; import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { 
@@ -15,15 +14,15 @@ import { } from '../../../../../../alerting/server'; import { ListClient } from '../../../../../../lists/server'; import { getInputIndex } from '../get_input_output_index'; -import { RuleRangeTuple, AlertAttributes, BulkCreate, WrapHits } from '../types'; +import { RuleRangeTuple, BulkCreate, WrapHits } from '../types'; import { TelemetryEventsSender } from '../../../telemetry/sender'; import { BuildRuleMessage } from '../rule_messages'; import { createThreatSignals } from '../threat_mapping/create_threat_signals'; -import { ThreatRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, ThreatRuleParams } from '../../schemas/rule_schemas'; import { ExperimentalFeatures } from '../../../../../common/experimental_features'; export const threatMatchExecutor = async ({ - rule, + completeRule, tuple, listClient, exceptionItems, @@ -37,7 +36,7 @@ export const threatMatchExecutor = async ({ bulkCreate, wrapHits, }: { - rule: SavedObject>; + completeRule: CompleteRule; tuple: RuleRangeTuple; listClient: ListClient; exceptionItems: ExceptionListItemSchema[]; @@ -51,7 +50,7 @@ export const threatMatchExecutor = async ({ bulkCreate: BulkCreate; wrapHits: WrapHits; }) => { - const ruleParams = rule.attributes.params; + const ruleParams = completeRule.ruleParams; const inputIndex = await getInputIndex({ experimentalFeatures, services, 
@@ -59,32 +58,32 @@ export const threatMatchExecutor = async ({ index: ruleParams.index, }); return createThreatSignals({ - tuple, - threatMapping: ruleParams.threatMapping, - query: ruleParams.query, - inputIndex, - type: ruleParams.type, + alertId: completeRule.alertId, + buildRuleMessage, + bulkCreate, + completeRule, + concurrentSearches: ruleParams.concurrentSearches ?? 1, + eventsTelemetry, + exceptionItems, filters: ruleParams.filters ?? [], + inputIndex, + itemsPerSearch: ruleParams.itemsPerSearch ?? 9000, language: ruleParams.language, - savedId: ruleParams.savedId, - services, - exceptionItems, listClient, logger, - eventsTelemetry, - alertId: rule.id, outputIndex: ruleParams.outputIndex, - ruleSO: rule, + query: ruleParams.query, + savedId: ruleParams.savedId, searchAfterSize, + services, threatFilters: ruleParams.threatFilters ?? [], - threatQuery: ruleParams.threatQuery, - threatLanguage: ruleParams.threatLanguage, - buildRuleMessage, threatIndex: ruleParams.threatIndex, threatIndicatorPath: ruleParams.threatIndicatorPath, - concurrentSearches: ruleParams.concurrentSearches ?? 1, - itemsPerSearch: ruleParams.itemsPerSearch ?? 9000, - bulkCreate, + threatLanguage: ruleParams.threatLanguage, + threatMapping: ruleParams.threatMapping, + threatQuery: ruleParams.threatQuery, + tuple, + type: ruleParams.type, wrapHits, }); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts index 11145405dcc99..e01e3498c2c7a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts 
@@ -13,48 +13,30 @@ import { alertsMock, AlertServicesMock } from '../../../../../../alerting/server import { thresholdExecutor } from './threshold'; import { getExceptionListItemSchemaMock } from '../../../../../../lists/common/schemas/response/exception_list_item_schema.mock'; import { getEntryListMock } from '../../../../../../lists/common/schemas/types/entry_list.mock'; -import { getThresholdRuleParams } from '../../schemas/rule_schemas.mock'; +import { getThresholdRuleParams, getCompleteRuleMock } from '../../schemas/rule_schemas.mock'; import { buildRuleMessageFactory } from '../rule_messages'; import { sampleEmptyDocSearchResults } from '../__mocks__/es_results'; import { allowedExperimentalValues } from '../../../../../common/experimental_features'; +import { ThresholdRuleParams } from '../../schemas/rule_schemas'; describe('threshold_executor', () => { const version = '8.0.0'; let logger: ReturnType; let alertServices: AlertServicesMock; const params = getThresholdRuleParams(); - const thresholdSO = { - id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd', - type: 'alert', - version: '1', - updated_at: '2020-03-27T22:55:59.577Z', - attributes: { - actions: [], - alertTypeId: 'siem.signals', - enabled: true, - name: 'rule-name', - tags: ['some fake tag 1', 'some fake tag 2'], - createdBy: 'sample user', - createdAt: '2020-03-27T22:55:59.577Z', - updatedBy: 'sample user', - schedule: { - interval: '5m', - }, - throttle: 'no_actions', - params, - }, - references: [], - }; + + const thresholdCompleteRule = getCompleteRuleMock(params); + const tuple = { from: dateMath.parse(params.from)!, to: dateMath.parse(params.to)!, maxSignals: params.maxSignals, }; const buildRuleMessage = buildRuleMessageFactory({ - id: thresholdSO.id, - ruleId: thresholdSO.attributes.params.ruleId, - name: thresholdSO.attributes.name, - index: thresholdSO.attributes.params.outputIndex, + id: thresholdCompleteRule.alertId, + ruleId: thresholdCompleteRule.ruleParams.ruleId, + name: 
thresholdCompleteRule.ruleConfig.name, + index: thresholdCompleteRule.ruleParams.outputIndex, }); beforeEach(() => { @@ -69,7 +51,7 @@ describe('threshold_executor', () => { it('should set a warning when exception list for threshold rule contains value list exceptions', async () => { const exceptionItems = [getExceptionListItemSchemaMock({ entries: [getEntryListMock()] })]; const response = await thresholdExecutor({ - rule: thresholdSO, + completeRule: thresholdCompleteRule, tuple, exceptionItems, experimentalFeatures: allowedExperimentalValues, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts index 02cad1e8e508c..1550caba9434a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts @@ -9,7 +9,6 @@ import { SearchHit } from '@elastic/elasticsearch/api/types'; import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { Logger } from 'src/core/server'; -import { SavedObject } from 'src/core/types'; import { AlertInstanceContext, @@ -17,7 +16,7 @@ import { AlertServices, } from '../../../../../../alerting/server'; import { hasLargeValueItem } from '../../../../../common/detection_engine/utils'; -import { ThresholdRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, ThresholdRuleParams } from '../../schemas/rule_schemas'; import { getFilter } from '../get_filter'; import { getInputIndex } from '../get_input_output_index'; import { @@ -27,7 +26,6 @@ import { getThresholdSignalHistory, } from '../threshold'; import { - AlertAttributes, BulkCreate, RuleRangeTuple, SearchAfterAndBulkCreateReturnType, 
@@ -44,7 +42,7 @@ import { ExperimentalFeatures } from '../../../../../common/experimental_feature import { buildThresholdSignalHistory } from '../threshold/build_signal_history'; export const thresholdExecutor = async ({ - rule, + completeRule, tuple, exceptionItems, experimentalFeatures, @@ -57,7 +55,7 @@ export const thresholdExecutor = async ({ bulkCreate, wrapHits, }: { - rule: SavedObject>; + completeRule: CompleteRule; tuple: RuleRangeTuple; exceptionItems: ExceptionListItemSchema[]; experimentalFeatures: ExperimentalFeatures; @@ -71,7 +69,7 @@ export const thresholdExecutor = async ({ wrapHits: WrapHits; }): Promise => { let result = createSearchAfterReturnType(); - const ruleParams = rule.attributes.params; + const ruleParams = completeRule.ruleParams; // Get state or build initial state (on upgrade) const { signalHistory, searchErrors: previousSearchErrors } = state.initialized @@ -150,7 +148,7 @@ export const thresholdExecutor = async ({ const { success, bulkCreateDuration, createdItemsCount, createdItems, errors } = await bulkCreateThresholdSignals({ someResult: thresholdResults, - ruleSO: rule, + completeRule, filter: esFilter, services, logger, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/preview/alert_instance_factory_stub.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/preview/alert_instance_factory_stub.ts new file mode 100644 index 0000000000000..d09314312c78d --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/preview/alert_instance_factory_stub.ts 
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { RuleParams } from '../../schemas/rule_schemas';
+import {
+ AlertInstanceContext,
+ AlertInstanceState,
+ AlertTypeState,
+} from '../../../../../../alerting/common';
+// eslint-disable-next-line @kbn/eslint/no-restricted-paths
+import { AlertInstance } from '../../../../../../alerting/server/alert_instance';
+
+export const alertInstanceFactoryStub = <
+ TParams extends RuleParams,
+ TState extends AlertTypeState,
+ TInstanceState extends AlertInstanceState,
+ TInstanceContext extends AlertInstanceContext,
+ TActionGroupIds extends string = ''
+>(
+ id: string
+) => ({
+ getState() {
+ return {} as unknown as TInstanceState;
+ },
+ replaceState(state: TInstanceState) {
+ return new AlertInstance({
+ state: {} as TInstanceState,
+ meta: { lastScheduledActions: { group: 'default', date: new Date() } },
+ });
+ },
+ scheduleActions(actionGroup: TActionGroupIds, alertcontext: TInstanceContext) {
+ return new AlertInstance({
+ state: {} as TInstanceState,
+ meta: { lastScheduledActions: { group: 'default', date: new Date() } },
+ });
+ },
+ scheduleActionsWithSubGroup(
+ actionGroup: TActionGroupIds,
+ subgroup: string,
+ alertcontext: TInstanceContext
+ ) {
+ return new AlertInstance({
+ state: {} as TInstanceState,
+ meta: { lastScheduledActions: { group: 'default', date: new Date() } },
+ });
+ },
+});
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/preview/preview_rule_execution_log_client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/preview/preview_rule_execution_log_client.ts
new file mode 100644
index 0000000000000..d3ccafddab6e4
--- /dev/null
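Review bot: The stub is undocumented and every method silently discards its input: `getState` returns `{}` cast to `TInstanceState`, and `replaceState`, `scheduleActions` and `scheduleActionsWithSubGroup` ignore `state`, `actionGroup`, `subgroup` and `alertcontext` and hand back a fresh `AlertInstance` with empty state. Add a TSDoc block above `alertInstanceFactoryStub` stating that it exists so a preview execution never schedules real actions and never persists alert-instance state, that anything written through `replaceState` is dropped, and that the returned `AlertInstance` is a throwaway. `TParams` and `TState` are declared but never referenced in the body, so either remove them or say in the comment that they are kept to mirror the real factory's signature. Prefixing the unused parameters with `_` would make the intent visible to lint as well.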
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/preview/preview_rule_execution_log_client.ts
@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { SavedObjectsFindResult } from 'kibana/server';
+import {
+ LogExecutionMetricsArgs,
+ IRuleExecutionLogClient,
+ FindBulkExecutionLogArgs,
+ FindBulkExecutionLogResponse,
+ FindExecutionLogArgs,
+ LogStatusChangeArgs,
+ UpdateExecutionLogArgs,
+} from '../../rule_execution_log';
+import { IRuleStatusSOAttributes } from '../../rules/types';
+
+export const createWarningsAndErrors = () => {
+ const warningsAndErrorsStore: LogStatusChangeArgs[] = [];
+
+ const previewRuleExecutionLogClient: IRuleExecutionLogClient = {
+ async delete(id: string): Promise {
+ return Promise.resolve(undefined);
+ },
+ async find(
+ args: FindExecutionLogArgs
+ ): Promise>> {
+ return Promise.resolve([]);
+ },
+ async findBulk(args: FindBulkExecutionLogArgs): Promise {
+ return Promise.resolve({});
+ },
+ async logStatusChange(args: LogStatusChangeArgs): Promise {
+ warningsAndErrorsStore.push(args);
+ return Promise.resolve(undefined);
+ },
+ async update(args: UpdateExecutionLogArgs): Promise {
+ return Promise.resolve(undefined);
+ },
+ async logExecutionMetrics(args: LogExecutionMetricsArgs): Promise {
+ return Promise.resolve(undefined);
+ },
+ };
+
+ return { previewRuleExecutionLogClient, warningsAndErrorsStore };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts
index 1f46654e855b2..92b66873396ee 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts
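Review bot: `warningsAndErrorsStore` grows by one entry per `logStatusChange` call with no bound and no way to reset it, and nothing here says how the preview caller drains it, so document the contract on the factory: `/** In-memory IRuleExecutionLogClient for rule preview: every logStatusChange call is appended to warningsAndErrorsStore (unbounded) and nothing is written to saved objects or the event log; create a fresh instance per preview run. */`. `find` always resolves to `[]` and `findBulk` to `{}`, so any code that reads execution status back through this client during a preview sees nothing — worth one sentence in that comment. The `async` methods returning `Promise.resolve(...)` are redundant; `async delete(_id: string) {}` behaves the same and marks the unused parameters explicitly.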
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts @@ -8,7 +8,6 @@ import { sampleEmptyDocSearchResults, sampleRuleGuid, - sampleRuleSO, mockLogger, repeatedSearchResultsWithSortId, repeatedSearchResultsWithNoSortId, @@ -27,12 +26,13 @@ import { getSearchListItemResponseMock } from '../../../../../lists/common/schem import { getRuleRangeTuples } from './utils'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths import { elasticsearchClientMock } from 'src/core/server/elasticsearch/client/mocks'; -import { getQueryRuleParams } from '../schemas/rule_schemas.mock'; +import { getCompleteRuleMock, getQueryRuleParams } from '../schemas/rule_schemas.mock'; import { bulkCreateFactory } from './bulk_create_factory'; import { wrapHitsFactory } from './wrap_hits_factory'; import { mockBuildRuleMessage } from './__mocks__/build_rule_message.mock'; import { ResponseError } from '@elastic/elasticsearch/lib/errors'; import { BuildReasonMessage } from './reason_formatters'; +import { QueryRuleParams } from '../schemas/rule_schemas'; const buildRuleMessage = mockBuildRuleMessage; @@ -45,7 +45,7 @@ describe('searchAfterAndBulkCreate', () => { let listClient = listMock.getListClient(); const someGuids = Array.from({ length: 13 }).map(() => uuid.v4()); const sampleParams = getQueryRuleParams(); - const ruleSO = sampleRuleSO(getQueryRuleParams()); + const queryCompleteRule = getCompleteRuleMock(sampleParams); sampleParams.maxSignals = 30; let tuple: RuleRangeTuple; beforeEach(() => { @@ -58,6 +58,7 @@ describe('searchAfterAndBulkCreate', () => { tuple = getRuleRangeTuples({ logger: mockLogger, previousStartedAt: new Date(), + startedAt: new Date(), from: sampleParams.from, to: sampleParams.to, interval: '5m', 
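Review bot: `startedAt: new Date()` and the existing `previousStartedAt: new Date()` in the same `getRuleRangeTuples` call are two separate clock reads, so the gap the helper computes between them varies by however many milliseconds elapse between the two calls. Capture one timestamp, `const now = new Date();`, and pass `now` for both so the tuple fixture is deterministic. The enclosing `beforeEach` continues outside the hunk.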
@@ -71,7 +72,7 @@ describe('searchAfterAndBulkCreate', () => { false ); wrapHits = wrapHitsFactory({ - ruleSO, + completeRule: queryCompleteRule, signalsIndex: DEFAULT_SIGNALS_INDEX, mergeStrategy: 'missingFields', ignoreFields: [], @@ -184,7 +185,7 @@ describe('searchAfterAndBulkCreate', () => { const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ tuple, - ruleSO, + completeRule: queryCompleteRule, listClient, exceptionsList: [exceptionItem], services: mockService, @@ -288,7 +289,7 @@ describe('searchAfterAndBulkCreate', () => { }, ]; const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [exceptionItem], @@ -367,7 +368,7 @@ describe('searchAfterAndBulkCreate', () => { }, ]; const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [exceptionItem], @@ -427,7 +428,7 @@ describe('searchAfterAndBulkCreate', () => { }, ]; const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [exceptionItem], @@ -507,7 +508,7 @@ describe('searchAfterAndBulkCreate', () => { ); const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [], @@ -563,7 +564,7 @@ describe('searchAfterAndBulkCreate', () => { }, ]; const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [exceptionItem], 
@@ -636,7 +637,7 @@ describe('searchAfterAndBulkCreate', () => { }, ]; const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [exceptionItem], @@ -711,7 +712,7 @@ describe('searchAfterAndBulkCreate', () => { ) ); const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [], @@ -766,7 +767,7 @@ describe('searchAfterAndBulkCreate', () => { listClient, exceptionsList: [exceptionItem], tuple, - ruleSO, + completeRule: queryCompleteRule, services: mockService, logger: mockLogger, eventsTelemetry: undefined, @@ -814,7 +815,7 @@ describe('searchAfterAndBulkCreate', () => { listClient, exceptionsList: [exceptionItem], tuple, - ruleSO, + completeRule: queryCompleteRule, services: mockService, logger: mockLogger, eventsTelemetry: undefined, @@ -876,7 +877,7 @@ describe('searchAfterAndBulkCreate', () => { listClient, exceptionsList: [exceptionItem], tuple, - ruleSO, + completeRule: queryCompleteRule, services: mockService, logger: mockLogger, eventsTelemetry: undefined, @@ -996,7 +997,7 @@ describe('searchAfterAndBulkCreate', () => { ); const { success, createdSignalsCount, lastLookBackDate, errors } = await searchAfterAndBulkCreate({ - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [], @@ -1093,7 +1094,7 @@ describe('searchAfterAndBulkCreate', () => { const mockEnrichment = jest.fn((a) => a); const { success, createdSignalsCount, lastLookBackDate } = await searchAfterAndBulkCreate({ enrichment: mockEnrichment, - ruleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionsList: [], 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
index 52b0799f5fe33..09b64fc2b654c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
@@ -23,25 +23,25 @@ import { SearchAfterAndBulkCreateParams, SearchAfterAndBulkCreateReturnType } fr
 // search_after through documents and re-index using bulk endpoint.
 export const searchAfterAndBulkCreate = async ({
- tuple,
- ruleSO,
+ buildReasonMessage,
+ buildRuleMessage,
+ bulkCreate,
+ completeRule,
+ enrichment = identity,
+ eventsTelemetry,
 exceptionsList,
- services,
+ filter,
+ inputIndexPattern,
 listClient,
 logger,
- eventsTelemetry,
- inputIndexPattern,
- filter,
 pageSize,
- buildRuleMessage,
- buildReasonMessage,
- enrichment = identity,
- bulkCreate,
- wrapHits,
+ services,
 sortOrder,
 trackTotalHits,
+ tuple,
+ wrapHits,
 }: SearchAfterAndBulkCreateParams): Promise => {
- const ruleParams = ruleSO.attributes.params;
+ const ruleParams = completeRule.ruleParams;
 let toReturn = createSearchAfterReturnType();
 // sortId tells us where to start our next consecutive search_after query
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts
index f9a2f5cfc0bfe..c55b3e2a297a3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts
@@ -92,9 +92,9 @@ const getPayload = ( ruleTypeName: 'Name of rule', enabled: true, schedule: { - interval: '1h', + interval: '5m', }, - actions: [], + actions: ruleAlert.actions, createdBy: 'elastic', updatedBy: 'elastic', createdAt: new Date('2019-12-13T16:50:33.400Z'), @@ -216,7 +216,7 @@ describe('signal_rule_alert_type', () => { }); it('should warn about the gap between runs if gap is very large', async () => { - payload.previousStartedAt = moment().subtract(100, 'm').toDate(); + payload.previousStartedAt = moment(payload.startedAt).subtract(100, 'm').toDate(); await alert.executor(payload); expect(logger.warn).toHaveBeenCalled(); expect(mockRuleExecutionLogClient.logStatusChange).toHaveBeenNthCalledWith( @@ -357,20 +357,16 @@ describe('signal_rule_alert_type', () => { }, ]; - alertServices.savedObjectsClient.get.mockResolvedValue({ - id: 'rule-id', - type: 'type', - references: [], - attributes: ruleAlert, - }); - payload.params.meta = {}; + const modifiedPayload = getPayload( + ruleAlert, + alertServices + ) as jest.Mocked; - await alert.executor(payload); + await alert.executor(modifiedPayload); expect(scheduleNotificationActions).toHaveBeenCalledWith( expect.objectContaining({ - resultsLink: - '/app/security/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))', + resultsLink: `/app/security/detections/rules/id/${ruleAlert.id}?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))`, }) ); }); 
@@ -390,20 +386,16 @@ describe('signal_rule_alert_type', () => { }, ]; - alertServices.savedObjectsClient.get.mockResolvedValue({ - id: 'rule-id', - type: 'type', - references: [], - attributes: ruleAlert, - }); - delete payload.params.meta; + const modifiedPayload = getPayload( + ruleAlert, + alertServices + ) as jest.Mocked; - await alert.executor(payload); + await alert.executor(modifiedPayload); expect(scheduleNotificationActions).toHaveBeenCalledWith( expect.objectContaining({ - resultsLink: - '/app/security/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))', + resultsLink: `/app/security/detections/rules/id/${ruleAlert.id}?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))`, }) ); }); @@ -423,20 +415,16 @@ describe('signal_rule_alert_type', () => { }, ]; - alertServices.savedObjectsClient.get.mockResolvedValue({ - id: 'rule-id', - type: 'type', - references: [], - attributes: ruleAlert, - }); - payload.params.meta = { kibana_siem_app_url: 'http://localhost' }; + const modifiedPayload = getPayload( + ruleAlert, + alertServices + ) as jest.Mocked; - await alert.executor(payload); + await alert.executor(modifiedPayload); expect(scheduleNotificationActions).toHaveBeenCalledWith( expect.objectContaining({ - resultsLink: - 'http://localhost/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))', + resultsLink: `http://localhost/detections/rules/id/${ruleAlert.id}?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))`, }) ); }); 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts index 0b1524a5682ab..18cdef3048011 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts @@ -6,7 +6,7 @@ */ /* eslint-disable complexity */ -import { Logger, SavedObject } from 'src/core/server'; +import { Logger } from 'src/core/server'; import isEmpty from 'lodash/isEmpty'; import * as t from 'io-ts'; @@ -26,7 +26,7 @@ import { } from '../../../../common/detection_engine/utils'; import { SetupPlugins } from '../../../plugin'; import { getInputIndex } from './get_input_output_index'; -import { AlertAttributes, SignalRuleAlertTypeDefinition, ThresholdAlertState } from './types'; +import { SignalRuleAlertTypeDefinition, ThresholdAlertState } from './types'; import { getListsClient, getExceptions, @@ -59,6 +59,7 @@ import { ruleParams, RuleParams, savedQueryRuleParams, + CompleteRule, } from '../schemas/rule_schemas'; import { bulkCreateFactory } from './bulk_create_factory'; import { wrapHitsFactory } from './wrap_hits_factory'; 
@@ -66,7 +67,11 @@ import { wrapSequencesFactory } from './wrap_sequences_factory'; import { ConfigType } from '../../../config'; import { ExperimentalFeatures } from '../../../../common/experimental_features'; import { injectReferences, extractReferences } from './saved_object_references'; -import { RuleExecutionLogClient, truncateMessageList } from '../rule_execution_log'; +import { + IRuleExecutionLogClient, + RuleExecutionLogClient, + truncateMessageList, +} from '../rule_execution_log'; import { RuleExecutionStatus } from '../../../../common/detection_engine/schemas/common/schemas'; import { scheduleThrottledNotificationActions } from '../notifications/schedule_throttle_notification_actions'; import { IEventLogService } from '../../../../../event_log/server'; @@ -80,15 +85,19 @@ export const signalRulesAlertType = ({ lists, config, eventLogService, + indexNameOverride, + ruleExecutionLogClientOverride, }: { logger: Logger; eventsTelemetry: TelemetryEventsSender | undefined; experimentalFeatures: ExperimentalFeatures; version: string; - ml: SetupPlugins['ml']; + ml: SetupPlugins['ml'] | undefined; lists: SetupPlugins['lists'] | undefined; config: ConfigType; eventLogService: IEventLogService; + indexNameOverride?: string; + ruleExecutionLogClientOverride?: IRuleExecutionLogClient; }): SignalRuleAlertTypeDefinition => { const { alertMergeStrategy: mergeStrategy, alertIgnoreFields: ignoreFields } = config; return { 
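Review bot: The two new options `indexNameOverride` and `ruleExecutionLogClientOverride`, and the widening of `ml` to `SetupPlugins['ml'] | undefined`, carry no documentation at the options type; add a TSDoc line per field, e.g. `/** When set, signals are written to this index instead of params.outputIndex (rule preview). */` and `/** Replaces the saved-object / event-log backed RuleExecutionLogClient (rule preview). */`. With `ml` now possibly undefined, the ML branch later in this function still hands `ml` straight to `mlExecutor`; whether that executor tolerates `undefined` is not visible on this page, so either guard the branch or state in the comment that ML rules cannot run when `ml` is absent. The executor body lies outside this hunk.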
@@ -127,31 +136,40 @@ export const signalRulesAlertType = ({ params, spaceId, updatedBy: updatedByUser, + rule, }) { const { ruleId, maxSignals, meta, outputIndex, timestampOverride, type } = params; const searchAfterSize = Math.min(maxSignals, DEFAULT_SEARCH_AFTER_PAGE_SIZE); let hasError: boolean = false; let result = createSearchAfterReturnType(); - const ruleStatusClient = new RuleExecutionLogClient({ - eventLogService, - savedObjectsClient: services.savedObjectsClient, - underlyingClient: config.ruleExecutionLog.underlyingClient, - }); + const ruleStatusClient = ruleExecutionLogClientOverride + ? ruleExecutionLogClientOverride + : new RuleExecutionLogClient({ + eventLogService, + savedObjectsClient: services.savedObjectsClient, + underlyingClient: config.ruleExecutionLog.underlyingClient, + }); + + const completeRule: CompleteRule = { + alertId, + ruleConfig: rule, + ruleParams: params, + }; - const savedObject = await services.savedObjectsClient.get('alert', alertId); const { actions, name, - alertTypeId, schedule: { interval }, - } = savedObject.attributes; + ruleTypeId, + } = completeRule.ruleConfig; + const refresh = actions.length ? 'wait_for' : false; const buildRuleMessage = buildRuleMessageFactory({ id: alertId, ruleId, name, - index: outputIndex, + index: indexNameOverride ?? outputIndex, }); logger.debug(buildRuleMessage('[+] Starting Signal Rule execution')); @@ -161,7 +179,7 @@ export const signalRulesAlertType = ({ spaceId, ruleId: alertId, ruleName: name, - ruleType: alertTypeId, + ruleType: ruleTypeId, }; await ruleStatusClient.logStatusChange({ @@ -172,7 +190,7 @@ export const signalRulesAlertType = ({ const notificationRuleParams: NotificationRuleTypeParams = { ...params, name, - id: savedObject.id, + id: alertId, }; // check if rule has permissions to access given index pattern 
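Review bot: `indexNameOverride ?? outputIndex` is applied to `buildRuleMessage` here, and further down to `wrapHitsFactory` and the success-path `scheduleThrottledNotificationActions`, but not to `wrapSequencesFactory` (`signalsIndex: params.outputIndex` in the `@@ -268` hunk) nor to the `outputIndex` passed to `scheduleThrottledNotificationActions` in the error and catch branches (`@@ -462` and `@@ -496` hunks), so an EQL preview and the error path would still reference the real signals index. Resolve it once next to `searchAfterSize`, `const signalsIndex = indexNameOverride ?? outputIndex;`, and use that name at every site. `completeRule.ruleConfig` is now the framework-supplied `rule` rather than a saved object fetched through `services.savedObjectsClient`, so the fields read from it (`actions`, `name`, `ruleTypeId`, `schedule.interval`, `throttle`) are only as trustworthy as the `CompleteRule` type pins them, which is not visible here. The executor continues outside this hunk.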
@@ -235,7 +253,9 @@ export const signalRulesAlertType = ({ interval, maxSignals, buildRuleMessage, + startedAt, }); + if (remainingGap.asMilliseconds() > 0) { const gapString = remainingGap.humanize(); const gapMessage = buildRuleMessage( @@ -268,28 +288,32 @@ export const signalRulesAlertType = ({ logger, services.scopedClusterClient.asCurrentUser, buildRuleMessage, - refresh + refresh, + indexNameOverride ); const wrapHits = wrapHitsFactory({ - ruleSO: savedObject, - signalsIndex: params.outputIndex, + completeRule, + signalsIndex: indexNameOverride ?? params.outputIndex, mergeStrategy, ignoreFields, }); const wrapSequences = wrapSequencesFactory({ - ruleSO: savedObject, + completeRule, signalsIndex: params.outputIndex, mergeStrategy, ignoreFields, }); if (isMlRule(type)) { - const mlRuleSO = asTypeSpecificSO(savedObject, machineLearningRuleParams); + const mlRuleCompleteRule = asTypeSpecificCompleteRule( + completeRule, + machineLearningRuleParams + ); for (const tuple of tuples) { result = await mlExecutor({ - rule: mlRuleSO, + completeRule: mlRuleCompleteRule, tuple, ml, listClient, @@ -302,10 +326,13 @@ export const signalRulesAlertType = ({ }); } } else if (isThresholdRule(type)) { - const thresholdRuleSO = asTypeSpecificSO(savedObject, thresholdRuleParams); + const thresholdCompleteRule = asTypeSpecificCompleteRule( + completeRule, + thresholdRuleParams + ); for (const tuple of tuples) { result = await thresholdExecutor({ - rule: thresholdRuleSO, + completeRule: thresholdCompleteRule, tuple, exceptionItems, experimentalFeatures, @@ -320,10 +347,10 @@ export const signalRulesAlertType = ({ }); } } else if (isThreatMatchRule(type)) { - const threatRuleSO = asTypeSpecificSO(savedObject, threatRuleParams); + const threatCompleteRule = asTypeSpecificCompleteRule(completeRule, threatRuleParams); for (const tuple of tuples) { result = await threatMatchExecutor({ - rule: threatRuleSO, + completeRule: threatCompleteRule, tuple, listClient, exceptionItems, 
@@ -339,10 +366,10 @@ export const signalRulesAlertType = ({ }); } } else if (isQueryRule(type)) { - const queryRuleSO = validateQueryRuleTypes(savedObject); + const queryCompleteRule = validateQueryRuleTypes(completeRule); for (const tuple of tuples) { result = await queryExecutor({ - rule: queryRuleSO, + completeRule: queryCompleteRule, tuple, listClient, exceptionItems, @@ -358,10 +385,10 @@ export const signalRulesAlertType = ({ }); } } else if (isEqlRule(type)) { - const eqlRuleSO = asTypeSpecificSO(savedObject, eqlRuleParams); + const eqlCompleteRule = asTypeSpecificCompleteRule(completeRule, eqlRuleParams); for (const tuple of tuples) { result = await eqlExecutor({ - rule: eqlRuleSO, + completeRule: eqlCompleteRule, tuple, exceptionItems, experimentalFeatures, @@ -395,7 +422,7 @@ export const signalRulesAlertType = ({ const resultsLink = getNotificationResultsLink({ from: fromInMs, to: toInMs, - id: savedObject.id, + id: alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, }); @@ -404,15 +431,15 @@ export const signalRulesAlertType = ({ buildRuleMessage(`Found ${result.createdSignalsCount} signals for notification.`) ); - if (savedObject.attributes.throttle != null) { + if (completeRule.ruleConfig.throttle != null) { await scheduleThrottledNotificationActions({ alertInstance: services.alertInstanceFactory(alertId), - throttle: savedObject.attributes.throttle, + throttle: completeRule.ruleConfig.throttle, startedAt, - id: savedObject.id, + id: alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, - outputIndex, + outputIndex: indexNameOverride ?? outputIndex, ruleId, signals: result.createdSignals, esClient: services.scopedClusterClient.asCurrentUser, 
@@ -434,7 +461,9 @@ export const signalRulesAlertType = ({ logger.debug(buildRuleMessage('[+] Signal Rule execution completed.')); logger.debug( buildRuleMessage( - `[+] Finished indexing ${result.createdSignalsCount} signals into ${outputIndex}` + `[+] Finished indexing ${result.createdSignalsCount} signals into ${ + indexNameOverride ?? outputIndex + }` ) ); if (!hasError && !wroteWarningStatus && !result.warning) { @@ -462,12 +491,12 @@ export const signalRulesAlertType = ({ ); } else { // NOTE: Since this is throttled we have to call it even on an error condition, otherwise it will "reset" the throttle and fire early - if (savedObject.attributes.throttle != null) { + if (completeRule.ruleConfig.throttle != null) { await scheduleThrottledNotificationActions({ alertInstance: services.alertInstanceFactory(alertId), - throttle: savedObject.attributes.throttle, + throttle: completeRule.ruleConfig.throttle ?? '', startedAt, - id: savedObject.id, + id: completeRule.alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, outputIndex, @@ -496,12 +525,12 @@ export const signalRulesAlertType = ({ } } catch (error) { // NOTE: Since this is throttled we have to call it even on an error condition, otherwise it will "reset" the throttle and fire early - if (savedObject.attributes.throttle != null) { + if (completeRule.ruleConfig.throttle != null) { await scheduleThrottledNotificationActions({ alertInstance: services.alertInstanceFactory(alertId), - throttle: savedObject.attributes.throttle, + throttle: completeRule.ruleConfig.throttle ?? '', startedAt, - id: savedObject.id, + id: completeRule.alertId, kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined) ?.kibana_siem_app_url, outputIndex, 
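Review bot: Inside `if (completeRule.ruleConfig.throttle != null)` the fallback in `throttle: completeRule.ruleConfig.throttle ?? ''` can never apply, and these two branches differ from the success branch above, which passes `throttle` unguarded and uses `id: alertId` where these use `id: completeRule.alertId`. Make the three `scheduleThrottledNotificationActions` call sites identical, `throttle: completeRule.ruleConfig.throttle, id: alertId`, so a reader does not have to wonder whether the difference is intentional. Both branches belong to the executor whose body extends beyond the hunk.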
@@ -534,11 +563,11 @@ export const signalRulesAlertType = ({ }; }; -const validateQueryRuleTypes = (ruleSO: SavedObject) => { - if (ruleSO.attributes.params.type === 'query') { - return asTypeSpecificSO(ruleSO, queryRuleParams); +const validateQueryRuleTypes = (completeRule: CompleteRule) => { + if (completeRule.ruleParams.type === 'query') { + return asTypeSpecificCompleteRule(completeRule, queryRuleParams); } else { - return asTypeSpecificSO(ruleSO, savedQueryRuleParams); + return asTypeSpecificCompleteRule(completeRule, savedQueryRuleParams); } }; @@ -549,22 +578,19 @@ const validateQueryRuleTypes = (ruleSO: SavedObject) => { * checks if the required type specific fields actually exist on the SO and prevents rule executors from * accessing fields that only exist on other rule types. * - * @param ruleSO SavedObject typed as an object with all fields from all different rule types + * @param completeRule rule typed as an object with all fields from all different rule types * @param schema io-ts schema for the specific rule type the SavedObject claims to be */ -export const asTypeSpecificSO = ( - ruleSO: SavedObject, +export const asTypeSpecificCompleteRule = ( + completeRule: CompleteRule, schema: T ) => { - const [validated, errors] = validateNonExact(ruleSO.attributes.params, schema); + const [validated, errors] = validateNonExact(completeRule.ruleParams, schema); if (validated == null || errors != null) { throw new Error(`Rule attempted to execute with invalid params: ${errors}`); } return { - ...ruleSO, - attributes: { - ...ruleSO.attributes, - params: validated, - }, + ...completeRule, + ruleParams: validated, }; }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signal.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signal.ts index 33ba4723d82b2..bf72a13ba0450 100644 
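Review bot: The TSDoc above `asTypeSpecificCompleteRule` is left describing the old saved-object contract — the context lines still say the fields must "actually exist on the SO" and that `schema` is the "io-ts schema for the specific rule type the SavedObject claims to be" — while the function now takes a `CompleteRule` and validates `completeRule.ruleParams`. Update the two sentences to match the new parameter, e.g. `@param schema io-ts schema for the specific rule type the rule's params claim to be`, so a reader is not sent looking for a SavedObject that no longer exists. It is also worth a one-line `@throws Error when the params fail validation against schema` since `validateQueryRuleTypes` and the EQL branch rely on that exception to abort execution.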
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signal.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signal.ts @@ -14,28 +14,28 @@ import { CreateThreatSignalOptions } from './types'; import { SearchAfterAndBulkCreateReturnType } from '../types'; export const createThreatSignal = async ({ - tuple, - threatMapping, - threatEnrichment, - query, - inputIndex, - type, + alertId, + buildRuleMessage, + bulkCreate, + completeRule, + currentResult, + currentThreatList, + eventsTelemetry, + exceptionItems, filters, + inputIndex, language, - savedId, - services, - exceptionItems, listClient, logger, - eventsTelemetry, - alertId, outputIndex, - ruleSO, + query, + savedId, searchAfterSize, - buildRuleMessage, - currentThreatList, - currentResult, - bulkCreate, + services, + threatEnrichment, + threatMapping, + tuple, + type, wrapHits, }: CreateThreatSignalOptions): Promise => { const threatFilter = buildThreatMappingFilter({ @@ -71,25 +71,25 @@ export const createThreatSignal = async ({ ); const result = await searchAfterAndBulkCreate({ - tuple, - listClient, - exceptionsList: exceptionItems, - ruleSO, - services, - logger, + buildReasonMessage: buildReasonMessageForThreatMatchAlert, + buildRuleMessage, + bulkCreate, + completeRule, + enrichment: threatEnrichment, eventsTelemetry, + exceptionsList: exceptionItems, + filter: esFilter, id: alertId, inputIndexPattern: inputIndex, - signalsIndex: outputIndex, - filter: esFilter, + listClient, + logger, pageSize: searchAfterSize, - buildRuleMessage, - buildReasonMessage: buildReasonMessageForThreatMatchAlert, - enrichment: threatEnrichment, - bulkCreate, - wrapHits, + services, + signalsIndex: outputIndex, sortOrder: 'desc', trackTotalHits: false, + tuple, + wrapHits, }); logger.debug( 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signals.ts index 677a2028acdf7..777445ca67ca8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signals.ts @@ -15,39 +15,39 @@ import { buildExecutionIntervalValidator, combineConcurrentResults } from './uti import { buildThreatEnrichment } from './build_threat_enrichment'; export const createThreatSignals = async ({ - tuple, - threatMapping, - query, - inputIndex, - type, + alertId, + buildRuleMessage, + bulkCreate, + completeRule, + concurrentSearches, + eventsTelemetry, + exceptionItems, filters, + inputIndex, + itemsPerSearch, language, - savedId, - services, - exceptionItems, listClient, logger, - eventsTelemetry, - alertId, outputIndex, - ruleSO, + query, + savedId, searchAfterSize, + services, threatFilters, - threatQuery, - threatLanguage, - buildRuleMessage, threatIndex, threatIndicatorPath, - concurrentSearches, - itemsPerSearch, - bulkCreate, + threatLanguage, + threatMapping, + threatQuery, + tuple, + type, wrapHits, }: CreateThreatSignalsOptions): Promise => { - const params = ruleSO.attributes.params; + const params = completeRule.ruleParams; logger.debug(buildRuleMessage('Indicator matching rule starting')); const perPage = concurrentSearches * itemsPerSearch; const verifyExecutionCanProceed = buildExecutionIntervalValidator( - ruleSO.attributes.schedule.interval + completeRule.ruleConfig.schedule.interval ); let results: SearchAfterAndBulkCreateReturnType = { 
@@ -108,28 +108,28 @@ export const createThreatSignals = async ({ const concurrentSearchesPerformed = chunks.map>( (slicedChunk) => createThreatSignal({ - tuple, - threatEnrichment, - threatMapping, - query, - inputIndex, - type, + alertId, + buildRuleMessage, + bulkCreate, + completeRule, + currentResult: results, + currentThreatList: slicedChunk, + eventsTelemetry, + exceptionItems, filters, + inputIndex, language, - savedId, - services, - exceptionItems, listClient, logger, - eventsTelemetry, - alertId, outputIndex, - ruleSO, + query, + savedId, searchAfterSize, - buildRuleMessage, - currentThreatList: slicedChunk, - currentResult: results, - bulkCreate, + services, + threatEnrichment, + threatMapping, + tuple, + type, wrapHits, }) ); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/types.ts index 38d9d42a4602c..07baa353dddb7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/types.ts 
@@ -24,107 +24,106 @@ import { AlertInstanceState, AlertServices, } from '../../../../../../alerting/server'; -import { ElasticsearchClient, Logger, SavedObject } from '../../../../../../../../src/core/server'; +import { ElasticsearchClient, Logger } from '../../../../../../../../src/core/server'; import { TelemetryEventsSender } from '../../../telemetry/sender'; import { BuildRuleMessage } from '../rule_messages'; import { - AlertAttributes, BulkCreate, RuleRangeTuple, SearchAfterAndBulkCreateReturnType, SignalsEnrichment, WrapHits, } from '../types'; -import { ThreatRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, ThreatRuleParams } from '../../schemas/rule_schemas'; export type SortOrderOrUndefined = 'asc' | 'desc' | undefined; export interface CreateThreatSignalsOptions { - tuple: RuleRangeTuple; - threatMapping: ThreatMapping; - query: string; - inputIndex: string[]; - type: Type; + alertId: string; + buildRuleMessage: BuildRuleMessage; + bulkCreate: BulkCreate; + completeRule: CompleteRule; + concurrentSearches: ConcurrentSearches; + eventsTelemetry: TelemetryEventsSender | undefined; + exceptionItems: ExceptionListItemSchema[]; filters: unknown[]; + inputIndex: string[]; + itemsPerSearch: ItemsPerSearch; language: LanguageOrUndefined; - savedId: string | undefined; - services: AlertServices; - exceptionItems: ExceptionListItemSchema[]; listClient: ListClient; logger: Logger; - eventsTelemetry: TelemetryEventsSender | undefined; - alertId: string; outputIndex: string; - ruleSO: SavedObject>; + query: string; + savedId: string | undefined; searchAfterSize: number; + services: AlertServices; threatFilters: unknown[]; - threatQuery: ThreatQuery; - buildRuleMessage: BuildRuleMessage; threatIndex: ThreatIndex; threatIndicatorPath: ThreatIndicatorPathOrUndefined; threatLanguage: ThreatLanguageOrUndefined; - concurrentSearches: ConcurrentSearches; - itemsPerSearch: ItemsPerSearch; - bulkCreate: BulkCreate; + threatMapping: ThreatMapping; + 
threatQuery: ThreatQuery; + tuple: RuleRangeTuple; + type: Type; wrapHits: WrapHits; } export interface CreateThreatSignalOptions { - tuple: RuleRangeTuple; - threatMapping: ThreatMapping; - threatEnrichment: SignalsEnrichment; - query: string; - inputIndex: string[]; - type: Type; + alertId: string; + buildRuleMessage: BuildRuleMessage; + bulkCreate: BulkCreate; + completeRule: CompleteRule; + currentResult: SearchAfterAndBulkCreateReturnType; + currentThreatList: ThreatListItem[]; + eventsTelemetry: TelemetryEventsSender | undefined; + exceptionItems: ExceptionListItemSchema[]; filters: unknown[]; + inputIndex: string[]; language: LanguageOrUndefined; - savedId: string | undefined; - services: AlertServices; - exceptionItems: ExceptionListItemSchema[]; listClient: ListClient; logger: Logger; - eventsTelemetry: TelemetryEventsSender | undefined; - alertId: string; outputIndex: string; - ruleSO: SavedObject>; + query: string; + savedId: string | undefined; searchAfterSize: number; - buildRuleMessage: BuildRuleMessage; - currentThreatList: ThreatListItem[]; - currentResult: SearchAfterAndBulkCreateReturnType; - bulkCreate: BulkCreate; + services: AlertServices; + threatEnrichment: SignalsEnrichment; + threatMapping: ThreatMapping; + tuple: RuleRangeTuple; + type: Type; wrapHits: WrapHits; } export interface BuildThreatMappingFilterOptions { - threatMapping: ThreatMapping; - threatList: ThreatListItem[]; chunkSize?: number; + threatList: ThreatListItem[]; + threatMapping: ThreatMapping; } export interface FilterThreatMappingOptions { - threatMapping: ThreatMapping; threatListItem: ThreatListItem; + threatMapping: ThreatMapping; } export interface CreateInnerAndClausesOptions { - threatMappingEntries: ThreatMappingEntries; threatListItem: ThreatListItem; + threatMappingEntries: ThreatMappingEntries; } export interface CreateAndOrClausesOptions { - threatMapping: ThreatMapping; threatListItem: ThreatListItem; + threatMapping: ThreatMapping; } export interface 
BuildEntriesMappingFilterOptions { - threatMapping: ThreatMapping; - threatList: ThreatListItem[]; chunkSize: number; + threatList: ThreatListItem[]; + threatMapping: ThreatMapping; } export interface SplitShouldClausesOptions { - should: BooleanFilter[]; chunkSize: number; + should: BooleanFilter[]; } export interface BooleanFilter { @@ -132,35 +131,35 @@ export interface BooleanFilter { } export interface GetThreatListOptions { + buildRuleMessage: BuildRuleMessage; esClient: ElasticsearchClient; - query: string; - language: ThreatLanguageOrUndefined; + exceptionItems: ExceptionListItemSchema[]; index: string[]; + language: ThreatLanguageOrUndefined; + listClient: ListClient; + logger: Logger; perPage?: number; + query: string; searchAfter: string[] | undefined; sortField: string | undefined; sortOrder: SortOrderOrUndefined; threatFilters: unknown[]; - exceptionItems: ExceptionListItemSchema[]; - listClient: ListClient; - buildRuleMessage: BuildRuleMessage; - logger: Logger; } export interface ThreatListCountOptions { esClient: ElasticsearchClient; - query: string; + exceptionItems: ExceptionListItemSchema[]; + index: string[]; language: ThreatLanguageOrUndefined; + query: string; threatFilters: unknown[]; - index: string[]; - exceptionItems: ExceptionListItemSchema[]; } export interface GetSortWithTieBreakerOptions { - sortField: string | undefined; - sortOrder: SortOrderOrUndefined; index: string[]; listItemIndex: string; + sortField: string | undefined; + sortOrder: SortOrderOrUndefined; } export interface ThreatListDoc { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/bulk_create_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/bulk_create_threshold_signals.ts index e2ef2cb6c841d..4dbe1577365d6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/bulk_create_threshold_signals.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/bulk_create_threshold_signals.ts @@ -13,7 +13,7 @@ import { ThresholdNormalized, TimestampOverrideOrUndefined, } from '../../../../../common/detection_engine/schemas/common/schemas'; -import { Logger, SavedObject } from '../../../../../../../../src/core/server'; +import { Logger } from '../../../../../../../../src/core/server'; import { AlertInstanceContext, AlertInstanceState, @@ -33,15 +33,14 @@ import type { SignalSource, SignalSearchResponse, ThresholdSignalHistory, - AlertAttributes, BulkCreate, WrapHits, } from '../types'; -import { ThresholdRuleParams } from '../../schemas/rule_schemas'; +import { CompleteRule, ThresholdRuleParams } from '../../schemas/rule_schemas'; interface BulkCreateThresholdSignalsParams { someResult: SignalSearchResponse; - ruleSO: SavedObject>; + completeRule: CompleteRule; services: AlertServices; inputIndexPattern: string[]; logger: Logger; @@ -228,7 +227,7 @@ export const transformThresholdResultsToEcs = ( export const bulkCreateThresholdSignals = async ( params: BulkCreateThresholdSignalsParams ): Promise> => { - const ruleParams = params.ruleSO.attributes.params; + const ruleParams = params.completeRule.ruleParams; const thresholdResults = params.someResult; const ecsResults = transformThresholdResultsToEcs( thresholdResults, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts index 82b4a46f482b6..c831fb7f00cff 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts 
@@ -28,10 +28,10 @@ import { EqlSequence, } from '../../../../common/detection_engine/types'; import { ListClient } from '../../../../../lists/server'; -import { Logger, SavedObject } from '../../../../../../../src/core/server'; +import { Logger } from '../../../../../../../src/core/server'; import { BuildRuleMessage } from './rule_messages'; import { TelemetryEventsSender } from '../../telemetry/sender'; -import { RuleParams } from '../schemas/rule_schemas'; +import { CompleteRule, RuleParams } from '../schemas/rule_schemas'; import { GenericBulkCreateResponse } from './bulk_create_factory'; import { EcsFieldMap } from '../../../../../rule_registry/common/assets/field_maps/ecs_field_map'; import { TypeOfFieldMap } from '../../../../../rule_registry/common/field_map'; @@ -300,7 +300,7 @@ export interface SearchAfterAndBulkCreateParams { from: moment.Moment; maxSignals: number; }; - ruleSO: SavedObject; + completeRule: CompleteRule; services: AlertServices; listClient: ListClient; exceptionsList: ExceptionListItemSchema[]; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts index ce2b15a46ef6f..840b897997ddc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts @@ -22,7 +22,6 @@ moment.suppressDeprecationWarnings = true; import { generateId, parseInterval, - getDriftTolerance, getGapBetweenRuns, getNumCatchupIntervals, errorAggregator, 
@@ -112,105 +111,13 @@ describe('utils', () => { }); }); - describe('getDriftTolerance', () => { - test('it returns a drift tolerance in milliseconds of 1 minute when "from" overlaps "to" by 1 minute and the interval is 5 minutes', () => { - const drift = getDriftTolerance({ - from: 'now-6m', - to: 'now', - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(1, 'minute').asMilliseconds()); - }); - - test('it returns a drift tolerance of 0 when "from" equals the interval', () => { - const drift = getDriftTolerance({ - from: 'now-5m', - to: 'now', - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift?.asMilliseconds()).toEqual(0); - }); - - test('it returns a drift tolerance of 5 minutes when "from" is 10 minutes but the interval is 5 minutes', () => { - const drift = getDriftTolerance({ - from: 'now-10m', - to: 'now', - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(5, 'minutes').asMilliseconds()); - }); - - test('it returns a drift tolerance of 10 minutes when "from" is 10 minutes ago and the interval is 0', () => { - const drift = getDriftTolerance({ - from: 'now-10m', - to: 'now', - intervalDuration: moment.duration(0, 'milliseconds'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(10, 'minutes').asMilliseconds()); - }); - - test('returns a drift tolerance of 1 minute when "from" is invalid and defaults to "now-6m" and interval is 5 minutes', () => { - const drift = getDriftTolerance({ - from: 'invalid', - to: 'now', - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(1, 'minute').asMilliseconds()); - }); - - test('returns a drift tolerance of 1 minute when "from" does not include `now` and defaults to "now-6m" and 
interval is 5 minutes', () => { - const drift = getDriftTolerance({ - from: '10m', - to: 'now', - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(1, 'minute').asMilliseconds()); - }); - - test('returns a drift tolerance of 4 minutes when "to" is "now-x", from is a valid input and interval is 5 minute', () => { - const drift = getDriftTolerance({ - from: 'now-10m', - to: 'now-1m', - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(4, 'minutes').asMilliseconds()); - }); - - test('it returns expected drift tolerance when "from" is an ISO string', () => { - const drift = getDriftTolerance({ - from: moment().subtract(10, 'minutes').toISOString(), - to: 'now', - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(5, 'minutes').asMilliseconds()); - }); - - test('it returns expected drift tolerance when "to" is an ISO string', () => { - const drift = getDriftTolerance({ - from: 'now-6m', - to: moment().toISOString(), - intervalDuration: moment.duration(5, 'minutes'), - }); - expect(drift).not.toBeNull(); - expect(drift?.asMilliseconds()).toEqual(moment.duration(1, 'minute').asMilliseconds()); - }); - }); - describe('getGapBetweenRuns', () => { test('it returns a gap of 0 when "from" and interval match each other and the previous started was from the previous interval time', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(5, 'minutes').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-5m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(5, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(0); 
@@ -219,10 +126,9 @@ describe('utils', () => { test('it returns a negative gap of 1 minute when "from" overlaps to by 1 minute and the previousStartedAt was 5 minutes ago', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(5, 'minutes').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-6m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(6, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(moment.duration(-1, 'minute').asMilliseconds()); @@ -231,10 +137,9 @@ describe('utils', () => { test('it returns a negative gap of 5 minutes when "from" overlaps to by 1 minute and the previousStartedAt was 5 minutes ago', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(5, 'minutes').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-10m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(10, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(moment.duration(-5, 'minute').asMilliseconds()); @@ -243,10 +148,9 @@ describe('utils', () => { test('it returns a negative gap of 1 minute when "from" overlaps to by 1 minute and the previousStartedAt was 10 minutes ago and so was the interval', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(10, 'minutes').toDate(), - intervalDuration: moment.duration(10, 'minutes'), - from: 'now-11m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(11, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(moment.duration(-1, 'minute').asMilliseconds()); 
@@ -255,10 +159,9 @@ describe('utils', () => { test('it returns a gap of only -30 seconds when the from overlaps with now by 1 minute, the interval is 5 minutes but the previous started is 30 seconds more', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(5, 'minutes').subtract(30, 'seconds').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-6m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(6, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(moment.duration(-30, 'seconds').asMilliseconds()); @@ -267,10 +170,9 @@ describe('utils', () => { test('it returns an exact 0 gap when the from overlaps with now by 1 minute, the interval is 5 minutes but the previous started is one minute late', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(6, 'minutes').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-6m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(6, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(moment.duration(0, 'minute').asMilliseconds()); 
@@ -279,10 +181,9 @@ describe('utils', () => { test('it returns a gap of 30 seconds when the from overlaps with now by 1 minute, the interval is 5 minutes but the previous started is one minute and 30 seconds late', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(6, 'minutes').subtract(30, 'seconds').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-6m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(6, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(moment.duration(30, 'seconds').asMilliseconds()); @@ -291,10 +192,9 @@ describe('utils', () => { test('it returns a gap of 1 minute when the from overlaps with now by 1 minute, the interval is 5 minutes but the previous started is two minutes late', () => { const gap = getGapBetweenRuns({ previousStartedAt: nowDate.clone().subtract(7, 'minutes').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-6m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(6, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap?.asMilliseconds()).not.toBeNull(); expect(gap?.asMilliseconds()).toEqual(moment.duration(1, 'minute').asMilliseconds()); 
@@ -303,37 +203,12 @@ describe('utils', () => { test('it returns 0 if given a previousStartedAt of null', () => { const gap = getGapBetweenRuns({ previousStartedAt: null, - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-5m', - to: 'now', - now: nowDate.clone(), + startedAt: nowDate.clone().toDate(), + originalFrom: nowDate.clone().subtract(5, 'minutes'), + originalTo: nowDate.clone(), }); expect(gap.asMilliseconds()).toEqual(0); }); - - test('it returns the expected result when "from" is an invalid string such as "invalid"', () => { - const gap = getGapBetweenRuns({ - previousStartedAt: nowDate.clone().subtract(7, 'minutes').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'invalid', - to: 'now', - now: nowDate.clone(), - }); - expect(gap?.asMilliseconds()).not.toBeNull(); - expect(gap?.asMilliseconds()).toEqual(moment.duration(1, 'minute').asMilliseconds()); - }); - - test('it returns the expected result when "to" is an invalid string such as "invalid"', () => { - const gap = getGapBetweenRuns({ - previousStartedAt: nowDate.clone().subtract(7, 'minutes').toDate(), - intervalDuration: moment.duration(5, 'minutes'), - from: 'now-6m', - to: 'invalid', - now: nowDate.clone(), - }); - expect(gap?.asMilliseconds()).not.toBeNull(); - expect(gap?.asMilliseconds()).toEqual(moment.duration(1, 'minute').asMilliseconds()); - }); }); describe('errorAggregator', () => { @@ -572,6 +447,7 @@ describe('utils', () => { const { tuples, remainingGap } = getRuleRangeTuples({ logger: mockLogger, previousStartedAt: moment().subtract(30, 's').toDate(), + startedAt: moment().subtract(30, 's').toDate(), interval: '30s', from: 'now-30s', to: 'now', @@ -588,6 +464,7 @@ describe('utils', () => { const { tuples, remainingGap } = getRuleRangeTuples({ logger: mockLogger, previousStartedAt: moment().subtract(30, 's').toDate(), + startedAt: moment().subtract(30, 's').toDate(), interval: 'invalid', from: 'now-30s', to: 'now', 
@@ -604,6 +481,7 @@ describe('utils', () => { const { tuples, remainingGap } = getRuleRangeTuples({ logger: mockLogger, previousStartedAt: moment().subtract(65, 's').toDate(), + startedAt: moment().toDate(), interval: '50s', from: 'now-55s', to: 'now', @@ -619,6 +497,7 @@ describe('utils', () => { const { tuples, remainingGap } = getRuleRangeTuples({ logger: mockLogger, previousStartedAt: moment().subtract(65, 's').toDate(), // 64 is 5 times the interval + lookback, which will trigger max lookback + startedAt: moment().toDate(), interval: '10s', from: 'now-13s', to: 'now', @@ -641,6 +520,7 @@ describe('utils', () => { const { tuples, remainingGap } = getRuleRangeTuples({ logger: mockLogger, previousStartedAt: moment().subtract(-15, 's').toDate(), + startedAt: moment().subtract(-15, 's').toDate(), interval: '10s', from: 'now-13s', to: 'now', diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts index 0a3eda70bbd87..c7145ec27701b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts @@ -16,7 +16,6 @@ import { ALERT_INSTANCE_ID, ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import type { ListArray, ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { MAX_EXCEPTION_LIST_SIZE } from '@kbn/securitysolution-list-constants'; import { hasLargeValueList } from '@kbn/securitysolution-list-utils'; -import { parseScheduleDates } from '@kbn/securitysolution-io-ts-utils'; import { TimestampOverrideOrUndefined, 
@@ -414,46 +413,23 @@ export const parseInterval = (intervalString: string): moment.Duration | null => } }; -export const getDriftTolerance = ({ - from, - to, - intervalDuration, - now = moment(), -}: { - from: string; - to: string; - intervalDuration: moment.Duration; - now?: moment.Moment; -}): moment.Duration => { - const toDate = parseScheduleDates(to) ?? now; - const fromDate = parseScheduleDates(from) ?? dateMath.parse('now-6m'); - const timeSegment = toDate.diff(fromDate); - const duration = moment.duration(timeSegment); - - return duration.subtract(intervalDuration); -}; - export const getGapBetweenRuns = ({ previousStartedAt, - intervalDuration, - from, - to, - now = moment(), + originalFrom, + originalTo, + startedAt, }: { previousStartedAt: Date | undefined | null; - intervalDuration: moment.Duration; - from: string; - to: string; - now?: moment.Moment; + originalFrom: moment.Moment; + originalTo: moment.Moment; + startedAt: Date; }): moment.Duration => { if (previousStartedAt == null) { return moment.duration(0); } - const driftTolerance = getDriftTolerance({ from, to, intervalDuration }); - - const diff = moment.duration(now.diff(previousStartedAt)); - const drift = diff.subtract(intervalDuration); - return drift.subtract(driftTolerance); + const driftTolerance = moment.duration(originalTo.diff(originalFrom)); + const currentDuration = moment.duration(moment(startedAt).diff(previousStartedAt)); + return currentDuration.subtract(driftTolerance); }; export const makeFloatString = (num: number): string => Number(num).toFixed(2); @@ -508,6 +484,7 @@ export const getRuleRangeTuples = ({ interval, maxSignals, buildRuleMessage, + startedAt, }: { logger: Logger; previousStartedAt: Date | null | undefined; 
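Review bot: `getGapBetweenRuns` now has a materially different contract — the tolerance is the rule's own `originalTo - originalFrom` window, subtracted from the wall-clock distance between `previousStartedAt` and `startedAt`, and a negative result is a meaningful overlap rather than an error — but the export carries no doc comment, and the deleted `getDriftTolerance` tests were the only place that relationship was written down. Add a TSDoc above the export along the lines of `/** Time not covered by the previous run: (startedAt - previousStartedAt) minus the rule's own lookback window (originalTo - originalFrom). Negative means the windows overlap; zero when there is no previous run. */`. Since callers must now pass pre-parsed `moment` values for the window, it is also worth stating that `originalFrom`/`originalTo` are expected to have been parsed with `forceNow: startedAt` (as `getRuleRangeTuples` does in the following hunk), otherwise the two clocks in the subtraction disagree.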
@@ -516,9 +493,10 @@ export const getRuleRangeTuples = ({ interval: string; maxSignals: number; buildRuleMessage: BuildRuleMessage; + startedAt: Date; }) => { - const originalTo = dateMath.parse(to); - const originalFrom = dateMath.parse(from); + const originalTo = dateMath.parse(to, { forceNow: startedAt }); + const originalFrom = dateMath.parse(from, { forceNow: startedAt }); if (originalTo == null || originalFrom == null) { throw new Error(buildRuleMessage('dateMath parse failed')); } @@ -534,14 +512,19 @@ export const getRuleRangeTuples = ({ logger.error(`Failed to compute gap between rule runs: could not parse rule interval`); return { tuples, remainingGap: moment.duration(0) }; } - const gap = getGapBetweenRuns({ previousStartedAt, intervalDuration, from, to }); + const gap = getGapBetweenRuns({ + previousStartedAt, + originalTo, + originalFrom, + startedAt, + }); const catchup = getNumCatchupIntervals({ gap, intervalDuration, }); const catchupTuples = getCatchupTuples({ - to: originalTo, - from: originalFrom, + originalTo, + originalFrom, ruleParamsMaxSignals: maxSignals, catchup, intervalDuration, 
@@ -564,22 +547,22 @@ export const getRuleRangeTuples = ({ * @param intervalDuration moment.Duration the interval which the rule runs */ export const getCatchupTuples = ({ - to, - from, + originalTo, + originalFrom, ruleParamsMaxSignals, catchup, intervalDuration, }: { - to: moment.Moment; - from: moment.Moment; + originalTo: moment.Moment; + originalFrom: moment.Moment; ruleParamsMaxSignals: number; catchup: number; intervalDuration: moment.Duration; }): RuleRangeTuple[] => { const catchupTuples: RuleRangeTuple[] = []; const intervalInMilliseconds = intervalDuration.asMilliseconds(); - let currentTo = to; - let currentFrom = from; + let currentTo = originalTo; + let currentFrom = originalFrom; // This loop will create tuples with overlapping time ranges, the same way rule runs have overlapping time // ranges due to the additional lookback. We could choose to create tuples that don't overlap here by using the // "from" value from one tuple as "to" in the next one, however, the overlap matters for rule types like EQL and @@ -719,6 +702,20 @@ export const createSearchAfterReturnTypeFromResponse = ({ }); }; +export interface PreviewReturnType { + totalCount: number; + matrixHistogramData: unknown[]; + errors?: string[] | undefined; + warningMessages?: string[] | undefined; +} + +export const createPreviewReturnType = (): PreviewReturnType => ({ + matrixHistogramData: [], + totalCount: 0, + errors: [], + warningMessages: [], +}); + export const createSearchAfterReturnType = ({ success, warning, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_hits_factory.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_hits_factory.ts index 6f040465389fc..22af4dcdb9f4a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_hits_factory.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_hits_factory.ts 
@@ -5,20 +5,21 @@ * 2.0. */ -import { SearchAfterAndBulkCreateParams, WrapHits, WrappedSignalHit } from './types'; +import { WrapHits, WrappedSignalHit } from './types'; import { generateId } from './utils'; import { buildBulkBody } from './build_bulk_body'; import { filterDuplicateSignals } from './filter_duplicate_signals'; import type { ConfigType } from '../../../config'; +import { CompleteRule, RuleParams } from '../schemas/rule_schemas'; export const wrapHitsFactory = ({ - ruleSO, + completeRule, signalsIndex, mergeStrategy, ignoreFields, }: { - ruleSO: SearchAfterAndBulkCreateParams['ruleSO']; + completeRule: CompleteRule; signalsIndex: string; mergeStrategy: ConfigType['alertMergeStrategy']; ignoreFields: ConfigType['alertIgnoreFields']; @@ -27,15 +28,10 @@ export const wrapHitsFactory = const wrappedDocs: WrappedSignalHit[] = events.flatMap((doc) => [ { _index: signalsIndex, - _id: generateId( - doc._index, - doc._id, - String(doc._version), - ruleSO.attributes.params.ruleId ?? '' - ), - _source: buildBulkBody(ruleSO, doc, mergeStrategy, ignoreFields, buildReasonMessage), + _id: generateId(doc._index, doc._id, String(doc._version), completeRule.alertId ?? ''), + _source: buildBulkBody(completeRule, doc, mergeStrategy, ignoreFields, buildReasonMessage), }, ]); - return filterDuplicateSignals(ruleSO.id, wrappedDocs, false); + return filterDuplicateSignals(completeRule.alertId, wrappedDocs, false); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_sequences_factory.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_sequences_factory.ts index f62992f550787..3b93ae824849a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_sequences_factory.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_sequences_factory.ts 
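Review bot: `RuleParams` is imported together with `CompleteRule` on the new import line, but nothing in the two visible hunks uses it; unless it appears in the lines between the hunks (new lines 26–27 are not shown), reduce it to `import { CompleteRule } from '../schemas/rule_schemas';` so the lint pass does not flag an unused import. The same import line is added in wrap_sequences_factory.ts in the next file, where it likewise appears unused.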
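Review bot: Both the `_id` seed and the duplicate filter now use `completeRule.alertId`, whereas before `generateId` took `ruleSO.attributes.params.ruleId` (the user-facing rule_id) and `filterDuplicateSignals` took `ruleSO.id`; if `alertId` is the saved-object id rather than the rule_id, the same source event now hashes to a different signal `_id` than on earlier versions, so an already-written signal can be re-created once in the lookback overlap after upgrade and any stored references to existing signal ids would no longer match. Please confirm this is intended, or keep the rule_id as the `generateId` input. Separately, `completeRule.alertId ?? ''` implies `alertId` may be undefined, yet it is passed unguarded to `filterDuplicateSignals` on the next line; if `CompleteRule.alertId` is a required `string` the `?? ''` is dead and should go, otherwise the filter call needs the same fallback.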
@@ -5,18 +5,19 @@ * 2.0. */ -import { SearchAfterAndBulkCreateParams, WrappedSignalHit, WrapSequences } from './types'; +import { WrappedSignalHit, WrapSequences } from './types'; import { buildSignalGroupFromSequence } from './build_bulk_body'; import { ConfigType } from '../../../config'; +import { CompleteRule, RuleParams } from '../schemas/rule_schemas'; export const wrapSequencesFactory = ({ - ruleSO, + completeRule, signalsIndex, mergeStrategy, ignoreFields, }: { - ruleSO: SearchAfterAndBulkCreateParams['ruleSO']; + completeRule: CompleteRule; signalsIndex: string; mergeStrategy: ConfigType['alertMergeStrategy']; ignoreFields: ConfigType['alertIgnoreFields']; @@ -27,7 +28,7 @@ export const wrapSequencesFactory = ...acc, ...buildSignalGroupFromSequence( sequence, - ruleSO, + completeRule, signalsIndex, mergeStrategy, ignoreFields, diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index f2aa4927a7688..14cf6f0a48799 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -176,6 +176,14 @@ export class Plugin implements ISecuritySolutionPlugin { const { ruleDataService } = plugins.ruleRegistry; let ruleDataClient: IRuleDataClient | null = null; + // rule options are used both to create and preview rules. + const ruleOptions: CreateRuleOptions = { + experimentalFeatures, + logger: this.logger, + ml: plugins.ml, + version: pluginContext.env.packageInfo.version, + }; + if (isRuleRegistryEnabled) { // NOTE: this is not used yet // TODO: convert the aliases to FieldMaps. Requires enhancing FieldMap to support alias path. 
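Review bot: The hoisted `ruleOptions` passes `logger: this.logger`, whereas the block it replaces (removed in the next hunk) passed the local `logger`; if that local is not the same instance as `this.logger`, the rule types now log through a different logger than before. The hunk does not show where `logger` is bound, so this is worth a quick check; if they are the same object, using `logger` here as the `initRoutes(..., logger, ...)` call below does would keep the two consistent. The enclosing method begins and ends outside the hunk.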
@@ -203,14 +211,6 @@ export class Plugin implements ISecuritySolutionPlugin { secondaryAlias: config.signalsIndex, }); - // Register rule types via rule-registry - const createRuleOptions: CreateRuleOptions = { - experimentalFeatures, - logger, - ml: plugins.ml, - version: pluginContext.env.packageInfo.version, - }; - const securityRuleTypeWrapper = createSecurityRuleTypeWrapper({ lists: plugins.lists, logger: this.logger, @@ -219,17 +219,13 @@ export class Plugin implements ISecuritySolutionPlugin { eventLogService, }); - plugins.alerting.registerType(securityRuleTypeWrapper(createEqlAlertType(createRuleOptions))); - plugins.alerting.registerType( - securityRuleTypeWrapper(createIndicatorMatchAlertType(createRuleOptions)) - ); - plugins.alerting.registerType(securityRuleTypeWrapper(createMlAlertType(createRuleOptions))); - plugins.alerting.registerType( - securityRuleTypeWrapper(createQueryAlertType(createRuleOptions)) - ); + plugins.alerting.registerType(securityRuleTypeWrapper(createEqlAlertType(ruleOptions))); plugins.alerting.registerType( - securityRuleTypeWrapper(createThresholdAlertType(createRuleOptions)) + securityRuleTypeWrapper(createIndicatorMatchAlertType(ruleOptions)) ); + plugins.alerting.registerType(securityRuleTypeWrapper(createMlAlertType(ruleOptions))); + plugins.alerting.registerType(securityRuleTypeWrapper(createQueryAlertType(ruleOptions))); + plugins.alerting.registerType(securityRuleTypeWrapper(createThresholdAlertType(ruleOptions))); } // TODO We need to get the endpoint routes inside of initRoutes @@ -240,7 +236,8 @@ export class Plugin implements ISecuritySolutionPlugin { plugins.security, plugins.ml, logger, - isRuleRegistryEnabled + isRuleRegistryEnabled, + ruleOptions ); registerEndpointRoutes(router, endpointContext); registerLimitedConcurrencyRoutes(core); diff --git a/x-pack/plugins/security_solution/server/routes/index.ts b/x-pack/plugins/security_solution/server/routes/index.ts index 9d31684907f86..26dbd80a03db4 100644 
--- a/x-pack/plugins/security_solution/server/routes/index.ts +++ b/x-pack/plugins/security_solution/server/routes/index.ts @@ -6,7 +6,6 @@ */ import { Logger } from 'src/core/server'; - import { SecuritySolutionPluginRouter } from '../types'; import { createRulesRoute } from '../lib/detection_engine/routes/rules/create_rules_route'; @@ -57,8 +56,11 @@ import { persistPinnedEventRoute } from '../lib/timeline/routes/pinned_events'; import { SetupPlugins } from '../plugin'; import { ConfigType } from '../config'; import { installPrepackedTimelinesRoute } from '../lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines'; +import { previewRulesRoute } from '../lib/detection_engine/routes/rules/preview_rules_route'; +import { CreateRuleOptions } from '../lib/detection_engine/rule_types/types'; // eslint-disable-next-line no-restricted-imports import { legacyCreateLegacyNotificationRoute } from '../lib/detection_engine/routes/rules/legacy_create_legacy_notification'; +import { createPreviewIndexRoute } from '../lib/detection_engine/routes/index/create_preview_index_route'; export const initRoutes = ( router: SecuritySolutionPluginRouter, @@ -67,7 +69,8 @@ export const initRoutes = ( security: SetupPlugins['security'], ml: SetupPlugins['ml'], logger: Logger, - isRuleRegistryEnabled: boolean + isRuleRegistryEnabled: boolean, + ruleOptions: CreateRuleOptions ) => { // Detection Engine Rule routes that have the REST endpoints of /api/detection_engine/rules // All REST rule creation, deletion, updating, etc...... @@ -77,6 +80,7 @@ export const initRoutes = ( patchRulesRoute(router, ml, isRuleRegistryEnabled); deleteRulesRoute(router, isRuleRegistryEnabled); findRulesRoute(router, logger, isRuleRegistryEnabled); + previewRulesRoute(router, config, ml, security, ruleOptions); // Once we no longer have the legacy notifications system/"side car actions" this should be removed. legacyCreateLegacyNotificationRoute(router, logger); 
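Review bot: `previewRulesRoute(router, config, ml, security, ruleOptions)` is the only rule route in this group that is not handed `isRuleRegistryEnabled`, while the neighbouring `patchRulesRoute`, `deleteRulesRoute` and `findRulesRoute` all receive it; if preview executes the rule types built from `ruleOptions`, which the plugin registers only when that flag is on, the route should either take the flag and reject when it is off, or its registration should sit under the same condition. If the preview path is intentionally flag-independent, a comment saying so next to the call would settle the question for the next reader. The new `ruleOptions: CreateRuleOptions` parameter of `initRoutes` in the preceding hunk is also undocumented; `/** options shared by the registered rule types and the preview route */` above the signature would do.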
@@ -129,6 +133,9 @@ export const initRoutes = ( readIndexRoute(router, config); deleteIndexRoute(router); + // Detection Engine Preview Index /api/detection_engine/preview/index + createPreviewIndexRoute(router); + // Detection Engine tags routes that have the REST endpoints of /api/detection_engine/tags readTagsRoute(router, isRuleRegistryEnabled); diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index c54512203677d..d4193453afb4f 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -18033,7 +18033,6 @@ "xpack.monitoring.elasticsearch.shardActivity.totalTimeTooltip": "開始:{startTime}", "xpack.monitoring.elasticsearch.shardActivity.unknownTargetAddressContent": "不明", "xpack.monitoring.elasticsearch.shardActivityTitle": "シャードアクティビティ", - "xpack.monitoring.elasticsearch.shardAllocation.clusterViewDisplayName": "ClusterView", "xpack.monitoring.elasticsearch.shardAllocation.decorateShards.relocatingFromTextMessage": "{nodeName} から移動しています", "xpack.monitoring.elasticsearch.shardAllocation.decorateShards.relocatingToTextMessage": "{nodeName} に移動しています", "xpack.monitoring.elasticsearch.shardAllocation.initializingLabel": "初期化中", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index fbc65161a47f8..0cc687b17fcd2 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json 
@@ -18308,7 +18308,6 @@ "xpack.monitoring.elasticsearch.shardActivity.totalTimeTooltip": "已启动:{startTime}", "xpack.monitoring.elasticsearch.shardActivity.unknownTargetAddressContent": "未知", "xpack.monitoring.elasticsearch.shardActivityTitle": "分片活动", - "xpack.monitoring.elasticsearch.shardAllocation.clusterViewDisplayName": "ClusterView", "xpack.monitoring.elasticsearch.shardAllocation.decorateShards.relocatingFromTextMessage": "正在从 {nodeName} 迁移", "xpack.monitoring.elasticsearch.shardAllocation.decorateShards.relocatingToTextMessage": "正在迁移至 {nodeName}", "xpack.monitoring.elasticsearch.shardAllocation.initializingLabel": "正在初始化", diff --git a/x-pack/plugins/uptime/e2e/config.ts b/x-pack/plugins/uptime/e2e/config.ts index c5d573afccd96..d2c7a691e0a49 100644 --- a/x-pack/plugins/uptime/e2e/config.ts +++ b/x-pack/plugins/uptime/e2e/config.ts @@ -43,7 +43,6 @@ async function config({ readConfigFile }: FtrConfigProviderContext) { `--uiSettings.overrides.theme:darkMode=true`, `--elasticsearch.username=kibana_system`, `--elasticsearch.password=changeme`, - '--migrations.enableV2=false', '--xpack.reporting.enabled=false', ], }, diff --git a/x-pack/test/api_integration/apis/metrics_ui/constants.ts b/x-pack/test/api_integration/apis/metrics_ui/constants.ts index 2ca89f2f9ab87..90db71ae08130 100644 --- a/x-pack/test/api_integration/apis/metrics_ui/constants.ts +++ b/x-pack/test/api_integration/apis/metrics_ui/constants.ts @@ -39,4 +39,8 @@ export const DATES = { max: 1609545900000, // '2021-01-02T00:05:00Z' }, }, + ten_thousand_plus: { + min: 1634604480001, // 2021-10-19T00:48:00.001Z + max: 1634604839997, // 2021-10-19T00:53:59.997Z + }, }; diff --git a/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts b/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts index 66c40e2e6e92d..880d73a236c3b 100644 --- a/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts 
+++ b/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts 
@@ -81,10 +81,95 @@ export default function ({ getService }: FtrProviderContext) { }; describe('Metric Threshold Alerts Executor', () => { - before(() => esArchiver.load('x-pack/test/functional/es_archives/infra/alerts_test_data')); - after(() => esArchiver.unload('x-pack/test/functional/es_archives/infra/alerts_test_data')); - + describe('with 10K plus docs', () => { + before(() => esArchiver.load('x-pack/test/functional/es_archives/infra/ten_thousand_plus')); + after(() => esArchiver.unload('x-pack/test/functional/es_archives/infra/ten_thousand_plus')); + describe('without group by', () => { + it('should alert on document count', async () => { + const params = { + ...baseParams, + criteria: [ + { + timeSize: 5, + timeUnit: 'm', + threshold: [10000], + comparator: Comparator.LT_OR_EQ, + aggType: Aggregators.COUNT, + } as CountMetricExpressionParams, + ], + }; + const config = { + ...configuration, + metricAlias: 'filebeat-*', + }; + const timeFrame = { end: DATES.ten_thousand_plus.max }; + const results = await evaluateAlert(esClient, params, config, [], timeFrame); + expect(results).to.eql([ + { + '*': { + timeSize: 5, + timeUnit: 'm', + threshold: [10000], + comparator: '<=', + aggType: 'count', + metric: 'Document count', + currentValue: 20895, + timestamp: '2021-10-19T00:48:59.997Z', + shouldFire: [false], + shouldWarn: [false], + isNoData: [false], + isError: false, + }, + }, + ]); + }); + }); + describe('with group by', () => { + it('should alert on document count', async () => { + const params = { + ...baseParams, + groupBy: ['event.category'], + criteria: [ + { + timeSize: 5, + timeUnit: 'm', + threshold: [10000], + comparator: Comparator.LT_OR_EQ, + aggType: Aggregators.COUNT, + } as CountMetricExpressionParams, + ], + }; + const config = { + ...configuration, + metricAlias: 'filebeat-*', + }; + const timeFrame = { end: DATES.ten_thousand_plus.max }; + const results = await evaluateAlert(esClient, params, config, [], timeFrame); + expect(results).to.eql([ 
+ { + web: { + timeSize: 5, + timeUnit: 'm', + threshold: [10000], + comparator: '<=', + aggType: 'count', + metric: 'Document count', + currentValue: 20895, + timestamp: '2021-10-19T00:48:59.997Z', + shouldFire: [false], + shouldWarn: [false], + isNoData: [false], + isError: false, + }, + }, + ]); + }); + }); + }); describe('with gauge data', () => { + before(() => esArchiver.load('x-pack/test/functional/es_archives/infra/alerts_test_data')); + after(() => esArchiver.unload('x-pack/test/functional/es_archives/infra/alerts_test_data')); + describe('without groupBy', () => { it('should alert on document count', async () => { const params = { @@ -285,6 +370,8 @@ export default function ({ getService }: FtrProviderContext) { }); describe('with rate data', () => { + before(() => esArchiver.load('x-pack/test/functional/es_archives/infra/alerts_test_data')); + after(() => esArchiver.unload('x-pack/test/functional/es_archives/infra/alerts_test_data')); describe('without groupBy', () => { it('should alert on rate', async () => { const params = { diff --git a/x-pack/test/api_integration/apis/telemetry/telemetry.ts b/x-pack/test/api_integration/apis/telemetry/telemetry.ts index c5b8b40368302..527d755123f26 100644 --- a/x-pack/test/api_integration/apis/telemetry/telemetry.ts +++ b/x-pack/test/api_integration/apis/telemetry/telemetry.ts @@ -19,6 +19,7 @@ import monitoringRootTelemetrySchema from '../../../../plugins/telemetry_collect import ossPluginsTelemetrySchema from '../../../../../src/plugins/telemetry/schema/oss_plugins.json'; import xpackPluginsTelemetrySchema from '../../../../plugins/telemetry_collection_xpack/schema/xpack_plugins.json'; import { assertTelemetryPayload } from '../../../../../test/api_integration/apis/telemetry/utils'; +import type { UnencryptedTelemetryPayload } from '../../../../../src/plugins/telemetry/common/types'; /** * Update the .monitoring-* documents loaded via the archiver to the recent `timestamp` 
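Review bot: The two new `it('should alert on document count')` cases under 'with 10K plus docs' duplicate the entire expected-result object, differing only in the group key (`'*'` vs `web`) and the `groupBy: ['event.category']` param, so a fixture change (e.g. `currentValue: 20895` or the `timestamp`) must be made twice and the two cases can drift. A small builder taking the group key keeps a single copy of the expectation; the `as CountMetricExpressionParams` assertion on the criteria entry could likewise give way to annotating `criteria` so the compiler checks the literal instead of trusting it. The `describe('Metric Threshold Alerts Executor')` callback this sits in ends outside the hunk.
```typescript
// one expected result for the document-count cases; only the group key differs
const expectedDocCountResult = (groupKey: string) => [
  {
    [groupKey]: {
      timeSize: 5,
      timeUnit: 'm',
      threshold: [10000],
      comparator: '<=',
      aggType: 'count',
      metric: 'Document count',
      currentValue: 20895,
      timestamp: '2021-10-19T00:48:59.997Z',
      shouldFire: [false],
      shouldWarn: [false],
      isNoData: [false],
      isError: false,
    },
  },
];
// … unchanged: params/config/timeFrame setup of the 'without group by' case …
expect(results).to.eql(expectedDocCountResult('*'));
// … unchanged: params/config/timeFrame setup of the 'with group by' case …
expect(results).to.eql(expectedDocCountResult('web'));
```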
@@ -92,15 +93,16 @@ export default function ({ getService }: FtrProviderContext) { await esArchiver.load(archive); await updateMonitoringDates(esSupertest, fromTimestamp, toTimestamp, timestamp); - const { body } = await supertest + const { body }: { body: UnencryptedTelemetryPayload } = await supertest .post('/api/telemetry/v2/clusters/_stats') .set('kbn-xsrf', 'xxx') .send({ unencrypted: true }) .expect(200); expect(body.length).to.be.greaterThan(1); - localXPack = body.shift(); - monitoring = body; + const telemetryStats = body.map(({ stats }) => stats); + localXPack = telemetryStats.shift() as Record; + monitoring = telemetryStats as Array>; }); after(() => esArchiver.unload(archive)); @@ -142,15 +144,17 @@ export default function ({ getService }: FtrProviderContext) { }); after(() => esArchiver.unload(archive)); it('should load non-expiring basic cluster', async () => { - const { body } = await supertest + const { body }: { body: UnencryptedTelemetryPayload } = await supertest .post('/api/telemetry/v2/clusters/_stats') .set('kbn-xsrf', 'xxx') .send({ unencrypted: true }) .expect(200); expect(body).length(2); - const [localXPack, ...monitoring] = body; - expect(localXPack.collectionSource).to.eql('local_xpack'); + const telemetryStats = body.map(({ stats }) => stats); + + const [localXPack, ...monitoring] = telemetryStats; + expect((localXPack as Record).collectionSource).to.eql('local_xpack'); expect(monitoring).to.eql(basicClusterFixture.map((item) => ({ ...item, timestamp }))); }); }); diff --git a/x-pack/test/api_integration/apis/telemetry/telemetry_local.ts b/x-pack/test/api_integration/apis/telemetry/telemetry_local.ts index 508a6584e9246..e34e0fff25888 100644 --- a/x-pack/test/api_integration/apis/telemetry/telemetry_local.ts +++ b/x-pack/test/api_integration/apis/telemetry/telemetry_local.ts 
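Review bot: `telemetryStats.shift() as Record<…>` and `telemetryStats as Array<…>` (the type arguments appear to have been lost in this rendering) cast the result of `body.map(({ stats }) => stats)` instead of letting the new `UnencryptedTelemetryPayload` annotation flow through; if `stats` is typed loosely in that payload, the assertions hide it rather than fix it, and the second hunk repeats the pattern as `(localXPack as Record<…>).collectionSource`. Consider giving the `stats` element a precise type in `UnencryptedTelemetryPayload`, or declaring `localXPack`/`monitoring` with the narrower type once and narrowing through a small type guard, so the test fails on a shape change rather than on a property read. Both hunks sit inside `describe` callbacks whose boundaries lie outside the diff.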
@@ -47,7 +47,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(200); expect(body.length).to.be(1); - stats = body[0]; + stats = body[0].stats; }); it('should pass the schema validation', () => { diff --git a/x-pack/test/apm_api_integration/configs/index.ts b/x-pack/test/apm_api_integration/configs/index.ts index ad1f897debe32..3bc03eb5b4259 100644 --- a/x-pack/test/apm_api_integration/configs/index.ts +++ b/x-pack/test/apm_api_integration/configs/index.ts @@ -11,22 +11,13 @@ import { createTestConfig, CreateTestConfig } from '../common/config'; const apmFtrConfigs = { basic: { license: 'basic' as const, - kibanaConfig: { - // disable v2 migrations to prevent issue where kibana index is deleted - // during a migration - 'migrations.enableV2': 'false', - }, }, trial: { license: 'trial' as const, - kibanaConfig: { - 'migrations.enableV2': 'false', - }, }, rules: { license: 'trial' as const, kibanaConfig: { - 'migrations.enableV2': 'false', 'xpack.ruleRegistry.write.enabled': 'true', }, }, diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts index c78ef18635de7..b495df7570d38 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts @@ -162,7 +162,6 @@ export default ({ getService }: FtrProviderContext) => { enabled: true, created_by: 'elastic', updated_by: 'elastic', - throttle: null, description: 'Test ML rule description', risk_score: 50, severity: 'critical', diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts index c954d8aa5721d..b3f89d206bd46 100644 
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts @@ -235,7 +235,7 @@ export default ({ getService }: FtrProviderContext) => { parents: [ { rule: signalNoRule.parents[0].rule, // rule id is always changing so skip testing it - id: '82421e2f4e96058baaa2ed87abbe565403b45edf36348c2b79a4f0e8cc1cd055', + id: signalNoRule.parents[0].id, // id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, @@ -250,7 +250,7 @@ export default ({ getService }: FtrProviderContext) => { }, { rule: signalNoRule.ancestors[1].rule, // rule id is always changing so skip testing it - id: '82421e2f4e96058baaa2ed87abbe565403b45edf36348c2b79a4f0e8cc1cd055', + id: signalNoRule.ancestors[1].id, // id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, @@ -260,7 +260,7 @@ export default ({ getService }: FtrProviderContext) => { depth: 2, parent: { rule: signalNoRule.parent?.rule, // parent.rule is always changing so skip testing it - id: '82421e2f4e96058baaa2ed87abbe565403b45edf36348c2b79a4f0e8cc1cd055', + id: signalNoRule.parent?.id, // parent.id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, @@ -1248,7 +1248,7 @@ export default ({ getService }: FtrProviderContext) => { parents: [ { rule: signalNoRule.parents[0].rule, // rule id is always changing so skip testing it - id: 'c4db4921f2d9152865fd6518c2a2ef3471738e49f607a21319048c69a303f83f', + id: signalNoRule.parents[0].id, // id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, 
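Review bot: Replacing the literal hashes with `signalNoRule.parents[0].id`, `signalNoRule.ancestors[1].id` and `signalNoRule.parent?.id` makes each `id` expectation compare a field with itself, so the assertions now accept any value, including `undefined` for the `parent?.id` form; the `@@ -250` and `@@ -260` hunks here and the `@@ -1248`, `@@ -1263`, `@@ -1273`, `@@ -1408`, `@@ -1423` and `@@ -1433` hunks on the next lines do the same. If the ids are only unstable because they are hashes of run-specific inputs, keep a shape check beside each `eql`, e.g. `expect(signalNoRule.parents[0].id).to.match(/^[a-f0-9]{64}$/);`, which matches the format of the values being removed. The surrounding test callbacks begin and end outside the hunks.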
@@ -1263,7 +1263,7 @@ export default ({ getService }: FtrProviderContext) => { }, { rule: signalNoRule.ancestors[1].rule, // rule id is always changing so skip testing it - id: 'c4db4921f2d9152865fd6518c2a2ef3471738e49f607a21319048c69a303f83f', + id: signalNoRule.ancestors[1].id, // id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, @@ -1273,7 +1273,7 @@ export default ({ getService }: FtrProviderContext) => { depth: 2, parent: { rule: signalNoRule.parent?.rule, // parent.rule is always changing so skip testing it - id: 'c4db4921f2d9152865fd6518c2a2ef3471738e49f607a21319048c69a303f83f', + id: signalNoRule.parent?.id, // parent.id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, @@ -1408,7 +1408,7 @@ export default ({ getService }: FtrProviderContext) => { parents: [ { rule: signalNoRule.parents[0].rule, // rule id is always changing so skip testing it - id: '0733d5d2eaed77410a65eec95cfb2df099abc97289b78e2b0b406130e2dbdb33', + id: signalNoRule.parents[0].id, // id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, @@ -1423,7 +1423,7 @@ export default ({ getService }: FtrProviderContext) => { }, { rule: signalNoRule.ancestors[1].rule, // rule id is always changing so skip testing it - id: '0733d5d2eaed77410a65eec95cfb2df099abc97289b78e2b0b406130e2dbdb33', + id: signalNoRule.ancestors[1].id, // id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, @@ -1433,7 +1433,7 @@ export default ({ getService }: FtrProviderContext) => { depth: 2, parent: { rule: signalNoRule.parent?.rule, // parent.rule is always changing so skip testing it - id: '0733d5d2eaed77410a65eec95cfb2df099abc97289b78e2b0b406130e2dbdb33', + id: signalNoRule.parent?.id, // parent.id is always changing so skip testing it type: 'signal', index: '.siem-signals-default-000001', depth: 1, 
diff --git a/x-pack/test/fleet_api_integration/apis/fleet_telemetry.ts b/x-pack/test/fleet_api_integration/apis/fleet_telemetry.ts index ed79d7200c4ed..0d8f38c55c7f8 100644 --- a/x-pack/test/fleet_api_integration/apis/fleet_telemetry.ts +++ b/x-pack/test/fleet_api_integration/apis/fleet_telemetry.ts @@ -107,7 +107,7 @@ export default function (providerContext: FtrProviderContext) { it('should return the correct telemetry values for fleet', async () => { const { - body: [apiResponse], + body: [{ stats: apiResponse }], } = await supertest .post(`/api/telemetry/v2/clusters/_stats`) .set('kbn-xsrf', 'xxxx') diff --git a/x-pack/test/functional/apps/infra/logs_source_configuration.ts b/x-pack/test/functional/apps/infra/logs_source_configuration.ts index dcbe30864640b..34a50530df993 100644 --- a/x-pack/test/functional/apps/infra/logs_source_configuration.ts +++ b/x-pack/test/functional/apps/infra/logs_source_configuration.ts @@ -113,7 +113,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { await logsUi.logStreamPage.getStreamEntries(); - const resp = await supertest + const [{ stats }] = await supertest .post(`/api/telemetry/v2/clusters/_stats`) .set(COMMON_REQUEST_HEADERS) .set('Accept', 'application/json') @@ -123,9 +123,9 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { .expect(200) .then((res: any) => res.body); - expect( - resp[0].stack_stats.kibana.plugins.infraops.last_24_hours.hits.logs - ).to.be.greaterThan(0); + expect(stats.stack_stats.kibana.plugins.infraops.last_24_hours.hits.logs).to.be.greaterThan( + 0 + ); }); it('can change the log columns', async () => { diff --git a/x-pack/test/functional/es_archives/infra/ten_thousand_plus/data.json.gz b/x-pack/test/functional/es_archives/infra/ten_thousand_plus/data.json.gz new file mode 100644 index 0000000000000..d407dbea7cdcb Binary files /dev/null and b/x-pack/test/functional/es_archives/infra/ten_thousand_plus/data.json.gz differ 
diff --git a/x-pack/test/functional/es_archives/infra/ten_thousand_plus/mappings.json b/x-pack/test/functional/es_archives/infra/ten_thousand_plus/mappings.json
new file mode 100644
index 0000000000000..3a29ce69921ed
--- /dev/null
+++ b/x-pack/test/functional/es_archives/infra/ten_thousand_plus/mappings.json
@@ -0,0 +1,21724 @@ +{ + "type": "index", + "value": { + "aliases": { + }, + "index": "filebeat-2021-10-18", + "mappings": { + "_meta": { + "beat": "filebeat", + "version": "8.0.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kubernetes.labels.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.labels.*" + } + }, + { + "kubernetes.annotations.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.annotations.*" + } + }, + { + "docker.attrs": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.attrs.*" + } + }, + { + "azure.activitylogs.identity.claims.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "azure.activitylogs.identity.claims.*" + } + }, + { + "kibana.log.meta": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "kibana.log.meta.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activemq": { + "properties": { + "audit": { + "type": "object" + }, + "caller": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "path": "agent.name", + "type": "alias" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "apache": { + "properties": { + "access": { + "properties": { + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "error": { + "properties": { + "module": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "apache2": { + "properties": { + "access": { + "properties": { + "geoip": { + "type": "object" + }, + "http_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_code": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "type": "object" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "type": "object" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "auditd": { + "properties": { + "log": { + "properties": { + "a0": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "geoip": { + "type": "object" + }, + "item": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "items": { + "ignore_above": 1024, + "type": "keyword" + }, + "laddr": { + "type": "ip" + }, + "lport": { + "type": "long" + }, + "new_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "rport": { + "type": "long" + }, + "sequence": { + "type": "long" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "aws": { + "properties": { + "cloudtrail": { + "properties": { + "additional_eventdata": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "console_login": { + "properties": { + "additional_eventdata": { + "properties": { + "login_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mfa_used": { + "type": "boolean" + }, + "mobile_version": { + "type": "boolean" + } + } + } + } + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "flattened": { + "properties": { + "additional_eventdata": { + "type": "flattened" + }, + "request_parameters": { + "type": "flattened" + }, + "response_elements": { + "type": "flattened" + }, + "service_event_details": { + "type": "flattened" + } + } + }, + "management_event": { + "ignore_above": 1024, + "type": "keyword" + }, + "read_only": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_parameters": { + "fields": { + "text": { + 
"norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response_elements": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "service_event_details": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "shared_event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_identity": { + "properties": { + "access_key_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "invoked_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_context": { + "properties": { + "creation_date": { + "type": "date" + }, + "mfa_authenticated": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_issuer": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc_endpoint_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloudwatch": { + "properties": { + "message": { + "norms": false, + "type": "text" + } + } + }, + "ec2": { + "properties": { + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elb": { + "properties": { + "action_executed": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend": { + "properties": { + "http": { + "properties": { + "response": { + "properties": { + "status_code": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "backend_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "chosen_cert": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "connection_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "error": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incoming_tls_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "listener": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "response_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "ssl_cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_group": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tls_handshake_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "tls_named_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "s3access": { + "properties": { + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket_owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_sent": { + "type": 
"long" + }, + "cipher_suite": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_header": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_size": { + "type": "long" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "requester": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_time": { + "type": "long" + }, + "turn_around_time": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpcflow": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "pkt_dstaddr": { + "type": "ip" + }, + "pkt_srcaddr": { + "type": "ip" + }, + "subnet_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "awscloudwatch": { + "properties": { + 
"ingestion_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_stream": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "azure": { + "properties": { + "activitylogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "authorization": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_definition_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "claims": { + "properties": { + "*": { + "type": "object" + } + } + }, + "claims_initiated_by_user": { + "properties": { + "fullname": { + "ignore_above": 1024, + "type": "keyword" + }, + "givenname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "surname": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "service_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auditlogs": { + "properties": { + 
"category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "activity_datetime": { + "type": "date" + }, + "activity_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "properties": { + "app": { + "properties": { + "appId": { + "ignore_above": 1024, + "type": "keyword" + }, + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "logged_by_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_resources": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_properties": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "consumer_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "enqueued_time": { + "type": "date" + }, + "eventhub": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "partition_id": { + "type": "long" + }, + "resource": { + "properties": { + "authorization_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence_number": { + "type": "long" + }, + "signinlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "app_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_app_used": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditional_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + 
"device_detail": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operating_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "trust_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_interactive": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "processing_time_ms": { + "type": "float" + }, + "resource_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_aggregated": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_during_signin": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "error_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "token_issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "token_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subscription_id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bucket_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cef": { + "properties": { + "device": { + "properties": { + "event_class_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extensions": { + "properties": { + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentAddress": { + "type": "ip" + }, + "agentDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentReceiptTime": { + "type": "date" + }, + "agentTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedAddress": { + "type": "ip" + }, + "agentTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentType": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "applicationProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "baseEventCount": { + "type": "long" + }, + "bytesIn": { + "type": "long" + }, + "bytesOut": { + "type": "long" + }, + "categoryBehavior": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceGroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceType": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"categoryObject": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryOutcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "categorySignificance": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryTechnique": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationAddress": { + "type": "ip" + }, + "destinationDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationGeoLatitude": { + "type": "double" + }, + "destinationGeoLongitude": { + "type": "double" + }, + "destinationHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationPort": { + "type": "long" + }, + "destinationProcessId": { + "type": "long" + }, + "destinationProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedAddress": { + "type": "ip" + }, + "destinationTranslatedPort": { + "type": "long" + }, + "destinationTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceAction": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "deviceAddress": { + "type": "ip" + }, + "deviceCustomDate1": { + "type": "date" + }, + "deviceCustomDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomDate2": { + "type": "date" + }, + "deviceCustomDate2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint1": { + "type": "double" + }, + "deviceCustomFloatingPoint1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint2": { + "type": "double" + }, + "deviceCustomFloatingPoint2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint3": { + "type": "double" + }, + "deviceCustomFloatingPoint3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint4": { + "type": "double" + }, + "deviceCustomFloatingPoint4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address1": { + "type": "ip" + }, + "deviceCustomIPv6Address1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address2": { + "type": "ip" + }, + "deviceCustomIPv6Address2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address3": { + "type": "ip" + }, + "deviceCustomIPv6Address3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address4": { + "type": "ip" + }, + "deviceCustomIPv6Address4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber1": { + "type": "long" + }, + "deviceCustomNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber2": { + "type": "long" + }, + "deviceCustomNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber3": { + "type": "long" + }, + "deviceCustomNumber3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString1": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString1Label": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "deviceCustomString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceDirection": { + "type": "long" + }, + "deviceDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceEventCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceExternalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFacility": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber1": { + "type": "long" + }, + "deviceFlexNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber2": { + "type": "long" + }, + "deviceFlexNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceInboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceOutboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "devicePayloadId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceProcessId": { + "type": "long" + }, + "deviceProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceReceiptTime": { + "type": 
"date" + }, + "deviceTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedAddress": { + "type": "ip" + }, + "deviceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "endTime": { + "type": "date" + }, + "eventId": { + "type": "long" + }, + "eventOutcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "externalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileCreateTime": { + "type": "date" + }, + "fileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileModificationTime": { + "type": "date" + }, + "filePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileSize": { + "type": "long" + }, + "fileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexDate1": { + "type": "date" + }, + "flexDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "ifname": { + "ignore_above": 1024, + "type": "keyword" + }, + "inzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "loguid": { + "ignore_above": 1024, + "type": "keyword" + }, + "managerReceiptTime": { + "type": 
"date" + }, + "match_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileCreateTime": { + "type": "date" + }, + "oldFileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileModificationTime": { + "type": "date" + }, + "oldFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileSize": { + "type": "long" + }, + "oldFileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "ignore_above": 1024, + "type": "keyword" + }, + "originsicname": { + "ignore_above": 1024, + "type": "keyword" + }, + "outzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawEvent": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestClientApplication": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestContext": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestCookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestMethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequencenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceAddress": { + "type": "ip" + }, + "sourceDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceGeoLatitude": { + 
"type": "double" + }, + "sourceGeoLongitude": { + "type": "double" + }, + "sourceHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourcePort": { + "type": "long" + }, + "sourceProcessId": { + "type": "long" + }, + "sourceProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedAddress": { + "type": "ip" + }, + "sourceTranslatedPort": { + "type": "long" + }, + "sourceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "transportProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "type": "long" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "checkpoint": { + "properties": { + "action_reason": { + "type": "long" + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocated_ports": { + "type": "long" + }, + "analyzed_on": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "answer_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "anti_virus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "type": "long" + }, + "app_package": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_repackaged": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sid_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "appi_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "arrival_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "attachments_num": { + "type": "long" + }, + "attack_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "authority_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "authorization": { + "ignore_above": 1024, + "type": "keyword" + }, + "bcc": { + "ignore_above": 1024, + "type": "keyword" + }, + "blade_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "broker_publisher": { + "type": "ip" + }, + "browse_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_bytes": { + "type": "long" + }, + "calc_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "capacity": { + "type": "long" + }, + "capture_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_resource": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "certificate_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "cgnet": { + "ignore_above": 1024, + "type": "keyword" + }, + "chunk_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence_level": { + "type": "long" + }, + "connection_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "conns_amount": { + "type": "long" + }, + "content_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_risk": { + "type": "long" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_num": { + "type": "long" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieI": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieR": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_message": { + "type": "long" + }, + "cvpn_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvpn_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce-rpc_interface_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_object": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "detected_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "developer_certificate_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "diameter_app_ID": { + "type": "long" + }, + "diameter_cmd_code": { + "type": "long" + }, + "diameter_msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_action_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_additional_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_files_number": { + "type": "long" + }, + "dlp_fingerprint_long_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_short_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_recipients": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_related_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_relevant_data_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_directories_number": { + "type": "long" + }, + "dlp_repository_files_number": { + "type": "long" + }, + "dlp_repository_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_not_scanned_directories_percentage": { + "type": "long" + }, + "dlp_repository_reached_directories_number": { + "type": "long" + }, + "dlp_repository_root_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_scan_progress": { + "type": "long" + }, + "dlp_repository_scanned_directories_number": { + "type": "long" + }, + "dlp_repository_scanned_files_number": { + "type": "long" + }, + "dlp_repository_scanned_total_size": { + "type": "long" + }, + "dlp_repository_skipped_files_number": { + 
"type": "long" + }, + "dlp_repository_total_size": { + "type": "long" + }, + "dlp_repository_unreachable_directories_number": { + "type": "long" + }, + "dlp_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_template_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_transint": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_violation_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_watermark_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_word_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "drop_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_incoming": { + "type": "long" + }, + "dropped_outgoing": { + "type": "long" + }, + "dropped_total": { + "type": "long" + }, + "drops_amount": { + "type": "long" + }, + "dst_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstkeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duplicate": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control_analysis": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_headers": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "email_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_recipients_num": { + "type": "long" + }, + "email_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spam_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "emulated_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "encryption_failure": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_user_firewall_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_associated_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_noncompliance_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_scan_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_count": { + "type": "long" + }, + "expire_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_uid": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_hit_time": { + "type": "long" + }, + "frequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs-proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_subproduct": { + "ignore_above": 1024, + "type": "keyword" + }, + "hide_ip": { + "type": "ip" + }, + "hit": { + "type": "long" + }, + "host_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_more_info": { + "type": "long" + }, + "icap_server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_server_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_service_id": { + "type": "long" + }, + "icmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "id": { + "type": "long" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ike_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "impacted_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "info": { + "ignore_above": 1024, + "type": "keyword" + }, + "information": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_item": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_settings_log": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed_products": { + "ignore_above": 1024, + "type": "keyword" + }, + "int_end": { + "type": "long" + }, + "int_start": { + "type": "long" + }, + "integrity_av_invoke_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "internal_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalid_file_size": { + "type": "long" + }, + "ip_option": { + "type": "long" + }, + "isp_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_hit_time": { + "type": "long" + }, + "last_rematch_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit_applied": { + "type": "long" + }, + "limit_requested": { + "type": "long" + }, + "link_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "links_num": { + "type": "long" + }, + "log_delay": { + "type": 
"long" + }, + "log_id": { + "type": "long" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "long_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_family": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_fk": { + "type": "long" + }, + "match_id": { + "type": "long" + }, + "matched_file": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_file_percentage": { + "type": "long" + }, + "matched_file_text_segments": { + "type": "long" + }, + "media_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_size": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "methods": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mirror_and_decrypt_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_collection": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_command_and_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_credential_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_defense_evasion": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_discovery": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_exfiltration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_initial_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_lateral_movement": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_persistence": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"mitre_privilege_escalation": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat46": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "type": "long" + }, + "nat_exhausted_pool": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "type": "long" + }, + "needs_browse_time": { + "type": "long" + }, + "next_hop_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_scheduled_scan_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "number_of_errors": { + "type": "long" + }, + "objecttable": { + "ignore_above": 1024, + "type": "keyword" + }, + "objecttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_sic_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_amount": { + "type": "long" + }, + "packet_capture_unique_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "type": "long" + }, + "peer_gateway": { + "type": "ip" + }, + "peer_ip": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "peer_ip_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "type": "long" + }, + "policy_mgmt": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ports_usage": { + "type": "long" + }, + "ppp": { + "ignore_above": 1024, + "type": "keyword" + }, + "precise_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_machine_name": { + "type": "long" + }, + "proxy_src_ip": { + "type": "ip" + }, + "proxy_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "question_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_parent_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_self_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_ip-phones": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rematch_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediated_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_status": { + "type": "long" + }, + "risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpc_prog": { + "type": "long" + }, + "rule": { + "type": "long" + }, + 
"rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rulebase_id": { + "type": "long" + }, + "scan_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_hosts_day": { + "type": "long" + }, + "scan_hosts_hour": { + "type": "long" + }, + "scan_hosts_week": { + "type": "long" + }, + "scan_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_mail": { + "type": "long" + }, + "scan_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_results": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_download_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_total_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrubbed_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_association_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "securexl_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_communication": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_hashes": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_strings": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "similiar_iocs": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_object": { + "type": "long" + }, + "source_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "special_properties": { + "type": "long" + }, + "specific_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "spyware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "srckeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subs_exp": { + "type": "date" + }, + "subscriber": { + "type": "ip" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppressed_logs": { + "type": "long" + }, + "sync": { + "ignore_above": 1024, + "type": "keyword" + }, + "sys_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_end_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_packet_out_of_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_state": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"te_verdict_determined_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ticket_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_server_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_archive_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_attachments": { + "type": "long" + }, + "triggered_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_detected_day": { + "type": "long" + }, + "unique_detected_hour": { + "type": "long" + }, + "unique_detected_week": { + "type": "long" + }, + "update_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "via": { + "ignore_above": 1024, + "type": "keyword" + }, + "virus_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_action_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_sz": { + "type": "long" + }, + "voip_call_dir": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_term_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_config": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_est_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_exp": { + 
"type": "long" + }, + "voip_from_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_ipp": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reason_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reg_int": { + "type": "long" + }, + "voip_reg_ipp": { + "type": "long" + }, + "voip_reg_period": { + "type": "long" + }, + "voip_reg_server": { + "type": "ip" + }, + "voip_reg_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reject_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_to_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn_feature_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "watermark": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_server_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "word_list": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cisco": { + "properties": { + "asa": { + "properties": { + "assigned_ip": { + "type": "ip" + }, + "burst": { + "properties": { + "avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "cumulative_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "current_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line_arguments": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": { + "properties": { + "new": { + "ignore_above": 1024, + "type": "keyword" + }, + "old": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ftd": { + "properties": { + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": 
"long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "type": "object" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ios": { + "properties": { + "access_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + 
"properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client-ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + 
}, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "controller": { + "ignore_above": 1024, + "type": "keyword" + }, + "coredns": { + "properties": { + "dnssec_ok": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + } + }, + "crowdstrike": { + "properties": { + "event": { + "properties": { + "AuditKeyValues": { + "type": "nested" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "Commands": { + "ignore_above": 1024, + "type": "keyword" + }, + "ComputerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ConnectionDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "CustomerId": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "DetectDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "DetectId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DetectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EndTimestamp": { + "type": "date" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExecutablesWritten": { + "type": "nested" + }, + "FalconHostLink": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "FineScore": { + "type": "float" + }, + "Flags": { + "properties": { + "Audit": { + "type": "boolean" + }, + "Log": { + "type": "boolean" + }, + "Monitor": { + "type": "boolean" + } + } + }, + "GrandparentCommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "GrandparentImageFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "HostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "HostnameField": { + "ignore_above": 1024, + "type": "keyword" + }, + "ICMPCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ICMPType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IOCType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IOCValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImageFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "IncidentEndTime": { + "type": "date" + }, + "IncidentStartTime": { + "type": "date" + }, + "Ipv": { + "ignore_above": 1024, + "type": "keyword" + }, + "LateralMovement": { + "type": "long" + }, + "LocalAddress": { + "type": "ip" + }, + "LocalIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "LocalPort": { + "type": "long" + }, + "MACAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "MD5String": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineDomain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "MatchCount": { + "type": "long" + }, + "MatchCountSinceLastReport": { + "type": "long" + }, + "NetworkProfile": { + "ignore_above": 1024, + "type": "keyword" + }, + "Objective": { + "ignore_above": 1024, + "type": "keyword" + }, + "OperationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PID": { + "type": "long" + }, + "ParentCommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentImageFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessId": { + "type": "long" + }, + "PatternDispositionDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "PatternDispositionFlags": { + "type": "object" + }, + "PatternDispositionValue": { + "type": "long" + }, + "PolicyID": { + "ignore_above": 1024, + "type": "keyword" + }, + "PolicyName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessEndTime": { + "type": "date" + }, + "ProcessId": { + "type": "long" + }, + "ProcessStartTime": { + "type": "date" + }, + "Protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "RemoteAddress": { + "type": "ip" + }, + "RemotePort": { + "type": "long" + }, + "RuleAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleFamilyID": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SHA1String": { + "ignore_above": 1024, + "type": "keyword" + }, + "SHA256String": { + "ignore_above": 1024, + "type": "keyword" + }, + "SensorId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Severity": { + "type": "long" + }, + "SeverityName": { + "ignore_above": 
1024, + "type": "keyword" + }, + "StartTimestamp": { + "type": "date" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "Success": { + "type": "boolean" + }, + "Tactic": { + "ignore_above": 1024, + "type": "keyword" + }, + "Technique": { + "ignore_above": 1024, + "type": "keyword" + }, + "Timestamp": { + "type": "date" + }, + "TreeID": { + "ignore_above": 1024, + "type": "keyword" + }, + "UTCTimestamp": { + "type": "date" + }, + "UserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserIp": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "metadata": { + "properties": { + "customerIDString": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventCreationTime": { + "type": "date" + }, + "eventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "customer_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "db": { + "type": "long" + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "docker": { + "properties": { + "attrs": { + "type": "object" + }, + 
"container": { + "properties": { + "labels": { + "type": "object" + } + } + } + } + }, + "duration": { + "type": "long" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elasticsearch": { + "properties": { + "audit": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "indices": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "origin": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "params": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "deprecation": { + "type": "object" + }, + "gc": { + "properties": { + "heap": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + }, + "jvm_runtime_sec": { + "type": "float" + }, + "old_gen": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + }, + "phase": { + "properties": { + "class_unload_time_sec": { + "type": "float" + }, + "cpu_time": { + "properties": { + "real_sec": { + "type": "float" + }, + "sys_sec": { + "type": "float" + }, + "user_sec": { + "type": 
"float" + } + } + }, + "duration_sec": { + "type": "float" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parallel_rescan_time_sec": { + "type": "float" + }, + "scrub_string_table_time_sec": { + "type": "float" + }, + "scrub_symbol_table_time_sec": { + "type": "float" + }, + "weak_refs_processing_time_sec": { + "type": "float" + } + } + }, + "stopping_threads_time_sec": { + "type": "float" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threads_total_stop_time_sec": { + "type": "float" + }, + "young_gen": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + } + } + }, + "index": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "node": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "gc": { + "properties": { + "collection_duration": { + "properties": { + "ms": { + "type": "float" + } + } + }, + "observation_duration": { + "properties": { + "ms": { + "type": "float" + } + } + }, + "overhead_seq": { + "type": "long" + }, + "young": { + "properties": { + "one": { + "type": "long" + }, + "two": { + "type": "long" + } + } + } + } + }, + "stacktrace": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + } + } + }, + "shard": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "extra_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing": { + "ignore_above": 1024, + "type": "keyword" + }, + "search_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_query": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "stats": { + "ignore_above": 1024, + "type": "keyword" + }, + "took": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_hits": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_shards": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "envoyproxy": { + "properties": { + "authority": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "upstream_service_time": { + "type": "long" + } + } + }, + "err": { + "properties": { + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "errno": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "exc_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "fileset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "forcepoint": { + "properties": { + "virus_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "format": { + "ignore_above": 1024, + "type": "keyword" + }, + "fortinet": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "crc32": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "acct_stat": { + "ignore_above": 1024, + "type": "keyword" + }, + "acktime": { + "ignore_above": 1024, + "type": "keyword" + }, + "act": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "addr_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "addrgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "adgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "admin": { + "ignore_above": 1024, + "type": "keyword" + }, + "age": { + "type": "long" + }, + "agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarmid": { + "type": "long" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticscksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticssubmit": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "appact": { + "ignore_above": 1024, + "type": "keyword" + }, + "appid": { + "type": "long" + }, + "applist": { + "ignore_above": 1024, + "type": "keyword" + }, + "apprisk": { + "ignore_above": 1024, + "type": "keyword" + }, + "apscan": { + "ignore_above": 1024, + "type": "keyword" + }, + "apsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "apstatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "aptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "assigned": { + "type": "ip" + }, + "assignip": { + "type": "ip" + }, + "attachment": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontext": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontextid": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackid": { + "type": "long" + }, + "auditid": { + "type": "long" + }, + "auditscore": { + "ignore_above": 1024, + "type": "keyword" + }, + "audittime": { + "type": "long" + }, + "authgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "authid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"authproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "authserver": { + "ignore_above": 1024, + "type": "keyword" + }, + "bandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "banword": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetip": { + "type": "ip" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "carrier_ep": { + "ignore_above": 1024, + "type": "keyword" + }, + "cat": { + "type": "long" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "cdrcontent": { + "ignore_above": 1024, + "type": "keyword" + }, + "centralnatid": { + "type": "long" + }, + "cert": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "certhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgattr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgobj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgpath": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtxpower": { + "type": "long" + }, + "channel": { + "type": "long" + }, + "channeltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "chassisid": { + "type": "long" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "chgheaders": { + "ignore_above": 1024, + "type": "keyword" + }, + "cldobjid": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "clouduser": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"column": { + "type": "long" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "configcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "conserve": { + "ignore_above": 1024, + "type": "keyword" + }, + "constraint": { + "ignore_above": 1024, + "type": "keyword" + }, + "contentdisarmed": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "countapp": { + "type": "long" + }, + "countav": { + "type": "long" + }, + "countcifs": { + "type": "long" + }, + "countdlp": { + "type": "long" + }, + "countdns": { + "type": "long" + }, + "countemail": { + "type": "long" + }, + "countff": { + "type": "long" + }, + "countips": { + "type": "long" + }, + "countssh": { + "type": "long" + }, + "countssl": { + "type": "long" + }, + "countwaf": { + "type": "long" + }, + "countweb": { + "type": "long" + }, + "cpu": { + "type": "long" + }, + "craction": { + "type": "long" + }, + "criticalcount": { + "type": "long" + }, + "crl": { + "ignore_above": 1024, + "type": "keyword" + }, + "crlevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "crscore": { + "type": "long" + }, + "cveid": { + "ignore_above": 1024, + "type": "keyword" + }, + "daemon": { + "ignore_above": 1024, + "type": "keyword" + }, + "datarange": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "ddnsserver": { + "type": "ip" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "detectionmethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "devcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "devintfname": { + "ignore_above": 1024, + "type": "keyword" + }, + "devtype": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "dhcp_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "dintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "ignore_above": 1024, + "type": "keyword" + }, + "disklograte": { + "type": "long" + }, + "dlpextra": { + "ignore_above": 1024, + "type": "keyword" + }, + "docsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlauthstate": { + "type": "long" + }, + "domainctrlauthtype": { + "type": "long" + }, + "domainctrldomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlip": { + "type": "ip" + }, + "domainctrlname": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlprotocoltype": { + "type": "long" + }, + "domainctrlusername": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainfilteridx": { + "type": "long" + }, + "domainfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "ds": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstserver": { + "type": "long" + }, + "dstssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstunauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstuuid": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "duid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eapolcnt": { + "type": "long" + }, + "eapoltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "encrypt": { + "type": "long" + }, + "encryption": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch": { + "type": "long" + }, + "espauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "esptransform": { + "ignore_above": 1024, + "type": "keyword" + }, + "exch": { + "ignore_above": 1024, + "type": "keyword" + }, + "exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "expectedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiry": { + "ignore_above": 1024, + "type": "keyword" + }, + "fams_pause": { + "type": "long" + }, + "fazlograte": { + "type": "long" + }, + "fctemssn": { + "ignore_above": 1024, + "type": "keyword" + }, + "fctuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "filefilter": { + "ignore_above": 1024, + "type": "keyword" + }, + "filehashsrc": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtercat": { + "ignore_above": 1024, + "type": "keyword" + }, + "filteridx": { + "type": "long" + }, + "filtername": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtertype": { + "ignore_above": 1024, + "type": "keyword" + }, + "fortiguardresp": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwardedfor": { + "ignore_above": 1024, + "type": "keyword" + }, + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "frametype": { + "ignore_above": 1024, + "type": "keyword" + }, + "freediskstorage": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "from_vcluster": { + "type": "long" + }, + "fsaverdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "fwserver_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "type": "ip" + }, + "green": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "groupid": { + "type": "long" + }, + "ha-prio": { + "type": "long" + }, + "ha_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "ha_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "handshake": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hbdn_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "highcount": { + "type": "long" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "iaid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "type": "long" + }, + "in_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentserialno": { + "type": "long" + }, + "infected": { + "type": "long" + }, + "infectedfilelevel": { + "type": "long" + }, + "informationsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "init": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "intf": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalidmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "iptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "keyword": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "lanin": { + "type": "long" + }, + "lanout": { + "type": "long" + }, + "lease": { + "type": "long" + }, + "license_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit": { + "type": "long" + }, + "line": { + "ignore_above": 1024, + "type": "keyword" + }, + "live": { + "type": "long" + }, + "local": { + "type": "ip" + }, + "log": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "login": { + "ignore_above": 1024, + "type": "keyword" + }, + "lowcount": { + "type": "long" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "malform_data": { + "type": "long" + }, + "malform_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "manuf": { + "ignore_above": 1024, + "type": "keyword" + }, + "masterdstmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mastersrcmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mediumcount": { + "type": "long" + }, + "mem": { + "type": "long" + }, + "meshmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mgmtcnt": { + "type": "long" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-name": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mpsk": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "ignore_above": 1024, + "type": "keyword" + }, + "netid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "newchannel": { + "type": "long" + }, + "newchassisid": { + "type": "long" + }, + "newslot": { + "type": "long" + }, + "nextstat": { + "type": "long" + }, + "nf_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "noise": { + "type": "long" + }, + "old_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldchannel": { + "type": "long" + }, + 
"oldchassisid": { + "type": "long" + }, + "oldslot": { + "type": "long" + }, + "oldsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldwprof": { + "ignore_above": 1024, + "type": "keyword" + }, + "onwire": { + "ignore_above": 1024, + "type": "keyword" + }, + "opercountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "opertxpower": { + "type": "long" + }, + "osname": { + "ignore_above": 1024, + "type": "keyword" + }, + "osversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "outintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "passedcount": { + "type": "long" + }, + "passwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_notif": { + "ignore_above": 1024, + "type": "keyword" + }, + "phase2_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "policytype": { + "ignore_above": 1024, + "type": "keyword" + }, + "poolname": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "portbegin": { + "type": "long" + }, + "portend": { + "type": "long" + }, + "probeproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "processtime": { + "type": "long" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "profilegroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "profiletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtypeval": { + "type": "long" + }, + "quarskip": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaexceeded": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotamax": { + "type": "long" + }, + "quotatype": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "quotaused": { + "type": "long" + }, + "radioband": { + "ignore_above": 1024, + "type": "keyword" + }, + "radioid": { + "type": "long" + }, + "radioidclosest": { + "type": "long" + }, + "radioiddetected": { + "type": "long" + }, + "rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdataid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcvddelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received": { + "type": "long" + }, + "receivedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "red": { + "ignore_above": 1024, + "type": "keyword" + }, + "referralurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote": { + "type": "ip" + }, + "remotewtptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "reporttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "reqtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "rssi": { + "type": "long" + }, + "rsso_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruledata": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanned": { + "type": "long" + }, + "scantime": { + "type": "long" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensitivity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor": { + "ignore_above": 1024, + "type": "keyword" + }, + "sentdelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "serialno": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "type": "long" + }, + "setuprate": { + "type": "long" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperdroprcvdbyte": { + "type": "long" + }, + "shaperdropsentbyte": { + "type": "long" + }, + "shaperperipdropbyte": { + "type": "long" + }, + "shaperperipname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperrcvdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapersentname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapingpolicyid": { + "type": "long" + }, + "signal": { + "type": "long" + }, + "size": { + "type": "long" + }, + "slot": { + "type": "long" + }, + "sn": { + "ignore_above": 1024, + "type": "keyword" + }, + "snclosest": { + "ignore_above": 1024, + "type": "keyword" + }, + "sndetected": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmeshparent": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "srccountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcname": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcserver": { + "type": "long" + }, + "srcssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sscname": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssllocal": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslremote": { + "ignore_above": 1024, + "type": "keyword" + }, + "stacount": { + "type": "long" + }, + "stage": { + "ignore_above": 1024, + "type": "keyword" + }, + "stamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "stitch": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "submodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "subservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious": { + "type": "long" + }, + "switchproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sysuptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "tamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "threattype": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_vcluster": { + "type": "long" + }, + "total": { + "type": "long" + }, + "totalsession": { + "type": "long" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trandisp": { + "ignore_above": 1024, + "type": "keyword" + }, + "transid": { + "type": "long" + }, + "translationid": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "ignore_above": 1024, + "type": "keyword" + }, + "trueclntip": { + "type": "ip" + }, + "tunnelid": { + "type": "long" + }, + "tunnelip": { + "type": "ip" + }, + "tunneltype": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ui": { + "ignore_above": 1024, + "type": "keyword" + }, + "unauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit": { + "type": "long" + }, + "urlfilteridx": { + "type": "long" + }, + "urlfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "urltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "used_for_type": { + "type": "long" + }, + "utmaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "vap": { + "ignore_above": 1024, + "type": "keyword" + }, + "vapmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "vcluster": { + "type": "long" + }, + "vcluster_member": { + "type": "long" + }, + "vcluster_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "vdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendorurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vip": { + "ignore_above": 1024, + "type": "keyword" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "virusid": { + "type": "long" + }, + "voip_proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntunnel": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntype": { + "ignore_above": 1024, + "type": "keyword" + }, + "vrf": { + "type": "long" + }, + "vulncat": { + "ignore_above": 1024, + "type": "keyword" + }, + "vulnid": { + "type": "long" + }, + "vulnname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlid": { + "type": "long" + }, + "vwlquality": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwpvlanid": { + 
"type": "long" + }, + "wanin": { + "type": "long" + }, + "wanoptapptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "wanout": { + "type": "long" + }, + "weakwepiv": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthuser": { + "ignore_above": 1024, + "type": "keyword" + }, + "xid": { + "type": "long" + } + } + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "googlecloud": { + "properties": { + "audit": { + "properties": { + "authentication_info": { + "properties": { + "authority_selector": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_email": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "method_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "num_response_items": { + "type": "long" + }, + "request": { + "properties": { + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request_metadata": { + "properties": { + "caller_ip": { + "type": "ip" + }, + "caller_supplied_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_location": { + "properties": { + "current_locations": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_name": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "response": { + "properties": { + "details": { + "properties": { + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "rule_details": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_tag": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "source": { + "properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "vpcflow": { + "properties": { + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gsuite": { + "properties": { + "actor": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "admin": { + "properties": { + "alert": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "api": { + "properties": { + "client": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scopes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "application": { + "properties": { + "asp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "edition": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_order_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_purchased": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_id": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "bulk_upload": { + "properties": { + "failed": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "chrome_licenses": { + "properties": { + "allowed": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "chrome_os": { + "properties": { + "session_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device": { + "properties": { + "command_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "distribution": { + "properties": { + "entity": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "secondary_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "log_search_filter": { + "properties": { + "end_date": { + "type": "date" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start_date": { + "type": "date" + } + } + }, + "quarantine_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_dump": { + "properties": { + "include_deleted": { + "type": "boolean" + }, + "package_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ }, + "email_monitor": { + "properties": { + "dest_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "properties": { + "chat": { + "ignore_above": 1024, + "type": "keyword" + }, + "draft": { + "ignore_above": 1024, + "type": "keyword" + }, + "incoming": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "allowed_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "priorities": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "info_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mdm": { + "properties": { + "token": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mobile": { + "properties": { + "action": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "certificate": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "company_owned_devices": { + "type": "long" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "non_featured_services_selection": { + "ignore_above": 1024, + "type": "keyword" + }, + "oauth2": { + "properties": { + "application": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + 
"old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_unit": { + "properties": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "print_server": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "printer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "privilege": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sku": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "role": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "setting": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "birthdate": { + "type": "date" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "nickname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_defined_setting": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "verification_method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "drive": { + "properties": { + "added_role": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "billable": { + "type": "boolean" + }, + "destination_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_shared_drive": { + "type": "boolean" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "membership_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "originating_app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_event": { + "type": "boolean" + }, + "removed_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_settings_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sheets_import_range_recipient_doc": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility_change": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "groups": { + "properties": { + "acl_permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "member": { + 
"properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "moderation_action": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "setting": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "properties": { + "affected_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "challenge_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_second_factor": { + "type": "boolean" + }, + "is_suspicious": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saml": { + "properties": { + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "orgunit_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_level_status_code": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + } + } + }, + "haproxy": { + "properties": { + "backend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_queue": { + "type": "long" + }, + "bind_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_read": { + "type": "long" + }, + "client": { + "type": "object" + }, + "connection_wait_time_ms": { + "type": "long" + }, 
+ "connections": { + "properties": { + "active": { + "type": "long" + }, + "backend": { + "type": "long" + }, + "frontend": { + "type": "long" + }, + "retries": { + "type": "long" + }, + "server": { + "type": "long" + } + } + }, + "destination": { + "type": "object" + }, + "error_message": { + "norms": false, + "type": "text" + }, + "frontend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "type": "object" + }, + "http": { + "properties": { + "request": { + "properties": { + "captured_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "captured_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_request_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_wait_ms": { + "type": "long" + }, + "time_wait_without_data_ms": { + "type": "long" + } + } + }, + "response": { + "properties": { + "captured_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "captured_headers": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_queue": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp": { + "properties": { + "connection_waiting_time_ms": { + "type": "long" + } + } + }, + "termination_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_backend_connect": { + "type": "long" + }, + "time_queue": { + "type": "long" + }, + "total_waiting_time_ms": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + 
}, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { 
+ "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ibmmq": { + "properties": { + "errorlog": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "arithinsert": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "commentinsert": { + "ignore_above": 1024, + "type": "keyword" + }, + "errordescription": { + "norms": false, + "type": "text" + }, + "explanation": { + "ignore_above": 1024, + "type": "keyword" + }, + "installation": { + "ignore_above": 1024, + "type": "keyword" + }, + "qmgr": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "icinga": { + "properties": { + "debug": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "main": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "startup": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "icmp": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "igmp": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iis": { + "properties": { + "access": { + "properties": { + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "type": "object" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "type": "long" + }, + "user_agent": { + "type": "object" + }, + "win32_status": { + "type": "long" + } + } + }, + "error": { + "properties": { + "geoip": { + "type": "object" + }, + "queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iptables": { + "properties": { + "ether_type": { + "type": "long" + }, + "flow_label": { + "type": "long" + }, + "fragment_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment_offset": { + "type": "long" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "id": { + "type": "long" + }, + "parameter": { + "type": "long" + }, + "redirect": { + 
"type": "ip" + }, + "seq": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "incomplete_bytes": { + "type": "long" + }, + "input_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "output_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "precedence_bits": { + "type": "short" + }, + "tcp": { + "properties": { + "ack": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "reserved_bits": { + "type": "short" + }, + "seq": { + "type": "long" + }, + "window": { + "type": "long" + } + } + }, + "tos": { + "type": "long" + }, + "ttl": { + "type": "long" + }, + "ubiquiti": { + "properties": { + "input_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "output_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_set": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "udp": { + "properties": { + "length": { + "type": "long" + } + } + } + } + }, + "jolokia": { + "properties": { + "agent": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "secured": { + "type": "boolean" + }, + "server": { + "properties": { + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kafka": { + "properties": { + "block_timestamp": { + "type": "date" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace": { + 
"properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + } + } + } + } + }, + "offset": { + "type": "long" + }, + "partition": { + "type": "long" + }, + "topic": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "log": { + "properties": { + "meta": { + "properties": { + "error": { + "properties": { + "message": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "stack": { + "type": "keyword" + } + } + }, + "level": { + "type": "keyword" + }, + "prevMsg": { + "type": "keyword" + }, + "prevState": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "properties": { + "href": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pathname": { + "type": "keyword" + }, + "query": { + "properties": { + "end": { + "type": "keyword" + }, + "filterNames": { + "type": "keyword" + }, + "serviceName": { + "type": "keyword" + }, + "start": { + "type": "keyword" + }, + "transactionName": { + "type": "keyword" + }, + "transactionType": { + "type": "keyword" + }, + "uiFilters": { + "type": "keyword" + } + } + }, + "search": { + "type": "keyword" + } + } + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "kubernetes": { + "properties": { + "annotations": { + "properties": { + "*": { + "type": "object" + } + } + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "deployment": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "properties": { + "*": { + "type": "object" + }, + "app": { + "type": "keyword" + }, + "chart": { + "type": "keyword" + }, + "component": { + "type": "keyword" + }, + "controller-revision-hash": { + "type": "keyword" + }, + 
"controller-uid": { + "type": "keyword" + }, + "heritage": { + "type": "keyword" + }, + "job-name": { + "type": "keyword" + }, + "pod-template-hash": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "role": { + "type": "keyword" + }, + "service": { + "type": "keyword" + }, + "statefulset_kubernetes_io/pod-name": { + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "replicaset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "statefulset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "labels": { + "type": "object" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + 
"severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "logstash": { + "properties": { + "log": { + "properties": { + "log_event": { + "type": "object" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "event": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "took_in_millis": { + "type": "long" + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "microsoft": { + "properties": { + "defender_atp": { + "properties": { + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "aadUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "accountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "type": "ip" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdateTime": { + "type": "date" + }, + "rbacGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "misp": { + "properties": { + "attack_pattern": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "campaign": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "objective": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "course_of_action": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "contact_information": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sectors": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "intrusion_set": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + } + } + }, + "malware": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "note": { + "properties": { + "authors": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "ignore_above": 1024, + "type": "keyword" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observed_data": { + "properties": { + "first_observed": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_observed": { + "type": "date" + }, + "number_observed": { + "type": "long" + }, + "objects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "report": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "norms": false, + "type": "text" + }, + "published": { + "type": "date" + } + } + }, + "threat_actor": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "personal_motivations": { + "norms": false, + "type": "text" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "roles": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + }, + "sophistication": { + "norms": false, + "type": "text" + } + } + }, + "threat_indicator": { + "properties": { + "attack_pattern": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_pattern_kql": { + "ignore_above": 1024, + "type": "keyword" + }, + "campaign": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "feed": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "intrusion_set": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactic": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_technique": { + "ignore_above": 1024, + "type": "keyword" + }, + "negate": { + "type": "boolean" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_actor": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "valid_from": { + "type": "date" + }, + "valid_until": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "norms": false, + "type": "text" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tool_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mongodb": { + "properties": { + "log": { + "properties": { + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "mssql": { + "properties": { + "log": { + "properties": { + "origin": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mysql": { + "properties": { + "error": { + "type": "object" + }, + "slowlog": { + "properties": { + "bytes_received": { + "type": "long" + }, + "bytes_sent": { + "type": "long" + }, + "current_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesort": { + "type": "boolean" + }, + "filesort_on_disk": { + "type": "boolean" + }, + "full_join": { + "type": "boolean" + }, + "full_scan": { + "type": "boolean" + }, + "innodb": { + "properties": { + "io_r_bytes": { + "type": "long" + }, + "io_r_ops": { + "type": "long" + }, + "io_r_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "pages_distinct": { + "type": "long" + }, + "queue_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "rec_lock_wait": { + "properties": { + "sec": { + 
"type": "long" + } + } + }, + "trx_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "killed": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_errno": { + "ignore_above": 1024, + "type": "keyword" + }, + "lock_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "log_slow_rate_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_slow_rate_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "merge_passes": { + "type": "long" + }, + "priority_queue": { + "type": "boolean" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "query_cache_hit": { + "type": "boolean" + }, + "read_first": { + "type": "long" + }, + "read_key": { + "type": "long" + }, + "read_last": { + "type": "long" + }, + "read_next": { + "type": "long" + }, + "read_prev": { + "type": "long" + }, + "read_rnd": { + "type": "long" + }, + "read_rnd_next": { + "type": "long" + }, + "rows_affected": { + "type": "long" + }, + "rows_examined": { + "type": "long" + }, + "rows_sent": { + "type": "long" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "sort_merge_passes": { + "type": "long" + }, + "sort_range_count": { + "type": "long" + }, + "sort_rows": { + "type": "long" + }, + "sort_scan_count": { + "type": "long" + }, + "tmp_disk_tables": { + "type": "long" + }, + "tmp_table": { + "type": "boolean" + }, + "tmp_table_on_disk": { + "type": "boolean" + }, + "tmp_table_sizes": { + "type": "long" + }, + "tmp_tables": { + "type": "long" + } + } + }, + "thread_id": { + "type": "long" + } + } + }, + "nats": { + "properties": { + "log": { + "properties": { + "client": { + "properties": { + "id": { + "type": "long" + } + } + }, + "msg": { + "properties": { + "bytes": { + "type": "long" + }, + "error": { + "properties": { + "message": { + "norms": false, + "type": "text" + } + } + }, + "max_messages": { + "type": "long" + }, + "queue_group": { + "norms": false, + "type": "text" + }, + "reply_to": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sid": { + "type": "long" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "netflow": { + "properties": { + "absolute_error": { + "type": "double" + }, + "address_pool_high_threshold": { + "type": "long" + }, + "address_pool_low_threshold": { + "type": "long" + }, + "address_port_mapping_high_threshold": { + "type": "long" + }, + "address_port_mapping_low_threshold": { + "type": "long" + }, + "address_port_mapping_per_user_high_threshold": { + "type": "long" + }, + "anonymization_flags": { + "type": "long" + }, + "anonymization_technique": { + "type": "long" + }, + "application_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_id": { + "type": "short" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bgp_destination_as_number": { + "type": "long" + }, + "bgp_next_adjacent_as_number": { + "type": "long" + }, + "bgp_next_hop_ipv4_address": { + "type": "ip" + }, + "bgp_next_hop_ipv6_address": { + "type": "ip" + }, + "bgp_prev_adjacent_as_number": { + "type": "long" + }, + "bgp_source_as_number": { + "type": "long" + }, + "bgp_validity_state": { + "type": "short" + }, + "biflow_direction": { + "type": "short" + }, + "class_id": { + "type": "long" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_engine_id": { + "type": "short" + }, + "collection_time_milliseconds": { + "type": "date" + }, + "collector_certificate": { + "type": "short" + }, + "collector_ipv4_address": { + "type": "ip" + }, + "collector_ipv6_address": { + "type": "ip" + }, + "collector_transport_port": { + "type": "long" + }, 
+ "common_properties_id": { + "type": "long" + }, + "confidence_level": { + "type": "double" + }, + "connection_sum_duration_seconds": { + "type": "long" + }, + "connection_transaction_id": { + "type": "long" + }, + "data_link_frame_section": { + "type": "short" + }, + "data_link_frame_size": { + "type": "long" + }, + "data_link_frame_type": { + "type": "long" + }, + "data_records_reliability": { + "type": "boolean" + }, + "delta_flow_count": { + "type": "long" + }, + "destination_ipv4_address": { + "type": "ip" + }, + "destination_ipv4_prefix": { + "type": "ip" + }, + "destination_ipv4_prefix_length": { + "type": "short" + }, + "destination_ipv6_address": { + "type": "ip" + }, + "destination_ipv6_prefix": { + "type": "ip" + }, + "destination_ipv6_prefix_length": { + "type": "short" + }, + "destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_transport_port": { + "type": "long" + }, + "digest_hash_value": { + "type": "long" + }, + "distinct_count_of_destination_ip_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv4_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv6_address": { + "type": "long" + }, + "distinct_count_of_source_ip_address": { + "type": "long" + }, + "distinct_count_of_source_ipv4_address": { + "type": "long" + }, + "distinct_count_of_source_ipv6_address": { + "type": "long" + }, + "dot1q_customer_dei": { + "type": "boolean" + }, + "dot1q_customer_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_priority": { + "type": "short" + }, + "dot1q_customer_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_vlan_id": { + "type": "long" + }, + "dot1q_dei": { + "type": "boolean" + }, + "dot1q_priority": { + "type": "short" + }, + "dot1q_service_instance_id": { + "type": "long" + }, + "dot1q_service_instance_priority": { + "type": "short" + }, + "dot1q_service_instance_tag": { + "type": "short" + }, + 
"dot1q_vlan_id": { + "type": "long" + }, + "dropped_layer2_octet_delta_count": { + "type": "long" + }, + "dropped_layer2_octet_total_count": { + "type": "long" + }, + "dropped_octet_delta_count": { + "type": "long" + }, + "dropped_octet_total_count": { + "type": "long" + }, + "dropped_packet_delta_count": { + "type": "long" + }, + "dropped_packet_total_count": { + "type": "long" + }, + "dst_traffic_index": { + "type": "long" + }, + "egress_broadcast_packet_total_count": { + "type": "long" + }, + "egress_interface": { + "type": "long" + }, + "egress_interface_type": { + "type": "long" + }, + "egress_physical_interface": { + "type": "long" + }, + "egress_unicast_packet_total_count": { + "type": "long" + }, + "egress_vrfid": { + "type": "long" + }, + "encrypted_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_id": { + "type": "short" + }, + "engine_type": { + "type": "short" + }, + "ethernet_header_length": { + "type": "short" + }, + "ethernet_payload_length": { + "type": "long" + }, + "ethernet_total_length": { + "type": "long" + }, + "ethernet_type": { + "type": "long" + }, + "export_interface": { + "type": "long" + }, + "export_protocol_version": { + "type": "short" + }, + "export_sctp_stream_id": { + "type": "long" + }, + "export_transport_protocol": { + "type": "short" + }, + "exported_flow_record_total_count": { + "type": "long" + }, + "exported_message_total_count": { + "type": "long" + }, + "exported_octet_total_count": { + "type": "long" + }, + "exporter": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uptime_millis": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "exporter_certificate": { + "type": "short" + }, + "exporter_ipv4_address": { + "type": "ip" + }, + "exporter_ipv6_address": { + "type": "ip" + }, + "exporter_transport_port": { + "type": "long" + }, + "exporting_process_id": { + 
"type": "long" + }, + "external_address_realm": { + "type": "short" + }, + "firewall_event": { + "type": "short" + }, + "flags_and_sampler_id": { + "type": "long" + }, + "flow_active_timeout": { + "type": "long" + }, + "flow_direction": { + "type": "short" + }, + "flow_duration_microseconds": { + "type": "long" + }, + "flow_duration_milliseconds": { + "type": "long" + }, + "flow_end_delta_microseconds": { + "type": "long" + }, + "flow_end_microseconds": { + "type": "date" + }, + "flow_end_milliseconds": { + "type": "date" + }, + "flow_end_nanoseconds": { + "type": "date" + }, + "flow_end_reason": { + "type": "short" + }, + "flow_end_seconds": { + "type": "date" + }, + "flow_end_sys_up_time": { + "type": "long" + }, + "flow_id": { + "type": "long" + }, + "flow_idle_timeout": { + "type": "long" + }, + "flow_key_indicator": { + "type": "long" + }, + "flow_label_ipv6": { + "type": "long" + }, + "flow_sampling_time_interval": { + "type": "long" + }, + "flow_sampling_time_spacing": { + "type": "long" + }, + "flow_selected_flow_delta_count": { + "type": "long" + }, + "flow_selected_octet_delta_count": { + "type": "long" + }, + "flow_selected_packet_delta_count": { + "type": "long" + }, + "flow_selector_algorithm": { + "type": "long" + }, + "flow_start_delta_microseconds": { + "type": "long" + }, + "flow_start_microseconds": { + "type": "date" + }, + "flow_start_milliseconds": { + "type": "date" + }, + "flow_start_nanoseconds": { + "type": "date" + }, + "flow_start_seconds": { + "type": "date" + }, + "flow_start_sys_up_time": { + "type": "long" + }, + "forwarding_status": { + "type": "short" + }, + "fragment_flags": { + "type": "short" + }, + "fragment_identification": { + "type": "long" + }, + "fragment_offset": { + "type": "long" + }, + "global_address_mapping_high_threshold": { + "type": "long" + }, + "gre_key": { + "type": "long" + }, + "hash_digest_output": { + "type": "boolean" + }, + "hash_flow_domain": { + "type": "long" + }, + "hash_initialiser_value": { + "type": 
"long" + }, + "hash_ip_payload_offset": { + "type": "long" + }, + "hash_ip_payload_size": { + "type": "long" + }, + "hash_output_range_max": { + "type": "long" + }, + "hash_output_range_min": { + "type": "long" + }, + "hash_selected_range_max": { + "type": "long" + }, + "hash_selected_range_min": { + "type": "long" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_message_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status_code": { + "type": "long" + }, + "http_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code_ipv4": { + "type": "short" + }, + "icmp_code_ipv6": { + "type": "short" + }, + "icmp_type_code_ipv4": { + "type": "long" + }, + "icmp_type_code_ipv6": { + "type": "long" + }, + "icmp_type_ipv4": { + "type": "short" + }, + "icmp_type_ipv6": { + "type": "short" + }, + "igmp_type": { + "type": "short" + }, + "ignored_data_record_total_count": { + "type": "long" + }, + "ignored_layer2_frame_total_count": { + "type": "long" + }, + "ignored_layer2_octet_total_count": { + "type": "long" + }, + "ignored_octet_total_count": { + "type": "long" + }, + "ignored_packet_total_count": { + "type": "long" + }, + "information_element_data_type": { + "type": "short" + }, + "information_element_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_id": { + "type": "long" + }, + "information_element_index": { + "type": "long" + }, + "information_element_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_range_begin": { + "type": "long" + }, + "information_element_range_end": { + "type": "long" + }, + "information_element_semantics": { 
+ "type": "short" + }, + "information_element_units": { + "type": "long" + }, + "ingress_broadcast_packet_total_count": { + "type": "long" + }, + "ingress_interface": { + "type": "long" + }, + "ingress_interface_type": { + "type": "long" + }, + "ingress_multicast_packet_total_count": { + "type": "long" + }, + "ingress_physical_interface": { + "type": "long" + }, + "ingress_unicast_packet_total_count": { + "type": "long" + }, + "ingress_vrfid": { + "type": "long" + }, + "initiator_octets": { + "type": "long" + }, + "initiator_packets": { + "type": "long" + }, + "interface_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "intermediate_process_id": { + "type": "long" + }, + "internal_address_realm": { + "type": "short" + }, + "ip_class_of_service": { + "type": "short" + }, + "ip_diff_serv_code_point": { + "type": "short" + }, + "ip_header_length": { + "type": "short" + }, + "ip_header_packet_section": { + "type": "short" + }, + "ip_next_hop_ipv4_address": { + "type": "ip" + }, + "ip_next_hop_ipv6_address": { + "type": "ip" + }, + "ip_payload_length": { + "type": "long" + }, + "ip_payload_packet_section": { + "type": "short" + }, + "ip_precedence": { + "type": "short" + }, + "ip_sec_spi": { + "type": "long" + }, + "ip_total_length": { + "type": "long" + }, + "ip_ttl": { + "type": "short" + }, + "ip_version": { + "type": "short" + }, + "ipv4_ihl": { + "type": "short" + }, + "ipv4_options": { + "type": "long" + }, + "ipv4_router_sc": { + "type": "ip" + }, + "ipv6_extension_headers": { + "type": "long" + }, + "is_multicast": { + "type": "short" + }, + "layer2_frame_delta_count": { + "type": "long" + }, + "layer2_frame_total_count": { + "type": "long" + }, + "layer2_octet_delta_count": { + "type": "long" + }, + "layer2_octet_delta_sum_of_squares": { + "type": "long" + }, + "layer2_octet_total_count": { + "type": "long" + }, + "layer2_octet_total_sum_of_squares": { + "type": "long" + }, 
+ "layer2_segment_id": { + "type": "long" + }, + "layer2packet_section_data": { + "type": "short" + }, + "layer2packet_section_offset": { + "type": "long" + }, + "layer2packet_section_size": { + "type": "long" + }, + "line_card_id": { + "type": "long" + }, + "lower_ci_limit": { + "type": "double" + }, + "max_bib_entries": { + "type": "long" + }, + "max_entries_per_user": { + "type": "long" + }, + "max_export_seconds": { + "type": "date" + }, + "max_flow_end_microseconds": { + "type": "date" + }, + "max_flow_end_milliseconds": { + "type": "date" + }, + "max_flow_end_nanoseconds": { + "type": "date" + }, + "max_flow_end_seconds": { + "type": "date" + }, + "max_fragments_pending_reassembly": { + "type": "long" + }, + "max_session_entries": { + "type": "long" + }, + "max_subscribers": { + "type": "long" + }, + "maximum_ip_total_length": { + "type": "long" + }, + "maximum_layer2_total_length": { + "type": "long" + }, + "maximum_ttl": { + "type": "short" + }, + "message_md5_checksum": { + "type": "short" + }, + "message_scope": { + "type": "short" + }, + "metering_process_id": { + "type": "long" + }, + "metro_evc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "metro_evc_type": { + "type": "short" + }, + "mib_capture_time_semantics": { + "type": "short" + }, + "mib_context_engine_id": { + "type": "short" + }, + "mib_context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_index_indicator": { + "type": "long" + }, + "mib_module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_identifier": { + "type": "short" + }, + "mib_object_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_syntax": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_value_bits": { + "type": "short" + }, + "mib_object_value_counter": { + "type": "long" + }, + "mib_object_value_gauge": { + "type": "long" + }, + "mib_object_value_integer": { + 
"type": "long" + }, + "mib_object_value_ip_address": { + "type": "ip" + }, + "mib_object_value_octet_string": { + "type": "short" + }, + "mib_object_value_oid": { + "type": "short" + }, + "mib_object_value_time_ticks": { + "type": "long" + }, + "mib_object_value_unsigned": { + "type": "long" + }, + "mib_sub_identifier": { + "type": "long" + }, + "min_export_seconds": { + "type": "date" + }, + "min_flow_start_microseconds": { + "type": "date" + }, + "min_flow_start_milliseconds": { + "type": "date" + }, + "min_flow_start_nanoseconds": { + "type": "date" + }, + "min_flow_start_seconds": { + "type": "date" + }, + "minimum_ip_total_length": { + "type": "long" + }, + "minimum_layer2_total_length": { + "type": "long" + }, + "minimum_ttl": { + "type": "short" + }, + "mobile_imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_msisdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitoring_interval_end_milli_seconds": { + "type": "date" + }, + "monitoring_interval_start_milli_seconds": { + "type": "date" + }, + "mpls_label_stack_depth": { + "type": "long" + }, + "mpls_label_stack_length": { + "type": "long" + }, + "mpls_label_stack_section": { + "type": "short" + }, + "mpls_label_stack_section10": { + "type": "short" + }, + "mpls_label_stack_section2": { + "type": "short" + }, + "mpls_label_stack_section3": { + "type": "short" + }, + "mpls_label_stack_section4": { + "type": "short" + }, + "mpls_label_stack_section5": { + "type": "short" + }, + "mpls_label_stack_section6": { + "type": "short" + }, + "mpls_label_stack_section7": { + "type": "short" + }, + "mpls_label_stack_section8": { + "type": "short" + }, + "mpls_label_stack_section9": { + "type": "short" + }, + "mpls_payload_length": { + "type": "long" + }, + "mpls_payload_packet_section": { + "type": "short" + }, + "mpls_top_label_exp": { + "type": "short" + }, + "mpls_top_label_ipv4_address": { + "type": "ip" + }, + "mpls_top_label_ipv6_address": { + "type": "ip" + }, + 
"mpls_top_label_prefix_length": { + "type": "short" + }, + "mpls_top_label_stack_section": { + "type": "short" + }, + "mpls_top_label_ttl": { + "type": "short" + }, + "mpls_top_label_type": { + "type": "short" + }, + "mpls_vpn_route_distinguisher": { + "type": "short" + }, + "multicast_replication_factor": { + "type": "long" + }, + "nat_event": { + "type": "short" + }, + "nat_instance_id": { + "type": "long" + }, + "nat_originating_address_realm": { + "type": "short" + }, + "nat_pool_id": { + "type": "long" + }, + "nat_pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_quota_exceeded_event": { + "type": "long" + }, + "nat_threshold_event": { + "type": "long" + }, + "nat_type": { + "type": "short" + }, + "new_connection_delta_count": { + "type": "long" + }, + "next_header_ipv6": { + "type": "short" + }, + "not_sent_flow_total_count": { + "type": "long" + }, + "not_sent_layer2_octet_total_count": { + "type": "long" + }, + "not_sent_octet_total_count": { + "type": "long" + }, + "not_sent_packet_total_count": { + "type": "long" + }, + "observation_domain_id": { + "type": "long" + }, + "observation_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observation_point_id": { + "type": "long" + }, + "observation_point_type": { + "type": "short" + }, + "observation_time_microseconds": { + "type": "date" + }, + "observation_time_milliseconds": { + "type": "date" + }, + "observation_time_nanoseconds": { + "type": "date" + }, + "observation_time_seconds": { + "type": "date" + }, + "observed_flow_total_count": { + "type": "long" + }, + "octet_delta_count": { + "type": "long" + }, + "octet_delta_sum_of_squares": { + "type": "long" + }, + "octet_total_count": { + "type": "long" + }, + "octet_total_sum_of_squares": { + "type": "long" + }, + "opaque_octets": { + "type": "short" + }, + "original_exporter_ipv4_address": { + "type": "ip" + }, + "original_exporter_ipv6_address": { + "type": "ip" + }, + "original_flows_completed": { + "type": "long" + 
}, + "original_flows_initiated": { + "type": "long" + }, + "original_flows_present": { + "type": "long" + }, + "original_observation_domain_id": { + "type": "long" + }, + "p2p_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_delta_count": { + "type": "long" + }, + "packet_total_count": { + "type": "long" + }, + "padding_octets": { + "type": "short" + }, + "payload_length_ipv6": { + "type": "long" + }, + "port_id": { + "type": "long" + }, + "port_range_end": { + "type": "long" + }, + "port_range_num_ports": { + "type": "long" + }, + "port_range_start": { + "type": "long" + }, + "port_range_step_size": { + "type": "long" + }, + "post_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_dot1q_customer_vlan_id": { + "type": "long" + }, + "post_dot1q_vlan_id": { + "type": "long" + }, + "post_ip_class_of_service": { + "type": "short" + }, + "post_ip_diff_serv_code_point": { + "type": "short" + }, + "post_ip_precedence": { + "type": "short" + }, + "post_layer2_octet_delta_count": { + "type": "long" + }, + "post_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_layer2_octet_delta_count": { + "type": "long" + }, + "post_mcast_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_octet_delta_count": { + "type": "long" + }, + "post_mcast_octet_total_count": { + "type": "long" + }, + "post_mcast_packet_delta_count": { + "type": "long" + }, + "post_mcast_packet_total_count": { + "type": "long" + }, + "post_mpls_top_label_exp": { + "type": "short" + }, + "post_napt_destination_transport_port": { + "type": "long" + }, + "post_napt_source_transport_port": { + "type": "long" + }, + "post_nat_destination_ipv4_address": { + "type": "ip" + }, + "post_nat_destination_ipv6_address": { + "type": "ip" + }, + "post_nat_source_ipv4_address": { + "type": "ip" + }, + "post_nat_source_ipv6_address": { + "type": "ip" + }, + "post_octet_delta_count": { + "type": "long" + }, + "post_octet_total_count": { + "type": 
"long" + }, + "post_packet_delta_count": { + "type": "long" + }, + "post_packet_total_count": { + "type": "long" + }, + "post_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_vlan_id": { + "type": "long" + }, + "private_enterprise_number": { + "type": "long" + }, + "protocol_identifier": { + "type": "short" + }, + "pseudo_wire_control_word": { + "type": "long" + }, + "pseudo_wire_destination_ipv4_address": { + "type": "ip" + }, + "pseudo_wire_id": { + "type": "long" + }, + "pseudo_wire_type": { + "type": "long" + }, + "relative_error": { + "type": "double" + }, + "responder_octets": { + "type": "long" + }, + "responder_packets": { + "type": "long" + }, + "rfc3550_jitter_microseconds": { + "type": "long" + }, + "rfc3550_jitter_milliseconds": { + "type": "long" + }, + "rfc3550_jitter_nanoseconds": { + "type": "long" + }, + "rtp_sequence_number": { + "type": "long" + }, + "sampler_id": { + "type": "short" + }, + "sampler_mode": { + "type": "short" + }, + "sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sampler_random_interval": { + "type": "long" + }, + "sampling_algorithm": { + "type": "short" + }, + "sampling_flow_interval": { + "type": "long" + }, + "sampling_flow_spacing": { + "type": "long" + }, + "sampling_interval": { + "type": "long" + }, + "sampling_packet_interval": { + "type": "long" + }, + "sampling_packet_space": { + "type": "long" + }, + "sampling_population": { + "type": "long" + }, + "sampling_probability": { + "type": "double" + }, + "sampling_size": { + "type": "long" + }, + "sampling_time_interval": { + "type": "long" + }, + "sampling_time_space": { + "type": "long" + }, + "section_exported_octets": { + "type": "long" + }, + "section_offset": { + "type": "long" + }, + "selection_sequence_id": { + "type": "long" + }, + "selector_algorithm": { + "type": "long" + }, + "selector_id": { + "type": "long" + }, + "selector_id_total_flows_observed": { + "type": "long" + }, + 
"selector_id_total_flows_selected": { + "type": "long" + }, + "selector_id_total_pkts_observed": { + "type": "long" + }, + "selector_id_total_pkts_selected": { + "type": "long" + }, + "selector_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_scope": { + "type": "short" + }, + "source_ipv4_address": { + "type": "ip" + }, + "source_ipv4_prefix": { + "type": "ip" + }, + "source_ipv4_prefix_length": { + "type": "short" + }, + "source_ipv6_address": { + "type": "ip" + }, + "source_ipv6_prefix": { + "type": "ip" + }, + "source_ipv6_prefix_length": { + "type": "short" + }, + "source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_transport_port": { + "type": "long" + }, + "source_transport_ports_limit": { + "type": "long" + }, + "src_traffic_index": { + "type": "long" + }, + "sta_ipv4_address": { + "type": "ip" + }, + "sta_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_init_time_milliseconds": { + "type": "date" + }, + "tcp_ack_total_count": { + "type": "long" + }, + "tcp_acknowledgement_number": { + "type": "long" + }, + "tcp_control_bits": { + "type": "long" + }, + "tcp_destination_port": { + "type": "long" + }, + "tcp_fin_total_count": { + "type": "long" + }, + "tcp_header_length": { + "type": "short" + }, + "tcp_options": { + "type": "long" + }, + "tcp_psh_total_count": { + "type": "long" + }, + "tcp_rst_total_count": { + "type": "long" + }, + "tcp_sequence_number": { + "type": "long" + }, + "tcp_source_port": { + "type": "long" + }, + "tcp_syn_total_count": { + "type": "long" + }, + "tcp_urg_total_count": { + "type": "long" + }, + "tcp_urgent_pointer": { + "type": "long" + }, + "tcp_window_scale": { + "type": "long" + }, + "tcp_window_size": { + "type": "long" + }, + "template_id": { + "type": "long" + }, + "total_length_ipv4": { + "type": "long" + }, + "transport_octet_delta_count": { + "type": "long" + }, + "transport_packet_delta_count": { + "type": "long" + }, + "tunnel_technology": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "udp_destination_port": { + "type": "long" + }, + "udp_message_length": { + "type": "long" + }, + "udp_source_port": { + "type": "long" + }, + "upper_ci_limit": { + "type": "double" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value_distribution_method": { + "type": "short" + }, + "virtual_station_interface_id": { + "type": "short" + }, + "virtual_station_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_uuid": { + "type": "short" + }, + "vlan_id": { + "type": "long" + }, + "vpn_identifier": { + "type": "short" + }, + "vr_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel_id": { + "type": "short" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wtp_mac_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "interface": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "nginx": { + "properties": { + "access": { + "properties": { + "geoip": { + "type": "object" + }, + "http_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_code": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "type": "object" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "connection_id": { + "type": "long" + } + } + }, + "ingress_controller": { + "properties": { + "geoip": { + "type": "object" + }, + "http": { + "properties": { + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "time": { + "type": "double" + } + } + } + } + }, + "upstream": { + "properties": { + "alternative_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "response": { + "properties": { + "length": { + "type": "long" + }, + "status_code": { + "type": "long" + }, + "time": { + "type": "double" + } + } + } + } + }, + "user_agent": { + "type": "object" + } + } + } + } + }, + "o365": { + "properties": { + "audit": { + "properties": { + "ActorContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorIpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorYammerUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertEntityId": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"AlertId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AzureActiveDirectoryEventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIPAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfoString": { + "ignore_above": 1024, + "type": "keyword" + }, + "Comments": { + "norms": false, + "type": "text" + }, + "CorrelationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CustomUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Data": { + "ignore_above": 1024, + "type": "keyword" + }, + "DataType": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventData": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExceptionInfo": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExchangeMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExtendedProperties": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExternalAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "GroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImplicitShare": { + "ignore_above": 1024, + "type": "keyword" + }, + "IncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InterSystemsId": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "InternalLogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntraSystemId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Item": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "ItemName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ItemType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListItemUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonError": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerMasterAccountSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerUPN": { + "ignore_above": 1024, + "type": "keyword" + }, + "Members": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ModifiedProperties": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginatingServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "Parameters": { + "properties": { + "*": { + "type": "object" + } + } + }, + "PolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "RecordType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResultStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "SensitiveInfoDetectionIsIncluded": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "SessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "SharePointMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "Site": { + "ignore_above": 1024, + "type": "keyword" + }, + "SiteUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Source": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileExtension": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceRelativeUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "SupportTicketId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UniqueSharingId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAgent": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "WebId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workload": { + "ignore_above": 1024, + "type": "keyword" + }, + "YammerNetworkId": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "object_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + 
"platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "okta": { + "properties": { + "actor": { + "properties": { + "alternate_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "authentication_context": { + "properties": { + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_step": { + "type": "long" + }, + "credential_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "credential_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user_agent": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "debug_context": { + "properties": { + "debug_data": { + "properties": { + "device_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "threat_suspected": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "display_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "ip_chain": { + "properties": { + "geographical_context": { + "properties": { + "city": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "geolocation": { + "type": "geo_point" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "security_context": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_proxy": { + "type": "boolean" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": 
false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "osquery": { + "properties": { + "result": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "calendar_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "unix_time": { + "type": "long" + } + } + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "panw": { + "properties": { + "panos": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"destination": { + "properties": { + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "endreason": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "nat": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pcap_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence_number": { + "type": "long" + }, + "source": { + "properties": { + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "passed": { + "type": "boolean" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid": { + "type": "long" + }, + "postgresql": { + "properties": { + "log": { + "properties": { + "core_id": { + "type": "long" + }, + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "code": { + "type": "long" + } + } + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "query_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query_step": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "probability": { + "type": "float" + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": 
"long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "program": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rabbitmq": { + "properties": { + "log": { + "properties": { + "pid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "random_val": { + "type": "float" + }, + "redis": { + "properties": { + "log": { + "properties": { + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + 
} + } + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "req": { + "properties": { + "headers": { + "properties": { + "accept": { + "ignore_above": 1024, + "type": "keyword" + }, + "accept-encoding": { + "ignore_above": 1024, + "type": "keyword" + }, + "accept-language": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection": { + "ignore_above": 1024, + "type": "keyword" + }, + "content-length": { + "ignore_above": 1024, + "type": "keyword" + }, + "content-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "elastic-apm-traceparent": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "if-none-match": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy-connection": { + "ignore_above": 1024, + "type": "keyword" + }, + "referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "traceparent": { + "ignore_above": 1024, + "type": "keyword" + }, + "transfer-encoding": { + "ignore_above": 1024, + "type": "keyword" + }, + "user-agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-forwarded-for": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-real-ip": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + 
"method": { + "ignore_above": 1024, + "type": "keyword" + }, + "remoteAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "remotePort": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "res": { + "properties": { + "headers": { + "properties": { + "allow": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache-control": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection": { + "ignore_above": 1024, + "type": "keyword" + }, + "content-length": { + "ignore_above": 1024, + "type": "keyword" + }, + "content-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "etag": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer-policy": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "transfer-encoding": { + "ignore_above": 1024, + "type": "keyword" + }, + "vary": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-content-type-options": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-download-options": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-frame-options": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-permitted-cross-domain-policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-powered-by": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-request-id": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "x-xss-protection": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "statusCode": { + "type": "long" + } + } + }, + "response": { + "ignore_above": 1024, + "type": "keyword" + }, + "responseTime": { + "type": "long" + }, + "rsa": { + "properties": { + "counters": { + "properties": { + "dclass_c1": { + "type": "long" + }, + "dclass_c1_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_c2": { + "type": "long" + }, 
+ "dclass_c2_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_c3": { + "type": "long" + }, + "dclass_c3_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r1": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r1_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r2": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r2_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r3": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r3_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_counter": { + "type": "long" + } + } + }, + "crypto": { + "properties": { + "cert_ca": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_common": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_host_cat": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_keysize": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "cipher_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "cipher_size_dst": { + "type": "long" + }, + "cipher_size_src": { + "type": "long" + }, + "cipher_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "crypto": { + "ignore_above": 1024, + "type": "keyword" + }, + "d_certauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_insact": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_valid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ike_cookie1": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike_cookie2": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "s_certauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_ver_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_ver_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "db": { + "properties": { + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "db_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "db_pid": { + "type": "long" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "ignore_above": 1024, + "type": "keyword" + }, + "lread": { + "type": "long" + }, + "lwrite": { + "type": "long" + }, + "permissions": { + "ignore_above": 1024, + "type": "keyword" + }, + "pread": { + "type": "long" + }, + "table_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "transact_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "endpoint": { + "properties": { + "host_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry_value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + 
"attachment": { + "ignore_above": 1024, + "type": "keyword" + }, + "binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_entropy": { + "type": "double" + }, + "file_vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename_tmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": { + "ignore_above": 1024, + "type": "keyword" + }, + "task_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "healthcare": { + "properties": { + "patient_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "patient_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "patient_lname": { + "ignore_above": 1024, + "type": "keyword" + }, + "patient_mname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "accesses": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "dn_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "dn_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "federated_idp": { + "ignore_above": 1024, + "type": "keyword" + }, + "federated_sp": { + "ignore_above": 1024, + "type": "keyword" + }, + "firstname": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ldap": { + "ignore_above": 1024, + "type": "keyword" + }, + "ldap_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "ldap_response": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "logon_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_type_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "middlename": { + "ignore_above": 1024, + "type": "keyword" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_dept": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_sid_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_sid_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "internal": { + "properties": { + "audit_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "cid": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "dead": { + "type": "long" + }, + "device_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_ip": { + "type": "ip" + }, + "device_ipv6": { + "type": "ip" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type_id": { + "type": "long" + }, + "did": { + "ignore_above": 1024, + "type": "keyword" + }, + "entropy_req": { + "type": "long" + }, + "entropy_res": { + "type": "long" + }, + "entry": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "feed_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "feed_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"feed_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "forward_ip": { + "type": "ip" + }, + "forward_ipv6": { + "type": "ip" + }, + "hcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "header_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "type": "long" + }, + "lc_cid": { + "ignore_above": 1024, + "type": "keyword" + }, + "lc_ctime": { + "type": "date" + }, + "level": { + "type": "long" + }, + "mcb_req": { + "type": "long" + }, + "mcb_res": { + "type": "long" + }, + "mcbc_req": { + "type": "long" + }, + "mcbc_res": { + "type": "long" + }, + "medium": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "messageid": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_vid": { + "ignore_above": 1024, + "type": "keyword" + }, + "node_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nwe_callback_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "parse_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "payload_req": { + "type": "long" + }, + "payload_res": { + "type": "long" + }, + "process_vid_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_vid_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "rid": { + "type": "long" + }, + "session_split": { + "ignore_above": 1024, + "type": "keyword" + }, + "site": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "sourcefile": { + "ignore_above": 1024, + "type": "keyword" + }, + "statement": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + }, + "ubc_req": { + "type": "long" + }, + "ubc_res": { + "type": "long" + }, + "word": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "investigations": { + "properties": { + "analysis_file": { + "ignore_above": 1024, + "type": "keyword" + }, + "analysis_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "analysis_session": { + "ignore_above": 1024, + "type": "keyword" + }, + "boc": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_theme": { + "ignore_above": 1024, + "type": "keyword" + }, + "eoc": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_cat": { + "type": "long" + }, + "event_cat_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_vcat": { + "ignore_above": 1024, + "type": "keyword" + }, + "inv_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "inv_context": { + "ignore_above": 1024, + "type": "keyword" + }, + "ioc": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "misc": { + "properties": { + "OS": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_op": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_pos": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_table": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "admin": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarm_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarmname": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "audit": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "auditdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "autorun_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "benchmark": { + "ignore_above": 1024, + "type": "keyword" + }, + "bypass": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache_hit": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc_number": { + "type": "long" + }, + "cefversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfg_attr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfg_obj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfg_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "change_attrib": { + "ignore_above": 1024, + "type": "keyword" + }, + "change_new": { + "ignore_above": 1024, + "type": "keyword" + }, + "change_old": { + "ignore_above": 1024, + "type": "keyword" + }, + "changes": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "clustermembers": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_acttimeout": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_asn_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_bgpv4nxthop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_ctr_dst_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_dst_tos": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "cn_dst_vlan": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_engine_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_engine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_f_switch": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_flowsampid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_flowsampintv": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_flowsampmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_inacttimeout": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_inpermbyts": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_inpermpckts": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_invalid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_ip_proto_ver": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_ipv4_ident": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_l_switch": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_log_did": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_log_rid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_max_ttl": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_maxpcktlen": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_min_ttl": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_minpcktlen": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_1": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_10": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_2": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_3": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_4": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_5": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_6": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_7": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_8": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_9": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mplstoplabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mplstoplabip": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mul_dst_byt": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mul_dst_pks": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_muligmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_sampalgo": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_sampint": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_seqctr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_spackets": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_src_tos": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_src_vlan": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_sysuptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_template_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_totbytsexp": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_totflowexp": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_totpcktsexp": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_unixnanosecs": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_v6flowlabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_v6optheaders": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "comments": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_rbytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_sbytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "type": "long" + }, + "cpu_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "criticality": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_agency_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_analyzedby": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_av_other": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_av_primary": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_av_secondary": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_bgpv6nxthop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_bit9status": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_context": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_datecret": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_dst_tld": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_eth_dst_ven": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_eth_src_ven": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_event_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_if_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_if_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"cs_ip_next_hop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_ipv4dstpre": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_ipv4srcpre": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_lifetime": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_log_medium": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_loginname": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_modulescore": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_modulesign": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_opswatresult": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_payload": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_registrant": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_registrar": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_represult": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_rpayload": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_sourcemodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_streams": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_targetmodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_v6nxthop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_whois_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_yararesult": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "devvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "distance": { + "ignore_above": 1024, + "type": "keyword" + }, + "doc_number": { + "type": "long" + }, + "dstburb": { + "ignore_above": 
1024, + "type": "keyword" + }, + "edomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "edomaub": { + "ignore_above": 1024, + "type": "keyword" + }, + "ein_number": { + "type": "long" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "euid": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_computer": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_log": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "expected_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "facilityname": { + "ignore_above": 1024, + "type": "keyword" + }, + "fcatnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "finterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "forensic_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "found": { + "ignore_above": 1024, + "type": "keyword" + }, + "fresult": { + "type": "long" + }, + "gaddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "hardware_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id3": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_buddyid": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "im_buddyname": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_croomid": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_croomtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_members": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_userid": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "inout": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipkt": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipscat": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipspri": { + "ignore_above": 1024, + "type": "keyword" + }, + "job_num": { + "ignore_above": 1024, + "type": "keyword" + }, + "jobname": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "latitude": { + "ignore_above": 1024, + "type": "keyword" + }, + "library": { + "ignore_above": 1024, + "type": "keyword" + }, + "lifetime": { + "type": "long" + }, + "linenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "list_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "listnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "load_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "location_floor": { + "ignore_above": 1024, + "type": "keyword" + }, + "location_mark": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_session_id1": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "logip": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "logname": { + "ignore_above": 1024, + "type": "keyword" + }, + "longitude": { + "ignore_above": 1024, + "type": "keyword" + }, + "lport": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "match": { + "ignore_above": 1024, + "type": "keyword" + }, + "mbug_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_body": { + "ignore_above": 1024, + "type": "keyword" + }, + "misc": { + "ignore_above": 1024, + "type": "keyword" + }, + "misc_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart1": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart2": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart3": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart4": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netsessid": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "ntype": { + "ignore_above": 1024, + "type": "keyword" + }, + "num": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "ignore_above": 1024, + "type": "keyword" + }, + "number1": { + "ignore_above": 1024, + "type": "keyword" + }, + "number2": { + "ignore_above": 1024, + "type": "keyword" + }, + "nwwn": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + }, + "observed_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "opkt": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_group_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_msgid1": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_msgid2": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_result1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param": { + "ignore_above": 1024, + "type": "keyword" + }, + "param_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "param_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_node": { + "ignore_above": 1024, + "type": "keyword" + }, + "password_chg": { + "ignore_above": 1024, + "type": "keyword" + }, + "password_expire": { + "ignore_above": 1024, + "type": "keyword" + }, + "payload_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "payload_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "permgranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "permwanted": { + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy": { + "ignore_above": 1024, + "type": "keyword" + }, + "policyUUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_waiver": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"pool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_id_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "prog_asp_num": { + "ignore_above": 1024, + "type": "keyword" + }, + "program": { + "ignore_above": 1024, + "type": "keyword" + }, + "real_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "rec_asp_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "rec_asp_num": { + "ignore_above": 1024, + "type": "keyword" + }, + "rec_library": { + "ignore_above": 1024, + "type": "keyword" + }, + "recordnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference_id1": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference_id2": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_num": { + "type": "double" + }, + "risk_num_comm": { + "type": "double" + }, + "risk_num_next": { + "type": "double" + }, + "risk_num_sand": { + "type": "double" + }, + "risk_num_static": { + "type": "double" + }, + "risk_suspicious": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_warning": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_template": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sburb": { + "ignore_above": 1024, + "type": "keyword" + }, + "sdomain_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "search_text": { + "ignore_above": 1024, + "type": "keyword" + }, + "sec": { + "ignore_above": 1024, + "type": "keyword" + }, + "second": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensorname": { + "ignore_above": 1024, + "type": "keyword" + }, + "seqnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "session": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sigUUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "type": "long" + }, + "sig_id1": { + "type": "long" + }, + "sig_id_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sigcat": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmp_oid": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmp_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "space": { + "ignore_above": 1024, + "type": "keyword" + }, + "space1": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "sql": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcburb": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcdom": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "status1": { + "ignore_above": 1024, + "type": "keyword" + }, + "streams": { + "type": "long" + }, + "subcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "svcno": { + "ignore_above": 1024, + "type": "keyword" + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "tbdstr1": { + "ignore_above": 1024, + "type": "keyword" + }, + "tbdstr2": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "type": "long" + }, + "terminal": { + "ignore_above": 1024, + "type": "keyword" + }, + "tgtdom": { + "ignore_above": 1024, + "type": "keyword" + }, + "tgtdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "threshold": { + "ignore_above": 1024, + "type": "keyword" + }, + "tos": { + "type": "long" + }, + "trigger_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type1": { + "ignore_above": 1024, + "type": "keyword" + }, + "udb_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_div": { + "ignore_above": 1024, + "type": "keyword" + }, + "userid": { + "ignore_above": 1024, + "type": "keyword" + }, + "username_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "utcstamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "v_instafname": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "virt_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "virusname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vm_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpnid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vsys": { + "ignore_above": 1024, + "type": "keyword" + }, + "vuln_ref": { + "ignore_above": 1024, + "type": "keyword" + }, + "workspace": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "network": { + "properties": { + "ad_computer_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "alias_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "dinterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "dmask": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_a_record": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_cname_record": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_ptr_record": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain1": { + "ignore_above": 1024, + "type": "keyword" + }, + "eth_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "eth_type": { + "type": "long" + }, + "faddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "fhost": { + "ignore_above": 1024, + "type": "keyword" + }, + "fport": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_proto": { + "type": "long" + }, + "laddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "lhost": { + "ignore_above": 1024, + "type": "keyword" + }, + "linterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "mask": { + "ignore_above": 1024, + "type": "keyword" + }, + "netname": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "network_port": { + "type": "long" + }, + "network_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "paddr": { + "type": "ip" + }, + "phost": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "protocol_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_domain_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpayload": { + "ignore_above": 1024, + "type": "keyword" + }, + "sinterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "smask": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + }, + "vlan_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "physical": { + "properties": { + "org_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "storage": { + "properties": { + "disk_volume": { + "ignore_above": 1024, + "type": "keyword" + }, + "lun": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwwn": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "time": { + "properties": { + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "datetime": { + "ignore_above": 1024, + "type": "keyword" + }, + "day": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"duration_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration_time": { + "type": "double" + }, + "effective_time": { + "type": "date" + }, + "endtime": { + "type": "date" + }, + "event_queue_time": { + "type": "date" + }, + "event_time": { + "type": "date" + }, + "event_time_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "expire_time": { + "type": "date" + }, + "expire_time_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "gmtdate": { + "ignore_above": 1024, + "type": "keyword" + }, + "gmttime": { + "ignore_above": 1024, + "type": "keyword" + }, + "hour": { + "ignore_above": 1024, + "type": "keyword" + }, + "min": { + "ignore_above": 1024, + "type": "keyword" + }, + "month": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_month": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_time1": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_time2": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_year": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "recorded_time": { + "type": "date" + }, + "stamp": { + "type": "date" + }, + "starttime": { + "type": "date" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "tzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "year": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "web": { + "properties": { + "alias_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_asn_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_rpackets": { + "ignore_above": 1024, + "type": "keyword" + }, + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_url": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "p_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_web_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_web_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_web_referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "reputation_num": { + "type": "double" + }, + "urlpage": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlroot": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_extension_tmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_page": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_page": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_root": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wireless": { + "properties": { + "access_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel": { + "type": "long" + }, + "wlan_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + 
}, + "santa": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "decision": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "properties": { + "bsdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "bus": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "volume": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sophos": { + "properties": { + "xg": { + "properties": { + "Configuration": { + "type": "float" + }, + "FTP_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "FTP_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "Mode": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "PHPSESSID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reports": { + "type": "float" + }, + "Signature": { + "type": "float" + }, + "SysLog_SERVER_NAME": { + "ignore_above": 1024, + "type": "keyword" + }, + "Temp": { + "type": "float" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activityname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_is_cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "appfilter_policy_id": { + "type": "long" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_filter_policy": { + "type": "long" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "appresolvedby": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_mechanism": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backup_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "branch_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "category_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_physical_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "clients_conn_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "collisions": { + "type": "long" + }, + "con_id": { + "type": "long" + }, + "conn_id": { + "type": "long" + }, + "connectionname": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "connectiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "connevent": { + "ignore_above": 1024, + "type": "keyword" + }, + "connid": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_match": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "destinationip": { + "type": "ip" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dictionary_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dir_disp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_ip": { + "type": "ip" + }, + "dst_port": { + "type": "long" + }, + "dstdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ep_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtime": { + "type": "date" + }, + "eventtype": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "exceptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "execution_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesize": { + "type": "long" + }, + "free": { + "type": "long" + }, + "from_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftpcommand": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_rule_id": { + "type": "long" + }, + "hb_health": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "httpresponsecode": { + "type": "long" + }, + "iap": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "idle_cpu": { + "type": "float" + }, + "idp_policy_id": { + "type": "long" + }, + "idp_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipaddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ips_policy_id": { + "type": "long" + }, + "localgateway": { + "ignore_above": 1024, + "type": "keyword" + }, + "localnetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_component": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "login_user": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "mailid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailsize": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "newversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_authorizer": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_token": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "querystring": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received_pkts": { + "type": "long" + }, + "receiveddrops": { + "type": "long" + }, + "receivederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "receivedkbits": { + "type": "long" + }, + "recv_bytes": { + "type": "long" + }, + "red_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remotenetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "responsetime": { + "type": "long" + }, + "rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "sent_bytes": { + "type": "long" + }, + "sent_pkts": { + "type": "long" + }, + "server": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sessionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1sum": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceip": { + "type": "ip" + }, + "spamaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_ip": { + "type": "ip" + }, + "src_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_port": { + "type": "long" + }, + "srczone": { + "ignore_above": 1024, + "type": "keyword" + }, + "srczonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "starttime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_cpu": { + "type": "float" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatname": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_memory": { + "type": "long" + }, + "trans_dst_ip": { + "type": "ip" + }, + "trans_dst_port": { + "type": "long" + }, + "trans_src_ ip": { + "type": "ip" + }, + "trans_src_port": { + "type": "long" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "transactionid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"transmitteddrops": { + "type": "long" + }, + "transmittederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmittedkbits": { + "type": "long" + }, + "unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "updatedip": { + "type": "ip" + }, + "upload_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "upload_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_cpu": { + "type": "float" + }, + "user_gp": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "users": { + "ignore_above": 1024, + "type": "keyword" + }, + "vconn_id": { + "type": "long" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "website": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stack": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "type": "long" + }, + "stream": { + "ignore_above": 1024, + "type": "keyword" + }, + "suricata": { + "properties": { + "eve": { + "properties": { + "alert": { + "properties": { + "action": { + "path": "event.outcome", + "type": "alias" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "rev": { + "type": "long" + }, + "severity": { + "path": "event.severity", 
+ "type": "alias" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "type": "long" + } + } + }, + "app_proto": { + "path": "network.protocol", + "type": "alias" + }, + "app_proto_expected": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_ts": { + "ignore_above": 1024, + "type": "keyword" + }, + "dest_ip": { + "path": "destination.ip", + "type": "alias" + }, + "dest_port": { + "path": "destination.port", + "type": "alias" + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "filename": { + "path": "file.path", + "type": "alias" + }, + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "path": "file.size", + "type": "alias" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flags": { + "type": "object" + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "bytes_toclient": { + "path": "destination.bytes", + "type": "alias" + }, + 
"bytes_toserver": { + "path": "source.bytes", + "type": "alias" + }, + "end": { + "type": "date" + }, + "pkts_toclient": { + "path": "destination.packets", + "type": "alias" + }, + "pkts_toserver": { + "path": "source.packets", + "type": "alias" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "path": "event.start", + "type": "alias" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "hostname": { + "path": "url.domain", + "type": "alias" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_method": { + "path": "http.request.method", + "type": "alias" + }, + "http_refer": { + "path": "http.request.referrer", + "type": "alias" + }, + "http_user_agent": { + "path": "user_agent.original", + "type": "alias" + }, + "length": { + "path": "http.response.body.bytes", + "type": "alias" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "path": "http.response.status_code", + "type": "alias" + }, + "url": { + "path": "url.original", + "type": "alias" + } + } + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "pcap_cnt": { + "type": "long" + }, + "proto": { + "path": "network.transport", + "type": "alias" + }, + "smtp": { + "properties": { + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "src_ip": { + "path": "source.ip", + "type": "alias" + }, + "src_port": { + "path": "source.port", + "type": "alias" + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { + "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": "long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": 
"long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, + "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + }, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + 
}, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" + }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + "reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + "type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "ack": { + "type": "boolean" + }, + "fin": { + "type": "boolean" + }, + "psh": { + "type": "boolean" + }, + "rst": { + "type": "boolean" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "syn": { + "type": "boolean" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_ts": { + "ignore_above": 1024, + "type": "keyword" + } + } + 
}, + "timestamp": { + "path": "@timestamp", + "type": "alias" + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ja3s": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + } + } + }, + "syscall": { + "ignore_above": 1024, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "type": "long" + }, + "facility_label": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "severity_label": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "properties": { + "auth": { + "properties": { + "groupadd": { + "type": "object" + }, + "ssh": { + "properties": { + "dropped_ip": { + "type": "ip" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "type": "object" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sudo": { + "properties": { + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": 
{ + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "useradd": { + "properties": { + "home": { + "ignore_above": 1024, + "type": "keyword" + }, + "shell": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "syslog": { + "type": "object" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "timeseries": { + "properties": { + "instance": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 
1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tracing": { + "properties": { + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "traefik": { + "properties": { + "access": { + "properties": { + "backend_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "frontend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "properties": { + "city_name": { + "path": "source.geo.city_name", + "type": "alias" + }, + "continent_name": { + "path": "source.geo.continent_name", + "type": "alias" + }, + "country_iso_code": { + "path": "source.geo.country_iso_code", + "type": "alias" + }, + "location": { + "path": "source.geo.location", + "type": "alias" + }, + "region_iso_code": { + "path": "source.geo.region_iso_code", + "type": "alias" + }, + "region_name": { + "path": "source.geo.region_name", + "type": "alias" + } + } + }, + "request_count": { + "type": "long" + }, + "user_agent": { + "properties": { + "device": { + "path": "user_agent.device.name", + "type": "alias" + }, + "name": { + "path": "user_agent.name", + "type": "alias" + }, + 
"original": { + "path": "user_agent.original", + "type": "alias" + }, + "os": { + "path": "user_agent.os.full_name", + "type": "alias" + }, + "os_name": { + "path": "user_agent.os.name", + "type": "alias" + } + } + }, + "user_identifier": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "audit": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesystem": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "terminal": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "properties": 
{ + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "v": { + "type": "long" + }, + "view": { + "type": "float" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, 
+ "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zeek": { + "properties": { + "capture_loss": { + "properties": { + "acks": { + 
"type": "long" + }, + "gaps": { + "type": "long" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent_lost": { + "type": "double" + }, + "ts_delta": { + "type": "long" + } + } + }, + "connection": { + "properties": { + "history": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "inner_vlan": { + "type": "long" + }, + "local_orig": { + "type": "boolean" + }, + "local_resp": { + "type": "boolean" + }, + "missed_bytes": { + "type": "long" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + } + } + }, + "dce_rpc": { + "properties": { + "endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "named_pipe": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "type": "long" + } + } + }, + "dhcp": { + "properties": { + "address": { + "properties": { + "assigned": { + "type": "ip" + }, + "client": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "requested": { + "type": "ip" + }, + "server": { + "type": "ip" + } + } + }, + "client_fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "properties": { + "circuit": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscriber": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lease_time": { + "type": "long" + }, + "msg": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "type": "ip" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"types": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dnp3": { + "properties": { + "function": { + "properties": { + "reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "AA": { + "type": "boolean" + }, + "RA": { + "type": "boolean" + }, + "RD": { + "type": "boolean" + }, + "TC": { + "type": "boolean" + }, + "TTLs": { + "type": "double" + }, + "answers": { + "ignore_above": 1024, + "type": "keyword" + }, + "qclass": { + "type": "long" + }, + "qclass_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtype": { + "type": "long" + }, + "qtype_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcode": { + "type": "long" + }, + "rcode_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejected": { + "type": "boolean" + }, + "rtt": { + "type": "double" + }, + "saw_query": { + "type": "boolean" + }, + "saw_reply": { + "type": "boolean" + }, + "total_answers": { + "type": "long" + }, + "total_replies": { + "type": "long" + }, + "trans_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dpd": { + "properties": { + "analyzer": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_segment": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "files": { + "properties": { + "analyzers": { + "ignore_above": 1024, + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "type": "double" + }, + "entropy": { + "type": "double" + }, + "extracted": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_cutoff": { + "type": 
"boolean" + }, + "extracted_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "local_orig": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rx_host": { + "type": "ip" + }, + "seen_bytes": { + "type": "long" + }, + "session_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "timedout": { + "type": "boolean" + }, + "total_bytes": { + "type": "long" + }, + "tx_host": { + "type": "ip" + } + } + }, + "ftp": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "capture_password": { + "type": "boolean" + }, + "cmdarg": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "type": "long" + } + } + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_channel": { + "properties": { + "originating_host": { + "type": "ip" + }, + "passive": { + "type": "boolean" + }, + "response_host": { + "type": "ip" + }, + "response_port": { + "type": "long" + } + } + }, + "file": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "last_auth_requested": { + "ignore_above": 1024, + "type": "keyword" + }, + "passive": { + "type": "boolean" + }, + 
"password": { + "ignore_above": 1024, + "type": "keyword" + }, + "pending_commands": { + "type": "long" + }, + "reply": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http": { + "properties": { + "captured_password": { + "type": "boolean" + }, + "client_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "info_code": { + "type": "long" + }, + "info_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_mime_depth": { + "type": "long" + }, + "orig_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxied": { + "ignore_above": 1024, + "type": "keyword" + }, + "range_request": { + "type": "boolean" + }, + "resp_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_mime_depth": { + "type": "long" + }, + "resp_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_depth": { + "type": "long" + } + } + }, + "intel": { + "properties": { + "file_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen": { + "properties": { + "conn": { + "ignore_above": 1024, + "type": "keyword" + }, + "f": { + "type": "object" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "where": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sources": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "irc": { + "properties": { + "addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "dcc": { + "properties": { + "file": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "nick": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kerberos": { + "properties": { + "cert": { + "properties": { + "client": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "forwardable": { + "type": "boolean" + }, + "renewable": { + "type": "boolean" + }, + "request_type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + }, + "ticket": { + "properties": { + "auth": { + "ignore_above": 1024, + "type": "keyword" + }, + "new": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "days": { + "type": "long" + }, + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + } + } + }, + "modbus": { + "properties": { + "exception": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "track_address": { + "type": "long" + } + } + }, + "mysql": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "notice": { + "properties": { + "actions": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped": { + "type": "boolean" + }, + "email_body_sections": { + "norms": false, + "type": "text" + }, + "email_delay_tokens": { + "ignore_above": 1024, + "type": "keyword" + }, + "false": { + "type": "long" + }, + "ffile": { + "properties": { + "total_bytes": { + "type": "long" + } + } + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen_bytes": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_descr": { + "norms": false, + "type": "text" + }, + "peer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppress_for": { + "type": "double" + } + } + }, + "ntlm": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "properties": { + "name": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "netbios": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "success": { + "type": "boolean" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ocsp": { + "properties": { + "file_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "revoke": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "update": { + "properties": { + "next": { + "type": "date" + }, + "this": { + "type": "date" + } + } + } + } + }, + "pe": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_time": { + "type": "date" + }, + "has_cert_table": { + "type": "boolean" + }, + "has_debug_data": { + "type": "boolean" + }, + "has_export_table": { + "type": "boolean" + 
}, + "has_import_table": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_64bit": { + "type": "boolean" + }, + "is_exe": { + "type": "boolean" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "section_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "uses_aslr": { + "type": "boolean" + }, + "uses_code_integrity": { + "type": "boolean" + }, + "uses_dep": { + "type": "boolean" + }, + "uses_seh": { + "type": "boolean" + } + } + }, + "radius": { + "properties": { + "connect_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "framed_addr": { + "type": "ip" + }, + "logged": { + "type": "boolean" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "reply_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rdp": { + "properties": { + "cert": { + "properties": { + "count": { + "type": "long" + }, + "permanent": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "desktop": { + "properties": { + "color_depth": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "width": { + "type": "long" + } + } + }, + "done": { + "type": "boolean" + }, + "encryption": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "keyboard_layout": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl": { + "type": "boolean" + } + } + }, + "rfb": { + "properties": { + "auth": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + } + } + }, + "desktop_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "share_flag": { + "type": "boolean" + }, + "version": { + "properties": { + "client": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "width": { + "type": "long" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip": { + "properties": { + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "warning": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_cmd": { + "properties": { + "argument": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "rx": { + "type": "ip" + }, + "tx": { + "type": "ip" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rtt": { + "type": "double" + }, + "smb1_offered_dialects": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb2_offered_dialects": { + "type": "long" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_command": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_files": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "fid": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "times": { + "properties": { + "accessed": { + "type": "date" + }, + 
"changed": { + "type": "date" + }, + "created": { + "type": "date" + }, + "modified": { + "type": "date" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_mapping": { + "properties": { + "native_file_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "share_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smtp": { + "properties": { + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "first_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "has_client_activity": { + "type": "boolean" + }, + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_webmail": { + "type": "boolean" + }, + "last_reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "ip" + }, + "process_received_from": { + "type": "boolean" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls": { + "type": "boolean" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "x_originating_ip": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "snmp": { + "properties": { + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_string": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "get": { + "properties": { + "bulk_requests": { + "type": "long" + }, + "requests": { + "type": "long" + }, + "responses": { + "type": "long" + } + } + }, + "set": { + "properties": { + "requests": { + "type": "long" + } + } + }, + "up_since": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "socks": { + "properties": { + "bound": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "capture_password": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssh": { + "properties": { + "algorithm": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "compression": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "key_exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auth": { + "properties": { + "attempts": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "last_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + 
"common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "validation": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stats": { + "properties": { + "bytes": { + "properties": { + "received": { + "type": "long" + } + } + }, + "connections": { + "properties": { + "icmp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "udp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + } + } + }, + "dns_requests": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "events": { + "properties": { + "processed": { + "type": "long" + }, + "queued": { + "type": "long" + } + } + }, + "files": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "memory": { + "type": "long" + }, + "packets": { + "properties": { + "dropped": { + "type": "long" + }, + "processed": { + "type": "long" + }, + "received": { + "type": "long" + } + } + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "reassembly_size": { + "properties": { + "file": { + "type": "long" + }, + "frag": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "unknown": { + "type": "long" + } + } + }, + "timers": { + "properties": { + "active": { + "type": "long" + }, + "count": { + 
"type": "long" + } + } + }, + "timestamp_lag": { + "type": "long" + } + } + }, + "syslog": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tunnel": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "weird": { + "properties": { + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice": { + "type": "boolean" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "basic_constraints": { + "properties": { + "certificate_authority": { + "type": "boolean" + }, + "path_length": { + "type": "long" + } + } + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "exponent": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "key": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": 
"keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "valid": {
+ "properties": {
+ "from": {
+ "type": "date"
+ },
+ "until": {
+ "type": "date"
+ }
+ }
+ },
+ "version": {
+ "type": "long"
+ }
+ }
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_cert": {
+ "type": "boolean"
+ },
+ "san": {
+ "properties": {
+ "dns": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "other_fields": {
+ "type": "boolean"
+ },
+ "uri": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": "10000"
+ }
+ },
+ "number_of_replicas": "0",
+ "number_of_shards": "1"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/x-pack/test/saved_object_tagging/api_integration/tagging_api/apis/usage_collection.ts b/x-pack/test/saved_object_tagging/api_integration/tagging_api/apis/usage_collection.ts
index b6ec4aa8dcfa5..03494edccd648 100644
--- a/x-pack/test/saved_object_tagging/api_integration/tagging_api/apis/usage_collection.ts
+++ b/x-pack/test/saved_object_tagging/api_integration/tagging_api/apis/usage_collection.ts
@@ -40,11 +40,11 @@ export default function ({ getService }: FtrProviderContext) {
 * - vis-3: ref to tag-3
 */
 it('collects the expected data', async () => {
- const telemetryStats = (await usageAPI.getTelemetryStats({
+ const [{ stats: telemetryStats }] = (await usageAPI.getTelemetryStats({
 unencrypted: true,
 })) as any;
- const taggingStats = telemetryStats[0].stack_stats.kibana.plugins.saved_objects_tagging;
+ const taggingStats = telemetryStats.stack_stats.kibana.plugins.saved_objects_tagging;
 expect(taggingStats).to.eql({
 usedTags: 4,
 taggedObjects: 5,