diff --git a/x-pack/plugins/rule_registry/common/field_map/es_field_type_map.ts b/x-pack/plugins/rule_registry/common/field_map/es_field_type_map.ts
index df41a020d274b..4abd060391ac5 100644
--- a/x-pack/plugins/rule_registry/common/field_map/es_field_type_map.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/es_field_type_map.ts
@@ -19,5 +19,6 @@ export const esFieldTypeMap = {
   float: t.number,
   scaled_float: t.number,
   unsigned_long: t.number,
+  nested: t.boolean,
   flattened: t.record(t.string, t.array(t.string)),
 };
diff --git a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
index 039424d34bfa1..dc5b4e276323a 100644
--- a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
@@ -22,6 +22,7 @@ const esFieldTypeMap = {
   float: t.number,
   scaled_float: t.number,
   unsigned_long: t.number,
+  nested: t.boolean,
   flattened: t.record(t.string, t.array(t.string)),
 };
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/assets/cti_field_map.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/assets/cti_field_map.ts
new file mode 100644
index 0000000000000..daf54e4f7cf5c
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/assets/cti_field_map.ts
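Review bot: `nested: t.boolean` gives an Elasticsearch `nested` field a boolean runtime codec, but a nested field holds an object or an array of objects, so a runtime type derived from a field map that declares `threat.indicator` as 'nested' would reject or mis-validate real documents; the same line is added to the second copy of esFieldTypeMap in the runtime_type_from_fieldmap.ts hunk. If the entry only needs to exist so that field maps containing 'nested' are accepted, an object-shaped codec such as `nested: t.record(t.string, t.unknown),` — or a comment stating that the value is a placeholder with no runtime meaning — would make the intent clear. Keeping two identical copies of esFieldTypeMap means every addition has to be made twice, as this commit does; runtime_type_from_fieldmap.ts could import the map from es_field_type_map.ts instead.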
@@ -0,0 +1,154 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const ctiFieldMap = {
+  'threat.indicator': {
+    type: 'nested',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.as.number': {
+    type: 'long',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.as.organization.name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.confidence': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.dataset': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.description': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.domain': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.email.address': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.first_seen': {
+    type: 'date',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.city_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.continent_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.country_iso_code': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.country_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.location': {
+    type: 'geo_point',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.region_iso_code': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.geo.region_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.ip': {
+    type: 'ip',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.last_seen': {
+    type: 'date',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.marking.tlp': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.matched.atomic': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.matched.field': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.matched.type': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.module': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.port': {
+    type: 'long',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.provider': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.scanner_stats': {
+    type: 'long',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.sightings': {
+    type: 'long',
+    array: false,
+    required: false,
+  },
+  'threat.indicator.type': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/assets/security_component_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/assets/security_component_template.ts
new file mode 100644
index 0000000000000..f78c641412d3d
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/assets/security_component_template.ts
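Review bot: `'threat.indicator'` is declared `type: 'nested'` with `array: false`, but a nested mapping exists to hold an array of objects that are queried independently; if an alert can carry more than one indicator, `array: true` is the accurate declaration, and whether mappingFromFieldMap places the `threat.indicator.*` children inside the nested parent rather than beside it is worth confirming, since that helper is not visible here. The file also has no comment saying what the map is for; a short header such as `// Field map for ECS threat.indicator fields written to alert documents; merged into securityComponentTemplate.` would help the next maintainer. Typing the literal against the field-map type that mappingFromFieldMap accepts, rather than leaving it as an untyped object, would catch a misspelled `type` value at compile time instead of when the component template is installed.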
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { merge } from 'lodash';
+import { ClusterPutComponentTemplateBody } from '../../../../../rule_registry/common/types';
+import { mappingFromFieldMap } from '../../../../../rule_registry/common/mapping_from_field_map';
+import { ctiFieldMap } from './cti_field_map';
+import { securityFieldMap } from './security_field_map';
+
+export const securityComponentTemplate: ClusterPutComponentTemplateBody = {
+  template: {
+    settings: {
+      number_of_shards: 1,
+    },
+    mappings: merge({}, mappingFromFieldMap(ctiFieldMap), mappingFromFieldMap(securityFieldMap)),
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/assets/security_field_map.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/assets/security_field_map.ts
new file mode 100644
index 0000000000000..7c1a6c7bc2e87
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/assets/security_field_map.ts
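Review bot: `merge({}, mappingFromFieldMap(ctiFieldMap), mappingFromFieldMap(securityFieldMap))` deep-merges the two generated mappings, so on any path both maps define the securityFieldMap definition silently wins and lodash merges array values element by element; the two maps are disjoint today, but nothing checks that. A one-line comment, `// lodash merge: securityFieldMap wins on overlapping paths; the two maps are expected to be disjoint`, or an assertion on overlapping keys, would make the precedence explicit. Nothing in this file sets `dynamic` on the mappings; if mappingFromFieldMap does not set it either, an explicit `dynamic: false` or `'strict'` would keep unlisted fields from source events from expanding the alert index mapping — worth confirming against that helper. `number_of_shards: 1` is hard-coded without explanation; a comment on why a single shard is appropriate for this index would help.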
@@ -0,0 +1,184 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const securityFieldMap = {
+  'as.number': {
+    type: 'long',
+    array: false,
+    required: false,
+  },
+  'as.organization.name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'code_signature.exists': {
+    type: 'boolean',
+    array: false,
+    required: false,
+  },
+  'code_signature.status': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'code_signature.subject_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'code_signature.trusted': {
+    type: 'boolean',
+    array: false,
+    required: false,
+  },
+  'code_signature.valid': {
+    type: 'boolean',
+    array: false,
+    required: false,
+  },
+  'geo.city_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'geo.continent_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'geo.country_iso_code': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'geo.country_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'geo.location': {
+    type: 'geo_point',
+    array: false,
+    required: false,
+  },
+  'geo.name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'geo.region_iso_code': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'geo.region_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'hash.md5': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'hash.sha1': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'hash.sha256': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'hash.sha512': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'interface.alias': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'interface.id': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'interface.name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'os.family': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'os.full': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'os.kernel': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'os.name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'os.platform': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'os.version': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'pe.company': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'pe.description': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'pe.file_version': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'pe.original_file_name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'pe.product': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'vlan.id': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'vlan.name': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index 4bcbcb71d048c..9afc9f8ebba7e 100644
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@@ -92,6 +92,7 @@ import { licenseService } from './lib/license';
 import { PolicyWatcher } from './endpoint/lib/policy/license_watch';
 import { parseExperimentalConfigValue } from '../common/experimental_features';
 import { migrateArtifactsToFleet } from './endpoint/lib/artifacts/migrate_artifacts_to_fleet';
+import { securityComponentTemplate } from './lib/detection_engine/assets/security_component_template';
 
 export interface SetupPlugins {
   alerting: AlertingSetup;
@@ -229,14 +230,7 @@ export class Plugin implements IPlugin
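Review bot: the keys in this map — `as.*`, `code_signature.*`, `geo.*`, `hash.*`, `interface.*`, `os.*`, `pe.*`, `vlan.*` — are, as I understand ECS, reusable field sets that ECS nests under parents such as `host.`, `file.`, `process.`, `source.`/`destination.` and `observer.` rather than at the document root; mapped at the root as written, a `host.os.name` or `file.hash.sha256` in an alert document would not be covered by any of these entries. If the intent is to reuse the sets under several parents, a small helper that prefixes them per parent would express that; if root-level mapping is deliberate, a file-level comment should say why. Either way the file has no header comment describing its role; `// Field map for security alert documents, merged with ctiFieldMap into securityComponentTemplate.` would do. The plugin.ts hunk on this line only adds the `securityComponentTemplate` import; the code that uses it is in the hunk cut off at the end of this page, so its installation path could not be reviewed here.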