From bf359e6e2d6c434cd7888c970d3bd565af2bc0e9 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Mon, 28 Mar 2022 09:24:08 -0700 Subject: [PATCH 01/31] - --- .../body/renderers/auditd/generic_details.tsx | 1 + .../timeline/factory/events/all/index.ts | 1 - .../events/all/query.events_all.dsl.test.ts | 77 +++++++++++++++++++ .../events/all/query.events_all.dsl.ts | 18 ++--- .../timeline/factory/events/details/index.ts | 16 ++-- .../details/query.events_details.dsl.test.ts | 2 +- .../details/query.events_details.dsl.ts | 2 +- .../factory/events/last_event_time/index.ts | 7 +- .../query.events_last_event_time.dsl.test.ts | 64 +++++++++++++++ .../query.events_last_event_time.dsl.ts | 12 ++- .../factory/helpers/build_ecs_objects.ts | 5 +- ...test.ts => build_object_recursive.test.ts} | 22 +++--- ...ield_path.ts => build_object_recursive.ts} | 15 +--- .../factory/helpers/format_timeline_data.ts | 12 +-- .../timeline/factory/helpers/get_timestamp.ts | 2 - 15 files changed, 188 insertions(+), 68 deletions(-) create mode 100644 x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts create mode 100644 x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts rename x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/{build_object_for_field_path.test.ts => build_object_recursive.test.ts} (82%) rename x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/{build_object_for_field_path.ts => build_object_recursive.ts} (65%) diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx index c4e0915810970..a24e2b3a77e0c 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx 
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx @@ -139,6 +139,7 @@ export const AuditdGenericDetails = React.memo( const primary: string | null | undefined = get('auditd.summary.actor.primary[0]', data); const secondary: string | null | undefined = get('auditd.summary.actor.secondary[0]', data); const args: string[] | null | undefined = get('process.args', data); + console.log(session); if (data.process != null) { return (
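Review bot: The added `console.log(session);` in AuditdGenericDetails reads like leftover debugging: it runs on every render and writes event data to the browser console, and in the visible lines `session` (defined above the hunk) is not used for anything else. Drop the line; if the value is genuinely needed for diagnostics, route it through the plugin's logger rather than a bare console call in a shipped component. The component body continues outside the hunk.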
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/index.ts index 3cec04f52b671..0afb840fbc582 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/index.ts @@ -37,7 +37,6 @@ export const timelineEventsAll: TimelineFactory = { ): Promise => { // eslint-disable-next-line prefer-const let { fieldRequested, ...queryOptions } = cloneDeep(options); - queryOptions.fields = buildFieldsRequest(fieldRequested, queryOptions.excludeEcsData); const { activePage, querySize } = options.pagination; const producerBuckets = getOr([], 'aggregations.producers.buckets', response.rawResponse); const totalCount = response.rawResponse.hits.total || 0; diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts new file mode 100644 index 0000000000000..4e451a4dc4cd7 --- /dev/null +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts 
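Review bot: With the `queryOptions.fields = buildFieldsRequest(...)` assignment removed, `fieldRequested` is still destructured out of `options` but unused in the visible lines, and the `let` plus `// eslint-disable-next-line prefer-const` existed only to permit that assignment; if nothing further down reads `fieldRequested`, replace the two lines with `const queryOptions = cloneDeep(options);` and drop the now-unused `buildFieldsRequest` import above the hunk. More importantly, `queryOptions.fields` is now whatever the caller passed, while the same patch switches buildTimelineEventsAllQuery to `_source: false`, so a caller that leaves `fields` empty gets hits with no field values at all; confirm every caller of this strategy now builds its own fields request. The parse body of timelineEventsAll continues outside the hunk.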
@@ -0,0 +1,77 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + Direction, +} from '../../../../../../common/search_strategy'; +import { buildTimelineEventsAllQuery } from './query.events_all.dsl'; + +describe('buildTimelineEventsAllQuery', () => { + it('should return ip details query if index key is ipDetails', () => { + const defaultIndex = ['.siem-signals-default']; + const docValueFields = [ + { field: '@timestamp' }, + { field: 'agent.ephemeral_id' }, + { field: 'agent.id' }, + { field: 'agent.name' }, + ]; + + const query = buildTimelineEventsAllQuery({ + fields: [], defaultIndex, docValueFields, filterQuery: '', language: 'eql', pagination: { + activePage: 0, + querySize: 100, + }, runtimeMappings: {}, sort: [{ + direction: Direction.asc, + field: '@timestamp', + type: 'datetime' + }], timerange: { + from: '', + interval: '5m', + to: '', + } + }); + expect(query).toMatchInlineSnapshot(` + Object { + "allow_no_indices": true, + "body": Object { + "_source": true, + "docvalue_fields": Array [ + Object { + "field": "@timestamp", + }, + Object { + "field": "agent.ephemeral_id", + }, + Object { + "field": "agent.id", + }, + Object { + "field": "agent.name", + }, + ], + "fields": Array [ + Object { + "field": "*", + "include_unmapped": true, + }, + ], + "query": Object { + "terms": Object { + "_id": Array [ + "f0a936d50b5b3a5a193d415459c14587fe633f7e519df7b5dc151d56142680e3", + ], + }, + }, + "runtime_mappings": Object {}, + }, + "ignore_unavailable": true, + "index": ".siem-signals-default", + "size": 1, + } + `); + }); +}); 
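Review bot: The inline snapshot in this new test cannot be produced by the inputs it passes: the call uses `language: 'eql'`, a pagination object and a sort, yet the expected object is a `terms._id` lookup with `size: 1` and `_source: true`, which is the shape of the details query, and the `it` title ('ip details query if index key is ipDetails') is copied from another suite. The new query.events_last_event_time.dsl.test.ts in this same patch carries the identical copied snapshot (its diff header is garbled in this rendering), and there too the expected body keeps `_source: true` although the dsl now emits `_source: false` and `fields: ['@timestamp']`. Regenerate both snapshots against the real output and give each `it` a title naming the query under test; as written both would fail on first run. The multi-line `import { Direction }` should also be collapsed to one line to match the surrounding files.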
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts index 53009e797e82f..236628220f4bf 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts @@ -35,16 +35,16 @@ export const buildTimelineEventsAllQuery = ({ const { to, from } = timerangeOption; return !isEmpty(to) && !isEmpty(from) ? [ - { - range: { - '@timestamp': { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, + { + range: { + '@timestamp': { + gte: from, + lte: to, + format: 'strict_date_optional_time', }, }, - ] + }, + ] : []; } return []; @@ -86,7 +86,7 @@ export const buildTimelineEventsAllQuery = ({ track_total_hits: true, sort: getSortField(sort), fields, - _source: ['signal.*', 'kibana.alert.*'], + _source: false, }, }; diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts index e0fe70af27c25..7eee054ca2718 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { cloneDeep, merge, unionBy } from 'lodash/fp'; +import { cloneDeep, merge } from 'lodash/fp'; import type { IEsSearchResponse } from '@kbn/data-plugin/common'; import { 
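Review bot: Replacing `_source: ['signal.*', 'kibana.alert.*']` with `_source: false` makes the response depend entirely on the `fields` request, which this patch stops building in events/all/index.ts; anything previously read from `_source` for alert documents must now be covered by the fields list, and any value the `fields` API does not return (presumably values the mapping ignored at index time, verify against the cluster version in use) is silently gone rather than falling back to source. The first hunk in this file only re-indents the range filter. buildTimelineEventsAllQuery's body extends outside both hunks.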
@@ -14,14 +14,12 @@ import { TimelineEventsDetailsStrategyResponse, TimelineEventsDetailsRequestOptions, TimelineEventsDetailsItem, - EventSource, } from '../../../../../../common/search_strategy'; import { inspectStringifyObject } from '../../../../../utils/build_query'; import { TimelineFactory } from '../../types'; import { buildTimelineDetailsQuery } from './query.events_details.dsl'; import { getDataFromFieldsHits, - getDataFromSourceHits, getDataSafety, } from '../../../../../../common/utils/field_formatters'; import { buildEcsObjects } from '../../helpers/build_ecs_objects'; @@ -42,7 +40,8 @@ export const timelineEventsDetails: TimelineFactory ): Promise => { const { indexName, eventId, docValueFields = [], runtimeMappings = {} } = options; - const { _source, fields, ...hitsData } = cloneDeep(response.rawResponse.hits.hits[0] ?? {}); + const { fields, ...hitsData } = cloneDeep(response.rawResponse.hits.hits[0] ?? {}); + const inspect = { dsl: [ inspectStringifyObject( @@ -57,23 +56,18 @@ export const timelineEventsDetails: TimelineFactory( - getDataFromSourceHits, - // @ts-expect-error @elastic/elasticsearch _source is optional - _source - ); + const fieldsData = await getDataSafety( getDataFromFieldsHits, merge(fields, hitsData) ); - const data = unionBy('field', fieldsData, sourceData); const rawEventData = response.rawResponse.hits.hits[0]; const ecs = buildEcsObjects(rawEventData as EventHit); return { ...response, - data, + data: fieldsData, ecs, inspect, rawEventData, diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts index f34b54f3029a5..fa9376d2c61ba 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts 
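Review bot: `_source` is no longer peeled off the hit in `const { fields, ...hitsData } = cloneDeep(...)`, so if a hit still carries a `_source` object (the details query now asks for `_source: false`, but mocks later in this series still include `_source: {}`) it lands inside `hitsData` and is fed to getDataFromFieldsHits through `merge(fields, hitsData)` as though it were a field. Keep `_source` in the destructure and discard it, e.g. `const { fields, _source, ...hitsData } = cloneDeep(response.rawResponse.hits.hits[0] ?? {});`, or strip it before the merge. On the context lines, `rawEventData` is read from `hits.hits[0]` without the `?? {}` guard used two lines earlier, so `buildEcsObjects(rawEventData as EventHit)` can receive `undefined` on an empty result; pre-existing, but worth tightening while the block is being reshaped. The strategy's parse body starts before the first hunk.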
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts @@ -29,7 +29,7 @@ describe('buildTimelineDetailsQuery', () => { Object { "allow_no_indices": true, "body": Object { - "_source": true, + "_source": false, "docvalue_fields": Array [ Object { "field": "@timestamp", diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts index 5baa471e5c526..ab19df737e233 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts @@ -50,7 +50,7 @@ export const buildTimelineDetailsQuery = ({ fields: [{ field: '*', include_unmapped: true }], // Remove and instead pass index_pattern.id once issue resolved: https://github.com/elastic/kibana/issues/111762 runtime_mappings: runtimeMappings, - _source: true, + _source: false, }, size: 1, }; diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/index.ts index b83441900a41a..a6425737d6de0 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/index.ts 
@@ -28,15 +28,14 @@ export const timelineEventsLastEventTime: TimelineFactory { + it('should return ip details query if index key is ipDetails', () => { + const defaultIndex = ['.siem-signals-default']; + const docValueFields = [ + { field: '@timestamp' }, + { field: 'agent.ephemeral_id' }, + { field: 'agent.id' }, + { field: 'agent.name' }, + ]; + + const query = buildLastEventTimeQuery({ indexKey: LastEventIndexKey.ipDetails, details: { ip: '12345567'}, defaultIndex, docValueFields}); + expect(query).toMatchInlineSnapshot(` + Object { + "allow_no_indices": true, + "body": Object { + "_source": true, + "docvalue_fields": Array [ + Object { + "field": "@timestamp", + }, + Object { + "field": "agent.ephemeral_id", + }, + Object { + "field": "agent.id", + }, + Object { + "field": "agent.name", + }, + ], + "fields": Array [ + Object { + "field": "*", + "include_unmapped": true, + }, + ], + "query": Object { + "terms": Object { + "_id": Array [ + "f0a936d50b5b3a5a193d415459c14587fe633f7e519df7b5dc151d56142680e3", + ], + }, + }, + "runtime_mappings": Object {}, + }, + "ignore_unavailable": true, + "index": ".siem-signals-default", + "size": 1, + } + `); + }); +}); diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts index 4f50ef11ff4f8..880914fcd6c84 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts 
@@ -46,7 +46,8 @@ export const buildLastEventTimeQuery = ({ body: { ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), query: { bool: { filter: { bool: { should: getIpDetailsFilter(details.ip) } } } }, - _source: ['@timestamp'], + _source: false, + fields: ['@timestamp'], size: 1, sort: [ { @@ -69,7 +70,8 @@ export const buildLastEventTimeQuery = ({ body: { ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), query: { bool: { filter: getHostDetailsFilter(details.hostName) } }, - _source: ['@timestamp'], + _source: false, + fields: ['@timestamp'], size: 1, sort: [ { @@ -92,7 +94,8 @@ export const buildLastEventTimeQuery = ({ body: { ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), query: { bool: { filter: getUserDetailsFilter(details.userName) } }, - _source: ['@timestamp'], + _source: false, + fields: ['@timestamp'], size: 1, sort: [ { @@ -116,7 +119,8 @@ export const buildLastEventTimeQuery = ({ body: { ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), query: { match_all: {} }, - _source: ['@timestamp'], + _source: false, + fields: ['@timestamp'], size: 1, sort: [ { diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_ecs_objects.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_ecs_objects.ts index 866a52ca41e12..621fa656cb406 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_ecs_objects.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_ecs_objects.ts 
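Review bot: All four branches now repeat the identical `_source: false,` / `fields: ['@timestamp'],` / `size: 1,` / `sort: [...]` block; hoisting those keys into one shared body object spread into each branch would stop them drifting the way the `_source` line just had to be edited in four places. The consumer in last_event_time/index.ts must now read `hits[0].fields['@timestamp'][0]` instead of `_source['@timestamp']`; that hunk is garbled in this rendering, so confirm it was updated. buildLastEventTimeQuery's body extends outside these hunks.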
@@ -10,7 +10,7 @@ import { EventHit } from '../../../../../common/search_strategy'; import { ECS_METADATA_FIELDS, TIMELINE_EVENTS_FIELDS } from './constants'; import { Ecs } from '../../../../../common/ecs'; import { getTimestamp } from './get_timestamp'; -import { buildObjectForFieldPath } from './build_object_for_field_path'; +import { buildObjectRecursive } from './build_object_recursive'; import { getNestedParentPath } from './get_nested_parent_path'; export const buildEcsObjects = (hit: EventHit): Ecs => { @@ -20,11 +20,10 @@ export const buildEcsObjects = (hit: EventHit): Ecs => { const nestedParentPath = getNestedParentPath(field, hit.fields); if ( nestedParentPath != null || - has(field, hit._source) || has(field, hit.fields) || ECS_METADATA_FIELDS.includes(field) ) { - return merge(acc, buildObjectForFieldPath(field, hit)); + return merge(acc, buildObjectRecursive(field, hit.fields)); } return acc; }, diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_for_field_path.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.test.ts similarity index 82% rename from x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_for_field_path.test.ts rename to x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.test.ts index f7e4c1bfbaaf6..3d05a42f527b4 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_for_field_path.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.test.ts 
@@ -7,11 +7,11 @@ import { eventHit } from '@kbn/securitysolution-t-grid'; import { EventHit } from '../../../../../common/search_strategy'; -import { buildObjectForFieldPath } from './build_object_for_field_path'; +import { buildObjectRecursive } from './build_object_recursive'; -describe('buildObjectForFieldPath', () => { +describe('buildObjectRecursive', () => { it('builds an object from a single non-nested field', () => { - expect(buildObjectForFieldPath('@timestamp', eventHit)).toEqual({ + expect(buildObjectRecursive('@timestamp', eventHit.fields)).toEqual({ '@timestamp': ['2020-11-17T14:48:08.922Z'], }); }); @@ -19,7 +19,7 @@ describe('buildObjectForFieldPath', () => { it('builds an object with no fields response', () => { const { fields, ...fieldLessHit } = eventHit; // @ts-expect-error fieldLessHit is intentionally missing fields - expect(buildObjectForFieldPath('@timestamp', fieldLessHit)).toEqual({ + expect(buildObjectRecursive('@timestamp', fieldLessHit)).toEqual({ '@timestamp': [], }); }); @@ -33,7 +33,7 @@ describe('buildObjectForFieldPath', () => { }, }; - expect(buildObjectForFieldPath('foo.barBaz', hit)).toEqual({ + expect(buildObjectRecursive('foo.barBaz', hit.fields)).toEqual({ foo: { barBaz: ['foo'] }, }); }); @@ -45,7 +45,7 @@ describe('buildObjectForFieldPath', () => { foo: [{ bar: ['baz'] }], }, }; - expect(buildObjectForFieldPath('foo.bar', hit)).toEqual({ + expect(buildObjectRecursive('foo.bar', hit.fields)).toEqual({ foo: [{ bar: ['baz'] }], }); }); @@ -61,7 +61,7 @@ describe('buildObjectForFieldPath', () => { ], }, }; - expect(buildObjectForFieldPath('foo.bar.baz', nestedHit)).toEqual({ + expect(buildObjectRecursive('foo.bar.baz', nestedHit.fields)).toEqual({ foo: { bar: [ { 
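Review bot: In the 'builds an object with no fields response' case the whole `fieldLessHit` object is passed where buildObjectRecursive now expects `fields`, so the test exercises a hit-shaped map that merely lacks an `@timestamp` key rather than a missing fields response, and the `@ts-expect-error` only hides the resulting type mismatch. Pass the absent value instead, `expect(buildObjectRecursive('@timestamp', undefined)).toEqual({ '@timestamp': [] });`, keep the expect-error only if `Fields` does not admit `undefined`, and reword its comment to say fields is intentionally undefined. The remaining hunks in this file are plain renames.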
@@ -73,7 +73,7 @@ describe('buildObjectForFieldPath', () => { }); it('builds intermediate objects at multiple levels', () => { - expect(buildObjectForFieldPath('threat.enrichments.matched.atomic', eventHit)).toEqual({ + expect(buildObjectRecursive('threat.enrichments.matched.atomic', eventHit.fields)).toEqual({ threat: { enrichments: [ { @@ -92,7 +92,7 @@ describe('buildObjectForFieldPath', () => { }); it('preserves multiple values for a single leaf', () => { - expect(buildObjectForFieldPath('threat.enrichments.matched.field', eventHit)).toEqual({ + expect(buildObjectRecursive('threat.enrichments.matched.field', eventHit.fields)).toEqual({ threat: { enrichments: [ { @@ -136,7 +136,7 @@ describe('buildObjectForFieldPath', () => { }); it('includes objects without the field', () => { - expect(buildObjectForFieldPath('nested_1.foo.nested_2.bar.leaf', nestedHit)).toEqual({ + expect(buildObjectRecursive('nested_1.foo.nested_2.bar.leaf', nestedHit.fields)).toEqual({ nested_1: { foo: [ { @@ -155,7 +155,7 @@ describe('buildObjectForFieldPath', () => { }); it('groups multiple leaf values', () => { - expect(buildObjectForFieldPath('nested_1.foo.nested_2.bar.leaf_2', nestedHit)).toEqual({ + expect(buildObjectRecursive('nested_1.foo.nested_2.bar.leaf_2', nestedHit.fields)).toEqual({ nested_1: { foo: [ { diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_for_field_path.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.ts similarity index 65% rename from x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_for_field_path.ts rename to x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.ts index b27b7029887db..c02e8eb2f4487 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_for_field_path.ts 
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.ts @@ -6,13 +6,13 @@ */ import { set } from '@elastic/safer-lodash-set'; -import { get, has } from 'lodash/fp'; +import { get } from 'lodash/fp'; import { Ecs } from '../../../../../common/ecs'; -import { EventHit, Fields } from '../../../../../common/search_strategy'; +import { Fields } from '../../../../../common/search_strategy'; import { toStringArray } from '../../../../../common/utils/to_array'; import { getNestedParentPath } from './get_nested_parent_path'; -const buildObjectRecursive = (fieldPath: string, fields: Fields): Partial => { +export const buildObjectRecursive = (fieldPath: string, fields: Fields): Partial => { const nestedParentPath = getNestedParentPath(fieldPath, fields); if (!nestedParentPath) { return set({}, fieldPath, toStringArray(get(fieldPath, fields))); @@ -26,12 +26,3 @@ const buildObjectRecursive = (fieldPath: string, fields: Fields): Partial = subFields.map((subField) => buildObjectRecursive(subPath, subField)) ); }; - -export const buildObjectForFieldPath = (fieldPath: string, hit: EventHit): Partial => { - if (has(fieldPath, hit._source)) { - const value = get(fieldPath, hit._source); - return set({}, fieldPath, toStringArray(value)); - } - - return buildObjectRecursive(fieldPath, hit.fields); -}; diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts index 1650dab073a4d..1750f5cc9b123 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts 
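Review bot: buildObjectRecursive becomes a public export here but has no TSDoc, and its contract (flattened `fields` in, nested ECS-shaped object out) is not obvious from the name. Add above the signature: `/** Builds the nested object for \`fieldPath\` from a flattened \`fields\` response: a plain path is set directly with its values normalised by toStringArray; a path under a nested parent (per getNestedParentPath) recurses into each nested sub-document. */`. The second hunk's removal of buildObjectForFieldPath is consistent with the callers updated elsewhere in this patch.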
@@ -11,7 +11,7 @@ import { toStringArray } from '../../../../../common/utils/to_array'; import { getDataFromFieldsHits, getDataSafety } from '../../../../../common/utils/field_formatters'; import { getTimestamp } from './get_timestamp'; import { getNestedParentPath } from './get_nested_parent_path'; -import { buildObjectForFieldPath } from './build_object_for_field_path'; +import { buildObjectRecursive } from './build_object_recursive'; import { ECS_METADATA_FIELDS } from './constants'; export const formatTimelineData = async ( @@ -59,11 +59,7 @@ const getValuesFromFields = async ( } let fieldToEval; - if (has(fieldName, hit._source)) { - fieldToEval = { - [fieldName]: get(fieldName, hit._source), - }; - } else { + if (nestedParentFieldName == null) { fieldToEval = { [fieldName]: hit.fields[fieldName], @@ -73,7 +69,6 @@ const getValuesFromFields = async ( [nestedParentFieldName]: hit.fields[nestedParentFieldName], }; } - } const formattedData = await getDataSafety(getDataFromFieldsHits, fieldToEval); return formattedData.reduce( (acc: TimelineNonEcsData[], { field, values }) => @@ -94,7 +89,6 @@ const mergeTimelineFieldsWithHit = async ( const nestedParentPath = getNestedParentPath(fieldName, hit.fields); if ( nestedParentPath != null || - has(fieldName, hit._source) || has(fieldName, hit.fields) || ECS_METADATA_FIELDS.includes(fieldName) ) { @@ -110,7 +104,7 @@ const mergeTimelineFieldsWithHit = async ( ecs: ecsFields.includes(fieldName) ? { ...get('node.ecs', flattenedFields), - ...buildObjectForFieldPath(fieldName, hit), + ...buildObjectRecursive(fieldName, hit.fields), } : get('node.ecs', flattenedFields), }, diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts index c278b7efd64d1..bccb5b377edb5 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts 
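Review bot: After dropping the `_source` branch, both arms of `if (nestedParentFieldName == null)` index `hit.fields` directly; the removed branch used to absorb hits that had no `fields` map, and getTimestamp in this same patch still guards with `hit.fields &&`, so a fields-less hit would now throw a TypeError in getValuesFromFields unless callers filter them first. Confirm that, and if not use `hit.fields?.[fieldName]` and `hit.fields?.[nestedParentFieldName]`. With only two arms left, `let fieldToEval;` (implicitly any) can become a typed `const fieldToEval = nestedParentFieldName == null ? { [fieldName]: ... } : { [nestedParentFieldName]: ... };`. getValuesFromFields starts before the hunk.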
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts @@ -10,8 +10,6 @@ import { EventHit } from '../../../../../common/search_strategy'; export const getTimestamp = (hit: EventHit): string => { if (hit.fields && hit.fields['@timestamp']) { return `${hit.fields['@timestamp'][0] ?? ''}`; - } else if (hit._source && hit._source['@timestamp']) { - return hit._source['@timestamp']; } return ''; }; From 625914cc0df9eaab569722bfadfb234336abd26c Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Tue, 29 Mar 2022 22:05:03 -0700 Subject: [PATCH 02/31] fixed tests --- .../timeline/eql/__mocks__/index.ts | 2417 +++++++++-------- .../events/all/query.events_all.dsl.test.ts | 71 +- .../events/all/query.events_all.dsl.ts | 16 +- .../query.events_last_event_time.dsl.test.ts | 54 +- .../helpers/format_timeline_data.test.ts | 74 +- 5 files changed, 1378 insertions(+), 1254 deletions(-) diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts index 9439f7a6423fb..9b6edd2093988 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts 
@@ -27,218 +27,337 @@ export const sequenceResponse = { { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'qhymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - name: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3377092Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293866, - ingested: '2021-02-08T21:57:26.417559711Z', - created: '2021-02-08T21:50:28.3377092Z', - kind: 'event', - module: 'endpoint', - action: 'log_on', - id: 'LzzWB9jjGmCwGMvk++++FG/O', - category: ['authentication', 'session'], - type: ['start'], - dataset: 'endpoint.events.security', - outcome: 'success', - }, - 
user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377092Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.name': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293866], + 'event.ingested': ['2021-02-08T21:57:26.417559711Z'], + 'event.created': ['2021-02-08T21:50:28.3377092Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/O'], + 'event.category': 
['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'qxymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 
'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'rBymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': 
['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3377142Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293867, - ingested: '2021-02-08T21:57:26.417596906Z', - created: '2021-02-08T21:50:28.3377142Z', - kind: 'event', - module: 'endpoint', - action: 'log_on', - id: 'LzzWB9jjGmCwGMvk++++FG/P', - category: ['authentication', 'session'], - type: ['start'], - dataset: 'endpoint.events.security', - outcome: 'success', - }, - user: { - domain: 'NT AUTHORITY', - name: 
'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 
'rBymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3381013Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293868, - ingested: '2021-02-08T21:57:26.417632166Z', - created: '2021-02-08T21:50:28.3381013Z', - kind: 'event', - module: 'endpoint', - id: 'LzzWB9jjGmCwGMvk++++FG/Q', - category: [], - type: [], - dataset: 'endpoint.events.security', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 
'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, + { + _index: '.ds-logs-endpoint.events.process-default-2021.02.02-000005', + _id: 'pxymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3446355Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + 
'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.Ext.code_signature': [{ + 'trusted': true, + 'subject_name': 'Microsoft Corporation', + 'exists': true, + 'status': 'trusted', + } + ], + 'process.Ext.token.integrity_level_name': ['high'], + 'process.Ext.token.elevation_level': ['default'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', + ], + 'process.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], + 'process.parent.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], + 'process.parent.name': ['sshd.exe'], + 'process.parent.pid': [5284], + 'process.parent.args_count': [2], + 'process.parent.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.parent.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R'], + 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.code_signature.trusted': [true], + 'process.code_signature.subject_name': ['Microsoft Corporation'], + 'process.code_signature.exists': [true], + 'process.code_signature.status': ['trusted'], + 'process.name': ['sshd.exe'], + 'process.pid': [6368], + 'process.args_count': [2], + 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], + 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], + 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': 
['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293863], + 'event.ingested': ['2021-02-08T21:57:26.417387865Z'], + 'event.created': ['2021-02-08T21:50:28.3446355Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/K'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': [''], + 'user.name': [''], }, }, ], 
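Review bot: The rewritten fixture appears to list the events with `_id` `qxymg3cBX5UUcOOYP3Ec` and `rBymg3cBX5UUcOOYP3Ec` twice in the same `events` array, once as wholly added objects and again as the converted context objects below them, so the sequence now holds six events where the old side had four unless the added copies were meant to replace the converted ones. The converted `rBymg3cBX5UUcOOYP3Ec` entry also gains `'event.action': ['log_on']`, `'event.category': ['authentication', 'session']` and `'event.outcome': ['success']` where the old `_source` had `category: []`, `type: []` and no action or outcome, so the empty-array case this fixture used to exercise is lost. The added `pxymg3cBX5UUcOOYP3Ec` event carries an `.events.process-` index together with `'data_stream.dataset': ['endpoint.events.security']` and `message: ['Endpoint security event']`, which looks like a copy of the security events rather than the process event it replaces. Stylistically, the `'process.Ext.code_signature'` object uses quoted keys and a `} ]` closer that Prettier would normalise and that no other entry in the file uses. The same issues recur in the following `@@ -246,258 +365,340 @@` hunk, where the old side shows `pxymg3cBX5UUcOOYP3Ec` was a `start` process event with `category: ['process']` and dataset `endpoint.events.process`.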
@@ -246,258 +365,340 @@ export const sequenceResponse = { { join_keys: ['win2019-endpoint-mr-pedro'], events: [ + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'qhymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377092Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.name': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293866], + 'event.ingested': ['2021-02-08T21:57:26.417559711Z'], + 'event.created': 
['2021-02-08T21:50:28.3377092Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/O'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'qxymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 
'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'rBymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': 
['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3377142Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293867, - ingested: '2021-02-08T21:57:26.417596906Z', - created: '2021-02-08T21:50:28.3377142Z', - kind: 'event', - module: 'endpoint', - action: 'log_on', - id: 
'LzzWB9jjGmCwGMvk++++FG/P', - category: ['authentication', 'session'], - type: ['start'], - dataset: 'endpoint.events.security', - outcome: 'success', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': 
['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'rBymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3381013Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293868, - ingested: '2021-02-08T21:57:26.417632166Z', - created: '2021-02-08T21:50:28.3381013Z', - kind: 'event', - module: 'endpoint', - id: 'LzzWB9jjGmCwGMvk++++FG/Q', - category: [], - type: [], - dataset: 'endpoint.events.security', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': 
['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.process-default-2021.02.02-000005', _id: 'pxymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 
'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - code_signature: [ - { - trusted: true, - subject_name: 'Microsoft Corporation', - exists: true, - status: 'trusted', - }, - ], - token: { - integrity_level_name: 'high', - elevation_level: 'default', - }, - }, - args: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], - parent: { - args: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], - name: 'sshd.exe', - pid: 5284, - args_count: 2, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - command_line: '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - }, - code_signature: { - trusted: true, - subject_name: 'Microsoft Corporation', - exists: true, - status: 'trusted', - }, - name: 'sshd.exe', - pid: 6368, - args_count: 2, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', - command_line: '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - hash: { - sha1: '631244d731f406394c17c7dfd85203e317c74814', - sha256: 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', - md5: '331ba0e529810ef718dd3efbd1242302', - }, - }, - message: 'Endpoint process event', - '@timestamp': '2021-02-08T21:50:28.3446355Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.process', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 
Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293863, - ingested: '2021-02-08T21:57:26.417387865Z', - created: '2021-02-08T21:50:28.3446355Z', - kind: 'event', - module: 'endpoint', - action: 'start', - id: 'LzzWB9jjGmCwGMvk++++FG/K', - category: ['process'], - type: ['start'], - dataset: 'endpoint.events.process', - }, - user: { - domain: '', - name: '', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3446355Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.Ext.code_signature': [{ + 'trusted': true, + 'subject_name': 'Microsoft Corporation', + 'exists': true, + 'status': 'trusted', + } + ], + 'process.Ext.token.integrity_level_name': ['high'], + 'process.Ext.token.elevation_level': ['default'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', + ], + 'process.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], + 'process.parent.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], + 'process.parent.name': ['sshd.exe'], + 'process.parent.pid': 
[5284], + 'process.parent.args_count': [2], + 'process.parent.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.parent.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R'], + 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.code_signature.trusted': [true], + 'process.code_signature.subject_name': ['Microsoft Corporation'], + 'process.code_signature.exists': [true], + 'process.code_signature.status': ['trusted'], + 'process.name': ['sshd.exe'], + 'process.pid': [6368], + 'process.args_count': [2], + 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], + 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], + 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293863], + 'event.ingested': ['2021-02-08T21:57:26.417387865Z'], + 'event.created': ['2021-02-08T21:50:28.3446355Z'], + 
'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/K'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': [''], + 'user.name': [''], }, }, ], 
@@ -505,277 +706,340 @@ export const sequenceResponse = { { join_keys: ['win2019-endpoint-mr-pedro'], events: [ + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'qhymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377092Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.name': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293866], + 'event.ingested': ['2021-02-08T21:57:26.417559711Z'], + 'event.created': 
['2021-02-08T21:50:28.3377092Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/O'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'qxymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 
'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'rBymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3381013Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293868, - ingested: '2021-02-08T21:57:26.417632166Z', - created: '2021-02-08T21:50:28.3381013Z', - kind: 'event', - module: 'endpoint', - id: 'LzzWB9jjGmCwGMvk++++FG/Q', - category: [], - type: [], - 
dataset: 'endpoint.events.security', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { - 
_index: '.ds-logs-endpoint.events.process-default-2021.02.02-000005', - _id: 'pxymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - code_signature: [ - { - trusted: true, - subject_name: 'Microsoft Corporation', - exists: true, - status: 'trusted', - }, - ], - token: { - integrity_level_name: 'high', - elevation_level: 'default', - }, - }, - args: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], - parent: { - args: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], - name: 'sshd.exe', - pid: 5284, - args_count: 2, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - command_line: '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - }, - code_signature: { - trusted: true, - subject_name: 'Microsoft Corporation', - exists: true, - status: 'trusted', - }, - name: 'sshd.exe', - pid: 6368, - args_count: 2, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', - command_line: '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - hash: { - sha1: '631244d731f406394c17c7dfd85203e317c74814', - sha256: 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', - md5: '331ba0e529810ef718dd3efbd1242302', - }, - }, - message: 'Endpoint process event', - '@timestamp': '2021-02-08T21:50:28.3446355Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 
'default', - type: 'logs', - dataset: 'endpoint.events.process', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293863, - ingested: '2021-02-08T21:57:26.417387865Z', - created: '2021-02-08T21:50:28.3446355Z', - kind: 'event', - module: 'endpoint', - action: 'start', - id: 'LzzWB9jjGmCwGMvk++++FG/K', - category: ['process'], - type: ['start'], - dataset: 'endpoint.events.process', - }, - user: { - domain: '', - name: '', - }, + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'qxymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 
Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], + }, + }, + { + _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', + _id: 'rBymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows 
Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { - _index: '.ds-logs-endpoint.events.network-default-2021.02.02-000005', - _id: 'qBymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - name: 'svchost.exe', - pid: 968, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTk2OC0xMzI1NTA3ODY3My4yNjQyNDcyMDA=', - executable: 'C:\\Windows\\System32\\svchost.exe', - }, - destination: { - address: '10.128.0.57', - port: 3389, - bytes: 1681, - ip: '10.128.0.57', - }, - source: { - address: '142.202.189.139', - port: 16151, - bytes: 1224, - ip: '142.202.189.139', - }, - message: 'Endpoint network event', - network: { - transport: 'tcp', - type: 'ipv4', - direction: 
'incoming', - }, - '@timestamp': '2021-02-08T21:50:28.5553532Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.network', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293864, - ingested: '2021-02-08T21:57:26.417451347Z', - created: '2021-02-08T21:50:28.5553532Z', - kind: 'event', - module: 'endpoint', - action: 'disconnect_received', - id: 'LzzWB9jjGmCwGMvk++++FG/L', - category: ['network'], - type: ['end'], - dataset: 'endpoint.events.network', - }, - user: { - domain: 'NT AUTHORITY', - name: 'NETWORK SERVICE', - }, + _index: '.ds-logs-endpoint.events.process-default-2021.02.02-000005', + _id: 'pxymg3cBX5UUcOOYP3Ec', + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3446355Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.Ext.code_signature': [{ + 'trusted': true, + 
'subject_name': 'Microsoft Corporation', + 'exists': true, + 'status': 'trusted', + } + ], + 'process.Ext.token.integrity_level_name': ['high'], + 'process.Ext.token.elevation_level': ['default'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', + ], + 'process.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], + 'process.parent.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], + 'process.parent.name': ['sshd.exe'], + 'process.parent.pid': [5284], + 'process.parent.args_count': [2], + 'process.parent.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.parent.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R'], + 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.code_signature.trusted': [true], + 'process.code_signature.subject_name': ['Microsoft Corporation'], + 'process.code_signature.exists': [true], + 'process.code_signature.status': ['trusted'], + 'process.name': ['sshd.exe'], + 'process.pid': [6368], + 'process.args_count': [2], + 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], + 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], + 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': 
['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293863], + 'event.ingested': ['2021-02-08T21:57:26.417387865Z'], + 'event.created': ['2021-02-08T21:50:28.3446355Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/K'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': [''], + 'user.name': [''], }, }, ], 
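Review bot: The rewritten process event at the end of this hunk (`_id: 'pxymg3cBX5UUcOOYP3Ec'`, still in the `endpoint.events.process` index) now carries the security event's metadata instead of its own: the removed `_source` had `action: 'start'`, `category: ['process']`, `dataset: 'endpoint.events.process'` and `message: 'Endpoint process event'`, while the new `fields` block says `'event.action': ['log_on']`, `'event.category': ['authentication', 'session']`, `'event.dataset': ['endpoint.events.security']`, `'event.outcome': ['success']` and `message: ['Endpoint security event']`. A fixture that labels a process-start as a successful authentication weakens every test that branches on `event.category`/`event.action`, so the new entry should keep `'event.category': ['process']`, `'event.dataset': ['endpoint.events.process']` and `'event.action': ['start']`, restore the process message, and drop `event.outcome`; the same drift appears in the earlier copy of this event in the preceding hunk. The new `events` array also appears to list `qxymg3cBX5UUcOOYP3Ec` and `rBymg3cBX5UUcOOYP3Ec` twice while the former network event (`qBymg3cBX5UUcOOYP3Ec`) is gone, which looks like a copy-paste slip rather than an intended change to the sequence and could mask de-duplication bugs in the code under test. Minor style point: the object inside `'process.Ext.code_signature'` quotes its keys (`'trusted': true`) unlike every other fixture object; prettier-style unquoted keys would keep the file consistent.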
@@ -806,472 +1070,337 @@ export const eventsResponse = { { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'qhymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - name: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3377092Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293866, - ingested: '2021-02-08T21:57:26.417559711Z', - created: '2021-02-08T21:50:28.3377092Z', - kind: 'event', - module: 'endpoint', - action: 'log_on', - id: 'LzzWB9jjGmCwGMvk++++FG/O', - category: ['authentication', 'session'], - type: ['start'], - dataset: 'endpoint.events.security', - outcome: 'success', - }, - 
user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377092Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.name': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293866], + 'event.ingested': ['2021-02-08T21:57:26.417559711Z'], + 'event.created': ['2021-02-08T21:50:28.3377092Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/O'], + 'event.category': 
['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3377142Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293867, - ingested: '2021-02-08T21:57:26.417596906Z', - created: '2021-02-08T21:50:28.3377142Z', - kind: 'event', - module: 'endpoint', - action: 'log_on', - id: 'LzzWB9jjGmCwGMvk++++FG/P', - category: ['authentication', 'session'], - type: ['start'], - dataset: 'endpoint.events.security', - outcome: 'success', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 
'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'rBymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: 
'1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3381013Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293868, - ingested: '2021-02-08T21:57:26.417632166Z', - created: '2021-02-08T21:50:28.3381013Z', - kind: 'event', - module: 'endpoint', - id: 'LzzWB9jjGmCwGMvk++++FG/Q', - category: [], - type: [], - dataset: 'endpoint.events.security', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 
'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 
'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3377142Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293867, - ingested: '2021-02-08T21:57:26.417596906Z', - created: '2021-02-08T21:50:28.3377142Z', - kind: 'event', - module: 'endpoint', - action: 'log_on', - id: 'LzzWB9jjGmCwGMvk++++FG/P', - category: ['authentication', 'session'], - type: ['start'], - dataset: 'endpoint.events.security', - outcome: 'success', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3377142Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': 
['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], + 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293867], + 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], + 'event.created': ['2021-02-08T21:50:28.3377142Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'rBymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - }, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - executable: 'C:\\Windows\\System32\\lsass.exe', - }, - message: 'Endpoint security event', - '@timestamp': '2021-02-08T21:50:28.3381013Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.security', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: 
{ - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293868, - ingested: '2021-02-08T21:57:26.417632166Z', - created: '2021-02-08T21:50:28.3381013Z', - kind: 'event', - module: 'endpoint', - id: 'LzzWB9jjGmCwGMvk++++FG/Q', - category: [], - type: [], - dataset: 'endpoint.events.security', - }, - user: { - domain: 'NT AUTHORITY', - name: 'SYSTEM', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3381013Z'], + message: ['Endpoint security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', + ], + 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], + 'ecs.version': ['1.5.0'], + 'data_stream.namespace': ['default'], + 'data_stream.type': ['logs'], + 'data_stream.dataset': ['endpoint.events.security'], + 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], + 'host.hostname': ['win2019-endpoint-mr-pedro'], + 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], + 'host.os.name': ['Windows'], + 'host.os.kernel': ['1809 (10.0.17763.1697)'], + 'host.os.family': ['windows'], + 'host.os.version': ['1809 (10.0.17763.1697)'], + 'host.os.platform': ['windows'], + 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], 
+ 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], + 'host.name': ['win2019-endpoint-mr-pedro'], + 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + 'host.mac': ['42:01:0a:80:00:39'], + 'host.architecture': ['x86_64'], + 'event.sequence': [3293868], + 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], + 'event.created': ['2021-02-08T21:50:28.3381013Z'], + 'event.kind': ['event'], + 'event.module': ['endpoint'], + 'event.action': ['log_on'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], + 'event.category': ['authentication', 'session'], + 'event.type': ['start'], + 'event.dataset': ['endpoint.events.security'], + 'event.outcome': ['success'], + 'user.domain': ['NT AUTHORITY'], + 'user.name': ['SYSTEM'], }, }, { _index: '.ds-logs-endpoint.events.process-default-2021.02.02-000005', _id: 'pxymg3cBX5UUcOOYP3Ec', - _source: { - agent: { - id: '1d15cf9e-3dc7-5b97-f586-743f7c2518b2', - type: 'endpoint', - version: '7.10.0', - }, - process: { - Ext: { - ancestry: [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - code_signature: [ - { - trusted: true, - subject_name: 'Microsoft Corporation', - exists: true, - status: 'trusted', - }, - ], - token: { - integrity_level_name: 'high', - elevation_level: 'default', - }, - }, - args: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], - parent: { - args: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], - name: 'sshd.exe', - pid: 5284, - args_count: 2, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - command_line: '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - 
}, - code_signature: { - trusted: true, - subject_name: 'Microsoft Corporation', - exists: true, - status: 'trusted', - }, - name: 'sshd.exe', - pid: 6368, - args_count: 2, - entity_id: - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', - command_line: '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y', - executable: 'C:\\Program Files\\OpenSSH-Win64\\sshd.exe', - hash: { - sha1: '631244d731f406394c17c7dfd85203e317c74814', - sha256: 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', - md5: '331ba0e529810ef718dd3efbd1242302', - }, - }, - message: 'Endpoint process event', - '@timestamp': '2021-02-08T21:50:28.3446355Z', - ecs: { - version: '1.5.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.events.process', - }, - elastic: { - agent: { - id: 'f5dec71e-438c-424e-ac9b-0281f10412b9', - }, - }, - host: { - hostname: 'win2019-endpoint-mr-pedro', - os: { - Ext: { - variant: 'Windows Server 2019 Datacenter', - }, - kernel: '1809 (10.0.17763.1697)', - name: 'Windows', - family: 'windows', - version: '1809 (10.0.17763.1697)', - platform: 'windows', - full: 'Windows Server 2019 Datacenter 1809 (10.0.17763.1697)', - }, - ip: ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - name: 'win2019-endpoint-mr-pedro', - id: 'd8ad572e-d224-4044-a57d-f5a84c0dfe5d', - mac: ['42:01:0a:80:00:39'], - architecture: 'x86_64', - }, - event: { - sequence: 3293863, - ingested: '2021-02-08T21:57:26.417387865Z', - created: '2021-02-08T21:50:28.3446355Z', - kind: 'event', - module: 'endpoint', - action: 'start', - id: 'LzzWB9jjGmCwGMvk++++FG/K', - category: ['process'], - type: ['start'], - dataset: 'endpoint.events.process', - }, - user: { - domain: '', - name: '', - }, + _source: {}, + fields: { + 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], + 'agent.type': ['endpoint'], + 'agent.version': ['7.10.0'], + '@timestamp': ['2021-02-08T21:50:28.3446355Z'], + message: ['Endpoint 
security event'], + 'process.Ext.ancestry': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', + ], + 'process.Ext.code_signature': [{ + 'trusted': true, + 'subject_name': 'Microsoft Corporation', + 'exists': true, + 'status': 'trusted', + } + ], + 'process.Ext.token.integrity_level_name': ['high'], + 'process.Ext.token.elevation_level': ['default'], + 'process.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', + ], + 'process.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], + 'process.parent.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], + 'process.parent.name': ['sshd.exe'], + 'process.parent.pid': [5284], + 'process.parent.args_count': [2], + 'process.parent.entity_id': [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + ], + 'process.parent.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R'], + 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.code_signature.trusted': [true], + 'process.code_signature.subject_name': ['Microsoft Corporation'], + 'process.code_signature.exists': [true], + 'process.code_signature.status': ['trusted'], + 'process.name': ['sshd.exe'], + 'process.pid': [6368], + 'process.args_count': [2], + 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], + 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], + 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], + 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 
'ecs.version': ['1.5.0'],
+ 'data_stream.namespace': ['default'],
+ 'data_stream.type': ['logs'],
+ 'data_stream.dataset': ['endpoint.events.security'],
+ 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'],
+ 'host.hostname': ['win2019-endpoint-mr-pedro'],
+ 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'],
+ 'host.os.name': ['Windows'],
+ 'host.os.kernel': ['1809 (10.0.17763.1697)'],
+ 'host.os.family': ['windows'],
+ 'host.os.version': ['1809 (10.0.17763.1697)'],
+ 'host.os.platform': ['windows'],
+ 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'],
+ 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'],
+ 'host.name': ['win2019-endpoint-mr-pedro'],
+ 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'],
+ 'host.mac': ['42:01:0a:80:00:39'],
+ 'host.architecture': ['x86_64'],
+ 'event.sequence': [3293863],
+ 'event.ingested': ['2021-02-08T21:57:26.417387865Z'],
+ 'event.created': ['2021-02-08T21:50:28.3446355Z'],
+ 'event.kind': ['event'],
+ 'event.module': ['endpoint'],
+ 'event.action': ['log_on'],
+ 'event.id': ['LzzWB9jjGmCwGMvk++++FG/K'],
+ 'event.category': ['authentication', 'session'],
+ 'event.type': ['start'],
+ 'event.dataset': ['endpoint.events.security'],
+ 'event.outcome': ['success'],
+ 'user.domain': [''],
+ 'user.name': [''],
 },
 },
 ],
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts
index 4e451a4dc4cd7..f6e7c69740b27 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts
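Review bot: The rewritten `fields` blocks no longer mirror the `_source` they replace for two of the hits, so the fixture loses the shapes the formatter has to cope with. For both `_id: 'rBymg3cBX5UUcOOYP3Ec'` hits the removed source had `category: []`, `type: []` and no `action`/`outcome`, and for `_id: 'pxymg3cBX5UUcOOYP3Ec'` (still indexed in `.ds-logs-endpoint.events.process-…`) it had `message: 'Endpoint process event'`, `action: 'start'`, `category: ['process']` and `dataset: 'endpoint.events.process'`, whereas the new `fields` give all of them the same `log_on` / `['authentication', 'session']` / `success` / `endpoint.events.security` values as the security-event hit, which looks like a copy-paste. Code that branches on an empty `event.category` or on a process dataset is therefore no longer exercised, and `_index` now disagrees with `data_stream.dataset` for the process hit. I would restore the per-hit values: `'event.category': [],` and `'event.type': [],` (without `event.action`/`event.outcome`) for `rBymg3cBX5UUcOOYP3Ec`, and `'event.dataset': ['endpoint.events.process'],` together with the original message, action and category for `pxymg3cBX5UUcOOYP3Ec`.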
@@ -5,9 +5,7 @@
 * 2.0.
 */
-import {
- Direction,
-} from '../../../../../../common/search_strategy';
+import { Direction } from '../../../../../../common/search_strategy';
 import { buildTimelineEventsAllQuery } from './query.events_all.dsl';
 describe('buildTimelineEventsAllQuery', () => {
@@ -21,24 +19,44 @@ describe('buildTimelineEventsAllQuery', () => {
 ];
 const query = buildTimelineEventsAllQuery({
- fields: [], defaultIndex, docValueFields, filterQuery: '', language: 'eql', pagination: {
+ fields: [],
+ defaultIndex,
+ docValueFields,
+ filterQuery: '',
+ language: 'eql',
+ pagination: {
 activePage: 0,
 querySize: 100,
- }, runtimeMappings: {}, sort: [{
- direction: Direction.asc,
- field: '@timestamp',
- type: 'datetime'
- }], timerange: {
+ },
+ runtimeMappings: {},
+ sort: [
+ {
+ direction: Direction.asc,
+ field: '@timestamp',
+ type: 'datetime',
+ },
+ ],
+ timerange: {
 from: '',
 interval: '5m',
 to: '',
- }
+ },
 });
 expect(query).toMatchInlineSnapshot(`
 Object {
 "allow_no_indices": true,
 "body": Object {
- "_source": true,
+ "_source": false,
+ "aggregations": Object {
+ "producers": Object {
+ "terms": Object {
+ "exclude": Array [
+ "alerts",
+ ],
+ "field": "kibana.alert.rule.producer",
+ },
+ },
+ },
 "docvalue_fields": Array [
 Object {
 "field": "@timestamp",
@@ -53,24 +71,33 @@ describe('buildTimelineEventsAllQuery', () => {
 "field": "agent.name",
 },
 ],
- "fields": Array [
- Object {
- "field": "*",
- "include_unmapped": true,
- },
- ],
+ "fields": Array [],
+ "from": 0,
 "query": Object {
- "terms": Object {
- "_id": Array [
- "f0a936d50b5b3a5a193d415459c14587fe633f7e519df7b5dc151d56142680e3",
+ "bool": Object {
+ "filter": Array [
+ Object {
+ "match_all": Object {},
+ },
 ],
 },
 },
 "runtime_mappings": Object {},
+ "size": 100,
+ "sort": Array [
+ Object {
+ "@timestamp": Object {
+ "order": "asc",
+ "unmapped_type": "datetime",
+ },
+ },
+ ],
+ "track_total_hits": true,
 },
 "ignore_unavailable": true,
- "index": ".siem-signals-default",
- "size": 1,
+ "index": Array [
+ ".siem-signals-default",
+ ],
 }
 `);
 });
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
index 236628220f4bf..5fa1e2bb34007 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
@@ -35,16 +35,16 @@ export const buildTimelineEventsAllQuery = ({
 const { to, from } = timerangeOption;
 return !isEmpty(to) && !isEmpty(from)
 ? [
- {
- range: {
- '@timestamp': {
- gte: from,
- lte: to,
- format: 'strict_date_optional_time',
+ {
+ range: {
+ '@timestamp': {
+ gte: from,
+ lte: to,
+ format: 'strict_date_optional_time',
+ },
 },
 },
- },
- ]
+ ]
 : [];
 }
 return [];
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts
index 4e8b499d33954..32553b37d0542 100644
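Review bot: The only case in the `@@ -21,24 +19,44 @@` hunk passes `fields: []`, so the snapshot now pins `"fields": Array []` next to `"_source": false` — a request whose hits would carry no document data at all, which is the degenerate path rather than the one this change introduces. Unless a non-empty field list is covered by another test, a second case passing e.g. `fields: ['@timestamp', 'event.category']` and asserting that they land in `body.fields` would show that requested fields actually reach the query now that `_source` is switched off. The `it(...)` callback holding this case starts before the hunk, and the rest of the same snapshot sits in the `@@ -53,24 +71,33 @@` hunk.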
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts
@@ -5,9 +5,7 @@
 * 2.0.
 */
-import {
- LastEventIndexKey,
-} from '../../../../../../common/search_strategy';
+import { LastEventIndexKey } from '../../../../../../common/search_strategy';
 import { buildLastEventTimeQuery } from './query.events_last_event_time.dsl';
 describe('buildLastEventTimeQuery', () => {
@@ -20,12 +18,17 @@ describe('buildLastEventTimeQuery', () => {
 { field: 'agent.name' },
 ];
- const query = buildLastEventTimeQuery({ indexKey: LastEventIndexKey.ipDetails, details: { ip: '12345567'}, defaultIndex, docValueFields});
+ const query = buildLastEventTimeQuery({
+ indexKey: LastEventIndexKey.ipDetails,
+ details: { ip: '12345567' },
+ defaultIndex,
+ docValueFields,
+ });
 expect(query).toMatchInlineSnapshot(`
 Object {
 "allow_no_indices": true,
 "body": Object {
- "_source": true,
+ "_source": false,
 "docvalue_fields": Array [
 Object {
 "field": "@timestamp",
@@ -41,23 +44,42 @@ describe('buildLastEventTimeQuery', () => {
 },
 ],
 "fields": Array [
- Object {
- "field": "*",
- "include_unmapped": true,
- },
+ "@timestamp",
 ],
 "query": Object {
- "terms": Object {
- "_id": Array [
- "f0a936d50b5b3a5a193d415459c14587fe633f7e519df7b5dc151d56142680e3",
- ],
+ "bool": Object {
+ "filter": Object {
+ "bool": Object {
+ "should": Array [
+ Object {
+ "term": Object {
+ "source.ip": "12345567",
+ },
+ },
+ Object {
+ "term": Object {
+ "destination.ip": "12345567",
+ },
+ },
+ ],
+ },
+ },
 },
 },
- "runtime_mappings": Object {},
+ "size": 1,
+ "sort": Array [
+ Object {
+ "@timestamp": Object {
+ "order": "desc",
+ },
+ },
+ ],
 },
 "ignore_unavailable": true,
- "index": ".siem-signals-default",
- "size": 1,
+ "index": Array [
+ ".siem-signals-default",
+ ],
+ "track_total_hits": false,
 }
 `);
 });
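Review bot: The input in the `@@ -20,12 +18,17 @@` hunk uses `details: { ip: '12345567' }`, which is not an IP literal, yet the snapshot below shows it ending up in `term` clauses on `source.ip` and `destination.ip`; for a request-shape snapshot this is harmless, but as a fixture it misreads as a document id rather than the address the ipDetails branch is keyed on. A real address such as `details: { ip: '10.0.0.1' }` (a constructed sample) would keep the test self-explanatory and would also be accepted by an `ip`-mapped field if the fixture is ever reused against a cluster. The `it(...)` callback containing this case begins before the hunk.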
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts index 4c850665a903b..1f085de94b201 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts 
@@ -132,70 +132,7 @@ describe('formatTimelineData', () => {
 _index: '.siem-signals-patrykkopycinski-default-000007',
 _id: 'a77040f198355793c35bf22b900902371309be615381f0a2ec92c208b6132562',
 _score: 0,
- _source: {
- kibana: {
- alert: {
- threshold_result: {
- count: 10000,
- value: '2a990c11-f61b-4c8e-b210-da2574e9f9db',
- },
- depth: 1,
- _meta: {
- version: 14,
- },
- severity: 'low',
- risk_score: 21,
- rule: {
- note: null,
- throttle: null,
- references: [],
- description: 'asdasd',
- created_at: '2021-01-09T11:25:45.046Z',
- building_block_type: null,
- type: 'threshold',
- rule_name_override: null,
- enabled: true,
- exceptions_list: [],
- updated_at: '2021-01-09T13:36:39.204Z',
- timestamp_override: null,
- from: 'now-360s',
- uuid: '696c24e0-526d-11eb-836c-e1620268b945',
- timeline_id: null,
- max_signals: 100,
- author: [],
- created_by: 'patryk_test_user',
- version: 1,
- tags: [],
- rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db',
- license: '',
- immutable: false,
- timeline_title: null,
- meta: {
- from: '1m',
- kibana_siem_app_url: 'http://localhost:5601/app/security',
- },
- name: 'Threshold test',
- updated_by: 'patryk_test_user',
- interval: '5m',
- false_positives: [],
- to: 'now',
- threat: [],
- actions: [],
- },
- original_time: '2021-01-09T13:39:32.595Z',
- ancestors: [
- {
- depth: 0,
- index:
- 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*',
- id: '0268af90-d8da-576a-9747-2a191519416a',
- type: 'event',
- },
- ],
- workflow_status: 'open',
- },
- },
- },
+ _source: {},
 fields: {
 'kibana.alert.rule.from': ['now-360s'],
 '@timestamp': ['2021-01-09T13:41:40.517Z'],
@@ -209,6 +146,15 @@ describe('formatTimelineData', () => { 'kibana.alert.rule.version': ['1'], 'kibana.alert.rule.name': ['Threshold test'], 'kibana.alert.rule.to': ['now'], + 'kibana.alert.rule.building_block_type': [], + 'kibana.alert.rule.note': [], + 'kibana.alert.rule.timeline_id': [], + 'kibana.alert.rule.timeline_title': [], + 'kibana.alert.rule.exceptions_list': [], + 'kibana.alert.threshold_result': [{ + 'count': 10000, + 'value': '2a990c11-f61b-4c8e-b210-da2574e9f9db' + }], }, sort: ['1610199700517'], }; From a324fd13ac9617d111226b481fb7e49b1ced9c85 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Wed, 30 Mar 2022 07:02:03 -0700 Subject: [PATCH 03/31] fixed linting rules --- .../timeline/eql/__mocks__/index.ts | 80 ++++++++++++------- .../helpers/format_timeline_data.test.ts | 10 ++- .../factory/helpers/format_timeline_data.ts | 20 ++--- 3 files changed, 65 insertions(+), 45 deletions(-) diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts index 9b6edd2093988..7c399c5ad4800 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts @@ -293,12 +293,13 @@ export const sequenceResponse = { 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', ], - 'process.Ext.code_signature': [{ - 'trusted': true, - 'subject_name': 'Microsoft Corporation', - 'exists': true, - 'status': 'trusted', - } + 'process.Ext.code_signature': [ + { + trusted: true, + subject_name: 'Microsoft Corporation', + exists: true, + status: 'trusted', + }, ], 'process.Ext.token.integrity_level_name': ['high'], 'process.Ext.token.elevation_level': ['default'], 
@@ -313,7 +314,9 @@ export const sequenceResponse = { 'process.parent.entity_id': [ 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', ], - 'process.parent.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R'], + 'process.parent.command_line': [ + '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R', + ], 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], 'process.code_signature.trusted': [true], 'process.code_signature.subject_name': ['Microsoft Corporation'], @@ -324,7 +327,9 @@ export const sequenceResponse = { 'process.args_count': [2], 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], - 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.sha256': [ + 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', + ], 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], 'ecs.version': ['1.5.0'], @@ -634,12 +639,13 @@ export const sequenceResponse = { 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', ], - 'process.Ext.code_signature': [{ - 'trusted': true, - 'subject_name': 'Microsoft Corporation', - 'exists': true, - 'status': 'trusted', - } + 'process.Ext.code_signature': [ + { + trusted: true, + subject_name: 'Microsoft Corporation', + exists: true, + status: 'trusted', + }, ], 'process.Ext.token.integrity_level_name': ['high'], 'process.Ext.token.elevation_level': ['default'], 
@@ -654,7 +660,9 @@ export const sequenceResponse = { 'process.parent.entity_id': [ 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', ], - 'process.parent.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R'], + 'process.parent.command_line': [ + '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R', + ], 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], 'process.code_signature.trusted': [true], 'process.code_signature.subject_name': ['Microsoft Corporation'], @@ -665,7 +673,9 @@ export const sequenceResponse = { 'process.args_count': [2], 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], - 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.sha256': [ + 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', + ], 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], 'ecs.version': ['1.5.0'], @@ -975,12 +985,13 @@ export const sequenceResponse = { 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', ], - 'process.Ext.code_signature': [{ - 'trusted': true, - 'subject_name': 'Microsoft Corporation', - 'exists': true, - 'status': 'trusted', - } + 'process.Ext.code_signature': [ + { + trusted: true, + subject_name: 'Microsoft Corporation', + exists: true, + status: 'trusted', + }, ], 'process.Ext.token.integrity_level_name': ['high'], 'process.Ext.token.elevation_level': ['default'], 
@@ -995,7 +1006,9 @@ export const sequenceResponse = { 'process.parent.entity_id': [ 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', ], - 'process.parent.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R'], + 'process.parent.command_line': [ + '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R', + ], 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], 'process.code_signature.trusted': [true], 'process.code_signature.subject_name': ['Microsoft Corporation'], @@ -1006,7 +1019,9 @@ export const sequenceResponse = { 'process.args_count': [2], 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], - 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.sha256': [ + 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', + ], 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], 'ecs.version': ['1.5.0'], @@ -1336,12 +1351,13 @@ export const eventsResponse = { 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', ], - 'process.Ext.code_signature': [{ - 'trusted': true, - 'subject_name': 'Microsoft Corporation', - 'exists': true, - 'status': 'trusted', - } + 'process.Ext.code_signature': [ + { + trusted: true, + subject_name: 'Microsoft Corporation', + exists: true, + status: 'trusted', + }, ], 'process.Ext.token.integrity_level_name': ['high'], 'process.Ext.token.elevation_level': ['default'], 
@@ -1367,7 +1383,9 @@ export const eventsResponse = { 'process.args_count': [2], 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], - 'process.hash.sha256': ['e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0'], + 'process.hash.sha256': [ + 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', + ], 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], 'ecs.version': ['1.5.0'], diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts index 1f085de94b201..746b71198ee66 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts @@ -151,10 +151,12 @@ describe('formatTimelineData', () => { 'kibana.alert.rule.timeline_id': [], 'kibana.alert.rule.timeline_title': [], 'kibana.alert.rule.exceptions_list': [], - 'kibana.alert.threshold_result': [{ - 'count': 10000, - 'value': '2a990c11-f61b-4c8e-b210-da2574e9f9db' - }], + 'kibana.alert.threshold_result': [ + { + count: 10000, + value: '2a990c11-f61b-4c8e-b210-da2574e9f9db', + }, + ], }, sort: ['1610199700517'], }; diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts index 1750f5cc9b123..e2ac37c12b669 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts 
@@ -59,16 +59,16 @@ const getValuesFromFields = async ( } let fieldToEval; - - if (nestedParentFieldName == null) { - fieldToEval = { - [fieldName]: hit.fields[fieldName], - }; - } else { - fieldToEval = { - [nestedParentFieldName]: hit.fields[nestedParentFieldName], - }; - } + + if (nestedParentFieldName == null) { + fieldToEval = { + [fieldName]: hit.fields[fieldName], + }; + } else { + fieldToEval = { + [nestedParentFieldName]: hit.fields[nestedParentFieldName], + }; + } const formattedData = await getDataSafety(getDataFromFieldsHits, fieldToEval); return formattedData.reduce( (acc: TimelineNonEcsData[], { field, values }) => From b4dff092ed17bac4cf69b341424f54c5d4d3f249 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Wed, 30 Mar 2022 10:59:34 -0700 Subject: [PATCH 04/31] fixed mocks --- .../body/renderers/auditd/generic_details.tsx | 2 +- .../timeline/eql/__mocks__/index.ts | 561 ++---------------- 2 files changed, 39 insertions(+), 524 deletions(-) diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx index a24e2b3a77e0c..0122c4a719a4a 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx @@ -139,7 +139,7 @@ export const AuditdGenericDetails = React.memo( const primary: string | null | undefined = get('auditd.summary.actor.primary[0]', data); const secondary: string | null | undefined = get('auditd.summary.actor.secondary[0]', data); const args: string[] | null | undefined = get('process.args', data); - console.log(session); + if (data.process != null) { return (
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts index 7c399c5ad4800..47bd1d27d0dc5 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/__mocks__/index.ts @@ -177,9 +177,14 @@ export const sequenceResponse = { 'user.name': ['SYSTEM'], }, }, + ], + }, + { + join_keys: ['win2019-endpoint-mr-pedro'], + events: [ { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'qxymg3cBX5UUcOOYP3Ec', + _id: 'qhymg3cBX5UUcOOYP3Ec', _source: {}, fields: { 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], 
@@ -370,209 +375,6 @@ export const sequenceResponse = { { join_keys: ['win2019-endpoint-mr-pedro'], events: [ - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'qhymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3377092Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.name': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - ], - 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 'host.os.name': ['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293866], - 'event.ingested': ['2021-02-08T21:57:26.417559711Z'], - 'event.created': 
['2021-02-08T21:50:28.3377092Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/O'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3377142Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - ], - 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 'host.os.name': ['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293867], - 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], - 
'event.created': ['2021-02-08T21:50:28.3377142Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'rBymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3381013Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - ], - 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 'host.os.name': ['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293868], - 'event.ingested': 
['2021-02-08T21:57:26.417632166Z'], - 'event.created': ['2021-02-08T21:50:28.3381013Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3377142Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - ], - 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 'host.os.name': ['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293867], - 
'event.ingested': ['2021-02-08T21:57:26.417596906Z'], - 'event.created': ['2021-02-08T21:50:28.3377142Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, { _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', _id: 'rBymg3cBX5UUcOOYP3Ec', @@ -613,12 +415,10 @@ export const sequenceResponse = { 'event.created': ['2021-02-08T21:50:28.3381013Z'], 'event.kind': ['event'], 'event.module': ['endpoint'], - 'event.action': ['log_on'], 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], + 'event.category': [], + 'event.type': [], 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], 'user.domain': ['NT AUTHORITY'], 'user.name': ['SYSTEM'], }, @@ -632,7 +432,7 @@ export const sequenceResponse = { 'agent.type': ['endpoint'], 'agent.version': ['7.10.0'], '@timestamp': ['2021-02-08T21:50:28.3446355Z'], - message: ['Endpoint security event'], + message: ['Endpoint process event'], 'process.Ext.ancestry': [ 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', @@ -681,7 +481,7 @@ export const sequenceResponse = { 'ecs.version': ['1.5.0'], 'data_stream.namespace': ['default'], 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], + 'data_stream.dataset': ['endpoint.events.process'], 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], 'host.hostname': ['win2019-endpoint-mr-pedro'], 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], 
@@ -701,42 +501,46 @@ export const sequenceResponse = { 'event.created': ['2021-02-08T21:50:28.3446355Z'], 'event.kind': ['event'], 'event.module': ['endpoint'], - 'event.action': ['log_on'], + 'event.action': ['start'], 'event.id': ['LzzWB9jjGmCwGMvk++++FG/K'], - 'event.category': ['authentication', 'session'], + 'event.category': ['process'], 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], + 'event.dataset': ['endpoint.events.process'], 'user.domain': [''], 'user.name': [''], }, }, - ], - }, - { - join_keys: ['win2019-endpoint-mr-pedro'], - events: [ { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'qhymg3cBX5UUcOOYP3Ec', + _index: '.ds-logs-endpoint.events.network-default-2021.02.02-000005', + _id: 'qBymg3cBX5UUcOOYP3Ec', _source: {}, fields: { 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], 'agent.type': ['endpoint'], 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3377092Z'], - message: ['Endpoint security event'], + '@timestamp': ['2021-02-08T21:50:28.5553532Z'], + message: ['Endpoint network event'], 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', ], - 'process.name': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.name': ['svchost.exe'], 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTk2OC0xMzI1NTA3ODY3My4yNjQyNDcyMDA=', ], - 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], + 'process.executable': ['C:\\Windows\\System32\\svchost.exe'], 'ecs.version': ['1.5.0'], + 'destination.address': ['10.128.0.57'], + 'destination.port': [3389], + 'destination.bytes': 
[1681], + 'destination.ip': ['10.128.0.57'], + 'source.address': ['142.202.189.139'], + 'source.port': [16151], + 'source.bytes': [1224], + 'source.ip': ['142.202.189.139'], + 'network.transport': ['tcp'], + 'network.type': ['ipv4'], + 'network.direction': ['incoming'], 'data_stream.namespace': ['default'], 'data_stream.type': ['logs'], 'data_stream.dataset': ['endpoint.events.security'], 
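Review bot: The rewritten fixture entry now describes a network event (`_index: '.ds-logs-endpoint.events.network-default-2021.02.02-000005'`, `message: ['Endpoint network event']`, plus the added `source.*`, `destination.*` and `network.*` fields), yet the unchanged context line closing this hunk still carries `'data_stream.dataset': ['endpoint.events.security']`, so the mock is internally inconsistent. If no test asserts on the dataset this is cosmetic, but a fixture that mixes security and network datasets on one event can hide a real defect in any dataset-based handling the formatter grows later. Changing that line to `'data_stream.dataset': ['endpoint.events.network'],` keeps the entry coherent with the rest of the rewrite. The enclosing `sequenceResponse` object starts and ends outside this hunk.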
@@ -754,309 +558,20 @@ export const sequenceResponse = { 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], 'host.mac': ['42:01:0a:80:00:39'], 'host.architecture': ['x86_64'], - 'event.sequence': [3293866], - 'event.ingested': ['2021-02-08T21:57:26.417559711Z'], - 'event.created': ['2021-02-08T21:50:28.3377092Z'], + 'event.sequence': [3293864], + 'event.ingested': ['2021-02-08T21:57:26.417451347Z'], + 'event.created': ['2021-02-08T21:50:28.5553532Z'], 'event.kind': ['event'], 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/O'], - 'event.category': ['authentication', 'session'], + 'event.action': ['disconnect_received'], + 'event.id': ['LzzWB9jjGmCwGMvk++++FG/L'], + 'event.category': ['network'], 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], + 'event.dataset': ['endpoint.events.network'], 'user.domain': ['NT AUTHORITY'], 'user.name': ['SYSTEM'], }, }, - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3377142Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - ], - 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 'host.os.name': ['Windows'], - 
'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293867], - 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], - 'event.created': ['2021-02-08T21:50:28.3377142Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'rBymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3381013Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - ], - 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 'host.os.name': 
['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293868], - 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], - 'event.created': ['2021-02-08T21:50:28.3381013Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'qxymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3377142Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - ], - 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 
'host.os.name': ['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293867], - 'event.ingested': ['2021-02-08T21:57:26.417596906Z'], - 'event.created': ['2021-02-08T21:50:28.3377142Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/P'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, - { - _index: '.ds-logs-endpoint.events.security-default-2021.02.05-000005', - _id: 'rBymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3381013Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=', - ], - 'process.executable': ['C:\\Windows\\System32\\lsass.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 
Datacenter'], - 'host.os.name': ['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293868], - 'event.ingested': ['2021-02-08T21:57:26.417632166Z'], - 'event.created': ['2021-02-08T21:50:28.3381013Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/Q'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': ['NT AUTHORITY'], - 'user.name': ['SYSTEM'], - }, - }, - { - _index: '.ds-logs-endpoint.events.process-default-2021.02.02-000005', - _id: 'pxymg3cBX5UUcOOYP3Ec', - _source: {}, - fields: { - 'agent.id': ['1d15cf9e-3dc7-5b97-f586-743f7c2518b2'], - 'agent.type': ['endpoint'], - 'agent.version': ['7.10.0'], - '@timestamp': ['2021-02-08T21:50:28.3446355Z'], - message: ['Endpoint security event'], - 'process.Ext.ancestry': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTIzODAtMTMyNTUwNzg2ODkuOTY1Nzg1NTAw', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU2OC0xMzI1NTA3ODY2Ny4zMjk3MDY2MDA=', - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTQ2OC0xMzI1NTA3ODY2NS42Mzg5MzY1MDA=', - ], - 'process.Ext.code_signature': [ - { - trusted: true, - subject_name: 'Microsoft Corporation', - exists: true, - status: 'trusted', - }, - ], - 'process.Ext.token.integrity_level_name': ['high'], - 
'process.Ext.token.elevation_level': ['default'], - 'process.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw', - ], - 'process.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-y'], - 'process.parent.args': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe', '-R'], - 'process.parent.name': ['sshd.exe'], - 'process.parent.pid': [5284], - 'process.parent.args_count': [2], - 'process.parent.entity_id': [ - 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw', - ], - 'process.parent.command_line': [ - '"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -R', - ], - 'process.parent.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], - 'process.code_signature.trusted': [true], - 'process.code_signature.subject_name': ['Microsoft Corporation'], - 'process.code_signature.exists': [true], - 'process.code_signature.status': ['trusted'], - 'process.name': ['sshd.exe'], - 'process.pid': [6368], - 'process.args_count': [2], - 'process.command_line': ['"C:\\Program Files\\OpenSSH-Win64\\sshd.exe" -y'], - 'process.hash.sha1': ['631244d731f406394c17c7dfd85203e317c74814'], - 'process.hash.sha256': [ - 'e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0', - ], - 'process.hash.md5': ['331ba0e529810ef718dd3efbd1242302'], - 'process.executable': ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'], - 'ecs.version': ['1.5.0'], - 'data_stream.namespace': ['default'], - 'data_stream.type': ['logs'], - 'data_stream.dataset': ['endpoint.events.security'], - 'elastic.agent.id': ['f5dec71e-438c-424e-ac9b-0281f10412b9'], - 'host.hostname': ['win2019-endpoint-mr-pedro'], - 'host.os.Ext.variant': ['Windows Server 2019 Datacenter'], - 'host.os.name': ['Windows'], - 'host.os.kernel': ['1809 (10.0.17763.1697)'], - 'host.os.family': ['windows'], - 'host.os.version': ['1809 (10.0.17763.1697)'], - 'host.os.platform': ['windows'], - 'host.os.full': ['Windows Server 2019 Datacenter 1809 
(10.0.17763.1697)'], - 'host.ip': ['10.128.0.57', 'fe80::9ced:8f1c:880b:3e1f', '127.0.0.1', '::1'], - 'host.name': ['win2019-endpoint-mr-pedro'], - 'host.id': ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], - 'host.mac': ['42:01:0a:80:00:39'], - 'host.architecture': ['x86_64'], - 'event.sequence': [3293863], - 'event.ingested': ['2021-02-08T21:57:26.417387865Z'], - 'event.created': ['2021-02-08T21:50:28.3446355Z'], - 'event.kind': ['event'], - 'event.module': ['endpoint'], - 'event.action': ['log_on'], - 'event.id': ['LzzWB9jjGmCwGMvk++++FG/K'], - 'event.category': ['authentication', 'session'], - 'event.type': ['start'], - 'event.dataset': ['endpoint.events.security'], - 'event.outcome': ['success'], - 'user.domain': [''], - 'user.name': [''], - }, - }, ], }, ], From 66db221b5c34be5a1233ff980b3e03fd9aac75ef Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Wed, 27 Apr 2022 20:28:08 -0700 Subject: [PATCH 05/31] removed docValueFields --- .../body/renderers/auditd/generic_details.tsx | 1 - .../common/search_strategy/timeline/index.ts | 2 -- x-pack/plugins/timelines/server/plugin.ts | 6 ----- .../plugins/timelines/server/routes/index.ts | 24 ------------------- .../search_strategy/timeline/eql/helpers.ts | 7 ++++++ .../timeline/factory/events/all/index.ts | 1 + .../events/all/query.events_all.dsl.test.ts | 22 ----------------- .../events/all/query.events_all.dsl.ts | 12 +++++++--- .../timeline/factory/events/details/index.ts | 7 +++--- .../details/query.events_details.dsl.test.ts | 21 ---------------- .../details/query.events_details.dsl.ts | 11 +++++---- .../query.events_last_event_time.dsl.ts | 5 ---- 12 files changed, 27 insertions(+), 92 deletions(-) delete mode 100644 x-pack/plugins/timelines/server/routes/index.ts 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
index 0122c4a719a4a..c4e0915810970 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
@@ -139,7 +139,6 @@ export const AuditdGenericDetails = React.memo(
 const primary: string | null | undefined = get('auditd.summary.actor.primary[0]', data);
 const secondary: string | null | undefined = get('auditd.summary.actor.secondary[0]', data);
 const args: string[] | null | undefined = get('process.args', data);
-
 if (data.process != null) {
 return (
diff --git a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
index 7e37d1d092edf..baa9de15f55ea 100644
--- a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
@@ -20,7 +20,6 @@ import {
 EntityType,
 } from './events';
 import {
- DocValueFields,
 PaginationInputPaginated,
 TimerangeInput,
 SortField,
@@ -41,7 +40,6 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {
 timerange: TimerangeInput;
 filterQuery: ESQuery | string | undefined;
 defaultIndex: string[];
- docValueFields?: DocValueFields[];
 factoryQueryType?: TimelineFactoryQueryTypes;
 entityType?: EntityType;
 runtimeMappings: MappingRuntimeFields;
diff --git a/x-pack/plugins/timelines/server/plugin.ts b/x-pack/plugins/timelines/server/plugin.ts
index 3cc8356a90280..e7af669344d12 100644
--- a/x-pack/plugins/timelines/server/plugin.ts
+++ b/x-pack/plugins/timelines/server/plugin.ts
@@ -9,7 +9,6 @@ import { PluginInitializerContext, CoreSetup, CoreStart, Plugin, Logger } from '
 import { SecurityPluginSetup } from '@kbn/security-plugin/server';
 import { SetupPlugins, StartPlugins, TimelinesPluginUI, TimelinesPluginStart } from './types';
-import { defineRoutes } from './routes';
 import { timelineSearchStrategyProvider } from './search_strategy/timeline';
 import { timelineEqlSearchStrategyProvider } from './search_strategy/timeline/eql';
 import { indexFieldsProvider } from './search_strategy/index_fields';
@@ -28,11 +27,6 @@ export class TimelinesPlugin
 this.logger.debug('timelines: Setup');
 this.security = plugins.security;
- const router = core.http.createRouter();
-
- // Register server side APIs
- defineRoutes(router);
-
 const IndexFields = indexFieldsProvider(core.getStartServices);
 // Register search strategy
 core.getStartServices().then(([_, depsStart]) => {
diff --git a/x-pack/plugins/timelines/server/routes/index.ts b/x-pack/plugins/timelines/server/routes/index.ts
deleted file mode 100644
index c4cd611ca6719..0000000000000
--- a/x-pack/plugins/timelines/server/routes/index.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { IRouter } from '@kbn/core/server';
-
-export function defineRoutes(router: IRouter) {
- router.get(
- {
- path: '/api/timeline/example',
- validate: false,
- },
- async (context, request, response) => {
- return response.ok({
- body: {
- time: new Date().toISOString(),
- },
- });
- }
- );
-}
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts
index c30a11ef76f1e..bec9eb8739680 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts
@@ -58,6 +58,13 @@ export const buildEqlDsl = (options: TimelineEqlRequestOptions): Record = { ): Promise => {
 // eslint-disable-next-line prefer-const
 let { fieldRequested, ...queryOptions } = cloneDeep(options);
+ queryOptions.fields = buildFieldsRequest(fieldRequested, queryOptions.excludeEcsData);
 const { activePage, querySize } = options.pagination;
 const producerBuckets = getOr([], 'aggregations.producers.buckets', response.rawResponse);
 const totalCount = response.rawResponse.hits.total || 0;
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts
index f6e7c69740b27..e68785feeb0ea 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts
@@ -11,17 +11,9 @@ import { buildTimelineEventsAllQuery } from './query.events_all.dsl';
 describe('buildTimelineEventsAllQuery', () => {
 it('should return ip details query if index key is ipDetails', () => {
 const defaultIndex = ['.siem-signals-default'];
- const docValueFields = [
- { field: '@timestamp' },
- { field: 'agent.ephemeral_id' },
- { field: 'agent.id' },
- { field: 'agent.name' },
- ];
-
 const query = buildTimelineEventsAllQuery({
 fields: [],
 defaultIndex,
- docValueFields,
 filterQuery: '',
 language: 'eql',
 pagination: {
@@ -57,20 +49,6 @@ describe('buildTimelineEventsAllQuery', () => {
 },
 },
 },
- "docvalue_fields": Array [
- Object {
- "field": "@timestamp",
- },
- Object {
- "field": "agent.ephemeral_id",
- },
- Object {
- "field": "agent.id",
- },
- Object {
- "field": "agent.name",
- },
- ],
 "fields": Array [],
 "from": 0,
 "query": Object {
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
index 5fa1e2bb34007..9f6902c65f639 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
@@ -20,7 +20,6 @@ import { getPreferredEsType } from './helpers';
 export const buildTimelineEventsAllQuery = ({
 authFilter,
 defaultIndex,
- docValueFields,
 fields,
 filterQuery,
 pagination: { activePage, querySize },
@@ -69,7 +68,6 @@ export const buildTimelineEventsAllQuery = ({
 index: defaultIndex,
 ignore_unavailable: true,
 body: {
- ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
 aggregations: {
 producers: {
 terms: { field: ALERT_RULE_PRODUCER, exclude: ['alerts'] },
@@ -85,7 +83,15 @@ export const buildTimelineEventsAllQuery = ({
 size: querySize,
 track_total_hits: true,
 sort: getSortField(sort),
- fields,
+ fields: [
+ 'signal.*',
+ 'kibana.alert.*',
+ ...fields,
+ {
+ field: '@timestamp',
+ format: 'strict_date_optional_time',
+ },
+ ],
 _source: false,
 },
 };
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts
index 7eee054ca2718..28a9a4d116cad 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts
@@ -26,11 +26,10 @@ import { buildEcsObjects } from '../../helpers/build_ecs_objects';
 export const timelineEventsDetails: TimelineFactory = {
 buildDsl: ({ authFilter, ...options }: TimelineEventsDetailsRequestOptions) => {
- const { indexName, eventId, docValueFields = [], runtimeMappings = {} } = options;
+ const { indexName, eventId, runtimeMappings = {} } = options;
 return buildTimelineDetailsQuery({
 indexName,
 id: eventId,
- docValueFields,
 runtimeMappings,
 authFilter,
 });
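Review bot: The new `fields:` array in query.events_all.dsl.ts always contains `'signal.*'`, `'kibana.alert.*'` and the `@timestamp` entry even when the caller passes `fields: []`, yet the inline snapshot in query.events_all.dsl.test.ts still expects `"fields": Array [],` as an unchanged context line, and the diffstat shows only deletions in that test file, so the test will no longer pass. The two wildcard patterns are also now requested unconditionally for every timeline events query regardless of what `defaultIndex` names, and duplicate any alert field a caller already lists in `fields`; if that is intended, say so next to the array, e.g. `// alert fields are always requested so alerts and events share one query shape`, otherwise gate them on the index list. `buildTimelineEventsAllQuery` starts outside the hunk.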
@@ -39,13 +38,13 @@ export const timelineEventsDetails: TimelineFactory ): Promise => {
- const { indexName, eventId, docValueFields = [], runtimeMappings = {} } = options;
+ const { indexName, eventId, runtimeMappings = {} } = options;
 const { fields, ...hitsData } = cloneDeep(response.rawResponse.hits.hits[0] ?? {});
 const inspect = {
 dsl: [
 inspectStringifyObject(
- buildTimelineDetailsQuery({ indexName, id: eventId, docValueFields, runtimeMappings })
+ buildTimelineDetailsQuery({ indexName, id: eventId, runtimeMappings })
 ),
 ],
 };
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts
index fa9376d2c61ba..5d2c32ca1aa37 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts
@@ -11,17 +11,10 @@ describe('buildTimelineDetailsQuery', () => {
 it('returns the expected query', () => {
 const indexName = '.siem-signals-default';
 const eventId = 'f0a936d50b5b3a5a193d415459c14587fe633f7e519df7b5dc151d56142680e3';
- const docValueFields = [
- { field: '@timestamp' },
- { field: 'agent.ephemeral_id' },
- { field: 'agent.id' },
- { field: 'agent.name' },
- ];
 const query = buildTimelineDetailsQuery({
 indexName,
 id: eventId,
- docValueFields,
 runtimeMappings: {},
 });
@@ -30,20 +23,6 @@ describe('buildTimelineDetailsQuery', () => {
 "allow_no_indices": true,
 "body": Object {
 "_source": false,
- "docvalue_fields": Array [
- Object {
- "field": "@timestamp",
- },
- Object {
- "field": "agent.ephemeral_id",
- },
- Object {
- "field": "agent.id",
- },
- Object {
- "field": "agent.name",
- },
- ],
 "fields": Array [
 Object {
 "field": "*",
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
index ab19df737e233..084e6cf2e39c2 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
@@ -11,13 +11,11 @@ import { DocValueFields } from '../../../../../../common/search_strategy';
 export const buildTimelineDetailsQuery = ({
 authFilter,
- docValueFields,
 id,
 indexName,
 runtimeMappings,
 }: {
 authFilter?: JsonObject;
- docValueFields: DocValueFields[];
 id: string;
 indexName: string;
 runtimeMappings: MappingRuntimeFields;
@@ -45,9 +43,14 @@ export const buildTimelineDetailsQuery = ({
 index: indexName,
 ignore_unavailable: true,
 body: {
- docvalue_fields: docValueFields,
 query,
- fields: [{ field: '*', include_unmapped: true }],
+ fields: [
+ { field: '*', include_unmapped: true },
+ {
+ field: '@timestamp',
+ format: 'strict_date_optional_time',
+ },
+ ],
 // Remove and instead pass index_pattern.id once issue resolved: https://github.com/elastic/kibana/issues/111762
 runtime_mappings: runtimeMappings,
 _source: false,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
index 880914fcd6c84..45f6ee3d198d0 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
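Review bot: Removing `docValueFields: DocValueFields[]` from the parameter type leaves the import shown in the hunk context, `import { DocValueFields } from '../../../../../../common/search_strategy';`, with no use visible in this hunk; unless the type is referenced elsewhere in the file it is now dead and the unused-import lint rule will reject the commit, so drop it here. The second hunk lists `@timestamp` explicitly next to `{ field: '*', include_unmapped: true }`, which already matches it; a one-line comment giving the reason for the second entry (presumably the `strict_date_optional_time` rendering) would stop the next reader from "deduplicating" it. `buildTimelineDetailsQuery` continues outside the hunk.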
@@ -22,7 +22,6 @@ export const buildLastEventTimeQuery = ({
 indexKey,
 details,
 defaultIndex,
- docValueFields,
 }: TimelineEventsLastEventTimeRequestOptions) => {
 const indicesToQuery: EventIndices = {
 hosts: defaultIndex,
@@ -44,7 +43,6 @@ export const buildLastEventTimeQuery = ({
 ignore_unavailable: true,
 track_total_hits: false,
 body: {
- ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
 query: { bool: { filter: { bool: { should: getIpDetailsFilter(details.ip) } } } },
 _source: false,
 fields: ['@timestamp'],
@@ -68,7 +66,6 @@ export const buildLastEventTimeQuery = ({
 ignore_unavailable: true,
 track_total_hits: false,
 body: {
- ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
 query: { bool: { filter: getHostDetailsFilter(details.hostName) } },
 _source: false,
 fields: ['@timestamp'],
@@ -92,7 +89,6 @@ export const buildLastEventTimeQuery = ({
 ignore_unavailable: true,
 track_total_hits: false,
 body: {
- ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
 query: { bool: { filter: getUserDetailsFilter(details.userName) } },
 _source: false,
 fields: ['@timestamp'],
@@ -117,7 +113,6 @@ export const buildLastEventTimeQuery = ({
 ignore_unavailable: true,
 track_total_hits: false,
 body: {
- ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
 query: { match_all: {} },
 _source: false,
 fields: ['@timestamp'],
From 2ed5ca72094b778e6d1fd3b1b8523395f8a8a71e Mon Sep 17 00:00:00 2001
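Review bot: All four `...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {})` spreads are removed and the diffstat lists exactly five deletions for this file, so the `isEmpty` import (outside these hunks) is presumably left with no remaining use; confirm and remove it in the same commit, otherwise lint fails on the unused import. The same check applies to `isEmpty` in query.events_all.dsl.ts, whose only visible use was the `docvalue_fields` spread removed in that file's hunk. `buildLastEventTimeQuery`'s body continues between and after the hunks.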
From: Yuliia Naumenko Date: Sun, 1 May 2022 17:49:33 -0700 Subject: [PATCH 06/31] - --- .../components/last_event_time/index.test.tsx | 8 +- .../components/last_event_time/index.tsx | 8 +- .../events/last_event_time/index.ts | 9 +- .../public/hosts/pages/details/index.tsx | 1 - .../public/hosts/pages/hosts.tsx | 1 - .../public/network/pages/details/index.tsx | 1 - .../public/network/pages/network.tsx | 1 - .../side_panel/event_details/index.tsx | 261 ++++++++++++------ .../timelines/components/side_panel/index.tsx | 12 +- .../timeline/eql_tab_content/index.tsx | 3 - .../timeline/pinned_tab_content/index.tsx | 2 - .../timeline/query_tab_content/index.tsx | 3 - .../timelines/containers/details/index.tsx | 29 +- .../public/timelines/containers/index.tsx | 5 - .../public/users/pages/details/index.tsx | 4 +- .../public/users/pages/details/types.ts | 1 - .../public/users/pages/users.tsx | 1 - .../components/t_grid/integrated/index.tsx | 4 - .../components/t_grid/standalone/index.tsx | 1 - .../timelines/public/container/index.tsx | 5 - .../details/query.events_details.dsl.test.ts | 12 + .../details/query.events_details.dsl.ts | 10 +- .../query.events_last_event_time.dsl.test.ts | 25 +- .../query.events_last_event_time.dsl.ts | 29 +- 24 files changed, 258 insertions(+), 178 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx index bee5f6d3f7e89..8e1970c36235f 100644 --- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx @@ -38,7 +38,7 @@ describe('Last Event Time Stat', () => { ]); const wrapper = mount( - + ); // Removed strict equality as the EuiLoader has been converted to Emotion and will no longer have the euiLoadingSpinner--medium class 
@@ -54,7 +54,7 @@ describe('Last Event Time Stat', () => {
 ]);
 const wrapper = mount(
-
+
 );
 expect(wrapper.find(LastEventTime).html()).toBe(
@@ -71,7 +71,7 @@ describe('Last Event Time Stat', () => {
 ]);
 const wrapper = mount(
-
+
 );
@@ -87,7 +87,7 @@ describe('Last Event Time Stat', () => {
 ]);
 const wrapper = mount(
-
+
 );
 expect(wrapper.find(LastEventTime).html()).toContain(getEmptyValue());
diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
index f5e24ddc072cf..2aca3b321d705 100644
--- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
@@ -9,13 +9,16 @@ import { EuiIcon, EuiLoadingSpinner, EuiToolTip } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 import React, { memo } from 'react';
+<<<<<<< HEAD
 import type { DocValueFields, LastEventIndexKey } from '../../../../common/search_strategy';
+=======
+import { LastEventIndexKey } from '../../../../common/search_strategy';
+>>>>>>> 438edfc81dd (removed docvalueFields props and deps)
 import { useTimelineLastEventTime } from '../../containers/events/last_event_time';
 import { getEmptyTagValue } from '../empty_value';
 import { FormattedRelativePreferenceDate } from '../formatted_date';
 export interface LastEventTimeProps {
- docValueFields: DocValueFields[];
 hostName?: string;
 userName?: string;
 indexKey: LastEventIndexKey;
@@ -24,9 +27,8 @@ export interface LastEventTimeProps {
 }
 export const LastEventTime = memo(
- ({ docValueFields, hostName, userName, indexKey, ip, indexNames }) => {
+ ({ hostName, userName, indexKey, ip, indexNames }) => {
 const [loading, { lastSeen, errorMessage }] = useTimelineLastEventTime({
- docValueFields,
 indexKey,
 indexNames,
 details: {
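Review bot: The first hunk of last_event_time/index.tsx commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 438edfc81dd (removed docvalueFields props and deps)` — into the import section, and the next file, containers/events/last_event_time/index.ts, carries the same markers around its `import type { DocValueFields }` line; neither file will parse. The non-HEAD side appears to be the intended resolution in both, since `docValueFields` is dropped from the props and hook arguments in the same hunks: keep only `import { LastEventIndexKey } from '../../../../common/search_strategy';` here and delete the `DocValueFields` import line in the containers file. Running `git diff --check` on the rebased series would have caught both.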
diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
index 6b5d064e9f4fa..8577eb9ad4cec 100644
--- a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
+++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
@@ -21,7 +21,10 @@ import type {
 } from '../../../../../common/search_strategy/timeline';
 import { TimelineEventsQueries } from '../../../../../common/search_strategy/timeline';
 import * as i18n from './translations';
+<<<<<<< HEAD
 import type { DocValueFields } from '../../../../../common/search_strategy';
+=======
+>>>>>>> 438edfc81dd (removed docvalueFields props and deps)
 import { useAppToasts } from '../../../hooks/use_app_toasts';
 export interface UseTimelineLastEventTimeArgs {
@@ -31,14 +34,12 @@ export interface UseTimelineLastEventTimeArgs {
 }
 interface UseTimelineLastEventTimeProps {
- docValueFields: DocValueFields[];
 indexKey: LastEventIndexKey;
 indexNames: string[];
 details: LastTimeDetails;
 }
 export const useTimelineLastEventTime = ({
- docValueFields,
 indexKey,
 indexNames,
 details,
@@ -51,7 +52,6 @@ export const useTimelineLastEventTime = ({
 const [TimelineLastEventTimeRequest, setTimelineLastEventTimeRequest] = useState({
 defaultIndex: indexNames,
- docValueFields,
 factoryQueryType: TimelineEventsQueries.lastEventTime,
 indexKey,
 details,
@@ -119,7 +119,6 @@ export const useTimelineLastEventTime = ({
 const myRequest = {
 ...prevRequest,
 defaultIndex: indexNames,
- docValueFields,
 indexKey,
 details,
 };
@@ -128,7 +127,7 @@ export const useTimelineLastEventTime = ({
 }
 return prevRequest;
 });
- }, [indexNames, details, docValueFields, indexKey]);
+ }, [indexNames, details, indexKey]);
 useEffect(() => {
 timelineLastEventTimeSearch(TimelineLastEventTimeRequest);
diff --git a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx index 1352c5d6ca504..81b01d3bd47d4 100644 --- a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx @@ -141,7 +141,6 @@ const HostDetailsComponent: React.FC = ({ detailName, hostDeta border subtitle={ { diff --git a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx index 2828d7cedc6dc..52d31ad735adb 100644 --- a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx @@ -141,7 +141,6 @@ const NetworkDetailsComponent: React.FC = () => { draggableArguments={headerDraggableArguments} subtitle={ ( diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index 4463d397b9564..8efe49110c3d1 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx 
@@ -5,26 +5,53 @@ * 2.0. */ -import { EuiSpacer } from '@elastic/eui'; -import React from 'react'; - +import { some } from 'lodash/fp'; +import { + EuiButtonEmpty, + EuiFlyoutHeader, + EuiFlyoutBody, + EuiSpacer, + EuiTitle, + EuiText, +} from '@elastic/eui'; +import React, { useState, useCallback, useMemo } from 'react'; +import styled from 'styled-components'; import deepEqual from 'fast-deep-equal'; -import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import type { EntityType } from '@kbn/timelines-plugin/common'; -import type { BrowserFields, DocValueFields } from '../../../../common/containers/source'; +import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { EntityType } from '@kbn/timelines-plugin/common'; +import { BrowserFields } from '../../../../common/containers/source'; import { ExpandableEvent, ExpandableEventTitle } from './expandable_event'; import { useTimelineEventsDetails } from '../../../containers/details'; -import type { TimelineTabs } from '../../../../../common/types/timeline'; +import { TimelineTabs } from '../../../../../common/types/timeline'; +import { HostIsolationPanel } from '../../../../detections/components/host_isolation'; +import { EndpointIsolateSuccess } from '../../../../common/components/endpoint/host_isolation'; +import { + ISOLATE_HOST, + UNISOLATE_HOST, +} from '../../../../detections/components/host_isolation/translations'; +import { getFieldValue } from '../../../../detections/components/host_isolation/helpers'; +import { ALERT_DETAILS } from './translations'; +import { useWithCaseDetailsRefresh } from '../../../../common/components/endpoint/host_isolation/endpoint_host_isolation_cases_context'; +import { EventDetailsFooter } from './footer'; import { buildHostNamesFilter } from '../../../../../common/search_strategy'; -import type { HostRisk } from '../../../../risk_score/containers'; -import { useHostRiskScore } from 
'../../../../risk_score/containers'; -import { useHostIsolationTools } from './use_host_isolation_tools'; -import { FlyoutBody, FlyoutHeader, FlyoutFooter } from './flyout'; -import { useBasicDataFromDetailsData } from './helpers'; +import { useHostRiskScore, HostRisk } from '../../../../risk_score/containers'; + +const StyledEuiFlyoutBody = styled(EuiFlyoutBody)` + .euiFlyoutBody__overflow { + display: flex; + flex: 1; + overflow: hidden; + + .euiFlyoutBody__overflowContent { + flex: 1; + overflow: hidden; + padding: ${({ theme }) => `0 ${theme.eui.paddingSizes.m} ${theme.eui.paddingSizes.m}`}; + } + } +`; interface EventDetailsPanelProps { browserFields: BrowserFields; - docValueFields: DocValueFields[]; entityType?: EntityType; expandedEvent: { eventId: string; @@ -42,7 +69,6 @@ interface EventDetailsPanelProps { const EventDetailsPanelComponent: React.FC = ({ browserFields, - docValueFields, entityType = 'events', // Default to events so only alerts have to pass entityType in expandedEvent, handleOnEventClosed, @@ -55,7 +81,6 @@ const EventDetailsPanelComponent: React.FC = ({ }) => { const [loading, detailsData, rawEventData, ecsData, refetchFlyoutData] = useTimelineEventsDetails( { - docValueFields, entityType, indexName: expandedEvent.indexName ?? '', eventId: expandedEvent.eventId ?? '', 
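Review bot: The `@@ -5,26 +5,53 @@` hunk turns several type-only imports into value imports — `MappingRuntimeFields`, `EntityType`, `BrowserFields`, `TimelineTabs` and `HostRisk` appear to be used only in type positions in the visible code — and the `side_panel/index.tsx` hunk further down does the same for `EuiFlyoutProps`, `MappingRuntimeFields`, `EntityType` and `BrowserFields`; keep them as `import type { … }` so they are erased under `isolatedModules` and do not pull runtime modules into the bundle. The same hunk also replaces the extracted `useHostIsolationTools`, `useBasicDataFromDetailsData` and `FlyoutBody`/`FlyoutHeader`/`FlyoutFooter` helpers with inlined copies and a local `StyledEuiFlyoutBody`; if the branch was rebased onto an older base this looks like an accidental revert of a later refactor, which is worth confirming before merge. The enclosing component continues past this hunk.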
@@ -64,17 +89,43 @@ const EventDetailsPanelComponent: React.FC = ({ } ); - const { - isolateAction, - isHostIsolationPanelOpen, - isIsolateActionSuccessBannerVisible, - handleIsolationActionSuccess, - showAlertDetails, - showHostIsolationPanel, - } = useHostIsolationTools(); + const [isHostIsolationPanelOpen, setIsHostIsolationPanel] = useState(false); + + const [isolateAction, setIsolateAction] = useState<'isolateHost' | 'unisolateHost'>( + 'isolateHost' + ); + + const [isIsolateActionSuccessBannerVisible, setIsIsolateActionSuccessBannerVisible] = + useState(false); + + const showAlertDetails = useCallback(() => { + setIsHostIsolationPanel(false); + setIsIsolateActionSuccessBannerVisible(false); + }, []); + + const showHostIsolationPanel = useCallback((action) => { + if (action === 'isolateHost' || action === 'unisolateHost') { + setIsHostIsolationPanel(true); + setIsolateAction(action); + } + }, []); + + const isAlert = some({ category: 'kibana', field: 'kibana.alert.rule.uuid' }, detailsData); + + const ruleName = useMemo( + () => getFieldValue({ category: 'kibana', field: 'kibana.alert.rule.name' }, detailsData), + [detailsData] + ); + + const alertId = useMemo( + () => getFieldValue({ category: '_id', field: '_id' }, detailsData), + [detailsData] + ); - const { alertId, isAlert, hostName, ruleName, timestamp } = - useBasicDataFromDetailsData(detailsData); + const hostName = useMemo( + () => getFieldValue({ category: 'host', field: 'host.name' }, detailsData), + [detailsData] + ); const [hostRiskLoading, { data, isModuleEnabled }] = useHostRiskScore({ filterQuery: hostName ? buildHostNamesFilter([hostName]) : undefined, @@ -92,53 +143,105 @@ const EventDetailsPanelComponent: React.FC = ({ } : null; + const timestamp = useMemo( + () => getFieldValue({ category: 'base', field: '@timestamp' }, detailsData), + [detailsData] + ); + + const backToAlertDetailsLink = useMemo(() => { + return ( + <> + showAlertDetails()} + > + +
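Review bot: In the `@@ -64,17 +89,43 @@` hunk the `showHostIsolationPanel` callback declares its parameter without a type, `useCallback((action) => {`, which is an implicit `any` under `strict` and hides the contract that the following `if` then re-checks at runtime. Annotate it with the same union the state already uses, `const showHostIsolationPanel = useCallback((action: 'isolateHost' | 'unisolateHost') => {`, so callers passing anything else are rejected by the compiler rather than silently ignored. The component body continues beyond this hunk.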

{ALERT_DETAILS}

+
+
+ +

{isolateAction === 'isolateHost' ? ISOLATE_HOST : UNISOLATE_HOST}

+
+ + ); + }, [showAlertDetails, isolateAction]); + + const caseDetailsRefresh = useWithCaseDetailsRefresh(); + + const handleIsolationActionSuccess = useCallback(() => { + setIsIsolateActionSuccessBannerVisible(true); + // If a case details refresh ref is defined, then refresh actions and comments + if (caseDetailsRefresh) { + caseDetailsRefresh.refreshCase(); + } + }, [caseDetailsRefresh]); + if (!expandedEvent?.eventId) { return null; } return isFlyoutView ? ( <> - - - + + {isHostIsolationPanelOpen ? ( + backToAlertDetailsLink + ) : ( + + )} + + {isIsolateActionSuccessBannerVisible && ( + + )} + + {isHostIsolationPanelOpen ? ( + + ) : ( + + )} + + + {!isReadOnly && ( + + )} ) : ( <> @@ -162,18 +265,19 @@ const EventDetailsPanelComponent: React.FC = ({ hostRisk={hostRisk} handleOnEventClosed={handleOnEventClosed} /> - + {!isReadOnly && ( + + )} ); }; @@ -182,7 +286,6 @@ export const EventDetailsPanel = React.memo( EventDetailsPanelComponent, (prevProps, nextProps) => deepEqual(prevProps.browserFields, nextProps.browserFields) && - deepEqual(prevProps.docValueFields, nextProps.docValueFields) && deepEqual(prevProps.expandedEvent, nextProps.expandedEvent) && prevProps.timelineId === nextProps.timelineId && prevProps.isDraggable === nextProps.isDraggable diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx index 1d261875a1f18..59a6dc07cfc48 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx 
@@ -7,14 +7,13 @@ import React, { useCallback, useMemo } from 'react'; import { useDispatch } from 'react-redux'; -import type { EuiFlyoutProps } from '@elastic/eui'; -import { EuiFlyout } from '@elastic/eui'; +import { EuiFlyout, EuiFlyoutProps } from '@elastic/eui'; -import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import type { EntityType } from '@kbn/timelines-plugin/common'; +import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { EntityType } from '@kbn/timelines-plugin/common'; import { timelineActions, timelineSelectors } from '../../store/timeline'; import { timelineDefaults } from '../../store/timeline/defaults'; -import type { BrowserFields, DocValueFields } from '../../../common/containers/source'; +import { BrowserFields } from '../../../common/containers/source'; import { TimelineId, TimelineTabs } from '../../../../common/types/timeline'; import { useDeepEqualSelector } from '../../../common/hooks/use_selector'; import { EventDetailsPanel } from './event_details'; @@ -24,7 +23,6 @@ import { UserDetailsPanel } from './user_details'; interface DetailsPanelProps { browserFields: BrowserFields; - docValueFields: DocValueFields[]; entityType?: EntityType; handleOnPanelClosed?: () => void; isFlyoutView?: boolean; @@ -42,7 +40,6 @@ interface DetailsPanelProps { export const DetailsPanel = React.memo( ({ browserFields, - docValueFields, entityType, handleOnPanelClosed, isFlyoutView, @@ -84,7 +81,6 @@ export const DetailsPanel = React.memo( visiblePanel = ( = ({ const { browserFields, dataViewId, - docValueFields, loading: loadingSourcerer, runtimeMappings, selectedPatterns, @@ -211,7 +210,6 @@ export const EqlTabContentComponent: React.FC = ({ const [isQueryLoading, { events, inspect, totalCount, pageInfo, loadPage, updatedAt, refetch }] = useTimelineEvents({ dataViewId, - docValueFields, endDate: end, eqlOptions: restEqlOption, fields: getTimelineQueryFields(), 
@@ -355,7 +353,6 @@ export const EqlTabContentComponent: React.FC = ({ = ({ const [isQueryLoading, { events, totalCount, pageInfo, loadPage, updatedAt, refetch }] = useTimelineEvents({ - docValueFields, endDate: '', id: `pinned-${timelineId}`, indexNames: selectedPatterns, @@ -276,7 +275,6 @@ export const PinnedTabContentComponent: React.FC = ({ = ({ const { browserFields, dataViewId, - docValueFields, loading: loadingSourcerer, indexPattern, runtimeMappings, @@ -286,7 +285,6 @@ export const QueryTabContentComponent: React.FC = ({ const [isQueryLoading, { events, inspect, totalCount, pageInfo, loadPage, updatedAt, refetch }] = useTimelineEvents({ dataViewId, - docValueFields, endDate: end, fields: getTimelineQueryFields(), filterQuery: combinedQueries?.filterQuery, @@ -445,7 +443,6 @@ export const QueryTabContentComponent: React.FC = ({ { if (isCompleteResponse(response)) { - Promise.resolve().then(() => { - ReactDOM.unstable_batchedUpdates(() => { - setLoading(false); - setTimelineDetailsResponse(response.data || []); - setRawEventData(response.rawResponse.hits.hits[0]); - setEcsData(response.ecs || null); - searchSubscription$.current.unsubscribe(); - }); - }); + setLoading(false); + setTimelineDetailsResponse(response.data || []); + setRawEventData(response.rawResponse.hits.hits[0]); + setEcsData(response.ecs || null); + searchSubscription$.current.unsubscribe(); } else if (isErrorResponse(response)) { setLoading(false); addWarning(i18n.FAIL_TIMELINE_DETAILS); @@ -125,7 +117,6 @@ export const useTimelineEventsDetails = ({ setTimelineDetailsRequest((prevRequest) => { const myRequest = { ...(prevRequest ?? {}), - docValueFields, entityType, indexName, eventId, @@ -137,7 +128,7 @@ export const useTimelineEventsDetails = ({ } return prevRequest; }); - }, [docValueFields, entityType, eventId, indexName, runtimeMappings]); + }, [entityType, eventId, indexName, runtimeMappings]); useEffect(() => { timelineDetailsSearch(timelineDetailsRequest); 
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx index 4fb4be47c4bf2..989a8c73a418e 100644 --- a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx @@ -29,7 +29,6 @@ import type { TimelineEdges, TimelineItem, TimelineRequestSortField, - DocValueFields, } from '../../../common/search_strategy'; import { Direction, TimelineEventsQueries } from '../../../common/search_strategy'; import type { InspectResponse } from '../../types'; @@ -76,7 +75,6 @@ type TimelineResponse = T extends 'kuery' export interface UseTimelineEventsProps { dataViewId: string | null; - docValueFields?: DocValueFields[]; endDate: string; eqlOptions?: EqlOptionsSelected; fields: string[]; @@ -130,7 +128,6 @@ const deStructureEqlOptions = (eqlOptions?: EqlOptionsSelected) => ({ export const useTimelineEvents = ({ dataViewId, - docValueFields, endDate, eqlOptions = undefined, id = ID, @@ -366,7 +363,6 @@ export const useTimelineEvents = ({ const currentRequest = { defaultIndex: indexNames, - docValueFields: docValueFields ?? [], factoryQueryType: TimelineEventsQueries.all, fieldRequested: fields, fields: [], @@ -401,7 +397,6 @@ export const useTimelineEvents = ({ dispatch, indexNames, activePage, - docValueFields, endDate, eqlOptions, filterQuery, diff --git a/x-pack/plugins/security_solution/public/users/pages/details/index.tsx b/x-pack/plugins/security_solution/public/users/pages/details/index.tsx index 4fca3261e5d00..e0fe59d9a1667 100644 --- a/x-pack/plugins/security_solution/public/users/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/users/pages/details/index.tsx 
@@ -83,7 +83,7 @@ const UsersDetailsComponent: React.FC = ({ ); const getFilters = () => [...usersDetailsPageFilters, ...filters]; - const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView(); + const { indicesExist, indexPattern, selectedPatterns } = useSourcererDataView(); const [filterQuery, kqlError] = convertToBuildEsQuery({ config: getEsQueryConfig(kibana.services.uiSettings), @@ -132,7 +132,6 @@ const UsersDetailsComponent: React.FC = ({ border subtitle={ = ({ ; export type UsersDetailsTabsProps = UserBodyComponentDispatchProps & UsersQueryProps & { - docValueFields?: DocValueFields[]; indexNames: string[]; pageFilters?: Filter[]; filterQuery?: string; diff --git a/x-pack/plugins/security_solution/public/users/pages/users.tsx b/x-pack/plugins/security_solution/public/users/pages/users.tsx index 4aac53838661d..bf81b6dc1817b 100644 --- a/x-pack/plugins/security_solution/public/users/pages/users.tsx +++ b/x-pack/plugins/security_solution/public/users/pages/users.tsx @@ -187,7 +187,6 @@ const UsersComponent = () => { diff --git a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx index 0798012821e1e..c6a212628c9ff 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx @@ -19,7 +19,6 @@ import type { CoreStart } from '@kbn/core/public'; import type { DataPublicPluginStart } from '@kbn/data-plugin/public'; import { getEsQueryConfig } from '@kbn/data-plugin/common'; import { Direction, EntityType } from '../../../../common/search_strategy'; -import type { DocValueFields } from '../../../../common/search_strategy'; import type { BrowserFields } from '../../../../common/search_strategy/index_fields'; import { BulkActionsProp, 
@@ -105,7 +104,6 @@ export interface TGridIntegratedProps { defaultCellActions?: TGridCellAction[]; deletedEventIds: Readonly; disabledCellActions: string[]; - docValueFields: DocValueFields[]; end: string; entityType: EntityType; fieldBrowserOptions?: FieldBrowserOptions; @@ -151,7 +149,6 @@ const TGridIntegratedComponent: React.FC = ({ defaultCellActions, deletedEventIds, disabledCellActions, - docValueFields, end, entityType, fieldBrowserOptions, @@ -241,7 +238,6 @@ const TGridIntegratedComponent: React.FC = ({ alertConsumers: SECURITY_ALERTS_CONSUMERS, data, dataViewId, - docValueFields, endDate: end, entityType, fields, diff --git a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx index 396e64faa166b..1eb327d95827a 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx @@ -218,7 +218,6 @@ const TGridStandaloneComponent: React.FC = ({ { consumers, events, updatedAt, loadPage, pageInfo, refetch, totalCount = 0, inspect }, ] = useTimelineEvents({ dataViewId, - docValueFields: [], entityType, excludeEcsData: true, fields, diff --git a/x-pack/plugins/timelines/public/container/index.tsx b/x-pack/plugins/timelines/public/container/index.tsx index 4ab6856c6df49..9e41932990ca9 100644 --- a/x-pack/plugins/timelines/public/container/index.tsx +++ b/x-pack/plugins/timelines/public/container/index.tsx @@ -28,7 +28,6 @@ import { EntityType, } from '../../common/search_strategy'; import type { - DocValueFields, Inspect, PaginationInputPaginated, TimelineStrategyResponseType, @@ -75,7 +74,6 @@ export interface UseTimelineEventsProps { alertConsumers?: AlertConsumers[]; data?: DataPublicPluginStart; dataViewId: string | null; - docValueFields?: DocValueFields[]; endDate: string; entityType: EntityType; excludeEcsData?: boolean; 
@@ -121,7 +119,6 @@ const NO_CONSUMERS: AlertConsumers[] = []; export const useTimelineEvents = ({ alertConsumers = NO_CONSUMERS, dataViewId, - docValueFields, endDate, entityType, excludeEcsData = false, @@ -298,7 +295,6 @@ export const useTimelineEvents = ({ const currentRequest = { alertConsumers, defaultIndex: indexNames, - docValueFields: docValueFields ?? [], excludeEcsData, factoryQueryType: TimelineEventsQueries.all, fieldRequested: fields, @@ -331,7 +327,6 @@ export const useTimelineEvents = ({ dispatch, indexNames, activePage, - docValueFields, endDate, excludeEcsData, filterQuery, diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts index 5d2c32ca1aa37..373effdbe3fc1 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts @@ -28,6 +28,18 @@ describe('buildTimelineDetailsQuery', () => { "field": "*", "include_unmapped": true, }, + Object { + "field": "@timestamp", + "format": "strict_date_optional_time", + }, + Object { + "field": "code_signature.timestamp", + "format": "strict_date_optional_time", + }, + Object { + "field": "dll.code_signature.timestamp", + "format": "strict_date_optional_time", + }, ], "query": Object { "terms": Object { diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts index 084e6cf2e39c2..33ec6d02d6a1a 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts 
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts @@ -7,7 +7,6 @@ import { JsonObject } from '@kbn/utility-types'; import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { DocValueFields } from '../../../../../../common/search_strategy'; export const buildTimelineDetailsQuery = ({ authFilter, @@ -50,9 +49,18 @@ export const buildTimelineDetailsQuery = ({ field: '@timestamp', format: 'strict_date_optional_time', }, + { + field: 'code_signature.timestamp', + format: 'strict_date_optional_time', + }, + { + field: 'dll.code_signature.timestamp', + format: 'strict_date_optional_time', + }, ], // Remove and instead pass index_pattern.id once issue resolved: https://github.com/elastic/kibana/issues/111762 runtime_mappings: runtimeMappings, + stored_fields: ['*'], _source: false, }, size: 1, diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts index 32553b37d0542..fc7d2341f1781 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts 
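Review bot: The `@@ -50,9 +49,18 @@` hunk adds `stored_fields: ['*'],` next to the existing `_source: false` without saying why the query now needs stored fields in addition to `fields`, and the test snapshot in this series only records that it is there; a why-comment on that line, e.g. `// stored_fields is requested because _source is disabled and <consumer> reads <which fields> — confirm`, with the placeholders filled in, would keep the next reader from dropping it. The three `{ field: …, format: 'strict_date_optional_time' }` entries are also the same literal that the last_event_time and events_all queries in this series add for `@timestamp`; a shared constant for the date-field format would keep the four query builders from drifting apart. `buildTimelineDetailsQuery` starts outside the hunk.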
@@ -11,40 +11,21 @@ import { buildLastEventTimeQuery } from './query.events_last_event_time.dsl'; describe('buildLastEventTimeQuery', () => { it('should return ip details query if index key is ipDetails', () => { const defaultIndex = ['.siem-signals-default']; - const docValueFields = [ - { field: '@timestamp' }, - { field: 'agent.ephemeral_id' }, - { field: 'agent.id' }, - { field: 'agent.name' }, - ]; - const query = buildLastEventTimeQuery({ indexKey: LastEventIndexKey.ipDetails, details: { ip: '12345567' }, defaultIndex, - docValueFields, }); expect(query).toMatchInlineSnapshot(` Object { "allow_no_indices": true, "body": Object { "_source": false, - "docvalue_fields": Array [ + "fields": Array [ Object { "field": "@timestamp", - }, - Object { - "field": "agent.ephemeral_id", - }, - Object { - "field": "agent.id", - }, - Object { - "field": "agent.name", - }, - ], - "fields": Array [ - "@timestamp", + "format": "strict_date_optional_time", + } ], "query": Object { "bool": Object { diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts index 45f6ee3d198d0..24bd1aa6b9971 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { isEmpty } from 'lodash/fp'; import type { ISearchRequestParams } from '@kbn/data-plugin/common'; import { TimelineEventsLastEventTimeRequestOptions, 
@@ -45,7 +44,12 @@ export const buildLastEventTimeQuery = ({ body: { query: { bool: { filter: { bool: { should: getIpDetailsFilter(details.ip) } } } }, _source: false, - fields: ['@timestamp'], + fields: [ + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], size: 1, sort: [ { @@ -68,7 +72,12 @@ export const buildLastEventTimeQuery = ({ body: { query: { bool: { filter: getHostDetailsFilter(details.hostName) } }, _source: false, - fields: ['@timestamp'], + fields: [ + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], size: 1, sort: [ { @@ -91,7 +100,12 @@ export const buildLastEventTimeQuery = ({ body: { query: { bool: { filter: getUserDetailsFilter(details.userName) } }, _source: false, - fields: ['@timestamp'], + fields: [ + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], size: 1, sort: [ { @@ -115,7 +129,12 @@ export const buildLastEventTimeQuery = ({ body: { query: { match_all: {} }, _source: false, - fields: ['@timestamp'], + fields: [ + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], size: 1, sort: [ { From 9d92dea510678ef93628774f25b200cd4244d3bb Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Mon, 16 May 2022 16:29:31 -0700 Subject: [PATCH 07/31] fixed tests --- .../events/last_event_time/index.test.ts | 4 ---- .../components/side_panel/index.test.tsx | 2 -- .../plugins/timelines/public/mock/t_grid.tsx | 1 - .../timeline/eql/helpers.test.ts | 22 +++++++++++++++++++ .../events/all/query.events_all.dsl.test.ts | 9 +++++++- .../details/query.events_details.dsl.test.ts | 3 +++ .../query.events_last_event_time.dsl.test.ts | 2 +- 7 files changed, 34 insertions(+), 9 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.test.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.test.ts index 3f81a24b619f3..6fb6a2bcedbd8 100644 
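Review bot: All four hunks in `buildLastEventTimeQuery` replace `fields: ['@timestamp']` with the identical five-line object literal, so the same `{ field: '@timestamp', format: 'strict_date_optional_time' }` is now spelled out once per branch of the switch. Hoist it to a module-level `const TIMESTAMP_FIELD = { field: '@timestamp', format: 'strict_date_optional_time' } as const;` and write `fields: [TIMESTAMP_FIELD],` in each branch, so a future format change touches one line. The function's signature and the `switch` it wraps start outside these hunks.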
--- a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.test.ts +++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.test.ts @@ -67,7 +67,6 @@ describe('useTimelineLastEventTime', () => { useTimelineLastEventTime({ indexKey: LastEventIndexKey.hostDetails, details: {}, - docValueFields: [], indexNames: [], }) ); @@ -86,7 +85,6 @@ describe('useTimelineLastEventTime', () => { useTimelineLastEventTime({ indexKey: LastEventIndexKey.hostDetails, details: {}, - docValueFields: [], indexNames: [], }) ); @@ -95,7 +93,6 @@ describe('useTimelineLastEventTime', () => { expect(mockSearchStrategy.mock.calls[0][0]).toEqual({ defaultIndex: [], details: {}, - docValueFields: [], factoryQueryType: 'eventsLastEventTime', indexKey: 'hostDetails', }); @@ -111,7 +108,6 @@ describe('useTimelineLastEventTime', () => { useTimelineLastEventTime({ indexKey: LastEventIndexKey.hostDetails, details: {}, - docValueFields: [], indexNames: [], }) ); diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx index be52507d1ba07..375df66f0ad5c 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx @@ -91,7 +91,6 @@ describe('Details Panel Component', () => { const mockProps = { browserFields: {}, - docValueFields: [], handleOnPanelClosed: jest.fn(), isFlyoutView: false, runtimeMappings: {}, 
@@ -151,7 +150,6 @@ describe('Details Panel Component', () => { expect(wrapper.find('DetailsPanel')).toMatchSnapshot(` { Object { "allow_no_indices": true, "body": Object { + "_source": false, "event_category_field": "event.category", + "fields": Array [ + Object { + "field": "*", + "include_unmapped": true, + }, + Object { + "field": "@timestamp", + "format": "strict_date_optional_time", + }, + ], "filter": Object { "bool": Object { "filter": Array [ @@ -105,7 +116,18 @@ describe('Search Strategy EQL helper', () => { Object { "allow_no_indices": true, "body": Object { + "_source": false, "event_category_field": "event.super.category", + "fields": Array [ + Object { + "field": "*", + "include_unmapped": true, + }, + Object { + "field": "@timestamp", + "format": "strict_date_optional_time", + }, + ], "filter": Object { "bool": Object { "filter": Array [ diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts index e68785feeb0ea..b10344eff9e98 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.test.ts @@ -49,7 +49,14 @@ describe('buildTimelineEventsAllQuery', () => { }, }, }, - "fields": Array [], + "fields": Array [ + "signal.*", + "kibana.alert.*", + Object { + "field": "@timestamp", + "format": "strict_date_optional_time", + }, + ], "from": 0, "query": Object { "bool": Object { diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts index 373effdbe3fc1..81dd5580b5c24 100644 
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts @@ -49,6 +49,9 @@ describe('buildTimelineDetailsQuery', () => { }, }, "runtime_mappings": Object {}, + "stored_fields": Array [ + "*", + ], }, "ignore_unavailable": true, "index": ".siem-signals-default", diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts index fc7d2341f1781..5a17afbdd96d5 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.test.ts @@ -25,7 +25,7 @@ describe('buildLastEventTimeQuery', () => { Object { "field": "@timestamp", "format": "strict_date_optional_time", - } + }, ], "query": Object { "bool": Object { From e346db3431376acb8d39607c2c3253dda086e5ca Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Mon, 16 May 2022 22:22:04 -0700 Subject: [PATCH 08/31] - --- .../public/cases/pages/index.tsx | 3 +- .../common/components/events_viewer/index.tsx | 2 - .../components/alerts_table/actions.tsx | 1 - .../rules/rule_preview/preview_histogram.tsx | 3 - .../__snapshots__/index.test.tsx.snap | 2868 +++++++++++++---- .../side_panel/hooks/use_detail_panel.tsx | 4 +- .../timeline/notes_tab_content/index.tsx | 4 +- .../timeline/pinned_tab_content/index.tsx | 1 - .../timelines/containers/index.test.tsx | 1 - 9 files changed, 2325 insertions(+), 562 deletions(-) 
diff --git a/x-pack/plugins/security_solution/public/cases/pages/index.tsx b/x-pack/plugins/security_solution/public/cases/pages/index.tsx index 081f9a62ef96a..b89727ac864fc 100644 --- a/x-pack/plugins/security_solution/public/cases/pages/index.tsx +++ b/x-pack/plugins/security_solution/public/cases/pages/index.tsx @@ -27,13 +27,12 @@ import { DetailsPanel } from '../../timelines/components/side_panel'; import { useFetchAlertData } from './use_fetch_alert_data'; const TimelineDetailsPanel = () => { - const { browserFields, docValueFields, runtimeMappings } = useSourcererDataView( + const { browserFields, runtimeMappings } = useSourcererDataView( SourcererScopeName.detections ); return ( = ({ const { browserFields, dataViewId, - docValueFields, indexPattern, runtimeMappings, selectedPatterns, @@ -225,7 +224,6 @@ const StatefulEventsViewerComponent: React.FC = ({ defaultCellActions, deletedEventIds, disabledCellActions: FIELDS_WITHOUT_CELL_ACTIONS, - docValueFields, end, entityType, fieldBrowserOptions, diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx index e45232ef56791..81925ec0eed56 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx @@ -542,7 +542,6 @@ export const sendAlertToTimelineAction = async ({ >( { defaultIndex: [], - docValueFields: [], indexName: ecsData._index ?? '', eventId: ecsData._id, factoryQueryType: TimelineEventsQueries.details, diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/preview_histogram.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/preview_histogram.tsx index 57ce7b1d305a7..36e765119e5e7 100644 
--- a/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/preview_histogram.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/preview_histogram.tsx @@ -109,7 +109,6 @@ export const PreviewHistogram = ({ const { browserFields, - docValueFields, indexPattern, runtimeMappings, dataViewId: selectedDataViewId, @@ -205,7 +204,6 @@ export const PreviewHistogram = ({ dataProviders, deletedEventIds, disabledCellActions: FIELDS_WITHOUT_CELL_ACTIONS, - docValueFields, end: endDate, entityType: 'events', filters: [], @@ -235,7 +233,6 @@ export const PreviewHistogram = ({ ,
, + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + + class="euiLoadingContent__singleLine" + > + + , +
+
+
+
+
+
+
`; exports[`Details Panel Component DetailsPanel:HostDetails: rendering it should render the Host Details view in the Details Panel when the panelView is hostDetail and the hostName is set 1`] = ` @@ -748,6 +254,10 @@ exports[`Details Panel Component DetailsPanel:HostDetails: rendering it should r color: #535966; } +.c2 { + word-break: break-word; +} + .c2 dt { font-size: 12px !important; } @@ -804,7 +314,7 @@ exports[`Details Panel Component DetailsPanel:HostDetails: rendering it should r } .c4 { - padding: 16px; + padding: 12px; background: rgba(250,251,253,0.9); bottom: 0; left: 0; @@ -818,1070 +328,263 @@ exports[`Details Panel Component DetailsPanel:HostDetails: rendering it should r height: 100%; } - - - - - +
+ Host ID +
+
- -
- - -
- - — - , - "title": "Host ID", - }, - Object { - "description": - — - , - "title": "First seen", - }, - Object { - "description": - — - , - "title": "Last seen", - }, - ] - } - key="0" - > - -
- - — - , - "title": "Host ID", - }, - Object { - "description": - — - , - "title": "First seen", - }, - Object { - "description": - — - , - "title": "Last seen", - }, - ] - } - > - - — - , - "title": "Host ID", - }, - Object { - "description": - — - , - "title": "First seen", - }, - Object { - "description": - — - , - "title": "Last seen", - }, - ] - } - > -
- -
- Host ID -
-
- -
- - - — - - -
-
- -
- First seen -
-
- -
- - - — - - -
-
- -
- Last seen -
-
- -
- - - — - - -
-
-
-
-
-
-
-
- , - "title": "IP addresses", - }, - Object { - "description": , - "title": "MAC addresses", - }, - Object { - "description": , - "title": "Platform", - }, - ] - } - key="1" - > - -
- , - "title": "IP addresses", - }, - Object { - "description": , - "title": "MAC addresses", - }, - Object { - "description": , - "title": "Platform", - }, - ] - } - > - , - "title": "IP addresses", - }, - Object { - "description": , - "title": "MAC addresses", - }, - Object { - "description": , - "title": "Platform", - }, - ] - } - > -
- -
- IP addresses -
-
- -
- - - - — - - - -
-
- -
- MAC addresses -
-
- -
- - - - — - - - -
-
- -
- Platform -
-
- -
- - - - — - - - -
-
-
-
-
-
-
-
- , - "title": "Operating system", - }, - Object { - "description": , - "title": "Family", - }, - Object { - "description": , - "title": "Version", - }, - Object { - "description": , - "title": "Architecture", - }, - ] - } - key="2" - > - -
- , - "title": "Operating system", - }, - Object { - "description": , - "title": "Family", - }, - Object { - "description": , - "title": "Version", - }, - Object { - "description": , - "title": "Architecture", - }, - ] - } - > - , - "title": "Operating system", - }, - Object { - "description": , - "title": "Family", - }, - Object { - "description": , - "title": "Version", - }, - Object { - "description": , - "title": "Architecture", - }, - ] - } - > -
- -
- Operating system -
-
- -
- - - - — - - - -
-
- -
- Family -
-
- -
- - - - — - - - -
-
- -
- Version -
-
- -
- - - - — - - - -
-
- -
- Architecture -
-
- -
- - - - — - - - -
-
-
-
-
-
-
-
- , - "title": "Cloud provider", - }, - Object { - "description": , - "title": "Region", - }, - Object { - "description": , - "title": "Instance ID", - }, - Object { - "description": , - "title": "Machine type", - }, - ] - } - key="3" - > - -
- , - "title": "Cloud provider", - }, - Object { - "description": , - "title": "Region", - }, - Object { - "description": , - "title": "Instance ID", - }, - Object { - "description": , - "title": "Machine type", - }, - ] - } - > - , - "title": "Cloud provider", - }, - Object { - "description": , - "title": "Region", - }, - Object { - "description": , - "title": "Instance ID", - }, - Object { - "description": , - "title": "Machine type", - }, - ] - } - > -
- -
- Cloud provider -
-
- -
- - - - — - - - -
-
- -
- Region -
-
- -
- - - - — - - - -
-
- -
- Instance ID -
-
- -
- - - - — - - - -
-
- -
- Machine type -
-
- -
- - - - — - - - -
-
-
-
-
-
-
-
- - - -
-
-
-
-
- - - - - + — + +
+
+ First seen +
+
+ + — + +
+
+ Last seen +
+
+ + — + +
+ + +
+
+
+ IP addresses +
+
+ + — + +
+
+ MAC addresses +
+
+ + — + +
+
+ Platform +
+
+ + — + +
+
+
+
+
+
+ Operating system +
+
+ + — + +
+
+ Family +
+
+ + — + +
+
+ Version +
+
+ + — + +
+
+ Architecture +
+
+ + — + +
+
+
+
+
+
+ Cloud provider +
+
+ + — + +
+
+ Region +
+
+ + — + +
+
+ Instance ID +
+
+ + — + +
+
+ Machine type +
+
+ + — + +
+
+
+ + + `; exports[`Details Panel Component DetailsPanel:NetworkDetails: rendering it should render the Network Details view in the Details Panel when the panelView is networkDetail and the ip is set 1`] = ` @@ -1889,6 +592,10 @@ exports[`Details Panel Component DetailsPanel:NetworkDetails: rendering it shoul color: #535966; } +.c2 { + word-break: break-word; +} + .c2 dt { font-size: 12px !important; } @@ -1945,7 +652,7 @@ exports[`Details Panel Component DetailsPanel:NetworkDetails: rendering it shoul } .c4 { - padding: 16px; + padding: 12px; background: rgba(250,251,253,0.9); bottom: 0; left: 0; @@ -1959,671 +666,189 @@ exports[`Details Panel Component DetailsPanel:NetworkDetails: rendering it shoul height: 100%; } - - - - +
- + Location + +
+ + — + +
+
+ Autonomous system +
+
+ + — + +
+
+ +
+
+
+ First seen +
+
-
- +
+
+ Last seen +
+
+ + — + +
+
+
+
+
+
+ Host ID +
+
+ + — + +
+
+ Host name +
+
+ + — + +
+
+
+
+
+
+ WhoIs +
+
+ + - + External link + + -
- - — - , - "title": "Location", - }, - Object { - "description": - — - , - "title": "Autonomous system", - }, - ] - } - key="0" - > - -
- - — - , - "title": "Location", - }, - Object { - "description": - — - , - "title": "Autonomous system", - }, - ] - } - > - - — - , - "title": "Location", - }, - Object { - "description": - — - , - "title": "Autonomous system", - }, - ] - } - > -
- -
- Location -
-
- -
- - - — - - -
-
- -
- Autonomous system -
-
- -
- - - — - - -
-
-
-
-
-
-
-
- - — - , - "title": "First seen", - }, - Object { - "description": - — - , - "title": "Last seen", - }, - ] - } - key="1" - > - -
- - — - , - "title": "First seen", - }, - Object { - "description": - — - , - "title": "Last seen", - }, - ] - } - > - - — - , - "title": "First seen", - }, - Object { - "description": - — - , - "title": "Last seen", - }, - ] - } - > -
- -
- First seen -
-
- -
- - - — - - -
-
- -
- Last seen -
-
- -
- - - — - - -
-
-
-
-
-
-
-
- - — - , - "title": "Host ID", - }, - Object { - "description": - — - , - "title": "Host name", - }, - ] - } - key="2" - > - -
- - — - , - "title": "Host ID", - }, - Object { - "description": - — - , - "title": "Host name", - }, - ] - } - > - - — - , - "title": "Host ID", - }, - Object { - "description": - — - , - "title": "Host name", - }, - ] - } - > -
- -
- Host ID -
-
- -
- - - — - - -
-
- -
- Host name -
-
- -
- - - — - - -
-
-
-
-
-
-
-
- - iana.org - , - "title": "WhoIs", - }, - Object { - "description": , - "title": "Reputation", - }, - ] - } - key="3" - > - -
- - - - - -
- - -
- -
-
-
-
+ (opens in a new tab or window) + + + + +
+ Reputation +
+
+ + + + + `; diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx index d306d914b2146..0873daf9d9566 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx @@ -26,7 +26,7 @@ export { FlyoutHeader } from './header'; export { FlyoutFooter } from './footer'; export const useToGetInternalFlyout = () => { - const { browserFields, docValueFields, runtimeMappings } = useSourcererDataView( + const { browserFields, runtimeMappings } = useSourcererDataView( SourcererScopeName.detections ); const [alert, setAlert] = useState<{ id?: string; indexName?: string }>({ @@ -36,7 +36,6 @@ export const useToGetInternalFlyout = () => { const [loading, detailsData, rawEventData, ecsData, refetchFlyoutData] = useTimelineEventsDetails( { - docValueFields, entityType: EntityType.EVENTS, indexName: alert.indexName ?? '', eventId: alert.id ?? '', diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx index 996a0b6820466..255b524782a43 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx @@ -20,7 +20,6 @@ import { } from '../../../../common/lib/kibana'; import { mockBrowserFields, - mockDocValueFields, mockRuntimeMappings, } from '../../../../common/containers/source/mock'; import { coreMock } from '@kbn/core/public/mocks'; 
@@ -113,7 +112,6 @@ const defaultProps = { detailsData: mockAlertDetailsDataWithIsObject, tabType: TimelineTabs.query, browserFields: mockBrowserFields, - docValueFields: mockDocValueFields, runtimeMappings: mockRuntimeMappings, }; From 3f445c25980a2c19545d32af6e32e9ee8c02dca7 Mon Sep 17 00:00:00 2001 From: YulNaumenko Date: Tue, 5 Jul 2022 16:16:14 -0700 Subject: [PATCH 22/31] Fixed threat enrichment --- .../cti_details/helpers.test.tsx | 191 +++++--- .../event_details/cti_details/helpers.tsx | 35 +- .../event_details/event_details.tsx | 2 +- x-pack/plugins/timelines/common/constants.ts | 1 + .../common/utils/field_formatters.test.ts | 459 +++++++++++++++--- .../common/utils/field_formatters.ts | 39 +- .../timeline/factory/helpers/constants.ts | 4 +- 7 files changed, 564 insertions(+), 167 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.test.tsx index f3030e75f4750..0d3f911f497be 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.test.tsx 
@@ -120,93 +120,152 @@ describe('parseExistingEnrichments', () => { ]; expect(parseExistingEnrichments(data)).toEqual([ + [ + { + category: 'indicator', + field: 'indicator.first_seen', + isObjectArray: false, + originalValue: ['2021-03-21T19:40:19.000Z'], + values: ['2021-03-21T19:40:19.000Z'], + }, + { + category: 'indicator', + field: 'indicator.provider', + isObjectArray: false, + originalValue: ['provider'], + values: ['provider'], + }, + { + category: 'indicator', + field: 'indicator.reference', + isObjectArray: false, + originalValue: ['http://reference.url'], + values: ['http://reference.url'], + }, + { + category: 'indicator', + field: 'indicator.ip', + isObjectArray: false, + originalValue: ['192.168.1.19'], + values: ['192.168.1.19'], + }, + { + category: 'indicator', + field: 'indicator.type', + isObjectArray: false, + originalValue: ['ip'], + values: ['ip'], + }, + { + category: 'matched', + field: 'matched.atomic', + isObjectArray: false, + originalValue: ['192.168.1.19'], + values: ['192.168.1.19'], + }, + { + category: 'matched', + field: 'matched.field', + isObjectArray: false, + originalValue: ['host.ip'], + values: ['host.ip'], + }, + { + category: 'matched', + field: 'matched.id', + isObjectArray: false, + originalValue: ['0SIZMnoB_Blp1Ib9ZYHU'], + values: ['0SIZMnoB_Blp1Ib9ZYHU'], + }, + { + category: 'matched', + field: 'matched.index', + isObjectArray: false, + originalValue: ['filebeat-8.0.0-2021.05.28-000001'], + values: ['filebeat-8.0.0-2021.05.28-000001'], + }, + { + category: 'matched', + field: 'matched.type', + isObjectArray: false, + originalValue: [ENRICHMENT_TYPES.IndicatorMatchRule], + values: [ENRICHMENT_TYPES.IndicatorMatchRule], + }, + ], + ]); + }); + + it('returns multiple arrays for multiple enrichments', () => { + const data = [ { - category: 'indicator', - field: 'indicator.first_seen', - isObjectArray: false, - originalValue: ['2021-03-21T19:40:19.000Z'], - values: ['2021-03-21T19:40:19.000Z'], - }, - { - category: 
'indicator', - field: 'indicator.provider', - isObjectArray: false, - originalValue: ['provider'], - values: ['provider'], + category: 'threat', + field: 'threat.enrichments.indicator.first_seen', + isObjectArray: true, + originalValue: ['2021-03-21T19:40:19.000Z', '2021-03-21T19:40:19.000Z'], + values: ['2021-03-21T19:40:19.000Z', '2021-03-21T19:40:19.000Z'], }, { - category: 'indicator', - field: 'indicator.reference', - isObjectArray: false, - originalValue: ['http://reference.url'], - values: ['http://reference.url'], + category: 'threat', + field: 'threat.enrichments.indicator.provider', + isObjectArray: true, + originalValue: ['provider', 'other'], + values: ['provider', 'other'], }, { - category: 'indicator', - field: 'indicator.ip', - isObjectArray: false, - originalValue: ['192.168.1.19'], - values: ['192.168.1.19'], + category: 'threat', + field: 'threat.enrichments.indicator.reference', + isObjectArray: true, + originalValue: ['http://reference.url', 'http://reference.url'], + values: ['http://reference.url', 'http://reference.url'], }, { - category: 'indicator', - field: 'indicator.type', - isObjectArray: false, - originalValue: ['ip'], - values: ['ip'], + category: 'threat', + field: 'threat.enrichments.indicator.ip', + isObjectArray: true, + originalValue: ['192.168.1.19', '192.168.1.19'], + values: ['192.168.1.19', '192.168.1.19'], }, { - category: 'matched', - field: 'matched.atomic', - isObjectArray: false, - originalValue: ['192.168.1.19'], - values: ['192.168.1.19'], + category: 'threat', + field: 'threat.enrichments.indicator.type', + isObjectArray: true, + originalValue: ['ip', 'ip'], + values: ['ip', 'ip'], }, { - category: 'matched', - field: 'matched.field', - isObjectArray: false, - originalValue: ['host.ip'], - values: ['host.ip'], + category: 'threat', + field: 'threat.enrichments.matched.atomic', + isObjectArray: true, + originalValue: ['192.168.1.19', '192.168.1.19'], + values: ['192.168.1.19', '192.168.1.19'], }, { - category: 
'matched', - field: 'matched.id', - isObjectArray: false, - originalValue: ['0SIZMnoB_Blp1Ib9ZYHU'], - values: ['0SIZMnoB_Blp1Ib9ZYHU'], + category: 'threat', + field: 'threat.enrichments.matched.field', + isObjectArray: true, + originalValue: ['host.ip', 'host.ip'], + values: ['host.ip', 'host.ip'], }, { - category: 'matched', - field: 'matched.index', - isObjectArray: false, - originalValue: ['filebeat-8.0.0-2021.05.28-000001'], - values: ['filebeat-8.0.0-2021.05.28-000001'], + category: 'threat', + field: 'threat.enrichments.matched.id', + isObjectArray: true, + originalValue: ['0SIZMnoB_Blp1Ib9ZYHU', 'iiL9NHoB_Blp1Ib9yoJo'], + values: ['0SIZMnoB_Blp1Ib9ZYHU', 'iiL9NHoB_Blp1Ib9yoJo'], }, { - category: 'matched', - field: 'matched.type', - isObjectArray: false, - originalValue: [ENRICHMENT_TYPES.IndicatorMatchRule], - values: [ENRICHMENT_TYPES.IndicatorMatchRule], + category: 'threat', + field: 'threat.enrichments.matched.index', + isObjectArray: true, + originalValue: ['filebeat-8.0.0-2021.05.28-000001', 'filebeat-8.0.0-2021.05.28-000001'], + values: ['filebeat-8.0.0-2021.05.28-000001', 'filebeat-8.0.0-2021.05.28-000001'], }, - ]); - }); - - it('returns multiple arrays for multiple enrichments', () => { - const data = [ { category: 'threat', - field: 'threat.enrichments', + field: 'threat.enrichments.matched.type', isObjectArray: true, - originalValue: [ - `{"indicator.first_seen":"2021-03-21T19:40:19.000Z","indicator.provider":"provider","indicator.reference":"http://reference.url","indicator.ip":"192.168.1.19","indicator.type":"ip","matched.atomic":"192.168.1.19","matched.field":"host.ip","matched.id":"0SIZMnoB_Blp1Ib9ZYHU","matched.index":"filebeat-8.0.0-2021.05.28-000001","matched.type":"indicator_match_rule"}`, - 
`{"indicator.first_seen":"2021-03-21T19:40:19.000Z","indicator.provider":"other","indicator.reference":"http://reference.url","indicator.ip":"192.168.1.19","indicator.type":"ip","matched.atomic":"192.168.1.19","matched.field":"host.ip","matched.id":"iiL9NHoB_Blp1Ib9yoJo","matched.index":"filebeat-8.0.0-2021.05.28-000001","matched.type":"indicator_match_rule"}`, - ], - values: [ - `{"indicator.first_seen":"2021-03-21T19:40:19.000Z","indicator.provider":"provider","indicator.reference":"http://reference.url","indicator.ip":"192.168.1.19","indicator.type":"ip","matched.atomic":"192.168.1.19","matched.field":"host.ip","matched.id":"0SIZMnoB_Blp1Ib9ZYHU","matched.index":"filebeat-8.0.0-2021.05.28-000001","matched.type":"indicator_match_rule"}`, - `{"indicator.first_seen":"2021-03-21T19:40:19.000Z","indicator.provider":"other","indicator.reference":"http://reference.url","indicator.ip":"192.168.1.19","indicator.type":"ip","matched.atomic":"192.168.1.19","matched.field":"host.ip","matched.id":"iiL9NHoB_Blp1Ib9yoJo","matched.index":"filebeat-8.0.0-2021.05.28-000001","matched.type":"indicator_match_rule"}`, - ], + originalValue: ['indicator_match_rule', 'indicator_match_rule'], + values: ['indicator_match_rule', 'indicator_match_rule'], }, ]; diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx index 7ec6cfce4c361..827db98f6d326 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { groupBy } from 'lodash'; +import { groupBy, isArray } from 'lodash'; import { ENRICHMENT_DESTINATION_PATH } from '../../../../../common/constants'; import { ENRICHMENT_TYPES, 
@@ -24,7 +24,6 @@ import type { } from '../../../../../common/search_strategy/security_solution/cti'; import { isValidEventField } from '../../../../../common/search_strategy/security_solution/cti'; import { getFirstElement } from '../../../../../common/utils/data_retrieval'; -import { getDataFromFieldsHits } from '../../../../../common/utils/field_formatters'; export const isInvestigationTimeEnrichment = (type: string | undefined) => type === ENRICHMENT_TYPES.InvestigationTime; @@ -33,10 +32,38 @@ export const parseExistingEnrichments = ( data: TimelineEventsDetailsItem[] ): TimelineEventsDetailsItem[][] => { const threatIndicatorFields = data.filter( - ({ field, originalValue }) => field.startsWith(ENRICHMENT_DESTINATION_PATH) && originalValue + ({ field, originalValue }) => + field.startsWith(`${ENRICHMENT_DESTINATION_PATH}.`) && originalValue ); + if (threatIndicatorFields.length === 0) { + return []; + } - return threatIndicatorFields; + return threatIndicatorFields.reduce( + (enrichments, enrichmentData) => { + try { + if (isArray(enrichmentData.values)) { + for (let i = 0; i < enrichmentData.values.length; i++) { + if (!isArray(enrichments[i])) { + enrichments[i] = []; + } + enrichments[i].push({ + ...enrichmentData, + isObjectArray: false, + field: enrichmentData.field.replace(`${ENRICHMENT_DESTINATION_PATH}.`, ''), + category: enrichmentData.field.split('.')[2], + values: [enrichmentData.values[i]], + originalValue: [enrichmentData.originalValue[i]], + }); + } + } + } catch (e) { + // omit failed parse + } + return enrichments; + }, + [] + ); }; export const timelineDataToEnrichment = (data: TimelineEventsDetailsItem[]): CtiEnrichment => diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx index 97b38b740ef7c..ea9dc050cc32b 100644 
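Review bot: The `try { … } catch (e) { // omit failed parse }` wrapped around the reducer body in parseExistingEnrichments no longer guards any parsing — the body only indexes arrays — so the comment is stale and the catch now silently hides real errors such as a TypeError from an unexpected `originalValue`; drop the try/catch, or at least make the comment say what is actually being tolerated. The index-based grouping also assumes every `threat.enrichments.*` field carries exactly one value per enrichment in the same order; if one enrichment lacks a field, the flattened fields response cannot represent the gap and later values shift to the wrong enrichment, which deserves an explicit comment such as `// assumes each threat.enrichments.* field has one value per enrichment, in enrichment order`. `category: enrichmentData.field.split('.')[2]` takes the category by position from the original path; computing the stripped field once and using its first segment is clearer and stays correct if the prefix depth ever changes. The function's signature line sits just above the hunk.
```typescript
  const prefix = `${ENRICHMENT_DESTINATION_PATH}.`;
  const threatIndicatorFields = data.filter(
    ({ field, originalValue }) => field.startsWith(prefix) && originalValue
  );

  // Each threat.enrichments.* field arrives flattened: one value per enrichment,
  // in enrichment order, so index i across all fields describes enrichment i.
  // An enrichment that omits a field cannot be represented here and would shift
  // the values that follow it.
  return threatIndicatorFields.reduce<TimelineEventsDetailsItem[][]>(
    (enrichments, enrichmentData) => {
      if (!isArray(enrichmentData.values)) {
        return enrichments;
      }
      const strippedField = enrichmentData.field.replace(prefix, '');
      enrichmentData.values.forEach((value, i) => {
        if (!isArray(enrichments[i])) {
          enrichments[i] = [];
        }
        enrichments[i].push({
          ...enrichmentData,
          isObjectArray: false,
          field: strippedField,
          category: strippedField.split('.')[0],
          values: [value],
          originalValue: [enrichmentData.originalValue[i]],
        });
      });
      return enrichments;
    },
    []
  );
```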
--- a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx @@ -320,7 +320,7 @@ const EventDetailsComponent: React.FC = ({ <> - + ), diff --git a/x-pack/plugins/timelines/common/constants.ts b/x-pack/plugins/timelines/common/constants.ts index bc22c761c24e0..e41333eb03697 100644 --- a/x-pack/plugins/timelines/common/constants.ts +++ b/x-pack/plugins/timelines/common/constants.ts @@ -24,3 +24,4 @@ export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update'; export const DETECTION_ENGINE_SIGNALS_STATUS_URL = '/api/detection_engine/signals/status'; export const DELETED_SECURITY_SOLUTION_DATA_VIEW = 'DELETED_SECURITY_SOLUTION_DATA_VIEW'; +export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments'; diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts index 8f417baf8378d..2e566f452c7f2 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts @@ -6,8 +6,8 @@ */ import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid'; -import { EventHit, EventSource } from '../search_strategy'; -import { getDataFromFieldsHits, getDataFromSourceHits, getDataSafety } from './field_formatters'; +import { EventHit } from '../search_strategy'; +import { getDataFromFieldsHits, getDataSafety } from './field_formatters'; describe('Events Details Helpers', () => { const fields: EventHit['fields'] = eventHit.fields; 
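Review bot: `export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments';` added to the timelines plugin's constants.ts duplicates the constant of the same name that helpers.tsx in security_solution still imports from `../../../../../common/constants`; two copies of a path literal that both sides must agree on can drift silently. Either have one plugin import the other's export, or at minimum add a comment next to the new line, e.g. `// must stay identical to ENRICHMENT_DESTINATION_PATH in security_solution/common/constants`.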
@@ -238,65 +238,410 @@ describe('Events Details Helpers', () => { const result = getDataFromFieldsHits(ruleParameterFields); expect(result).toEqual(ruleParametersResultFields); }); - }); - it('#getDataFromSourceHits', () => { - const _source: EventSource = { - '@timestamp': '2021-02-24T00:41:06.527Z', - 'kibana.alert.workflow_status': 'open', - 'kibana.alert.rule.name': 'Rawr', - 'threat.indicator': [ - { - provider: 'yourself', - type: 'custom', - first_seen: ['2021-02-22T17:29:25.195Z'], - matched: { atomic: 'atom', field: 'field', type: 'type' }, - }, - { - provider: 'other_you', - type: 'custom', - first_seen: '2021-02-22T17:29:25.195Z', - matched: { atomic: 'atom', field: 'field', type: 'type' }, - }, - ], - }; - expect(getDataFromSourceHits(_source)).toEqual([ - { - category: 'base', - field: '@timestamp', - values: ['2021-02-24T00:41:06.527Z'], - originalValue: ['2021-02-24T00:41:06.527Z'], - isObjectArray: false, - }, - { - category: 'kibana', - field: 'kibana.alert.workflow_status', - values: ['open'], - originalValue: ['open'], - isObjectArray: false, - }, - { - category: 'kibana', - field: 'kibana.alert.rule.name', - values: ['Rawr'], - originalValue: ['Rawr'], - isObjectArray: false, - }, - { - category: 'threat', - field: 'threat.indicator', - values: [ - '{"provider":"yourself","type":"custom","first_seen":["2021-02-22T17:29:25.195Z"],"matched":{"atomic":"atom","field":"field","type":"type"}}', - '{"provider":"other_you","type":"custom","first_seen":"2021-02-22T17:29:25.195Z","matched":{"atomic":"atom","field":"field","type":"type"}}', + it('get data from threat enrichments', () => { + const data = { + 'kibana.alert.rule.parameters': [ + { + severity_mapping: [], + references: [], + threat_language: 'kuery', + description: 'The threat indicator rule description.', + language: 'kuery', + threat_mapping: [ + { + entries: [ + { + field: 'myhash.mysha256', + type: 'mapping', + value: 'threat.indicator.file.hash.sha256', + }, + ], + }, + ], + type: 
'threat_match', + threat_filters: [], + exceptions_list: [], + from: 'now-50000h', + timeline_id: '495ad7a7-316e-4544-8a0f-9c098daee76e', + severity: 'critical', + max_signals: 100, + risk_score: 20, + risk_score_mapping: [], + author: [], + threat_indicator_path: 'threat.indicator', + query: '*:*', + index: ['suspicious-*'], + version: 1, + threat_query: '*:*', + rule_id: 'rule_testing', + required_fields: [], + immutable: false, + related_integrations: [], + timeline_title: 'Generic Threat Match Timeline', + threat_index: ['filebeat-*'], + setup: '', + false_positives: [], + threat: [], + to: 'now', + }, ], - originalValue: [ - '{"provider":"yourself","type":"custom","first_seen":["2021-02-22T17:29:25.195Z"],"matched":{"atomic":"atom","field":"field","type":"type"}}', - '{"provider":"other_you","type":"custom","first_seen":"2021-02-22T17:29:25.195Z","matched":{"atomic":"atom","field":"field","type":"type"}}', + 'signal.rule.version': ['1'], + 'kibana.alert.status': ['active'], + 'signal.ancestors.index': ['suspicious-source-event-001'], + 'signal.depth': [1], + 'signal.rule.immutable': ['false'], + 'kibana.alert.rule.rule_type_id': ['siem.indicatorRule'], + 'signal.rule.name': ['Threat Indicator Rule Test'], + 'signal.rule.rule_id': ['rule_testing'], + 'kibana.alert.rule.timeline_id': ['495ad7a7-316e-4544-8a0f-9c098daee76e'], + 'threat.enrichments': [ + { + 'matched.field': ['myhash.mysha256'], + 'matched.index': ['logs-ti_abusech.malware'], + 'matched.type': ['indicator_match_rule'], + 'feed.name': ['AbuseCH malware'], + 'matched.atomic': ['a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3'], + }, ], - isObjectArray: true, - }, - ]); + }; + + const ruleParametersResultFields = [ + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.severity_mapping', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.references', + isObjectArray: false, + originalValue: [], + 
values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_language', + isObjectArray: false, + originalValue: ['kuery'], + values: ['kuery'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.description', + isObjectArray: false, + originalValue: ['The threat indicator rule description.'], + values: ['The threat indicator rule description.'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.language', + isObjectArray: false, + originalValue: ['kuery'], + values: ['kuery'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_mapping.entries.field', + isObjectArray: false, + originalValue: ['myhash.mysha256'], + values: ['myhash.mysha256'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_mapping.entries.type', + isObjectArray: false, + originalValue: ['mapping'], + values: ['mapping'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_mapping.entries.value', + isObjectArray: false, + originalValue: ['threat.indicator.file.hash.sha256'], + values: ['threat.indicator.file.hash.sha256'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.type', + isObjectArray: false, + originalValue: ['threat_match'], + values: ['threat_match'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_filters', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.exceptions_list', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.from', + isObjectArray: false, + originalValue: ['now-50000h'], + values: ['now-50000h'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.timeline_id', + isObjectArray: false, + originalValue: ['495ad7a7-316e-4544-8a0f-9c098daee76e'], + values: ['495ad7a7-316e-4544-8a0f-9c098daee76e'], + }, + { + 
category: 'kibana', + field: 'kibana.alert.rule.parameters.severity', + isObjectArray: false, + originalValue: ['critical'], + values: ['critical'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.max_signals', + isObjectArray: false, + originalValue: ['100'], + values: ['100'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.risk_score', + isObjectArray: false, + originalValue: ['20'], + values: ['20'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.risk_score_mapping', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.author', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_indicator_path', + isObjectArray: false, + originalValue: ['threat.indicator'], + values: ['threat.indicator'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.query', + isObjectArray: false, + originalValue: ['*:*'], + values: ['*:*'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.index', + isObjectArray: false, + originalValue: ['suspicious-*'], + values: ['suspicious-*'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.version', + isObjectArray: false, + originalValue: ['1'], + values: ['1'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_query', + isObjectArray: false, + originalValue: ['*:*'], + values: ['*:*'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.rule_id', + isObjectArray: false, + originalValue: ['rule_testing'], + values: ['rule_testing'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.required_fields', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.immutable', + isObjectArray: false, + originalValue: ['false'], + values: 
['false'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.related_integrations', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.timeline_title', + isObjectArray: false, + originalValue: ['Generic Threat Match Timeline'], + values: ['Generic Threat Match Timeline'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat_index', + isObjectArray: false, + originalValue: ['filebeat-*'], + values: ['filebeat-*'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.setup', + isObjectArray: false, + originalValue: [''], + values: [''], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.false_positives', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.threat', + isObjectArray: false, + originalValue: [], + values: [], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.to', + isObjectArray: false, + originalValue: ['now'], + values: ['now'], + }, + { + category: 'signal', + field: 'signal.rule.version', + isObjectArray: false, + originalValue: ['1'], + values: ['1'], + }, + { + category: 'kibana', + field: 'kibana.alert.status', + isObjectArray: false, + originalValue: ['active'], + values: ['active'], + }, + { + category: 'signal', + field: 'signal.ancestors.index', + isObjectArray: false, + originalValue: ['suspicious-source-event-001'], + values: ['suspicious-source-event-001'], + }, + { + category: 'signal', + field: 'signal.depth', + isObjectArray: false, + originalValue: ['1'], + values: ['1'], + }, + { + category: 'signal', + field: 'signal.rule.immutable', + isObjectArray: false, + originalValue: ['false'], + values: ['false'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.rule_type_id', + isObjectArray: false, + originalValue: ['siem.indicatorRule'], + values: ['siem.indicatorRule'], + }, + { 
+ category: 'signal', + field: 'signal.rule.name', + isObjectArray: false, + originalValue: ['Threat Indicator Rule Test'], + values: ['Threat Indicator Rule Test'], + }, + { + category: 'signal', + field: 'signal.rule.rule_id', + isObjectArray: false, + originalValue: ['rule_testing'], + values: ['rule_testing'], + }, + { + category: 'kibana', + field: 'kibana.alert.rule.timeline_id', + isObjectArray: false, + originalValue: ['495ad7a7-316e-4544-8a0f-9c098daee76e'], + values: ['495ad7a7-316e-4544-8a0f-9c098daee76e'], + }, + { + category: 'threat', + field: 'threat.enrichments.matched.field', + isObjectArray: false, + originalValue: ['myhash.mysha256'], + values: ['myhash.mysha256'], + }, + { + category: 'threat', + field: 'threat.enrichments.matched.index', + isObjectArray: false, + originalValue: ['logs-ti_abusech.malware'], + values: ['logs-ti_abusech.malware'], + }, + { + category: 'threat', + field: 'threat.enrichments.matched.type', + isObjectArray: false, + originalValue: ['indicator_match_rule'], + values: ['indicator_match_rule'], + }, + { + category: 'threat', + field: 'threat.enrichments.feed.name', + isObjectArray: false, + originalValue: ['AbuseCH malware'], + values: ['AbuseCH malware'], + }, + { + category: 'threat', + field: 'threat.enrichments.matched.atomic', + isObjectArray: false, + originalValue: ['a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3'], + values: ['a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3'], + }, + ]; + const result = getDataFromFieldsHits(data); + expect(result).toEqual(ruleParametersResultFields); + }); }); + it('#getDataSafety', async () => { const result = await getDataSafety(getDataFromFieldsHits, fields); expect(result).toEqual(resultFields); diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.ts b/x-pack/plugins/timelines/common/utils/field_formatters.ts index 6730802d80e08..5508a47dc74ed 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.ts 
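Review bot: The expected-result constant in the new `'get data from threat enrichments'` case is still named `ruleParametersResultFields` although it also covers `signal.*` and `threat.enrichments.*` fields, and the `data` fixture is an unannotated object literal. Renaming it `threatEnrichmentResultFields` and declaring `const data: EventHit['fields'] = { ... }` (the type is already imported at the top of this test file) would keep the fixture checked against the same type `getDataFromFieldsHits` accepts. Without the annotation, a fixture shape that drifts from `EventHit['fields']` only shows up as a runtime mismatch in the assertion.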
+++ b/x-pack/plugins/timelines/common/utils/field_formatters.ts @@ -5,10 +5,10 @@ * 2.0. */ -import { get, isEmpty, isNumber, isObject, isString } from 'lodash/fp'; +import { isEmpty } from 'lodash/fp'; import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils'; -import { EventHit, EventSource, TimelineEventsDetailsItem } from '../search_strategy'; +import { EventHit, TimelineEventsDetailsItem } from '../search_strategy'; import { toObjectArrayOfStrings, toStringArray } from './to_array'; export const baseCategoryFields = ['@timestamp', 'labels', 'message', 'tags']; @@ -41,40 +41,6 @@ export const isGeoField = (field: string) => export const isRuleParametersFieldOrSubfield = (field: string, prependField?: string) => prependField?.includes(ALERT_RULE_PARAMETERS) || field === ALERT_RULE_PARAMETERS; -export const getDataFromSourceHits = ( - sources: EventSource, - category?: string, - path?: string -): TimelineEventsDetailsItem[] => - Object.keys(sources ?? {}).reduce((accumulator, source) => { - const item: EventSource = get(source, sources); - if (Array.isArray(item) || isString(item) || isNumber(item)) { - const field = path ? `${path}.${source}` : source; - const fieldCategory = getFieldCategory(field); - - const objArrStr = toObjectArrayOfStrings(item); - const strArr = objArrStr.map(({ str }) => str); - const isObjectArray = objArrStr.some((o) => o.isObjectArray); - - return [ - ...accumulator, - { - category: fieldCategory, - field, - values: strArr, - originalValue: strArr, - isObjectArray, - } as TimelineEventsDetailsItem, - ]; - } else if (isObject(item)) { - return [ - ...accumulator, - ...getDataFromSourceHits(item, category || source, path ? `${path}.${source}` : source), - ]; - } - return accumulator; - }, []); - export const getDataFromFieldsHits = ( fields: EventHit['fields'], prependField?: string, 
@@ -96,6 +62,7 @@ export const getDataFromFieldsHits = ( }, ]; } + const objArrStr = toObjectArrayOfStrings(item); const strArr = objArrStr.map(({ str }) => str); const isObjectArray = objArrStr.some((o) => o.isObjectArray); diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts index 068b52b8cd821..fe07732e4731d 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts @@ -6,9 +6,7 @@ */ import { ALERT_RULE_CONSUMER, ALERT_RISK_SCORE, ALERT_SEVERITY } from '@kbn/rule-data-utils'; - -// TODO: share with security_solution/common/cti/constants.ts -export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments'; +import { ENRICHMENT_DESTINATION_PATH } from '../../../../../common/constants'; export const MATCHED_ATOMIC = 'matched.atomic'; export const MATCHED_FIELD = 'matched.field'; From c8ff32d972a9bc5353dcf598e7e3b5d331c81557 Mon Sep 17 00:00:00 2001 From: YulNaumenko Date: Tue, 5 Jul 2022 21:36:36 -0700 Subject: [PATCH 23/31] Fixed unmapped alert details test --- .../cypress/integration/detection_alerts/alerts_details.spec.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts index f4fdd795225d7..865be928e832e 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts 
@@ -61,7 +61,7 @@ describe('Alert details with unmapped fields', () => { }; openTable(); - cy.get(ALERT_FLYOUT).find(pageSelector(5)).click({ force: true }); + cy.get(ALERT_FLYOUT).find(pageSelector(4)).click({ force: true }); cy.get(ALERT_FLYOUT) .find(TABLE_ROWS) .within(() => { From e298ca85450d3e1473786992d0d07dd2db25dbc9 Mon Sep 17 00:00:00 2001 From: YulNaumenko Date: Tue, 5 Jul 2022 22:08:18 -0700 Subject: [PATCH 24/31] improved naming --- .../event_details/cti_details/helpers.tsx | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx index 827db98f6d326..eee4b731b2831 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx 
@@ -43,17 +43,22 @@ export const parseExistingEnrichments = ( (enrichments, enrichmentData) => { try { if (isArray(enrichmentData.values)) { - for (let i = 0; i < enrichmentData.values.length; i++) { - if (!isArray(enrichments[i])) { - enrichments[i] = []; + for ( + let enrichmentIndex = 0; + enrichmentIndex < enrichmentData.values.length; + enrichmentIndex++ + ) { + if (!isArray(enrichments[enrichmentIndex])) { + enrichments[enrichmentIndex] = []; } - enrichments[i].push({ + const fieldParts = enrichmentData.field.split('.'); + enrichments[enrichmentIndex].push({ ...enrichmentData, isObjectArray: false, field: enrichmentData.field.replace(`${ENRICHMENT_DESTINATION_PATH}.`, ''), - category: enrichmentData.field.split('.')[2], - values: [enrichmentData.values[i]], - originalValue: [enrichmentData.originalValue[i]], + category: fieldParts.length > 3 ? fieldParts[2] : enrichmentData.category, + values: [enrichmentData.values[enrichmentIndex]], + originalValue: [enrichmentData.originalValue[enrichmentIndex]], }); } } From 13a9ad4b95bc294d9d9dec78068c37562731e995 Mon Sep 17 00:00:00 2001 From: YulNaumenko Date: Sun, 10 Jul 2022 19:05:32 -0700 Subject: [PATCH 25/31] Fixed rule detections tests, by parsing nested structure only for ECS objects --- .../common/utils/field_formatters.ts | 13 +++++++++++-- .../public/hosts/pages/details/index.tsx | 2 +- .../timelines/common/utils/field_formatters.ts | 13 ++++++++++--- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.ts index e2480ce05f978..68785f2a71bda 100644 --- a/x-pack/plugins/security_solution/common/utils/field_formatters.ts +++ b/x-pack/plugins/security_solution/common/utils/field_formatters.ts 
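Review bot: The threshold in `category: fieldParts.length > 3 ? fieldParts[2] : enrichmentData.category` is a magic number with no comment; because `enrichmentData.field` still carries the `threat.enrichments.` prefix at that point, a reader has to work out that four parts means `threat.enrichments.<category>.<leaf>`. A comment above the `push` such as `// 'threat.enrichments.<category>.<leaf>' -> use <category>; shorter paths keep the source item's category` would make it self-explanatory. Computing the stripped field once into a local next to `fieldParts` would also avoid splitting and replacing the same string on every loop iteration. `parseExistingEnrichments` begins and ends outside this hunk.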
@@ -5,6 +5,9 @@ * 2.0. */ +import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; +import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; +import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; import { isEmpty } from 'lodash/fp'; import { EventHit, TimelineEventsDetailsItem } from '../search_strategy'; @@ -60,13 +63,19 @@ export const getDataFromFieldsHits = ( }, ]; } + const objArrStr = toObjectArrayOfStrings(item); const strArr = objArrStr.map(({ str }) => str); const isObjectArray = objArrStr.some((o) => o.isObjectArray); const dotField = prependField ? `${prependField}.${field}` : field; - // return simple field value (non-object, non-array) - if (!isObjectArray) { + // return simple field value (non-esc object, non-array) + if ( + !isObjectArray || + Object.keys({ ...ecsFieldMap, ...technicalRuleFieldMap, ...experimentalRuleFieldMap }).find( + (ecsField) => ecsField === field + ) === undefined + ) { return [ ...accumulator, { diff --git a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx index 81b01d3bd47d4..d0525b5814864 100644 --- a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx @@ -100,7 +100,7 @@ const HostDetailsComponent: React.FC = ({ detailName, hostDeta [dispatch] ); - const { docValueFields, indexPattern, indicesExist, selectedPatterns } = useSourcererDataView(); + const { indexPattern, indicesExist, selectedPatterns } = useSourcererDataView(); const [loading, { inspect, hostDetails: hostOverview, id, refetch }] = useHostDetails({ endDate: to, startDate: from, 
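Review bot: The new condition in `getDataFromFieldsHits` rebuilds `{ ...ecsFieldMap, ...technicalRuleFieldMap, ...experimentalRuleFieldMap }` and linearly scans its keys with `find` for every field at every recursion level; hoisting the merged key set to a module-level `Set` and testing `.has()` is equivalent and removes the per-field spread and scan. The comparison also uses `field` rather than `dotField`, so on a recursive call a leaf key is compared against what appear to be fully-qualified map keys — if those field maps are keyed by full dotted paths, `dotField` is probably what was intended; worth confirming with a nested ECS fixture. The comment `// return simple field value (non-esc object, non-array)` should read `non-ecs`. The matching hunk in the timelines copy of `field_formatters.ts` that follows has the same issues, and the two copies are already drifting (the comment typo differs between them).
```typescript
// Keys of every field map whose object arrays are expanded into nested rows.
const EXPANDABLE_OBJECT_FIELDS = new Set(
  Object.keys({ ...ecsFieldMap, ...technicalRuleFieldMap, ...experimentalRuleFieldMap })
);
// … unchanged: getDataFromFieldsHits up to the dotField computation …
    // return simple field value (non-ecs object, non-array)
    if (!isObjectArray || !EXPANDABLE_OBJECT_FIELDS.has(field)) {
```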
diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.ts b/x-pack/plugins/timelines/common/utils/field_formatters.ts index 5508a47dc74ed..cb99b38860539 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.ts @@ -8,6 +8,9 @@ import { isEmpty } from 'lodash/fp'; import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils'; +import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; +import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; +import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { EventHit, TimelineEventsDetailsItem } from '../search_strategy'; import { toObjectArrayOfStrings, toStringArray } from './to_array'; export const baseCategoryFields = ['@timestamp', 'labels', 'message', 'tags']; @@ -62,14 +65,18 @@ export const getDataFromFieldsHits = ( }, ]; } - const objArrStr = toObjectArrayOfStrings(item); const strArr = objArrStr.map(({ str }) => str); const isObjectArray = objArrStr.some((o) => o.isObjectArray); const dotField = prependField ? `${prependField}.${field}` : field; - // return simple field value (non-object, non-array) - if (!isObjectArray) { + // return simple field value (non-ecs object, non-array) + if ( + !isObjectArray || + Object.keys({ ...ecsFieldMap, ...technicalRuleFieldMap, ...experimentalRuleFieldMap }).find( + (ecsField) => ecsField === field + ) === undefined + ) { return [ ...accumulator, { From ffca4a16a0e73ee5444cf2948f119a3682ff0729 Mon Sep 17 00:00:00 2001 
From: YulNaumenko Date: Mon, 11 Jul 2022 16:33:32 -0700 Subject: [PATCH 26/31] Fixed tests --- .../src/mock/mock_event_details.ts | 44 ++--- .../common/utils/field_formatters.test.ts | 61 +------ .../common/utils/field_formatters.test.ts | 151 +++--------------- 3 files changed, 40 insertions(+), 216 deletions(-) diff --git a/packages/kbn-securitysolution-t-grid/src/mock/mock_event_details.ts b/packages/kbn-securitysolution-t-grid/src/mock/mock_event_details.ts index 93e3cd2a4ce02..8f756842e4b5b 100644 --- a/packages/kbn-securitysolution-t-grid/src/mock/mock_event_details.ts +++ b/packages/kbn-securitysolution-t-grid/src/mock/mock_event_details.ts @@ -292,37 +292,17 @@ export const eventDetailsFormattedFields = [ }, { category: 'threat', - field: 'threat.enrichments.lazer.great.field', - values: ['grrrrr', 'grrrrr_2'], - originalValue: ['grrrrr', 'grrrrr_2'], - isObjectArray: false, - }, - { - category: 'threat', - field: 'threat.enrichments.lazer.great.field.wowoe.fooooo', - values: ['grrrrr'], - originalValue: ['grrrrr'], - isObjectArray: false, - }, - { - category: 'threat', - field: 'threat.enrichments.lazer.great.field.astring', - values: ['cool'], - originalValue: ['cool'], - isObjectArray: false, - }, - { - category: 'threat', - field: 'threat.enrichments.lazer.great.field.aNumber', - values: ['1'], - originalValue: ['1'], - isObjectArray: false, - }, - { - category: 'threat', - field: 'threat.enrichments.lazer.great.field.neat', - values: ['true'], - originalValue: ['true'], - isObjectArray: false, + field: 'threat.enrichments.lazer', + values: [ + '{"great.field":["grrrrr"]}', + '{"great.field":["grrrrr_2"]}', + '{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}', + ], + originalValue: [ + '{"great.field":["grrrrr"]}', + '{"great.field":["grrrrr_2"]}', + '{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}', + ], + isObjectArray: true, }, ]; 
diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts index 2c22d0838162f..5cc087a23cef3 100644 --- a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts 
@@ -73,59 +73,14 @@ describe('Events Details Helpers', () => { const whackResultFields = [ { category: 'crazy', - field: 'crazy.pants.matched.field', - values: ['matched_field'], - originalValue: ['matched_field'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.first_seen', - values: ['2021-02-22T17:29:25.195Z'], - originalValue: ['2021-02-22T17:29:25.195Z'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.provider', - values: ['yourself'], - originalValue: ['yourself'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.type', - values: ['custom'], - originalValue: ['custom'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.matched.atomic', - values: ['matched_atomic'], - originalValue: ['matched_atomic'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.lazer.great.field', - values: ['grrrrr', 'grrrrr_2'], - originalValue: ['grrrrr', 'grrrrr_2'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.lazer.lazer.lazer.cool', - values: ['true', 'false'], - originalValue: ['true', 'false'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.lazer.lazer.lazer.lazer.lazer.lazer.lazer.whoa', - values: ['false'], - originalValue: ['false'], - isObjectArray: false, + field: 'crazy.pants', + values: [ + '{"matched.field":["matched_field"],"first_seen":["2021-02-22T17:29:25.195Z"],"provider":["yourself"],"type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"],"lazer":[{"lazer":[{"cool":true,"lazer":[{"lazer":[{"lazer":[{"lazer":[{"whoa":false}]}]}]}]}]},{"lazer":[{"cool":false}]}]},{"great.field":["grrrrr_2"]}]}', + ], + originalValue: [ + 
'{"matched.field":["matched_field"],"first_seen":["2021-02-22T17:29:25.195Z"],"provider":["yourself"],"type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"],"lazer":[{"lazer":[{"cool":true,"lazer":[{"lazer":[{"lazer":[{"lazer":[{"whoa":false}]}]}]}]}]},{"lazer":[{"cool":false}]}]},{"great.field":["grrrrr_2"]}]}', + ], + isObjectArray: true, }, ]; const result = getDataFromFieldsHits(whackFields); diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts index 2e566f452c7f2..44837eecfe0c8 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts 
@@ -73,59 +73,14 @@ describe('Events Details Helpers', () => { const whackResultFields = [ { category: 'crazy', - field: 'crazy.pants.matched.field', - values: ['matched_field'], - originalValue: ['matched_field'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.first_seen', - values: ['2021-02-22T17:29:25.195Z'], - originalValue: ['2021-02-22T17:29:25.195Z'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.provider', - values: ['yourself'], - originalValue: ['yourself'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.type', - values: ['custom'], - originalValue: ['custom'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.matched.atomic', - values: ['matched_atomic'], - originalValue: ['matched_atomic'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.lazer.great.field', - values: ['grrrrr', 'grrrrr_2'], - originalValue: ['grrrrr', 'grrrrr_2'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.lazer.lazer.lazer.cool', - values: ['true', 'false'], - originalValue: ['true', 'false'], - isObjectArray: false, - }, - { - category: 'crazy', - field: 'crazy.pants.lazer.lazer.lazer.lazer.lazer.lazer.lazer.whoa', - values: ['false'], - originalValue: ['false'], - isObjectArray: false, + field: 'crazy.pants', + values: [ + '{"matched.field":["matched_field"],"first_seen":["2021-02-22T17:29:25.195Z"],"provider":["yourself"],"type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"],"lazer":[{"lazer":[{"cool":true,"lazer":[{"lazer":[{"lazer":[{"lazer":[{"whoa":false}]}]}]}]}]},{"lazer":[{"cool":false}]}]},{"great.field":["grrrrr_2"]}]}', + ], + originalValue: [ + 
'{"matched.field":["matched_field"],"first_seen":["2021-02-22T17:29:25.195Z"],"provider":["yourself"],"type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"],"lazer":[{"lazer":[{"cool":true,"lazer":[{"lazer":[{"lazer":[{"lazer":[{"whoa":false}]}]}]}]}]},{"lazer":[{"cool":false}]}]},{"great.field":["grrrrr_2"]}]}', + ], + isObjectArray: true, }, ]; const result = getDataFromFieldsHits(whackFields); 
@@ -165,66 +120,10 @@ describe('Events Details Helpers', () => { }, { category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.metric', - isObjectArray: false, - originalValue: ['cpu'], - values: ['cpu'], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.comparator', - values: ['>'], - originalValue: ['>'], - isObjectArray: false, - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.threshold', - isObjectArray: false, - originalValue: ['3'], - values: ['3'], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.timeSize', - isObjectArray: false, - originalValue: ['1'], - values: ['1'], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.timeUnit', - values: ['m'], - originalValue: ['m'], - isObjectArray: false, - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.customMetric.type', - isObjectArray: false, - originalValue: ['custom'], - values: ['custom'], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.customMetric.id', - isObjectArray: false, - originalValue: ['alert-custom-metric'], - values: ['alert-custom-metric'], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.customMetric.field', - isObjectArray: false, - originalValue: [''], - values: [''], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.criteria.customMetric.aggregation', - isObjectArray: false, - originalValue: ['avg'], - values: ['avg'], + field: 'kibana.alert.rule.parameters.criteria', + isObjectArray: true, + originalValue: ['{"metric":"cpu","comparator":">","threshold":[3],"timeSize":1,"timeUnit":"m","customMetric":{"type":"custom","id":"alert-custom-metric","field":"","aggregation":"avg"}}'], + values: ['{"metric":"cpu","comparator":">","threshold":[3],"timeSize":1,"timeUnit":"m","customMetric":{"type":"custom","id":"alert-custom-metric","field":"","aggregation":"avg"}}'], }, 
{ category: 'kibana', @@ -344,24 +243,14 @@ describe('Events Details Helpers', () => { }, { category: 'kibana', - field: 'kibana.alert.rule.parameters.threat_mapping.entries.field', - isObjectArray: false, - originalValue: ['myhash.mysha256'], - values: ['myhash.mysha256'], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.threat_mapping.entries.type', - isObjectArray: false, - originalValue: ['mapping'], - values: ['mapping'], - }, - { - category: 'kibana', - field: 'kibana.alert.rule.parameters.threat_mapping.entries.value', - isObjectArray: false, - originalValue: ['threat.indicator.file.hash.sha256'], - values: ['threat.indicator.file.hash.sha256'], + field: 'kibana.alert.rule.parameters.threat_mapping', + isObjectArray: true, + originalValue: [ + '{"entries":[{"field":"myhash.mysha256","type":"mapping","value":"threat.indicator.file.hash.sha256"}]}', + ], + values: [ + '{"entries":[{"field":"myhash.mysha256","type":"mapping","value":"threat.indicator.file.hash.sha256"}]}', + ], }, { category: 'kibana', From b879b72bb7763b35daa505ff873c66dee3db8e9d Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 12 Jul 2022 02:09:36 +0000 Subject: [PATCH 27/31] [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix' --- .../common/utils/field_formatters.test.ts | 2 +- .../timelines/common/utils/field_formatters.test.ts | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts index 5cc087a23cef3..33d0c226fc44e 100644 --- a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts 
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { EventHit } from '../search_strategy';
+import type { EventHit } from '../search_strategy';
 import { getDataFromFieldsHits, getDataSafety } from './field_formatters';
 import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid';
diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
index 44837eecfe0c8..5cc339bc04e67 100644
--- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
+++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
@@ -122,8 +122,12 @@ describe('Events Details Helpers', () => {
 category: 'kibana',
 field: 'kibana.alert.rule.parameters.criteria',
 isObjectArray: true,
- originalValue: ['{"metric":"cpu","comparator":">","threshold":[3],"timeSize":1,"timeUnit":"m","customMetric":{"type":"custom","id":"alert-custom-metric","field":"","aggregation":"avg"}}'],
- values: ['{"metric":"cpu","comparator":">","threshold":[3],"timeSize":1,"timeUnit":"m","customMetric":{"type":"custom","id":"alert-custom-metric","field":"","aggregation":"avg"}}'],
+ originalValue: [
+ '{"metric":"cpu","comparator":">","threshold":[3],"timeSize":1,"timeUnit":"m","customMetric":{"type":"custom","id":"alert-custom-metric","field":"","aggregation":"avg"}}',
+ ],
+ values: [
+ '{"metric":"cpu","comparator":">","threshold":[3],"timeSize":1,"timeUnit":"m","customMetric":{"type":"custom","id":"alert-custom-metric","field":"","aggregation":"avg"}}',
+ ],
 },
 {
 category: 'kibana',
From 574f80c74cfd27ba7eebf510e3c9bb269c45a9bd Mon Sep 17 00:00:00 2001
From: YulNaumenko Date: Mon, 11 Jul 2022 19:39:47 -0700 Subject: [PATCH 28/31] Fixed type checks --- .../common/components/last_event_time/index.tsx | 6 +----- .../common/containers/events/last_event_time/index.ts | 4 ---- .../components/side_panel/event_details/index.tsx | 11 ++++++----- .../public/timelines/components/side_panel/index.tsx | 9 +++++---- .../public/timelines/containers/details/index.tsx | 8 ++++---- .../common/search_strategy/timeline/index.ts | 9 ++------- .../public/components/t_grid/integrated/index.tsx | 2 +- .../plugins/timelines/public/mock/browser_fields.ts | 2 +- 8 files changed, 20 insertions(+), 31 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx index 2aca3b321d705..f6349a3ddd2f4 100644 --- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx @@ -9,11 +9,7 @@ import { EuiIcon, EuiLoadingSpinner, EuiToolTip } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import React, { memo } from 'react'; -<<<<<<< HEAD -import type { DocValueFields, LastEventIndexKey } from '../../../../common/search_strategy'; -======= -import { LastEventIndexKey } from '../../../../common/search_strategy'; ->>>>>>> 438edfc81dd (removed docvalueFields props and deps) +import type { LastEventIndexKey } from '../../../../common/search_strategy'; import { useTimelineLastEventTime } from '../../containers/events/last_event_time'; import { getEmptyTagValue } from '../empty_value'; import { FormattedRelativePreferenceDate } from '../formatted_date'; diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts index 8577eb9ad4cec..b55c566084528 100644 
--- a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts +++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts @@ -21,10 +21,6 @@ import type { } from '../../../../../common/search_strategy/timeline'; import { TimelineEventsQueries } from '../../../../../common/search_strategy/timeline'; import * as i18n from './translations'; -<<<<<<< HEAD -import type { DocValueFields } from '../../../../../common/search_strategy'; -======= ->>>>>>> 438edfc81dd (removed docvalueFields props and deps) import { useAppToasts } from '../../../hooks/use_app_toasts'; export interface UseTimelineLastEventTimeArgs { diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index 8efe49110c3d1..fa2581cb8dcb0 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx 
@@ -17,12 +17,12 @@ import { import React, { useState, useCallback, useMemo } from 'react'; import styled from 'styled-components'; import deepEqual from 'fast-deep-equal'; -import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { EntityType } from '@kbn/timelines-plugin/common'; -import { BrowserFields } from '../../../../common/containers/source'; +import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { EntityType } from '@kbn/timelines-plugin/common'; +import type { BrowserFields } from '../../../../common/containers/source'; import { ExpandableEvent, ExpandableEventTitle } from './expandable_event'; import { useTimelineEventsDetails } from '../../../containers/details'; -import { TimelineTabs } from '../../../../../common/types/timeline'; +import type { TimelineTabs } from '../../../../../common/types/timeline'; import { HostIsolationPanel } from '../../../../detections/components/host_isolation'; import { EndpointIsolateSuccess } from '../../../../common/components/endpoint/host_isolation'; import { @@ -34,7 +34,8 @@ import { ALERT_DETAILS } from './translations'; import { useWithCaseDetailsRefresh } from '../../../../common/components/endpoint/host_isolation/endpoint_host_isolation_cases_context'; import { EventDetailsFooter } from './footer'; import { buildHostNamesFilter } from '../../../../../common/search_strategy'; -import { useHostRiskScore, HostRisk } from '../../../../risk_score/containers'; +import type { HostRisk } from '../../../../risk_score/containers'; +import { useHostRiskScore } from '../../../../risk_score/containers'; const StyledEuiFlyoutBody = styled(EuiFlyoutBody)` .euiFlyoutBody__overflow { diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx index 59a6dc07cfc48..cd2efa5809087 100644 
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx @@ -7,13 +7,14 @@ import React, { useCallback, useMemo } from 'react'; import { useDispatch } from 'react-redux'; -import { EuiFlyout, EuiFlyoutProps } from '@elastic/eui'; +import type { EuiFlyoutProps } from '@elastic/eui'; +import { EuiFlyout } from '@elastic/eui'; -import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { EntityType } from '@kbn/timelines-plugin/common'; +import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { EntityType } from '@kbn/timelines-plugin/common'; import { timelineActions, timelineSelectors } from '../../store/timeline'; import { timelineDefaults } from '../../store/timeline/defaults'; -import { BrowserFields } from '../../../common/containers/source'; +import type { BrowserFields } from '../../../common/containers/source'; import { TimelineId, TimelineTabs } from '../../../../common/types/timeline'; import { useDeepEqualSelector } from '../../../common/hooks/use_selector'; import { EventDetailsPanel } from './event_details'; diff --git a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx index 9f544da4769d1..b855a0aebb28e 100644 --- a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx 
@@ -10,19 +10,19 @@ import { useCallback, useEffect, useRef, useState } from 'react'; import deepEqual from 'fast-deep-equal'; import { Subscription } from 'rxjs'; -import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { isCompleteResponse, isErrorResponse } from '@kbn/data-plugin/common'; import { EntityType } from '@kbn/timelines-plugin/common'; import { useKibana } from '../../../common/lib/kibana'; -import { +import type { TimelineEventsDetailsItem, - TimelineEventsQueries, TimelineEventsDetailsRequestOptions, TimelineEventsDetailsStrategyResponse, } from '../../../../common/search_strategy'; +import { TimelineEventsQueries } from '../../../../common/search_strategy'; import { useAppToasts } from '../../../common/hooks/use_app_toasts'; import * as i18n from './translations'; -import { Ecs } from '../../../../common/ecs'; +import type { Ecs } from '../../../../common/ecs'; export interface EventsArgs { detailsData: TimelineEventsDetailsItem[] | null; diff --git a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts index baa9de15f55ea..dfdc1ed3eabd4 100644 --- a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts +++ b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import type { IEsSearchRequest } from '@kbn/data-plugin/common'; import { ESQuery } from '../../typed_json'; import { 
@@ -19,12 +19,7 @@ import { TimelineKpiStrategyResponse, EntityType, } from './events'; -import { - PaginationInputPaginated, - TimerangeInput, - SortField, - Maybe, -} from '../common'; +import { PaginationInputPaginated, TimerangeInput, SortField, Maybe } from '../common'; import { DataProviderType, TimelineType, diff --git a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx index c6a212628c9ff..7183c164a24be 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx @@ -12,7 +12,7 @@ import React, { useEffect, useMemo, useRef, useState } from 'react'; import styled from 'styled-components'; import { useDispatch } from 'react-redux'; -import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { DataViewBase, Filter, Query } from '@kbn/es-query'; import { useKibana } from '@kbn/kibana-react-plugin/public'; import type { CoreStart } from '@kbn/core/public'; diff --git a/x-pack/plugins/timelines/public/mock/browser_fields.ts b/x-pack/plugins/timelines/public/mock/browser_fields.ts index 948d1e1f68081..e38a435d1a4fb 100644 --- a/x-pack/plugins/timelines/public/mock/browser_fields.ts +++ b/x-pack/plugins/timelines/public/mock/browser_fields.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import type { DocValueFields } from '../../common/search_strategy'; import type { BrowserFields } from '../../common/search_strategy/index_fields'; From 428be2bbd2606fca42b434744fcf32a7917b99ed Mon Sep 17 00:00:00 2001 
From: YulNaumenko Date: Mon, 11 Jul 2022 20:10:20 -0700 Subject: [PATCH 29/31] Fixed merge issues --- .../__snapshots__/index.test.tsx.snap | 58 ++--- .../side_panel/event_details/index.tsx | 246 +++++------------- .../timelines/containers/details/index.tsx | 15 +- 3 files changed, 100 insertions(+), 219 deletions(-) diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap index f073c78d8125b..b7dd50555de88 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap @@ -20,26 +20,6 @@ exports[`Details Panel Component DetailsPanel: rendering it should not render th /> `; -exports[`Details Panel Component DetailsPanel: rendering it should not render the DetailsPanel if an expanded detail with a panelView, but not params have been set: - - 1`] = ` - -`; - exports[`Details Panel Component DetailsPanel: rendering it should not render the DetailsPanel if no expanded detail has been set in the reducer 1`] = ` - — - + aria-label="Loading" + class="euiLoadingSpinner emotion-euiLoadingSpinner-m" + data-test-subj="loading-spinner" + role="progressbar" + />
- — - + aria-label="Loading" + class="euiLoadingSpinner emotion-euiLoadingSpinner-m" + data-test-subj="loading-spinner" + role="progressbar" + />
- — - + aria-label="Loading" + class="euiLoadingSpinner emotion-euiLoadingSpinner-m" + data-test-subj="loading-spinner" + role="progressbar" + /> @@ -401,10 +384,11 @@ exports[`Details Panel Component DetailsPanel:HostDetails: rendering it should r class="euiDescriptionList__description" > - — - + aria-label="Loading" + class="euiLoadingSpinner emotion-euiLoadingSpinner-m" + data-test-subj="loading-spinner" + role="progressbar" + />
(opens in a new tab or window) diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index fa2581cb8dcb0..8859b6f20ab33 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx @@ -5,17 +5,9 @@ * 2.0. */ -import { some } from 'lodash/fp'; -import { - EuiButtonEmpty, - EuiFlyoutHeader, - EuiFlyoutBody, - EuiSpacer, - EuiTitle, - EuiText, -} from '@elastic/eui'; -import React, { useState, useCallback, useMemo } from 'react'; -import styled from 'styled-components'; +import { EuiSpacer } from '@elastic/eui'; +import React from 'react'; + import deepEqual from 'fast-deep-equal'; import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import type { EntityType } from '@kbn/timelines-plugin/common'; 
@@ -23,33 +15,12 @@ import type { BrowserFields } from '../../../../common/containers/source'; import { ExpandableEvent, ExpandableEventTitle } from './expandable_event'; import { useTimelineEventsDetails } from '../../../containers/details'; import type { TimelineTabs } from '../../../../../common/types/timeline'; -import { HostIsolationPanel } from '../../../../detections/components/host_isolation'; -import { EndpointIsolateSuccess } from '../../../../common/components/endpoint/host_isolation'; -import { - ISOLATE_HOST, - UNISOLATE_HOST, -} from '../../../../detections/components/host_isolation/translations'; -import { getFieldValue } from '../../../../detections/components/host_isolation/helpers'; -import { ALERT_DETAILS } from './translations'; -import { useWithCaseDetailsRefresh } from '../../../../common/components/endpoint/host_isolation/endpoint_host_isolation_cases_context'; -import { EventDetailsFooter } from './footer'; import { buildHostNamesFilter } from '../../../../../common/search_strategy'; import type { HostRisk } from '../../../../risk_score/containers'; import { useHostRiskScore } from '../../../../risk_score/containers'; - -const StyledEuiFlyoutBody = styled(EuiFlyoutBody)` - .euiFlyoutBody__overflow { - display: flex; - flex: 1; - overflow: hidden; - - .euiFlyoutBody__overflowContent { - flex: 1; - overflow: hidden; - padding: ${({ theme }) => `0 ${theme.eui.paddingSizes.m} ${theme.eui.paddingSizes.m}`}; - } - } -`; +import { useHostIsolationTools } from './use_host_isolation_tools'; +import { FlyoutBody, FlyoutHeader, FlyoutFooter } from './flyout'; +import { useBasicDataFromDetailsData } from './helpers'; interface EventDetailsPanelProps { browserFields: BrowserFields; 
@@ -90,43 +61,17 @@ const EventDetailsPanelComponent: React.FC = ({ } ); - const [isHostIsolationPanelOpen, setIsHostIsolationPanel] = useState(false); - - const [isolateAction, setIsolateAction] = useState<'isolateHost' | 'unisolateHost'>( - 'isolateHost' - ); - - const [isIsolateActionSuccessBannerVisible, setIsIsolateActionSuccessBannerVisible] = - useState(false); - - const showAlertDetails = useCallback(() => { - setIsHostIsolationPanel(false); - setIsIsolateActionSuccessBannerVisible(false); - }, []); - - const showHostIsolationPanel = useCallback((action) => { - if (action === 'isolateHost' || action === 'unisolateHost') { - setIsHostIsolationPanel(true); - setIsolateAction(action); - } - }, []); - - const isAlert = some({ category: 'kibana', field: 'kibana.alert.rule.uuid' }, detailsData); - - const ruleName = useMemo( - () => getFieldValue({ category: 'kibana', field: 'kibana.alert.rule.name' }, detailsData), - [detailsData] - ); - - const alertId = useMemo( - () => getFieldValue({ category: '_id', field: '_id' }, detailsData), - [detailsData] - ); + const { + isolateAction, + isHostIsolationPanelOpen, + isIsolateActionSuccessBannerVisible, + handleIsolationActionSuccess, + showAlertDetails, + showHostIsolationPanel, + } = useHostIsolationTools(); - const hostName = useMemo( - () => getFieldValue({ category: 'host', field: 'host.name' }, detailsData), - [detailsData] - ); + const { alertId, isAlert, hostName, ruleName, timestamp } = + useBasicDataFromDetailsData(detailsData); const [hostRiskLoading, { data, isModuleEnabled }] = useHostRiskScore({ filterQuery: hostName ? buildHostNamesFilter([hostName]) : undefined, @@ -144,105 +89,53 @@ const EventDetailsPanelComponent: React.FC = ({ } : null; - const timestamp = useMemo( - () => getFieldValue({ category: 'base', field: '@timestamp' }, detailsData), - [detailsData] - ); - - const backToAlertDetailsLink = useMemo(() => { - return ( - <> - showAlertDetails()} - > - -

{ALERT_DETAILS}

-
-
- -

{isolateAction === 'isolateHost' ? ISOLATE_HOST : UNISOLATE_HOST}

-
- - ); - }, [showAlertDetails, isolateAction]); - - const caseDetailsRefresh = useWithCaseDetailsRefresh(); - - const handleIsolationActionSuccess = useCallback(() => { - setIsIsolateActionSuccessBannerVisible(true); - // If a case details refresh ref is defined, then refresh actions and comments - if (caseDetailsRefresh) { - caseDetailsRefresh.refreshCase(); - } - }, [caseDetailsRefresh]); - if (!expandedEvent?.eventId) { return null; } return isFlyoutView ? ( <> - - {isHostIsolationPanelOpen ? ( - backToAlertDetailsLink - ) : ( - - )} - - {isIsolateActionSuccessBannerVisible && ( - - )} - - {isHostIsolationPanelOpen ? ( - - ) : ( - - )} - - - {!isReadOnly && ( - - )} + + + ) : ( <> @@ -266,19 +159,18 @@ const EventDetailsPanelComponent: React.FC = ({ hostRisk={hostRisk} handleOnEventClosed={handleOnEventClosed} /> - {!isReadOnly && ( - - )} + ); }; diff --git a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx index b855a0aebb28e..851190d5a2d7d 100644 --- a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx @@ -7,6 +7,7 @@ import { isEmpty } from 'lodash/fp'; import { useCallback, useEffect, useRef, useState } from 'react'; +import ReactDOM from 'react-dom'; import deepEqual from 'fast-deep-equal'; import { Subscription } from 'rxjs'; 
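Review bot: The `!isReadOnly` guard that wrapped the removed footer (`{!isReadOnly && (` … `)}`) has no visible counterpart on the new side of this hunk, and the same removal recurs in the `@@ -266,19 +159,18 @@` hunk below; the replacement element's JSX tags are stripped in this rendering, so it is presumably the `FlyoutFooter` imported above, and whether it receives and honours `isReadOnly` cannot be confirmed from here. If it does not, read-only viewers get back whatever action controls the footer provides, so please confirm the prop is threaded through and the gate is enforced inside the component. A one-line comment at the call site, `// read-only gating is enforced inside FlyoutFooter`, would make that invariant visible to the next reader; the same question applies to the `isHostIsolationPanelOpen` branch that moved into `FlyoutBody`. `EventDetailsPanelComponent` starts and ends outside the hunk.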
@@ -87,11 +88,15 @@ export const useTimelineEventsDetails = ({
 .subscribe({
 next: (response) => {
 if (isCompleteResponse(response)) {
- setLoading(false);
- setTimelineDetailsResponse(response.data || []);
- setRawEventData(response.rawResponse.hits.hits[0]);
- setEcsData(response.ecs || null);
- searchSubscription$.current.unsubscribe();
+ Promise.resolve().then(() => {
+ ReactDOM.unstable_batchedUpdates(() => {
+ setLoading(false);
+ setTimelineDetailsResponse(response.data || []);
+ setRawEventData(response.rawResponse.hits.hits[0]);
+ setEcsData(response.ecs || null);
+ searchSubscription$.current.unsubscribe();
+ });
+ });
 } else if (isErrorResponse(response)) {
 setLoading(false);
 addWarning(i18n.FAIL_TIMELINE_DETAILS);
From bf0136516c1f1fdba6f4e361b8a1e9e5727f84bb Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 12 Jul 2022 04:06:49 +0000
Subject: [PATCH 30/31] [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'
---
 .../common/utils/field_formatters.ts | 2 +-
 .../security_solution/public/cases/pages/index.tsx | 4 +---
 .../security_solution/public/hosts/pages/hosts.tsx | 8 ++------
 .../side_panel/event_details/flyout/index.tsx | 4 +---
 .../side_panel/event_details/index.test.tsx | 5 +----
 .../components/side_panel/hooks/use_detail_panel.tsx | 3 +--
 .../components/timeline/notes_tab_content/index.tsx | 12 ++----------
 .../public/users/pages/details/types.ts | 2 --
 .../security_solution/public/users/pages/users.tsx | 5 +----
 .../factory/cti/event_enrichment/query.ts | 4 ++--
 x-pack/plugins/timelines/public/mock/t_grid.tsx | 2 +-
 11 files changed, 13 insertions(+), 38 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.ts
index 68785f2a71bda..635a82004516d 100644
--- a/x-pack/plugins/security_solution/common/utils/field_formatters.ts
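Review bot: Deferring the success branch through `Promise.resolve().then(...)` means `searchSubscription$.current.unsubscribe()` now runs a microtask after the response, against whatever `searchSubscription$.current` holds at that moment; if the ref can be reassigned in between (a new search starting, or the hook unmounting), the wrong subscription is torn down and the stale one stays open, while the four setters fire against a component that may already be gone. Capturing the subscription before deferring, `const subscription = searchSubscription$.current;` outside the `then` and `subscription.unsubscribe();` inside it, removes the first hazard. `ReactDOM.unstable_batchedUpdates` is an explicitly unstable API, and the hunk gives no reason for the deferral, so a comment such as `// defer to a microtask so the batched state updates run outside the rxjs next() callback — confirm still required` would keep the next maintainer from removing it blindly. The error branch still calls `setLoading(false)` synchronously, so the two paths now behave differently for the same subscription. `useTimelineEventsDetails` starts and ends outside the hunk.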
+++ b/x-pack/plugins/security_solution/common/utils/field_formatters.ts @@ -10,7 +10,7 @@ import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/asset import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; import { isEmpty } from 'lodash/fp'; -import { EventHit, TimelineEventsDetailsItem } from '../search_strategy'; +import type { EventHit, TimelineEventsDetailsItem } from '../search_strategy'; import { toObjectArrayOfStrings, toStringArray } from './to_array'; export const baseCategoryFields = ['@timestamp', 'labels', 'message', 'tags']; diff --git a/x-pack/plugins/security_solution/public/cases/pages/index.tsx b/x-pack/plugins/security_solution/public/cases/pages/index.tsx index b89727ac864fc..fc4a990c45082 100644 --- a/x-pack/plugins/security_solution/public/cases/pages/index.tsx +++ b/x-pack/plugins/security_solution/public/cases/pages/index.tsx @@ -27,9 +27,7 @@ import { DetailsPanel } from '../../timelines/components/side_panel'; import { useFetchAlertData } from './use_fetch_alert_data'; const TimelineDetailsPanel = () => { - const { browserFields, runtimeMappings } = useSourcererDataView( - SourcererScopeName.detections - ); + const { browserFields, runtimeMappings } = useSourcererDataView(SourcererScopeName.detections); return ( { }, [dispatch] ); - const { indicesExist, indexPattern, selectedPatterns, loading } = - useSourcererDataView(); + const { indicesExist, indexPattern, selectedPatterns, loading } = useSourcererDataView(); const [filterQuery, kqlError] = useMemo( () => convertToBuildEsQuery({ @@ -197,10 +196,7 @@ const HostsComponent = () => { + } title={i18n.PAGE_TITLE} border diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx index 0873daf9d9566..a6b38e0382e5f 100644 
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/flyout/index.tsx @@ -26,9 +26,7 @@ export { FlyoutHeader } from './header'; export { FlyoutFooter } from './footer'; export const useToGetInternalFlyout = () => { - const { browserFields, runtimeMappings } = useSourcererDataView( - SourcererScopeName.detections - ); + const { browserFields, runtimeMappings } = useSourcererDataView(SourcererScopeName.detections); const [alert, setAlert] = useState<{ id?: string; indexName?: string }>({ id: undefined, indexName: undefined, diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx index 255b524782a43..e99072a759949 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx @@ -18,10 +18,7 @@ import { useKibana, useGetUserCasesPermissions, } from '../../../../common/lib/kibana'; -import { - mockBrowserFields, - mockRuntimeMappings, -} from '../../../../common/containers/source/mock'; +import { mockBrowserFields, mockRuntimeMappings } from '../../../../common/containers/source/mock'; import { coreMock } from '@kbn/core/public/mocks'; import { mockCasesContext } from '@kbn/cases-plugin/public/mocks/mock_cases_context'; diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/hooks/use_detail_panel.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/hooks/use_detail_panel.tsx index 96298ef1fbc36..0a2eaa8178222 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/hooks/use_detail_panel.tsx 
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/hooks/use_detail_panel.tsx @@ -40,8 +40,7 @@ export const useDetailPanel = ({ timelineId, tabType, }: UseDetailPanelConfig): UseDetailPanelReturn => { - const { browserFields, selectedPatterns, runtimeMappings } = - useSourcererDataView(sourcererScope); + const { browserFields, selectedPatterns, runtimeMappings } = useSourcererDataView(sourcererScope); const getTimeline = useMemo(() => timelineSelectors.getTimelineByIdSelector(), []); const dispatch = useDispatch(); diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx index 9b76067c44847..ea813f516abd0 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx @@ -147,9 +147,7 @@ const NotesTabContentComponent: React.FC = ({ timelineId } noteIds, status: timelineStatus, } = useDeepEqualSelector((state) => getTimelineNotes(state, timelineId)); - const { browserFields, runtimeMappings } = useSourcererDataView( - SourcererScopeName.timeline - ); + const { browserFields, runtimeMappings } = useSourcererDataView(SourcererScopeName.timeline); const getNotesAsCommentsList = useMemo( () => appSelectors.selectNotesAsCommentsListSelector(), @@ -195,13 +193,7 @@ const NotesTabContentComponent: React.FC = ({ timelineId } timelineId={timelineId} /> ) : null, - [ - browserFields, - expandedDetail, - handleOnPanelClosed, - runtimeMappings, - timelineId, - ] + [browserFields, expandedDetail, handleOnPanelClosed, runtimeMappings, timelineId] ); const SidebarContent = useMemo( 
diff --git a/x-pack/plugins/security_solution/public/users/pages/details/types.ts b/x-pack/plugins/security_solution/public/users/pages/details/types.ts index 09a4e08269191..3c6f105e4a072 100644 --- a/x-pack/plugins/security_solution/public/users/pages/details/types.ts +++ b/x-pack/plugins/security_solution/public/users/pages/details/types.ts @@ -11,8 +11,6 @@ import type { InputsModelId } from '../../../common/store/inputs/constants'; import type { UsersQueryProps } from '../types'; import type { NavTab } from '../../../common/components/navigation/types'; -import type { DocValueFields } from '../../../common/containers/source'; - import type { UsersTableType } from '../../store/model'; import type { usersModel } from '../../store'; diff --git a/x-pack/plugins/security_solution/public/users/pages/users.tsx b/x-pack/plugins/security_solution/public/users/pages/users.tsx index bf81b6dc1817b..878324f3b55d1 100644 --- a/x-pack/plugins/security_solution/public/users/pages/users.tsx +++ b/x-pack/plugins/security_solution/public/users/pages/users.tsx @@ -186,10 +186,7 @@ const UsersComponent = () => { + } border title={i18n.PAGE_TITLE} diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.ts index a14fce4fe7853..cef953b5fb557 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.ts 
@@ -5,9 +5,9 @@
 * 2.0.
 */
-import { CtiQueries } from '../../../../../../common/search_strategy/security_solution/cti';
+import type { CtiQueries } from '../../../../../../common/search_strategy/security_solution/cti';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
-import { SecuritySolutionFactory } from '../../types';
+import type { SecuritySolutionFactory } from '../../types';
 import { buildIndicatorShouldClauses } from './helpers';
 export const buildEventEnrichmentQuery: SecuritySolutionFactory['buildDsl'] =
diff --git a/x-pack/plugins/timelines/public/mock/t_grid.tsx b/x-pack/plugins/timelines/public/mock/t_grid.tsx
index 349cdcae1ca64..f0db0e3912773 100644
--- a/x-pack/plugins/timelines/public/mock/t_grid.tsx
+++ b/x-pack/plugins/timelines/public/mock/t_grid.tsx
@@ -8,7 +8,7 @@
 import React from 'react';
 import { ALERT_START, ALERT_STATUS } from '@kbn/rule-data-utils';
 import { TGridIntegratedProps } from '../components/t_grid/integrated';
-import { mockBrowserFields, mockDocValueFields, mockRuntimeMappings } from './browser_fields';
+import { mockBrowserFields, mockRuntimeMappings } from './browser_fields';
 import { mockDataProviders } from './mock_data_providers';
 import { mockTimelineData } from './mock_timeline_data';
 import { ColumnHeaderOptions, TimelineId } from '../../common/types';
From 2270f4ee955a7353281af55567571e08505498a6 Mon Sep 17 00:00:00 2001
From: YulNaumenko
Date: Tue, 12 Jul 2022 08:46:42 -0700
Subject: [PATCH 31/31] Fixed snapshot
---
 .../__snapshots__/index.test.tsx.snap | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
index b7dd50555de88..cece572fdb839 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
@@ -331,11 +331,10 @@ exports[`Details Panel Component DetailsPanel:HostDetails: rendering it should r class="euiDescriptionList__description" > + class="c3" + > + — +
+ class="c3" + > + — +
- — - + aria-label="Loading" + class="euiLoadingSpinner emotion-euiLoadingSpinner-m" + data-test-subj="loading-spinner" + role="progressbar" + />
- — - + aria-label="Loading" + class="euiLoadingSpinner emotion-euiLoadingSpinner-m" + data-test-subj="loading-spinner" + role="progressbar" + />