diff --git a/.buildkite/scripts/steps/storybooks/build_and_upload.ts b/.buildkite/scripts/steps/storybooks/build_and_upload.ts
index 483a5c28a295b..b1135490a2023 100644
--- a/.buildkite/scripts/steps/storybooks/build_and_upload.ts
+++ b/.buildkite/scripts/steps/storybooks/build_and_upload.ts
@@ -18,15 +18,16 @@ const STORYBOOKS = [
'canvas',
'cases',
'cell_actions',
- 'coloring',
'chart_icons',
+ 'cloud_security_posture_packages',
+ 'coloring',
'content_management_examples',
'custom_integrations',
'dashboard_enhanced',
'dashboard',
'data',
- 'logs_explorer',
'embeddable',
+ 'esql_editor',
'expression_error',
'expression_image',
'expression_metric',
@@ -34,28 +35,28 @@ const STORYBOOKS = [
'expression_reveal_image',
'expression_shape',
'expression_tagcloud',
- 'management',
'fleet',
'grouping',
'home',
'infra',
'kibana_react',
+ 'language_documentation_popover',
'lists',
- 'observability',
+ 'logs_explorer',
+ 'management',
'observability_ai_assistant',
'observability_inventory',
'observability_shared',
+ 'observability',
'presentation',
- 'security_solution',
+ 'random_sampling',
'security_solution_packages',
+ 'security_solution',
'serverless',
'shared_ux',
'triggers_actions_ui',
'ui_actions_enhanced',
- 'language_documentation_popover',
'unified_search',
- 'random_sampling',
- 'esql_editor',
];
const GITHUB_CONTEXT = 'Build and Publish Storybooks';
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2992878434c37..42a007776a961 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1911,10 +1911,10 @@ x-pack/plugins/osquery @elastic/security-defend-workflows
/x-pack/plugins/security_solution/public/detections/components/osquery @elastic/security-defend-workflows
# Cloud Defend
-/x-pack/plugins/cloud_defend/ @elastic/kibana-cloud-security-posture
/x-pack/plugins/security_solution/public/cloud_defend @elastic/kibana-cloud-security-posture
# Cloud Security Posture
+x-pack/packages/kbn-cloud-security-posture @elastic/kibana-cloud-security-posture
/x-pack/test_serverless/functional/test_suites/security/config.cloud_security_posture.* @elastic/kibana-cloud-security-posture
/x-pack/plugins/security_solution/public/cloud_security_posture @elastic/kibana-cloud-security-posture
/x-pack/test/api_integration/apis/cloud_security_posture/ @elastic/kibana-cloud-security-posture
diff --git a/packages/kbn-optimizer/src/worker/webpack.config.ts b/packages/kbn-optimizer/src/worker/webpack.config.ts
index 52a837724480d..96a17a6ae7229 100644
--- a/packages/kbn-optimizer/src/worker/webpack.config.ts
+++ b/packages/kbn-optimizer/src/worker/webpack.config.ts
@@ -259,6 +259,27 @@ export function getWebpackConfig(
},
},
},
+ {
+ test: /\.js$/,
+ include: /node_modules[\\\/]@dagrejs/,
+ use: {
+ loader: 'babel-loader',
+ options: {
+ envName: worker.dist ? 'production' : 'development',
+ presets: ['@babel/preset-env'], // Doesn't work with BABEL_PRESET
+ plugins: ['@babel/plugin-proposal-class-properties'],
+ },
+ },
+ },
+ {
+ test: /node_modules[\/\\]@?xyflow[\/\\].*.js$/,
+ loaders: 'babel-loader',
+ options: {
+ envName: worker.dist ? 'production' : 'development',
+ presets: [BABEL_PRESET],
+ plugins: ['@babel/plugin-transform-logical-assignment-operators'],
+ },
+ },
{
test: /\.(html|md|txt|tmpl)$/,
use: {
diff --git a/packages/kbn-storybook/src/webpack.config.ts b/packages/kbn-storybook/src/webpack.config.ts
index b03d78dbbc190..fad795a1e4619 100644
--- a/packages/kbn-storybook/src/webpack.config.ts
+++ b/packages/kbn-storybook/src/webpack.config.ts
@@ -136,6 +136,25 @@ export default ({ config: storybookConfig }: { config: Configuration }) => {
},
},
},
+ {
+ test: /\.js$/,
+ include: /node_modules[\\\/]@dagrejs/,
+ use: {
+ loader: 'babel-loader',
+ options: {
+ presets: ['@babel/preset-env'], // Doesn't work with @kbn/babel-preset/webpack_preset
+ plugins: ['@babel/plugin-proposal-class-properties'],
+ },
+ },
+ },
+ {
+ test: /node_modules[\/\\]@?xyflow[\/\\].*.js$/,
+ loaders: 'babel-loader',
+ options: {
+ presets: [require.resolve('@kbn/babel-preset/webpack_preset')],
+ plugins: ['@babel/plugin-transform-logical-assignment-operators'],
+ },
+ },
],
},
plugins: [new IgnoreNotFoundExportPlugin()],
diff --git a/x-pack/packages/kbn-cloud-security-posture/common/kibana.jsonc b/x-pack/packages/kbn-cloud-security-posture/common/kibana.jsonc
index 21721cfb69f44..f3bd18f10c7a8 100644
--- a/x-pack/packages/kbn-cloud-security-posture/common/kibana.jsonc
+++ b/x-pack/packages/kbn-cloud-security-posture/common/kibana.jsonc
@@ -1,6 +1,5 @@
-
{
- "id": "@kbn/cloud-security-posture-common",
- "owner": "@elastic/kibana-cloud-security-posture",
- "type": "shared-common"
- }
\ No newline at end of file
+ "id": "@kbn/cloud-security-posture-common",
+ "owner": "@elastic/kibana-cloud-security-posture",
+ "type": "shared-common"
+}
diff --git a/x-pack/packages/kbn-cloud-security-posture/common/package.json b/x-pack/packages/kbn-cloud-security-posture/common/package.json
index 8ead7b37ceeb6..37276e735987d 100644
--- a/x-pack/packages/kbn-cloud-security-posture/common/package.json
+++ b/x-pack/packages/kbn-cloud-security-posture/common/package.json
@@ -1,8 +1,8 @@
{
- "name": "@kbn/cloud-security-posture-common",
- "private": true,
- "version": "1.0.0",
- "license": "Elastic License 2.0",
- "description": "Shared components for cloud security posture, both client and server side",
- "sideEffects": false
- }
\ No newline at end of file
+ "name": "@kbn/cloud-security-posture-common",
+ "private": true,
+ "version": "1.0.0",
+ "license": "Elastic License 2.0",
+ "description": "Shared components for cloud security posture, both client and server side",
+ "sideEffects": false
+}
diff --git a/x-pack/packages/kbn-cloud-security-posture/common/schema/graph/v1.ts b/x-pack/packages/kbn-cloud-security-posture/common/schema/graph/v1.ts
index f27ddb397c57c..3d37331b4cc5d 100644
--- a/x-pack/packages/kbn-cloud-security-posture/common/schema/graph/v1.ts
+++ b/x-pack/packages/kbn-cloud-security-posture/common/schema/graph/v1.ts
@@ -71,8 +71,6 @@ export const groupNodeDataSchema = schema.allOf([
export const labelNodeDataSchema = schema.allOf([
nodeBaseDataSchema,
schema.object({
- source: schema.string(),
- target: schema.string(),
shape: schema.literal('label'),
parentId: schema.maybe(schema.string()),
color: colorSchema,
@@ -82,8 +80,6 @@ export const labelNodeDataSchema = schema.allOf([
export const edgeDataSchema = schema.object({
id: schema.string(),
source: schema.string(),
- sourceShape: nodeShapeSchema,
target: schema.string(),
- targetShape: nodeShapeSchema,
color: colorSchema,
});
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/README.md b/x-pack/packages/kbn-cloud-security-posture/graph/README.md
index c67ca622fe414..bde99acb4e7a6 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/README.md
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/README.md
@@ -7,11 +7,104 @@ security solution plugin.
## How to use this
-Standalone examples will follow. In the meantime check out storybook to view the graph's progress.
+### Step 1: Import the Component
-## The most important public api members
+First, import the `Graph` component into your desired file.
-- GraphComponent itself (comming soon..)
+```tsx
+import { Graph } from '@kbn/cloud-security-posture-graph';
+```
+
+### Step 2: Prepare the Data
+
+Create the nodes and edges data models. These should follow the `NodeViewModel` and `EdgeViewModel` interfaces.
+
+```tsx
+const nodes: NodeViewModel[] = [
+ {
+ id: 'node1',
+ label: 'Node 1',
+ color: 'primary',
+ shape: 'ellipse',
+ icon: 'user',
+ },
+ {
+ id: 'node2',
+ label: 'Node 2',
+ color: 'primary',
+ shape: 'hexagon',
+ icon: 'questionInCircle',
+ },
+];
+
+const edges: EdgeViewModel[] = [
+ {
+ id: 'edge1',
+ source: 'node1',
+ target: 'node2',
+ color: 'primary',
+ },
+];
+```
+
+### Step 3: Render the Component
+
+Use the `Graph` component in your JSX/TSX, passing the nodes, edges, and interactivity flag as props.
+
+```tsx
+
+```
+
+### Example Usage
+
+Here is a complete example of how to use the `Graph` component in a React component.
+
+```tsx
+import React from 'react';
+import { Graph } from '@kbn/cloud-security-posture-graph';
+import type { NodeViewModel, EdgeViewModel } from '@kbn/cloud-security-posture-graph';
+
+const App: React.FC = () => {
+ const nodes: NodeViewModel[] = [
+ {
+ id: 'node1',
+ label: 'Node 1',
+ color: 'primary',
+ shape: 'ellipse',
+ icon: 'user',
+ },
+ {
+ id: 'node2',
+ label: 'Node 2',
+ color: 'primary',
+ shape: 'hexagon',
+ icon: 'questionInCircle',
+ },
+ ];
+
+ const edges: EdgeViewModel[] = [
+ {
+ id: 'edge1',
+ source: 'node1',
+ target: 'node2',
+ color: 'primary',
+ },
+ ];
+
+ return (
+
+
Graph Visualization
+
+
+ );
+};
+
+export default App;
+```
+
+### Storybook Example
+
+You can also see how the `Graph` component is used in the Storybook file `graph_layout.stories.tsx`.
### Extras
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/index.ts b/x-pack/packages/kbn-cloud-security-posture/graph/index.ts
index 1fec1c76430eb..c50969cfd6402 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/index.ts
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/index.ts
@@ -4,3 +4,5 @@
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
+
+export * from './src/components';
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/jest.config.js b/x-pack/packages/kbn-cloud-security-posture/graph/jest.config.js
index 9e295d0f4d626..3b8fbbd9384a4 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/jest.config.js
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/jest.config.js
@@ -9,4 +9,6 @@ module.exports = {
preset: '@kbn/test',
roots: ['/x-pack/packages/kbn-cloud-security-posture/graph'],
rootDir: '../../../..',
+ setupFiles: ['jest-canvas-mock'],
+ setupFilesAfterEnv: ['/x-pack/packages/kbn-cloud-security-posture/graph/setup_tests.ts'],
};
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/kibana.jsonc b/x-pack/packages/kbn-cloud-security-posture/graph/kibana.jsonc
index 455f1607a22a2..513861b347059 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/kibana.jsonc
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/kibana.jsonc
@@ -1,5 +1,5 @@
{
- "type": "shared-browser",
"id": "@kbn/cloud-security-posture-graph",
- "owner": "@elastic/kibana-cloud-security-posture"
+ "owner": "@elastic/kibana-cloud-security-posture",
+ "type": "shared-browser"
}
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/setup_tests.ts b/x-pack/packages/kbn-cloud-security-posture/graph/setup_tests.ts
new file mode 100644
index 0000000000000..7f6858c0fd40d
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/setup_tests.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+// eslint-disable-next-line @kbn/imports/no_boundary_crossing
+import { mockReactFlow } from './src/components/mock/react_flow';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import '@testing-library/jest-dom';
+
+mockReactFlow();
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/graph.test.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/graph.test.tsx
new file mode 100644
index 0000000000000..18ba84207f962
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/graph.test.tsx
@@ -0,0 +1,110 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { render } from '@testing-library/react';
+import React from 'react';
+import { Graph, type GraphProps } from './graph';
+import { TestProviders } from '../mock/test_providers';
+
+const renderGraphPreview = (props: GraphProps) =>
+ render(
+
+
+
+ );
+
+describe('', () => {
+ it('should render empty graph', () => {
+ const { container } = renderGraphPreview({
+ nodes: [],
+ edges: [],
+ interactive: false,
+ });
+
+ expect(container).not.toBeNull();
+ const nodes = container.querySelectorAll('.react-flow__nodes .react-flow__node');
+ expect(nodes).toHaveLength(0);
+ });
+
+ it('should render hexagon node', () => {
+ const { container } = renderGraphPreview({
+ nodes: [
+ {
+ id: '1',
+ label: 'Node 1',
+ color: 'primary',
+ shape: 'hexagon',
+ },
+ ],
+ edges: [],
+ interactive: false,
+ });
+
+ const nodeEl = container.querySelector('[data-id="1"]');
+ expect(nodeEl).not.toBeNull();
+ expect(nodeEl?.textContent).toBe('Node 1');
+ });
+
+ it('should render label node', () => {
+ const { container } = renderGraphPreview({
+ nodes: [
+ {
+ id: '2',
+ label: 'Node 2',
+ color: 'primary',
+ shape: 'label',
+ },
+ ],
+ edges: [],
+ interactive: false,
+ });
+
+ const nodeEl = container.querySelector('[data-id="2"]');
+ expect(nodeEl).not.toBeNull();
+ expect(nodeEl?.textContent).toBe('Node 2');
+ });
+
+ it('should render 2 nodes connected', () => {
+ const { container } = renderGraphPreview({
+ nodes: [
+ {
+ id: '1',
+ label: 'Node 1',
+ color: 'primary',
+ shape: 'hexagon',
+ },
+ {
+ id: '2',
+ label: 'Node 2',
+ color: 'primary',
+ shape: 'label',
+ },
+ ],
+ edges: [
+ {
+ id: 'a(1)-b(2)',
+ color: 'primary',
+ source: '1',
+ target: '2',
+ },
+ ],
+ interactive: false,
+ });
+
+ const srcNodeEl = container.querySelector('[data-id="1"]');
+ expect(srcNodeEl).not.toBeNull();
+ expect(srcNodeEl?.textContent).toBe('Node 1');
+
+ const targetNodeEl = container.querySelector('[data-id="2"]');
+ expect(targetNodeEl).not.toBeNull();
+ expect(targetNodeEl?.textContent).toBe('Node 2');
+
+ // TODO: Fix this test (currently it is not rendered in xyflow version 12) https://github.com/xyflow/xyflow/issues/716#issuecomment-2414721074
+ // const edgeEl = container.querySelector('[data-id="a(1)-b(2)"]');
+ // expect(edgeEl).not.toBeNull();
+ });
+});
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/graph.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/graph.tsx
new file mode 100644
index 0000000000000..eca9872d73897
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/graph.tsx
@@ -0,0 +1,204 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { useMemo, useRef, useState, useCallback } from 'react';
+import {
+ Background,
+ Controls,
+ Position,
+ ReactFlow,
+ useEdgesState,
+ useNodesState,
+} from '@xyflow/react';
+import type { Edge, Node } from '@xyflow/react';
+import type { CommonProps } from '@elastic/eui';
+import { SvgDefsMarker } from '../edge/styles';
+import {
+ HexagonNode,
+ PentagonNode,
+ EllipseNode,
+ RectangleNode,
+ DiamondNode,
+ LabelNode,
+ EdgeGroupNode,
+} from '../node';
+import { layoutGraph } from './layout_graph';
+import { DefaultEdge } from '../edge';
+import type { EdgeViewModel, NodeViewModel } from '../types';
+
+import '@xyflow/react/dist/style.css';
+
+export interface GraphProps extends CommonProps {
+ nodes: NodeViewModel[];
+ edges: EdgeViewModel[];
+ interactive: boolean;
+}
+
+const nodeTypes = {
+ hexagon: HexagonNode,
+ pentagon: PentagonNode,
+ ellipse: EllipseNode,
+ rectangle: RectangleNode,
+ diamond: DiamondNode,
+ label: LabelNode,
+ group: EdgeGroupNode,
+};
+
+const edgeTypes = {
+ default: DefaultEdge,
+};
+
+/**
+ * Graph component renders a graph visualization using ReactFlow.
+ * It takes nodes and edges as input and provides interactive controls
+ * for panning, zooming, and manipulating the graph.
+ *
+ * @component
+ * @param {GraphProps} props - The properties for the Graph component.
+ * @param {NodeViewModel[]} props.nodes - Array of node view models to be rendered in the graph.
+ * @param {EdgeViewModel[]} props.edges - Array of edge view models to be rendered in the graph.
+ * @param {boolean} props.interactive - Flag to enable or disable interactivity (panning, zooming, etc.).
+ * @param {CommonProps} [props.rest] - Additional common properties.
+ *
+ * @returns {JSX.Element} The rendered Graph component.
+ */
+export const Graph: React.FC = ({ nodes, edges, interactive, ...rest }) => {
+ const layoutCalled = useRef(false);
+ const [isGraphLocked, setIsGraphLocked] = useState(interactive);
+ const { initialNodes, initialEdges } = useMemo(
+ () => processGraph(nodes, edges, isGraphLocked),
+ [nodes, edges, isGraphLocked]
+ );
+
+ const [nodesState, setNodes, onNodesChange] = useNodesState(initialNodes);
+ const [edgesState, _setEdges, onEdgesChange] = useEdgesState(initialEdges);
+
+ if (!layoutCalled.current) {
+ const { nodes: layoutedNodes } = layoutGraph(nodesState, edgesState);
+ setNodes(layoutedNodes);
+ layoutCalled.current = true;
+ }
+
+ const onInteractiveStateChange = useCallback(
+ (interactiveStatus: boolean): void => {
+ setIsGraphLocked(interactiveStatus);
+ setNodes((prevNodes) =>
+ prevNodes.map((node) => ({
+ ...node,
+ data: {
+ ...node.data,
+ interactive: interactiveStatus,
+ },
+ }))
+ );
+ },
+ [setNodes]
+ );
+
+ return (
+
+
+ {
+ window.requestAnimationFrame(() => xyflow.fitView());
+
+ // When the graph is not initialized as interactive, we need to fit the view on resize
+ if (!interactive) {
+ const resizeObserver = new ResizeObserver(() => {
+ xyflow.fitView();
+ });
+ resizeObserver.observe(document.querySelector('.react-flow') as Element);
+ return () => resizeObserver.disconnect();
+ }
+ }}
+ nodeTypes={nodeTypes}
+ edgeTypes={edgeTypes}
+ nodes={nodesState}
+ edges={edgesState}
+ onNodesChange={onNodesChange}
+ onEdgesChange={onEdgesChange}
+ proOptions={{ hideAttribution: true }}
+ panOnDrag={isGraphLocked}
+ zoomOnScroll={isGraphLocked}
+ zoomOnPinch={isGraphLocked}
+ zoomOnDoubleClick={isGraphLocked}
+ preventScrolling={isGraphLocked}
+ nodesDraggable={interactive && isGraphLocked}
+ maxZoom={1.3}
+ >
+ {interactive && }
+
+
+
+ );
+};
+
+const processGraph = (
+ nodesModel: NodeViewModel[],
+ edgesModel: EdgeViewModel[],
+ interactive: boolean
+): {
+ initialNodes: Array>;
+ initialEdges: Array>;
+} => {
+ const nodesById: { [key: string]: NodeViewModel } = {};
+
+ const initialNodes = nodesModel.map((nodeData) => {
+ nodesById[nodeData.id] = nodeData;
+
+ const node: Node = {
+ id: nodeData.id,
+ type: nodeData.shape,
+ data: { ...nodeData, interactive },
+ position: { x: 0, y: 0 }, // Default position, should be updated later
+ };
+
+ if (node.type === 'group' && nodeData.shape === 'group') {
+ node.sourcePosition = Position.Right;
+ node.targetPosition = Position.Left;
+ node.resizing = false;
+ node.focusable = false;
+ } else if (nodeData.shape === 'label' && nodeData.parentId) {
+ node.parentId = nodeData.parentId;
+ node.extent = 'parent';
+ node.expandParent = false;
+ node.draggable = false;
+ }
+
+ return node;
+ });
+
+ const initialEdges: Array> = edgesModel.map((edgeData) => {
+ const isIn =
+ nodesById[edgeData.source].shape !== 'label' && nodesById[edgeData.target].shape === 'group';
+ const isInside =
+ nodesById[edgeData.source].shape === 'group' && nodesById[edgeData.target].shape === 'label';
+ const isOut =
+ nodesById[edgeData.source].shape === 'label' && nodesById[edgeData.target].shape === 'group';
+ const isOutside =
+ nodesById[edgeData.source].shape === 'group' && nodesById[edgeData.target].shape !== 'label';
+
+ return {
+ id: edgeData.id,
+ type: 'default',
+ source: edgeData.source,
+ sourceHandle: isInside ? 'inside' : isOutside ? 'outside' : undefined,
+ target: edgeData.target,
+ targetHandle: isIn ? 'in' : isOut ? 'out' : undefined,
+ focusable: false,
+ selectable: false,
+ data: {
+ ...edgeData,
+ sourceShape: nodesById[edgeData.source].shape,
+ targetShape: nodesById[edgeData.target].shape,
+ },
+ };
+ });
+
+ return { initialNodes, initialEdges };
+};
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/layout_graph.ts b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/layout_graph.ts
index d9f637483c115..868461f99cdee 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/layout_graph.ts
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph/layout_graph.ts
@@ -6,18 +6,16 @@
*/
import Dagre from '@dagrejs/dagre';
-import type {
- EdgeDataModel,
- NodeDataModel,
-} from '@kbn/cloud-security-posture-common/types/graph/latest';
-import type { NodeViewModel, Size } from '../types';
+import type { Node, Edge } from '@xyflow/react';
+import type { EdgeViewModel, NodeViewModel, Size } from '../types';
import { calcLabelSize } from './utils';
+import { GroupStyleOverride, NODE_HEIGHT, NODE_WIDTH } from '../node/styles';
export const layoutGraph = (
- nodes: NodeDataModel[],
- edges: EdgeDataModel[]
-): { nodes: NodeViewModel[] } => {
- const nodesById: { [key: string]: NodeViewModel } = {};
+ nodes: Array>,
+ edges: Array>
+): { nodes: Array> } => {
+ const nodesById: { [key: string]: Node } = {};
const graphOpts = {
compound: true,
};
@@ -29,28 +27,27 @@ export const layoutGraph = (
edges.forEach((edge) => g.setEdge(edge.source, edge.target));
nodes.forEach((node) => {
- let size = { width: 90, height: 90 };
- const position = { x: 0, y: 0 };
+ let size = { width: NODE_WIDTH, height: node.measured?.height ?? NODE_HEIGHT };
- if (node.shape === 'label') {
- size = calcLabelSize(node.label);
+ if (node.data.shape === 'label') {
+ size = calcLabelSize(node.data.label);
// TODO: waiting for a fix: https://github.com/dagrejs/dagre/issues/238
// if (node.parentId) {
// g.setParent(node.id, node.parentId);
// }
- } else if (node.shape === 'group') {
+ } else if (node.data.shape === 'group') {
const res = layoutGroupChildren(node, nodes);
size = res.size;
res.children.forEach((child) => {
- nodesById[child.id] = { ...child };
+ nodesById[child.data.id] = child;
});
}
if (!nodesById[node.id]) {
- nodesById[node.id] = { ...node, position };
+ nodesById[node.id] = node;
}
g.setNode(node.id, {
@@ -61,8 +58,8 @@ export const layoutGraph = (
Dagre.layout(g);
- const nodesViewModel: NodeViewModel[] = nodes.map((nodeData) => {
- const dagreNode = g.node(nodeData.id);
+ const layoutedNodes = nodes.map((node) => {
+ const dagreNode = g.node(node.data.id);
// We are shifting the dagre node position (anchor=center center) to the top left
// so it matches the React Flow node anchor point (top left).
@@ -70,37 +67,43 @@ export const layoutGraph = (
const y = dagreNode.y - (dagreNode.height ?? 0) / 2;
// For grouped nodes, we want to keep the original position relative to the parent
- if (nodeData.shape === 'label' && nodeData.parentId) {
+ if (node.data.shape === 'label' && node.data.parentId) {
return {
- ...nodeData,
- position: nodesById[nodeData.id].position,
+ ...node,
+ position: nodesById[node.data.id].position,
};
- } else if (nodeData.shape === 'group') {
+ } else if (node.data.shape === 'group') {
return {
- ...nodeData,
+ ...node,
position: { x, y },
- size: {
+ style: GroupStyleOverride({
width: dagreNode.width,
height: dagreNode.height,
- },
+ }),
+ };
+ } else if (node.data.shape === 'label') {
+ return {
+ ...node,
+ position: { x, y },
+ };
+ } else {
+ // Align nodes to labels by shifting the node position by it's label height
+ return {
+ ...node,
+ position: { x, y: y + (dagreNode.height - NODE_HEIGHT) / 2 },
};
}
-
- return {
- ...nodeData,
- position: { x, y },
- };
});
- return { nodes: nodesViewModel };
+ return { nodes: layoutedNodes };
};
const layoutGroupChildren = (
- groupNode: NodeDataModel,
- nodes: NodeDataModel[]
-): { size: Size; children: NodeViewModel[] } => {
+ groupNode: Node,
+ nodes: Array>
+): { size: Size; children: Array> } => {
const children = nodes.filter(
- (child) => child.shape === 'label' && child.parentId === groupNode.id
+ (child) => child.data.shape === 'label' && child.parentId === groupNode.id
);
const STACK_VERTICAL_PADDING = 20;
@@ -108,7 +111,7 @@ const layoutGroupChildren = (
const PADDING = 20;
const stackSize = children.length;
const allChildrenHeight = children.reduce(
- (prevHeight, node) => prevHeight + calcLabelSize(node.label).height,
+ (prevHeight, node) => prevHeight + calcLabelSize(node.data.label).height,
0
);
const stackHeight = Math.max(
@@ -118,23 +121,21 @@ const layoutGroupChildren = (
const space = (stackHeight - allChildrenHeight) / (stackSize - 1);
const groupNodeWidth = children.reduce((acc, child) => {
- const currLblWidth = PADDING * 2 + calcLabelSize(child.label).width;
+ const currLblWidth = PADDING * 2 + calcLabelSize(child.data.label).width;
return Math.max(acc, currLblWidth);
}, 0);
// Layout children relative to parent
- const positionedChildren: NodeViewModel[] = children.map((child, index) => {
- const childSize = calcLabelSize(child.label);
- const childPosition = {
+ children.forEach((child, index) => {
+ const childSize = calcLabelSize(child.data.label);
+ child.position = {
x: groupNodeWidth / 2 - childSize.width / 2,
y: index * (childSize.height * 2 + space),
};
-
- return { ...child, position: childPosition };
});
return {
size: { width: groupNodeWidth, height: stackHeight },
- children: positionedChildren,
+ children,
};
};
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/dagree_layout_graph.stories.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph_layout.stories.tsx
similarity index 76%
rename from x-pack/packages/kbn-cloud-security-posture/graph/src/components/dagree_layout_graph.stories.tsx
rename to x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph_layout.stories.tsx
index 94bc7e8af353b..140e81238d390 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/dagree_layout_graph.stories.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/graph_layout.stories.tsx
@@ -7,68 +7,40 @@
import React from 'react';
import { ThemeProvider } from '@emotion/react';
-import {
- ReactFlow,
- Controls,
- Background,
- Node,
- Edge,
- Position,
- useNodesState,
- useEdgesState,
-} from '@xyflow/react';
import { Story } from '@storybook/react';
-import type {
- EdgeDataModel,
- LabelNodeDataModel,
- NodeDataModel,
-} from '@kbn/cloud-security-posture-common/types/graph/latest';
import { Writable } from '@kbn/utility-types';
-import {
- HexagonNode,
- PentagonNode,
- EllipseNode,
- RectangleNode,
- DiamondNode,
- LabelNode,
- EdgeGroupNode,
-} from './node';
-import type { NodeViewModel } from './types';
-import { DefaultEdge } from './edge';
-import { SvgDefsMarker } from './edge/styles';
-import { GroupStyleOverride } from './node/styles';
-
-import '@xyflow/react/dist/style.css';
-import { layoutGraph } from './graph/layout_graph';
+import { css } from '@emotion/react';
+import type {
+ EdgeViewModel,
+ LabelNodeViewModel,
+ NodeViewModel,
+ EntityNodeViewModel,
+ GroupNodeViewModel,
+} from '.';
+import { Graph } from '.';
export default {
- title: 'Components/Graph Components/Dagree Layout Graph',
+ title: 'Components/Graph Components/Graph Layout',
description: 'CDR - Graph visualization',
-};
-
-const nodeTypes = {
- hexagon: HexagonNode,
- pentagon: PentagonNode,
- ellipse: EllipseNode,
- rectangle: RectangleNode,
- diamond: DiamondNode,
- label: LabelNode,
- group: EdgeGroupNode,
-};
-
-const edgeTypes = {
- default: DefaultEdge,
+ argTypes: {
+ interactive: { control: 'boolean', defaultValue: true },
+ },
};
interface GraphData {
- nodes: NodeDataModel[];
- edges: EdgeDataModel[];
+ nodes: NodeViewModel[];
+ edges: EdgeViewModel[];
interactive: boolean;
}
+type EnhancedNodeViewModel =
+ | EntityNodeViewModel
+ | GroupNodeViewModel
+ | (LabelNodeViewModel & { source: string; target: string });
+
const extractEdges = (
- graphData: NodeDataModel[]
-): { nodes: NodeDataModel[]; edges: EdgeDataModel[] } => {
+ graphData: EnhancedNodeViewModel[]
+): { nodes: NodeViewModel[]; edges: EdgeViewModel[] } => {
// Process nodes, transform nodes of id in the format of a(source)-b(target) to edges from a to label and from label to b
// If there are multiple edges from a to b, create a parent node and group the labels under it. The parent node will be a group node.
// Connect from a to the group node and from the group node to all the labels. and from the labels to the group again and from the group to b.
@@ -77,14 +49,14 @@ const extractEdges = (
[key: string]: { source: string; target: string; edgesStacked: number; edges: string[] };
} = {};
const labelsMetadata: {
- [key: string]: { source: string; target: string; labelsNodes: LabelNodeDataModel[] };
+ [key: string]: { source: string; target: string; labelsNodes: LabelNodeViewModel[] };
} = {};
- const nodes: { [key: string]: NodeDataModel } = {};
- const edges: EdgeDataModel[] = [];
+ const nodes: { [key: string]: NodeViewModel } = {};
+ const edges: EdgeViewModel[] = [];
graphData.forEach((node) => {
if (node.shape === 'label') {
- const labelNode = { ...node, id: `${node.id}label(${node.label})` };
+ const labelNode: LabelNodeViewModel = { ...node, id: `${node.id}label(${node.label})` };
const { source, target } = node;
if (labelsMetadata[node.id]) {
@@ -119,7 +91,7 @@ const extractEdges = (
Object.values(labelsMetadata).forEach((edge) => {
if (edge.labelsNodes.length > 1) {
- const groupNode: NodeDataModel = {
+ const groupNode: NodeViewModel = {
id: `grp(a(${edge.source})-b(${edge.target}))`,
shape: 'group',
};
@@ -143,7 +115,7 @@ const extractEdges = (
color: edge.labelsNodes[0].color,
});
- edge.labelsNodes.forEach((labelNode: Writable) => {
+ edge.labelsNodes.forEach((labelNode: Writable) => {
labelNode.parentId = groupNode.id;
edges.push({
@@ -189,28 +161,18 @@ const extractEdges = (
return { nodes: Object.values(nodes).reverse(), edges };
};
-const Template: Story = ({ nodes, edges }: GraphData) => {
- const { initialNodes, initialEdges } = processGraph(nodes, edges);
-
- const [nodesState, _setNodes, onNodesChange] = useNodesState(initialNodes);
- const [edgesState, _setEdges, onEdgesChange] = useEdgesState(initialEdges);
-
+const Template: Story = ({ nodes, edges, interactive }: GraphData) => {
return (
-
-
-
-
-
+
);
};
@@ -359,8 +321,8 @@ GroupWithWarningAPIMock.args = {
],
};
-export const Graph = Template.bind({});
-const baseGraph: NodeDataModel[] = [
+export const LargeGraph = Template.bind({});
+const baseGraph: EnhancedNodeViewModel[] = [
{
id: 'siem-windows',
label: '',
@@ -483,7 +445,7 @@ const baseGraph: NodeDataModel[] = [
},
];
-Graph.args = {
+LargeGraph.args = {
...extractEdges(baseGraph),
};
@@ -541,67 +503,3 @@ GraphStackedEdgeCases.args = {
},
]),
};
-
-function processGraph(
- nodesModel: NodeDataModel[],
- edgesModel: EdgeDataModel[]
-): {
- initialNodes: Node[];
- initialEdges: Edge[];
-} {
- const { nodes: nodesViewModel } = layoutGraph(nodesModel, edgesModel);
-
- const nodesById: { [key: string]: NodeViewModel } = {};
-
- const initialNodes = nodesViewModel.map((nodeData) => {
- nodesById[nodeData.id] = nodeData;
-
- const node: Node = {
- id: nodeData.id,
- type: nodeData.shape,
- data: { ...nodeData, interactive: true },
- position: nodeData.position,
- draggable: true,
- };
-
- if (node.type === 'group' && nodeData.shape === 'group') {
- node.sourcePosition = Position.Right;
- node.targetPosition = Position.Left;
- node.resizing = false;
- node.style = GroupStyleOverride({
- width: nodeData.size?.width ?? 0,
- height: nodeData.size?.height ?? 0,
- });
- } else if (nodeData.shape === 'label' && nodeData.parentId) {
- node.parentId = nodeData.parentId;
- node.extent = 'parent';
- node.expandParent = false;
- node.draggable = false;
- }
-
- return node;
- });
-
- const initialEdges: Edge[] = edgesModel.map((edgeData) => {
- const isIn =
- nodesById[edgeData.source].shape !== 'label' && nodesById[edgeData.target].shape === 'group';
- const isInside =
- nodesById[edgeData.source].shape === 'group' && nodesById[edgeData.target].shape === 'label';
- const isOut =
- nodesById[edgeData.source].shape === 'label' && nodesById[edgeData.target].shape === 'group';
- const isOutside =
- nodesById[edgeData.source].shape === 'group' && nodesById[edgeData.target].shape !== 'label';
-
- return {
- id: edgeData.id,
- type: 'default',
- source: edgeData.source,
- sourceHandle: isInside ? 'inside' : isOutside ? 'outside' : undefined,
- target: edgeData.target,
- targetHandle: isIn ? 'in' : isOut ? 'out' : undefined,
- data: { ...edgeData },
- };
- });
-
- return { initialNodes, initialEdges };
-}
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/index.ts b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/index.ts
index 1fec1c76430eb..5b2f8d71323bb 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/index.ts
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/index.ts
@@ -4,3 +4,14 @@
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
+
+export { Graph } from './graph/graph';
+export type { GraphProps } from './graph/graph';
+export type {
+ NodeViewModel,
+ EdgeViewModel,
+ GroupNodeViewModel,
+ LabelNodeViewModel,
+ EntityNodeViewModel,
+ NodeProps,
+} from './types';
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/mock/react_flow.ts b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/mock/react_flow.ts
new file mode 100644
index 0000000000000..35282dedcc6de
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/mock/react_flow.ts
@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/* eslint-disable max-classes-per-file */
+
+// Copied from https://reactflow.dev/learn/advanced-use/testing#using-jest
+
+// To make sure that the tests are working, it's important that you are using
+// this implementation of ResizeObserver and DOMMatrixReadOnly
+class ResizeObserver {
+ callback: globalThis.ResizeObserverCallback;
+
+ constructor(callback: globalThis.ResizeObserverCallback) {
+ this.callback = callback;
+ }
+
+ observe(target: Element) {
+ this.callback([{ target } as globalThis.ResizeObserverEntry], this);
+ }
+
+ unobserve() {}
+
+ disconnect() {}
+}
+
+class DOMMatrixReadOnly {
+ m22: number;
+ constructor(transform: string) {
+ const scale = transform?.match(/scale\(([1-9.])\)/)?.[1];
+ this.m22 = scale !== undefined ? +scale : 1;
+ }
+}
+
+// Only run the shim once when requested
+let init = false;
+
+export const mockReactFlow = () => {
+ if (init) return;
+ init = true;
+
+ global.ResizeObserver = ResizeObserver;
+
+ // @ts-ignore
+ global.DOMMatrixReadOnly = DOMMatrixReadOnly;
+
+ Object.defineProperties(global.HTMLElement.prototype, {
+ offsetHeight: {
+ get() {
+ return parseFloat(this.style.height) || 1;
+ },
+ },
+ offsetWidth: {
+ get() {
+ return parseFloat(this.style.width) || 1;
+ },
+ },
+ });
+
+ (global.SVGElement as any).prototype.getBBox = () => ({
+ x: 0,
+ y: 0,
+ width: 0,
+ height: 0,
+ });
+};
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/mock/test_providers.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/mock/test_providers.tsx
new file mode 100644
index 0000000000000..3d07c1c6037ed
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/mock/test_providers.tsx
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { euiDarkVars } from '@kbn/ui-theme';
+import { ThemeProvider } from '@emotion/react';
+
+interface Props {
+ children?: React.ReactNode;
+}
+
+/** A utility for wrapping children in the providers required to run most tests */
+export const TestProvidersComponent: React.FC = ({ children }) => {
+ return (
+ ({ eui: euiDarkVars, darkMode: true })}>{children}
+ );
+};
+
+export const TestProviders = React.memo(TestProvidersComponent);
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/button.stories.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/button.stories.tsx
index 5e6e4cd37b432..4a034c05ee166 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/button.stories.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/button.stories.tsx
@@ -8,7 +8,7 @@
import React from 'react';
import { ThemeProvider } from '@emotion/react';
import { Story } from '@storybook/react';
-import { NodeButton, type NodeButtonProps, NodeContainer } from './styles';
+import { NodeButton, type NodeButtonProps, NodeShapeContainer } from './styles';
export default {
title: 'Components/Graph Components',
@@ -20,10 +20,10 @@ export default {
const Template: Story = (args) => (
-
+
Hover me
-
+
);
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/diamond_node.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/diamond_node.tsx
index 76e7a3cd9eeeb..f96068061a433 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/diamond_node.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/diamond_node.tsx
@@ -10,7 +10,7 @@ import { useEuiBackgroundColor, useEuiTheme } from '@elastic/eui';
import { Handle, Position } from '@xyflow/react';
import type { EntityNodeViewModel, NodeProps } from '../types';
import {
- NodeContainer,
+ NodeShapeContainer,
NodeLabel,
NodeShapeOnHoverSvg,
NodeShapeSvg,
@@ -18,6 +18,7 @@ import {
NodeButton,
HandleStyleOverride,
} from './styles';
+import { DiamondHoverShape, DiamondShape } from './shapes/diamond_shape';
const NODE_WIDTH = 99;
const NODE_HEIGHT = 98;
@@ -27,59 +28,55 @@ export const DiamondNode: React.FC = memo((props: NodeProps) => {
props.data as EntityNodeViewModel;
const { euiTheme } = useEuiTheme();
return (
-
- {interactive && (
-
+
+ {interactive && (
+
+
+
+ )}
+
-
-
- )}
-
- }
+
+ {interactive && (
+ expandButtonClick?.(e, props)}
+ x={`${NODE_WIDTH - NodeButton.ExpandButtonSize}px`}
+ y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2 - 4}px`}
+ />
+ )}
+
- {icon && }
-
- {interactive && (
- expandButtonClick?.(e, props)}
- x={`${NODE_WIDTH - NodeButton.ExpandButtonSize}px`}
- y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2 - 4}px`}
+
- )}
-
-
+
{Boolean(label) ? label : id}
-
+ >
);
});
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/ellipse_node.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/ellipse_node.tsx
index 3359905196b9d..987b9d7577812 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/ellipse_node.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/ellipse_node.tsx
@@ -9,7 +9,7 @@ import React, { memo } from 'react';
import { useEuiBackgroundColor, useEuiTheme } from '@elastic/eui';
import { Handle, Position } from '@xyflow/react';
import {
- NodeContainer,
+ NodeShapeContainer,
NodeLabel,
NodeShapeOnHoverSvg,
NodeShapeSvg,
@@ -18,6 +18,7 @@ import {
HandleStyleOverride,
} from './styles';
import type { EntityNodeViewModel, NodeProps } from '../types';
+import { EllipseHoverShape, EllipseShape } from './shapes/ellipse_shape';
const NODE_WIDTH = 90;
const NODE_HEIGHT = 90;
@@ -27,63 +28,55 @@ export const EllipseNode: React.FC = memo((props: NodeProps) => {
props.data as EntityNodeViewModel;
const { euiTheme } = useEuiTheme();
return (
-
- {interactive && (
-
+
+ {interactive && (
+
+
+
+ )}
+
-
-
- )}
-
- }
+
+ {interactive && (
+ expandButtonClick?.(e, props)}
+ x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 2}px`}
+ y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2}px`}
+ />
+ )}
+
- {icon && }
-
- {interactive && (
- expandButtonClick?.(e, props)}
- x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 2}px`}
- y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2}px`}
+
- )}
-
-
+
{Boolean(label) ? label : id}
-
+ >
);
});
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/hexagon_node.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/hexagon_node.tsx
index dee8df697c844..0bd8c33fc6484 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/hexagon_node.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/hexagon_node.tsx
@@ -9,7 +9,7 @@ import React, { memo } from 'react';
import { useEuiBackgroundColor, useEuiTheme } from '@elastic/eui';
import { Handle, Position } from '@xyflow/react';
import {
- NodeContainer,
+ NodeShapeContainer,
NodeLabel,
NodeShapeOnHoverSvg,
NodeShapeSvg,
@@ -18,6 +18,7 @@ import {
HandleStyleOverride,
} from './styles';
import type { EntityNodeViewModel, NodeProps } from '../types';
+import { HexagonHoverShape, HexagonShape } from './shapes/hexagon_shape';
const NODE_WIDTH = 87;
const NODE_HEIGHT = 96;
@@ -27,59 +28,55 @@ export const HexagonNode: React.FC = memo((props: NodeProps) => {
props.data as EntityNodeViewModel;
const { euiTheme } = useEuiTheme();
return (
-
- {interactive && (
-
+
+ {interactive && (
+
+
+
+ )}
+
-
-
- )}
-
- }
+
+ {interactive && (
+ expandButtonClick?.(e, props)}
+ x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 2 + 2}px`}
+ y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2 - 2}px`}
+ />
+ )}
+
- {icon && }
-
- {interactive && (
- expandButtonClick?.(e, props)}
- x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 2 + 2}px`}
- y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2 - 2}px`}
+
- )}
-
-
+
{Boolean(label) ? label : id}
-
+ >
);
});
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/pentagon_node.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/pentagon_node.tsx
index 74ea8c05b5940..f2282e9fa2d7d 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/pentagon_node.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/pentagon_node.tsx
@@ -10,7 +10,7 @@ import { useEuiBackgroundColor, useEuiTheme } from '@elastic/eui';
import styled from '@emotion/styled';
import { Handle, Position } from '@xyflow/react';
import {
- NodeContainer,
+ NodeShapeContainer,
NodeLabel,
NodeShapeOnHoverSvg,
NodeShapeSvg,
@@ -19,6 +19,7 @@ import {
HandleStyleOverride,
} from './styles';
import type { EntityNodeViewModel, NodeProps } from '../types';
+import { PentagonHoverShape, PentagonShape } from './shapes/pentagon_shape';
const PentagonShapeOnHover = styled(NodeShapeOnHoverSvg)`
transform: translate(-50%, -51.5%);
@@ -32,59 +33,55 @@ export const PentagonNode: React.FC = memo((props: NodeProps) => {
props.data as EntityNodeViewModel;
const { euiTheme } = useEuiTheme();
return (
-
- {interactive && (
-
+
+ {interactive && (
+
+
+
+ )}
+
-
-
- )}
-
- }
+
+ {interactive && (
+ expandButtonClick?.(e, props)}
+ x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 2}px`}
+ y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2}px`}
+ />
+ )}
+
- {icon && }
-
- {interactive && (
- expandButtonClick?.(e, props)}
- x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 2}px`}
- y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize) / 2}px`}
+
- )}
-
-
+
{Boolean(label) ? label : id}
-
+ >
);
});
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/rectangle_node.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/rectangle_node.tsx
index 22d9fbf25a4eb..7a5fc14855bc9 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/rectangle_node.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/rectangle_node.tsx
@@ -9,7 +9,7 @@ import React, { memo } from 'react';
import { useEuiBackgroundColor, useEuiTheme } from '@elastic/eui';
import { Handle, Position } from '@xyflow/react';
import {
- NodeContainer,
+ NodeShapeContainer,
NodeLabel,
NodeShapeOnHoverSvg,
NodeShapeSvg,
@@ -18,6 +18,7 @@ import {
HandleStyleOverride,
} from './styles';
import type { EntityNodeViewModel, NodeProps } from '../types';
+import { RectangleHoverShape, RectangleShape } from './shapes/rectangle_shape';
const NODE_WIDTH = 81;
const NODE_HEIGHT = 80;
@@ -27,67 +28,55 @@ export const RectangleNode: React.FC = memo((props: NodeProps) => {
props.data as EntityNodeViewModel;
const { euiTheme } = useEuiTheme();
return (
-
- {interactive && (
-
+
+ {interactive && (
+
+
+
+ )}
+
-
-
- )}
-
- }
+
+ {interactive && (
+ expandButtonClick?.(e, props)}
+ x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 4}px`}
+ y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize / 2) / 2}px`}
+ />
+ )}
+
- {icon && }
-
- {interactive && (
- expandButtonClick?.(e, props)}
- x={`${NODE_WIDTH - NodeButton.ExpandButtonSize / 4}px`}
- y={`${(NODE_HEIGHT - NodeButton.ExpandButtonSize / 2) / 2}px`}
+
- )}
-
-
+
{Boolean(label) ? label : id}
-
+ >
);
});
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/diamond_shape.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/diamond_shape.tsx
new file mode 100644
index 0000000000000..126a5702cf5d0
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/diamond_shape.tsx
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo } from 'react';
+import type { HoverShapeProps, ShapeProps } from './types';
+
+export const DiamondHoverShape: React.FC = memo(({ stroke }) => (
+
+));
+
+export const DiamondShape: React.FC = memo(({ stroke, fill }) => (
+
+));
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/ellipse_shape.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/ellipse_shape.tsx
new file mode 100644
index 0000000000000..18fe56440c5f5
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/ellipse_shape.tsx
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo } from 'react';
+import type { HoverShapeProps, ShapeProps } from './types';
+
+export const EllipseHoverShape: React.FC = memo(({ stroke }) => (
+
+));
+
+export const EllipseShape: React.FC = memo(({ stroke, fill }) => (
+
+));
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/hexagon_shape.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/hexagon_shape.tsx
new file mode 100644
index 0000000000000..12aeebec88605
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/hexagon_shape.tsx
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo } from 'react';
+import type { HoverShapeProps, ShapeProps } from './types';
+
+export const HexagonHoverShape: React.FC = memo(({ stroke }) => (
+
+));
+
+export const HexagonShape: React.FC = memo(({ stroke, fill }) => (
+
+));
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/pentagon_shape.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/pentagon_shape.tsx
new file mode 100644
index 0000000000000..f4d07fc69db79
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/pentagon_shape.tsx
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo } from 'react';
+import type { HoverShapeProps, ShapeProps } from './types';
+
+export const PentagonHoverShape: React.FC = memo(({ stroke }) => (
+
+));
+
+export const PentagonShape: React.FC = memo(({ stroke, fill }) => (
+
+));
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/rectangle_shape.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/rectangle_shape.tsx
new file mode 100644
index 0000000000000..7d019ce331baf
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/rectangle_shape.tsx
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo } from 'react';
+import type { HoverShapeProps, ShapeProps } from './types';
+
+export const RectangleHoverShape: React.FC = memo(({ stroke }) => (
+
+));
+
+export const RectangleShape: React.FC = memo(({ stroke, fill }) => (
+
+));
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/types.ts b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/types.ts
new file mode 100644
index 0000000000000..0f6910258fed6
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/shapes/types.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export interface HoverShapeProps {
+ stroke: string;
+}
+
+export interface ShapeProps {
+ stroke: string;
+ fill: string;
+}
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/styles.tsx b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/styles.tsx
index f1bee0cf95e30..e76da737af0f9 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/styles.tsx
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/node/styles.tsx
@@ -23,6 +23,7 @@ export const LABEL_PADDING_X = 15;
export const LABEL_BORDER_WIDTH = 1;
export const NODE_WIDTH = 90;
export const NODE_HEIGHT = 90;
+const NODE_LABEL_WIDTH = 120;
export const LabelNodeContainer = styled.div`
text-wrap: nowrap;
@@ -79,9 +80,13 @@ export const LabelShapeOnHover = styled.div`
${LabelNodeContainer}:hover & {
opacity: 1; /* Show on hover */
}
+
+ .react-flow__node:focus:focus-visible & {
+ opacity: 1; /* Show on hover */
+ }
`;
-export const NodeContainer = styled.div`
+export const NodeShapeContainer = styled.div`
position: relative;
width: ${NODE_WIDTH}px;
height: ${NODE_HEIGHT}px;
@@ -99,7 +104,11 @@ export const NodeShapeOnHoverSvg = styled(NodeShapeSvg)`
opacity: 0; /* Hidden by default */
transition: opacity 0.2s ease; /* Smooth transition */
- ${NodeContainer}:hover & {
+ ${NodeShapeContainer}:hover & {
+ opacity: 1; /* Show on hover */
+ }
+
+ .react-flow__node:focus:focus-visible & {
opacity: 1; /* Show on hover */
}
`;
@@ -124,11 +133,8 @@ export const NodeIcon = ({ icon, color, x, y }: NodeIconProps) => {
};
export const NodeLabel = styled(EuiText)`
- position: absolute;
- top: 108%;
- left: 50%;
- transform: translateX(-50%);
- width: 130%;
+ width: ${NODE_LABEL_WIDTH}px;
+ margin-left: ${-(NODE_LABEL_WIDTH - NODE_WIDTH) / 2}px;
text-overflow: ellipsis;
// white-space: nowrap;
overflow: hidden;
@@ -167,9 +173,17 @@ export const StyledNodeButton = styled.div`
position: absolute;
z-index: 1;
- ${NodeContainer}:hover & {
+ ${NodeShapeContainer}:hover & {
opacity: 1; /* Show on hover */
}
+
+ &:has(button:focus) {
+ opacity: 1; /* Show when button is active */
+ }
+
+ .react-flow__node:focus:focus-visible & {
+ opacity: 1; /* Show on node focus */
+ }
`;
export interface NodeButtonProps {
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/types.ts b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/types.ts
index 262254c80afe3..27ec18f35f45b 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/src/components/types.ts
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/src/components/types.ts
@@ -10,29 +10,17 @@ import type {
GroupNodeDataModel,
LabelNodeDataModel,
EdgeDataModel,
+ NodeShape,
} from '@kbn/cloud-security-posture-common/types/graph/latest';
import type { Node, NodeProps as xyNodeProps } from '@xyflow/react';
import type { Edge, EdgeProps as xyEdgeProps } from '@xyflow/react';
-export interface PositionXY {
- x: number;
- y: number;
-}
-
export interface Size {
width: number;
height: number;
}
-export interface GraphMetadata {
- nodes: { [key: string]: { edgesIn: number; edgesOut: number } };
- edges: {
- [key: string]: { source: string; target: string; edgesStacked: number; edges: string[] };
- };
-}
-
interface BaseNodeDataViewModel {
- position: PositionXY;
interactive?: boolean;
}
@@ -46,9 +34,7 @@ export interface EntityNodeViewModel
export interface GroupNodeViewModel
extends Record,
GroupNodeDataModel,
- BaseNodeDataViewModel {
- size?: Size;
-}
+ BaseNodeDataViewModel {}
export interface LabelNodeViewModel
extends Record,
@@ -61,10 +47,13 @@ export type NodeViewModel = EntityNodeViewModel | GroupNodeViewModel | LabelNode
export type NodeProps = xyNodeProps>;
-export interface EdgeViewModel extends Record, EdgeDataModel {
- graphMetadata?: GraphMetadata;
- interactive?: boolean;
- onClick?: (e: React.MouseEvent, edge: EdgeProps) => void;
-}
+export interface EdgeViewModel extends Record, EdgeDataModel {}
-export type EdgeProps = xyEdgeProps>;
+export type EdgeProps = xyEdgeProps<
+ Edge<
+ EdgeViewModel & {
+ sourceShape: NodeShape;
+ targetShape: NodeShape;
+ }
+ >
+>;
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/main.ts b/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/main.ts
deleted file mode 100644
index 186e1a2a76bed..0000000000000
--- a/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/main.ts
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { defaultConfig } from '@kbn/storybook';
-import { Configuration } from 'webpack';
-
-module.exports = {
- ...defaultConfig,
- stories: ['../../**/*.stories.+(tsx|mdx)'],
- reactOptions: {
- strictMode: true,
- },
- webpack: (config: Configuration) => {
- config.module?.rules.push({
- test: /\.js$/,
- include: /node_modules[\\\/]@dagrejs/,
- use: {
- loader: 'babel-loader',
- options: {
- presets: ['@babel/preset-env'],
- plugins: ['@babel/plugin-proposal-class-properties'],
- },
- },
- });
- config.module?.rules.push({
- test: /node_modules[\/\\]@?xyflow[\/\\].*.js$/,
- loaders: 'babel-loader',
- options: {
- presets: [['@babel/preset-env', { modules: false }], '@babel/preset-react'],
- plugins: [
- '@babel/plugin-proposal-optional-chaining',
- '@babel/plugin-proposal-nullish-coalescing-operator',
- '@babel/plugin-transform-logical-assignment-operators',
- ],
- },
- });
-
- return config;
- },
-};
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/tsconfig.json b/x-pack/packages/kbn-cloud-security-posture/graph/tsconfig.json
index d97809a59772d..d0056e29e6784 100644
--- a/x-pack/packages/kbn-cloud-security-posture/graph/tsconfig.json
+++ b/x-pack/packages/kbn-cloud-security-posture/graph/tsconfig.json
@@ -13,6 +13,6 @@
"kbn_references": [
"@kbn/cloud-security-posture-common",
"@kbn/utility-types",
- "@kbn/storybook"
+ "@kbn/ui-theme",
]
}
diff --git a/x-pack/packages/kbn-cloud-security-posture/public/kibana.jsonc b/x-pack/packages/kbn-cloud-security-posture/public/kibana.jsonc
index 4c5a4f1f0165d..811a1ab5dad41 100644
--- a/x-pack/packages/kbn-cloud-security-posture/public/kibana.jsonc
+++ b/x-pack/packages/kbn-cloud-security-posture/public/kibana.jsonc
@@ -1,5 +1,5 @@
{
- "id": "@kbn/cloud-security-posture",
- "owner": "@elastic/kibana-cloud-security-posture",
- "type": "shared-browser"
-}
\ No newline at end of file
+ "id": "@kbn/cloud-security-posture",
+ "owner": "@elastic/kibana-cloud-security-posture",
+ "type": "shared-browser"
+}
diff --git a/x-pack/packages/kbn-cloud-security-posture/storybook/config/README.mdx b/x-pack/packages/kbn-cloud-security-posture/storybook/config/README.mdx
new file mode 100644
index 0000000000000..ab9ce5263ec69
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/storybook/config/README.mdx
@@ -0,0 +1,3 @@
+# @kbn/cloud-security-posture-storybook-config
+
+Storybook configuration used by `yarn storybook`. Refer to `@kbn/storybook` for more information.
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/constants.ts b/x-pack/packages/kbn-cloud-security-posture/storybook/config/constants.ts
similarity index 100%
rename from x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/constants.ts
rename to x-pack/packages/kbn-cloud-security-posture/storybook/config/constants.ts
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/index.ts b/x-pack/packages/kbn-cloud-security-posture/storybook/config/index.ts
similarity index 100%
rename from x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/index.ts
rename to x-pack/packages/kbn-cloud-security-posture/storybook/config/index.ts
diff --git a/x-pack/packages/kbn-cloud-security-posture/storybook/config/main.ts b/x-pack/packages/kbn-cloud-security-posture/storybook/config/main.ts
new file mode 100644
index 0000000000000..4e7fca030c2f6
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/storybook/config/main.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { defaultConfig } from '@kbn/storybook';
+
+module.exports = {
+ ...defaultConfig,
+ stories: ['../../**/*.stories.+(tsx|mdx)'],
+ reactOptions: {
+ strictMode: true,
+ },
+};
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/manager.ts b/x-pack/packages/kbn-cloud-security-posture/storybook/config/manager.ts
similarity index 100%
rename from x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/manager.ts
rename to x-pack/packages/kbn-cloud-security-posture/storybook/config/manager.ts
diff --git a/x-pack/packages/kbn-cloud-security-posture/storybook/config/package.json b/x-pack/packages/kbn-cloud-security-posture/storybook/config/package.json
new file mode 100644
index 0000000000000..4ba8c8fd3d57f
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/storybook/config/package.json
@@ -0,0 +1,6 @@
+{
+ "name": "@kbn/cloud-security-posture-storybook-config",
+ "private": true,
+ "version": "1.0.0",
+ "license": "Elastic License 2.0"
+}
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/preview.ts b/x-pack/packages/kbn-cloud-security-posture/storybook/config/preview.ts
similarity index 100%
rename from x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/preview.ts
rename to x-pack/packages/kbn-cloud-security-posture/storybook/config/preview.ts
diff --git a/x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/styles.css b/x-pack/packages/kbn-cloud-security-posture/storybook/config/styles.css
similarity index 100%
rename from x-pack/packages/kbn-cloud-security-posture/graph/storybook/config/styles.css
rename to x-pack/packages/kbn-cloud-security-posture/storybook/config/styles.css
diff --git a/x-pack/packages/kbn-cloud-security-posture/storybook/config/tsconfig.json b/x-pack/packages/kbn-cloud-security-posture/storybook/config/tsconfig.json
new file mode 100644
index 0000000000000..1f8b2275f5191
--- /dev/null
+++ b/x-pack/packages/kbn-cloud-security-posture/storybook/config/tsconfig.json
@@ -0,0 +1,20 @@
+{
+ "extends": "../../../../../tsconfig.base.json",
+ "compilerOptions": {
+ "outDir": "target/types",
+ "types": [
+ "jest",
+ "node",
+ "@kbn/ambient-storybook-types",
+ ]
+ },
+ "include": [
+ "**/*.ts"
+ ],
+ "kbn_references": [
+ "@kbn/storybook",
+ ],
+ "exclude": [
+ "target/**/*",
+ ]
+}
diff --git a/x-pack/packages/security-solution/common/src/flyout/common/components/expandable_panel.tsx b/x-pack/packages/security-solution/common/src/flyout/common/components/expandable_panel.tsx
index 4f1890e58554f..383bbbb341c8e 100644
--- a/x-pack/packages/security-solution/common/src/flyout/common/components/expandable_panel.tsx
+++ b/x-pack/packages/security-solution/common/src/flyout/common/components/expandable_panel.tsx
@@ -22,7 +22,7 @@ import {
EuiSkeletonText,
} from '@elastic/eui';
import { i18n } from '@kbn/i18n';
-import type { IconType } from '@elastic/eui';
+import type { EuiPanelProps, IconType } from '@elastic/eui';
import { css } from '@emotion/react';
export interface ExpandablePanelPanelProps {
@@ -59,6 +59,10 @@ export interface ExpandablePanelPanelProps {
* Returns a null component if true
*/
error?: boolean;
+ /**
+ * Content's padding size
+ */
+ paddingSize?: EuiPanelProps['paddingSize'];
};
expand?: {
/**
@@ -84,7 +88,11 @@ export interface ExpandablePanelPanelProps {
*/
export const ExpandablePanel: FC> = ({
header: { title, link, iconType, headerContent },
- content: { loading, error } = { loading: false, error: false },
+ content: { loading, error, paddingSize: contentPaddingSize } = {
+ loading: false,
+ error: false,
+ paddingSize: 'm',
+ },
expand: { expandable, expandedOnFirstRender } = {
expandable: false,
expandedOnFirstRender: false,
@@ -228,7 +236,9 @@ export const ExpandablePanel: FC> =
{showContent && (
- {content}
+
+ {content}
+
)}
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/graph/v1.ts b/x-pack/plugins/cloud_security_posture/server/routes/graph/v1.ts
index eb372a2bfea4f..5102d153c1905 100644
--- a/x-pack/plugins/cloud_security_posture/server/routes/graph/v1.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/graph/v1.ts
@@ -6,6 +6,7 @@
*/
import { castArray } from 'lodash';
+import { v4 as uuidv4 } from 'uuid';
import type { Logger, IScopedClusterClient } from '@kbn/core/server';
import type {
EdgeDataModel,
@@ -13,10 +14,9 @@ import type {
EntityNodeDataModel,
LabelNodeDataModel,
GroupNodeDataModel,
- NodeShape,
} from '@kbn/cloud-security-posture-common/types/graph/latest';
import type { EsqlToRecords } from '@elastic/elasticsearch/lib/helpers';
-import type { Writeable } from '@kbn/zod';
+import type { Writable } from '@kbn/utility-types';
import type { GraphContextServices, GraphContext } from './types';
interface GraphEdge {
@@ -31,6 +31,11 @@ interface GraphEdge {
isAlert: boolean;
}
+interface LabelEdges {
+ source: string;
+ target: string;
+}
+
export const getGraph = async (
services: GraphContextServices,
query: {
@@ -63,28 +68,29 @@ export const getGraph = async (
interface ParseContext {
nodesMap: Record;
- edgeLabelsNodes: Record;
edgesMap: Record;
+ edgeLabelsNodes: Record;
+ labelEdges: Record;
}
const parseRecords = (logger: Logger, records: GraphEdge[]): GraphContext => {
- const nodesMap: Record = {};
- const edgeLabelsNodes: Record = {};
- const edgesMap: Record = {};
+ const ctx: ParseContext = { nodesMap: {}, edgeLabelsNodes: {}, edgesMap: {}, labelEdges: {} };
logger.trace(`Parsing records [length: ${records.length}]`);
- createNodes(logger, records, { nodesMap, edgeLabelsNodes });
- createEdgesAndGroups(logger, { edgeLabelsNodes, edgesMap, nodesMap });
+ createNodes(logger, records, ctx);
+ createEdgesAndGroups(logger, ctx);
logger.trace(
- `Parsed [nodes: ${Object.keys(nodesMap).length}, edges: ${Object.keys(edgesMap).length}]`
+ `Parsed [nodes: ${Object.keys(ctx.nodesMap).length}, edges: ${
+ Object.keys(ctx.edgesMap).length
+ }]`
);
// Sort groups to be first (fixes minor layout issue)
- const nodes = sortNodes(nodesMap);
+ const nodes = sortNodes(ctx.nodesMap);
- return { nodes, edges: Object.values(edgesMap) };
+ return { nodes, edges: Object.values(ctx.edgesMap) };
};
const fetchGraph = async ({
@@ -168,12 +174,21 @@ const createNodes = (
records: GraphEdge[],
context: Omit
) => {
- const { nodesMap, edgeLabelsNodes } = context;
+ const { nodesMap, edgeLabelsNodes, labelEdges } = context;
for (const record of records) {
const { ips, hosts, users, actorIds, action, targetIds, isAlert, eventOutcome } = record;
const actorIdsArray = castArray(actorIds);
const targetIdsArray = castArray(targetIds);
+ const unknownTargets: string[] = [];
+
+ // Ensure all targets has an id (target can return null from the query)
+ targetIdsArray.forEach((id, idx) => {
+ if (!id) {
+ targetIdsArray[idx] = `unknown ${uuidv4()}`;
+ unknownTargets.push(targetIdsArray[idx]);
+ }
+ });
logger.trace(
`Parsing record [actorIds: ${actorIdsArray.join(
@@ -186,7 +201,7 @@ const createNodes = (
if (nodesMap[id] === undefined) {
nodesMap[id] = {
id,
- label: id,
+ label: unknownTargets.includes(id) ? 'Unknown' : undefined,
color: isAlert ? 'danger' : 'primary',
...determineEntityNodeShape(id, ips ?? [], hosts ?? [], users ?? []),
};
@@ -204,19 +219,18 @@ const createNodes = (
edgeLabelsNodes[edgeId] = [];
}
- const labelNode = {
+ const labelNode: LabelNodeDataModel = {
id: edgeId + `label(${action})outcome(${eventOutcome})`,
label: action,
- source: actorId,
- target: targetId,
color: isAlert ? 'danger' : eventOutcome === 'failed' ? 'warning' : 'primary',
shape: 'label',
- } as LabelNodeDataModel;
+ };
logger.trace(`Creating label node [${labelNode.id}]`);
nodesMap[labelNode.id] = labelNode;
edgeLabelsNodes[edgeId].push(labelNode.id);
+ labelEdges[labelNode.id] = { source: actorId, target: targetId };
}
}
}
@@ -265,7 +279,7 @@ const sortNodes = (nodesMap: Record) => {
};
const createEdgesAndGroups = (logger: Logger, context: ParseContext) => {
- const { edgeLabelsNodes, edgesMap, nodesMap } = context;
+ const { edgeLabelsNodes, edgesMap, nodesMap, labelEdges } = context;
Object.entries(edgeLabelsNodes).forEach(([edgeId, edgeLabelsIds]) => {
// When there's more than one edge label, create a group node
@@ -276,9 +290,9 @@ const createEdgesAndGroups = (logger: Logger, context: ParseContext) => {
logger,
edgesMap,
nodesMap,
- (nodesMap[edgeLabelId] as LabelNodeDataModel).source,
+ labelEdges[edgeLabelId].source,
edgeLabelId,
- (nodesMap[edgeLabelId] as LabelNodeDataModel).target
+ labelEdges[edgeLabelId].target
);
} else {
const groupNode: GroupNodeDataModel = {
@@ -291,13 +305,13 @@ const createEdgesAndGroups = (logger: Logger, context: ParseContext) => {
logger,
edgesMap,
nodesMap,
- (nodesMap[edgeLabelsIds[0]] as LabelNodeDataModel).source,
+ labelEdges[edgeLabelsIds[0]].source,
groupNode.id,
- (nodesMap[edgeLabelsIds[0]] as LabelNodeDataModel).target
+ labelEdges[edgeLabelsIds[0]].target
);
edgeLabelsIds.forEach((edgeLabelId) => {
- (nodesMap[edgeLabelId] as Writeable).parentId = groupNode.id;
+ (nodesMap[edgeLabelId] as Writable).parentId = groupNode.id;
connectEntitiesAndLabelNode(
logger,
edgesMap,
@@ -332,7 +346,7 @@ const connectNodes = (
nodesMap: Record,
sourceNodeId: string,
targetNodeId: string
-) => {
+): EdgeDataModel => {
const sourceNode = nodesMap[sourceNodeId];
const targetNode = nodesMap[targetNodeId];
const color =
@@ -345,9 +359,7 @@ const connectNodes = (
return {
id: `a(${sourceNodeId})-b(${targetNodeId})`,
source: sourceNodeId,
- sourceShape: nodesMap[sourceNodeId].shape as NodeShape,
target: targetNodeId,
- targetShape: nodesMap[targetNodeId].shape as NodeShape,
color,
- } as EdgeDataModel;
+ };
};
diff --git a/x-pack/plugins/cloud_security_posture/tsconfig.json b/x-pack/plugins/cloud_security_posture/tsconfig.json
index 456035c9112d1..f3883e0fc43c6 100755
--- a/x-pack/plugins/cloud_security_posture/tsconfig.json
+++ b/x-pack/plugins/cloud_security_posture/tsconfig.json
@@ -66,7 +66,6 @@
"@kbn/cloud-security-posture-common",
"@kbn/cloud-security-posture",
"@kbn/analytics",
- "@kbn/zod"
],
"exclude": ["target/**/*"]
}
diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 584b992a0f61d..68aaf7bf9cf04 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -280,6 +280,8 @@ export const PINNED_EVENT_URL = '/api/pinned_event' as const;
export const SOURCERER_API_URL = '/internal/security_solution/sourcerer' as const;
export const RISK_SCORE_INDEX_STATUS_API_URL = '/internal/risk_score/index_status' as const;
+export const EVENT_GRAPH_VISUALIZATION_API = '/internal/cloud_security_posture/graph' as const;
+
/**
* Default signals index key for kibana.dev.yml
*/
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index ffb9e9748d9c1..792b6352912b3 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -190,6 +190,11 @@ export const allowedExperimentalValues = Object.freeze({
*/
analyzerDatePickersAndSourcererDisabled: false,
+ /**
+ * Enables graph visualization in alerts flyout
+ */
+ graphVisualizationInFlyoutEnabled: false,
+
/**
* Enables an ability to customize Elastic prebuilt rules.
*
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview.test.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview.test.tsx
new file mode 100644
index 0000000000000..22ac27eaa4e00
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview.test.tsx
@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { render } from '@testing-library/react';
+import React from 'react';
+import { TestProviders } from '../../../../common/mock';
+import { mockContextValue } from '../../shared/mocks/mock_context';
+import { DocumentDetailsContext } from '../../shared/context';
+import { GraphPreview, type GraphPreviewProps } from './graph_preview';
+import { GRAPH_PREVIEW_TEST_ID, GRAPH_PREVIEW_LOADING_TEST_ID } from './test_ids';
+
+const mockGraph = () => ;
+
+jest.mock('@kbn/cloud-security-posture-graph', () => {
+ return { Graph: mockGraph };
+});
+
+const renderGraphPreview = (contextValue: DocumentDetailsContext, props: GraphPreviewProps) =>
+ render(
+
+
+
+
+
+ );
+
+const ERROR_MESSAGE = 'An error is preventing this alert from being visualized.';
+
+describe('', () => {
+ beforeEach(() => {
+ jest.clearAllMocks();
+ });
+
+ it('shows graph preview correctly when data is loaded', async () => {
+ const graphProps = {
+ isLoading: false,
+ isError: false,
+ data: { nodes: [], edges: [] },
+ };
+
+ const { findByTestId } = renderGraphPreview(mockContextValue, graphProps);
+
+ // Using findByTestId to wait for the component to be rendered because it is a lazy loaded component
+ expect(await findByTestId(GRAPH_PREVIEW_TEST_ID)).toBeInTheDocument();
+ });
+
+ it('shows loading when data is loading', () => {
+ const graphProps = {
+ isLoading: true,
+ isError: false,
+ };
+
+ const { getByTestId } = renderGraphPreview(mockContextValue, graphProps);
+
+ expect(getByTestId(GRAPH_PREVIEW_LOADING_TEST_ID)).toBeInTheDocument();
+ });
+
+ it('shows error message when there is an error', () => {
+ const graphProps = {
+ isLoading: false,
+ isError: true,
+ };
+
+ const { getByText } = renderGraphPreview(mockContextValue, graphProps);
+
+ expect(getByText(ERROR_MESSAGE)).toBeInTheDocument();
+ });
+});
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview.tsx
new file mode 100644
index 0000000000000..c3c6d65c7e986
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview.tsx
@@ -0,0 +1,102 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React, { memo, useMemo } from 'react';
+import { EuiSkeletonText } from '@elastic/eui';
+import { i18n } from '@kbn/i18n';
+import { css } from '@emotion/react';
+import { FormattedMessage } from '@kbn/i18n-react';
+import type {
+ NodeDataModel,
+ EdgeDataModel,
+} from '@kbn/cloud-security-posture-common/types/graph/latest';
+import { GRAPH_PREVIEW_TEST_ID, GRAPH_PREVIEW_LOADING_TEST_ID } from './test_ids';
+
+/**
+ * Props for the GraphPreview component.
+ */
+export interface GraphPreviewProps {
+ /**
+ * Indicates whether the graph is currently loading.
+ */
+ isLoading: boolean;
+
+ /**
+ * Indicates whether there was an error loading the graph.
+ */
+ isError: boolean;
+
+ /**
+ * Optional data for the graph, including nodes and edges.
+ */
+ data?: {
+ /**
+ * Array of node data models.
+ */
+ nodes: NodeDataModel[];
+
+ /**
+ * Array of edge data models.
+ */
+ edges: EdgeDataModel[];
+ };
+}
+
+const GraphLazy = React.lazy(() =>
+ import('@kbn/cloud-security-posture-graph').then((module) => ({ default: module.Graph }))
+);
+
+const LoadingComponent = () => (
+
+);
+
+/**
+ * Graph preview under Overview, Visualizations. It shows a graph without abilities to expand.
+ */
+export const GraphPreview: React.FC = memo(
+ ({ isLoading, isError, data }: GraphPreviewProps) => {
+ const memoizedNodes = useMemo(() => data?.nodes ?? [], [data?.nodes]);
+ const memoizedEdges = useMemo(() => data?.edges ?? [], [data?.edges]);
+
+ return isLoading ? (
+
+ ) : isError ? (
+
+ ) : (
+ }>
+
+
+ );
+ }
+);
+
+GraphPreview.displayName = 'GraphPreview';
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.test.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.test.tsx
new file mode 100644
index 0000000000000..6b30e2127a2f8
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.test.tsx
@@ -0,0 +1,110 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { render } from '@testing-library/react';
+import { TestProviders } from '../../../../common/mock';
+import React from 'react';
+import { DocumentDetailsContext } from '../../shared/context';
+import { mockContextValue } from '../../shared/mocks/mock_context';
+import { GraphPreviewContainer } from './graph_preview_container';
+import { GRAPH_PREVIEW_TEST_ID } from './test_ids';
+import { useGraphPreview } from '../hooks/use_graph_preview';
+import { useFetchGraphData } from '../hooks/use_fetch_graph_data';
+
+import {
+ EXPANDABLE_PANEL_CONTENT_TEST_ID,
+ EXPANDABLE_PANEL_HEADER_TITLE_ICON_TEST_ID,
+ EXPANDABLE_PANEL_HEADER_TITLE_LINK_TEST_ID,
+ EXPANDABLE_PANEL_HEADER_TITLE_TEXT_TEST_ID,
+ EXPANDABLE_PANEL_TOGGLE_ICON_TEST_ID,
+} from '@kbn/security-solution-common';
+
+jest.mock('../hooks/use_graph_preview');
+jest.mock('../hooks/use_fetch_graph_data', () => ({
+ useFetchGraphData: jest.fn(),
+}));
+const mockUseFetchGraphData = useFetchGraphData as jest.Mock;
+
+const mockUseUiSetting = jest.fn().mockReturnValue([false]);
+jest.mock('@kbn/kibana-react-plugin/public', () => {
+ const original = jest.requireActual('@kbn/kibana-react-plugin/public');
+ return {
+ ...original,
+ useUiSetting$: () => mockUseUiSetting(),
+ };
+});
+
+const mockGraph = () => ;
+
+jest.mock('@kbn/cloud-security-posture-graph', () => {
+ return { Graph: mockGraph };
+});
+
+const renderGraphPreview = (context = mockContextValue) =>
+ render(
+
+
+
+
+
+ );
+
+describe('', () => {
+ beforeEach(() => {
+ jest.clearAllMocks();
+ });
+
+ it('should render component and link in header', async () => {
+ mockUseFetchGraphData.mockReturnValue({
+ isLoading: false,
+ isError: false,
+ data: { nodes: [], edges: [] },
+ });
+
+ (useGraphPreview as jest.Mock).mockReturnValue({
+ isAuditLog: true,
+ });
+
+ const { getByTestId, queryByTestId, findByTestId } = renderGraphPreview();
+
+ // Using findByTestId to wait for the component to be rendered because it is a lazy loaded component
+ expect(await findByTestId(GRAPH_PREVIEW_TEST_ID)).toBeInTheDocument();
+ expect(
+ queryByTestId(EXPANDABLE_PANEL_HEADER_TITLE_LINK_TEST_ID(GRAPH_PREVIEW_TEST_ID))
+ ).not.toBeInTheDocument();
+ expect(
+ queryByTestId(EXPANDABLE_PANEL_TOGGLE_ICON_TEST_ID(GRAPH_PREVIEW_TEST_ID))
+ ).not.toBeInTheDocument();
+ expect(
+ getByTestId(EXPANDABLE_PANEL_HEADER_TITLE_ICON_TEST_ID(GRAPH_PREVIEW_TEST_ID))
+ ).toBeInTheDocument();
+ expect(
+ getByTestId(EXPANDABLE_PANEL_CONTENT_TEST_ID(GRAPH_PREVIEW_TEST_ID))
+ ).toBeInTheDocument();
+ expect(
+ getByTestId(EXPANDABLE_PANEL_HEADER_TITLE_TEXT_TEST_ID(GRAPH_PREVIEW_TEST_ID))
+ ).toBeInTheDocument();
+ });
+
+ it('should render error message and text in header', () => {
+ mockUseFetchGraphData.mockReturnValue({
+ isLoading: false,
+ isError: false,
+ data: undefined,
+ });
+
+ (useGraphPreview as jest.Mock).mockReturnValue({
+ isAuditLog: false,
+ });
+
+ const { getByTestId } = renderGraphPreview();
+
+ expect(
+ getByTestId(EXPANDABLE_PANEL_HEADER_TITLE_TEXT_TEST_ID(GRAPH_PREVIEW_TEST_ID))
+ ).toBeInTheDocument();
+ });
+});
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.tsx
new file mode 100644
index 0000000000000..1bc6a8dd7e547
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.tsx
@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { FormattedMessage } from '@kbn/i18n-react';
+import { ExpandablePanel } from '@kbn/security-solution-common';
+import { useDocumentDetailsContext } from '../../shared/context';
+import { GRAPH_PREVIEW_TEST_ID } from './test_ids';
+import { GraphPreview } from './graph_preview';
+import { useFetchGraphData } from '../hooks/use_fetch_graph_data';
+import { useGraphPreview } from '../hooks/use_graph_preview';
+
+const DEFAULT_FROM = 'now-60d/d';
+const DEFAULT_TO = 'now/d';
+
+/**
+ * Graph preview under Overview, Visualizations. It shows a graph representation of entities.
+ */
+export const GraphPreviewContainer: React.FC = () => {
+ const { dataAsNestedObject, getFieldsData } = useDocumentDetailsContext();
+
+ const { eventIds } = useGraphPreview({
+ getFieldsData,
+ ecsData: dataAsNestedObject,
+ });
+
+ // TODO: default start and end might not capture the original event
+ const graphFetchQuery = useFetchGraphData({
+ req: {
+ query: {
+ actorIds: [],
+ eventIds,
+ start: DEFAULT_FROM,
+ end: DEFAULT_TO,
+ },
+ },
+ });
+
+ return (
+
+ ),
+ iconType: 'indexMapping',
+ }}
+ data-test-subj={GRAPH_PREVIEW_TEST_ID}
+ content={
+ !graphFetchQuery.isLoading && !graphFetchQuery.isError
+ ? {
+ paddingSize: 'none',
+ }
+ : undefined
+ }
+ >
+
+
+ );
+};
+
+GraphPreviewContainer.displayName = 'GraphPreviewContainer';
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/test_ids.ts b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/test_ids.ts
index e0d8bc6db0f5c..e649c578bf487 100644
--- a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/test_ids.ts
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/test_ids.ts
@@ -178,6 +178,9 @@ export const SESSION_PREVIEW_TEST_ID = `${PREFIX}SessionPreview` as const;
export const SESSION_PREVIEW_RULE_DETAILS_LINK_TEST_ID =
`${SESSION_PREVIEW_TEST_ID}RuleDetailsLink` as const;
+export const GRAPH_PREVIEW_TEST_ID = `${PREFIX}GraphPreview` as const;
+export const GRAPH_PREVIEW_LOADING_TEST_ID = `${GRAPH_PREVIEW_TEST_ID}Loading` as const;
+
/* Response section */
const RESPONSE_TEST_ID = `${PREFIX}Response` as const;
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.test.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.test.tsx
index 9af61e21fb67d..3aeb7d30f8e48 100644
--- a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.test.tsx
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.test.tsx
@@ -11,6 +11,7 @@ import { render } from '@testing-library/react';
import {
ANALYZER_PREVIEW_TEST_ID,
SESSION_PREVIEW_TEST_ID,
+ GRAPH_PREVIEW_TEST_ID,
VISUALIZATIONS_SECTION_CONTENT_TEST_ID,
VISUALIZATIONS_SECTION_HEADER_TEST_ID,
} from './test_ids';
@@ -24,6 +25,9 @@ import { TestProvider } from '@kbn/expandable-flyout/src/test/provider';
import { useExpandSection } from '../hooks/use_expand_section';
import { useInvestigateInTimeline } from '../../../../detections/components/alerts_table/timeline_actions/use_investigate_in_timeline';
import { useIsInvestigateInResolverActionEnabled } from '../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver';
+import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
+import { useGraphPreview } from '../hooks/use_graph_preview';
+import { useFetchGraphData } from '../hooks/use_fetch_graph_data';
jest.mock('../hooks/use_expand_section');
jest.mock('../../shared/hooks/use_alert_prevalence_from_process_tree', () => ({
@@ -49,6 +53,11 @@ jest.mock(
jest.mock(
'../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver'
);
+jest.mock('../../../../common/hooks/use_experimental_features', () => ({
+ useIsExperimentalFeatureEnabled: jest.fn(),
+}));
+
+const useIsExperimentalFeatureEnabledMock = useIsExperimentalFeatureEnabled as jest.Mock;
const mockUseUiSetting = jest.fn().mockReturnValue([false]);
jest.mock('@kbn/kibana-react-plugin/public', () => {
@@ -58,6 +67,15 @@ jest.mock('@kbn/kibana-react-plugin/public', () => {
useUiSetting$: () => mockUseUiSetting(),
};
});
+jest.mock('../hooks/use_graph_preview');
+
+const mockUseGraphPreview = useGraphPreview as jest.Mock;
+
+jest.mock('../hooks/use_fetch_graph_data', () => ({
+ useFetchGraphData: jest.fn(),
+}));
+
+const mockUseFetchGraphData = useFetchGraphData as jest.Mock;
const panelContextValue = {
...mockContextValue,
@@ -84,6 +102,17 @@ describe('', () => {
alertIds: undefined,
statsNodes: undefined,
});
+ mockUseGraphPreview.mockReturnValue({
+ isAuditLog: true,
+ });
+ mockUseFetchGraphData.mockReturnValue({
+ isLoading: false,
+ isError: false,
+ data: {
+ nodes: [],
+ edges: [],
+ },
+ });
});
it('should render visualizations component', () => {
@@ -107,11 +136,22 @@ describe('', () => {
});
(useIsInvestigateInResolverActionEnabled as jest.Mock).mockReturnValue(true);
(useExpandSection as jest.Mock).mockReturnValue(true);
+ useIsExperimentalFeatureEnabledMock.mockReturnValue(false);
- const { getByTestId } = renderVisualizationsSection();
+ const { getByTestId, queryByTestId } = renderVisualizationsSection();
expect(getByTestId(VISUALIZATIONS_SECTION_CONTENT_TEST_ID)).toBeVisible();
expect(getByTestId(`${SESSION_PREVIEW_TEST_ID}LeftSection`)).toBeInTheDocument();
expect(getByTestId(`${ANALYZER_PREVIEW_TEST_ID}LeftSection`)).toBeInTheDocument();
+ expect(queryByTestId(`${GRAPH_PREVIEW_TEST_ID}LeftSection`)).not.toBeInTheDocument();
+ });
+
+ it('should render the graph preview component if the feature is enabled', () => {
+ (useExpandSection as jest.Mock).mockReturnValue(true);
+ useIsExperimentalFeatureEnabledMock.mockReturnValue(true);
+
+ const { getByTestId } = renderVisualizationsSection();
+
+ expect(getByTestId(`${GRAPH_PREVIEW_TEST_ID}LeftSection`)).toBeInTheDocument();
});
});
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.tsx
index afb828ebdb4e8..c328036eece43 100644
--- a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.tsx
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/visualizations_section.tsx
@@ -13,6 +13,10 @@ import { AnalyzerPreviewContainer } from './analyzer_preview_container';
import { SessionPreviewContainer } from './session_preview_container';
import { ExpandableSection } from './expandable_section';
import { VISUALIZATIONS_TEST_ID } from './test_ids';
+import { GraphPreviewContainer } from './graph_preview_container';
+import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
+import { useDocumentDetailsContext } from '../../shared/context';
+import { useGraphPreview } from '../hooks/use_graph_preview';
const KEY = 'visualizations';
@@ -21,6 +25,17 @@ const KEY = 'visualizations';
*/
export const VisualizationsSection = memo(() => {
const expanded = useExpandSection({ title: KEY, defaultValue: false });
+ const graphVisualizationInFlyoutEnabled = useIsExperimentalFeatureEnabled(
+ 'graphVisualizationInFlyoutEnabled'
+ );
+
+ const { dataAsNestedObject, getFieldsData } = useDocumentDetailsContext();
+
+ // Decide whether to show the graph preview or not
+ const { isAuditLog: isGraphPreviewEnabled } = useGraphPreview({
+ getFieldsData,
+ ecsData: dataAsNestedObject,
+ });
return (
{
+ {graphVisualizationInFlyoutEnabled && isGraphPreviewEnabled && (
+ <>
+
+
+ >
+ )}
);
});
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_fetch_graph_data.ts b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_fetch_graph_data.ts
new file mode 100644
index 0000000000000..2304cfb8d4fd2
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_fetch_graph_data.ts
@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useQuery } from '@tanstack/react-query';
+import type {
+ GraphRequest,
+ GraphResponse,
+} from '@kbn/cloud-security-posture-common/types/graph/latest';
+import { EVENT_GRAPH_VISUALIZATION_API } from '../../../../../common/constants';
+import { useHttp } from '../../../../common/lib/kibana';
+
+/**
+ * Interface for the input parameters of the useFetchGraphData hook.
+ */
+export interface UseFetchGraphDataParams {
+ /**
+ * The request object containing the query parameters for the graph data.
+ */
+ req: GraphRequest;
+ /**
+ * Optional configuration options for the query.
+ */
+ options?: {
+ /**
+ * If false, the query will not automatically run.
+ * Defaults to true.
+ */
+ enabled?: boolean;
+ };
+}
+
+/**
+ * Interface for the result of the useFetchGraphData hook.
+ */
+export interface UseFetchGraphDataResult {
+ /**
+ * Indicates if the query is currently loading.
+ */
+ isLoading: boolean;
+ /**
+ * Indicates if there was an error during the query.
+ */
+ isError: boolean;
+ /**
+ * The data returned from the query.
+ */
+ data?: GraphResponse;
+}
+
+/**
+ * Hook to fetch event's graph visualization data.
+ *
+ * @param params - The input parameters for the hook.
+ * @returns The result of the hook.
+ */
+export const useFetchGraphData = ({
+ req,
+ options,
+}: UseFetchGraphDataParams): UseFetchGraphDataResult => {
+ const { actorIds, eventIds, start, end } = req.query;
+ const http = useHttp();
+
+ const { isLoading, isError, data } = useQuery(
+ ['useFetchGraphData', actorIds, eventIds, start, end],
+ () => {
+ return http.post(EVENT_GRAPH_VISUALIZATION_API, {
+ version: '1',
+ body: JSON.stringify(req),
+ });
+ },
+ options
+ );
+
+ return {
+ isLoading,
+ isError,
+ data,
+ };
+};
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.test.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.test.tsx
new file mode 100644
index 0000000000000..ff6118ec9b743
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.test.tsx
@@ -0,0 +1,137 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { RenderHookResult } from '@testing-library/react-hooks';
+import { renderHook } from '@testing-library/react-hooks';
+import type { UseGraphPreviewParams, UseGraphPreviewResult } from './use_graph_preview';
+import { useGraphPreview } from './use_graph_preview';
+import type { GetFieldsData } from '../../shared/hooks/use_get_fields_data';
+import { mockFieldData } from '../../shared/mocks/mock_get_fields_data';
+
+describe('useGraphPreview', () => {
+ let hookResult: RenderHookResult;
+
+ it(`should return false when missing actor`, () => {
+ const getFieldsData: GetFieldsData = (field: string) => {
+ if (field === 'kibana.alert.original_event.id') {
+ return field;
+ }
+ return mockFieldData[field];
+ };
+
+ hookResult = renderHook((props: UseGraphPreviewParams) => useGraphPreview(props), {
+ initialProps: {
+ getFieldsData,
+ ecsData: {
+ _id: 'id',
+ event: {
+ action: ['action'],
+ },
+ },
+ },
+ });
+
+ expect(hookResult.result.current.isAuditLog).toEqual(false);
+ });
+
+ it(`should return false when missing event.action`, () => {
+ const getFieldsData: GetFieldsData = (field: string) => {
+ if (field === 'kibana.alert.original_event.id') {
+ return 'eventId';
+ } else if (field === 'actor.entity.id') {
+ return 'actorId';
+ }
+ return mockFieldData[field];
+ };
+
+ hookResult = renderHook((props: UseGraphPreviewParams) => useGraphPreview(props), {
+ initialProps: {
+ getFieldsData,
+ ecsData: {
+ _id: 'id',
+ },
+ },
+ });
+
+ expect(hookResult.result.current.isAuditLog).toEqual(false);
+ });
+
+ it(`should return false when missing original_event.id`, () => {
+ const getFieldsData: GetFieldsData = (field: string) => {
+ if (field === 'actor.entity.id') {
+ return 'actorId';
+ }
+ return mockFieldData[field];
+ };
+
+ hookResult = renderHook((props: UseGraphPreviewParams) => useGraphPreview(props), {
+ initialProps: {
+ getFieldsData,
+ ecsData: {
+ _id: 'id',
+ event: {
+ action: ['action'],
+ },
+ },
+ },
+ });
+
+ expect(hookResult.result.current.isAuditLog).toEqual(false);
+ });
+
+ it(`should return true when alert is has graph preview`, () => {
+ const getFieldsData: GetFieldsData = (field: string) => {
+ if (field === 'kibana.alert.original_event.id') {
+ return 'eventId';
+ } else if (field === 'actor.entity.id') {
+ return 'actorId';
+ }
+
+ return mockFieldData[field];
+ };
+
+ hookResult = renderHook((props: UseGraphPreviewParams) => useGraphPreview(props), {
+ initialProps: {
+ getFieldsData,
+ ecsData: {
+ _id: 'id',
+ event: {
+ action: ['action'],
+ },
+ },
+ },
+ });
+
+ expect(hookResult.result.current.isAuditLog).toEqual(true);
+ });
+
+ it(`should return true when alert is has graph preview with multiple values`, () => {
+ const getFieldsData: GetFieldsData = (field: string) => {
+ if (field === 'kibana.alert.original_event.id') {
+ return ['id1', 'id2'];
+ } else if (field === 'actor.entity.id') {
+ return ['actorId1', 'actorId2'];
+ }
+
+ return mockFieldData[field];
+ };
+
+ hookResult = renderHook((props: UseGraphPreviewParams) => useGraphPreview(props), {
+ initialProps: {
+ getFieldsData,
+ ecsData: {
+ _id: 'id',
+ event: {
+ action: ['action1', 'action2'],
+ },
+ },
+ },
+ });
+
+ expect(hookResult.result.current.isAuditLog).toEqual(true);
+ });
+});
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.ts b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.ts
new file mode 100644
index 0000000000000..d833c0aa86dbc
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.ts
@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
+import { get } from 'lodash/fp';
+import type { GetFieldsData } from '../../shared/hooks/use_get_fields_data';
+import { getFieldArray } from '../../shared/utils';
+
+export interface UseGraphPreviewParams {
+ /**
+ * Retrieves searchHit values for the provided field
+ */
+ getFieldsData: GetFieldsData;
+
+ /**
+ * An object with top level fields from the ECS object
+ */
+ ecsData: Ecs;
+}
+/**
+ * Interface for the result of the useGraphPreview hook
+ */
+export interface UseGraphPreviewResult {
+ /**
+ * Array of event IDs associated with the alert
+ */
+ eventIds: string[];
+
+ /**
+ * Array of actor entity IDs associated with the alert
+ */
+ actorIds: string[];
+
+ /**
+ * Action associated with the event
+ */
+ action: string | undefined;
+
+ /**
+ * Boolean indicating if the event is an audit log (contains event ids, actor ids and action)
+ */
+ isAuditLog: boolean;
+}
+
+/**
+ * Hook that returns the graph view configuration if the graph view is available for the alert
+ */
+export const useGraphPreview = ({
+ getFieldsData,
+ ecsData,
+}: UseGraphPreviewParams): UseGraphPreviewResult => {
+ const originalEventId = getFieldsData('kibana.alert.original_event.id');
+ const eventId = getFieldsData('event.id');
+ const eventIds = originalEventId ? getFieldArray(originalEventId) : getFieldArray(eventId);
+
+ const actorIds = getFieldArray(getFieldsData('actor.entity.id'));
+ const action = get(['event', 'action'], ecsData);
+ const isAuditLog = actorIds.length > 0 && action?.length > 0 && eventIds.length > 0;
+
+ return { eventIds, actorIds, action, isAuditLog };
+};
diff --git a/x-pack/plugins/security_solution/tsconfig.json b/x-pack/plugins/security_solution/tsconfig.json
index 2b11529ea4d72..15d082d32edda 100644
--- a/x-pack/plugins/security_solution/tsconfig.json
+++ b/x-pack/plugins/security_solution/tsconfig.json
@@ -220,6 +220,7 @@
"@kbn/cloud-security-posture",
"@kbn/security-solution-distribution-bar",
"@kbn/cloud-security-posture-common",
+ "@kbn/cloud-security-posture-graph",
"@kbn/presentation-publishing",
"@kbn/entityManager-plugin",
"@kbn/entities-schema",
diff --git a/x-pack/test/cloud_security_posture_functional/config.ts b/x-pack/test/cloud_security_posture_functional/config.ts
index 28283fe427949..7e80788ffccfe 100644
--- a/x-pack/test/cloud_security_posture_functional/config.ts
+++ b/x-pack/test/cloud_security_posture_functional/config.ts
@@ -38,6 +38,9 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
* 1. release a new package to EPR
* 2. merge the updated version number change to kibana
*/
+ `--xpack.securitySolution.enableExperimental=${JSON.stringify([
+ 'graphVisualizationInFlyoutEnabled',
+ ])}`,
`--xpack.fleet.packages.0.name=cloud_security_posture`,
`--xpack.fleet.packages.0.version=${CLOUD_SECURITY_PLUGIN_VERSION}`,
// `--xpack.fleet.registryUrl=https://localhost:8080`,
diff --git a/x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit/data.json b/x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit/data.json
new file mode 100644
index 0000000000000..5e3d4cdfdffd5
--- /dev/null
+++ b/x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit/data.json
@@ -0,0 +1,634 @@
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-gcp.audit-default",
+ "id": "1",
+ "index": ".ds-logs-gcp.audit-default-2024.10.07-000001",
+ "source": {
+ "@timestamp": "2024-09-01T12:34:56.789Z",
+ "actor": {
+ "entity": {
+ "id": "admin@example.com"
+ }
+ },
+ "client": {
+ "user": {
+ "email": "admin@example.com"
+ }
+ },
+ "cloud": {
+ "project": {
+ "id": "your-project-id"
+ },
+ "provider": "gcp"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "google.iam.admin.v1.CreateRole",
+ "agent_id_status": "missing",
+ "category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "id": "kabcd1234efgh5678",
+ "ingested": "2024-10-07T17:47:35Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "activity",
+ "type": [
+ "end",
+ "access",
+ "allowed"
+ ]
+ },
+ "gcp": {
+ "audit": {
+ "authorization_info": [
+ {
+ "granted": true,
+ "permission": "iam.roles.create",
+ "resource": "projects/your-project-id"
+ }
+ ],
+ "logentry_operation": {
+ "id": "operation-0987654321"
+ },
+ "request": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest",
+ "parent": "projects/your-project-id",
+ "role": {
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "title": "Custom Role"
+ },
+ "roleId": "customRole"
+ },
+ "resource_name": "projects/your-project-id/roles/customRole",
+ "response": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.Role",
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "stage": "GA",
+ "title": "Custom Role"
+ },
+ "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+ }
+ },
+ "log": {
+ "level": "NOTICE",
+ "logger": "projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.1"
+ ],
+ "user": [
+ "admin@example.com"
+ ]
+ },
+ "service": {
+ "name": "iam.googleapis.com"
+ },
+ "source": {
+ "ip": "10.0.0.1"
+ },
+ "tags": [
+ "_geoip_database_unavailable_GeoLite2-City.mmdb",
+ "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
+ ],
+ "target": {
+ "entity": {
+ "id": "projects/your-project-id/roles/customRole"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "google-cloud-sdk/324.0.0"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-gcp.audit-default",
+ "id": "2",
+ "index": ".ds-logs-gcp.audit-default-2024.10.07-000001",
+ "source": {
+ "@timestamp": "2024-09-01T12:34:56.789Z",
+ "actor": {
+ "entity": {
+ "id": "admin2@example.com"
+ }
+ },
+ "client": {
+ "user": {
+ "email": "admin2@example.com"
+ }
+ },
+ "cloud": {
+ "project": {
+ "id": "your-project-id"
+ },
+ "provider": "gcp"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "google.iam.admin.v1.CreateRole",
+ "agent_id_status": "missing",
+ "category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "id": "failed-event",
+ "ingested": "2024-10-07T17:47:35Z",
+ "kind": "event",
+ "outcome": "failed",
+ "provider": "activity",
+ "type": [
+ "end",
+ "access",
+ "allowed"
+ ]
+ },
+ "gcp": {
+ "audit": {
+ "authorization_info": [
+ {
+ "granted": true,
+ "permission": "iam.roles.create",
+ "resource": "projects/your-project-id"
+ }
+ ],
+ "logentry_operation": {
+ "id": "operation-0987654321"
+ },
+ "request": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest",
+ "parent": "projects/your-project-id",
+ "role": {
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "title": "Custom Role"
+ },
+ "roleId": "customRole"
+ },
+ "resource_name": "projects/your-project-id/roles/customRole",
+ "response": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.Role",
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "stage": "GA",
+ "title": "Custom Role"
+ },
+ "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+ }
+ },
+ "log": {
+ "level": "NOTICE",
+ "logger": "projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.1"
+ ],
+ "user": [
+ "admin2@example.com"
+ ]
+ },
+ "service": {
+ "name": "iam.googleapis.com"
+ },
+ "source": {
+ "ip": "10.0.0.1"
+ },
+ "tags": [
+ "_geoip_database_unavailable_GeoLite2-City.mmdb",
+ "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
+ ],
+ "target": {
+ "entity": {
+ "id": "projects/your-project-id/roles/customRole"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "google-cloud-sdk/324.0.0"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-gcp.audit-default",
+ "id": "3",
+ "index": ".ds-logs-gcp.audit-default-2024.10.07-000001",
+ "source": {
+ "@timestamp": "2024-09-01T12:34:56.789Z",
+ "actor": {
+ "entity": {
+ "id": "admin3@example.com"
+ }
+ },
+ "client": {
+ "user": {
+ "email": "admin3@example.com"
+ }
+ },
+ "cloud": {
+ "project": {
+ "id": "your-project-id"
+ },
+ "provider": "gcp"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "google.iam.admin.v1.CreateRole",
+ "agent_id_status": "missing",
+ "category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "id": "grouped-event1",
+ "ingested": "2024-10-07T17:47:35Z",
+ "kind": "event",
+ "outcome": "failed",
+ "provider": "activity",
+ "type": [
+ "end",
+ "access",
+ "allowed"
+ ]
+ },
+ "gcp": {
+ "audit": {
+ "authorization_info": [
+ {
+ "granted": true,
+ "permission": "iam.roles.create",
+ "resource": "projects/your-project-id"
+ }
+ ],
+ "logentry_operation": {
+ "id": "operation-0987654321"
+ },
+ "request": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest",
+ "parent": "projects/your-project-id",
+ "role": {
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "title": "Custom Role"
+ },
+ "roleId": "customRole"
+ },
+ "resource_name": "projects/your-project-id/roles/customRole",
+ "response": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.Role",
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "stage": "GA",
+ "title": "Custom Role"
+ },
+ "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+ }
+ },
+ "log": {
+ "level": "NOTICE",
+ "logger": "projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.1"
+ ],
+ "user": [
+ "admin3@example.com"
+ ]
+ },
+ "service": {
+ "name": "iam.googleapis.com"
+ },
+ "source": {
+ "ip": "10.0.0.1"
+ },
+ "tags": [
+ "_geoip_database_unavailable_GeoLite2-City.mmdb",
+ "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
+ ],
+ "target": {
+ "entity": {
+ "id": "projects/your-project-id/roles/customRole"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "google-cloud-sdk/324.0.0"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-gcp.audit-default",
+ "id": "4",
+ "index": ".ds-logs-gcp.audit-default-2024.10.07-000001",
+ "source": {
+ "@timestamp": "2024-09-01T12:34:56.789Z",
+ "actor": {
+ "entity": {
+ "id": "admin3@example.com"
+ }
+ },
+ "client": {
+ "user": {
+ "email": "admin3@example.com"
+ }
+ },
+ "cloud": {
+ "project": {
+ "id": "your-project-id"
+ },
+ "provider": "gcp"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "google.iam.admin.v1.CreateRole",
+ "agent_id_status": "missing",
+ "category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "id": "grouped-event2",
+ "ingested": "2024-10-07T17:47:35Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "activity",
+ "type": [
+ "end",
+ "access",
+ "allowed"
+ ]
+ },
+ "gcp": {
+ "audit": {
+ "authorization_info": [
+ {
+ "granted": true,
+ "permission": "iam.roles.create",
+ "resource": "projects/your-project-id"
+ }
+ ],
+ "logentry_operation": {
+ "id": "operation-0987654321"
+ },
+ "request": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest",
+ "parent": "projects/your-project-id",
+ "role": {
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "title": "Custom Role"
+ },
+ "roleId": "customRole"
+ },
+ "resource_name": "projects/your-project-id/roles/customRole",
+ "response": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.Role",
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "stage": "GA",
+ "title": "Custom Role"
+ },
+ "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+ }
+ },
+ "log": {
+ "level": "NOTICE",
+ "logger": "projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.1"
+ ],
+ "user": [
+ "admin3@example.com"
+ ]
+ },
+ "service": {
+ "name": "iam.googleapis.com"
+ },
+ "source": {
+ "ip": "10.0.0.1"
+ },
+ "tags": [
+ "_geoip_database_unavailable_GeoLite2-City.mmdb",
+ "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
+ ],
+ "target": {
+ "entity": {
+ "id": "projects/your-project-id/roles/customRole"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "google-cloud-sdk/324.0.0"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-gcp.audit-default",
+ "id": "5",
+ "index": ".ds-logs-gcp.audit-default-2024.10.07-000001",
+ "source": {
+ "@timestamp": "2024-09-01T12:34:56.789Z",
+ "actor": {
+ "entity": {
+ "id": "admin4@example.com"
+ }
+ },
+ "client": {
+ "user": {
+ "email": "admin4@example.com"
+ }
+ },
+ "cloud": {
+ "project": {
+ "id": "your-project-id"
+ },
+ "provider": "gcp"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "google.iam.admin.v1.CreateRole",
+ "agent_id_status": "missing",
+ "category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "id": "host-event",
+ "ingested": "2024-10-07T17:47:35Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "activity",
+ "type": [
+ "end",
+ "access",
+ "allowed"
+ ]
+ },
+ "gcp": {
+ "audit": {
+ "authorization_info": [
+ {
+ "granted": true,
+ "permission": "iam.roles.create",
+ "resource": "projects/your-project-id"
+ }
+ ],
+ "logentry_operation": {
+ "id": "operation-0987654321"
+ },
+ "request": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest",
+ "parent": "projects/your-project-id",
+ "role": {
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "title": "Custom Role"
+ },
+ "roleId": "customRole"
+ },
+ "resource_name": "projects/your-project-id/roles/customRole",
+ "response": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.Role",
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "stage": "GA",
+ "title": "Custom Role"
+ },
+ "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+ }
+ },
+ "host": {
+ "hostname": "host1.example.com",
+ "name": "host1.example.com",
+ "ip": "192.168.1.1",
+ "os": {
+ "name": "Linux",
+ "version": "5.4.0-42-generic"
+ }
+ },
+ "log": {
+ "level": "NOTICE",
+ "logger": "projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.1"
+ ],
+ "user": [
+ "admin4@example.com"
+ ]
+ },
+ "service": {
+ "name": "iam.googleapis.com"
+ },
+ "source": {
+ "ip": "10.0.0.1"
+ },
+ "tags": [
+ "_geoip_database_unavailable_GeoLite2-City.mmdb",
+ "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
+ ],
+ "target": {
+ "entity": {
+ "id": "projects/your-project-id/roles/customRole"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "google-cloud-sdk/324.0.0"
+ }
+ }
+ }
+}
+
diff --git a/x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit/mappings.json b/x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit/mappings.json
new file mode 100644
index 0000000000000..085fc6d11d475
--- /dev/null
+++ b/x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit/mappings.json
@@ -0,0 +1,628 @@
+{
+ "type": "data_stream",
+ "value": {
+ "data_stream": "logs-gcp.audit-default",
+ "template": {
+ "_meta": {
+ "managed": true,
+ "managed_by": "fleet",
+ "package": {
+ "name": "gcp"
+ }
+ },
+ "data_stream": {
+ "allow_custom_routing": false,
+ "hidden": false
+ },
+ "ignore_missing_component_templates": [
+ "logs-gcp.audit@custom"
+ ],
+ "index_patterns": [
+ "logs-gcp.audit-*"
+ ],
+ "name": "logs-gcp.audit",
+ "priority": 200,
+ "template": {
+ "mappings": {
+ "_meta": {
+ "managed": true,
+ "managed_by": "fleet",
+ "package": {
+ "name": "gcp"
+ }
+ },
+ "date_detection": false,
+ "dynamic_templates": [
+ {
+ "ecs_message_match_only_text": {
+ "mapping": {
+ "type": "match_only_text"
+ },
+ "path_match": [
+ "message",
+ "*.message"
+ ],
+ "unmatch_mapping_type": "object"
+ }
+ },
+ {
+ "ecs_non_indexed_keyword": {
+ "mapping": {
+ "doc_values": false,
+ "index": false,
+ "type": "keyword"
+ },
+ "path_match": [
+ "*event.original"
+ ]
+ }
+ },
+ {
+ "ecs_non_indexed_long": {
+ "mapping": {
+ "doc_values": false,
+ "index": false,
+ "type": "long"
+ },
+ "path_match": [
+ "*.x509.public_key_exponent"
+ ]
+ }
+ },
+ {
+ "ecs_ip": {
+ "mapping": {
+ "type": "ip"
+ },
+ "match_mapping_type": "string",
+ "path_match": [
+ "ip",
+ "*.ip",
+ "*_ip"
+ ]
+ }
+ },
+ {
+ "ecs_wildcard": {
+ "mapping": {
+ "type": "wildcard"
+ },
+ "path_match": [
+ "*.io.text",
+ "*.message_id",
+ "*registry.data.strings",
+ "*url.path"
+ ],
+ "unmatch_mapping_type": "object"
+ }
+ },
+ {
+ "ecs_path_match_wildcard_and_match_only_text": {
+ "mapping": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "path_match": [
+ "*.body.content",
+ "*url.full",
+ "*url.original"
+ ],
+ "unmatch_mapping_type": "object"
+ }
+ },
+ {
+ "ecs_match_wildcard_and_match_only_text": {
+ "mapping": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "match": [
+ "*command_line",
+ "*stack_trace"
+ ],
+ "unmatch_mapping_type": "object"
+ }
+ },
+ {
+ "ecs_path_match_keyword_and_match_only_text": {
+ "mapping": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "keyword"
+ },
+ "path_match": [
+ "*.title",
+ "*.executable",
+ "*.name",
+ "*.working_directory",
+ "*.full_name",
+ "*file.path",
+ "*file.target_path",
+ "*os.full",
+ "*email.subject",
+ "*vulnerability.description",
+ "*user_agent.original"
+ ],
+ "unmatch_mapping_type": "object"
+ }
+ },
+ {
+ "ecs_date": {
+ "mapping": {
+ "type": "date"
+ },
+ "path_match": [
+ "*.timestamp",
+ "*_timestamp",
+ "*.not_after",
+ "*.not_before",
+ "*.accessed",
+ "created",
+ "*.created",
+ "*.installed",
+ "*.creation_date",
+ "*.ctime",
+ "*.mtime",
+ "ingested",
+ "*.ingested",
+ "*.start",
+ "*.end",
+ "*.indicator.first_seen",
+ "*.indicator.last_seen",
+ "*.indicator.modified_at",
+ "*threat.enrichments.matched.occurred"
+ ],
+ "unmatch_mapping_type": "object"
+ }
+ },
+ {
+ "ecs_path_match_float": {
+ "mapping": {
+ "type": "float"
+ },
+ "path_match": [
+ "*.score.*",
+ "*_score*"
+ ],
+ "path_unmatch": "*.version",
+ "unmatch_mapping_type": "object"
+ }
+ },
+ {
+ "ecs_usage_double_scaled_float": {
+ "mapping": {
+ "scaling_factor": 1000,
+ "type": "scaled_float"
+ },
+ "match_mapping_type": [
+ "double",
+ "long",
+ "string"
+ ],
+ "path_match": "*.usage"
+ }
+ },
+ {
+ "ecs_geo_point": {
+ "mapping": {
+ "type": "geo_point"
+ },
+ "path_match": [
+ "*.geo.location"
+ ]
+ }
+ },
+ {
+ "ecs_flattened": {
+ "mapping": {
+ "type": "flattened"
+ },
+ "match_mapping_type": "object",
+ "path_match": [
+ "*structured_data",
+ "*exports",
+ "*imports"
+ ]
+ }
+ },
+ {
+ "all_strings_to_keywords": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "properties": {
+ "@timestamp": {
+ "ignore_malformed": false,
+ "type": "date"
+ },
+ "cloud": {
+ "properties": {
+ "image": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "data_stream": {
+ "properties": {
+ "dataset": {
+ "type": "constant_keyword"
+ },
+ "namespace": {
+ "type": "constant_keyword"
+ },
+ "type": {
+ "type": "constant_keyword"
+ }
+ }
+ },
+ "data_stream.dataset": {
+ "type": "constant_keyword"
+ },
+ "data_stream.namespace": {
+ "type": "constant_keyword"
+ },
+ "data_stream.type": {
+ "type": "constant_keyword",
+ "value": "logs"
+ },
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dataset": {
+ "type": "constant_keyword",
+ "value": "gcp.audit"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "ignore_malformed": false,
+ "type": "date"
+ },
+ "module": {
+ "type": "constant_keyword",
+ "value": "gcp"
+ }
+ }
+ },
+ "gcp": {
+ "properties": {
+ "audit": {
+ "properties": {
+ "authentication_info": {
+ "properties": {
+ "authority_selector": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "principal_email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "principal_subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service_account_delegation_info": {
+ "type": "flattened"
+ },
+ "service_account_key_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "third_party_principal": {
+ "type": "flattened"
+ }
+ }
+ },
+ "authorization_info": {
+ "properties": {
+ "granted": {
+ "type": "boolean"
+ },
+ "permission": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resource_attributes": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ },
+ "type": "nested"
+ },
+ "flattened": {
+ "type": "flattened"
+ },
+ "labels": {
+ "type": "flattened"
+ },
+ "logentry_operation": {
+ "properties": {
+ "first": {
+ "type": "boolean"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last": {
+ "type": "boolean"
+ },
+ "producer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "metadata": {
+ "type": "flattened"
+ },
+ "method_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "num_response_items": {
+ "type": "long"
+ },
+ "policy_violation_info": {
+ "properties": {
+ "payload": {
+ "type": "flattened"
+ },
+ "resource_tags": {
+ "type": "flattened"
+ },
+ "resource_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "violations": {
+ "properties": {
+ "checkedValue": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "constraint": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "errorMessage": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "policyType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ }
+ }
+ },
+ "request": {
+ "type": "flattened"
+ },
+ "request_metadata": {
+ "properties": {
+ "caller_ip": {
+ "type": "ip"
+ },
+ "caller_supplied_user_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "properties": {
+ "caller_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "resource_location": {
+ "properties": {
+ "current_locations": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "resource_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "response": {
+ "type": "flattened"
+ },
+ "service_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "details": {
+ "type": "flattened"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "destination": {
+ "properties": {
+ "instance": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpc": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subnetwork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpc_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "source": {
+ "properties": {
+ "instance": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpc": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subnetwork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpc_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "host": {
+ "properties": {
+ "containerized": {
+ "type": "boolean"
+ },
+ "os": {
+ "properties": {
+ "build": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "codename": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "input": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "log": {
+ "properties": {
+ "offset": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "settings": {
+ "index": {
+ "codec": "best_compression",
+ "final_pipeline": ".fleet_final_pipeline-1",
+ "mapping": {
+ "ignore_malformed": "true",
+ "total_fields": {
+ "ignore_dynamic_beyond_limit": "true",
+ "limit": "1000"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json.gz b/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json.gz
new file mode 100644
index 0000000000000..93b2c20b81c86
Binary files /dev/null and b/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json.gz differ
diff --git a/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/mappings.json b/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/mappings.json
new file mode 100644
index 0000000000000..d13b6edbd768f
--- /dev/null
+++ b/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/mappings.json
@@ -0,0 +1,8667 @@
+{
+ "type": "index",
+ "value": {
+ "aliases": {
+ ".alerts-security.alerts-default": {
+ "is_write_index": true
+ },
+ ".siem-signals-default": {
+ "is_write_index": false
+ }
+ },
+ "index": ".internal.alerts-security.alerts-default-000001",
+ "mappings": {
+ "_meta": {
+ "kibana": {
+ "version": "9.0.0"
+ },
+ "managed": true,
+ "namespace": "default"
+ },
+ "dynamic": "false",
+ "properties": {
+ "@timestamp": {
+ "ignore_malformed": false,
+ "type": "date"
+ },
+ "agent": {
+ "properties": {
+ "build": {
+ "properties": {
+ "original": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ephemeral_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "client": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "as": {
+ "properties": {
+ "number": {
+ "type": "long"
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "port": {
+ "type": "long"
+ }
+ }
+ },
+ "packets": {
+ "type": "long"
+ },
+ "port": {
+ "type": "long"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "cloud": {
+ "properties": {
+ "account": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "availability_zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "instance": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "machine": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "origin": {
+ "properties": {
+ "account": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "availability_zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "instance": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "machine": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "project": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "project": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "target": {
+ "properties": {
+ "account": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "availability_zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "instance": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "machine": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "project": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "container": {
+ "properties": {
+ "cpu": {
+ "properties": {
+ "usage": {
+ "scaling_factor": 1000,
+ "type": "scaled_float"
+ }
+ }
+ },
+ "disk": {
+ "properties": {
+ "read": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ },
+ "write": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "image": {
+ "properties": {
+ "hash": {
+ "properties": {
+ "all": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tag": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "labels": {
+ "type": "object"
+ },
+ "memory": {
+ "properties": {
+ "usage": {
+ "scaling_factor": 1000,
+ "type": "scaled_float"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "network": {
+ "properties": {
+ "egress": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ },
+ "ingress": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "runtime": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "security_context": {
+ "properties": {
+ "privileged": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ },
+ "destination": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "as": {
+ "properties": {
+ "number": {
+ "type": "long"
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "port": {
+ "type": "long"
+ }
+ }
+ },
+ "packets": {
+ "type": "long"
+ },
+ "port": {
+ "type": "long"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "device": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "manufacturer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "model": {
+ "properties": {
+ "identifier": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "dll": {
+ "properties": {
+ "code_signature": {
+ "properties": {
+ "digest_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exists": {
+ "type": "boolean"
+ },
+ "signing_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "team_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "trusted": {
+ "type": "boolean"
+ },
+ "valid": {
+ "type": "boolean"
+ }
+ }
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha384": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha512": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssdeep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlsh": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pe": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "imphash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pehash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ }
+ }
+ }
+ }
+ },
+ "dns": {
+ "properties": {
+ "answers": {
+ "properties": {
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ttl": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "header_flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "op_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "question": {
+ "properties": {
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "resolved_ip": {
+ "type": "ip"
+ },
+ "response_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ecs": {
+ "properties": {
+ "version": {
+ "type": "keyword"
+ }
+ }
+ },
+ "email": {
+ "properties": {
+ "attachments": {
+ "properties": {
+ "file": {
+ "properties": {
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha384": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha512": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssdeep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlsh": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "size": {
+ "type": "long"
+ }
+ }
+ }
+ },
+ "type": "nested"
+ },
+ "bcc": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "cc": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "content_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "delivery_timestamp": {
+ "type": "date"
+ },
+ "direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "from": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "local_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message_id": {
+ "type": "wildcard"
+ },
+ "origination_timestamp": {
+ "type": "date"
+ },
+ "reply_to": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "sender": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "subject": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "to": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "x_mailer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "error": {
+ "properties": {
+ "code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "type": "match_only_text"
+ },
+ "stack_trace": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "event": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "created": {
+ "type": "date"
+ },
+ "dataset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "type": "long"
+ },
+ "end": {
+ "type": "date"
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "type": "date"
+ },
+ "kind": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outcome": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_score": {
+ "type": "float"
+ },
+ "risk_score_norm": {
+ "type": "float"
+ },
+ "sequence": {
+ "type": "long"
+ },
+ "severity": {
+ "type": "long"
+ },
+ "start": {
+ "type": "date"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "faas": {
+ "properties": {
+ "coldstart": {
+ "type": "boolean"
+ },
+ "execution": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "file": {
+ "properties": {
+ "accessed": {
+ "type": "date"
+ },
+ "attributes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "code_signature": {
+ "properties": {
+ "digest_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exists": {
+ "type": "boolean"
+ },
+ "signing_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "team_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "trusted": {
+ "type": "boolean"
+ },
+ "valid": {
+ "type": "boolean"
+ }
+ }
+ },
+ "created": {
+ "type": "date"
+ },
+ "ctime": {
+ "type": "date"
+ },
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "directory": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "drive_letter": {
+ "ignore_above": 1,
+ "type": "keyword"
+ },
+ "elf": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "byte_order": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpu_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_date": {
+ "type": "date"
+ },
+ "exports": {
+ "type": "flattened"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "header": {
+ "properties": {
+ "abi_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entrypoint": {
+ "type": "long"
+ },
+ "object_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_abi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "chi2": {
+ "type": "long"
+ },
+ "entropy": {
+ "type": "long"
+ },
+ "flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_offset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_address": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "segments": {
+ "properties": {
+ "sections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ },
+ "shared_libraries": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "telfhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "gid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha384": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha512": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssdeep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlsh": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "inode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "macho": {
+ "properties": {
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "symhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mtime": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "owner": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pe": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "imphash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pehash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ }
+ }
+ },
+ "size": {
+ "type": "long"
+ },
+ "target_path": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "x509": {
+ "properties": {
+ "alternative_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "public_key_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_exponent": {
+ "type": "long"
+ },
+ "public_key_size": {
+ "type": "long"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "host": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "asset": {
+ "properties": {
+ "criticality": {
+ "type": "keyword"
+ }
+ }
+ },
+ "boot": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "cpu": {
+ "properties": {
+ "usage": {
+ "scaling_factor": 1000,
+ "type": "scaled_float"
+ }
+ }
+ },
+ "disk": {
+ "properties": {
+ "read": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ },
+ "write": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "network": {
+ "properties": {
+ "egress": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "packets": {
+ "type": "long"
+ }
+ }
+ },
+ "ingress": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "packets": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "os": {
+ "properties": {
+ "family": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kernel": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "pid_ns_ino": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uptime": {
+ "type": "long"
+ }
+ }
+ },
+ "http": {
+ "properties": {
+ "request": {
+ "properties": {
+ "body": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "content": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "response": {
+ "properties": {
+ "body": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "content": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status_code": {
+ "type": "long"
+ }
+ }
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "kibana": {
+ "properties": {
+ "alert": {
+ "properties": {
+ "action_group": {
+ "type": "keyword"
+ },
+ "ancestors": {
+ "properties": {
+ "depth": {
+ "type": "long"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "index": {
+ "type": "keyword"
+ },
+ "rule": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword"
+ }
+ }
+ },
+ "building_block_type": {
+ "type": "keyword"
+ },
+ "case_ids": {
+ "type": "keyword"
+ },
+ "consecutive_matches": {
+ "type": "long"
+ },
+ "depth": {
+ "type": "long"
+ },
+ "duration": {
+ "properties": {
+ "us": {
+ "type": "long"
+ }
+ }
+ },
+ "end": {
+ "type": "date"
+ },
+ "flapping": {
+ "type": "boolean"
+ },
+ "flapping_history": {
+ "type": "boolean"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "index": {
+ "type": "integer"
+ }
+ }
+ },
+ "host": {
+ "properties": {
+ "criticality_level": {
+ "type": "keyword"
+ }
+ }
+ },
+ "instance": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ }
+ }
+ },
+ "intended_timestamp": {
+ "type": "date"
+ },
+ "last_detected": {
+ "type": "date"
+ },
+ "maintenance_window_ids": {
+ "type": "keyword"
+ },
+ "new_terms": {
+ "type": "keyword"
+ },
+ "original_event": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "created": {
+ "type": "date"
+ },
+ "dataset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "end": {
+ "type": "date"
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "type": "date"
+ },
+ "kind": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outcome": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_score": {
+ "type": "float"
+ },
+ "risk_score_norm": {
+ "type": "float"
+ },
+ "sequence": {
+ "type": "long"
+ },
+ "severity": {
+ "type": "long"
+ },
+ "start": {
+ "type": "date"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "original_time": {
+ "type": "date"
+ },
+ "previous_action_group": {
+ "type": "keyword"
+ },
+ "reason": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "keyword"
+ },
+ "risk_score": {
+ "type": "float"
+ },
+ "rule": {
+ "properties": {
+ "author": {
+ "type": "keyword"
+ },
+ "building_block_type": {
+ "type": "keyword"
+ },
+ "category": {
+ "type": "keyword"
+ },
+ "consumer": {
+ "type": "keyword"
+ },
+ "created_at": {
+ "type": "date"
+ },
+ "created_by": {
+ "type": "keyword"
+ },
+ "description": {
+ "type": "keyword"
+ },
+ "enabled": {
+ "type": "keyword"
+ },
+ "exceptions_list": {
+ "type": "object"
+ },
+ "execution": {
+ "properties": {
+ "timestamp": {
+ "type": "date"
+ },
+ "uuid": {
+ "type": "keyword"
+ }
+ }
+ },
+ "false_positives": {
+ "type": "keyword"
+ },
+ "from": {
+ "type": "keyword"
+ },
+ "immutable": {
+ "type": "keyword"
+ },
+ "interval": {
+ "type": "keyword"
+ },
+ "license": {
+ "type": "keyword"
+ },
+ "max_signals": {
+ "type": "long"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "note": {
+ "type": "keyword"
+ },
+ "parameters": {
+ "ignore_above": 4096,
+ "type": "flattened"
+ },
+ "producer": {
+ "type": "keyword"
+ },
+ "references": {
+ "type": "keyword"
+ },
+ "revision": {
+ "type": "long"
+ },
+ "rule_id": {
+ "type": "keyword"
+ },
+ "rule_name_override": {
+ "type": "keyword"
+ },
+ "rule_type_id": {
+ "type": "keyword"
+ },
+ "tags": {
+ "type": "keyword"
+ },
+ "threat": {
+ "properties": {
+ "framework": {
+ "type": "keyword"
+ },
+ "tactic": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "reference": {
+ "type": "keyword"
+ }
+ }
+ },
+ "technique": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "reference": {
+ "type": "keyword"
+ },
+ "subtechnique": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "reference": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "timeline_id": {
+ "type": "keyword"
+ },
+ "timeline_title": {
+ "type": "keyword"
+ },
+ "timestamp_override": {
+ "type": "keyword"
+ },
+ "to": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword"
+ },
+ "updated_at": {
+ "type": "date"
+ },
+ "updated_by": {
+ "type": "keyword"
+ },
+ "uuid": {
+ "type": "keyword"
+ },
+ "version": {
+ "type": "keyword"
+ }
+ }
+ },
+ "severity": {
+ "type": "keyword"
+ },
+ "severity_improving": {
+ "type": "boolean"
+ },
+ "start": {
+ "type": "date"
+ },
+ "status": {
+ "type": "keyword"
+ },
+ "suppression": {
+ "properties": {
+ "docs_count": {
+ "type": "long"
+ },
+ "end": {
+ "type": "date"
+ },
+ "start": {
+ "type": "date"
+ },
+ "terms": {
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "system_status": {
+ "type": "keyword"
+ },
+ "threshold_result": {
+ "properties": {
+ "cardinality": {
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "long"
+ }
+ }
+ },
+ "count": {
+ "type": "long"
+ },
+ "from": {
+ "type": "date"
+ },
+ "terms": {
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "time_range": {
+ "format": "epoch_millis||strict_date_optional_time",
+ "type": "date_range"
+ },
+ "url": {
+ "ignore_above": 2048,
+ "index": false,
+ "type": "keyword"
+ },
+ "user": {
+ "properties": {
+ "criticality_level": {
+ "type": "keyword"
+ }
+ }
+ },
+ "uuid": {
+ "type": "keyword"
+ },
+ "workflow_assignee_ids": {
+ "type": "keyword"
+ },
+ "workflow_reason": {
+ "type": "keyword"
+ },
+ "workflow_status": {
+ "type": "keyword"
+ },
+ "workflow_status_updated_at": {
+ "type": "date"
+ },
+ "workflow_tags": {
+ "type": "keyword"
+ },
+ "workflow_user": {
+ "type": "keyword"
+ }
+ }
+ },
+ "space_ids": {
+ "type": "keyword"
+ },
+ "version": {
+ "type": "version"
+ }
+ }
+ },
+ "labels": {
+ "type": "object"
+ },
+ "log": {
+ "properties": {
+ "file": {
+ "properties": {
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "logger": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "origin": {
+ "properties": {
+ "file": {
+ "properties": {
+ "line": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "function": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "syslog": {
+ "properties": {
+ "appname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "facility": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "msgid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "priority": {
+ "type": "long"
+ },
+ "procid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "severity": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "structured_data": {
+ "type": "flattened"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "message": {
+ "type": "match_only_text"
+ },
+ "network": {
+ "properties": {
+ "application": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "community_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "forwarded_ip": {
+ "type": "ip"
+ },
+ "iana_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "inner": {
+ "properties": {
+ "vlan": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "packets": {
+ "type": "long"
+ },
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "transport": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vlan": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "observer": {
+ "properties": {
+ "egress": {
+ "properties": {
+ "interface": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vlan": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingress": {
+ "properties": {
+ "interface": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vlan": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "properties": {
+ "family": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kernel": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "orchestrator": {
+ "properties": {
+ "api_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cluster": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "namespace": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resource": {
+ "properties": {
+ "annotation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "organization": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "package": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "build_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "checksum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "install_scope": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "installed": {
+ "type": "date"
+ },
+ "license": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "process": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "args_count": {
+ "type": "long"
+ },
+ "code_signature": {
+ "properties": {
+ "digest_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exists": {
+ "type": "boolean"
+ },
+ "signing_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "team_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "trusted": {
+ "type": "boolean"
+ },
+ "valid": {
+ "type": "boolean"
+ }
+ }
+ },
+ "command_line": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "elf": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "byte_order": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpu_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_date": {
+ "type": "date"
+ },
+ "exports": {
+ "type": "flattened"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "header": {
+ "properties": {
+ "abi_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entrypoint": {
+ "type": "long"
+ },
+ "object_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_abi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "chi2": {
+ "type": "long"
+ },
+ "entropy": {
+ "type": "long"
+ },
+ "flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_offset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_address": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "segments": {
+ "properties": {
+ "sections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ },
+ "shared_libraries": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "telfhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "end": {
+ "type": "date"
+ },
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entry_leader": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "args_count": {
+ "type": "long"
+ },
+ "attested_groups": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "attested_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "command_line": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entry_meta": {
+ "properties": {
+ "source": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "executable": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "interactive": {
+ "type": "boolean"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent": {
+ "properties": {
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "session_leader": {
+ "properties": {
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "start": {
+ "type": "date"
+ },
+ "vpid": {
+ "type": "long"
+ }
+ }
+ },
+ "start": {
+ "type": "date"
+ },
+ "vpid": {
+ "type": "long"
+ }
+ }
+ },
+ "pid": {
+ "type": "long"
+ },
+ "real_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "real_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "same_as_process": {
+ "type": "boolean"
+ },
+ "saved_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saved_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "start": {
+ "type": "date"
+ },
+ "supplemental_groups": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "tty": {
+ "properties": {
+ "char_device": {
+ "properties": {
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpid": {
+ "type": "long"
+ },
+ "working_directory": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "env_vars": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "executable": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exit_code": {
+ "type": "long"
+ },
+ "group_leader": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "args_count": {
+ "type": "long"
+ },
+ "command_line": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "executable": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "interactive": {
+ "type": "boolean"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "real_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "real_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "same_as_process": {
+ "type": "boolean"
+ },
+ "saved_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saved_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "start": {
+ "type": "date"
+ },
+ "supplemental_groups": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "tty": {
+ "properties": {
+ "char_device": {
+ "properties": {
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpid": {
+ "type": "long"
+ },
+ "working_directory": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha384": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha512": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssdeep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlsh": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "interactive": {
+ "type": "boolean"
+ },
+ "io": {
+ "properties": {
+ "bytes_skipped": {
+ "properties": {
+ "length": {
+ "type": "long"
+ },
+ "offset": {
+ "type": "long"
+ }
+ }
+ },
+ "max_bytes_per_process_exceeded": {
+ "type": "boolean"
+ },
+ "text": {
+ "type": "wildcard"
+ },
+ "total_bytes_captured": {
+ "type": "long"
+ },
+ "total_bytes_skipped": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "macho": {
+ "properties": {
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "symhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "args_count": {
+ "type": "long"
+ },
+ "code_signature": {
+ "properties": {
+ "digest_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exists": {
+ "type": "boolean"
+ },
+ "signing_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "team_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "trusted": {
+ "type": "boolean"
+ },
+ "valid": {
+ "type": "boolean"
+ }
+ }
+ },
+ "command_line": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "elf": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "byte_order": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpu_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_date": {
+ "type": "date"
+ },
+ "exports": {
+ "type": "flattened"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "header": {
+ "properties": {
+ "abi_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entrypoint": {
+ "type": "long"
+ },
+ "object_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_abi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "chi2": {
+ "type": "long"
+ },
+ "entropy": {
+ "type": "long"
+ },
+ "flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_offset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_address": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "segments": {
+ "properties": {
+ "sections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ },
+ "shared_libraries": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "telfhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "end": {
+ "type": "date"
+ },
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "executable": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exit_code": {
+ "type": "long"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "group_leader": {
+ "properties": {
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "start": {
+ "type": "date"
+ },
+ "vpid": {
+ "type": "long"
+ }
+ }
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha384": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha512": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssdeep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlsh": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "interactive": {
+ "type": "boolean"
+ },
+ "macho": {
+ "properties": {
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "symhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pe": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "imphash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pehash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ }
+ }
+ },
+ "pgid": {
+ "type": "long"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "real_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "real_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saved_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saved_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "start": {
+ "type": "date"
+ },
+ "supplemental_groups": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "thread": {
+ "properties": {
+ "capabilities": {
+ "properties": {
+ "effective": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "permitted": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "id": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "title": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tty": {
+ "properties": {
+ "char_device": {
+ "properties": {
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "uptime": {
+ "type": "long"
+ },
+ "user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpid": {
+ "type": "long"
+ },
+ "working_directory": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "pe": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "imphash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pehash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ }
+ }
+ },
+ "pgid": {
+ "type": "long"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "previous": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "args_count": {
+ "type": "long"
+ },
+ "executable": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "real_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "real_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saved_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saved_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "session_leader": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "args_count": {
+ "type": "long"
+ },
+ "command_line": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "executable": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "interactive": {
+ "type": "boolean"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent": {
+ "properties": {
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "session_leader": {
+ "properties": {
+ "entity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "start": {
+ "type": "date"
+ },
+ "vpid": {
+ "type": "long"
+ }
+ }
+ },
+ "start": {
+ "type": "date"
+ },
+ "vpid": {
+ "type": "long"
+ }
+ }
+ },
+ "pid": {
+ "type": "long"
+ },
+ "real_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "real_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "same_as_process": {
+ "type": "boolean"
+ },
+ "saved_group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saved_user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "start": {
+ "type": "date"
+ },
+ "supplemental_groups": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "tty": {
+ "properties": {
+ "char_device": {
+ "properties": {
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpid": {
+ "type": "long"
+ },
+ "working_directory": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "start": {
+ "type": "date"
+ },
+ "supplemental_groups": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "thread": {
+ "properties": {
+ "capabilities": {
+ "properties": {
+ "effective": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "permitted": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "id": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "title": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tty": {
+ "properties": {
+ "char_device": {
+ "properties": {
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ }
+ }
+ },
+ "columns": {
+ "type": "long"
+ },
+ "rows": {
+ "type": "long"
+ }
+ }
+ },
+ "uptime": {
+ "type": "long"
+ },
+ "user": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpid": {
+ "type": "long"
+ },
+ "working_directory": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "registry": {
+ "properties": {
+ "data": {
+ "properties": {
+ "bytes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "strings": {
+ "type": "wildcard"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hive": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "related": {
+ "properties": {
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hosts": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "rule": {
+ "properties": {
+ "author": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "license": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ruleset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "server": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "as": {
+ "properties": {
+ "number": {
+ "type": "long"
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "port": {
+ "type": "long"
+ }
+ }
+ },
+ "packets": {
+ "type": "long"
+ },
+ "port": {
+ "type": "long"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "service": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "environment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ephemeral_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "node": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "origin": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "environment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ephemeral_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "node": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "environment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ephemeral_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "node": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "signal": {
+ "properties": {
+ "ancestors": {
+ "properties": {
+ "depth": {
+ "path": "kibana.alert.ancestors.depth",
+ "type": "alias"
+ },
+ "id": {
+ "path": "kibana.alert.ancestors.id",
+ "type": "alias"
+ },
+ "index": {
+ "path": "kibana.alert.ancestors.index",
+ "type": "alias"
+ },
+ "type": {
+ "path": "kibana.alert.ancestors.type",
+ "type": "alias"
+ }
+ }
+ },
+ "depth": {
+ "path": "kibana.alert.depth",
+ "type": "alias"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "path": "kibana.alert.group.id",
+ "type": "alias"
+ },
+ "index": {
+ "path": "kibana.alert.group.index",
+ "type": "alias"
+ }
+ }
+ },
+ "original_event": {
+ "properties": {
+ "action": {
+ "path": "kibana.alert.original_event.action",
+ "type": "alias"
+ },
+ "category": {
+ "path": "kibana.alert.original_event.category",
+ "type": "alias"
+ },
+ "code": {
+ "path": "kibana.alert.original_event.code",
+ "type": "alias"
+ },
+ "created": {
+ "path": "kibana.alert.original_event.created",
+ "type": "alias"
+ },
+ "dataset": {
+ "path": "kibana.alert.original_event.dataset",
+ "type": "alias"
+ },
+ "duration": {
+ "path": "kibana.alert.original_event.duration",
+ "type": "alias"
+ },
+ "end": {
+ "path": "kibana.alert.original_event.end",
+ "type": "alias"
+ },
+ "hash": {
+ "path": "kibana.alert.original_event.hash",
+ "type": "alias"
+ },
+ "id": {
+ "path": "kibana.alert.original_event.id",
+ "type": "alias"
+ },
+ "kind": {
+ "path": "kibana.alert.original_event.kind",
+ "type": "alias"
+ },
+ "module": {
+ "path": "kibana.alert.original_event.module",
+ "type": "alias"
+ },
+ "outcome": {
+ "path": "kibana.alert.original_event.outcome",
+ "type": "alias"
+ },
+ "provider": {
+ "path": "kibana.alert.original_event.provider",
+ "type": "alias"
+ },
+ "reason": {
+ "path": "kibana.alert.original_event.reason",
+ "type": "alias"
+ },
+ "risk_score": {
+ "path": "kibana.alert.original_event.risk_score",
+ "type": "alias"
+ },
+ "risk_score_norm": {
+ "path": "kibana.alert.original_event.risk_score_norm",
+ "type": "alias"
+ },
+ "sequence": {
+ "path": "kibana.alert.original_event.sequence",
+ "type": "alias"
+ },
+ "severity": {
+ "path": "kibana.alert.original_event.severity",
+ "type": "alias"
+ },
+ "start": {
+ "path": "kibana.alert.original_event.start",
+ "type": "alias"
+ },
+ "timezone": {
+ "path": "kibana.alert.original_event.timezone",
+ "type": "alias"
+ },
+ "type": {
+ "path": "kibana.alert.original_event.type",
+ "type": "alias"
+ }
+ }
+ },
+ "original_time": {
+ "path": "kibana.alert.original_time",
+ "type": "alias"
+ },
+ "reason": {
+ "path": "kibana.alert.reason",
+ "type": "alias"
+ },
+ "rule": {
+ "properties": {
+ "author": {
+ "path": "kibana.alert.rule.author",
+ "type": "alias"
+ },
+ "building_block_type": {
+ "path": "kibana.alert.building_block_type",
+ "type": "alias"
+ },
+ "created_at": {
+ "path": "kibana.alert.rule.created_at",
+ "type": "alias"
+ },
+ "created_by": {
+ "path": "kibana.alert.rule.created_by",
+ "type": "alias"
+ },
+ "description": {
+ "path": "kibana.alert.rule.description",
+ "type": "alias"
+ },
+ "enabled": {
+ "path": "kibana.alert.rule.enabled",
+ "type": "alias"
+ },
+ "false_positives": {
+ "path": "kibana.alert.rule.false_positives",
+ "type": "alias"
+ },
+ "from": {
+ "path": "kibana.alert.rule.from",
+ "type": "alias"
+ },
+ "id": {
+ "path": "kibana.alert.rule.uuid",
+ "type": "alias"
+ },
+ "immutable": {
+ "path": "kibana.alert.rule.immutable",
+ "type": "alias"
+ },
+ "interval": {
+ "path": "kibana.alert.rule.interval",
+ "type": "alias"
+ },
+ "license": {
+ "path": "kibana.alert.rule.license",
+ "type": "alias"
+ },
+ "max_signals": {
+ "path": "kibana.alert.rule.max_signals",
+ "type": "alias"
+ },
+ "name": {
+ "path": "kibana.alert.rule.name",
+ "type": "alias"
+ },
+ "note": {
+ "path": "kibana.alert.rule.note",
+ "type": "alias"
+ },
+ "references": {
+ "path": "kibana.alert.rule.references",
+ "type": "alias"
+ },
+ "risk_score": {
+ "path": "kibana.alert.risk_score",
+ "type": "alias"
+ },
+ "rule_id": {
+ "path": "kibana.alert.rule.rule_id",
+ "type": "alias"
+ },
+ "rule_name_override": {
+ "path": "kibana.alert.rule.rule_name_override",
+ "type": "alias"
+ },
+ "severity": {
+ "path": "kibana.alert.severity",
+ "type": "alias"
+ },
+ "tags": {
+ "path": "kibana.alert.rule.tags",
+ "type": "alias"
+ },
+ "threat": {
+ "properties": {
+ "framework": {
+ "path": "kibana.alert.rule.threat.framework",
+ "type": "alias"
+ },
+ "tactic": {
+ "properties": {
+ "id": {
+ "path": "kibana.alert.rule.threat.tactic.id",
+ "type": "alias"
+ },
+ "name": {
+ "path": "kibana.alert.rule.threat.tactic.name",
+ "type": "alias"
+ },
+ "reference": {
+ "path": "kibana.alert.rule.threat.tactic.reference",
+ "type": "alias"
+ }
+ }
+ },
+ "technique": {
+ "properties": {
+ "id": {
+ "path": "kibana.alert.rule.threat.technique.id",
+ "type": "alias"
+ },
+ "name": {
+ "path": "kibana.alert.rule.threat.technique.name",
+ "type": "alias"
+ },
+ "reference": {
+ "path": "kibana.alert.rule.threat.technique.reference",
+ "type": "alias"
+ },
+ "subtechnique": {
+ "properties": {
+ "id": {
+ "path": "kibana.alert.rule.threat.technique.subtechnique.id",
+ "type": "alias"
+ },
+ "name": {
+ "path": "kibana.alert.rule.threat.technique.subtechnique.name",
+ "type": "alias"
+ },
+ "reference": {
+ "path": "kibana.alert.rule.threat.technique.subtechnique.reference",
+ "type": "alias"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "timeline_id": {
+ "path": "kibana.alert.rule.timeline_id",
+ "type": "alias"
+ },
+ "timeline_title": {
+ "path": "kibana.alert.rule.timeline_title",
+ "type": "alias"
+ },
+ "timestamp_override": {
+ "path": "kibana.alert.rule.timestamp_override",
+ "type": "alias"
+ },
+ "to": {
+ "path": "kibana.alert.rule.to",
+ "type": "alias"
+ },
+ "type": {
+ "path": "kibana.alert.rule.type",
+ "type": "alias"
+ },
+ "updated_at": {
+ "path": "kibana.alert.rule.updated_at",
+ "type": "alias"
+ },
+ "updated_by": {
+ "path": "kibana.alert.rule.updated_by",
+ "type": "alias"
+ },
+ "version": {
+ "path": "kibana.alert.rule.version",
+ "type": "alias"
+ }
+ }
+ },
+ "status": {
+ "path": "kibana.alert.workflow_status",
+ "type": "alias"
+ },
+ "threshold_result": {
+ "properties": {
+ "cardinality": {
+ "properties": {
+ "field": {
+ "path": "kibana.alert.threshold_result.cardinality.field",
+ "type": "alias"
+ },
+ "value": {
+ "path": "kibana.alert.threshold_result.cardinality.value",
+ "type": "alias"
+ }
+ }
+ },
+ "count": {
+ "path": "kibana.alert.threshold_result.count",
+ "type": "alias"
+ },
+ "from": {
+ "path": "kibana.alert.threshold_result.from",
+ "type": "alias"
+ },
+ "terms": {
+ "properties": {
+ "field": {
+ "path": "kibana.alert.threshold_result.terms.field",
+ "type": "alias"
+ },
+ "value": {
+ "path": "kibana.alert.threshold_result.terms.value",
+ "type": "alias"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "source": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "as": {
+ "properties": {
+ "number": {
+ "type": "long"
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "port": {
+ "type": "long"
+ }
+ }
+ },
+ "packets": {
+ "type": "long"
+ },
+ "port": {
+ "type": "long"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "span": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "tags": {
+ "type": "keyword"
+ },
+ "threat": {
+ "properties": {
+ "enrichments": {
+ "properties": {
+ "indicator": {
+ "properties": {
+ "as": {
+ "properties": {
+ "number": {
+ "type": "long"
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "confidence": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "file": {
+ "properties": {
+ "accessed": {
+ "type": "date"
+ },
+ "attributes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "code_signature": {
+ "properties": {
+ "digest_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exists": {
+ "type": "boolean"
+ },
+ "signing_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "team_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "trusted": {
+ "type": "boolean"
+ },
+ "valid": {
+ "type": "boolean"
+ }
+ }
+ },
+ "created": {
+ "type": "date"
+ },
+ "ctime": {
+ "type": "date"
+ },
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "directory": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "drive_letter": {
+ "ignore_above": 1,
+ "type": "keyword"
+ },
+ "elf": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "byte_order": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpu_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_date": {
+ "type": "date"
+ },
+ "exports": {
+ "type": "flattened"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "header": {
+ "properties": {
+ "abi_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entrypoint": {
+ "type": "long"
+ },
+ "object_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_abi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "chi2": {
+ "type": "long"
+ },
+ "entropy": {
+ "type": "long"
+ },
+ "flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_offset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_address": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "segments": {
+ "properties": {
+ "sections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ },
+ "shared_libraries": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "telfhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "gid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha384": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha512": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssdeep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlsh": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "inode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mtime": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "owner": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pe": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "imphash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pehash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ }
+ }
+ },
+ "size": {
+ "type": "long"
+ },
+ "target_path": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "x509": {
+ "properties": {
+ "alternative_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "public_key_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_exponent": {
+ "type": "long"
+ },
+ "public_key_size": {
+ "type": "long"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "first_seen": {
+ "type": "date"
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "last_seen": {
+ "type": "date"
+ },
+ "marking": {
+ "properties": {
+ "tlp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlp_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "modified_at": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "type": "long"
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registry": {
+ "properties": {
+ "data": {
+ "properties": {
+ "bytes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "strings": {
+ "type": "wildcard"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hive": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "scanner_stats": {
+ "type": "long"
+ },
+ "sightings": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fragment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "original": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "password": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "type": "wildcard"
+ },
+ "port": {
+ "type": "long"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scheme": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "x509": {
+ "properties": {
+ "alternative_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "public_key_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_exponent": {
+ "type": "long"
+ },
+ "public_key_size": {
+ "type": "long"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "matched": {
+ "properties": {
+ "atomic": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "field": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "index": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "occurred": {
+ "type": "date"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ },
+ "type": "nested"
+ },
+ "feed": {
+ "properties": {
+ "dashboard_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "framework": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "indicator": {
+ "properties": {
+ "as": {
+ "properties": {
+ "number": {
+ "type": "long"
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "confidence": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "file": {
+ "properties": {
+ "accessed": {
+ "type": "date"
+ },
+ "attributes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "code_signature": {
+ "properties": {
+ "digest_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exists": {
+ "type": "boolean"
+ },
+ "signing_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "team_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "trusted": {
+ "type": "boolean"
+ },
+ "valid": {
+ "type": "boolean"
+ }
+ }
+ },
+ "created": {
+ "type": "date"
+ },
+ "ctime": {
+ "type": "date"
+ },
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "directory": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "drive_letter": {
+ "ignore_above": 1,
+ "type": "keyword"
+ },
+ "elf": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "byte_order": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpu_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_date": {
+ "type": "date"
+ },
+ "exports": {
+ "type": "flattened"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "header": {
+ "properties": {
+ "abi_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entrypoint": {
+ "type": "long"
+ },
+ "object_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_abi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "sections": {
+ "properties": {
+ "chi2": {
+ "type": "long"
+ },
+ "entropy": {
+ "type": "long"
+ },
+ "flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_offset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_address": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "segments": {
+ "properties": {
+ "sections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ },
+ "shared_libraries": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "telfhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "gid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha384": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha512": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssdeep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlsh": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "inode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mtime": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "owner": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pe": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "go_imports": {
+ "type": "flattened"
+ },
+ "go_imports_names_entropy": {
+ "type": "long"
+ },
+ "go_imports_names_var_entropy": {
+ "type": "long"
+ },
+ "go_stripped": {
+ "type": "boolean"
+ },
+ "imphash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "import_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "imports_names_entropy": {
+ "type": "long"
+ },
+ "imports_names_var_entropy": {
+ "type": "long"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pehash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sections": {
+ "properties": {
+ "entropy": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "var_entropy": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ }
+ }
+ },
+ "size": {
+ "type": "long"
+ },
+ "target_path": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "x509": {
+ "properties": {
+ "alternative_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "public_key_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_exponent": {
+ "type": "long"
+ },
+ "public_key_size": {
+ "type": "long"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "first_seen": {
+ "type": "date"
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "last_seen": {
+ "type": "date"
+ },
+ "marking": {
+ "properties": {
+ "tlp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlp_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "modified_at": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "type": "long"
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registry": {
+ "properties": {
+ "data": {
+ "properties": {
+ "bytes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "strings": {
+ "type": "wildcard"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hive": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "scanner_stats": {
+ "type": "long"
+ },
+ "sightings": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fragment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "original": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "password": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "type": "wildcard"
+ },
+ "port": {
+ "type": "long"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scheme": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "x509": {
+ "properties": {
+ "alternative_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "public_key_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_exponent": {
+ "type": "long"
+ },
+ "public_key_size": {
+ "type": "long"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "software": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platforms": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "tactic": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "technique": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subtechnique": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "tls": {
+ "properties": {
+ "cipher": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client": {
+ "properties": {
+ "certificate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "certificate_chain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "issuer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ja3": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "server_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "supported_ciphers": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "x509": {
+ "properties": {
+ "alternative_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "public_key_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_exponent": {
+ "type": "long"
+ },
+ "public_key_size": {
+ "type": "long"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "established": {
+ "type": "boolean"
+ },
+ "next_protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resumed": {
+ "type": "boolean"
+ },
+ "server": {
+ "properties": {
+ "certificate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "certificate_chain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "issuer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ja3s": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "x509": {
+ "properties": {
+ "alternative_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "not_after": {
+ "type": "date"
+ },
+ "not_before": {
+ "type": "date"
+ },
+ "public_key_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_curve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_exponent": {
+ "type": "long"
+ },
+ "public_key_size": {
+ "type": "long"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "properties": {
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "distinguished_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "locality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_or_province": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version_protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "trace": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "transaction": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "url": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fragment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "original": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "password": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "type": "wildcard"
+ },
+ "port": {
+ "type": "long"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scheme": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "asset": {
+ "properties": {
+ "criticality": {
+ "type": "keyword"
+ }
+ }
+ },
+ "changes": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "effective": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "user_agent": {
+ "properties": {
+ "device": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "properties": {
+ "family": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kernel": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vulnerability": {
+ "properties": {
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "classification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "enumeration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "report_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scanner": {
+ "properties": {
+ "vendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "score": {
+ "properties": {
+ "base": {
+ "type": "float"
+ },
+ "environmental": {
+ "type": "float"
+ },
+ "temporal": {
+ "type": "float"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "settings": {
+ "index": {
+ "auto_expand_replicas": "0-1",
+ "hidden": "true",
+ "lifecycle": {
+ "name": ".alerts-ilm-policy",
+ "rollover_alias": ".alerts-security.alerts-default"
+ },
+ "mapping": {
+ "ignore_malformed": "true",
+ "total_fields": {
+ "limit": "2500"
+ }
+ },
+ "number_of_replicas": "0",
+ "number_of_shards": "1"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/x-pack/test/cloud_security_posture_functional/page_objects/alerts_page.ts b/x-pack/test/cloud_security_posture_functional/page_objects/alerts_page.ts
new file mode 100644
index 0000000000000..f3a9f7b1448a8
--- /dev/null
+++ b/x-pack/test/cloud_security_posture_functional/page_objects/alerts_page.ts
@@ -0,0 +1,107 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { FtrService } from '../../functional/ftr_provider_context';
+
+const ALERT_TABLE_ROW_CSS_SELECTOR = '[data-test-subj="alertsTable"] .euiDataGridRow';
+const VISUALIZATIONS_SECTION_HEADER_TEST_ID = 'securitySolutionFlyoutVisualizationsHeader';
+const GRAPH_PREVIEW_TEST_ID = 'securitySolutionFlyoutGraphPreview';
+const GRAPH_PREVIEW_LOADING_TEST_ID = 'securitySolutionFlyoutGraphPreviewLoading';
+
+export class AlertsPageObject extends FtrService {
+ private readonly retry = this.ctx.getService('retry');
+ private readonly pageObjects = this.ctx.getPageObjects(['common', 'header']);
+ private readonly testSubjects = this.ctx.getService('testSubjects');
+ private readonly defaultTimeoutMs = this.ctx.getService('config').get('timeouts.waitFor');
+
+ async navigateToAlertsPage(urlQueryParams: string = ''): Promise {
+ await this.pageObjects.common.navigateToUrlWithBrowserHistory(
+ 'securitySolution',
+ '/alerts',
+ `${urlQueryParams && `?${urlQueryParams}`}`,
+ {
+ ensureCurrentUrl: false,
+ }
+ );
+ await this.pageObjects.header.waitUntilLoadingHasFinished();
+ }
+
+ getAbsoluteTimerangeFilter(from: string, to: string) {
+ return `timerange=(global:(linkTo:!(),timerange:(from:%27${from}%27,kind:absolute,to:%27${to}%27)))`;
+ }
+
+ getFlyoutFilter(alertId: string) {
+ return `flyout=(preview:!(),right:(id:document-details-right,params:(id:%27${alertId}%27,indexName:.internal.alerts-security.alerts-default-000001,scopeId:alerts-page)))`;
+ }
+
+ /**
+ * Clicks the refresh button on the Alerts page and waits for it to complete
+ */
+ async clickRefresh(): Promise {
+ await this.ensureOnAlertsPage();
+ await this.testSubjects.click('querySubmitButton');
+
+ // wait for refresh to complete
+ await this.retry.waitFor(
+ 'Alerts pages refresh button to be enabled',
+ async (): Promise => {
+ const refreshButton = await this.testSubjects.find('querySubmitButton');
+
+ return (await refreshButton.isDisplayed()) && (await refreshButton.isEnabled());
+ }
+ );
+ }
+
+ async ensureOnAlertsPage(): Promise {
+ await this.testSubjects.existOrFail('detectionsAlertsPage');
+ }
+
+ async waitForListToHaveAlerts(timeoutMs?: number): Promise {
+ const allEventRows = await this.testSubjects.findService.allByCssSelector(
+ ALERT_TABLE_ROW_CSS_SELECTOR
+ );
+
+ if (!Boolean(allEventRows.length)) {
+ await this.retry.waitForWithTimeout(
+ 'waiting for alerts to show up on alerts page',
+ timeoutMs ?? this.defaultTimeoutMs,
+ async (): Promise => {
+ await this.clickRefresh();
+
+ const allEventRowsInner = await this.testSubjects.findService.allByCssSelector(
+ ALERT_TABLE_ROW_CSS_SELECTOR
+ );
+
+ return Boolean(allEventRowsInner.length);
+ }
+ );
+ }
+ }
+
+ flyout = {
+ expandVisualizations: async (): Promise => {
+ await this.testSubjects.click(VISUALIZATIONS_SECTION_HEADER_TEST_ID);
+ },
+
+ assertGraphPreviewVisible: async () => {
+ return await this.testSubjects.existOrFail(GRAPH_PREVIEW_TEST_ID);
+ },
+
+ assertGraphNodesNumber: async (expected: number) => {
+ await this.flyout.waitGraphIsLoaded();
+ const graph = await this.testSubjects.find(GRAPH_PREVIEW_TEST_ID);
+ await graph.scrollIntoView();
+ const nodes = await graph.findAllByCssSelector('.react-flow__nodes .react-flow__node');
+ expect(nodes.length).to.be(expected);
+ },
+
+ waitGraphIsLoaded: async () => {
+ await this.testSubjects.missingOrFail(GRAPH_PREVIEW_LOADING_TEST_ID, { timeout: 10000 });
+ },
+ };
+}
diff --git a/x-pack/test/cloud_security_posture_functional/page_objects/index.ts b/x-pack/test/cloud_security_posture_functional/page_objects/index.ts
index 704f6310cdbb2..b7c20632e82f5 100644
--- a/x-pack/test/cloud_security_posture_functional/page_objects/index.ts
+++ b/x-pack/test/cloud_security_posture_functional/page_objects/index.ts
@@ -13,8 +13,10 @@ import { VulnerabilityDashboardPageProvider } from './vulnerability_dashboard_pa
import { BenchmarkPagePageProvider } from './benchmark_page';
import { CspSecurityCommonProvider } from './security_common';
import { RulePagePageProvider } from './rule_page';
+import { AlertsPageObject } from './alerts_page';
export const cloudSecurityPosturePageObjects = {
+ alerts: AlertsPageObject,
findings: FindingsPageProvider,
cloudPostureDashboard: CspDashboardPageProvider,
cisAddIntegration: AddCisIntegrationFormPageProvider,
diff --git a/x-pack/test/cloud_security_posture_functional/pages/alerts_flyout.ts b/x-pack/test/cloud_security_posture_functional/pages/alerts_flyout.ts
new file mode 100644
index 0000000000000..3095f6a663968
--- /dev/null
+++ b/x-pack/test/cloud_security_posture_functional/pages/alerts_flyout.ts
@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { waitForPluginInitialized } from '../../cloud_security_posture_api/utils';
+import type { FtrProviderContext } from '../ftr_provider_context';
+
+// eslint-disable-next-line import/no-default-export
+export default function ({ getPageObjects, getService }: FtrProviderContext) {
+ const retry = getService('retry');
+ const logger = getService('log');
+ const supertest = getService('supertest');
+ const esArchiver = getService('esArchiver');
+ const pageObjects = getPageObjects(['common', 'header', 'alerts']);
+ const alertsPage = pageObjects.alerts;
+
+ describe('Security Alerts Page - Graph visualization', function () {
+ this.tags(['cloud_security_posture_graph_viz']);
+
+ before(async () => {
+ await esArchiver.load(
+ 'x-pack/test/cloud_security_posture_functional/es_archives/security_alerts'
+ );
+ await esArchiver.load(
+ 'x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit'
+ );
+
+ await waitForPluginInitialized({ retry, supertest, logger });
+
+ // Setting the timerange to fit the data and open the flyout for a specific alert
+ await alertsPage.navigateToAlertsPage(
+ `${alertsPage.getAbsoluteTimerangeFilter(
+ '2024-10-13T00:00:00.000Z',
+ '2024-10-14T00:00:00.000Z'
+ )}&${alertsPage.getFlyoutFilter(
+ '589e086d7ceec7d4b353340578bd607e96fbac7eab9e2926f110990be15122f1'
+ )}`
+ );
+
+ await alertsPage.waitForListToHaveAlerts();
+
+ await alertsPage.flyout.expandVisualizations();
+ });
+
+ after(async () => {
+ await esArchiver.unload(
+ 'x-pack/test/cloud_security_posture_functional/es_archives/security_alerts'
+ );
+ await esArchiver.unload(
+ 'x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit'
+ );
+ });
+
+ it('should render graph visualization', async () => {
+ await alertsPage.flyout.assertGraphPreviewVisible();
+ await alertsPage.flyout.assertGraphNodesNumber(3);
+ });
+ });
+}
diff --git a/x-pack/test/cloud_security_posture_functional/pages/index.ts b/x-pack/test/cloud_security_posture_functional/pages/index.ts
index 1edf38dc41ec9..0114b6a8ce4dc 100644
--- a/x-pack/test/cloud_security_posture_functional/pages/index.ts
+++ b/x-pack/test/cloud_security_posture_functional/pages/index.ts
@@ -36,5 +36,6 @@ export default function ({ getPageObjects, loadTestFile }: FtrProviderContext) {
loadTestFile(require.resolve('./vulnerabilities'));
loadTestFile(require.resolve('./vulnerabilities_grouping'));
loadTestFile(require.resolve('./benchmark'));
+ loadTestFile(require.resolve('./alerts_flyout'));
});
}