From 1ad0848339b77ed18600a56c7525c53b2082c939 Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 6 Feb 2023 14:28:10 -0500 Subject: [PATCH 01/49] wip --- packages/kbn-rule-data-utils/index.ts | 3 +- .../src/default_alerts_as_data.ts | 32 ++- .../src/legacy_alerts_as_data.ts | 124 +++++++++++ .../src/technical_field_names.ts | 177 +++++----------- .../field_maps/alert_field_map.ts | 123 ++++++----- .../field_maps/legacy_alert_field_map.ts | 194 ++++++++++++++++++ x-pack/plugins/alerting/common/index.ts | 2 + .../alerts_service/alerts_service.test.ts | 23 +-- .../alerting/server/alerts_service/types.ts | 2 +- .../field_maps/technical_rule_field_map.ts | 86 +++----- .../tests/alerting/group4/alerts_as_data.ts | 8 +- 11 files changed, 517 insertions(+), 257 deletions(-) create mode 100644 packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts diff --git a/packages/kbn-rule-data-utils/index.ts b/packages/kbn-rule-data-utils/index.ts index 18c81aba6d81a9..1ba56fa6d9de6d 100644 --- a/packages/kbn-rule-data-utils/index.ts +++ b/packages/kbn-rule-data-utils/index.ts @@ -7,7 +7,8 @@ */ export * from './src/default_alerts_as_data'; -export * from './src/technical_field_names'; +export * from './src/legacy_alerts_as_data'; +export { type TechnicalRuleDataFieldName } from './src/technical_field_names'; export * from './src/alerts_as_data_rbac'; export * from './src/alerts_as_data_severity'; export * from './src/alerts_as_data_status'; diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts index 3a982124b58e60..34b04116b95224 100644 --- a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts +++ b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts 
@@ -8,6 +8,9 @@ import { ValuesType } from 'utility-types'; +const TIMESTAMP = '@timestamp' as const; + +// namespaces const KIBANA_NAMESPACE = 'kibana' as const; const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; @@ -21,6 +24,9 @@ const VERSION = `${KIBANA_NAMESPACE}.version` as const; // kibana.alert.action_group - framework action group ID for this alert const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const; +// kibana.alert.case_ids - array of cases associated with the alert +const ALERT_CASE_IDS = `${ALERT_NAMESPACE}.case_ids` as const; + // kibana.alert.duration.us - alert duration in nanoseconds - updated each execution // that the alert is active const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const; @@ -31,8 +37,11 @@ const ALERT_END = `${ALERT_NAMESPACE}.end` as const; // kibana.alert.flapping - whether the alert is currently in a flapping state const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const; -// kibana.alert.id - alert ID, also known as alert instance ID -const ALERT_ID = `${ALERT_NAMESPACE}.id` as const; +// kibana.alert.flapping_history - whether the alert is currently in a flapping state +const ALERT_FLAPPING_HISTORY = `${ALERT_NAMESPACE}.flapping_history` as const; + +// kibana.alert.instance.id - alert ID, also known as alert instance ID +const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const; // kibana.alert.last_detected - timestamp when the alert was last seen const ALERT_LAST_DETECTED = `${ALERT_NAMESPACE}.last_detected` as const; @@ -90,10 +99,12 @@ const namespaces = { const fields = { ALERT_ACTION_GROUP, + ALERT_CASE_IDS, ALERT_DURATION, ALERT_END, ALERT_FLAPPING, - ALERT_ID, + ALERT_FLAPPING_HISTORY, + ALERT_INSTANCE_ID, ALERT_LAST_DETECTED, ALERT_REASON, ALERT_RULE_CATEGORY, 
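Review bot: The comment added above `ALERT_FLAPPING_HISTORY` is a verbatim copy of the `ALERT_FLAPPING` comment ("whether the alert is currently in a flapping state") and so describes the wrong field; alert_field_map.ts in this same patch maps `kibana.alert.flapping_history` as `type: 'boolean', array: true`, so something like `// kibana.alert.flapping_history - array of boolean flapping states recorded for this alert across executions` (confirm what each entry records) would be accurate. While here, the unchanged `ALERT_DURATION` comment two blocks up says "nanoseconds" although the field name ends in `.us`; the unit looks inconsistent and is worth confirming. Removing `ALERT_ID` in favour of `ALERT_INSTANCE_ID` is a breaking change for any consumer importing `ALERT_ID` from this package; if such consumers exist, a deprecated alias `const ALERT_ID = ALERT_INSTANCE_ID;` kept in the export list would let them migrate separately.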
@@ -111,15 +122,24 @@ const fields = { ALERT_UUID, ALERT_WORKFLOW_STATUS, SPACE_IDS, + TIMESTAMP, VERSION, }; export { + // namespaces + ALERT_NAMESPACE, + ALERT_RULE_NAMESPACE, + KIBANA_NAMESPACE, + + // fields ALERT_ACTION_GROUP, + ALERT_CASE_IDS, ALERT_DURATION, ALERT_END, ALERT_FLAPPING, - ALERT_ID, + ALERT_FLAPPING_HISTORY, + ALERT_INSTANCE_ID, ALERT_LAST_DETECTED, ALERT_REASON, ALERT_RULE_CATEGORY, @@ -137,10 +157,8 @@ export { ALERT_UUID, ALERT_WORKFLOW_STATUS, SPACE_IDS, + TIMESTAMP, VERSION, - ALERT_NAMESPACE, - ALERT_RULE_NAMESPACE, - KIBANA_NAMESPACE, }; export type DefaultAlertFieldName = ValuesType; diff --git a/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts new file mode 100644 index 00000000000000..6e24fb9fac1732 --- /dev/null +++ b/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts 
@@ -0,0 +1,124 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from './default_alerts_as_data'; + +// namespaces +const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const; + +const ECS_VERSION = 'ecs.version' as const; +const EVENT_ACTION = 'event.action' as const; +const EVENT_KIND = 'event.kind' as const; +const EVENT_MODULE = 'event.module' as const; +const TAGS = 'tags' as const; + +// Fields pertaining to the alert +const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; +const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; +const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; + +const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; +const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; +const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; +const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; +const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; +const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const; +const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const; +const ALERT_SUPPRESSION_FIELD = `${ALERT_SUPPRESSION_TERMS}.field` as const; +const ALERT_SUPPRESSION_VALUE = `${ALERT_SUPPRESSION_TERMS}.value` as const; +const ALERT_SUPPRESSION_START = `${ALERT_SUPPRESSION_META}.start` as const; +const ALERT_SUPPRESSION_END = `${ALERT_SUPPRESSION_META}.end` as const; +const ALERT_SUPPRESSION_DOCS_COUNT = `${ALERT_SUPPRESSION_META}.docs_count` as const; + +// Fields pertaining to 
the rule associated with the alert +const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const; +const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const; +const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const; +const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const; +const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const; +const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; +const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const; +const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const; +const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const; +const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const; +const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const; +const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const; +const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const; +const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const; +const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const; +const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const; +const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const; +const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const; +const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const; + +// Fields pertaining to the threat tactic associated with the rule +const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const; +const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const; +const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const; +const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const; +const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const; +const 
ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const; +const ALERT_THREAT_TECHNIQUE_REFERENCE = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const; +const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const; +const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as const; +const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const; + +export { + ALERT_BUILDING_BLOCK_TYPE, + ALERT_EVALUATION_THRESHOLD, + ALERT_EVALUATION_VALUE, + ALERT_RISK_SCORE, + ALERT_RULE_AUTHOR, + ALERT_RULE_CREATED_AT, + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_FROM, + ALERT_RULE_INTERVAL, + ALERT_RULE_LICENSE, + ALERT_RULE_NAMESPACE_FIELD, + ALERT_RULE_NOTE, + ALERT_RULE_REFERENCES, + ALERT_RULE_RULE_ID, + ALERT_RULE_RULE_NAME_OVERRIDE, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_AT, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_SEVERITY, + ALERT_SUPPRESSION_DOCS_COUNT, + ALERT_SUPPRESSION_END, + ALERT_SUPPRESSION_FIELD, + ALERT_SUPPRESSION_START, + ALERT_SUPPRESSION_TERMS, + ALERT_SUPPRESSION_VALUE, + ALERT_SYSTEM_STATUS, + ALERT_THREAT_FRAMEWORK, + ALERT_THREAT_TACTIC_ID, + ALERT_THREAT_TACTIC_NAME, + ALERT_THREAT_TACTIC_REFERENCE, + ALERT_THREAT_TECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_REFERENCE, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, + ALERT_WORKFLOW_REASON, + ALERT_WORKFLOW_USER, + ECS_VERSION, + EVENT_ACTION, + EVENT_KIND, + EVENT_MODULE, + TAGS, +}; diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index 89eca0f9230464..10f6e290722336 100644 
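Review bot: The new module has no header comment saying what makes these field names "legacy" as opposed to the ones in default_alerts_as_data.ts, which is the first question a reader of the split will ask; a short block comment after the import, for example `// Alert-as-data field names kept for rule types that predate the framework-owned fields in default_alerts_as_data.ts; add new framework fields there, not here.` (adjusted to the actual intent), would document the boundary. The file also defines `ALERT_RULE_THREAT_NAMESPACE` but leaves it out of the `export {}` list, whereas default_alerts_as_data.ts now exports its namespaces; if the asymmetry is deliberate, the header comment should say so. Consider also whether a `LegacyAlertFieldName` type alias mirroring `DefaultAlertFieldName` is wanted, since nothing in this file currently lets a caller name the union of these constants.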
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -8,11 +8,15 @@ import { ValuesType } from 'utility-types'; import { + ALERT_NAMESPACE, + ALERT_RULE_NAMESPACE, KIBANA_NAMESPACE, ALERT_ACTION_GROUP, + ALERT_CASE_IDS, ALERT_DURATION, ALERT_END, ALERT_FLAPPING, + ALERT_INSTANCE_ID, ALERT_REASON, ALERT_RULE_CATEGORY, ALERT_RULE_CONSUMER, 
@@ -29,139 +33,42 @@ import { ALERT_UUID, ALERT_WORKFLOW_STATUS, SPACE_IDS, + TIMESTAMP, VERSION, - ALERT_NAMESPACE, - ALERT_RULE_NAMESPACE, } from './default_alerts_as_data'; -const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const; - -const ECS_VERSION = 'ecs.version' as const; -const EVENT_ACTION = 'event.action' as const; -const EVENT_KIND = 'event.kind' as const; -const EVENT_MODULE = 'event.module' as const; -const TAGS = 'tags' as const; -const TIMESTAMP = '@timestamp' as const; - -// Fields pertaining to the alert -const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; -const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; -const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; -const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const; -const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; -const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; -const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; -const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; -const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; -const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const; -const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const; -const ALERT_SUPPRESSION_FIELD = `${ALERT_SUPPRESSION_TERMS}.field` as const; -const ALERT_SUPPRESSION_VALUE = `${ALERT_SUPPRESSION_TERMS}.value` as const; -const ALERT_SUPPRESSION_START = `${ALERT_SUPPRESSION_META}.start` as const; -const ALERT_SUPPRESSION_END = `${ALERT_SUPPRESSION_META}.end` as const; -const ALERT_SUPPRESSION_DOCS_COUNT = `${ALERT_SUPPRESSION_META}.docs_count` as const; - -// Fields pertaining to the cases associated with the alert -const ALERT_CASE_IDS = `${ALERT_NAMESPACE}.case_ids` as const; - -// Fields pertaining to the rule associated with the alert -const ALERT_RULE_AUTHOR = 
`${ALERT_RULE_NAMESPACE}.author` as const; -const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const; -const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const; -const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const; -const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const; -const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; -const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const; -const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const; -const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const; -const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const; -const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const; -const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const; -const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const; -const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const; -const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const; -const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const; -const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const; -const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const; -const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const; - -// Fields pertaining to the threat tactic associated with the rule -const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const; -const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const; -const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const; -const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const; -const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const; -const ALERT_THREAT_TECHNIQUE_NAME = 
`${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const; -const ALERT_THREAT_TECHNIQUE_REFERENCE = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const; -const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const; -const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as const; -const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const; - -const namespaces = { - KIBANA_NAMESPACE, - ALERT_NAMESPACE, - ALERT_RULE_NAMESPACE, -}; - -const fields = { - ECS_VERSION, - EVENT_KIND, - EVENT_ACTION, - EVENT_MODULE, - TAGS, - TIMESTAMP, - ALERT_ACTION_GROUP, +import { ALERT_BUILDING_BLOCK_TYPE, - ALERT_DURATION, - ALERT_END, ALERT_EVALUATION_THRESHOLD, ALERT_EVALUATION_VALUE, - ALERT_FLAPPING, - ALERT_INSTANCE_ID, - ALERT_RULE_CONSUMER, - ALERT_RULE_PRODUCER, - ALERT_REASON, ALERT_RISK_SCORE, - ALERT_CASE_IDS, ALERT_RULE_AUTHOR, ALERT_RULE_CREATED_AT, ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, ALERT_RULE_EXCEPTIONS_LIST, - ALERT_RULE_EXECUTION_UUID, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, - ALERT_RULE_NAME, ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, - ALERT_RULE_PARAMETERS, ALERT_RULE_REFERENCES, ALERT_RULE_RULE_ID, ALERT_RULE_RULE_NAME_OVERRIDE, - ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, - ALERT_RULE_TYPE_ID, ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_START, - ALERT_TIME_RANGE, ALERT_SEVERITY, - ALERT_STATUS, + ALERT_SUPPRESSION_DOCS_COUNT, + ALERT_SUPPRESSION_END, + ALERT_SUPPRESSION_FIELD, + ALERT_SUPPRESSION_START, + ALERT_SUPPRESSION_TERMS, + ALERT_SUPPRESSION_VALUE, ALERT_SYSTEM_STATUS, - ALERT_UUID, - ALERT_WORKFLOW_REASON, - ALERT_WORKFLOW_STATUS, - ALERT_WORKFLOW_USER, - ALERT_RULE_UUID, - ALERT_RULE_CATEGORY, ALERT_THREAT_FRAMEWORK, ALERT_THREAT_TACTIC_ID, ALERT_THREAT_TACTIC_NAME, 
@@ -172,24 +79,40 @@ const fields = { ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, - ALERT_SUPPRESSION_TERMS, - ALERT_SUPPRESSION_FIELD, - ALERT_SUPPRESSION_VALUE, - ALERT_SUPPRESSION_START, - ALERT_SUPPRESSION_END, - ALERT_SUPPRESSION_DOCS_COUNT, - SPACE_IDS, - VERSION, + ALERT_WORKFLOW_REASON, + ALERT_WORKFLOW_USER, + ECS_VERSION, + EVENT_ACTION, + EVENT_KIND, + EVENT_MODULE, + TAGS, +} from './legacy_alerts_as_data'; + +const namespaces = { + KIBANA_NAMESPACE, + ALERT_NAMESPACE, + ALERT_RULE_NAMESPACE, }; -export { +const fields = { + ECS_VERSION, + EVENT_KIND, + EVENT_ACTION, + EVENT_MODULE, + TAGS, + TIMESTAMP, + ALERT_ACTION_GROUP, ALERT_BUILDING_BLOCK_TYPE, + ALERT_DURATION, + ALERT_END, ALERT_EVALUATION_THRESHOLD, ALERT_EVALUATION_VALUE, + ALERT_FLAPPING, ALERT_INSTANCE_ID, + ALERT_RULE_CONSUMER, + ALERT_RULE_PRODUCER, + ALERT_REASON, ALERT_RISK_SCORE, - ALERT_WORKFLOW_REASON, - ALERT_WORKFLOW_USER, ALERT_CASE_IDS, ALERT_RULE_AUTHOR, ALERT_RULE_CREATED_AT, @@ -197,25 +120,35 @@ export { ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_EXECUTION_UUID, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, + ALERT_RULE_NAME, ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, + ALERT_RULE_PARAMETERS, ALERT_RULE_REFERENCES, ALERT_RULE_RULE_ID, ALERT_RULE_RULE_NAME_OVERRIDE, + ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, + ALERT_RULE_TYPE_ID, ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, + ALERT_START, + ALERT_TIME_RANGE, ALERT_SEVERITY, + ALERT_STATUS, ALERT_SYSTEM_STATUS, - ECS_VERSION, - EVENT_ACTION, - EVENT_KIND, - EVENT_MODULE, + ALERT_UUID, + ALERT_WORKFLOW_REASON, + ALERT_WORKFLOW_STATUS, + ALERT_WORKFLOW_USER, + ALERT_RULE_UUID, + ALERT_RULE_CATEGORY, ALERT_THREAT_FRAMEWORK, ALERT_THREAT_TACTIC_ID, ALERT_THREAT_TACTIC_NAME, 
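Review bot: `const fields` in this hunk is now a hand-maintained union of the two import lists above it, and nothing checks that the two stay in step — a constant that is imported but left out of `fields` silently drops out of `TechnicalRuleDataFieldName` (neither `ALERT_FLAPPING_HISTORY` nor `ALERT_LAST_DETECTED` appears in the visible `fields` entries; if that is intentional, a comment should say so). A comment above the object such as `// Every name imported above must also appear here: TechnicalRuleDataFieldName is derived from this object.` would make the contract explicit. `namespaces` is re-declared in the same hunk but, as far as the hunk shows, is neither exported nor referenced, so after the move it is likely to trip the unused-variable lint.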
@@ -232,8 +165,8 @@ export { ALERT_SUPPRESSION_START, ALERT_SUPPRESSION_END, ALERT_SUPPRESSION_DOCS_COUNT, - TAGS, - TIMESTAMP, + SPACE_IDS, + VERSION, }; export type TechnicalRuleDataFieldName = ValuesType; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index 4613415e0fa002..f73f0adb649364 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -7,10 +7,13 @@ import { ALERT_ACTION_GROUP, + ALERT_CASE_IDS, ALERT_DURATION, ALERT_END, ALERT_FLAPPING, - ALERT_ID, + ALERT_FLAPPING_HISTORY, + ALERT_INSTANCE_ID, + ALERT_LAST_DETECTED, ALERT_REASON, ALERT_RULE_CATEGORY, ALERT_RULE_CONSUMER, 
@@ -27,92 +30,93 @@ import { ALERT_UUID, ALERT_WORKFLOW_STATUS, SPACE_IDS, + TIMESTAMP, VERSION, } from '@kbn/rule-data-utils'; +import { FieldMap } from './types'; -export const alertFieldMap = { - [ALERT_RULE_PARAMETERS]: { - type: 'object', - enabled: false, +export const alertFieldMap: FieldMap = { + [ALERT_ACTION_GROUP]: { + type: 'keyword', + array: false, required: false, }, - [ALERT_RULE_TYPE_ID]: { + [ALERT_CASE_IDS]: { type: 'keyword', + array: true, + required: false, + }, + [ALERT_DURATION]: { + type: 'long', array: false, - required: true, + required: false, }, - [ALERT_RULE_CONSUMER]: { - type: 'keyword', + [ALERT_END]: { + type: 'date', array: false, - required: true, + required: false, }, - [ALERT_RULE_PRODUCER]: { - type: 'keyword', + [ALERT_FLAPPING]: { + type: 'boolean', array: false, - required: true, + required: false, }, - [SPACE_IDS]: { - type: 'keyword', + [ALERT_FLAPPING_HISTORY]: { + type: 'boolean', array: true, - required: true, - }, - [ALERT_UUID]: { - type: 'keyword', - array: false, - required: true, + required: false, }, - [ALERT_ID]: { + [ALERT_INSTANCE_ID]: { type: 'keyword', array: false, required: true, }, - [ALERT_START]: { + [ALERT_LAST_DETECTED]: { type: 'date', - array: false, required: false, - }, - [ALERT_TIME_RANGE]: { - type: 'date_range', - format: 'epoch_millis||strict_date_optional_time', array: false, - required: false, }, - [ALERT_END]: { - type: 'date', + [ALERT_REASON]: { + type: 'keyword', array: false, required: false, }, - [ALERT_DURATION]: { - type: 'long', + [ALERT_RULE_CATEGORY]: { + type: 'keyword', array: false, - required: false, + required: true, }, - [ALERT_STATUS]: { + [ALERT_RULE_CONSUMER]: { type: 'keyword', array: false, required: true, }, - [VERSION]: { - type: 'version', + [ALERT_RULE_EXECUTION_UUID]: { + type: 'keyword', array: false, required: false, }, - [ALERT_WORKFLOW_STATUS]: { + [ALERT_RULE_NAME]: { type: 'keyword', array: false, + required: true, + }, + [ALERT_RULE_PARAMETERS]: { + type: 
'object', + enabled: false, required: false, }, - [ALERT_ACTION_GROUP]: { + [ALERT_RULE_PRODUCER]: { type: 'keyword', array: false, - required: false, + required: true, }, - [ALERT_REASON]: { + [ALERT_RULE_TAGS]: { type: 'keyword', - array: false, + array: true, required: false, }, - [ALERT_RULE_CATEGORY]: { + [ALERT_RULE_TYPE_ID]: { type: 'keyword', array: false, required: true, @@ -122,23 +126,44 @@ export const alertFieldMap = { array: false, required: true, }, - [ALERT_RULE_EXECUTION_UUID]: { + [ALERT_START]: { + type: 'date', + array: false, + required: false, + }, + [ALERT_STATUS]: { type: 'keyword', array: false, + required: true, + }, + [ALERT_TIME_RANGE]: { + type: 'date_range', + format: 'epoch_millis||strict_date_optional_time', + array: false, required: false, }, - [ALERT_RULE_NAME]: { + [ALERT_UUID]: { type: 'keyword', array: false, required: true, }, - [ALERT_RULE_TAGS]: { + [ALERT_WORKFLOW_STATUS]: { type: 'keyword', - array: true, + array: false, required: false, }, - [ALERT_FLAPPING]: { - type: 'boolean', + [SPACE_IDS]: { + type: 'keyword', + array: true, + required: true, + }, + [TIMESTAMP]: { + type: 'date', + required: true, + array: false, + }, + [VERSION]: { + type: 'version', array: false, required: false, }, diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts new file mode 100644 index 00000000000000..cf6a61268d7f6e --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts 
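Review bot: The `ALERT_LAST_DETECTED` entry in this hunk and the `TIMESTAMP` entry in the following hunk (`@@ -122,23 +126,44 @@`) list `required` before `array`, whereas every other entry in the map puts `array` before `required`; reordering those two to `type: 'date', array: false, required: …` keeps the literal uniform and diff-friendly. `ALERT_RULE_PARAMETERS` is the only entry without an `array` key — fine if `FieldMap` makes it optional, but a why-comment next to `enabled: false`, e.g. `// not indexed: rule parameters are kept in _source only`, would tell readers that rule parameters are deliberately unsearchable here, given that the rule_registry map this patch also touches indexes the same field as `flattened`.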
@@ -0,0 +1,194 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + ALERT_BUILDING_BLOCK_TYPE, + ALERT_EVALUATION_THRESHOLD, + ALERT_EVALUATION_VALUE, + ALERT_RISK_SCORE, + ALERT_RULE_AUTHOR, + ALERT_RULE_CREATED_AT, + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_FROM, + ALERT_RULE_INTERVAL, + ALERT_RULE_LICENSE, + ALERT_RULE_NAMESPACE_FIELD, + ALERT_RULE_NOTE, + ALERT_RULE_REFERENCES, + ALERT_RULE_RULE_ID, + ALERT_RULE_RULE_NAME_OVERRIDE, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_AT, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_SEVERITY, + ALERT_SUPPRESSION_DOCS_COUNT, + ALERT_SUPPRESSION_END, + ALERT_SUPPRESSION_FIELD, + ALERT_SUPPRESSION_START, + ALERT_SUPPRESSION_TERMS, + ALERT_SUPPRESSION_VALUE, + ALERT_SYSTEM_STATUS, + ALERT_THREAT_FRAMEWORK, + ALERT_THREAT_TACTIC_ID, + ALERT_THREAT_TACTIC_NAME, + ALERT_THREAT_TACTIC_REFERENCE, + ALERT_THREAT_TECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_REFERENCE, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, + ALERT_WORKFLOW_REASON, + ALERT_WORKFLOW_USER, + ECS_VERSION, + EVENT_ACTION, + EVENT_KIND, + EVENT_MODULE, + TAGS, +} from '@kbn/rule-data-utils'; +import { FieldMap } from './types'; + +export const legacyAlertFieldMap: FieldMap = { + [ALERT_BUILDING_BLOCK_TYPE]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_CASE_IDS]: { + type: 'keyword', + array: true, + required: false, + }, + [ALERT_DURATION]: { + type: 'long', + array: false, + required: false, + }, + [ALERT_END]: { + type: 'date', + array: false, + required: false, + }, + [ALERT_FLAPPING]: { + type: 'boolean', + 
array: false, + required: false, + }, + [ALERT_FLAPPING_HISTORY]: { + type: 'boolean', + array: true, + required: false, + }, + [ALERT_INSTANCE_ID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_LAST_DETECTED]: { + type: 'date', + required: false, + array: false, + }, + [ALERT_REASON]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_RULE_CATEGORY]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_CONSUMER]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_EXECUTION_UUID]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_RULE_NAME]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_PARAMETERS]: { + type: 'object', + enabled: false, + required: false, + }, + [ALERT_RULE_PRODUCER]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_TAGS]: { + type: 'keyword', + array: true, + required: false, + }, + [ALERT_RULE_TYPE_ID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_UUID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_START]: { + type: 'date', + array: false, + required: false, + }, + [ALERT_STATUS]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_TIME_RANGE]: { + type: 'date_range', + format: 'epoch_millis||strict_date_optional_time', + array: false, + required: false, + }, + [ALERT_UUID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_WORKFLOW_STATUS]: { + type: 'keyword', + array: false, + required: false, + }, + [SPACE_IDS]: { + type: 'keyword', + array: true, + required: true, + }, + [TIMESTAMP]: { + type: 'date', + required: true, + array: false, + }, + [VERSION]: { + type: 'version', + array: false, + required: false, + }, +}; + +export type AlertFieldMap = typeof alertFieldMap; 
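Review bot: The body of `legacyAlertFieldMap` does not match its import list: the keys it uses (`ALERT_CASE_IDS`, `ALERT_DURATION`, `ALERT_END`, … `TIMESTAMP`, `VERSION`) are the entries of `alertFieldMap` and none of them is imported here, while the legacy constants that are imported (all but `ALERT_BUILDING_BLOCK_TYPE`) are never used, so the file cannot compile as written. The closing `export type AlertFieldMap = typeof alertFieldMap;` references a name this file does not define and duplicates the alias that belongs with `alertFieldMap`; it should read `export type LegacyAlertFieldMap = typeof legacyAlertFieldMap;`. The map body needs one entry per imported legacy constant; the `technicalRuleFieldMap` hunks later in this patch show the existing mappings to carry over (for example `ALERT_RULE_AUTHOR`, `ALERT_RULE_CREATED_AT`, `ALERT_WORKFLOW_USER`, `ALERT_SEVERITY`). The sketch below only shows the shape — `required` is assumed false where the old hunk cuts it off, and `ALERT_SEVERITY` had no `array`/`required` before — the remaining entries follow the same pattern.
```typescript
export const legacyAlertFieldMap: FieldMap = {
  [ALERT_BUILDING_BLOCK_TYPE]: {
    type: 'keyword',
    array: false,
    required: false,
  },
  [ALERT_RULE_AUTHOR]: {
    type: 'keyword',
    array: false,
    required: false,
  },
  [ALERT_RULE_CREATED_AT]: {
    type: 'date',
    array: false,
    required: false,
  },
  [ALERT_SEVERITY]: {
    type: 'keyword',
    array: false,
    required: false,
  },
  [ALERT_WORKFLOW_USER]: {
    type: 'keyword',
    array: false,
    required: false,
  },
  // … one entry per remaining imported legacy constant, carried over from technicalRuleFieldMap …
};

export type LegacyAlertFieldMap = typeof legacyAlertFieldMap;
```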
diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 9a977213d44465..8d5b2af56b411b 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -25,6 +25,8 @@ export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; +export { alertFieldMap } from './alert_schema'; + export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; hasPermanentEncryptionKey: boolean; diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index ba3623526591f7..a82c3db9af5861 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -79,10 +79,7 @@ const getIndexTemplatePutBody = (context?: string) => ({ name: `.alerts-${context ? context : 'test'}-default-template`, body: { index_patterns: [`.alerts-${context ? context : 'test'}-default-*`], - composed_of: [ - 'alerts-common-component-template', - `alerts-${context ? context : 'test'}-component-template`, - ], + composed_of: ['.alerts-framework-mappings', `.alerts-${context ? context : 'test'}-mappings`], template: { settings: { auto_expand_replicas: '0-1', @@ -148,7 +145,7 @@ describe('Alerts Service', () => { expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; - expect(componentTemplate1.name).toEqual('alerts-common-component-template'); + expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); }); test('should log error and set initialized to false if adding ILM policy throws error', async () => { 
@@ -185,7 +182,7 @@ describe('Alerts Service', () => { expect(alertsService.isInitialized()).toEqual(false); expect(logger.error).toHaveBeenCalledWith( - `Error installing component template alerts-common-component-template - fail` + `Error installing component template .alerts-framework-mappings - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); @@ -218,11 +215,11 @@ describe('Alerts Service', () => { expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; - expect(componentTemplate1.name).toEqual('alerts-common-component-template'); + expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; - expect(componentTemplate2.name).toEqual('alerts-another-component-template'); + expect(componentTemplate2.name).toEqual('.alerts-another-mappings'); const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; - expect(componentTemplate3.name).toEqual('alerts-test-component-template'); + expect(componentTemplate3.name).toEqual('.alerts-test-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.putIndexTemplate).toHaveBeenNthCalledWith( 
@@ -293,9 +290,9 @@ describe('Alerts Service', () => { expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; - expect(componentTemplate1.name).toEqual('alerts-common-component-template'); + expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; - expect(componentTemplate2.name).toEqual('alerts-test-component-template'); + expect(componentTemplate2.name).toEqual('.alerts-test-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( getIndexTemplatePutBody() @@ -330,13 +327,13 @@ describe('Alerts Service', () => { expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; - expect(componentTemplate1.name).toEqual('alerts-common-component-template'); + expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith({ name: `.alerts-empty-default-template`, body: { index_patterns: [`.alerts-empty-default-*`], - composed_of: ['alerts-common-component-template'], + composed_of: ['.alerts-framework-mappings'], template: { settings: { auto_expand_replicas: '0-1', diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index db47a9a8e00150..3cda04d784d6c8 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts 
@@ -10,7 +10,7 @@ import { getComponentTemplateFromFieldMap } from '../../common/alert_schema'; import { FieldMap } from '../../common/alert_schema/field_maps/types'; export const getComponentTemplateName = (context?: string) => - `alerts-${context ? context : 'common'}-component-template`; + `.alerts-${context ? `${context}` : 'framework'}-mappings`; export interface IIndexPatternString { template: string; diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index 9f1ee0838c1549..1572a92aec951a 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { alertFieldMap } from '@kbn/alerting-plugin/common'; import { pickWithPatterns } from '../../pick_with_patterns'; import * as Fields from '../../technical_rule_data_field_names'; import { ecsFieldMap } from './ecs_field_map'; 
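Review bot: In the new `getComponentTemplateName` body the inner template literal wrapping `context` is redundant — `${context ? context : 'framework'}` (or `context || 'framework'`) yields exactly the same string and reads more simply; avoid `??` here, since the existing truthiness check maps an empty string to the default and `??` would not. The function has no doc comment in the hunk, and now that the name is dot-prefixed and the default segment changed from `common` to `framework` one is worth adding, e.g. `/** Name of the ES component template holding the alert mappings for `context`, or the framework-wide template when none is given. */`. Because `context` is interpolated unvalidated into an Elasticsearch resource name, the comment should also say where it is expected to come from (rule-type registration rather than request input, if that is the case) so readers can judge the trust boundary.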
@@ -17,23 +18,33 @@ export const technicalRuleFieldMap = { Fields.EVENT_ACTION, Fields.TAGS ), + [Fields.ALERT_ACTION_GROUP]: alertFieldMap[Fields.ALERT_ACTION_GROUP], + [Fields.ALERT_CASE_IDS]: alertFieldMap[Fields.ALERT_CASE_IDS], + [Fields.ALERT_DURATION]: alertFieldMap[Fields.ALERT_DURATION], + [Fields.ALERT_END]: alertFieldMap[Fields.ALERT_END], + [Fields.ALERT_FLAPPING]: alertFieldMap[Fields.ALERT_FLAPPING], + [Fields.ALERT_INSTANCE_ID]: alertFieldMap[Fields.ALERT_INSTANCE_ID], + [Fields.ALERT_REASON]: alertFieldMap[Fields.ALERT_REASON], + [Fields.ALERT_RULE_CATEGORY]: alertFieldMap[Fields.ALERT_RULE_CATEGORY], + [Fields.ALERT_RULE_CONSUMER]: alertFieldMap[Fields.ALERT_RULE_CONSUMER], + [Fields.ALERT_RULE_EXECUTION_UUID]: alertFieldMap[Fields.ALERT_RULE_EXECUTION_UUID], + [Fields.ALERT_RULE_NAME]: alertFieldMap[Fields.ALERT_RULE_NAME], + // want to change to 'object', is that ok? [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 }, - [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true }, - [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true }, - [Fields.ALERT_UUID]: { type: 'keyword', required: true }, - [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_START]: { type: 'date' }, - [Fields.ALERT_TIME_RANGE]: { - type: 'date_range', - format: 'epoch_millis||strict_date_optional_time', - }, - [Fields.ALERT_END]: { type: 'date' }, - [Fields.ALERT_DURATION]: { type: 'long' }, + // --------------------------------------- + [Fields.ALERT_RULE_PRODUCER]: alertFieldMap[Fields.ALERT_RULE_PRODUCER], + [Fields.ALERT_RULE_TAGS]: alertFieldMap[Fields.ALERT_RULE_TAGS], + [Fields.ALERT_RULE_TYPE_ID]: alertFieldMap[Fields.ALERT_RULE_TYPE_ID], + [Fields.ALERT_RULE_UUID]: alertFieldMap[Fields.ALERT_RULE_UUID], + [Fields.ALERT_START]: 
alertFieldMap[Fields.ALERT_START], + [Fields.ALERT_STATUS]: alertFieldMap[Fields.ALERT_STATUS], + [Fields.ALERT_TIME_RANGE]: alertFieldMap[Fields.ALERT_TIME_RANGE], + [Fields.ALERT_UUID]: alertFieldMap[Fields.ALERT_UUID], + [Fields.ALERT_WORKFLOW_STATUS]: alertFieldMap[Fields.ALERT_WORKFLOW_STATUS], + [Fields.SPACE_IDS]: alertFieldMap[Fields.SPACE_IDS], + [Fields.VERSION]: alertFieldMap[Fields.VERSION], + [Fields.ALERT_SEVERITY]: { type: 'keyword' }, - [Fields.ALERT_STATUS]: { type: 'keyword', required: true }, - [Fields.ALERT_FLAPPING]: { type: 'boolean' }, [Fields.VERSION]: { type: 'version', array: false, @@ -49,11 +60,6 @@ export const technicalRuleFieldMap = { array: false, required: false, }, - [Fields.ALERT_WORKFLOW_STATUS]: { - type: 'keyword', - array: false, - required: false, - }, [Fields.ALERT_WORKFLOW_USER]: { type: 'keyword', array: false, @@ -69,36 +75,11 @@ export const technicalRuleFieldMap = { array: false, required: false, }, - [Fields.ALERT_ACTION_GROUP]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_REASON]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_CASE_IDS]: { - type: 'keyword', - array: true, - required: false, - }, [Fields.ALERT_RULE_AUTHOR]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_CATEGORY]: { - type: 'keyword', - array: false, - required: true, - }, - [Fields.ALERT_RULE_UUID]: { - type: 'keyword', - array: false, - required: true, - }, [Fields.ALERT_RULE_CREATED_AT]: { type: 'date', array: false, @@ -119,11 +100,6 @@ export const technicalRuleFieldMap = { array: false, required: false, }, - [Fields.ALERT_RULE_EXECUTION_UUID]: { - type: 'keyword', - array: false, - required: false, - }, [Fields.ALERT_RULE_FROM]: { type: 'keyword', array: false, 
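Review bot: The new side of the `@@ -17,23 +18,33 @@` hunk ends up with `[Fields.VERSION]` twice: `[Fields.VERSION]: alertFieldMap[Fields.VERSION],` is added while the literal `[Fields.VERSION]: { type: 'version', ... }` a few lines below is kept, so the literal silently wins at runtime and the compiler may reject the duplicate computed key. Commit 02 later in this series removes the literal, so this only affects the intermediate commit, but the WIP question `// want to change to 'object', is that ok?` above `ALERT_RULE_PARAMETERS` survives and should become a decision or an actionable TODO, e.g. `// TODO: align kibana.alert.rule.parameters with alertFieldMap (the removed side of legacy_alert_field_map.ts maps it as object/enabled: false) or keep flattened + ignore_above; decide before merge`. The `// ---------------------------------------` separator carries no information and should go. The technicalRuleFieldMap literal starts and ends outside this hunk.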
@@ -139,11 +115,6 @@ export const technicalRuleFieldMap = { array: false, required: false, }, - [Fields.ALERT_RULE_NAME]: { - type: 'keyword', - array: false, - required: true, - }, [Fields.ALERT_RULE_NOTE]: { type: 'keyword', array: false, @@ -164,11 +135,6 @@ export const technicalRuleFieldMap = { array: false, required: false, }, - [Fields.ALERT_RULE_TAGS]: { - type: 'keyword', - array: true, - required: false, - }, [Fields.ALERT_RULE_TO]: { type: 'keyword', array: false, diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts index 49ec03fc6d8d89..425a90f080cb4d 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts @@ -18,7 +18,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex describe('alerts as data', () => { it('should install common alerts as data resources on startup', async () => { const ilmPolicyName = 'alerts-default-ilm-policy'; - const componentTemplateName = 'alerts-common-component-template'; + const componentTemplateName = '.alerts-framework-mappings'; const commonIlmPolicy = await es.ilm.getLifecycle({ name: ilmPolicyName, @@ -65,7 +65,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex }); it('should install context specific alerts as data resources on startup', async () => { - const componentTemplateName = 'alerts-test.always-firing-component-template'; + const componentTemplateName = 'alerts-test.always-firing-mappings'; const indexTemplateName = '.alerts-test.always-firing-default-template'; const indexName = '.alerts-test.always-firing-default-000001'; const contextSpecificMappings = { 
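Review bot: In the `@@ -65,7 +65,7 @@` hunk `componentTemplateName` is `'alerts-test.always-firing-mappings'` without the leading dot, while `getComponentTemplateName` in types.ts now returns `.alerts-${context}-mappings` and the unit test in alerts_service.test.ts expects `.alerts-test-mappings`; unless the context-specific template is named by some other path, this expectation and the `composed_of` list in the `@@ -114,8 +114,8 @@` hunk below will not match what the service creates. Suggest `const componentTemplateName = '.alerts-test.always-firing-mappings';` here and the matching `'.alerts-test.always-firing-mappings',` entry in `composed_of`. Both `it(...)` callbacks continue outside their hunks.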
@@ -114,8 +114,8 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex '.alerts-test.always-firing-default-*', ]); expect(contextIndexTemplate.index_template.composed_of).to.eql([ - 'alerts-common-component-template', - 'alerts-test.always-firing-component-template', + '.alerts-framework-mappings', + 'alerts-test.always-firing-mappings', ]); expect(contextIndexTemplate.index_template.template!.mappings).to.eql({ dynamic: false, From 2197c3ec909781739b1f257aa058063a5222913b Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 6 Feb 2023 15:46:13 -0500 Subject: [PATCH 02/49] Splitting technical fields into default and legacy. Removing the fields defined in the package that are not in the mapping --- .../src/legacy_alerts_as_data.ts | 113 ++++++----- .../src/technical_field_names.ts | 64 +++--- .../field_maps/alert_field_map.ts | 1 + .../field_maps/legacy_alert_field_map.ts | 152 +++++++------- .../alerting/common/alert_schema/index.ts | 1 + x-pack/plugins/alerting/common/index.ts | 2 +- .../technical_rule_field_map.test.ts | 18 ++ .../field_maps/technical_rule_field_map.ts | 188 ++++-------------- 8 files changed, 228 insertions(+), 311 deletions(-) diff --git a/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts index 6e24fb9fac1732..7770b511155c12 100644 --- a/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts +++ b/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts 
@@ -8,44 +8,21 @@ import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from './default_alerts_as_data'; -// namespaces -const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const; - const ECS_VERSION = 'ecs.version' as const; const EVENT_ACTION = 'event.action' as const; const EVENT_KIND = 'event.kind' as const; -const EVENT_MODULE = 'event.module' as const; const TAGS = 'tags' as const; -// Fields pertaining to the alert -const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; -const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; -const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; - +// these are in the technical component template const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; -const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; -const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; -const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; -const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; -const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const; -const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const; -const ALERT_SUPPRESSION_FIELD = `${ALERT_SUPPRESSION_TERMS}.field` as const; -const ALERT_SUPPRESSION_VALUE = `${ALERT_SUPPRESSION_TERMS}.value` as const; -const ALERT_SUPPRESSION_START = `${ALERT_SUPPRESSION_META}.start` as const; -const ALERT_SUPPRESSION_END = `${ALERT_SUPPRESSION_META}.end` as const; -const ALERT_SUPPRESSION_DOCS_COUNT = `${ALERT_SUPPRESSION_META}.docs_count` as const; - -// Fields pertaining to the rule associated with the alert const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const; const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const; const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const; const ALERT_RULE_DESCRIPTION = 
`${ALERT_RULE_NAMESPACE}.description` as const; const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const; -const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const; const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const; const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const; -const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const; const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const; const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const; const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const; 
@@ -55,38 +32,64 @@ const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const; const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const; const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const; const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const; +const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; +const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const; +const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const; +const ALERT_SUPPRESSION_FIELD = `${ALERT_SUPPRESSION_TERMS}.field` as const; +const ALERT_SUPPRESSION_VALUE = `${ALERT_SUPPRESSION_TERMS}.value` as const; +const ALERT_SUPPRESSION_START = `${ALERT_SUPPRESSION_META}.start` as const; +const ALERT_SUPPRESSION_END = `${ALERT_SUPPRESSION_META}.end` as const; +const ALERT_SUPPRESSION_DOCS_COUNT = `${ALERT_SUPPRESSION_META}.docs_count` as const; +const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; +const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; +const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; + +// // these fields are not in the technical component template +// // namespaces +// const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const; + +// const EVENT_MODULE = 'event.module' as const; + +// // Fields pertaining to the alert +// const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; +// const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; +// const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; + +// // Fields pertaining to the rule associated with the alert +// const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; +// const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const; -// Fields pertaining to the threat tactic associated with the rule -const 
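Review bot: The `@@ -8,44 +8,21 @@` hunk deletes `ALERT_BUILDING_BLOCK_TYPE`, `ALERT_EVALUATION_THRESHOLD`, `ALERT_EVALUATION_VALUE`, `ALERT_RULE_EXCEPTIONS_LIST`, `ALERT_RULE_NAMESPACE_FIELD`, `EVENT_MODULE` and `ALERT_RULE_THREAT_NAMESPACE`, and the `@@ -104,21 +107,21 @@` hunk drops them from the export list; these names are consumed from `@kbn/rule-data-utils` by code elsewhere in this patch (legacy_alert_field_map.ts imported them before this change), and any consumer outside the patch, which the page does not show, stops compiling. That should be checked before the names leave the package, or the constants kept and marked `// not present in the technical component template mapping` if only the mapping is changing. The remaining comment `// these are in the technical component template` would be clearer as `// Field names that are present in the technical component template mapping`.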
ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const; -const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const; -const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const; -const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const; -const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const; -const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const; -const ALERT_THREAT_TECHNIQUE_REFERENCE = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const; -const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const; -const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as const; -const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = - `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const; +// // Fields pertaining to the threat tactic associated with the rule +// const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const; +// const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const; +// const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const; +// const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const; +// const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const; +// const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const; +// const ALERT_THREAT_TECHNIQUE_REFERENCE = +// `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const; +// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = +// `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const; +// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = +// 
`${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as const; +// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = +// `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const; export { - ALERT_BUILDING_BLOCK_TYPE, - ALERT_EVALUATION_THRESHOLD, - ALERT_EVALUATION_VALUE, + // ALERT_BUILDING_BLOCK_TYPE, + // ALERT_EVALUATION_THRESHOLD, + // ALERT_EVALUATION_VALUE, ALERT_RISK_SCORE, ALERT_RULE_AUTHOR, ALERT_RULE_CREATED_AT, ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, - ALERT_RULE_EXCEPTIONS_LIST, + // ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, - ALERT_RULE_NAMESPACE_FIELD, + // ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, ALERT_RULE_RULE_ID, @@ -104,21 +107,21 @@ export { ALERT_SUPPRESSION_TERMS, ALERT_SUPPRESSION_VALUE, ALERT_SYSTEM_STATUS, - ALERT_THREAT_FRAMEWORK, - ALERT_THREAT_TACTIC_ID, - ALERT_THREAT_TACTIC_NAME, - ALERT_THREAT_TACTIC_REFERENCE, - ALERT_THREAT_TECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_REFERENCE, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, + // ALERT_THREAT_FRAMEWORK, + // ALERT_THREAT_TACTIC_ID, + // ALERT_THREAT_TACTIC_NAME, + // ALERT_THREAT_TACTIC_REFERENCE, + // ALERT_THREAT_TECHNIQUE_ID, + // ALERT_THREAT_TECHNIQUE_NAME, + // ALERT_THREAT_TECHNIQUE_REFERENCE, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, ALERT_WORKFLOW_REASON, ALERT_WORKFLOW_USER, ECS_VERSION, EVENT_ACTION, EVENT_KIND, - EVENT_MODULE, + // EVENT_MODULE, TAGS, }; diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index 10f6e290722336..999b3349fa016c 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts 
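Review bot: The `@@ -55,38 +32,64 @@` hunk replaces the removed declarations with roughly thirty lines of commented-out code (`// const ALERT_THREAT_FRAMEWORK = ...` through `// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = ...`) and leaves commented-out entries inside the `export { ... }` list; the same pattern recurs in the `@@ -104,21 +107,21 @@` hunk and in all five technical_field_names.ts hunks that follow. Commented-out code drifts out of sync with the live declarations and git history already preserves the removed lines, so delete it, or if the names are expected to return keep a single line such as `// TODO: re-add the threat, evaluation and building_block_type fields once they are in the mapping`. The doubled prefix in `// // these fields are not in the technical component template` also reads as an accident.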
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -38,20 +38,20 @@ import { } from './default_alerts_as_data'; import { - ALERT_BUILDING_BLOCK_TYPE, - ALERT_EVALUATION_THRESHOLD, - ALERT_EVALUATION_VALUE, + // ALERT_BUILDING_BLOCK_TYPE, + // ALERT_EVALUATION_THRESHOLD, + // ALERT_EVALUATION_VALUE, ALERT_RISK_SCORE, ALERT_RULE_AUTHOR, ALERT_RULE_CREATED_AT, ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, - ALERT_RULE_EXCEPTIONS_LIST, + // ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, - ALERT_RULE_NAMESPACE_FIELD, + // ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, ALERT_RULE_RULE_ID, @@ -69,22 +69,22 @@ import { ALERT_SUPPRESSION_TERMS, ALERT_SUPPRESSION_VALUE, ALERT_SYSTEM_STATUS, - ALERT_THREAT_FRAMEWORK, - ALERT_THREAT_TACTIC_ID, - ALERT_THREAT_TACTIC_NAME, - ALERT_THREAT_TACTIC_REFERENCE, - ALERT_THREAT_TECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_REFERENCE, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, + // ALERT_THREAT_FRAMEWORK, + // ALERT_THREAT_TACTIC_ID, + // ALERT_THREAT_TACTIC_NAME, + // ALERT_THREAT_TACTIC_REFERENCE, + // ALERT_THREAT_TECHNIQUE_ID, + // ALERT_THREAT_TECHNIQUE_NAME, + // ALERT_THREAT_TECHNIQUE_REFERENCE, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, ALERT_WORKFLOW_REASON, ALERT_WORKFLOW_USER, ECS_VERSION, EVENT_ACTION, EVENT_KIND, - EVENT_MODULE, + // EVENT_MODULE, TAGS, } from './legacy_alerts_as_data'; 
@@ -98,15 +98,15 @@ const fields = { ECS_VERSION, EVENT_KIND, EVENT_ACTION, - EVENT_MODULE, + // EVENT_MODULE, TAGS, TIMESTAMP, ALERT_ACTION_GROUP, - ALERT_BUILDING_BLOCK_TYPE, + // ALERT_BUILDING_BLOCK_TYPE, ALERT_DURATION, ALERT_END, - ALERT_EVALUATION_THRESHOLD, - ALERT_EVALUATION_VALUE, + // ALERT_EVALUATION_THRESHOLD, + // ALERT_EVALUATION_VALUE, ALERT_FLAPPING, ALERT_INSTANCE_ID, ALERT_RULE_CONSUMER, @@ -119,13 +119,13 @@ const fields = { ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, - ALERT_RULE_EXCEPTIONS_LIST, + // ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_EXECUTION_UUID, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, ALERT_RULE_NAME, - ALERT_RULE_NAMESPACE_FIELD, + // ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, ALERT_RULE_PARAMETERS, ALERT_RULE_REFERENCES, @@ -149,16 +149,16 @@ const fields = { ALERT_WORKFLOW_USER, ALERT_RULE_UUID, ALERT_RULE_CATEGORY, - ALERT_THREAT_FRAMEWORK, - ALERT_THREAT_TACTIC_ID, - ALERT_THREAT_TACTIC_NAME, - ALERT_THREAT_TACTIC_REFERENCE, - ALERT_THREAT_TECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_REFERENCE, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, + // ALERT_THREAT_FRAMEWORK, + // ALERT_THREAT_TACTIC_ID, + // ALERT_THREAT_TACTIC_NAME, + // ALERT_THREAT_TACTIC_REFERENCE, + // ALERT_THREAT_TECHNIQUE_ID, + // ALERT_THREAT_TECHNIQUE_NAME, + // ALERT_THREAT_TECHNIQUE_REFERENCE, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, ALERT_SUPPRESSION_TERMS, ALERT_SUPPRESSION_FIELD, ALERT_SUPPRESSION_VALUE, diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index f73f0adb649364..b5862c24e275b2 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts 
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -71,6 +71,7 @@ export const alertFieldMap: FieldMap = { array: false, required: true, }, + // this is not in the technical field mapping ?? [ALERT_LAST_DETECTED]: { type: 'date', required: false, diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts index cf6a61268d7f6e..6f0e60fb8ecf13 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts @@ -6,20 +6,15 @@ */ import { - ALERT_BUILDING_BLOCK_TYPE, - ALERT_EVALUATION_THRESHOLD, - ALERT_EVALUATION_VALUE, ALERT_RISK_SCORE, ALERT_RULE_AUTHOR, ALERT_RULE_CREATED_AT, ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, - ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, - ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, ALERT_RULE_RULE_ID, 
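Review bot: `// this is not in the technical field mapping ??` is a question left in the source rather than documentation of the `ALERT_LAST_DETECTED` entry, and a reader cannot tell whether the mismatch is intended. Replace it with a statement or an actionable TODO, e.g. `// TODO: kibana.alert.last_detected is not in technicalRuleFieldMap; decide whether it should be added there`. The alertFieldMap literal starts and ends outside the hunk.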
@@ -34,161 +29,174 @@ import { ALERT_SUPPRESSION_END, ALERT_SUPPRESSION_FIELD, ALERT_SUPPRESSION_START, - ALERT_SUPPRESSION_TERMS, ALERT_SUPPRESSION_VALUE, ALERT_SYSTEM_STATUS, - ALERT_THREAT_FRAMEWORK, - ALERT_THREAT_TACTIC_ID, - ALERT_THREAT_TACTIC_NAME, - ALERT_THREAT_TACTIC_REFERENCE, - ALERT_THREAT_TECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_REFERENCE, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, - ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, ALERT_WORKFLOW_REASON, ALERT_WORKFLOW_USER, ECS_VERSION, EVENT_ACTION, EVENT_KIND, - EVENT_MODULE, TAGS, } from '@kbn/rule-data-utils'; import { FieldMap } from './types'; export const legacyAlertFieldMap: FieldMap = { - [ALERT_BUILDING_BLOCK_TYPE]: { - type: 'keyword', + [ALERT_RISK_SCORE]: { + type: 'float', array: false, required: false, }, - [ALERT_CASE_IDS]: { + [ALERT_RULE_AUTHOR]: { type: 'keyword', - array: true, + array: false, required: false, }, - [ALERT_DURATION]: { - type: 'long', + [ALERT_RULE_CREATED_AT]: { + type: 'date', array: false, required: false, }, - [ALERT_END]: { - type: 'date', + [ALERT_RULE_CREATED_BY]: { + type: 'keyword', array: false, required: false, }, - [ALERT_FLAPPING]: { - type: 'boolean', + [ALERT_RULE_DESCRIPTION]: { + type: 'keyword', array: false, required: false, }, - [ALERT_FLAPPING_HISTORY]: { - type: 'boolean', - array: true, + [ALERT_RULE_ENABLED]: { + type: 'keyword', + array: false, required: false, }, - [ALERT_INSTANCE_ID]: { + [ALERT_RULE_FROM]: { type: 'keyword', array: false, - required: true, + required: false, }, - [ALERT_LAST_DETECTED]: { - type: 'date', + [ALERT_RULE_INTERVAL]: { + type: 'keyword', + array: false, required: false, + }, + [ALERT_RULE_LICENSE]: { + type: 'keyword', array: false, + required: false, }, - [ALERT_REASON]: { + [ALERT_RULE_NOTE]: { type: 'keyword', array: false, required: false, }, - [ALERT_RULE_CATEGORY]: { + [ALERT_RULE_REFERENCES]: { + type: 'keyword', + array: true, + 
required: false, + }, + [ALERT_RULE_RULE_ID]: { type: 'keyword', array: false, - required: true, + required: false, }, - [ALERT_RULE_CONSUMER]: { + [ALERT_RULE_RULE_NAME_OVERRIDE]: { type: 'keyword', array: false, - required: true, + required: false, }, - [ALERT_RULE_EXECUTION_UUID]: { + [ALERT_RULE_TO]: { type: 'keyword', array: false, required: false, }, - [ALERT_RULE_NAME]: { + [ALERT_RULE_TYPE]: { type: 'keyword', array: false, - required: true, + required: false, }, - [ALERT_RULE_PARAMETERS]: { - type: 'object', - enabled: false, + [ALERT_RULE_UPDATED_AT]: { + type: 'date', + array: false, required: false, }, - [ALERT_RULE_PRODUCER]: { + [ALERT_RULE_UPDATED_BY]: { type: 'keyword', array: false, - required: true, + required: false, }, - [ALERT_RULE_TAGS]: { + [ALERT_RULE_VERSION]: { type: 'keyword', - array: true, + array: false, required: false, }, - [ALERT_RULE_TYPE_ID]: { + [ALERT_SEVERITY]: { type: 'keyword', array: false, - required: true, + required: false, }, - [ALERT_RULE_UUID]: { - type: 'keyword', + [ALERT_SUPPRESSION_DOCS_COUNT]: { + type: 'long', array: false, - required: true, + required: false, }, - [ALERT_START]: { + [ALERT_SUPPRESSION_END]: { type: 'date', array: false, required: false, }, - [ALERT_STATUS]: { + [ALERT_SUPPRESSION_FIELD]: { type: 'keyword', + array: true, + required: false, + }, + [ALERT_SUPPRESSION_START]: { + type: 'date', array: false, - required: true, + required: false, + }, + [ALERT_SUPPRESSION_VALUE]: { + type: 'keyword', + array: true, + required: false, }, - [ALERT_TIME_RANGE]: { - type: 'date_range', - format: 'epoch_millis||strict_date_optional_time', + [ALERT_SYSTEM_STATUS]: { + type: 'keyword', array: false, required: false, }, - [ALERT_UUID]: { + [ALERT_WORKFLOW_REASON]: { type: 'keyword', array: false, - required: true, + required: false, }, - [ALERT_WORKFLOW_STATUS]: { + [ALERT_WORKFLOW_USER]: { type: 'keyword', array: false, required: false, }, - [SPACE_IDS]: { + // get these from ecs field map when available + 
[ECS_VERSION]: { type: 'keyword', - array: true, - required: true, + array: false, + required: false, }, - [TIMESTAMP]: { - type: 'date', - required: true, + [EVENT_ACTION]: { + type: 'keyword', array: false, + required: false, }, - [VERSION]: { - type: 'version', + [EVENT_KIND]: { + type: 'keyword', array: false, required: false, }, + [TAGS]: { + type: 'keyword', + array: true, + required: false, + }, }; -export type AlertFieldMap = typeof alertFieldMap; +export type LegacyAlertFieldMap = typeof legacyAlertFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index acca43450fe347..b338f6e73a06e4 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts @@ -6,4 +6,5 @@ */ export { alertFieldMap } from './field_maps/alert_field_map'; +export { legacyAlertFieldMap } from './field_maps/legacy_alert_field_map'; export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 8d5b2af56b411b..1cdb9b657e9c8e 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -25,7 +25,7 @@ export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; -export { alertFieldMap } from './alert_schema'; +export { alertFieldMap, legacyAlertFieldMap } from './alert_schema'; export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts index 42c690e41604b6..c33a6ae68363b3 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts 
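Review bot: `export type LegacyAlertFieldMap = typeof legacyAlertFieldMap;` resolves to plain `FieldMap` because the constant is annotated `: FieldMap`, so the alias carries no information about which keys the legacy map actually defines. If the alias is meant to expose that key set, declare the constant as `export const legacyAlertFieldMap = { ... } satisfies FieldMap;` (where the compiler version supports `satisfies`), otherwise drop the alias. Separately, every entry under `// get these from ecs field map when available` is `keyword`, including `tags`, `event.kind` and `event.action`; if ecsFieldMap defines any of them differently, the two component templates will carry conflicting mapping types for the same field, which is worth confirming before the ECS pick is removed in the later commit. The import statement above the literal starts outside the hunk.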
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts @@ -43,15 +43,22 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.duration.us": Object { + "array": false, + "required": false, "type": "long", }, "kibana.alert.end": Object { + "array": false, + "required": false, "type": "date", }, "kibana.alert.flapping": Object { + "array": false, + "required": false, "type": "boolean", }, "kibana.alert.instance.id": Object { + "array": false, "required": true, "type": "keyword", }, @@ -76,6 +83,7 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.rule.consumer": Object { + "array": false, "required": true, "type": "keyword", }, @@ -134,6 +142,7 @@ it('matches snapshot', () => { "type": "flattened", }, "kibana.alert.rule.producer": Object { + "array": false, "required": true, "type": "keyword", }, @@ -153,6 +162,7 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.rule.rule_type_id": Object { + "array": false, "required": true, "type": "keyword", }, @@ -192,12 +202,17 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.severity": Object { + "array": false, + "required": false, "type": "keyword", }, "kibana.alert.start": Object { + "array": false, + "required": false, "type": "date", }, "kibana.alert.status": Object { + "array": false, "required": true, "type": "keyword", }, @@ -232,10 +247,13 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.time_range": Object { + "array": false, "format": "epoch_millis||strict_date_optional_time", + "required": false, "type": "date_range", }, "kibana.alert.uuid": Object { + "array": false, "required": true, "type": "keyword", }, diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index 1572a92aec951a..d570a391b9816e 100644 
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts @@ -5,19 +5,13 @@ * 2.0. */ -import { alertFieldMap } from '@kbn/alerting-plugin/common'; -import { pickWithPatterns } from '../../pick_with_patterns'; +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; import * as Fields from '../../technical_rule_data_field_names'; -import { ecsFieldMap } from './ecs_field_map'; export const technicalRuleFieldMap = { - ...pickWithPatterns( - ecsFieldMap, - Fields.TIMESTAMP, - Fields.EVENT_KIND, - Fields.EVENT_ACTION, - Fields.TAGS - ), + // These fields are defined in the framework alerts as data field map and will + // be used for FAAD + [Fields.TIMESTAMP]: alertFieldMap[Fields.TIMESTAMP], [Fields.ALERT_ACTION_GROUP]: alertFieldMap[Fields.ALERT_ACTION_GROUP], [Fields.ALERT_CASE_IDS]: alertFieldMap[Fields.ALERT_CASE_IDS], [Fields.ALERT_DURATION]: alertFieldMap[Fields.ALERT_DURATION], 
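Review bot: The new header comment `// These fields are defined in the framework alerts as data field map and will be used for FAAD` introduces the acronym FAAD without expansion and `will be used` does not say why the technical map now reads these entries from alertFieldMap instead of ecsFieldMap; suggest `// Sourced from the framework alerts-as-data (FAAD) field map (alertFieldMap in the alerting plugin)`. The removed `pickWithPatterns(ecsFieldMap, ...)` covered `@timestamp`, `event.kind`, `event.action` and `tags`, but only `@timestamp` is visibly re-added here, so the other three presumably come from legacyAlertFieldMap further down, which is outside the hunk and worth confirming. The technicalRuleFieldMap literal continues past the hunk.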
@@ -44,147 +38,39 @@ export const technicalRuleFieldMap = { [Fields.SPACE_IDS]: alertFieldMap[Fields.SPACE_IDS], [Fields.VERSION]: alertFieldMap[Fields.VERSION], - [Fields.ALERT_SEVERITY]: { type: 'keyword' }, - [Fields.VERSION]: { - type: 'version', - array: false, - required: false, - }, - [Fields.ECS_VERSION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RISK_SCORE]: { - type: 'float', - array: false, - required: false, - }, - [Fields.ALERT_WORKFLOW_USER]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_WORKFLOW_REASON]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_SYSTEM_STATUS]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_AUTHOR]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_CREATED_AT]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_RULE_CREATED_BY]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_DESCRIPTION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_ENABLED]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_FROM]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_INTERVAL]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_LICENSE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_NOTE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_REFERENCES]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_RULE_RULE_ID]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_TO]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_TYPE]: { - type: 'keyword', 
- array: false, - required: false, - }, - [Fields.ALERT_RULE_UPDATED_AT]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_RULE_UPDATED_BY]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_VERSION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_FIELD]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_SUPPRESSION_VALUE]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_SUPPRESSION_START]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_END]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: { - type: 'long', - array: false, - required: false, - }, + // These fields are defined in the legacy alerts as data field map to maintain + // backwards compatibility with rule registry alerts as data + [Fields.ALERT_RISK_SCORE]: legacyAlertFieldMap[Fields.ALERT_RISK_SCORE], + [Fields.ALERT_RULE_AUTHOR]: legacyAlertFieldMap[Fields.ALERT_RULE_AUTHOR], + [Fields.ALERT_RULE_CREATED_AT]: legacyAlertFieldMap[Fields.ALERT_RULE_CREATED_AT], + [Fields.ALERT_RULE_CREATED_BY]: legacyAlertFieldMap[Fields.ALERT_RULE_CREATED_BY], + [Fields.ALERT_RULE_DESCRIPTION]: legacyAlertFieldMap[Fields.ALERT_RULE_DESCRIPTION], + [Fields.ALERT_RULE_ENABLED]: legacyAlertFieldMap[Fields.ALERT_RULE_ENABLED], + [Fields.ALERT_RULE_FROM]: legacyAlertFieldMap[Fields.ALERT_RULE_FROM], + [Fields.ALERT_RULE_INTERVAL]: legacyAlertFieldMap[Fields.ALERT_RULE_INTERVAL], + [Fields.ALERT_RULE_LICENSE]: legacyAlertFieldMap[Fields.ALERT_RULE_LICENSE], + [Fields.ALERT_RULE_NOTE]: legacyAlertFieldMap[Fields.ALERT_RULE_NOTE], + [Fields.ALERT_RULE_REFERENCES]: legacyAlertFieldMap[Fields.ALERT_RULE_REFERENCES], + [Fields.ALERT_RULE_RULE_ID]: legacyAlertFieldMap[Fields.ALERT_RULE_RULE_ID], + [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: legacyAlertFieldMap[Fields.ALERT_RULE_RULE_NAME_OVERRIDE], 
+ [Fields.ALERT_RULE_TO]: legacyAlertFieldMap[Fields.ALERT_RULE_TO], + [Fields.ALERT_RULE_TYPE]: legacyAlertFieldMap[Fields.ALERT_RULE_TYPE], + [Fields.ALERT_RULE_UPDATED_AT]: legacyAlertFieldMap[Fields.ALERT_RULE_UPDATED_AT], + [Fields.ALERT_RULE_UPDATED_BY]: legacyAlertFieldMap[Fields.ALERT_RULE_UPDATED_BY], + [Fields.ALERT_RULE_VERSION]: legacyAlertFieldMap[Fields.ALERT_RULE_VERSION], + [Fields.ALERT_SEVERITY]: legacyAlertFieldMap[Fields.ALERT_SEVERITY], + [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_DOCS_COUNT], + [Fields.ALERT_SUPPRESSION_END]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_END], + [Fields.ALERT_SUPPRESSION_FIELD]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_FIELD], + [Fields.ALERT_SUPPRESSION_START]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_START], + [Fields.ALERT_SUPPRESSION_VALUE]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_VALUE], + [Fields.ALERT_SYSTEM_STATUS]: legacyAlertFieldMap[Fields.ALERT_SYSTEM_STATUS], + [Fields.ALERT_WORKFLOW_REASON]: legacyAlertFieldMap[Fields.ALERT_WORKFLOW_REASON], + [Fields.ALERT_WORKFLOW_USER]: legacyAlertFieldMap[Fields.ALERT_WORKFLOW_USER], + [Fields.ECS_VERSION]: legacyAlertFieldMap[Fields.ECS_VERSION], + [Fields.EVENT_ACTION]: legacyAlertFieldMap[Fields.EVENT_ACTION], + [Fields.EVENT_KIND]: legacyAlertFieldMap[Fields.EVENT_KIND], + [Fields.TAGS]: legacyAlertFieldMap[Fields.TAGS], } as const; export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap; From f24a0bed8e2c2a9c449e3ed4fed0173703706cdc Mon Sep 17 00:00:00 2001 
From: Ying Date: Tue, 7 Feb 2023 14:19:21 -0500 Subject: [PATCH 03/49] Removing rule registry FieldMap and mappingFromFieldMap in favor of alerting version --- packages/kbn-rule-data-utils/index.ts | 2 +- .../src/legacy_alerts_as_data.ts | 53 +--------- .../src/technical_field_names.ts | 99 +++++++++++++------ .../field_maps/mapping_from_field_map.test.ts | 73 +++++++++++++- .../common/alert_schema/field_maps/types.ts | 2 +- .../alerting/common/alert_schema/index.ts | 2 + x-pack/plugins/alerting/common/index.ts | 8 +- .../server/alerts_service/alerts_service.ts | 3 +- .../alerting/server/alerts_service/types.ts | 3 +- x-pack/plugins/alerting/server/types.ts | 2 +- x-pack/plugins/apm/server/plugin.ts | 9 +- .../server/services/rules/rule_data_client.ts | 2 +- x-pack/plugins/observability/server/plugin.ts | 2 +- .../ecs_component_template.ts | 2 +- .../technical_component_template.ts | 2 +- .../experimental_rule_field_map.test.ts | 2 + .../field_maps/experimental_rule_field_map.ts | 8 +- .../technical_rule_field_map.test.ts | 1 + .../field_maps/technical_rule_field_map.ts | 2 +- .../rule_registry/common/field_map/index.ts | 1 - .../common/field_map/merge_field_maps.ts | 3 +- .../runtime_type_from_fieldmap.test.ts | 8 +- .../field_map/runtime_type_from_fieldmap.ts | 2 +- .../rule_registry/common/field_map/types.ts | 17 ---- .../common/mapping_from_field_map.ts | 36 ------- .../security_solution/server/plugin.ts | 7 +- .../common/rules/uptime_rule_field_map.ts | 14 +++ x-pack/plugins/synthetics/server/plugin.ts | 2 +- .../tests/alerting/group4/alerts_as_data.ts | 2 +- .../tests/trial/get_summarized_alerts.ts | 2 +- .../tests/trial/lifecycle_executor.ts | 2 +- 31 files changed, 207 insertions(+), 166 deletions(-) delete mode 100644 x-pack/plugins/rule_registry/common/field_map/types.ts delete mode 100644 x-pack/plugins/rule_registry/common/mapping_from_field_map.ts 
diff --git a/packages/kbn-rule-data-utils/index.ts b/packages/kbn-rule-data-utils/index.ts index 1ba56fa6d9de6d..fa0407b8371818 100644 --- a/packages/kbn-rule-data-utils/index.ts +++ b/packages/kbn-rule-data-utils/index.ts @@ -8,7 +8,7 @@ export * from './src/default_alerts_as_data'; export * from './src/legacy_alerts_as_data'; -export { type TechnicalRuleDataFieldName } from './src/technical_field_names'; +export * from './src/technical_field_names'; export * from './src/alerts_as_data_rbac'; export * from './src/alerts_as_data_severity'; export * from './src/alerts_as_data_status'; diff --git a/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts index 7770b511155c12..4dd6c2be0c2a69 100644 --- a/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts +++ b/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts @@ -13,7 +13,11 @@ const EVENT_ACTION = 'event.action' as const; const EVENT_KIND = 'event.kind' as const; const TAGS = 'tags' as const; -// these are in the technical component template +// These are the fields that are in the rule registry technical component template +// that are NOT in the framework alerts as data common component template + +// We will maintain a legacy component template that can be used by legacy +// rule registry rules with these fields. const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const; const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const; 
@@ -44,52 +48,16 @@ const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; -// // these fields are not in the technical component template -// // namespaces -// const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const; - -// const EVENT_MODULE = 'event.module' as const; - -// // Fields pertaining to the alert -// const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; -// const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; -// const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; - -// // Fields pertaining to the rule associated with the alert -// const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; -// const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const; - -// // Fields pertaining to the threat tactic associated with the rule -// const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const; -// const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const; -// const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const; -// const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const; -// const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const; -// const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const; -// const ALERT_THREAT_TECHNIQUE_REFERENCE = -// `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const; -// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = -// `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const; -// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = -// `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as 
const; -// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = -// `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const; - export { - // ALERT_BUILDING_BLOCK_TYPE, - // ALERT_EVALUATION_THRESHOLD, - // ALERT_EVALUATION_VALUE, ALERT_RISK_SCORE, ALERT_RULE_AUTHOR, ALERT_RULE_CREATED_AT, ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, - // ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, - // ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, ALERT_RULE_RULE_ID, @@ -107,21 +75,10 @@ export { ALERT_SUPPRESSION_TERMS, ALERT_SUPPRESSION_VALUE, ALERT_SYSTEM_STATUS, - // ALERT_THREAT_FRAMEWORK, - // ALERT_THREAT_TACTIC_ID, - // ALERT_THREAT_TACTIC_NAME, - // ALERT_THREAT_TACTIC_REFERENCE, - // ALERT_THREAT_TECHNIQUE_ID, - // ALERT_THREAT_TECHNIQUE_NAME, - // ALERT_THREAT_TECHNIQUE_REFERENCE, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, ALERT_WORKFLOW_REASON, ALERT_WORKFLOW_USER, ECS_VERSION, EVENT_ACTION, EVENT_KIND, - // EVENT_MODULE, TAGS, }; diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index 999b3349fa016c..d786120f0d5b1a 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -38,20 +38,15 @@ import { } from './default_alerts_as_data'; import { - // ALERT_BUILDING_BLOCK_TYPE, - // ALERT_EVALUATION_THRESHOLD, - // ALERT_EVALUATION_VALUE, ALERT_RISK_SCORE, ALERT_RULE_AUTHOR, ALERT_RULE_CREATED_AT, ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, - // ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, - // ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, ALERT_RULE_RULE_ID, 
@@ -69,25 +64,47 @@ import { ALERT_SUPPRESSION_TERMS, ALERT_SUPPRESSION_VALUE, ALERT_SYSTEM_STATUS, - // ALERT_THREAT_FRAMEWORK, - // ALERT_THREAT_TACTIC_ID, - // ALERT_THREAT_TACTIC_NAME, - // ALERT_THREAT_TACTIC_REFERENCE, - // ALERT_THREAT_TECHNIQUE_ID, - // ALERT_THREAT_TECHNIQUE_NAME, - // ALERT_THREAT_TECHNIQUE_REFERENCE, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, ALERT_WORKFLOW_REASON, ALERT_WORKFLOW_USER, ECS_VERSION, EVENT_ACTION, EVENT_KIND, - // EVENT_MODULE, TAGS, } from './legacy_alerts_as_data'; +// The following fields were identified as technical field names but were not defined in the +// rule registry technical component template. We will leave these here for backwards +// compatibility but these consts should be moved to the plugin that uses them + +const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const; + +const EVENT_MODULE = 'event.module' as const; + +// Fields pertaining to the alert +const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; +const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; +const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; + +// Fields pertaining to the rule associated with the alert +const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; +const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const; + +// Fields pertaining to the threat tactic associated with the rule +const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const; +const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const; +const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const; +const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const; +const ALERT_THREAT_TECHNIQUE_ID = 
`${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const; +const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const; +const ALERT_THREAT_TECHNIQUE_REFERENCE = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const; +const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const; +const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as const; +const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = + `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const; + const namespaces = { KIBANA_NAMESPACE, ALERT_NAMESPACE, @@ -98,15 +115,15 @@ const fields = { ECS_VERSION, EVENT_KIND, EVENT_ACTION, - // EVENT_MODULE, + EVENT_MODULE, TAGS, TIMESTAMP, ALERT_ACTION_GROUP, - // ALERT_BUILDING_BLOCK_TYPE, + ALERT_BUILDING_BLOCK_TYPE, ALERT_DURATION, ALERT_END, - // ALERT_EVALUATION_THRESHOLD, - // ALERT_EVALUATION_VALUE, + ALERT_EVALUATION_THRESHOLD, + ALERT_EVALUATION_VALUE, ALERT_FLAPPING, ALERT_INSTANCE_ID, ALERT_RULE_CONSUMER, @@ -119,13 +136,13 @@ const fields = { ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, - // ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_EXECUTION_UUID, ALERT_RULE_FROM, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, ALERT_RULE_NAME, - // ALERT_RULE_NAMESPACE_FIELD, + ALERT_RULE_NAMESPACE_FIELD, ALERT_RULE_NOTE, ALERT_RULE_PARAMETERS, ALERT_RULE_REFERENCES, 
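Review bot: The comment `// ... but these consts should be moved to the plugin that uses them` records intent without a tracking marker; make it greppable, e.g. `// TODO: move ALERT_THREAT_*, ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_NAMESPACE_FIELD and EVENT_MODULE to the consuming plugin`. Once these constants are exported from the shared package (the `export { ... }` block added further down in this patch) they become public API of `@kbn/rule-data-utils`, so relocating them later is a breaking change for every consumer and the cost of leaving the TODO unresolved grows with each release. The `fields` object that this hunk feeds continues beyond the hunk.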
@@ -149,16 +166,16 @@ const fields = { ALERT_WORKFLOW_USER, ALERT_RULE_UUID, ALERT_RULE_CATEGORY, - // ALERT_THREAT_FRAMEWORK, - // ALERT_THREAT_TACTIC_ID, - // ALERT_THREAT_TACTIC_NAME, - // ALERT_THREAT_TACTIC_REFERENCE, - // ALERT_THREAT_TECHNIQUE_ID, - // ALERT_THREAT_TECHNIQUE_NAME, - // ALERT_THREAT_TECHNIQUE_REFERENCE, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, - // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, + ALERT_THREAT_FRAMEWORK, + ALERT_THREAT_TACTIC_ID, + ALERT_THREAT_TACTIC_NAME, + ALERT_THREAT_TACTIC_REFERENCE, + ALERT_THREAT_TECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_REFERENCE, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, ALERT_SUPPRESSION_TERMS, ALERT_SUPPRESSION_FIELD, ALERT_SUPPRESSION_VALUE, @@ -169,4 +186,22 @@ const fields = { VERSION, }; +export { + ALERT_BUILDING_BLOCK_TYPE, + ALERT_EVALUATION_THRESHOLD, + ALERT_EVALUATION_VALUE, + ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_NAMESPACE_FIELD, + ALERT_THREAT_FRAMEWORK, + ALERT_THREAT_TACTIC_ID, + ALERT_THREAT_TACTIC_NAME, + ALERT_THREAT_TACTIC_REFERENCE, + ALERT_THREAT_TECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_REFERENCE, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, +}; + export type TechnicalRuleDataFieldName = ValuesType; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 2f2cac2367e8bd..7e530ef467d0e6 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts 
@@ -7,6 +7,7 @@ import { mappingFromFieldMap } from './mapping_from_field_map'; import { FieldMap } from './types'; import { alertFieldMap } from './alert_field_map'; +import { legacyAlertFieldMap } from './legacy_alert_field_map'; describe('mappingFromFieldMap', () => { const fieldMap: FieldMap = { @@ -184,6 +185,9 @@ describe('mappingFromFieldMap', () => { expect(mappingFromFieldMap(alertFieldMap)).toEqual({ dynamic: 'strict', properties: { + '@timestamp': { + type: 'date', + }, kibana: { properties: { alert: { @@ -191,6 +195,9 @@ describe('mappingFromFieldMap', () => { action_group: { type: 'keyword', }, + case_ids: { + type: 'keyword', + }, duration: { properties: { us: { @@ -204,8 +211,18 @@ describe('mappingFromFieldMap', () => { flapping: { type: 'boolean', }, - id: { - type: 'keyword', + flapping_history: { + type: 'boolean', + }, + instance: { + properties: { + id: { + type: 'keyword', + }, + }, + }, + last_detected: { + type: 'date', }, reason: { type: 'keyword', 
@@ -274,6 +291,58 @@ describe('mappingFromFieldMap', () => { }, }, }); + expect(mappingFromFieldMap(legacyAlertFieldMap)).toEqual({ + dynamic: 'strict', + properties: { + kibana: { + properties: { + alert: { + properties: { + risk_score: { type: 'float' }, + rule: { + properties: { + author: { type: 'keyword' }, + created_at: { type: 'date' }, + created_by: { type: 'keyword' }, + description: { type: 'keyword' }, + enabled: { type: 'keyword' }, + from: { type: 'keyword' }, + interval: { type: 'keyword' }, + license: { type: 'keyword' }, + note: { type: 'keyword' }, + references: { type: 'keyword' }, + rule_id: { type: 'keyword' }, + rule_name_override: { type: 'keyword' }, + to: { type: 'keyword' }, + type: { type: 'keyword' }, + updated_at: { type: 'date' }, + updated_by: { type: 'keyword' }, + version: { type: 'keyword' }, + }, + }, + severity: { type: 'keyword' }, + suppression: { + properties: { + docs_count: { type: 'long' }, + end: { type: 'date' }, + terms: { + properties: { field: { type: 'keyword' }, value: { type: 'keyword' } }, + }, + start: { type: 'date' }, + }, + }, + system_status: { type: 'keyword' }, + workflow_reason: { type: 'keyword' }, + workflow_user: { type: 'keyword' }, + }, + }, + }, + }, + ecs: { properties: { version: { type: 'keyword' } } }, + event: { properties: { action: { type: 'keyword' }, kind: { type: 'keyword' } } }, + tags: { type: 'keyword' }, + }, + }); }); it('uses dynamic setting if specified', () => { diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts index b687cbfb0cf7de..1150a353ac46a6 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts @@ -24,6 +24,6 @@ export interface FieldMap { multi_fields?: MultiField[]; path?: string; scaling_factor?: number; - dynamic?: boolean | string; + dynamic?: boolean | 'strict'; }; } 
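Review bot: The new assertion pins the mapping produced from `legacyAlertFieldMap` on its own, but nothing here checks that `alertFieldMap` and `legacyAlertFieldMap` never define the same field with different `type`s; the two maps are merged key-by-key into `technicalRuleFieldMap` (per the rule_registry hunks in this patch), where an overlapping key would be resolved by object-literal ordering rather than flagged. A one-line guard in this `describe` would catch it: `expect(Object.keys(alertFieldMap).filter((k) => k in legacyAlertFieldMap)).toEqual([]);`. Both expected objects rely on `dynamic: 'strict'`, which is what keeps unmapped fields in alert documents from being indexed, so keeping that literal explicit in the assertions, as done here, is the right call.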
diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index b338f6e73a06e4..d77da5b36526c0 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts @@ -7,4 +7,6 @@ export { alertFieldMap } from './field_maps/alert_field_map'; export { legacyAlertFieldMap } from './field_maps/legacy_alert_field_map'; +export { mappingFromFieldMap } from './field_maps/mapping_from_field_map'; +export { type FieldMap } from './field_maps/types'; export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 1cdb9b657e9c8e..3b0a13aa88527d 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -25,7 +25,13 @@ export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; -export { alertFieldMap, legacyAlertFieldMap } from './alert_schema'; +export { + alertFieldMap, + legacyAlertFieldMap, + mappingFromFieldMap, + getComponentTemplateFromFieldMap, + type FieldMap, +} from './alert_schema'; export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 0742be50c4fa40..6115415425c8a1 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -13,8 +13,7 @@ import { import { get, isEmpty, isEqual } from 'lodash'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; import { firstValueFrom, Observable } from 'rxjs'; -import { FieldMap } from '../../common/alert_schema/field_maps/types'; -import { alertFieldMap } from '../../common/alert_schema'; +import { alertFieldMap, type FieldMap } from '../../common'; import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy'; import { getComponentTemplate, diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index 3cda04d784d6c8..8ddcf34a6eb826 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts @@ -6,8 +6,7 @@ */ import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types'; -import { getComponentTemplateFromFieldMap } from '../../common/alert_schema'; -import { FieldMap } from '../../common/alert_schema/field_maps/types'; +import { FieldMap, getComponentTemplateFromFieldMap } from '../../common'; export const getComponentTemplateName = (context?: string) => `.alerts-${context ? `${context}` : 'framework'}-mappings`; diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts index 09493e4357a15a..78484d511d55cd 100644 --- a/x-pack/plugins/alerting/server/types.ts +++ b/x-pack/plugins/alerting/server/types.ts @@ -48,9 +48,9 @@ import { RuleSnooze, IntervalSchedule, RuleLastRun, + FieldMap, } from '../common'; import { PublicAlertFactory } from './alert/create_alert_factory'; -import { FieldMap } from '../common/alert_schema/field_maps/types'; import { RulesSettingsFlappingProperties } from '../common/rules_settings'; export type WithoutQueryAndParams = Pick>; export type SpaceIdToNamespaceFunction = (spaceId?: string) => string | undefined; 
diff --git a/x-pack/plugins/apm/server/plugin.ts b/x-pack/plugins/apm/server/plugin.ts index 86907fdd570bee..5b98c8e437782a 100644 --- a/x-pack/plugins/apm/server/plugin.ts +++ b/x-pack/plugins/apm/server/plugin.ts @@ -15,10 +15,10 @@ import { PluginInitializerContext, } from '@kbn/core/server'; import { isEmpty, mapValues } from 'lodash'; -import { mappingFromFieldMap } from '@kbn/rule-registry-plugin/common/mapping_from_field_map'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { Dataset } from '@kbn/rule-registry-plugin/server'; import { UI_SETTINGS } from '@kbn/data-plugin/common'; +import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import { APMConfig, APM_SERVER_FEATURE_ID } from '.'; import { APM_FEATURE, registerFeaturesUsage } from './feature'; import { registerApmRuleTypes } from './routes/alerts/register_apm_rule_types'; @@ -130,25 +130,32 @@ export class APMPlugin ...experimentalRuleFieldMap, [SERVICE_NAME]: { type: 'keyword', + required: false, }, [SERVICE_ENVIRONMENT]: { type: 'keyword', + required: false, }, [TRANSACTION_TYPE]: { type: 'keyword', + required: false, }, [PROCESSOR_EVENT]: { type: 'keyword', + required: false, }, [AGENT_NAME]: { type: 'keyword', + required: false, }, [SERVICE_LANGUAGE_NAME]: { type: 'keyword', + required: false, }, labels: { type: 'object', dynamic: true, + required: false, }, }, 'strict' diff --git a/x-pack/plugins/infra/server/services/rules/rule_data_client.ts b/x-pack/plugins/infra/server/services/rules/rule_data_client.ts index 1435f4812d16ca..c1f9adbfa58381 100644 --- a/x-pack/plugins/infra/server/services/rules/rule_data_client.ts +++ b/x-pack/plugins/infra/server/services/rules/rule_data_client.ts 
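Review bot: `labels` keeps `dynamic: true` inside a field map that is otherwise passed to `mappingFromFieldMap` with `'strict'`, so, as I read the Elasticsearch `dynamic` parameter, every distinct label key present in an alert document becomes a new mapped field in the alerts index; the added `required: false` does not change that. Label keys originate in instrumented services, so their cardinality is not under Kibana's control and mapping growth is the likely consequence. If the dynamic object is intentional, say so next to it: `// labels is intentionally dynamic: label keys from APM data become mapped fields in the alerts index`; `dynamic: false` would keep the values stored without indexing them if search on labels is not needed here. The `mappingFromFieldMap(...)` call this literal belongs to starts before the hunk.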
@@ -6,11 +6,11 @@ */ import { CoreSetup, Logger } from '@kbn/core/server'; -import { mappingFromFieldMap } from '@kbn/rule-registry-plugin/common/mapping_from_field_map'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { Dataset, RuleRegistryPluginSetupContract } from '@kbn/rule-registry-plugin/server'; import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/rule-registry-plugin/common/assets'; +import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import type { InfraFeatureId } from '../../../common/constants'; import { RuleRegistrationContext, RulesServiceStartDeps } from './types'; diff --git a/x-pack/plugins/observability/server/plugin.ts b/x-pack/plugins/observability/server/plugin.ts index 9d58eb445a75e5..bf6d94a3976d13 100644 --- a/x-pack/plugins/observability/server/plugin.ts +++ b/x-pack/plugins/observability/server/plugin.ts @@ -19,10 +19,10 @@ import { PluginSetupContract as FeaturesSetup } from '@kbn/features-plugin/serve import { createUICapabilities } from '@kbn/cases-plugin/common'; import { SpacesPluginStart } from '@kbn/spaces-plugin/server'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; -import { mappingFromFieldMap } from '@kbn/rule-registry-plugin/common/mapping_from_field_map'; import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/rule-registry-plugin/common/assets'; import type { GuidedOnboardingPluginSetup } from '@kbn/guided-onboarding-plugin/server'; +import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import { kubernetesGuideId, kubernetesGuideConfig, diff --git a/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts b/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts index 8e956ba0004a24..8f30e07a0d9dcf 100644 
--- a/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts +++ b/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts @@ -5,7 +5,7 @@ * 2.0. */ import { merge } from 'lodash'; -import { mappingFromFieldMap } from '../../mapping_from_field_map'; +import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import { ClusterPutComponentTemplateBody } from '../../types'; import { ecsFieldMap } from '../field_maps/ecs_field_map'; import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map'; diff --git a/x-pack/plugins/rule_registry/common/assets/component_templates/technical_component_template.ts b/x-pack/plugins/rule_registry/common/assets/component_templates/technical_component_template.ts index e110be339d0a0f..1315d7f0d1b587 100644 --- a/x-pack/plugins/rule_registry/common/assets/component_templates/technical_component_template.ts +++ b/x-pack/plugins/rule_registry/common/assets/component_templates/technical_component_template.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { mappingFromFieldMap } from '../../mapping_from_field_map'; +import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import { ClusterPutComponentTemplateBody } from '../../types'; import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map'; diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts index 4e2d591bf88bd0..3a6dbc4f209827 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts 
@@ -13,10 +13,12 @@ it('matches snapshot', () => {
 expect(experimentalRuleFieldMap).toMatchInlineSnapshot(`
 Object {
 "kibana.alert.evaluation.threshold": Object {
+ "required": false,
 "scaling_factor": 100,
 "type": "scaled_float",
 },
 "kibana.alert.evaluation.value": Object {
+ "required": false,
 "scaling_factor": 100,
 "type": "scaled_float",
 },
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts
index 92f93015309c0b..3859ebe6df9b6b 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts
@@ -8,8 +8,12 @@ import * as Fields from '../../technical_rule_data_field_names';
 export const experimentalRuleFieldMap = {
- [Fields.ALERT_EVALUATION_THRESHOLD]: { type: 'scaled_float', scaling_factor: 100 },
- [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100 },
+ [Fields.ALERT_EVALUATION_THRESHOLD]: {
+ type: 'scaled_float',
+ scaling_factor: 100,
+ required: false,
+ },
+ [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100, required: false },
 } as const;
 export type ExperimentalRuleFieldMap = typeof experimentalRuleFieldMap;
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
index c33a6ae68363b3..1e11bfbac0a8ff 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -139,6 +139,7 @@ it('matches snapshot', () => {
 },
 "kibana.alert.rule.parameters": Object {
 "ignore_above": 4096,
+ "required": false,
 "type": "flattened",
 },
 "kibana.alert.rule.producer": Object {
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index d570a391b9816e..eb121ccea99e39 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -24,7 +24,7 @@ export const technicalRuleFieldMap = {
 [Fields.ALERT_RULE_EXECUTION_UUID]: alertFieldMap[Fields.ALERT_RULE_EXECUTION_UUID],
 [Fields.ALERT_RULE_NAME]: alertFieldMap[Fields.ALERT_RULE_NAME],
 // want to change to 'object', is that ok?
- [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 },
+ [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096, required: false },
 // ---------------------------------------
 [Fields.ALERT_RULE_PRODUCER]: alertFieldMap[Fields.ALERT_RULE_PRODUCER],
 [Fields.ALERT_RULE_TAGS]: alertFieldMap[Fields.ALERT_RULE_TAGS],
diff --git a/x-pack/plugins/rule_registry/common/field_map/index.ts b/x-pack/plugins/rule_registry/common/field_map/index.ts
index fac8575b8af48e..e64ba5823e6739 100644
--- a/x-pack/plugins/rule_registry/common/field_map/index.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/index.ts
@@ -7,4 +7,3 @@
 export * from './merge_field_maps';
 export * from './runtime_type_from_fieldmap';
-export * from './types';
diff --git a/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts b/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts
index 124de243352ea3..4e0cd2139566a2 100644
--- a/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts
@@ -4,7 +4,8 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { FieldMap } from './types';
+
+import { FieldMap } from '@kbn/alerting-plugin/common';
 export function mergeFieldMaps(
 first: T1,
diff --git a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.test.ts b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.test.ts
index 8ee71356ef7064..0b724150f0dcc2 100644
--- a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.test.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.test.ts
@@ -8,11 +8,11 @@ import { runtimeTypeFromFieldMap } from './runtime_type_from_fieldmap';
 describe('runtimeTypeFromFieldMap', () => {
 const fieldmapRt = runtimeTypeFromFieldMap({
- keywordField: { type: 'keyword' },
- longField: { type: 'long' },
- booleanField: { type: 'boolean' },
+ keywordField: { type: 'keyword', required: false },
+ longField: { type: 'long', required: false },
+ booleanField: { type: 'boolean', required: false },
 requiredKeywordField: { type: 'keyword', required: true },
- multiKeywordField: { type: 'keyword', array: true },
+ multiKeywordField: { type: 'keyword', array: true, required: false },
 } as const);
 it('accepts both singular and array fields', () => {
diff --git a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
index feb59f88abc7b0..5da10cb5ee31f1 100644
--- a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
@@ -8,7 +8,7 @@ import { Optional } from 'utility-types';
 import { mapValues, pickBy } from 'lodash';
 import { either } from 'fp-ts/lib/Either';
 import * as t from 'io-ts';
-import { FieldMap } from './types';
+import { type FieldMap } from '@kbn/alerting-plugin/common';
 const NumberFromString = new t.Type(
 'NumberFromString',
diff --git a/x-pack/plugins/rule_registry/common/field_map/types.ts b/x-pack/plugins/rule_registry/common/field_map/types.ts
deleted file mode 100644
index 52ee246375ad05..00000000000000
--- a/x-pack/plugins/rule_registry/common/field_map/types.ts
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface FieldMap {
- [key: string]: {
- type: string;
- required?: boolean;
- array?: boolean;
- path?: string;
- scaling_factor?: number;
- dynamic?: 'strict' | boolean;
- };
-}
diff --git a/x-pack/plugins/rule_registry/common/mapping_from_field_map.ts b/x-pack/plugins/rule_registry/common/mapping_from_field_map.ts
deleted file mode 100644
index 1b66496bee19b8..00000000000000
--- a/x-pack/plugins/rule_registry/common/mapping_from_field_map.ts
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import { set } from '@kbn/safer-lodash-set';
-import { FieldMap } from './field_map/types';
-
-export function mappingFromFieldMap(
- fieldMap: FieldMap,
- dynamic: 'strict' | boolean
-): estypes.MappingTypeMapping {
- const mappings = {
- dynamic,
- properties: {},
- };
-
- const fields = Object.keys(fieldMap).map((key) => {
- const field = fieldMap[key];
- return {
- name: key,
- ...field,
- };
- });
-
- fields.forEach((field) => {
- const { name, required, array, ...rest } = field;
-
- set(mappings.properties, field.name.split('.').join('.properties.'), rest);
- });
-
- return mappings;
-}
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index 6dee0730b5aa3a..3dc8c0ddebb01b 100644
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@@ -22,9 +22,7 @@
 import { SavedObjectsClient } from '@kbn/core/server';
 import type { UsageCounter } from '@kbn/usage-collection-plugin/server';
 import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/rule-registry-plugin/common/assets';
-import type { FieldMap } from '@kbn/rule-registry-plugin/common/field_map';
-import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map';
-import { mappingFromFieldMap } from '@kbn/rule-registry-plugin/common/mapping_from_field_map';
+import { mappingFromFieldMap, type FieldMap } from '@kbn/alerting-plugin/common';
 import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import { Dataset } from '@kbn/rule-registry-plugin/server';
 import type { ListPluginSetup } from '@kbn/lists-plugin/server';
@@ -220,6 +218,7 @@ export class Plugin implements ISecuritySolutionPlugin {
 Object.entries(aadFieldConversion).forEach(([key, value]) => {
 aliasesFieldMap[key] = {
 type: 'alias',
+ required: false,
 path: value,
 };
 });
@@ -233,7 +232,7 @@ export class Plugin implements ISecuritySolutionPlugin {
 {
 name: 'mappings',
 mappings: mappingFromFieldMap(
- { ...technicalRuleFieldMap, ...alertsFieldMap, ...rulesFieldMap, ...aliasesFieldMap },
+ { ...alertsFieldMap, ...rulesFieldMap, ...aliasesFieldMap },
 false
 ),
 },
diff --git a/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts b/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts
index ff69d3a5e6e7fa..be097ed8d8268c 100644
--- a/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts
+++ b/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts
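Review bot: Removing `...technicalRuleFieldMap` from the spread handed to `mappingFromFieldMap` in the third hunk drops every technical field that `alertsFieldMap`, `rulesFieldMap` and `aliasesFieldMap` do not redefine from the security alerts mapping, and because the mapping is built with `dynamic` set to `false`, a document carrying such a field would still be stored but the field would no longer be indexed or filterable. The technical map in this series carries `kibana.alert.rule.rule_type_id`, `kibana.alert.rule.consumer` and `Fields.SPACE_IDS`, which appear to be the values the alerts client reads for its owner and rule-type checks (see PATCH 04), so a gap here affects which alerts a consumer can query rather than only a snapshot. PATCH 09 later in this series restores the spread; a test asserting that the composed mapping still contains those three fields would keep the regression from recurring. The enclosing method starts and ends outside the hunk.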
@@ -9,48 +9,62 @@ export const uptimeRuleFieldMap = {
 // common fields
 'monitor.id': {
 type: 'keyword',
+ required: false,
 },
 'url.full': {
 type: 'keyword',
+ required: false,
 },
 'observer.geo.name': {
 type: 'keyword',
+ required: false,
 },
 // monitor status alert fields
 'error.message': {
 type: 'text',
+ required: false,
 },
 'agent.name': {
 type: 'keyword',
+ required: false,
 },
 'monitor.name': {
 type: 'keyword',
+ required: false,
 },
 'monitor.type': {
 type: 'keyword',
+ required: false,
 },
 // tls alert fields
 'tls.server.x509.issuer.common_name': {
 type: 'keyword',
+ required: false,
 },
 'tls.server.x509.subject.common_name': {
 type: 'keyword',
+ required: false,
 },
 'tls.server.x509.not_after': {
 type: 'date',
+ required: false,
 },
 'tls.server.x509.not_before': {
 type: 'date',
+ required: false,
 },
 'tls.server.hash.sha256': {
 type: 'keyword',
+ required: false,
 },
 // anomaly alert fields
 'anomaly.start': {
 type: 'date',
+ required: false,
 },
 'anomaly.bucket_span.minutes': {
 type: 'keyword',
+ required: false,
 },
 } as const;
diff --git a/x-pack/plugins/synthetics/server/plugin.ts b/x-pack/plugins/synthetics/server/plugin.ts
index 598fdd18b229be..c6120c70c38181 100644
--- a/x-pack/plugins/synthetics/server/plugin.ts
+++ b/x-pack/plugins/synthetics/server/plugin.ts
@@ -13,7 +13,7 @@ import {
 SavedObjectsClient,
 SavedObjectsClientContract,
 } from '@kbn/core/server';
-import { mappingFromFieldMap } from '@kbn/rule-registry-plugin/common/mapping_from_field_map';
+import { mappingFromFieldMap } from '@kbn/alerting-plugin/common';
 import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map';
 import { Dataset } from '@kbn/rule-registry-plugin/server';
 import { SyntheticsMonitorClient } from './synthetics_service/synthetics_monitor/synthetics_monitor_client';
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
index 425a90f080cb4d..0ad1f81037be2c 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
@@ -6,7 +6,7 @@
  */
 import { alertFieldMap } from '@kbn/alerting-plugin/common/alert_schema';
-import { mappingFromFieldMap } from '@kbn/alerting-plugin/common/alert_schema/field_maps/mapping_from_field_map';
+import { mappingFromFieldMap } from '@kbn/alerting-plugin/common';
 import expect from '@kbn/expect';
 import { FtrProviderContext } from '../../../../common/ftr_provider_context';
diff --git a/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts b/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts
index b62d744503fc69..08243236fba5e3 100644
--- a/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts
+++ b/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts
@@ -10,7 +10,7 @@ import type { ElasticsearchClient, Logger, LogMeta } from '@kbn/core/server';
 import sinon from 'sinon';
 import { v4 as uuidv4 } from 'uuid';
 import expect from '@kbn/expect';
-import { mappingFromFieldMap } from '@kbn/rule-registry-plugin/common/mapping_from_field_map';
+import { mappingFromFieldMap } from '@kbn/alerting-plugin/common';
 import {
 AlertConsumers,
 ALERT_REASON,
diff --git a/x-pack/test/rule_registry/spaces_only/tests/trial/lifecycle_executor.ts b/x-pack/test/rule_registry/spaces_only/tests/trial/lifecycle_executor.ts
index 2fbba4478e925d..10c4139bbaef5d 100644
--- a/x-pack/test/rule_registry/spaces_only/tests/trial/lifecycle_executor.ts
+++ b/x-pack/test/rule_registry/spaces_only/tests/trial/lifecycle_executor.ts
@@ -9,7 +9,7 @@ import { type Subject, ReplaySubject } from 'rxjs';
 import type { ElasticsearchClient, Logger, LogMeta } from '@kbn/core/server';
 import sinon from 'sinon';
 import expect from '@kbn/expect';
-import { mappingFromFieldMap } from '@kbn/rule-registry-plugin/common/mapping_from_field_map';
+import { mappingFromFieldMap } from '@kbn/alerting-plugin/common';
 import {
 AlertConsumers,
 ALERT_REASON,
From a5d0b5d85eebebccac76e00a3f57ec605c90d5ee Mon Sep 17 00:00:00 2001
From: Ying
Date: Tue, 7 Feb 2023 14:25:04 -0500
Subject: [PATCH 04/49] Need to double check alerts client typing
---
 .../server/alert_data_client/alerts_client.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 8dfa02b0f93af0..34ab1a4db3f5dd 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -173,8 +173,8 @@ export class AlertsClient {
 // this is typed kind of crazy to fit the output of es api response to this
 _source?:
 | {
- [ALERT_RULE_TYPE_ID]?: string | null | undefined;
- [ALERT_RULE_CONSUMER]?: string | null | undefined;
+ [ALERT_RULE_TYPE_ID]?: unknown;
+ [ALERT_RULE_CONSUMER]?: unknown;
 }
 | null
 | undefined;
@@ -194,8 +194,8 @@ export class AlertsClient {
 { hitIds: [], ownersAndRuleTypeIds: [] } as {
 hitIds: string[];
 ownersAndRuleTypeIds: Array<{
- [ALERT_RULE_TYPE_ID]: string | null | undefined;
- [ALERT_RULE_CONSUMER]: string | null | undefined;
+ [ALERT_RULE_TYPE_ID]: unknown;
+ [ALERT_RULE_CONSUMER]: unknown;
 }>;
 }
 );
From c8b60274d9ad6a19ffabf521218e66edc08cda03 Mon Sep 17 00:00:00 2001
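Review bot: Widening `[ALERT_RULE_TYPE_ID]` and `[ALERT_RULE_CONSUMER]` to `unknown` in both alerts_client.ts hunks removes the only static guarantee on the two values that `ownersAndRuleTypeIds` collects, which by its name appears to feed an owner/rule-type authorization check; a hit whose `_source` carries a non-string there would now flow through unchallenged instead of failing to type-check, and the commit message itself says the typing is unverified. If the ES response typing is what forced this, keep the `string | null | undefined` members and narrow once where `_source` is read, e.g. `const ruleTypeId = typeof source?.[ALERT_RULE_TYPE_ID] === 'string' ? source[ALERT_RULE_TYPE_ID] : undefined;`, so anything else is dropped from the authorization set rather than compared as-is. PATCH 06 later in this series restores the original member types. The enclosing method starts and ends outside both hunks.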
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 7 Feb 2023 19:32:42 +0000
Subject: [PATCH 05/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix'
---
 x-pack/plugins/rule_registry/tsconfig.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/x-pack/plugins/rule_registry/tsconfig.json b/x-pack/plugins/rule_registry/tsconfig.json
index a3a2a6d373b2bf..188e7567dffb73 100644
--- a/x-pack/plugins/rule_registry/tsconfig.json
+++ b/x-pack/plugins/rule_registry/tsconfig.json
@@ -16,7 +16,6 @@
 "@kbn/data-plugin",
 "@kbn/alerting-plugin",
 "@kbn/security-plugin",
- "@kbn/safer-lodash-set",
 "@kbn/rule-data-utils",
 "@kbn/es-query",
 "@kbn/data-views-plugin",
From 851b779ba29751a1fa0705452991c2e7c9d6d2cc Mon Sep 17 00:00:00 2001
From: Ying
Date: Tue, 7 Feb 2023 15:54:06 -0500
Subject: [PATCH 06/49] trying to fix distribution issue
---
 x-pack/plugins/apm/kibana.json | 1 +
 .../field_maps/technical_rule_field_map.ts | 274 ++++++++++++++----
 .../server/alert_data_client/alerts_client.ts | 8 +-
 3 files changed, 216 insertions(+), 67 deletions(-)
diff --git a/x-pack/plugins/apm/kibana.json b/x-pack/plugins/apm/kibana.json
index 3df051925ab619..ee8deff66d870e 100644
--- a/x-pack/plugins/apm/kibana.json
+++ b/x-pack/plugins/apm/kibana.json
@@ -47,6 +47,7 @@
 "apm"
 ],
 "requiredBundles": [
+ "alerting",
 "fleet",
 "kibanaReact",
 "kibanaUtils",
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index eb121ccea99e39..9f1ee0838c1549 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -5,72 +5,220 @@
  * 2.0.
  */
-import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common';
+import { pickWithPatterns } from '../../pick_with_patterns';
 import * as Fields from '../../technical_rule_data_field_names';
+import { ecsFieldMap } from './ecs_field_map';
 export const technicalRuleFieldMap = {
- // These fields are defined in the framework alerts as data field map and will
- // be used for FAAD
- [Fields.TIMESTAMP]: alertFieldMap[Fields.TIMESTAMP],
- [Fields.ALERT_ACTION_GROUP]: alertFieldMap[Fields.ALERT_ACTION_GROUP],
- [Fields.ALERT_CASE_IDS]: alertFieldMap[Fields.ALERT_CASE_IDS],
- [Fields.ALERT_DURATION]: alertFieldMap[Fields.ALERT_DURATION],
- [Fields.ALERT_END]: alertFieldMap[Fields.ALERT_END],
- [Fields.ALERT_FLAPPING]: alertFieldMap[Fields.ALERT_FLAPPING],
- [Fields.ALERT_INSTANCE_ID]: alertFieldMap[Fields.ALERT_INSTANCE_ID],
- [Fields.ALERT_REASON]: alertFieldMap[Fields.ALERT_REASON],
- [Fields.ALERT_RULE_CATEGORY]: alertFieldMap[Fields.ALERT_RULE_CATEGORY],
- [Fields.ALERT_RULE_CONSUMER]: alertFieldMap[Fields.ALERT_RULE_CONSUMER],
- [Fields.ALERT_RULE_EXECUTION_UUID]: alertFieldMap[Fields.ALERT_RULE_EXECUTION_UUID],
- [Fields.ALERT_RULE_NAME]: alertFieldMap[Fields.ALERT_RULE_NAME],
- // want to change to 'object', is that ok?
- [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096, required: false },
- // ---------------------------------------
- [Fields.ALERT_RULE_PRODUCER]: alertFieldMap[Fields.ALERT_RULE_PRODUCER],
- [Fields.ALERT_RULE_TAGS]: alertFieldMap[Fields.ALERT_RULE_TAGS],
- [Fields.ALERT_RULE_TYPE_ID]: alertFieldMap[Fields.ALERT_RULE_TYPE_ID],
- [Fields.ALERT_RULE_UUID]: alertFieldMap[Fields.ALERT_RULE_UUID],
- [Fields.ALERT_START]: alertFieldMap[Fields.ALERT_START],
- [Fields.ALERT_STATUS]: alertFieldMap[Fields.ALERT_STATUS],
- [Fields.ALERT_TIME_RANGE]: alertFieldMap[Fields.ALERT_TIME_RANGE],
- [Fields.ALERT_UUID]: alertFieldMap[Fields.ALERT_UUID],
- [Fields.ALERT_WORKFLOW_STATUS]: alertFieldMap[Fields.ALERT_WORKFLOW_STATUS],
- [Fields.SPACE_IDS]: alertFieldMap[Fields.SPACE_IDS],
- [Fields.VERSION]: alertFieldMap[Fields.VERSION],
-
- // These fields are defined in the legacy alerts as data field map to maintain
- // backwards compatibility with rule registry alerts as data
- [Fields.ALERT_RISK_SCORE]: legacyAlertFieldMap[Fields.ALERT_RISK_SCORE],
- [Fields.ALERT_RULE_AUTHOR]: legacyAlertFieldMap[Fields.ALERT_RULE_AUTHOR],
- [Fields.ALERT_RULE_CREATED_AT]: legacyAlertFieldMap[Fields.ALERT_RULE_CREATED_AT],
- [Fields.ALERT_RULE_CREATED_BY]: legacyAlertFieldMap[Fields.ALERT_RULE_CREATED_BY],
- [Fields.ALERT_RULE_DESCRIPTION]: legacyAlertFieldMap[Fields.ALERT_RULE_DESCRIPTION],
- [Fields.ALERT_RULE_ENABLED]: legacyAlertFieldMap[Fields.ALERT_RULE_ENABLED],
- [Fields.ALERT_RULE_FROM]: legacyAlertFieldMap[Fields.ALERT_RULE_FROM],
- [Fields.ALERT_RULE_INTERVAL]: legacyAlertFieldMap[Fields.ALERT_RULE_INTERVAL],
- [Fields.ALERT_RULE_LICENSE]: legacyAlertFieldMap[Fields.ALERT_RULE_LICENSE],
- [Fields.ALERT_RULE_NOTE]: legacyAlertFieldMap[Fields.ALERT_RULE_NOTE],
- [Fields.ALERT_RULE_REFERENCES]: legacyAlertFieldMap[Fields.ALERT_RULE_REFERENCES],
- [Fields.ALERT_RULE_RULE_ID]: legacyAlertFieldMap[Fields.ALERT_RULE_RULE_ID],
- [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: legacyAlertFieldMap[Fields.ALERT_RULE_RULE_NAME_OVERRIDE],
- [Fields.ALERT_RULE_TO]: legacyAlertFieldMap[Fields.ALERT_RULE_TO],
- [Fields.ALERT_RULE_TYPE]: legacyAlertFieldMap[Fields.ALERT_RULE_TYPE],
- [Fields.ALERT_RULE_UPDATED_AT]: legacyAlertFieldMap[Fields.ALERT_RULE_UPDATED_AT],
- [Fields.ALERT_RULE_UPDATED_BY]: legacyAlertFieldMap[Fields.ALERT_RULE_UPDATED_BY],
- [Fields.ALERT_RULE_VERSION]: legacyAlertFieldMap[Fields.ALERT_RULE_VERSION],
- [Fields.ALERT_SEVERITY]: legacyAlertFieldMap[Fields.ALERT_SEVERITY],
- [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_DOCS_COUNT],
- [Fields.ALERT_SUPPRESSION_END]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_END],
- [Fields.ALERT_SUPPRESSION_FIELD]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_FIELD],
- [Fields.ALERT_SUPPRESSION_START]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_START],
- [Fields.ALERT_SUPPRESSION_VALUE]: legacyAlertFieldMap[Fields.ALERT_SUPPRESSION_VALUE],
- [Fields.ALERT_SYSTEM_STATUS]: legacyAlertFieldMap[Fields.ALERT_SYSTEM_STATUS],
- [Fields.ALERT_WORKFLOW_REASON]: legacyAlertFieldMap[Fields.ALERT_WORKFLOW_REASON],
- [Fields.ALERT_WORKFLOW_USER]: legacyAlertFieldMap[Fields.ALERT_WORKFLOW_USER],
- [Fields.ECS_VERSION]: legacyAlertFieldMap[Fields.ECS_VERSION],
- [Fields.EVENT_ACTION]: legacyAlertFieldMap[Fields.EVENT_ACTION],
- [Fields.EVENT_KIND]: legacyAlertFieldMap[Fields.EVENT_KIND],
- [Fields.TAGS]: legacyAlertFieldMap[Fields.TAGS],
+ ...pickWithPatterns(
+ ecsFieldMap,
+ Fields.TIMESTAMP,
+ Fields.EVENT_KIND,
+ Fields.EVENT_ACTION,
+ Fields.TAGS
+ ),
+ [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 },
+ [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true },
+ [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true },
+ [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true },
+ [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true },
+ [Fields.ALERT_UUID]: { type: 'keyword', required: true },
+ [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
+ [Fields.ALERT_START]: { type: 'date' },
+ [Fields.ALERT_TIME_RANGE]: {
+ type: 'date_range',
+ format: 'epoch_millis||strict_date_optional_time',
+ },
+ [Fields.ALERT_END]: { type: 'date' },
+ [Fields.ALERT_DURATION]: { type: 'long' },
+ [Fields.ALERT_SEVERITY]: { type: 'keyword' },
+ [Fields.ALERT_STATUS]: { type: 'keyword', required: true },
+ [Fields.ALERT_FLAPPING]: { type: 'boolean' },
+ [Fields.VERSION]: {
+ type: 'version',
+ array: false,
+ required: false,
+ },
+ [Fields.ECS_VERSION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RISK_SCORE]: {
+ type: 'float',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_STATUS]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_USER]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_REASON]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SYSTEM_STATUS]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_ACTION_GROUP]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_REASON]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_CASE_IDS]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_RULE_AUTHOR]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_CATEGORY]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_UUID]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_CREATED_AT]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_CREATED_BY]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_DESCRIPTION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_ENABLED]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_EXECUTION_UUID]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_FROM]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_INTERVAL]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_LICENSE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_NAME]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_NOTE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_REFERENCES]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_RULE_RULE_ID]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TAGS]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TO]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TYPE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_UPDATED_AT]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_UPDATED_BY]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_VERSION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_FIELD]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_VALUE]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_START]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_END]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: {
+ type: 'long',
+ array: false,
+ required: false,
+ },
 } as const;
 export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap;
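Review bot: The new body hand-copies the field definitions that the removed lines pulled from `alertFieldMap` and `legacyAlertFieldMap`, so the rule-registry mapping and the framework mapping can now drift apart without any compile-time signal, and nothing in the file says why the import had to go (the commit title only mentions a distribution issue). The `required` flag is also applied unevenly: `ALERT_RULE_PARAMETERS`, `ALERT_START`, `ALERT_END`, `ALERT_DURATION`, `ALERT_SEVERITY` and `ALERT_FLAPPING` omit it while every other entry sets it explicitly, which PATCH 07 and PATCH 08 later in the series fix one line at a time. A header comment above `export const technicalRuleFieldMap = {`, such as `// Inlined copy of the framework alert field maps (@kbn/alerting-plugin/common); keep in sync until the bundle dependency that blocked importing them is resolved.`, plus an explicit `required` on every entry, would make the duplication reviewable and stop the snapshot test from masking a missing flag. The `required: true` entries (`ALERT_RULE_TYPE_ID`, `ALERT_RULE_CONSUMER`, `ALERT_RULE_PRODUCER`, `SPACE_IDS`, `ALERT_UUID`, `ALERT_INSTANCE_ID`, `ALERT_STATUS`, `ALERT_RULE_CATEGORY`, `ALERT_RULE_UUID`, `ALERT_RULE_NAME`) include the rule, consumer and space identity fields and should stay required.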
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 34ab1a4db3f5dd..8dfa02b0f93af0 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -173,8 +173,8 @@ export class AlertsClient {
 // this is typed kind of crazy to fit the output of es api response to this
 _source?:
 | {
- [ALERT_RULE_TYPE_ID]?: unknown;
- [ALERT_RULE_CONSUMER]?: unknown;
+ [ALERT_RULE_TYPE_ID]?: string | null | undefined;
+ [ALERT_RULE_CONSUMER]?: string | null | undefined;
 }
 | null
 | undefined;
@@ -194,8 +194,8 @@ export class AlertsClient {
 { hitIds: [], ownersAndRuleTypeIds: [] } as {
 hitIds: string[];
 ownersAndRuleTypeIds: Array<{
- [ALERT_RULE_TYPE_ID]: unknown;
- [ALERT_RULE_CONSUMER]: unknown;
+ [ALERT_RULE_TYPE_ID]: string | null | undefined;
+ [ALERT_RULE_CONSUMER]: string | null | undefined;
 }>;
 }
 );
From 085b7b850d31b3b53e42eb5fbf89628a238437fb Mon Sep 17 00:00:00 2001
From: Ying
Date: Tue, 7 Feb 2023 16:02:07 -0500
Subject: [PATCH 07/49] testing revert
---
 .../assets/field_maps/technical_rule_field_map.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index 9f1ee0838c1549..59bad29950d428 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -17,7 +17,7 @@ export const technicalRuleFieldMap = {
 Fields.EVENT_ACTION,
 Fields.TAGS
 ),
- [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 },
+ [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096, required: false },
 [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true },
 [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true },
 [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true },
@@ -26,14 +26,15 @@ export const technicalRuleFieldMap = {
 [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
 [Fields.ALERT_START]: { type: 'date' },
 [Fields.ALERT_TIME_RANGE]: {
+ required: false,
 type: 'date_range',
 format: 'epoch_millis||strict_date_optional_time',
 },
- [Fields.ALERT_END]: { type: 'date' },
- [Fields.ALERT_DURATION]: { type: 'long' },
- [Fields.ALERT_SEVERITY]: { type: 'keyword' },
+ [Fields.ALERT_END]: { type: 'date', required: false },
+ [Fields.ALERT_DURATION]: { type: 'long', required: false },
+ [Fields.ALERT_SEVERITY]: { type: 'keyword', required: false },
 [Fields.ALERT_STATUS]: { type: 'keyword', required: true },
- [Fields.ALERT_FLAPPING]: { type: 'boolean' },
+ [Fields.ALERT_FLAPPING]: { type: 'boolean', required: false },
 [Fields.VERSION]: {
 type: 'version',
 array: false,
From 2ca888ce8fb0075805ba67fa33b104ec01333251 Mon Sep 17 00:00:00 2001
From: Ying
Date: Tue, 7 Feb 2023 17:04:30 -0500
Subject: [PATCH 08/49] unbelievable
---
 packages/kbn-rule-data-utils/src/technical_field_names.ts | 1 +
 x-pack/plugins/apm/kibana.json | 1 -
 .../common/assets/field_maps/technical_rule_field_map.ts | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index d786120f0d5b1a..cf45162b208538 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -202,6 +202,7 @@ export {
 ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
 ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
 ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
+ EVENT_MODULE,
 };
 export type TechnicalRuleDataFieldName = ValuesType;
diff --git a/x-pack/plugins/apm/kibana.json b/x-pack/plugins/apm/kibana.json
index ee8deff66d870e..3df051925ab619 100644
--- a/x-pack/plugins/apm/kibana.json
+++ b/x-pack/plugins/apm/kibana.json
@@ -47,7 +47,6 @@
 "apm"
 ],
 "requiredBundles": [
- "alerting",
 "fleet",
 "kibanaReact",
 "kibanaUtils",
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index 59bad29950d428..1a6fc174556be0 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -24,7 +24,7 @@ export const technicalRuleFieldMap = {
 [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true },
 [Fields.ALERT_UUID]: { type: 'keyword', required: true },
 [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
- [Fields.ALERT_START]: { type: 'date' },
+ [Fields.ALERT_START]: { type: 'date', required: false },
 [Fields.ALERT_TIME_RANGE]: {
 required: false,
 type: 'date_range',
From b5b5b1a3664e3039a0ea7f5f8e277d86d241eb7b Mon Sep 17 00:00:00 2001
From: Ying
Date: Tue, 7 Feb 2023 19:26:25 -0500
Subject: [PATCH 09/49] Fixing tests
---
 .../field_maps/technical_rule_field_map.test.ts | 12 ------------
 x-pack/plugins/security_solution/server/plugin.ts | 3 ++-
 2 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
index 1e11bfbac0a8ff..f01fa4b0cb8a3b 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -43,22 +43,18 @@ it('matches snapshot', () => {
 "type": "keyword",
 },
 "kibana.alert.duration.us": Object {
- "array": false,
 "required": false,
 "type": "long",
 },
 "kibana.alert.end": Object {
- "array": false,
 "required": false,
 "type": "date",
 },
 "kibana.alert.flapping": Object {
- "array": false,
 "required": false,
 "type": "boolean",
 },
 "kibana.alert.instance.id": Object {
- "array": false,
 "required": true,
 "type": "keyword",
 },
@@ -83,7 +79,6 @@ it('matches snapshot', () => {
 "type": "keyword",
 },
 "kibana.alert.rule.consumer": Object {
- "array": false,
 "required": true,
 "type": "keyword",
 },
@@ -143,7 +138,6 @@ it('matches snapshot', () => {
 "type": "flattened",
 },
 "kibana.alert.rule.producer": Object {
- "array": false,
 "required": true,
 "type": "keyword",
 },
@@ -163,7 +157,6 @@ it('matches snapshot', () => {
 "type": "keyword",
 },
 "kibana.alert.rule.rule_type_id": Object {
- "array": false,
 "required": true,
 "type": "keyword",
 },
@@ -203,17 +196,14 @@ it('matches snapshot', () => {
 "type": "keyword",
 },
 "kibana.alert.severity": Object {
- "array": false,
 "required": false,
 "type": "keyword",
 },
 "kibana.alert.start": Object {
- "array": false,
 "required": false,
 "type": "date",
 },
 "kibana.alert.status": Object {
- "array": false,
 "required": true,
 "type": "keyword",
 },
@@ -248,13 +238,11 @@ it('matches snapshot', () => {
 "type": "keyword",
 },
 "kibana.alert.time_range": Object {
- "array": false,
 "format": "epoch_millis||strict_date_optional_time",
 "required": false,
 "type": "date_range",
 },
 "kibana.alert.uuid": Object {
- "array": false,
 "required": true,
 "type": "keyword",
 },
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index 3dc8c0ddebb01b..9fbaced6e9a74f 100644
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@@ -23,6 +23,7 @@
 import type { UsageCounter } from '@kbn/usage-collection-plugin/server';
 import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/rule-registry-plugin/common/assets';
 import { mappingFromFieldMap, type FieldMap } from '@kbn/alerting-plugin/common';
+import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map';
 import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import { Dataset } from '@kbn/rule-registry-plugin/server';
 import type { ListPluginSetup } from '@kbn/lists-plugin/server';
@@ -232,7 +233,7 @@ export class Plugin implements ISecuritySolutionPlugin {
 {
 name: 'mappings',
 mappings: mappingFromFieldMap(
- { ...alertsFieldMap, ...rulesFieldMap, ...aliasesFieldMap },
+ { ...technicalRuleFieldMap, ...alertsFieldMap, ...rulesFieldMap, ...aliasesFieldMap },
 false
 ),
 },
From d8c2acf7f24c63cf5825e237fe91511686a6caf7 Mon Sep 17 00:00:00 2001
From: Ying
Date: Wed, 8 Feb 2023 07:58:20 -0500
Subject: [PATCH 10/49] Fixing tests
---
 .../spaces_only/tests/alerting/group4/alerts_as_data.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
index 0ad1f81037be2c..557230b9c047b1 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
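Review bot: The spread order in `mappings: mappingFromFieldMap({ ...technicalRuleFieldMap, ...alertsFieldMap, ...rulesFieldMap, ...aliasesFieldMap }, false)` means any key present in more than one map silently takes the definition from the right-most map, and nothing in the hunk states that this precedence is intended now that `technicalRuleFieldMap` is back at the front. A comment on the line above, `// precedence: later maps override earlier ones for a shared key; technicalRuleFieldMap is the baseline`, would make the intent reviewable, and a unit test asserting that no key is redefined with a different `type` between `technicalRuleFieldMap` and the three security maps would catch an accidental change to a field the alerts client relies on for rule-type or consumer checks. The enclosing method starts and ends outside the hunk.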
@@ -65,7 +65,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex }); it('should install context specific alerts as data resources on startup', async () => { - const componentTemplateName = 'alerts-test.always-firing-mappings'; + const componentTemplateName = '.alerts-test.always-firing-mappings'; const indexTemplateName = '.alerts-test.always-firing-default-template'; const indexName = '.alerts-test.always-firing-default-000001'; const contextSpecificMappings = { @@ -115,7 +115,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex ]); expect(contextIndexTemplate.index_template.composed_of).to.eql([ '.alerts-framework-mappings', - 'alerts-test.always-firing-mappings', + '.alerts-test.always-firing-mappings', ]); expect(contextIndexTemplate.index_template.template!.mappings).to.eql({ dynamic: false, From e7388749ef0b0c0834a68c5e94b56a59b51fc03b Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 8 Feb 2023 09:44:26 -0500 Subject: [PATCH 11/49] Building technical field map from legacy and framework alert field map --- .../field_maps/alert_field_map.ts | 5 +- .../field_maps/legacy_alert_field_map.ts | 5 +- .../technical_rule_field_map.test.ts | 22 ++ .../field_maps/technical_rule_field_map.ts | 214 +----------------- 4 files changed, 30 insertions(+), 216 deletions(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index b5862c24e275b2..6a08b3da70e4f1 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -33,9 +33,8 @@ import { TIMESTAMP, VERSION, } from '@kbn/rule-data-utils'; -import { FieldMap } from './types'; -export const alertFieldMap: FieldMap = { +export const alertFieldMap = { [ALERT_ACTION_GROUP]: { type: 'keyword', array: false, 
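Review bot: Dropping the `: FieldMap` annotation from `alertFieldMap` (presumably so the `as const` added at the end of the object can keep literal types) also drops the compile-time check that every entry is a well-formed field map entry — a typo such as `type: 'keywrod'` or a missing `required` would now only surface when the component template is PUT to Elasticsearch at startup. If the repo's TypeScript version supports it, `} as const satisfies FieldMap;` keeps both the literal types and the validation; otherwise a throwaway `const _alertFieldMapCheck: FieldMap = alertFieldMap;` next to the export gives the same guarantee. The `legacyAlertFieldMap` change in this patch follows the same pattern and would benefit from the same treatment. The object literal continues outside the hunk.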
@@ -168,6 +167,6 @@ export const alertFieldMap: FieldMap = { array: false, required: false, }, -}; +} as const; export type AlertFieldMap = typeof alertFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts index 6f0e60fb8ecf13..6051834e676b5d 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts @@ -38,9 +38,8 @@ import { EVENT_KIND, TAGS, } from '@kbn/rule-data-utils'; -import { FieldMap } from './types'; -export const legacyAlertFieldMap: FieldMap = { +export const legacyAlertFieldMap = { [ALERT_RISK_SCORE]: { type: 'float', array: false, @@ -197,6 +196,6 @@ export const legacyAlertFieldMap: FieldMap = { array: true, required: false, }, -}; +} as const; export type LegacyAlertFieldMap = typeof legacyAlertFieldMap; diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts index f01fa4b0cb8a3b..2b569e926229cc 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts 
@@ -43,21 +43,35 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.duration.us": Object { + "array": false, "required": false, "type": "long", }, "kibana.alert.end": Object { + "array": false, "required": false, "type": "date", }, "kibana.alert.flapping": Object { + "array": false, + "required": false, + "type": "boolean", + }, + "kibana.alert.flapping_history": Object { + "array": true, "required": false, "type": "boolean", }, "kibana.alert.instance.id": Object { + "array": false, "required": true, "type": "keyword", }, + "kibana.alert.last_detected": Object { + "array": false, + "required": false, + "type": "date", + }, "kibana.alert.reason": Object { "array": false, "required": false, @@ -79,6 +93,7 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.rule.consumer": Object { + "array": false, "required": true, "type": "keyword", }, @@ -138,6 +153,7 @@ it('matches snapshot', () => { "type": "flattened", }, "kibana.alert.rule.producer": Object { + "array": false, "required": true, "type": "keyword", }, @@ -157,6 +173,7 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.rule.rule_type_id": Object { + "array": false, "required": true, "type": "keyword", }, @@ -196,14 +213,17 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.severity": Object { + "array": false, "required": false, "type": "keyword", }, "kibana.alert.start": Object { + "array": false, "required": false, "type": "date", }, "kibana.alert.status": Object { + "array": false, "required": true, "type": "keyword", }, @@ -238,11 +258,13 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.time_range": Object { + "array": false, "format": "epoch_millis||strict_date_optional_time", "required": false, "type": "date_range", }, "kibana.alert.uuid": Object { + "array": false, "required": true, "type": "keyword", }, 
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index 1a6fc174556be0..0b5a22a882ff95 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts 
@@ -5,221 +5,15 @@ * 2.0. */ +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; import { pickWithPatterns } from '../../pick_with_patterns'; import * as Fields from '../../technical_rule_data_field_names'; -import { ecsFieldMap } from './ecs_field_map'; export const technicalRuleFieldMap = { - ...pickWithPatterns( - ecsFieldMap, - Fields.TIMESTAMP, - Fields.EVENT_KIND, - Fields.EVENT_ACTION, - Fields.TAGS - ), + ...pickWithPatterns(alertFieldMap, '*'), + ...pickWithPatterns(legacyAlertFieldMap, '*'), + // TODO - are we able to change this [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096, required: false }, - [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true }, - [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true }, - [Fields.ALERT_UUID]: { type: 'keyword', required: true }, - [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_START]: { type: 'date', required: false }, - [Fields.ALERT_TIME_RANGE]: { - required: false, - type: 'date_range', - format: 'epoch_millis||strict_date_optional_time', - }, - [Fields.ALERT_END]: { type: 'date', required: false }, - [Fields.ALERT_DURATION]: { type: 'long', required: false }, - [Fields.ALERT_SEVERITY]: { type: 'keyword', required: false }, - [Fields.ALERT_STATUS]: { type: 'keyword', required: true }, - [Fields.ALERT_FLAPPING]: { type: 'boolean', required: false }, - [Fields.VERSION]: { - type: 'version', - array: false, - required: false, - }, - [Fields.ECS_VERSION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RISK_SCORE]: { - type: 'float', - array: false, - required: false, - }, - [Fields.ALERT_WORKFLOW_STATUS]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_WORKFLOW_USER]: { - type: 'keyword', - array: false, - 
required: false, - }, - [Fields.ALERT_WORKFLOW_REASON]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_SYSTEM_STATUS]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_ACTION_GROUP]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_REASON]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_CASE_IDS]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_RULE_AUTHOR]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_CATEGORY]: { - type: 'keyword', - array: false, - required: true, - }, - [Fields.ALERT_RULE_UUID]: { - type: 'keyword', - array: false, - required: true, - }, - [Fields.ALERT_RULE_CREATED_AT]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_RULE_CREATED_BY]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_DESCRIPTION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_ENABLED]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_EXECUTION_UUID]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_FROM]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_INTERVAL]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_LICENSE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_NAME]: { - type: 'keyword', - array: false, - required: true, - }, - [Fields.ALERT_RULE_NOTE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_REFERENCES]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_RULE_RULE_ID]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_TAGS]: { - type: 
'keyword', - array: true, - required: false, - }, - [Fields.ALERT_RULE_TO]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_TYPE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_UPDATED_AT]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_RULE_UPDATED_BY]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_VERSION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_FIELD]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_SUPPRESSION_VALUE]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_SUPPRESSION_START]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_END]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: { - type: 'long', - array: false, - required: false, - }, } as const; export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap; From 8fa924aee215719a53708c551c803a5a82465b15 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 8 Feb 2023 09:54:50 -0500 Subject: [PATCH 12/49] Building technical field map from legacy and framework alert field map --- x-pack/plugins/apm/kibana.json | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/plugins/apm/kibana.json b/x-pack/plugins/apm/kibana.json index 3df051925ab619..ee8deff66d870e 100644 --- a/x-pack/plugins/apm/kibana.json +++ b/x-pack/plugins/apm/kibana.json @@ -47,6 +47,7 @@ "apm" ], "requiredBundles": [ + "alerting", "fleet", "kibanaReact", "kibanaUtils", From f54aefe75fbb142ad54117445eca74112ccdab9a Mon Sep 17 00:00:00 2001 
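Review bot: The rewritten `technicalRuleFieldMap` spreads `legacyAlertFieldMap` after `alertFieldMap`, so for any field name present in both maps the legacy definition wins silently; since this map is what the rule registry's index templates are built from, a type disagreement between the two sources would change the mapping of every alert index without a compile error. A comment on the spread order, or a test asserting the two key sets are disjoint, would make that contract explicit (`pickWithPatterns(x, '*')` is effectively a plain spread here, so a plain `...alertFieldMap` would read more directly). The hunk also drops the `ecsFieldMap` picks for `@timestamp`, `event.kind`, `event.action` and `tags`; the legacy map's import list in this patch shows EVENT_KIND and TAGS, but I cannot see from here whether `@timestamp` and `event.action` are carried by either map — worth confirming against the snapshot test, because a field that disappears from the component template is no longer mapped in indices that are created with `dynamic: false`.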
From: Ying Date: Wed, 8 Feb 2023 13:00:36 -0500 Subject: [PATCH 13/49] parameters have to be flattened --- .../common/alert_schema/field_maps/alert_field_map.ts | 5 +++-- .../assets/field_maps/technical_rule_field_map.test.ts | 1 + .../common/assets/field_maps/technical_rule_field_map.ts | 3 --- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index 6a08b3da70e4f1..a2892a172231e6 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -102,8 +102,9 @@ export const alertFieldMap = { required: true, }, [ALERT_RULE_PARAMETERS]: { - type: 'object', - enabled: false, + array: false, + type: 'flattened', + ignore_above: 4096, required: false, }, [ALERT_RULE_PRODUCER]: { diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts index 2b569e926229cc..7c2cc7c2a02af0 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts @@ -148,6 +148,7 @@ it('matches snapshot', () => { "type": "keyword", }, "kibana.alert.rule.parameters": Object { + "array": false, "ignore_above": 4096, "required": false, "type": "flattened", diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index 0b5a22a882ff95..c6ab419534f4b4 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts 
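Review bot: Changing `kibana.alert.rule.parameters` from a disabled `object` to `flattened` is an indexing change, not just a type tweak: a disabled object is kept in `_source` but never indexed, whereas `flattened` indexes every leaf value of the rule parameters as a keyword term, making them searchable and aggregatable across the alert indices (this matches the entry removed from technical_rule_field_map in the same patch, so it looks like intended alignment). Two consequences deserve a comment at the entry: `ignore_above: 4096` means any leaf value longer than that is silently not indexed, so searches on long parameter strings will miss, and if rule parameters can ever carry credentials or other sensitive values they become indexed terms rather than opaque source. A note such as `// flattened (not a disabled object) so rule params are queryable; leaf values > 4096 chars are not indexed (ignore_above)` next to the entry would record both.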
@@ -7,13 +7,10 @@ import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; import { pickWithPatterns } from '../../pick_with_patterns'; -import * as Fields from '../../technical_rule_data_field_names'; export const technicalRuleFieldMap = { ...pickWithPatterns(alertFieldMap, '*'), ...pickWithPatterns(legacyAlertFieldMap, '*'), - // TODO - are we able to change this - [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096, required: false }, } as const; export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap; From 98f957b1e6c095c75034193153f83488c17dde6a Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 8 Feb 2023 13:50:16 -0500 Subject: [PATCH 14/49] Installing legacy alert component template on startup --- .../alerts_service/alerts_service.test.ts | 56 +++++++++++-------- .../server/alerts_service/alerts_service.ts | 7 ++- .../alerting/server/alerts_service/types.ts | 2 +- .../tests/alerting/group4/alerts_as_data.ts | 48 ++++++++++++---- 4 files changed, 75 insertions(+), 38 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index a82c3db9af5861..8ef71ee5fe2ffb 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts 
@@ -142,10 +142,12 @@ describe('Alerts Service', () => { expect(alertsService.isInitialized()).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); }); test('should log error and set initialized to false if adding ILM policy throws error', async () => { 
@@ -211,15 +213,17 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - // 1x for common component template, 2x for context specific - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + // 1x for framework component template, 1x for legacy alert, 2x for context specific + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; - expect(componentTemplate2.name).toEqual('.alerts-another-mappings'); + expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; - expect(componentTemplate3.name).toEqual('.alerts-test-mappings'); + expect(componentTemplate3.name).toEqual('.alerts-another-mappings'); + const componentTemplate4 = clusterClient.cluster.putComponentTemplate.mock.calls[3][0]; + expect(componentTemplate4.name).toEqual('.alerts-test-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.putIndexTemplate).toHaveBeenNthCalledWith( 
@@ -288,11 +292,13 @@ describe('Alerts Service', () => { expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; - expect(componentTemplate2.name).toEqual('.alerts-test-mappings'); + expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); + const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; + expect(componentTemplate3.name).toEqual('.alerts-test-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( getIndexTemplatePutBody() @@ -315,7 +321,7 @@ describe('Alerts Service', () => { }); }); - test('should not install component template for context fieldMap is empty', async () => { + test('should not install component template for context if fieldMap is empty', async () => { alertsService.register({ context: 'empty', fieldMap: {}, @@ -325,9 +331,11 @@ describe('Alerts Service', () => { expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith({ name: `.alerts-empty-default-template`, 
@@ -407,7 +415,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); // putIndexTemplate is skipped but other operations are called as expected expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); @@ -440,7 +448,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); @@ -464,7 +472,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); @@ -488,7 +496,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); 
@@ -509,7 +517,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); @@ -532,7 +540,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -556,7 +564,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -578,7 +586,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Failed to PUT mapping for alias alias_1: fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
@@ -598,7 +606,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -637,7 +645,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -670,7 +678,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -692,7 +700,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
@@ -727,7 +735,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -763,7 +771,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -807,7 +815,7 @@ describe('Alerts Service', () => { alertsService.initialize(); await new Promise((r) => setTimeout(r, 150)); expect(alertsService.isInitialized()).toEqual(true); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); }); test('should retry updating index template for transient ES errors', async () => { diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 6115415425c8a1..3921541c3e4171 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -13,7 +13,7 @@ import { import { get, isEmpty, isEqual } from 'lodash'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; import { firstValueFrom, Observable } from 'rxjs'; -import { alertFieldMap, type FieldMap } from '../../common'; +import { alertFieldMap, legacyAlertFieldMap, type FieldMap } from '../../common'; import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy'; import { getComponentTemplate, @@ -103,6 +103,11 @@ export class AlertsService implements IAlertsService { const initFns = [ () => this.createOrUpdateIlmPolicy(esClient), () => this.createOrUpdateComponentTemplate(esClient, getComponentTemplate(alertFieldMap)), + () => + this.createOrUpdateComponentTemplate( + esClient, + getComponentTemplate(legacyAlertFieldMap, 'legacy-alert') + ), ]; for (const fn of initFns) { diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index 8ddcf34a6eb826..71a3d606ea45d1 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts @@ -39,5 +39,5 @@ export const getComponentTemplate = ( name: getComponentTemplateName(context), fieldMap, // set field limit slightly higher than actual number of fields - fieldLimit: 100, // Math.round(Object.keys(fieldMap).length * 1.5), + fieldLimit: Math.ceil(Object.keys(fieldMap).length / 100) * 100, }); diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts index 557230b9c047b1..c7b204a4fc1fac 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts 
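Review bot: `fieldLimit: Math.ceil(Object.keys(fieldMap).length / 100) * 100` no longer matches the comment above it ("slightly higher than actual number of fields") when the key count is an exact multiple of 100 — 100 keys yields a limit of 100 with no headroom. More importantly, Elasticsearch's `index.mapping.total_fields.limit` counts object mappings as well as leaf fields, so a dotted field map (`kibana.alert.rule.name` contributes `kibana`, `kibana.alert`, `kibana.alert.rule` and the leaf) produces more mapping fields than `Object.keys(fieldMap).length`, and a 90-key map can exceed a limit of 100 and fail the component template PUT at startup. Deriving the count from the generated mapping, or at least restoring the multiplier before rounding — `fieldLimit: Math.ceil((Object.keys(fieldMap).length * 1.5) / 100) * 100` — would keep the headroom the comment promises; the integration test in this patch pins the framework template's limit at 100 and would need updating alongside.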
@@ -5,7 +5,7 @@ * 2.0. */ -import { alertFieldMap } from '@kbn/alerting-plugin/common/alert_schema'; +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import expect from '@kbn/expect'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; @@ -13,12 +13,14 @@ import { FtrProviderContext } from '../../../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export export default function createAlertsAsDataTest({ getService }: FtrProviderContext) { const es = getService('es'); - const commonFrameworkMappings = mappingFromFieldMap(alertFieldMap, 'strict'); + const frameworkMappings = mappingFromFieldMap(alertFieldMap, 'strict'); + const legacyAlertMappings = mappingFromFieldMap(legacyAlertFieldMap, 'strict'); describe('alerts as data', () => { it('should install common alerts as data resources on startup', async () => { const ilmPolicyName = 'alerts-default-ilm-policy'; - const componentTemplateName = '.alerts-framework-mappings'; + const frameworkComponentTemplateName = '.alerts-framework-mappings'; + const legacyComponentTemplateName = '.alerts-legacy-alert-mappings'; const commonIlmPolicy = await es.ilm.getLifecycle({ name: ilmPolicyName, 
@@ -41,18 +43,40 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex }, }); - const { component_templates: componentTemplates } = await es.cluster.getComponentTemplate({ - name: componentTemplateName, + const { component_templates: componentTemplates1 } = await es.cluster.getComponentTemplate({ + name: frameworkComponentTemplateName, }); - expect(componentTemplates.length).to.eql(1); - const commonComponentTemplate = componentTemplates[0]; + expect(componentTemplates1.length).to.eql(1); + const frameworkComponentTemplate = componentTemplates1[0]; + + expect(frameworkComponentTemplate.name).to.eql(frameworkComponentTemplateName); + expect(frameworkComponentTemplate.component_template.template.mappings).to.eql( + frameworkMappings + ); + expect(frameworkComponentTemplate.component_template.template.settings).to.eql({ + index: { + number_of_shards: 1, + mapping: { + total_fields: { + limit: 100, + }, + }, + }, + }); + + const { component_templates: componentTemplates2 } = await es.cluster.getComponentTemplate({ + name: legacyComponentTemplateName, + }); + + expect(componentTemplates2.length).to.eql(1); + const legacyComponentTemplate = componentTemplates2[0]; - expect(commonComponentTemplate.name).to.eql(componentTemplateName); - expect(commonComponentTemplate.component_template.template.mappings).to.eql( - commonFrameworkMappings + expect(legacyComponentTemplate.name).to.eql(legacyComponentTemplateName); + expect(legacyComponentTemplate.component_template.template.mappings).to.eql( + legacyAlertMappings ); - expect(commonComponentTemplate.component_template.template.settings).to.eql({ + expect(legacyComponentTemplate.component_template.template.settings).to.eql({ index: { number_of_shards: 1, mapping: { 
@@ -150,7 +174,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex dynamic: 'false', properties: { ...contextSpecificMappings, - ...commonFrameworkMappings.properties, + ...frameworkMappings.properties, }, }); From 65b24e4157a796b0f1e1a67d1acff63151902229 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 8 Feb 2023 15:02:13 -0500 Subject: [PATCH 15/49] Referencing legacy alert template when specified --- .../field_maps/alert_field_map.ts | 1 - .../field_maps/mapping_from_field_map.test.ts | 4 +- .../alerts_service/alerts_service.test.ts | 97 ++++++++++++++----- .../server/alerts_service/alerts_service.ts | 69 +++++++------ x-pack/plugins/alerting/server/types.ts | 1 + 5 files changed, 118 insertions(+), 54 deletions(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index a2892a172231e6..404e09666c52b6 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -70,7 +70,6 @@ export const alertFieldMap = { array: false, required: true, }, - // this is not in the technical field mapping ?? [ALERT_LAST_DETECTED]: { type: 'date', required: false, diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 7e530ef467d0e6..049145b71abd39 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -246,8 +246,8 @@ describe('mappingFromFieldMap', () => { type: 'keyword', }, parameters: { - type: 'object', - enabled: false, + type: 'flattened', + ignore_above: 4096, }, producer: { type: 'keyword', 
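Review bot: The expected mapping for `parameters` moves from a disabled `object` to `flattened` with `ignore_above: 4096`, which makes every leaf value of rule parameters an indexed, searchable keyword in the alert indices, while leaf values longer than 4096 characters remain in `_source` but are not indexed. The field map that drives this expectation is not in the hunk, so if the change is intentional the entry there should say so, e.g. `// flattened: every leaf value of rule params is indexed as keyword; values over ignore_above are stored but not searchable`. It is also worth confirming that no rule type places sensitive values in `parameters`, since those values now become queryable fields on the alert document.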
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 8ef71ee5fe2ffb..7a2759e256cc37 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -9,6 +9,7 @@ import { elasticsearchServiceMock, loggingSystemMock } from '@kbn/core/server/mo import { errors as EsErrors } from '@elastic/elasticsearch'; import { ReplaySubject, Subject } from 'rxjs'; import { AlertsService } from './alerts_service'; +import { IRuleTypeAlerts } from '../types'; let logger: ReturnType; const clusterClient = elasticsearchServiceMock.createClusterClient().asInternalUser; 
@@ -75,37 +76,49 @@ const IlmPutBody = { name: 'alerts-default-ilm-policy', }; -const getIndexTemplatePutBody = (context?: string) => ({ - name: `.alerts-${context ? context : 'test'}-default-template`, - body: { - index_patterns: [`.alerts-${context ? context : 'test'}-default-*`], - composed_of: ['.alerts-framework-mappings', `.alerts-${context ? context : 'test'}-mappings`], - template: { - settings: { - auto_expand_replicas: '0-1', - hidden: true, - 'index.lifecycle': { - name: 'alerts-default-ilm-policy', - rollover_alias: `.alerts-${context ? context : 'test'}-default`, +interface GetIndexTemplatePutBodyOpts { + context?: string; + useLegacyAlerts?: boolean; +} +const getIndexTemplatePutBody = (opts?: GetIndexTemplatePutBodyOpts) => { + const context = opts ? opts.context : undefined; + const useLegacyAlerts = opts ? opts.useLegacyAlerts : undefined; + return { + name: `.alerts-${context ? context : 'test'}-default-template`, + body: { + index_patterns: [`.alerts-${context ? context : 'test'}-default-*`], + composed_of: [ + `.alerts-${context ? context : 'test'}-mappings`, + ...(useLegacyAlerts ? ['.alerts-legacy-alert-mappings'] : []), + '.alerts-framework-mappings', + ], + template: { + settings: { + auto_expand_replicas: '0-1', + hidden: true, + 'index.lifecycle': { + name: 'alerts-default-ilm-policy', + rollover_alias: `.alerts-${context ? context : 'test'}-default`, + }, + 'index.mapping.total_fields.limit': 2500, + }, + mappings: { + dynamic: false, }, - 'index.mapping.total_fields.limit': 2500, }, - mappings: { - dynamic: false, + _meta: { + managed: true, }, }, - _meta: { - managed: true, - }, - }, -}); + }; +}; -const TestRegistrationContext = { +const TestRegistrationContext: IRuleTypeAlerts = { context: 'test', fieldMap: { field: { type: 'keyword', required: false } }, }; -const AnotherRegistrationContext = { +const AnotherRegistrationContext: IRuleTypeAlerts = { context: 'another', fieldMap: { field: { type: 'keyword', required: false } }, }; 
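Review bot: The two `opts ? opts.x : undefined` lines in `getIndexTemplatePutBody` can be replaced by a destructured default parameter, `const getIndexTemplatePutBody = ({ context, useLegacyAlerts }: GetIndexTemplatePutBodyOpts = {}) => {`, which also removes the optional `opts?`. The `context ? context : 'test'` expression repeated three times could become a single `const ctx = context || 'test';` at the top of the body. Test-only code, so this is style rather than correctness.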
@@ -228,7 +241,7 @@ describe('Alerts Service', () => { expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.putIndexTemplate).toHaveBeenNthCalledWith( 1, - getIndexTemplatePutBody('another') + getIndexTemplatePutBody({ context: 'another' }) ); expect(clusterClient.indices.putIndexTemplate).toHaveBeenNthCalledWith( 2, 
@@ -321,6 +334,44 @@ describe('Alerts Service', () => { }); }); + test('should correctly install resources for context when useLegacyAlerts is true', async () => { + alertsService.register({ ...TestRegistrationContext, useLegacyAlerts: true }); + await new Promise((r) => setTimeout(r, 50)); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; + expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); + const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; + expect(componentTemplate3.name).toEqual('.alerts-test-mappings'); + + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( + getIndexTemplatePutBody({ useLegacyAlerts: true }) + ); + expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ + index: '.alerts-test-default-*', + }); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.create).toHaveBeenCalledWith({ + index: '.alerts-test-default-000001', + body: { + aliases: { + '.alerts-test-default': { + is_write_index: true, + }, + }, + }, + }); + }); + test('should not install component template for context if fieldMap is empty', async () => { alertsService.register({ context: 'empty', 
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
index 3921541c3e4171..e3183b736219b2 100644
--- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
@@ -30,7 +30,7 @@ import {
 const TOTAL_FIELDS_LIMIT = 2500;
 const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes
-
+const LEGACY_ALERT_CONTEXT = 'legacy-alert';
 interface AlertsServiceParams {
 logger: Logger;
 pluginStop$: Observable;
@@ -106,7 +106,7 @@ export class AlertsService implements IAlertsService {
 () =>
 this.createOrUpdateComponentTemplate(
 esClient,
- getComponentTemplate(legacyAlertFieldMap, 'legacy-alert')
+ getComponentTemplate(legacyAlertFieldMap, LEGACY_ALERT_CONTEXT)
 ),
 ];
@@ -128,7 +128,8 @@ export class AlertsService implements IAlertsService {
 });
 }
- public register({ context, fieldMap }: IRuleTypeAlerts, timeoutMs?: number) {
+ public register(opts: IRuleTypeAlerts, timeoutMs?: number) {
+ const { context, fieldMap } = opts;
 // check whether this context has been registered before
 if (this.registeredContexts.has(context)) {
 const registeredFieldMap = this.registeredContexts.get(context);
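Review bot: `register` now takes the whole `opts`, but the duplicate-registration guard that follows still only looks at the field map (`this.registeredContexts.get(context)` yields the stored field map, and the next hunk still stores only `fieldMap` via `this.registeredContexts.set(context, fieldMap)`), so a second registration of the same context with a different `useLegacyAlerts` value is presumably neither detected nor applied. Consider storing `opts` in `registeredContexts` and comparing the full object, or at least stating on `register` that only the field map participates in the conflict check, e.g. `// Re-registration is rejected only on field map mismatch; other options are ignored`. The body of `register` continues past the end of this hunk.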
@@ -141,37 +142,49 @@ export class AlertsService implements IAlertsService {
 this.options.logger.info(`Registering resources for context "${context}".`);
 this.registeredContexts.set(context, fieldMap);
- this.resourceInitializationHelper.add({ context, fieldMap }, timeoutMs);
+ this.resourceInitializationHelper.add(opts, timeoutMs);
 }
- private async initializeContext({ context, fieldMap }: IRuleTypeAlerts, timeoutMs?: number) {
+ private async initializeContext(
+ { context, fieldMap, useLegacyAlerts }: IRuleTypeAlerts,
+ timeoutMs?: number
+ ) {
 const esClient = await this.options.elasticsearchClientPromise;
 const indexTemplateAndPattern = getIndexTemplateAndPattern(context);
- // Context specific initialization installs component template, index template and write index
- // If fieldMap is empty, don't create context specific component template
- const initFns = isEmpty(fieldMap)
- ? [
- async () =>
- await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [
- getComponentTemplateName(),
- ]),
- async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern),
- ]
- : [
- async () =>
- await this.createOrUpdateComponentTemplate(
- esClient,
- getComponentTemplate(fieldMap, context)
- ),
- async () =>
- await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [
- getComponentTemplateName(),
- getComponentTemplateName(context),
- ]),
- async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern),
- ];
+ let initFns: Array<() => Promise> = [];
+
+ // List of component templates to reference
+ const componentTemplateRefs: string[] = [];
+
+ // If fieldMap is not empty, create a context specific component template
+ if (!isEmpty(fieldMap)) {
+ const componentTemplate = getComponentTemplate(fieldMap, context);
+ initFns.push(
+ async () => await this.createOrUpdateComponentTemplate(esClient, componentTemplate)
+ );
+ componentTemplateRefs.push(componentTemplate.name);
+ }
+
+ // If useLegacy is 
set to true, add the legacy alert component template to the references + if (useLegacyAlerts) { + componentTemplateRefs.push(getComponentTemplateName(LEGACY_ALERT_CONTEXT)); + } + + // Add framework component template to the references + componentTemplateRefs.push(getComponentTemplateName()); + + // Context specific initialization installs index template and write index + initFns = initFns.concat([ + async () => + await this.createOrUpdateIndexTemplate( + esClient, + indexTemplateAndPattern, + componentTemplateRefs + ), + async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern), + ]); for (const fn of initFns) { await this.installWithTimeout(async () => await fn(), timeoutMs); diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts index 78484d511d55cd..19ecb79626bfbb 100644 --- a/x-pack/plugins/alerting/server/types.ts +++ b/x-pack/plugins/alerting/server/types.ts @@ -165,6 +165,7 @@ export interface IRuleTypeAlerts { context: string; namespace?: string; fieldMap: FieldMap; + useLegacyAlerts?: boolean; } export interface RuleType< From 9055fc20c4f16e0c3d946457350a3ca7507b1d46 Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 9 Feb 2023 16:08:34 -0500 Subject: [PATCH 16/49] Adding ecs field map and installing ecs component template --- .../alert_schema/field_maps/ecs_field_map.ts | 57 ++++++++++++++++++ .../alerting/common/alert_schema/index.ts | 1 + x-pack/plugins/alerting/common/index.ts | 1 + .../alerts_service/alerts_service.test.ts | 60 +++++++++++-------- .../server/alerts_service/alerts_service.ts | 8 ++- .../alerting/server/alerts_service/types.ts | 2 +- 6 files changed, 102 insertions(+), 27 deletions(-) create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts 
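Review bot: The comment introduced before the `useLegacyAlerts` branch says `useLegacy`, which no longer matches the flag name; `// If useLegacyAlerts is set, reference the legacy alert component template` keeps it greppable. The order of `componentTemplateRefs` (context, then legacy, then framework) is load-bearing, because Elasticsearch merges `composed_of` templates in list order with later templates winning on conflicting mappings, so the framework mappings override anything a context field map declares; that intent deserves a comment above the first `push`, e.g. `// Order matters: later component templates win on conflict, so framework mappings must come last`. `initFns` could also stay `const` with `push(...)` instead of `let` plus `concat`. The `for` loop at the end continues past the hunk.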
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts
new file mode 100644
index 00000000000000..a22d8047ef482f
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { EcsFlat } from '@kbn/ecs';
+
+export interface AllowedValue {
+ description?: string;
+ name?: string;
+}
+
+export interface MultiField {
+ flat_name: string;
+ name: string;
+ type: string;
+}
+
+export interface EcsMetadata {
+ allowed_values?: AllowedValue[];
+ dashed_name: string;
+ description: string;
+ doc_values?: boolean;
+ example?: string | number | boolean;
+ flat_name: string;
+ ignore_above?: number;
+ index?: boolean;
+ level: string;
+ multi_fields?: MultiField[];
+ name: string;
+ normalize: string[];
+ required?: boolean;
+ scaling_factor?: number;
+ short: string;
+ type: string;
+}
+
+export const ecsFieldMap = Object.keys(EcsFlat).reduce((acc, currKey) => {
+ const value: EcsMetadata = EcsFlat[currKey as keyof typeof EcsFlat];
+ return {
+ ...acc,
+ [currKey]: {
+ type: value.type,
+ array: value.normalize.includes('array'),
+ required: !!value.required,
+ ...(value.scaling_factor ? { scaling_factor: value.scaling_factor } : {}),
+ ...(value.ignore_above ? { ignore_above: value.ignore_above } : {}),
+ ...(value.multi_fields ? { multi_fields: value.multi_fields } : {}),
+ ...(value.doc_values != null ? { doc_values: value.doc_values } : {}),
+ ...(value.index != null ? { index: value.index } : {}),
+ },
+ };
+}, {});
+
+export type EcsFieldMap = typeof ecsFieldMap;
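Review bot: `ecsFieldMap` is built with `reduce((acc, currKey) => ({ ...acc, ... }), {})`, which copies the accumulator on every iteration (quadratic in the number of ECS fields) and, because the initial value is the bare literal `{}`, the inferred type of `ecsFieldMap` — and therefore of the exported `EcsFieldMap` alias — appears to be `{}`, so the alias carries no field information. A plain loop into a typed accumulator (the `FieldMap` type exported from `./types`, assuming it accepts these entries) addresses both; the per-field spreads stay as they are and only the outer shape changes. A one-line header comment such as `// Derives the alerting FieldMap for every ECS field from the flat ECS definition` would also help readers who do not know `@kbn/ecs`.

```typescript
const fieldMap: FieldMap = {};
for (const currKey of Object.keys(EcsFlat)) {
  const value: EcsMetadata = EcsFlat[currKey as keyof typeof EcsFlat];
  fieldMap[currKey] = {
    type: value.type,
    array: value.normalize.includes('array'),
    required: !!value.required,
    // … unchanged: optional scaling_factor / ignore_above / multi_fields / doc_values / index spreads …
  };
}
export const ecsFieldMap = fieldMap;
```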
diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index d77da5b36526c0..dea683136a7639 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts @@ -6,6 +6,7 @@ */ export { alertFieldMap } from './field_maps/alert_field_map'; +export { ecsFieldMap } from './field_maps/ecs_field_map'; export { legacyAlertFieldMap } from './field_maps/legacy_alert_field_map'; export { mappingFromFieldMap } from './field_maps/mapping_from_field_map'; export { type FieldMap } from './field_maps/types'; diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 3b0a13aa88527d..7c8d1dfa9a7599 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -27,6 +27,7 @@ export * from './rule_snooze_type'; export { alertFieldMap, + ecsFieldMap, legacyAlertFieldMap, mappingFromFieldMap, getComponentTemplateFromFieldMap, diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 7a2759e256cc37..6aa6738cc4c77b 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts 
@@ -155,12 +155,14 @@ describe('Alerts Service', () => { expect(alertsService.isInitialized()).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); + const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; + expect(componentTemplate3.name).toEqual('.alerts-ecs-mappings'); }); test('should log error and set initialized to false if adding ILM policy throws error', async () => { 
@@ -226,17 +228,19 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - // 1x for framework component template, 1x for legacy alert, 2x for context specific - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); + // 1x for framework component template, 1x for legacy alert, 1x for ecs, 2x for context specific + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(5); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; - expect(componentTemplate3.name).toEqual('.alerts-another-mappings'); + expect(componentTemplate3.name).toEqual('.alerts-ecs-mappings'); const componentTemplate4 = clusterClient.cluster.putComponentTemplate.mock.calls[3][0]; - expect(componentTemplate4.name).toEqual('.alerts-test-mappings'); + expect(componentTemplate4.name).toEqual('.alerts-another-mappings'); + const componentTemplate5 = clusterClient.cluster.putComponentTemplate.mock.calls[4][0]; + expect(componentTemplate5.name).toEqual('.alerts-test-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.putIndexTemplate).toHaveBeenNthCalledWith( 
@@ -305,13 +309,15 @@ describe('Alerts Service', () => { expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; - expect(componentTemplate3.name).toEqual('.alerts-test-mappings'); + expect(componentTemplate3.name).toEqual('.alerts-ecs-mappings'); + const componentTemplate4 = clusterClient.cluster.putComponentTemplate.mock.calls[3][0]; + expect(componentTemplate4.name).toEqual('.alerts-test-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( getIndexTemplatePutBody() 
@@ -343,13 +349,15 @@ describe('Alerts Service', () => { expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; - expect(componentTemplate3.name).toEqual('.alerts-test-mappings'); + expect(componentTemplate3.name).toEqual('.alerts-ecs-mappings'); + const componentTemplate4 = clusterClient.cluster.putComponentTemplate.mock.calls[3][0]; + expect(componentTemplate4.name).toEqual('.alerts-test-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( getIndexTemplatePutBody({ useLegacyAlerts: true }) @@ -382,11 +390,13 @@ describe('Alerts Service', () => { expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); + const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; + expect(componentTemplate3.name).toEqual('.alerts-ecs-mappings'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith({ name: `.alerts-empty-default-template`, 
@@ -466,7 +476,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); // putIndexTemplate is skipped but other operations are called as expected expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); @@ -499,7 +509,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); @@ -523,7 +533,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); @@ -547,7 +557,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); 
@@ -568,7 +578,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); @@ -591,7 +601,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -615,7 +625,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -637,7 +647,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Failed to PUT mapping for alias alias_1: fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
@@ -657,7 +667,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -696,7 +706,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -729,7 +739,7 @@ describe('Alerts Service', () => { ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -751,7 +761,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
@@ -786,7 +796,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -822,7 +832,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -866,7 +876,7 @@ describe('Alerts Service', () => { alertsService.initialize(); await new Promise((r) => setTimeout(r, 150)); expect(alertsService.isInitialized()).toEqual(true); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(5); }); test('should retry updating index template for transient ES errors', async () => { diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index e3183b736219b2..723f67d7b425cd 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -13,7 +13,7 @@ import {
 import { get, isEmpty, isEqual } from 'lodash';
 import { Logger, ElasticsearchClient } from '@kbn/core/server';
 import { firstValueFrom, Observable } from 'rxjs';
-import { alertFieldMap, legacyAlertFieldMap, type FieldMap } from '../../common';
+import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap, type FieldMap } from '../../common';
 import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy';
 import {
 getComponentTemplate,
@@ -31,6 +31,7 @@ import {
 const TOTAL_FIELDS_LIMIT = 2500;
 const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes
 const LEGACY_ALERT_CONTEXT = 'legacy-alert';
+const ECS_CONTEXT = `ecs`;
 interface AlertsServiceParams {
 logger: Logger;
 pluginStop$: Observable;
@@ -108,6 +109,11 @@ export class AlertsService implements IAlertsService {
 esClient,
 getComponentTemplate(legacyAlertFieldMap, LEGACY_ALERT_CONTEXT)
 ),
+ () =>
+ this.createOrUpdateComponentTemplate(
+ esClient,
+ getComponentTemplate(ecsFieldMap, ECS_CONTEXT)
+ ),
 ];
 for (const fn of initFns) {
diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts
index 71a3d606ea45d1..c6c7d1b27399bb 100644
--- a/x-pack/plugins/alerting/server/alerts_service/types.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/types.ts
@@ -39,5 +39,5 @@ export const getComponentTemplate = (
 name: getComponentTemplateName(context),
 fieldMap,
 // set field limit slightly higher than actual number of fields
- fieldLimit: Math.ceil(Object.keys(fieldMap).length / 100) * 100,
+ fieldLimit: Math.ceil(Object.keys(fieldMap).length / 1000) * 1000,
 });
From 23b5bc7dd46f6722b318b10e1cba62dda1fb13b4 Mon Sep 17 00:00:00 2001
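Review bot: `fieldLimit: Math.ceil(Object.keys(fieldMap).length / 1000) * 1000` leaves no headroom when the key count is an exact multiple of 1000 (1000 keys → limit 1000), which contradicts the comment `// set field limit slightly higher than actual number of fields` directly above it; `Math.ceil((Object.keys(fieldMap).length + 1) / 1000) * 1000` guarantees at least one spare slot. The count is also of top-level field map keys, whereas the index `total_fields` limit counts every mapped field, so if `mappingFromFieldMap` emits the ECS `multi_fields` as sub-fields the real number is higher than the key count — worth checking against the ECS component template this commit installs. The comment should describe the actual rule, e.g. `// round the field count up to the next thousand so the limit is never below the mapped field count`.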
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 9 Feb 2023 21:14:46 +0000 Subject: [PATCH 17/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- x-pack/plugins/alerting/tsconfig.json | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/plugins/alerting/tsconfig.json b/x-pack/plugins/alerting/tsconfig.json index 1f7017de59a2e1..a65039fa5a2bb0 100644 --- a/x-pack/plugins/alerting/tsconfig.json +++ b/x-pack/plugins/alerting/tsconfig.json @@ -39,6 +39,7 @@ "@kbn/data-views-plugin", "@kbn/share-plugin", "@kbn/safer-lodash-set", + "@kbn/ecs", ], "exclude": [ "target/**/*", From 3444c8d586bcfae159fdb98a99848570b62a6d5e Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 9 Feb 2023 21:31:59 -0500 Subject: [PATCH 18/49] Fixing functional test --- .../tests/alerting/group4/alerts_as_data.ts | 32 ++++++++++++++++--- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts index c7b204a4fc1fac..b0f94996c74561 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; +import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import expect from '@kbn/expect'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; 
@@ -15,12 +15,14 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex const es = getService('es'); const frameworkMappings = mappingFromFieldMap(alertFieldMap, 'strict'); const legacyAlertMappings = mappingFromFieldMap(legacyAlertFieldMap, 'strict'); + const ecsMappings = mappingFromFieldMap(ecsFieldMap, 'strict'); describe('alerts as data', () => { it('should install common alerts as data resources on startup', async () => { const ilmPolicyName = 'alerts-default-ilm-policy'; const frameworkComponentTemplateName = '.alerts-framework-mappings'; const legacyComponentTemplateName = '.alerts-legacy-alert-mappings'; + const ecsComponentTemplateName = '.alerts-ecs-mappings'; const commonIlmPolicy = await es.ilm.getLifecycle({ name: ilmPolicyName, @@ -59,7 +61,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex number_of_shards: 1, mapping: { total_fields: { - limit: 100, + limit: 1000, }, }, }, @@ -81,7 +83,27 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex number_of_shards: 1, mapping: { total_fields: { - limit: 100, + limit: 1000, + }, + }, + }, + }); + + const { component_templates: componentTemplates3 } = await es.cluster.getComponentTemplate({ + name: ecsComponentTemplateName, + }); + + expect(componentTemplates3.length).to.eql(1); + const ecsComponentTemplate = componentTemplates3[0]; + + expect(ecsComponentTemplate.name).to.eql(ecsComponentTemplateName); + expect(ecsComponentTemplate.component_template.template.mappings).to.eql(ecsMappings); + expect(ecsComponentTemplate.component_template.template.settings).to.eql({ + index: { + number_of_shards: 1, + mapping: { + total_fields: { + limit: 2000, }, }, }, @@ -122,7 +144,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex number_of_shards: 1, mapping: { total_fields: { - limit: 100, + limit: 1000, }, }, }, 
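Review bot: The expected `limit` values `1000` and `2000` in the settings assertions are the rounded output of `getComponentTemplate` for the current size of each field map, so the ECS assertion in particular will break on the next `@kbn/ecs` bump that crosses a multiple of a thousand fields. Deriving them the same way the mappings are derived keeps the test tied to its input rather than to a snapshot, e.g. `const ecsFieldLimit = Math.ceil(Object.keys(ecsFieldMap).length / 1000) * 1000;` next to `ecsMappings`, then asserting `limit: ecsFieldLimit`. The test function starts outside the hunk.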
@@ -138,8 +160,8 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex '.alerts-test.always-firing-default-*', ]); expect(contextIndexTemplate.index_template.composed_of).to.eql([ - '.alerts-framework-mappings', '.alerts-test.always-firing-mappings', + '.alerts-framework-mappings', ]); expect(contextIndexTemplate.index_template.template!.mappings).to.eql({ dynamic: false, From cbfead14394c3d7241f6277cd950424b887c382c Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 9 Feb 2023 21:40:22 -0500 Subject: [PATCH 19/49] Adding flag to allow rule types to use ecs component template --- .../alerts_service/alerts_service.test.ts | 43 +++++++++++++++++++ .../server/alerts_service/alerts_service.ts | 7 ++- x-pack/plugins/alerting/server/types.ts | 1 + 3 files changed, 50 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 6aa6738cc4c77b..a9432794227a05 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -79,10 +79,12 @@ const IlmPutBody = { interface GetIndexTemplatePutBodyOpts { context?: string; useLegacyAlerts?: boolean; + useEcs?: boolean; } const getIndexTemplatePutBody = (opts?: GetIndexTemplatePutBodyOpts) => { const context = opts ? opts.context : undefined; const useLegacyAlerts = opts ? opts.useLegacyAlerts : undefined; + const useEcs = opts ? opts.useEcs : undefined; return { name: `.alerts-${context ? context : 'test'}-default-template`, body: { @@ -90,6 +92,7 @@ const getIndexTemplatePutBody = (opts?: GetIndexTemplatePutBodyOpts) => { composed_of: [ `.alerts-${context ? context : 'test'}-mappings`, ...(useLegacyAlerts ? ['.alerts-legacy-alert-mappings'] : []), + ...(useEcs ? ['.alerts-ecs-mappings'] : []), '.alerts-framework-mappings', ], template: { 
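Review bot: The reordered `composed_of` assertion now pins `.alerts-framework-mappings` last without saying why the order matters; Elasticsearch applies component templates in list order with later entries winning on conflicts, so this placement is presumably what stops a rule type's own field map from redefining framework `kibana.alert.*` fields. A one-line comment above the `expect`, e.g. `// framework mappings are composed last so they take precedence over context/legacy/ECS mappings`, would make that intent explicit and keep a future contributor from "fixing" the order back. The same ordering is encoded in `getIndexTemplatePutBody` in the unit-test hunk on this line and would benefit from the same comment. The enclosing `it` block starts outside the hunk.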
@@ -380,6 +383,46 @@ describe('Alerts Service', () => { }); }); + test('should correctly install resources for context when useEcs is true', async () => { + alertsService.register({ ...TestRegistrationContext, useEcs: true }); + await new Promise((r) => setTimeout(r, 50)); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); + const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; + expect(componentTemplate1.name).toEqual('.alerts-framework-mappings'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('.alerts-legacy-alert-mappings'); + const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; + expect(componentTemplate3.name).toEqual('.alerts-ecs-mappings'); + const componentTemplate4 = clusterClient.cluster.putComponentTemplate.mock.calls[3][0]; + expect(componentTemplate4.name).toEqual('.alerts-test-mappings'); + + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( + getIndexTemplatePutBody({ useEcs: true }) + ); + expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ + index: '.alerts-test-default-*', + }); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.create).toHaveBeenCalledWith({ + index: '.alerts-test-default-000001', + body: { + aliases: { + '.alerts-test-default': { + is_write_index: true, + }, + }, + }, + }); + }); + test('should not install component template for context if fieldMap is empty', async () => { alertsService.register({ context: 'empty', 
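Review bot: The new `useEcs` test waits on `await new Promise((r) => setTimeout(r, 50))` before checking `isContextInitialized`, which makes the assertion timing-dependent and a likely flake under CI load; if `register` exposes (or could expose) the initialization promise, awaiting that is deterministic, otherwise a bounded poll on `isContextInitialized` is safer than a fixed sleep. The test also only checks the ECS component template by name (`componentTemplate3.name`), so a regression in the ECS template's mappings or field limit would not be caught here; asserting on the template body as the functional test does would close that gap. The sleep pattern looks shared with the neighbouring tests, so a helper such as `await waitForContextInitialized(context)` may be the right place to fix it. The enclosing `describe('Alerts Service')` block starts outside the hunk.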
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 723f67d7b425cd..b76f3e574a0442 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -152,7 +152,7 @@ export class AlertsService implements IAlertsService { } private async initializeContext( - { context, fieldMap, useLegacyAlerts }: IRuleTypeAlerts, + { context, fieldMap, useEcs, useLegacyAlerts }: IRuleTypeAlerts, timeoutMs?: number ) { const esClient = await this.options.elasticsearchClientPromise; @@ -178,6 +178,11 @@ export class AlertsService implements IAlertsService { componentTemplateRefs.push(getComponentTemplateName(LEGACY_ALERT_CONTEXT)); } + // If useEcs is set to true, add the ECS component template to the references + if (useEcs) { + componentTemplateRefs.push(getComponentTemplateName(ECS_CONTEXT)); + } + // Add framework component template to the references componentTemplateRefs.push(getComponentTemplateName()); diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts index 19ecb79626bfbb..260ebecb0f7a6d 100644 --- a/x-pack/plugins/alerting/server/types.ts +++ b/x-pack/plugins/alerting/server/types.ts @@ -165,6 +165,7 @@ export interface IRuleTypeAlerts { context: string; namespace?: string; fieldMap: FieldMap; + useEcs?: boolean; useLegacyAlerts?: boolean; } From 482a43576b9ef001938ca7b116cb70c5604cc6b7 Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 13 Feb 2023 13:17:39 -0500 Subject: [PATCH 20/49] Trying to control bundle size --- x-pack/plugins/alerting/common/index.ts | 1 - .../plugins/alerting/server/alerts_service/alerts_service.ts | 3 ++- .../spaces_only/tests/alerting/group4/alerts_as_data.ts | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) 
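Review bot: `useEcs?: boolean` is added to `IRuleTypeAlerts` with no doc comment, and its effect is non-obvious: in `initializeContext` the ECS reference is pushed after the legacy one and before the framework one, so for any field present in both maps (the legacy map imports `EVENT_ACTION`, `EVENT_KIND` and `TAGS`, which are presumably also in the ECS flat schema) the ECS definition wins over the legacy one while the framework template still wins over both. A TSDoc line on the field, e.g. `/** Compose the shared ECS component template into this context's index template; ECS definitions take precedence over legacy-alert fields but not over framework fields. */`, plus the same sentence in the comment above the new `if (useEcs)` block, would record that precedence where it is decided. Whether the ECS and legacy definitions of those overlapping fields actually differ is not visible here and is worth a quick check before this ships. `initializeContext` continues outside the hunk.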
diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 7c8d1dfa9a7599..3b0a13aa88527d 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -27,7 +27,6 @@ export * from './rule_snooze_type'; export { alertFieldMap, - ecsFieldMap, legacyAlertFieldMap, mappingFromFieldMap, getComponentTemplateFromFieldMap, diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index b76f3e574a0442..d131ee1d31bfed 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -13,7 +13,8 @@ import { import { get, isEmpty, isEqual } from 'lodash'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; import { firstValueFrom, Observable } from 'rxjs'; -import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap, type FieldMap } from '../../common'; +import { alertFieldMap, legacyAlertFieldMap, type FieldMap } from '../../common'; +import { ecsFieldMap } from '../../common/alert_schema'; import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy'; import { getComponentTemplate, diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts index b0f94996c74561..1aabad94ad4ee0 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts 
@@ -5,9 +5,10 @@ * 2.0. */ -import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; +import { ecsFieldMap } from '@kbn/alerting-plugin/common/alert_schema'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; -import expect from '@kbn/expect'; +import expect from '@kbn/expect/expect'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export From b78b881f79945af8fb960368c932731e66fc7123 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 13 Feb 2023 18:21:53 +0000 Subject: [PATCH 21/49] [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix' --- .../spaces_only/tests/alerting/group4/alerts_as_data.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts index 1aabad94ad4ee0..c41422fe66c6dc 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts @@ -8,7 +8,7 @@ import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; import { ecsFieldMap } from '@kbn/alerting-plugin/common/alert_schema'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; -import expect from '@kbn/expect/expect'; +import expect from '@kbn/expect'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export From 031f0a47708e43b16157b966afe35a6ec2ea1f65 Mon Sep 17 00:00:00 2001 
From: Ying Date: Mon, 13 Feb 2023 16:45:03 -0500 Subject: [PATCH 22/49] Moving field maps to packages --- packages/kbn-rule-data-utils/index.ts | 1 + .../src}/field_maps/alert_field_map.ts | 7 ++++--- .../src}/field_maps/ecs_field_map.ts | 5 +++-- packages/kbn-rule-data-utils/src/field_maps/index.ts | 11 +++++++++++ .../src}/field_maps/legacy_alert_field_map.ts | 7 ++++--- .../field_maps/mapping_from_field_map.test.ts | 3 +-- x-pack/plugins/alerting/common/alert_schema/index.ts | 3 --- x-pack/plugins/alerting/common/index.ts | 1 - .../alerting/server/alerts_service/alerts_service.ts | 4 ++-- .../assets/field_maps/technical_rule_field_map.ts | 2 +- .../tests/alerting/group4/alerts_as_data.ts | 5 ++--- 11 files changed, 29 insertions(+), 20 deletions(-) rename {x-pack/plugins/alerting/common/alert_schema => packages/kbn-rule-data-utils/src}/field_maps/alert_field_map.ts (93%) rename {x-pack/plugins/alerting/common/alert_schema => packages/kbn-rule-data-utils/src}/field_maps/ecs_field_map.ts (88%) create mode 100644 packages/kbn-rule-data-utils/src/field_maps/index.ts rename {x-pack/plugins/alerting/common/alert_schema => packages/kbn-rule-data-utils/src}/field_maps/legacy_alert_field_map.ts (94%) diff --git a/packages/kbn-rule-data-utils/index.ts b/packages/kbn-rule-data-utils/index.ts index ea0028b972ed9e..112a5651463db8 100644 --- a/packages/kbn-rule-data-utils/index.ts +++ b/packages/kbn-rule-data-utils/index.ts @@ -14,3 +14,4 @@ export * from './src/alerts_as_data_severity'; export * from './src/alerts_as_data_status'; export * from './src/alerts_as_data_cases'; export * from './src/routes/stack_rule_paths'; +export * from './src/field_maps'; 
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/packages/kbn-rule-data-utils/src/field_maps/alert_field_map.ts similarity index 93% rename from x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts rename to packages/kbn-rule-data-utils/src/field_maps/alert_field_map.ts index 404e09666c52b6..bfbb00797104e6 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/packages/kbn-rule-data-utils/src/field_maps/alert_field_map.ts @@ -1,8 +1,9 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import { @@ -32,7 +33,7 @@ import { SPACE_IDS, TIMESTAMP, VERSION, -} from '@kbn/rule-data-utils'; +} from '../default_alerts_as_data'; export const alertFieldMap = { [ALERT_ACTION_GROUP]: { diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts b/packages/kbn-rule-data-utils/src/field_maps/ecs_field_map.ts similarity index 88% rename from x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts rename to packages/kbn-rule-data-utils/src/field_maps/ecs_field_map.ts index a22d8047ef482f..af41e14e814c33 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts +++ b/packages/kbn-rule-data-utils/src/field_maps/ecs_field_map.ts 
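Review bot: The license header changes from Elastic License 2.0 only to the dual Elastic License 2.0 / SSPL v1 text as part of moving `alert_field_map.ts` out of `x-pack` into `packages/`; that is a relicensing of the file's contents, not just a path change, and should be stated in the PR description and confirmed as intended rather than left implicit in a 93%-similarity rename. The same header swap is applied to `ecs_field_map.ts` and `legacy_alert_field_map.ts` in this commit, and the later `package.json` declares `SSPL-1.0 OR Elastic License 2.0`, so the three need to be reviewed together.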
@@ -1,8 +1,9 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import { EcsFlat } from '@kbn/ecs'; diff --git a/packages/kbn-rule-data-utils/src/field_maps/index.ts b/packages/kbn-rule-data-utils/src/field_maps/index.ts new file mode 100644 index 00000000000000..19eda894abd594 --- /dev/null +++ b/packages/kbn-rule-data-utils/src/field_maps/index.ts @@ -0,0 +1,11 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export * from './alert_field_map'; +export * from './legacy_alert_field_map'; +export * from './ecs_field_map'; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts b/packages/kbn-rule-data-utils/src/field_maps/legacy_alert_field_map.ts similarity index 94% rename from x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts rename to packages/kbn-rule-data-utils/src/field_maps/legacy_alert_field_map.ts index 6051834e676b5d..49f4c32247376f 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/legacy_alert_field_map.ts +++ b/packages/kbn-rule-data-utils/src/field_maps/legacy_alert_field_map.ts 
@@ -1,8 +1,9 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import { @@ -37,7 +38,7 @@ import { EVENT_ACTION, EVENT_KIND, TAGS, -} from '@kbn/rule-data-utils'; +} from '../legacy_alerts_as_data'; export const legacyAlertFieldMap = { [ALERT_RISK_SCORE]: { diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 049145b71abd39..af1cdec8ea43a7 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -4,10 +4,9 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; import { mappingFromFieldMap } from './mapping_from_field_map'; import { FieldMap } from './types'; -import { alertFieldMap } from './alert_field_map'; -import { legacyAlertFieldMap } from './legacy_alert_field_map'; describe('mappingFromFieldMap', () => { const fieldMap: FieldMap = { diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index dea683136a7639..7beec739549a45 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts 
@@ -5,9 +5,6 @@ * 2.0. */ -export { alertFieldMap } from './field_maps/alert_field_map'; -export { ecsFieldMap } from './field_maps/ecs_field_map'; -export { legacyAlertFieldMap } from './field_maps/legacy_alert_field_map'; export { mappingFromFieldMap } from './field_maps/mapping_from_field_map'; export { type FieldMap } from './field_maps/types'; export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 3b0a13aa88527d..761584e1f5b119 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -26,7 +26,6 @@ export * from './execution_log_types'; export * from './rule_snooze_type'; export { - alertFieldMap, legacyAlertFieldMap, mappingFromFieldMap, getComponentTemplateFromFieldMap, diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index d131ee1d31bfed..56f3ff709bd3ee 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -13,8 +13,8 @@ import { import { get, isEmpty, isEqual } from 'lodash'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; import { firstValueFrom, Observable } from 'rxjs'; -import { alertFieldMap, legacyAlertFieldMap, type FieldMap } from '../../common'; -import { ecsFieldMap } from '../../common/alert_schema'; +import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; +import { type FieldMap } from '../../common'; import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy'; import { getComponentTemplate, 
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index c6ab419534f4b4..79119b21bc565f 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; import { pickWithPatterns } from '../../pick_with_patterns'; export const technicalRuleFieldMap = { diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts index 1aabad94ad4ee0..2238f53d13ecb1 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts @@ -5,10 +5,9 @@ * 2.0. */ -import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerting-plugin/common'; -import { ecsFieldMap } from '@kbn/alerting-plugin/common/alert_schema'; +import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; -import expect from '@kbn/expect/expect'; +import expect from '@kbn/expect'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export From cadc717ea14e6033af8f7239ba0ac3b49961a1d9 Mon Sep 17 00:00:00 2001 
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 13 Feb 2023 21:51:16 +0000 Subject: [PATCH 23/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- packages/kbn-rule-data-utils/tsconfig.json | 3 ++- x-pack/plugins/alerting/tsconfig.json | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/kbn-rule-data-utils/tsconfig.json b/packages/kbn-rule-data-utils/tsconfig.json index 5c94013fc2eaf0..7d13aeaeddce40 100644 --- a/packages/kbn-rule-data-utils/tsconfig.json +++ b/packages/kbn-rule-data-utils/tsconfig.json @@ -11,7 +11,8 @@ "**/*.ts" ], "kbn_references": [ - "@kbn/es-query" + "@kbn/es-query", + "@kbn/ecs" ], "exclude": [ "target/**/*", diff --git a/x-pack/plugins/alerting/tsconfig.json b/x-pack/plugins/alerting/tsconfig.json index a65039fa5a2bb0..1f7017de59a2e1 100644 --- a/x-pack/plugins/alerting/tsconfig.json +++ b/x-pack/plugins/alerting/tsconfig.json @@ -39,7 +39,6 @@ "@kbn/data-views-plugin", "@kbn/share-plugin", "@kbn/safer-lodash-set", - "@kbn/ecs", ], "exclude": [ "target/**/*", From 5e6b9956d178b78b5659299d78d8bff8b0b0b33a Mon Sep 17 00:00:00 2001 From: Ying Date: Tue, 14 Feb 2023 08:50:30 -0500 Subject: [PATCH 24/49] Fixing types --- x-pack/plugins/alerting/common/index.ts | 1 - x-pack/plugins/apm/kibana.jsonc | 1 - 2 files changed, 2 deletions(-) diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 761584e1f5b119..2507b0f3c11bcb 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -26,7 +26,6 @@ export * from './execution_log_types'; export * from './rule_snooze_type'; export { - legacyAlertFieldMap, mappingFromFieldMap, getComponentTemplateFromFieldMap, type FieldMap, diff --git a/x-pack/plugins/apm/kibana.jsonc b/x-pack/plugins/apm/kibana.jsonc index 2faacdb89925f2..9d77d00b21befb 100644 --- a/x-pack/plugins/apm/kibana.jsonc +++ b/x-pack/plugins/apm/kibana.jsonc 
@@ -45,7 +45,6 @@ "usageCollection" ], "requiredBundles": [ - "alerting", "fleet", "kibanaReact", "kibanaUtils", From c828e613ca05322568c69386a6cca354f6627763 Mon Sep 17 00:00:00 2001 From: Ying Date: Tue, 14 Feb 2023 14:01:17 -0500 Subject: [PATCH 25/49] Moving to a new package --- package.json | 1 + packages/kbn-alerts-as-data-utils/README.md | 3 +++ packages/kbn-alerts-as-data-utils/index.ts | 9 +++++++++ .../kbn-alerts-as-data-utils/jest.config.js | 13 +++++++++++++ .../kbn-alerts-as-data-utils/kibana.jsonc | 5 +++++ .../kbn-alerts-as-data-utils/package.json | 6 ++++++ .../src/field_maps/alert_field_map.ts | 0 .../src/field_maps/ecs_field_map.ts | 0 .../src/field_maps/index.ts | 2 +- .../src/field_maps/legacy_alert_field_map.ts | 0 .../kbn-alerts-as-data-utils/tsconfig.json | 19 +++++++++++++++++++ packages/kbn-rule-data-utils/index.ts | 1 - tsconfig.base.json | 2 ++ .../field_maps/mapping_from_field_map.test.ts | 2 +- .../server/alerts_service/alerts_service.ts | 2 +- .../field_maps/technical_rule_field_map.ts | 2 +- yarn.lock | 4 ++++ 17 files changed, 66 insertions(+), 5 deletions(-) create mode 100644 packages/kbn-alerts-as-data-utils/README.md create mode 100644 packages/kbn-alerts-as-data-utils/index.ts create mode 100644 packages/kbn-alerts-as-data-utils/jest.config.js create mode 100644 packages/kbn-alerts-as-data-utils/kibana.jsonc create mode 100644 packages/kbn-alerts-as-data-utils/package.json rename packages/{kbn-rule-data-utils => kbn-alerts-as-data-utils}/src/field_maps/alert_field_map.ts (100%) rename packages/{kbn-rule-data-utils => kbn-alerts-as-data-utils}/src/field_maps/ecs_field_map.ts (100%) rename packages/{kbn-rule-data-utils => kbn-alerts-as-data-utils}/src/field_maps/index.ts (100%) rename packages/{kbn-rule-data-utils => kbn-alerts-as-data-utils}/src/field_maps/legacy_alert_field_map.ts (100%) create mode 100644 packages/kbn-alerts-as-data-utils/tsconfig.json 
diff --git a/package.json b/package.json index a3e5a3b5f6e336..ecf83e52b24708 100644 --- a/package.json +++ b/package.json @@ -144,6 +144,7 @@ "@kbn/alerting-fixture-plugin": "link:x-pack/test/functional_with_es_ssl/plugins/alerts", "@kbn/alerting-plugin": "link:x-pack/plugins/alerting", "@kbn/alerts": "link:packages/kbn-alerts", + "@kbn/alerts-as-data-utils": "link:packages/kbn-alerts-as-data-utils", "@kbn/alerts-restricted-fixtures-plugin": "link:x-pack/test/alerting_api_integration/common/plugins/alerts_restricted", "@kbn/alerts-ui-shared": "link:packages/kbn-alerts-ui-shared", "@kbn/analytics": "link:packages/kbn-analytics", diff --git a/packages/kbn-alerts-as-data-utils/README.md b/packages/kbn-alerts-as-data-utils/README.md new file mode 100644 index 00000000000000..b7b200c591f694 --- /dev/null +++ b/packages/kbn-alerts-as-data-utils/README.md @@ -0,0 +1,3 @@ +# @kbn/alerts-as-data-utils + +Empty package generated by @kbn/generate diff --git a/packages/kbn-alerts-as-data-utils/index.ts b/packages/kbn-alerts-as-data-utils/index.ts new file mode 100644 index 00000000000000..7b2cad2ca54404 --- /dev/null +++ b/packages/kbn-alerts-as-data-utils/index.ts @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export * from './src/field_maps'; diff --git a/packages/kbn-alerts-as-data-utils/jest.config.js b/packages/kbn-alerts-as-data-utils/jest.config.js new file mode 100644 index 00000000000000..347db52d6e7682 --- /dev/null +++ b/packages/kbn-alerts-as-data-utils/jest.config.js 
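Review bot: The new package entry point `export * from './src/field_maps';` ships alongside a README that still reads `Empty package generated by @kbn/generate`, so nothing in the package says what it is for or that it is no longer empty. Replace the README body with a short description, e.g. `Shared field maps (alertFieldMap, ecsFieldMap, legacyAlertFieldMap) used to build the alerts-as-data component templates`, and consider a TSDoc header on `index.ts` saying the same so consumers of the barrel know that `ecsFieldMap` pulls in the full `@kbn/ecs` flat schema.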
@@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +module.exports = { + preset: '@kbn/test', + rootDir: '../..', + roots: ['/packages/kbn-alerts-as-data-utils'], +}; diff --git a/packages/kbn-alerts-as-data-utils/kibana.jsonc b/packages/kbn-alerts-as-data-utils/kibana.jsonc new file mode 100644 index 00000000000000..6001de8bcc632d --- /dev/null +++ b/packages/kbn-alerts-as-data-utils/kibana.jsonc @@ -0,0 +1,5 @@ +{ + "type": "shared-common", + "id": "@kbn/alerts-as-data-utils", + "owner": "@elastic/response-ops-team" +} diff --git a/packages/kbn-alerts-as-data-utils/package.json b/packages/kbn-alerts-as-data-utils/package.json new file mode 100644 index 00000000000000..25aa26b3d435c4 --- /dev/null +++ b/packages/kbn-alerts-as-data-utils/package.json @@ -0,0 +1,6 @@ +{ + "name": "@kbn/alerts-as-data-utils", + "private": true, + "version": "1.0.0", + "license": "SSPL-1.0 OR Elastic License 2.0" +} \ No newline at end of file diff --git a/packages/kbn-rule-data-utils/src/field_maps/alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts similarity index 100% rename from packages/kbn-rule-data-utils/src/field_maps/alert_field_map.ts rename to packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts diff --git a/packages/kbn-rule-data-utils/src/field_maps/ecs_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts similarity index 100% rename from packages/kbn-rule-data-utils/src/field_maps/ecs_field_map.ts rename to packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts 
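Review bot: `kibana.jsonc` declares the package as `"type": "shared-common"`, which makes it importable from browser code, yet one of its exports (`ecsFieldMap`) is built from `EcsFlat` in `@kbn/ecs`, a large object, and the previous commit in this series ("Trying to control bundle size") was specifically trying to keep that out of the common bundle. If no browser consumer needs the ECS map, a server-only package type, or splitting `ecsFieldMap` into its own entry that only server code imports, would stop it being pulled into a client bundle by accident through the `export *` barrel. Whether any current importer is browser-side is not visible from the diff.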
diff --git a/packages/kbn-rule-data-utils/src/field_maps/index.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts similarity index 100% rename from packages/kbn-rule-data-utils/src/field_maps/index.ts rename to packages/kbn-alerts-as-data-utils/src/field_maps/index.ts index 19eda894abd594..7678388282a748 100644 --- a/packages/kbn-rule-data-utils/src/field_maps/index.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts @@ -7,5 +7,5 @@ */ export * from './alert_field_map'; -export * from './legacy_alert_field_map'; export * from './ecs_field_map'; +export * from './legacy_alert_field_map'; diff --git a/packages/kbn-rule-data-utils/src/field_maps/legacy_alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_alert_field_map.ts similarity index 100% rename from packages/kbn-rule-data-utils/src/field_maps/legacy_alert_field_map.ts rename to packages/kbn-alerts-as-data-utils/src/field_maps/legacy_alert_field_map.ts diff --git a/packages/kbn-alerts-as-data-utils/tsconfig.json b/packages/kbn-alerts-as-data-utils/tsconfig.json new file mode 100644 index 00000000000000..dad708677fd870 --- /dev/null +++ b/packages/kbn-alerts-as-data-utils/tsconfig.json @@ -0,0 +1,19 @@ +{ + "extends": "../../tsconfig.base.json", + "compilerOptions": { + "outDir": "target/types", + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "**/*.ts", + "**/*.tsx", + ], + "exclude": [ + "target/**/*" + ], + "kbn_references": [] +} diff --git a/packages/kbn-rule-data-utils/index.ts b/packages/kbn-rule-data-utils/index.ts index 112a5651463db8..ea0028b972ed9e 100644 --- a/packages/kbn-rule-data-utils/index.ts +++ b/packages/kbn-rule-data-utils/index.ts @@ -14,4 +14,3 @@ export * from './src/alerts_as_data_severity'; export * from './src/alerts_as_data_status'; export * from './src/alerts_as_data_cases'; export * from './src/routes/stack_rule_paths'; -export * from './src/field_maps'; 
diff --git a/tsconfig.base.json b/tsconfig.base.json index e4cf587ee9cb42..ffcd4798fe8813 100644 --- a/tsconfig.base.json +++ b/tsconfig.base.json @@ -32,6 +32,8 @@ "@kbn/alerting-plugin/*": ["x-pack/plugins/alerting/*"], "@kbn/alerts": ["packages/kbn-alerts"], "@kbn/alerts/*": ["packages/kbn-alerts/*"], + "@kbn/alerts-as-data-utils": ["packages/kbn-alerts-as-data-utils"], + "@kbn/alerts-as-data-utils/*": ["packages/kbn-alerts-as-data-utils/*"], "@kbn/alerts-restricted-fixtures-plugin": ["x-pack/test/alerting_api_integration/common/plugins/alerts_restricted"], "@kbn/alerts-restricted-fixtures-plugin/*": ["x-pack/test/alerting_api_integration/common/plugins/alerts_restricted/*"], "@kbn/alerts-ui-shared": ["packages/kbn-alerts-ui-shared"], diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index af1cdec8ea43a7..cd73e8d8f7a757 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { alertFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils'; import { mappingFromFieldMap } from './mapping_from_field_map'; import { FieldMap } from './types'; diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 87c6bf33927dbc..c6421e29d12b88 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -13,7 +13,7 @@ import { import { get, isEmpty, isEqual } from 'lodash'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; import { firstValueFrom, Observable } from 'rxjs'; -import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; +import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils'; import { type FieldMap } from '../../common'; import { DEFAULT_ALERTS_ILM_POLICY_NAME, diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index 79119b21bc565f..ef476f468544b5 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { alertFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; +import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils'; import { pickWithPatterns } from '../../pick_with_patterns'; export const technicalRuleFieldMap = { diff --git a/yarn.lock b/yarn.lock index 405c3ad9bf181d..226ee161402412 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2785,6 +2785,10 @@ version "0.0.0" uid "" +"@kbn/alerts-as-data-utils@link:packages/kbn-alerts-as-data-utils": + version "0.0.0" + uid "" + "@kbn/alerts-restricted-fixtures-plugin@link:x-pack/test/alerting_api_integration/common/plugins/alerts_restricted": version "0.0.0" uid "" From 27d63d13d0df51f96efba4ec3156a761bef1e1dc Mon Sep 17 00:00:00 2001 
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 14 Feb 2023 19:07:50 +0000 Subject: [PATCH 26/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- packages/kbn-alerts-as-data-utils/tsconfig.json | 6 ++++-- packages/kbn-rule-data-utils/tsconfig.json | 1 - x-pack/plugins/alerting/tsconfig.json | 1 + x-pack/plugins/rule_registry/tsconfig.json | 1 + 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/packages/kbn-alerts-as-data-utils/tsconfig.json b/packages/kbn-alerts-as-data-utils/tsconfig.json index dad708677fd870..6e40098450eda3 100644 --- a/packages/kbn-alerts-as-data-utils/tsconfig.json +++ b/packages/kbn-alerts-as-data-utils/tsconfig.json @@ -10,10 +10,12 @@ }, "include": [ "**/*.ts", - "**/*.tsx", + "**/*.tsx", ], "exclude": [ "target/**/*" ], - "kbn_references": [] + "kbn_references": [ + "@kbn/ecs", + ] } diff --git a/packages/kbn-rule-data-utils/tsconfig.json b/packages/kbn-rule-data-utils/tsconfig.json index 7d13aeaeddce40..77352c4f44209c 100644 --- a/packages/kbn-rule-data-utils/tsconfig.json +++ b/packages/kbn-rule-data-utils/tsconfig.json @@ -12,7 +12,6 @@ ], "kbn_references": [ "@kbn/es-query", - "@kbn/ecs" ], "exclude": [ "target/**/*", diff --git a/x-pack/plugins/alerting/tsconfig.json b/x-pack/plugins/alerting/tsconfig.json index 1f7017de59a2e1..08524ee24ea582 100644 --- a/x-pack/plugins/alerting/tsconfig.json +++ b/x-pack/plugins/alerting/tsconfig.json @@ -39,6 +39,7 @@ "@kbn/data-views-plugin", "@kbn/share-plugin", "@kbn/safer-lodash-set", + "@kbn/alerts-as-data-utils", ], "exclude": [ "target/**/*", diff --git a/x-pack/plugins/rule_registry/tsconfig.json b/x-pack/plugins/rule_registry/tsconfig.json index 188e7567dffb73..1bb9b96e6aa921 100644 --- a/x-pack/plugins/rule_registry/tsconfig.json +++ b/x-pack/plugins/rule_registry/tsconfig.json 
@@ -31,6 +31,7 @@ "@kbn/logging", "@kbn/securitysolution-io-ts-utils", "@kbn/share-plugin", + "@kbn/alerts-as-data-utils", ], "exclude": [ "target/**/*", From 98a34faa434b08a2d24b04211f8051effe70f90d Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 14 Feb 2023 19:14:48 +0000 Subject: [PATCH 27/49] [CI] Auto-commit changed files from 'node scripts/generate codeowners' --- .github/CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 6b230be1aefebb..66197f986a7d5f 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -19,6 +19,7 @@ x-pack/examples/alerting_example @elastic/response-ops x-pack/test/functional_with_es_ssl/plugins/alerts @elastic/response-ops x-pack/plugins/alerting @elastic/response-ops packages/kbn-alerts @elastic/security-solution +packages/kbn-alerts-as-data-utils @elastic/response-ops-team x-pack/test/alerting_api_integration/common/plugins/alerts_restricted @elastic/response-ops packages/kbn-alerts-ui-shared @elastic/response-ops packages/kbn-ambient-common-types @elastic/kibana-operations From c60177a3930e3573a4569ebbfb4ec03029db1d4c Mon Sep 17 00:00:00 2001 From: Ying Date: Tue, 14 Feb 2023 14:33:25 -0500 Subject: [PATCH 28/49] Fixing checks --- .../kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts | 2 +- .../src/field_maps/legacy_alert_field_map.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts index bfbb00797104e6..8e5a606a910176 100644 --- a/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts @@ -33,7 +33,7 @@ import { SPACE_IDS, TIMESTAMP, VERSION, -} from '../default_alerts_as_data'; +} from '@kbn/rule-data-utils'; export const alertFieldMap = { [ALERT_ACTION_GROUP]: { 
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_alert_field_map.ts index 49f4c32247376f..6faa403188fdbe 100644 --- a/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_alert_field_map.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_alert_field_map.ts @@ -38,7 +38,7 @@ import { EVENT_ACTION, EVENT_KIND, TAGS, -} from '../legacy_alerts_as_data'; +} from '@kbn/rule-data-utils'; export const legacyAlertFieldMap = { [ALERT_RISK_SCORE]: { From dc311d958c5e6824e9f60349eeb7da546b932599 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 14 Feb 2023 19:39:24 +0000 Subject: [PATCH 29/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- packages/kbn-alerts-as-data-utils/tsconfig.json | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/kbn-alerts-as-data-utils/tsconfig.json b/packages/kbn-alerts-as-data-utils/tsconfig.json index 6e40098450eda3..4ddbcfef1fa296 100644 --- a/packages/kbn-alerts-as-data-utils/tsconfig.json +++ b/packages/kbn-alerts-as-data-utils/tsconfig.json @@ -17,5 +17,6 @@ ], "kbn_references": [ "@kbn/ecs", + "@kbn/rule-data-utils", ] } From 5d6f656df7f48d09b859a86d00caf9a0811c18e7 Mon Sep 17 00:00:00 2001 From: Ying Date: Tue, 14 Feb 2023 15:03:10 -0500 Subject: [PATCH 30/49] Fixing checks --- .github/CODEOWNERS | 2 +- .../spaces_only/tests/alerting/group4/alerts_as_data.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 66197f986a7d5f..e4f53618788a94 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -19,7 +19,7 @@ x-pack/examples/alerting_example @elastic/response-ops x-pack/test/functional_with_es_ssl/plugins/alerts @elastic/response-ops x-pack/plugins/alerting @elastic/response-ops packages/kbn-alerts @elastic/security-solution -packages/kbn-alerts-as-data-utils @elastic/response-ops-team +packages/kbn-alerts-as-data-utils @elastic/response-ops x-pack/test/alerting_api_integration/common/plugins/alerts_restricted @elastic/response-ops packages/kbn-alerts-ui-shared @elastic/response-ops packages/kbn-ambient-common-types @elastic/kibana-operations diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts index a36ef210f7ae72..0172e12a18af34 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/rule-data-utils'; +import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; import expect from '@kbn/expect'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; From 089807f300ed552f7e9f0b78c6f11dd1c751f4e4 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 14 Feb 2023 20:08:53 +0000 Subject: [PATCH 31/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- x-pack/test/tsconfig.json | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/test/tsconfig.json b/x-pack/test/tsconfig.json index 95f90a10734d3f..336b90df818827 100644 --- a/x-pack/test/tsconfig.json +++ b/x-pack/test/tsconfig.json 
@@ -115,5 +115,6 @@ "@kbn/cloud-security-posture-plugin", "@kbn/cloud-integration-saml-provider-plugin", "@kbn/security-api-integration-helpers", + "@kbn/alerts-as-data-utils", ] } From 6d00d49ce5b9f1ed61729f9b043716ae60dffa7a Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 14 Feb 2023 20:14:42 +0000 Subject: [PATCH 32/49] [CI] Auto-commit changed files from 'node scripts/generate codeowners' --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index e4f53618788a94..66197f986a7d5f 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -19,7 +19,7 @@ x-pack/examples/alerting_example @elastic/response-ops x-pack/test/functional_with_es_ssl/plugins/alerts @elastic/response-ops x-pack/plugins/alerting @elastic/response-ops packages/kbn-alerts @elastic/security-solution -packages/kbn-alerts-as-data-utils @elastic/response-ops +packages/kbn-alerts-as-data-utils @elastic/response-ops-team x-pack/test/alerting_api_integration/common/plugins/alerts_restricted @elastic/response-ops packages/kbn-alerts-ui-shared @elastic/response-ops packages/kbn-ambient-common-types @elastic/kibana-operations From 539b4c36f668a0f59c7f062da746951008ec0567 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 15 Feb 2023 08:02:33 -0500 Subject: [PATCH 33/49] cleanup --- packages/kbn-alerts-as-data-utils/README.md | 3 --- packages/kbn-alerts-as-data-utils/jest.config.js | 13 ------------- packages/kbn-alerts-as-data-utils/kibana.jsonc | 2 +- packages/kbn-alerts-as-data-utils/tsconfig.json | 6 ++---- 4 files changed, 3 insertions(+), 21 deletions(-) delete mode 100644 packages/kbn-alerts-as-data-utils/README.md delete mode 100644 packages/kbn-alerts-as-data-utils/jest.config.js diff --git a/packages/kbn-alerts-as-data-utils/README.md b/packages/kbn-alerts-as-data-utils/README.md deleted file mode 100644 index b7b200c591f694..00000000000000 
--- a/packages/kbn-alerts-as-data-utils/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# @kbn/alerts-as-data-utils - -Empty package generated by @kbn/generate diff --git a/packages/kbn-alerts-as-data-utils/jest.config.js b/packages/kbn-alerts-as-data-utils/jest.config.js deleted file mode 100644 index 347db52d6e7682..00000000000000 --- a/packages/kbn-alerts-as-data-utils/jest.config.js +++ /dev/null @@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -module.exports = { - preset: '@kbn/test', - rootDir: '../..', - roots: ['/packages/kbn-alerts-as-data-utils'], -}; diff --git a/packages/kbn-alerts-as-data-utils/kibana.jsonc b/packages/kbn-alerts-as-data-utils/kibana.jsonc index 6001de8bcc632d..07e8490dde7b53 100644 --- a/packages/kbn-alerts-as-data-utils/kibana.jsonc +++ b/packages/kbn-alerts-as-data-utils/kibana.jsonc @@ -1,5 +1,5 @@ { "type": "shared-common", "id": "@kbn/alerts-as-data-utils", - "owner": "@elastic/response-ops-team" + "owner": "@elastic/response-ops" } diff --git a/packages/kbn-alerts-as-data-utils/tsconfig.json b/packages/kbn-alerts-as-data-utils/tsconfig.json index 4ddbcfef1fa296..00b7ffc082c954 100644 --- a/packages/kbn-alerts-as-data-utils/tsconfig.json +++ b/packages/kbn-alerts-as-data-utils/tsconfig.json @@ -4,13 +4,11 @@ "outDir": "target/types", "types": [ "jest", - "node", - "react" + "node" ] }, "include": [ - "**/*.ts", - "**/*.tsx", + "**/*.ts" ], "exclude": [ "target/**/*" From 52dfd19f26b429430a29cc4e921562cf722fcbb6 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 15 Feb 2023 08:03:49 -0500 Subject: [PATCH 34/49] cleanup --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 66197f986a7d5f..e4f53618788a94 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -19,7 +19,7 @@ x-pack/examples/alerting_example @elastic/response-ops x-pack/test/functional_with_es_ssl/plugins/alerts @elastic/response-ops x-pack/plugins/alerting @elastic/response-ops packages/kbn-alerts @elastic/security-solution -packages/kbn-alerts-as-data-utils @elastic/response-ops-team +packages/kbn-alerts-as-data-utils @elastic/response-ops x-pack/test/alerting_api_integration/common/plugins/alerts_restricted @elastic/response-ops packages/kbn-alerts-ui-shared @elastic/response-ops packages/kbn-ambient-common-types @elastic/kibana-operations From 88a0ea7d88d8a672aab98efd8cd2ccd6e79eb9dc Mon Sep 17 00:00:00 2001 
From: Ying Date: Wed, 15 Feb 2023 11:55:58 -0500 Subject: [PATCH 35/49] Conditionally installing ECS component template. Updating to use same ecs field map everywhere --- .../src/field_maps/ecs_field_map.ts | 33 +- .../src/field_maps/index.ts | 1 + .../src/field_maps/types.ts | 54 + .../component_template_from_field_map.ts | 2 +- .../field_maps/mapping_from_field_map.test.ts | 2 +- .../field_maps/mapping_from_field_map.ts | 2 +- .../common/alert_schema/field_maps/types.ts | 29 - .../alerting/common/alert_schema/index.ts | 1 - x-pack/plugins/alerting/common/index.ts | 6 +- .../server/alerts_service/alerts_service.ts | 11 +- .../alerting/server/alerts_service/index.ts | 13 + .../alerting/server/alerts_service/types.ts | 5 +- x-pack/plugins/alerting/server/index.ts | 5 +- x-pack/plugins/alerting/server/types.ts | 2 +- .../log_threshold/log_threshold_executor.ts | 4 +- .../server/services/rules/rule_data_client.ts | 2 +- x-pack/plugins/observability/server/plugin.ts | 2 +- x-pack/plugins/rule_registry/common/assets.ts | 3 +- .../ecs_component_template.ts | 25 - .../common/assets/field_maps/ecs_field_map.ts | 6151 ----------------- .../common/field_map/merge_field_maps.ts | 2 +- .../field_map/runtime_type_from_fieldmap.ts | 2 +- .../resource_installer.test.ts | 31 +- .../resource_installer.ts | 34 +- .../common/utils/field_formatters.ts | 2 +- .../factories/utils/strip_non_ecs_fields.ts | 2 +- .../security_solution/server/plugin.ts | 5 +- .../common/utils/field_formatters.ts | 2 +- 28 files changed, 125 insertions(+), 6308 deletions(-) create mode 100644 packages/kbn-alerts-as-data-utils/src/field_maps/types.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts create mode 100644 x-pack/plugins/alerting/server/alerts_service/index.ts delete mode 100644 x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts delete mode 100644 x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts 
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts index af41e14e814c33..ecbf8f31115ae3 100644 --- a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts @@ -7,38 +7,9 @@ */ import { EcsFlat } from '@kbn/ecs'; +import { EcsMetadata, FieldMap } from './types'; -export interface AllowedValue { - description?: string; - name?: string; -} - -export interface MultiField { - flat_name: string; - name: string; - type: string; -} - -export interface EcsMetadata { - allowed_values?: AllowedValue[]; - dashed_name: string; - description: string; - doc_values?: boolean; - example?: string | number | boolean; - flat_name: string; - ignore_above?: number; - index?: boolean; - level: string; - multi_fields?: MultiField[]; - name: string; - normalize: string[]; - required?: boolean; - scaling_factor?: number; - short: string; - type: string; -} - -export const ecsFieldMap = Object.keys(EcsFlat).reduce((acc, currKey) => { +export const ecsFieldMap: FieldMap = Object.keys(EcsFlat).reduce((acc, currKey) => { const value: EcsMetadata = EcsFlat[currKey as keyof typeof EcsFlat]; return { ...acc, diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts index 7678388282a748..9aef7690b343ca 100644 --- a/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts @@ -9,3 +9,4 @@ export * from './alert_field_map'; export * from './ecs_field_map'; export * from './legacy_alert_field_map'; +export type { FieldMap, MultiField } from './types'; diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts new file mode 100644 index 00000000000000..6e66a72d224b82 --- /dev/null 
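Review bot: The reducer on the new `export const ecsFieldMap: FieldMap = Object.keys(EcsFlat).reduce((acc, currKey) => {` line still returns `{ ...acc, ... }` on every iteration, which copies the whole accumulator once per ECS key and makes building the map quadratic in the size of `EcsFlat` at module load. Assigning into the accumulator (`acc[currKey] = { ... }; return acc;`) or collecting entries and calling `Object.fromEntries` builds the same object in one pass; the rest of the callback and the reduce's initial value are outside the hunk, so check nothing there depends on a fresh object each step. The removed rule_registry copy of this map carried a "generated, do not edit" notice; a one-line comment here such as `// Derived from @kbn/ecs EcsFlat at load time; do not hand-edit entries` would preserve that intent now that the source of truth is a computed value.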
+++ b/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export interface AllowedValue {
+ description?: string;
+ name?: string;
+}
+
+export interface MultiField {
+ flat_name: string;
+ name: string;
+ type: string;
+}
+
+export interface EcsMetadata {
+ allowed_values?: AllowedValue[];
+ dashed_name: string;
+ description: string;
+ doc_values?: boolean;
+ example?: string | number | boolean;
+ flat_name: string;
+ ignore_above?: number;
+ index?: boolean;
+ level: string;
+ multi_fields?: MultiField[];
+ name: string;
+ normalize: string[];
+ required?: boolean;
+ scaling_factor?: number;
+ short: string;
+ type: string;
+}
+
+export interface FieldMap {
+ [key: string]: {
+ type: string;
+ required: boolean;
+ array?: boolean;
+ doc_values?: boolean;
+ enabled?: boolean;
+ format?: string;
+ ignore_above?: number;
+ index?: boolean;
+ multi_fields?: MultiField[];
+ path?: string;
+ scaling_factor?: number;
+ dynamic?: boolean | 'strict';
+ };
+}
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
index b4cd25a4f41260..4fc36193a15d9b 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
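Review bot: `MultiField.flat_name` is declared required here (`flat_name: string;`) whereas the alerting-plugin `FieldMap` type that this commit deletes had it optional (`flat_name?: string;`); since the shared `FieldMap` now flows into `mappingFromFieldMap` and `getComponentTemplateFromFieldMap`, any hand-written field map whose `multi_fields` entries omit `flat_name` will stop compiling. If the tightening is intended, a TSDoc line on `MultiField` stating that `flat_name` is the fully qualified field name would make that explicit; otherwise keep it optional as before. `FieldMap` is now a public type of a shared package and has no documentation; something like `/** Flattened field name -> Elasticsearch mapping options, consumed when building alert index mappings. */` on the interface would help consumers, and the `[key: string]` index signature means reads are `T | undefined` under `noUncheckedIndexedAccess`, which callers should expect.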
@@ -6,8 +6,8 @@ */ import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types'; +import { type FieldMap } from '@kbn/alerts-as-data-utils'; import { mappingFromFieldMap } from './mapping_from_field_map'; -import { FieldMap } from './types'; export interface GetComponentTemplateFromFieldMapOpts { name: string; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index cd73e8d8f7a757..52384880d8aa8f 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -6,7 +6,7 @@ */ import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils'; import { mappingFromFieldMap } from './mapping_from_field_map'; -import { FieldMap } from './types'; +import type { FieldMap } from '@kbn/alerts-as-data-utils'; describe('mappingFromFieldMap', () => { const fieldMap: FieldMap = { diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts index 5a1de7a995b366..1d56fb853bb3ed 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts @@ -7,7 +7,7 @@ import type { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { set } from '@kbn/safer-lodash-set'; -import { FieldMap, MultiField } from './types'; +import type { FieldMap, MultiField } from '@kbn/alerts-as-data-utils'; export function mappingFromFieldMap( fieldMap: FieldMap, 
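Review bot: The test file now imports from `@kbn/alerts-as-data-utils` twice (`import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils';` and, two lines later, `import type { FieldMap } from '@kbn/alerts-as-data-utils';`); merging them as `import { alertFieldMap, legacyAlertFieldMap, type FieldMap } from '@kbn/alerts-as-data-utils';` keeps one import per module. The same commit mixes `import type { FieldMap }` and `import { type FieldMap }` across files (the component_template_from_field_map.ts hunk here, and the alerts_service/types.ts and server/types.ts hunks later); settling on one form would keep the package consistent.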
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts deleted file mode 100644 index 1150a353ac46a6..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -export interface MultiField { - flat_name?: string; - name: string; - type: string; -} - -export interface FieldMap { - [key: string]: { - type: string; - required: boolean; - array?: boolean; - doc_values?: boolean; - enabled?: boolean; - format?: string; - ignore_above?: number; - index?: boolean; - multi_fields?: MultiField[]; - path?: string; - scaling_factor?: number; - dynamic?: boolean | 'strict'; - }; -} diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index 7beec739549a45..cccb492b10e175 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts @@ -6,5 +6,4 @@ */ export { mappingFromFieldMap } from './field_maps/mapping_from_field_map'; -export { type FieldMap } from './field_maps/types'; export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 2507b0f3c11bcb..6d516835638786 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts 
@@ -25,11 +25,7 @@ export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; -export { - mappingFromFieldMap, - getComponentTemplateFromFieldMap, - type FieldMap, -} from './alert_schema'; +export { mappingFromFieldMap, getComponentTemplateFromFieldMap } from './alert_schema'; export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index c6421e29d12b88..010c4db5c3ac41 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -13,8 +13,12 @@ import { import { get, isEmpty, isEqual } from 'lodash'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; import { firstValueFrom, Observable } from 'rxjs'; -import { alertFieldMap, ecsFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils'; -import { type FieldMap } from '../../common'; +import { + alertFieldMap, + ecsFieldMap, + legacyAlertFieldMap, + type FieldMap, +} from '@kbn/alerts-as-data-utils'; import { DEFAULT_ALERTS_ILM_POLICY_NAME, DEFAULT_ALERTS_ILM_POLICY, @@ -35,7 +39,8 @@ import { const TOTAL_FIELDS_LIMIT = 2500; const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes const LEGACY_ALERT_CONTEXT = 'legacy-alert'; -const ECS_CONTEXT = `ecs`; +export const ECS_CONTEXT = `ecs`; +export const ECS_COMPONENT_TEMPLATE_NAME = getComponentTemplateName(ECS_CONTEXT); interface AlertsServiceParams { logger: Logger; pluginStop$: Observable; diff --git a/x-pack/plugins/alerting/server/alerts_service/index.ts b/x-pack/plugins/alerting/server/alerts_service/index.ts new file mode 100644 index 00000000000000..49247f3baa243a --- /dev/null +++ b/x-pack/plugins/alerting/server/alerts_service/index.ts 
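Review bot: `ECS_CONTEXT` and `ECS_COMPONENT_TEMPLATE_NAME` become part of the alerting plugin's public server API in this commit (re-exported through `server/index.ts` and imported by infra and observability in later hunks) but carry no documentation. A TSDoc such as `/** Context used for the framework-installed ECS mappings component template; the resulting template name is `.alerts-ecs-mappings` and is referenced by other plugins, so treat it as a stable identifier. */` on `ECS_COMPONENT_TEMPLATE_NAME` would tell consumers that renaming it is a breaking change. The surrounding import list and the rest of `alerts_service.ts` are outside the hunk.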
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export {
+ DEFAULT_ALERTS_ILM_POLICY,
+ DEFAULT_ALERTS_ILM_POLICY_NAME,
+} from './default_lifecycle_policy';
+export { ECS_COMPONENT_TEMPLATE_NAME, ECS_CONTEXT } from './alerts_service';
+export { getComponentTemplate } from './types';
diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts
index c6c7d1b27399bb..6073c288208562 100644
--- a/x-pack/plugins/alerting/server/alerts_service/types.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/types.ts
@@ -6,7 +6,8 @@
 */
 import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
-import { FieldMap, getComponentTemplateFromFieldMap } from '../../common';
+import type { FieldMap } from '@kbn/alerts-as-data-utils';
+import { getComponentTemplateFromFieldMap } from '../../common';
 export const getComponentTemplateName = (context?: string) => `.alerts-${context ? `${context}` : 'framework'}-mappings`;
@@ -39,5 +40,5 @@ export const getComponentTemplate = (
 name: getComponentTemplateName(context),
 fieldMap,
 // set field limit slightly higher than actual number of fields
- fieldLimit: Math.ceil(Object.keys(fieldMap).length / 1000) * 1000,
+ fieldLimit: Math.ceil(Object.keys(fieldMap).length / 1000) * 1000 + 500,
 });
diff --git a/x-pack/plugins/alerting/server/index.ts b/x-pack/plugins/alerting/server/index.ts
index a13b06596f557b..6b5ad3012d8a91 100644
--- a/x-pack/plugins/alerting/server/index.ts
+++ b/x-pack/plugins/alerting/server/index.ts
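Review bot: The new `+ 500` on the `fieldLimit` line is an unexplained constant, and the comment above it still only says the limit is "slightly higher than actual number of fields". Presumably the headroom covers mappings that count toward Elasticsearch's total-fields limit but are not keys of the field map (object parents such as `client.geo`, and `multi_fields` entries) — confirm against the ECS map, which is the large one here. Suggest replacing the comment with `// round up to the next 1000 and add headroom: object parents and multi_fields count toward the limit but are not keys of fieldMap` and naming the constant, e.g. `const FIELD_LIMIT_HEADROOM = 500;`, so the two numbers are not read as one magic expression.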
@@ -56,7 +56,10 @@ export { export { DEFAULT_ALERTS_ILM_POLICY, DEFAULT_ALERTS_ILM_POLICY_NAME, -} from './alerts_service/default_lifecycle_policy'; + ECS_COMPONENT_TEMPLATE_NAME, + ECS_CONTEXT, + getComponentTemplate, +} from './alerts_service'; export const plugin = (initContext: PluginInitializerContext) => new AlertingPlugin(initContext); diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts index 260ebecb0f7a6d..0392149a894c1f 100644 --- a/x-pack/plugins/alerting/server/types.ts +++ b/x-pack/plugins/alerting/server/types.ts @@ -22,6 +22,7 @@ import { } from '@kbn/core/server'; import type { PublicMethodsOf } from '@kbn/utility-types'; import { SharePluginStart } from '@kbn/share-plugin/server'; +import { type FieldMap } from '@kbn/alerts-as-data-utils'; import { RuleTypeRegistry as OrigruleTypeRegistry } from './rule_type_registry'; import { PluginSetupContract, PluginStartContract } from './plugin'; import { RulesClient } from './rules_client'; @@ -48,7 +49,6 @@ import { RuleSnooze, IntervalSchedule, RuleLastRun, - FieldMap, } from '../common'; import { PublicAlertFactory } from './alert/create_alert_factory'; import { RulesSettingsFlappingProperties } from '../common/rules_settings'; diff --git a/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts b/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts index 37eb4698ff0891..4d2af0ea2e96de 100644 --- a/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts +++ b/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts 
@@ -23,10 +23,10 @@ import { RuleTypeState, } from '@kbn/alerting-plugin/server'; import { addSpaceIdToPath } from '@kbn/spaces-plugin/common'; - +import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; import { ParsedTechnicalFields } from '@kbn/rule-registry-plugin/common'; import { ParsedExperimentalFields } from '@kbn/rule-registry-plugin/common/parse_experimental_fields'; -import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; + import { RuleParams, ruleParamsRT, diff --git a/x-pack/plugins/infra/server/services/rules/rule_data_client.ts b/x-pack/plugins/infra/server/services/rules/rule_data_client.ts index c1f9adbfa58381..3a81f957e93141 100644 --- a/x-pack/plugins/infra/server/services/rules/rule_data_client.ts +++ b/x-pack/plugins/infra/server/services/rules/rule_data_client.ts @@ -9,8 +9,8 @@ import { CoreSetup, Logger } from '@kbn/core/server'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { Dataset, RuleRegistryPluginSetupContract } from '@kbn/rule-registry-plugin/server'; -import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/rule-registry-plugin/common/assets'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; +import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/alerting-plugin/server'; import type { InfraFeatureId } from '../../../common/constants'; import { RuleRegistrationContext, RulesServiceStartDeps } from './types'; diff --git a/x-pack/plugins/observability/server/plugin.ts b/x-pack/plugins/observability/server/plugin.ts index 04919ecf0a58d8..03b97549370e66 100644 --- a/x-pack/plugins/observability/server/plugin.ts +++ b/x-pack/plugins/observability/server/plugin.ts 
@@ -19,7 +19,7 @@ import { PluginSetupContract as FeaturesSetup } from '@kbn/features-plugin/serve import { createUICapabilities } from '@kbn/cases-plugin/common'; import { SpacesPluginStart } from '@kbn/spaces-plugin/server'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; -import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/rule-registry-plugin/common/assets'; +import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/alerting-plugin/server'; import type { GuidedOnboardingPluginSetup } from '@kbn/guided-onboarding-plugin/server'; import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; diff --git a/x-pack/plugins/rule_registry/common/assets.ts b/x-pack/plugins/rule_registry/common/assets.ts index a1df09df18a8f9..1e8919a3a07e4a 100644 --- a/x-pack/plugins/rule_registry/common/assets.ts +++ b/x-pack/plugins/rule_registry/common/assets.ts @@ -5,5 +5,4 @@ * 2.0. */ -export const TECHNICAL_COMPONENT_TEMPLATE_NAME = `technical-mappings`; -export const ECS_COMPONENT_TEMPLATE_NAME = `ecs-mappings`; +export const TECHNICAL_COMPONENT_TEMPLATE_NAME = `.alerts-technical-mappings`; diff --git a/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts b/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts deleted file mode 100644 index 8f30e07a0d9dcf..00000000000000 --- a/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts +++ /dev/null 
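Review bot: Changing `TECHNICAL_COMPONENT_TEMPLATE_NAME` from `technical-mappings` to `.alerts-technical-mappings` (and removing `ECS_COMPONENT_TEMPLATE_NAME` from rule_registry) means a cluster upgraded from an earlier version still holds component templates under the old names, and any index template whose `composed_of` still lists them keeps resolving against those stale copies; the resource_installer changes are in the diffstat but not visible here, so I cannot tell whether the old templates are removed or the index templates rewritten. A comment on the constant recording the rename and where the old names are cleaned up would help operators, e.g. `// renamed from 'technical-mappings'; templates installed under the old name are not removed here — see resource_installer [confirm]`.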
@@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import { merge } from 'lodash'; -import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; -import { ClusterPutComponentTemplateBody } from '../../types'; -import { ecsFieldMap } from '../field_maps/ecs_field_map'; -import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map'; - -export const ecsComponentTemplate: ClusterPutComponentTemplateBody = { - template: { - settings: { - number_of_shards: 1, - 'index.mapping.total_fields.limit': 1700, - }, - mappings: merge( - {}, - mappingFromFieldMap(ecsFieldMap, 'strict'), - mappingFromFieldMap(technicalRuleFieldMap, 'strict') - ), - }, -}; diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts deleted file mode 100644 index eb4c977ab7f0d7..00000000000000 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts +++ /dev/null 
@@ -1,6151 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/* This file is generated by x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js, -do not manually edit -*/ - -export const ecsFieldMap = { - '@timestamp': { - type: 'date', - array: false, - required: true, - }, - 'agent.build.original': { - type: 'keyword', - array: false, - required: false, - }, - 'agent.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - }, - 'agent.id': { - type: 'keyword', - array: false, - required: false, - }, - 'agent.name': { - type: 'keyword', - array: false, - required: false, - }, - 'agent.type': { - type: 'keyword', - array: false, - required: false, - }, - 'agent.version': { - type: 'keyword', - array: false, - required: false, - }, - 'client.address': { - type: 'keyword', - array: false, - required: false, - }, - 'client.as.number': { - type: 'long', - array: false, - required: false, - }, - 'client.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.bytes': { - type: 'long', - array: false, - required: false, - }, - 'client.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'client.geo.name': { - type: 'keyword', - array: 
false, - required: false, - }, - 'client.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'client.ip': { - type: 'ip', - array: false, - required: false, - }, - 'client.mac': { - type: 'keyword', - array: false, - required: false, - }, - 'client.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'client.nat.port': { - type: 'long', - array: false, - required: false, - }, - 'client.packets': { - type: 'long', - array: false, - required: false, - }, - 'client.port': { - type: 'long', - array: false, - required: false, - }, - 'client.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'client.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'client.top_level_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.email': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.id': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.name': { - type: 'keyword', - array: false, - required: false, - }, - 'client.user.roles': { - type: 'keyword', - array: true, - required: false, - }, - 'cloud.account.id': { - type: 
'keyword', - array: false, - required: false, - }, - 'cloud.account.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.availability_zone': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.instance.id': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.instance.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.machine.type': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.account.id': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.account.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.availability_zone': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.instance.id': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.instance.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.machine.type': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.project.id': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.project.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.region': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.origin.service.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.project.id': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.project.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.region': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.service.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.account.id': { - type: 'keyword', - array: false, - required: false, - }, - 
'cloud.target.account.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.availability_zone': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.instance.id': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.instance.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.machine.type': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.project.id': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.project.name': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.region': { - type: 'keyword', - array: false, - required: false, - }, - 'cloud.target.service.name': { - type: 'keyword', - array: false, - required: false, - }, - 'container.id': { - type: 'keyword', - array: false, - required: false, - }, - 'container.image.name': { - type: 'keyword', - array: false, - required: false, - }, - 'container.image.tag': { - type: 'keyword', - array: true, - required: false, - }, - 'container.labels': { - type: 'object', - array: false, - required: false, - }, - 'container.name': { - type: 'keyword', - array: false, - required: false, - }, - 'container.runtime': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.address': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.as.number': { - type: 'long', - array: false, - required: false, - }, - 'destination.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.bytes': { - type: 'long', - array: false, - required: false, - }, - 'destination.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.continent_code': { - type: 'keyword', - 
array: false, - required: false, - }, - 'destination.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'destination.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.ip': { - type: 'ip', - array: false, - required: false, - }, - 'destination.mac': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'destination.nat.port': { - type: 'long', - array: false, - required: false, - }, - 'destination.packets': { - type: 'long', - array: false, - required: false, - }, - 'destination.port': { - type: 'long', - array: false, - required: false, - }, - 'destination.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.top_level_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.email': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.group.domain': { - type: 'keyword', - array: false, - 
required: false, - }, - 'destination.user.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.id': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.name': { - type: 'keyword', - array: false, - required: false, - }, - 'destination.user.roles': { - type: 'keyword', - array: true, - required: false, - }, - 'dll.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'dll.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.code_signature.status': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'dll.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'dll.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'dll.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.hash.sha512': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.name': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.path': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.pe.architecture': { - type: 
'keyword', - array: false, - required: false, - }, - 'dll.pe.company': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.pe.description': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.pe.file_version': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.pe.imphash': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - }, - 'dll.pe.product': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.answers': { - type: 'object', - array: true, - required: false, - }, - 'dns.answers.class': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.answers.data': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.answers.name': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.answers.ttl': { - type: 'long', - array: false, - required: false, - }, - 'dns.answers.type': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.header_flags': { - type: 'keyword', - array: true, - required: false, - }, - 'dns.id': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.op_code': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.question.class': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.question.name': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.question.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.question.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.question.top_level_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.question.type': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.resolved_ip': { - type: 'ip', - array: true, - required: false, - }, - 'dns.response_code': { - type: 'keyword', - array: false, - required: false, - }, - 'dns.type': { - type: 
'keyword', - array: false, - required: false, - }, - 'ecs.version': { - type: 'keyword', - array: false, - required: true, - }, - 'error.code': { - type: 'keyword', - array: false, - required: false, - }, - 'error.id': { - type: 'keyword', - array: false, - required: false, - }, - 'error.message': { - type: 'match_only_text', - array: false, - required: false, - }, - 'error.stack_trace': { - type: 'wildcard', - array: false, - required: false, - }, - 'error.type': { - type: 'keyword', - array: false, - required: false, - }, - 'event.action': { - type: 'keyword', - array: false, - required: false, - }, - 'event.agent_id_status': { - type: 'keyword', - array: false, - required: false, - }, - 'event.category': { - type: 'keyword', - array: true, - required: false, - }, - 'event.code': { - type: 'keyword', - array: false, - required: false, - }, - 'event.created': { - type: 'date', - array: false, - required: false, - }, - 'event.dataset': { - type: 'keyword', - array: false, - required: false, - }, - 'event.duration': { - type: 'long', - array: false, - required: false, - }, - 'event.end': { - type: 'date', - array: false, - required: false, - }, - 'event.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'event.id': { - type: 'keyword', - array: false, - required: false, - }, - 'event.ingested': { - type: 'date', - array: false, - required: false, - }, - 'event.kind': { - type: 'keyword', - array: false, - required: false, - }, - 'event.module': { - type: 'keyword', - array: false, - required: false, - }, - 'event.original': { - type: 'keyword', - array: false, - required: false, - }, - 'event.outcome': { - type: 'keyword', - array: false, - required: false, - }, - 'event.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'event.reason': { - type: 'keyword', - array: false, - required: false, - }, - 'event.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'event.risk_score': { - type: 'float', - 
array: false, - required: false, - }, - 'event.risk_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'event.sequence': { - type: 'long', - array: false, - required: false, - }, - 'event.severity': { - type: 'long', - array: false, - required: false, - }, - 'event.start': { - type: 'date', - array: false, - required: false, - }, - 'event.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'event.type': { - type: 'keyword', - array: true, - required: false, - }, - 'event.url': { - type: 'keyword', - array: false, - required: false, - }, - 'faas.coldstart': { - type: 'boolean', - array: false, - required: false, - }, - 'faas.execution': { - type: 'keyword', - array: false, - required: false, - }, - 'faas.trigger': { - type: 'nested', - array: false, - required: false, - }, - 'faas.trigger.request_id': { - type: 'keyword', - array: false, - required: false, - }, - 'faas.trigger.type': { - type: 'keyword', - array: false, - required: false, - }, - 'file.accessed': { - type: 'date', - array: false, - required: false, - }, - 'file.attributes': { - type: 'keyword', - array: true, - required: false, - }, - 'file.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'file.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'file.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - }, - 'file.code_signature.status': { - type: 'keyword', - array: false, - required: false, - }, - 'file.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - }, - 'file.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - }, - 'file.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'file.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'file.code_signature.valid': { - type: 'boolean', - array: false, - 
required: false, - }, - 'file.created': { - type: 'date', - array: false, - required: false, - }, - 'file.ctime': { - type: 'date', - array: false, - required: false, - }, - 'file.device': { - type: 'keyword', - array: false, - required: false, - }, - 'file.directory': { - type: 'keyword', - array: false, - required: false, - }, - 'file.drive_letter': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'file.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'file.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.header.class': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.header.data': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.header.type': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.header.version': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'file.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'file.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - }, - 
'file.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'file.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - }, - 'file.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - }, - 'file.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - }, - 'file.extension': { - type: 'keyword', - array: false, - required: false, - }, - 'file.fork_name': { - type: 'keyword', - array: false, - required: false, - }, - 'file.gid': { - type: 'keyword', - array: false, - required: false, - }, - 'file.group': { - type: 'keyword', - array: false, - required: false, - }, - 'file.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'file.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'file.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'file.hash.sha512': { - type: 'keyword', - array: false, - required: false, - }, - 'file.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - }, - 'file.inode': { - type: 'keyword', - array: false, - required: false, - }, - 'file.mime_type': { - type: 'keyword', - array: false, - required: false, - }, - 'file.mode': { - type: 'keyword', - array: false, - required: false, - }, - 'file.mtime': { - type: 'date', - 
array: false, - required: false, - }, - 'file.name': { - type: 'keyword', - array: false, - required: false, - }, - 'file.owner': { - type: 'keyword', - array: false, - required: false, - }, - 'file.path': { - type: 'keyword', - array: false, - required: false, - }, - 'file.pe.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'file.pe.company': { - type: 'keyword', - array: false, - required: false, - }, - 'file.pe.description': { - type: 'keyword', - array: false, - required: false, - }, - 'file.pe.file_version': { - type: 'keyword', - array: false, - required: false, - }, - 'file.pe.imphash': { - type: 'keyword', - array: false, - required: false, - }, - 'file.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - }, - 'file.pe.product': { - type: 'keyword', - array: false, - required: false, - }, - 'file.size': { - type: 'long', - array: false, - required: false, - }, - 'file.target_path': { - type: 'keyword', - array: false, - required: false, - }, - 'file.type': { - type: 'keyword', - array: false, - required: false, - }, - 'file.uid': { - type: 'keyword', - array: false, - required: false, - }, - 'file.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'file.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.not_after': { - type: 'date', - array: false, 
- required: false, - }, - 'file.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'file.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'file.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - }, - 'file.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - }, - 'file.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'file.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'file.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'file.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'file.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'file.x509.version_number': { - type: 'keyword', - array: false, - required: false, - }, - 'group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'host.boot.id': { - type: 'keyword', - array: false, - required: false, - }, - 'host.cpu.usage': { - type: 'scaled_float', - array: false, - required: false, - scaling_factor: 1000, - }, - 'host.disk.read.bytes': { - type: 'long', - array: 
false, - required: false, - }, - 'host.disk.write.bytes': { - type: 'long', - array: false, - required: false, - }, - 'host.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'host.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'host.hostname': { - type: 'keyword', - array: false, - required: false, - }, - 'host.id': { - type: 'keyword', - array: false, - required: false, - }, - 'host.ip': { - type: 'ip', - array: true, - required: false, - }, - 'host.mac': { - type: 'keyword', - array: true, - required: false, - }, - 'host.name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.network.egress.bytes': { - type: 'long', - array: false, - required: false, - }, - 'host.network.egress.packets': { - type: 'long', - array: false, - required: false, - }, - 'host.network.ingress.bytes': { - type: 'long', - array: false, - required: false, - }, - 'host.network.ingress.packets': { - type: 'long', - array: false, - required: false, - }, - 'host.os.family': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.full': { - type: 
'keyword', - array: false, - required: false, - }, - 'host.os.kernel': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.platform': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.type': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.version': { - type: 'keyword', - array: false, - required: false, - }, - 'host.pid_ns_ino': { - type: 'keyword', - array: false, - required: false, - }, - 'host.risk.calculated_level': { - type: 'keyword', - array: false, - required: false, - }, - 'host.risk.calculated_score': { - type: 'float', - array: false, - required: false, - }, - 'host.risk.calculated_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'host.risk.static_level': { - type: 'keyword', - array: false, - required: false, - }, - 'host.risk.static_score': { - type: 'float', - array: false, - required: false, - }, - 'host.risk.static_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'host.type': { - type: 'keyword', - array: false, - required: false, - }, - 'host.uptime': { - type: 'long', - array: false, - required: false, - }, - 'http.request.body.bytes': { - type: 'long', - array: false, - required: false, - }, - 'http.request.body.content': { - type: 'wildcard', - array: false, - required: false, - }, - 'http.request.bytes': { - type: 'long', - array: false, - required: false, - }, - 'http.request.id': { - type: 'keyword', - array: false, - required: false, - }, - 'http.request.method': { - type: 'keyword', - array: false, - required: false, - }, - 'http.request.mime_type': { - type: 'keyword', - array: false, - required: false, - }, - 'http.request.referrer': { - type: 'keyword', - array: false, - required: false, - }, - 'http.response.body.bytes': { - type: 'long', - array: false, - required: false, - }, - 'http.response.body.content': { - type: 'wildcard', - array: 
false, - required: false, - }, - 'http.response.bytes': { - type: 'long', - array: false, - required: false, - }, - 'http.response.mime_type': { - type: 'keyword', - array: false, - required: false, - }, - 'http.response.status_code': { - type: 'long', - array: false, - required: false, - }, - 'http.version': { - type: 'keyword', - array: false, - required: false, - }, - labels: { - type: 'object', - array: false, - required: false, - }, - 'log.file.path': { - type: 'keyword', - array: false, - required: false, - }, - 'log.level': { - type: 'keyword', - array: false, - required: false, - }, - 'log.logger': { - type: 'keyword', - array: false, - required: false, - }, - 'log.origin.file.line': { - type: 'long', - array: false, - required: false, - }, - 'log.origin.file.name': { - type: 'keyword', - array: false, - required: false, - }, - 'log.origin.function': { - type: 'keyword', - array: false, - required: false, - }, - 'log.syslog': { - type: 'object', - array: false, - required: false, - }, - 'log.syslog.facility.code': { - type: 'long', - array: false, - required: false, - }, - 'log.syslog.facility.name': { - type: 'keyword', - array: false, - required: false, - }, - 'log.syslog.priority': { - type: 'long', - array: false, - required: false, - }, - 'log.syslog.severity.code': { - type: 'long', - array: false, - required: false, - }, - 'log.syslog.severity.name': { - type: 'keyword', - array: false, - required: false, - }, - message: { - type: 'match_only_text', - array: false, - required: false, - }, - 'network.application': { - type: 'keyword', - array: false, - required: false, - }, - 'network.bytes': { - type: 'long', - array: false, - required: false, - }, - 'network.community_id': { - type: 'keyword', - array: false, - required: false, - }, - 'network.direction': { - type: 'keyword', - array: false, - required: false, - }, - 'network.forwarded_ip': { - type: 'ip', - array: false, - required: false, - }, - 'network.iana_number': { - type: 'keyword', - array: 
false, - required: false, - }, - 'network.inner': { - type: 'object', - array: false, - required: false, - }, - 'network.inner.vlan.id': { - type: 'keyword', - array: false, - required: false, - }, - 'network.inner.vlan.name': { - type: 'keyword', - array: false, - required: false, - }, - 'network.name': { - type: 'keyword', - array: false, - required: false, - }, - 'network.packets': { - type: 'long', - array: false, - required: false, - }, - 'network.protocol': { - type: 'keyword', - array: false, - required: false, - }, - 'network.transport': { - type: 'keyword', - array: false, - required: false, - }, - 'network.type': { - type: 'keyword', - array: false, - required: false, - }, - 'network.vlan.id': { - type: 'keyword', - array: false, - required: false, - }, - 'network.vlan.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.egress': { - type: 'object', - array: false, - required: false, - }, - 'observer.egress.interface.alias': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.egress.interface.id': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.egress.interface.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.egress.vlan.id': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.egress.vlan.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.egress.zone': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.location': { - type: 
'geo_point', - array: false, - required: false, - }, - 'observer.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.hostname': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.ingress': { - type: 'object', - array: false, - required: false, - }, - 'observer.ingress.interface.alias': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.ingress.interface.id': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.ingress.interface.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.ingress.vlan.id': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.ingress.vlan.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.ingress.zone': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.ip': { - type: 'ip', - array: true, - required: false, - }, - 'observer.mac': { - type: 'keyword', - array: true, - required: false, - }, - 'observer.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.os.family': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.os.full': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.os.kernel': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.os.name': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.os.platform': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.os.type': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.os.version': { - 
type: 'keyword', - array: false, - required: false, - }, - 'observer.product': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.type': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.vendor': { - type: 'keyword', - array: false, - required: false, - }, - 'observer.version': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.api_version': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.cluster.id': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.cluster.name': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.cluster.url': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.cluster.version': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.namespace': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.organization': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.resource.id': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.resource.ip': { - type: 'ip', - array: true, - required: false, - }, - 'orchestrator.resource.name': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.resource.parent.type': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.resource.type': { - type: 'keyword', - array: false, - required: false, - }, - 'orchestrator.type': { - type: 'keyword', - array: false, - required: false, - }, - 'organization.id': { - type: 'keyword', - array: false, - required: false, - }, - 'organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'package.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'package.build_version': { - type: 'keyword', - array: false, - required: false, - 
}, - 'package.checksum': { - type: 'keyword', - array: false, - required: false, - }, - 'package.description': { - type: 'keyword', - array: false, - required: false, - }, - 'package.install_scope': { - type: 'keyword', - array: false, - required: false, - }, - 'package.installed': { - type: 'date', - array: false, - required: false, - }, - 'package.license': { - type: 'keyword', - array: false, - required: false, - }, - 'package.name': { - type: 'keyword', - array: false, - required: false, - }, - 'package.path': { - type: 'keyword', - array: false, - required: false, - }, - 'package.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'package.size': { - type: 'long', - array: false, - required: false, - }, - 'package.type': { - type: 'keyword', - array: false, - required: false, - }, - 'package.version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.args': { - type: 'keyword', - array: true, - required: false, - }, - 'process.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'process.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'process.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.code_signature.status': { - type: 'keyword', - array: false, - required: false, - }, - 'process.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'process.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'process.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'process.command_line': { - type: 'wildcard', - 
array: false, - required: false, - }, - 'process.elf.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'process.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.header.class': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.header.data': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.header.type': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.header.version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'process.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.type': { 
- type: 'keyword', - array: false, - required: false, - }, - 'process.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'process.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - }, - 'process.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - }, - 'process.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - }, - 'process.end': { - type: 'date', - array: false, - required: false, - }, - 'process.entity_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.entry_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.executable': { - type: 'keyword', - array: false, - required: false, - }, - 'process.exit_code': { - type: 'long', - array: false, - required: false, - }, - 'process.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'process.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'process.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'process.hash.sha512': { - type: 'keyword', - array: false, - required: false, - }, - 'process.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - }, - 'process.name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.args': { - type: 'keyword', - array: true, - required: false, - }, - 'process.parent.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.code_signature.exists': { - type: 'boolean', - array: 
false, - required: false, - }, - 'process.parent.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.code_signature.status': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'process.parent.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'process.parent.command_line': { - type: 'wildcard', - array: false, - required: false, - }, - 'process.parent.elf.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.parent.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.header.class': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.header.data': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.header.type': { - type: 'keyword', - 
array: false, - required: false, - }, - 'process.parent.elf.header.version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.parent.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'process.parent.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'process.parent.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - }, - 'process.parent.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.end': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.entity_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.executable': { - type: 'keyword', - array: false, - required: false, - }, - 
'process.parent.exit_code': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.hash.sha512': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pe.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pe.company': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pe.description': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pe.file_version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pe.imphash': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pe.product': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pgid': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.start': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.thread.id': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.thread.name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.title': { - type: 'keyword', - array: false, - required: false, - }, - 'process.parent.uptime': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.working_directory': { - type: 'keyword', - array: false, - required: false, - 
}, - 'process.pe.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'process.pe.company': { - type: 'keyword', - array: false, - required: false, - }, - 'process.pe.description': { - type: 'keyword', - array: false, - required: false, - }, - 'process.pe.file_version': { - type: 'keyword', - array: false, - required: false, - }, - 'process.pe.imphash': { - type: 'keyword', - array: false, - required: false, - }, - 'process.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.pe.product': { - type: 'keyword', - array: false, - required: false, - }, - 'process.pgid': { - type: 'long', - array: false, - required: false, - }, - 'process.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.session_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - }, - 'process.start': { - type: 'date', - array: false, - required: false, - }, - 'process.thread.id': { - type: 'long', - array: false, - required: false, - }, - 'process.thread.name': { - type: 'keyword', - array: false, - required: false, - }, - 'process.title': { - type: 'keyword', - array: false, - required: false, - }, - 'process.uptime': { - type: 'long', - array: false, - required: false, - }, - 'process.working_directory': { - type: 'keyword', - array: false, - required: false, - }, - 'registry.data.bytes': { - type: 'keyword', - array: false, - required: false, - }, - 'registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'registry.data.type': { - type: 'keyword', - array: false, - required: false, - }, - 'registry.hive': { - type: 'keyword', - array: false, - required: false, - }, - 'registry.key': { - type: 'keyword', - array: false, - required: false, - }, - 'registry.path': { - type: 'keyword', - array: false, - required: false, - }, - 'registry.value': { - type: 'keyword', - array: false, - required: false, - }, - 'related.hash': { - type: 'keyword', - array: true, 
- required: false, - }, - 'related.hosts': { - type: 'keyword', - array: true, - required: false, - }, - 'related.ip': { - type: 'ip', - array: true, - required: false, - }, - 'related.user': { - type: 'keyword', - array: true, - required: false, - }, - 'rule.author': { - type: 'keyword', - array: true, - required: false, - }, - 'rule.category': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.description': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.id': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.license': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.name': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.ruleset': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.uuid': { - type: 'keyword', - array: false, - required: false, - }, - 'rule.version': { - type: 'keyword', - array: false, - required: false, - }, - 'server.address': { - type: 'keyword', - array: false, - required: false, - }, - 'server.as.number': { - type: 'long', - array: false, - required: false, - }, - 'server.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.bytes': { - type: 'long', - array: false, - required: false, - }, - 'server.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 
'server.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'server.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.mac': { - type: 'keyword', - array: false, - required: false, - }, - 'server.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.nat.port': { - type: 'long', - array: false, - required: false, - }, - 'server.packets': { - type: 'long', - array: false, - required: false, - }, - 'server.port': { - type: 'long', - array: false, - required: false, - }, - 'server.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'server.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'server.top_level_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.email': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.id': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.name': { - type: 'keyword', - array: false, - required: false, - }, - 'server.user.roles': { - type: 'keyword', - array: true, - required: 
false, - }, - 'service.address': { - type: 'keyword', - array: false, - required: false, - }, - 'service.environment': { - type: 'keyword', - array: false, - required: false, - }, - 'service.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - }, - 'service.id': { - type: 'keyword', - array: false, - required: false, - }, - 'service.name': { - type: 'keyword', - array: false, - required: false, - }, - 'service.node.name': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.address': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.environment': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.id': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.name': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.node.name': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.state': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.type': { - type: 'keyword', - array: false, - required: false, - }, - 'service.origin.version': { - type: 'keyword', - array: false, - required: false, - }, - 'service.state': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.address': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.environment': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.id': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.name': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.node.name': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.state': { - type: 'keyword', - array: false, - required: 
false, - }, - 'service.target.type': { - type: 'keyword', - array: false, - required: false, - }, - 'service.target.version': { - type: 'keyword', - array: false, - required: false, - }, - 'service.type': { - type: 'keyword', - array: false, - required: false, - }, - 'service.version': { - type: 'keyword', - array: false, - required: false, - }, - 'source.address': { - type: 'keyword', - array: false, - required: false, - }, - 'source.as.number': { - type: 'long', - array: false, - required: false, - }, - 'source.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.bytes': { - type: 'long', - array: false, - required: false, - }, - 'source.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'source.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'source.ip': { - type: 'ip', - array: false, - required: false, - }, - 'source.mac': { - type: 'keyword', - array: false, - required: false, - }, - 'source.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'source.nat.port': { - type: 
'long', - array: false, - required: false, - }, - 'source.packets': { - type: 'long', - array: false, - required: false, - }, - 'source.port': { - type: 'long', - array: false, - required: false, - }, - 'source.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'source.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'source.top_level_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.email': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.id': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.name': { - type: 'keyword', - array: false, - required: false, - }, - 'source.user.roles': { - type: 'keyword', - array: true, - required: false, - }, - 'span.id': { - type: 'keyword', - array: false, - required: false, - }, - tags: { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments': { - type: 'nested', - array: true, - required: false, - }, - 'threat.enrichments.indicator': { - type: 'object', - array: false, - required: false, - }, - 'threat.enrichments.indicator.as.number': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.confidence': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.enrichments.indicator.description': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.email.address': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.accessed': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.attributes': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.status': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.created': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.ctime': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.device': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.directory': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.enrichments.indicator.file.drive_letter': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.class': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.data': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 
'threat.enrichments.indicator.file.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.extension': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.fork_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.gid': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.group': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.enrichments.indicator.file.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.hash.sha512': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.inode': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.mime_type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.mode': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.mtime': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.owner': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.path': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.pe.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.pe.company': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.pe.description': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.pe.file_version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.pe.imphash': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.enrichments.indicator.file.pe.product': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.target_path': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.uid': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, 
- }, - 'threat.enrichments.indicator.file.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.x509.version_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.first_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.country_iso_code': { - type: 
'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.ip': { - type: 'ip', - array: false, - required: false, - }, - 'threat.enrichments.indicator.last_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.marking.tlp': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.modified_at': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.registry.data.bytes': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'threat.enrichments.indicator.registry.data.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.registry.hive': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.enrichments.indicator.registry.key': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.registry.path': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.registry.value': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.scanner_stats': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.sightings': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.extension': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.fragment': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.full': { - type: 'wildcard', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.original': { - type: 'wildcard', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.password': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.path': { - type: 'wildcard', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.query': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.scheme': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.top_level_domain': { - type: 'keyword', - 
array: false, - required: false, - }, - 'threat.enrichments.indicator.url.username': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.signature_algorithm': { - type: 'keyword', - array: false, - 
required: false, - }, - 'threat.enrichments.indicator.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.enrichments.indicator.x509.version_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.matched.atomic': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.matched.field': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.matched.id': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.matched.index': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.enrichments.matched.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.framework': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.group.alias': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.group.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.as.number': { - type: 'long', - array: false, - required: false, - }, - 
'threat.indicator.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.confidence': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.description': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.email.address': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.accessed': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.attributes': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.status': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.indicator.file.created': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.ctime': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.device': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.directory': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.indicator.file.drive_letter': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.indicator.file.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.class': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.data': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.indicator.file.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'threat.indicator.file.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.indicator.file.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'threat.indicator.file.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.extension': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.fork_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.gid': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.group': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.hash.sha512': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.indicator.file.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.inode': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.mime_type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.mode': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.mtime': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.owner': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.path': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.pe.architecture': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.pe.company': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.pe.description': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.pe.file_version': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.pe.imphash': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.pe.product': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.target_path': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.uid': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - }, - 
'threat.indicator.file.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.file.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.indicator.file.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.file.x509.version_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.first_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'threat.indicator.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.timezone': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.ip': { - type: 'ip', - array: false, - required: false, - }, - 'threat.indicator.last_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.marking.tlp': { - type: 'keyword', - array: false, - 
required: false, - }, - 'threat.indicator.modified_at': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.registry.data.bytes': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'threat.indicator.registry.data.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.registry.hive': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.registry.key': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.registry.path': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.registry.value': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.scanner_stats': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.sightings': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.extension': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.fragment': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.full': { - type: 'wildcard', - array: false, - required: false, - }, - 'threat.indicator.url.original': { - type: 'wildcard', - array: false, - required: false, - }, - 'threat.indicator.url.password': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.path': { - type: 'wildcard', - array: false, - 
required: false, - }, - 'threat.indicator.url.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.url.query': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.scheme': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.top_level_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.url.username': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - }, - 
'threat.indicator.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.indicator.x509.version_number': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.software.alias': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.software.id': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.software.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.software.platforms': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.software.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.software.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.tactic.id': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.tactic.name': { - type: 'keyword', - array: true, - required: false, - }, - 
'threat.tactic.reference': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.technique.id': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.technique.name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.technique.reference': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.technique.subtechnique.id': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.technique.subtechnique.name': { - type: 'keyword', - array: true, - required: false, - }, - 'threat.technique.subtechnique.reference': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.cipher': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.certificate': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.certificate_chain': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.issuer': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.ja3': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.server_name': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.subject': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.supported_ciphers': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 
'tls.client.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - }, - 'tls.client.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'tls.client.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.client.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - 
}, - 'tls.client.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.client.x509.version_number': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.curve': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.established': { - type: 'boolean', - array: false, - required: false, - }, - 'tls.next_protocol': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.resumed': { - type: 'boolean', - array: false, - required: false, - }, - 'tls.server.certificate': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.certificate_chain': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.hash.md5': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.hash.sha1': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.hash.sha256': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.issuer': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.ja3s': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.subject': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - }, - 
'tls.server.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - }, - 'tls.server.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'tls.server.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.server.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - }, - 'tls.server.x509.version_number': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.version': { - type: 'keyword', - array: false, - required: false, - }, - 'tls.version_protocol': { - type: 'keyword', - array: false, - required: false, - }, - 'trace.id': { - type: 
'keyword', - array: false, - required: false, - }, - 'transaction.id': { - type: 'keyword', - array: false, - required: false, - }, - 'url.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'url.extension': { - type: 'keyword', - array: false, - required: false, - }, - 'url.fragment': { - type: 'keyword', - array: false, - required: false, - }, - 'url.full': { - type: 'wildcard', - array: false, - required: false, - }, - 'url.original': { - type: 'wildcard', - array: false, - required: false, - }, - 'url.password': { - type: 'keyword', - array: false, - required: false, - }, - 'url.path': { - type: 'wildcard', - array: false, - required: false, - }, - 'url.port': { - type: 'long', - array: false, - required: false, - }, - 'url.query': { - type: 'keyword', - array: false, - required: false, - }, - 'url.registered_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'url.scheme': { - type: 'keyword', - array: false, - required: false, - }, - 'url.subdomain': { - type: 'keyword', - array: false, - required: false, - }, - 'url.top_level_domain': { - type: 'keyword', - array: false, - required: false, - }, - 'url.username': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.email': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.changes.name': { - type: 'keyword', - array: false, - 
required: false, - }, - 'user.changes.roles': { - type: 'keyword', - array: true, - required: false, - }, - 'user.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.email': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.effective.roles': { - type: 'keyword', - array: true, - required: false, - }, - 'user.email': { - type: 'keyword', - array: false, - required: false, - }, - 'user.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'user.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.risk.calculated_level': { - type: 'keyword', - array: false, - required: false, - }, - 'user.risk.calculated_score': { - type: 'float', - array: false, - required: false, - }, - 'user.risk.calculated_score_norm': { - type: 'float', - array: false, - required: false, - }, - 
'user.risk.static_level': { - type: 'keyword', - array: false, - required: false, - }, - 'user.risk.static_score': { - type: 'float', - array: false, - required: false, - }, - 'user.risk.static_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'user.roles': { - type: 'keyword', - array: true, - required: false, - }, - 'user.target.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.email': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.full_name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.group.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.group.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.group.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.hash': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.id': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user.target.roles': { - type: 'keyword', - array: true, - required: false, - }, - 'user_agent.device.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.original': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.os.family': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.os.full': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.os.kernel': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.os.name': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.os.platform': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.os.type': { - type: 'keyword', - array: false, - required: false, - }, - 'user_agent.os.version': { 
- type: 'keyword', - array: false, - required: false, - }, - 'user_agent.version': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.category': { - type: 'keyword', - array: true, - required: false, - }, - 'vulnerability.classification': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.description': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.enumeration': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.id': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.reference': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.report_id': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.scanner.vendor': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.score.base': { - type: 'float', - array: false, - required: false, - }, - 'vulnerability.score.environmental': { - type: 'float', - array: false, - required: false, - }, - 'vulnerability.score.temporal': { - type: 'float', - array: false, - required: false, - }, - 'vulnerability.score.version': { - type: 'keyword', - array: false, - required: false, - }, - 'vulnerability.severity': { - type: 'keyword', - array: false, - required: false, - }, -} as const; - -export type EcsFieldMap = typeof ecsFieldMap; diff --git a/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts b/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts index 4e0cd2139566a2..701bab82855d44 100644 --- a/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts +++ b/x-pack/plugins/rule_registry/common/field_map/merge_field_maps.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { FieldMap } from '@kbn/alerting-plugin/common'; +import type { FieldMap } from '@kbn/alerts-as-data-utils'; export function mergeFieldMaps( first: T1, 
diff --git a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts index 5da10cb5ee31f1..93e182e53af633 100644 --- a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts +++ b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts @@ -8,7 +8,7 @@ import { Optional } from 'utility-types'; import { mapValues, pickBy } from 'lodash'; import { either } from 'fp-ts/lib/Either'; import * as t from 'io-ts'; -import { type FieldMap } from '@kbn/alerting-plugin/common'; +import type { FieldMap } from '@kbn/alerts-as-data-utils'; const NumberFromString = new t.Type( 'NumberFromString', diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.test.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.test.ts index b63fb2aae83d03..083c4d08d42536 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.test.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.test.ts @@ -12,11 +12,9 @@ import { AlertConsumers } from '@kbn/rule-data-utils'; import { Dataset } from './index_options'; import { IndexInfo } from './index_info'; +import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/alerting-plugin/server'; import { elasticsearchServiceMock, ElasticsearchClientMock } from '@kbn/core/server/mocks'; -import { - ECS_COMPONENT_TEMPLATE_NAME, - TECHNICAL_COMPONENT_TEMPLATE_NAME, -} from '../../common/assets'; +import { TECHNICAL_COMPONENT_TEMPLATE_NAME } from '../../common/assets'; describe('resourceInstaller', () => { let pluginStop$: Subject; 
@@ -82,15 +80,11 @@ describe('resourceInstaller', () => {
 it('should install common resources', async () => {
 const mockClusterClient = elasticsearchServiceMock.createElasticsearchClient();
 const getClusterClient = jest.fn(() => Promise.resolve(mockClusterClient));
- const getResourceNameMock = jest
- .fn()
- .mockReturnValueOnce(TECHNICAL_COMPONENT_TEMPLATE_NAME)
- .mockReturnValueOnce(ECS_COMPONENT_TEMPLATE_NAME);
 const installer = new ResourceInstaller({
 logger: loggerMock.create(),
 isWriteEnabled: true,
 disabledRegistrationContexts: [],
- getResourceName: getResourceNameMock,
+ getResourceName: jest.fn(),
 getClusterClient,
 areFrameworkAlertsEnabled: false,
 pluginStop$,
@@ -102,26 +96,22 @@ describe('resourceInstaller', () => { expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenNthCalledWith( 1, - expect.objectContaining({ name: TECHNICAL_COMPONENT_TEMPLATE_NAME }) + expect.objectContaining({ name: ECS_COMPONENT_TEMPLATE_NAME }) ); expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenNthCalledWith( 2, - expect.objectContaining({ name: ECS_COMPONENT_TEMPLATE_NAME }) + expect.objectContaining({ name: TECHNICAL_COMPONENT_TEMPLATE_NAME }) ); }); - it('should install common resources when framework alerts are enabled', async () => { + it('should install subset of common resources when framework alerts are enabled', async () => { const mockClusterClient = elasticsearchServiceMock.createElasticsearchClient(); const getClusterClient = jest.fn(() => Promise.resolve(mockClusterClient)); - const getResourceNameMock = jest - .fn() - .mockReturnValueOnce(TECHNICAL_COMPONENT_TEMPLATE_NAME) - .mockReturnValueOnce(ECS_COMPONENT_TEMPLATE_NAME); const installer = new ResourceInstaller({ logger: loggerMock.create(), isWriteEnabled: true, disabledRegistrationContexts: [], - getResourceName: getResourceNameMock, + getResourceName: jest.fn(), getClusterClient, areFrameworkAlertsEnabled: true, pluginStop$, 
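Review bot: The reordered `toHaveBeenNthCalledWith(1, …ECS_COMPONENT_TEMPLATE_NAME…)` / `toHaveBeenNthCalledWith(2, …TECHNICAL_COMPONENT_TEMPLATE_NAME…)` pair pins the arrival order of two calls that the implementation launches concurrently inside `Promise.all`, so the order depends on where the first `await` sits in `createOrUpdateComponentTemplate`, not on anything the test controls. Keeping `toHaveBeenCalledTimes(2)` and replacing the two position-bound checks with `expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenCalledWith(expect.objectContaining({ name: ECS_COMPONENT_TEMPLATE_NAME }));` and the same for `TECHNICAL_COMPONENT_TEMPLATE_NAME` verifies the same contract without coupling it to scheduling. The `it` block these assertions belong to starts before the hunk, and the renamed test it opens continues past it.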
@@ -131,15 +121,12 @@ describe('resourceInstaller', () => { // ILM policy should be handled by framework expect(mockClusterClient.ilm.putLifecycle).not.toHaveBeenCalled(); - expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + // ECS component template should be handled by framework + expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenNthCalledWith( 1, expect.objectContaining({ name: TECHNICAL_COMPONENT_TEMPLATE_NAME }) ); - expect(mockClusterClient.cluster.putComponentTemplate).toHaveBeenNthCalledWith( - 2, - expect.objectContaining({ name: ECS_COMPONENT_TEMPLATE_NAME }) - ); }); it('should install index level resources', async () => { const mockClusterClient = elasticsearchServiceMock.createElasticsearchClient(); diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts index 6af288e57a4a03..a665c57302a0e9 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts 
@@ -15,18 +15,17 @@ import type { PublicMethodsOf } from '@kbn/utility-types'; import { DEFAULT_ALERTS_ILM_POLICY, DEFAULT_ALERTS_ILM_POLICY_NAME, + ECS_CONTEXT, + getComponentTemplate, } from '@kbn/alerting-plugin/server'; -import { - ECS_COMPONENT_TEMPLATE_NAME, - TECHNICAL_COMPONENT_TEMPLATE_NAME, -} from '../../common/assets'; +import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; +import { TECHNICAL_COMPONENT_TEMPLATE_NAME } from '../../common/assets'; import { technicalComponentTemplate } from '../../common/assets/component_templates/technical_component_template'; -import { ecsComponentTemplate } from '../../common/assets/component_templates/ecs_component_template'; import type { IndexInfo } from './index_info'; const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes -const TOTAL_FIELDS_LIMIT = 1900; +const TOTAL_FIELDS_LIMIT = 2500; interface ConstructorOptions { getResourceName(relativeName: string): string; getClusterClient: () => Promise; @@ -98,7 +97,7 @@ export class ResourceInstaller { */ public async installCommonResources(): Promise { await this.installWithTimeout('common resources shared between all indices', async () => { - const { getResourceName, logger, areFrameworkAlertsEnabled } = this.options; + const { logger, areFrameworkAlertsEnabled } = this.options; try { // We can install them in parallel @@ -112,16 +111,14 @@ export class ResourceInstaller { name: DEFAULT_ALERTS_ILM_POLICY_NAME, body: DEFAULT_ALERTS_ILM_POLICY, }), + this.createOrUpdateComponentTemplate( + getComponentTemplate(ecsFieldMap, ECS_CONTEXT) + ), ]), this.createOrUpdateComponentTemplate({ - name: getResourceName(TECHNICAL_COMPONENT_TEMPLATE_NAME), + name: TECHNICAL_COMPONENT_TEMPLATE_NAME, body: technicalComponentTemplate, }), - - this.createOrUpdateComponentTemplate({ - name: getResourceName(ECS_COMPONENT_TEMPLATE_NAME), - body: ecsComponentTemplate, - }), ]); } catch (err) { logger.error( 
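Review bot: `TOTAL_FIELDS_LIMIT` moves from 1900 to 2500 with no comment on how the new figure was derived, and the same file now installs an ECS component template generated from the full `ecsFieldMap`, which is presumably what pushed the count up. This limit is the guard against mapping explosion on alert indices, so a reader needs to know how much headroom it leaves; I would annotate the constant, e.g. `// must exceed the generated ECS component template plus the technical fields; re-check whenever ecsFieldMap is regenerated`, and ideally back it with a unit test that fails when the combined field maps approach the limit. The same bare renumbering of `total_fields.limit` appears in the functional test hunks later in the series without a rationale either.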
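Review bot: `name: TECHNICAL_COMPONENT_TEMPLATE_NAME` drops the `getResourceName(...)` wrapper, so the technical component template is now installed under the bare constant rather than the resolved name the previous code used, while `getResourceName` remains a required member of `ConstructorOptions` in the import hunk above. Two consequences are worth stating in the PR: a cluster upgraded in place keeps the previously installed template as an orphan, and index templates written by earlier versions still reference the old name until they are reinstalled. If the rename is intended, a comment at the call site such as `// installed under the un-resolved name; getResourceName is no longer applied to shared templates` plus a cleanup note would make it explicit; if not, the wrapper should be restored. The `Promise.all` this call sits in opens before the hunk, so I cannot see whether the new ECS template install is gated on `areFrameworkAlertsEnabled` the way the ILM policy apparently is.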
@@ -315,7 +312,7 @@ export class ResourceInstaller {
 }
 
 private async installNamespacedIndexTemplate(indexInfo: IndexInfo, namespace: string) {
- const { logger, getResourceName } = this.options;
+ const { logger } = this.options;
 const {
 componentTemplateRefs,
 componentTemplates,
@@ -329,8 +326,7 @@ export class ResourceInstaller {
 
 logger.debug(`Installing index template for ${primaryNamespacedAlias}`);
 
- const technicalComponentNames = [getResourceName(TECHNICAL_COMPONENT_TEMPLATE_NAME)];
- const referencedComponentNames = componentTemplateRefs.map((ref) => getResourceName(ref));
+ const technicalComponentNames = [TECHNICAL_COMPONENT_TEMPLATE_NAME];
 const ownComponentNames = componentTemplates.map((template) =>
 indexInfo.getComponentTemplateName(template.name)
 );
@@ -365,11 +361,7 @@ export class ResourceInstaller {
 // - then we include own component templates registered with this index
 // - finally, we include technical component templates to make sure the index gets all the
 // mappings and settings required by all Kibana plugins using rule registry to work properly
- composed_of: [
- ...referencedComponentNames,
- ...ownComponentNames,
- ...technicalComponentNames,
- ],
+ composed_of: [...componentTemplateRefs, ...ownComponentNames, ...technicalComponentNames],
 
 template: {
 settings: {
diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.ts
index 65fc3871c7fc38..0059271d0d122c 100644
--- a/x-pack/plugins/security_solution/common/utils/field_formatters.ts
+++ b/x-pack/plugins/security_solution/common/utils/field_formatters.ts
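Review bot: `composed_of: [...componentTemplateRefs, ...]` now passes the registrant-supplied `componentTemplateRefs` straight through, whereas before each ref went through `getResourceName(ref)`; if any consumer still registers refs as relative names, the index template will point at component templates that do not exist under that name and installation will fail at the index template call. This is the same concern as the un-wrapped `TECHNICAL_COMPONENT_TEMPLATE_NAME` in the hunks above. Either the registration contract should now document that refs are fully qualified names, or the mapping should stay; at minimum a comment above the array, e.g. `// componentTemplateRefs must already be fully qualified component template names`, pins the new contract. `installNamespacedIndexTemplate` continues outside the hunk.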
@@ -5,7 +5,7 @@ * 2.0. */ -import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; +import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; import { isEmpty } from 'lodash/fp'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts index 975b2b643a4e78..7c95bf4f5df2b4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; +import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; import { isPlainObject, cloneDeep, isArray } from 'lodash'; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index ae6ee625075124..4a391ebcab4be2 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
@@ -21,8 +21,9 @@ import type { Logger } from '@kbn/core/server'; import { SavedObjectsClient } from '@kbn/core/server'; import type { UsageCounter } from '@kbn/usage-collection-plugin/server'; -import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/rule-registry-plugin/common/assets'; -import { mappingFromFieldMap, type FieldMap } from '@kbn/alerting-plugin/common'; +import { ECS_COMPONENT_TEMPLATE_NAME } from '@kbn/alerting-plugin/server'; +import { mappingFromFieldMap } from '@kbn/alerting-plugin/common'; +import type { FieldMap } from '@kbn/alerts-as-data-utils'; import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server'; import { Dataset } from '@kbn/rule-registry-plugin/server'; diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.ts b/x-pack/plugins/timelines/common/utils/field_formatters.ts index 49590bfea54c1a..622254fff270cd 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.ts @@ -8,7 +8,7 @@ import { isEmpty } from 'lodash/fp'; import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils'; -import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; +import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { EventHit, TimelineEventsDetailsItem } from '../search_strategy'; From de819fc0b26d7df83f03ea99fc0c9b533a4ab214 Mon Sep 17 00:00:00 2001 
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 15 Feb 2023 17:01:56 +0000 Subject: [PATCH 36/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- x-pack/plugins/infra/tsconfig.json | 3 ++- x-pack/plugins/security_solution/tsconfig.json | 1 + x-pack/plugins/timelines/tsconfig.json | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/infra/tsconfig.json b/x-pack/plugins/infra/tsconfig.json index 22f0d5727de838..43b614459c4682 100644 --- a/x-pack/plugins/infra/tsconfig.json +++ b/x-pack/plugins/infra/tsconfig.json @@ -53,7 +53,8 @@ "@kbn/core-saved-objects-common", "@kbn/core-analytics-server", "@kbn/analytics-client", - "@kbn/shared-ux-router" + "@kbn/shared-ux-router", + "@kbn/alerts-as-data-utils" ], "exclude": ["target/**/*"] } diff --git a/x-pack/plugins/security_solution/tsconfig.json b/x-pack/plugins/security_solution/tsconfig.json index ac6c2b0c6e16cb..d0e97ba1298cf5 100644 --- a/x-pack/plugins/security_solution/tsconfig.json +++ b/x-pack/plugins/security_solution/tsconfig.json @@ -140,5 +140,6 @@ "@kbn/securitysolution-ecs", "@kbn/cell-actions", "@kbn/shared-ux-router", + "@kbn/alerts-as-data-utils", ] } diff --git a/x-pack/plugins/timelines/tsconfig.json b/x-pack/plugins/timelines/tsconfig.json index 288701db08c55a..0ed48b0e3d1132 100644 --- a/x-pack/plugins/timelines/tsconfig.json +++ b/x-pack/plugins/timelines/tsconfig.json @@ -32,6 +32,7 @@ "@kbn/i18n", "@kbn/security-plugin", "@kbn/safer-lodash-set", + "@kbn/alerts-as-data-utils", ], "exclude": [ "target/**/*", From 29e26ead788563967c529450e8c7b7057f781598 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 15 Feb 2023 12:40:13 -0500 Subject: [PATCH 37/49] Fixing types --- .../server/lib/detection_engine/signals/types.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts index 877239af49a9a5..95b7aca017b9ca 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts @@ -17,7 +17,7 @@ import type { RuleExecutorServices, } from '@kbn/alerting-plugin/server'; import type { ListClient } from '@kbn/lists-plugin/server'; -import type { EcsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; +import type { EcsFieldMap } from '@kbn/alerts-as-data-utils'; import type { TypeOfFieldMap } from '@kbn/rule-registry-plugin/common/field_map'; import type { Status } from '../../../../common/detection_engine/schemas/common/schemas'; import type { From 044018e3a5bc2b7123d771ffbf3f90a0e19b838f Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 15 Feb 2023 13:26:50 -0500 Subject: [PATCH 38/49] Not using multi_field --- .../src/field_maps/ecs_field_map.ts | 1 - .../src/field_maps/index.ts | 2 +- .../src/field_maps/types.ts | 8 ------ .../field_maps/mapping_from_field_map.test.ts | 25 +------------------ .../field_maps/mapping_from_field_map.ts | 23 +++-------------- 5 files changed, 5 insertions(+), 54 deletions(-) diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts index ecbf8f31115ae3..a0d2321f396374 100644 --- a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts 
@@ -19,7 +19,6 @@ export const ecsFieldMap: FieldMap = Object.keys(EcsFlat).reduce((acc, currKey) required: !!value.required, ...(value.scaling_factor ? { scaling_factor: value.scaling_factor } : {}), ...(value.ignore_above ? { ignore_above: value.ignore_above } : {}), - ...(value.multi_fields ? { multi_fields: value.multi_fields } : {}), ...(value.doc_values != null ? { doc_values: value.doc_values } : {}), ...(value.index != null ? { index: value.index } : {}), }, diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts index 9aef7690b343ca..f956bd661f2408 100644 --- a/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts @@ -9,4 +9,4 @@ export * from './alert_field_map'; export * from './ecs_field_map'; export * from './legacy_alert_field_map'; -export type { FieldMap, MultiField } from './types'; +export type { FieldMap } from './types'; diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts index 6e66a72d224b82..1c2465b5c96c4e 100644 --- a/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts +++ b/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts @@ -11,12 +11,6 @@ export interface AllowedValue { name?: string; } -export interface MultiField { - flat_name: string; - name: string; - type: string; -} - export interface EcsMetadata { allowed_values?: AllowedValue[]; dashed_name: string; @@ -27,7 +21,6 @@ export interface EcsMetadata { ignore_above?: number; index?: boolean; level: string; - multi_fields?: MultiField[]; name: string; normalize: string[]; required?: boolean; @@ -46,7 +39,6 @@ export interface FieldMap { format?: string; ignore_above?: number; index?: boolean; - multi_fields?: MultiField[]; path?: string; scaling_factor?: number; dynamic?: boolean | 'strict'; 
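Review bot: Removing the `multi_fields` spread means the generated ECS mapping loses the `.text` sub-fields that ECS declares on a number of keyword fields, and nothing in the hunk records that this is deliberate. A query or detection rule that targets one of those sub-fields in an alert index will then match nothing rather than fail loudly, so the omission should be documented at this line, e.g. `// multi_fields are intentionally not mapped on alert indices; query the parent keyword field instead`, with the actual reason (field-count budget, no full-text search need) supplied by the author. If any existing consumer does search text sub-fields of alert documents, this is the place to check before merging. The `reduce` callback this sits in starts and ends outside the hunk.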
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 52384880d8aa8f..e9d2eea6073d22 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -4,9 +4,8 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { alertFieldMap, legacyAlertFieldMap } from '@kbn/alerts-as-data-utils'; +import { alertFieldMap, legacyAlertFieldMap, type FieldMap } from '@kbn/alerts-as-data-utils'; import { mappingFromFieldMap } from './mapping_from_field_map'; -import type { FieldMap } from '@kbn/alerts-as-data-utils'; describe('mappingFromFieldMap', () => { const fieldMap: FieldMap = { @@ -26,19 +25,6 @@ describe('mappingFromFieldMap', () => { array: false, required: false, }, - multifield_field: { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'multifield_field.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, geopoint_field: { type: 'geo_point', array: false, @@ -131,15 +117,6 @@ describe('mappingFromFieldMap', () => { long_field: { type: 'long', }, - multifield_field: { - fields: { - text: { - type: 'match_only_text', - }, - }, - ignore_above: 1024, - type: 'keyword', - }, nested_array_field: { properties: { field1: { diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts index 1d56fb853bb3ed..7ed437ca11ac0d 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts 
@@ -7,7 +7,7 @@
 
 import type { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { set } from '@kbn/safer-lodash-set';
-import type { FieldMap, MultiField } from '@kbn/alerts-as-data-utils';
+import type { FieldMap } from '@kbn/alerts-as-data-utils';
 
 export function mappingFromFieldMap(
 fieldMap: FieldMap,
@@ -27,25 +27,8 @@ export function mappingFromFieldMap(
 });
 
 fields.forEach((field) => {
- // eslint-disable-next-line @typescript-eslint/naming-convention
- const { name, required, array, multi_fields, ...rest } = field;
-
- const mapped = multi_fields
- ? {
- ...rest,
- // eslint-disable-next-line @typescript-eslint/naming-convention
- fields: multi_fields.reduce((acc, multi_field: MultiField) => {
- return {
- ...acc,
- [multi_field.name]: {
- type: multi_field.type,
- },
- };
- }, {}),
- }
- : rest;
-
- set(mappings.properties, field.name.split('.').join('.properties.'), mapped);
+ const { name, required, array, ...rest } = field;
+ set(mappings.properties, field.name.split('.').join('.properties.'), rest);
 });
 
 return mappings;
From 8431ca0cf0f363d4c8615df5b69e8514886f984e Mon Sep 17 00:00:00 2001
From: Ying
Date: Wed, 15 Feb 2023 13:44:47 -0500
Subject: [PATCH 39/49] Fixing functional test

---
 .../spaces_only/tests/alerting/group4/alerts_as_data.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
index 0172e12a18af34..ad2c33b079b0aa 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data.ts
@@ -61,7 +61,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex
 number_of_shards: 1,
 mapping: {
 total_fields: {
- limit: 1000,
+ limit: 1500,
 },
 },
 },
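Review bot: In the rewritten forEach body, `name` is destructured out of `field` and then ignored while the next line reads `field.name` again; use the binding, `set(mappings.properties, name.split('.').join('.properties.'), rest);`, so the two lines agree on where the path comes from. Since `name`, `required` and `array` are now peeled off purely to keep them out of `rest`, a one-line comment above the destructuring would save the next reader a trip to the type, e.g. `// drop field-map metadata; whatever remains in rest is emitted verbatim as ES mapping parameters`. mappingFromFieldMap starts before this hunk, so the shape of `fields` is not visible here.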
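Review bot: The `total_fields.limit` bump to 1500 is a bare constant repeated here and in the `@@ -83`, `@@ -103` (2000 to 2500) and `@@ -144` hunks that follow, with nothing tying the new values to the field count that forced the change. Named constants at the top of the test with a comment on what the mappings now contain would make the next bump a one-line change and keep this mapping-explosion guard deliberate rather than guessed. createAlertsAsDataTest starts before this hunk, so where these index settings are applied is not visible here.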
@@ -83,7 +83,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex
 number_of_shards: 1,
 mapping: {
 total_fields: {
- limit: 1000,
+ limit: 1500,
 },
 },
 },
@@ -103,7 +103,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex
 number_of_shards: 1,
 mapping: {
 total_fields: {
- limit: 2000,
+ limit: 2500,
 },
 },
 },
@@ -144,7 +144,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex
 number_of_shards: 1,
 mapping: {
 total_fields: {
- limit: 1000,
+ limit: 1500,
 },
 },
 },
From e5379a217284bb482da71642742eb7d1f185b402 Mon Sep 17 00:00:00 2001
From: Ying
Date: Wed, 15 Feb 2023 16:15:38 -0500
Subject: [PATCH 40/49] Removing index and doc values fields

---
 .../kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts
index a0d2321f396374..fc82c75eb5019d 100644
--- a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts
+++ b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts
@@ -19,8 +19,6 @@ export const ecsFieldMap: FieldMap = Object.keys(EcsFlat).reduce((acc, currKey)
 required: !!value.required,
 ...(value.scaling_factor ? { scaling_factor: value.scaling_factor } : {}),
 ...(value.ignore_above ? { ignore_above: value.ignore_above } : {}),
- ...(value.doc_values != null ? { doc_values: value.doc_values } : {}),
- ...(value.index != null ? { index: value.index } : {}),
 },
 };
 }, {});
From d4201df948429e69fb812987233aa379bf814a59 Mon Sep 17 00:00:00 2001
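Review bot: After dropping the `doc_values` and `index` spreads, `ecsFieldMap` never populates `index`, yet the `FieldMap` and `EcsMetadata` interfaces in the earlier types.ts hunks still declare `index?: boolean`; either remove the property from the types as well or add a comment on the removed lines' position explaining why the ECS metadata's `index`/`doc_values` flags are deliberately not carried into the alerts mapping. The side effect worth confirming is that any ECS field whose metadata marks it `index: false` or `doc_values: false` will now be indexed and carry doc values in the generated mapping, which changes index size and makes those fields queryable. The reduce callback that builds `ecsFieldMap` starts before this hunk.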
From: Ying
Date: Thu, 16 Feb 2023 10:18:07 -0500
Subject: [PATCH 41/49] Keeping rule registry ecsFieldMap for now

---
 .../log_threshold/log_threshold_executor.ts | 4 +-
 .../ecs_component_template.ts | 25 +
 .../common/assets/field_maps/ecs_field_map.ts | 6151 +++++++++++++++++
 .../resource_installer.ts | 14 +-
 .../common/utils/field_formatters.ts | 2 +-
 .../factories/utils/strip_non_ecs_fields.ts | 2 +-
 .../lib/detection_engine/signals/types.ts | 2 +-
 .../common/utils/field_formatters.ts | 2 +-
 8 files changed, 6189 insertions(+), 13 deletions(-)
 create mode 100644 x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts
 create mode 100644 x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts

diff --git a/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts b/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts
index 4d2af0ea2e96de..37eb4698ff0891 100644
--- a/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts
+++ b/x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts
@@ -23,10 +23,10 @@ import {
 RuleTypeState,
 } from '@kbn/alerting-plugin/server';
 import { addSpaceIdToPath } from '@kbn/spaces-plugin/common';
-import { ecsFieldMap } from '@kbn/alerts-as-data-utils';
+
 import { ParsedTechnicalFields } from '@kbn/rule-registry-plugin/common';
 import { ParsedExperimentalFields } from '@kbn/rule-registry-plugin/common/parse_experimental_fields';
-
+import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map';
 import {
 RuleParams,
 ruleParamsRT,
diff --git a/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts b/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts
new file mode 100644
index 00000000000000..8f30e07a0d9dcf
--- /dev/null
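Review bot: The replacement import reaches into `@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map`, a deep path into another plugin, while the line just above already imports `ParsedTechnicalFields` from that plugin's `common` entry point; re-exporting `ecsFieldMap` from `@kbn/rule-registry-plugin/common` and importing it there would keep the plugin boundary intact and stop this rule type depending on the registry's internal file layout. The added blank line after the `addSpaceIdToPath` import and the removed one before the `import {` block also look like leftover churn from moving the line rather than an intended regrouping. If the `common` index is meant to stay lean, a short comment on why the deep import is acceptable would do instead.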
+++ b/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { merge } from 'lodash';
+import { mappingFromFieldMap } from '@kbn/alerting-plugin/common';
+import { ClusterPutComponentTemplateBody } from '../../types';
+import { ecsFieldMap } from '../field_maps/ecs_field_map';
+import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map';
+
+export const ecsComponentTemplate: ClusterPutComponentTemplateBody = {
+ template: {
+ settings: {
+ number_of_shards: 1,
+ 'index.mapping.total_fields.limit': 1700,
+ },
+ mappings: merge(
+ {},
+ mappingFromFieldMap(ecsFieldMap, 'strict'),
+ mappingFromFieldMap(technicalRuleFieldMap, 'strict')
+ ),
+ },
+};
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
new file mode 100644
index 00000000000000..eb4c977ab7f0d7
--- /dev/null
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
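Review bot: `merge({}, mappingFromFieldMap(ecsFieldMap, 'strict'), mappingFromFieldMap(technicalRuleFieldMap, 'strict'))` deep-merges the two mappings, so any field defined in both maps silently takes the `technicalRuleFieldMap` definition (the generated `ecsFieldMap` below starts with `'@timestamp'`, which the technical map plausibly declares too); a comment on the `mappings:` line should say that the later argument wins and that overlapping definitions are expected to agree, e.g. `// later arguments win: technicalRuleFieldMap overrides any ECS field of the same name`. The `'index.mapping.total_fields.limit': 1700` setting is likewise an unexplained number; stating how it relates to the size of the two field maps would show it was sized for them rather than loosening the mapping-explosion guard by a round margin. Whether the `'strict'` argument becomes `dynamic: 'strict'` in the emitted mapping is not visible in this hunk.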
@@ -0,0 +1,6151 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* This file is generated by x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js, +do not manually edit +*/ + +export const ecsFieldMap = { + '@timestamp': { + type: 'date', + array: false, + required: true, + }, + 'agent.build.original': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.id': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.name': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.type': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.version': { + type: 'keyword', + array: false, + required: false, + }, + 'client.address': { + type: 'keyword', + array: false, + required: false, + }, + 'client.as.number': { + type: 'long', + array: false, + required: false, + }, + 'client.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.bytes': { + type: 'long', + array: false, + required: false, + }, + 'client.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'client.geo.name': { + type: 'keyword', + array: 
false, + required: false, + }, + 'client.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'client.ip': { + type: 'ip', + array: false, + required: false, + }, + 'client.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'client.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'client.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'client.packets': { + type: 'long', + array: false, + required: false, + }, + 'client.port': { + type: 'long', + array: false, + required: false, + }, + 'client.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'cloud.account.id': { + type: 
'keyword', + array: false, + required: false, + }, + 'cloud.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 
'cloud.target.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'container.id': { + type: 'keyword', + array: false, + required: false, + }, + 'container.image.name': { + type: 'keyword', + array: false, + required: false, + }, + 'container.image.tag': { + type: 'keyword', + array: true, + required: false, + }, + 'container.labels': { + type: 'object', + array: false, + required: false, + }, + 'container.name': { + type: 'keyword', + array: false, + required: false, + }, + 'container.runtime': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.address': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.as.number': { + type: 'long', + array: false, + required: false, + }, + 'destination.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.bytes': { + type: 'long', + array: false, + required: false, + }, + 'destination.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.continent_code': { + type: 'keyword', + 
array: false, + required: false, + }, + 'destination.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'destination.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.ip': { + type: 'ip', + array: false, + required: false, + }, + 'destination.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'destination.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'destination.packets': { + type: 'long', + array: false, + required: false, + }, + 'destination.port': { + type: 'long', + array: false, + required: false, + }, + 'destination.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.group.domain': { + type: 'keyword', + array: false, + 
required: false, + }, + 'destination.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'dll.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'dll.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'dll.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'dll.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'dll.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.name': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.path': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.architecture': { + type: 
'keyword', + array: false, + required: false, + }, + 'dll.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.answers': { + type: 'object', + array: true, + required: false, + }, + 'dns.answers.class': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.answers.data': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.answers.name': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.answers.ttl': { + type: 'long', + array: false, + required: false, + }, + 'dns.answers.type': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.header_flags': { + type: 'keyword', + array: true, + required: false, + }, + 'dns.id': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.op_code': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.class': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.name': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.type': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.resolved_ip': { + type: 'ip', + array: true, + required: false, + }, + 'dns.response_code': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.type': { + type: 
'keyword', + array: false, + required: false, + }, + 'ecs.version': { + type: 'keyword', + array: false, + required: true, + }, + 'error.code': { + type: 'keyword', + array: false, + required: false, + }, + 'error.id': { + type: 'keyword', + array: false, + required: false, + }, + 'error.message': { + type: 'match_only_text', + array: false, + required: false, + }, + 'error.stack_trace': { + type: 'wildcard', + array: false, + required: false, + }, + 'error.type': { + type: 'keyword', + array: false, + required: false, + }, + 'event.action': { + type: 'keyword', + array: false, + required: false, + }, + 'event.agent_id_status': { + type: 'keyword', + array: false, + required: false, + }, + 'event.category': { + type: 'keyword', + array: true, + required: false, + }, + 'event.code': { + type: 'keyword', + array: false, + required: false, + }, + 'event.created': { + type: 'date', + array: false, + required: false, + }, + 'event.dataset': { + type: 'keyword', + array: false, + required: false, + }, + 'event.duration': { + type: 'long', + array: false, + required: false, + }, + 'event.end': { + type: 'date', + array: false, + required: false, + }, + 'event.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'event.id': { + type: 'keyword', + array: false, + required: false, + }, + 'event.ingested': { + type: 'date', + array: false, + required: false, + }, + 'event.kind': { + type: 'keyword', + array: false, + required: false, + }, + 'event.module': { + type: 'keyword', + array: false, + required: false, + }, + 'event.original': { + type: 'keyword', + array: false, + required: false, + }, + 'event.outcome': { + type: 'keyword', + array: false, + required: false, + }, + 'event.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'event.reason': { + type: 'keyword', + array: false, + required: false, + }, + 'event.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'event.risk_score': { + type: 'float', + 
array: false, + required: false, + }, + 'event.risk_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'event.sequence': { + type: 'long', + array: false, + required: false, + }, + 'event.severity': { + type: 'long', + array: false, + required: false, + }, + 'event.start': { + type: 'date', + array: false, + required: false, + }, + 'event.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'event.type': { + type: 'keyword', + array: true, + required: false, + }, + 'event.url': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.coldstart': { + type: 'boolean', + array: false, + required: false, + }, + 'faas.execution': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger': { + type: 'nested', + array: false, + required: false, + }, + 'faas.trigger.request_id': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 'file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'file.code_signature.valid': { + type: 'boolean', + array: false, + 
required: false, + }, + 'file.created': { + type: 'date', + array: false, + required: false, + }, + 'file.ctime': { + type: 'date', + array: false, + required: false, + }, + 'file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 'file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 
'file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'file.group': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mtime': { + type: 'date', + 
array: false, + required: false, + }, + 'file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'file.size': { + type: 'long', + array: false, + required: false, + }, + 'file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.not_after': { + type: 'date', + array: false, 
+ required: false, + }, + 'file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'host.boot.id': { + type: 'keyword', + array: false, + required: false, + }, + 'host.cpu.usage': { + type: 'scaled_float', + array: false, + required: false, + scaling_factor: 1000, + }, + 'host.disk.read.bytes': { + type: 'long', + array: 
false, + required: false, + }, + 'host.disk.write.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'host.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'host.hostname': { + type: 'keyword', + array: false, + required: false, + }, + 'host.id': { + type: 'keyword', + array: false, + required: false, + }, + 'host.ip': { + type: 'ip', + array: true, + required: false, + }, + 'host.mac': { + type: 'keyword', + array: true, + required: false, + }, + 'host.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.network.egress.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.network.egress.packets': { + type: 'long', + array: false, + required: false, + }, + 'host.network.ingress.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.network.ingress.packets': { + type: 'long', + array: false, + required: false, + }, + 'host.os.family': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.full': { + type: 
'keyword', + array: false, + required: false, + }, + 'host.os.kernel': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.platform': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.type': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.version': { + type: 'keyword', + array: false, + required: false, + }, + 'host.pid_ns_ino': { + type: 'keyword', + array: false, + required: false, + }, + 'host.risk.calculated_level': { + type: 'keyword', + array: false, + required: false, + }, + 'host.risk.calculated_score': { + type: 'float', + array: false, + required: false, + }, + 'host.risk.calculated_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'host.risk.static_level': { + type: 'keyword', + array: false, + required: false, + }, + 'host.risk.static_score': { + type: 'float', + array: false, + required: false, + }, + 'host.risk.static_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'host.type': { + type: 'keyword', + array: false, + required: false, + }, + 'host.uptime': { + type: 'long', + array: false, + required: false, + }, + 'http.request.body.bytes': { + type: 'long', + array: false, + required: false, + }, + 'http.request.body.content': { + type: 'wildcard', + array: false, + required: false, + }, + 'http.request.bytes': { + type: 'long', + array: false, + required: false, + }, + 'http.request.id': { + type: 'keyword', + array: false, + required: false, + }, + 'http.request.method': { + type: 'keyword', + array: false, + required: false, + }, + 'http.request.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'http.request.referrer': { + type: 'keyword', + array: false, + required: false, + }, + 'http.response.body.bytes': { + type: 'long', + array: false, + required: false, + }, + 'http.response.body.content': { + type: 'wildcard', + array: 
false, + required: false, + }, + 'http.response.bytes': { + type: 'long', + array: false, + required: false, + }, + 'http.response.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'http.response.status_code': { + type: 'long', + array: false, + required: false, + }, + 'http.version': { + type: 'keyword', + array: false, + required: false, + }, + labels: { + type: 'object', + array: false, + required: false, + }, + 'log.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'log.level': { + type: 'keyword', + array: false, + required: false, + }, + 'log.logger': { + type: 'keyword', + array: false, + required: false, + }, + 'log.origin.file.line': { + type: 'long', + array: false, + required: false, + }, + 'log.origin.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'log.origin.function': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog': { + type: 'object', + array: false, + required: false, + }, + 'log.syslog.facility.code': { + type: 'long', + array: false, + required: false, + }, + 'log.syslog.facility.name': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog.priority': { + type: 'long', + array: false, + required: false, + }, + 'log.syslog.severity.code': { + type: 'long', + array: false, + required: false, + }, + 'log.syslog.severity.name': { + type: 'keyword', + array: false, + required: false, + }, + message: { + type: 'match_only_text', + array: false, + required: false, + }, + 'network.application': { + type: 'keyword', + array: false, + required: false, + }, + 'network.bytes': { + type: 'long', + array: false, + required: false, + }, + 'network.community_id': { + type: 'keyword', + array: false, + required: false, + }, + 'network.direction': { + type: 'keyword', + array: false, + required: false, + }, + 'network.forwarded_ip': { + type: 'ip', + array: false, + required: false, + }, + 'network.iana_number': { + type: 'keyword', + array: 
false, + required: false, + }, + 'network.inner': { + type: 'object', + array: false, + required: false, + }, + 'network.inner.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'network.inner.vlan.name': { + type: 'keyword', + array: false, + required: false, + }, + 'network.name': { + type: 'keyword', + array: false, + required: false, + }, + 'network.packets': { + type: 'long', + array: false, + required: false, + }, + 'network.protocol': { + type: 'keyword', + array: false, + required: false, + }, + 'network.transport': { + type: 'keyword', + array: false, + required: false, + }, + 'network.type': { + type: 'keyword', + array: false, + required: false, + }, + 'network.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'network.vlan.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress': { + type: 'object', + array: false, + required: false, + }, + 'observer.egress.interface.alias': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.interface.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.interface.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.vlan.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.zone': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.location': { + type: 
'geo_point', + array: false, + required: false, + }, + 'observer.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.hostname': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress': { + type: 'object', + array: false, + required: false, + }, + 'observer.ingress.interface.alias': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.interface.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.interface.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.vlan.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.zone': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ip': { + type: 'ip', + array: true, + required: false, + }, + 'observer.mac': { + type: 'keyword', + array: true, + required: false, + }, + 'observer.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.family': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.full': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.kernel': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.platform': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.type': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.version': { + 
type: 'keyword', + array: false, + required: false, + }, + 'observer.product': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.type': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.vendor': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.version': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.api_version': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.id': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.name': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.url': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.version': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.namespace': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.organization': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.resource.id': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.resource.ip': { + type: 'ip', + array: true, + required: false, + }, + 'orchestrator.resource.name': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.resource.parent.type': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.resource.type': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.id': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'package.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'package.build_version': { + type: 'keyword', + array: false, + required: false, + 
}, + 'package.checksum': { + type: 'keyword', + array: false, + required: false, + }, + 'package.description': { + type: 'keyword', + array: false, + required: false, + }, + 'package.install_scope': { + type: 'keyword', + array: false, + required: false, + }, + 'package.installed': { + type: 'date', + array: false, + required: false, + }, + 'package.license': { + type: 'keyword', + array: false, + required: false, + }, + 'package.name': { + type: 'keyword', + array: false, + required: false, + }, + 'package.path': { + type: 'keyword', + array: false, + required: false, + }, + 'package.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'package.size': { + type: 'long', + array: false, + required: false, + }, + 'package.type': { + type: 'keyword', + array: false, + required: false, + }, + 'package.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'process.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'process.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'process.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'process.command_line': { + type: 'wildcard', + 
array: false, + required: false, + }, + 'process.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'process.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.type': { 
+ type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.end': { + type: 'date', + array: false, + required: false, + }, + 'process.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.exit_code': { + type: 'long', + array: false, + required: false, + }, + 'process.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'process.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.parent.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.exists': { + type: 'boolean', + array: 
false, + required: false, + }, + 'process.parent.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'process.parent.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'process.parent.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.parent.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.type': { + type: 'keyword', + 
array: false, + required: false, + }, + 'process.parent.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.parent.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.end': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.executable': { + type: 'keyword', + array: false, + required: false, + }, + 
'process.parent.exit_code': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.start': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.thread.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.working_directory': { + type: 'keyword', + array: false, + required: false, + 
}, + 'process.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.session_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.start': { + type: 'date', + array: false, + required: false, + }, + 'process.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.thread.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'related.hash': { + type: 'keyword', + array: true, 
+ required: false, + }, + 'related.hosts': { + type: 'keyword', + array: true, + required: false, + }, + 'related.ip': { + type: 'ip', + array: true, + required: false, + }, + 'related.user': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.author': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.category': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.description': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.id': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.license': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.name': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.ruleset': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.uuid': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.version': { + type: 'keyword', + array: false, + required: false, + }, + 'server.address': { + type: 'keyword', + array: false, + required: false, + }, + 'server.as.number': { + type: 'long', + array: false, + required: false, + }, + 'server.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.bytes': { + type: 'long', + array: false, + required: false, + }, + 'server.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 
'server.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'server.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'server.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'server.packets': { + type: 'long', + array: false, + required: false, + }, + 'server.port': { + type: 'long', + array: false, + required: false, + }, + 'server.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.roles': { + type: 'keyword', + array: true, + required: 
false, + }, + 'service.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.state': { + type: 'keyword', + array: false, + required: 
false, + }, + 'service.target.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.version': { + type: 'keyword', + array: false, + required: false, + }, + 'source.address': { + type: 'keyword', + array: false, + required: false, + }, + 'source.as.number': { + type: 'long', + array: false, + required: false, + }, + 'source.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.bytes': { + type: 'long', + array: false, + required: false, + }, + 'source.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'source.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'source.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'source.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.nat.port': { + type: 
'long', + array: false, + required: false, + }, + 'source.packets': { + type: 'long', + array: false, + required: false, + }, + 'source.port': { + type: 'long', + array: false, + required: false, + }, + 'source.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'span.id': { + type: 'keyword', + array: false, + required: false, + }, + tags: { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator': { + type: 'object', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.number': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.confidence': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.email.address': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.created': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.ctime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.group': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, 
+ }, + 'threat.enrichments.indicator.file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.first_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_iso_code': { + type: 
'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.ip': { + type: 'ip', + array: false, + required: false, + }, + 'threat.enrichments.indicator.last_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.marking.tlp': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.modified_at': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.enrichments.indicator.registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.scanner_stats': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.sightings': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.original': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.password': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.path': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.query': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.scheme': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.top_level_domain': { + type: 'keyword', + 
array: false, + required: false, + }, + 'threat.enrichments.indicator.url.username': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.signature_algorithm': { + type: 'keyword', + array: false, + 
required: false, + }, + 'threat.enrichments.indicator.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.atomic': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.field': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.index': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.framework': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.group.alias': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.group.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.as.number': { + type: 'long', + array: false, + required: false, + }, + 
'threat.indicator.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.confidence': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.email.address': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.indicator.file.created': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.ctime': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.indicator.file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.indicator.file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.indicator.file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.indicator.file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.indicator.file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.group': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.indicator.file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 
'threat.indicator.file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.indicator.file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.first_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'threat.indicator.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.ip': { + type: 'ip', + array: false, + required: false, + }, + 'threat.indicator.last_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.marking.tlp': { + type: 'keyword', + array: false, + 
required: false, + }, + 'threat.indicator.modified_at': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.indicator.registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.scanner_stats': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.sightings': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.indicator.url.original': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.indicator.url.password': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.path': { + type: 'wildcard', + array: false, + 
required: false, + }, + 'threat.indicator.url.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.url.query': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.scheme': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.username': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.indicator.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.alias': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.software.id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.platforms': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.software.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.tactic.id': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.tactic.name': { + type: 'keyword', + array: true, + required: false, + }, + 
'threat.tactic.reference': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.id': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.reference': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.subtechnique.id': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.subtechnique.name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.subtechnique.reference': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.cipher': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.certificate': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.certificate_chain': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.issuer': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.ja3': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.not_after': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.server_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.subject': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.supported_ciphers': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 
'tls.client.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'tls.client.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'tls.client.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + 
}, + 'tls.client.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.curve': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.established': { + type: 'boolean', + array: false, + required: false, + }, + 'tls.next_protocol': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.resumed': { + type: 'boolean', + array: false, + required: false, + }, + 'tls.server.certificate': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.certificate_chain': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.issuer': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.ja3s': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.not_after': { + type: 'date', + array: false, + required: false, + }, + 'tls.server.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.server.subject': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 
'tls.server.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'tls.server.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.server.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'tls.server.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'tls.server.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.version': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.version_protocol': { + type: 'keyword', + array: false, + required: false, + }, + 'trace.id': { + type: 
'keyword', + array: false, + required: false, + }, + 'transaction.id': { + type: 'keyword', + array: false, + required: false, + }, + 'url.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 'url.original': { + type: 'wildcard', + array: false, + required: false, + }, + 'url.password': { + type: 'keyword', + array: false, + required: false, + }, + 'url.path': { + type: 'wildcard', + array: false, + required: false, + }, + 'url.port': { + type: 'long', + array: false, + required: false, + }, + 'url.query': { + type: 'keyword', + array: false, + required: false, + }, + 'url.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.scheme': { + type: 'keyword', + array: false, + required: false, + }, + 'url.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.username': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.name': { + type: 'keyword', + array: false, + 
required: false, + }, + 'user.changes.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.risk.calculated_level': { + type: 'keyword', + array: false, + required: false, + }, + 'user.risk.calculated_score': { + type: 'float', + array: false, + required: false, + }, + 'user.risk.calculated_score_norm': { + type: 'float', + array: false, + required: false, + }, + 
'user.risk.static_level': { + type: 'keyword', + array: false, + required: false, + }, + 'user.risk.static_score': { + type: 'float', + array: false, + required: false, + }, + 'user.risk.static_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'user.target.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'user_agent.device.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.original': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.family': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.full': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.kernel': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.platform': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.type': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.version': { 
+ type: 'keyword', + array: false, + required: false, + }, + 'user_agent.version': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.category': { + type: 'keyword', + array: true, + required: false, + }, + 'vulnerability.classification': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.description': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.enumeration': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.id': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.report_id': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.scanner.vendor': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.score.base': { + type: 'float', + array: false, + required: false, + }, + 'vulnerability.score.environmental': { + type: 'float', + array: false, + required: false, + }, + 'vulnerability.score.temporal': { + type: 'float', + array: false, + required: false, + }, + 'vulnerability.score.version': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.severity': { + type: 'keyword', + array: false, + required: false, + }, +} as const; + +export type EcsFieldMap = typeof ecsFieldMap; diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts index a665c57302a0e9..740df8e2040934 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts 
@@ -15,17 +15,16 @@ import type { PublicMethodsOf } from '@kbn/utility-types'; import { DEFAULT_ALERTS_ILM_POLICY, DEFAULT_ALERTS_ILM_POLICY_NAME, - ECS_CONTEXT, - getComponentTemplate, + ECS_COMPONENT_TEMPLATE_NAME, } from '@kbn/alerting-plugin/server'; -import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; import { TECHNICAL_COMPONENT_TEMPLATE_NAME } from '../../common/assets'; import { technicalComponentTemplate } from '../../common/assets/component_templates/technical_component_template'; +import { ecsComponentTemplate } from '../../common/assets/component_templates/ecs_component_template'; import type { IndexInfo } from './index_info'; const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes -const TOTAL_FIELDS_LIMIT = 2500; +const TOTAL_FIELDS_LIMIT = 1900; interface ConstructorOptions { getResourceName(relativeName: string): string; getClusterClient: () => Promise; @@ -111,9 +110,10 @@ export class ResourceInstaller { name: DEFAULT_ALERTS_ILM_POLICY_NAME, body: DEFAULT_ALERTS_ILM_POLICY, }), - this.createOrUpdateComponentTemplate( - getComponentTemplate(ecsFieldMap, ECS_CONTEXT) - ), + this.createOrUpdateComponentTemplate({ + name: ECS_COMPONENT_TEMPLATE_NAME, + body: ecsComponentTemplate, + }), ]), this.createOrUpdateComponentTemplate({ name: TECHNICAL_COMPONENT_TEMPLATE_NAME, diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.ts index 0059271d0d122c..65fc3871c7fc38 100644 --- a/x-pack/plugins/security_solution/common/utils/field_formatters.ts +++ b/x-pack/plugins/security_solution/common/utils/field_formatters.ts 
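Review bot: The drop of `TOTAL_FIELDS_LIMIT` from 2500 to 1900 in the first hunk carries no comment explaining what the value is derived from, and the same constant is flipped back to 2500 by the later commit on line 287 whose message calls it temporary, so the number appears to be hand-tuned against whatever the merged component templates happen to contain. Since this installer also pushes settings to existing concrete indices (the putSettings call visible in the later hunk), an undersized value surfaces at runtime as a rejected composed template rather than at build time. Please document the relationship, e.g. `// Must cover the combined field count of the ECS, technical and per-context component templates; ES rejects the composed index template when exceeded`, and consider keeping the limit in one shared place rather than a literal that two plugins must agree on. The `ResourceInstaller` class and `createOrUpdateComponentTemplate` are outside the hunk, so I cannot tell whether the limit is also validated there.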
@@ -5,7 +5,7 @@ * 2.0. */ -import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; +import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; import { isEmpty } from 'lodash/fp'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts index 7c95bf4f5df2b4..975b2b643a4e78 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/strip_non_ecs_fields.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; +import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; import { isPlainObject, cloneDeep, isArray } from 'lodash'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts index 95b7aca017b9ca..877239af49a9a5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts 
@@ -17,7 +17,7 @@ import type { RuleExecutorServices, } from '@kbn/alerting-plugin/server'; import type { ListClient } from '@kbn/lists-plugin/server'; -import type { EcsFieldMap } from '@kbn/alerts-as-data-utils'; +import type { EcsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; import type { TypeOfFieldMap } from '@kbn/rule-registry-plugin/common/field_map'; import type { Status } from '../../../../common/detection_engine/schemas/common/schemas'; import type { diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.ts b/x-pack/plugins/timelines/common/utils/field_formatters.ts index 622254fff270cd..49590bfea54c1a 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.ts @@ -8,7 +8,7 @@ import { isEmpty } from 'lodash/fp'; import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils'; -import { ecsFieldMap } from '@kbn/alerts-as-data-utils'; +import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map'; import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; import { EventHit, TimelineEventsDetailsItem } from '../search_strategy'; From 2345ebab381a9fae85783b613b7c6a1f0e7ae34c Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 16 Feb 2023 15:25:18 +0000 Subject: [PATCH 42/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- x-pack/plugins/infra/tsconfig.json | 1 - x-pack/plugins/timelines/tsconfig.json | 1 - 2 files changed, 2 deletions(-) diff --git a/x-pack/plugins/infra/tsconfig.json b/x-pack/plugins/infra/tsconfig.json index 43b614459c4682..ac7aba61f8b8dc 100644 --- a/x-pack/plugins/infra/tsconfig.json +++ b/x-pack/plugins/infra/tsconfig.json 
@@ -54,7 +54,6 @@ "@kbn/core-analytics-server", "@kbn/analytics-client", "@kbn/shared-ux-router", - "@kbn/alerts-as-data-utils" ], "exclude": ["target/**/*"] } diff --git a/x-pack/plugins/timelines/tsconfig.json b/x-pack/plugins/timelines/tsconfig.json index 0ed48b0e3d1132..288701db08c55a 100644 --- a/x-pack/plugins/timelines/tsconfig.json +++ b/x-pack/plugins/timelines/tsconfig.json @@ -32,7 +32,6 @@ "@kbn/i18n", "@kbn/security-plugin", "@kbn/safer-lodash-set", - "@kbn/alerts-as-data-utils", ], "exclude": [ "target/**/*", From f3115236d978f491e287d8beaaa5aa1d9778fe4c Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 16 Feb 2023 12:07:57 -0500 Subject: [PATCH 43/49] temporarily updating ecs_flat and upping field limit --- packages/kbn-ecs/generated/ecs_flat.ts | 21 +++++++++++++++---- .../resource_installer.ts | 5 +++-- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/packages/kbn-ecs/generated/ecs_flat.ts b/packages/kbn-ecs/generated/ecs_flat.ts index 63ce568d0d6f52..0756c8b2184a1c 100644 --- a/packages/kbn-ecs/generated/ecs_flat.ts +++ b/packages/kbn-ecs/generated/ecs_flat.ts 
@@ -13765,14 +13765,27 @@ export const EcsFlat = { short: 'Date/time indicator was last reported.', type: 'date', }, - 'threat.enrichments.indicator.marking.tlp.version': { - dashed_name: 'threat-enrichments-indicator-marking-tlp-version', + 'threat.enrichments.indicator.marking.tlp': { + dashed_name: 'threat-enrichments-indicator-marking-tlp', + description: 'Traffic Light Protocol sharing markings.', + example: 'CLEAR', + expected_values: ['WHITE', 'CLEAR', 'GREEN', 'AMBER', 'AMBER+STRICT', 'RED'], + flat_name: 'threat.enrichments.indicator.marking.tlp', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.marking.tlp', + normalize: [], + short: 'Indicator TLP marking', + type: 'keyword', + }, + 'threat.enrichments.indicator.marking.tlp_version': { + dashed_name: 'threat-enrichments-indicator-marking-tlp_version', description: 'Traffic Light Protocol version.', example: 2, - flat_name: 'threat.enrichments.indicator.marking.tlp.version', + flat_name: 'threat.enrichments.indicator.marking.tlp_version', ignore_above: 1024, level: 'extended', - name: 'enrichments.indicator.marking.tlp.version', + name: 'enrichments.indicator.marking.tlp_version', normalize: [], short: 'Indicator TLP version', type: 'keyword', diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts index 740df8e2040934..592b8e54285f26 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts 
@@ -24,7 +24,7 @@ import { ecsComponentTemplate } from '../../common/assets/component_templates/ec import type { IndexInfo } from './index_info'; const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes -const TOTAL_FIELDS_LIMIT = 1900; +const TOTAL_FIELDS_LIMIT = 2500; interface ConstructorOptions { getResourceName(relativeName: string): string; getClusterClient: () => Promise; @@ -170,7 +170,7 @@ export class ResourceInstaller { const aliases = indexInfo.basePattern; const backingIndices = indexInfo.getPatternForBackingIndices(namespace); - logger.debug(`Updating mappings of existing concrete indices for ${indexInfo.baseName}`); + logger.info(`Updating mappings of existing concrete indices for ${indexInfo.baseName}`); // Find all concrete indices for all namespaces of the index. const concreteIndices = await this.fetchConcreteIndices(aliases, backingIndices); @@ -185,6 +185,7 @@ export class ResourceInstaller { const clusterClient = await getClusterClient(); try { + console.log(`PUTTING updated field limit`); await clusterClient.indices.putSettings({ index, body: { From ab6977f49e8bcc59c5672d8e2f58890412fc135f Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 16 Feb 2023 13:58:26 -0500 Subject: [PATCH 44/49] wip --- .../server/rule_data_plugin_service/resource_installer.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts index 592b8e54285f26..0ffeaa3db77339 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts @@ -185,7 +185,6 @@ export class ResourceInstaller { const clusterClient = await getClusterClient(); try { - console.log(`PUTTING updated field limit`); await clusterClient.indices.putSettings({ index, body: { 
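Review bot: The promotion of `logger.debug` to `logger.info` for "Updating mappings of existing concrete indices" in the second hunk looks like it was raised together with the `console.log` that the following commit removes; if it served the same debugging purpose it should go back to `logger.debug(...)`, since this message is emitted on every installation pass rather than on an exceptional condition. If the higher level is intentional, a short comment on why operators need it at info would help. The rest of the method that follows (`fetchConcreteIndices` and the putSettings loop) is outside the hunk.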
From 54c7aa8b818491eb8a9ad5cef2d70c027c46ba4a Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 16 Feb 2023 16:24:43 -0500 Subject: [PATCH 45/49] Updating index template field mapping limit on error and retrying component template installation --- .../alerts_service/alerts_service.test.ts | 93 +++++++++++++++++++ .../server/alerts_service/alerts_service.ts | 67 ++++++++++++- 2 files changed, 157 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 380afb8c8e47aa..ca64faa7c51ea7 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -6,6 +6,7 @@ */ import { elasticsearchServiceMock, loggingSystemMock } from '@kbn/core/server/mocks'; +import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks'; import { errors as EsErrors } from '@elastic/elasticsearch'; import { ReplaySubject, Subject } from 'rxjs'; import { AlertsService } from './alerts_service'; 
@@ -209,6 +210,98 @@ describe('Alerts Service', () => {
 expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 });
+ test('should update index template field limit and retry initialization if creating/updating common component template fails with field limit error', async () => {
+ clusterClient.cluster.putComponentTemplate.mockRejectedValueOnce(
+ new EsErrors.ResponseError(
+ elasticsearchClientMock.createApiResponse({
+ statusCode: 400,
+ body: {
+ error: {
+ root_cause: [
+ {
+ type: 'illegal_argument_exception',
+ reason:
+ 'updating component template [.alerts-ecs-mappings] results in invalid composable template [.alerts-security.alerts-default-index-template] after templates are merged',
+ },
+ ],
+ type: 'illegal_argument_exception',
+ reason:
+ 'updating component template [.alerts-ecs-mappings] results in invalid composable template [.alerts-security.alerts-default-index-template] after templates are merged',
+ caused_by: {
+ type: 'illegal_argument_exception',
+ reason:
+ 'composable template [.alerts-security.alerts-default-index-template] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid',
+ caused_by: {
+ type: 'illegal_argument_exception',
+ reason:
+ 'invalid composite mappings for [.alerts-security.alerts-default-index-template]',
+ caused_by: {
+ type: 'illegal_argument_exception',
+ reason: 'Limit of total fields [1900] has been exceeded',
+ },
+ },
+ },
+ },
+ },
+ })
+ )
+ );
+ const existingIndexTemplate = {
+ name: 'test-template',
+ index_template: {
+ index_patterns: ['test*'],
+ composed_of: ['.alerts-framework-mappings'],
+ template: {
+ settings: {
+ auto_expand_replicas: '0-1',
+ hidden: true,
+ 'index.lifecycle': {
+ name: '.alerts-ilm-policy',
+ rollover_alias: `.alerts-empty-default`,
+ },
+ 'index.mapping.total_fields.limit': 1800,
+ },
+ mappings: {
+ dynamic: false,
+ },
+ },
+ },
+ };
+
clusterClient.indices.getIndexTemplate.mockResolvedValueOnce({
+ index_templates: [existingIndexTemplate],
+ });
+ const alertsService = new AlertsService({
+ logger,
+ elasticsearchClientPromise: Promise.resolve(clusterClient),
+ pluginStop$,
+ });
+
+ alertsService.initialize();
+ await new Promise((r) => setTimeout(r, 50));
+
+ expect(alertsService.isInitialized()).toEqual(true);
+ expect(clusterClient.indices.getIndexTemplate).toHaveBeenCalledTimes(1);
+ expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(1);
+ expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith({
+ name: existingIndexTemplate.name,
+ body: {
+ ...existingIndexTemplate.index_template,
+ template: {
+ ...existingIndexTemplate.index_template.template,
+ settings: {
+ ...existingIndexTemplate.index_template.template?.settings,
+ 'index.mapping.total_fields.limit': 2500,
+ },
+ },
+ },
+ });
+
+ expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
+ // 3x for framework, legacy-alert and ecs mappings, then 1 extra time to update component template
+ // after updating index template field limit
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4);
+ });
+
 test('should install resources for contexts awaiting initialization when common resources are initialized', async () => {
 const alertsService = new AlertsService({
 logger,
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
index 010c4db5c3ac41..22cb9f4df18840 100644
--- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
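Review bot: The new test exercises only the retry branch of the field-limit handling; there is no case where `putComponentTemplate` rejects with a nested `caused_by.reason` that is not a field-limit message, so a regression that retried or swallowed unrelated errors would still pass. A sibling test rejecting with a different `reason` and asserting `expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled();` would pin the rethrow path. The `await new Promise((r) => setTimeout(r, 50))` wait makes the assertions timing-dependent; if the neighbouring tests already rely on that pattern it is consistent, otherwise awaiting whatever `initialize()` exposes would be more robust. Separately, the mocked error text names `.alerts-ecs-mappings` while, per the comment on the call count, the rejected first call is the framework template listed in `existingIndexTemplate.composed_of`; harmless for the regex, but aligning the fixture text with the scenario avoids confusing the next reader.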
@@ -19,6 +19,8 @@ import {
 legacyAlertFieldMap,
 type FieldMap,
 } from '@kbn/alerts-as-data-utils';
+import { IndicesGetIndexTemplateIndexTemplateItem } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { asyncForEach } from '@kbn/std';
 import {
 DEFAULT_ALERTS_ILM_POLICY_NAME,
 DEFAULT_ALERTS_ILM_POLICY,
@@ -234,6 +236,62 @@ export class AlertsService implements IAlertsService {
 }
 }
+ private async getIndexTemplatesUsingComponentTemplate(
+ esClient: ElasticsearchClient,
+ componentTemplateName: string
+ ) {
+ // Get all index templates and filter down to just the ones referencing this component template
+ const { index_templates: indexTemplates } = await esClient.indices.getIndexTemplate();
+ const indexTemplatesUsingComponentTemplate = (indexTemplates ?? []).filter(
+ (indexTemplate: IndicesGetIndexTemplateIndexTemplateItem) =>
+ indexTemplate.index_template.composed_of.includes(componentTemplateName)
+ );
+ await asyncForEach(
+ indexTemplatesUsingComponentTemplate,
+ async (template: IndicesGetIndexTemplateIndexTemplateItem) => {
+ await esClient.indices.putIndexTemplate({
+ name: template.name,
+ body: {
+ ...template.index_template,
+ template: {
+ ...template.index_template.template,
+ settings: {
+ ...template.index_template.template?.settings,
+ 'index.mapping.total_fields.limit': TOTAL_FIELDS_LIMIT,
+ },
+ },
+ },
+ });
+ }
+ );
+ }
+
+ private async createOrUpdateComponentTemplateHelper(
+ esClient: ElasticsearchClient,
+ template: ClusterPutComponentTemplateRequest
+ ) {
+ try {
+ await esClient.cluster.putComponentTemplate(template);
+ } catch (error) {
+ const reason = error?.meta?.body?.error?.caused_by?.caused_by?.caused_by?.reason;
+ if (reason && reason.match(/Limit of total fields \[\d+\] has been exceeded/) != null) {
+ // This error message occurs when there is an index template using this component template
+ // that contains a field limit setting that using this component template exceeds
+ // Specifically, this can happen for the ECS component template when we add new fields
+ // to adhere to the ECS spec. Individual index templates specify field limits so if the
+ // number of new ECS fields pushes the composed mapping above the limit, this error will
+ // occur.
We have to update the field limit inside the index template now otherwise we
+ can never update the component template
+ await this.getIndexTemplatesUsingComponentTemplate(esClient, template.name);
+
+ // Try to update the component template again
+ await esClient.cluster.putComponentTemplate(template);
+ } else {
+ throw error;
+ }
+ }
+ }
+
 private async createOrUpdateComponentTemplate(
 esClient: ElasticsearchClient,
 template: ClusterPutComponentTemplateRequest
@@ -241,9 +299,12 @@ export class AlertsService implements IAlertsService {
 this.options.logger.info(`Installing component template ${template.name}`);
 try {
- await retryTransientEsErrors(() => esClient.cluster.putComponentTemplate(template), {
- logger: this.options.logger,
- });
+ await retryTransientEsErrors(
+ () => this.createOrUpdateComponentTemplateHelper(esClient, template),
+ {
+ logger: this.options.logger,
+ }
+ );
 } catch (err) {
 this.options.logger.error(
 `Error installing component template ${template.name} - ${err.message}`
From 19d5c96bae82039665c147df63d4c5e66272edec Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 16 Feb 2023 21:37:37 +0000 Subject: [PATCH 46/49] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix'
---
 x-pack/plugins/alerting/tsconfig.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/x-pack/plugins/alerting/tsconfig.json b/x-pack/plugins/alerting/tsconfig.json
index 08524ee24ea582..6fed19209ad122 100644
--- a/x-pack/plugins/alerting/tsconfig.json
+++ b/x-pack/plugins/alerting/tsconfig.json
@@ -40,6 +40,7 @@
 "@kbn/share-plugin",
 "@kbn/safer-lodash-set",
 "@kbn/alerts-as-data-utils",
+ "@kbn/core-elasticsearch-client-server-mocks",
 ],
 "exclude": [
 "target/**/*",
From 6c5f8753d371e2e5897aa5eb852ff6fa864eae82 Mon Sep 17 00:00:00 2001
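Review bot: `getIndexTemplatesUsingComponentTemplate` writes `TOTAL_FIELDS_LIMIT` into every index template that composes the component template unconditionally, so a template whose operator had already set a higher `index.mapping.total_fields.limit` would be lowered, and the write happens silently inside an error path even though this setting is what bounds mapping growth on the alert indices. Reading the current value first, e.g. `const current = Number(template.index_template.template?.settings?.['index.mapping.total_fields.limit'] ?? 0);` and writing `Math.max(current, TOTAL_FIELDS_LIMIT)` (a cast may be needed depending on the client's settings typing), together with a `this.options.logger.info(\`Raising total_fields limit on index template ${template.name}\`)` per PUT, would keep the change monotonic and auditable. The method name reads as a getter although it performs the PUTs; a name such as `updateFieldLimitOnIndexTemplatesUsingComponentTemplate`, or at least a leading comment `// Raises the field limit on every index template composed of this component template`, would make the side effect visible at the call site in `createOrUpdateComponentTemplateHelper`. The whole-template read-modify-write also carries no version guard, so a concurrent template change could be overwritten; likely acceptable during plugin start, but worth stating in a comment. `createOrUpdateComponentTemplate` continues past the hunk.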
From: Ying Date: Tue, 21 Feb 2023 13:10:01 -0500 Subject: [PATCH 47/49] Cleanup
---
 .../server/rule_data_plugin_service/resource_installer.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
index 0ffeaa3db77339..59c74b81712d8f 100644
--- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
+++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
@@ -170,7 +170,7 @@ export class ResourceInstaller {
 const aliases = indexInfo.basePattern;
 const backingIndices = indexInfo.getPatternForBackingIndices(namespace);
- logger.info(`Updating mappings of existing concrete indices for ${indexInfo.baseName}`);
+ logger.debug(`Updating mappings of existing concrete indices for ${indexInfo.baseName}`);
 // Find all concrete indices for all namespaces of the index.
 const concreteIndices = await this.fetchConcreteIndices(aliases, backingIndices);
From 9e77b995d0bc06388765b66bc7306b0a5d1bf65e Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Tue, 21 Feb 2023 14:55:48 -0500 Subject: [PATCH 48/49] Update x-pack/plugins/alerting/server/alerts_service/types.ts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Mike Côté
---
 x-pack/plugins/alerting/server/alerts_service/types.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts
index 6073c288208562..aeb73cab6ffd21 100644
--- a/x-pack/plugins/alerting/server/alerts_service/types.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/types.ts
@@ -10,7 +10,7 @@ import type { FieldMap } from '@kbn/alerts-as-data-utils';
 import { getComponentTemplateFromFieldMap } from '../../common';
 export const getComponentTemplateName = (context?: string) =>
- `.alerts-${context ? `${context}` : 'framework'}-mappings`;
+ `.alerts-${context || 'framework'}-mappings`;
 export interface IIndexPatternString {
 template: string;
From b9ac0f47fa0bb190f27e6c20be9bec2631f36d65 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 22 Feb 2023 15:12:06 -0500 Subject: [PATCH 49/49] Restoring multi_fields
---
 .../src/field_maps/ecs_field_map.ts | 1 +
 .../src/field_maps/index.ts | 2 +-
 .../src/field_maps/types.ts | 8 +++++++
 .../field_maps/mapping_from_field_map.test.ts | 22 +++++++++++++++++++
 .../field_maps/mapping_from_field_map.ts | 22 ++++++++++++++++---
 5 files changed, 51 insertions(+), 4 deletions(-)
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts
index fc82c75eb5019d..9294a12b4ce508 100644
--- a/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts
+++ b/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts
@@ -19,6 +19,7 @@ export const ecsFieldMap: FieldMap = Object.keys(EcsFlat).reduce((acc, currKey)
 required: !!value.required,
 ...(value.scaling_factor ? { scaling_factor: value.scaling_factor } : {}),
 ...(value.ignore_above ? { ignore_above: value.ignore_above } : {}),
+ ...(value.multi_fields ? { multi_fields: value.multi_fields } : {}),
 },
 };
 }, {});
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts
index f956bd661f2408..9aef7690b343ca 100644
--- a/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts
+++ b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts
@@ -9,4 +9,4 @@
 export * from './alert_field_map';
 export * from './ecs_field_map';
 export * from './legacy_alert_field_map';
-export type { FieldMap } from './types';
+export type { FieldMap, MultiField } from './types';
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts
index 1c2465b5c96c4e..04f9d045f6e28a 100644
--- a/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts
+++ b/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts
@@ -11,6 +11,12 @@ export interface AllowedValue {
 name?: string;
 }
+export interface MultiField {
+ flat_name: string;
+ name: string;
+ type: string;
+}
+
 export interface EcsMetadata {
 allowed_values?: AllowedValue[];
 dashed_name: string;
@@ -21,6 +27,7 @@ export interface EcsMetadata {
 ignore_above?: number;
 index?: boolean;
 level: string;
+ multi_fields?: MultiField[];
 name: string;
 normalize: string[];
 required?: boolean;
@@ -38,6 +45,7 @@ export interface FieldMap {
 enabled?: boolean;
 format?: string;
 ignore_above?: number;
+ multi_fields?: MultiField[];
 index?: boolean;
 path?: string;
 scaling_factor?: number;
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
index e9d2eea6073d22..f5eeeb8ba6c35c 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -25,6 +25,19 @@ describe('mappingFromFieldMap', () => {
 array: false,
 required: false,
 },
+ multifield_field: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ flat_name: 'multifield_field.text',
+ name: 'text',
+ type: 'match_only_text',
+ },
+ ],
+ },
+
 geopoint_field: {
 type: 'geo_point',
 array: false,
@@ -104,6 +117,15 @@ describe('mappingFromFieldMap', () => {
 date_field: {
 type: 'date',
 },
+ multifield_field: {
+ fields: {
+ text: {
+ type: 'match_only_text',
+ },
+ },
+ ignore_above: 1024,
+ type: 'keyword',
+ },
 geopoint_field: {
 type: 'geo_point',
 },
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts
index 7ed437ca11ac0d..9d1db8e577aa53 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts
@@ -7,7 +7,7 @@
 import type { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { set } from '@kbn/safer-lodash-set';
-import type { FieldMap } from '@kbn/alerts-as-data-utils';
+import type { FieldMap, MultiField } from '@kbn/alerts-as-data-utils';
 export function mappingFromFieldMap(
 fieldMap: FieldMap,
@@ -27,8 +27,24 @@ export function mappingFromFieldMap(
 });
 fields.forEach((field) => {
- const { name, required, array, ...rest } = field;
- set(mappings.properties, field.name.split('.').join('.properties.'), rest);
+ // eslint-disable-next-line @typescript-eslint/naming-convention
+ const { name, required, array, multi_fields, ...rest } = field;
+ const mapped = multi_fields
+ ? {
+ ...rest,
+ // eslint-disable-next-line @typescript-eslint/naming-convention
+ fields: multi_fields.reduce((acc, multi_field: MultiField) => {
+ return {
+ ...acc,
+ [multi_field.name]: {
+ type: multi_field.type,
+ },
+ };
+ }, {}),
+ }
+ : rest;
+
+ set(mappings.properties, field.name.split('.').join('.properties.'), mapped);
 });
 return mappings;
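Review bot: The `multi_fields.reduce` with an object spread in the accumulator rebuilds the object on every iteration and needs an eslint-disable just for the `multi_field` parameter name; `fields: Object.fromEntries(multi_fields.map((mf) => [mf.name, { type: mf.type }])),` expresses the same mapping in one line without either, provided the package's lib target includes `Object.fromEntries`. With that form the explicit `MultiField` annotation is unnecessary, since `multi_fields` is already typed as `MultiField[]` through `FieldMap` in the types.ts hunk of this patch, and the import added in the `@@ -7,7 +7,7 @@` hunk could go too. Only `type` is forwarded into each sub-field mapping; if `MultiField` later gains options they will be dropped silently, so a comment such as `// Only the sub-field type is mapped; other MultiField attributes are intentionally not forwarded` would record that choice. `mappingFromFieldMap` starts before the hunk.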