Revert "[Security Solution] Update ecs package to latest ecs definiti… (#168864)

Reverts https://github.com/elastic/kibana/pull/168553

Seeing these errors when updating existing alerts-as-data mappings:

```
[2023-10-13T11:06:44.254-04:00][ERROR][plugins.alerting] ResponseError: illegal_argument_exception
	Root causes:
		illegal_argument_exception: can't merge a non-nested mapping [faas.trigger] with a nested mapping
    at KibanaTransport.request (/Users/ying/Code/kibana_prs/node_modules/@elastic/transport/src/Transport.ts:535:17)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
```

Needs further investigation as ECS mappings should be backwards
compatible
Ying Mao 2023-10-13 12:30:34 -04:00 committed by GitHub
parent ddcc528395
commit 11c0bacdab
41 changed files with 23189 additions and 6869 deletions


@ -16,7 +16,7 @@ exports[`asLoggerFactory() only allows to create new loggers. 1`] = `
Object {
"@timestamp": "2012-01-30T22:33:22.011-05:00",
"ecs": Object {
"version": "8.10.0",
"version": "8.6.1",
},
"log": Object {
"level": "TRACE",
@ -33,7 +33,7 @@ exports[`asLoggerFactory() only allows to create new loggers. 2`] = `
Object {
"@timestamp": "2012-01-30T17:33:22.011-05:00",
"ecs": Object {
"version": "8.10.0",
"version": "8.6.1",
},
"log": Object {
"level": "INFO",
@ -51,7 +51,7 @@ exports[`asLoggerFactory() only allows to create new loggers. 3`] = `
Object {
"@timestamp": "2012-01-30T12:33:22.011-05:00",
"ecs": Object {
"version": "8.10.0",
"version": "8.6.1",
},
"log": Object {
"level": "FATAL",
@ -68,7 +68,7 @@ exports[`flushes memory buffer logger and switches to real logger once config is
Object {
"@timestamp": "2012-02-01T09:33:22.011-05:00",
"ecs": Object {
"version": "8.10.0",
"version": "8.6.1",
},
"log": Object {
"level": "INFO",
@ -86,7 +86,7 @@ exports[`flushes memory buffer logger and switches to real logger once config is
Object {
"@timestamp": "2012-01-31T23:33:22.011-05:00",
"ecs": Object {
"version": "8.10.0",
"version": "8.6.1",
},
"log": Object {
"level": "INFO",


@ -157,7 +157,6 @@ const EcsOptional = rt.partial({
'container.network.egress.bytes': schemaStringOrNumber,
'container.network.ingress.bytes': schemaStringOrNumber,
'container.runtime': schemaString,
'container.security_context.privileged': schemaBoolean,
'destination.address': schemaString,
'destination.as.number': schemaStringOrNumber,
'destination.as.organization.name': schemaString,
@ -219,28 +218,10 @@ const EcsOptional = rt.partial({
'dll.pe.company': schemaString,
'dll.pe.description': schemaString,
'dll.pe.file_version': schemaString,
'dll.pe.go_import_hash': schemaString,
'dll.pe.go_imports': schemaUnknown,
'dll.pe.go_imports_names_entropy': schemaStringOrNumber,
'dll.pe.go_imports_names_var_entropy': schemaStringOrNumber,
'dll.pe.go_stripped': schemaBoolean,
'dll.pe.imphash': schemaString,
'dll.pe.import_hash': schemaString,
'dll.pe.imports': schemaUnknownArray,
'dll.pe.imports_names_entropy': schemaStringOrNumber,
'dll.pe.imports_names_var_entropy': schemaStringOrNumber,
'dll.pe.original_file_name': schemaString,
'dll.pe.pehash': schemaString,
'dll.pe.product': schemaString,
'dll.pe.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'dns.answers': rt.array(
rt.partial({
class: schemaString,
@ -326,8 +307,6 @@ const EcsOptional = rt.partial({
'faas.execution': schemaString,
'faas.id': schemaString,
'faas.name': schemaString,
'faas.trigger.request_id': schemaString,
'faas.trigger.type': schemaString,
'faas.version': schemaString,
'file.accessed': schemaDate,
'file.attributes': schemaStringArray,
@ -350,11 +329,6 @@ const EcsOptional = rt.partial({
'file.elf.cpu_type': schemaString,
'file.elf.creation_date': schemaDate,
'file.elf.exports': schemaUnknownArray,
'file.elf.go_import_hash': schemaString,
'file.elf.go_imports': schemaUnknown,
'file.elf.go_imports_names_entropy': schemaStringOrNumber,
'file.elf.go_imports_names_var_entropy': schemaStringOrNumber,
'file.elf.go_stripped': schemaBoolean,
'file.elf.header.abi_version': schemaString,
'file.elf.header.class': schemaString,
'file.elf.header.data': schemaString,
@ -363,10 +337,7 @@ const EcsOptional = rt.partial({
'file.elf.header.os_abi': schemaString,
'file.elf.header.type': schemaString,
'file.elf.header.version': schemaString,
'file.elf.import_hash': schemaString,
'file.elf.imports': schemaUnknownArray,
'file.elf.imports_names_entropy': schemaStringOrNumber,
'file.elf.imports_names_var_entropy': schemaStringOrNumber,
'file.elf.sections': rt.array(
rt.partial({
chi2: schemaStringOrNumber,
@ -376,7 +347,6 @@ const EcsOptional = rt.partial({
physical_offset: schemaString,
physical_size: schemaStringOrNumber,
type: schemaString,
var_entropy: schemaStringOrNumber,
virtual_address: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
@ -401,25 +371,6 @@ const EcsOptional = rt.partial({
'file.hash.ssdeep': schemaString,
'file.hash.tlsh': schemaString,
'file.inode': schemaString,
'file.macho.go_import_hash': schemaString,
'file.macho.go_imports': schemaUnknown,
'file.macho.go_imports_names_entropy': schemaStringOrNumber,
'file.macho.go_imports_names_var_entropy': schemaStringOrNumber,
'file.macho.go_stripped': schemaBoolean,
'file.macho.import_hash': schemaString,
'file.macho.imports': schemaUnknownArray,
'file.macho.imports_names_entropy': schemaStringOrNumber,
'file.macho.imports_names_var_entropy': schemaStringOrNumber,
'file.macho.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'file.macho.symhash': schemaString,
'file.mime_type': schemaString,
'file.mode': schemaString,
'file.mtime': schemaDate,
@ -430,28 +381,10 @@ const EcsOptional = rt.partial({
'file.pe.company': schemaString,
'file.pe.description': schemaString,
'file.pe.file_version': schemaString,
'file.pe.go_import_hash': schemaString,
'file.pe.go_imports': schemaUnknown,
'file.pe.go_imports_names_entropy': schemaStringOrNumber,
'file.pe.go_imports_names_var_entropy': schemaStringOrNumber,
'file.pe.go_stripped': schemaBoolean,
'file.pe.imphash': schemaString,
'file.pe.import_hash': schemaString,
'file.pe.imports': schemaUnknownArray,
'file.pe.imports_names_entropy': schemaStringOrNumber,
'file.pe.imports_names_var_entropy': schemaStringOrNumber,
'file.pe.original_file_name': schemaString,
'file.pe.pehash': schemaString,
'file.pe.product': schemaString,
'file.pe.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'file.size': schemaStringOrNumber,
'file.target_path': schemaString,
'file.type': schemaString,
@ -592,10 +525,8 @@ const EcsOptional = rt.partial({
'orchestrator.cluster.version': schemaString,
'orchestrator.namespace': schemaString,
'orchestrator.organization': schemaString,
'orchestrator.resource.annotation': schemaStringArray,
'orchestrator.resource.id': schemaString,
'orchestrator.resource.ip': schemaStringArray,
'orchestrator.resource.label': schemaStringArray,
'orchestrator.resource.name': schemaString,
'orchestrator.resource.parent.type': schemaString,
'orchestrator.resource.type': schemaString,
@ -632,11 +563,6 @@ const EcsOptional = rt.partial({
'process.elf.cpu_type': schemaString,
'process.elf.creation_date': schemaDate,
'process.elf.exports': schemaUnknownArray,
'process.elf.go_import_hash': schemaString,
'process.elf.go_imports': schemaUnknown,
'process.elf.go_imports_names_entropy': schemaStringOrNumber,
'process.elf.go_imports_names_var_entropy': schemaStringOrNumber,
'process.elf.go_stripped': schemaBoolean,
'process.elf.header.abi_version': schemaString,
'process.elf.header.class': schemaString,
'process.elf.header.data': schemaString,
@ -645,10 +571,7 @@ const EcsOptional = rt.partial({
'process.elf.header.os_abi': schemaString,
'process.elf.header.type': schemaString,
'process.elf.header.version': schemaString,
'process.elf.import_hash': schemaString,
'process.elf.imports': schemaUnknownArray,
'process.elf.imports_names_entropy': schemaStringOrNumber,
'process.elf.imports_names_var_entropy': schemaStringOrNumber,
'process.elf.sections': rt.array(
rt.partial({
chi2: schemaStringOrNumber,
@ -658,7 +581,6 @@ const EcsOptional = rt.partial({
physical_offset: schemaString,
physical_size: schemaStringOrNumber,
type: schemaString,
var_entropy: schemaStringOrNumber,
virtual_address: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
@ -692,9 +614,7 @@ const EcsOptional = rt.partial({
'process.entry_leader.parent.session_leader.entity_id': schemaString,
'process.entry_leader.parent.session_leader.pid': schemaStringOrNumber,
'process.entry_leader.parent.session_leader.start': schemaDate,
'process.entry_leader.parent.session_leader.vpid': schemaStringOrNumber,
'process.entry_leader.parent.start': schemaDate,
'process.entry_leader.parent.vpid': schemaStringOrNumber,
'process.entry_leader.pid': schemaStringOrNumber,
'process.entry_leader.real_group.id': schemaString,
'process.entry_leader.real_group.name': schemaString,
@ -710,7 +630,6 @@ const EcsOptional = rt.partial({
'process.entry_leader.supplemental_groups.name': schemaString,
'process.entry_leader.user.id': schemaString,
'process.entry_leader.user.name': schemaString,
'process.entry_leader.vpid': schemaStringOrNumber,
'process.entry_leader.working_directory': schemaString,
'process.env_vars': schemaStringArray,
'process.executable': schemaString,
@ -739,7 +658,6 @@ const EcsOptional = rt.partial({
'process.group_leader.supplemental_groups.name': schemaString,
'process.group_leader.user.id': schemaString,
'process.group_leader.user.name': schemaString,
'process.group_leader.vpid': schemaStringOrNumber,
'process.group_leader.working_directory': schemaString,
'process.hash.md5': schemaString,
'process.hash.sha1': schemaString,
@ -749,25 +667,6 @@ const EcsOptional = rt.partial({
'process.hash.ssdeep': schemaString,
'process.hash.tlsh': schemaString,
'process.interactive': schemaBoolean,
'process.macho.go_import_hash': schemaString,
'process.macho.go_imports': schemaUnknown,
'process.macho.go_imports_names_entropy': schemaStringOrNumber,
'process.macho.go_imports_names_var_entropy': schemaStringOrNumber,
'process.macho.go_stripped': schemaBoolean,
'process.macho.import_hash': schemaString,
'process.macho.imports': schemaUnknownArray,
'process.macho.imports_names_entropy': schemaStringOrNumber,
'process.macho.imports_names_var_entropy': schemaStringOrNumber,
'process.macho.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'process.macho.symhash': schemaString,
'process.name': schemaString,
'process.parent.args': schemaStringArray,
'process.parent.args_count': schemaStringOrNumber,
@ -786,11 +685,6 @@ const EcsOptional = rt.partial({
'process.parent.elf.cpu_type': schemaString,
'process.parent.elf.creation_date': schemaDate,
'process.parent.elf.exports': schemaUnknownArray,
'process.parent.elf.go_import_hash': schemaString,
'process.parent.elf.go_imports': schemaUnknown,
'process.parent.elf.go_imports_names_entropy': schemaStringOrNumber,
'process.parent.elf.go_imports_names_var_entropy': schemaStringOrNumber,
'process.parent.elf.go_stripped': schemaBoolean,
'process.parent.elf.header.abi_version': schemaString,
'process.parent.elf.header.class': schemaString,
'process.parent.elf.header.data': schemaString,
@ -799,10 +693,7 @@ const EcsOptional = rt.partial({
'process.parent.elf.header.os_abi': schemaString,
'process.parent.elf.header.type': schemaString,
'process.parent.elf.header.version': schemaString,
'process.parent.elf.import_hash': schemaString,
'process.parent.elf.imports': schemaUnknownArray,
'process.parent.elf.imports_names_entropy': schemaStringOrNumber,
'process.parent.elf.imports_names_var_entropy': schemaStringOrNumber,
'process.parent.elf.sections': rt.array(
rt.partial({
chi2: schemaStringOrNumber,
@ -812,7 +703,6 @@ const EcsOptional = rt.partial({
physical_offset: schemaString,
physical_size: schemaStringOrNumber,
type: schemaString,
var_entropy: schemaStringOrNumber,
virtual_address: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
@ -834,7 +724,6 @@ const EcsOptional = rt.partial({
'process.parent.group_leader.entity_id': schemaString,
'process.parent.group_leader.pid': schemaStringOrNumber,
'process.parent.group_leader.start': schemaDate,
'process.parent.group_leader.vpid': schemaStringOrNumber,
'process.parent.hash.md5': schemaString,
'process.parent.hash.sha1': schemaString,
'process.parent.hash.sha256': schemaString,
@ -843,52 +732,15 @@ const EcsOptional = rt.partial({
'process.parent.hash.ssdeep': schemaString,
'process.parent.hash.tlsh': schemaString,
'process.parent.interactive': schemaBoolean,
'process.parent.macho.go_import_hash': schemaString,
'process.parent.macho.go_imports': schemaUnknown,
'process.parent.macho.go_imports_names_entropy': schemaStringOrNumber,
'process.parent.macho.go_imports_names_var_entropy': schemaStringOrNumber,
'process.parent.macho.go_stripped': schemaBoolean,
'process.parent.macho.import_hash': schemaString,
'process.parent.macho.imports': schemaUnknownArray,
'process.parent.macho.imports_names_entropy': schemaStringOrNumber,
'process.parent.macho.imports_names_var_entropy': schemaStringOrNumber,
'process.parent.macho.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'process.parent.macho.symhash': schemaString,
'process.parent.name': schemaString,
'process.parent.pe.architecture': schemaString,
'process.parent.pe.company': schemaString,
'process.parent.pe.description': schemaString,
'process.parent.pe.file_version': schemaString,
'process.parent.pe.go_import_hash': schemaString,
'process.parent.pe.go_imports': schemaUnknown,
'process.parent.pe.go_imports_names_entropy': schemaStringOrNumber,
'process.parent.pe.go_imports_names_var_entropy': schemaStringOrNumber,
'process.parent.pe.go_stripped': schemaBoolean,
'process.parent.pe.imphash': schemaString,
'process.parent.pe.import_hash': schemaString,
'process.parent.pe.imports': schemaUnknownArray,
'process.parent.pe.imports_names_entropy': schemaStringOrNumber,
'process.parent.pe.imports_names_var_entropy': schemaStringOrNumber,
'process.parent.pe.original_file_name': schemaString,
'process.parent.pe.pehash': schemaString,
'process.parent.pe.product': schemaString,
'process.parent.pe.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'process.parent.pgid': schemaStringOrNumber,
'process.parent.pid': schemaStringOrNumber,
'process.parent.real_group.id': schemaString,
@ -902,42 +754,21 @@ const EcsOptional = rt.partial({
'process.parent.start': schemaDate,
'process.parent.supplemental_groups.id': schemaString,
'process.parent.supplemental_groups.name': schemaString,
'process.parent.thread.capabilities.effective': schemaStringArray,
'process.parent.thread.capabilities.permitted': schemaStringArray,
'process.parent.thread.id': schemaStringOrNumber,
'process.parent.thread.name': schemaString,
'process.parent.title': schemaString,
'process.parent.uptime': schemaStringOrNumber,
'process.parent.user.id': schemaString,
'process.parent.user.name': schemaString,
'process.parent.vpid': schemaStringOrNumber,
'process.parent.working_directory': schemaString,
'process.pe.architecture': schemaString,
'process.pe.company': schemaString,
'process.pe.description': schemaString,
'process.pe.file_version': schemaString,
'process.pe.go_import_hash': schemaString,
'process.pe.go_imports': schemaUnknown,
'process.pe.go_imports_names_entropy': schemaStringOrNumber,
'process.pe.go_imports_names_var_entropy': schemaStringOrNumber,
'process.pe.go_stripped': schemaBoolean,
'process.pe.imphash': schemaString,
'process.pe.import_hash': schemaString,
'process.pe.imports': schemaUnknownArray,
'process.pe.imports_names_entropy': schemaStringOrNumber,
'process.pe.imports_names_var_entropy': schemaStringOrNumber,
'process.pe.original_file_name': schemaString,
'process.pe.pehash': schemaString,
'process.pe.product': schemaString,
'process.pe.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'process.pgid': schemaStringOrNumber,
'process.pid': schemaStringOrNumber,
'process.previous.args': schemaStringArray,
@ -965,9 +796,7 @@ const EcsOptional = rt.partial({
'process.session_leader.parent.session_leader.entity_id': schemaString,
'process.session_leader.parent.session_leader.pid': schemaStringOrNumber,
'process.session_leader.parent.session_leader.start': schemaDate,
'process.session_leader.parent.session_leader.vpid': schemaStringOrNumber,
'process.session_leader.parent.start': schemaDate,
'process.session_leader.parent.vpid': schemaStringOrNumber,
'process.session_leader.pid': schemaStringOrNumber,
'process.session_leader.real_group.id': schemaString,
'process.session_leader.real_group.name': schemaString,
@ -983,20 +812,16 @@ const EcsOptional = rt.partial({
'process.session_leader.supplemental_groups.name': schemaString,
'process.session_leader.user.id': schemaString,
'process.session_leader.user.name': schemaString,
'process.session_leader.vpid': schemaStringOrNumber,
'process.session_leader.working_directory': schemaString,
'process.start': schemaDate,
'process.supplemental_groups.id': schemaString,
'process.supplemental_groups.name': schemaString,
'process.thread.capabilities.effective': schemaStringArray,
'process.thread.capabilities.permitted': schemaStringArray,
'process.thread.id': schemaStringOrNumber,
'process.thread.name': schemaString,
'process.title': schemaString,
'process.uptime': schemaStringOrNumber,
'process.user.id': schemaString,
'process.user.name': schemaString,
'process.vpid': schemaStringOrNumber,
'process.working_directory': schemaString,
'registry.data.bytes': schemaString,
'registry.data.strings': schemaStringArray,
@ -1169,11 +994,6 @@ const EcsOptional = rt.partial({
'threat.indicator.file.elf.cpu_type': schemaString,
'threat.indicator.file.elf.creation_date': schemaDate,
'threat.indicator.file.elf.exports': schemaUnknownArray,
'threat.indicator.file.elf.go_import_hash': schemaString,
'threat.indicator.file.elf.go_imports': schemaUnknown,
'threat.indicator.file.elf.go_imports_names_entropy': schemaStringOrNumber,
'threat.indicator.file.elf.go_imports_names_var_entropy': schemaStringOrNumber,
'threat.indicator.file.elf.go_stripped': schemaBoolean,
'threat.indicator.file.elf.header.abi_version': schemaString,
'threat.indicator.file.elf.header.class': schemaString,
'threat.indicator.file.elf.header.data': schemaString,
@ -1182,10 +1002,7 @@ const EcsOptional = rt.partial({
'threat.indicator.file.elf.header.os_abi': schemaString,
'threat.indicator.file.elf.header.type': schemaString,
'threat.indicator.file.elf.header.version': schemaString,
'threat.indicator.file.elf.import_hash': schemaString,
'threat.indicator.file.elf.imports': schemaUnknownArray,
'threat.indicator.file.elf.imports_names_entropy': schemaStringOrNumber,
'threat.indicator.file.elf.imports_names_var_entropy': schemaStringOrNumber,
'threat.indicator.file.elf.sections': rt.array(
rt.partial({
chi2: schemaStringOrNumber,
@ -1195,7 +1012,6 @@ const EcsOptional = rt.partial({
physical_offset: schemaString,
physical_size: schemaStringOrNumber,
type: schemaString,
var_entropy: schemaStringOrNumber,
virtual_address: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
@ -1230,28 +1046,10 @@ const EcsOptional = rt.partial({
'threat.indicator.file.pe.company': schemaString,
'threat.indicator.file.pe.description': schemaString,
'threat.indicator.file.pe.file_version': schemaString,
'threat.indicator.file.pe.go_import_hash': schemaString,
'threat.indicator.file.pe.go_imports': schemaUnknown,
'threat.indicator.file.pe.go_imports_names_entropy': schemaStringOrNumber,
'threat.indicator.file.pe.go_imports_names_var_entropy': schemaStringOrNumber,
'threat.indicator.file.pe.go_stripped': schemaBoolean,
'threat.indicator.file.pe.imphash': schemaString,
'threat.indicator.file.pe.import_hash': schemaString,
'threat.indicator.file.pe.imports': schemaUnknownArray,
'threat.indicator.file.pe.imports_names_entropy': schemaStringOrNumber,
'threat.indicator.file.pe.imports_names_var_entropy': schemaStringOrNumber,
'threat.indicator.file.pe.original_file_name': schemaString,
'threat.indicator.file.pe.pehash': schemaString,
'threat.indicator.file.pe.product': schemaString,
'threat.indicator.file.pe.sections': rt.array(
rt.partial({
entropy: schemaStringOrNumber,
name: schemaString,
physical_size: schemaStringOrNumber,
var_entropy: schemaStringOrNumber,
virtual_size: schemaStringOrNumber,
})
),
'threat.indicator.file.size': schemaStringOrNumber,
'threat.indicator.file.target_path': schemaString,
'threat.indicator.file.type': schemaString,
@ -1297,7 +1095,6 @@ const EcsOptional = rt.partial({
'threat.indicator.marking.tlp': schemaString,
'threat.indicator.marking.tlp_version': schemaString,
'threat.indicator.modified_at': schemaDate,
'threat.indicator.name': schemaString,
'threat.indicator.port': schemaStringOrNumber,
'threat.indicator.provider': schemaString,
'threat.indicator.reference': schemaString,
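Review bot: The hunk around `'faas.name'` is where the failure quoted in the description originates: the definitions being reverted introduced flat `faas.trigger.request_id` and `faas.trigger.type` keys, while the Elasticsearch error reads as the existing alerts-as-data index already having `faas.trigger` mapped as `nested`, so re-applying the upgrade will hit the same `illegal_argument_exception` until that field set is reconciled in the alerts mapping itself. The revert restores a working state but leaves no marker of the hazard, so a comment next to the `faas.*` keys would stop the next attempt from repeating it: `// NOTE: faas.trigger is mapped as nested in existing alerts-as-data indices; flat faas.trigger.* keys fail to merge on update (see #168864).` If this object is generated from the ECS package, the note belongs in the generator or its README rather than here. `EcsOptional` starts and ends outside the visible hunks.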


@ -32,5 +32,5 @@ export interface EcsBase {
/**
* List of keywords used to tag each event.
*/
tags?: string | string[];
tags?: string[];
}
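Review bot: Narrowing `tags` back to `string[]` — and likewise `roles` in EcsClient and EcsDestination, `all`/`tag` in EcsContainer, `answers`/`header_flags`/`resolved_ip` in EcsDns, `exports`/`imports`/`sections`/`segments`/`shared_libraries` in EcsElf, `attachments` and the `address` fields in EcsEmail — reinstates a type stricter than the documents consumers actually receive: Elasticsearch does not distinguish a single keyword value from a one-element array, so a `_source` document may carry a bare string where this interface promises an array, and code that calls array methods on it fails at runtime. The `string | string[]` union the revert drops was presumably the newer package's answer to that. If the revert has to stand for a while, a comment on these fields, `/** May arrive as a single value in _source; normalize with Array.isArray before use. */`, warns callers until the union comes back.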


@ -181,6 +181,6 @@ export interface EcsClient {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
};
}


@ -43,7 +43,7 @@ export interface EcsContainer {
/**
* An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. Algorithm names should align with the field names in the ECS hash field set.
*/
all?: string | string[];
all?: string[];
};
/**
@ -53,7 +53,7 @@ export interface EcsContainer {
/**
* Container image tags.
*/
tag?: string | string[];
tag?: string[];
};
/**
@ -91,10 +91,4 @@ export interface EcsContainer {
* Runtime managing this container.
*/
runtime?: string;
security_context?: {
/**
* Indicates whether the container is running in privileged mode.
*/
privileged?: boolean;
};
}


@ -180,6 +180,6 @@ export interface EcsDestination {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
};
}


@ -12,7 +12,7 @@
*/
export interface EcsDevice {
/**
* The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device.
* The unique identifier of a device. The identifier must not change across application sessions but stay fixex for an instance of a (mobile) device.
* On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application.
* For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user.
*/
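Review bot: The 8.6.1 doc comment restored on the device `id` field reintroduces a typo, `stay fixex` where the reverted text reads `stay fixed`. The revert is about mapping compatibility, not wording, so the corrected sentence could be kept: `* The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device.` If this interface is generated from the ECS package, the text is owned upstream and the fix returns with the next successful update.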


@ -117,49 +117,11 @@ export interface EcsDll {
* Internal version of the file, provided at compile-time.
*/
file_version?: string;
/**
* A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
*/
imphash?: string;
/**
* A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* Internal name of the file, provided at compile-time.
*/
@ -173,10 +135,5 @@ export interface EcsDll {
* Internal product name of the file, provided at compile-time.
*/
product?: string;
/**
* An array containing an object for each section of the PE file.
* The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
};
}


@ -16,11 +16,11 @@ export interface EcsDns {
* The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
* Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
*/
answers?: Record<string, unknown> | Array<Record<string, unknown>>;
answers?: Array<Record<string, unknown>>;
/**
* Array of 2 letter DNS header flags.
*/
header_flags?: string | string[];
header_flags?: string[];
/**
* The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
*/
@ -65,7 +65,7 @@ export interface EcsDns {
* Array containing all IPs seen in `answers.data`.
* The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
*/
resolved_ip?: string | string[];
resolved_ip?: string[];
/**
* The DNS response code.
*/


@ -14,5 +14,5 @@ export interface EcsEcs {
* ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
* When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
*/
version: '8.10.0';
version: '8.6.1';
}




@ -29,28 +29,7 @@ export interface EcsElf {
/**
* List of exported element names and types.
*/
exports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
exports?: Array<Record<string, unknown>>;
header?: {
/**
* Version of the ELF Application Binary Interface (ABI).
@ -86,37 +65,24 @@ export interface EcsElf {
version?: string;
};
/**
* A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is an ELF implementation of the Windows PE imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
imports?: Array<Record<string, unknown>>;
/**
* An array containing an object for each section of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
sections?: Array<Record<string, unknown>>;
/**
* An array containing an object for each segment of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
*/
segments?: Record<string, unknown> | Array<Record<string, unknown>>;
segments?: Array<Record<string, unknown>>;
/**
* List of shared libraries used by this ELF object.
*/
shared_libraries?: string | string[];
shared_libraries?: string[];
/**
* telfhash symbol hash for ELF file.
*/


@ -14,19 +14,19 @@ export interface EcsEmail {
/**
* A list of objects describing the attachment files sent along with an email message.
*/
attachments?: Record<string, unknown> | Array<Record<string, unknown>>;
attachments?: Array<Record<string, unknown>>;
bcc?: {
/**
* The email address of BCC recipient
*/
address?: string | string[];
address?: string[];
};
cc?: {
/**
* The email address of CC recipient
*/
address?: string | string[];
address?: string[];
};
/**
@ -46,7 +46,7 @@ export interface EcsEmail {
/**
* The email address of the sender, typically from the RFC 5322 `From:` header field.
*/
address?: string | string[];
address?: string[];
};
/**
@ -66,7 +66,7 @@ export interface EcsEmail {
/**
* The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header.
*/
address?: string | string[];
address?: string[];
};
sender?: {
@ -84,7 +84,7 @@ export interface EcsEmail {
/**
* The email address of recipient
*/
address?: string | string[];
address?: string[];
};
/**


@ -32,17 +32,17 @@ export interface EcsEvent {
* `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
* This field is an array. This will allow proper categorization of some events that fall in multiple categories.
*/
category?: string | string[];
category?: string[];
/**
* Identification code for this event, if one exists.
* Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
*/
code?: string;
/**
* `event.created` contains the date/time when the event was first read by an agent, or by your pipeline.
* This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event.
* event.created contains the date/time when the event was first read by an agent, or by your pipeline.
* This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
* In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
* In case the two timestamps are identical, `@timestamp` should be used.
* In case the two timestamps are identical, @timestamp should be used.
*/
created?: string;
/**
@ -53,11 +53,11 @@ export interface EcsEvent {
dataset?: string;
/**
* Duration of the event in nanoseconds.
* If `event.start` and `event.end` are known this value should be the difference between the end and start time.
* If event.start and event.end are known this value should be the difference between the end and start time.
*/
duration?: number;
/**
* `event.end` contains the date when the event ended or when the activity was last observed.
* event.end contains the date when the event ended or when the activity was last observed.
*/
end?: string;
/**
@ -77,7 +77,7 @@ export interface EcsEvent {
/**
* This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
* `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
* The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.
* The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
*/
kind?: string;
/**
@ -134,7 +134,7 @@ export interface EcsEvent {
*/
severity?: number;
/**
* `event.start` contains the date when the event started or when the activity was first observed.
* event.start contains the date when the event started or when the activity was first observed.
*/
start?: string;
/**
@ -147,7 +147,7 @@ export interface EcsEvent {
* `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
* This field is an array. This will allow proper categorization of some events that fall in multiple event types.
*/
type?: string | string[];
type?: string[];
/**
* URL linking to an external system to continue investigation of this event.
* This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.


@ -27,17 +27,10 @@ export interface EcsFaas {
* The name of a serverless function.
*/
name?: string;
trigger?: {
/**
* The ID of the trigger request , message, event, etc.
*/
request_id?: string;
/**
* The trigger for the function execution.
*/
type?: string;
};
/**
* Details about the function trigger.
*/
trigger?: Record<string, unknown>;
/**
* The version of a serverless function.
*/
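Review bot: `trigger?: Record<string, unknown>` on the new side carries no record of why the structured definition with `request_id` and `type` from the removed lines was rolled back, even though the commit description ties the revert to this very field's mapping; the next regeneration from a newer ECS schema will reintroduce the structured form and hit the same merge failure. A marker would prevent that, e.g. `// TODO(<owner>): keep faas.trigger a flat object until existing alerts-as-data mappings are migrated; the structured ECS definition cannot be merged into them.` If this file is generated, the marker belongs in the generator or the mapping layer rather than in the output, and the commit should say where that follow-up is tracked.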


@ -20,7 +20,7 @@ export interface EcsFile {
* Array of file attributes.
* Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
*/
attributes?: string | string[];
attributes?: string[];
code_signature?: {
/**
* The hashing algorithm used to sign the process.
@ -109,28 +109,7 @@ export interface EcsFile {
/**
* List of exported element names and types.
*/
exports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
exports?: Array<Record<string, unknown>>;
header?: {
/**
* Version of the ELF Application Binary Interface (ABI).
@ -166,37 +145,24 @@ export interface EcsFile {
version?: string;
};
/**
* A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is an ELF implementation of the Windows PE imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
imports?: Array<Record<string, unknown>>;
/**
* An array containing an object for each section of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
sections?: Array<Record<string, unknown>>;
/**
* An array containing an object for each segment of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
*/
segments?: Record<string, unknown> | Array<Record<string, unknown>>;
segments?: Array<Record<string, unknown>>;
/**
* List of shared libraries used by this ELF object.
*/
shared_libraries?: string | string[];
shared_libraries?: string[];
/**
* telfhash symbol hash for ELF file.
*/
@ -257,57 +223,6 @@ export interface EcsFile {
* Inode representing the file in the filesystem.
*/
inode?: string;
macho?: {
/**
* A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for symhash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* An array containing an object for each section of the Mach-O file.
* The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a Mach-O implementation of the Windows PE imphash
*/
symhash?: string;
};
/**
* MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
*/
@ -349,49 +264,11 @@ export interface EcsFile {
* Internal version of the file, provided at compile-time.
*/
file_version?: string;
/**
* A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
*/
imphash?: string;
/**
* A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* Internal name of the file, provided at compile-time.
*/
@ -405,11 +282,6 @@ export interface EcsFile {
* Internal product name of the file, provided at compile-time.
*/
product?: string;
/**
* An array containing an object for each section of the PE file.
* The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
};
/**
@ -433,16 +305,16 @@ export interface EcsFile {
/**
* List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
*/
alternative_names?: string | string[];
alternative_names?: string[];
issuer?: {
/**
* List of common name (CN) of issuing certificate authority.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) codes
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of issuing certificate authority.
*/
@ -450,19 +322,19 @@ export interface EcsFile {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of issuing certificate authority.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of issuing certificate authority.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -501,11 +373,11 @@ export interface EcsFile {
/**
* List of common names (CN) of subject.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) code
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of the certificate subject entity.
*/
@ -513,19 +385,19 @@ export interface EcsFile {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of subject.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of subject.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**


@ -116,15 +116,15 @@ export interface EcsHost {
/**
* Host ip addresses.
*/
ip?: string | string[];
ip?: string[];
/**
* Host MAC addresses.
* The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
*/
mac?: string | string[];
mac?: string[];
/**
* Name of the host.
* It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
* It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
*/
name?: string;
network?: {


@ -32,7 +32,6 @@ import { EcsHost } from './host';
import { EcsHttp } from './http';
import { EcsInterface } from './interface';
import { EcsLog } from './log';
import { EcsMacho } from './macho';
import { EcsNetwork } from './network';
import { EcsObserver } from './observer';
import { EcsOrchestrator } from './orchestrator';
@ -58,7 +57,7 @@ import { EcsVlan } from './vlan';
import { EcsVulnerability } from './vulnerability';
import { EcsX509 } from './x509';
export const EcsVersion = '8.10.0' as const;
export const EcsVersion = '8.6.1' as const;
/**
* Exporting raw schema files for easy programmatic use
@ -93,7 +92,6 @@ export type {
EcsHttp,
EcsInterface,
EcsLog,
EcsMacho,
EcsNetwork,
EcsObserver,
EcsOrchestrator,
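Review bot: `EcsMacho` is dropped from both the import list and the `export type { ... }` list here, yet the `macho.ts` section of this same commit still modifies `export interface EcsMacho`, so the interface remains in the package without being re-exported and any consumer importing `EcsMacho` from the package index breaks while the file keeps being maintained. If the pre-8.10 index intentionally omitted it, a one-line comment next to the export list saying so would stop the next update from re-adding it blindly; otherwise keep `EcsMacho` in the export list alongside `EcsLog` and `EcsNetwork`. I cannot see from this page whether `macho.ts` was exported before the original change, so treat this as a consistency check rather than a confirmed regression.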


@ -39,7 +39,7 @@ export interface EcsMacho {
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
@ -52,7 +52,7 @@ export interface EcsMacho {
* An array containing an object for each section of the Mach-O file.
* The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
sections?: Record<string, unknown>;
/**
* A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a Mach-O implementation of the Windows PE imphash
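Review bot: `sections?: Record<string, unknown>` on the new side contradicts the unchanged doc comment directly above it, which says the field is an array containing an object for each section of the Mach-O file; `imports?: Record<string, unknown>` under "List of imported element names and types" has the same mismatch. `Array<Record<string, unknown>>` is what the comment describes and what the `elf.sections` counterpart in this commit already uses. If the file is generated from the ECS schema, the fix belongs in the generator's mapping of array-of-object fields rather than in this output file.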


@ -76,12 +76,12 @@ export interface EcsObserver {
/**
* IP addresses of the observer.
*/
ip?: string | string[];
ip?: string[];
/**
* MAC addresses of the observer.
* The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
*/
mac?: string | string[];
mac?: string[];
/**
* Custom name of the observer.
* This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.


@ -42,10 +42,6 @@ export interface EcsOrchestrator {
*/
organization?: string;
resource?: {
/**
* The list of annotations added to the resource.
*/
annotation?: string | string[];
/**
* Unique ID of the resource being acted upon.
*/
@ -53,11 +49,7 @@ export interface EcsOrchestrator {
/**
* IP address assigned to the resource associated with the event being observed. In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).
*/
ip?: string | string[];
/**
* The list of labels added to the resource.
*/
label?: string | string[];
ip?: string[];
/**
* Name of the resource being acted upon.
*/


@ -26,49 +26,11 @@ export interface EcsPe {
* Internal version of the file, provided at compile-time.
*/
file_version?: string;
/**
* A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
*/
imphash?: string;
/**
* A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* Internal name of the file, provided at compile-time.
*/
@ -82,9 +44,4 @@ export interface EcsPe {
* Internal product name of the file, provided at compile-time.
*/
product?: string;
/**
* An array containing an object for each section of the PE file.
* The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
}


@ -15,7 +15,7 @@ export interface EcsProcess {
* Array of process arguments, starting with the absolute path to the executable.
* May be filtered to protect sensitive information.
*/
args?: string | string[];
args?: string[];
/**
* Length of the process.args array.
* This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
@ -91,28 +91,7 @@ export interface EcsProcess {
/**
* List of exported element names and types.
*/
exports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
exports?: Array<Record<string, unknown>>;
header?: {
/**
* Version of the ELF Application Binary Interface (ABI).
@ -148,37 +127,24 @@ export interface EcsProcess {
version?: string;
};
/**
* A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is an ELF implementation of the Windows PE imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
imports?: Array<Record<string, unknown>>;
/**
* An array containing an object for each section of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
sections?: Array<Record<string, unknown>>;
/**
* An array containing an object for each segment of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
*/
segments?: Record<string, unknown> | Array<Record<string, unknown>>;
segments?: Array<Record<string, unknown>>;
/**
* List of shared libraries used by this ELF object.
*/
shared_libraries?: string | string[];
shared_libraries?: string[];
/**
* telfhash symbol hash for ELF file.
*/
@ -200,7 +166,7 @@ export interface EcsProcess {
* Array of process arguments, starting with the absolute path to the executable.
* May be filtered to protect sensitive information.
*/
args?: string | string[];
args?: string[];
/**
* Length of the process.args array.
* This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
@ -302,22 +268,12 @@ export interface EcsProcess {
* The time the process started.
*/
start?: string;
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
};
/**
* The time the process started.
*/
start?: string;
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
};
/**
@ -406,11 +362,6 @@ export interface EcsProcess {
name?: string;
};
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
/**
* The working directory of the process.
*/
@ -421,7 +372,7 @@ export interface EcsProcess {
* Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.
* May be filtered to protect sensitive information.
*/
env_vars?: string | string[];
env_vars?: string[];
/**
* Absolute path to the process executable.
*/
@ -436,7 +387,7 @@ export interface EcsProcess {
* Array of process arguments, starting with the absolute path to the executable.
* May be filtered to protect sensitive information.
*/
args?: string | string[];
args?: string[];
/**
* Length of the process.args array.
* This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
@ -565,11 +516,6 @@ export interface EcsProcess {
name?: string;
};
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
/**
* The working directory of the process.
*/
@ -618,57 +564,6 @@ export interface EcsProcess {
* This field only appears on the top level process object, which is the process that wrote the output or read the input.
*/
io?: Record<string, unknown>;
macho?: {
/**
* A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for symhash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* An array containing an object for each section of the Mach-O file.
* The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a Mach-O implementation of the Windows PE imphash
*/
symhash?: string;
};
/**
* Process name.
* Sometimes called program name or similar.
@ -679,7 +574,7 @@ export interface EcsProcess {
* Array of process arguments, starting with the absolute path to the executable.
* May be filtered to protect sensitive information.
*/
args?: string | string[];
args?: string[];
/**
* Length of the process.args array.
* This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
@ -755,28 +650,7 @@ export interface EcsProcess {
/**
* List of exported element names and types.
*/
exports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
exports?: Array<Record<string, unknown>>;
header?: {
/**
* Version of the ELF Application Binary Interface (ABI).
@ -812,37 +686,24 @@ export interface EcsProcess {
version?: string;
};
/**
* A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is an ELF implementation of the Windows PE imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
imports?: Array<Record<string, unknown>>;
/**
* An array containing an object for each section of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
sections?: Array<Record<string, unknown>>;
/**
* An array containing an object for each segment of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
*/
segments?: Record<string, unknown> | Array<Record<string, unknown>>;
segments?: Array<Record<string, unknown>>;
/**
* List of shared libraries used by this ELF object.
*/
shared_libraries?: string | string[];
shared_libraries?: string[];
/**
* telfhash symbol hash for ELF file.
*/
@ -894,11 +755,6 @@ export interface EcsProcess {
* The time the process started.
*/
start?: string;
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
};
hash?: {
@ -938,57 +794,6 @@ export interface EcsProcess {
* Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
*/
interactive?: boolean;
macho?: {
/**
* A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for symhash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* An array containing an object for each section of the Mach-O file.
* The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a Mach-O implementation of the Windows PE imphash
*/
symhash?: string;
};
/**
* Process name.
* Sometimes called program name or similar.
@ -1011,49 +816,11 @@ export interface EcsProcess {
* Internal version of the file, provided at compile-time.
*/
file_version?: string;
/**
* A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
*/
imphash?: string;
/**
* A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* Internal name of the file, provided at compile-time.
*/
@ -1067,11 +834,6 @@ export interface EcsProcess {
* Internal product name of the file, provided at compile-time.
*/
product?: string;
/**
* An array containing an object for each section of the PE file.
* The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
};
/**
@ -1143,17 +905,6 @@ export interface EcsProcess {
};
thread?: {
capabilities?: {
/**
* This is the set of capabilities used by the kernel to perform permission checks for the thread.
*/
effective?: string | string[];
/**
* This is a limiting superset for the effective capabilities that the thread may assume.
*/
permitted?: string | string[];
};
/**
* Thread ID.
*/
@ -1188,11 +939,6 @@ export interface EcsProcess {
name?: string;
};
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
/**
* The working directory of the process.
*/
@ -1216,49 +962,11 @@ export interface EcsProcess {
* Internal version of the file, provided at compile-time.
*/
file_version?: string;
/**
* A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
*/
imphash?: string;
/**
* A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* Internal name of the file, provided at compile-time.
*/
@ -1272,11 +980,6 @@ export interface EcsProcess {
* Internal product name of the file, provided at compile-time.
*/
product?: string;
/**
* An array containing an object for each section of the PE file.
* The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
};
/**
@ -1293,7 +996,7 @@ export interface EcsProcess {
* Array of process arguments, starting with the absolute path to the executable.
* May be filtered to protect sensitive information.
*/
args?: string | string[];
args?: string[];
/**
* Length of the process.args array.
* This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
@ -1354,7 +1057,7 @@ export interface EcsProcess {
* Array of process arguments, starting with the absolute path to the executable.
* May be filtered to protect sensitive information.
*/
args?: string | string[];
args?: string[];
/**
* Length of the process.args array.
* This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
@ -1423,22 +1126,12 @@ export interface EcsProcess {
* The time the process started.
*/
start?: string;
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
};
/**
* The time the process started.
*/
start?: string;
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
};
/**
@ -1527,11 +1220,6 @@ export interface EcsProcess {
name?: string;
};
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
/**
* The working directory of the process.
*/
@ -1554,17 +1242,6 @@ export interface EcsProcess {
};
thread?: {
capabilities?: {
/**
* This is the set of capabilities used by the kernel to perform permission checks for the thread.
*/
effective?: string | string[];
/**
* This is a limiting superset for the effective capabilities that the thread may assume.
*/
permitted?: string | string[];
};
/**
* Thread ID.
*/
@ -1599,11 +1276,6 @@ export interface EcsProcess {
name?: string;
};
/**
* Virtual process id.
* The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
*/
vpid?: number;
/**
* The working directory of the process.
*/


@ -20,7 +20,7 @@ export interface EcsRegistry {
* Content when writing string types.
* Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
*/
strings?: string | string[];
strings?: string[];
/**
* Standard registry type for encoding contents
*/
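Review bot: Narrowing `strings?: string | string[]` back to `strings?: string[]` here — and the same narrowing in the EcsRelated, EcsRule, EcsServer, EcsService, EcsSource, EcsThreat and EcsTls sections below — restores a type that is tighter than what consumers presumably receive from `_source`, since a keyword field comes back as it was indexed and a single-valued `related.ip` is then a bare string at runtime. Against that shape, code that calls `.map()` or `.forEach()` on the field type-checks cleanly but throws, while `.includes()` silently degrades to a substring match. Because the motivation for the revert is a mapping conflict rather than these unions, it may be worth keeping the `T | T[]` form for the multi-valued fields, or normalising at the read boundary with something like `const ips = Array.isArray(related.ip) ? related.ip : [related.ip];`. Detection and enrichment logic that quietly mis-evaluates these fields is harder to notice than a compile error, so that guard is the safer default until the upgrade lands again.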


@ -15,17 +15,17 @@ export interface EcsRelated {
/**
* All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
*/
hash?: string | string[];
hash?: string[];
/**
* All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
*/
hosts?: string | string[];
hosts?: string[];
/**
* All of the IPs seen on your event.
*/
ip?: string | string[];
ip?: string[];
/**
* All the user names or other user identifiers seen on the event.
*/
user?: string | string[];
user?: string[];
}


@ -14,7 +14,7 @@ export interface EcsRule {
/**
* Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
*/
author?: string | string[];
author?: string[];
/**
* A categorization value keyword used by the entity using the rule for detection of this event.
*/



@ -181,6 +181,6 @@ export interface EcsServer {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
};
}


@ -61,7 +61,7 @@ export interface EcsService {
* In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.
* Other services could use this to distinguish between a `web` and `worker` role running as part of the service.
*/
roles?: string | string[];
roles?: string[];
};
origin?: {
@ -115,7 +115,7 @@ export interface EcsService {
* In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.
* Other services could use this to distinguish between a `web` and `worker` role running as part of the service.
*/
roles?: string | string[];
roles?: string[];
};
/**
@ -190,7 +190,7 @@ export interface EcsService {
* In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.
* Other services could use this to distinguish between a `web` and `worker` role running as part of the service.
*/
roles?: string | string[];
roles?: string[];
};
/**


@ -180,6 +180,6 @@ export interface EcsSource {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
};
}


@ -14,7 +14,7 @@ export interface EcsThreat {
/**
* A list of associated indicators objects enriching the event, and the context of that association/enrichment.
*/
enrichments?: Record<string, unknown> | Array<Record<string, unknown>>;
enrichments?: Array<Record<string, unknown>>;
feed?: {
/**
* The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana.
@ -43,7 +43,7 @@ export interface EcsThreat {
* The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.
* While not required, you can use a MITRE ATT&CK® group alias(es).
*/
alias?: string | string[];
alias?: string[];
/**
* The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.
* While not required, you can use a MITRE ATT&CK® group id.
@ -100,7 +100,7 @@ export interface EcsThreat {
* Array of file attributes.
* Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
*/
attributes?: string | string[];
attributes?: string[];
code_signature?: {
/**
* The hashing algorithm used to sign the process.
@ -189,28 +189,7 @@ export interface EcsThreat {
/**
* List of exported element names and types.
*/
exports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
exports?: Array<Record<string, unknown>>;
header?: {
/**
* Version of the ELF Application Binary Interface (ABI).
@ -246,37 +225,24 @@ export interface EcsThreat {
version?: string;
};
/**
* A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is an ELF implementation of the Windows PE imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
imports?: Array<Record<string, unknown>>;
/**
* An array containing an object for each section of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
sections?: Array<Record<string, unknown>>;
/**
* An array containing an object for each segment of the ELF file.
* The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
*/
segments?: Record<string, unknown> | Array<Record<string, unknown>>;
segments?: Array<Record<string, unknown>>;
/**
* List of shared libraries used by this ELF object.
*/
shared_libraries?: string | string[];
shared_libraries?: string[];
/**
* telfhash symbol hash for ELF file.
*/
@ -378,49 +344,11 @@ export interface EcsThreat {
* Internal version of the file, provided at compile-time.
*/
file_version?: string;
/**
* A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
*/
go_import_hash?: string;
/**
* List of imported Go language element names and types.
*/
go_imports?: Record<string, unknown>;
/**
* Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of Go imports.
*/
go_imports_names_var_entropy?: number;
/**
* Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
*/
go_stripped?: boolean;
/**
* A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
*/
imphash?: string;
/**
* A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
* This is a synonym for imphash.
*/
import_hash?: string;
/**
* List of imported element names and types.
*/
imports?: Record<string, unknown> | Array<Record<string, unknown>>;
/**
* Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_entropy?: number;
/**
* Variance for Shannon entropy calculation from the list of imported element names and types.
*/
imports_names_var_entropy?: number;
/**
* Internal name of the file, provided at compile-time.
*/
@ -434,11 +362,6 @@ export interface EcsThreat {
* Internal product name of the file, provided at compile-time.
*/
product?: string;
/**
* An array containing an object for each section of the PE file.
* The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
*/
sections?: Record<string, unknown> | Array<Record<string, unknown>>;
};
/**
@ -462,16 +385,16 @@ export interface EcsThreat {
/**
* List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
*/
alternative_names?: string | string[];
alternative_names?: string[];
issuer?: {
/**
* List of common name (CN) of issuing certificate authority.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) codes
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of issuing certificate authority.
*/
@ -479,19 +402,19 @@ export interface EcsThreat {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of issuing certificate authority.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of issuing certificate authority.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -530,11 +453,11 @@ export interface EcsThreat {
/**
* List of common names (CN) of subject.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) code
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of the certificate subject entity.
*/
@ -542,19 +465,19 @@ export interface EcsThreat {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of subject.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of subject.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -641,10 +564,6 @@ export interface EcsThreat {
* The date and time when intelligence source last modified information for this indicator.
*/
modified_at?: string;
/**
* The display name indicator in an UI friendly format
*/
name?: string;
/**
* Identifies a threat indicator as a port number (irrespective of direction).
*/
@ -668,7 +587,7 @@ export interface EcsThreat {
* Content when writing string types.
* Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
*/
strings?: string | string[];
strings?: string[];
/**
* Standard registry type for encoding contents
*/
@ -782,16 +701,16 @@ export interface EcsThreat {
/**
* List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
*/
alternative_names?: string | string[];
alternative_names?: string[];
issuer?: {
/**
* List of common name (CN) of issuing certificate authority.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) codes
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of issuing certificate authority.
*/
@ -799,19 +718,19 @@ export interface EcsThreat {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of issuing certificate authority.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of issuing certificate authority.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -850,11 +769,11 @@ export interface EcsThreat {
/**
* List of common names (CN) of subject.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) code
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of the certificate subject entity.
*/
@ -862,19 +781,19 @@ export interface EcsThreat {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of subject.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of subject.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -889,7 +808,7 @@ export interface EcsThreat {
* The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.
* While not required, you can use a MITRE ATT&CK® associated software description.
*/
alias?: string | string[];
alias?: string[];
/**
* The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
* While not required, you can use a MITRE ATT&CK® software id.
@ -904,7 +823,7 @@ export interface EcsThreat {
* The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
* While not required, you can use MITRE ATT&CK® software platform values.
*/
platforms?: string | string[];
platforms?: string[];
/**
* The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
* While not required, you can use a MITRE ATT&CK® software reference URL.
@ -921,43 +840,43 @@ export interface EcsThreat {
/**
* The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
*/
id?: string | string[];
id?: string[];
/**
* Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
*/
name?: string | string[];
name?: string[];
/**
* The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
*/
reference?: string | string[];
reference?: string[];
};
technique?: {
/**
* The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
*/
id?: string | string[];
id?: string[];
/**
* The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
*/
name?: string | string[];
name?: string[];
/**
* The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
*/
reference?: string | string[];
reference?: string[];
subtechnique?: {
/**
* The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
*/
id?: string | string[];
id?: string[];
/**
* The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
*/
name?: string | string[];
name?: string[];
/**
* The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
*/
reference?: string | string[];
reference?: string[];
};
};
}
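Review bot: The hunk at `@ -641,10 +564,6 @@` removes the property `name?: string` ("The display name indicator in an UI friendly format") from the indicator object outright, so unlike the pure type narrowings elsewhere in this section it takes away a field that callers may already read. Any UI or enrichment code that renders an indicator display name through this type will stop compiling, and code that reaches it through an untyped document will silently render nothing — worth a grep for that property before merging. Since the interface now lags the definitions it was briefly updated to, a one-line header comment on the interface, e.g. `// Pinned to the prior ECS definitions until the nested-mapping conflict behind this revert is resolved.`, would stop the next person from re-landing the upgrade without first checking mapping compatibility.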


@ -22,7 +22,7 @@ export interface EcsTls {
/**
* Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
*/
certificate_chain?: string | string[];
certificate_chain?: string[];
hash?: {
/**
* Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
@ -65,21 +65,21 @@ export interface EcsTls {
/**
* Array of ciphers offered by the client during the client hello.
*/
supported_ciphers?: string | string[];
supported_ciphers?: string[];
x509?: {
/**
* List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
*/
alternative_names?: string | string[];
alternative_names?: string[];
issuer?: {
/**
* List of common name (CN) of issuing certificate authority.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) codes
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of issuing certificate authority.
*/
@ -87,19 +87,19 @@ export interface EcsTls {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of issuing certificate authority.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of issuing certificate authority.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -138,11 +138,11 @@ export interface EcsTls {
/**
* List of common names (CN) of subject.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) code
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of the certificate subject entity.
*/
@ -150,19 +150,19 @@ export interface EcsTls {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of subject.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of subject.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -196,7 +196,7 @@ export interface EcsTls {
/**
* Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
*/
certificate_chain?: string | string[];
certificate_chain?: string[];
hash?: {
/**
* Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
@ -236,16 +236,16 @@ export interface EcsTls {
/**
* List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
*/
alternative_names?: string | string[];
alternative_names?: string[];
issuer?: {
/**
* List of common name (CN) of issuing certificate authority.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) codes
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of issuing certificate authority.
*/
@ -253,19 +253,19 @@ export interface EcsTls {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of issuing certificate authority.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of issuing certificate authority.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -304,11 +304,11 @@ export interface EcsTls {
/**
* List of common names (CN) of subject.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) code
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of the certificate subject entity.
*/
@ -316,19 +316,19 @@ export interface EcsTls {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of subject.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of subject.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**


@ -57,7 +57,7 @@ export interface EcsUser {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
};
/**
@ -111,7 +111,7 @@ export interface EcsUser {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
};
/**
@ -181,7 +181,7 @@ export interface EcsUser {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
target?: {
/**
* Name of the directory the user is a member of.
@ -228,6 +228,6 @@ export interface EcsUser {
/**
* Array of user roles at the time of the event.
*/
roles?: string | string[];
roles?: string[];
};
}


@ -14,7 +14,7 @@ export interface EcsVulnerability {
* The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
* This field must be an array.
*/
category?: string | string[];
category?: string[];
/**
* The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)
*/


@ -15,16 +15,16 @@ export interface EcsX509 {
/**
* List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
*/
alternative_names?: string | string[];
alternative_names?: string[];
issuer?: {
/**
* List of common name (CN) of issuing certificate authority.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) codes
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of issuing certificate authority.
*/
@ -32,19 +32,19 @@ export interface EcsX509 {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of issuing certificate authority.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of issuing certificate authority.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**
@ -83,11 +83,11 @@ export interface EcsX509 {
/**
* List of common names (CN) of subject.
*/
common_name?: string | string[];
common_name?: string[];
/**
* List of country \(C) code
*/
country?: string | string[];
country?: string[];
/**
* Distinguished name (DN) of the certificate subject entity.
*/
@ -95,19 +95,19 @@ export interface EcsX509 {
/**
* List of locality names (L)
*/
locality?: string | string[];
locality?: string[];
/**
* List of organizations (O) of subject.
*/
organization?: string | string[];
organization?: string[];
/**
* List of organizational units (OU) of subject.
*/
organizational_unit?: string | string[];
organizational_unit?: string[];
/**
* List of state or province names (ST, S, or P)
*/
state_or_province?: string | string[];
state_or_province?: string[];
};
/**


@ -54,9 +54,26 @@ describe('helpers', () => {
describe('getValidValues', () => {
test('it returns the expected valid values', () => {
expect(getValidValues(ecsMetadata['event.category'])).toEqual(
expect.arrayContaining([expect.any(String)])
);
expect(getValidValues(ecsMetadata['event.category'])).toEqual([
'authentication',
'configuration',
'database',
'driver',
'email',
'file',
'host',
'iam',
'intrusion_detection',
'malware',
'network',
'package',
'process',
'registry',
'session',
'threat',
'vulnerability',
'web',
]);
});
test('it returns an empty array when the `field` does NOT have `allowed_values`', () => {
@ -79,8 +96,26 @@ describe('helpers', () => {
allowed_values: missingDatabase,
};
expect(getValidValues(field)).toEqual(expect.arrayContaining([expect.any(String)]));
expect(getValidValues(field)).not.toEqual(expect.arrayContaining(['database']));
expect(getValidValues(field)).toEqual([
'authentication',
'configuration',
// no entry for 'database'
'driver',
'email',
'file',
'host',
'iam',
'intrusion_detection',
'malware',
'network',
'package',
'process',
'registry',
'session',
'threat',
'vulnerability',
'web',
]);
});
});
@ -91,15 +126,73 @@ describe('helpers', () => {
ecsMetadata,
indexName: 'auditbeat-*',
})
).toEqual(
expect.arrayContaining([
expect.objectContaining({
indexName: 'auditbeat-*',
indexFieldName: 'event.category',
allowedValues: expect.arrayContaining([expect.any(String)]),
}),
])
);
).toEqual([
{
indexName: 'auditbeat-*',
indexFieldName: 'event.category',
allowedValues: [
'authentication',
'configuration',
'database',
'driver',
'email',
'file',
'host',
'iam',
'intrusion_detection',
'malware',
'network',
'package',
'process',
'registry',
'session',
'threat',
'vulnerability',
'web',
],
},
{
indexName: 'auditbeat-*',
indexFieldName: 'event.kind',
allowedValues: [
'alert',
'enrichment',
'event',
'metric',
'state',
'pipeline_error',
'signal',
],
},
{
indexName: 'auditbeat-*',
indexFieldName: 'event.outcome',
allowedValues: ['failure', 'success', 'unknown'],
},
{
indexName: 'auditbeat-*',
indexFieldName: 'event.type',
allowedValues: [
'access',
'admin',
'allowed',
'change',
'connection',
'creation',
'deletion',
'denied',
'end',
'error',
'group',
'indicator',
'info',
'installation',
'protocol',
'start',
'user',
],
},
]);
});
test('it returns an empty array when `ecsMetadata` is null', () => {
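Review bot: The restored expected list for `event.category` is hand-copied three times in this section (the `getValidValues` test, the "missing database" test, and the `allowedValues` entry of the `auditbeat-*` expectation), and the following helpers test section repeats the full `allowed_values` objects twice more, so the next ECS bump has to be patched in every copy and any one copy can silently drift from the others. Hoist it once per test file, e.g. `const EXPECTED_EVENT_CATEGORIES = ['authentication', 'configuration', 'database', /* … */ 'web'];`, and derive the second hunk's variant with `EXPECTED_EVENT_CATEGORIES.filter((v) => v !== 'database')`, which still pins that `'database'` is absent without a second maintained list. The same applies to the `event.kind`, `event.outcome` and `event.type` lists in the third hunk. The enclosing `describe('helpers')` block starts before this section.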


@ -122,82 +122,542 @@ describe('helpers', () => {
unallowedValues,
})
).toEqual({
all: expect.arrayContaining([
expect.objectContaining({
allowed_values: expect.arrayContaining([
expect.objectContaining({
name: expect.any(String),
description: expect.any(String),
expected_event_types: expect.arrayContaining([expect.any(String)]),
}),
]),
dashed_name: expect.any(String),
description: expect.any(String),
example: expect.any(String),
flat_name: expect.any(String),
ignore_above: expect.any(Number),
level: expect.any(String),
name: expect.any(String),
normalize: expect.any(Array),
short: expect.any(String),
type: expect.any(String),
indexFieldName: expect.any(String),
indexFieldType: expect.any(String),
indexInvalidValues: expect.any(Array),
hasEcsMetadata: expect.any(Boolean),
isEcsCompliant: expect.any(Boolean),
isInSameFamily: expect.any(Boolean),
}),
]),
ecsCompliant: expect.arrayContaining([
expect.objectContaining({
dashed_name: expect.any(String),
description: expect.any(String),
example: expect.any(String),
flat_name: expect.any(String),
level: expect.any(String),
name: expect.any(String),
normalize: expect.any(Array),
short: expect.any(String),
type: expect.any(String),
indexFieldName: expect.any(String),
indexFieldType: expect.any(String),
indexInvalidValues: expect.any(Array),
hasEcsMetadata: expect.any(Boolean),
isEcsCompliant: expect.any(Boolean),
isInSameFamily: expect.any(Boolean),
}),
]),
custom: expect.arrayContaining([
expect.objectContaining({
indexFieldName: expect.any(String),
indexFieldType: expect.any(String),
indexInvalidValues: expect.any(Array),
hasEcsMetadata: expect.any(Boolean),
isEcsCompliant: expect.any(Boolean),
isInSameFamily: expect.any(Boolean),
}),
]),
incompatible: expect.arrayContaining([
expect.objectContaining({
dashed_name: expect.any(String),
description: expect.any(String),
example: expect.any(String),
flat_name: expect.any(String),
level: expect.any(String),
name: expect.any(String),
normalize: expect.any(Array),
short: expect.any(String),
type: expect.any(String),
indexFieldName: expect.any(String),
indexFieldType: expect.any(String),
indexInvalidValues: expect.any(Array),
hasEcsMetadata: expect.any(Boolean),
isEcsCompliant: expect.any(Boolean),
isInSameFamily: expect.any(Boolean),
}),
]),
all: [
{
dashed_name: 'timestamp',
description:
'Date/time when the event originated.\nThis is the date/time extracted from the event, typically representing when the event was generated by the source.\nIf the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.\nRequired field for all events.',
example: '2016-05-23T08:05:34.853Z',
flat_name: '@timestamp',
level: 'core',
name: '@timestamp',
normalize: [],
required: true,
short: 'Date/time when the event originated.',
type: 'date',
indexFieldName: '@timestamp',
indexFieldType: 'date',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: true,
isInSameFamily: false,
},
{
allowed_values: [
{
description:
'Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. Visualize and analyze events in this category to look for failed logins, and other authentication-related activity.',
expected_event_types: ['start', 'end', 'info'],
name: 'authentication',
},
{
description:
'Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.\nExample sources include security policy change logs, configuration auditing logging, and system integrity monitoring.',
expected_event_types: ['access', 'change', 'creation', 'deletion', 'info'],
name: 'configuration',
},
{
description:
'The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes.',
expected_event_types: ['access', 'change', 'info', 'error'],
name: 'database',
},
{
description:
'Events in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.\nUse events and metrics in this category to visualize and analyze driver-related activity and status on hosts.',
expected_event_types: ['change', 'end', 'info', 'start'],
name: 'driver',
},
{
description:
'This category is used for events relating to email messages, email attachments, and email network or protocol activity.\nEmails events can be produced by email security gateways, mail transfer agents, email cloud service providers, or mail server monitoring applications.',
expected_event_types: ['info'],
name: 'email',
},
{
description:
'Relating to a set of information that has been created on, or has existed on a filesystem. Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log.',
expected_event_types: ['change', 'creation', 'deletion', 'info'],
name: 'file',
},
{
description:
'Use this category to visualize and analyze information such as host inventory or host lifecycle events.\nMost of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane\'s point of view. Some can also be seen from within, such as "start" or "end".\nNote that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".',
expected_event_types: ['access', 'change', 'end', 'info', 'start'],
name: 'host',
},
{
description:
'Identity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.',
expected_event_types: [
'admin',
'change',
'creation',
'deletion',
'group',
'info',
'user',
],
name: 'iam',
},
{
description:
'Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.',
expected_event_types: ['allowed', 'denied', 'info'],
name: 'intrusion_detection',
},
{
description:
'Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs.',
expected_event_types: ['info'],
name: 'malware',
},
{
description:
'Relating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc.',
expected_event_types: [
'access',
'allowed',
'connection',
'denied',
'end',
'info',
'protocol',
'start',
],
name: 'network',
},
{
description:
'Relating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data.',
expected_event_types: [
'access',
'change',
'deletion',
'info',
'installation',
'start',
],
name: 'package',
},
{
description:
'Use this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry.',
expected_event_types: ['access', 'change', 'end', 'info', 'start'],
name: 'process',
},
{
description:
'Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.',
expected_event_types: ['access', 'change', 'creation', 'deletion'],
name: 'registry',
},
{
description:
'The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.',
expected_event_types: ['start', 'end', 'info'],
name: 'session',
},
{
description:
"Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors.",
expected_event_types: ['indicator'],
name: 'threat',
},
{
description:
'Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources.',
expected_event_types: ['info'],
name: 'vulnerability',
},
{
description:
'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.',
expected_event_types: ['access', 'error', 'info'],
name: 'web',
},
],
dashed_name: 'event-category',
description:
'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.\n`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.\nThis field is an array. This will allow proper categorization of some events that fall in multiple categories.',
example: 'authentication',
flat_name: 'event.category',
ignore_above: 1024,
level: 'core',
name: 'category',
normalize: ['array'],
short: 'Event category. The second categorization field in the hierarchy.',
type: 'keyword',
indexFieldName: 'event.category',
indexFieldType: 'keyword',
indexInvalidValues: [
{
count: 2,
fieldName: 'an_invalid_category',
},
{
count: 1,
fieldName: 'theory',
},
],
hasEcsMetadata: true,
isEcsCompliant: false,
isInSameFamily: false,
},
{
dashed_name: 'host-name',
description:
'Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
flat_name: 'host.name',
ignore_above: 1024,
level: 'core',
name: 'name',
normalize: [],
short: 'Name of the host.',
type: 'keyword',
indexFieldName: 'host.name',
indexFieldType: 'text',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: false,
isInSameFamily: false,
},
{
indexFieldName: 'host.name.keyword',
indexFieldType: 'keyword',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
{
indexFieldName: 'some.field',
indexFieldType: 'text',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
{
indexFieldName: 'some.field.keyword',
indexFieldType: 'keyword',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
{
dashed_name: 'source-ip',
description: 'IP address of the source (IPv4 or IPv6).',
flat_name: 'source.ip',
level: 'core',
name: 'ip',
normalize: [],
short: 'IP address of the source.',
type: 'ip',
indexFieldName: 'source.ip',
indexFieldType: 'text',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: false,
isInSameFamily: false,
},
{
indexFieldName: 'source.ip.keyword',
indexFieldType: 'keyword',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
{
dashed_name: 'source-port',
description: 'Port of the source.',
flat_name: 'source.port',
format: 'string',
level: 'core',
name: 'port',
normalize: [],
short: 'Port of the source.',
type: 'long',
indexFieldName: 'source.port',
indexFieldType: 'long',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: true,
isInSameFamily: false,
},
],
ecsCompliant: [
{
dashed_name: 'timestamp',
description:
'Date/time when the event originated.\nThis is the date/time extracted from the event, typically representing when the event was generated by the source.\nIf the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.\nRequired field for all events.',
example: '2016-05-23T08:05:34.853Z',
flat_name: '@timestamp',
level: 'core',
name: '@timestamp',
normalize: [],
required: true,
short: 'Date/time when the event originated.',
type: 'date',
indexFieldName: '@timestamp',
indexFieldType: 'date',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: true,
isInSameFamily: false,
},
{
dashed_name: 'source-port',
description: 'Port of the source.',
flat_name: 'source.port',
format: 'string',
level: 'core',
name: 'port',
normalize: [],
short: 'Port of the source.',
type: 'long',
indexFieldName: 'source.port',
indexFieldType: 'long',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: true,
isInSameFamily: false,
},
],
custom: [
{
indexFieldName: 'host.name.keyword',
indexFieldType: 'keyword',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
{
indexFieldName: 'some.field',
indexFieldType: 'text',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
{
indexFieldName: 'some.field.keyword',
indexFieldType: 'keyword',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
{
indexFieldName: 'source.ip.keyword',
indexFieldType: 'keyword',
indexInvalidValues: [],
hasEcsMetadata: false,
isEcsCompliant: false,
isInSameFamily: false,
},
],
incompatible: [
{
allowed_values: [
{
description:
'Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. Visualize and analyze events in this category to look for failed logins, and other authentication-related activity.',
expected_event_types: ['start', 'end', 'info'],
name: 'authentication',
},
{
description:
'Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.\nExample sources include security policy change logs, configuration auditing logging, and system integrity monitoring.',
expected_event_types: ['access', 'change', 'creation', 'deletion', 'info'],
name: 'configuration',
},
{
description:
'The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes.',
expected_event_types: ['access', 'change', 'info', 'error'],
name: 'database',
},
{
description:
'Events in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.\nUse events and metrics in this category to visualize and analyze driver-related activity and status on hosts.',
expected_event_types: ['change', 'end', 'info', 'start'],
name: 'driver',
},
{
description:
'This category is used for events relating to email messages, email attachments, and email network or protocol activity.\nEmails events can be produced by email security gateways, mail transfer agents, email cloud service providers, or mail server monitoring applications.',
expected_event_types: ['info'],
name: 'email',
},
{
description:
'Relating to a set of information that has been created on, or has existed on a filesystem. Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log.',
expected_event_types: ['change', 'creation', 'deletion', 'info'],
name: 'file',
},
{
description:
'Use this category to visualize and analyze information such as host inventory or host lifecycle events.\nMost of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane\'s point of view. Some can also be seen from within, such as "start" or "end".\nNote that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".',
expected_event_types: ['access', 'change', 'end', 'info', 'start'],
name: 'host',
},
{
description:
'Identity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.',
expected_event_types: [
'admin',
'change',
'creation',
'deletion',
'group',
'info',
'user',
],
name: 'iam',
},
{
description:
'Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.',
expected_event_types: ['allowed', 'denied', 'info'],
name: 'intrusion_detection',
},
{
description:
'Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs.',
expected_event_types: ['info'],
name: 'malware',
},
{
description:
'Relating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc.',
expected_event_types: [
'access',
'allowed',
'connection',
'denied',
'end',
'info',
'protocol',
'start',
],
name: 'network',
},
{
description:
'Relating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data.',
expected_event_types: [
'access',
'change',
'deletion',
'info',
'installation',
'start',
],
name: 'package',
},
{
description:
'Use this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry.',
expected_event_types: ['access', 'change', 'end', 'info', 'start'],
name: 'process',
},
{
description:
'Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.',
expected_event_types: ['access', 'change', 'creation', 'deletion'],
name: 'registry',
},
{
description:
'The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.',
expected_event_types: ['start', 'end', 'info'],
name: 'session',
},
{
description:
"Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors.",
expected_event_types: ['indicator'],
name: 'threat',
},
{
description:
'Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources.',
expected_event_types: ['info'],
name: 'vulnerability',
},
{
description:
'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.',
expected_event_types: ['access', 'error', 'info'],
name: 'web',
},
],
dashed_name: 'event-category',
description:
'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.\n`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.\nThis field is an array. This will allow proper categorization of some events that fall in multiple categories.',
example: 'authentication',
flat_name: 'event.category',
ignore_above: 1024,
level: 'core',
name: 'category',
normalize: ['array'],
short: 'Event category. The second categorization field in the hierarchy.',
type: 'keyword',
indexFieldName: 'event.category',
indexFieldType: 'keyword',
indexInvalidValues: [
{
count: 2,
fieldName: 'an_invalid_category',
},
{
count: 1,
fieldName: 'theory',
},
],
hasEcsMetadata: true,
isEcsCompliant: false,
isInSameFamily: false,
},
{
dashed_name: 'host-name',
description:
'Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
flat_name: 'host.name',
ignore_above: 1024,
level: 'core',
name: 'name',
normalize: [],
short: 'Name of the host.',
type: 'keyword',
indexFieldName: 'host.name',
indexFieldType: 'text',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: false,
isInSameFamily: false,
},
{
dashed_name: 'source-ip',
description: 'IP address of the source (IPv4 or IPv6).',
flat_name: 'source.ip',
level: 'core',
name: 'ip',
normalize: [],
short: 'IP address of the source.',
type: 'ip',
indexFieldName: 'source.ip',
indexFieldType: 'text',
indexInvalidValues: [],
hasEcsMetadata: true,
isEcsCompliant: false,
isInSameFamily: false,
},
],
sameFamily: [],
});
});


@ -440,13 +440,133 @@ describe('helpers', () => {
* `isEcsCompliant` is true, because the index has the expected mapping type, and no unallowed values
*/
const happyPathResult: EnrichedFieldMetadata = {
allowed_values: expect.arrayContaining([
expect.objectContaining({
description: expect.any(String),
name: expect.any(String),
expected_event_types: expect.arrayContaining([expect.any(String)]),
}),
]),
allowed_values: [
{
description:
'Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. Visualize and analyze events in this category to look for failed logins, and other authentication-related activity.',
expected_event_types: ['start', 'end', 'info'],
name: 'authentication',
},
{
description:
'Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.\nExample sources include security policy change logs, configuration auditing logging, and system integrity monitoring.',
expected_event_types: ['access', 'change', 'creation', 'deletion', 'info'],
name: 'configuration',
},
{
description:
'The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes.',
expected_event_types: ['access', 'change', 'info', 'error'],
name: 'database',
},
{
description:
'Events in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.\nUse events and metrics in this category to visualize and analyze driver-related activity and status on hosts.',
expected_event_types: ['change', 'end', 'info', 'start'],
name: 'driver',
},
{
description:
'This category is used for events relating to email messages, email attachments, and email network or protocol activity.\nEmails events can be produced by email security gateways, mail transfer agents, email cloud service providers, or mail server monitoring applications.',
expected_event_types: ['info'],
name: 'email',
},
{
description:
'Relating to a set of information that has been created on, or has existed on a filesystem. Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log.',
expected_event_types: ['change', 'creation', 'deletion', 'info'],
name: 'file',
},
{
description:
'Use this category to visualize and analyze information such as host inventory or host lifecycle events.\nMost of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane\'s point of view. Some can also be seen from within, such as "start" or "end".\nNote that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".',
expected_event_types: ['access', 'change', 'end', 'info', 'start'],
name: 'host',
},
{
description:
'Identity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.',
expected_event_types: [
'admin',
'change',
'creation',
'deletion',
'group',
'info',
'user',
],
name: 'iam',
},
{
description:
'Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.',
expected_event_types: ['allowed', 'denied', 'info'],
name: 'intrusion_detection',
},
{
description:
'Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs.',
expected_event_types: ['info'],
name: 'malware',
},
{
description:
'Relating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc.',
expected_event_types: [
'access',
'allowed',
'connection',
'denied',
'end',
'info',
'protocol',
'start',
],
name: 'network',
},
{
description:
'Relating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data.',
expected_event_types: ['access', 'change', 'deletion', 'info', 'installation', 'start'],
name: 'package',
},
{
description:
'Use this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry.',
expected_event_types: ['access', 'change', 'end', 'info', 'start'],
name: 'process',
},
{
description:
'Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.',
expected_event_types: ['access', 'change', 'creation', 'deletion'],
name: 'registry',
},
{
description:
'The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.',
expected_event_types: ['start', 'end', 'info'],
name: 'session',
},
{
description:
"Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors.",
expected_event_types: ['indicator'],
name: 'threat',
},
{
description:
'Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources.',
expected_event_types: ['info'],
name: 'vulnerability',
},
{
description:
'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.',
expected_event_types: ['access', 'error', 'info'],
name: 'web',
},
],
dashed_name: 'event-category',
description:
'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.\n`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.\nThis field is an array. This will allow proper categorization of some events that fall in multiple categories.',
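Review bot: The restored literal `allowed_values` array (the `authentication` … `web` objects) pins `happyPathResult` to the exact ECS 8.6.1 category set, so this fixture has to be rewritten every time the `@kbn/ecs` package moves — which is precisely the churn the reverted PR had to absorb. The matcher form being dropped here, `allowed_values: expect.arrayContaining([expect.objectContaining({ description: expect.any(String), name: expect.any(String), expected_event_types: expect.arrayContaining([expect.any(String)]) })])`, still checks the shape the helper relies on without depending on the ECS version, so keeping it while only the package bump is reverted would be a smaller, more targeted revert. The enclosing `describe('helpers')` block and the `happyPathResult` object literal both continue outside the hunk.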


@ -27,7 +27,6 @@ import { EMPTY_STAT } from '../helpers';
import { IndicesStatsIndicesStats } from '@elastic/elasticsearch/lib/api/types';
import { mockPartitionedFieldMetadata } from '../mock/partitioned_field_metadata/mock_partitioned_field_metadata';
import { alertIndexWithAllResults } from '../mock/pattern_rollup/mock_alerts_pattern_rollup';
import { EcsVersion } from '@kbn/ecs';
const defaultBytesFormat = '0,0.[0]b';
const formatBytes = (value: number | undefined) =>
@ -272,7 +271,7 @@ describe('helpers', () => {
'### .ds-packetbeat-8.6.1-2023.02.04-000001\n',
'| Result | Index | Docs | Incompatible fields | ILM Phase | Size |\n|--------|-------|------|---------------------|-----------|------|\n| ❌ | .ds-packetbeat-8.6.1-2023.02.04-000001 | 1,628,343 (50.0%) | 3 | `hot` | 697.7MB |\n\n',
'### **Incompatible fields** `3` **Same family** `0` **Custom fields** `4` **ECS compliant fields** `2` **All fields** `9`\n',
`#### 3 incompatible fields\n\nFields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version ${EcsVersion}.\n\n❌ Detection engine rules referencing these fields may not match them correctly\n❌ Pages may not display some events or fields due to unexpected field mappings or values\n❌ Mappings or field values that don't comply with ECS are not supported\n`,
"#### 3 incompatible fields\n\nFields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.1.\n\n❌ Detection engine rules referencing these fields may not match them correctly\n❌ Pages may not display some events or fields due to unexpected field mappings or values\n❌ Mappings or field values that don't comply with ECS are not supported\n",
'\n#### Incompatible field mappings - .ds-packetbeat-8.6.1-2023.02.04-000001\n\n\n| Field | ECS mapping type (expected) | Index mapping type (actual) | \n|-------|-----------------------------|-----------------------------|\n| host.name | `keyword` | `text` |\n| source.ip | `ip` | `text` |\n\n#### Incompatible field values - .ds-packetbeat-8.6.1-2023.02.04-000001\n\n\n| Field | ECS values (expected) | Document values (actual) | \n|-------|-----------------------|--------------------------|\n| event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `an_invalid_category` (2), `theory` (1) |\n\n',
],
pattern: 'packetbeat-*',
@ -373,7 +372,7 @@ describe('helpers', () => {
'### .ds-packetbeat-8.6.1-2023.02.04-000001\n',
'| Result | Index | Docs | Incompatible fields | ILM Phase | Size |\n|--------|-------|------|---------------------|-----------|------|\n| ❌ | .ds-packetbeat-8.6.1-2023.02.04-000001 | 1,628,343 () | 3 | `hot` | 697.7MB |\n\n',
'### **Incompatible fields** `3` **Same family** `0` **Custom fields** `4` **ECS compliant fields** `2` **All fields** `9`\n',
`#### 3 incompatible fields\n\nFields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version ${EcsVersion}.\n\n❌ Detection engine rules referencing these fields may not match them correctly\n❌ Pages may not display some events or fields due to unexpected field mappings or values\n❌ Mappings or field values that don't comply with ECS are not supported\n`,
"#### 3 incompatible fields\n\nFields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.1.\n\n❌ Detection engine rules referencing these fields may not match them correctly\n❌ Pages may not display some events or fields due to unexpected field mappings or values\n❌ Mappings or field values that don't comply with ECS are not supported\n",
'\n#### Incompatible field mappings - .ds-packetbeat-8.6.1-2023.02.04-000001\n\n\n| Field | ECS mapping type (expected) | Index mapping type (actual) | \n|-------|-----------------------------|-----------------------------|\n| host.name | `keyword` | `text` |\n| source.ip | `ip` | `text` |\n\n#### Incompatible field values - .ds-packetbeat-8.6.1-2023.02.04-000001\n\n\n| Field | ECS values (expected) | Document values (actual) | \n|-------|-----------------------|--------------------------|\n| event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `an_invalid_category` (2), `theory` (1) |\n\n',
],
pattern: 'packetbeat-*',
@ -522,7 +521,7 @@ describe('helpers', () => {
'### .ds-packetbeat-8.6.1-2023.02.04-000001\n',
'| Result | Index | Docs | Incompatible fields | ILM Phase | Size |\n|--------|-------|------|---------------------|-----------|------|\n| ❌ | .ds-packetbeat-8.6.1-2023.02.04-000001 | 1,628,343 (50.0%) | 3 | -- | 697.7MB |\n\n',
'### **Incompatible fields** `3` **Same family** `0` **Custom fields** `4` **ECS compliant fields** `2` **All fields** `9`\n',
`#### 3 incompatible fields\n\nFields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version ${EcsVersion}.\n\n❌ Detection engine rules referencing these fields may not match them correctly\n❌ Pages may not display some events or fields due to unexpected field mappings or values\n❌ Mappings or field values that don't comply with ECS are not supported\n`,
"#### 3 incompatible fields\n\nFields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.1.\n\n❌ Detection engine rules referencing these fields may not match them correctly\n❌ Pages may not display some events or fields due to unexpected field mappings or values\n❌ Mappings or field values that don't comply with ECS are not supported\n",
'\n#### Incompatible field mappings - .ds-packetbeat-8.6.1-2023.02.04-000001\n\n\n| Field | ECS mapping type (expected) | Index mapping type (actual) | \n|-------|-----------------------------|-----------------------------|\n| host.name | `keyword` | `text` |\n| source.ip | `ip` | `text` |\n\n#### Incompatible field values - .ds-packetbeat-8.6.1-2023.02.04-000001\n\n\n| Field | ECS values (expected) | Document values (actual) | \n|-------|-----------------------|--------------------------|\n| event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `an_invalid_category` (2), `theory` (1) |\n\n',
],
pattern: 'packetbeat-*',
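Review bot: The three hunks at -272, -373 and -522 restore expected Markdown with the ECS version spelled out as `8.6.1`, while the helper under test presumably formats that version from `EcsVersion` (the import removed in the -27 hunk), so these assertions are re-coupled to the package version and will fail on the next `@kbn/ecs` bump rather than on a real regression in the report text. Assuming the restored `@kbn/ecs` still exports `EcsVersion`, keeping the `${EcsVersion}` template form for these three strings (and the import) isolates the nested-mapping problem described in the commit message from the version churn. The `describe('helpers')` block enclosing all four hunks starts and ends outside this section.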


@ -249,9 +249,8 @@ export function filterEvent(
return !ignoreFilters.some(
(rule) =>
(!rule.actions || rule.actions.includes(event.event?.action!)) &&
(!rule.categories ||
(event.event?.category as string[])?.every?.((c) => rule.categories?.includes(c))) &&
(!rule.types || (event.event?.type as string[])?.every?.((t) => rule.types?.includes(t))) &&
(!rule.categories || event.event?.category?.every((c) => rule.categories?.includes(c))) &&
(!rule.types || event.event?.type?.every((t) => rule.types?.includes(t))) &&
(!rule.outcomes || rule.outcomes.includes(event.event?.outcome!)) &&
(!rule.spaces || rule.spaces.includes(event.kibana?.space_id!))
);
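Review bot: The restored `event.event?.category?.every(...)` and `event.event?.type?.every(...)` on the two added lines presumably compile only because the restored `@kbn/ecs` types `category` and `type` as arrays; the removed lines' `as string[]` cast and `?.every?.()` guard were there because the newer package types them more loosely, so the next attempt at the bump will land on the same two lines. This looks like the audit-event ignore filter, where a non-array value reaching `every` throws instead of silently suppressing or passing the event — the safer failure for an audit path, but worth stating, e.g. `// category/type are arrays per the ECS typings; a scalar here is a producer bug and should fail loudly` above the `ignoreFilters.some(` call. `filterEvent` starts and ends outside the hunk.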