[Security Solution] Security Common Schema Package (#148664)

.github/CODEOWNERS

@@ -981,6 +981,7 @@ packages/kbn-rison @elastic/kibana-operations
 packages/kbn-rule-data-utils @elastic/security-detections-response @elastic/actionable-observability @elastic/response-ops
 packages/kbn-safer-lodash-set @elastic/kibana-security
 packages/kbn-securitysolution-autocomplete @elastic/security-solution-platform
+packages/kbn-securitysolution-ecs @elastic/security-threat-hunting-explore
 packages/kbn-securitysolution-es-utils @elastic/security-solution-platform
 packages/kbn-securitysolution-exception-list-components @elastic/security-solution-platform
 packages/kbn-securitysolution-hook-utils @elastic/security-solution-platform

package.json

@@ -375,6 +375,7 @@
     "@kbn/rule-data-utils": "link:packages/kbn-rule-data-utils",
     "@kbn/safer-lodash-set": "link:packages/kbn-safer-lodash-set",
     "@kbn/securitysolution-autocomplete": "link:packages/kbn-securitysolution-autocomplete",
+    "@kbn/securitysolution-ecs": "link:packages/kbn-securitysolution-ecs",
     "@kbn/securitysolution-es-utils": "link:packages/kbn-securitysolution-es-utils",
     "@kbn/securitysolution-exception-list-components": "link:packages/kbn-securitysolution-exception-list-components",
     "@kbn/securitysolution-hook-utils": "link:packages/kbn-securitysolution-hook-utils",

packages/kbn-securitysolution-ecs/README.md

@@ -0,0 +1,4 @@
+# @kbn/securitysolution-ecs
+
+Security Solution Ecs
+ - Ecs for the security solution

packages/kbn-securitysolution-ecs/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export * from './src';

packages/kbn-securitysolution-ecs/jest.config.js

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../..',
+  roots: ['<rootDir>/packages/kbn-securitysolution-ecs'],
+};

packages/kbn-securitysolution-ecs/kibana.jsonc

@@ -0,0 +1,5 @@
+{
+  "type": "shared-common",
+  "id": "@kbn/securitysolution-ecs",
+  "owner": "@elastic/security-threat-hunting-explore"
+}

packages/kbn-securitysolution-ecs/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "@kbn/securitysolution-ecs",
+  "private": true,
+  "version": "1.0.0",
+  "license": "SSPL-1.0 OR Elastic License 2.0"
+}

packages/kbn-securitysolution-ecs/src/agent/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface AgentEcs {

packages/kbn-securitysolution-ecs/src/auditd/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface AuditdEcs {

packages/kbn-securitysolution-ecs/src/cloud/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface CloudEcs {

packages/kbn-securitysolution-ecs/src/destination/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import type { GeoEcs } from '../geo';

packages/kbn-securitysolution-ecs/src/dll/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import type { CodeSignature } from '../file';

packages/kbn-securitysolution-ecs/src/dns/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface DnsEcs {

packages/kbn-securitysolution-ecs/src/ecs_fields/extend_map.test.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import { extendMap } from './extend_map';

packages/kbn-securitysolution-ecs/src/ecs_fields/extend_map.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export const extendMap = (

packages/kbn-securitysolution-ecs/src/ecs_fields/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import { extendMap } from './extend_map';

packages/kbn-securitysolution-ecs/src/endgame/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface EndgameEcs {

packages/kbn-securitysolution-ecs/src/event/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface EventEcs {

packages/kbn-securitysolution-ecs/src/file/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 interface Original {

packages/kbn-securitysolution-ecs/src/geo/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface GeoEcs {

packages/kbn-securitysolution-ecs/src/host/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface HostEcs {

packages/kbn-securitysolution-ecs/src/http/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface HttpEcs {

packages/kbn-securitysolution-ecs/src/index.ts

@@ -1,80 +1,127 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
-import type { AgentEcs } from './agent';
+import { AgentEcs } from './agent';
 import type { AuditdEcs } from './auditd';
+import type { CloudEcs } from './cloud';
+import type { CodeSignature, FileEcs } from './file';
 import type { DestinationEcs } from './destination';
-import type { DnsEcs } from './dns';
 import type { DllEcs } from './dll';
+import type { DnsEcs } from './dns';
 import type { EndgameEcs } from './endgame';
+import { EventCategory, EventCode } from './event';
 import type { EventEcs } from './event';
-import type { FileEcs } from './file';
 import type { GeoEcs } from './geo';
-import type { HostEcs } from './host';
+import type { HostEcs, OsEcs } from './host';
+import type { HttpEcs } from './http';
+import type { MemoryProtection } from './memory_protection';
 import type { NetworkEcs } from './network';
+import type { ProcessEcs } from './process';
+import type { Ransomware } from './ransomware';
 import type { RegistryEcs } from './registry';
 import type { RuleEcs } from './rule';
 import type { SignalEcs, SignalEcsAAD } from './signal';
 import type { SourceEcs } from './source';
 import type { SuricataEcs } from './suricata';
+import type { SystemEcs } from './system';
+import type { Target } from './target_type';
+import type { ThreatEcs, ThreatIndicatorEcs } from './threat';
 import type { TlsEcs } from './tls';
-import type { ZeekEcs } from './zeek';
-import type { HttpEcs } from './http';
 import type { UrlEcs } from './url';
 import type { UserEcs } from './user';
 import type { WinlogEcs } from './winlog';
-import type { ProcessEcs } from './process';
-import type { SystemEcs } from './system';
-import type { ThreatEcs } from './threat';
-import type { Ransomware } from './ransomware';
-import type { MemoryProtection } from './memory_protection';
-import type { Target } from './target_type';
+import type { ZeekEcs } from './zeek';
+export * from './ecs_fields';
 
-export interface Ecs {
-  _id: string;
-  _index?: string;
+export { EventCategory, EventCode };
+
+export type {
+  AgentEcs,
+  AuditdEcs,
+  CloudEcs,
+  CodeSignature,
+  DestinationEcs,
+  DllEcs,
+  DnsEcs,
+  EndgameEcs,
+  EventEcs,
+  FileEcs,
+  GeoEcs,
+  HostEcs,
+  HttpEcs,
+  MemoryProtection,
+  NetworkEcs,
+  OsEcs,
+  ProcessEcs,
+  Ransomware,
+  RegistryEcs,
+  RuleEcs,
+  SignalEcs,
+  SourceEcs,
+  SuricataEcs,
+  SystemEcs,
+  Target,
+  ThreatEcs,
+  ThreatIndicatorEcs,
+  TlsEcs,
+  UrlEcs,
+  UserEcs,
+  WinlogEcs,
+  ZeekEcs,
+};
+
+// Security Solution Extension of the Elastic Common Schema
+export interface EcsSecurityExtension {
+  // Ecs Overrides
+  // overrides Ecs to support multiple values for security entities
   agent?: AgentEcs;
-  auditd?: AuditdEcs;
   destination?: DestinationEcs;
   dns?: DnsEcs;
-  endgame?: EndgameEcs;
   event?: EventEcs;
-  geo?: GeoEcs;
+  file?: FileEcs;
   host?: HostEcs;
+  http?: HttpEcs;
+  message?: string[];
   network?: NetworkEcs;
+  process?: ProcessEcs;
   registry?: RegistryEcs;
   rule?: RuleEcs;
+  source?: SourceEcs;
+  threat?: ThreatEcs;
+  tls?: TlsEcs;
+  url?: UrlEcs;
+  user?: UserEcs;
+
+  // Security Specific Ecs
+  // exists only in security solution Ecs definition
+  _id: string;
+  _index?: string;
+  auditd?: AuditdEcs;
+  endgame?: EndgameEcs;
+  geo?: GeoEcs;
   kibana?: {
     alert: SignalEcsAAD;
   };
-  signal?: SignalEcs;
-  source?: SourceEcs;
-  suricata?: SuricataEcs;
-  tls?: TlsEcs;
-  zeek?: ZeekEcs;
-  http?: HttpEcs;
-  url?: UrlEcs;
-  timestamp?: string;
-  message?: string[];
-  user?: UserEcs;
-  winlog?: WinlogEcs;
-  process?: ProcessEcs;
-  file?: FileEcs;
-  system?: SystemEcs;
-  threat?: ThreatEcs;
-  // This should be temporary
-  eql?: { parentId: string; sequenceNumber: string };
-  Ransomware?: Ransomware;
-  // eslint-disable-next-line @typescript-eslint/naming-convention
-  Memory_protection?: MemoryProtection;
-  Target?: Target;
-  dll?: DllEcs;
-  'kibana.alert.workflow_status'?: 'open' | 'acknowledged' | 'in-progress' | 'closed';
   // I believe these parameters are all snake cased to correspond with how they are sent "over the wire" as request / response
   // Not representative of the parsed types that are camel cased.
   'kibana.alert.rule.parameters'?: { index: string[]; data_view_id?: string };
+  'kibana.alert.workflow_status'?: 'open' | 'acknowledged' | 'in-progress' | 'closed';
+  // eslint-disable-next-line @typescript-eslint/naming-convention
+  Memory_protection?: MemoryProtection;
+  Ransomware?: Ransomware;
+  Target?: Target;
+  dll?: DllEcs;
+  // This should be temporary
+  eql?: { parentId: string; sequenceNumber: string };
+  signal?: SignalEcs;
+  suricata?: SuricataEcs;
+  system?: SystemEcs;
+  timestamp?: string;
+  winlog?: WinlogEcs;
+  zeek?: ZeekEcs;
 }

packages/kbn-securitysolution-ecs/src/memory_protection/index.ts

@@ -1,9 +1,11 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
+
 export interface MemoryProtection {
   cross_session?: boolean;
   feature?: string;

packages/kbn-securitysolution-ecs/src/network/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface NetworkEcs {

packages/kbn-securitysolution-ecs/src/process/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import type { CodeSignature, Ext } from '../file';

packages/kbn-securitysolution-ecs/src/ransomware/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface Ransomware {

packages/kbn-securitysolution-ecs/src/registry/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface RegistryEcs {

packages/kbn-securitysolution-ecs/src/rule/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface RuleEcs {

packages/kbn-securitysolution-ecs/src/signal/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import type { RuleEcs } from '../rule';

packages/kbn-securitysolution-ecs/src/source/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import type { GeoEcs } from '../geo';

packages/kbn-securitysolution-ecs/src/suricata/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface SuricataEcs {

packages/kbn-securitysolution-ecs/src/system/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface SystemEcs {

packages/kbn-securitysolution-ecs/src/target_type/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import type { ProcessEcs } from '../process';

packages/kbn-securitysolution-ecs/src/threat/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import type { EventEcs } from '../event';
@@ -31,9 +32,14 @@ export interface ThreatIndicatorEcs {
   type?: string[];
 }
 
+export interface ThreatFeedEcs {
+  name?: string[];
+}
+
 export interface ThreatEnrichmentEcs {
   indicator?: ThreatIndicatorEcs;
   matched?: ThreatMatchEcs;
+  feed?: ThreatFeedEcs;
 }
 
 export interface ThreatEcs {

packages/kbn-securitysolution-ecs/src/tls/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface TlsEcs {

packages/kbn-securitysolution-ecs/src/url/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface UrlEcs {

packages/kbn-securitysolution-ecs/src/user/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface UserEcs {

packages/kbn-securitysolution-ecs/src/winlog/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface WinlogEcs {

packages/kbn-securitysolution-ecs/src/zeek/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 export interface ZeekEcs {

packages/kbn-securitysolution-ecs/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "target/types",
+    "types": [
+      "jest",
+      "node"
+    ]
+  },
+  "include": [
+    "**/*.ts"
+  ],
+  "exclude": [
+    "target/**/*"
+  ]
+}

tsconfig.base.json

@@ -990,6 +990,8 @@
       "@kbn/security-test-endpoints-plugin/*": ["x-pack/test/security_functional/plugins/test_endpoints/*"],
       "@kbn/securitysolution-autocomplete": ["packages/kbn-securitysolution-autocomplete"],
       "@kbn/securitysolution-autocomplete/*": ["packages/kbn-securitysolution-autocomplete/*"],
+      "@kbn/securitysolution-ecs": ["packages/kbn-securitysolution-ecs"],
+      "@kbn/securitysolution-ecs/*": ["packages/kbn-securitysolution-ecs/*"],
       "@kbn/securitysolution-es-utils": ["packages/kbn-securitysolution-es-utils"],
       "@kbn/securitysolution-es-utils/*": ["packages/kbn-securitysolution-es-utils/*"],
       "@kbn/securitysolution-exception-list-components": ["packages/kbn-securitysolution-exception-list-components"],

x-pack/plugins/observability/public/pages/alerts/components/observability_actions.tsx

@@ -18,7 +18,7 @@ import React, { useMemo, useState, useCallback } from 'react';
 
 import { CaseAttachmentsWithoutOwner } from '@kbn/cases-plugin/public';
 import { CommentType } from '@kbn/cases-plugin/common';
-import { Ecs } from '@kbn/timelines-plugin/common/ecs';
+import { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { TimelineNonEcsData } from '@kbn/timelines-plugin/common';
 import { isAlertDetailsEnabledPerApp } from '../../../utils/is_alert_details_enabled';
 import { useKibana } from '../../../utils/kibana_react';

x-pack/plugins/observability/tsconfig.json

@@ -69,6 +69,7 @@
     "@kbn/slo-schema",
     "@kbn/guided-onboarding",
     "@kbn/charts-plugin",
+    "@kbn/securitysolution-ecs",
   ],
   "exclude": [
     "target/**/*",

x-pack/plugins/security_solution/common/ecs/auditd/index.ts

@@ -1,46 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface AuditdEcs {
-  result?: string[];
-
-  session?: string[];
-
-  data?: AuditdDataEcs;
-
-  summary?: SummaryEcs;
-
-  sequence?: string[];
-}
-
-export interface AuditdDataEcs {
-  acct?: string[];
-
-  terminal?: string[];
-
-  op?: string[];
-}
-
-export interface SummaryEcs {
-  actor?: PrimarySecondaryEcs;
-
-  object?: PrimarySecondaryEcs;
-
-  how?: string[];
-
-  message_type?: string[];
-
-  sequence?: string[];
-}
-
-export interface PrimarySecondaryEcs {
-  primary?: string[];
-
-  secondary?: string[];
-
-  type?: string[];
-}

x-pack/plugins/security_solution/common/ecs/cloud/index.ts

@@ -1,21 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface CloudEcs {
-  instance?: CloudInstanceEcs;
-  machine?: CloudMachineEcs;
-  provider?: string[];
-  region?: string[];
-}
-
-export interface CloudMachineEcs {
-  type?: string[];
-}
-
-export interface CloudInstanceEcs {
-  id?: string[];
-}

x-pack/plugins/security_solution/common/ecs/dns/index.ts

@@ -1,20 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface DnsEcs {
-  question?: DnsQuestionEcs;
-
-  resolved_ip?: string[];
-
-  response_code?: string[];
-}
-
-export interface DnsQuestionEcs {
-  name?: string[];
-
-  type?: string[];
-}

x-pack/plugins/security_solution/common/ecs/geo/index.ts

@@ -1,21 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface GeoEcs {
-  city_name?: string[];
-  continent_name?: string[];
-  country_iso_code?: string[];
-  country_name?: string[];
-  location?: Location;
-  region_iso_code?: string[];
-  region_name?: string[];
-}
-
-export interface Location {
-  lon?: number[];
-  lat?: number[];
-}

x-pack/plugins/security_solution/common/ecs/host/index.ts

@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface HostEcs {
-  architecture?: string[];
-
-  id?: string[];
-
-  ip?: string[];
-
-  mac?: string[];
-
-  name?: string[];
-
-  os?: OsEcs;
-
-  type?: string[];
-}
-
-export interface OsEcs {
-  platform?: string[];
-
-  name?: string[];
-
-  full?: string[];
-
-  family?: string[];
-
-  version?: string[];
-
-  kernel?: string[];
-}

x-pack/plugins/security_solution/common/ecs/http/index.ts

@@ -1,38 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface HttpEcs {
-  version?: string[];
-
-  request?: HttpRequestData;
-
-  response?: HttpResponseData;
-}
-
-export interface HttpRequestData {
-  method?: string[];
-
-  body?: HttpBodyData;
-
-  referrer?: string[];
-
-  bytes?: number[];
-}
-
-export interface HttpBodyData {
-  content?: string[];
-
-  bytes?: number[];
-}
-
-export interface HttpResponseData {
-  status_code?: number[];
-
-  body?: HttpBodyData;
-
-  bytes?: number[];
-}

x-pack/plugins/security_solution/common/ecs/ransomware/index.ts

@@ -1,30 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface Ransomware {
-  feature?: string[];
-  score?: string[];
-  version?: number[];
-  child_pids?: string[];
-  files?: RansomwareFiles;
-}
-
-export interface RansomwareFiles {
-  operation?: string[];
-  entropy?: number[];
-  metrics?: string[];
-  extension?: string[];
-  original?: OriginalRansomwareFiles;
-  path?: string[];
-  data?: string[];
-  score?: number[];
-}
-
-export interface OriginalRansomwareFiles {
-  path?: string[];
-  extension?: string[];
-}

x-pack/plugins/security_solution/common/ecs/suricata/index.ts

@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface SuricataEcs {
-  eve?: SuricataEveData;
-}
-
-export interface SuricataEveData {
-  alert?: SuricataAlertData;
-
-  flow_id?: number[];
-
-  proto?: string[];
-}
-
-export interface SuricataAlertData {
-  signature?: string[];
-
-  signature_id?: number[];
-}

x-pack/plugins/security_solution/common/ecs/tls/index.ts

@@ -1,34 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface TlsEcs {
-  client_certificate?: TlsClientCertificateData;
-
-  fingerprints?: TlsFingerprintsData;
-
-  server_certificate?: TlsServerCertificateData;
-}
-
-export interface TlsClientCertificateData {
-  fingerprint?: FingerprintData;
-}
-
-export interface FingerprintData {
-  sha1?: string[];
-}
-
-export interface TlsFingerprintsData {
-  ja3?: TlsJa3Data;
-}
-
-export interface TlsJa3Data {
-  hash?: string[];
-}
-
-export interface TlsServerCertificateData {
-  fingerprint?: FingerprintData;
-}

x-pack/plugins/security_solution/common/ecs/url/index.ts

@@ -1,16 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface UrlEcs {
-  domain?: string[];
-
-  original?: string[];
-
-  username?: string[];
-
-  password?: string[];
-}

x-pack/plugins/security_solution/common/ecs/user/index.ts

@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface UserEcs {
-  domain?: string[];
-
-  id?: string[];
-
-  name?: string[];
-
-  full_name?: string[];
-
-  email?: string[];
-
-  hash?: string[];
-
-  group?: string[];
-}

x-pack/plugins/security_solution/common/ecs/winlog/index.ts

@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export interface WinlogEcs {
-  event_id?: number[];
-}

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts

@@ -5,8 +5,7 @@
  * 2.0.
  */
 
-import type { CloudEcs } from '../../../../ecs/cloud';
-import type { HostEcs, OsEcs } from '../../../../ecs/host';
+import type { CloudEcs, HostEcs, OsEcs } from '@kbn/securitysolution-ecs';
 import type { Hit, Hits, Maybe, SearchHit, StringOrNumber, TotalValue } from '../../../common';
 import type { EndpointPendingActions, HostStatus } from '../../../../endpoint/types';
 import type { CommonFields } from '../..';

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/uncommon_processes/index.ts

@@ -7,9 +7,7 @@
 
 import type { IEsSearchResponse } from '@kbn/data-plugin/common';
 
-import type { HostEcs } from '../../../../ecs/host';
-import type { UserEcs } from '../../../../ecs/user';
-import type { ProcessEcs } from '../../../../ecs/process';
+import type { HostEcs, ProcessEcs, UserEcs } from '@kbn/securitysolution-ecs';
 import type {
   RequestOptionsPaginated,
   SortField,

x-pack/plugins/security_solution/common/search_strategy/security_solution/network/common/index.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { GeoEcs } from '../../../../ecs/geo';
+import type { GeoEcs } from '@kbn/securitysolution-ecs';
 import type { Maybe } from '../../..';
 
 export enum NetworkDirectionEcs {

x-pack/plugins/security_solution/common/search_strategy/security_solution/network/details/index.ts

@@ -6,8 +6,7 @@
  */
 
 import type { IEsSearchResponse } from '@kbn/data-plugin/common';
-import type { HostEcs } from '../../../../ecs/host';
-import type { GeoEcs } from '../../../../ecs/geo';
+import type { HostEcs, GeoEcs } from '@kbn/securitysolution-ecs';
 import type { Inspect, Maybe, TotalValue, Hit, ShardsResponse } from '../../../common';
 import type { RequestBasicOptions } from '../..';
 

x-pack/plugins/security_solution/common/search_strategy/security_solution/users/authentications/index.ts

@@ -7,9 +7,7 @@
 
 import type { IEsSearchResponse } from '@kbn/data-plugin/common';
 
-import type { UserEcs } from '../../../../ecs/user';
-import type { SourceEcs } from '../../../../ecs/source';
-import type { HostEcs } from '../../../../ecs/host';
+import type { UserEcs, SourceEcs, HostEcs } from '@kbn/securitysolution-ecs';
 import type {
   CursorType,
   Inspect,

x-pack/plugins/security_solution/common/search_strategy/security_solution/users/common/index.ts

@@ -5,9 +5,8 @@
  * 2.0.
  */
 
+import type { HostEcs, UserEcs } from '@kbn/securitysolution-ecs';
 import type { CommonFields, Maybe, RiskScoreFields, RiskSeverity, SortField } from '../../..';
-import type { HostEcs } from '../../../../ecs/host';
-import type { UserEcs } from '../../../../ecs/user';
 
 export interface UserRiskScoreItem {
   _id?: Maybe<string>;

x-pack/plugins/security_solution/common/types/header_actions/index.ts

@@ -14,8 +14,8 @@ import type {
 import type { IFieldSubType } from '@kbn/es-query';
 import type { FieldBrowserOptions } from '@kbn/triggers-actions-ui-plugin/public';
 import type { ComponentType, JSXElementConstructor, ReactNode } from 'react';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import type { OnRowSelected, SetEventsDeleted, SetEventsLoading } from '..';
-import type { Ecs } from '../../ecs';
 import type { BrowserFields, TimelineNonEcsData } from '../../search_strategy';
 import type { SortColumnTable } from '../data_table';
 

x-pack/plugins/security_solution/common/types/timeline/cells/index.ts

@@ -7,8 +7,8 @@
 
 import type { EuiDataGridCellValueElementProps } from '@elastic/eui';
 import type { Filter } from '@kbn/es-query';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import type { ColumnHeaderOptions, RowRenderer } from '../..';
-import type { Ecs } from '../../../ecs';
 import type { BrowserFields, TimelineNonEcsData } from '../../../search_strategy';
 
 /** The following props are provided to the function called by `renderCellValue` */

x-pack/plugins/security_solution/public/common/components/data_table/helpers.tsx

@@ -9,8 +9,8 @@ import { isEmpty } from 'lodash/fp';
 
 import type { EuiDataGridCellValueElementProps } from '@elastic/eui';
 import type { EuiTheme } from '@kbn/kibana-react-plugin/common';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import type { SortColumnTable } from '../../../../common/types';
-import type { Ecs } from '../../../../common/ecs';
 import type { TimelineItem, TimelineNonEcsData } from '../../../../common/search_strategy';
 import type { ColumnHeaderOptions, SortDirection } from '../../../../common/types/timeline';
 

x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx

@@ -20,6 +20,7 @@ import React, { useCallback, useMemo, useState } from 'react';
 import styled from 'styled-components';
 import { isEmpty } from 'lodash';
 
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import type { SearchHit } from '../../../../common/search_strategy';
 import { getMitreComponentParts } from '../../../detections/mitre/get_mitre_threat_component';
 import { GuidedOnboardingTourStep } from '../guided_onboarding_tour/tour_step';
@@ -37,7 +38,6 @@ import { ThreatSummaryView } from './cti_details/threat_summary_view';
 import { ThreatDetailsView } from './cti_details/threat_details_view';
 import * as i18n from './translations';
 import { AlertSummaryView } from './alert_summary_view';
-import type { Ecs } from '../../../../common/ecs';
 import type { BrowserFields } from '../../containers/source';
 import { useInvestigationTimeEnrichment } from '../../containers/cti/event_enrichment';
 import type { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';

x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx

@@ -8,6 +8,7 @@
 import { find, isEmpty, uniqBy } from 'lodash/fp';
 import { ALERT_RULE_PARAMETERS, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 
+import { EventCode, EventCategory } from '@kbn/securitysolution-ecs';
 import * as i18n from './translations';
 import type { BrowserFields } from '../../../../common/search_strategy/index_fields';
 import {
@@ -30,7 +31,6 @@ import type { EventSummaryField, EnrichedFieldInfo } from './types';
 import type { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';
 
 import { isAlertFromEndpointEvent } from '../../utils/endpoint_alert_check';
-import { EventCode, EventCategory } from '../../../../common/ecs/event';
 
 const THRESHOLD_TERMS_FIELD = `${ALERT_THRESHOLD_RESULT}.terms.field`;
 const THRESHOLD_TERMS_VALUE = `${ALERT_THRESHOLD_RESULT}.terms.value`;

x-pack/plugins/security_solution/public/common/components/event_details/osquery_tab.tsx

@@ -9,7 +9,7 @@ import { EuiCode, EuiEmptyPrompt, EuiNotificationBadge, EuiSpacer } from '@elast
 import React, { useMemo } from 'react';
 import styled from 'styled-components';
 import { FormattedMessage } from '@kbn/i18n-react';
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { PERMISSION_DENIED } from '../../../detection_engine/rule_response_actions/osquery/translations';
 import { expandDottedObject } from '../../../../common/utils/expand_dotted';
 import { useIsExperimentalFeatureEnabled } from '../../hooks/use_experimental_features';

x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/osquery/renderer.tsx

@@ -11,9 +11,9 @@ import { reduce } from 'lodash';
 import { i18n } from '@kbn/i18n';
 import styled from 'styled-components';
 import { EuiButton } from '@elastic/eui';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { BasicAlertDataContext } from '../../../event_details/investigation_guide_view';
 import { expandDottedObject } from '../../../../../../common/utils/expand_dotted';
-import type { Ecs } from '../../../../../../common/ecs';
 import OsqueryLogo from './osquery_icon/osquery.svg';
 import { OsqueryFlyout } from '../../../../../detections/components/osquery/osquery_flyout';
 

x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/creation.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndgameCreationEvent: Ecs = {
   _id: 'BcjPcG0BOpWiDweSou3g',

x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/dns.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndgameDnsRequest: Ecs = {
   _id: 'S8jPcG0BOpWiDweSou3g',

x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/file_events.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndgameFileCreateEvent: Ecs = {
   _id: '98jPcG0BOpWiDweSouzg',

x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/ipv4.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndgameIpv4ConnectionAcceptEvent: Ecs = {
   _id: 'LsjPcG0BOpWiDweSCNfu',

x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/termination.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndgameTerminationEvent: Ecs = {
   _id: '2MjPcG0BOpWiDweSoutC',

x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/user_logon.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndgameUserLogon: Ecs = {
   _id: 'QsjPcG0BOpWiDweSeuRE',

x-pack/plugins/security_solution/public/common/demo_data/endpoint/library_load_event.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndpointLibraryLoadEvent: Ecs = {
   file: {

x-pack/plugins/security_solution/public/common/demo_data/endpoint/process_execution_malware_prevention_alert.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndpointProcessExecutionMalwarePreventionAlert: Ecs = {
   process: {

x-pack/plugins/security_solution/public/common/demo_data/endpoint/registry_modification_event.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const demoEndpointRegistryModificationEvent: Ecs = {
   host: {

x-pack/plugins/security_solution/public/common/demo_data/netflow.ts

@@ -5,8 +5,8 @@
  * 2.0.
  */
 
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { ONE_MILLISECOND_AS_NANOSECONDS } from '../../timelines/components/formatted_duration/helpers';
-import type { Ecs } from '../../../common/ecs';
 
 /** Returns mock data for testing the Netflow component */
 export const getDemoNetflowData = (): Ecs => ({

x-pack/plugins/security_solution/public/common/lib/cell_actions/default_cell_actions.test.tsx

@@ -11,7 +11,7 @@ import type {
   BrowserFields,
   TimelineNonEcsData,
 } from '@kbn/timelines-plugin/common/search_strategy';
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { defaultCellActions } from './default_cell_actions';
 import { COLUMNS_WITH_LINKS, EmptyComponent } from './helpers';
 

x-pack/plugins/security_solution/public/common/lib/cell_actions/field_value.tsx

@@ -9,9 +9,9 @@ import type { EuiDataGridColumnCellActionProps } from '@elastic/eui';
 import { head, getOr, get, isEmpty } from 'lodash/fp';
 import React, { useMemo } from 'react';
 
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import type { ColumnHeaderOptions } from '../../../../common/types';
 import type { TimelineNonEcsData } from '../../../../common/search_strategy';
-import type { Ecs } from '../../../../common/ecs';
 import { useGetMappedNonEcsValue } from '../../../timelines/components/timeline/body/data_driven_columns';
 import { FormattedFieldValue } from '../../../timelines/components/timeline/body/renderers/formatted_field';
 import { parseValue } from '../../../timelines/components/timeline/body/renderers/parse_value';

x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const getDetectionAlertMock = (overrides: Partial<Ecs> = {}): Ecs => ({
   ...{

x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts_aad.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const mockAADEcsDataWithAlert: Ecs = {
   _id: '1',

x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 // these "mocks" are used by browser bundles so they were moved out of the mocks and are
 // re-exported here for convenience and internal bwc

x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export { demoTimelineData as mockTimelineData } from '../demo_data/timeline';
 export { demoEndpointRegistryModificationEvent as mockEndpointRegistryModificationEvent } from '../demo_data/endpoint/registry_modification_event';

x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts

@@ -6,7 +6,7 @@
  */
 
 import _ from 'lodash';
-import type { Ecs } from '../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { generateMockDetailItemData } from '../mock';
 import { isAlertFromEndpointAlert, isAlertFromEndpointEvent } from './endpoint_alert_check';
 

x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts

@@ -7,7 +7,7 @@
 
 import { find, getOr, some } from 'lodash/fp';
 import type { TimelineEventsDetailsItem } from '@kbn/timelines-plugin/common';
-import type { Ecs } from '../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 /**
  * Check to see if a timeline event item is an Alert (vs an event)

x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/utils/helpers.test.tsx

@@ -39,7 +39,7 @@ import { getEntryMatchMock } from '@kbn/lists-plugin/common/schemas/types/entry_
 import { getCommentsArrayMock } from '@kbn/lists-plugin/common/schemas/types/comment.mock';
 import { fields } from '@kbn/data-plugin/common/mocks';
 import { ENTRIES, OLD_DATE_RELATIVE_TO_DATE_NOW } from '@kbn/lists-plugin/common/constants.mock';
-import type { CodeSignature } from '../../../../common/ecs/file';
+import type { CodeSignature } from '@kbn/securitysolution-ecs';
 import {
   ALERT_ORIGINAL_EVENT_KIND,
   ALERT_ORIGINAL_EVENT_MODULE,

x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/utils/helpers.tsx

@@ -34,11 +34,10 @@ import { getNewExceptionItem, addIdToEntries } from '@kbn/securitysolution-list-
 import type { DataViewBase } from '@kbn/es-query';
 import { removeIdFromExceptionItemsEntries } from '@kbn/securitysolution-list-hooks';
 
+import type { EcsSecurityExtension as Ecs, CodeSignature } from '@kbn/securitysolution-ecs';
 import * as i18n from './translations';
 import type { AlertData, Flattened } from './types';
 
-import type { Ecs } from '../../../../common/ecs';
-import type { CodeSignature } from '../../../../common/ecs/file';
 import { WithCopyToClipboard } from '../../../common/lib/clipboard/with_copy_to_clipboard';
 import exceptionableLinuxFields from './exceptionable_linux_fields.json';
 import exceptionableWindowsMacFields from './exceptionable_windows_mac_fields.json';

x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/utils/types.ts

@@ -6,8 +6,7 @@
  */
 
 import type { NamespaceType } from '@kbn/securitysolution-io-ts-list-types';
-import type { Ecs } from '../../../../common/ecs';
-import type { CodeSignature } from '../../../../common/ecs/file';
+import type { EcsSecurityExtension as Ecs, CodeSignature } from '@kbn/securitysolution-ecs';
 
 export interface ExceptionListItemIdentifiers {
   id: string;

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx

@@ -31,7 +31,7 @@ import {
   mockTimelineData,
 } from '../../../common/mock';
 import type { CreateTimeline, UpdateTimelineLoading } from './types';
-import type { Ecs } from '../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import type { DataProvider } from '../../../../common/types/timeline';
 import {
   TimelineId,

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx

@@ -30,6 +30,7 @@ import {
 } from '@kbn/rule-data-utils';
 
 import { lastValueFrom } from 'rxjs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import type { DataTableModel } from '../../../common/store/data_table/types';
 import {
   ALERT_ORIGINAL_TIME,
@@ -50,7 +51,6 @@ import type {
   GetExceptionFilter,
   CreateTimeline,
 } from './types';
-import type { Ecs } from '../../../../common/ecs';
 import type {
   TimelineEventsDetailsItem,
   TimelineEventsDetailsRequestOptions,

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx

@@ -10,7 +10,7 @@ import { AlertContextMenu } from './alert_context_menu';
 import { TableId, TimelineId } from '../../../../../common/types';
 import { TestProviders } from '../../../../common/mock';
 import React from 'react';
-import type { Ecs } from '../../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { mockTimelines } from '../../../../common/mock/mock_timelines_plugin';
 import { mockCasesContract } from '@kbn/cases-plugin/public/mocks';
 import { initialUserPrivilegesState as mockInitialUserPrivilegesState } from '../../../../common/components/user_privileges/user_privileges_context';

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx

@@ -13,6 +13,7 @@ import type { ConnectedProps } from 'react-redux';
 import { connect } from 'react-redux';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import { get } from 'lodash/fp';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { DEFAULT_ACTION_BUTTON_WIDTH } from '../../../../common/components/header_actions';
 import { isActiveTimeline } from '../../../../helpers';
 import { useOsqueryContextActionItem } from '../../osquery/use_osquery_context_action_item';
@@ -21,7 +22,6 @@ import { useRouteSpy } from '../../../../common/utils/route/use_route_spy';
 import { buildGetAlertByIdQuery } from '../../../../detection_engine/rule_exceptions/utils/helpers';
 import { useUserPrivileges } from '../../../../common/components/user_privileges';
 import { EventsTdContent } from '../../../../timelines/components/timeline/styles';
-import type { Ecs } from '../../../../../common/ecs';
 import type { AddExceptionFlyoutProps } from '../../../../detection_engine/rule_exceptions/components/add_exception_flyout';
 import { AddExceptionFlyout } from '../../../../detection_engine/rule_exceptions/components/add_exception_flyout';
 import * as i18n from '../translations';

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_resolver.test.tsx

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { Ecs } from '../../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { isInvestigateInResolverActionEnabled } from './investigate_in_resolver';
 
 describe('InvestigateInResolverAction', () => {

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_resolver.tsx

@@ -6,7 +6,7 @@
  */
 
 import { get } from 'lodash/fp';
-import type { Ecs } from '../../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 
 export const isInvestigateInResolverActionEnabled = (ecsData?: Ecs) =>
   (get(['agent', 'type', 0], ecsData) === 'endpoint' ||

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.test.tsx

@@ -8,7 +8,7 @@ import React from 'react';
 import { fireEvent, render, act } from '@testing-library/react';
 import { TestProviders } from '../../../../common/mock';
 import { KibanaServices, useKibana } from '../../../../common/lib/kibana';
-import type { Ecs } from '../../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import * as actions from '../actions';
 import { coreMock } from '@kbn/core/public/mocks';
 import { InvestigateInTimelineAction } from './investigate_in_timeline_action';

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx

@@ -6,10 +6,9 @@
  */
 
 import React from 'react';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { ActionIconItem } from '../../../../common/components/header_actions/action_icon_item';
 
-import type { Ecs } from '../../../../../common/ecs';
-
 import {
   ACTION_INVESTIGATE_IN_TIMELINE,
   ACTION_INVESTIGATE_IN_TIMELINE_ARIA_LABEL,

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_add_to_case_actions.tsx

@@ -9,6 +9,7 @@ import React, { useCallback, useMemo } from 'react';
 import { EuiContextMenuItem } from '@elastic/eui';
 import { CommentType } from '@kbn/cases-plugin/common';
 import type { CaseAttachmentsWithoutOwner } from '@kbn/cases-plugin/public';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { CasesTourSteps } from '../../../../common/components/guided_onboarding_tour/cases_tour_steps';
 import {
   AlertsCasesTourSteps,
@@ -18,7 +19,6 @@ import {
 import { useTourContext } from '../../../../common/components/guided_onboarding_tour';
 import { useGetUserCasesPermissions, useKibana } from '../../../../common/lib/kibana';
 import type { TimelineNonEcsData } from '../../../../../common/search_strategy';
-import type { Ecs } from '../../../../../common/ecs';
 import { ADD_TO_EXISTING_CASE, ADD_TO_NEW_CASE } from '../translations';
 
 export interface UseAddToCaseActions {

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_investigate_in_timeline.test.tsx

@@ -8,7 +8,7 @@ import { renderHook, act } from '@testing-library/react-hooks';
 import { fireEvent, render } from '@testing-library/react';
 import { TestProviders } from '../../../../common/mock';
 import { KibanaServices, useKibana } from '../../../../common/lib/kibana';
-import type { Ecs } from '../../../../../common/ecs';
+import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { useInvestigateInTimeline } from './use_investigate_in_timeline';
 import * as actions from '../actions';
 import { coreMock } from '@kbn/core/public/mocks';