[8.6] [Endpoint filtering] Added more options to filter predicates (#147209) (#148271)

# Backport

This will backport the following commits from `main` to `8.6`:
- [[Endpoint filtering] Added more options to filter predicates
(#147209)](https://github.com/elastic/kibana/pull/147209)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Karl
Godard","email":"karl.godard@elastic.co"},"sourceCommit":{"committedDate":"2022-12-15T20:10:49Z","message":"[Endpoint
filtering] Added more options to filter predicates (#147209)\n\n##
Summary\r\n\r\nAdds some of the ECS fields added in 8.2 to the list of
available filter\r\npredicates.\r\n\r\nMy IDE reordered the list to be
alphabetical, so I've included the list\r\nof added fields
below.\r\n\r\n### List of new
fields:\r\n```process.entry_leader.command_line\r\nprocess.entry_leader.entry_meta.source.ip\r\nprocess.entry_leader.entry_meta.type\r\nprocess.entry_leader.executable\r\nprocess.entry_leader.group.id\r\nprocess.entry_leader.group.name\r\nprocess.entry_leader.interactive\r\nprocess.entry_leader.name\r\nprocess.entry_leader.user.id\r\nprocess.entry_leader.user.name\r\nprocess.entry_leader.working_directory\r\nprocess.group_leader.args\r\nprocess.group_leader.command_line\r\nprocess.group_leader.executable\r\nprocess.group_leader.group.id\r\nprocess.group_leader.group.name\r\nprocess.group_leader.interactive\r\nprocess.group_leader.name\r\nprocess.group_leader.user.id\r\nprocess.group_leader.user.name\r\nprocess.group_leader.working_directory\r\nprocess.interactive\r\nprocess.io.text\r\nprocess.parent.group.id\r\nprocess.parent.group.name\r\nprocess.parent.interactive\r\nprocess.parent.user.id\r\nprocess.parent.user.name\r\nprocess.parent.working_directory\r\nprocess.session_leader.args\r\nprocess.session_leader.command_line\r\nprocess.session_leader.executable\r\nprocess.session_leader.group.id\r\nprocess.session_leader.group.name\r\nprocess.session_leader.interactive\r\nprocess.session_leader.name\r\nprocess.session_leader.start\r\nprocess.session_leader.user.id\r\nprocess.session_leader.user.name\r\nprocess.session_leader.working_directory\r\nprocess.supplemental_groups.id\r\nprocess.supplemental_groups.name\r\ncloud.account.id\r\ncloud.instance.name\r\ncloud.project.id\r\ncloud.provider\r\ncloud.region\r\ncontainer.id\r\ncontainer.image.hash.all\r\ncontainer.image.name\r\ncontainer.image.tag\r\ncontainer.name\r\norchestrator.cluster.id\r\norchestrator.cluster.name\r\norchestrator.resource.ip\r\norchestrator.resource.name\r\norchestrator.resource.parent.type\r\norchestrator.resource.type\r\n```\r\n\r\nCo-authored-by:
Karl Godard
<karlgodard@elastic.co>","sha":"d0039eadf6b87410c4b37142aeb7cf94be8eaa69","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport
missing","backport:prev-minor","v8.6.0","v8.7.0"],"number":147209,"url":"https://github.com/elastic/kibana/pull/147209","mergeCommit":{"message":"[Endpoint
filtering] Added more options to filter predicates (#147209)\n\n##
Summary\r\n\r\nAdds some of the ECS fields added in 8.2 to the list of
available filter\r\npredicates.\r\n\r\nMy IDE reordered the list to be
alphabetical, so I've included the list\r\nof added fields
below.\r\n\r\n### List of new
fields:\r\n```process.entry_leader.command_line\r\nprocess.entry_leader.entry_meta.source.ip\r\nprocess.entry_leader.entry_meta.type\r\nprocess.entry_leader.executable\r\nprocess.entry_leader.group.id\r\nprocess.entry_leader.group.name\r\nprocess.entry_leader.interactive\r\nprocess.entry_leader.name\r\nprocess.entry_leader.user.id\r\nprocess.entry_leader.user.name\r\nprocess.entry_leader.working_directory\r\nprocess.group_leader.args\r\nprocess.group_leader.command_line\r\nprocess.group_leader.executable\r\nprocess.group_leader.group.id\r\nprocess.group_leader.group.name\r\nprocess.group_leader.interactive\r\nprocess.group_leader.name\r\nprocess.group_leader.user.id\r\nprocess.group_leader.user.name\r\nprocess.group_leader.working_directory\r\nprocess.interactive\r\nprocess.io.text\r\nprocess.parent.group.id\r\nprocess.parent.group.name\r\nprocess.parent.interactive\r\nprocess.parent.user.id\r\nprocess.parent.user.name\r\nprocess.parent.working_directory\r\nprocess.session_leader.args\r\nprocess.session_leader.command_line\r\nprocess.session_leader.executable\r\nprocess.session_leader.group.id\r\nprocess.session_leader.group.name\r\nprocess.session_leader.interactive\r\nprocess.session_leader.name\r\nprocess.session_leader.start\r\nprocess.session_leader.user.id\r\nprocess.session_leader.user.name\r\nprocess.session_leader.working_directory\r\nprocess.supplemental_groups.id\r\nprocess.supplemental_groups.name\r\ncloud.account.id\r\ncloud.instance.name\r\ncloud.project.id\r\ncloud.provider\r\ncloud.region\r\ncontainer.id\r\ncontainer.image.hash.all\r\ncontainer.image.name\r\ncontainer.image.tag\r\ncontainer.name\r\norchestrator.cluster.id\r\norchestrator.cluster.name\r\norchestrator.resource.ip\r\norchestrator.resource.name\r\norchestrator.resource.parent.type\r\norchestrator.resource.type\r\n```\r\n\r\nCo-authored-by:
Karl Godard
<karlgodard@elastic.co>","sha":"d0039eadf6b87410c4b37142aeb7cf94be8eaa69"}},"sourceBranch":"main","suggestedTargetBranches":["8.6"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/147209","number":147209,"mergeCommit":{"message":"[Endpoint
filtering] Added more options to filter predicates (#147209)\n\n##
Summary\r\n\r\nAdds some of the ECS fields added in 8.2 to the list of
available filter\r\npredicates.\r\n\r\nMy IDE reordered the list to be
alphabetical, so I've included the list\r\nof added fields
below.\r\n\r\n### List of new
fields:\r\n```process.entry_leader.command_line\r\nprocess.entry_leader.entry_meta.source.ip\r\nprocess.entry_leader.entry_meta.type\r\nprocess.entry_leader.executable\r\nprocess.entry_leader.group.id\r\nprocess.entry_leader.group.name\r\nprocess.entry_leader.interactive\r\nprocess.entry_leader.name\r\nprocess.entry_leader.user.id\r\nprocess.entry_leader.user.name\r\nprocess.entry_leader.working_directory\r\nprocess.group_leader.args\r\nprocess.group_leader.command_line\r\nprocess.group_leader.executable\r\nprocess.group_leader.group.id\r\nprocess.group_leader.group.name\r\nprocess.group_leader.interactive\r\nprocess.group_leader.name\r\nprocess.group_leader.user.id\r\nprocess.group_leader.user.name\r\nprocess.group_leader.working_directory\r\nprocess.interactive\r\nprocess.io.text\r\nprocess.parent.group.id\r\nprocess.parent.group.name\r\nprocess.parent.interactive\r\nprocess.parent.user.id\r\nprocess.parent.user.name\r\nprocess.parent.working_directory\r\nprocess.session_leader.args\r\nprocess.session_leader.command_line\r\nprocess.session_leader.executable\r\nprocess.session_leader.group.id\r\nprocess.session_leader.group.name\r\nprocess.session_leader.interactive\r\nprocess.session_leader.name\r\nprocess.session_leader.start\r\nprocess.session_leader.user.id\r\nprocess.session_leader.user.name\r\nprocess.session_leader.working_directory\r\nprocess.supplemental_groups.id\r\nprocess.supplemental_groups.name\r\ncloud.account.id\r\ncloud.instance.name\r\ncloud.project.id\r\ncloud.provider\r\ncloud.region\r\ncontainer.id\r\ncontainer.image.hash.all\r\ncontainer.image.name\r\ncontainer.image.tag\r\ncontainer.name\r\norchestrator.cluster.id\r\norchestrator.cluster.name\r\norchestrator.resource.ip\r\norchestrator.resource.name\r\norchestrator.resource.parent.type\r\norchestrator.resource.type\r\n```\r\n\r\nCo-authored-by:
Karl Godard
<karlgodard@elastic.co>","sha":"d0039eadf6b87410c4b37142aeb7cf94be8eaa69"}}]}]
BACKPORT-->

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
Karl Godard 2023-01-04 17:01:44 -08:00 committed by GitHub
parent 4664cfb7e5
commit 8449c71a79
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -7,10 +7,26 @@
export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'@timestamp',
'Endpoint.policy',
'Endpoint.policy.applied',
'Endpoint.policy.applied.id',
'Endpoint.policy.applied.name',
'Endpoint.policy.applied.status',
'Endpoint.status',
'agent.id',
'agent.name',
'agent.type',
'agent.version',
'cloud.account.id',
'cloud.instance.name',
'cloud.project.id',
'cloud.provider',
'cloud.region',
'container.id',
'container.image.hash.all',
'container.image.name',
'container.image.tag',
'container.name',
'data_stream.dataset',
'data_stream.namespace',
'data_stream.type',
@ -30,11 +46,6 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'destination.port',
'destination.registered_domain',
'destination.top_level_domain',
'dll.code_signature.exists',
'dll.code_signature.status',
'dll.code_signature.subject_name',
'dll.code_signature.trusted',
'dll.code_signature.valid',
'dll.Ext',
'dll.Ext.code_signature',
'dll.Ext.code_signature.exists',
@ -43,6 +54,11 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'dll.Ext.code_signature.trusted',
'dll.Ext.code_signature.valid',
'dll.Ext.load_index',
'dll.code_signature.exists',
'dll.code_signature.status',
'dll.code_signature.subject_name',
'dll.code_signature.trusted',
'dll.code_signature.valid',
'dll.hash.md5',
'dll.hash.sha1',
'dll.hash.sha256',
@ -67,20 +83,14 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'ecs.version',
'elastic.agent',
'elastic.agent.id',
'Endpoint.policy',
'Endpoint.policy.applied',
'Endpoint.policy.applied.id',
'Endpoint.policy.applied.name',
'Endpoint.policy.applied.status',
'Endpoint.status',
'event.Ext',
'event.Ext.correlation',
'event.Ext.correlation.id',
'event.action',
'event.category',
'event.code',
'event.created',
'event.dataset',
'event.Ext',
'event.Ext.correlation',
'event.Ext.correlation.id',
'event.hash',
'event.id',
'event.ingested',
@ -90,13 +100,6 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'event.sequence',
'event.severity',
'event.type',
'file.accessed',
'file.attributes',
'file.created',
'file.ctime',
'file.device',
'file.directory',
'file.drive_letter',
'file.Ext',
'file.Ext.code_signature',
'file.Ext.code_signature.exists',
@ -117,6 +120,13 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'file.Ext.original.uid',
'file.Ext.windows',
'file.Ext.windows.zone_identifier',
'file.accessed',
'file.attributes',
'file.created',
'file.ctime',
'file.device',
'file.directory',
'file.drive_letter',
'file.extension',
'file.gid',
'file.group',
@ -145,11 +155,11 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'file.target_path.text',
'file.type',
'file.uid',
'group.domain',
'group.Ext',
'group.Ext.real',
'group.Ext.real.id',
'group.Ext.real.name',
'group.domain',
'group.id',
'group.name',
'host.architecture',
@ -177,12 +187,12 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'http.request.body.content',
'http.request.body.content.text',
'http.request.bytes',
'http.response.Ext',
'http.response.Ext.version',
'http.response.body.bytes',
'http.response.body.content',
'http.response.body.content.text',
'http.response.bytes',
'http.response.Ext',
'http.response.Ext.version',
'http.response.status_code',
'message',
'network.bytes',
@ -193,23 +203,13 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'network.protocol',
'network.transport',
'network.type',
'orchestrator.cluster.id',
'orchestrator.cluster.name',
'orchestrator.resource.ip',
'orchestrator.resource.name',
'orchestrator.resource.parent.type',
'orchestrator.resource.type',
'package.name',
'process.args',
'process.args_count',
'process.code_signature.exists',
'process.code_signature.status',
'process.code_signature.subject_name',
'process.code_signature.trusted',
'process.code_signature.valid',
'process.command_line',
'process.command_line.caseless',
'process.command_line.text',
'process.entity_id',
'process.entry_leader.interactive',
'process.executable',
'process.executable.caseless',
'process.executable.text',
'process.exit_code',
'process.Ext',
'process.Ext.ancestry',
'process.Ext.authentication_id',
@ -224,13 +224,60 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'process.Ext.token.elevation',
'process.Ext.token.elevation_type',
'process.Ext.token.integrity_level_name',
'process.args',
'process.args_count',
'process.code_signature.exists',
'process.code_signature.status',
'process.code_signature.subject_name',
'process.code_signature.trusted',
'process.code_signature.valid',
'process.command_line',
'process.command_line.caseless',
'process.command_line.text',
'process.entity_id',
'process.entry_leader.command_line',
'process.entry_leader.entry_meta.source.ip',
'process.entry_leader.entry_meta.type',
'process.entry_leader.executable',
'process.entry_leader.group.id',
'process.entry_leader.group.name',
'process.entry_leader.interactive',
'process.entry_leader.name',
'process.entry_leader.user.id',
'process.entry_leader.user.name',
'process.entry_leader.working_directory',
'process.executable',
'process.executable.caseless',
'process.executable.text',
'process.exit_code',
'process.group_leader.args',
'process.group_leader.command_line',
'process.group_leader.executable',
'process.group_leader.group.id',
'process.group_leader.group.name',
'process.group_leader.interactive',
'process.group_leader.name',
'process.group_leader.user.id',
'process.group_leader.user.name',
'process.group_leader.working_directory',
'process.hash.md5',
'process.hash.sha1',
'process.hash.sha256',
'process.hash.sha512',
'process.interactive',
'process.io.text',
'process.name',
'process.name.caseless',
'process.name.text',
'process.parent.Ext',
'process.parent.Ext.code_signature',
'process.parent.Ext.code_signature.exists',
'process.parent.Ext.code_signature.status',
'process.parent.Ext.code_signature.subject_name',
'process.parent.Ext.code_signature.trusted',
'process.parent.Ext.code_signature.valid',
'process.parent.Ext.real',
'process.parent.Ext.real.pid',
'process.parent.args',
'process.parent.args_count',
'process.parent.code_signature.exists',
@ -246,19 +293,13 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'process.parent.executable.caseless',
'process.parent.executable.text',
'process.parent.exit_code',
'process.parent.Ext',
'process.parent.Ext.code_signature',
'process.parent.Ext.code_signature.exists',
'process.parent.Ext.code_signature.status',
'process.parent.Ext.code_signature.subject_name',
'process.parent.Ext.code_signature.trusted',
'process.parent.Ext.code_signature.valid',
'process.parent.Ext.real',
'process.parent.Ext.real.pid',
'process.parent.group.id',
'process.parent.group.name',
'process.parent.hash.md5',
'process.parent.hash.sha1',
'process.parent.hash.sha256',
'process.parent.hash.sha512',
'process.parent.interactive',
'process.parent.name',
'process.parent.name.caseless',
'process.parent.name.text',
@ -276,6 +317,9 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'process.parent.title',
'process.parent.title.text',
'process.parent.uptime',
'process.parent.user.id',
'process.parent.user.name',
'process.parent.working_directory',
'process.parent.working_directory',
'process.parent.working_directory.caseless',
'process.parent.working_directory.text',
@ -288,6 +332,16 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'process.pgid',
'process.pid',
'process.ppid',
'process.session_leader.args',
'process.session_leader.command_line',
'process.session_leader.executable',
'process.session_leader.group.id',
'process.session_leader.group.name',
'process.session_leader.interactive',
'process.session_leader.name',
'process.session_leader.user.id',
'process.session_leader.user.name',
'process.session_leader.working_directory',
'process.thread.id',
'process.thread.name',
'process.title',
@ -318,19 +372,19 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
'source.port',
'source.registered_domain',
'source.top_level_domain',
'user.domain',
'user.email',
'user.Ext',
'user.Ext.real',
'user.Ext.real.id',
'user.Ext.real.name',
'user.domain',
'user.email',
'user.full_name',
'user.full_name.text',
'user.group.domain',
'user.group.Ext',
'user.group.Ext.real',
'user.group.Ext.real.id',
'user.group.Ext.real.name',
'user.group.domain',
'user.group.id',
'user.group.name',
'user.hash',
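Review bot: The new side of the `@ -276,6 +317,9 @@` hunk carries `'process.parent.working_directory'` twice — the last of the three added `process.parent.*` entries and the pre-existing entry immediately below it (that hunk's counts show three additions and no removals, so both lines survive in the file). A duplicate in this allow-list is inert for a membership check, but it shows the hand-maintained list was merged without deduplication, and the commit message's "new fields" list names `process.parent.working_directory` even though the array already contained it. Drop the added line and guard against recurrence with a unit test such as `expect(new Set(EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS).size).toBe(EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS.length);`, which is also a cheap sanity check for a list that gates which fields an event-filter predicate may match on. The `EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS` array continues past the last hunk, so the tail of the definition is not visible here.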