remove category from the browser field (#186839)

## Summary

Cleaning up the sourcerer model a bit: `category` does not seem to be
used anywhere, and it is one of the things that deviate from the
FieldSpec.
Luke G 2024-06-26 12:05:10 +02:00 committed by GitHub
parent 4ec5ad566f
commit ac9f6233eb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
17 changed files with 15 additions and 248 deletions


@ -226,7 +226,6 @@ describe('helpers', () => {
{
actions,
aggregatable: true,
category: 'base',
columnHeaderType: 'not-filtered',
defaultSortDirection,
description:
@ -247,7 +246,6 @@ describe('helpers', () => {
{
actions,
aggregatable: true,
category: 'source',
columnHeaderType: 'not-filtered',
defaultSortDirection,
description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
@ -266,7 +264,6 @@ describe('helpers', () => {
{
actions,
aggregatable: true,
category: 'destination',
columnHeaderType: 'not-filtered',
defaultSortDirection,
description:
@ -296,7 +293,6 @@ describe('helpers', () => {
{
actions,
aggregatable: true,
category: 'base',
columnHeaderType: 'not-filtered',
defaultSortDirection,
description:
@ -355,7 +351,6 @@ describe('helpers', () => {
const fieldName = 'test_field';
const testField = {
aggregatable: true,
category: 'base',
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
@ -389,7 +384,6 @@ describe('helpers', () => {
const fieldName = 'testFieldName';
const testField = {
aggregatable: true,
category: fieldName,
description: 'test field description',
example: '2016-05-23T08:05:34.853Z',
format: 'date',
@ -422,7 +416,6 @@ describe('helpers', () => {
const fieldName = 'test.field.splittable';
const testField = {
aggregatable: true,
category: 'test',
description: 'test field description',
example: '2016-05-23T08:05:34.853Z',
format: 'date',
@ -455,7 +448,6 @@ describe('helpers', () => {
describe('allowSorting', () => {
const aggregatableField = {
category: 'cloud',
description:
'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
example: '666777888999',


@ -25,7 +25,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'agent.ephemeral_id': {
aggregatable: true,
category: 'agent',
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
@ -38,7 +37,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.hostname': {
aggregatable: true,
category: 'agent',
description: null,
example: null,
format: '',
@ -50,7 +48,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.id': {
aggregatable: true,
category: 'agent',
description:
'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
example: '8a4f500d',
@ -63,7 +60,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.name': {
aggregatable: true,
category: 'agent',
description:
'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
example: 'foo',
@ -80,7 +76,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'auditd.data.a0': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -92,7 +87,6 @@ export const mockBrowserFields: BrowserFields = {
},
'auditd.data.a1': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -104,7 +98,6 @@ export const mockBrowserFields: BrowserFields = {
},
'auditd.data.a2': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -120,7 +113,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'@timestamp': {
aggregatable: true,
category: 'base',
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
@ -133,7 +125,6 @@ export const mockBrowserFields: BrowserFields = {
readFromDocValues: true,
},
_id: {
category: 'base',
description: 'Each document has an _id that uniquely identifies it',
example: 'Y-6TfmcB0WOhS6qyMv3s',
name: '_id',
@ -144,7 +135,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
},
message: {
category: 'base',
description:
'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.',
example: 'Hello World',
@ -162,7 +152,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'client.address': {
aggregatable: true,
category: 'client',
description:
'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
@ -175,7 +164,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.bytes': {
aggregatable: true,
category: 'client',
description: 'Bytes sent from the client to the server.',
example: '184',
format: '',
@ -187,7 +175,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.domain': {
aggregatable: true,
category: 'client',
description: 'Client domain.',
example: null,
format: '',
@ -199,7 +186,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.geo.country_iso_code': {
aggregatable: true,
category: 'client',
description: 'Country ISO code.',
example: 'CA',
format: '',
@ -215,7 +201,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'cloud.account.id': {
aggregatable: true,
category: 'cloud',
description:
'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
example: '666777888999',
@ -228,7 +213,6 @@ export const mockBrowserFields: BrowserFields = {
},
'cloud.availability_zone': {
aggregatable: true,
category: 'cloud',
description: 'Availability zone in which this host is running.',
example: 'us-east-1c',
format: '',
@ -244,7 +228,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'container.id': {
aggregatable: true,
category: 'container',
description: 'Unique container id.',
example: null,
format: '',
@ -256,7 +239,6 @@ export const mockBrowserFields: BrowserFields = {
},
'container.image.name': {
aggregatable: true,
category: 'container',
description: 'Name of the image the container was built on.',
example: null,
format: '',
@ -268,7 +250,6 @@ export const mockBrowserFields: BrowserFields = {
},
'container.image.tag': {
aggregatable: true,
category: 'container',
description: 'Container image tag.',
example: null,
format: '',
@ -284,7 +265,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'destination.address': {
aggregatable: true,
category: 'destination',
description:
'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
@ -297,7 +277,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.bytes': {
aggregatable: true,
category: 'destination',
description: 'Bytes sent from the destination to the source.',
example: '184',
format: '',
@ -309,7 +288,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.domain': {
aggregatable: true,
category: 'destination',
description: 'Destination domain.',
example: null,
format: '',
@ -321,7 +299,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.ip': {
aggregatable: true,
category: 'destination',
description:
'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
@ -334,7 +311,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.port': {
aggregatable: true,
category: 'destination',
description: 'Port of the destination.',
example: '',
format: '',
@ -349,7 +325,6 @@ export const mockBrowserFields: BrowserFields = {
event: {
fields: {
'event.end': {
category: 'event',
description:
'event.end contains the date when the event ended or when the activity was last observed.',
example: null,
@ -362,7 +337,6 @@ export const mockBrowserFields: BrowserFields = {
aggregatable: true,
},
'event.action': {
category: 'event',
description:
'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.',
example: 'user-password-change',
@ -375,7 +349,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: DEFAULT_INDEX_PATTERN,
},
'event.category': {
category: 'event',
description:
'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.',
example: 'authentication',
@ -388,7 +361,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: DEFAULT_INDEX_PATTERN,
},
'event.severity': {
category: 'event',
description:
"The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.",
example: 7,
@ -405,7 +377,6 @@ export const mockBrowserFields: BrowserFields = {
host: {
fields: {
'host.name': {
category: 'host',
description:
'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
name: 'host.name',
@ -422,7 +393,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'source.ip': {
aggregatable: true,
category: 'source',
description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
format: '',
@ -434,7 +404,6 @@ export const mockBrowserFields: BrowserFields = {
},
'source.port': {
aggregatable: true,
category: 'source',
description: 'Port of the source.',
example: '',
format: '',
@ -449,7 +418,6 @@ export const mockBrowserFields: BrowserFields = {
user: {
fields: {
'user.name': {
category: 'user',
description: 'Short name or login of the user.',
example: 'albert',
name: 'user.name',
@ -466,7 +434,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'nestedField.firstAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',
@ -482,7 +449,6 @@ export const mockBrowserFields: BrowserFields = {
},
'nestedField.secondAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',
@ -498,7 +464,6 @@ export const mockBrowserFields: BrowserFields = {
},
'nestedField.thirdAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',


@ -8,7 +8,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"agent.ephemeral_id": Object {
"aggregatable": true,
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"esTypes": Array [
"keyword",
@ -26,7 +25,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"agent.hostname": Object {
"aggregatable": true,
"category": "agent",
"description": null,
"esTypes": Array [
"keyword",
@ -44,7 +42,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"agent.id": Object {
"aggregatable": true,
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"esTypes": Array [
"keyword",
@ -62,7 +59,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"agent.name": Object {
"aggregatable": true,
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"esTypes": Array [
"keyword",
@ -84,7 +80,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"auditd.data.a0": Object {
"aggregatable": true,
"category": "auditd",
"description": null,
"esTypes": Array [
"keyword",
@ -100,7 +95,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"auditd.data.a1": Object {
"aggregatable": true,
"category": "auditd",
"description": null,
"esTypes": Array [
"keyword",
@ -116,7 +110,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"auditd.data.a2": Object {
"aggregatable": true,
"category": "auditd",
"description": null,
"esTypes": Array [
"keyword",
@ -136,7 +129,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"@timestamp": Object {
"aggregatable": true,
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"esTypes": Array [
"date",
@ -155,7 +147,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"_id": Object {
"aggregatable": false,
"category": "base",
"description": "Each document has an _id that uniquely identifies it",
"esTypes": Array [],
"example": "Y-6TfmcB0WOhS6qyMv3s",
@ -170,7 +161,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"message": Object {
"aggregatable": false,
"category": "base",
"description": "For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.",
"esTypes": Array [
"text",
@ -192,7 +182,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"client.address": Object {
"aggregatable": true,
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"esTypes": Array [
"keyword",
@ -210,7 +199,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"client.bytes": Object {
"aggregatable": true,
"category": "client",
"description": "Bytes sent from the client to the server.",
"esTypes": Array [
"long",
@ -228,7 +216,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"client.domain": Object {
"aggregatable": true,
"category": "client",
"description": "Client domain.",
"esTypes": Array [
"keyword",
@ -246,7 +233,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"client.geo.country_iso_code": Object {
"aggregatable": true,
"category": "client",
"description": "Country ISO code.",
"esTypes": Array [
"keyword",
@ -268,7 +254,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"cloud.account.id": Object {
"aggregatable": true,
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"esTypes": Array [
"keyword",
@ -286,7 +271,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"cloud.availability_zone": Object {
"aggregatable": true,
"category": "cloud",
"description": "Availability zone in which this host is running.",
"esTypes": Array [
"keyword",
@ -308,7 +292,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"container.id": Object {
"aggregatable": true,
"category": "container",
"description": "Unique container id.",
"esTypes": Array [
"keyword",
@ -326,7 +309,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"container.image.name": Object {
"aggregatable": true,
"category": "container",
"description": "Name of the image the container was built on.",
"esTypes": Array [
"keyword",
@ -344,7 +326,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"container.image.tag": Object {
"aggregatable": true,
"category": "container",
"description": "Container image tag.",
"esTypes": Array [
"keyword",
@ -366,7 +347,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"destination.address": Object {
"aggregatable": true,
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"esTypes": Array [
"keyword",
@ -384,7 +364,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"destination.bytes": Object {
"aggregatable": true,
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"esTypes": Array [
"long",
@ -402,7 +381,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"destination.domain": Object {
"aggregatable": true,
"category": "destination",
"description": "Destination domain.",
"esTypes": Array [
"keyword",
@ -420,7 +398,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"destination.ip": Object {
"aggregatable": true,
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
"ip",
@ -438,7 +415,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"destination.port": Object {
"aggregatable": true,
"category": "destination",
"description": "Port of the destination.",
"esTypes": Array [
"long",
@ -460,7 +436,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"event.action": Object {
"aggregatable": true,
"category": "event",
"description": "The action captured by the event. This describes the information in the event. It is more specific than \`event.category\`. Examples are \`group-add\`, \`process-started\`, \`file-created\`. The value is normally defined by the implementer.",
"esTypes": Array [
"keyword",
@ -484,7 +459,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"event.category": Object {
"aggregatable": true,
"category": "event",
"description": "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. \`event.category\` represents the \\"big buckets\\" of ECS categories. For example, filtering on \`event.category:process\` yields all events relating to process activity. This field is closely related to \`event.type\`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.",
"esTypes": Array [
"keyword",
@ -508,7 +482,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"event.end": Object {
"aggregatable": true,
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"esTypes": Array [
"date",
@ -532,7 +505,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"event.kind": Object {
"aggregatable": true,
"category": "event",
"description": "This defined the type of event eg. alerts",
"esTypes": Array [
"keyword",
@ -556,7 +528,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"event.severity": Object {
"aggregatable": true,
"category": "event",
"description": "The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in \`log.syslog.severity.code\`. \`event.severity\` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the \`log.syslog.severity.code\` to \`event.severity\`.",
"esTypes": Array [
"long",
@ -584,7 +555,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"host.name": Object {
"aggregatable": true,
"category": "host",
"description": "Name of the host. It can contain what \`hostname\` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.",
"esTypes": Array [
"keyword",
@ -611,7 +581,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"nestedField.firstAttributes": Object {
"aggregatable": false,
"category": "nestedField",
"description": "",
"example": "",
"format": "",
@ -631,7 +600,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"nestedField.secondAttributes": Object {
"aggregatable": false,
"category": "nestedField",
"description": "",
"example": "",
"format": "",
@ -651,7 +619,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"nestedField.thirdAttributes": Object {
"aggregatable": false,
"category": "nestedField",
"description": "",
"example": "",
"format": "",
@ -690,7 +657,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"source.ip": Object {
"aggregatable": true,
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
"ip",
@ -708,7 +674,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
},
"source.port": Object {
"aggregatable": true,
"category": "source",
"description": "Port of the source.",
"esTypes": Array [
"long",
@ -730,7 +695,6 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"fields": Object {
"user.name": Object {
"aggregatable": true,
"category": "user",
"description": "Short name or login of the user.",
"esTypes": Array [
"keyword",


@ -231,7 +231,6 @@ export const addFieldToColumns = ({
dispatch(
scopedActions.upsertColumn({
column: {
category: column.category,
columnHeaderType: 'not-filtered',
description: isString(column.description) ? column.description : undefined,
example: isString(column.example) ? column.example : undefined,


@ -6,10 +6,10 @@
*/
import { EuiPanel, EuiText } from '@elastic/eui';
import { get } from 'lodash';
import memoizeOne from 'memoize-one';
import React from 'react';
import styled from 'styled-components';
import { getCategory } from '@kbn/triggers-actions-ui-plugin/public';
import { SecurityCellActions, CellActionsMode, SecurityCellActionsTrigger } from '../cell_actions';
import type { BrowserFields } from '../../containers/source';
import * as i18n from './translations';
@ -35,9 +35,12 @@ const HoverActionsContainer = styled(EuiPanel)`
HoverActionsContainer.displayName = 'HoverActionsContainer';
export const getFieldFromBrowserField = memoizeOne(
(keys: string[], browserFields: BrowserFields): BrowserField | undefined =>
get(browserFields, keys),
(newArgs, lastArgs) => newArgs[0].join() === lastArgs[0].join()
(field: string, browserFields: BrowserFields): BrowserField | undefined => {
const category = getCategory(field);
return browserFields[category]?.fields?.[field] as BrowserField;
},
(newArgs, lastArgs) => newArgs[0] === lastArgs[0]
);
export const getColumns: ColumnsProvider = ({
@ -106,10 +109,7 @@ export const getColumns: ColumnsProvider = ({
sortable: true,
truncateText: false,
render: (values, data) => {
const fieldFromBrowserField = getFieldFromBrowserField(
[data.category as string, 'fields', data.field],
browserFields
);
const fieldFromBrowserField = getFieldFromBrowserField(data.field, browserFields);
return (
<FieldValueCell
contextId={contextId}
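Review bot: The comparator passed to `memoizeOne` for the new `getFieldFromBrowserField` checks only `newArgs[0]` (the field name), so a call with the same field and a different `browserFields` object returns the previously cached entry. If `browserFields` can be replaced while this table is mounted (not visible from this hunk), the cell would render metadata from the old set; comparing both arguments, `(newArgs, lastArgs) => newArgs[0] === lastArgs[0] && newArgs[1] === lastArgs[1]`, or dropping the custom comparator closes that gap. The `as BrowserField` cast on the return also hides the `undefined` case that the declared return type already allows; `as BrowserField | undefined` (or no cast, if the types permit) keeps the missing-category path visible to the compiler. Because `field` originates from event data and the key produced by `getCategory` indexes `browserFields` directly, a one-line comment such as `// unknown or malformed field names resolve to undefined` would document the intended fallback.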


@ -21,7 +21,6 @@ const eventId = 'TUWyf3wBFCFU0qRJTauW';
const hostIpValues = ['127.0.0.1', '::1', '10.1.2.3', '2001:0DB8:AC10:FE01::'];
const hostIpFieldFromBrowserField: BrowserField = {
aggregatable: true,
category: 'host',
description: 'Host ip addresses.',
example: '127.0.0.1',
fields: {},


@ -20,7 +20,6 @@ const eventId = 'TUWyf3wBFCFU0qRJTauW';
const hostIpData: EventFieldsData = {
aggregatable: true,
ariaRowindex: 35,
category: 'host',
description: 'Host ip addresses.',
example: '127.0.0.1',
field: 'host.ip',
@ -89,7 +88,6 @@ describe('FieldValueCell', () => {
const messageData: EventFieldsData = {
aggregatable: false,
ariaRowindex: 50,
category: 'base',
description:
'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.',
example: 'Hello World',
@ -109,7 +107,6 @@ describe('FieldValueCell', () => {
const messageFieldFromBrowserField: BrowserField = {
aggregatable: false,
category: 'base',
description:
'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.',
example: 'Hello World',
@ -150,7 +147,6 @@ describe('FieldValueCell', () => {
describe('when `BrowserField` metadata IS available', () => {
const hostIpFieldFromBrowserField: BrowserField = {
aggregatable: true,
category: 'host',
description: 'Host ip addresses.',
example: '127.0.0.1',
fields: {},


@ -27,7 +27,6 @@ const eventId = 'TUWyf3wBFCFU0qRJTauW';
const hostIpValues = ['127.0.0.1', '::1', '10.1.2.3', '2001:0DB8:AC10:FE01::'];
const hostIpFieldFromBrowserField: BrowserField = {
aggregatable: true,
category: 'host',
description: 'Host ip addresses.',
example: '127.0.0.1',
fields: {},


@ -24,7 +24,6 @@ const eventId = 'TUWyf3wBFCFU0qRJTauW';
const hostIpValues = ['127.0.0.1', '::1', '10.1.2.3', '2001:0DB8:AC10:FE01::'];
const hostIpFieldFromBrowserField: BrowserField = {
aggregatable: true,
category: 'host',
description: 'Host ip addresses.',
example: '127.0.0.1',
fields: {},
@ -63,7 +62,6 @@ const enrichedAgentStatusData: AlertSummaryRow['description'] = {
aggregatable: false,
description: '',
example: '',
category: '',
fields: {},
indexes: [],
name: AGENT_STATUS_FIELD_NAME,


@ -53,7 +53,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'agent.ephemeral_id': {
aggregatable: true,
category: 'agent',
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
@ -66,7 +65,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.hostname': {
aggregatable: true,
category: 'agent',
description: null,
example: null,
format: '',
@ -78,7 +76,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.id': {
aggregatable: true,
category: 'agent',
description:
'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
example: '8a4f500d',
@ -91,7 +88,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.name': {
aggregatable: true,
category: 'agent',
description:
'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
example: 'foo',
@ -108,7 +104,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'auditd.data.a0': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -120,7 +115,6 @@ export const mockBrowserFields: BrowserFields = {
},
'auditd.data.a1': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -132,7 +126,6 @@ export const mockBrowserFields: BrowserFields = {
},
'auditd.data.a2': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -148,7 +141,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'@timestamp': {
aggregatable: true,
category: 'base',
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
@ -161,7 +153,6 @@ export const mockBrowserFields: BrowserFields = {
readFromDocValues: true,
},
_id: {
category: 'base',
description: 'Each document has an _id that uniquely identifies it',
example: 'Y-6TfmcB0WOhS6qyMv3s',
name: '_id',
@ -172,7 +163,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
},
message: {
category: 'base',
description:
'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.',
example: 'Hello World',
@ -190,7 +180,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'client.address': {
aggregatable: true,
category: 'client',
description:
'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
@ -203,7 +192,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.bytes': {
aggregatable: true,
category: 'client',
description: 'Bytes sent from the client to the server.',
example: '184',
format: '',
@ -215,7 +203,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.domain': {
aggregatable: true,
category: 'client',
description: 'Client domain.',
example: null,
format: '',
@ -227,7 +214,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.geo.country_iso_code': {
aggregatable: true,
category: 'client',
description: 'Country ISO code.',
example: 'CA',
format: '',
@ -243,7 +229,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'cloud.account.id': {
aggregatable: true,
category: 'cloud',
description:
'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
example: '666777888999',
@ -256,7 +241,6 @@ export const mockBrowserFields: BrowserFields = {
},
'cloud.availability_zone': {
aggregatable: true,
category: 'cloud',
description: 'Availability zone in which this host is running.',
example: 'us-east-1c',
format: '',
@ -272,7 +256,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'container.id': {
aggregatable: true,
category: 'container',
description: 'Unique container id.',
example: null,
format: '',
@ -284,7 +267,6 @@ export const mockBrowserFields: BrowserFields = {
},
'container.image.name': {
aggregatable: true,
category: 'container',
description: 'Name of the image the container was built on.',
example: null,
format: '',
@ -296,7 +278,6 @@ export const mockBrowserFields: BrowserFields = {
},
'container.image.tag': {
aggregatable: true,
category: 'container',
description: 'Container image tag.',
example: null,
format: '',
@ -312,7 +293,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'destination.address': {
aggregatable: true,
category: 'destination',
description:
'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
@ -325,7 +305,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.bytes': {
aggregatable: true,
category: 'destination',
description: 'Bytes sent from the destination to the source.',
example: '184',
format: '',
@ -337,7 +316,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.domain': {
aggregatable: true,
category: 'destination',
description: 'Destination domain.',
example: null,
format: '',
@ -349,7 +327,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.ip': {
aggregatable: true,
category: 'destination',
description:
'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
@ -362,7 +339,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.port': {
aggregatable: true,
category: 'destination',
description: 'Port of the destination.',
example: '',
format: '',
@ -377,7 +353,6 @@ export const mockBrowserFields: BrowserFields = {
event: {
fields: {
'event.end': {
category: 'event',
description:
'event.end contains the date when the event ended or when the activity was last observed.',
example: null,
@ -390,7 +365,6 @@ export const mockBrowserFields: BrowserFields = {
aggregatable: true,
},
'event.action': {
category: 'event',
description:
'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.',
example: 'user-password-change',
@ -403,7 +377,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: DEFAULT_INDEX_PATTERN,
},
'event.category': {
category: 'event',
description:
'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.',
example: 'authentication',
@ -416,7 +389,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: DEFAULT_INDEX_PATTERN,
},
'event.severity': {
category: 'event',
description:
"The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.",
example: 7,
@ -429,7 +401,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: DEFAULT_INDEX_PATTERN,
},
'event.kind': {
category: 'event',
description: 'This defined the type of event eg. alerts',
example: 'signal',
name: 'event.kind',
@ -445,7 +416,6 @@ export const mockBrowserFields: BrowserFields = {
host: {
fields: {
'host.name': {
category: 'host',
description:
'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
name: 'host.name',
@ -462,7 +432,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'source.ip': {
aggregatable: true,
category: 'source',
description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
format: '',
@ -474,7 +443,6 @@ export const mockBrowserFields: BrowserFields = {
},
'source.port': {
aggregatable: true,
category: 'source',
description: 'Port of the source.',
example: '',
format: '',
@ -489,7 +457,6 @@ export const mockBrowserFields: BrowserFields = {
user: {
fields: {
'user.name': {
category: 'user',
description: 'Short name or login of the user.',
example: 'albert',
name: 'user.name',
@ -506,7 +473,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'nestedField.firstAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',
@ -522,7 +488,6 @@ export const mockBrowserFields: BrowserFields = {
},
'nestedField.secondAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',
@ -538,7 +503,6 @@ export const mockBrowserFields: BrowserFields = {
},
'nestedField.thirdAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',


@ -7,11 +7,9 @@
import React, { memo } from 'react';
import { EuiText } from '@elastic/eui';
import { get } from 'lodash';
import memoizeOne from 'memoize-one';
import { getFieldFromBrowserField } from '../../../../common/components/event_details/columns';
import type { EventFieldsData } from '../../../../common/components/event_details/types';
import { FieldValueCell } from '../../../../common/components/event_details/table/field_value_cell';
import type { BrowserField, BrowserFields } from '../../../../../common/search_strategy';
import { FieldNameCell } from '../../../../common/components/event_details/table/field_name_cell';
import { CellActions } from '../components/cell_actions';
import * as i18n from '../../../../common/components/event_details/translations';
@ -20,12 +18,6 @@ import type { ColumnsProvider } from '../../../../common/components/event_detail
import { EventFieldsBrowser } from '../../../../common/components/event_details/event_fields_browser';
import { TimelineTabs } from '../../../../../common/types';
export const getFieldFromBrowserField = memoizeOne(
(keys: string[], browserFields: BrowserFields): BrowserField | undefined =>
get(browserFields, keys),
(newArgs, lastArgs) => newArgs[0].join() === lastArgs[0].join()
);
export const getColumns: ColumnsProvider = ({
browserFields,
eventId,
@ -57,10 +49,7 @@ export const getColumns: ColumnsProvider = ({
),
width: '70%',
render: (values, data) => {
const fieldFromBrowserField = getFieldFromBrowserField(
[data.category as string, 'fields', data.field],
browserFields
);
const fieldFromBrowserField = getFieldFromBrowserField(data.field, browserFields);
return (
<CellActions field={data.field} value={values} isObjectArray={data.isObjectArray}>
<FieldValueCell
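Review bot: The rewritten call in the `render` callback, `getFieldFromBrowserField(data.field, browserFields)`, now has to find the field metadata from the field name alone, and the helper imported from `common/components/event_details/columns` is not shown in this section. In the mocks touched by this commit, `@timestamp`, `_id` and `message` carried the removed `category: 'base'`, so they appear to sit under a group that is not their name prefix; a lookup that derives the group from the prefix would return `undefined` for them, which should be confirmed against the helper. A test such as `expect(getFieldFromBrowserField('@timestamp', mockBrowserFields)).toBeDefined();` would pin this. The removed local copy was wrapped in `memoizeOne`, so it is also worth confirming that the shared helper does not repeat the lookup for every row on each render. `getColumns` continues outside the hunk.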


@ -28,7 +28,6 @@ export const mockSourcererScope: SelectedDataView = {
fields: {
_id: {
aggregatable: false,
category: '_id',
description: 'Each document has an _id that uniquely identifies it',
esTypes: undefined,
example: 'Y-6TfmcB0WOhS6qyMv3s',


@ -9,7 +9,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"agent.ephemeral_id": Object {
"aggregatable": true,
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"esTypes": Array [
"keyword",
@ -27,7 +26,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"agent.hostname": Object {
"aggregatable": true,
"category": "agent",
"description": null,
"esTypes": Array [
"keyword",
@ -45,7 +43,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"agent.id": Object {
"aggregatable": true,
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"esTypes": Array [
"keyword",
@ -63,7 +60,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"agent.name": Object {
"aggregatable": true,
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"esTypes": Array [
"keyword",
@ -85,7 +81,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"auditd.data.a0": Object {
"aggregatable": true,
"category": "auditd",
"description": null,
"esTypes": Array [
"keyword",
@ -101,7 +96,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"auditd.data.a1": Object {
"aggregatable": true,
"category": "auditd",
"description": null,
"esTypes": Array [
"keyword",
@ -117,7 +111,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"auditd.data.a2": Object {
"aggregatable": true,
"category": "auditd",
"description": null,
"esTypes": Array [
"keyword",
@ -137,7 +130,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"@timestamp": Object {
"aggregatable": true,
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"esTypes": Array [
"date",
@ -156,7 +148,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"_id": Object {
"aggregatable": false,
"category": "base",
"description": "Each document has an _id that uniquely identifies it",
"esTypes": Array [],
"example": "Y-6TfmcB0WOhS6qyMv3s",
@ -171,7 +162,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"message": Object {
"aggregatable": false,
"category": "base",
"description": "For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.",
"esTypes": Array [
"text",
@ -193,7 +183,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"client.address": Object {
"aggregatable": true,
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"esTypes": Array [
"keyword",
@ -211,7 +200,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"client.bytes": Object {
"aggregatable": true,
"category": "client",
"description": "Bytes sent from the client to the server.",
"esTypes": Array [
"long",
@ -229,7 +217,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"client.domain": Object {
"aggregatable": true,
"category": "client",
"description": "Client domain.",
"esTypes": Array [
"keyword",
@ -247,7 +234,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"client.geo.country_iso_code": Object {
"aggregatable": true,
"category": "client",
"description": "Country ISO code.",
"esTypes": Array [
"keyword",
@ -269,7 +255,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"cloud.account.id": Object {
"aggregatable": true,
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"esTypes": Array [
"keyword",
@ -287,7 +272,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"cloud.availability_zone": Object {
"aggregatable": true,
"category": "cloud",
"description": "Availability zone in which this host is running.",
"esTypes": Array [
"keyword",
@ -309,7 +293,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"container.id": Object {
"aggregatable": true,
"category": "container",
"description": "Unique container id.",
"esTypes": Array [
"keyword",
@ -327,7 +310,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"container.image.name": Object {
"aggregatable": true,
"category": "container",
"description": "Name of the image the container was built on.",
"esTypes": Array [
"keyword",
@ -345,7 +327,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"container.image.tag": Object {
"aggregatable": true,
"category": "container",
"description": "Container image tag.",
"esTypes": Array [
"keyword",
@ -367,7 +348,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"destination.address": Object {
"aggregatable": true,
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"esTypes": Array [
"keyword",
@ -385,7 +365,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"destination.bytes": Object {
"aggregatable": true,
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"esTypes": Array [
"long",
@ -403,7 +382,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"destination.domain": Object {
"aggregatable": true,
"category": "destination",
"description": "Destination domain.",
"esTypes": Array [
"keyword",
@ -421,7 +399,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"destination.ip": Object {
"aggregatable": true,
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
"ip",
@ -439,7 +416,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"destination.port": Object {
"aggregatable": true,
"category": "destination",
"description": "Port of the destination.",
"esTypes": Array [
"long",
@ -461,7 +437,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"event.action": Object {
"aggregatable": true,
"category": "event",
"description": "The action captured by the event. This describes the information in the event. It is more specific than \`event.category\`. Examples are \`group-add\`, \`process-started\`, \`file-created\`. The value is normally defined by the implementer.",
"esTypes": Array [
"keyword",
@ -485,7 +460,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"event.category": Object {
"aggregatable": true,
"category": "event",
"description": "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. \`event.category\` represents the \\"big buckets\\" of ECS categories. For example, filtering on \`event.category:process\` yields all events relating to process activity. This field is closely related to \`event.type\`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.",
"esTypes": Array [
"keyword",
@ -509,7 +483,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"event.end": Object {
"aggregatable": true,
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"esTypes": Array [
"date",
@ -533,7 +506,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"event.kind": Object {
"aggregatable": true,
"category": "event",
"description": "This defined the type of event eg. alerts",
"esTypes": Array [
"keyword",
@ -557,7 +529,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"event.severity": Object {
"aggregatable": true,
"category": "event",
"description": "The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in \`log.syslog.severity.code\`. \`event.severity\` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the \`log.syslog.severity.code\` to \`event.severity\`.",
"esTypes": Array [
"long",
@ -585,7 +556,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"host.name": Object {
"aggregatable": true,
"category": "host",
"description": "Name of the host. It can contain what \`hostname\` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.",
"esTypes": Array [
"keyword",
@ -612,7 +582,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"nestedField.firstAttributes": Object {
"aggregatable": false,
"category": "nestedField",
"description": "",
"example": "",
"format": "",
@ -632,7 +601,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"nestedField.secondAttributes": Object {
"aggregatable": false,
"category": "nestedField",
"description": "",
"example": "",
"format": "",
@ -652,7 +620,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"nestedField.thirdAttributes": Object {
"aggregatable": false,
"category": "nestedField",
"description": "",
"example": "",
"format": "",
@ -691,7 +658,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"source.ip": Object {
"aggregatable": true,
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
"ip",
@ -709,7 +675,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
},
"source.port": Object {
"aggregatable": true,
"category": "source",
"description": "Port of the source.",
"esTypes": Array [
"long",
@ -731,7 +696,6 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"fields": Object {
"user.name": Object {
"aggregatable": true,
"category": "user",
"description": "Short name or login of the user.",
"esTypes": Array [
"keyword",


@ -105,7 +105,6 @@ describe('helpers', () => {
const expectedData = [
{
aggregatable: true,
category: 'base',
columnHeaderType: 'not-filtered',
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
@ -122,7 +121,6 @@ describe('helpers', () => {
},
{
aggregatable: true,
category: 'source',
columnHeaderType: 'not-filtered',
description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
@ -137,7 +135,6 @@ describe('helpers', () => {
},
{
aggregatable: true,
category: 'destination',
columnHeaderType: 'not-filtered',
description:
'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
@ -170,7 +167,6 @@ describe('helpers', () => {
expect(getColumnHeaders(headers, mockBrowserFields)).toEqual([
{
aggregatable: false,
category: 'base',
columnHeaderType: 'not-filtered',
description: 'Each document has an _id that uniquely identifies it',
esTypes: [],
@ -199,7 +195,6 @@ describe('helpers', () => {
fields: {
test_field_1: {
aggregatable: true,
category: 'test_field_1',
esTypes: ['keyword'],
format: 'string',
indexes: [
@ -226,7 +221,6 @@ describe('helpers', () => {
expect(getColumnHeaders(headers, oneLevelDeep)).toEqual([
{
aggregatable: true,
category: 'test_field_1',
columnHeaderType: 'not-filtered',
esTypes: ['keyword'],
format: 'string',
@ -266,7 +260,6 @@ describe('helpers', () => {
fields: {
'foo.bar': {
aggregatable: true,
category: 'foo',
esTypes: ['keyword'],
format: 'string',
indexes: [
@ -293,7 +286,6 @@ describe('helpers', () => {
expect(getColumnHeaders(headers, twoLevelsDeep)).toEqual([
{
aggregatable: true,
category: 'foo',
columnHeaderType: 'not-filtered',
esTypes: ['keyword'],
format: 'string',


@ -4,7 +4,6 @@ exports[`useTimelineColumns augmentedColumnHeaders should return the default col
Array [
Object {
"aggregatable": true,
"category": "base",
"columnHeaderType": "not-filtered",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"esTypes": Array [
@ -26,7 +25,6 @@ Array [
},
Object {
"aggregatable": false,
"category": "base",
"columnHeaderType": "not-filtered",
"description": "For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.",
"esTypes": Array [
@ -47,7 +45,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "event",
"columnHeaderType": "not-filtered",
"description": "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. \`event.category\` represents the \\"big buckets\\" of ECS categories. For example, filtering on \`event.category:process\` yields all events relating to process activity. This field is closely related to \`event.type\`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.",
"esTypes": Array [
@ -74,7 +71,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "event",
"columnHeaderType": "not-filtered",
"description": "The action captured by the event. This describes the information in the event. It is more specific than \`event.category\`. Examples are \`group-add\`, \`process-started\`, \`file-created\`. The value is normally defined by the implementer.",
"esTypes": Array [
@ -101,7 +97,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "host",
"columnHeaderType": "not-filtered",
"description": "Name of the host. It can contain what \`hostname\` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.",
"esTypes": Array [
@ -127,7 +122,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "source",
"columnHeaderType": "not-filtered",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
@ -148,7 +142,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "destination",
"columnHeaderType": "not-filtered",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
@ -169,7 +162,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "user",
"columnHeaderType": "not-filtered",
"description": "Short name or login of the user.",
"esTypes": Array [
@ -195,7 +187,6 @@ exports[`useTimelineColumns augmentedColumnHeaders should return the default uni
Array [
Object {
"aggregatable": true,
"category": "base",
"columnHeaderType": "not-filtered",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"esTypes": Array [
@ -217,7 +208,6 @@ Array [
},
Object {
"aggregatable": false,
"category": "base",
"columnHeaderType": "not-filtered",
"description": "For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.",
"esTypes": Array [
@ -238,7 +228,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "event",
"columnHeaderType": "not-filtered",
"description": "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. \`event.category\` represents the \\"big buckets\\" of ECS categories. For example, filtering on \`event.category:process\` yields all events relating to process activity. This field is closely related to \`event.type\`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.",
"esTypes": Array [
@ -264,7 +253,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "event",
"columnHeaderType": "not-filtered",
"description": "The action captured by the event. This describes the information in the event. It is more specific than \`event.category\`. Examples are \`group-add\`, \`process-started\`, \`file-created\`. The value is normally defined by the implementer.",
"esTypes": Array [
@ -290,7 +278,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "host",
"columnHeaderType": "not-filtered",
"description": "Name of the host. It can contain what \`hostname\` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.",
"esTypes": Array [
@ -315,7 +302,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "source",
"columnHeaderType": "not-filtered",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
@ -335,7 +321,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "destination",
"columnHeaderType": "not-filtered",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [
@ -355,7 +340,6 @@ Array [
},
Object {
"aggregatable": true,
"category": "user",
"columnHeaderType": "not-filtered",
"description": "Short name or login of the user.",
"esTypes": Array [
@ -380,7 +364,6 @@ exports[`useTimelineColumns augmentedColumnHeaders should return the provided co
Array [
Object {
"aggregatable": true,
"category": "source",
"columnHeaderType": "not-filtered",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"esTypes": Array [


@ -76,17 +76,16 @@ export interface IndexFieldsStrategyResponse extends IEsSearchResponse {
*/
export interface BrowserField {
aggregatable: boolean;
category: string;
description: string | null;
example: string | number | null;
fields: Record<string, Partial<BrowserField>>;
description: string | null; // FIXME: replace with customDescription or EcsFlat
example: string | number | null; // FIXME: not there, could be pulled from the ecs
fields: Record<string, Partial<BrowserField>>; // FIXME: missing in FieldSpec
format: string;
indexes: string[];
indexes: string[]; // FIXME: missing in FieldSpec
name: string;
searchable: boolean;
type: string;
esTypes?: string[];
subType?: IFieldSubType;
subType?: IFieldSubType; // not sure
readFromDocValues: boolean;
runtimeField?: RuntimeField;
}
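Review bot: The `// not sure` comment on `subType` in `BrowserField` records doubt without saying what is unknown, and the four `FIXME` comments on `description`, `example`, `fields` and `indexes` carry no owner or issue reference, so they are likely to outlive the cleanup they describe. I would state the open question instead, e.g. `subType?: IFieldSubType; // FIXME: confirm whether FieldSpec already provides this`. The `example` comment says "not there", which presumably means absent from FieldSpec; `// FIXME: missing in FieldSpec, could be pulled from ECS` would match the wording used on `fields` and `indexes`. The interface's doc comment starts above the hunk.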


@ -372,7 +372,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'agent.ephemeral_id': {
aggregatable: true,
category: 'agent',
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
@ -384,7 +383,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.hostname': {
aggregatable: true,
category: 'agent',
description: null,
example: null,
format: '',
@ -395,7 +393,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.id': {
aggregatable: true,
category: 'agent',
description:
'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
example: '8a4f500d',
@ -407,7 +404,6 @@ export const mockBrowserFields: BrowserFields = {
},
'agent.name': {
aggregatable: true,
category: 'agent',
description:
'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
example: 'foo',
@ -423,7 +419,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'auditd.data.a0': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -434,7 +429,6 @@ export const mockBrowserFields: BrowserFields = {
},
'auditd.data.a1': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -445,7 +439,6 @@ export const mockBrowserFields: BrowserFields = {
},
'auditd.data.a2': {
aggregatable: true,
category: 'auditd',
description: null,
example: null,
format: '',
@ -460,7 +453,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'@timestamp': {
aggregatable: true,
category: 'base',
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
@ -471,7 +463,6 @@ export const mockBrowserFields: BrowserFields = {
type: 'date',
},
_id: {
category: 'base',
description: 'Each document has an _id that uniquely identifies it',
example: 'Y-6TfmcB0WOhS6qyMv3s',
name: '_id',
@ -481,7 +472,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
},
message: {
category: 'base',
description:
'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.',
example: 'Hello World',
@ -498,7 +488,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'client.address': {
aggregatable: true,
category: 'client',
description:
'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
@ -510,7 +499,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.bytes': {
aggregatable: true,
category: 'client',
description: 'Bytes sent from the client to the server.',
example: '184',
format: '',
@ -521,7 +509,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.domain': {
aggregatable: true,
category: 'client',
description: 'Client domain.',
example: null,
format: '',
@ -532,7 +519,6 @@ export const mockBrowserFields: BrowserFields = {
},
'client.geo.country_iso_code': {
aggregatable: true,
category: 'client',
description: 'Country ISO code.',
example: 'CA',
format: '',
@ -547,7 +533,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'cloud.account.id': {
aggregatable: true,
category: 'cloud',
description:
'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
example: '666777888999',
@ -559,7 +544,6 @@ export const mockBrowserFields: BrowserFields = {
},
'cloud.availability_zone': {
aggregatable: true,
category: 'cloud',
description: 'Availability zone in which this host is running.',
example: 'us-east-1c',
format: '',
@ -574,7 +558,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'container.id': {
aggregatable: true,
category: 'container',
description: 'Unique container id.',
example: null,
format: '',
@ -585,7 +568,6 @@ export const mockBrowserFields: BrowserFields = {
},
'container.image.name': {
aggregatable: true,
category: 'container',
description: 'Name of the image the container was built on.',
example: null,
format: '',
@ -596,7 +578,6 @@ export const mockBrowserFields: BrowserFields = {
},
'container.image.tag': {
aggregatable: true,
category: 'container',
description: 'Container image tag.',
example: null,
format: '',
@ -611,7 +592,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'destination.address': {
aggregatable: true,
category: 'destination',
description:
'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
@ -623,7 +603,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.bytes': {
aggregatable: true,
category: 'destination',
description: 'Bytes sent from the destination to the source.',
example: '184',
format: '',
@ -634,7 +613,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.domain': {
aggregatable: true,
category: 'destination',
description: 'Destination domain.',
example: null,
format: '',
@ -645,7 +623,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.ip': {
aggregatable: true,
category: 'destination',
description:
'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
@ -657,7 +634,6 @@ export const mockBrowserFields: BrowserFields = {
},
'destination.port': {
aggregatable: true,
category: 'destination',
description: 'Port of the destination.',
example: '',
format: '',
@ -671,7 +647,6 @@ export const mockBrowserFields: BrowserFields = {
event: {
fields: {
'event.end': {
category: 'event',
description:
'event.end contains the date when the event ended or when the activity was last observed.',
example: null,
@ -683,7 +658,6 @@ export const mockBrowserFields: BrowserFields = {
aggregatable: true,
},
'event.action': {
category: 'event',
description:
'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.',
example: 'user-password-change',
@ -695,7 +669,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: DEFAULT_INDEX_PATTERN,
},
'event.category': {
category: 'event',
description:
'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.',
example: 'authentication',
@ -707,7 +680,6 @@ export const mockBrowserFields: BrowserFields = {
indexes: DEFAULT_INDEX_PATTERN,
},
'event.severity': {
category: 'event',
description:
"The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.",
example: 7,
@ -723,7 +695,6 @@ export const mockBrowserFields: BrowserFields = {
host: {
fields: {
'host.name': {
category: 'host',
description:
'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
name: 'host.name',
@ -739,7 +710,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'source.ip': {
aggregatable: true,
category: 'source',
description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
format: '',
@ -750,7 +720,6 @@ export const mockBrowserFields: BrowserFields = {
},
'source.port': {
aggregatable: true,
category: 'source',
description: 'Port of the source.',
example: '',
format: '',
@ -764,7 +733,6 @@ export const mockBrowserFields: BrowserFields = {
user: {
fields: {
'user.name': {
category: 'user',
description: 'Short name or login of the user.',
example: 'albert',
name: 'user.name',
@ -780,7 +748,6 @@ export const mockBrowserFields: BrowserFields = {
fields: {
'nestedField.firstAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',
@ -796,7 +763,6 @@ export const mockBrowserFields: BrowserFields = {
},
'nestedField.secondAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',
@ -812,7 +778,6 @@ export const mockBrowserFields: BrowserFields = {
},
'nestedField.thirdAttributes': {
aggregatable: false,
category: 'nestedField',
description: '',
example: '',
format: '',