[Endpoint filtering] Added more options to filter predicates (#147209)
## Summary Adds some of the ECS fields added in 8.2 to the list of available filter predicates. My IDE reordered the list to be alphabetical, so I've included the list of added fields below. ### List of new fields: ```process.entry_leader.command_line process.entry_leader.entry_meta.source.ip process.entry_leader.entry_meta.type process.entry_leader.executable process.entry_leader.group.id process.entry_leader.group.name process.entry_leader.interactive process.entry_leader.name process.entry_leader.user.id process.entry_leader.user.name process.entry_leader.working_directory process.group_leader.args process.group_leader.command_line process.group_leader.executable process.group_leader.group.id process.group_leader.group.name process.group_leader.interactive process.group_leader.name process.group_leader.user.id process.group_leader.user.name process.group_leader.working_directory process.interactive process.io.text process.parent.group.id process.parent.group.name process.parent.interactive process.parent.user.id process.parent.user.name process.parent.working_directory process.session_leader.args process.session_leader.command_line process.session_leader.executable process.session_leader.group.id process.session_leader.group.name process.session_leader.interactive process.session_leader.name process.session_leader.start process.session_leader.user.id process.session_leader.user.name process.session_leader.working_directory process.supplemental_groups.id process.supplemental_groups.name cloud.account.id cloud.instance.name cloud.project.id cloud.provider cloud.region container.id container.image.hash.all container.image.name container.image.tag container.name orchestrator.cluster.id orchestrator.cluster.name orchestrator.resource.ip orchestrator.resource.name orchestrator.resource.parent.type orchestrator.resource.type ``` Co-authored-by: Karl Godard <karlgodard@elastic.co>
This commit is contained in:
parent
f11affb8e2
commit
d0039eadf6
1 changed files with 106 additions and 52 deletions
|
@ -7,10 +7,26 @@
|
|||
|
||||
export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
||||
'@timestamp',
|
||||
'Endpoint.policy',
|
||||
'Endpoint.policy.applied',
|
||||
'Endpoint.policy.applied.id',
|
||||
'Endpoint.policy.applied.name',
|
||||
'Endpoint.policy.applied.status',
|
||||
'Endpoint.status',
|
||||
'agent.id',
|
||||
'agent.name',
|
||||
'agent.type',
|
||||
'agent.version',
|
||||
'cloud.account.id',
|
||||
'cloud.instance.name',
|
||||
'cloud.project.id',
|
||||
'cloud.provider',
|
||||
'cloud.region',
|
||||
'container.id',
|
||||
'container.image.hash.all',
|
||||
'container.image.name',
|
||||
'container.image.tag',
|
||||
'container.name',
|
||||
'data_stream.dataset',
|
||||
'data_stream.namespace',
|
||||
'data_stream.type',
|
||||
|
@ -30,11 +46,6 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'destination.port',
|
||||
'destination.registered_domain',
|
||||
'destination.top_level_domain',
|
||||
'dll.code_signature.exists',
|
||||
'dll.code_signature.status',
|
||||
'dll.code_signature.subject_name',
|
||||
'dll.code_signature.trusted',
|
||||
'dll.code_signature.valid',
|
||||
'dll.Ext',
|
||||
'dll.Ext.code_signature',
|
||||
'dll.Ext.code_signature.exists',
|
||||
|
@ -43,6 +54,11 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'dll.Ext.code_signature.trusted',
|
||||
'dll.Ext.code_signature.valid',
|
||||
'dll.Ext.load_index',
|
||||
'dll.code_signature.exists',
|
||||
'dll.code_signature.status',
|
||||
'dll.code_signature.subject_name',
|
||||
'dll.code_signature.trusted',
|
||||
'dll.code_signature.valid',
|
||||
'dll.hash.md5',
|
||||
'dll.hash.sha1',
|
||||
'dll.hash.sha256',
|
||||
|
@ -67,20 +83,14 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'ecs.version',
|
||||
'elastic.agent',
|
||||
'elastic.agent.id',
|
||||
'Endpoint.policy',
|
||||
'Endpoint.policy.applied',
|
||||
'Endpoint.policy.applied.id',
|
||||
'Endpoint.policy.applied.name',
|
||||
'Endpoint.policy.applied.status',
|
||||
'Endpoint.status',
|
||||
'event.Ext',
|
||||
'event.Ext.correlation',
|
||||
'event.Ext.correlation.id',
|
||||
'event.action',
|
||||
'event.category',
|
||||
'event.code',
|
||||
'event.created',
|
||||
'event.dataset',
|
||||
'event.Ext',
|
||||
'event.Ext.correlation',
|
||||
'event.Ext.correlation.id',
|
||||
'event.hash',
|
||||
'event.id',
|
||||
'event.ingested',
|
||||
|
@ -90,13 +100,6 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'event.sequence',
|
||||
'event.severity',
|
||||
'event.type',
|
||||
'file.accessed',
|
||||
'file.attributes',
|
||||
'file.created',
|
||||
'file.ctime',
|
||||
'file.device',
|
||||
'file.directory',
|
||||
'file.drive_letter',
|
||||
'file.Ext',
|
||||
'file.Ext.code_signature',
|
||||
'file.Ext.code_signature.exists',
|
||||
|
@ -117,6 +120,13 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'file.Ext.original.uid',
|
||||
'file.Ext.windows',
|
||||
'file.Ext.windows.zone_identifier',
|
||||
'file.accessed',
|
||||
'file.attributes',
|
||||
'file.created',
|
||||
'file.ctime',
|
||||
'file.device',
|
||||
'file.directory',
|
||||
'file.drive_letter',
|
||||
'file.extension',
|
||||
'file.gid',
|
||||
'file.group',
|
||||
|
@ -145,11 +155,11 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'file.target_path.text',
|
||||
'file.type',
|
||||
'file.uid',
|
||||
'group.domain',
|
||||
'group.Ext',
|
||||
'group.Ext.real',
|
||||
'group.Ext.real.id',
|
||||
'group.Ext.real.name',
|
||||
'group.domain',
|
||||
'group.id',
|
||||
'group.name',
|
||||
'host.architecture',
|
||||
|
@ -177,12 +187,12 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'http.request.body.content',
|
||||
'http.request.body.content.text',
|
||||
'http.request.bytes',
|
||||
'http.response.Ext',
|
||||
'http.response.Ext.version',
|
||||
'http.response.body.bytes',
|
||||
'http.response.body.content',
|
||||
'http.response.body.content.text',
|
||||
'http.response.bytes',
|
||||
'http.response.Ext',
|
||||
'http.response.Ext.version',
|
||||
'http.response.status_code',
|
||||
'message',
|
||||
'network.bytes',
|
||||
|
@ -193,23 +203,13 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'network.protocol',
|
||||
'network.transport',
|
||||
'network.type',
|
||||
'orchestrator.cluster.id',
|
||||
'orchestrator.cluster.name',
|
||||
'orchestrator.resource.ip',
|
||||
'orchestrator.resource.name',
|
||||
'orchestrator.resource.parent.type',
|
||||
'orchestrator.resource.type',
|
||||
'package.name',
|
||||
'process.args',
|
||||
'process.args_count',
|
||||
'process.code_signature.exists',
|
||||
'process.code_signature.status',
|
||||
'process.code_signature.subject_name',
|
||||
'process.code_signature.trusted',
|
||||
'process.code_signature.valid',
|
||||
'process.command_line',
|
||||
'process.command_line.caseless',
|
||||
'process.command_line.text',
|
||||
'process.entity_id',
|
||||
'process.entry_leader.interactive',
|
||||
'process.executable',
|
||||
'process.executable.caseless',
|
||||
'process.executable.text',
|
||||
'process.exit_code',
|
||||
'process.Ext',
|
||||
'process.Ext.ancestry',
|
||||
'process.Ext.authentication_id',
|
||||
|
@ -224,13 +224,60 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'process.Ext.token.elevation',
|
||||
'process.Ext.token.elevation_type',
|
||||
'process.Ext.token.integrity_level_name',
|
||||
'process.args',
|
||||
'process.args_count',
|
||||
'process.code_signature.exists',
|
||||
'process.code_signature.status',
|
||||
'process.code_signature.subject_name',
|
||||
'process.code_signature.trusted',
|
||||
'process.code_signature.valid',
|
||||
'process.command_line',
|
||||
'process.command_line.caseless',
|
||||
'process.command_line.text',
|
||||
'process.entity_id',
|
||||
'process.entry_leader.command_line',
|
||||
'process.entry_leader.entry_meta.source.ip',
|
||||
'process.entry_leader.entry_meta.type',
|
||||
'process.entry_leader.executable',
|
||||
'process.entry_leader.group.id',
|
||||
'process.entry_leader.group.name',
|
||||
'process.entry_leader.interactive',
|
||||
'process.entry_leader.name',
|
||||
'process.entry_leader.user.id',
|
||||
'process.entry_leader.user.name',
|
||||
'process.entry_leader.working_directory',
|
||||
'process.executable',
|
||||
'process.executable.caseless',
|
||||
'process.executable.text',
|
||||
'process.exit_code',
|
||||
'process.group_leader.args',
|
||||
'process.group_leader.command_line',
|
||||
'process.group_leader.executable',
|
||||
'process.group_leader.group.id',
|
||||
'process.group_leader.group.name',
|
||||
'process.group_leader.interactive',
|
||||
'process.group_leader.name',
|
||||
'process.group_leader.user.id',
|
||||
'process.group_leader.user.name',
|
||||
'process.group_leader.working_directory',
|
||||
'process.hash.md5',
|
||||
'process.hash.sha1',
|
||||
'process.hash.sha256',
|
||||
'process.hash.sha512',
|
||||
'process.interactive',
|
||||
'process.io.text',
|
||||
'process.name',
|
||||
'process.name.caseless',
|
||||
'process.name.text',
|
||||
'process.parent.Ext',
|
||||
'process.parent.Ext.code_signature',
|
||||
'process.parent.Ext.code_signature.exists',
|
||||
'process.parent.Ext.code_signature.status',
|
||||
'process.parent.Ext.code_signature.subject_name',
|
||||
'process.parent.Ext.code_signature.trusted',
|
||||
'process.parent.Ext.code_signature.valid',
|
||||
'process.parent.Ext.real',
|
||||
'process.parent.Ext.real.pid',
|
||||
'process.parent.args',
|
||||
'process.parent.args_count',
|
||||
'process.parent.code_signature.exists',
|
||||
|
@ -246,19 +293,13 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'process.parent.executable.caseless',
|
||||
'process.parent.executable.text',
|
||||
'process.parent.exit_code',
|
||||
'process.parent.Ext',
|
||||
'process.parent.Ext.code_signature',
|
||||
'process.parent.Ext.code_signature.exists',
|
||||
'process.parent.Ext.code_signature.status',
|
||||
'process.parent.Ext.code_signature.subject_name',
|
||||
'process.parent.Ext.code_signature.trusted',
|
||||
'process.parent.Ext.code_signature.valid',
|
||||
'process.parent.Ext.real',
|
||||
'process.parent.Ext.real.pid',
|
||||
'process.parent.group.id',
|
||||
'process.parent.group.name',
|
||||
'process.parent.hash.md5',
|
||||
'process.parent.hash.sha1',
|
||||
'process.parent.hash.sha256',
|
||||
'process.parent.hash.sha512',
|
||||
'process.parent.interactive',
|
||||
'process.parent.name',
|
||||
'process.parent.name.caseless',
|
||||
'process.parent.name.text',
|
||||
|
@ -276,6 +317,9 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'process.parent.title',
|
||||
'process.parent.title.text',
|
||||
'process.parent.uptime',
|
||||
'process.parent.user.id',
|
||||
'process.parent.user.name',
|
||||
'process.parent.working_directory',
|
||||
'process.parent.working_directory',
|
||||
'process.parent.working_directory.caseless',
|
||||
'process.parent.working_directory.text',
|
||||
|
@ -288,6 +332,16 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'process.pgid',
|
||||
'process.pid',
|
||||
'process.ppid',
|
||||
'process.session_leader.args',
|
||||
'process.session_leader.command_line',
|
||||
'process.session_leader.executable',
|
||||
'process.session_leader.group.id',
|
||||
'process.session_leader.group.name',
|
||||
'process.session_leader.interactive',
|
||||
'process.session_leader.name',
|
||||
'process.session_leader.user.id',
|
||||
'process.session_leader.user.name',
|
||||
'process.session_leader.working_directory',
|
||||
'process.thread.id',
|
||||
'process.thread.name',
|
||||
'process.title',
|
||||
|
@ -318,19 +372,19 @@ export const EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS = [
|
|||
'source.port',
|
||||
'source.registered_domain',
|
||||
'source.top_level_domain',
|
||||
'user.domain',
|
||||
'user.email',
|
||||
'user.Ext',
|
||||
'user.Ext.real',
|
||||
'user.Ext.real.id',
|
||||
'user.Ext.real.name',
|
||||
'user.domain',
|
||||
'user.email',
|
||||
'user.full_name',
|
||||
'user.full_name.text',
|
||||
'user.group.domain',
|
||||
'user.group.Ext',
|
||||
'user.group.Ext.real',
|
||||
'user.group.Ext.real.id',
|
||||
'user.group.Ext.real.name',
|
||||
'user.group.domain',
|
||||
'user.group.id',
|
||||
'user.group.name',
|
||||
'user.hash',
|
||||
|
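Review bot: The reordered array now follows case-sensitive ASCII order (`Endpoint.*`, `dll.Ext*`, `event.Ext*` and similar entries are moved ahead of their lowercase neighbours in the first, third and fifth hunks), but nothing in the file records that convention or guards the allow-list against an entry silently dropped or duplicated during a 106/52-line hand edit. Because `EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS` decides which event fields may be used in endpoint exception predicates, a dropped entry changes what users can filter on without any failing check. I would add a header comment above the array, `// Keep sorted (case-sensitive, as Array.prototype.sort orders strings) so additions are easy to review`, and a unit test asserting `new Set(EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS).size === EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS.length` and that `[...EXCEPTIONABLE_ENDPOINT_EVENT_FIELDS].sort()` deep-equals the array as written. The array's opening line is in the first hunk but its closing bracket lies outside the last hunk shown.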
|