[SIEM] Endgame events on the SIEM Overview page (#47774) (#47904)

## Summary * Adds Endgame events to the SIEM Overview page, per the following screenshot: <img width="1680" alt="overview-chrome" src="https://user-images.githubusercontent.com/4459398/66524250-26a47800-eaaf-11e9-8ff9-311c031e5d00.png"> * Adds `endgame-*` to the default SIEM index pattern, per the following screenshot: <img width="1665" alt="siem-advanced-settings" src="https://user-images.githubusercontent.com/4459398/66524300-45a30a00-eaaf-11e9-93c3-dce74917e73a.png"> RELEASE NOTE: To view Endgame events in existing SIEM deployments, you must manually add `endgame-*` to the SIEM index pattern in `Kibana Management > Advanced Settings > SIEM > Elasticsearch indices`. Also note that the `Reset to default` feature for this setting in the Advanced Settings page now includes `endgame-*`. * Adds the GraphQL plumbing for rendering Endgame data in the Timeline via row renderers (in an upcoming PR), with the introduction of the following fields: ``` dns.question.name dns.question.type dns.resolved_ip dns.response_code endgame.exit_code endgame.file_name endgame.file_path endgame.logon_type endgame.parent_process_name endgame.pid endgame.process_name endgame.subject_domain_name endgame.subject_logon_id endgame.subject_user_name endgame.target_domain_name endgame.target_logon_id endgame.target_user_name event.code file.name process.hash.md5 process.hash.sha1 process.hash.sha256 user.domain winlog.event_id ``` ## Testing ### Cypress The `smoke_tests/overview/overview.spec.ts` Cypress test was updated to include the new counts on the Overview page, per the screenshot below: ![cypress-overview-spec](https://user-images.githubusercontent.com/4459398/66529142-8c98fb80-eabf-11e9-800e-a0d9e1e51d6d.png) ### API Integration test The Overview page API integration test `xpack/test/api_integration/apis/siem/overview_host.ts` was updated to include counts of mock Endgame data added to `test/functional/es_archives/auditbeat/overview/data.json.gz` ### Unit tests Overview page unit tests were updated to include the new Endgame event counts ### Desk testing * Desk tested by hand-editing `components/page/overview/overview_host/index.tsx` and setting the `endDate` and `startDate` values below to a fixed datetime: ``` <OverviewHostQuery endDate={endDate} sourceId="default" startDate={startDate}> ``` The counts shown on the overview page where then compared to the counts shown in the timeline in the same date period, to verify the counts match 1:1. * The additional fields mentioned above in this PR (e.g. `dns.question.name`,`endgame.target_domain_name`) that are now being requested via GraphQL can be seen via the Timeline Inspect (query) feature: 1) Enter `event.module: endgame` in the Timeline KQL bar. (Adjust the date range if necessary.) 2) After Endgame events are displayed in the timeline, click the Inspect button in the Timeline settings gear. The additional fields (and values) will be included in the Inspect query Request / Response tabs. ### Cross-browser dark/light testing #### Firefox <img width="1680" alt="overview-firefox" src="https://user-images.githubusercontent.com/4459398/66524773-9c5d1380-eab0-11e9-9383-c155872881b0.png"> #### Safari <img width="1680" alt="overview-safari" src="https://user-images.githubusercontent.com/4459398/66524790-a54de500-eab0-11e9-9786-aa7dbe18c1bf.png"> #### IE11 This PR was *not* tested in IE11 due to the current blocker with `react-reverse-portal` https://github.com/elastic/siem-team/issues/465 https://github.com/elastic/ecs-dev/issues/178
2025-04-24 17:59:23 -04:00 · 2019-10-11 08:42:58 -06:00 · 2019-10-11 08:42:58 -06:00 · d503b7268a
commit d503b7268a
parent e5b6e90fa7
45 changed files with 1370 additions and 2080 deletions
--- a/x-pack/legacy/plugins/siem/cypress/fixtures/overview.json
+++ b/x-pack/legacy/plugins/siem/cypress/fixtures/overview.json
@ -21,6 +21,13 @@
        "auditbeatPackage": 567,
        "auditbeatProcess": 678,
        "auditbeatUser": 789,
+        "endgameDns": 391,
+        "endgameFile": 392,
+        "endgameImageLoad": 393,
+        "endgameNetwork": 394,
+        "endgameProcess": 395,
+        "endgameRegistry": 396,
+        "endgameSecurity": 397,
        "filebeatSystemModule": 890,
        "winlogbeat": 100,
        "__typename": "OverviewHostData"
--- a/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts
+++ b/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts
@ -9,6 +9,34 @@ export const STAT_AUDITD = {
  value: '123',
  domId: '[data-test-subj="host-stat-auditbeatAuditd"]',
 };
+export const ENDGAME_DNS = {
+  value: '391',
+  domId: '[data-test-subj="host-stat-endgameDns"]',
+};
+export const ENDGAME_FILE = {
+  value: '392',
+  domId: '[data-test-subj="host-stat-endgameFile"]',
+};
+export const ENDGAME_IMAGE_LOAD = {
+  value: '393',
+  domId: '[data-test-subj="host-stat-endgameImageLoad"]',
+};
+export const ENDGAME_NETWORK = {
+  value: '394',
+  domId: '[data-test-subj="host-stat-endgameNetwork"]',
+};
+export const ENDGAME_PROCESS = {
+  value: '395',
+  domId: '[data-test-subj="host-stat-endgameProcess"]',
+};
+export const ENDGAME_REGISTRY = {
+  value: '396',
+  domId: '[data-test-subj="host-stat-endgameRegistry"]',
+};
+export const ENDGAME_SECURITY = {
+  value: '397',
+  domId: '[data-test-subj="host-stat-endgameSecurity"]',
+};
 export const STAT_FILEBEAT = {
  value: '890',
  domId: '[data-test-subj="host-stat-filebeatSystemModule"]',
@ -40,6 +68,13 @@ export const STAT_WINLOGBEAT = {

 export const HOST_STATS = [
  STAT_AUDITD,
+  ENDGAME_DNS,
+  ENDGAME_FILE,
+  ENDGAME_IMAGE_LOAD,
+  ENDGAME_NETWORK,
+  ENDGAME_PROCESS,
+  ENDGAME_REGISTRY,
+  ENDGAME_SECURITY,
  STAT_FILEBEAT,
  STAT_FIM,
  STAT_LOGIN,
--- a/x-pack/legacy/plugins/siem/default_index_pattern.ts
+++ b/x-pack/legacy/plugins/siem/default_index_pattern.ts
@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/** The comma-delimited list of Elasticsearch indices from which the SIEM app collects events */
+export const defaultIndexPattern = [
+  'auditbeat-*',
+  'endgame-*',
+  'filebeat-*',
+  'packetbeat-*',
+  'winlogbeat-*',
+];
--- a/x-pack/legacy/plugins/siem/index.ts
+++ b/x-pack/legacy/plugins/siem/index.ts
@ -25,6 +25,7 @@ import {
  DEFAULT_TO,
 } from './common/constants';
 import { signalsAlertType } from './server/lib/detection_engine/alerts/signals_alert_type';
+import { defaultIndexPattern } from './default_index_pattern';

 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export function siem(kibana: any) {
@ -98,7 +99,7 @@ export function siem(kibana: any) {
          name: i18n.translate('xpack.siem.uiSettings.defaultIndexLabel', {
            defaultMessage: 'Elasticsearch indices',
          }),
-          value: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+          value: defaultIndexPattern,
          description: i18n.translate('xpack.siem.uiSettings.defaultIndexDescription', {
            defaultMessage:
              '<p>Comma-delimited list of Elasticsearch indices from which the SIEM app collects events.</p>',
--- a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/snapshots/drag_drop_context_wrapper.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/snapshots/drag_drop_context_wrapper.test.tsx.snap
@ -371,6 +371,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
                "format": "",
                "indexes": Array [
                  "auditbeat-*",
+                  "endgame-*",
                  "filebeat-*",
                  "packetbeat-*",
                  "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/snapshots/draggable_wrapper.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/snapshots/draggable_wrapper.test.tsx.snap
@ -371,6 +371,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
                "format": "",
                "indexes": Array [
                  "auditbeat-*",
+                  "endgame-*",
                  "filebeat-*",
                  "packetbeat-*",
                  "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/snapshots/droppable_wrapper.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/snapshots/droppable_wrapper.test.tsx.snap
@ -371,6 +371,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
                "format": "",
                "indexes": Array [
                  "auditbeat-*",
+                  "endgame-*",
                  "filebeat-*",
                  "packetbeat-*",
                  "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/event_details/snapshots/event_details.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/event_details/snapshots/event_details.test.tsx.snap
@ -367,6 +367,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
              "format": "",
              "indexes": Array [
                "auditbeat-*",
+                "endgame-*",
                "filebeat-*",
                "packetbeat-*",
                "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/events_viewer/mock.ts
+++ b/x-pack/legacy/plugins/siem/public/components/events_viewer/mock.ts
--- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/snapshots/index.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/snapshots/index.test.tsx.snap
@ -10,6 +10,13 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt
      "auditbeatPackage": 2003,
      "auditbeatProcess": 1200,
      "auditbeatUser": 1979,
+      "endgameDns": 39123,
+      "endgameFile": 39456,
+      "endgameImageLoad": 39789,
+      "endgameNetwork": 39101112,
+      "endgameProcess": 39131415,
+      "endgameRegistry": 39161718,
+      "endgameSecurity": 39202122,
      "filebeatSystemModule": 568,
      "winlogbeat": 296999,
    }
--- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx
@ -25,6 +25,7 @@ interface OverviewHostProps {
  loading: boolean;
 }

+// eslint-disable-next-line complexity
 const overviewHostStats = (data: OverviewHostData) => [
  {
    description:
@ -104,6 +105,91 @@ const overviewHostStats = (data: OverviewHostData) => [
    ),
    id: 'auditbeatUser',
  },
+  {
+    description:
+      has('endgameDns', data) && data.endgameDns !== null
+        ? numeral(data.endgameDns).format('0,0')
+        : getEmptyTagValue(),
+    title: (
+      <FormattedMessage id="xpack.siem.overview.endgameDnsTitle" defaultMessage="Endgame DNS" />
+    ),
+    id: 'endgameDns',
+  },
+  {
+    description:
+      has('endgameFile', data) && data.endgameFile !== null
+        ? numeral(data.endgameFile).format('0,0')
+        : getEmptyTagValue(),
+    title: (
+      <FormattedMessage id="xpack.siem.overview.endgameFileTitle" defaultMessage="Endgame File" />
+    ),
+    id: 'endgameFile',
+  },
+  {
+    description:
+      has('endgameImageLoad', data) && data.endgameImageLoad !== null
+        ? numeral(data.endgameImageLoad).format('0,0')
+        : getEmptyTagValue(),
+    title: (
+      <FormattedMessage
+        id="xpack.siem.overview.endgameImageLoadTitle"
+        defaultMessage="Endgame Image Load"
+      />
+    ),
+    id: 'endgameImageLoad',
+  },
+  {
+    description:
+      has('endgameNetwork', data) && data.endgameNetwork !== null
+        ? numeral(data.endgameNetwork).format('0,0')
+        : getEmptyTagValue(),
+    title: (
+      <FormattedMessage
+        id="xpack.siem.overview.endgameNetworkTitle"
+        defaultMessage="Endgame Network"
+      />
+    ),
+    id: 'endgameNetwork',
+  },
+  {
+    description:
+      has('endgameProcess', data) && data.endgameProcess !== null
+        ? numeral(data.endgameProcess).format('0,0')
+        : getEmptyTagValue(),
+    title: (
+      <FormattedMessage
+        id="xpack.siem.overview.endgameProcessTitle"
+        defaultMessage="Endgame Process"
+      />
+    ),
+    id: 'endgameProcess',
+  },
+  {
+    description:
+      has('endgameRegistry', data) && data.endgameRegistry !== null
+        ? numeral(data.endgameRegistry).format('0,0')
+        : getEmptyTagValue(),
+    title: (
+      <FormattedMessage
+        id="xpack.siem.overview.endgameRegistryTitle"
+        defaultMessage="Endgame Registry"
+      />
+    ),
+    id: 'endgameRegistry',
+  },
+  {
+    description:
+      has('endgameSecurity', data) && data.endgameSecurity !== null
+        ? numeral(data.endgameSecurity).format('0,0')
+        : getEmptyTagValue(),
+    title: (
+      <FormattedMessage
+        id="xpack.siem.overview.endgameSecurityTitle"
+        defaultMessage="Endgame Security"
+      />
+    ),
+    id: 'endgameSecurity',
+  },
  {
    description:
      has('filebeatSystemModule', data) && data.filebeatSystemModule !== null
--- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts
+++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts
@ -14,6 +14,13 @@ export const mockData: { OverviewHost: OverviewHostData } = {
    auditbeatPackage: 2003,
    auditbeatProcess: 1200,
    auditbeatUser: 1979,
+    endgameDns: 39123,
+    endgameFile: 39456,
+    endgameImageLoad: 39789,
+    endgameNetwork: 39101112,
+    endgameProcess: 39131415,
+    endgameRegistry: 39161718,
+    endgameSecurity: 39202122,
    filebeatSystemModule: 568,
    winlogbeat: 296999,
  },
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/snapshots/index.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/snapshots/index.test.tsx.snap
@ -378,6 +378,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
                      "format": "",
                      "indexes": Array [
                        "auditbeat-*",
+                        "endgame-*",
                        "filebeat-*",
                        "packetbeat-*",
                        "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/suricata/snapshots/suricata_details.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/suricata/snapshots/suricata_details.test.tsx.snap
@ -366,6 +366,7 @@ exports[`SuricataDetails rendering it renders the default SuricataDetails 1`] =
            "format": "",
            "indexes": Array [
              "auditbeat-*",
+              "endgame-*",
              "filebeat-*",
              "packetbeat-*",
              "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/suricata/snapshots/suricata_row_renderer.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/suricata/snapshots/suricata_row_renderer.test.tsx.snap
@ -371,6 +371,7 @@ exports[`suricata_row_renderer renders correctly against snapshot 1`] = `
                "format": "",
                "indexes": Array [
                  "auditbeat-*",
+                  "endgame-*",
                  "filebeat-*",
                  "packetbeat-*",
                  "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/zeek/snapshots/zeek_details.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/zeek/snapshots/zeek_details.test.tsx.snap
@ -366,6 +366,7 @@ exports[`ZeekDetails rendering it renders the default ZeekDetails 1`] = `
            "format": "",
            "indexes": Array [
              "auditbeat-*",
+              "endgame-*",
              "filebeat-*",
              "packetbeat-*",
              "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/zeek/snapshots/zeek_row_renderer.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/zeek/snapshots/zeek_row_renderer.test.tsx.snap
@ -371,6 +371,7 @@ exports[`zeek_row_renderer renders correctly against snapshot 1`] = `
                "format": "",
                "indexes": Array [
                  "auditbeat-*",
+                  "endgame-*",
                  "filebeat-*",
                  "packetbeat-*",
                  "winlogbeat-*",
--- a/x-pack/legacy/plugins/siem/public/containers/events/last_event_time/mock.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/events/last_event_time/mock.ts
@ -4,6 +4,7 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { defaultIndexPattern } from '../../../../default_index_pattern';
 import { GetLastEventTimeQuery, LastEventIndexKey } from '../../../graphql/types';

 import { LastEventTimeGqlQuery } from './last_event_time.gql_query';
@ -42,7 +43,7 @@ export const mockLastEventTimeQuery: MockLastEventTimeQuery[] = [
        sourceId: 'default',
        indexKey: LastEventIndexKey.hosts,
        details: {},
-        defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+        defaultIndex: defaultIndexPattern,
      },
    },
    result: {
--- a/x-pack/legacy/plugins/siem/public/containers/hosts/first_last_seen/mock.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/hosts/first_last_seen/mock.ts
@ -4,6 +4,7 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { defaultIndexPattern } from '../../../../default_index_pattern';
 import { GetHostFirstLastSeenQuery } from '../../../graphql/types';

 import { HostFirstLastSeenGqlQuery } from './first_last_seen.gql_query';
@ -33,7 +34,7 @@ export const mockFirstLastSeenHostQuery: MockedProvidedQuery[] = [
      variables: {
        sourceId: 'default',
        hostName: 'kibana-siem',
-        defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+        defaultIndex: defaultIndexPattern,
      },
    },
    result: {
--- a/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts
@ -23,6 +23,13 @@ export const overviewHostQuery = gql`
        auditbeatPackage
        auditbeatProcess
        auditbeatUser
+        endgameDns
+        endgameFile
+        endgameImageLoad
+        endgameNetwork
+        endgameProcess
+        endgameRegistry
+        endgameSecurity
        filebeatSystemModule
        winlogbeat
        inspect @include(if: $inspect) {
--- a/x-pack/legacy/plugins/siem/public/containers/source/mock.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/source/mock.ts
@ -6,6 +6,7 @@

 import { BrowserFields } from '.';
 import { sourceQuery } from './index.gql_query';
+import { defaultIndexPattern } from '../../../default_index_pattern';

 export const mocksSource = [
  {
@ -13,7 +14,7 @@ export const mocksSource = [
      query: sourceQuery,
      variables: {
        sourceId: 'default',
-        defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+        defaultIndex: defaultIndexPattern,
      },
    },
    result: {
@ -332,7 +333,7 @@ export const mocksSource = [
                  'event.end contains the date when the event ended or when the activity was last observed.',
                example: null,
                format: '',
-                indexes: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+                indexes: defaultIndexPattern,
                name: 'event.end',
                searchable: true,
                type: 'date',
@ -660,7 +661,7 @@ export const mockBrowserFields: BrowserFields = {
          'event.end contains the date when the event ended or when the activity was last observed.',
        example: null,
        format: '',
-        indexes: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+        indexes: defaultIndexPattern,
        name: 'event.end',
        searchable: true,
        type: 'date',
--- a/x-pack/legacy/plugins/siem/public/containers/timeline/index.gql_query.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/timeline/index.gql_query.ts
@ -71,6 +71,7 @@ export const timelineQuery = gql`
              event {
                action
                category
+                code
                created
                dataset
                duration
@ -112,6 +113,7 @@ export const timelineQuery = gql`
                }
              }
              file {
+                name
                path
                target_path
                extension
@ -160,6 +162,29 @@ export const timelineQuery = gql`
                  region_name
                }
              }
+              dns {
+                question {
+                  name
+                  type
+                }
+                resolved_ip
+                response_code
+              }
+              endgame {
+                exit_code
+                file_name
+                file_path
+                logon_type
+                parent_process_name
+                pid
+                process_name
+                subject_domain_name
+                subject_logon_id
+                subject_user_name
+                target_domain_name
+                target_logon_id
+                target_user_name
+              }
              geo {
                region_name
                country_iso_code
@ -224,9 +249,18 @@ export const timelineQuery = gql`
                password
              }
              user {
+                domain
                name
              }
+              winlog {
+                event_id
+              }
              process {
+                hash {
+                  md5
+                  sha1
+                  sha256
+                }
                pid
                name
                ppid
--- a/x-pack/legacy/plugins/siem/public/graphql/introspection.json
+++ b/x-pack/legacy/plugins/siem/public/graphql/introspection.json
@ -2590,6 +2590,14 @@
        "name": "UserEcsFields",
        "description": "",
        "fields": [
+          {
+            "name": "domain",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
          {
            "name": "id",
            "description": "",
@ -3410,6 +3418,22 @@
            "isDeprecated": false,
            "deprecationReason": null
          },
+          {
+            "name": "dns",
+            "description": "",
+            "args": [],
+            "type": { "kind": "OBJECT", "name": "DnsEcsFields", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "endgame",
+            "description": "",
+            "args": [],
+            "type": { "kind": "OBJECT", "name": "EndgameEcsFields", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
          {
            "name": "event",
            "description": "",
@ -3514,6 +3538,14 @@
            "isDeprecated": false,
            "deprecationReason": null
          },
+          {
+            "name": "winlog",
+            "description": "",
+            "args": [],
+            "type": { "kind": "OBJECT", "name": "WinlogEcsFields", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
          {
            "name": "process",
            "description": "",
@ -3775,6 +3807,183 @@
        "enumValues": null,
        "possibleTypes": null
      },
+      {
+        "kind": "OBJECT",
+        "name": "DnsEcsFields",
+        "description": "",
+        "fields": [
+          {
+            "name": "question",
+            "description": "",
+            "args": [],
+            "type": { "kind": "OBJECT", "name": "DnsQuestionData", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "resolved_ip",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "response_code",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          }
+        ],
+        "inputFields": null,
+        "interfaces": [],
+        "enumValues": null,
+        "possibleTypes": null
+      },
+      {
+        "kind": "OBJECT",
+        "name": "DnsQuestionData",
+        "description": "",
+        "fields": [
+          {
+            "name": "name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "type",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          }
+        ],
+        "inputFields": null,
+        "interfaces": [],
+        "enumValues": null,
+        "possibleTypes": null
+      },
+      {
+        "kind": "OBJECT",
+        "name": "EndgameEcsFields",
+        "description": "",
+        "fields": [
+          {
+            "name": "exit_code",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "file_name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "file_path",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "logon_type",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "parent_process_name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "pid",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "process_name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "subject_domain_name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "subject_logon_id",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "subject_user_name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "target_domain_name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "target_logon_id",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "target_user_name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          }
+        ],
+        "inputFields": null,
+        "interfaces": [],
+        "enumValues": null,
+        "possibleTypes": null
+      },
      {
        "kind": "OBJECT",
        "name": "EventEcsFields",
@ -3796,6 +4005,14 @@
            "isDeprecated": false,
            "deprecationReason": null
          },
+          {
+            "name": "code",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
          {
            "name": "created",
            "description": "",
@ -4936,11 +5153,38 @@
        "enumValues": null,
        "possibleTypes": null
      },
+      {
+        "kind": "OBJECT",
+        "name": "WinlogEcsFields",
+        "description": "",
+        "fields": [
+          {
+            "name": "event_id",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          }
+        ],
+        "inputFields": null,
+        "interfaces": [],
+        "enumValues": null,
+        "possibleTypes": null
+      },
      {
        "kind": "OBJECT",
        "name": "ProcessEcsFields",
        "description": "",
        "fields": [
+          {
+            "name": "hash",
+            "description": "",
+            "args": [],
+            "type": { "kind": "OBJECT", "name": "ProcessHashData", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
          {
            "name": "pid",
            "description": "",
@ -5011,6 +5255,41 @@
        "enumValues": null,
        "possibleTypes": null
      },
+      {
+        "kind": "OBJECT",
+        "name": "ProcessHashData",
+        "description": "",
+        "fields": [
+          {
+            "name": "md5",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "sha1",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "sha256",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          }
+        ],
+        "inputFields": null,
+        "interfaces": [],
+        "enumValues": null,
+        "possibleTypes": null
+      },
      {
        "kind": "OBJECT",
        "name": "Thread",
@ -5043,6 +5322,14 @@
        "name": "FileFields",
        "description": "",
        "fields": [
+          {
+            "name": "name",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
          {
            "name": "path",
            "description": "",
@ -8215,6 +8502,62 @@
            "isDeprecated": false,
            "deprecationReason": null
          },
+          {
+            "name": "endgameDns",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "endgameFile",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "endgameImageLoad",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "endgameNetwork",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "endgameProcess",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "endgameRegistry",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
+          {
+            "name": "endgameSecurity",
+            "description": "",
+            "args": [],
+            "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+            "isDeprecated": false,
+            "deprecationReason": null
+          },
          {
            "name": "filebeatSystemModule",
            "description": "",
--- a/x-pack/legacy/plugins/siem/public/graphql/types.ts
+++ b/x-pack/legacy/plugins/siem/public/graphql/types.ts
@ -539,6 +539,8 @@ export interface AuthenticationItem {
 }

 export interface UserEcsFields {
+  domain?: Maybe<string[]>;
+
  id?: Maybe<string[]>;

  name?: Maybe<string[]>;
@ -687,6 +689,10 @@ export interface Ecs {

  destination?: Maybe<DestinationEcsFields>;

+  dns?: Maybe<DnsEcsFields>;
+
+  endgame?: Maybe<EndgameEcsFields>;
+
  event?: Maybe<EventEcsFields>;

  geo?: Maybe<GeoEcsFields>;
@ -713,6 +719,8 @@ export interface Ecs {

  user?: Maybe<UserEcsFields>;

+  winlog?: Maybe<WinlogEcsFields>;
+
  process?: Maybe<ProcessEcsFields>;

  file?: Maybe<FileFields>;
@ -774,11 +782,55 @@ export interface DestinationEcsFields {
  packets?: Maybe<number[]>;
 }

+export interface DnsEcsFields {
+  question?: Maybe<DnsQuestionData>;
+
+  resolved_ip?: Maybe<string[]>;
+
+  response_code?: Maybe<string[]>;
+}
+
+export interface DnsQuestionData {
+  name?: Maybe<string[]>;
+
+  type?: Maybe<string[]>;
+}
+
+export interface EndgameEcsFields {
+  exit_code?: Maybe<number[]>;
+
+  file_name?: Maybe<string[]>;
+
+  file_path?: Maybe<string[]>;
+
+  logon_type?: Maybe<number[]>;
+
+  parent_process_name?: Maybe<string[]>;
+
+  pid?: Maybe<number[]>;
+
+  process_name?: Maybe<string[]>;
+
+  subject_domain_name?: Maybe<string[]>;
+
+  subject_logon_id?: Maybe<string[]>;
+
+  subject_user_name?: Maybe<string[]>;
+
+  target_domain_name?: Maybe<string[]>;
+
+  target_logon_id?: Maybe<string[]>;
+
+  target_user_name?: Maybe<string[]>;
+}
+
 export interface EventEcsFields {
  action?: Maybe<string[]>;

  category?: Maybe<string[]>;

+  code?: Maybe<string[]>;
+
  created?: Maybe<string[]>;

  dataset?: Maybe<string[]>;
@ -1042,7 +1094,13 @@ export interface UrlEcsFields {
  password?: Maybe<string[]>;
 }

+export interface WinlogEcsFields {
+  event_id?: Maybe<number[]>;
+}
+
 export interface ProcessEcsFields {
+  hash?: Maybe<ProcessHashData>;
+
  pid?: Maybe<number[]>;

  name?: Maybe<string[]>;
@ -1060,6 +1118,14 @@ export interface ProcessEcsFields {
  working_directory?: Maybe<string[]>;
 }

+export interface ProcessHashData {
+  md5?: Maybe<string[]>;
+
+  sha1?: Maybe<string[]>;
+
+  sha256?: Maybe<string[]>;
+}
+
 export interface Thread {
  id?: Maybe<number[]>;

@ -1067,6 +1133,8 @@ export interface Thread {
 }

 export interface FileFields {
+  name?: Maybe<string[]>;
+
  path?: Maybe<string[]>;

  target_path?: Maybe<string[]>;
@ -1593,6 +1661,20 @@ export interface OverviewHostData {

  auditbeatUser?: Maybe<number>;

+  endgameDns?: Maybe<number>;
+
+  endgameFile?: Maybe<number>;
+
+  endgameImageLoad?: Maybe<number>;
+
+  endgameNetwork?: Maybe<number>;
+
+  endgameProcess?: Maybe<number>;
+
+  endgameRegistry?: Maybe<number>;
+
+  endgameSecurity?: Maybe<number>;
+
  filebeatSystemModule?: Maybe<number>;

  winlogbeat?: Maybe<number>;
@ -3414,6 +3496,20 @@ export namespace GetOverviewHostQuery {

    auditbeatUser: Maybe<number>;

+    endgameDns: Maybe<number>;
+
+    endgameFile: Maybe<number>;
+
+    endgameImageLoad: Maybe<number>;
+
+    endgameNetwork: Maybe<number>;
+
+    endgameProcess: Maybe<number>;
+
+    endgameRegistry: Maybe<number>;
+
+    endgameSecurity: Maybe<number>;
+
    filebeatSystemModule: Maybe<number>;

    winlogbeat: Maybe<number>;
@ -3843,6 +3939,10 @@ export namespace GetTimelineQuery {

    destination: Maybe<Destination>;

+    dns: Maybe<Dns>;
+
+    endgame: Maybe<Endgame>;
+
    geo: Maybe<__Geo>;

    suricata: Maybe<Suricata>;
@ -3857,6 +3957,8 @@ export namespace GetTimelineQuery {

    user: Maybe<User>;

+    winlog: Maybe<Winlog>;
+
    process: Maybe<Process>;

    zeek: Maybe<Zeek>;
@ -3913,6 +4015,8 @@ export namespace GetTimelineQuery {

    category: Maybe<string[]>;

+    code: Maybe<string[]>;
+
    created: Maybe<string[]>;

    dataset: Maybe<string[]>;
@ -4003,6 +4107,8 @@ export namespace GetTimelineQuery {
  export type File = {
    __typename?: 'FileFields';

+    name: Maybe<string[]>;
+
    path: Maybe<string[]>;

    target_path: Maybe<string[]>;
@ -4102,6 +4208,54 @@ export namespace GetTimelineQuery {
    region_name: Maybe<string[]>;
  };

+  export type Dns = {
+    __typename?: 'DnsEcsFields';
+
+    question: Maybe<Question>;
+
+    resolved_ip: Maybe<string[]>;
+
+    response_code: Maybe<string[]>;
+  };
+
+  export type Question = {
+    __typename?: 'DnsQuestionData';
+
+    name: Maybe<string[]>;
+
+    type: Maybe<string[]>;
+  };
+
+  export type Endgame = {
+    __typename?: 'EndgameEcsFields';
+
+    exit_code: Maybe<number[]>;
+
+    file_name: Maybe<string[]>;
+
+    file_path: Maybe<string[]>;
+
+    logon_type: Maybe<number[]>;
+
+    parent_process_name: Maybe<string[]>;
+
+    pid: Maybe<number[]>;
+
+    process_name: Maybe<string[]>;
+
+    subject_domain_name: Maybe<string[]>;
+
+    subject_logon_id: Maybe<string[]>;
+
+    subject_user_name: Maybe<string[]>;
+
+    target_domain_name: Maybe<string[]>;
+
+    target_logon_id: Maybe<string[]>;
+
+    target_user_name: Maybe<string[]>;
+  };
+
  export type __Geo = {
    __typename?: 'GeoEcsFields';

@ -4255,12 +4409,22 @@ export namespace GetTimelineQuery {
  export type User = {
    __typename?: 'UserEcsFields';

+    domain: Maybe<string[]>;
+
    name: Maybe<string[]>;
  };

+  export type Winlog = {
+    __typename?: 'WinlogEcsFields';
+
+    event_id: Maybe<number[]>;
+  };
+
  export type Process = {
    __typename?: 'ProcessEcsFields';

+    hash: Maybe<Hash>;
+
    pid: Maybe<number[]>;

    name: Maybe<string[]>;
@ -4276,6 +4440,16 @@ export namespace GetTimelineQuery {
    working_directory: Maybe<string[]>;
  };

+  export type Hash = {
+    __typename?: 'ProcessHashData';
+
+    md5: Maybe<string[]>;
+
+    sha1: Maybe<string[]>;
+
+    sha256: Maybe<string[]>;
+  };
+
  export type Zeek = {
    __typename?: 'ZeekEcsFields';

@ -4285,7 +4459,7 @@ export namespace GetTimelineQuery {

    notice: Maybe<Notice>;

-    dns: Maybe<Dns>;
+    dns: Maybe<_Dns>;

    http: Maybe<_Http>;

@ -4326,7 +4500,7 @@ export namespace GetTimelineQuery {
    peer_descr: Maybe<string[]>;
  };

-  export type Dns = {
+  export type _Dns = {
    __typename?: 'ZeekDnsData';

    AA: Maybe<boolean[]>;
--- a/x-pack/legacy/plugins/siem/public/mock/ui_settings.ts
+++ b/x-pack/legacy/plugins/siem/public/mock/ui_settings.ts
@ -18,6 +18,7 @@ import {
  DEFAULT_INTERVAL_PAUSE,
  DEFAULT_INTERVAL_VALUE,
 } from '../../common/constants';
+import { defaultIndexPattern } from '../../default_index_pattern';

 chrome.getUiSettingsClient().get.mockImplementation((key: string) => {
  switch (key) {
@ -36,7 +37,7 @@ chrome.getUiSettingsClient().get.mockImplementation((key: string) => {
        value: DEFAULT_INTERVAL_VALUE,
      };
    case DEFAULT_INDEX_KEY:
-      return ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'];
+      return defaultIndexPattern;
    case DEFAULT_DATE_FORMAT_TZ:
      return 'Asia/Taipei';
    case DEFAULT_DARK_MODE:
--- a/x-pack/legacy/plugins/siem/public/pages/hosts/details/body.test.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/hosts/details/body.test.tsx
@ -51,7 +51,10 @@ describe('body', () => {
      endDate: 0,
      filterQuery: { term: { 'host.name': 'host-1' } },
      hostName: 'host-1',
-      indexPattern: { fields: [], title: 'auditbeat-*,filebeat-*,packetbeat-*,winlogbeat-*' },
+      indexPattern: {
+        fields: [],
+        title: 'auditbeat-*,endgame-*,filebeat-*,packetbeat-*,winlogbeat-*',
+      },
      kqlQueryExpression: 'host.name: "host-1"',
      skip: false,
      startDate: 0,
--- a/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts
+++ b/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts
@ -12,6 +12,7 @@ export const ecsSchema = gql`
  type EventEcsFields {
    action: ToStringArray
    category: ToStringArray
+    code: ToStringArray
    created: ToDateArray
    dataset: ToStringArray
    duration: ToNumberArray
@ -97,7 +98,14 @@ export const ecsSchema = gql`
    start: ToStringArray
  }

+  type ProcessHashData {
+    md5: ToStringArray
+    sha1: ToStringArray
+    sha256: ToStringArray
+  }
+
  type ProcessEcsFields {
+    hash: ProcessHashData
    pid: ToNumberArray
    name: ToStringArray
    ppid: ToNumberArray
@ -126,6 +134,33 @@ export const ecsSchema = gql`
    packets: ToNumberArray
  }

+  type DnsQuestionData {
+    name: ToStringArray
+    type: ToStringArray
+  }
+
+  type DnsEcsFields {
+    question: DnsQuestionData
+    resolved_ip: ToStringArray
+    response_code: ToStringArray
+  }
+
+  type EndgameEcsFields {
+    exit_code: ToNumberArray
+    file_name: ToStringArray
+    file_path: ToStringArray
+    logon_type: ToNumberArray
+    parent_process_name: ToStringArray
+    pid: ToNumberArray
+    process_name: ToStringArray
+    subject_domain_name: ToStringArray
+    subject_logon_id: ToStringArray
+    subject_user_name: ToStringArray
+    target_domain_name: ToStringArray
+    target_logon_id: ToStringArray
+    target_user_name: ToStringArray
+  }
+
  type SuricataAlertData {
    signature: ToStringArray
    signature_id: ToNumberArray
@ -200,6 +235,7 @@ export const ecsSchema = gql`
  }

  type FileFields {
+    name: ToStringArray
    path: ToStringArray
    target_path: ToStringArray
    extension: ToStringArray
@ -294,6 +330,7 @@ export const ecsSchema = gql`
  }

  type UserEcsFields {
+    domain: ToStringArray
    id: ToStringArray
    name: ToStringArray
    full_name: ToStringArray
@ -302,6 +339,10 @@ export const ecsSchema = gql`
    group: ToStringArray
  }

+  type WinlogEcsFields {
+    event_id: ToNumberArray
+  }
+
  type NetworkEcsField {
    bytes: ToNumberArray
    community_id: ToStringArray
@ -343,6 +384,8 @@ export const ecsSchema = gql`
    _index: String
    auditd: AuditdEcsFields
    destination: DestinationEcsFields
+    dns: DnsEcsFields
+    endgame: EndgameEcsFields
    event: EventEcsFields
    geo: GeoEcsFields
    host: HostEcsFields
@ -356,6 +399,7 @@ export const ecsSchema = gql`
    timestamp: Date
    message: ToStringArray
    user: UserEcsFields
+    winlog: WinlogEcsFields
    process: ProcessEcsFields
    file: FileFields
    system: SystemEcsField
--- a/x-pack/legacy/plugins/siem/server/graphql/overview/schema.gql.ts
+++ b/x-pack/legacy/plugins/siem/server/graphql/overview/schema.gql.ts
@ -27,6 +27,13 @@ export const overviewSchema = gql`
    auditbeatPackage: Float
    auditbeatProcess: Float
    auditbeatUser: Float
+    endgameDns: Float
+    endgameFile: Float
+    endgameImageLoad: Float
+    endgameNetwork: Float
+    endgameProcess: Float
+    endgameRegistry: Float
+    endgameSecurity: Float
    filebeatSystemModule: Float
    winlogbeat: Float
    inspect: Inspect
--- a/x-pack/legacy/plugins/siem/server/graphql/types.ts
+++ b/x-pack/legacy/plugins/siem/server/graphql/types.ts
@ -541,6 +541,8 @@ export interface AuthenticationItem {
 }

 export interface UserEcsFields {
+  domain?: Maybe<string[] | string>;
+
  id?: Maybe<string[] | string>;

  name?: Maybe<string[] | string>;
@ -689,6 +691,10 @@ export interface Ecs {

  destination?: Maybe<DestinationEcsFields>;

+  dns?: Maybe<DnsEcsFields>;
+
+  endgame?: Maybe<EndgameEcsFields>;
+
  event?: Maybe<EventEcsFields>;

  geo?: Maybe<GeoEcsFields>;
@ -715,6 +721,8 @@ export interface Ecs {

  user?: Maybe<UserEcsFields>;

+  winlog?: Maybe<WinlogEcsFields>;
+
  process?: Maybe<ProcessEcsFields>;

  file?: Maybe<FileFields>;
@ -776,11 +784,55 @@ export interface DestinationEcsFields {
  packets?: Maybe<number[] | number>;
 }

+export interface DnsEcsFields {
+  question?: Maybe<DnsQuestionData>;
+
+  resolved_ip?: Maybe<string[] | string>;
+
+  response_code?: Maybe<string[] | string>;
+}
+
+export interface DnsQuestionData {
+  name?: Maybe<string[] | string>;
+
+  type?: Maybe<string[] | string>;
+}
+
+export interface EndgameEcsFields {
+  exit_code?: Maybe<number[] | number>;
+
+  file_name?: Maybe<string[] | string>;
+
+  file_path?: Maybe<string[] | string>;
+
+  logon_type?: Maybe<number[] | number>;
+
+  parent_process_name?: Maybe<string[] | string>;
+
+  pid?: Maybe<number[] | number>;
+
+  process_name?: Maybe<string[] | string>;
+
+  subject_domain_name?: Maybe<string[] | string>;
+
+  subject_logon_id?: Maybe<string[] | string>;
+
+  subject_user_name?: Maybe<string[] | string>;
+
+  target_domain_name?: Maybe<string[] | string>;
+
+  target_logon_id?: Maybe<string[] | string>;
+
+  target_user_name?: Maybe<string[] | string>;
+}
+
 export interface EventEcsFields {
  action?: Maybe<string[] | string>;

  category?: Maybe<string[] | string>;

+  code?: Maybe<string[] | string>;
+
  created?: Maybe<string[] | string>;

  dataset?: Maybe<string[] | string>;
@ -1044,7 +1096,13 @@ export interface UrlEcsFields {
  password?: Maybe<string[] | string>;
 }

+export interface WinlogEcsFields {
+  event_id?: Maybe<number[] | number>;
+}
+
 export interface ProcessEcsFields {
+  hash?: Maybe<ProcessHashData>;
+
  pid?: Maybe<number[] | number>;

  name?: Maybe<string[] | string>;
@ -1062,6 +1120,14 @@ export interface ProcessEcsFields {
  working_directory?: Maybe<string[] | string>;
 }

+export interface ProcessHashData {
+  md5?: Maybe<string[] | string>;
+
+  sha1?: Maybe<string[] | string>;
+
+  sha256?: Maybe<string[] | string>;
+}
+
 export interface Thread {
  id?: Maybe<number[] | number>;

@ -1069,6 +1135,8 @@ export interface Thread {
 }

 export interface FileFields {
+  name?: Maybe<string[] | string>;
+
  path?: Maybe<string[] | string>;

  target_path?: Maybe<string[] | string>;
@ -1595,6 +1663,20 @@ export interface OverviewHostData {

  auditbeatUser?: Maybe<number>;

+  endgameDns?: Maybe<number>;
+
+  endgameFile?: Maybe<number>;
+
+  endgameImageLoad?: Maybe<number>;
+
+  endgameNetwork?: Maybe<number>;
+
+  endgameProcess?: Maybe<number>;
+
+  endgameRegistry?: Maybe<number>;
+
+  endgameSecurity?: Maybe<number>;
+
  filebeatSystemModule?: Maybe<number>;

  winlogbeat?: Maybe<number>;
@ -3185,6 +3267,8 @@ export namespace AuthenticationItemResolvers {

 export namespace UserEcsFieldsResolvers {
  export interface Resolvers<TContext = SiemContext, TypeParent = UserEcsFields> {
+    domain?: DomainResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
    id?: IdResolver<Maybe<string[] | string>, TypeParent, TContext>;

    name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -3198,6 +3282,11 @@ export namespace UserEcsFieldsResolvers {
    group?: GroupResolver<Maybe<string[] | string>, TypeParent, TContext>;
  }

+  export type DomainResolver<
+    R = Maybe<string[] | string>,
+    Parent = UserEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
  export type IdResolver<
    R = Maybe<string[] | string>,
    Parent = UserEcsFields,
@ -3655,6 +3744,10 @@ export namespace EcsResolvers {

    destination?: DestinationResolver<Maybe<DestinationEcsFields>, TypeParent, TContext>;

+    dns?: DnsResolver<Maybe<DnsEcsFields>, TypeParent, TContext>;
+
+    endgame?: EndgameResolver<Maybe<EndgameEcsFields>, TypeParent, TContext>;
+
    event?: EventResolver<Maybe<EventEcsFields>, TypeParent, TContext>;

    geo?: GeoResolver<Maybe<GeoEcsFields>, TypeParent, TContext>;
@ -3681,6 +3774,8 @@ export namespace EcsResolvers {

    user?: UserResolver<Maybe<UserEcsFields>, TypeParent, TContext>;

+    winlog?: WinlogResolver<Maybe<WinlogEcsFields>, TypeParent, TContext>;
+
    process?: ProcessResolver<Maybe<ProcessEcsFields>, TypeParent, TContext>;

    file?: FileResolver<Maybe<FileFields>, TypeParent, TContext>;
@ -3708,6 +3803,16 @@ export namespace EcsResolvers {
    Parent = Ecs,
    TContext = SiemContext
  > = Resolver<R, Parent, TContext>;
+  export type DnsResolver<R = Maybe<DnsEcsFields>, Parent = Ecs, TContext = SiemContext> = Resolver<
+    R,
+    Parent,
+    TContext
+  >;
+  export type EndgameResolver<
+    R = Maybe<EndgameEcsFields>,
+    Parent = Ecs,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
  export type EventResolver<
    R = Maybe<EventEcsFields>,
    Parent = Ecs,
@ -3773,6 +3878,11 @@ export namespace EcsResolvers {
    Parent = Ecs,
    TContext = SiemContext
  > = Resolver<R, Parent, TContext>;
+  export type WinlogResolver<
+    R = Maybe<WinlogEcsFields>,
+    Parent = Ecs,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
  export type ProcessResolver<
    R = Maybe<ProcessEcsFields>,
    Parent = Ecs,
@ -3969,12 +4079,155 @@ export namespace DestinationEcsFieldsResolvers {
  > = Resolver<R, Parent, TContext>;
 }

+export namespace DnsEcsFieldsResolvers {
+  export interface Resolvers<TContext = SiemContext, TypeParent = DnsEcsFields> {
+    question?: QuestionResolver<Maybe<DnsQuestionData>, TypeParent, TContext>;
+
+    resolved_ip?: ResolvedIpResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    response_code?: ResponseCodeResolver<Maybe<string[] | string>, TypeParent, TContext>;
+  }
+
+  export type QuestionResolver<
+    R = Maybe<DnsQuestionData>,
+    Parent = DnsEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type ResolvedIpResolver<
+    R = Maybe<string[] | string>,
+    Parent = DnsEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type ResponseCodeResolver<
+    R = Maybe<string[] | string>,
+    Parent = DnsEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+}
+
+export namespace DnsQuestionDataResolvers {
+  export interface Resolvers<TContext = SiemContext, TypeParent = DnsQuestionData> {
+    name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    type?: TypeResolver<Maybe<string[] | string>, TypeParent, TContext>;
+  }
+
+  export type NameResolver<
+    R = Maybe<string[] | string>,
+    Parent = DnsQuestionData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type TypeResolver<
+    R = Maybe<string[] | string>,
+    Parent = DnsQuestionData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+}
+
+export namespace EndgameEcsFieldsResolvers {
+  export interface Resolvers<TContext = SiemContext, TypeParent = EndgameEcsFields> {
+    exit_code?: ExitCodeResolver<Maybe<number[] | number>, TypeParent, TContext>;
+
+    file_name?: FileNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    file_path?: FilePathResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    logon_type?: LogonTypeResolver<Maybe<number[] | number>, TypeParent, TContext>;
+
+    parent_process_name?: ParentProcessNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    pid?: PidResolver<Maybe<number[] | number>, TypeParent, TContext>;
+
+    process_name?: ProcessNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    subject_domain_name?: SubjectDomainNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    subject_logon_id?: SubjectLogonIdResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    subject_user_name?: SubjectUserNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    target_domain_name?: TargetDomainNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    target_logon_id?: TargetLogonIdResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    target_user_name?: TargetUserNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+  }
+
+  export type ExitCodeResolver<
+    R = Maybe<number[] | number>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type FileNameResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type FilePathResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type LogonTypeResolver<
+    R = Maybe<number[] | number>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type ParentProcessNameResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type PidResolver<
+    R = Maybe<number[] | number>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type ProcessNameResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type SubjectDomainNameResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type SubjectLogonIdResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type SubjectUserNameResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type TargetDomainNameResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type TargetLogonIdResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type TargetUserNameResolver<
+    R = Maybe<string[] | string>,
+    Parent = EndgameEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+}
+
 export namespace EventEcsFieldsResolvers {
  export interface Resolvers<TContext = SiemContext, TypeParent = EventEcsFields> {
    action?: ActionResolver<Maybe<string[] | string>, TypeParent, TContext>;

    category?: CategoryResolver<Maybe<string[] | string>, TypeParent, TContext>;

+    code?: CodeResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
    created?: CreatedResolver<Maybe<string[] | string>, TypeParent, TContext>;

    dataset?: DatasetResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -4018,6 +4271,11 @@ export namespace EventEcsFieldsResolvers {
    Parent = EventEcsFields,
    TContext = SiemContext
  > = Resolver<R, Parent, TContext>;
+  export type CodeResolver<
+    R = Maybe<string[] | string>,
+    Parent = EventEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
  export type CreatedResolver<
    R = Maybe<string[] | string>,
    Parent = EventEcsFields,
@ -4869,8 +5127,22 @@ export namespace UrlEcsFieldsResolvers {
  > = Resolver<R, Parent, TContext>;
 }

+export namespace WinlogEcsFieldsResolvers {
+  export interface Resolvers<TContext = SiemContext, TypeParent = WinlogEcsFields> {
+    event_id?: EventIdResolver<Maybe<number[] | number>, TypeParent, TContext>;
+  }
+
+  export type EventIdResolver<
+    R = Maybe<number[] | number>,
+    Parent = WinlogEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+}
+
 export namespace ProcessEcsFieldsResolvers {
  export interface Resolvers<TContext = SiemContext, TypeParent = ProcessEcsFields> {
+    hash?: HashResolver<Maybe<ProcessHashData>, TypeParent, TContext>;
+
    pid?: PidResolver<Maybe<number[] | number>, TypeParent, TContext>;

    name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -4888,6 +5160,11 @@ export namespace ProcessEcsFieldsResolvers {
    working_directory?: WorkingDirectoryResolver<Maybe<string[] | string>, TypeParent, TContext>;
  }

+  export type HashResolver<
+    R = Maybe<ProcessHashData>,
+    Parent = ProcessEcsFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
  export type PidResolver<
    R = Maybe<number[] | number>,
    Parent = ProcessEcsFields,
@ -4930,6 +5207,32 @@ export namespace ProcessEcsFieldsResolvers {
  > = Resolver<R, Parent, TContext>;
 }

+export namespace ProcessHashDataResolvers {
+  export interface Resolvers<TContext = SiemContext, TypeParent = ProcessHashData> {
+    md5?: Md5Resolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    sha1?: Sha1Resolver<Maybe<string[] | string>, TypeParent, TContext>;
+
+    sha256?: Sha256Resolver<Maybe<string[] | string>, TypeParent, TContext>;
+  }
+
+  export type Md5Resolver<
+    R = Maybe<string[] | string>,
+    Parent = ProcessHashData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type Sha1Resolver<
+    R = Maybe<string[] | string>,
+    Parent = ProcessHashData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type Sha256Resolver<
+    R = Maybe<string[] | string>,
+    Parent = ProcessHashData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+}
+
 export namespace ThreadResolvers {
  export interface Resolvers<TContext = SiemContext, TypeParent = Thread> {
    id?: IdResolver<Maybe<number[] | number>, TypeParent, TContext>;
@ -4951,6 +5254,8 @@ export namespace ThreadResolvers {

 export namespace FileFieldsResolvers {
  export interface Resolvers<TContext = SiemContext, TypeParent = FileFields> {
+    name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
+
    path?: PathResolver<Maybe<string[] | string>, TypeParent, TContext>;

    target_path?: TargetPathResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -4980,6 +5285,11 @@ export namespace FileFieldsResolvers {
    ctime?: CtimeResolver<Maybe<string[] | string>, TypeParent, TContext>;
  }

+  export type NameResolver<
+    R = Maybe<string[] | string>,
+    Parent = FileFields,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
  export type PathResolver<
    R = Maybe<string[] | string>,
    Parent = FileFields,
@ -6702,6 +7012,20 @@ export namespace OverviewHostDataResolvers {

    auditbeatUser?: AuditbeatUserResolver<Maybe<number>, TypeParent, TContext>;

+    endgameDns?: EndgameDnsResolver<Maybe<number>, TypeParent, TContext>;
+
+    endgameFile?: EndgameFileResolver<Maybe<number>, TypeParent, TContext>;
+
+    endgameImageLoad?: EndgameImageLoadResolver<Maybe<number>, TypeParent, TContext>;
+
+    endgameNetwork?: EndgameNetworkResolver<Maybe<number>, TypeParent, TContext>;
+
+    endgameProcess?: EndgameProcessResolver<Maybe<number>, TypeParent, TContext>;
+
+    endgameRegistry?: EndgameRegistryResolver<Maybe<number>, TypeParent, TContext>;
+
+    endgameSecurity?: EndgameSecurityResolver<Maybe<number>, TypeParent, TContext>;
+
    filebeatSystemModule?: FilebeatSystemModuleResolver<Maybe<number>, TypeParent, TContext>;

    winlogbeat?: WinlogbeatResolver<Maybe<number>, TypeParent, TContext>;
@ -6739,6 +7063,41 @@ export namespace OverviewHostDataResolvers {
    Parent = OverviewHostData,
    TContext = SiemContext
  > = Resolver<R, Parent, TContext>;
+  export type EndgameDnsResolver<
+    R = Maybe<number>,
+    Parent = OverviewHostData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type EndgameFileResolver<
+    R = Maybe<number>,
+    Parent = OverviewHostData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type EndgameImageLoadResolver<
+    R = Maybe<number>,
+    Parent = OverviewHostData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type EndgameNetworkResolver<
+    R = Maybe<number>,
+    Parent = OverviewHostData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type EndgameProcessResolver<
+    R = Maybe<number>,
+    Parent = OverviewHostData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type EndgameRegistryResolver<
+    R = Maybe<number>,
+    Parent = OverviewHostData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
+  export type EndgameSecurityResolver<
+    R = Maybe<number>,
+    Parent = OverviewHostData,
+    TContext = SiemContext
+  > = Resolver<R, Parent, TContext>;
  export type FilebeatSystemModuleResolver<
    R = Maybe<number>,
    Parent = OverviewHostData,
@ -7781,6 +8140,9 @@ export type IResolvers<TContext = SiemContext> = {
  Summary?: SummaryResolvers.Resolvers<TContext>;
  PrimarySecondary?: PrimarySecondaryResolvers.Resolvers<TContext>;
  DestinationEcsFields?: DestinationEcsFieldsResolvers.Resolvers<TContext>;
+  DnsEcsFields?: DnsEcsFieldsResolvers.Resolvers<TContext>;
+  DnsQuestionData?: DnsQuestionDataResolvers.Resolvers<TContext>;
+  EndgameEcsFields?: EndgameEcsFieldsResolvers.Resolvers<TContext>;
  EventEcsFields?: EventEcsFieldsResolvers.Resolvers<TContext>;
  NetworkEcsField?: NetworkEcsFieldResolvers.Resolvers<TContext>;
  SuricataEcsFields?: SuricataEcsFieldsResolvers.Resolvers<TContext>;
@ -7804,7 +8166,9 @@ export type IResolvers<TContext = SiemContext> = {
  HttpBodyData?: HttpBodyDataResolvers.Resolvers<TContext>;
  HttpResponseData?: HttpResponseDataResolvers.Resolvers<TContext>;
  UrlEcsFields?: UrlEcsFieldsResolvers.Resolvers<TContext>;
+  WinlogEcsFields?: WinlogEcsFieldsResolvers.Resolvers<TContext>;
  ProcessEcsFields?: ProcessEcsFieldsResolvers.Resolvers<TContext>;
+  ProcessHashData?: ProcessHashDataResolvers.Resolvers<TContext>;
  Thread?: ThreadResolvers.Resolvers<TContext>;
  FileFields?: FileFieldsResolvers.Resolvers<TContext>;
  SystemEcsField?: SystemEcsFieldResolvers.Resolvers<TContext>;
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/build_events_query.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/build_events_query.ts
@ -4,12 +4,14 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { defaultIndexPattern } from '../../../../default_index_pattern';
+
 // TODO: See build_events_reindex.ts for all the spots to make things "configurable"
 // here but this is intended to replace the build_events_reindex.ts
 export const buildEventsQuery = () => {
  return {
    allowNoIndices: true,
-    index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+    index: defaultIndexPattern,
    ignoreUnavailable: true,
    body: {
      query: {
--- a/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
@ -33,6 +33,7 @@ export const cloudFieldsMap: Readonly<Record<string, string>> = {
 };

 export const fileMap: Readonly<Record<string, string>> = {
+  'file.name': 'file.name',
  'file.path': 'file.path',
  'file.target_path': 'file.target_path',
  'file.extension': 'file.extension',
@ -68,6 +69,9 @@ export const hostFieldsMap: Readonly<Record<string, string>> = {
 };

 export const processFieldsMap: Readonly<Record<string, string>> = {
+  'process.hash.md5': 'process.hash.md5',
+  'process.hash.sha1': 'process.hash.sha1',
+  'process.hash.sha256': 'process.hash.sha256',
  'process.pid': 'process.pid',
  'process.name': 'process.name',
  'process.ppid': 'process.ppid',
@ -79,6 +83,7 @@ export const processFieldsMap: Readonly<Record<string, string>> = {
 };

 export const userFieldsMap: Readonly<Record<string, string>> = {
+  'user.domain': 'user.domain',
  'user.id': 'user.id',
  'user.name': 'user.name',
  // NOTE: This field is not tested and available from ECS. Please remove this tag once it is
@ -91,6 +96,10 @@ export const userFieldsMap: Readonly<Record<string, string>> = {
  'user.group': 'user.group',
 };

+export const winlogFieldsMap: Readonly<Record<string, string>> = {
+  'winlog.event_id': 'winlog.event_id',
+};
+
 export const suricataFieldsMap: Readonly<Record<string, string>> = {
  'suricata.eve.flow_id': 'suricata.eve.flow_id',
  'suricata.eve.proto': 'suricata.eve.proto',
@ -219,9 +228,33 @@ export const geoFieldsMap: Readonly<Record<string, string>> = {
  'geo.country_iso_code': 'destination.geo.country_iso_code',
 };

+export const dnsFieldsMap: Readonly<Record<string, string>> = {
+  'dns.question.name': 'dns.question.name',
+  'dns.question.type': 'dns.question.type',
+  'dns.resolved_ip': 'dns.resolved_ip',
+  'dns.response_code': 'dns.response_code',
+};
+
+export const endgameFieldsMap: Readonly<Record<string, string>> = {
+  'endgame.exit_code': 'endgame.exit_code',
+  'endgame.file_name': 'endgame.file_name',
+  'endgame.file_path': 'endgame.file_path',
+  'endgame.logon_type': 'endgame.logon_type',
+  'endgame.parent_process_name': 'endgame.parent_process_name',
+  'endgame.pid': 'endgame.pid',
+  'endgame.process_name': 'endgame.process_name',
+  'endgame.subject_domain_name': 'endgame.subject_domain_name',
+  'endgame.subject_logon_id': 'endgame.subject_logon_id',
+  'endgame.subject_user_name': 'endgame.subject_user_name',
+  'endgame.target_domain_name': 'endgame.target_domain_name',
+  'endgame.target_logon_id': 'endgame.target_logon_id',
+  'endgame.target_user_name': 'endgame.target_user_name',
+};
+
 export const eventBaseFieldsMap: Readonly<Record<string, string>> = {
  'event.action': 'event.action',
  'event.category': 'event.category',
+  'event.code': 'event.code',
  'event.created': 'event.created',
  'event.dataset': 'event.dataset',
  'event.duration': 'event.duration',
@ -257,6 +290,8 @@ export const eventFieldsMap: Readonly<Record<string, string>> = {
  message: 'message',
  ...{ ...auditdMap },
  ...{ ...destinationFieldsMap },
+  ...{ ...dnsFieldsMap },
+  ...{ ...endgameFieldsMap },
  ...{ ...eventBaseFieldsMap },
  ...{ ...geoFieldsMap },
  ...{ ...hostFieldsMap },
@ -268,6 +303,7 @@ export const eventFieldsMap: Readonly<Record<string, string>> = {
  ...{ ...zeekFieldsMap },
  ...{ ...httpFieldsMap },
  ...{ ...userFieldsMap },
+  ...{ ...winlogFieldsMap },
  ...{ ...processFieldsMap },
  ...{ ...fileMap },
 };
--- a/x-pack/legacy/plugins/siem/server/lib/events/mock.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/events/mock.ts
@ -5,6 +5,7 @@
 */

 import { cloneDeep } from 'lodash/fp';
+import { defaultIndexPattern } from '../../../default_index_pattern';
 import { RequestDetailsOptions } from './types';

 export const mockResponseSearchTimelineDetails = {
@ -184,7 +185,7 @@ export const mockResponseSearchTimelineDetails = {
 export const mockOptions: RequestDetailsOptions = {
  indexName: 'auditbeat-8.0.0-2019.03.29-000003',
  eventId: 'TUfUymkBCQofM5eXGBYL',
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
 };

 export const mockRequest = {
--- a/x-pack/legacy/plugins/siem/server/lib/hosts/mock.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/hosts/mock.ts
@ -5,6 +5,7 @@
 */

 import { Direction, HostsFields } from '../../graphql/types';
+import { defaultIndexPattern } from '../../../default_index_pattern';

 import {
  HostOverviewRequestOptions,
@ -13,7 +14,7 @@ import {
 } from '.';

 export const mockGetHostsOptions: HostsRequestOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
@ -298,7 +299,7 @@ export const mockGetHostOverviewOptions: HostOverviewRequestOptions = {
    },
  },
  timerange: { interval: '12h', to: 1554824274610, from: 1554737874610 },
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  fields: [
    '_id',
    'host.architecture',
@ -504,7 +505,7 @@ export const mockGetHostOverviewResult = {
 };

 export const mockGetHostLastFirstSeenOptions: HostLastFirstSeenRequestOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
--- a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts
@ -4,13 +4,14 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { defaultIndexPattern } from '../../../default_index_pattern';
 import { RequestBasicOptions } from '../framework/types';

 const FROM = new Date('2019-05-03T13:24:00.660Z').valueOf();
 const TO = new Date('2019-05-04T13:24:00.660Z').valueOf();

 export const mockKpiHostsOptions: RequestBasicOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
@ -26,7 +27,7 @@ export const mockKpiHostsOptions: RequestBasicOptions = {
 };

 export const mockKpiHostDetailsOptions: RequestBasicOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
@ -293,7 +294,7 @@ export const mockKpiHostsResponse = {
 export const mockKpiHostsResponseNodata = { responses: [null, null, null] };

 const mockMsearchHeader = {
-  index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  index: defaultIndexPattern,
  allowNoIndices: true,
  ignoreUnavailable: true,
 };
--- a/x-pack/legacy/plugins/siem/server/lib/kpi_network/mock.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/kpi_network/mock.ts
@ -4,10 +4,11 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { defaultIndexPattern } from '../../../default_index_pattern';
 import { RequestBasicOptions } from '../framework/types';

 export const mockOptions: RequestBasicOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
--- a/x-pack/legacy/plugins/siem/server/lib/network/mock.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/network/mock.ts
@ -4,12 +4,13 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { defaultIndexPattern } from '../../../default_index_pattern';
 import { Direction, FlowTargetNew, NetworkTopNFlowFields } from '../../graphql/types';

 import { NetworkTopNFlowRequestOptions } from '.';

 export const mockOptions: NetworkTopNFlowRequestOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
--- a/x-pack/legacy/plugins/siem/server/lib/overview/elastic_adapter.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/elastic_adapter.test.ts
@ -136,6 +136,13 @@ describe('Siem Overview elasticsearch_adapter', () => {
    describe('Unhappy Path - No data', () => {
      const mockNoDataResponse = cloneDeep(mockResponseHost);
      mockNoDataResponse.aggregations.auditd_count.doc_count = 0;
+      mockNoDataResponse.aggregations.endgame_module.dns_event_count.doc_count = 0;
+      mockNoDataResponse.aggregations.endgame_module.file_event_count.doc_count = 0;
+      mockNoDataResponse.aggregations.endgame_module.image_load_event_count.doc_count = 0;
+      mockNoDataResponse.aggregations.endgame_module.network_event_count.doc_count = 0;
+      mockNoDataResponse.aggregations.endgame_module.process_event_count.doc_count = 0;
+      mockNoDataResponse.aggregations.endgame_module.registry_event.doc_count = 0;
+      mockNoDataResponse.aggregations.endgame_module.security_event_count.doc_count = 0;
      mockNoDataResponse.aggregations.fim_count.doc_count = 0;
      mockNoDataResponse.aggregations.system_module.login_count.doc_count = 0;
      mockNoDataResponse.aggregations.system_module.package_count.doc_count = 0;
@ -174,6 +181,13 @@ describe('Siem Overview elasticsearch_adapter', () => {
          auditbeatPackage: 0,
          auditbeatProcess: 0,
          auditbeatUser: 0,
+          endgameDns: 0,
+          endgameFile: 0,
+          endgameImageLoad: 0,
+          endgameNetwork: 0,
+          endgameProcess: 0,
+          endgameRegistry: 0,
+          endgameSecurity: 0,
          filebeatSystemModule: 0,
          winlogbeat: 0,
        });
--- a/x-pack/legacy/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
@ -85,6 +85,33 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
      auditbeatPackage: getOr(null, 'aggregations.system_module.package_count.doc_count', response),
      auditbeatProcess: getOr(null, 'aggregations.system_module.process_count.doc_count', response),
      auditbeatUser: getOr(null, 'aggregations.system_module.user_count.doc_count', response),
+      endgameDns: getOr(null, 'aggregations.endgame_module.dns_event_count.doc_count', response),
+      endgameFile: getOr(null, 'aggregations.endgame_module.file_event_count.doc_count', response),
+      endgameImageLoad: getOr(
+        null,
+        'aggregations.endgame_module.image_load_event_count.doc_count',
+        response
+      ),
+      endgameNetwork: getOr(
+        null,
+        'aggregations.endgame_module.network_event_count.doc_count',
+        response
+      ),
+      endgameProcess: getOr(
+        null,
+        'aggregations.endgame_module.process_event_count.doc_count',
+        response
+      ),
+      endgameRegistry: getOr(
+        null,
+        'aggregations.endgame_module.registry_event.doc_count',
+        response
+      ),
+      endgameSecurity: getOr(
+        null,
+        'aggregations.endgame_module.security_event_count.doc_count',
+        response
+      ),
      filebeatSystemModule: getOr(
        null,
        'aggregations.system_module.filebeat_count.doc_count',
--- a/x-pack/legacy/plugins/siem/server/lib/overview/mock.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/mock.ts
@ -4,10 +4,11 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { defaultIndexPattern } from '../../../default_index_pattern';
 import { RequestBasicOptions } from '../framework/types';

 export const mockOptionsNetwork: RequestBasicOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
@ -80,7 +81,7 @@ export const mockResultNetwork = {
 };

 export const mockOptionsHost: RequestBasicOptions = {
-  defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+  defaultIndex: defaultIndexPattern,
  sourceConfiguration: {
    fields: {
      container: 'docker.container.name',
@ -117,6 +118,16 @@ export const mockResponseHost = {
  hits: { total: { value: 950867, relation: 'eq' }, max_score: null, hits: [] },
  aggregations: {
    auditd_count: { doc_count: 73847 },
+    endgame_module: {
+      doc_count: 6258,
+      dns_event_count: { doc_count: 891 },
+      file_event_count: { doc_count: 892 },
+      image_load_event_count: { doc_count: 893 },
+      network_event_count: { doc_count: 894 },
+      process_event_count: { doc_count: 895 },
+      registry_event: { doc_count: 896 },
+      security_event_count: { doc_count: 897 },
+    },
    fim_count: { doc_count: 107307 },
    system_module: {
      doc_count: 20000000,
@ -141,6 +152,13 @@ export const mockResultHost = {
  auditbeatPackage: 2003,
  auditbeatProcess: 1200,
  auditbeatUser: 1979,
+  endgameDns: 891,
+  endgameFile: 892,
+  endgameImageLoad: 893,
+  endgameNetwork: 894,
+  endgameProcess: 895,
+  endgameRegistry: 896,
+  endgameSecurity: 897,
  filebeatSystemModule: 225,
  winlogbeat: 737,
 };
--- a/x-pack/legacy/plugins/siem/server/lib/overview/query.dsl.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/query.dsl.ts
@ -138,6 +138,64 @@ export const buildOverviewHostQuery = ({
            },
          },
        },
+        endgame_module: {
+          filter: {
+            term: {
+              'event.module': 'endgame',
+            },
+          },
+          aggs: {
+            dns_event_count: {
+              filter: {
+                term: {
+                  'endgame.event_type_full': 'dns_event',
+                },
+              },
+            },
+            file_event_count: {
+              filter: {
+                term: {
+                  'endgame.event_type_full': 'file_event',
+                },
+              },
+            },
+            image_load_event_count: {
+              filter: {
+                term: {
+                  'endgame.event_type_full': 'image_load_event',
+                },
+              },
+            },
+            network_event_count: {
+              filter: {
+                term: {
+                  'endgame.event_type_full': 'network_event',
+                },
+              },
+            },
+            process_event_count: {
+              filter: {
+                term: {
+                  'endgame.event_type_full': 'process_event',
+                },
+              },
+            },
+            registry_event: {
+              filter: {
+                term: {
+                  'endgame.event_type_full': 'registry_event',
+                },
+              },
+            },
+            security_event_count: {
+              filter: {
+                term: {
+                  'endgame.event_type_full': 'security_event',
+                },
+              },
+            },
+          },
+        },
        fim_count: {
          filter: {
            term: {
--- a/x-pack/legacy/plugins/siem/server/lib/overview/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/types.ts
@ -59,6 +59,29 @@ export interface OverviewHostHit extends SearchHit {
    auditd_count: {
      doc_count: number;
    };
+    endgame_module: {
+      dns_event_count: {
+        doc_count: number;
+      };
+      file_event_count: {
+        doc_count: number;
+      };
+      image_load_event_count: {
+        doc_count: number;
+      };
+      network_event_count: {
+        doc_count: number;
+      };
+      process_event_count: {
+        doc_count: number;
+      };
+      registry_event: {
+        doc_count: number;
+      };
+      security_event_count: {
+        doc_count: number;
+      };
+    };
    fim_count: {
      doc_count: number;
    };
--- a/x-pack/legacy/plugins/siem/server/lib/sources/configuration.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/sources/configuration.test.ts
@ -5,6 +5,7 @@
 */

 import { InmemoryConfigurationAdapter } from '../configuration/inmemory_configuration_adapter';
+import { defaultIndexPattern } from '../../../default_index_pattern';

 import { ConfigurationSourcesAdapter } from './configuration';
 import { PartialSourceConfiguration } from './types';
@ -75,7 +76,7 @@ describe('the ConfigurationSourcesAdapter', () => {
      new InmemoryConfigurationAdapter({
        sources: {
          sourceOne: {
-            defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+            defaultIndex: defaultIndexPattern,
            fields: {
              container: 'DIFFERENT_CONTAINER_FIELD',
            },
--- a/x-pack/legacy/plugins/siem/server/utils/build_query/create_options.test.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/build_query/create_options.test.ts
@ -6,6 +6,7 @@

 import { omit } from 'lodash/fp';

+import { defaultIndexPattern } from '../../../default_index_pattern';
 import { Direction } from '../../graphql/types';
 import { RequestOptions } from '../../lib/framework';

@ -29,7 +30,7 @@ describe('createOptions', () => {
      },
    };
    args = {
-      defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+      defaultIndex: defaultIndexPattern,
      pagination: {
        limit: 5,
      },
@ -56,7 +57,7 @@ describe('createOptions', () => {
  test('should create options given all input including sort field', () => {
    const options = createOptions(source, args, info);
    const expected: RequestOptions = {
-      defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+      defaultIndex: defaultIndexPattern,
      sourceConfiguration: {
        fields: {
          host: 'host-1',
@ -86,7 +87,7 @@ describe('createOptions', () => {
    const argsWithoutSort: Args = omit('sortField', args);
    const options = createOptions(source, argsWithoutSort, info);
    const expected: RequestOptions = {
-      defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+      defaultIndex: defaultIndexPattern,
      sourceConfiguration: {
        fields: {
          host: 'host-1',
--- a/x-pack/test/api_integration/apis/siem/overview_host.ts
+++ b/x-pack/test/api_integration/apis/siem/overview_host.ts
@ -8,6 +8,7 @@ import expect from '@kbn/expect';
 import { overviewHostQuery } from '../../../../legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query';
 import { GetOverviewHostQuery } from '../../../../legacy/plugins/siem/public/graphql/types';
 import { FtrProviderContext } from '../../ftr_provider_context';
+import { defaultIndexPattern } from '../../../../legacy/plugins/siem/default_index_pattern';

 export default function({ getService }: FtrProviderContext) {
  const esArchiver = getService('esArchiver');
@ -26,6 +27,13 @@ export default function({ getService }: FtrProviderContext) {
        auditbeatPackage: 3,
        auditbeatProcess: 7,
        auditbeatUser: 6,
+        endgameDns: 1,
+        endgameFile: 2,
+        endgameImageLoad: 1,
+        endgameNetwork: 4,
+        endgameProcess: 2,
+        endgameRegistry: 1,
+        endgameSecurity: 4,
        filebeatSystemModule: 0,
        winlogbeat: 1,
        __typename: 'OverviewHostData',
@ -42,7 +50,7 @@ export default function({ getService }: FtrProviderContext) {
                to: TO,
                from: FROM,
              },
-              defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+              defaultIndex: defaultIndexPattern,
              inspect: false,
            },
          })
--- a/x-pack/test/functional/es_archives/auditbeat/overview/data.json.gz
+++ b/x-pack/test/functional/es_archives/auditbeat/overview/data.json.gz