From 2881f1c8a72c7be407feece343322041e1bedc75 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com> Date: Thu, 19 Aug 2021 16:01:39 -0400 Subject: [PATCH] [Cases] Include rule registry client for updating alert statuses (#108588) * Trying to get import to work * Plumbed alerts client through and logging errors * No longer need the ES cluster client * Fixing types * Fixing imports * Fixing integration tests and refactoring * Throwing an error when rule registry is disabled * Reworking alert update and get to catch errors * Adding tests and fixing errors --- x-pack/plugins/cases/kibana.json | 1 + .../plugins/cases/server/client/alerts/get.ts | 14 +- .../cases/server/client/alerts/types.ts | 12 +- .../server/client/alerts/update_status.ts | 4 +- .../cases/server/client/attachments/add.ts | 34 +- .../plugins/cases/server/client/cases/push.ts | 65 +- .../cases/server/client/cases/update.ts | 27 +- x-pack/plugins/cases/server/client/factory.ts | 19 +- .../cases/server/client/sub_cases/update.ts | 21 +- x-pack/plugins/cases/server/client/types.ts | 3 +- .../server/common/models/commentable_case.ts | 34 +- .../connectors/servicenow/sir_format.test.ts | 159 +- .../connectors/servicenow/sir_format.ts | 36 +- x-pack/plugins/cases/server/plugin.ts | 7 +- .../server/services/alerts/index.test.ts | 81 +- .../cases/server/services/alerts/index.ts | 137 +- .../cases/server/services/alerts/types.ts | 13 + x-pack/plugins/cases/tsconfig.json | 1 + x-pack/plugins/rule_registry/server/index.ts | 1 + x-pack/plugins/rule_registry/server/mocks.ts | 2 + .../tests/common/cases/patch_cases.ts | 10 +- .../common/client/update_alert_status.ts | 6 +- .../tests/common/comments/post_comment.ts | 2 +- .../tests/common/sub_cases/patch_sub_cases.ts | 8 +- .../cases/signals/default/data.json.gz | Bin 5586 -> 3945 bytes .../cases/signals/default/mappings.json | 1926 ++++++++- .../cases/signals/duplicate_ids/data.json.gz | Bin 5513 -> 3876 bytes .../cases/signals/duplicate_ids/mappings.json | 3713 ++++++++++++++++- 28 files changed, 5794 insertions(+), 542 deletions(-) create mode 100644 x-pack/plugins/cases/server/services/alerts/types.ts diff --git a/x-pack/plugins/cases/kibana.json b/x-pack/plugins/cases/kibana.json index ebac6295166df..3889c559238b3 100644 --- a/x-pack/plugins/cases/kibana.json +++ b/x-pack/plugins/cases/kibana.json @@ -10,6 +10,7 @@ "id":"cases", "kibanaVersion":"kibana", "optionalPlugins":[ + "ruleRegistry", "security", "spaces" ], diff --git a/x-pack/plugins/cases/server/client/alerts/get.ts b/x-pack/plugins/cases/server/client/alerts/get.ts index 2048ccae4fa60..391279aab5a83 100644 --- a/x-pack/plugins/cases/server/client/alerts/get.ts +++ b/x-pack/plugins/cases/server/client/alerts/get.ts @@ -12,19 +12,11 @@ export const get = async ( { alertsInfo }: AlertGet, clientArgs: CasesClientArgs ): Promise => { - const { alertsService, scopedClusterClient, logger } = clientArgs; + const { alertsService, logger } = clientArgs; if (alertsInfo.length === 0) { return []; } - const alerts = await alertsService.getAlerts({ alertsInfo, scopedClusterClient, logger }); - if (!alerts) { - return []; - } - - return alerts.docs.map((alert) => ({ - id: alert._id, - index: alert._index, - ...alert._source, - })); + const alerts = await alertsService.getAlerts({ alertsInfo, logger }); + return alerts ?? []; }; diff --git a/x-pack/plugins/cases/server/client/alerts/types.ts b/x-pack/plugins/cases/server/client/alerts/types.ts index 95cd9ae33bff9..6b3a49f20d1e5 100644 --- a/x-pack/plugins/cases/server/client/alerts/types.ts +++ b/x-pack/plugins/cases/server/client/alerts/types.ts @@ -7,17 +7,7 @@ import { CaseStatuses } from '../../../common/api'; import { AlertInfo } from '../../common'; - -interface Alert { - id: string; - index: string; - destination?: { - ip: string; - }; - source?: { - ip: string; - }; -} +import { Alert } from '../../services/alerts/types'; export type CasesClientGetAlertsResponse = Alert[]; diff --git a/x-pack/plugins/cases/server/client/alerts/update_status.ts b/x-pack/plugins/cases/server/client/alerts/update_status.ts index a0684b59241b0..9c8cc33264413 100644 --- a/x-pack/plugins/cases/server/client/alerts/update_status.ts +++ b/x-pack/plugins/cases/server/client/alerts/update_status.ts @@ -16,6 +16,6 @@ export const updateStatus = async ( { alerts }: UpdateAlertsStatusArgs, clientArgs: CasesClientArgs ): Promise => { - const { alertsService, scopedClusterClient, logger } = clientArgs; - await alertsService.updateAlertsStatus({ alerts, scopedClusterClient, logger }); + const { alertsService, logger } = clientArgs; + await alertsService.updateAlertsStatus({ alerts, logger }); }; diff --git a/x-pack/plugins/cases/server/client/attachments/add.ts b/x-pack/plugins/cases/server/client/attachments/add.ts index 166ae2ae65012..5393a108d6af2 100644 --- a/x-pack/plugins/cases/server/client/attachments/add.ts +++ b/x-pack/plugins/cases/server/client/attachments/add.ts @@ -40,12 +40,7 @@ import { } from '../../services/user_actions/helpers'; import { AttachmentService, CasesService, CaseUserActionService } from '../../services'; -import { - createCaseError, - CommentableCase, - createAlertUpdateRequest, - isCommentRequestTypeGenAlert, -} from '../../common'; +import { createCaseError, CommentableCase, isCommentRequestTypeGenAlert } from '../../common'; import { CasesClientArgs, CasesClientInternal } from '..'; import { decodeCommentRequest } from '../utils'; @@ -195,22 +190,9 @@ const addGeneratedAlerts = async ( user: userDetails, commentReq: query, id: savedObjectID, + casesClientInternal, }); - if ( - (newComment.attributes.type === CommentType.alert || - newComment.attributes.type === CommentType.generatedAlert) && - caseInfo.attributes.settings.syncAlerts - ) { - const alertsToUpdate = createAlertUpdateRequest({ - comment: query, - status: subCase.attributes.status, - }); - await casesClientInternal.alerts.updateStatus({ - alerts: alertsToUpdate, - }); - } - await userActionService.bulkCreate({ unsecuredSavedObjectsClient, actions: [ @@ -386,19 +368,9 @@ export const addComment = async ( user: userInfo, commentReq: query, id: savedObjectID, + casesClientInternal, }); - if (newComment.attributes.type === CommentType.alert && updatedCase.settings.syncAlerts) { - const alertsToUpdate = createAlertUpdateRequest({ - comment: query, - status: updatedCase.status, - }); - - await casesClientInternal.alerts.updateStatus({ - alerts: alertsToUpdate, - }); - } - await userActionService.bulkCreate({ unsecuredSavedObjectsClient, actions: [ diff --git a/x-pack/plugins/cases/server/client/cases/push.ts b/x-pack/plugins/cases/server/client/cases/push.ts index 3048cf01bb3ba..80e69d53e9e8b 100644 --- a/x-pack/plugins/cases/server/client/cases/push.ts +++ b/x-pack/plugins/cases/server/client/cases/push.ts @@ -6,7 +6,7 @@ */ import Boom from '@hapi/boom'; -import { SavedObjectsFindResponse, SavedObject } from 'kibana/server'; +import { SavedObjectsFindResponse, SavedObject, Logger } from 'kibana/server'; import { ActionConnector, @@ -22,26 +22,16 @@ import { import { buildCaseUserActionItem } from '../../services/user_actions/helpers'; import { createIncident, getCommentContextFromAttributes } from './utils'; -import { createCaseError, flattenCaseSavedObject, getAlertInfoFromComments } from '../../common'; +import { + AlertInfo, + createCaseError, + flattenCaseSavedObject, + getAlertInfoFromComments, +} from '../../common'; import { CasesClient, CasesClientArgs, CasesClientInternal } from '..'; import { Operations } from '../../authorization'; import { casesConnectors } from '../../connectors'; - -/** - * Returns true if the case should be closed based on the configuration settings and whether the case - * is a collection. Collections are not closable because we aren't allowing their status to be changed. - * In the future we could allow push to close all the sub cases of a collection but that's not currently supported. - */ -function shouldCloseByPush( - configureSettings: SavedObjectsFindResponse, - caseInfo: SavedObject -): boolean { - return ( - configureSettings.total > 0 && - configureSettings.saved_objects[0].attributes.closure_type === 'close-by-pushing' && - caseInfo.attributes.type !== CaseType.collection - ); -} +import { CasesClientGetAlertsResponse } from '../alerts/types'; /** * Parameters for pushing a case to an external system @@ -106,9 +96,7 @@ export const push = async ( const alertsInfo = getAlertInfoFromComments(theCase?.comments); - const alerts = await casesClientInternal.alerts.get({ - alertsInfo, - }); + const alerts = await getAlertsCatchErrors({ casesClientInternal, alertsInfo, logger }); const getMappingsResponse = await casesClientInternal.configuration.getMappings({ connector: theCase.connector, @@ -278,3 +266,38 @@ export const push = async ( throw createCaseError({ message: `Failed to push case: ${error}`, error, logger }); } }; + +async function getAlertsCatchErrors({ + casesClientInternal, + alertsInfo, + logger, +}: { + casesClientInternal: CasesClientInternal; + alertsInfo: AlertInfo[]; + logger: Logger; +}): Promise { + try { + return await casesClientInternal.alerts.get({ + alertsInfo, + }); + } catch (error) { + logger.error(`Failed to retrieve alerts during push: ${error}`); + return []; + } +} + +/** + * Returns true if the case should be closed based on the configuration settings and whether the case + * is a collection. Collections are not closable because we aren't allowing their status to be changed. + * In the future we could allow push to close all the sub cases of a collection but that's not currently supported. + */ +function shouldCloseByPush( + configureSettings: SavedObjectsFindResponse, + caseInfo: SavedObject +): boolean { + return ( + configureSettings.total > 0 && + configureSettings.saved_objects[0].attributes.closure_type === 'close-by-pushing' && + caseInfo.attributes.type !== CaseType.collection + ); +} diff --git a/x-pack/plugins/cases/server/client/cases/update.ts b/x-pack/plugins/cases/server/client/cases/update.ts index ed19444414d57..611c9e09fa76e 100644 --- a/x-pack/plugins/cases/server/client/cases/update.ts +++ b/x-pack/plugins/cases/server/client/cases/update.ts @@ -12,6 +12,7 @@ import { fold } from 'fp-ts/lib/Either'; import { identity } from 'fp-ts/lib/function'; import { + Logger, SavedObject, SavedObjectsClientContract, SavedObjectsFindResponse, @@ -307,12 +308,14 @@ async function updateAlerts({ caseService, unsecuredSavedObjectsClient, casesClientInternal, + logger, }: { casesWithSyncSettingChangedToOn: UpdateRequestWithOriginalCase[]; casesWithStatusChangedAndSynced: UpdateRequestWithOriginalCase[]; caseService: CasesService; unsecuredSavedObjectsClient: SavedObjectsClientContract; casesClientInternal: CasesClientInternal; + logger: Logger; }) { /** * It's possible that a case ID can appear multiple times in each array. I'm intentionally placing the status changes @@ -361,7 +364,9 @@ async function updateAlerts({ [] ); - await casesClientInternal.alerts.updateStatus({ alerts: alertsToUpdate }); + await casesClientInternal.alerts.updateStatus({ + alerts: alertsToUpdate, + }); } function partitionPatchRequest( @@ -562,15 +567,6 @@ export const update = async ( ); }); - // Update the alert's status to match any case status or sync settings changes - await updateAlerts({ - casesWithStatusChangedAndSynced, - casesWithSyncSettingChangedToOn, - caseService, - unsecuredSavedObjectsClient, - casesClientInternal, - }); - const returnUpdatedCase = myCases.saved_objects .filter((myCase) => updatedCases.saved_objects.some((updatedCase) => updatedCase.id === myCase.id) @@ -598,6 +594,17 @@ export const update = async ( }), }); + // Update the alert's status to match any case status or sync settings changes + // Attempt to do this after creating/changing the other entities just in case it fails + await updateAlerts({ + casesWithStatusChangedAndSynced, + casesWithSyncSettingChangedToOn, + caseService, + unsecuredSavedObjectsClient, + casesClientInternal, + logger, + }); + return CasesResponseRt.encode(returnUpdatedCase); } catch (error) { const idVersions = cases.cases.map((caseInfo) => ({ diff --git a/x-pack/plugins/cases/server/client/factory.ts b/x-pack/plugins/cases/server/client/factory.ts index 2fae6996f4aa2..a1a3ccdd3bc52 100644 --- a/x-pack/plugins/cases/server/client/factory.ts +++ b/x-pack/plugins/cases/server/client/factory.ts @@ -5,12 +5,7 @@ * 2.0. */ -import { - KibanaRequest, - SavedObjectsServiceStart, - Logger, - ElasticsearchClient, -} from 'kibana/server'; +import { KibanaRequest, SavedObjectsServiceStart, Logger } from 'kibana/server'; import { SecurityPluginSetup, SecurityPluginStart } from '../../../security/server'; import { SAVED_OBJECT_TYPES } from '../../common'; import { Authorization } from '../authorization/authorization'; @@ -25,8 +20,8 @@ import { } from '../services'; import { PluginStartContract as FeaturesPluginStart } from '../../../features/server'; import { PluginStartContract as ActionsPluginStart } from '../../../actions/server'; +import { RuleRegistryPluginStartContract } from '../../../rule_registry/server'; import { LensServerPluginSetup } from '../../../lens/server'; - import { AuthorizationAuditLogger } from '../authorization'; import { CasesClient, createCasesClient } from '.'; @@ -36,6 +31,7 @@ interface CasesClientFactoryArgs { getSpace: GetSpaceFn; featuresPluginStart: FeaturesPluginStart; actionsPluginStart: ActionsPluginStart; + ruleRegistryPluginStart?: RuleRegistryPluginStartContract; lensEmbeddableFactory: LensServerPluginSetup['lensEmbeddableFactory']; } @@ -69,12 +65,10 @@ export class CasesClientFactory { */ public async create({ request, - scopedClusterClient, savedObjectsService, }: { request: KibanaRequest; savedObjectsService: SavedObjectsServiceStart; - scopedClusterClient: ElasticsearchClient; }): Promise { if (!this.isInitialized || !this.options) { throw new Error('CasesClientFactory must be initialized before calling create'); @@ -94,9 +88,12 @@ export class CasesClientFactory { const caseService = new CasesService(this.logger, this.options?.securityPluginStart?.authc); const userInfo = caseService.getUser({ request }); + const alertsClient = await this.options.ruleRegistryPluginStart?.getRacClientWithRequest( + request + ); + return createCasesClient({ - alertsService: new AlertService(), - scopedClusterClient, + alertsService: new AlertService(alertsClient), unsecuredSavedObjectsClient: savedObjectsService.getScopedClient(request, { includedHiddenTypes: SAVED_OBJECT_TYPES, // this tells the security plugin to not perform SO authorization and audit logging since we are handling diff --git a/x-pack/plugins/cases/server/client/sub_cases/update.ts b/x-pack/plugins/cases/server/client/sub_cases/update.ts index c8cb96cbb6b8c..56610ea6858e3 100644 --- a/x-pack/plugins/cases/server/client/sub_cases/update.ts +++ b/x-pack/plugins/cases/server/client/sub_cases/update.ts @@ -246,7 +246,9 @@ async function updateAlerts({ [] ); - await casesClientInternal.alerts.updateStatus({ alerts: alertsToUpdate }); + await casesClientInternal.alerts.updateStatus({ + alerts: alertsToUpdate, + }); } catch (error) { throw createCaseError({ message: `Failed to update alert status while updating sub cases: ${JSON.stringify( @@ -355,14 +357,6 @@ export async function update({ ); }); - await updateAlerts({ - caseService, - unsecuredSavedObjectsClient, - casesClientInternal, - subCasesToSync: subCasesToSyncAlertsFor, - logger: clientArgs.logger, - }); - const returnUpdatedSubCases = updatedCases.saved_objects.reduce( (acc, updatedSO) => { const originalSubCase = subCasesMap.get(updatedSO.id); @@ -394,6 +388,15 @@ export async function update({ }), }); + // attempt to update the status of the alerts after creating all the user actions just in case it fails + await updateAlerts({ + caseService, + unsecuredSavedObjectsClient, + casesClientInternal, + subCasesToSync: subCasesToSyncAlertsFor, + logger: clientArgs.logger, + }); + return SubCasesResponseRt.encode(returnUpdatedSubCases); } catch (error) { const idVersions = query.subCases.map((subCase) => ({ diff --git a/x-pack/plugins/cases/server/client/types.ts b/x-pack/plugins/cases/server/client/types.ts index 27829d2539c7d..3979c19949d9a 100644 --- a/x-pack/plugins/cases/server/client/types.ts +++ b/x-pack/plugins/cases/server/client/types.ts @@ -6,7 +6,7 @@ */ import type { PublicMethodsOf } from '@kbn/utility-types'; -import { ElasticsearchClient, SavedObjectsClientContract, Logger } from 'kibana/server'; +import { SavedObjectsClientContract, Logger } from 'kibana/server'; import { User } from '../../common'; import { Authorization } from '../authorization/authorization'; import { @@ -24,7 +24,6 @@ import { LensServerPluginSetup } from '../../../lens/server'; * Parameters for initializing a cases client */ export interface CasesClientArgs { - readonly scopedClusterClient: ElasticsearchClient; readonly caseConfigureService: CaseConfigureService; readonly caseService: CasesService; readonly connectorMappingsService: ConnectorMappingsService; diff --git a/x-pack/plugins/cases/server/common/models/commentable_case.ts b/x-pack/plugins/cases/server/common/models/commentable_case.ts index 856d6378d5900..e540332b1ff84 100644 --- a/x-pack/plugins/cases/server/common/models/commentable_case.ts +++ b/x-pack/plugins/cases/server/common/models/commentable_case.ts @@ -34,10 +34,16 @@ import { CommentRequestUserType, CaseAttributes, } from '../../../common'; -import { flattenCommentSavedObjects, flattenSubCaseSavedObject, transformNewComment } from '..'; +import { + createAlertUpdateRequest, + flattenCommentSavedObjects, + flattenSubCaseSavedObject, + transformNewComment, +} from '..'; import { AttachmentService, CasesService } from '../../services'; import { createCaseError } from '../error'; import { countAlertsForID } from '../index'; +import { CasesClientInternal } from '../../client'; import { getOrUpdateLensReferences } from '../utils'; interface UpdateCommentResp { @@ -273,11 +279,13 @@ export class CommentableCase { user, commentReq, id, + casesClientInternal, }: { createdDate: string; user: User; commentReq: CommentRequest; id: string; + casesClientInternal: CasesClientInternal; }): Promise { try { if (commentReq.type === CommentType.alert) { @@ -294,6 +302,10 @@ export class CommentableCase { throw Boom.badRequest('The owner field of the comment must match the case'); } + // Let's try to sync the alert's status before creating the attachment, that way if the alert doesn't exist + // we'll throw an error early before creating the attachment + await this.syncAlertStatus(commentReq, casesClientInternal); + let references = this.buildRefsToCase(); if (commentReq.type === CommentType.user && commentReq?.comment) { @@ -331,6 +343,26 @@ export class CommentableCase { } } + private async syncAlertStatus( + commentRequest: CommentRequest, + casesClientInternal: CasesClientInternal + ) { + if ( + (commentRequest.type === CommentType.alert || + commentRequest.type === CommentType.generatedAlert) && + this.settings.syncAlerts + ) { + const alertsToUpdate = createAlertUpdateRequest({ + comment: commentRequest, + status: this.status, + }); + + await casesClientInternal.alerts.updateStatus({ + alerts: alertsToUpdate, + }); + } + } + private formatCollectionForEncoding(totalComment: number) { return { id: this.collection.id, diff --git a/x-pack/plugins/cases/server/connectors/servicenow/sir_format.test.ts b/x-pack/plugins/cases/server/connectors/servicenow/sir_format.test.ts index fa103d4c1142d..7a1efe8b366d0 100644 --- a/x-pack/plugins/cases/server/connectors/servicenow/sir_format.test.ts +++ b/x-pack/plugins/cases/server/connectors/servicenow/sir_format.test.ts @@ -24,7 +24,7 @@ describe('ITSM formatter', () => { } as CaseResponse; it('it formats correctly without alerts', async () => { - const res = await format(theCase, []); + const res = format(theCase, []); expect(res).toEqual({ dest_ip: null, source_ip: null, @@ -38,7 +38,7 @@ describe('ITSM formatter', () => { it('it formats correctly when fields do not exist ', async () => { const invalidFields = { connector: { fields: null } } as CaseResponse; - const res = await format(invalidFields, []); + const res = format(invalidFields, []); expect(res).toEqual({ dest_ip: null, source_ip: null, @@ -55,25 +55,31 @@ describe('ITSM formatter', () => { { id: 'alert-1', index: 'index-1', - destination: { ip: '192.168.1.1' }, - source: { ip: '192.168.1.2' }, - file: { - hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + source: { + destination: { ip: '192.168.1.1' }, + source: { ip: '192.168.1.2' }, + file: { + hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + }, + url: { full: 'https://attack.com' }, }, - url: { full: 'https://attack.com' }, }, { id: 'alert-2', index: 'index-2', - destination: { ip: '192.168.1.4' }, - source: { ip: '192.168.1.3' }, - file: { - hash: { sha256: '60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752' }, + source: { + source: { + ip: '192.168.1.3', + }, + destination: { ip: '192.168.1.4' }, + file: { + hash: { sha256: '60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752' }, + }, + url: { full: 'https://attack.com/api' }, }, - url: { full: 'https://attack.com/api' }, }, ]; - const res = await format(theCase, alerts); + const res = format(theCase, alerts); expect(res).toEqual({ dest_ip: '192.168.1.1,192.168.1.4', source_ip: '192.168.1.2,192.168.1.3', @@ -86,30 +92,109 @@ describe('ITSM formatter', () => { }); }); + it('it ignores alerts with an error', async () => { + const alerts = [ + { + id: 'alert-1', + index: 'index-1', + error: new Error('an error'), + source: { + destination: { ip: '192.168.1.1' }, + source: { ip: '192.168.1.2' }, + file: { + hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + }, + url: { full: 'https://attack.com' }, + }, + }, + { + id: 'alert-2', + index: 'index-2', + source: { + source: { + ip: '192.168.1.3', + }, + destination: { ip: '192.168.1.4' }, + file: { + hash: { sha256: '60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752' }, + }, + url: { full: 'https://attack.com/api' }, + }, + }, + ]; + const res = format(theCase, alerts); + expect(res).toEqual({ + dest_ip: '192.168.1.4', + source_ip: '192.168.1.3', + category: 'Denial of Service', + subcategory: 'Inbound DDos', + malware_hash: '60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752', + malware_url: 'https://attack.com/api', + priority: '2 - High', + }); + }); + + it('it ignores alerts without a source field', async () => { + const alerts = [ + { + id: 'alert-1', + index: 'index-1', + }, + { + id: 'alert-2', + index: 'index-2', + source: { + source: { + ip: '192.168.1.3', + }, + destination: { ip: '192.168.1.4' }, + file: { + hash: { sha256: '60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752' }, + }, + url: { full: 'https://attack.com/api' }, + }, + }, + ]; + const res = format(theCase, alerts); + expect(res).toEqual({ + dest_ip: '192.168.1.4', + source_ip: '192.168.1.3', + category: 'Denial of Service', + subcategory: 'Inbound DDos', + malware_hash: '60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752', + malware_url: 'https://attack.com/api', + priority: '2 - High', + }); + }); + it('it handles duplicates correctly', async () => { const alerts = [ { id: 'alert-1', index: 'index-1', - destination: { ip: '192.168.1.1' }, - source: { ip: '192.168.1.2' }, - file: { - hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + source: { + destination: { ip: '192.168.1.1' }, + source: { ip: '192.168.1.2' }, + file: { + hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + }, + url: { full: 'https://attack.com' }, }, - url: { full: 'https://attack.com' }, }, { id: 'alert-2', index: 'index-2', - destination: { ip: '192.168.1.1' }, - source: { ip: '192.168.1.3' }, - file: { - hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + source: { + destination: { ip: '192.168.1.1' }, + source: { ip: '192.168.1.3' }, + file: { + hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + }, + url: { full: 'https://attack.com/api' }, }, - url: { full: 'https://attack.com/api' }, }, ]; - const res = await format(theCase, alerts); + const res = format(theCase, alerts); expect(res).toEqual({ dest_ip: '192.168.1.1', source_ip: '192.168.1.2,192.168.1.3', @@ -126,22 +211,26 @@ describe('ITSM formatter', () => { { id: 'alert-1', index: 'index-1', - destination: { ip: '192.168.1.1' }, - source: { ip: '192.168.1.2' }, - file: { - hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + source: { + destination: { ip: '192.168.1.1' }, + source: { ip: '192.168.1.2' }, + file: { + hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + }, + url: { full: 'https://attack.com' }, }, - url: { full: 'https://attack.com' }, }, { id: 'alert-2', index: 'index-2', - destination: { ip: '192.168.1.1' }, - source: { ip: '192.168.1.3' }, - file: { - hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + source: { + destination: { ip: '192.168.1.1' }, + source: { ip: '192.168.1.3' }, + file: { + hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, + }, + url: { full: 'https://attack.com/api' }, }, - url: { full: 'https://attack.com/api' }, }, ]; @@ -150,7 +239,7 @@ describe('ITSM formatter', () => { connector: { fields: { ...theCase.connector.fields, destIp: false, malwareHash: false } }, } as CaseResponse; - const res = await format(newCase, alerts); + const res = format(newCase, alerts); expect(res).toEqual({ dest_ip: null, source_ip: '192.168.1.2,192.168.1.3', diff --git a/x-pack/plugins/cases/server/connectors/servicenow/sir_format.ts b/x-pack/plugins/cases/server/connectors/servicenow/sir_format.ts index b48a1b7f734c8..88b8f79d3ba5b 100644 --- a/x-pack/plugins/cases/server/connectors/servicenow/sir_format.ts +++ b/x-pack/plugins/cases/server/connectors/servicenow/sir_format.ts @@ -44,23 +44,25 @@ export const format: ServiceNowSIRFormat = (theCase, alerts) => { ); if (fieldsToAdd.length > 0) { - sirFields = alerts.reduce>((acc, alert) => { - fieldsToAdd.forEach((alertField) => { - const field = get(alertFieldMapping[alertField].alertPath, alert); - if (field && !manageDuplicate[alertFieldMapping[alertField].sirFieldKey].has(field)) { - manageDuplicate[alertFieldMapping[alertField].sirFieldKey].add(field); - acc = { - ...acc, - [alertFieldMapping[alertField].sirFieldKey]: `${ - acc[alertFieldMapping[alertField].sirFieldKey] != null - ? `${acc[alertFieldMapping[alertField].sirFieldKey]},${field}` - : field - }`, - }; - } - }); - return acc; - }, sirFields); + sirFields = alerts + .filter((alert) => !alert.error && alert.source != null) + .reduce>((acc, alert) => { + fieldsToAdd.forEach((alertField) => { + const field = get(alertFieldMapping[alertField].alertPath, alert.source); + if (field && !manageDuplicate[alertFieldMapping[alertField].sirFieldKey].has(field)) { + manageDuplicate[alertFieldMapping[alertField].sirFieldKey].add(field); + acc = { + ...acc, + [alertFieldMapping[alertField].sirFieldKey]: `${ + acc[alertFieldMapping[alertField].sirFieldKey] != null + ? `${acc[alertFieldMapping[alertField].sirFieldKey]},${field}` + : field + }`, + }; + } + }); + return acc; + }, sirFields); } return { diff --git a/x-pack/plugins/cases/server/plugin.ts b/x-pack/plugins/cases/server/plugin.ts index bb1be163585a8..49220fc716034 100644 --- a/x-pack/plugins/cases/server/plugin.ts +++ b/x-pack/plugins/cases/server/plugin.ts @@ -32,6 +32,7 @@ import type { CasesRequestHandlerContext } from './types'; import { CasesClientFactory } from './client/factory'; import { SpacesPluginStart } from '../../spaces/server'; import { PluginStartContract as FeaturesPluginStart } from '../../features/server'; +import { RuleRegistryPluginStartContract } from '../../rule_registry/server'; import { LensServerPluginSetup } from '../../lens/server'; function createConfig(context: PluginInitializerContext) { @@ -49,6 +50,7 @@ export interface PluginsStart { features: FeaturesPluginStart; spaces?: SpacesPluginStart; actions: ActionsPluginStart; + ruleRegistry?: RuleRegistryPluginStartContract; } /** @@ -137,15 +139,13 @@ export class CasePlugin { }, featuresPluginStart: plugins.features, actionsPluginStart: plugins.actions, + ruleRegistryPluginStart: plugins.ruleRegistry, lensEmbeddableFactory: this.lensEmbeddableFactory!, }); - const client = core.elasticsearch.client; - const getCasesClientWithRequest = async (request: KibanaRequest): Promise => { return this.clientFactory.create({ request, - scopedClusterClient: client.asScoped(request).asCurrentUser, savedObjectsService: core.savedObjects, }); }; @@ -171,7 +171,6 @@ export class CasePlugin { return this.clientFactory.create({ request, - scopedClusterClient: context.core.elasticsearch.client.asCurrentUser, savedObjectsService: savedObjects, }); }, diff --git a/x-pack/plugins/cases/server/services/alerts/index.test.ts b/x-pack/plugins/cases/server/services/alerts/index.test.ts index 28c3a6278d544..0e1ad03a32af2 100644 --- a/x-pack/plugins/cases/server/services/alerts/index.test.ts +++ b/x-pack/plugins/cases/server/services/alerts/index.test.ts @@ -5,56 +5,75 @@ * 2.0. */ -import { KibanaRequest } from 'kibana/server'; import { CaseStatuses } from '../../../common'; import { AlertService, AlertServiceContract } from '.'; -import { elasticsearchServiceMock, loggingSystemMock } from 'src/core/server/mocks'; +import { loggingSystemMock } from 'src/core/server/mocks'; +import { ruleRegistryMocks } from '../../../../rule_registry/server/mocks'; +import { AlertsClient } from '../../../../rule_registry/server'; +import { PublicMethodsOf } from '@kbn/utility-types'; describe('updateAlertsStatus', () => { - const esClient = elasticsearchServiceMock.createElasticsearchClient(); const logger = loggingSystemMock.create().get('case'); + let alertsClient: jest.Mocked>; + let alertService: AlertServiceContract; + + beforeEach(async () => { + alertsClient = ruleRegistryMocks.createAlertsClientMock.create(); + alertService = new AlertService(alertsClient); + jest.restoreAllMocks(); + }); describe('happy path', () => { - let alertService: AlertServiceContract; const args = { alerts: [{ id: 'alert-id-1', index: '.siem-signals', status: CaseStatuses.closed }], - request: {} as KibanaRequest, - scopedClusterClient: esClient, logger, }; - beforeEach(async () => { - alertService = new AlertService(); - jest.restoreAllMocks(); + it('updates the status of the alert correctly', async () => { + await alertService.updateAlertsStatus(args); + + expect(alertsClient.update).toHaveBeenCalledWith({ + id: 'alert-id-1', + index: '.siem-signals', + status: CaseStatuses.closed, + }); }); - test('it update the status of the alert correctly', async () => { - await alertService.updateAlertsStatus(args); + it('translates the in-progress status to acknowledged', async () => { + await alertService.updateAlertsStatus({ + alerts: [{ id: 'alert-id-1', index: '.siem-signals', status: CaseStatuses['in-progress'] }], + logger, + }); - expect(esClient.bulk).toHaveBeenCalledWith({ - body: [ - { update: { _id: 'alert-id-1', _index: '.siem-signals' } }, - { - doc: { - signal: { - status: CaseStatuses.closed, - }, - }, - }, - ], + expect(alertsClient.update).toHaveBeenCalledWith({ + id: 'alert-id-1', + index: '.siem-signals', + status: 'acknowledged', }); }); - describe('unhappy path', () => { - it('ignores empty indices', async () => { - expect( - await alertService.updateAlertsStatus({ - alerts: [{ id: 'alert-id-1', index: '', status: CaseStatuses.closed }], - scopedClusterClient: esClient, - logger, - }) - ).toBeUndefined(); + it('defaults an unknown status to open', async () => { + await alertService.updateAlertsStatus({ + alerts: [{ id: 'alert-id-1', index: '.siem-signals', status: 'bananas' as CaseStatuses }], + logger, + }); + + expect(alertsClient.update).toHaveBeenCalledWith({ + id: 'alert-id-1', + index: '.siem-signals', + status: 'open', }); }); }); + + describe('unhappy path', () => { + it('ignores empty indices', async () => { + expect( + await alertService.updateAlertsStatus({ + alerts: [{ id: 'alert-id-1', index: '', status: CaseStatuses.closed }], + logger, + }) + ).toBeUndefined(); + }); + }); }); diff --git a/x-pack/plugins/cases/server/services/alerts/index.ts b/x-pack/plugins/cases/server/services/alerts/index.ts index e33b0385bc123..ccb0fca4f995f 100644 --- a/x-pack/plugins/cases/server/services/alerts/index.ts +++ b/x-pack/plugins/cases/server/services/alerts/index.ts @@ -9,56 +9,67 @@ import { isEmpty } from 'lodash'; import type { PublicMethodsOf } from '@kbn/utility-types'; -import { ElasticsearchClient, Logger } from 'kibana/server'; -import { MAX_ALERTS_PER_SUB_CASE } from '../../../common'; +import { Logger } from 'kibana/server'; +import { CaseStatuses, MAX_ALERTS_PER_SUB_CASE } from '../../../common'; import { AlertInfo, createCaseError } from '../../common'; import { UpdateAlertRequest } from '../../client/alerts/types'; +import { AlertsClient } from '../../../../rule_registry/server'; +import { Alert } from './types'; +import { STATUS_VALUES } from '../../../../rule_registry/common/technical_rule_data_field_names'; export type AlertServiceContract = PublicMethodsOf; interface UpdateAlertsStatusArgs { alerts: UpdateAlertRequest[]; - scopedClusterClient: ElasticsearchClient; logger: Logger; } interface GetAlertsArgs { alertsInfo: AlertInfo[]; - scopedClusterClient: ElasticsearchClient; logger: Logger; } -interface Alert { - _id: string; - _index: string; - _source: Record; -} - -interface AlertsResponse { - docs: Alert[]; -} - function isEmptyAlert(alert: AlertInfo): boolean { return isEmpty(alert.id) || isEmpty(alert.index); } export class AlertService { - constructor() {} + constructor(private readonly alertsClient?: PublicMethodsOf) {} - public async updateAlertsStatus({ alerts, scopedClusterClient, logger }: UpdateAlertsStatusArgs) { + public async updateAlertsStatus({ alerts, logger }: UpdateAlertsStatusArgs) { try { - const body = alerts - .filter((alert) => !isEmptyAlert(alert)) - .flatMap((alert) => [ - { update: { _id: alert.id, _index: alert.index } }, - { doc: { signal: { status: alert.status } } }, - ]); - - if (body.length <= 0) { + if (!this.alertsClient) { + throw new Error( + 'Alert client is undefined, the rule registry plugin must be enabled to updated the status of alerts' + ); + } + + const alertsToUpdate = alerts.filter((alert) => !isEmptyAlert(alert)); + + if (alertsToUpdate.length <= 0) { return; } - return scopedClusterClient.bulk({ body }); + const updatedAlerts = await Promise.allSettled( + alertsToUpdate.map((alert) => + this.alertsClient?.update({ + id: alert.id, + index: alert.index, + status: translateStatus({ alert, logger }), + _version: undefined, + }) + ) + ); + + updatedAlerts.forEach((updatedAlert, index) => { + if (updatedAlert.status === 'rejected') { + logger.error( + `Failed to update status for alert: ${JSON.stringify(alertsToUpdate[index])}: ${ + updatedAlert.reason + }` + ); + } + }); } catch (error) { throw createCaseError({ message: `Failed to update alert status ids: ${JSON.stringify(alerts)}: ${error}`, @@ -68,25 +79,51 @@ export class AlertService { } } - public async getAlerts({ - scopedClusterClient, - alertsInfo, - logger, - }: GetAlertsArgs): Promise { + public async getAlerts({ alertsInfo, logger }: GetAlertsArgs): Promise { try { - const docs = alertsInfo - .filter((alert) => !isEmptyAlert(alert)) - .slice(0, MAX_ALERTS_PER_SUB_CASE) - .map((alert) => ({ _id: alert.id, _index: alert.index })); + if (!this.alertsClient) { + throw new Error( + 'Alert client is undefined, the rule registry plugin must be enabled to retrieve alerts' + ); + } - if (docs.length <= 0) { + const alertsToGet = alertsInfo + .filter((alert) => !isEmpty(alert)) + .slice(0, MAX_ALERTS_PER_SUB_CASE); + + if (alertsToGet.length <= 0) { return; } - const results = await scopedClusterClient.mget({ body: { docs } }); + const retrievedAlerts = await Promise.allSettled( + alertsToGet.map(({ id, index }) => this.alertsClient?.get({ id, index })) + ); + + retrievedAlerts.forEach((alert, index) => { + if (alert.status === 'rejected') { + logger.error( + `Failed to retrieve alert: ${JSON.stringify(alertsToGet[index])}: ${alert.reason}` + ); + } + }); - // @ts-expect-error @elastic/elasticsearch _source is optional - return results.body; + return retrievedAlerts.map((alert, index) => { + let source: unknown | undefined; + let error: Error | undefined; + + if (alert.status === 'fulfilled') { + source = alert.value; + } else { + error = alert.reason; + } + + return { + id: alertsToGet[index].id, + index: alertsToGet[index].index, + source, + error, + }; + }); } catch (error) { throw createCaseError({ message: `Failed to retrieve alerts ids: ${JSON.stringify(alertsInfo)}: ${error}`, @@ -96,3 +133,27 @@ export class AlertService { } } } + +function translateStatus({ + alert, + logger, +}: { + alert: UpdateAlertRequest; + logger: Logger; +}): STATUS_VALUES { + const translatedStatuses: Record = { + [CaseStatuses.open]: 'open', + [CaseStatuses['in-progress']]: 'acknowledged', + [CaseStatuses.closed]: 'closed', + }; + + const translatedStatus = translatedStatuses[alert.status]; + if (!translatedStatus) { + logger.error( + `Unable to translate case status ${alert.status} during alert update: ${JSON.stringify( + alert + )}` + ); + } + return translatedStatus ?? 'open'; +} diff --git a/x-pack/plugins/cases/server/services/alerts/types.ts b/x-pack/plugins/cases/server/services/alerts/types.ts new file mode 100644 index 0000000000000..5ddc57fa5861c --- /dev/null +++ b/x-pack/plugins/cases/server/services/alerts/types.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export interface Alert { + id: string; + index: string; + error?: Error; + source?: unknown; +} diff --git a/x-pack/plugins/cases/tsconfig.json b/x-pack/plugins/cases/tsconfig.json index 1c9373e023366..d7c123ce3970b 100644 --- a/x-pack/plugins/cases/tsconfig.json +++ b/x-pack/plugins/cases/tsconfig.json @@ -22,6 +22,7 @@ // Required from './kibana.json' { "path": "../actions/tsconfig.json" }, + { "path": "../rule_registry/tsconfig.json" }, { "path": "../triggers_actions_ui/tsconfig.json"}, { "path": "../../../src/plugins/es_ui_shared/tsconfig.json" }, { "path": "../../../src/plugins/kibana_react/tsconfig.json" }, diff --git a/x-pack/plugins/rule_registry/server/index.ts b/x-pack/plugins/rule_registry/server/index.ts index 19257845fabe4..2a609aa3bef7e 100644 --- a/x-pack/plugins/rule_registry/server/index.ts +++ b/x-pack/plugins/rule_registry/server/index.ts @@ -29,6 +29,7 @@ export { } from './utils/create_lifecycle_executor'; export { createPersistenceRuleTypeFactory } from './utils/create_persistence_rule_type_factory'; export * from './utils/persistence_types'; +export type { AlertsClient } from './alert_data_client/alerts_client'; export const plugin = (initContext: PluginInitializerContext) => new RuleRegistryPlugin(initContext); diff --git a/x-pack/plugins/rule_registry/server/mocks.ts b/x-pack/plugins/rule_registry/server/mocks.ts index 395b53e229d64..269eff182633f 100644 --- a/x-pack/plugins/rule_registry/server/mocks.ts +++ b/x-pack/plugins/rule_registry/server/mocks.ts @@ -5,10 +5,12 @@ * 2.0. */ +import { alertsClientMock } from './alert_data_client/alerts_client.mock'; import { ruleDataPluginServiceMock } from './rule_data_plugin_service/rule_data_plugin_service.mock'; import { createLifecycleAlertServicesMock } from './utils/lifecycle_alert_services_mock'; export const ruleRegistryMocks = { createLifecycleAlertServices: createLifecycleAlertServicesMock, createRuleDataPluginService: ruleDataPluginServiceMock.create, + createAlertsClientMock: alertsClientMock, }; diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts index e2a7512940250..63b2f2e9b90ed 100644 --- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts +++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts @@ -535,8 +535,8 @@ export default ({ getService }: FtrProviderContext): void => { }); it('should update the status of multiple alerts attached to multiple cases', async () => { - const signalID = '5f2b9ec41f8febb1c06b5d1045aeabb9874733b7617e88a370510f2fb3a41a5d'; - const signalID2 = '4d0f4b1533e46b66b43bdd0330d23f39f2cf42a7253153270e38d30cce9ff0c6'; + const signalID = '4679431ee0ba3209b6fcd60a255a696886fe0a7d18f5375de510ff5b68fa6b78'; + const signalID2 = '1023bcfea939643c5e51fd8df53797e0ea693cee547db579ab56d96402365c1e'; // does NOT updates alert status when adding comments and syncAlerts=false const individualCase1 = await createCase(supertest, { @@ -653,7 +653,7 @@ export default ({ getService }: FtrProviderContext): void => { CaseStatuses.closed ); expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses['in-progress'] + 'acknowledged' ); }); }); @@ -846,7 +846,7 @@ export default ({ getService }: FtrProviderContext): void => { .send(getQuerySignalIds([alert._id])) .expect(200); - expect(updatedAlert.hits.hits[0]._source?.signal.status).eql('in-progress'); + expect(updatedAlert.hits.hits[0]._source?.signal.status).eql('acknowledged'); }); it('does NOT updates alert status when the status is updated and syncAlerts=false', async () => { @@ -970,7 +970,7 @@ export default ({ getService }: FtrProviderContext): void => { .send(getQuerySignalIds([alert._id])) .expect(200); - expect(updatedAlert.hits.hits[0]._source?.signal.status).eql('in-progress'); + expect(updatedAlert.hits.hits[0]._source?.signal.status).eql('acknowledged'); }); it('it does NOT updates alert status when syncAlerts is turned off', async () => { diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts index 15df0f0b40d0f..d2949c9728989 100644 --- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts +++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts @@ -35,8 +35,8 @@ export default ({ getService }: FtrProviderContext): void => { }); it('should update the status of multiple alerts attached to multiple cases using the cases client', async () => { - const signalID = '5f2b9ec41f8febb1c06b5d1045aeabb9874733b7617e88a370510f2fb3a41a5d'; - const signalID2 = '4d0f4b1533e46b66b43bdd0330d23f39f2cf42a7253153270e38d30cce9ff0c6'; + const signalID = '4679431ee0ba3209b6fcd60a255a696886fe0a7d18f5375de510ff5b68fa6b78'; + const signalID2 = '1023bcfea939643c5e51fd8df53797e0ea693cee547db579ab56d96402365c1e'; // does NOT updates alert status when adding comments and syncAlerts=false const individualCase1 = await createCase(supertest, { @@ -160,7 +160,7 @@ export default ({ getService }: FtrProviderContext): void => { CaseStatuses.closed ); expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses['in-progress'] + 'acknowledged' ); }); }); diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/post_comment.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/post_comment.ts index ecd05a2717e08..f4c31c052cddd 100644 --- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/post_comment.ts +++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/post_comment.ts @@ -394,7 +394,7 @@ export default ({ getService }: FtrProviderContext): void => { .send(getQuerySignalIds([alert._id])) .expect(200); - expect(updatedAlert.hits.hits[0]._source.signal.status).eql('in-progress'); + expect(updatedAlert.hits.hits[0]._source.signal.status).eql('acknowledged'); }); it('should NOT change the status of the alert if sync alert is off', async () => { diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts index 45fada30ab567..340fdfbf77de1 100644 --- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts +++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts @@ -129,7 +129,7 @@ export default function ({ getService }: FtrProviderContext) { signals = await getSignalsWithES({ es, indices: defaultSignalsIndex, ids: signalID }); expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses['in-progress'] + 'acknowledged' ); }); @@ -200,7 +200,7 @@ export default function ({ getService }: FtrProviderContext) { CaseStatuses['in-progress'] ); expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses['in-progress'] + 'acknowledged' ); }); @@ -321,7 +321,7 @@ export default function ({ getService }: FtrProviderContext) { CaseStatuses.closed ); expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses['in-progress'] + 'acknowledged' ); }); @@ -470,7 +470,7 @@ export default function ({ getService }: FtrProviderContext) { // alerts should be updated now that the expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses['in-progress'] + 'acknowledged' ); expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( CaseStatuses.closed diff --git a/x-pack/test/functional/es_archives/cases/signals/default/data.json.gz b/x-pack/test/functional/es_archives/cases/signals/default/data.json.gz index 6caae322450e44b439e17bc8b6cf6445a4a9940c..51a1c96980e77311c8506a5f5311f88b6d0f1177 100644 GIT binary patch literal 3945 zcmV-v50>yBiwFq9d>UZ@17u-zVJ>QOZ*BnXomr3EwjIFV{V9ZfEW$BK@sgkFwkaAE zX@h!;An67Jp0l#0kyg^|RrtG?(pxJGQ~yHb=}+2*z3B(SsB|Dl<{IIlM)!~u~S6e5&n)uGlBT8oA$oGT-asR>R`7X5lUo3@yn6b zs_yYbuB!8SYAe|+GmXnKUM|}6(z3FPthn)&|Fe7QpKq7Ad-mIR{ez+~Bt$X?up=4} z!~8)}&OpdGw~RALjcyO+NA?0@&8U2YYcQw4#ap5uUqz+fQ4Uak^(Rqs(_ z^@>j>j;H%_FNd~dA!>iXNh>+jmayl9NT*~y>Zot@e1 zJjn`M%err`w^MO-GvC;e1;lA=)XKG|<7cT?l~hU7Uw;7|ZItDCf4Zrmjrv9sI)WWg5{H0z z^8{q*6mU}Gh&@ zh;<`_U6(tz-1w=srjDA6?HW+qJ{0jH_FFk0`ntz?yTkr&%;R+?_*k#^Fu&LGeCsuL zm2A}YjXS@g`#WSMcDq~$aN~2NGeU94Kj*R-Ig(L9yssEOyAU1{!Ow$rd;|LBdYP*fydUjbmu39|2x3t}&Yi*kj%6Squ;pgF1 zIG=#od7hPV6<^xpo8sc6vI9@it5al6w6e^uKm>cy%0`+wb;v~!I4dDQ$SM$V1AP=I zt&utkC8WJ}X}a^%&4fplx@VhYo`OGss*uZaed2!@$amqBsS@~#gCe;yai#oWfkBa1 ztA+R6!veoOcDzZWj)SK@mHT854B}%--)K{I*j+6Bd0aMuz)9HO>_jdXEAPST!cQyf z{ZY3#)^=GorQL#5Ue7m~c@utgE$v8<(K>aM_80OgR&wdHU!U*KWuDJhMKjy;s>n2q#!aW=ijl3VeC56NQP$9Ha?xy$uj_sNyY5+d ztLAJ`yTs#iUz@3UW2SsHj1H8|Q@_MIU^v>9U(zOSWz-OAu>z3u2oU8YPzE7DozLpH zq<(Is@4(l#a}5Hn#tZK?jY=+#FS$Cet=U~wvZ`wIcIgwMZdtam6XPEBVkok!+#I#I z(To%E>v)?Z7Iz;bqfrOG5B{>;E{B+8RobG*b+S~(jrp!FR;W?i6jPs_%oLh%8*#4Vbq0B&&}u%o*>->>4M&& zt{3=?LAs!Wy4r4e)U$QzU7lU}iJsde+3`CTtzHDbyP&98R9C7C$cFr`yM%iZJQ-5M z4fUxAWj@H#*a9JHiM9wb^Q`@n@t8I_^*c*nqmRjK!#oz99+B#c=2lB z-~-+5!yImKUpUzIx#M1U=y#t$2iY^w!8_&fwbH@Ypv{~5foa^h~=Dy#t=Iyef_nv%zJ!!%CgPqMn*QA2vux$XLD z)Ub4nii^@~&~a+mUcfz>q4SCqhCbFZ%F8%GUc^--EZ|T`LJ)Nk5yzR~p+WCK3=bUQ z011u(Lr$WBSiLY{`0-Wnj8_8;ALxM}=7WR#0>ic&9(Tk;SNsHE$e#fi-YJK#6&St_ z1$zQ8L=OXoA6;YxUzDqA0)`VXoPgm33|qw$Fr0wlu+3KjhH;fkMjSdX#(?48k3Ah2 zDq>vZe72w=VVp6;9CKl0Et6acV+3ji#$z;KkIH6<+y)pppU zKCcT5lTw!DjuxiHrx!sBbHWo{!Lh3Tu{7_SBtKG5?%%=ZTO1%++*JMMso zF8B$cP&@-Dyi*QeD=2&&3ibq0h#v+D&%^U`c3z|ePM~lCg%c>8Kw+zR0)-PO9JcvN zpzuZ;d=V+)+KRE0;JqJvhBphPw8EmuNMn(ch&ZFD)uB=@GR#PYkucIS7&(MP9)^k< z=%@%aq!DyG_V)!qVJjd#`F_jwIvc2EE>)a(pVU*kcD$jprHdDc-EEh=;E zja(VKSdS^jX4h*z;o`<_o%~!Q(K=8Z2v2>k8k|AV5W|eS}RhT#liQ~SpPCDT;NRt;%_w!nA9Q7{uWXh{ZU9NQFRKD82QT6hulJ zfJ6ud(JYj#W4)i}rYOzKI=3I4Sqo$lK4P1jM7-YX!Lc-3a2KZ^SeI_@IWV|=YonwI z>gKi>THL*@>3Z8{ng=88dm8_q>ECW$K6njzYxhy#61J`WjImyE&+LccVcT)Bl0G-D z;-$}uywTres!o2g!M-Ti79DEpXH&c15eib-G;aiYzPD0u>xXaaG3J{MYb?=dL?d-g z%bJ5g3`Yo4%pjrdUvjd+IY(+7dv&>9X+6K7e$dU+Hl}}HrFqh?voY_TTJ^Kh<)qv2 z;lNC{qB+={HpjhMuI1*#FCR|7|FKJJcYA!ShmGG32_62vgz36=x~~0ZuWOG7uV3B0 zRM{sx;!XCT;~%HN`+uMQ?Vtbp;q;f`)r1d28t#<%peJdJP$&i|bGO!RG3AY)?|>`j zMSST^-eQ2|#x^JzVD*1lFE82#GT5AT&cYgk@x5#pBvpxXiEd&z%J=g{_)n zX9}<8JD>;p--mhN;J)7hwVm*|8y-61$A1Sz&@-UBJLT}Teh2hA6zmJ3JarS?=GQ4H zE|#};0(%qKo50=#_FBag*qgxKu+3Nc4hY={A;>unJH%uw!FxY8iVOb-oKjw%B7^_{ D7lFVE literal 5586 zcmV;@6)ox?iwFqo`7>Yu17u-zVJ>QOZ*BnXomr3LNOFMR`&S5hTuj#Fee{!IV+_Bn z_rdloJnlsyPZe8diBw&S`R`7uN)jnjrK{AEs&g0UnNg6*JR&k8zRu&HUpk#`@jUU} zubr+N+wL#r4-a}UD}VWC{EzsbnJc9%V57XHD9GTAK^Ahu9DYsP(g?h90@O_ zCIT`90}h60iZpZcqRY}o&Oem}-sG7df;{Vu^dJY$2R$1U0G9tli-+^^Y-(3kiNE|y zkqv!b=;5R+14E1e!~miHM)E6RUn#o56#en`etcf{{HUlDuxt;8l4#@!K!H&}sR$r8 z0RnAet))jIAh9f_(o25iCgUuYS&=>XX`YQorI_Eu|99U+e=e)xbfItaV(RsGl@HVf1yi#v;LvLWqD-VtC zv%2uT@$@1xCssp(X+ zL%KRDaGXZgjqe|;qJOFCWUnl-`>p$LU%!1DX2YzniubG{W^KqzHQMG1qQpt+v+gClmr}vh= zyi5o8)#}7r+F7B^U|!yO18PR4^Skxx4jr3YArqW%A%N$C#|g(p6QU@pu+<(b4FkoY zy@rd1Z2IVAUU!9YV<_Kdp4v#>4t=55>$uVmMBB%2KG@@FzBbxxCgS|0xU0`<^WR^4 zSApMse`NpFd-$CFFM1psLc8lvE`74gLFqfd24A#v)8%Y@196;I>K=Pp6H=0(D)b5j-UTKrnFT1Ub zl*%sUh(InWf^nX&YOtQRbZe_J?W#&2u1K5I=+8zwegYer&IXNXS=%B`A?uB=tGk{R zcjM{1kC<6Da8bQ)&0uW%w{I02MNe6K%*OaN>i?}ST7z%GZy4ok`oDO`%ssLn=)A~m z{SoJLJIyA=o2z{5$IiUHwFmvE^atgTMJMFzq9^O;CFHk*Y#y9#Zf%GOhrgYS^Q_1o z{QI33vO(b+Gw|9o)A2k87>yqR;czVocvUg)1?DzDz^xLo%e(;!N(O}RnlsLEOrqA_ z8xEKLZ(ie8OIw>G^kfMB0*a{~<*%yomvyDnGnW-6jtOXpqC)qg+iMD9C;0YP=7!Mt zHD)M%zu_Y>nu;&I$u>{XquA>Yb2r*W!+OUI^r$zBd0i>%&wO+Nb#Z3>D4$E~f}wu8 zeM>jXX%W_^xE2px8Co`6Z%02fdK7cIn8e=d$>er6omcj*C?;Qj{WY4A9+c7kSH>aw zH9qib9^;v5jCwW)u8WxCw{kw{EF4^CvptN)MXQ~TXT@Yz+`gY`*NeKJcjRI+x>$inD#*nf8#?%KtE#24q#xc$E{%vl@^N-tDYn{5I>g`|SIsZO$g{ zT?Zm!E-L?Mf9D+sQi-HnLxffGGM@NRlXA>*KV8Ezl}URj22rsm?-i zKjYJ}87xcvviS4QFModdQkJ?$Puj=o@4&F$ucwjr#A?w|WzH}y5Lh2#E+izvlD*I0Hh;FAUu-9fohH0n0}68~k%TsM=)&0EZw+oC zE|6QCf$i<-1`l$Con6^p)fcvV!=^vn8}6ZF;oeqVx>mS%9Y&JiUV?ioX@Yy*1osl$ zOK>m2y_3Q{H!a+~nBB1&LRgq;zyI{2?p_%DemvZ>+6xJ}@SHJ;H8EHSi?pNMXkrak zkWx%>@X%puOd!EJFPI3<5#-RKPZHeg{=9I{a{{A|XyAoVfJ!fcGLXh0Kqig=G5ao` zlaN8QKinf}{ak{3pAGJ{a95c6KFx zI1#@@{5~1+YlUEQ$thUi zAlG@m1c5TEZFW5y2;_9abJ%BO{5}X=)_z9{h@qw|kT?N(1EaIh3`l7Rzy=ep0u9k& zyiWmJzqkVe+%T$5#@B`bDZ;X$X_tlouVOvZSvK_U~Vqm=NGe5#R{RXL$D=<7#rcG*x$}@=45Brto+KsF2l2 zS!s-=&SMreTr-J1=TW06w#)_sy=DYEOcB%85RMQf0vbu9#wP@r5TNDS2`mWUnsGoe zCBQiEfY2-`LL7CFSDUjvry-OaaAqD)i~bS<{A>uY6@R_H^F!fa8TL)ITjIgNeT~PR z4G#w5(DRHu=TGnB!Akvi1ccFHAxV)3ia-=y3HRk5;b*H&^y3VOa8GA?kUQ<{iU|3SSS3i0MTA>*=~@xtbr?xPgb5L@ zqzMsr6CzBAFd@Q(2v3R#sl+Oikf|CgSePnCA%A$8-P_`LLZ!9aWMfyGoo z=B=i(%CUCIX&5F4AVSpavxEp+hAkn&N+}nP2wM@@TyiP!u(8YdWq27Ed$1zT_<^F{ zmZJp^*kw!+SBOFexDo=;=pLgDa|8&X+`IB`*t|X2F5?X<(FBBT{16c-8ftoB{O~{j zb`5Cc4E%6UPkWHB?d;4C>v`2__#r!%A8ys9YvqU6VI+wkCVse*CVtpW{4nvu#19ic zJSjh9oG5wMpW;@2C=F*hLY#iU5e_nowbxfxvERXDp9Zy-gDnikcMQO%Spvuu&io8Qk!;w6I zAEsT#i64G8e%K1ZUK@PzWO032;zO@?YR37NCAyr+q499bjlugbOY{apOdJJ{a1E$8 z2uPw3(3U%{q=JOt_qpQX%Mv$eN|PJ5?pzk|^0DGooXd6wthlEGKF9@kcE*Z7V&^hH z8Y_O*!wav&ND@{|SaBsySh1V1V#10ED<-UXQmi=OgNISy+xyzF?F&u z`epIwzF1KPVq(}CoRgddVS=MHCO?p4X_;3}m06PDhFR~iM?5M#j}KBE<2oKNOjt2t zMGu|S0xH0@i@CIA3TVU~2ts3KC<$8CcHr-j(+G9Q&SjdgV#11_3@f%Gu({-#fn)Q+ z6jn`s&qo}4cX8ezJ{RBLCys|)m_iKJL@I!FoE)je7$`3YaOE^nK5~CC( zj%uZ$ncwQ7peD*|0gXY6W5g4U?EbtoGU^Go)COP$E3+DdfD+1rAcBheBIw#3L_6d( zOdUca(+bE$BR?CBY=vNR$sL!tT{~{^Y><-nSa!*HokSp)( zj3Ov2^Od%K}bO$4%i|eBtt|{;Uu+0#&E@wA9=NO z!jl(@CzW?fJ4}HS&HyT{1&Rp+0t;9Xp`1o_O1C|y;X)jMCt0)45}s@swuC1urCd0k zY{g%5NdlJ}w|i&P+TZJ)ja}ZGjPm?JkuCRLAF|y$x;AbJ12_;5s306D>=-aSx@_#7 zAWolbyY~jAY$D25f(iM>-+cZ1>>A+A83^W{zWyL@-`Sa9vYO;11T$9oSc17tm#&sz zUWJh)f|&^BN}32}HxbN4FcZN{1oNZ>^Z5zdyQyRMHQKf?RguT^EBm88zb{|wR*#(hkJq>mv94Tw=@k(3NV#f;}iEgapfou}apF+}4~%QHl2_mu@|7vt18DQisw2oiG?{k?Y42e#Jm1K{Qc zb$z3kn8|kT_$H>TVL=zhHtkjHi#-F|+%pO|C=TfC$~J4EKzlII3eUKl_a>C;O0u2;AS_$%>*|S+)Qxuq;T`4=Qw?MneWxRgo!JIYGDNw|;d?xEp=F(Q~_f)K}$mfCQec8@2x*;VE8U2int!fH@n ztps$O5`m%0BMSq!dOx_Skl+Vg%Z*q%%re2v&jvSJDcD?+u;+&!n%RG;>G9dH=aVL; z(D1om&CNdM&`i#u*UqZw7NpvETIIe=p;{eXyyh*UT{q!aO;=f#ELG$ ztc&HI->-t`oMTPregVQkAwp+o?#X_@shKfaJ(7EFRi#!d3vP)`yyYOy4c|N(dP?3NLoE*Klo!uD`&V(u;2D_bp25LE z;X!A2=J_Mmda`4g=T>F9R_1vfR+5-!VxB8$VxHZ^JQMRw%ri01lQPfZX(S2r`@-iJWBZM{O(K8q%9g1P74_0`?Jt9;_r6&YMsX@?b=Mh6xMIl6z z^R(78G0(1Iar*NF0!0l16e$g~gBnnyk$@Hj681ZaQ&Ef$VV)8-J1sHKmT^nWvr@{1 zGtWdek0G1>X;NR&nd{pAiL;?ioYN_x-VAG}Z8y*5n#YV!atJ7Q7#NM? zd`wMXgm|f_d!KD?`smRc+21>&lk&afP;d7&dy|0)-%4-kWGFp z+1#p3*Ge|8!%7m_Ok{H|JsR<*fb`IV4q=r+)_9vSdszf#u+5BW=vlW5OC5d@{=q~oB z@73t-jE8qlNbgP$?0u~|AF_*G#{`6y?hrZZqy6IO9Zj6GF^+R5f(9aQPqvGFgCf6i zO+w{+yVwO;0LzQTp3heSbk1?L`hM}jK@mb{SL|5}657LrW}vV)_7ulr&#lUIt=RKA ztR!L2ggsZ%ggv_ndnW9euxG-aC&ixk&Y;2L#1~l`_7wKf_UQOZ*BnXo!O4uxVeDu{S-o724BJywD&I*Bc%I`}l2BVWad-RcD!pI&R8yptRv- zQ~+50huX?{Qf6}ByM6LMMHuV6;Bi{@fgwf!`T(&rMBWqcJqeaR@_uXD+xmR1H$|s| z-4uP7BkdvsC@};OBR$|lE&w#x*T^%-qwcPo&cgLZrAcV}?37*UEDw`SRqQPhUgAYl z_GLE@#S6a5i%j#lKbxu`*G0GMrM|M0&X;MHNS){1kv80}KIL+I2HQQGnq`!%^YJ9K z%=?3PCXSY52`8FdjrOnJ(p9MJa(GczJuY}zT&!YU@OqhXnCIbU-JMq@3+p7iwUz&W z_tZXbm$-ZO``h6`QRouFnE}`k35a6$ps2@y%REmrk3p(rcPKlu6%ef^<-;Yvb?bh% z(pc5oN@2Go*O#T<)cXv_``cTC-G;2_tYEZ<7fC+c!c1O-g_cE`)yIX2MzOjs?!4|C zs&>_ZS2g}-|7{m9?#i`_F4bbRO`aAML6-tbeGG^cJ_wY+fNBqE0|U;f=(S3R>p*ac zJh=4Xl69xilu&nxp|`|@O&?aw<*-Ae00l|_t5sM5Kj?QVAh6Rj9-uBz82Ij>*azGI zM1ki6+mY{05Bq@qN%}%>pZsuB3?9{nEDL!p>x*BkSR~iE^HFD3Ll&KSUwU&iJPxBu zrWe=S7X2ldGK$9CIT#|=uh=f)m#JRTh!-Zw;)4~sN(}cpY$rRC#8%yU!Z_ZI1-FuK zjnzi&ic z=xHO*FNV{N6|L1b;Ls3kfZ*5##F{6-T_b?u5(iXp*VA-*hV4QQ4Vu<-w|ec3&a$yt zy`!vc@NklQ`JiL%Wr$v9EiY zw>#|braWG6f=~5&kMnyS&$nH3U&$t2-?Z}^yT3zLVz1VNK%j zK>CVUsd_$9r3&f2db=eF0(K#8n4csqTR-RJ-w+M zS0x_STk3w%jns7q`6>$Q@bmC0j7`AwDoygR2(R?^@JytdSIJ)8iPN9BIBEUd*Xi@ z$#-UxsT|mfqat3aun_jJz^KTo)!KUQae>_)J>8^M$I(-p%6--c2C*@vZPb(vP~{9J15kNU--)SJ96?H9!SX4Pcob@5A`%MuZ}pN1r-KA@c++x7aU{rk(CFK^ydeSRJ6hM$GqFr2a59|*ezSbLff0X#x9 zAOXj~C-%%ahukGvNEq~a(o17EglFzHb2n#jsM`g8XWY%{(W|bfope@xAeScBcA^(L zigrkj1?8(ia+efk>*8AUnb#P}^_TEKD92r@JVkAGL79!4B-X(9D~Z+!GGS=-=Qxx* zJnS@=xF0t<6GU%73hH7XvXKnEGTyg72_A7Wyzi0j_Hho^c_{De`rK)+JNCQJ0DkNR zfZx4xc&fnfG!*RVz|ZCjj{<(4SYO{{B9`S0{AS=c1HT#gb&6-;Hv_+Mn{NdC%+2L> z_zBCnn|bdfc<;xa5Bwz8p3N0J%_{o9U4cDMBCZG%+?4_ckPu9;(NJL`gmH~j+M}LP z%0&vbd-4@t%EM@;gMT18h=lMx*QP6&3t?@P!axMB21v-j^9czE@4aU8;&c#`nGVi$ z&>0-+c7fj?9h?Mdb;;AYVI0QcXI|Xxs3E=WU0{7PYM2{F{ma~H&~a+mUBCmGp|OhO zx;EBQ!pb;7R>Vc%Yv4hj6N0D-h<}_J9vbuk#PGl&j*#FKF!V?;6027R3_qO&&o~)i z_(%`@I3Mgh6c~2h@U$ZyyW(d6L+=HE;k|Nrs=)9x6zmzm5IqhUelmgfy>(s|GccTi z;S3CCVAv_1f#D1c$8Ek5Fbs>7Gh)z1HU$j#e(d?cP!MGTW3vSb3G*0J%rN5yS~Knm zUn!p%$*DEH(32$KzNZ3$l#j6t5O?|R4Z*Jf4Dk#M|3JV{A`~!g^Aqhu3<%^3a6&1t zzEE3zRFy#fSAn6+W?(o2LuYWP+Xa4qz;KeG)g>JY)pgjDKCcf9qnzjYjuyt*=T|`s zQ{qLkNUupZTbQ7QyV*Yw6-ok`vYr%3s1zU+W5BtgHvED%45J89eb4KKlOsNW6COCb z5eb~)gcuVt5~o)N3geUD7$*Y?AL)4?=X;%pg2Jx*op!)u7yJxR=)V9cyjKoS6%?L^ zf;|Hi;>Ur)3-{uJU1TwVGbo%v;S36AP}nJ+LE#Jv$8Ek5D7=*lUj~Ahu43#Yc<;xa z4+;a$wXad2xYEdQM2r$tOIHXJD5ki;$X8r57#M_I&vgY=&`{r%kOt7~*xy$Gg`I$O z@k7h?dK)Nt%0(DipEOXrZoDCrjS1If#v5PRbMj%HL~TLsGNxm*#G1j|QGk%9QCPdy zfthO~s@1mLYA-otVD`3WLOkUKR)+!et1sF-Us&}GBrpOhEQA}-zzhv$D;s~+6{m83 z;?cDYAf10~qT6BByw zc5CrVg+!}BaU?v|xi&5hj!G)?pI;=Ank?-cgAIhcbgZ`>yQ!yXW!RODPsZ} zNe!0R^*Kd8RKg>4lzrtF9Mw30`xFyvrnzC9*>e|)a~m!(pGu0fHrBce2}g==+uOlv z_2P;^89>euQZCcNH-Q$I7!HZ?Y-8>rR|(g5jiHo7mvd-bAL{@^hB!VPilw~HT5BHn zbC#?#9y|YQWi>xP?`-G?S>+bCT)<-4h&?%KgNWou6Sgd_SuND63n-QnLPda zr?n14#M=~wGEB;RRi!Z98WRR_d;_8}4j>XPkQ#Dpy*UMekP0B*g+7tY<*aADU*@JL zPSiHHpPX3-WD#$|HrI)Gwb!F#skh)hPCv3P{oHe8aEI1LaOG6ZbvCxRdt1}@w)Hd* zM%oWF{sYtBZe2Qh4Y{@ZXlMz$R)5LZpm<>RUH7oqdt_;6sRt!R!mr^|7#H(R;+ z`0K~BAAai7+T9)>>!I=6E}`S!moQ(~&eyfy?RD+(;Psokmm>MBC%nlXbo~9y`S7o^ zzy0H%Kc4+MzM8OMNX?xh8}vlA5pw-e%G|HDTTFgy=R4wxX%=2tleZpWxv33uMp*ry z+RBU64tJWfcIrW$?K+2>=5%rU2tYSA+WCIeAM$GRf6l^~XSZink3YAwT@2cN>HYls zV3GOOW_<+6S_tGHx}PbUA*$hqbs9L;TI_>5dZ^wruj$_%@B{bx#p5pVUT=8J5$-nKn+l&2wMvD*y?3)(zzrvb?6N|HGNs({izU zv$2QdWA|ocPtD05mz8z$vijf#_eaMPv%{&`k>u>LFB1^>0xuKXE730|&tK^!g4eC0 z&v_}M#23m?NRh_`@jOTs z_XB1G^@YUHgC6rG^swjoh7yF0O(wX|5*x!LXI@LQzV^lbNnZBOUjTIvs>&UxV1R00 z0|Frf0VW98=hn&)>0|ca{r~t8f4sr-7eJ%anvwE%fs`kKTV2wDQC-(M>7Dvt0Bw>& zr(Es60ZQZRp7Hor-vHfRMsE2@lCozS#@_&S=KnytsGyYAuK7R)*oH_*XdonofN*1# zl~Ka{1NVXLIu4Ba0BCsN1Y2l`j{UwMmwE0;s9qTaOi$u7g_HRX=#l>SaUR%t=yyO} zCp_(j$By{v-vJTy0_g5uIXu(LQOZ*BnXomq3^IDWw2`%|d&xHa(LKKdz@)THvV z*@q;vl}T^8aLR0*7Aap_^W6i=mPCq_by+RRjhQNUH~%DvdAnic{8M?)O`iGTn>+{3 z2R$1U0G9uu#m)J6HnpqLkD@8Y$qCeiAkN4}I z9~G4XmQ}=15{*0oC@=~r6#+;=A+`(&qLGe`pJ@9!1g~AzR>{G* zmp3cnZC-zQrQYa<-oTbe9vaJA^ z)Bqy`2G)DbAfZ(AP;E{&>cz44u4SmnSFCQZ5E!vPs*m)eewDYs>Qz;e`}>(6&ASdZ zyR6ofs9)2f(vU{C+>P_KUeQx~mlfU?v*~;UET$d}-DB}mtwZ@-IfmsO{}KNVs539K zo*Ue|Zlkx16y7id0bz^*im{Eog&Z)Ld4YU@O6%HFll68Wc!LSLK~UWwq$>Bm%8(Q{ zNa1KPtbNpm+O8Mr3NnK<0$$bl&xS%RjHjkk%?|16sKC*UtQ+4yRz?3()yZC2V)tA3-@bnPHq3@uUl%Vo z{>gvqcD{YnPrf=JcI^D^+-%--xc1^`62)v@S}~o?ZL-$Vd}h8!<-c9@*zPwBa_tomeTH0Bm&0t>MdIM@krSrS>>JA;7TOkvia3O%_ zf=7qrq6twHRoH5em4<=h&|bquLpHs1GOxSBxG|J(o~JgFw?kj(^*XM!1JU;Jn-BJQ zny-!anu$0+DemfCZGQc=cNO^E_eb_$y@$`)|DwmSA+)=G=Q1X{9F(yGY=}k6FkO1% z8;GM@sYmQ(k;`y746 zH=5Rn)E<+XQE8LaFT1VGl*%sUh(InWg3-@cHCRtuy0ulAc2%VhSENm9^k<_TKY@)* zXM=`Y*0zW)WWDiqb=R}vZajVW7BkBRE~@vf8H{cJ_N`*07%6MF*_gjZ{lC>kYw}I_ z4WoQb{}<1gc|`UDofny{-{O33r`e=<3zcvE*qOJtcB3Da@t_>C7=(OX^kn_Kg#31p z&6BgutqpO);cqA7JS(yX|9 zOuqj5YcwN0D6{>qj6?Kmyy4e8<}=fn^=wXD7dgjor9bE_0$gXaJ&eXhtDTN##bj38 zzCYEj7j-}H$b~byS-kw~w}m;zl(GKA)CWH;!`J)9G0pP+ZEnZ&loF#2vfE+oqUeC$ zFDiDxTh3^?hr!2?O|%PuDkXs?fdFZ-vWPKb{95pyKV0_k?Kmc0)6BK@T&^FYubRK3 zDT`e*AHewp`*A&%zY2G1NTGZ0cUo~*dd+ROjEiE>+KMvr53-Tp(2%7#CgGb4m_wF# zJF6JKdA;_Sec!ar*~GmYKt!C2%0Jqlc_)BWGU?V7VKsRfPyDD!IcB+^u3?$+P-pXK zBpz80;$h~h?s;jdvryd6_;hRr%Tm8Ae*XF8&o5ufGJgy-TTD(9H2Yl8O!zonLIq&0 zgMbF2fR>a3Oem2~5Gi=A&$rG}B*aSW56!Sl)GSf6&qU2SHTG1Ew5?I3j?*UN$5_uh zKNu{5+C7?H1W<$QCC+Q^d!zpQK&{?{9g!NOkaFZXke=aaUmOBM7zEabIK2@PVaeV{ zYMWo%jwH6j!cLRNtucbRlt@AwI&@*U?zaYt5EqCd&VcLo41)&+!p^R^t{My5qhT{1 z?#=7avAk}pE?q0HyAC5sye{#&l{E3XZsK)`*Ck$;c-={PotqZ!Ud--T4IwN{wcmew zQFkv4em|bqS?z^{TzJly#F`i^ghkp>ZZxq5D@ZA(IC$tVH71Z?ofk|5=Lm9W(I;s| zT=(aNd!7>*bwmR%gaTB036y~}4goT81c=#pMVy2TqW$3>NlW4q-1}^Bua$$%C5L0b z#wxmTUemawheD1y zb=)YfxMhkn98K3rD5H*BVG#2SIuCu2NSd?!2Gl7741^9S9Va`% z7zSx=rRffH8Ug76#1ALpmx$jdBYv$AY%Vzk3moJ+&zB%jX0`pRX9IzpPIwOcjEvt0 zfy>(ONC7d_lm!wUkT);}3(bI(h5&3Z;VRG&1IGIlu=R~QAixcy+GKof2#_Ky8=7`$ z2=FS_Go59R?q0$2pm5pQ83E#&!QEwFp`7-69QaG69Vie1eg$DLVyVY zo)iI&uzZGh-!ZOEPM4XB^OY$)9sw$3HBwd@W2y6)MGe-t?Rf64N~|&onX0jZ zg{fi`@`sn%y)BMMgb)YltcMm#>Ah4^2IZ-9%o0XbkTiHBkO)pO6SQJfazmi;C_du_ zTT;J-2!CEgXcW`|N0%r}>~6{k2HI;6ET#%FZ#9)wjug+Jjv`pI4oRAF^Zl z;Z|L`R(^OLMw0kp;)g3~;)mVD4--F3{4nvulk!8xiIR8yDQ@M5(r}g|#OVhtF@#Zd zop6N3yp%d2DG>rIgN-zlK`aE+2ueewB1Q-kLxwX%V@{E>6q`lHlK5fw=jDf3$LX|$ z<&j;n<0&gwMJQUbD9tzuR5@CkBJVJ#;Yc3957RE=#1B6kKWv3yuMNIu`epHRU#uttF){57&PmRKFu_q8CqIy5 zX_;3}m9r$l4YS^3k9bsg9&e;N=5;(^n6P5PiXJ+t1yq1*7w6KJDWDN|AP9|_p(JQk z+kwBsoJOcab}rL|6%$tcWLU8kfz2h?3>=#uOkvf@@A-&h?=Jcc;&bu+ed2h?2UCc_ znn(q(j?R%QYC^@oAhU920X~NfUGICgzx!V`7epIi8d`epk4dKnVx6na{#h z!%#|Ho@B_5XO0XzZ9Q{PIbpQ)!VqJf3|?r-q*didRG`9)Q)igu&<7%z#X)-xm9h&s z@*|idPR#K#nIrXzdm4vKieLdHm;e>k6IjAgunLhliQkVoa*7Z5V2Vmh8548-Y|OD0 zg1t8QQ_{%HKMi7THeDUdIA9k+BQyR;XZ`3VYrj8f(#UE9cBGLG`+&IefO%CefQ()= zMqmhJ^b*E9rKs4lv3k=>cc76Q6s(CGTUS65c=6wE`Jbx*Eob?5%U*H&pvc|Xl}4%` zu>w*aOCz`H(zVja>oAf;BNL5WNfV9iCK{P&WTKIYMxK;LPWU~?GnU&?D~&AJU0(=F z(eX5r1P!gxk{A+00;3|PY$BFzg@e*MPKi+p5=XVt(9FN;qM#VH(b?I91%itn#r0bDJ(*Ey27BBS{1^5zLh|5zKBPn2BH}f|&^B zNeSlj6SQ|z$L?#iZDFb+kJFPUZlaG`l=@}yb6p7AV`R_n&=HF^b9B-Jm7=`%ZRZ` z){)%SIgO$c?@urhPAe=E!u)Iqvz3C)B?)dW{aOUaiiDz)fAA z{fv14$PgFv)aaD8rU3+rIg0UKyBGsoYxn_hbA!6R(M!x^J9m5&Q`WGc3uBx1D)z;m zfo<-Y1ss$IbarK%wN#)z8EB>hd&5m~EZp3xOxFrGufs|b+)QwDB~5U%o8V@Gn+a|v zxOq~z`O4eFgg=ICI2uonhntEDV=WEX28prVaGQ3IC%D;Fx`G~mK&P<~no=;#uGp~@o*1GjoVxT%of2Yi+r zv2>Vaf}5WWZnjdexg=rF4?Q%q|5DTAvtiFCO-!NTbH6$_`tQ!{0mc_L$!4BQ*T6vN7Mgf%3HaApO^1)N~h>e?VIfk=R{~f8Pf^ptwqPIcV3P5#qyM_n^thUNq>7~S5 z4&vPK&ZD8H@yxS-6^9I-fqCwk92}G$barQ+KVq#XJC=EFRi?#)BpC=F~Y7n4EX`mg{ zfEtYiv?!3U-%*^3Vtfeml&INhiFvk+TVkG-QZAf%CbD@9+4N77`ijn6*Y;1G4Q=9_ zP6_p9SUYXIi8iYZ*pY2QAqCPr&iEvUfO3a{(Kz~JY62s~OGVxLY;)5~kKV}s-VvRg zUp(2I{_Pr=%{f+c?w0}_lmv8kCY!Q8<2w!6C7Yxd?85_p8nlv4S!g!Ndb8k;C!0bsp`rDRLE)6}SYpL#kT8hgtPTiL zMBXlT8d&BAbb9eloJziooWQ#5_NA7yHxqYW8-)^Hl(yb9`ET zzx?2!4570t_N*ld?P)?YQP>-Mies_oR%Np525!6ZTBlGhxq@ zV$XYL(BN_6i>wWM3j1h#cas?(f55lZS)2-$JJUHKo_Q@rRB{f9i|HuzI3P{5V$y4i z4fBX<$FL2=5`wh#L?-N+uqRap8%rdhERGv>h61I^9czwq=ahF?@41Ox3Ut7NPE2^h zo(X#w)zN{p diff --git a/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json b/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json index 97b2897150212..6ec0622bfce71 100644 --- a/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json +++ b/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json @@ -2,6 +2,9 @@ "type": "index", "value": { "aliases": { + ".alerts-security.alerts-default": { + "is_write_index": false + }, ".siem-signals-default": { "is_write_index": true } @@ -9,7 +12,8 @@ "index": ".siem-signals-default-000001", "mappings": { "_meta": { - "version": 14 + "aliases_version": 1, + "version": 55 }, "dynamic": "false", "properties": { @@ -18,6 +22,14 @@ }, "agent": { "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "ephemeral_id": { "ignore_above": 1024, "type": "keyword" @@ -101,6 +113,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -120,6 +136,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -127,6 +147,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -157,6 +181,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -214,6 +242,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -226,6 +258,10 @@ "id": { "ignore_above": 1024, "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -253,6 +289,18 @@ } } }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "provider": { "ignore_above": 1024, "type": "keyword" @@ -260,6 +308,14 @@ "region": { "ignore_above": 1024, "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -315,6 +371,19 @@ } } }, + "data_stream": { + "properties": { + "dataset": { + "type": "keyword" + }, + "namespace": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, "destination": { "properties": { "address": { @@ -355,6 +424,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -374,6 +447,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -381,6 +458,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -411,6 +492,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -468,6 +553,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -480,6 +569,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -488,6 +581,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -513,6 +610,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -526,6 +627,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -538,6 +643,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -728,6 +837,10 @@ "ignore_above": 1024, "type": "keyword" }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, "reference": { "ignore_above": 1024, "type": "keyword" @@ -775,6 +888,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -783,6 +900,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -838,6 +959,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -876,6 +1001,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -888,6 +1017,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -918,6 +1051,112 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -998,6 +1237,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -1008,6 +1273,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1027,6 +1296,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1034,6 +1307,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1056,6 +1333,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { @@ -1090,6 +1391,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1156,6 +1461,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -1185,10 +1494,18 @@ "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "referrer": { "ignore_above": 1024, "type": "keyword" @@ -1217,6 +1534,10 @@ "bytes": { "type": "long" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "status_code": { "type": "long" } @@ -1244,11 +1565,475 @@ } } }, - "labels": { - "type": "object" + "kibana": { + "properties": { + "alert": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "path": "signal.ancestors.depth", + "type": "alias" + }, + "id": { + "path": "signal.ancestors.id", + "type": "alias" + }, + "index": { + "path": "signal.ancestors.index", + "type": "alias" + }, + "type": { + "path": "signal.ancestors.type", + "type": "alias" + } + } + }, + "depth": { + "path": "signal.depth", + "type": "alias" + }, + "original_event": { + "properties": { + "action": { + "path": "signal.original_event.action", + "type": "alias" + }, + "category": { + "path": "signal.original_event.category", + "type": "alias" + }, + "code": { + "path": "signal.original_event.code", + "type": "alias" + }, + "created": { + "path": "signal.original_event.created", + "type": "alias" + }, + "dataset": { + "path": "signal.original_event.dataset", + "type": "alias" + }, + "duration": { + "path": "signal.original_event.duration", + "type": "alias" + }, + "end": { + "path": "signal.original_event.end", + "type": "alias" + }, + "hash": { + "path": "signal.original_event.hash", + "type": "alias" + }, + "id": { + "path": "signal.original_event.id", + "type": "alias" + }, + "kind": { + "path": "signal.original_event.kind", + "type": "alias" + }, + "module": { + "path": "signal.original_event.module", + "type": "alias" + }, + "outcome": { + "path": "signal.original_event.outcome", + "type": "alias" + }, + "provider": { + "path": "signal.original_event.provider", + "type": "alias" + }, + "reason": { + "path": "signal.original_event.reason", + "type": "alias" + }, + "risk_score": { + "path": "signal.original_event.risk_score", + "type": "alias" + }, + "risk_score_norm": { + "path": "signal.original_event.risk_score_norm", + "type": "alias" + }, + "sequence": { + "path": "signal.original_event.sequence", + "type": "alias" + }, + "severity": { + "path": "signal.original_event.severity", + "type": "alias" + }, + "start": { + "path": "signal.original_event.start", + "type": "alias" + }, + "timezone": { + "path": "signal.original_event.timezone", + "type": "alias" + }, + "type": { + "path": "signal.original_event.type", + "type": "alias" + } + } + }, + "original_time": { + "path": "signal.original_time", + "type": "alias" + }, + "reason": { + "path": "signal.reason", + "type": "alias" + }, + "risk_score": { + "path": "signal.rule.risk_score", + "type": "alias" + }, + "rule": { + "properties": { + "author": { + "path": "signal.rule.author", + "type": "alias" + }, + "building_block_type": { + "path": "signal.rule.building_block_type", + "type": "alias" + }, + "consumer": { + "type": "constant_keyword", + "value": "siem" + }, + "created_at": { + "path": "signal.rule.created_at", + "type": "alias" + }, + "created_by": { + "path": "signal.rule.created_by", + "type": "alias" + }, + "description": { + "path": "signal.rule.description", + "type": "alias" + }, + "enabled": { + "path": "signal.rule.enabled", + "type": "alias" + }, + "false_positives": { + "path": "signal.rule.false_positives", + "type": "alias" + }, + "from": { + "path": "signal.rule.from", + "type": "alias" + }, + "id": { + "path": "signal.rule.id", + "type": "alias" + }, + "immutable": { + "path": "signal.rule.immutable", + "type": "alias" + }, + "index": { + "path": "signal.rule.index", + "type": "alias" + }, + "interval": { + "path": "signal.rule.interval", + "type": "alias" + }, + "language": { + "path": "signal.rule.language", + "type": "alias" + }, + "license": { + "path": "signal.rule.license", + "type": "alias" + }, + "max_signals": { + "path": "signal.rule.max_signals", + "type": "alias" + }, + "name": { + "path": "signal.rule.name", + "type": "alias" + }, + "note": { + "path": "signal.rule.note", + "type": "alias" + }, + "producer": { + "type": "constant_keyword", + "value": "siem" + }, + "query": { + "path": "signal.rule.query", + "type": "alias" + }, + "references": { + "path": "signal.rule.references", + "type": "alias" + }, + "risk_score_mapping": { + "properties": { + "field": { + "path": "signal.rule.risk_score_mapping.field", + "type": "alias" + }, + "operator": { + "path": "signal.rule.risk_score_mapping.operator", + "type": "alias" + }, + "value": { + "path": "signal.rule.risk_score_mapping.value", + "type": "alias" + } + } + }, + "rule_id": { + "path": "signal.rule.rule_id", + "type": "alias" + }, + "rule_name_override": { + "path": "signal.rule.rule_name_override", + "type": "alias" + }, + "rule_type_id": { + "type": "constant_keyword", + "value": "siem.signals" + }, + "saved_id": { + "path": "signal.rule.saved_id", + "type": "alias" + }, + "severity_mapping": { + "properties": { + "field": { + "path": "signal.rule.severity_mapping.field", + "type": "alias" + }, + "operator": { + "path": "signal.rule.severity_mapping.operator", + "type": "alias" + }, + "severity": { + "path": "signal.rule.severity_mapping.severity", + "type": "alias" + }, + "value": { + "path": "signal.rule.severity_mapping.value", + "type": "alias" + } + } + }, + "tags": { + "path": "signal.rule.tags", + "type": "alias" + }, + "threat": { + "properties": { + "framework": { + "path": "signal.rule.threat.framework", + "type": "alias" + }, + "tactic": { + "properties": { + "id": { + "path": "signal.rule.threat.tactic.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.tactic.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.tactic.reference", + "type": "alias" + } + } + }, + "technique": { + "properties": { + "id": { + "path": "signal.rule.threat.technique.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.technique.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.technique.reference", + "type": "alias" + }, + "subtechnique": { + "properties": { + "id": { + "path": "signal.rule.threat.technique.subtechnique.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.technique.subtechnique.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.technique.subtechnique.reference", + "type": "alias" + } + } + } + } + } + } + }, + "threat_index": { + "path": "signal.rule.threat_index", + "type": "alias" + }, + "threat_indicator_path": { + "path": "signal.rule.threat_indicator_path", + "type": "alias" + }, + "threat_language": { + "path": "signal.rule.threat_language", + "type": "alias" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "path": "signal.rule.threat_mapping.entries.field", + "type": "alias" + }, + "type": { + "path": "signal.rule.threat_mapping.entries.type", + "type": "alias" + }, + "value": { + "path": "signal.rule.threat_mapping.entries.value", + "type": "alias" + } + } + } + } + }, + "threat_query": { + "path": "signal.rule.threat_query", + "type": "alias" + }, + "threshold": { + "properties": { + "field": { + "path": "signal.rule.threshold.field", + "type": "alias" + }, + "value": { + "path": "signal.rule.threshold.value", + "type": "alias" + } + } + }, + "timeline_id": { + "path": "signal.rule.timeline_id", + "type": "alias" + }, + "timeline_title": { + "path": "signal.rule.timeline_title", + "type": "alias" + }, + "to": { + "path": "signal.rule.to", + "type": "alias" + }, + "type": { + "path": "signal.rule.type", + "type": "alias" + }, + "updated_at": { + "path": "signal.rule.updated_at", + "type": "alias" + }, + "updated_by": { + "path": "signal.rule.updated_by", + "type": "alias" + }, + "version": { + "path": "signal.rule.version", + "type": "alias" + } + } + }, + "severity": { + "path": "signal.rule.severity", + "type": "alias" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "path": "signal.threshold_result.cardinality.field", + "type": "alias" + }, + "value": { + "path": "signal.threshold_result.cardinality.value", + "type": "alias" + } + } + }, + "count": { + "path": "signal.threshold_result.count", + "type": "alias" + }, + "from": { + "path": "signal.threshold_result.from", + "type": "alias" + }, + "terms": { + "properties": { + "field": { + "path": "signal.threshold_result.terms.field", + "type": "alias" + }, + "value": { + "path": "signal.threshold_result.terms.value", + "type": "alias" + } + } + } + } + }, + "workflow_status": { + "path": "signal.status", + "type": "alias" + } + } + }, + "space_ids": { + "type": "constant_keyword", + "value": "default" + } + } + }, + "labels": { + "type": "object" }, "log": { "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "level": { "ignore_above": 1024, "type": "keyword" @@ -1434,6 +2219,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1453,6 +2242,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1460,6 +2253,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1548,6 +2345,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1576,6 +2377,54 @@ } } }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "organization": { "properties": { "id": { @@ -1726,6 +2575,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1734,6 +2587,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1786,6 +2643,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1813,6 +2674,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1821,6 +2686,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1873,6 +2742,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1886,22 +2759,54 @@ "ignore_above": 1024, "type": "keyword" }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { + "pe": { "properties": { - "id": { - "type": "long" + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" }, "name": { "ignore_above": 1024, @@ -1936,6 +2841,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -1948,6 +2857,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -2048,6 +2961,10 @@ "ignore_above": 1024, "type": "keyword" }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, @@ -2141,6 +3058,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2160,6 +3081,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2167,6 +3092,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2197,6 +3126,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2254,6 +3187,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -2382,6 +3319,9 @@ "provider": { "type": "keyword" }, + "reason": { + "type": "keyword" + }, "risk_score": { "type": "float" }, @@ -2451,6 +3391,9 @@ } } }, + "reason": { + "type": "keyword" + }, "rule": { "properties": { "author": { @@ -2612,6 +3555,38 @@ } } }, + "threat_filters": { + "type": "object" + }, + "threat_index": { + "type": "keyword" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "threat_query": { + "type": "keyword" + }, "threshold": { "properties": { "field": { @@ -2656,11 +3631,31 @@ }, "threshold_result": { "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, "count": { "type": "long" }, - "value": { - "type": "keyword" + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } } } } @@ -2706,6 +3701,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2725,6 +3724,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2732,6 +3735,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2762,6 +3769,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2819,11 +3830,23 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } } }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "tags": { "ignore_above": 1024, "type": "keyword" @@ -2834,129 +3857,492 @@ "ignore_above": 1024, "type": "keyword" }, - "tactic": { + "indicator": { "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } }, - "name": { + "confidence": { "ignore_above": 1024, "type": "keyword" }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { + "dataset": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "description": { + "type": "wildcard" }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "hash": { + "event": { "properties": { - "md5": { + "action": { "ignore_above": 1024, "type": "keyword" }, - "sha1": { + "category": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "code": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" }, "hash": { "properties": { @@ -2991,6 +4377,112 @@ "subject": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -3077,6 +4569,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -3089,10 +4585,130 @@ }, "user": { "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "email": { "ignore_above": 1024, "type": "keyword" @@ -3140,6 +4756,70 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -3201,6 +4881,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3320,7 +5004,8 @@ "index": ".siem-signals-default-000002", "mappings": { "_meta": { - "version": 14 + "aliases_version": 1, + "version": 55 }, "dynamic": "false", "properties": { @@ -3329,6 +5014,14 @@ }, "agent": { "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "ephemeral_id": { "ignore_above": 1024, "type": "keyword" @@ -3412,6 +5105,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -3431,6 +5128,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -3438,6 +5139,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -3468,6 +5173,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -3525,6 +5234,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -3537,6 +5250,10 @@ "id": { "ignore_above": 1024, "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -3564,6 +5281,18 @@ } } }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "provider": { "ignore_above": 1024, "type": "keyword" @@ -3571,6 +5300,14 @@ "region": { "ignore_above": 1024, "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -3626,6 +5363,19 @@ } } }, + "data_stream": { + "properties": { + "dataset": { + "type": "keyword" + }, + "namespace": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, "destination": { "properties": { "address": { @@ -3666,6 +5416,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -3685,6 +5439,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -3692,6 +5450,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -3722,6 +5484,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -3779,6 +5545,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -3791,6 +5561,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -3799,6 +5573,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -3824,6 +5602,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -3837,6 +5619,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -3849,6 +5635,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -4039,6 +5829,10 @@ "ignore_above": 1024, "type": "keyword" }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, "reference": { "ignore_above": 1024, "type": "keyword" @@ -4086,6 +5880,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -4094,6 +5892,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -4149,6 +5951,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -4187,6 +5993,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -4199,6 +6009,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -4229,6 +6043,112 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -4309,6 +6229,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -4319,6 +6265,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -4338,6 +6288,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -4345,6 +6299,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -4367,6 +6325,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { @@ -4401,6 +6383,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -4467,6 +6453,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -4493,65 +6483,533 @@ } } }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "alert": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "path": "signal.ancestors.depth", + "type": "alias" + }, + "id": { + "path": "signal.ancestors.id", + "type": "alias" + }, + "index": { + "path": "signal.ancestors.index", + "type": "alias" + }, + "type": { + "path": "signal.ancestors.type", + "type": "alias" + } + } + }, + "depth": { + "path": "signal.depth", + "type": "alias" + }, + "original_event": { + "properties": { + "action": { + "path": "signal.original_event.action", + "type": "alias" + }, + "category": { + "path": "signal.original_event.category", + "type": "alias" + }, + "code": { + "path": "signal.original_event.code", + "type": "alias" + }, + "created": { + "path": "signal.original_event.created", + "type": "alias" + }, + "dataset": { + "path": "signal.original_event.dataset", + "type": "alias" + }, + "duration": { + "path": "signal.original_event.duration", + "type": "alias" + }, + "end": { + "path": "signal.original_event.end", + "type": "alias" + }, + "hash": { + "path": "signal.original_event.hash", + "type": "alias" + }, + "id": { + "path": "signal.original_event.id", + "type": "alias" + }, + "kind": { + "path": "signal.original_event.kind", + "type": "alias" + }, + "module": { + "path": "signal.original_event.module", + "type": "alias" + }, + "outcome": { + "path": "signal.original_event.outcome", + "type": "alias" + }, + "provider": { + "path": "signal.original_event.provider", + "type": "alias" + }, + "reason": { + "path": "signal.original_event.reason", + "type": "alias" + }, + "risk_score": { + "path": "signal.original_event.risk_score", + "type": "alias" + }, + "risk_score_norm": { + "path": "signal.original_event.risk_score_norm", + "type": "alias" + }, + "sequence": { + "path": "signal.original_event.sequence", + "type": "alias" + }, + "severity": { + "path": "signal.original_event.severity", + "type": "alias" + }, + "start": { + "path": "signal.original_event.start", + "type": "alias" + }, + "timezone": { + "path": "signal.original_event.timezone", + "type": "alias" + }, + "type": { + "path": "signal.original_event.type", + "type": "alias" + } + } + }, + "original_time": { + "path": "signal.original_time", + "type": "alias" + }, + "reason": { + "path": "signal.reason", + "type": "alias" + }, + "risk_score": { + "path": "signal.rule.risk_score", + "type": "alias" + }, + "rule": { + "properties": { + "author": { + "path": "signal.rule.author", + "type": "alias" + }, + "building_block_type": { + "path": "signal.rule.building_block_type", + "type": "alias" + }, + "consumer": { + "type": "constant_keyword", + "value": "siem" + }, + "created_at": { + "path": "signal.rule.created_at", + "type": "alias" + }, + "created_by": { + "path": "signal.rule.created_by", + "type": "alias" + }, + "description": { + "path": "signal.rule.description", + "type": "alias" + }, + "enabled": { + "path": "signal.rule.enabled", + "type": "alias" + }, + "false_positives": { + "path": "signal.rule.false_positives", + "type": "alias" + }, + "from": { + "path": "signal.rule.from", + "type": "alias" + }, + "id": { + "path": "signal.rule.id", + "type": "alias" + }, + "immutable": { + "path": "signal.rule.immutable", + "type": "alias" + }, + "index": { + "path": "signal.rule.index", + "type": "alias" + }, + "interval": { + "path": "signal.rule.interval", + "type": "alias" + }, + "language": { + "path": "signal.rule.language", + "type": "alias" + }, + "license": { + "path": "signal.rule.license", + "type": "alias" + }, + "max_signals": { + "path": "signal.rule.max_signals", + "type": "alias" + }, + "name": { + "path": "signal.rule.name", + "type": "alias" + }, + "note": { + "path": "signal.rule.note", + "type": "alias" + }, + "producer": { + "type": "constant_keyword", + "value": "siem" + }, + "query": { + "path": "signal.rule.query", + "type": "alias" + }, + "references": { + "path": "signal.rule.references", + "type": "alias" + }, + "risk_score_mapping": { + "properties": { + "field": { + "path": "signal.rule.risk_score_mapping.field", + "type": "alias" + }, + "operator": { + "path": "signal.rule.risk_score_mapping.operator", + "type": "alias" + }, + "value": { + "path": "signal.rule.risk_score_mapping.value", + "type": "alias" + } + } + }, + "rule_id": { + "path": "signal.rule.rule_id", + "type": "alias" + }, + "rule_name_override": { + "path": "signal.rule.rule_name_override", + "type": "alias" + }, + "rule_type_id": { + "type": "constant_keyword", + "value": "siem.signals" + }, + "saved_id": { + "path": "signal.rule.saved_id", + "type": "alias" + }, + "severity_mapping": { + "properties": { + "field": { + "path": "signal.rule.severity_mapping.field", + "type": "alias" + }, + "operator": { + "path": "signal.rule.severity_mapping.operator", + "type": "alias" + }, + "severity": { + "path": "signal.rule.severity_mapping.severity", + "type": "alias" + }, + "value": { + "path": "signal.rule.severity_mapping.value", + "type": "alias" + } + } + }, + "tags": { + "path": "signal.rule.tags", + "type": "alias" + }, + "threat": { + "properties": { + "framework": { + "path": "signal.rule.threat.framework", + "type": "alias" + }, + "tactic": { + "properties": { + "id": { + "path": "signal.rule.threat.tactic.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.tactic.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.tactic.reference", + "type": "alias" + } + } + }, + "technique": { + "properties": { + "id": { + "path": "signal.rule.threat.technique.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.technique.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.technique.reference", + "type": "alias" + }, + "subtechnique": { + "properties": { + "id": { + "path": "signal.rule.threat.technique.subtechnique.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.technique.subtechnique.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.technique.subtechnique.reference", + "type": "alias" + } + } + } + } + } + } + }, + "threat_index": { + "path": "signal.rule.threat_index", + "type": "alias" + }, + "threat_indicator_path": { + "path": "signal.rule.threat_indicator_path", + "type": "alias" + }, + "threat_language": { + "path": "signal.rule.threat_language", + "type": "alias" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "path": "signal.rule.threat_mapping.entries.field", + "type": "alias" + }, + "type": { + "path": "signal.rule.threat_mapping.entries.type", + "type": "alias" + }, + "value": { + "path": "signal.rule.threat_mapping.entries.value", + "type": "alias" + } + } + } + } + }, + "threat_query": { + "path": "signal.rule.threat_query", + "type": "alias" + }, + "threshold": { + "properties": { + "field": { + "path": "signal.rule.threshold.field", + "type": "alias" + }, + "value": { + "path": "signal.rule.threshold.value", + "type": "alias" + } + } + }, + "timeline_id": { + "path": "signal.rule.timeline_id", + "type": "alias" + }, + "timeline_title": { + "path": "signal.rule.timeline_title", + "type": "alias" + }, + "to": { + "path": "signal.rule.to", + "type": "alias" + }, + "type": { + "path": "signal.rule.type", + "type": "alias" + }, + "updated_at": { + "path": "signal.rule.updated_at", + "type": "alias" + }, + "updated_by": { + "path": "signal.rule.updated_by", + "type": "alias" + }, + "version": { + "path": "signal.rule.version", + "type": "alias" + } + } + }, + "severity": { + "path": "signal.rule.severity", + "type": "alias" }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { + "threshold_result": { "properties": { - "bytes": { - "type": "long" + "cardinality": { + "properties": { + "field": { + "path": "signal.threshold_result.cardinality.field", + "type": "alias" + }, + "value": { + "path": "signal.threshold_result.cardinality.value", + "type": "alias" + } + } }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" + "count": { + "path": "signal.threshold_result.count", + "type": "alias" + }, + "from": { + "path": "signal.threshold_result.from", + "type": "alias" + }, + "terms": { + "properties": { + "field": { + "path": "signal.threshold_result.terms.field", + "type": "alias" + }, + "value": { + "path": "signal.threshold_result.terms.value", + "type": "alias" } - }, - "ignore_above": 1024, - "type": "keyword" + } } } }, - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" + "workflow_status": { + "path": "signal.status", + "type": "alias" } } }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "space_ids": { + "type": "constant_keyword", + "value": "default" } } }, @@ -4560,6 +7018,14 @@ }, "log": { "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "level": { "ignore_above": 1024, "type": "keyword" @@ -4745,6 +7211,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -4764,6 +7234,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -4771,6 +7245,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -4859,6 +7337,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -4887,6 +7369,54 @@ } } }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "organization": { "properties": { "id": { @@ -5037,6 +7567,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -5045,6 +7579,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -5097,6 +7635,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -5124,6 +7666,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -5132,6 +7678,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -5184,6 +7734,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -5197,6 +7751,38 @@ "ignore_above": 1024, "type": "keyword" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "pgid": { "type": "long" }, @@ -5247,6 +7833,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -5259,6 +7849,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -5359,6 +7953,10 @@ "ignore_above": 1024, "type": "keyword" }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, @@ -5452,6 +8050,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -5471,6 +8073,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -5478,6 +8084,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -5508,6 +8118,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -5565,6 +8179,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -5693,6 +8311,9 @@ "provider": { "type": "keyword" }, + "reason": { + "type": "keyword" + }, "risk_score": { "type": "float" }, @@ -5762,6 +8383,9 @@ } } }, + "reason": { + "type": "keyword" + }, "rule": { "properties": { "author": { @@ -5923,6 +8547,38 @@ } } }, + "threat_filters": { + "type": "object" + }, + "threat_index": { + "type": "keyword" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "threat_query": { + "type": "keyword" + }, "threshold": { "properties": { "field": { @@ -5967,11 +8623,31 @@ }, "threshold_result": { "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, "count": { "type": "long" }, - "value": { - "type": "keyword" + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } } } } @@ -6017,6 +8693,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -6036,6 +8716,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -6043,6 +8727,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -6069,7 +8757,11 @@ "port": { "type": "long" }, - "registered_domain": { + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { "ignore_above": 1024, "type": "keyword" }, @@ -6130,11 +8822,23 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } } }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "tags": { "ignore_above": 1024, "type": "keyword" @@ -6145,6 +8849,241 @@ "ignore_above": 1024, "type": "keyword" }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "tactic": { "properties": { "id": { @@ -6180,6 +9119,28 @@ "reference": { "ignore_above": 1024, "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } @@ -6242,6 +9203,112 @@ "supported_ciphers": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -6302,6 +9369,112 @@ "subject": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -6388,6 +9561,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -6400,10 +9577,130 @@ }, "user": { "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "email": { "ignore_above": 1024, "type": "keyword" @@ -6451,6 +9748,70 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -6512,6 +9873,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword"