[SIEM] Endgame events on the SIEM Overview page (#47774) (#47904)

## Summary

* Adds Endgame events to the SIEM Overview page, per the following screenshot:

<img width="1680" alt="overview-chrome" src="https://user-images.githubusercontent.com/4459398/66524250-26a47800-eaaf-11e9-8ff9-311c031e5d00.png">

* Adds `endgame-*` to the default SIEM index pattern, per the following screenshot:

<img width="1665" alt="siem-advanced-settings" src="https://user-images.githubusercontent.com/4459398/66524300-45a30a00-eaaf-11e9-93c3-dce74917e73a.png">

RELEASE NOTE: To view Endgame events in existing SIEM deployments, you must manually add `endgame-*` to the SIEM index pattern in `Kibana Management > Advanced Settings > SIEM > Elasticsearch indices`. Also note that the `Reset to default` feature for this setting in the Advanced Settings page now includes `endgame-*`.

* Adds the GraphQL plumbing for rendering Endgame data in the Timeline via row renderers (in an upcoming PR), with the introduction of the following fields:

```
dns.question.name
dns.question.type
dns.resolved_ip
dns.response_code
endgame.exit_code
endgame.file_name
endgame.file_path
endgame.logon_type
endgame.parent_process_name
endgame.pid
endgame.process_name
endgame.subject_domain_name
endgame.subject_logon_id
endgame.subject_user_name
endgame.target_domain_name
endgame.target_logon_id
endgame.target_user_name
event.code
file.name
process.hash.md5
process.hash.sha1
process.hash.sha256
user.domain
winlog.event_id
```

## Testing

### Cypress
The `smoke_tests/overview/overview.spec.ts` Cypress test was updated to include the new counts on the Overview page, per the screenshot below:

![cypress-overview-spec](https://user-images.githubusercontent.com/4459398/66529142-8c98fb80-eabf-11e9-800e-a0d9e1e51d6d.png)

### API Integration test

The Overview page API integration test `xpack/test/api_integration/apis/siem/overview_host.ts` was updated to include counts of mock Endgame data added to `test/functional/es_archives/auditbeat/overview/data.json.gz`

### Unit tests

Overview page unit tests were updated to include the new Endgame event counts

### Desk testing

* Desk tested by hand-editing `components/page/overview/overview_host/index.tsx` and setting the `endDate` and `startDate` values below to a fixed datetime:

```
<OverviewHostQuery endDate={endDate} sourceId="default" startDate={startDate}>
```

The counts shown on the overview page were then compared to the counts shown in the timeline in the same date period, to verify the counts match 1:1.

* The additional fields mentioned above in this PR (e.g. `dns.question.name`,`endgame.target_domain_name`) that are now being requested via GraphQL can be seen via the Timeline Inspect (query) feature:

1) Enter `event.module: endgame` in the Timeline KQL bar. (Adjust the date range if necessary.)
2) After Endgame events are displayed in the timeline, click the Inspect button in the Timeline settings gear.

The additional fields (and values) will be included in the Inspect query Request / Response tabs.

### Cross-browser dark/light testing
#### Firefox

<img width="1680" alt="overview-firefox" src="https://user-images.githubusercontent.com/4459398/66524773-9c5d1380-eab0-11e9-9383-c155872881b0.png">

#### Safari

<img width="1680" alt="overview-safari" src="https://user-images.githubusercontent.com/4459398/66524790-a54de500-eab0-11e9-9786-aa7dbe18c1bf.png">

#### IE11

This PR was *not* tested in IE11 due to the current blocker with `react-reverse-portal`

https://github.com/elastic/siem-team/issues/465
https://github.com/elastic/ecs-dev/issues/178
Andrew Goldstein 2019-10-11 08:42:58 -06:00 committed by GitHub
parent e5b6e90fa7
commit d503b7268a
45 changed files with 1370 additions and 2080 deletions


@ -21,6 +21,13 @@
"auditbeatPackage": 567,
"auditbeatProcess": 678,
"auditbeatUser": 789,
"endgameDns": 391,
"endgameFile": 392,
"endgameImageLoad": 393,
"endgameNetwork": 394,
"endgameProcess": 395,
"endgameRegistry": 396,
"endgameSecurity": 397,
"filebeatSystemModule": 890,
"winlogbeat": 100,
"__typename": "OverviewHostData"


@ -9,6 +9,34 @@ export const STAT_AUDITD = {
value: '123',
domId: '[data-test-subj="host-stat-auditbeatAuditd"]',
};
export const ENDGAME_DNS = {
value: '391',
domId: '[data-test-subj="host-stat-endgameDns"]',
};
export const ENDGAME_FILE = {
value: '392',
domId: '[data-test-subj="host-stat-endgameFile"]',
};
export const ENDGAME_IMAGE_LOAD = {
value: '393',
domId: '[data-test-subj="host-stat-endgameImageLoad"]',
};
export const ENDGAME_NETWORK = {
value: '394',
domId: '[data-test-subj="host-stat-endgameNetwork"]',
};
export const ENDGAME_PROCESS = {
value: '395',
domId: '[data-test-subj="host-stat-endgameProcess"]',
};
export const ENDGAME_REGISTRY = {
value: '396',
domId: '[data-test-subj="host-stat-endgameRegistry"]',
};
export const ENDGAME_SECURITY = {
value: '397',
domId: '[data-test-subj="host-stat-endgameSecurity"]',
};
export const STAT_FILEBEAT = {
value: '890',
domId: '[data-test-subj="host-stat-filebeatSystemModule"]',
@ -40,6 +68,13 @@ export const STAT_WINLOGBEAT = {
export const HOST_STATS = [
STAT_AUDITD,
ENDGAME_DNS,
ENDGAME_FILE,
ENDGAME_IMAGE_LOAD,
ENDGAME_NETWORK,
ENDGAME_PROCESS,
ENDGAME_REGISTRY,
ENDGAME_SECURITY,
STAT_FILEBEAT,
STAT_FIM,
STAT_LOGIN,


@ -0,0 +1,14 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
/** The comma-delimited list of Elasticsearch indices from which the SIEM app collects events */
export const defaultIndexPattern = [
'auditbeat-*',
'endgame-*',
'filebeat-*',
'packetbeat-*',
'winlogbeat-*',
];
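Review bot: The doc comment on line 175 describes a "comma-delimited list", but what is exported is an array of index patterns; the comma-joined form only appears where a consumer builds the index-pattern title (see the `title:` string in the updated body test). Because this same array instance is now handed to the uiSettings default in `index.ts` and returned by reference from several test mocks, a caller that mutates it (`sort`, `push`) would silently change the default for every other consumer; declaring it `export const defaultIndexPattern: readonly string[] = [ … ];` (or `Object.freeze`) turns that into a compile-time error — confirm the uiSettings `value` type accepts a readonly array before adopting it. Suggested comment: `/** Default index patterns the SIEM app reads events from; the Advanced Settings UI presents them as a comma-delimited list */`.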


@ -25,6 +25,7 @@ import {
DEFAULT_TO,
} from './common/constants';
import { signalsAlertType } from './server/lib/detection_engine/alerts/signals_alert_type';
import { defaultIndexPattern } from './default_index_pattern';
// eslint-disable-next-line @typescript-eslint/no-explicit-any
export function siem(kibana: any) {
@ -98,7 +99,7 @@ export function siem(kibana: any) {
name: i18n.translate('xpack.siem.uiSettings.defaultIndexLabel', {
defaultMessage: 'Elasticsearch indices',
}),
value: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
value: defaultIndexPattern,
description: i18n.translate('xpack.siem.uiSettings.defaultIndexDescription', {
defaultMessage:
'<p>Comma-delimited list of Elasticsearch indices from which the SIEM app collects events.</p>',
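Review bot: The `value: defaultIndexPattern` line now carries a behavioural caveat that is only stated in the PR description: uiSettings defaults apply to deployments that have never saved this setting, so adding `endgame-*` here does not reach existing installs, which must edit the setting by hand. A short comment at that line would keep this from being rediscovered the next time the list changes, e.g. `// Only new deployments pick this default up; installs that already saved the setting must add new patterns manually`. `siem()` starts on line 192 and continues outside the hunk.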


@ -371,6 +371,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -371,6 +371,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -371,6 +371,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -367,6 +367,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -10,6 +10,13 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt
"auditbeatPackage": 2003,
"auditbeatProcess": 1200,
"auditbeatUser": 1979,
"endgameDns": 39123,
"endgameFile": 39456,
"endgameImageLoad": 39789,
"endgameNetwork": 39101112,
"endgameProcess": 39131415,
"endgameRegistry": 39161718,
"endgameSecurity": 39202122,
"filebeatSystemModule": 568,
"winlogbeat": 296999,
}


@ -25,6 +25,7 @@ interface OverviewHostProps {
loading: boolean;
}
// eslint-disable-next-line complexity
const overviewHostStats = (data: OverviewHostData) => [
{
description:
@ -104,6 +105,91 @@ const overviewHostStats = (data: OverviewHostData) => [
),
id: 'auditbeatUser',
},
{
description:
has('endgameDns', data) && data.endgameDns !== null
? numeral(data.endgameDns).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage id="xpack.siem.overview.endgameDnsTitle" defaultMessage="Endgame DNS" />
),
id: 'endgameDns',
},
{
description:
has('endgameFile', data) && data.endgameFile !== null
? numeral(data.endgameFile).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage id="xpack.siem.overview.endgameFileTitle" defaultMessage="Endgame File" />
),
id: 'endgameFile',
},
{
description:
has('endgameImageLoad', data) && data.endgameImageLoad !== null
? numeral(data.endgameImageLoad).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.endgameImageLoadTitle"
defaultMessage="Endgame Image Load"
/>
),
id: 'endgameImageLoad',
},
{
description:
has('endgameNetwork', data) && data.endgameNetwork !== null
? numeral(data.endgameNetwork).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.endgameNetworkTitle"
defaultMessage="Endgame Network"
/>
),
id: 'endgameNetwork',
},
{
description:
has('endgameProcess', data) && data.endgameProcess !== null
? numeral(data.endgameProcess).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.endgameProcessTitle"
defaultMessage="Endgame Process"
/>
),
id: 'endgameProcess',
},
{
description:
has('endgameRegistry', data) && data.endgameRegistry !== null
? numeral(data.endgameRegistry).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.endgameRegistryTitle"
defaultMessage="Endgame Registry"
/>
),
id: 'endgameRegistry',
},
{
description:
has('endgameSecurity', data) && data.endgameSecurity !== null
? numeral(data.endgameSecurity).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.endgameSecurityTitle"
defaultMessage="Endgame Security"
/>
),
id: 'endgameSecurity',
},
{
description:
has('filebeatSystemModule', data) && data.filebeatSystemModule !== null
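Review bot: The seven new Endgame entries repeat the same three-line `has(key, data) && data.key !== null ? numeral(...) : getEmptyTagValue()` ternary, and the `// eslint-disable-next-line complexity` added above `overviewHostStats` suppresses the symptom of that duplication rather than removing it. Factoring the formatting into one helper keeps each entry to its key and title and should let the suppression go; the `FormattedMessage` literals are best left inline, since Kibana's i18n extraction needs static `id`/`defaultMessage` values, if I recall correctly. `keyof OverviewHostData` also covers non-count fields such as `inspect`, so a narrower key union may be preferable — confirm against the generated type. `overviewHostStats` starts on line 270 and its array continues past the end of this hunk.
```tsx
/** Formats the count stored under `key`, or the empty tag when the field is absent or null */
const formatCount = (data: OverviewHostData, key: keyof OverviewHostData) =>
  has(key, data) && data[key] !== null ? numeral(data[key]).format('0,0') : getEmptyTagValue();

const overviewHostStats = (data: OverviewHostData) => [
  // … unchanged: auditbeat entries …
  {
    description: formatCount(data, 'endgameDns'),
    title: (
      <FormattedMessage id="xpack.siem.overview.endgameDnsTitle" defaultMessage="Endgame DNS" />
    ),
    id: 'endgameDns',
  },
  // … unchanged: remaining entries, each with description: formatCount(data, '<id>') …
```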


@ -14,6 +14,13 @@ export const mockData: { OverviewHost: OverviewHostData } = {
auditbeatPackage: 2003,
auditbeatProcess: 1200,
auditbeatUser: 1979,
endgameDns: 39123,
endgameFile: 39456,
endgameImageLoad: 39789,
endgameNetwork: 39101112,
endgameProcess: 39131415,
endgameRegistry: 39161718,
endgameSecurity: 39202122,
filebeatSystemModule: 568,
winlogbeat: 296999,
},


@ -378,6 +378,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -366,6 +366,7 @@ exports[`SuricataDetails rendering it renders the default SuricataDetails 1`] =
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -371,6 +371,7 @@ exports[`suricata_row_renderer renders correctly against snapshot 1`] = `
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -366,6 +366,7 @@ exports[`ZeekDetails rendering it renders the default ZeekDetails 1`] = `
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -371,6 +371,7 @@ exports[`zeek_row_renderer renders correctly against snapshot 1`] = `
"format": "",
"indexes": Array [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*",


@ -4,6 +4,7 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { defaultIndexPattern } from '../../../../default_index_pattern';
import { GetLastEventTimeQuery, LastEventIndexKey } from '../../../graphql/types';
import { LastEventTimeGqlQuery } from './last_event_time.gql_query';
@ -42,7 +43,7 @@ export const mockLastEventTimeQuery: MockLastEventTimeQuery[] = [
sourceId: 'default',
indexKey: LastEventIndexKey.hosts,
details: {},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
},
},
result: {


@ -4,6 +4,7 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { defaultIndexPattern } from '../../../../default_index_pattern';
import { GetHostFirstLastSeenQuery } from '../../../graphql/types';
import { HostFirstLastSeenGqlQuery } from './first_last_seen.gql_query';
@ -33,7 +34,7 @@ export const mockFirstLastSeenHostQuery: MockedProvidedQuery[] = [
variables: {
sourceId: 'default',
hostName: 'kibana-siem',
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
},
},
result: {


@ -23,6 +23,13 @@ export const overviewHostQuery = gql`
auditbeatPackage
auditbeatProcess
auditbeatUser
endgameDns
endgameFile
endgameImageLoad
endgameNetwork
endgameProcess
endgameRegistry
endgameSecurity
filebeatSystemModule
winlogbeat
inspect @include(if: $inspect) {


@ -6,6 +6,7 @@
import { BrowserFields } from '.';
import { sourceQuery } from './index.gql_query';
import { defaultIndexPattern } from '../../../default_index_pattern';
export const mocksSource = [
{
@ -13,7 +14,7 @@ export const mocksSource = [
query: sourceQuery,
variables: {
sourceId: 'default',
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
},
},
result: {
@ -332,7 +333,7 @@ export const mocksSource = [
'event.end contains the date when the event ended or when the activity was last observed.',
example: null,
format: '',
indexes: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
indexes: defaultIndexPattern,
name: 'event.end',
searchable: true,
type: 'date',
@ -660,7 +661,7 @@ export const mockBrowserFields: BrowserFields = {
'event.end contains the date when the event ended or when the activity was last observed.',
example: null,
format: '',
indexes: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
indexes: defaultIndexPattern,
name: 'event.end',
searchable: true,
type: 'date',


@ -71,6 +71,7 @@ export const timelineQuery = gql`
event {
action
category
code
created
dataset
duration
@ -112,6 +113,7 @@ export const timelineQuery = gql`
}
}
file {
name
path
target_path
extension
@ -160,6 +162,29 @@ export const timelineQuery = gql`
region_name
}
}
dns {
question {
name
type
}
resolved_ip
response_code
}
endgame {
exit_code
file_name
file_path
logon_type
parent_process_name
pid
process_name
subject_domain_name
subject_logon_id
subject_user_name
target_domain_name
target_logon_id
target_user_name
}
geo {
region_name
country_iso_code
@ -224,9 +249,18 @@ export const timelineQuery = gql`
password
}
user {
domain
name
}
winlog {
event_id
}
process {
hash {
md5
sha1
sha256
}
pid
name
ppid


@ -2590,6 +2590,14 @@
"name": "UserEcsFields",
"description": "",
"fields": [
{
"name": "domain",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "id",
"description": "",
@ -3410,6 +3418,22 @@
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "dns",
"description": "",
"args": [],
"type": { "kind": "OBJECT", "name": "DnsEcsFields", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgame",
"description": "",
"args": [],
"type": { "kind": "OBJECT", "name": "EndgameEcsFields", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "event",
"description": "",
@ -3514,6 +3538,14 @@
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "winlog",
"description": "",
"args": [],
"type": { "kind": "OBJECT", "name": "WinlogEcsFields", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "process",
"description": "",
@ -3775,6 +3807,183 @@
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "DnsEcsFields",
"description": "",
"fields": [
{
"name": "question",
"description": "",
"args": [],
"type": { "kind": "OBJECT", "name": "DnsQuestionData", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "resolved_ip",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "response_code",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
"interfaces": [],
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "DnsQuestionData",
"description": "",
"fields": [
{
"name": "name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "type",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
"interfaces": [],
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "EndgameEcsFields",
"description": "",
"fields": [
{
"name": "exit_code",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "file_name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "file_path",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "logon_type",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "parent_process_name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "pid",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "process_name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "subject_domain_name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "subject_logon_id",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "subject_user_name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "target_domain_name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "target_logon_id",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "target_user_name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
"interfaces": [],
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "EventEcsFields",
@ -3796,6 +4005,14 @@
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "code",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "created",
"description": "",
@ -4936,11 +5153,38 @@
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "WinlogEcsFields",
"description": "",
"fields": [
{
"name": "event_id",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
"interfaces": [],
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "ProcessEcsFields",
"description": "",
"fields": [
{
"name": "hash",
"description": "",
"args": [],
"type": { "kind": "OBJECT", "name": "ProcessHashData", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "pid",
"description": "",
@ -5011,6 +5255,41 @@
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "ProcessHashData",
"description": "",
"fields": [
{
"name": "md5",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "sha1",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "sha256",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
"interfaces": [],
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "Thread",
@ -5043,6 +5322,14 @@
"name": "FileFields",
"description": "",
"fields": [
{
"name": "name",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "path",
"description": "",
@ -8215,6 +8502,62 @@
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgameDns",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgameFile",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgameImageLoad",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgameNetwork",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgameProcess",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgameRegistry",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "endgameSecurity",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "filebeatSystemModule",
"description": "",


@ -539,6 +539,8 @@ export interface AuthenticationItem {
}
export interface UserEcsFields {
domain?: Maybe<string[]>;
id?: Maybe<string[]>;
name?: Maybe<string[]>;
@ -687,6 +689,10 @@ export interface Ecs {
destination?: Maybe<DestinationEcsFields>;
dns?: Maybe<DnsEcsFields>;
endgame?: Maybe<EndgameEcsFields>;
event?: Maybe<EventEcsFields>;
geo?: Maybe<GeoEcsFields>;
@ -713,6 +719,8 @@ export interface Ecs {
user?: Maybe<UserEcsFields>;
winlog?: Maybe<WinlogEcsFields>;
process?: Maybe<ProcessEcsFields>;
file?: Maybe<FileFields>;
@ -774,11 +782,55 @@ export interface DestinationEcsFields {
packets?: Maybe<number[]>;
}
export interface DnsEcsFields {
question?: Maybe<DnsQuestionData>;
resolved_ip?: Maybe<string[]>;
response_code?: Maybe<string[]>;
}
export interface DnsQuestionData {
name?: Maybe<string[]>;
type?: Maybe<string[]>;
}
export interface EndgameEcsFields {
exit_code?: Maybe<number[]>;
file_name?: Maybe<string[]>;
file_path?: Maybe<string[]>;
logon_type?: Maybe<number[]>;
parent_process_name?: Maybe<string[]>;
pid?: Maybe<number[]>;
process_name?: Maybe<string[]>;
subject_domain_name?: Maybe<string[]>;
subject_logon_id?: Maybe<string[]>;
subject_user_name?: Maybe<string[]>;
target_domain_name?: Maybe<string[]>;
target_logon_id?: Maybe<string[]>;
target_user_name?: Maybe<string[]>;
}
export interface EventEcsFields {
action?: Maybe<string[]>;
category?: Maybe<string[]>;
code?: Maybe<string[]>;
created?: Maybe<string[]>;
dataset?: Maybe<string[]>;
@ -1042,7 +1094,13 @@ export interface UrlEcsFields {
password?: Maybe<string[]>;
}
export interface WinlogEcsFields {
event_id?: Maybe<number[]>;
}
export interface ProcessEcsFields {
hash?: Maybe<ProcessHashData>;
pid?: Maybe<number[]>;
name?: Maybe<string[]>;
@ -1060,6 +1118,14 @@ export interface ProcessEcsFields {
working_directory?: Maybe<string[]>;
}
export interface ProcessHashData {
md5?: Maybe<string[]>;
sha1?: Maybe<string[]>;
sha256?: Maybe<string[]>;
}
export interface Thread {
id?: Maybe<number[]>;
@ -1067,6 +1133,8 @@ export interface Thread {
}
export interface FileFields {
name?: Maybe<string[]>;
path?: Maybe<string[]>;
target_path?: Maybe<string[]>;
@ -1593,6 +1661,20 @@ export interface OverviewHostData {
auditbeatUser?: Maybe<number>;
endgameDns?: Maybe<number>;
endgameFile?: Maybe<number>;
endgameImageLoad?: Maybe<number>;
endgameNetwork?: Maybe<number>;
endgameProcess?: Maybe<number>;
endgameRegistry?: Maybe<number>;
endgameSecurity?: Maybe<number>;
filebeatSystemModule?: Maybe<number>;
winlogbeat?: Maybe<number>;
@ -3414,6 +3496,20 @@ export namespace GetOverviewHostQuery {
auditbeatUser: Maybe<number>;
endgameDns: Maybe<number>;
endgameFile: Maybe<number>;
endgameImageLoad: Maybe<number>;
endgameNetwork: Maybe<number>;
endgameProcess: Maybe<number>;
endgameRegistry: Maybe<number>;
endgameSecurity: Maybe<number>;
filebeatSystemModule: Maybe<number>;
winlogbeat: Maybe<number>;
@ -3843,6 +3939,10 @@ export namespace GetTimelineQuery {
destination: Maybe<Destination>;
dns: Maybe<Dns>;
endgame: Maybe<Endgame>;
geo: Maybe<__Geo>;
suricata: Maybe<Suricata>;
@ -3857,6 +3957,8 @@ export namespace GetTimelineQuery {
user: Maybe<User>;
winlog: Maybe<Winlog>;
process: Maybe<Process>;
zeek: Maybe<Zeek>;
@ -3913,6 +4015,8 @@ export namespace GetTimelineQuery {
category: Maybe<string[]>;
code: Maybe<string[]>;
created: Maybe<string[]>;
dataset: Maybe<string[]>;
@ -4003,6 +4107,8 @@ export namespace GetTimelineQuery {
export type File = {
__typename?: 'FileFields';
name: Maybe<string[]>;
path: Maybe<string[]>;
target_path: Maybe<string[]>;
@ -4102,6 +4208,54 @@ export namespace GetTimelineQuery {
region_name: Maybe<string[]>;
};
export type Dns = {
__typename?: 'DnsEcsFields';
question: Maybe<Question>;
resolved_ip: Maybe<string[]>;
response_code: Maybe<string[]>;
};
export type Question = {
__typename?: 'DnsQuestionData';
name: Maybe<string[]>;
type: Maybe<string[]>;
};
export type Endgame = {
__typename?: 'EndgameEcsFields';
exit_code: Maybe<number[]>;
file_name: Maybe<string[]>;
file_path: Maybe<string[]>;
logon_type: Maybe<number[]>;
parent_process_name: Maybe<string[]>;
pid: Maybe<number[]>;
process_name: Maybe<string[]>;
subject_domain_name: Maybe<string[]>;
subject_logon_id: Maybe<string[]>;
subject_user_name: Maybe<string[]>;
target_domain_name: Maybe<string[]>;
target_logon_id: Maybe<string[]>;
target_user_name: Maybe<string[]>;
};
export type __Geo = {
__typename?: 'GeoEcsFields';
@ -4255,12 +4409,22 @@ export namespace GetTimelineQuery {
export type User = {
__typename?: 'UserEcsFields';
domain: Maybe<string[]>;
name: Maybe<string[]>;
};
export type Winlog = {
__typename?: 'WinlogEcsFields';
event_id: Maybe<number[]>;
};
export type Process = {
__typename?: 'ProcessEcsFields';
hash: Maybe<Hash>;
pid: Maybe<number[]>;
name: Maybe<string[]>;
@ -4276,6 +4440,16 @@ export namespace GetTimelineQuery {
working_directory: Maybe<string[]>;
};
export type Hash = {
__typename?: 'ProcessHashData';
md5: Maybe<string[]>;
sha1: Maybe<string[]>;
sha256: Maybe<string[]>;
};
export type Zeek = {
__typename?: 'ZeekEcsFields';
@ -4285,7 +4459,7 @@ export namespace GetTimelineQuery {
notice: Maybe<Notice>;
dns: Maybe<Dns>;
dns: Maybe<_Dns>;
http: Maybe<_Http>;
@ -4326,7 +4500,7 @@ export namespace GetTimelineQuery {
peer_descr: Maybe<string[]>;
};
export type Dns = {
export type _Dns = {
__typename?: 'ZeekDnsData';
AA: Maybe<boolean[]>;


@ -18,6 +18,7 @@ import {
DEFAULT_INTERVAL_PAUSE,
DEFAULT_INTERVAL_VALUE,
} from '../../common/constants';
import { defaultIndexPattern } from '../../default_index_pattern';
chrome.getUiSettingsClient().get.mockImplementation((key: string) => {
switch (key) {
@ -36,7 +37,7 @@ chrome.getUiSettingsClient().get.mockImplementation((key: string) => {
value: DEFAULT_INTERVAL_VALUE,
};
case DEFAULT_INDEX_KEY:
return ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'];
return defaultIndexPattern;
case DEFAULT_DATE_FORMAT_TZ:
return 'Asia/Taipei';
case DEFAULT_DARK_MODE:


@ -51,7 +51,10 @@ describe('body', () => {
endDate: 0,
filterQuery: { term: { 'host.name': 'host-1' } },
hostName: 'host-1',
indexPattern: { fields: [], title: 'auditbeat-*,filebeat-*,packetbeat-*,winlogbeat-*' },
indexPattern: {
fields: [],
title: 'auditbeat-*,endgame-*,filebeat-*,packetbeat-*,winlogbeat-*',
},
kqlQueryExpression: 'host.name: "host-1"',
skip: false,
startDate: 0,


@ -12,6 +12,7 @@ export const ecsSchema = gql`
type EventEcsFields {
action: ToStringArray
category: ToStringArray
code: ToStringArray
created: ToDateArray
dataset: ToStringArray
duration: ToNumberArray
@ -97,7 +98,14 @@ export const ecsSchema = gql`
start: ToStringArray
}
type ProcessHashData {
md5: ToStringArray
sha1: ToStringArray
sha256: ToStringArray
}
type ProcessEcsFields {
hash: ProcessHashData
pid: ToNumberArray
name: ToStringArray
ppid: ToNumberArray
@ -126,6 +134,33 @@ export const ecsSchema = gql`
packets: ToNumberArray
}
type DnsQuestionData {
name: ToStringArray
type: ToStringArray
}
type DnsEcsFields {
question: DnsQuestionData
resolved_ip: ToStringArray
response_code: ToStringArray
}
type EndgameEcsFields {
exit_code: ToNumberArray
file_name: ToStringArray
file_path: ToStringArray
logon_type: ToNumberArray
parent_process_name: ToStringArray
pid: ToNumberArray
process_name: ToStringArray
subject_domain_name: ToStringArray
subject_logon_id: ToStringArray
subject_user_name: ToStringArray
target_domain_name: ToStringArray
target_logon_id: ToStringArray
target_user_name: ToStringArray
}
type SuricataAlertData {
signature: ToStringArray
signature_id: ToNumberArray
@ -200,6 +235,7 @@ export const ecsSchema = gql`
}
type FileFields {
name: ToStringArray
path: ToStringArray
target_path: ToStringArray
extension: ToStringArray
@ -294,6 +330,7 @@ export const ecsSchema = gql`
}
type UserEcsFields {
domain: ToStringArray
id: ToStringArray
name: ToStringArray
full_name: ToStringArray
@ -302,6 +339,10 @@ export const ecsSchema = gql`
group: ToStringArray
}
type WinlogEcsFields {
event_id: ToNumberArray
}
type NetworkEcsField {
bytes: ToNumberArray
community_id: ToStringArray
@ -343,6 +384,8 @@ export const ecsSchema = gql`
_index: String
auditd: AuditdEcsFields
destination: DestinationEcsFields
dns: DnsEcsFields
endgame: EndgameEcsFields
event: EventEcsFields
geo: GeoEcsFields
host: HostEcsFields
@ -356,6 +399,7 @@ export const ecsSchema = gql`
timestamp: Date
message: ToStringArray
user: UserEcsFields
winlog: WinlogEcsFields
process: ProcessEcsFields
file: FileFields
system: SystemEcsField
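Review bot: `WinlogEcsFields.event_id` is declared `ToNumberArray` on the `type WinlogEcsFields` line, while the sibling `event.code` added in the same schema is `ToStringArray`; in Winlogbeat's ECS mapping `winlog.event_id` is a keyword field, if I recall correctly, so the source documents will carry strings such as `"4624"`. Whether that works depends on how the `ToNumberArray` scalar coerces string input, which is not visible here — either confirm it parses numeric strings, or declare the field `event_id: ToStringArray` to match `event.code` and the underlying mapping. A one-line comment recording the decision, e.g. `# winlog.event_id is a keyword in Winlogbeat; ToNumberArray relies on the scalar coercing numeric strings`, would help the next reader. The same choice is mirrored in the generated types and introspection JSON, which would need regenerating.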


@ -27,6 +27,13 @@ export const overviewSchema = gql`
auditbeatPackage: Float
auditbeatProcess: Float
auditbeatUser: Float
endgameDns: Float
endgameFile: Float
endgameImageLoad: Float
endgameNetwork: Float
endgameProcess: Float
endgameRegistry: Float
endgameSecurity: Float
filebeatSystemModule: Float
winlogbeat: Float
inspect: Inspect


@ -541,6 +541,8 @@ export interface AuthenticationItem {
}
export interface UserEcsFields {
domain?: Maybe<string[] | string>;
id?: Maybe<string[] | string>;
name?: Maybe<string[] | string>;
@ -689,6 +691,10 @@ export interface Ecs {
destination?: Maybe<DestinationEcsFields>;
dns?: Maybe<DnsEcsFields>;
endgame?: Maybe<EndgameEcsFields>;
event?: Maybe<EventEcsFields>;
geo?: Maybe<GeoEcsFields>;
@ -715,6 +721,8 @@ export interface Ecs {
user?: Maybe<UserEcsFields>;
winlog?: Maybe<WinlogEcsFields>;
process?: Maybe<ProcessEcsFields>;
file?: Maybe<FileFields>;
@ -776,11 +784,55 @@ export interface DestinationEcsFields {
packets?: Maybe<number[] | number>;
}
export interface DnsEcsFields {
question?: Maybe<DnsQuestionData>;
resolved_ip?: Maybe<string[] | string>;
response_code?: Maybe<string[] | string>;
}
export interface DnsQuestionData {
name?: Maybe<string[] | string>;
type?: Maybe<string[] | string>;
}
export interface EndgameEcsFields {
exit_code?: Maybe<number[] | number>;
file_name?: Maybe<string[] | string>;
file_path?: Maybe<string[] | string>;
logon_type?: Maybe<number[] | number>;
parent_process_name?: Maybe<string[] | string>;
pid?: Maybe<number[] | number>;
process_name?: Maybe<string[] | string>;
subject_domain_name?: Maybe<string[] | string>;
subject_logon_id?: Maybe<string[] | string>;
subject_user_name?: Maybe<string[] | string>;
target_domain_name?: Maybe<string[] | string>;
target_logon_id?: Maybe<string[] | string>;
target_user_name?: Maybe<string[] | string>;
}
export interface EventEcsFields {
action?: Maybe<string[] | string>;
category?: Maybe<string[] | string>;
code?: Maybe<string[] | string>;
created?: Maybe<string[] | string>;
dataset?: Maybe<string[] | string>;
@ -1044,7 +1096,13 @@ export interface UrlEcsFields {
password?: Maybe<string[] | string>;
}
export interface WinlogEcsFields {
event_id?: Maybe<number[] | number>;
}
export interface ProcessEcsFields {
hash?: Maybe<ProcessHashData>;
pid?: Maybe<number[] | number>;
name?: Maybe<string[] | string>;
@ -1062,6 +1120,14 @@ export interface ProcessEcsFields {
working_directory?: Maybe<string[] | string>;
}
export interface ProcessHashData {
md5?: Maybe<string[] | string>;
sha1?: Maybe<string[] | string>;
sha256?: Maybe<string[] | string>;
}
export interface Thread {
id?: Maybe<number[] | number>;
@ -1069,6 +1135,8 @@ export interface Thread {
}
export interface FileFields {
name?: Maybe<string[] | string>;
path?: Maybe<string[] | string>;
target_path?: Maybe<string[] | string>;
@ -1595,6 +1663,20 @@ export interface OverviewHostData {
auditbeatUser?: Maybe<number>;
endgameDns?: Maybe<number>;
endgameFile?: Maybe<number>;
endgameImageLoad?: Maybe<number>;
endgameNetwork?: Maybe<number>;
endgameProcess?: Maybe<number>;
endgameRegistry?: Maybe<number>;
endgameSecurity?: Maybe<number>;
filebeatSystemModule?: Maybe<number>;
winlogbeat?: Maybe<number>;
@ -3185,6 +3267,8 @@ export namespace AuthenticationItemResolvers {
export namespace UserEcsFieldsResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = UserEcsFields> {
domain?: DomainResolver<Maybe<string[] | string>, TypeParent, TContext>;
id?: IdResolver<Maybe<string[] | string>, TypeParent, TContext>;
name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -3198,6 +3282,11 @@ export namespace UserEcsFieldsResolvers {
group?: GroupResolver<Maybe<string[] | string>, TypeParent, TContext>;
}
export type DomainResolver<
R = Maybe<string[] | string>,
Parent = UserEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type IdResolver<
R = Maybe<string[] | string>,
Parent = UserEcsFields,
@ -3655,6 +3744,10 @@ export namespace EcsResolvers {
destination?: DestinationResolver<Maybe<DestinationEcsFields>, TypeParent, TContext>;
dns?: DnsResolver<Maybe<DnsEcsFields>, TypeParent, TContext>;
endgame?: EndgameResolver<Maybe<EndgameEcsFields>, TypeParent, TContext>;
event?: EventResolver<Maybe<EventEcsFields>, TypeParent, TContext>;
geo?: GeoResolver<Maybe<GeoEcsFields>, TypeParent, TContext>;
@ -3681,6 +3774,8 @@ export namespace EcsResolvers {
user?: UserResolver<Maybe<UserEcsFields>, TypeParent, TContext>;
winlog?: WinlogResolver<Maybe<WinlogEcsFields>, TypeParent, TContext>;
process?: ProcessResolver<Maybe<ProcessEcsFields>, TypeParent, TContext>;
file?: FileResolver<Maybe<FileFields>, TypeParent, TContext>;
@ -3708,6 +3803,16 @@ export namespace EcsResolvers {
Parent = Ecs,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type DnsResolver<R = Maybe<DnsEcsFields>, Parent = Ecs, TContext = SiemContext> = Resolver<
R,
Parent,
TContext
>;
export type EndgameResolver<
R = Maybe<EndgameEcsFields>,
Parent = Ecs,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EventResolver<
R = Maybe<EventEcsFields>,
Parent = Ecs,
@ -3773,6 +3878,11 @@ export namespace EcsResolvers {
Parent = Ecs,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type WinlogResolver<
R = Maybe<WinlogEcsFields>,
Parent = Ecs,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type ProcessResolver<
R = Maybe<ProcessEcsFields>,
Parent = Ecs,
@ -3969,12 +4079,155 @@ export namespace DestinationEcsFieldsResolvers {
> = Resolver<R, Parent, TContext>;
}
export namespace DnsEcsFieldsResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = DnsEcsFields> {
question?: QuestionResolver<Maybe<DnsQuestionData>, TypeParent, TContext>;
resolved_ip?: ResolvedIpResolver<Maybe<string[] | string>, TypeParent, TContext>;
response_code?: ResponseCodeResolver<Maybe<string[] | string>, TypeParent, TContext>;
}
export type QuestionResolver<
R = Maybe<DnsQuestionData>,
Parent = DnsEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type ResolvedIpResolver<
R = Maybe<string[] | string>,
Parent = DnsEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type ResponseCodeResolver<
R = Maybe<string[] | string>,
Parent = DnsEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
}
export namespace DnsQuestionDataResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = DnsQuestionData> {
name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
type?: TypeResolver<Maybe<string[] | string>, TypeParent, TContext>;
}
export type NameResolver<
R = Maybe<string[] | string>,
Parent = DnsQuestionData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type TypeResolver<
R = Maybe<string[] | string>,
Parent = DnsQuestionData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
}
export namespace EndgameEcsFieldsResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = EndgameEcsFields> {
exit_code?: ExitCodeResolver<Maybe<number[] | number>, TypeParent, TContext>;
file_name?: FileNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
file_path?: FilePathResolver<Maybe<string[] | string>, TypeParent, TContext>;
logon_type?: LogonTypeResolver<Maybe<number[] | number>, TypeParent, TContext>;
parent_process_name?: ParentProcessNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
pid?: PidResolver<Maybe<number[] | number>, TypeParent, TContext>;
process_name?: ProcessNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
subject_domain_name?: SubjectDomainNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
subject_logon_id?: SubjectLogonIdResolver<Maybe<string[] | string>, TypeParent, TContext>;
subject_user_name?: SubjectUserNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
target_domain_name?: TargetDomainNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
target_logon_id?: TargetLogonIdResolver<Maybe<string[] | string>, TypeParent, TContext>;
target_user_name?: TargetUserNameResolver<Maybe<string[] | string>, TypeParent, TContext>;
}
export type ExitCodeResolver<
R = Maybe<number[] | number>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type FileNameResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type FilePathResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type LogonTypeResolver<
R = Maybe<number[] | number>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type ParentProcessNameResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type PidResolver<
R = Maybe<number[] | number>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type ProcessNameResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type SubjectDomainNameResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type SubjectLogonIdResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type SubjectUserNameResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type TargetDomainNameResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type TargetLogonIdResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type TargetUserNameResolver<
R = Maybe<string[] | string>,
Parent = EndgameEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
}
export namespace EventEcsFieldsResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = EventEcsFields> {
action?: ActionResolver<Maybe<string[] | string>, TypeParent, TContext>;
category?: CategoryResolver<Maybe<string[] | string>, TypeParent, TContext>;
code?: CodeResolver<Maybe<string[] | string>, TypeParent, TContext>;
created?: CreatedResolver<Maybe<string[] | string>, TypeParent, TContext>;
dataset?: DatasetResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -4018,6 +4271,11 @@ export namespace EventEcsFieldsResolvers {
Parent = EventEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type CodeResolver<
R = Maybe<string[] | string>,
Parent = EventEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type CreatedResolver<
R = Maybe<string[] | string>,
Parent = EventEcsFields,
@ -4869,8 +5127,22 @@ export namespace UrlEcsFieldsResolvers {
> = Resolver<R, Parent, TContext>;
}
export namespace WinlogEcsFieldsResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = WinlogEcsFields> {
event_id?: EventIdResolver<Maybe<number[] | number>, TypeParent, TContext>;
}
export type EventIdResolver<
R = Maybe<number[] | number>,
Parent = WinlogEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
}
export namespace ProcessEcsFieldsResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = ProcessEcsFields> {
hash?: HashResolver<Maybe<ProcessHashData>, TypeParent, TContext>;
pid?: PidResolver<Maybe<number[] | number>, TypeParent, TContext>;
name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -4888,6 +5160,11 @@ export namespace ProcessEcsFieldsResolvers {
working_directory?: WorkingDirectoryResolver<Maybe<string[] | string>, TypeParent, TContext>;
}
export type HashResolver<
R = Maybe<ProcessHashData>,
Parent = ProcessEcsFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type PidResolver<
R = Maybe<number[] | number>,
Parent = ProcessEcsFields,
@ -4930,6 +5207,32 @@ export namespace ProcessEcsFieldsResolvers {
> = Resolver<R, Parent, TContext>;
}
export namespace ProcessHashDataResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = ProcessHashData> {
md5?: Md5Resolver<Maybe<string[] | string>, TypeParent, TContext>;
sha1?: Sha1Resolver<Maybe<string[] | string>, TypeParent, TContext>;
sha256?: Sha256Resolver<Maybe<string[] | string>, TypeParent, TContext>;
}
export type Md5Resolver<
R = Maybe<string[] | string>,
Parent = ProcessHashData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type Sha1Resolver<
R = Maybe<string[] | string>,
Parent = ProcessHashData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type Sha256Resolver<
R = Maybe<string[] | string>,
Parent = ProcessHashData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
}
export namespace ThreadResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = Thread> {
id?: IdResolver<Maybe<number[] | number>, TypeParent, TContext>;
@ -4951,6 +5254,8 @@ export namespace ThreadResolvers {
export namespace FileFieldsResolvers {
export interface Resolvers<TContext = SiemContext, TypeParent = FileFields> {
name?: NameResolver<Maybe<string[] | string>, TypeParent, TContext>;
path?: PathResolver<Maybe<string[] | string>, TypeParent, TContext>;
target_path?: TargetPathResolver<Maybe<string[] | string>, TypeParent, TContext>;
@ -4980,6 +5285,11 @@ export namespace FileFieldsResolvers {
ctime?: CtimeResolver<Maybe<string[] | string>, TypeParent, TContext>;
}
export type NameResolver<
R = Maybe<string[] | string>,
Parent = FileFields,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type PathResolver<
R = Maybe<string[] | string>,
Parent = FileFields,
@ -6702,6 +7012,20 @@ export namespace OverviewHostDataResolvers {
auditbeatUser?: AuditbeatUserResolver<Maybe<number>, TypeParent, TContext>;
endgameDns?: EndgameDnsResolver<Maybe<number>, TypeParent, TContext>;
endgameFile?: EndgameFileResolver<Maybe<number>, TypeParent, TContext>;
endgameImageLoad?: EndgameImageLoadResolver<Maybe<number>, TypeParent, TContext>;
endgameNetwork?: EndgameNetworkResolver<Maybe<number>, TypeParent, TContext>;
endgameProcess?: EndgameProcessResolver<Maybe<number>, TypeParent, TContext>;
endgameRegistry?: EndgameRegistryResolver<Maybe<number>, TypeParent, TContext>;
endgameSecurity?: EndgameSecurityResolver<Maybe<number>, TypeParent, TContext>;
filebeatSystemModule?: FilebeatSystemModuleResolver<Maybe<number>, TypeParent, TContext>;
winlogbeat?: WinlogbeatResolver<Maybe<number>, TypeParent, TContext>;
@ -6739,6 +7063,41 @@ export namespace OverviewHostDataResolvers {
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EndgameDnsResolver<
R = Maybe<number>,
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EndgameFileResolver<
R = Maybe<number>,
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EndgameImageLoadResolver<
R = Maybe<number>,
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EndgameNetworkResolver<
R = Maybe<number>,
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EndgameProcessResolver<
R = Maybe<number>,
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EndgameRegistryResolver<
R = Maybe<number>,
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type EndgameSecurityResolver<
R = Maybe<number>,
Parent = OverviewHostData,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type FilebeatSystemModuleResolver<
R = Maybe<number>,
Parent = OverviewHostData,
@ -7781,6 +8140,9 @@ export type IResolvers<TContext = SiemContext> = {
Summary?: SummaryResolvers.Resolvers<TContext>;
PrimarySecondary?: PrimarySecondaryResolvers.Resolvers<TContext>;
DestinationEcsFields?: DestinationEcsFieldsResolvers.Resolvers<TContext>;
DnsEcsFields?: DnsEcsFieldsResolvers.Resolvers<TContext>;
DnsQuestionData?: DnsQuestionDataResolvers.Resolvers<TContext>;
EndgameEcsFields?: EndgameEcsFieldsResolvers.Resolvers<TContext>;
EventEcsFields?: EventEcsFieldsResolvers.Resolvers<TContext>;
NetworkEcsField?: NetworkEcsFieldResolvers.Resolvers<TContext>;
SuricataEcsFields?: SuricataEcsFieldsResolvers.Resolvers<TContext>;
@ -7804,7 +8166,9 @@ export type IResolvers<TContext = SiemContext> = {
HttpBodyData?: HttpBodyDataResolvers.Resolvers<TContext>;
HttpResponseData?: HttpResponseDataResolvers.Resolvers<TContext>;
UrlEcsFields?: UrlEcsFieldsResolvers.Resolvers<TContext>;
WinlogEcsFields?: WinlogEcsFieldsResolvers.Resolvers<TContext>;
ProcessEcsFields?: ProcessEcsFieldsResolvers.Resolvers<TContext>;
ProcessHashData?: ProcessHashDataResolvers.Resolvers<TContext>;
Thread?: ThreadResolvers.Resolvers<TContext>;
FileFields?: FileFieldsResolvers.Resolvers<TContext>;
SystemEcsField?: SystemEcsFieldResolvers.Resolvers<TContext>;


@ -4,12 +4,14 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { defaultIndexPattern } from '../../../../default_index_pattern';
// TODO: See build_events_reindex.ts for all the spots to make things "configurable"
// here but this is intended to replace the build_events_reindex.ts
export const buildEventsQuery = () => {
return {
allowNoIndices: true,
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
index: defaultIndexPattern,
ignoreUnavailable: true,
body: {
query: {
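Review bot: `index: defaultIndexPattern` pins this query to the shipped default rather than to a deployment's configured SIEM index setting, so `buildEventsQuery` will search `endgame-*` even in existing deployments that, per this PR's release note, have not yet added it to their pattern, and will ignore any custom indices an operator has configured. If this builder is only a dev/reindex helper, as the TODO above suggests, a comment stating that would settle it, e.g. `// Dev-only helper: deliberately uses the shipped default, not the user's configured index setting`; otherwise the index list should come from the request's `defaultIndex`, as the other queries touched in this commit do. `buildEventsQuery` continues past the end of the hunk.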


@ -33,6 +33,7 @@ export const cloudFieldsMap: Readonly<Record<string, string>> = {
};
export const fileMap: Readonly<Record<string, string>> = {
'file.name': 'file.name',
'file.path': 'file.path',
'file.target_path': 'file.target_path',
'file.extension': 'file.extension',
@ -68,6 +69,9 @@ export const hostFieldsMap: Readonly<Record<string, string>> = {
};
export const processFieldsMap: Readonly<Record<string, string>> = {
'process.hash.md5': 'process.hash.md5',
'process.hash.sha1': 'process.hash.sha1',
'process.hash.sha256': 'process.hash.sha256',
'process.pid': 'process.pid',
'process.name': 'process.name',
'process.ppid': 'process.ppid',
@ -79,6 +83,7 @@ export const processFieldsMap: Readonly<Record<string, string>> = {
};
export const userFieldsMap: Readonly<Record<string, string>> = {
'user.domain': 'user.domain',
'user.id': 'user.id',
'user.name': 'user.name',
// NOTE: This field is not tested and available from ECS. Please remove this tag once it is
@ -91,6 +96,10 @@ export const userFieldsMap: Readonly<Record<string, string>> = {
'user.group': 'user.group',
};
export const winlogFieldsMap: Readonly<Record<string, string>> = {
'winlog.event_id': 'winlog.event_id',
};
export const suricataFieldsMap: Readonly<Record<string, string>> = {
'suricata.eve.flow_id': 'suricata.eve.flow_id',
'suricata.eve.proto': 'suricata.eve.proto',
@ -219,9 +228,33 @@ export const geoFieldsMap: Readonly<Record<string, string>> = {
'geo.country_iso_code': 'destination.geo.country_iso_code',
};
export const dnsFieldsMap: Readonly<Record<string, string>> = {
'dns.question.name': 'dns.question.name',
'dns.question.type': 'dns.question.type',
'dns.resolved_ip': 'dns.resolved_ip',
'dns.response_code': 'dns.response_code',
};
export const endgameFieldsMap: Readonly<Record<string, string>> = {
'endgame.exit_code': 'endgame.exit_code',
'endgame.file_name': 'endgame.file_name',
'endgame.file_path': 'endgame.file_path',
'endgame.logon_type': 'endgame.logon_type',
'endgame.parent_process_name': 'endgame.parent_process_name',
'endgame.pid': 'endgame.pid',
'endgame.process_name': 'endgame.process_name',
'endgame.subject_domain_name': 'endgame.subject_domain_name',
'endgame.subject_logon_id': 'endgame.subject_logon_id',
'endgame.subject_user_name': 'endgame.subject_user_name',
'endgame.target_domain_name': 'endgame.target_domain_name',
'endgame.target_logon_id': 'endgame.target_logon_id',
'endgame.target_user_name': 'endgame.target_user_name',
};
export const eventBaseFieldsMap: Readonly<Record<string, string>> = {
'event.action': 'event.action',
'event.category': 'event.category',
'event.code': 'event.code',
'event.created': 'event.created',
'event.dataset': 'event.dataset',
'event.duration': 'event.duration',
@ -257,6 +290,8 @@ export const eventFieldsMap: Readonly<Record<string, string>> = {
message: 'message',
...{ ...auditdMap },
...{ ...destinationFieldsMap },
...{ ...dnsFieldsMap },
...{ ...endgameFieldsMap },
...{ ...eventBaseFieldsMap },
...{ ...geoFieldsMap },
...{ ...hostFieldsMap },
@ -268,6 +303,7 @@ export const eventFieldsMap: Readonly<Record<string, string>> = {
...{ ...zeekFieldsMap },
...{ ...httpFieldsMap },
...{ ...userFieldsMap },
...{ ...winlogFieldsMap },
...{ ...processFieldsMap },
...{ ...fileMap },
};
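Review bot: The new `dnsFieldsMap`, `endgameFieldsMap` and `winlogFieldsMap` are pure identity maps and carry no comment explaining what the key and value represent; a reader has to find `geoFieldsMap` (`'geo.country_iso_code': 'destination.geo.country_iso_code'`) to infer that the key is presumably the ECS field exposed to the client and the value the Elasticsearch source field. A one-line TSDoc on each new map, e.g. `/** Endgame fields exposed on Ecs; key = ECS/GraphQL field, value = Elasticsearch source field (identical here). */`, would make that contract explicit — please confirm the direction against the consumer before settling on the wording. The `eventFieldsMap` additions also continue the `...{ ...x }` double-spread idiom, which is equivalent to `...x`; harmless, but not worth carrying into new lines.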


@ -5,6 +5,7 @@
*/
import { cloneDeep } from 'lodash/fp';
import { defaultIndexPattern } from '../../../default_index_pattern';
import { RequestDetailsOptions } from './types';
export const mockResponseSearchTimelineDetails = {
@ -184,7 +185,7 @@ export const mockResponseSearchTimelineDetails = {
export const mockOptions: RequestDetailsOptions = {
indexName: 'auditbeat-8.0.0-2019.03.29-000003',
eventId: 'TUfUymkBCQofM5eXGBYL',
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
};
export const mockRequest = {
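Review bot: Replacing the literal `['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*']` with `defaultIndexPattern` in test fixtures means these tests now assert against whatever the constant happens to contain, so a regression in the shared default (an index dropped or misspelled) would no longer be caught by any of them; the same substitution is made in the hosts, kpi_hosts, network, overview, sources-configuration and createOptions fixtures and in the overview_host API integration test later in this commit. Where the fixture merely feeds `defaultIndex` through to a query this is fine, but the `expected` objects in the createOptions test and the `sourceOne` override in the ConfigurationSourcesAdapter test are now comparing output against the same constant used as input. Consider keeping one explicit expectation of the literal list in a test of default_index_pattern itself, e.g. `expect(defaultIndexPattern).toEqual([/* the literal list, including 'endgame-*' */]);` — the constant's actual contents and order are not visible in this chunk.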


@ -5,6 +5,7 @@
*/
import { Direction, HostsFields } from '../../graphql/types';
import { defaultIndexPattern } from '../../../default_index_pattern';
import {
HostOverviewRequestOptions,
@ -13,7 +14,7 @@ import {
} from '.';
export const mockGetHostsOptions: HostsRequestOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',
@ -298,7 +299,7 @@ export const mockGetHostOverviewOptions: HostOverviewRequestOptions = {
},
},
timerange: { interval: '12h', to: 1554824274610, from: 1554737874610 },
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
fields: [
'_id',
'host.architecture',
@ -504,7 +505,7 @@ export const mockGetHostOverviewResult = {
};
export const mockGetHostLastFirstSeenOptions: HostLastFirstSeenRequestOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',


@ -4,13 +4,14 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { defaultIndexPattern } from '../../../default_index_pattern';
import { RequestBasicOptions } from '../framework/types';
const FROM = new Date('2019-05-03T13:24:00.660Z').valueOf();
const TO = new Date('2019-05-04T13:24:00.660Z').valueOf();
export const mockKpiHostsOptions: RequestBasicOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',
@ -26,7 +27,7 @@ export const mockKpiHostsOptions: RequestBasicOptions = {
};
export const mockKpiHostDetailsOptions: RequestBasicOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',
@ -293,7 +294,7 @@ export const mockKpiHostsResponse = {
export const mockKpiHostsResponseNodata = { responses: [null, null, null] };
const mockMsearchHeader = {
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
index: defaultIndexPattern,
allowNoIndices: true,
ignoreUnavailable: true,
};


@ -4,10 +4,11 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { defaultIndexPattern } from '../../../default_index_pattern';
import { RequestBasicOptions } from '../framework/types';
export const mockOptions: RequestBasicOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',


@ -4,12 +4,13 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { defaultIndexPattern } from '../../../default_index_pattern';
import { Direction, FlowTargetNew, NetworkTopNFlowFields } from '../../graphql/types';
import { NetworkTopNFlowRequestOptions } from '.';
export const mockOptions: NetworkTopNFlowRequestOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',


@ -136,6 +136,13 @@ describe('Siem Overview elasticsearch_adapter', () => {
describe('Unhappy Path - No data', () => {
const mockNoDataResponse = cloneDeep(mockResponseHost);
mockNoDataResponse.aggregations.auditd_count.doc_count = 0;
mockNoDataResponse.aggregations.endgame_module.dns_event_count.doc_count = 0;
mockNoDataResponse.aggregations.endgame_module.file_event_count.doc_count = 0;
mockNoDataResponse.aggregations.endgame_module.image_load_event_count.doc_count = 0;
mockNoDataResponse.aggregations.endgame_module.network_event_count.doc_count = 0;
mockNoDataResponse.aggregations.endgame_module.process_event_count.doc_count = 0;
mockNoDataResponse.aggregations.endgame_module.registry_event.doc_count = 0;
mockNoDataResponse.aggregations.endgame_module.security_event_count.doc_count = 0;
mockNoDataResponse.aggregations.fim_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.login_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.package_count.doc_count = 0;
@ -174,6 +181,13 @@ describe('Siem Overview elasticsearch_adapter', () => {
auditbeatPackage: 0,
auditbeatProcess: 0,
auditbeatUser: 0,
endgameDns: 0,
endgameFile: 0,
endgameImageLoad: 0,
endgameNetwork: 0,
endgameProcess: 0,
endgameRegistry: 0,
endgameSecurity: 0,
filebeatSystemModule: 0,
winlogbeat: 0,
});
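Review bot: The aggregation key `registry_event` (`mockNoDataResponse.aggregations.endgame_module.registry_event.doc_count = 0;`) breaks the `<type>_event_count` convention that every sibling in this hunk follows, and the same spelling is repeated in the adapter (`'aggregations.endgame_module.registry_event.doc_count'`), the overview mock response, the `OverviewHostHit` type and the `buildOverviewHostQuery` DSL later in this commit. Renaming it to `registry_event_count` in the DSL and in those four places keeps the lookup path predictable and makes a copy-paste slip of this kind easier to spot. Nothing is functionally wrong as long as all five spellings stay in sync, which is exactly the fragility worth removing now while the field is new.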


@ -85,6 +85,33 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
auditbeatPackage: getOr(null, 'aggregations.system_module.package_count.doc_count', response),
auditbeatProcess: getOr(null, 'aggregations.system_module.process_count.doc_count', response),
auditbeatUser: getOr(null, 'aggregations.system_module.user_count.doc_count', response),
endgameDns: getOr(null, 'aggregations.endgame_module.dns_event_count.doc_count', response),
endgameFile: getOr(null, 'aggregations.endgame_module.file_event_count.doc_count', response),
endgameImageLoad: getOr(
null,
'aggregations.endgame_module.image_load_event_count.doc_count',
response
),
endgameNetwork: getOr(
null,
'aggregations.endgame_module.network_event_count.doc_count',
response
),
endgameProcess: getOr(
null,
'aggregations.endgame_module.process_event_count.doc_count',
response
),
endgameRegistry: getOr(
null,
'aggregations.endgame_module.registry_event.doc_count',
response
),
endgameSecurity: getOr(
null,
'aggregations.endgame_module.security_event_count.doc_count',
response
),
filebeatSystemModule: getOr(
null,
'aggregations.system_module.filebeat_count.doc_count',


@ -4,10 +4,11 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { defaultIndexPattern } from '../../../default_index_pattern';
import { RequestBasicOptions } from '../framework/types';
export const mockOptionsNetwork: RequestBasicOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',
@ -80,7 +81,7 @@ export const mockResultNetwork = {
};
export const mockOptionsHost: RequestBasicOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
container: 'docker.container.name',
@ -117,6 +118,16 @@ export const mockResponseHost = {
hits: { total: { value: 950867, relation: 'eq' }, max_score: null, hits: [] },
aggregations: {
auditd_count: { doc_count: 73847 },
endgame_module: {
doc_count: 6258,
dns_event_count: { doc_count: 891 },
file_event_count: { doc_count: 892 },
image_load_event_count: { doc_count: 893 },
network_event_count: { doc_count: 894 },
process_event_count: { doc_count: 895 },
registry_event: { doc_count: 896 },
security_event_count: { doc_count: 897 },
},
fim_count: { doc_count: 107307 },
system_module: {
doc_count: 20000000,
@ -141,6 +152,13 @@ export const mockResultHost = {
auditbeatPackage: 2003,
auditbeatProcess: 1200,
auditbeatUser: 1979,
endgameDns: 891,
endgameFile: 892,
endgameImageLoad: 893,
endgameNetwork: 894,
endgameProcess: 895,
endgameRegistry: 896,
endgameSecurity: 897,
filebeatSystemModule: 225,
winlogbeat: 737,
};


@ -138,6 +138,64 @@ export const buildOverviewHostQuery = ({
},
},
},
endgame_module: {
filter: {
term: {
'event.module': 'endgame',
},
},
aggs: {
dns_event_count: {
filter: {
term: {
'endgame.event_type_full': 'dns_event',
},
},
},
file_event_count: {
filter: {
term: {
'endgame.event_type_full': 'file_event',
},
},
},
image_load_event_count: {
filter: {
term: {
'endgame.event_type_full': 'image_load_event',
},
},
},
network_event_count: {
filter: {
term: {
'endgame.event_type_full': 'network_event',
},
},
},
process_event_count: {
filter: {
term: {
'endgame.event_type_full': 'process_event',
},
},
},
registry_event: {
filter: {
term: {
'endgame.event_type_full': 'registry_event',
},
},
},
security_event_count: {
filter: {
term: {
'endgame.event_type_full': 'security_event',
},
},
},
},
},
fim_count: {
filter: {
term: {
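Review bot: The seven sub-aggregations under `endgame_module` are the same seven-line `filter`/`term` block on `'endgame.event_type_full'` repeated with only the value changed, which is how the odd-one-out key `registry_event` slipped in among the `*_event_count` names. Building them from a small name-to-event-type table keeps the aggregation names (and therefore the adapter, types and mocks) unchanged while making the structure visible at a glance; the helper below would sit at module scope next to `buildOverviewHostQuery`. `buildOverviewHostQuery` both starts and ends outside this hunk.
```typescript
/** One `filter` aggregation per entry: aggregation name -> endgame.event_type_full value. */
const endgameEventTypeCounts = (countsByEventType: Readonly<Record<string, string>>) =>
  Object.entries(countsByEventType).reduce<Record<string, unknown>>(
    (aggs, [aggName, eventType]) => ({
      ...aggs,
      [aggName]: { filter: { term: { 'endgame.event_type_full': eventType } } },
    }),
    {}
  );

// … unchanged: aggregations preceding endgame_module …
endgame_module: {
  filter: { term: { 'event.module': 'endgame' } },
  aggs: endgameEventTypeCounts({
    dns_event_count: 'dns_event',
    file_event_count: 'file_event',
    image_load_event_count: 'image_load_event',
    network_event_count: 'network_event',
    process_event_count: 'process_event',
    registry_event: 'registry_event',
    security_event_count: 'security_event',
  }),
},
// … unchanged: fim_count and the aggregations that follow …
```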


@ -59,6 +59,29 @@ export interface OverviewHostHit extends SearchHit {
auditd_count: {
doc_count: number;
};
endgame_module: {
dns_event_count: {
doc_count: number;
};
file_event_count: {
doc_count: number;
};
image_load_event_count: {
doc_count: number;
};
network_event_count: {
doc_count: number;
};
process_event_count: {
doc_count: number;
};
registry_event: {
doc_count: number;
};
security_event_count: {
doc_count: number;
};
};
fim_count: {
doc_count: number;
};
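Review bot: The `endgame_module` member added to `OverviewHostHit` declares seven sub-aggregations, but nothing ties these keys to the aggregation names defined in `buildOverviewHostQuery`, which is the only place they originate; a TSDoc line on the member, e.g. `/** Mirrors the endgame_module aggregation in query.overview_host.dsl.ts — keys must match its sub-aggregation names. */`, would save the next maintainer from guessing. The parent bucket's own `doc_count`, which the mock response in this commit carries as `endgame_module: { doc_count: 6258, … }`, is not typed here; adding `doc_count: number;` alongside the sub-buckets would make the type match what the fixture (and a filter aggregation response) actually contains. The `OverviewHostHit` interface itself starts outside the hunk.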


@ -5,6 +5,7 @@
*/
import { InmemoryConfigurationAdapter } from '../configuration/inmemory_configuration_adapter';
import { defaultIndexPattern } from '../../../default_index_pattern';
import { ConfigurationSourcesAdapter } from './configuration';
import { PartialSourceConfiguration } from './types';
@ -75,7 +76,7 @@ describe('the ConfigurationSourcesAdapter', () => {
new InmemoryConfigurationAdapter({
sources: {
sourceOne: {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
fields: {
container: 'DIFFERENT_CONTAINER_FIELD',
},


@ -6,6 +6,7 @@
import { omit } from 'lodash/fp';
import { defaultIndexPattern } from '../../../default_index_pattern';
import { Direction } from '../../graphql/types';
import { RequestOptions } from '../../lib/framework';
@ -29,7 +30,7 @@ describe('createOptions', () => {
},
};
args = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
pagination: {
limit: 5,
},
@ -56,7 +57,7 @@ describe('createOptions', () => {
test('should create options given all input including sort field', () => {
const options = createOptions(source, args, info);
const expected: RequestOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
host: 'host-1',
@ -86,7 +87,7 @@ describe('createOptions', () => {
const argsWithoutSort: Args = omit('sortField', args);
const options = createOptions(source, argsWithoutSort, info);
const expected: RequestOptions = {
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
sourceConfiguration: {
fields: {
host: 'host-1',


@ -8,6 +8,7 @@ import expect from '@kbn/expect';
import { overviewHostQuery } from '../../../../legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query';
import { GetOverviewHostQuery } from '../../../../legacy/plugins/siem/public/graphql/types';
import { FtrProviderContext } from '../../ftr_provider_context';
import { defaultIndexPattern } from '../../../../legacy/plugins/siem/default_index_pattern';
export default function({ getService }: FtrProviderContext) {
const esArchiver = getService('esArchiver');
@ -26,6 +27,13 @@ export default function({ getService }: FtrProviderContext) {
auditbeatPackage: 3,
auditbeatProcess: 7,
auditbeatUser: 6,
endgameDns: 1,
endgameFile: 2,
endgameImageLoad: 1,
endgameNetwork: 4,
endgameProcess: 2,
endgameRegistry: 1,
endgameSecurity: 4,
filebeatSystemModule: 0,
winlogbeat: 1,
__typename: 'OverviewHostData',
@ -42,7 +50,7 @@ export default function({ getService }: FtrProviderContext) {
to: TO,
from: FROM,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: defaultIndexPattern,
inspect: false,
},
})