Frank Hassanabad 5f53597d75
[SIEM][Detection Engine][Lists] Adds additional data types to value based lists
## Summary

Adds these data types to the value based lists end points from [Elasticsearch field data types](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html):

Single value based list types:
* binary
* boolean
* byte
* date
* date_nanos
* date_range
* double
* float
* integer
* ip
* half_float
* keyword
* text
* long
* short

Range value based list types:
* double_range
* float_range
* integer_range
* ip_range
* long_range


Geo value based list types: (caveat is that you cannot query them using other geometry just yet ... you can only import these and export them)
* geo_point
* geo_shape
* shape

For importing and exporting different values such as ranges, geo, or single values, this introduces a serialize and deserialize option for the endpoints.

For example, if you want to serialize in an ip_range such as 192.168.0.1,192.168.0.3, which has a comma between the two, you would use the following:

```ts
POST /api/lists
{
  "name": "List with an ip range",
  "serializer": "(?<gte>.+),(?<lte>.+)",
  "deserializer": "{{gte}},{{lte}}",
  "description": "This list has ip ranges",
  "type": "ip_range"
}
```

If you want to serialize in keywords from a list that _only_ match a particular value, you would use the following:

```ts
POST /api/lists
{
  "id": "keyword_custom_format_list",
  "name": "Simple list with a keyword using a custom format",
  "description": "This parses the first found ipv4 only",
  "serializer": "(?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))",
  "deserializer": "{{value}}",
  "type": "keyword"
}
```

The serializer is a [named capturing group](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/match) while the deserializer uses [MustacheJS](https://github.com/janl/mustache.js/). The range types, single value types, and geo types all have default capture groups for their serializer and default mustache templates for their deserializer if none are configured through the endpoint.

The default capture groups for each are:

* shape, geo_point, geo_shape:  `(?<lat>.+),(?<lon>.+)`
* date_range: `(?<gte>.+),(?<lte>.+)|(?<value>.+)`
* other ranges are: `(?<gte>.+)-(?<lte>.+)|(?<value>.+)`
* all single data types: `(?<value>.+)`

For ranges you can use both `gte`, `lte` and `value` together. If `gte` _and_ `lte` match, it will use those for the greater-than / less-than Elasticsearch range and ignore `value`, even if `value` also matched. If _only_ `value` matches and `gte`, `lte` do not match, then it will use `value` and put `value` as _both_ the `gte` and the `lte`.

For example, if you are serializing in a list of ip ranges with the list data type `ip_range` and you have these 3 entries in the file:

```ts
127.0.0.1
127.0.0.2-5
```

The default `serializer` will use `(?<gte>.+)-(?<lte>.+)|(?<value>.+)` and you will get two Elasticsearch documents like so:

```ts
{
  "_source": {
    "ip_range": {
      "gte": "127.0.0.1",
      "lte": "127.0.0.1"
    }
  }
}

{
  "_source": {
    "ip_range": {
      "gte": "127.0.0.2",
      "lte": "127.0.0.5"
    }
  }
}
```

The default mustache handles for each are:

* shape, geo_point, geo_shape:  `{{{lat}}},{{{lon}}}`
* date_range: `{{{gte}}},{{{lte}}}`
* other ranges are: `{{{gte}}}-{{{lte}}}`
* all values are: `{{{value}}}`

I use three instead of two handle bars (`{{{` vs. `{{`) so that HTML is not escaped for the lists. You can override and change it if you need or want the escaping.

If during the deserializer phase it detects that `gte` and `lte` are exactly the same, it will still output them as two items using the mustache deserializer value. Using the ip_range example above, that will be output like so, since it detects that the `lte` and `gte` are exactly the same value:

```ts
127.0.0.1-127.0.0.1
127.0.0.2-127.0.0.5
```

---

Interesting queries to run from the lists scripts folder for testing:

Load some small test files from `./lists/files` for example:
```ts
./import_list_items_by_filename.sh ip_range ./lists/files/ip_range_cidr.txt
./import_list_items_by_filename.sh ip_range ./lists/files/ip_range.txt
./import_list_items_by_filename.sh date ./lists/files/date.txt
./import_list_items_by_filename.sh ip_range ./lists/files/ip_range_mixed.txt
... 
```

Export them
```ts
./export_list_items.sh ip_range_cidr.txt
./export_list_items.sh ip_range.txt
./export_list_items.sh date.txt
./export_list_items.sh ip_range_mixed.txt
...
```

Find on them
```ts
./find_list_items.sh ip_range_cidr.txt
./find_list_items.sh ip_range.txt
./find_list_items.sh date.txt
./find_list_items.sh ip_range_mixed.txt
...
```

Find specific values such as:

```ts
./get_list_item_by_value.sh ip_range_mixed.txt 192.168.0.1
./get_list_item_by_value.sh date.txt 2020-08-25T17:57:01.978Z
...
```

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
2020-07-07 19:15:43 -06:00
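As an added example (not part of the commit above and not Kibana's own code), the import/export round trip the message describes, modelled in TypeScript: a line from an import file is run through the serializer regex with named capture groups, ranges are normalised with the `gte`/`lte`-over-`value` rule, and the stored fields are rendered back out through the deserializer template. The default patterns and templates are the ones the message lists; `renderTemplate` is a small stand-in for MustacheJS (triple mustache raw, double mustache HTML-escaped) so the block runs without dependencies, the IPv4 pattern escapes its dots where the message's version did not, and every function name and sample input below is constructed for this example.

```typescript
// Added example, not Kibana's implementation: models the value-list
// serializer (regex with named groups) / deserializer (Mustache template)
// round trip. Sample inputs are constructed.

const RANGE_TYPES = ['double_range', 'float_range', 'integer_range', 'ip_range', 'long_range', 'date_range'];
const GEO_TYPES = ['geo_point', 'geo_shape', 'shape'];
const isRange = (t: string): boolean => RANGE_TYPES.indexOf(t) !== -1;
const isGeo = (t: string): boolean => GEO_TYPES.indexOf(t) !== -1;

// Default capture groups, as listed in the commit message.
function defaultSerializer(type: string): string {
  if (isGeo(type)) return '(?<lat>.+),(?<lon>.+)';
  if (type === 'date_range') return '(?<gte>.+),(?<lte>.+)|(?<value>.+)';
  if (isRange(type)) return '(?<gte>.+)-(?<lte>.+)|(?<value>.+)';
  return '(?<value>.+)';
}

// Default Mustache templates, as listed in the commit message (triple = unescaped).
function defaultDeserializer(type: string): string {
  if (isGeo(type)) return '{{{lat}}},{{{lon}}}';
  if (type === 'date_range') return '{{{gte}}},{{{lte}}}';
  if (isRange(type)) return '{{{gte}}}-{{{lte}}}';
  return '{{{value}}}';
}

// Import direction: one line of the uploaded file -> fields stored on the
// list item document. Returns null when the line does not match at all.
function serializeLine(type: string, line: string, serializer?: string): Record<string, string> | null {
  const match = new RegExp(serializer ?? defaultSerializer(type)).exec(line);
  const groups = match ? (match as { groups?: Record<string, string | undefined> }).groups : undefined;
  if (!groups) return null;
  if (isRange(type)) {
    // gte/lte win over value when both matched; a lone value becomes a
    // single-point range with gte === lte.
    if (groups.gte !== undefined && groups.lte !== undefined) return { gte: groups.gte, lte: groups.lte };
    if (groups.value !== undefined) return { gte: groups.value, lte: groups.value };
    return null;
  }
  const out: Record<string, string> = {};
  for (const k in groups) {
    const v = groups[k];
    if (v !== undefined) out[k] = v;
  }
  return out;
}

// Characters mustache.js escapes for {{name}}; {{{name}}} is inserted raw.
const HTML_ENTITIES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

// Minimal single-pass Mustache stand-in for the templates used by lists.
function renderTemplate(template: string, view: Record<string, string>): string {
  return template.replace(/\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g, (_m: string, raw?: string, esc?: string) => {
    if (raw !== undefined) return view[raw] ?? '';
    return (view[esc as string] ?? '').replace(/[&<>"'`=\/]/g, (c) => HTML_ENTITIES[c]);
  });
}

// Export direction: stored fields -> one line of the exported file.
function deserializeValue(type: string, stored: Record<string, string>, deserializer?: string): string {
  return renderTemplate(deserializer ?? defaultDeserializer(type), stored);
}

// Whole-file round trip: what the export endpoint hands back after an import.
function roundTrip(type: string, lines: string[], serializer?: string, deserializer?: string): string[] {
  const out: string[] = [];
  for (const line of lines) {
    const stored = serializeLine(type, line, serializer);
    if (stored) out.push(deserializeValue(type, stored, deserializer));
  }
  return out;
}

// Custom keyword serializer: first IPv4 address on the line (dots escaped).
const FIRST_IPV4 = '(?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))';

// Constructed import file mirroring the ip_range walk-through above.
const ipRangeFile = ['192.168.0.1', '192.168.0.2-192.168.0.5'];
console.log(roundTrip('ip_range', ipRangeFile)); // [ '192.168.0.1-192.168.0.1', '192.168.0.2-192.168.0.5' ]
```

Two things worth noticing when running it: the serializer is not anchored, so a custom pattern such as `FIRST_IPV4` picks the first match anywhere on the line (which is how the keyword example in the message is meant to behave), and a `{{gte}},{{lte}}` deserializer with double mustaches would HTML-escape any `&`, `<`, `/` or `=` in a stored value, which is why the defaults use triple mustaches.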