[SIEM] Server cutover to New Platform #63430

rylnd · 2020-04-13T23:35:48Z

Summary

Addresses the server side of #45831.

This does half of the work in #59624. Due to the current issues with the maps embeddables, we're going to migrate the backend now for 7.8, and circle back to the frontend once #58178 is complete.

Due to the noise related to moving/modifying these files in a single PR, I've tried my best to split that into two consecutive steps:

Moving of files
- includes updates of relative import paths
Everything else
- Updating of codified paths (configuration, scripts, etc. not discoverable by typescript)
- Migration to NP Config API
  - Four new server config fields for SO import/export:
    - xpack.siem.max{Rule,Timeline}ImportExportSize
    - xpack.siem.max{Rule,Timeline}ImportPayloadBytes
- Declaration of plugin dependencies in kibana.json
upstream resolutions

Checklist

Documentation was added for features that require explanation or tutorials
Unit or functional tests were updated or added to match the most common scenarios

For maintainers

This was checked for breaking API changes and was labeled appropriately

elasticmachine · 2020-04-13T23:35:51Z

Pinging @elastic/siem (Team:SIEM)

rylnd · 2020-04-14T00:34:08Z

@MadameSheema ~~would you be able to check my work on the cypress changes, here? The SIEM app runs fine locally, but tests fail with the following screenshot (at least locally):~~

Update: the previous error was some temporary issue, as cypress now passes both locally and on CI. @MadameSheema if you wouldn't mind giving the cypress changes a once-over to verify I didn't break anything, I'd appreciate it! The relevant changes should be:

moving the cypress folder relative to kibana root
moving of cypress.json and reporter_config.json into the cypress/ folder

rylnd · 2020-04-15T20:46:36Z

@rudolf I didn't want to add them here, but FYI I plan on following this up with a "Good Kibana Citizen" PR that slightly reworks the siem client, adds mocks, and renames a few non-standard/confusing exported types.

* NP config is not yet used * Relative imports are somewhat broken

These are mostly updating imports to the common/ folder on the UI side (since things changed relative to those files).

A few of these were moved into the cypress folder as they're cypress-specific. I tried to update all the relative paths but some are likely broken. I'm not going to know until other stuff is fixed, though.

The other default values live in there, this is no different.

If this was referencing the full project, it now references both paths (legacy for UI, and NP for server).

* Updates plugin to use NP config * defines new config previously coming from savedObjects config * cleans up legacy types Conflicts: x-pack/plugins/siem/server/lib/detection_engine/routes/rules/export_rules_route.ts x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts x-pack/plugins/siem/server/lib/detection_engine/rules/types.ts x-pack/plugins/siem/server/plugin.ts x-pack/plugins/siem/server/routes/index.ts x-pack/plugins/siem/server/types.ts

This was originally added to address an issue with tsserver, but that issue is no longer relevant. The presence of this file confuses typescript into thinking that siem is a separate TS project.

These are not necessarily correct in terms of what's required/optional, but this is what's declared in our types.

* Removes legacy instantiation of server plugin, which is now handled by NP * Loosens legacy config spec so we no longer have to duplicate config types

These were written against the old Hapi config function; now, we just have a POJO.

x-pack/legacy/plugins/siem/index.ts

dhurley14 · 2020-04-16T22:43:24Z

x-pack/legacy/plugins/siem/index.ts

  IP_REPUTATION_LINKS_SETTING,
  IP_REPUTATION_LINKS_SETTING_DEFAULT,
-} from './common/constants';
-import { defaultIndexPattern } from './default_index_pattern';


It looks like we are not using this elsewhere in the codebase. Do you think we could just delete default_index_pattern.ts?

That file was meant to be deleted, good catch 👍

spong · 2020-04-16T23:44:03Z

x-pack/plugins/siem/package.json

+  "private": true,
+  "license": "Elastic-License",
+  "scripts": {
+    "extract-mitre-attacks": "node scripts/extract_tactics_techniques_mitre.js & node ../../../scripts/eslint ../../legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts --fix",


When running yarn extract-mitre-attacks I'm seeing this diff with the generated file. Seems there's a difference in the lint config?

Yeah, I noticed that as well but forgot to circle back. I'll verify that it's working correctly on master and then figure out what's changed.

It looks like the eslint forget to do its jobs maybe the path change
node scripts/extract_tactics_techniques_mitre.js & node ../../../../scripts/eslint ./public/pages/detection_engine/mitre/mitre_tactics_techniques.ts --fix

I figured out the fix in #64010 👀

spong · 2020-04-16T23:58:22Z

This file was moved and has a relative path within it:

kibana/x-pack/plugins/siem/cypress/tasks/login.ts

Line 13 in 6b09a1f

const KIBANA_DEV_YML_PATH = '../../../../config/kibana.dev.yml';

When running yarn cypress:open to run a test the test timed out as the kibana.dev.yml could not be located. This might be leftover from the recent local vs ci cypress changes, but just wanted to leave a note... 🙂

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts

spong · 2020-04-17T00:55:36Z

x-pack/plugins/siem/kibana.json

+  "requiredPlugins": ["actions", "alerting", "features", "licensing"],
+  "optionalPlugins": ["encryptedSavedObjects", "ml", "security", "spaces"],


Why doesn't case need to be declared here? Do all the necessary references just happen in x-pack/plugins/siem/server/plugin.ts?

Heh, I think it's not there because we have no references to the case plugin contract in our code (i.e. "I missed it"). I'll follow up with an audit of all of our imports, because I know that we pull in code from other plugins as well.

/cc @rudolf: If we're importing arbitrary code paths from another plugin it needs to be declared as a dependency, right?

Importing code from another plugin will add that code to your plugin's bundle so you can safely call it. But it doesn't make that plugin run or guarantee that it's running in the background. Any exported code should be stateless and if that's the case then this isn't a problem.

When you start using another plugin's setup / start API's you need to declare a dependency.

Having said that, I couldn't see any imports or setup / start API's being used from Case, but might have missed it.

x-pack/plugins/siem/cypress/README.md

spong · 2020-04-17T01:37:58Z

x-pack/legacy/plugins/siem/public/components/draggables/index.tsx

@@ -8,7 +8,6 @@ import { EuiBadge, EuiToolTip, IconType } from '@elastic/eui';
 import React from 'react';
 import styled from 'styled-components';

-import { Omit } from '../../../common/utility_types';


I think (as per my IDE) this was the last ref to this export:

kibana/x-pack/plugins/siem/common/utility_types.ts

Line 13 in 27f5eaa

export type Omit<T, K extends keyof T> = Pick<T, Exclude<keyof T, K>>;

dhurley14 · 2020-04-17T01:39:06Z

x-pack/plugins/siem/server/lib/timeline/routes/__mocks__/import_timelines.ts

@@ -163,13 +163,6 @@ export const mockParsedTimelineObject = omit(
  mockUniqueParsedObjects[0]
 );

-export const mockConfig = {
-  get: () => {
-    return 100000000;


This value (which I think is used for the maxImportPayloadBytes) is an order of magnitude larger than the value in the mock config in detection engine directory which we are using in lieu of this. Not sure if that difference is important for the tests on timelines but just wanted to point it out.

https://github.com/elastic/kibana/pull/63430/files?w=1#diff-12565563a255e05c185b90d50337ec51L46-L48

edit: CC @angorayc

spong · 2020-04-17T01:45:47Z

x-pack/legacy/plugins/siem/package.json

@@ -1,16 +1,10 @@
 {
  "author": "Elastic",
-  "name": "siem",
+  "name": "siem-legacy-ui",


This change is just to explicitly state that the client UI is still on the old platform (and disambiguate from the non-legacy package.json), correct? Are there any downstream effects of changing the app name here, or does all of the magic that keys off app name/id/title happen from what is set in legacy register_feature.ts?

kibana/x-pack/legacy/plugins/siem/public/register_feature.ts

Lines 11 to 14 in 27f5eaa

// TODO(rylnd): move this into Plugin.setup once we're on NP

npSetup.plugins.home.featureCatalogue.register({

id: APP_ID,

title: 'SIEM',

@spong correct, the name here is just to disambiguate; there's a check in the build process that actually verifies that each package.json has a unique name. I have not seen anything to indicate that this name affects the build process but I'll verify that with platform.

dhurley14

One question on a mock but I ran locally and this LGTM!!! 🚀

MadameSheema

LGTM :)

MadameSheema

LGTM :)

Conflicts: x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.ts x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/index.tsx x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_list.json x-pack/plugins/siem/server/lib/detection_engine/signals/get_filter.ts

These are strings that wouldn't be caught by typescript.

spong

Looks like we've made it! 🎉 Great job here @rylnd! Thanks for all the hard work and collaboration with the platform team to make this happen! Feels good to 👋bye to the legacy directory! 🙂

mistic

Changes in the files under operations team code owners LGTM

kibanamachine · 2020-04-17T17:28:30Z

💛 Build succeeded, but was flaky

continuous-integration/kibana-ci/pull-request
Commit: 4baa5bb
Flaky suites:
- xpack-kibana-ciGroup1

Test Failures

Kibana Pipeline / kibana-xpack-agent / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/find_statuses·ts.detection engine api security and spaces enabled find_statuses should return a single rule status when a single rule is loaded from a find status with defaults added

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 9 times on tracked branches: https://github.com/elastic/kibana/issues/63747

[00:00:00]       │
[00:00:00]         └-: detection engine api security and spaces enabled
[00:00:00]           └-> "before all" hook
[00:02:16]           └-: find_statuses
[00:02:16]             └-> "before all" hook
[00:02:16]             └-> should return an empty find statuses body correctly if no statuses are loaded
[00:02:16]               └-> "before each" hook: global before each
[00:02:16]               └-> "before each" hook
[00:02:16]                 │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] adding index lifecycle policy [.siem-signals-default]
[00:02:16]                 │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:02:16]                 │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] applying create index request using v1 templates [{".siem-signals-default":{"order":0,"index_patterns":[".siem-signals-default-*"],"settings":{"index":{"lifecycle":{"name":".siem-signals-default","rollover_alias":".siem-signals-default"}}},"mappings":{"_doc":{"dynamic":false,"properties":{"container":{"properties":{"image":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"tag":{"ignore_above":1024,"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"runtime":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"labels":{"type":"object"}}},"server":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"agent":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"ephemeral_id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"log":{"properties":{"original":{"ignore_above":1024,"index":false,"type":"keyword","doc_values":false},"level":{"ignore_above":1024,"type":"keyword"},"logger":{"ignore_above":1024,"type":"keyword"},"origin":{"properties":{"file":{"properties":{"line":{"type":"integer"},"name":{"ignore_above":1024,"type":"keyword"}}},"function":{"ignore_above":1024,"type":"keyword"}}},"syslog":{"type":"object","properties":{"severity":{"properties":{"code":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"}}},"priority":{"type":"long"},"facility":{"properties":{"code":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"}}}}}}},"destination":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"rule":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"ruleset":{"ignore_above":1024,"type":"keyword"},"description":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"category":{"ignore_above":1024,"type":"keyword"},"uuid":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"source":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"error":{"properties":{"code":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"stack_trace":{"ignore_above":1024,"index":false,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword","doc_values":false},"message":{"norms":false,"type":"text"},"type":{"ignore_above":1024,"type":"keyword"}}},"network":{"properties":{"community_id":{"ignore_above":1024,"type":"keyword"},"forwarded_ip":{"type":"ip"},"protocol":{"ignore_above":1024,"type":"keyword"},"application":{"ignore_above":1024,"type":"keyword"},"bytes":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"},"transport":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"iana_number":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"direction":{"ignore_above":1024,"type":"keyword"}}},"cloud":{"properties":{"availability_zone":{"ignore_above":1024,"type":"keyword"},"instance":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"provider":{"ignore_above":1024,"type":"keyword"},"machine":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},"region":{"ignore_above":1024,"type":"keyword"},"account":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}}}},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"observer":{"properties":{"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"hostname":{"ignore_above":1024,"type":"keyword"},"product":{"ignore_above":1024,"type":"keyword"},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"vendor":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"name":{"ignore_above":1024,"type":"keyword"},"serial_number":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"mac":{"ignore_above":1024,"type":"keyword"}}},"trace":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}},"file":{"properties":{"owner":{"ignore_above":1024,"type":"keyword"},"extension":{"ignore_above":1024,"type":"keyword"},"gid":{"ignore_above":1024,"type":"keyword"},"drive_letter":{"ignore_above":1,"type":"keyword"},"created":{"type":"date"},"accessed":{"type":"date"},"mtime":{"type":"date"},"type":{"ignore_above":1024,"type":"keyword"},"directory":{"ignore_above":1024,"type":"keyword"},"target_path":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"inode":{"ignore_above":1024,"type":"keyword"},"mode":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"uid":{"ignore_above":1024,"type":"keyword"},"size":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"},"ctime":{"type":"date"},"attributes":{"ignore_above":1024,"type":"keyword"},"device":{"ignore_above":1024,"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"sha512":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"group":{"ignore_above":1024,"type":"keyword"}}},"ecs":{"properties":{"version":{"ignore_above":1024,"type":"keyword"}}},"related":{"properties":{"ip":{"type":"ip"},"user":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"}}},"host":{"properties":{"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"hostname":{"ignore_above":1024,"type":"keyword"},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"mac":{"ignore_above":1024,"type":"keyword"},"architecture":{"ignore_above":1024,"type":"keyword"},"uptime":{"type":"long"}}},"client":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"event":{"properties":{"severity":{"type":"long"},"code":{"ignore_above":1024,"type":"keyword"},"original":{"ignore_above":1024,"index":false,"type":"keyword","doc_values":false},"risk_score":{"type":"float"},"created":{"type":"date"},"kind":{"ignore_above":1024,"type":"keyword"},"timezone":{"ignore_above":1024,"type":"keyword"},"module":{"ignore_above":1024,"type":"keyword"},"start":{"type":"date"},"type":{"ignore_above":1024,"type":"keyword"},"duration":{"type":"long"},"sequence":{"type":"long"},"ingested":{"type":"date"},"provider":{"ignore_above":1024,"type":"keyword"},"risk_score_norm":{"type":"float"},"action":{"ignore_above":1024,"type":"keyword"},"end":{"type":"date"},"id":{"ignore_above":1024,"type":"keyword"},"category":{"ignore_above":1024,"type":"keyword"},"dataset":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"outcome":{"ignore_above":1024,"type":"keyword"}}},"signal":{"properties":{"parent":{"properties":{"depth":{"type":"long"},"rule":{"type":"keyword"},"index":{"type":"keyword"},"id":{"type":"keyword"},"type":{"type":"keyword"}}},"rule":{"properties":{"note":{"type":"text"},"references":{"type":"keyword"},"description":{"type":"keyword"},"created_at":{"type":"date"},"language":{"type":"keyword"},"output_index":{"type":"keyword"},"type":{"type":"keyword"},"enabled":{"type":"keyword"},"updated_at":{"type":"date"},"from":{"type":"keyword"},"id":{"type":"keyword"},"timeline_id":{"type":"keyword"},"max_signals":{"type":"keyword"},"severity":{"type":"keyword"},"risk_score":{"type":"keyword"},"query":{"type":"keyword"},"index":{"type":"keyword"},"filters":{"type":"object"},"c
[00:02:16]                 │ info reated_by":{"type":"keyword"},"version":{"type":"keyword"},"saved_id":{"type":"keyword"},"tags":{"type":"keyword"},"rule_id":{"type":"keyword"},"immutable":{"type":"keyword"},"size":{"type":"keyword"},"timeline_title":{"type":"keyword"},"name":{"type":"keyword"},"updated_by":{"type":"keyword"},"interval":{"type":"keyword"},"false_positives":{"type":"keyword"},"threat":{"properties":{"framework":{"type":"keyword"},"technique":{"properties":{"reference":{"type":"keyword"},"name":{"type":"keyword"},"id":{"type":"keyword"}}},"tactic":{"properties":{"reference":{"type":"keyword"},"name":{"type":"keyword"},"id":{"type":"keyword"}}}}},"to":{"type":"keyword"}}},"original_time":{"type":"date"},"ancestors":{"properties":{"depth":{"type":"long"},"rule":{"type":"keyword"},"id":{"type":"keyword"},"type":{"type":"keyword"}}},"original_event":{"properties":{"severity":{"type":"long"},"code":{"type":"keyword"},"original":{"index":false,"type":"keyword","doc_values":false},"risk_score":{"type":"float"},"created":{"type":"date"},"kind":{"type":"keyword"},"timezone":{"type":"keyword"},"module":{"type":"keyword"},"start":{"type":"date"},"type":{"type":"keyword"},"duration":{"type":"long"},"sequence":{"type":"long"},"provider":{"type":"keyword"},"risk_score_norm":{"type":"float"},"action":{"type":"keyword"},"end":{"type":"date"},"id":{"type":"keyword"},"category":{"type":"keyword"},"dataset":{"type":"keyword"},"hash":{"type":"keyword"},"outcome":{"type":"keyword"}}},"status":{"type":"keyword"}}},"user_agent":{"properties":{"original":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"device":{"properties":{"name":{"ignore_above":1024,"type":"keyword"}}},"version":{"ignore_above":1024,"type":"keyword"}}},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"registry":{"properties":{"hive":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"type":"keyword"},"data":{"properties":{"strings":{"ignore_above":1024,"type":"keyword"},"bytes":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"}}},"value":{"ignore_above":1024,"type":"keyword"},"key":{"ignore_above":1024,"type":"keyword"}}},"process":{"properties":{"parent":{"properties":{"pgid":{"type":"long"},"start":{"type":"date"},"pid":{"type":"long"},"working_directory":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"thread":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"type":"long"}}},"title":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"executable":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"ppid":{"type":"long"},"uptime":{"type":"long"},"args":{"ignore_above":1024,"type":"keyword"},"exit_code":{"type":"long"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"args_count":{"type":"long"},"command_line":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"pgid":{"type":"long"},"start":{"type":"date"},"pid":{"type":"long"},"working_directory":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"thread":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"type":"long"}}},"title":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"executable":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"ppid":{"type":"long"},"uptime":{"type":"long"},"args":{"ignore_above":1024,"type":"keyword"},"exit_code":{"type":"long"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"args_count":{"type":"long"},"command_line":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"sha512":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}}}},"package":{"properties":{"installed":{"type":"date"},"build_version":{"ignore_above":1024,"type":"keyword"},"description":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"reference":{"ignore_above":1024,"type":"keyword"},"license":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"type":"keyword"},"install_scope":{"ignore_above":1024,"type":"keyword"},"size":{"type":"long"},"checksum":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"architecture":{"ignore_above":1024,"type":"keyword"}}},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"dns":{"properties":{"op_code":{"ignore_above":1024,"type":"keyword"},"resolved_ip":{"type":"ip"},"response_code":{"ignore_above":1024,"type":"keyword"},"question":{"properties":{"registered_domain":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"subdomain":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"class":{"ignore_above":1024,"type":"keyword"}}},"answers":{"type":"object","properties":{"data":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"class":{"ignore_above":1024,"type":"keyword"},"ttl":{"type":"long"}}},"header_flags":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"}}},"vulnerability":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"severity":{"ignore_above":1024,"type":"keyword"},"score":{"properties":{"environmental":{"type":"float"},"version":{"ignore_above":1024,"type":"keyword"},"temporal":{"type":"float"},"base":{"type":"float"}}},"report_id":{"ignore_above":1024,"type":"keyword"},"scanner":{"properties":{"vendor":{"ignore_above":1024,"type":"keyword"}}},"description":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"category":{"ignore_above":1024,"type":"keyword"},"classification":{"ignore_above":1024,"type":"keyword"},"enumeration":{"ignore_above":1024,"type":"keyword"}}},"message":{"norms":false,"type":"text"},"url":{"properties":{"extension":{"ignore_above":1024,"type":"keyword"},"original":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"scheme":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"query":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"type":"keyword"},"fragment":{"ignore_above":1024,"type":"keyword"},"password":{"ignore_above":1024,"type":"keyword"},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"username":{"ignore_above":1024,"type":"keyword"}}},"labels":{"type":"object"},"tags":{"ignore_above":1024,"type":"keyword"},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"@timestamp":{"type":"date"},"service":{"properties":{"node":{"properties":{"name":{"ignore_above":1024,"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"state":{"ignore_above":1024,"type":"keyword"},"ephemeral_id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"http":{"properties":{"request":{"properties":{"referrer":{"ignore_above":1024,"type":"keyword"},"method":{"ignore_above":1024,"type":"keyword"},"bytes":{"type":"long"},"body":{"properties":{"bytes":{"type":"long"},"content":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"response":{"properties":{"status_code":{"type":"long"},"bytes":{"type":"long"},"body":{"properties":{"bytes":{"type":"long"},"content":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"version":{"ignore_above":1024,"type":"keyword"}}},"tls":{"properties":{"cipher":{"ignore_above":1024,"type":"keyword"},"established":{"type":"boolean"},"server":{"properties":{"not_after":{"type":"date"},"ja3s":{"ignore_above":1024,"type":"keyword"},"not_before":{"type":"date"},"subject":{"ignore_above":1024,"type":"keyword"},"certificate":{"ignore_above":1024,"type":"keyword"},"certificate_chain":{"ignore_above":1024,"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"issuer":{"ignore_above":1024,"type":"keyword"}}},"curve":{"ignore_above":1024,"type":"keyword"},"client":{"properties":{"not_after":{"type":"date"},"server_name":{"ignore_above":1024,"type":"keyword"},"not_before":{"type":"date"},"subject":{"ignore_above":1024,"type":"keyword"},"supported_ciphers":{"ignore_above":1024,"type":"keyword"},"certificate":{"ignore_above":1024,"type":"keyword"},"ja3":{"ignore_above":1024,"type":"keyword"},"certificate_chain":{"ignore_above":1024,"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"issuer":{"ignore_above":1024,"type":"keyword"}}},"next_protocol":{"ignore_above":1024,"type":"keyword"},"resumed":{"type":"boolean"},"version":{"ignore_above":1024,"type":"keyword"},"version_protocol":{"ignore_above":1024,"type":"keyword"}}},"threat":{"properties":{"framework":{"ignore_above":1024,"type":"keyword"},"technique":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"tactic":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"sha512":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"transaction":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}}}}},"aliases":{}}}]
[00:02:16]                 │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1], mappings [_doc]
[00:02:16]                 │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:02:16]                 │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"wait-for-indexing-complete"}] in policy [.siem-signals-default]
[00:02:16]               │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"wait-for-indexing-complete"}] to [{"phase":"hot","action":"unfollow","name":"wait-for-follow-shard-tasks"}] in policy [.siem-signals-default]
[00:02:16]               └- ✓ pass  (58ms) "detection engine api security and spaces enabled find_statuses should return an empty find statuses body correctly if no statuses are loaded"
[00:02:16]             └-> "after each" hook
[00:02:16]               │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] [.siem-signals-default-000001/DlfUMLm_Rz-UGRzx_NII6A] deleting index
[00:02:16]               │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] removing template [.siem-signals-default]
[00:02:16]             └-> should return a single rule status when a single rule is loaded from a find status with defaults added
[00:02:16]               └-> "before each" hook: global before each
[00:02:16]               └-> "before each" hook
[00:02:16]                 │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] adding index lifecycle policy [.siem-signals-default]
[00:02:16]                 │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:02:16]                 │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] applying create index request using v1 templates [{".siem-signals-default":{"order":0,"index_patterns":[".siem-signals-default-*"],"settings":{"index":{"lifecycle":{"name":".siem-signals-default","rollover_alias":".siem-signals-default"}}},"mappings":{"_doc":{"dynamic":false,"properties":{"container":{"properties":{"image":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"tag":{"ignore_above":1024,"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"runtime":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"labels":{"type":"object"}}},"server":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"agent":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"ephemeral_id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"log":{"properties":{"original":{"ignore_above":1024,"index":false,"type":"keyword","doc_values":false},"level":{"ignore_above":1024,"type":"keyword"},"logger":{"ignore_above":1024,"type":"keyword"},"origin":{"properties":{"file":{"properties":{"line":{"type":"integer"},"name":{"ignore_above":1024,"type":"keyword"}}},"function":{"ignore_above":1024,"type":"keyword"}}},"syslog":{"type":"object","properties":{"severity":{"properties":{"code":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"}}},"priority":{"type":"long"},"facility":{"properties":{"code":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"}}}}}}},"destination":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"rule":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"ruleset":{"ignore_above":1024,"type":"keyword"},"description":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"category":{"ignore_above":1024,"type":"keyword"},"uuid":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"source":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"error":{"properties":{"code":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"stack_trace":{"ignore_above":1024,"index":false,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword","doc_values":false},"message":{"norms":false,"type":"text"},"type":{"ignore_above":1024,"type":"keyword"}}},"network":{"properties":{"community_id":{"ignore_above":1024,"type":"keyword"},"forwarded_ip":{"type":"ip"},"protocol":{"ignore_above":1024,"type":"keyword"},"application":{"ignore_above":1024,"type":"keyword"},"bytes":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"},"transport":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"iana_number":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"direction":{"ignore_above":1024,"type":"keyword"}}},"cloud":{"properties":{"availability_zone":{"ignore_above":1024,"type":"keyword"},"instance":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"provider":{"ignore_above":1024,"type":"keyword"},"machine":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},"region":{"ignore_above":1024,"type":"keyword"},"account":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}}}},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"observer":{"properties":{"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"hostname":{"ignore_above":1024,"type":"keyword"},"product":{"ignore_above":1024,"type":"keyword"},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"vendor":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"name":{"ignore_above":1024,"type":"keyword"},"serial_number":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"mac":{"ignore_above":1024,"type":"keyword"}}},"trace":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}},"file":{"properties":{"owner":{"ignore_above":1024,"type":"keyword"},"extension":{"ignore_above":1024,"type":"keyword"},"gid":{"ignore_above":1024,"type":"keyword"},"drive_letter":{"ignore_above":1,"type":"keyword"},"created":{"type":"date"},"accessed":{"type":"date"},"mtime":{"type":"date"},"type":{"ignore_above":1024,"type":"keyword"},"directory":{"ignore_above":1024,"type":"keyword"},"target_path":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"inode":{"ignore_above":1024,"type":"keyword"},"mode":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"uid":{"ignore_above":1024,"type":"keyword"},"size":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"},"ctime":{"type":"date"},"attributes":{"ignore_above":1024,"type":"keyword"},"device":{"ignore_above":1024,"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"sha512":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"group":{"ignore_above":1024,"type":"keyword"}}},"ecs":{"properties":{"version":{"ignore_above":1024,"type":"keyword"}}},"related":{"properties":{"ip":{"type":"ip"},"user":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"}}},"host":{"properties":{"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"hostname":{"ignore_above":1024,"type":"keyword"},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"mac":{"ignore_above":1024,"type":"keyword"},"architecture":{"ignore_above":1024,"type":"keyword"},"uptime":{"type":"long"}}},"client":{"properties":{"nat":{"properties":{"port":{"type":"long"},"ip":{"type":"ip"}}},"address":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"event":{"properties":{"severity":{"type":"long"},"code":{"ignore_above":1024,"type":"keyword"},"original":{"ignore_above":1024,"index":false,"type":"keyword","doc_values":false},"risk_score":{"type":"float"},"created":{"type":"date"},"kind":{"ignore_above":1024,"type":"keyword"},"timezone":{"ignore_above":1024,"type":"keyword"},"module":{"ignore_above":1024,"type":"keyword"},"start":{"type":"date"},"type":{"ignore_above":1024,"type":"keyword"},"duration":{"type":"long"},"sequence":{"type":"long"},"ingested":{"type":"date"},"provider":{"ignore_above":1024,"type":"keyword"},"risk_score_norm":{"type":"float"},"action":{"ignore_above":1024,"type":"keyword"},"end":{"type":"date"},"id":{"ignore_above":1024,"type":"keyword"},"category":{"ignore_above":1024,"type":"keyword"},"dataset":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"outcome":{"ignore_above":1024,"type":"keyword"}}},"signal":{"properties":{"parent":{"properties":{"depth":{"type":"long"},"rule":{"type":"keyword"},"index":{"type":"keyword"},"id":{"type":"keyword"},"type":{"type":"keyword"}}},"rule":{"properties":{"note":{"type":"text"},"references":{"type":"keyword"},"description":{"type":"keyword"},"created_at":{"type":"date"},"language":{"type":"keyword"},"output_index":{"type":"keyword"},"type":{"type":"keyword"},"enabled":{"type":"keyword"},"updated_at":{"type":"date"},"from":{"type":"keyword"},"id":{"type":"keyword"},"timeline_id":{"type":"keyword"},"max_signals":{"type":"keyword"},"severity":{"type":"keyword"},"risk_score":{"type":"keyword"},"query":{"type":"keyword"},"index":{"type":"keyword"},"filters":{"type":"object"},"c
[00:02:16]                 │ info reated_by":{"type":"keyword"},"version":{"type":"keyword"},"saved_id":{"type":"keyword"},"tags":{"type":"keyword"},"rule_id":{"type":"keyword"},"immutable":{"type":"keyword"},"size":{"type":"keyword"},"timeline_title":{"type":"keyword"},"name":{"type":"keyword"},"updated_by":{"type":"keyword"},"interval":{"type":"keyword"},"false_positives":{"type":"keyword"},"threat":{"properties":{"framework":{"type":"keyword"},"technique":{"properties":{"reference":{"type":"keyword"},"name":{"type":"keyword"},"id":{"type":"keyword"}}},"tactic":{"properties":{"reference":{"type":"keyword"},"name":{"type":"keyword"},"id":{"type":"keyword"}}}}},"to":{"type":"keyword"}}},"original_time":{"type":"date"},"ancestors":{"properties":{"depth":{"type":"long"},"rule":{"type":"keyword"},"id":{"type":"keyword"},"type":{"type":"keyword"}}},"original_event":{"properties":{"severity":{"type":"long"},"code":{"type":"keyword"},"original":{"index":false,"type":"keyword","doc_values":false},"risk_score":{"type":"float"},"created":{"type":"date"},"kind":{"type":"keyword"},"timezone":{"type":"keyword"},"module":{"type":"keyword"},"start":{"type":"date"},"type":{"type":"keyword"},"duration":{"type":"long"},"sequence":{"type":"long"},"provider":{"type":"keyword"},"risk_score_norm":{"type":"float"},"action":{"type":"keyword"},"end":{"type":"date"},"id":{"type":"keyword"},"category":{"type":"keyword"},"dataset":{"type":"keyword"},"hash":{"type":"keyword"},"outcome":{"type":"keyword"}}},"status":{"type":"keyword"}}},"user_agent":{"properties":{"original":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"device":{"properties":{"name":{"ignore_above":1024,"type":"keyword"}}},"version":{"ignore_above":1024,"type":"keyword"}}},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"registry":{"properties":{"hive":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"type":"keyword"},"data":{"properties":{"strings":{"ignore_above":1024,"type":"keyword"},"bytes":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"}}},"value":{"ignore_above":1024,"type":"keyword"},"key":{"ignore_above":1024,"type":"keyword"}}},"process":{"properties":{"parent":{"properties":{"pgid":{"type":"long"},"start":{"type":"date"},"pid":{"type":"long"},"working_directory":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"thread":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"type":"long"}}},"title":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"executable":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"ppid":{"type":"long"},"uptime":{"type":"long"},"args":{"ignore_above":1024,"type":"keyword"},"exit_code":{"type":"long"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"args_count":{"type":"long"},"command_line":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"pgid":{"type":"long"},"start":{"type":"date"},"pid":{"type":"long"},"working_directory":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"thread":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"type":"long"}}},"title":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"executable":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"ppid":{"type":"long"},"uptime":{"type":"long"},"args":{"ignore_above":1024,"type":"keyword"},"exit_code":{"type":"long"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"args_count":{"type":"long"},"command_line":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"sha512":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}}}},"package":{"properties":{"installed":{"type":"date"},"build_version":{"ignore_above":1024,"type":"keyword"},"description":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"reference":{"ignore_above":1024,"type":"keyword"},"license":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"type":"keyword"},"install_scope":{"ignore_above":1024,"type":"keyword"},"size":{"type":"long"},"checksum":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"architecture":{"ignore_above":1024,"type":"keyword"}}},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}},"dns":{"properties":{"op_code":{"ignore_above":1024,"type":"keyword"},"resolved_ip":{"type":"ip"},"response_code":{"ignore_above":1024,"type":"keyword"},"question":{"properties":{"registered_domain":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"subdomain":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"class":{"ignore_above":1024,"type":"keyword"}}},"answers":{"type":"object","properties":{"data":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"class":{"ignore_above":1024,"type":"keyword"},"ttl":{"type":"long"}}},"header_flags":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"}}},"vulnerability":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"severity":{"ignore_above":1024,"type":"keyword"},"score":{"properties":{"environmental":{"type":"float"},"version":{"ignore_above":1024,"type":"keyword"},"temporal":{"type":"float"},"base":{"type":"float"}}},"report_id":{"ignore_above":1024,"type":"keyword"},"scanner":{"properties":{"vendor":{"ignore_above":1024,"type":"keyword"}}},"description":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"category":{"ignore_above":1024,"type":"keyword"},"classification":{"ignore_above":1024,"type":"keyword"},"enumeration":{"ignore_above":1024,"type":"keyword"}}},"message":{"norms":false,"type":"text"},"url":{"properties":{"extension":{"ignore_above":1024,"type":"keyword"},"original":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"scheme":{"ignore_above":1024,"type":"keyword"},"top_level_domain":{"ignore_above":1024,"type":"keyword"},"query":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"type":"keyword"},"fragment":{"ignore_above":1024,"type":"keyword"},"password":{"ignore_above":1024,"type":"keyword"},"registered_domain":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"username":{"ignore_above":1024,"type":"keyword"}}},"labels":{"type":"object"},"tags":{"ignore_above":1024,"type":"keyword"},"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"@timestamp":{"type":"date"},"service":{"properties":{"node":{"properties":{"name":{"ignore_above":1024,"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"state":{"ignore_above":1024,"type":"keyword"},"ephemeral_id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"organization":{"properties":{"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"http":{"properties":{"request":{"properties":{"referrer":{"ignore_above":1024,"type":"keyword"},"method":{"ignore_above":1024,"type":"keyword"},"bytes":{"type":"long"},"body":{"properties":{"bytes":{"type":"long"},"content":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"response":{"properties":{"status_code":{"type":"long"},"bytes":{"type":"long"},"body":{"properties":{"bytes":{"type":"long"},"content":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"}}}}},"version":{"ignore_above":1024,"type":"keyword"}}},"tls":{"properties":{"cipher":{"ignore_above":1024,"type":"keyword"},"established":{"type":"boolean"},"server":{"properties":{"not_after":{"type":"date"},"ja3s":{"ignore_above":1024,"type":"keyword"},"not_before":{"type":"date"},"subject":{"ignore_above":1024,"type":"keyword"},"certificate":{"ignore_above":1024,"type":"keyword"},"certificate_chain":{"ignore_above":1024,"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"issuer":{"ignore_above":1024,"type":"keyword"}}},"curve":{"ignore_above":1024,"type":"keyword"},"client":{"properties":{"not_after":{"type":"date"},"server_name":{"ignore_above":1024,"type":"keyword"},"not_before":{"type":"date"},"subject":{"ignore_above":1024,"type":"keyword"},"supported_ciphers":{"ignore_above":1024,"type":"keyword"},"certificate":{"ignore_above":1024,"type":"keyword"},"ja3":{"ignore_above":1024,"type":"keyword"},"certificate_chain":{"ignore_above":1024,"type":"keyword"},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"issuer":{"ignore_above":1024,"type":"keyword"}}},"next_protocol":{"ignore_above":1024,"type":"keyword"},"resumed":{"type":"boolean"},"version":{"ignore_above":1024,"type":"keyword"},"version_protocol":{"ignore_above":1024,"type":"keyword"}}},"threat":{"properties":{"framework":{"ignore_above":1024,"type":"keyword"},"technique":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"tactic":{"properties":{"reference":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"user":{"properties":{"full_name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"fields":{"text":{"norms":false,"type":"text"}},"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"domain":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"hash":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"sha256":{"ignore_above":1024,"type":"keyword"},"sha512":{"ignore_above":1024,"type":"keyword"},"md5":{"ignore_above":1024,"type":"keyword"}}},"transaction":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}}}}},"aliases":{}}}]
[00:02:16]                 │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1], mappings [_doc]
[00:02:17]                 │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:02:17]                 │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"wait-for-indexing-complete"}] in policy [.siem-signals-default]
[00:02:17]                 │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xl-1587137560877964236] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"wait-for-indexing-complete"}] to [{"phase":"hot","action":"unfollow","name":"wait-for-follow-shard-tasks"}] in policy [.siem-signals-default]
[00:02:21]               └- ✖ fail: "detection engine api security and spaces enabled find_statuses should return a single rule status when a single rule is loaded from a find status with defaults added"
[00:02:21]               │

Stack Trace

TypeError: Cannot read property 'status' of null
    at Promise.then (test/detection_engine_api_integration/security_and_spaces/tests/find_statuses.ts:62:90)

History

💚 Build #41408 succeeded 6b09a1f
💔 Build #41368 failed 7f34e2e
💚 Build #40858 succeeded 8b182e7
💚 Build #40700 succeeded d4ea136
💔 Build #40571 failed e910c37

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

* Move server code into NP folder * NP config is not yet used * Relative imports are somewhat broken * Move common folder into NP * Move cypress folder into NP * Move scripts folder into NP * Move misc. config into NP folder A few of these were moved into the cypress folder as they're cypress-specific. I tried to update all the relative paths but some are likely broken. I'm not going to know until other stuff is fixed, though. * Move value for siem index pattern into common/constants The other default values live in there, this is no different. * Update paths following file move If this was referencing the full project, it now references both paths (legacy for UI, and NP for server). * Fix typescript errors related to module resolution These are mostly updating imports to the common/ folder on the UI side (since things changed relative to those files). * Replace Legacy Config with NP Config * Updates plugin to use NP config * defines new config previously coming from savedObjects config * cleans up legacy types Conflicts: x-pack/plugins/siem/server/lib/detection_engine/routes/rules/export_rules_route.ts x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts x-pack/plugins/siem/server/lib/detection_engine/rules/types.ts x-pack/plugins/siem/server/plugin.ts x-pack/plugins/siem/server/routes/index.ts x-pack/plugins/siem/server/types.ts * Remove local SIEM tsconfig This was originally added to address an issue with tsserver, but that issue is no longer relevant. The presence of this file confuses typescript into thinking that siem is a separate TS project. * Update kibana.json to declare our dependencies These are not necessarily correct in terms of what's required/optional, but this is what's declared in our types. * Remove legacy plugin instantiation * Removes legacy instantiation of server plugin, which is now handled by NP * Loosens legacy config spec so we no longer have to duplicate config types * Update tests with NP config These were written against the old Hapi config function; now, we just have a POJO. * Update es_archiver helpers' paths I'm not quite sure if these are working yet, but they're no longer throwing errors. * Ignore restricted path on script This was cribbed from infra, who has made a similar change. * Ignore restricted path on temporary savedObject mappings import This will be changed subsequently when we switch to the NP form of savedObject type registration. * Add symlink to lockfile * Fix paths on circular deps script * Add separate config for Rule and Timeline saved objects We had previously used the savedObjects' config, but those are not currently exposed to us on New Platform. For now, we're going to split this into two sets of values for the SOs we deal with importing/exporting within the SIEM app, with the same defaults as savedObjects. * Fixing relative paths within cypress These are strings that wouldn't be caught by typescript.

elasticmachine · 2021-09-23T14:36:37Z

Pinging @elastic/security-solution (Team: SecuritySolution)

rylnd added Feature:New Platform Team:SIEM v8.0.0 v7.8.0 labels Apr 13, 2020

rylnd self-assigned this Apr 13, 2020

rylnd changed the title ~~[SIEM] Server cutover to NP~~ [SIEM] Server cutover to New Platform Apr 13, 2020

rylnd requested a review from MadameSheema April 14, 2020 16:58

spong requested a review from a team April 14, 2020 18:58

rylnd marked this pull request as ready for review April 14, 2020 19:00

rylnd requested review from a team as code owners April 14, 2020 19:00

rylnd requested review from spong and rudolf April 14, 2020 19:01

rylnd force-pushed the siem_server_np_redux branch from 8b182e7 to 7f34e2e Compare April 16, 2020 19:58

rylnd added 13 commits April 16, 2020 16:52

Move server code into NP folder

cb3c4f8

* NP config is not yet used * Relative imports are somewhat broken

Move common folder into NP

27f5eaa

Move cypress folder into NP

4caf083

Move scripts folder into NP

e3440ea

Fix typescript errors related to module resolution

07bea5b

These are mostly updating imports to the common/ folder on the UI side (since things changed relative to those files).

Move misc. config into NP folder

f24c1db

A few of these were moved into the cypress folder as they're cypress-specific. I tried to update all the relative paths but some are likely broken. I'm not going to know until other stuff is fixed, though.

Move value for siem index pattern into common/constants

1b36855

The other default values live in there, this is no different.

Update paths following file move

e528bea

If this was referencing the full project, it now references both paths (legacy for UI, and NP for server).

Remove local SIEM tsconfig

c3c487f

This was originally added to address an issue with tsserver, but that issue is no longer relevant. The presence of this file confuses typescript into thinking that siem is a separate TS project.

Update kibana.json to declare our dependencies

faa3d93

These are not necessarily correct in terms of what's required/optional, but this is what's declared in our types.

Remove legacy plugin instantiation

3b66124

* Removes legacy instantiation of server plugin, which is now handled by NP * Loosens legacy config spec so we no longer have to duplicate config types

Update tests with NP config

6030b1b

These were written against the old Hapi config function; now, we just have a POJO.

dhurley14 reviewed Apr 16, 2020

View reviewed changes

x-pack/legacy/plugins/siem/index.ts Show resolved Hide resolved

dhurley14 reviewed Apr 16, 2020

View reviewed changes

spong reviewed Apr 16, 2020

View reviewed changes

spong reviewed Apr 17, 2020

View reviewed changes

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts Show resolved Hide resolved

spong reviewed Apr 17, 2020

View reviewed changes

x-pack/plugins/siem/cypress/README.md Outdated Show resolved Hide resolved

spong reviewed Apr 17, 2020

View reviewed changes

dhurley14 reviewed Apr 17, 2020

View reviewed changes

spong reviewed Apr 17, 2020

View reviewed changes

dhurley14 approved these changes Apr 17, 2020

View reviewed changes

MadameSheema approved these changes Apr 17, 2020

View reviewed changes

rylnd added 2 commits April 17, 2020 10:25

Fixing relative paths within cypress

4baa5bb

These are strings that wouldn't be caught by typescript.

spong approved these changes Apr 17, 2020

View reviewed changes

mistic approved these changes Apr 17, 2020

View reviewed changes

rylnd merged commit 40f8222 into elastic:master Apr 17, 2020

rylnd deleted the siem_server_np_redux branch April 17, 2020 17:32

This was referenced Apr 17, 2020

Code coverage: run more configs with functional tests #63680

Merged

[7.x] [SIEM] Server cutover to New Platform (#63430) #63912

Merged

This was referenced Apr 20, 2020

[SIEM] Server NP Followup #64010

Merged

[SIEM] Client NP Cutover #64251

Merged

This was referenced Apr 27, 2020

[SIEM] New Platform Cutover #59624

Closed

[SIEM] Shim backend for new platform migration #49529

Closed

FrankHassanabad mentioned this pull request Jul 6, 2021

[DOCS] Add documentation for other kibana.yml settings we have from security solutions elastic/security-docs#787

Closed

MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SIEM] Server cutover to New Platform #63430

[SIEM] Server cutover to New Platform #63430

rylnd commented Apr 13, 2020 •

edited

Loading

elasticmachine commented Apr 13, 2020

rylnd commented Apr 14, 2020 •

edited

Loading

rylnd commented Apr 15, 2020

dhurley14 Apr 16, 2020

rylnd Apr 17, 2020

spong Apr 16, 2020

rylnd Apr 17, 2020

XavierM Apr 17, 2020

rylnd Apr 20, 2020

spong commented Apr 16, 2020

spong Apr 17, 2020

rylnd Apr 17, 2020

rudolf Apr 17, 2020

spong Apr 17, 2020

dhurley14 Apr 17, 2020 •

edited

Loading

spong Apr 17, 2020

rylnd Apr 20, 2020

dhurley14 left a comment

MadameSheema left a comment

MadameSheema left a comment

spong left a comment •

edited

Loading

mistic left a comment

kibanamachine commented Apr 17, 2020

Standard Out

Stack Trace

elasticmachine commented Sep 23, 2021

		"requiredPlugins": ["actions", "alerting", "features", "licensing"],
		"optionalPlugins": ["encryptedSavedObjects", "ml", "security", "spaces"],

	// TODO(rylnd): move this into Plugin.setup once we're on NP
	npSetup.plugins.home.featureCatalogue.register({
	id: APP_ID,
	title: 'SIEM',

[SIEM] Server cutover to New Platform #63430

[SIEM] Server cutover to New Platform #63430

Conversation

rylnd commented Apr 13, 2020 • edited Loading

Summary

Checklist

For maintainers

elasticmachine commented Apr 13, 2020

rylnd commented Apr 14, 2020 • edited Loading

rylnd commented Apr 15, 2020

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

spong commented Apr 16, 2020

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

dhurley14 Apr 17, 2020 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

dhurley14 left a comment

Choose a reason for hiding this comment

MadameSheema left a comment

Choose a reason for hiding this comment

MadameSheema left a comment

Choose a reason for hiding this comment

spong left a comment • edited Loading

Choose a reason for hiding this comment

mistic left a comment

Choose a reason for hiding this comment

kibanamachine commented Apr 17, 2020

💛 Build succeeded, but was flaky

Standard Out

Stack Trace

History

elasticmachine commented Sep 23, 2021

rylnd commented Apr 13, 2020 •

edited

Loading

rylnd commented Apr 14, 2020 •

edited

Loading

dhurley14 Apr 17, 2020 •

edited

Loading

spong left a comment •

edited

Loading