From 046345d89641ba11d482ef1a828601ef5c9fc75c Mon Sep 17 00:00:00 2001 From: Angela Chuang <6295984+angorayc@users.noreply.github.com> Date: Thu, 10 Sep 2020 20:39:06 +0100 Subject: [PATCH] [Security Solution] Add unit tests for histograms (#77081) * init tests * add unit tests for histograms * fix types Co-authored-by: Elastic Machine --- .../factory/hosts/details/__mocks__/index.ts | 2232 +++++++++++++++++ .../factory/hosts/details/index.test.tsx | 35 + .../details/query.host_details.dsl.test.ts | 13 + .../matrix_histogram/__mocks__/index.ts | 1305 ++++++++++ .../alerts/__mocks__/index.ts | 87 + .../matrix_histogram/alerts/index.test.ts | 22 + .../alerts/query.alerts_histogram.dsl.test.ts | 13 + .../anomalies/__mocks__/index.ts | 73 + .../matrix_histogram/anomalies/index.test.ts | 22 + .../query.anomalies_histogram.dsl.test.ts | 13 + .../authentications/__mocks__/index.ts | 78 + .../authentications/index.test.ts | 22 + ...uery.authentications_histogram.dsl.test.ts | 13 + .../matrix_histogram/dns/__mocks__/index.ts | 72 + .../matrix_histogram/dns/index.test.ts | 28 + .../dns/query.dns_histogram.dsl.test.ts | 13 + .../events/__mocks__/index.ts | 82 + .../matrix_histogram/events/index.test.ts | 22 + .../events/query.events_histogram.dsl.test.ts | 13 + .../factory/matrix_histogram/index.test.ts | 211 ++ 20 files changed, 4369 insertions(+) create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/index.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/query.alerts_histogram.dsl.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/index.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/query.anomalies_histogram.dsl.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/index.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/query.authentications_histogram.dsl.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/index.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/query.dns_histogram.dsl.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/index.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/query.events_histogram.dsl.test.ts create mode 100644 x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/index.test.ts diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts new file mode 100644 index 0000000000000..7403adfd9a659 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts @@ -0,0 +1,2232 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/data/common'; +import { + HostsQueries, + HostDetailsRequestOptions, +} from '../../../../../../../common/search_strategy'; + +export const mockOptions: HostDetailsRequestOptions = { + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + docValueFields: [ + { + field: '@timestamp', + format: 'date_time', + }, + { + field: 'event.created', + format: 'date_time', + }, + { + field: 'event.end', + format: 'date_time', + }, + { + field: 'event.ingested', + format: 'date_time', + }, + { + field: 'event.start', + format: 'date_time', + }, + { + field: 'file.accessed', + format: 'date_time', + }, + { + field: 'file.created', + format: 'date_time', + }, + { + field: 'file.ctime', + format: 'date_time', + }, + { + field: 'file.mtime', + format: 'date_time', + }, + { + field: 'package.installed', + format: 'date_time', + }, + { + field: 'process.parent.start', + format: 'date_time', + }, + { + field: 'process.start', + format: 'date_time', + }, + { + field: 'system.audit.host.boottime', + format: 'date_time', + }, + { + field: 'system.audit.package.installtime', + format: 'date_time', + }, + { + field: 'system.audit.user.password.last_changed', + format: 'date_time', + }, + { + field: 'tls.client.not_after', + format: 'date_time', + }, + { + field: 'tls.client.not_before', + format: 'date_time', + }, + { + field: 'tls.server.not_after', + format: 'date_time', + }, + { + field: 'tls.server.not_before', + format: 'date_time', + }, + { + field: 'aws.cloudtrail.user_identity.session_context.creation_date', + format: 'date_time', + }, + { + field: 'azure.auditlogs.properties.activity_datetime', + format: 'date_time', + }, + { + field: 'azure.enqueued_time', + format: 'date_time', + }, + { + field: 'azure.signinlogs.properties.created_at', + format: 'date_time', + }, + { + field: 'cef.extensions.agentReceiptTime', + format: 'date_time', + }, + { + field: 'cef.extensions.deviceCustomDate1', + format: 'date_time', + }, + { + field: 'cef.extensions.deviceCustomDate2', + format: 'date_time', + }, + { + field: 'cef.extensions.deviceReceiptTime', + format: 'date_time', + }, + { + field: 'cef.extensions.endTime', + format: 'date_time', + }, + { + field: 'cef.extensions.fileCreateTime', + format: 'date_time', + }, + { + field: 'cef.extensions.fileModificationTime', + format: 'date_time', + }, + { + field: 'cef.extensions.flexDate1', + format: 'date_time', + }, + { + field: 'cef.extensions.managerReceiptTime', + format: 'date_time', + }, + { + field: 'cef.extensions.oldFileCreateTime', + format: 'date_time', + }, + { + field: 'cef.extensions.oldFileModificationTime', + format: 'date_time', + }, + { + field: 'cef.extensions.startTime', + format: 'date_time', + }, + { + field: 'checkpoint.subs_exp', + format: 'date_time', + }, + { + field: 'crowdstrike.event.EndTimestamp', + format: 'date_time', + }, + { + field: 'crowdstrike.event.IncidentEndTime', + format: 'date_time', + }, + { + field: 'crowdstrike.event.IncidentStartTime', + format: 'date_time', + }, + { + field: 'crowdstrike.event.ProcessEndTime', + format: 'date_time', + }, + { + field: 'crowdstrike.event.ProcessStartTime', + format: 'date_time', + }, + { + field: 'crowdstrike.event.StartTimestamp', + format: 'date_time', + }, + { + field: 'crowdstrike.event.Timestamp', + format: 'date_time', + }, + { + field: 'crowdstrike.event.UTCTimestamp', + format: 'date_time', + }, + { + field: 'crowdstrike.metadata.eventCreationTime', + format: 'date_time', + }, + { + field: 'gsuite.admin.email.log_search_filter.end_date', + format: 'date_time', + }, + { + field: 'gsuite.admin.email.log_search_filter.start_date', + format: 'date_time', + }, + { + field: 'gsuite.admin.user.birthdate', + format: 'date_time', + }, + { + field: 'kafka.block_timestamp', + format: 'date_time', + }, + { + field: 'microsoft.defender_atp.lastUpdateTime', + format: 'date_time', + }, + { + field: 'microsoft.defender_atp.resolvedTime', + format: 'date_time', + }, + { + field: 'misp.campaign.first_seen', + format: 'date_time', + }, + { + field: 'misp.campaign.last_seen', + format: 'date_time', + }, + { + field: 'misp.intrusion_set.first_seen', + format: 'date_time', + }, + { + field: 'misp.intrusion_set.last_seen', + format: 'date_time', + }, + { + field: 'misp.observed_data.first_observed', + format: 'date_time', + }, + { + field: 'misp.observed_data.last_observed', + format: 'date_time', + }, + { + field: 'misp.report.published', + format: 'date_time', + }, + { + field: 'misp.threat_indicator.valid_from', + format: 'date_time', + }, + { + field: 'misp.threat_indicator.valid_until', + format: 'date_time', + }, + { + field: 'netflow.collection_time_milliseconds', + format: 'date_time', + }, + { + field: 'netflow.exporter.timestamp', + format: 'date_time', + }, + { + field: 'netflow.flow_end_microseconds', + format: 'date_time', + }, + { + field: 'netflow.flow_end_milliseconds', + format: 'date_time', + }, + { + field: 'netflow.flow_end_nanoseconds', + format: 'date_time', + }, + { + field: 'netflow.flow_end_seconds', + format: 'date_time', + }, + { + field: 'netflow.flow_start_microseconds', + format: 'date_time', + }, + { + field: 'netflow.flow_start_milliseconds', + format: 'date_time', + }, + { + field: 'netflow.flow_start_nanoseconds', + format: 'date_time', + }, + { + field: 'netflow.flow_start_seconds', + format: 'date_time', + }, + { + field: 'netflow.max_export_seconds', + format: 'date_time', + }, + { + field: 'netflow.max_flow_end_microseconds', + format: 'date_time', + }, + { + field: 'netflow.max_flow_end_milliseconds', + format: 'date_time', + }, + { + field: 'netflow.max_flow_end_nanoseconds', + format: 'date_time', + }, + { + field: 'netflow.max_flow_end_seconds', + format: 'date_time', + }, + { + field: 'netflow.min_export_seconds', + format: 'date_time', + }, + { + field: 'netflow.min_flow_start_microseconds', + format: 'date_time', + }, + { + field: 'netflow.min_flow_start_milliseconds', + format: 'date_time', + }, + { + field: 'netflow.min_flow_start_nanoseconds', + format: 'date_time', + }, + { + field: 'netflow.min_flow_start_seconds', + format: 'date_time', + }, + { + field: 'netflow.monitoring_interval_end_milli_seconds', + format: 'date_time', + }, + { + field: 'netflow.monitoring_interval_start_milli_seconds', + format: 'date_time', + }, + { + field: 'netflow.observation_time_microseconds', + format: 'date_time', + }, + { + field: 'netflow.observation_time_milliseconds', + format: 'date_time', + }, + { + field: 'netflow.observation_time_nanoseconds', + format: 'date_time', + }, + { + field: 'netflow.observation_time_seconds', + format: 'date_time', + }, + { + field: 'netflow.system_init_time_milliseconds', + format: 'date_time', + }, + { + field: 'rsa.internal.lc_ctime', + format: 'date_time', + }, + { + field: 'rsa.internal.time', + format: 'date_time', + }, + { + field: 'rsa.time.effective_time', + format: 'date_time', + }, + { + field: 'rsa.time.endtime', + format: 'date_time', + }, + { + field: 'rsa.time.event_queue_time', + format: 'date_time', + }, + { + field: 'rsa.time.event_time', + format: 'date_time', + }, + { + field: 'rsa.time.expire_time', + format: 'date_time', + }, + { + field: 'rsa.time.recorded_time', + format: 'date_time', + }, + { + field: 'rsa.time.stamp', + format: 'date_time', + }, + { + field: 'rsa.time.starttime', + format: 'date_time', + }, + { + field: 'sophos.xg.date', + format: 'date_time', + }, + { + field: 'sophos.xg.eventtime', + format: 'date_time', + }, + { + field: 'sophos.xg.start_time', + format: 'date_time', + }, + ], + factoryQueryType: HostsQueries.authentications, + filterQuery: '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', + pagination: { + activePage: 0, + cursorStart: 0, + fakePossibleCount: 50, + querySize: 10, + }, + timerange: { + interval: '12h', + from: '2020-09-02T15:17:13.678Z', + to: '2020-09-03T15:17:13.678Z', + }, + hostName: 'bastion00', +}; + +export const mockSearchStrategyResponse: IEsSearchResponse = { + isPartial: false, + isRunning: false, + rawResponse: { + took: 14, + timed_out: false, + _shards: { total: 21, successful: 21, skipped: 0, failed: 0 }, + hits: { total: -1, max_score: 0, hits: [] }, + aggregations: { + group_by_users: { + doc_count_error_upper_bound: -1, + sum_other_doc_count: 408, + buckets: [ + { + key: 'SYSTEM', + doc_count: 281, + failures: { + meta: {}, + doc_count: 0, + lastFailure: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + successes: { + meta: {}, + doc_count: 4, + lastSuccess: { + hits: { + total: 4, + max_score: 0, + hits: [ + { + _index: 'winlogbeat-8.0.0-2020.09.02-000001', + _id: 'zqY7WXQBA6bGZw2uLeKI', + _score: null, + _source: { + process: { + name: 'services.exe', + pid: 564, + executable: 'C:\\Windows\\System32\\services.exe', + }, + agent: { + build_date: '2020-07-16 09:16:27 +0000 UTC ', + name: 'siem-windows', + commit: '4dcbde39492bdc3843034bba8db811c68cb44b97 ', + id: '05e1bff7-d7a8-416a-8554-aa10288fa07d', + type: 'winlogbeat', + ephemeral_id: '655abd6c-6c33-435d-a2eb-79b2a01e6d61', + version: '8.0.0', + user: { name: 'inside_winlogbeat_user' }, + }, + winlog: { + computer_name: 'siem-windows', + process: { pid: 576, thread: { id: 880 } }, + keywords: ['Audit Success'], + logon: { id: '0x3e7', type: 'Service' }, + channel: 'Security', + event_data: { + LogonGuid: '{00000000-0000-0000-0000-000000000000}', + TargetOutboundDomainName: '-', + VirtualAccount: '%%1843', + LogonType: '5', + IpPort: '-', + TransmittedServices: '-', + SubjectLogonId: '0x3e7', + LmPackageName: '-', + TargetOutboundUserName: '-', + KeyLength: '0', + TargetLogonId: '0x3e7', + RestrictedAdminMode: '-', + SubjectUserName: 'SIEM-WINDOWS$', + TargetLinkedLogonId: '0x0', + ElevatedToken: '%%1842', + SubjectDomainName: 'WORKGROUP', + IpAddress: '-', + ImpersonationLevel: '%%1833', + TargetUserName: 'SYSTEM', + LogonProcessName: 'Advapi ', + TargetDomainName: 'NT AUTHORITY', + SubjectUserSid: 'S-1-5-18', + TargetUserSid: 'S-1-5-18', + AuthenticationPackageName: 'Negotiate', + }, + opcode: 'Info', + version: 2, + record_id: 57818, + task: 'Logon', + event_id: 4624, + provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', + activity_id: '{d2485217-6bac-0000-8fbb-3f7e2571d601}', + api: 'wineventlog', + provider_name: 'Microsoft-Windows-Security-Auditing', + }, + log: { level: 'information' }, + source: { domain: '-' }, + message: + 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSIEM-WINDOWS$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t5\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x234\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.', + cloud: { + availability_zone: 'us-central1-c', + instance: { name: 'siem-windows', id: '9156726559029788564' }, + provider: 'gcp', + machine: { type: 'g1-small' }, + project: { id: 'elastic-siem' }, + }, + '@timestamp': '2020-09-04T13:08:02.532Z', + related: { user: ['SYSTEM', 'SIEM-WINDOWS$'] }, + ecs: { version: '1.5.0' }, + host: { + hostname: 'siem-windows', + os: { + build: '17763.1397', + kernel: '10.0.17763.1397 (WinBuild.160101.0800)', + name: 'Windows Server 2019 Datacenter', + family: 'windows', + version: '10.0', + platform: 'windows', + }, + ip: ['fe80::ecf5:decc:3ec3:767e', '10.200.0.15'], + name: 'siem-windows', + id: 'ce1d3c9b-a815-4643-9641-ada0f2c00609', + mac: ['42:01:0a:c8:00:0f'], + architecture: 'x86_64', + }, + event: { + code: 4624, + provider: 'Microsoft-Windows-Security-Auditing', + created: '2020-09-04T13:08:03.638Z', + kind: 'event', + module: 'security', + action: 'logged-in', + category: 'authentication', + type: 'start', + outcome: 'success', + }, + user: { domain: 'NT AUTHORITY', name: 'SYSTEM', id: 'S-1-5-18' }, + }, + sort: [1599224882532], + }, + ], + }, + }, + }, + }, + { + key: 'tsg', + doc_count: 1, + failures: { + doc_count: 0, + lastFailure: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + successes: { + doc_count: 1, + lastSuccess: { + hits: { + total: 1, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: '9_sfWXQBc39KFIJbIsDh', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + type: 'filebeat', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 20764 }, + log: { file: { path: '/var/log/auth.log' }, offset: 552463 }, + source: { + geo: { + continent_name: 'Europe', + region_iso_code: 'DE-BE', + city_name: 'Berlin', + country_iso_code: 'DE', + region_name: 'Land Berlin', + location: { lon: 13.3512, lat: 52.5727 }, + }, + as: { number: 6805, organization: { name: 'Telefonica Germany' } }, + port: 57457, + ip: '77.183.42.188', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T11:49:21.000Z', + system: { + auth: { + ssh: { + method: 'publickey', + signature: 'RSA SHA256:vv64JNLzKZWYA9vonnGWuW7zxWhyZrL/BFxyIGbISx8', + event: 'Accepted', + }, + }, + }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_success', + category: 'authentication', + dataset: 'system.auth', + outcome: 'success', + }, + user: { name: 'tsg' }, + }, + sort: [1599220161000], + }, + ], + }, + }, + }, + }, + { + key: 'admin', + doc_count: 23, + failures: { + doc_count: 23, + lastFailure: { + hits: { + total: 23, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: 'ZfxZWXQBc39KFIJbLN5U', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + type: 'filebeat', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 22913 }, + log: { file: { path: '/var/log/auth.log' }, offset: 562910 }, + source: { + geo: { + continent_name: 'Asia', + region_iso_code: 'KR-28', + city_name: 'Incheon', + country_iso_code: 'KR', + region_name: 'Incheon', + location: { lon: 126.7288, lat: 37.4562 }, + }, + as: { number: 4766, organization: { name: 'Korea Telecom' } }, + ip: '59.15.3.197', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T13:40:46.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_failure', + category: 'authentication', + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'admin' }, + }, + sort: [1599226846000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'user', + doc_count: 21, + failures: { + doc_count: 21, + lastFailure: { + hits: { + total: 21, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'M_xLWXQBc39KFIJbY7Cb', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 20671 }, + log: { file: { path: '/var/log/auth.log' }, offset: 1028103 }, + source: { + geo: { + continent_name: 'North America', + region_iso_code: 'US-NY', + city_name: 'New York', + country_iso_code: 'US', + region_name: 'New York', + location: { lon: -74, lat: 40.7157 }, + }, + ip: '64.227.88.245', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T13:25:43.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['64.227.88.245'], user: ['user'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T13:25:47.034172Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'user' }, + }, + sort: [1599225943000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'ubuntu', + doc_count: 18, + failures: { + doc_count: 18, + lastFailure: { + hits: { + total: 18, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'nPxKWXQBc39KFIJb7q4w', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + type: 'filebeat', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 20665 }, + log: { file: { path: '/var/log/auth.log' }, offset: 1027372 }, + source: { + geo: { + continent_name: 'North America', + region_iso_code: 'US-NY', + city_name: 'New York', + country_iso_code: 'US', + region_name: 'New York', + location: { lon: -74, lat: 40.7157 }, + }, + ip: '64.227.88.245', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T13:25:07.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['64.227.88.245'], user: ['ubuntu'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T13:25:16.974606Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'ubuntu' }, + }, + sort: [1599225907000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'odoo', + doc_count: 17, + failures: { + doc_count: 17, + lastFailure: { + hits: { + total: 17, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: 'mPsfWXQBc39KFIJbI8HI', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + type: 'filebeat', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 21506 }, + log: { file: { path: '/var/log/auth.log' }, offset: 556761 }, + source: { + geo: { + continent_name: 'Asia', + region_iso_code: 'IN-DL', + city_name: 'New Delhi', + country_iso_code: 'IN', + region_name: 'National Capital Territory of Delhi', + location: { lon: 77.2245, lat: 28.6358 }, + }, + as: { number: 10029, organization: { name: 'SHYAM SPECTRA PVT LTD' } }, + ip: '180.151.228.166', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T12:26:36.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_failure', + category: 'authentication', + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'odoo' }, + }, + sort: [1599222396000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'pi', + doc_count: 17, + failures: { + doc_count: 17, + lastFailure: { + hits: { + total: 17, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'aaToWHQBA6bGZw2uR-St', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 20475 }, + log: { file: { path: '/var/log/auth.log' }, offset: 1019218 }, + source: { + geo: { + continent_name: 'Europe', + region_iso_code: 'SE-AB', + city_name: 'Stockholm', + country_iso_code: 'SE', + region_name: 'Stockholm', + location: { lon: 17.7833, lat: 59.25 }, + }, + as: { number: 8473, organization: { name: 'Bahnhof AB' } }, + ip: '178.174.148.58', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T11:37:22.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['178.174.148.58'], user: ['pi'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T11:37:31.797423Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'pi' }, + }, + sort: [1599219442000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'demo', + doc_count: 14, + failures: { + doc_count: 14, + lastFailure: { + hits: { + total: 14, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'VaP_V3QBA6bGZw2upUbg', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 19849 }, + log: { file: { path: '/var/log/auth.log' }, offset: 981036 }, + source: { + geo: { + continent_name: 'Europe', + country_iso_code: 'HR', + location: { lon: 15.5, lat: 45.1667 }, + }, + as: { + number: 42864, + organization: { name: 'Giganet Internet Szolgaltato Kft' }, + }, + ip: '45.95.168.157', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T07:23:22.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['45.95.168.157'], user: ['demo'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T07:23:26.046346Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'demo' }, + }, + sort: [1599204202000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'git', + doc_count: 13, + failures: { + doc_count: 13, + lastFailure: { + hits: { + total: 13, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: 'PqYfWXQBA6bGZw2uIhVU', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + type: 'filebeat', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 20396 }, + log: { file: { path: '/var/log/auth.log' }, offset: 550795 }, + source: { + geo: { + continent_name: 'Asia', + region_iso_code: 'CN-BJ', + city_name: 'Beijing', + country_iso_code: 'CN', + region_name: 'Beijing', + location: { lon: 116.3889, lat: 39.9288 }, + }, + as: { + number: 45090, + organization: { + name: 'Shenzhen Tencent Computer Systems Company Limited', + }, + }, + ip: '123.206.30.76', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T11:20:26.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_failure', + category: 'authentication', + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'git' }, + }, + sort: [1599218426000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'webadmin', + doc_count: 13, + failures: { + doc_count: 13, + lastFailure: { + hits: { + total: 13, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'iMABWHQBB-gskclyitP-', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 19870 }, + log: { file: { path: '/var/log/auth.log' }, offset: 984133 }, + source: { + geo: { + continent_name: 'Europe', + country_iso_code: 'HR', + location: { lon: 15.5, lat: 45.1667 }, + }, + as: { + number: 42864, + organization: { name: 'Giganet Internet Szolgaltato Kft' }, + }, + ip: '45.95.168.157', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T07:25:28.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['45.95.168.157'], user: ['webadmin'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T07:25:30.236651Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'webadmin' }, + }, + sort: [1599204328000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + ], + }, + user_count: { value: 188 }, + }, + }, + total: 21, + loaded: 21, +}; + +export const formattedSearchStrategyResponse = { + isPartial: false, + isRunning: false, + rawResponse: { + took: 14, + timed_out: false, + _shards: { total: 21, successful: 21, skipped: 0, failed: 0 }, + hits: { total: -1, max_score: 0, hits: [] }, + aggregations: { + group_by_users: { + doc_count_error_upper_bound: -1, + sum_other_doc_count: 408, + buckets: [ + { + key: 'SYSTEM', + doc_count: 281, + failures: { + meta: {}, + doc_count: 0, + lastFailure: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + successes: { + meta: {}, + doc_count: 4, + lastSuccess: { + hits: { + total: 4, + max_score: 0, + hits: [ + { + _index: 'winlogbeat-8.0.0-2020.09.02-000001', + _id: 'zqY7WXQBA6bGZw2uLeKI', + _score: null, + _source: { + process: { + name: 'services.exe', + pid: 564, + executable: 'C:\\Windows\\System32\\services.exe', + }, + agent: { + build_date: '2020-07-16 09:16:27 +0000 UTC ', + name: 'siem-windows', + commit: '4dcbde39492bdc3843034bba8db811c68cb44b97 ', + id: '05e1bff7-d7a8-416a-8554-aa10288fa07d', + type: 'winlogbeat', + ephemeral_id: '655abd6c-6c33-435d-a2eb-79b2a01e6d61', + version: '8.0.0', + user: { name: 'inside_winlogbeat_user' }, + }, + winlog: { + computer_name: 'siem-windows', + process: { pid: 576, thread: { id: 880 } }, + keywords: ['Audit Success'], + logon: { id: '0x3e7', type: 'Service' }, + channel: 'Security', + event_data: { + LogonGuid: '{00000000-0000-0000-0000-000000000000}', + TargetOutboundDomainName: '-', + VirtualAccount: '%%1843', + LogonType: '5', + IpPort: '-', + TransmittedServices: '-', + SubjectLogonId: '0x3e7', + LmPackageName: '-', + TargetOutboundUserName: '-', + KeyLength: '0', + TargetLogonId: '0x3e7', + RestrictedAdminMode: '-', + SubjectUserName: 'SIEM-WINDOWS$', + TargetLinkedLogonId: '0x0', + ElevatedToken: '%%1842', + SubjectDomainName: 'WORKGROUP', + IpAddress: '-', + ImpersonationLevel: '%%1833', + TargetUserName: 'SYSTEM', + LogonProcessName: 'Advapi ', + TargetDomainName: 'NT AUTHORITY', + SubjectUserSid: 'S-1-5-18', + TargetUserSid: 'S-1-5-18', + AuthenticationPackageName: 'Negotiate', + }, + opcode: 'Info', + version: 2, + record_id: 57818, + task: 'Logon', + event_id: 4624, + provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', + activity_id: '{d2485217-6bac-0000-8fbb-3f7e2571d601}', + api: 'wineventlog', + provider_name: 'Microsoft-Windows-Security-Auditing', + }, + log: { level: 'information' }, + source: { domain: '-' }, + message: + 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSIEM-WINDOWS$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t5\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x234\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.', + cloud: { + availability_zone: 'us-central1-c', + instance: { name: 'siem-windows', id: '9156726559029788564' }, + provider: 'gcp', + machine: { type: 'g1-small' }, + project: { id: 'elastic-siem' }, + }, + '@timestamp': '2020-09-04T13:08:02.532Z', + related: { user: ['SYSTEM', 'SIEM-WINDOWS$'] }, + ecs: { version: '1.5.0' }, + host: { + hostname: 'siem-windows', + os: { + build: '17763.1397', + kernel: '10.0.17763.1397 (WinBuild.160101.0800)', + name: 'Windows Server 2019 Datacenter', + family: 'windows', + version: '10.0', + platform: 'windows', + }, + ip: ['fe80::ecf5:decc:3ec3:767e', '10.200.0.15'], + name: 'siem-windows', + id: 'ce1d3c9b-a815-4643-9641-ada0f2c00609', + mac: ['42:01:0a:c8:00:0f'], + architecture: 'x86_64', + }, + event: { + code: 4624, + provider: 'Microsoft-Windows-Security-Auditing', + created: '2020-09-04T13:08:03.638Z', + kind: 'event', + module: 'security', + action: 'logged-in', + category: 'authentication', + type: 'start', + outcome: 'success', + }, + user: { domain: 'NT AUTHORITY', name: 'SYSTEM', id: 'S-1-5-18' }, + }, + sort: [1599224882532], + }, + ], + }, + }, + }, + }, + { + key: 'tsg', + doc_count: 1, + failures: { doc_count: 0, lastFailure: { hits: { total: 0, max_score: 0, hits: [] } } }, + successes: { + doc_count: 1, + lastSuccess: { + hits: { + total: 1, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: '9_sfWXQBc39KFIJbIsDh', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + type: 'filebeat', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 20764 }, + log: { file: { path: '/var/log/auth.log' }, offset: 552463 }, + source: { + geo: { + continent_name: 'Europe', + region_iso_code: 'DE-BE', + city_name: 'Berlin', + country_iso_code: 'DE', + region_name: 'Land Berlin', + location: { lon: 13.3512, lat: 52.5727 }, + }, + as: { number: 6805, organization: { name: 'Telefonica Germany' } }, + port: 57457, + ip: '77.183.42.188', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T11:49:21.000Z', + system: { + auth: { + ssh: { + method: 'publickey', + signature: 'RSA SHA256:vv64JNLzKZWYA9vonnGWuW7zxWhyZrL/BFxyIGbISx8', + event: 'Accepted', + }, + }, + }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_success', + category: 'authentication', + dataset: 'system.auth', + outcome: 'success', + }, + user: { name: 'tsg' }, + }, + sort: [1599220161000], + }, + ], + }, + }, + }, + }, + { + key: 'admin', + doc_count: 23, + failures: { + doc_count: 23, + lastFailure: { + hits: { + total: 23, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: 'ZfxZWXQBc39KFIJbLN5U', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + type: 'filebeat', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 22913 }, + log: { file: { path: '/var/log/auth.log' }, offset: 562910 }, + source: { + geo: { + continent_name: 'Asia', + region_iso_code: 'KR-28', + city_name: 'Incheon', + country_iso_code: 'KR', + region_name: 'Incheon', + location: { lon: 126.7288, lat: 37.4562 }, + }, + as: { number: 4766, organization: { name: 'Korea Telecom' } }, + ip: '59.15.3.197', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T13:40:46.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_failure', + category: 'authentication', + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'admin' }, + }, + sort: [1599226846000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'user', + doc_count: 21, + failures: { + doc_count: 21, + lastFailure: { + hits: { + total: 21, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'M_xLWXQBc39KFIJbY7Cb', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 20671 }, + log: { file: { path: '/var/log/auth.log' }, offset: 1028103 }, + source: { + geo: { + continent_name: 'North America', + region_iso_code: 'US-NY', + city_name: 'New York', + country_iso_code: 'US', + region_name: 'New York', + location: { lon: -74, lat: 40.7157 }, + }, + ip: '64.227.88.245', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T13:25:43.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['64.227.88.245'], user: ['user'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T13:25:47.034172Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'user' }, + }, + sort: [1599225943000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'ubuntu', + doc_count: 18, + failures: { + doc_count: 18, + lastFailure: { + hits: { + total: 18, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'nPxKWXQBc39KFIJb7q4w', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + type: 'filebeat', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 20665 }, + log: { file: { path: '/var/log/auth.log' }, offset: 1027372 }, + source: { + geo: { + continent_name: 'North America', + region_iso_code: 'US-NY', + city_name: 'New York', + country_iso_code: 'US', + region_name: 'New York', + location: { lon: -74, lat: 40.7157 }, + }, + ip: '64.227.88.245', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T13:25:07.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['64.227.88.245'], user: ['ubuntu'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T13:25:16.974606Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'ubuntu' }, + }, + sort: [1599225907000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'odoo', + doc_count: 17, + failures: { + doc_count: 17, + lastFailure: { + hits: { + total: 17, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: 'mPsfWXQBc39KFIJbI8HI', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + type: 'filebeat', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 21506 }, + log: { file: { path: '/var/log/auth.log' }, offset: 556761 }, + source: { + geo: { + continent_name: 'Asia', + region_iso_code: 'IN-DL', + city_name: 'New Delhi', + country_iso_code: 'IN', + region_name: 'National Capital Territory of Delhi', + location: { lon: 77.2245, lat: 28.6358 }, + }, + as: { number: 10029, organization: { name: 'SHYAM SPECTRA PVT LTD' } }, + ip: '180.151.228.166', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T12:26:36.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_failure', + category: 'authentication', + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'odoo' }, + }, + sort: [1599222396000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'pi', + doc_count: 17, + failures: { + doc_count: 17, + lastFailure: { + hits: { + total: 17, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'aaToWHQBA6bGZw2uR-St', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 20475 }, + log: { file: { path: '/var/log/auth.log' }, offset: 1019218 }, + source: { + geo: { + continent_name: 'Europe', + region_iso_code: 'SE-AB', + city_name: 'Stockholm', + country_iso_code: 'SE', + region_name: 'Stockholm', + location: { lon: 17.7833, lat: 59.25 }, + }, + as: { number: 8473, organization: { name: 'Bahnhof AB' } }, + ip: '178.174.148.58', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T11:37:22.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['178.174.148.58'], user: ['pi'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T11:37:31.797423Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'pi' }, + }, + sort: [1599219442000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'demo', + doc_count: 14, + failures: { + doc_count: 14, + lastFailure: { + hits: { + total: 14, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'VaP_V3QBA6bGZw2upUbg', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 19849 }, + log: { file: { path: '/var/log/auth.log' }, offset: 981036 }, + source: { + geo: { + continent_name: 'Europe', + country_iso_code: 'HR', + location: { lon: 15.5, lat: 45.1667 }, + }, + as: { + number: 42864, + organization: { name: 'Giganet Internet Szolgaltato Kft' }, + }, + ip: '45.95.168.157', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T07:23:22.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['45.95.168.157'], user: ['demo'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T07:23:26.046346Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'demo' }, + }, + sort: [1599204202000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'git', + doc_count: 13, + failures: { + doc_count: 13, + lastFailure: { + hits: { + total: 13, + max_score: 0, + hits: [ + { + _index: '.ds-logs-system.auth-default-000001', + _id: 'PqYfWXQBA6bGZw2uIhVU', + _score: null, + _source: { + agent: { + hostname: 'siem-kibana', + name: 'siem-kibana', + id: 'aa3d9dc7-fef1-4c2f-a68d-25785d624e35', + ephemeral_id: 'e503bd85-11c7-4bc9-ae7d-70be1d919fb7', + type: 'filebeat', + version: '7.9.1', + }, + process: { name: 'sshd', pid: 20396 }, + log: { file: { path: '/var/log/auth.log' }, offset: 550795 }, + source: { + geo: { + continent_name: 'Asia', + region_iso_code: 'CN-BJ', + city_name: 'Beijing', + country_iso_code: 'CN', + region_name: 'Beijing', + location: { lon: 116.3889, lat: 39.9288 }, + }, + as: { + number: 45090, + organization: { + name: 'Shenzhen Tencent Computer Systems Company Limited', + }, + }, + ip: '123.206.30.76', + }, + cloud: { + availability_zone: 'us-east1-b', + instance: { name: 'siem-kibana', id: '5412578377715150143' }, + provider: 'gcp', + machine: { type: 'n1-standard-2' }, + project: { id: 'elastic-beats' }, + }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T11:20:26.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + data_stream: { namespace: 'default', type: 'logs', dataset: 'system.auth' }, + host: { + hostname: 'siem-kibana', + os: { + kernel: '4.9.0-8-amd64', + codename: 'stretch', + name: 'Debian GNU/Linux', + family: 'debian', + version: '9 (stretch)', + platform: 'debian', + }, + containerized: false, + ip: ['10.142.0.7', 'fe80::4001:aff:fe8e:7'], + name: 'siem-kibana', + id: 'aa7ca589f1b8220002f2fc61c64cfbf1', + mac: ['42:01:0a:8e:00:07'], + architecture: 'x86_64', + }, + event: { + timezone: '+00:00', + action: 'ssh_login', + type: 'authentication_failure', + category: 'authentication', + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'git' }, + }, + sort: [1599218426000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + { + key: 'webadmin', + doc_count: 13, + failures: { + doc_count: 13, + lastFailure: { + hits: { + total: 13, + max_score: 0, + hits: [ + { + _index: 'filebeat-8.0.0-2020.09.02-000001', + _id: 'iMABWHQBB-gskclyitP-', + _score: null, + _source: { + agent: { + name: 'bastion00.siem.estc.dev', + id: 'f9a321c1-ec27-49fa-aacf-6a50ef6d836f', + type: 'filebeat', + ephemeral_id: '734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc', + version: '8.0.0', + }, + process: { name: 'sshd', pid: 19870 }, + log: { file: { path: '/var/log/auth.log' }, offset: 984133 }, + source: { + geo: { + continent_name: 'Europe', + country_iso_code: 'HR', + location: { lon: 15.5, lat: 45.1667 }, + }, + as: { + number: 42864, + organization: { name: 'Giganet Internet Szolgaltato Kft' }, + }, + ip: '45.95.168.157', + }, + fileset: { name: 'auth' }, + input: { type: 'log' }, + '@timestamp': '2020-09-04T07:25:28.000Z', + system: { auth: { ssh: { event: 'Invalid' } } }, + ecs: { version: '1.5.0' }, + related: { ip: ['45.95.168.157'], user: ['webadmin'] }, + service: { type: 'system' }, + host: { hostname: 'bastion00', name: 'bastion00.siem.estc.dev' }, + event: { + ingested: '2020-09-04T07:25:30.236651Z', + timezone: '+00:00', + kind: 'event', + module: 'system', + action: 'ssh_login', + type: ['authentication_failure', 'info'], + category: ['authentication'], + dataset: 'system.auth', + outcome: 'failure', + }, + user: { name: 'webadmin' }, + }, + sort: [1599204328000], + }, + ], + }, + }, + }, + successes: { + doc_count: 0, + lastSuccess: { hits: { total: 0, max_score: 0, hits: [] } }, + }, + }, + ], + }, + user_count: { value: 188 }, + }, + }, + total: 21, + loaded: 21, + inspect: { + dsl: [ + '{\n "allowNoIndices": true,\n "index": [\n "apm-*-transaction*",\n "auditbeat-*",\n "endgame-*",\n "filebeat-*",\n "logs-*",\n "packetbeat-*",\n "winlogbeat-*"\n ],\n "ignoreUnavailable": true,\n "body": {\n "aggregations": {\n "host_architecture": {\n "terms": {\n "field": "host.architecture",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_id": {\n "terms": {\n "field": "host.id",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_ip": {\n "terms": {\n "field": "host.ip",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_mac": {\n "terms": {\n "field": "host.mac",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_name": {\n "terms": {\n "field": "host.name",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_os_family": {\n "terms": {\n "field": "host.os.family",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_os_name": {\n "terms": {\n "field": "host.os.name",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_os_platform": {\n "terms": {\n "field": "host.os.platform",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "host_os_version": {\n "terms": {\n "field": "host.os.version",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "cloud_instance_id": {\n "terms": {\n "field": "cloud.instance.id",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "cloud_machine_type": {\n "terms": {\n "field": "cloud.machine.type",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "cloud_provider": {\n "terms": {\n "field": "cloud.provider",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n },\n "cloud_region": {\n "terms": {\n "field": "cloud.region",\n "size": 10,\n "order": {\n "timestamp": "desc"\n }\n },\n "aggs": {\n "timestamp": {\n "max": {\n "field": "@timestamp"\n }\n }\n }\n }\n },\n "query": {\n "bool": {\n "filter": [\n {\n "term": {\n "host.name": "bastion00"\n }\n },\n {\n "range": {\n "@timestamp": {\n "format": "strict_date_optional_time",\n "gte": "2020-09-02T15:17:13.678Z",\n "lte": "2020-09-03T15:17:13.678Z"\n }\n }\n }\n ]\n }\n },\n "size": 0,\n "track_total_hits": false\n }\n}', + ], + response: [ + '{\n "isPartial": false,\n "isRunning": false,\n "rawResponse": {\n "took": 14,\n "timed_out": false,\n "_shards": {\n "total": 21,\n "successful": 21,\n "skipped": 0,\n "failed": 0\n },\n "hits": {\n "total": -1,\n "max_score": 0,\n "hits": []\n },\n "aggregations": {\n "group_by_users": {\n "doc_count_error_upper_bound": -1,\n "sum_other_doc_count": 408,\n "buckets": [\n {\n "key": "SYSTEM",\n "doc_count": 281,\n "failures": {\n "meta": {},\n "doc_count": 0,\n "lastFailure": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n },\n "successes": {\n "meta": {},\n "doc_count": 4,\n "lastSuccess": {\n "hits": {\n "total": 4,\n "max_score": 0,\n "hits": [\n {\n "_index": "winlogbeat-8.0.0-2020.09.02-000001",\n "_id": "zqY7WXQBA6bGZw2uLeKI",\n "_score": null,\n "_source": {\n "process": {\n "name": "services.exe",\n "pid": 564,\n "executable": "C:\\\\Windows\\\\System32\\\\services.exe"\n },\n "agent": {\n "build_date": "2020-07-16 09:16:27 +0000 UTC ",\n "name": "siem-windows",\n "commit": "4dcbde39492bdc3843034bba8db811c68cb44b97 ",\n "id": "05e1bff7-d7a8-416a-8554-aa10288fa07d",\n "type": "winlogbeat",\n "ephemeral_id": "655abd6c-6c33-435d-a2eb-79b2a01e6d61",\n "version": "8.0.0",\n "user": {\n "name": "inside_winlogbeat_user"\n }\n },\n "winlog": {\n "computer_name": "siem-windows",\n "process": {\n "pid": 576,\n "thread": {\n "id": 880\n }\n },\n "keywords": [\n "Audit Success"\n ],\n "logon": {\n "id": "0x3e7",\n "type": "Service"\n },\n "channel": "Security",\n "event_data": {\n "LogonGuid": "{00000000-0000-0000-0000-000000000000}",\n "TargetOutboundDomainName": "-",\n "VirtualAccount": "%%1843",\n "LogonType": "5",\n "IpPort": "-",\n "TransmittedServices": "-",\n "SubjectLogonId": "0x3e7",\n "LmPackageName": "-",\n "TargetOutboundUserName": "-",\n "KeyLength": "0",\n "TargetLogonId": "0x3e7",\n "RestrictedAdminMode": "-",\n "SubjectUserName": "SIEM-WINDOWS$",\n "TargetLinkedLogonId": "0x0",\n "ElevatedToken": "%%1842",\n "SubjectDomainName": "WORKGROUP",\n "IpAddress": "-",\n "ImpersonationLevel": "%%1833",\n "TargetUserName": "SYSTEM",\n "LogonProcessName": "Advapi ",\n "TargetDomainName": "NT AUTHORITY",\n "SubjectUserSid": "S-1-5-18",\n "TargetUserSid": "S-1-5-18",\n "AuthenticationPackageName": "Negotiate"\n },\n "opcode": "Info",\n "version": 2,\n "record_id": 57818,\n "task": "Logon",\n "event_id": 4624,\n "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",\n "activity_id": "{d2485217-6bac-0000-8fbb-3f7e2571d601}",\n "api": "wineventlog",\n "provider_name": "Microsoft-Windows-Security-Auditing"\n },\n "log": {\n "level": "information"\n },\n "source": {\n "domain": "-"\n },\n "message": "An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-18\\n\\tAccount Name:\\t\\tSIEM-WINDOWS$\\n\\tAccount Domain:\\t\\tWORKGROUP\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t5\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tYes\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-1-5-18\\n\\tAccount Name:\\t\\tSYSTEM\\n\\tAccount Domain:\\t\\tNT AUTHORITY\\n\\tLogon ID:\\t\\t0x3E7\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x234\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\t-\\n\\tSource Network Address:\\t-\\n\\tSource Port:\\t\\t-\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tAdvapi \\n\\tAuthentication Package:\\tNegotiate\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",\n "cloud": {\n "availability_zone": "us-central1-c",\n "instance": {\n "name": "siem-windows",\n "id": "9156726559029788564"\n },\n "provider": "gcp",\n "machine": {\n "type": "g1-small"\n },\n "project": {\n "id": "elastic-siem"\n }\n },\n "@timestamp": "2020-09-04T13:08:02.532Z",\n "related": {\n "user": [\n "SYSTEM",\n "SIEM-WINDOWS$"\n ]\n },\n "ecs": {\n "version": "1.5.0"\n },\n "host": {\n "hostname": "siem-windows",\n "os": {\n "build": "17763.1397",\n "kernel": "10.0.17763.1397 (WinBuild.160101.0800)",\n "name": "Windows Server 2019 Datacenter",\n "family": "windows",\n "version": "10.0",\n "platform": "windows"\n },\n "ip": [\n "fe80::ecf5:decc:3ec3:767e",\n "10.200.0.15"\n ],\n "name": "siem-windows",\n "id": "ce1d3c9b-a815-4643-9641-ada0f2c00609",\n "mac": [\n "42:01:0a:c8:00:0f"\n ],\n "architecture": "x86_64"\n },\n "event": {\n "code": 4624,\n "provider": "Microsoft-Windows-Security-Auditing",\n "created": "2020-09-04T13:08:03.638Z",\n "kind": "event",\n "module": "security",\n "action": "logged-in",\n "category": "authentication",\n "type": "start",\n "outcome": "success"\n },\n "user": {\n "domain": "NT AUTHORITY",\n "name": "SYSTEM",\n "id": "S-1-5-18"\n }\n },\n "sort": [\n 1599224882532\n ]\n }\n ]\n }\n }\n }\n },\n {\n "key": "tsg",\n "doc_count": 1,\n "failures": {\n "doc_count": 0,\n "lastFailure": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n },\n "successes": {\n "doc_count": 1,\n "lastSuccess": {\n "hits": {\n "total": 1,\n "max_score": 0,\n "hits": [\n {\n "_index": ".ds-logs-system.auth-default-000001",\n "_id": "9_sfWXQBc39KFIJbIsDh",\n "_score": null,\n "_source": {\n "agent": {\n "hostname": "siem-kibana",\n "name": "siem-kibana",\n "id": "aa3d9dc7-fef1-4c2f-a68d-25785d624e35",\n "ephemeral_id": "e503bd85-11c7-4bc9-ae7d-70be1d919fb7",\n "type": "filebeat",\n "version": "7.9.1"\n },\n "process": {\n "name": "sshd",\n "pid": 20764\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 552463\n },\n "source": {\n "geo": {\n "continent_name": "Europe",\n "region_iso_code": "DE-BE",\n "city_name": "Berlin",\n "country_iso_code": "DE",\n "region_name": "Land Berlin",\n "location": {\n "lon": 13.3512,\n "lat": 52.5727\n }\n },\n "as": {\n "number": 6805,\n "organization": {\n "name": "Telefonica Germany"\n }\n },\n "port": 57457,\n "ip": "77.183.42.188"\n },\n "cloud": {\n "availability_zone": "us-east1-b",\n "instance": {\n "name": "siem-kibana",\n "id": "5412578377715150143"\n },\n "provider": "gcp",\n "machine": {\n "type": "n1-standard-2"\n },\n "project": {\n "id": "elastic-beats"\n }\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T11:49:21.000Z",\n "system": {\n "auth": {\n "ssh": {\n "method": "publickey",\n "signature": "RSA SHA256:vv64JNLzKZWYA9vonnGWuW7zxWhyZrL/BFxyIGbISx8",\n "event": "Accepted"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "data_stream": {\n "namespace": "default",\n "type": "logs",\n "dataset": "system.auth"\n },\n "host": {\n "hostname": "siem-kibana",\n "os": {\n "kernel": "4.9.0-8-amd64",\n "codename": "stretch",\n "name": "Debian GNU/Linux",\n "family": "debian",\n "version": "9 (stretch)",\n "platform": "debian"\n },\n "containerized": false,\n "ip": [\n "10.142.0.7",\n "fe80::4001:aff:fe8e:7"\n ],\n "name": "siem-kibana",\n "id": "aa7ca589f1b8220002f2fc61c64cfbf1",\n "mac": [\n "42:01:0a:8e:00:07"\n ],\n "architecture": "x86_64"\n },\n "event": {\n "timezone": "+00:00",\n "action": "ssh_login",\n "type": "authentication_success",\n "category": "authentication",\n "dataset": "system.auth",\n "outcome": "success"\n },\n "user": {\n "name": "tsg"\n }\n },\n "sort": [\n 1599220161000\n ]\n }\n ]\n }\n }\n }\n },\n {\n "key": "admin",\n "doc_count": 23,\n "failures": {\n "doc_count": 23,\n "lastFailure": {\n "hits": {\n "total": 23,\n "max_score": 0,\n "hits": [\n {\n "_index": ".ds-logs-system.auth-default-000001",\n "_id": "ZfxZWXQBc39KFIJbLN5U",\n "_score": null,\n "_source": {\n "agent": {\n "hostname": "siem-kibana",\n "name": "siem-kibana",\n "id": "aa3d9dc7-fef1-4c2f-a68d-25785d624e35",\n "ephemeral_id": "e503bd85-11c7-4bc9-ae7d-70be1d919fb7",\n "type": "filebeat",\n "version": "7.9.1"\n },\n "process": {\n "name": "sshd",\n "pid": 22913\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 562910\n },\n "source": {\n "geo": {\n "continent_name": "Asia",\n "region_iso_code": "KR-28",\n "city_name": "Incheon",\n "country_iso_code": "KR",\n "region_name": "Incheon",\n "location": {\n "lon": 126.7288,\n "lat": 37.4562\n }\n },\n "as": {\n "number": 4766,\n "organization": {\n "name": "Korea Telecom"\n }\n },\n "ip": "59.15.3.197"\n },\n "cloud": {\n "availability_zone": "us-east1-b",\n "instance": {\n "name": "siem-kibana",\n "id": "5412578377715150143"\n },\n "provider": "gcp",\n "machine": {\n "type": "n1-standard-2"\n },\n "project": {\n "id": "elastic-beats"\n }\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T13:40:46.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "data_stream": {\n "namespace": "default",\n "type": "logs",\n "dataset": "system.auth"\n },\n "host": {\n "hostname": "siem-kibana",\n "os": {\n "kernel": "4.9.0-8-amd64",\n "codename": "stretch",\n "name": "Debian GNU/Linux",\n "family": "debian",\n "version": "9 (stretch)",\n "platform": "debian"\n },\n "containerized": false,\n "ip": [\n "10.142.0.7",\n "fe80::4001:aff:fe8e:7"\n ],\n "name": "siem-kibana",\n "id": "aa7ca589f1b8220002f2fc61c64cfbf1",\n "mac": [\n "42:01:0a:8e:00:07"\n ],\n "architecture": "x86_64"\n },\n "event": {\n "timezone": "+00:00",\n "action": "ssh_login",\n "type": "authentication_failure",\n "category": "authentication",\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "admin"\n }\n },\n "sort": [\n 1599226846000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n },\n {\n "key": "user",\n "doc_count": 21,\n "failures": {\n "doc_count": 21,\n "lastFailure": {\n "hits": {\n "total": 21,\n "max_score": 0,\n "hits": [\n {\n "_index": "filebeat-8.0.0-2020.09.02-000001",\n "_id": "M_xLWXQBc39KFIJbY7Cb",\n "_score": null,\n "_source": {\n "agent": {\n "name": "bastion00.siem.estc.dev",\n "id": "f9a321c1-ec27-49fa-aacf-6a50ef6d836f",\n "type": "filebeat",\n "ephemeral_id": "734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc",\n "version": "8.0.0"\n },\n "process": {\n "name": "sshd",\n "pid": 20671\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 1028103\n },\n "source": {\n "geo": {\n "continent_name": "North America",\n "region_iso_code": "US-NY",\n "city_name": "New York",\n "country_iso_code": "US",\n "region_name": "New York",\n "location": {\n "lon": -74,\n "lat": 40.7157\n }\n },\n "ip": "64.227.88.245"\n },\n "fileset": {\n "name": "auth"\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T13:25:43.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "related": {\n "ip": [\n "64.227.88.245"\n ],\n "user": [\n "user"\n ]\n },\n "service": {\n "type": "system"\n },\n "host": {\n "hostname": "bastion00",\n "name": "bastion00.siem.estc.dev"\n },\n "event": {\n "ingested": "2020-09-04T13:25:47.034172Z",\n "timezone": "+00:00",\n "kind": "event",\n "module": "system",\n "action": "ssh_login",\n "type": [\n "authentication_failure",\n "info"\n ],\n "category": [\n "authentication"\n ],\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "user"\n }\n },\n "sort": [\n 1599225943000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n },\n {\n "key": "ubuntu",\n "doc_count": 18,\n "failures": {\n "doc_count": 18,\n "lastFailure": {\n "hits": {\n "total": 18,\n "max_score": 0,\n "hits": [\n {\n "_index": "filebeat-8.0.0-2020.09.02-000001",\n "_id": "nPxKWXQBc39KFIJb7q4w",\n "_score": null,\n "_source": {\n "agent": {\n "name": "bastion00.siem.estc.dev",\n "id": "f9a321c1-ec27-49fa-aacf-6a50ef6d836f",\n "ephemeral_id": "734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc",\n "type": "filebeat",\n "version": "8.0.0"\n },\n "process": {\n "name": "sshd",\n "pid": 20665\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 1027372\n },\n "source": {\n "geo": {\n "continent_name": "North America",\n "region_iso_code": "US-NY",\n "city_name": "New York",\n "country_iso_code": "US",\n "region_name": "New York",\n "location": {\n "lon": -74,\n "lat": 40.7157\n }\n },\n "ip": "64.227.88.245"\n },\n "fileset": {\n "name": "auth"\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T13:25:07.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "related": {\n "ip": [\n "64.227.88.245"\n ],\n "user": [\n "ubuntu"\n ]\n },\n "service": {\n "type": "system"\n },\n "host": {\n "hostname": "bastion00",\n "name": "bastion00.siem.estc.dev"\n },\n "event": {\n "ingested": "2020-09-04T13:25:16.974606Z",\n "timezone": "+00:00",\n "kind": "event",\n "module": "system",\n "action": "ssh_login",\n "type": [\n "authentication_failure",\n "info"\n ],\n "category": [\n "authentication"\n ],\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "ubuntu"\n }\n },\n "sort": [\n 1599225907000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n },\n {\n "key": "odoo",\n "doc_count": 17,\n "failures": {\n "doc_count": 17,\n "lastFailure": {\n "hits": {\n "total": 17,\n "max_score": 0,\n "hits": [\n {\n "_index": ".ds-logs-system.auth-default-000001",\n "_id": "mPsfWXQBc39KFIJbI8HI",\n "_score": null,\n "_source": {\n "agent": {\n "hostname": "siem-kibana",\n "name": "siem-kibana",\n "id": "aa3d9dc7-fef1-4c2f-a68d-25785d624e35",\n "type": "filebeat",\n "ephemeral_id": "e503bd85-11c7-4bc9-ae7d-70be1d919fb7",\n "version": "7.9.1"\n },\n "process": {\n "name": "sshd",\n "pid": 21506\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 556761\n },\n "source": {\n "geo": {\n "continent_name": "Asia",\n "region_iso_code": "IN-DL",\n "city_name": "New Delhi",\n "country_iso_code": "IN",\n "region_name": "National Capital Territory of Delhi",\n "location": {\n "lon": 77.2245,\n "lat": 28.6358\n }\n },\n "as": {\n "number": 10029,\n "organization": {\n "name": "SHYAM SPECTRA PVT LTD"\n }\n },\n "ip": "180.151.228.166"\n },\n "cloud": {\n "availability_zone": "us-east1-b",\n "instance": {\n "name": "siem-kibana",\n "id": "5412578377715150143"\n },\n "provider": "gcp",\n "machine": {\n "type": "n1-standard-2"\n },\n "project": {\n "id": "elastic-beats"\n }\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T12:26:36.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "data_stream": {\n "namespace": "default",\n "type": "logs",\n "dataset": "system.auth"\n },\n "host": {\n "hostname": "siem-kibana",\n "os": {\n "kernel": "4.9.0-8-amd64",\n "codename": "stretch",\n "name": "Debian GNU/Linux",\n "family": "debian",\n "version": "9 (stretch)",\n "platform": "debian"\n },\n "containerized": false,\n "ip": [\n "10.142.0.7",\n "fe80::4001:aff:fe8e:7"\n ],\n "name": "siem-kibana",\n "id": "aa7ca589f1b8220002f2fc61c64cfbf1",\n "mac": [\n "42:01:0a:8e:00:07"\n ],\n "architecture": "x86_64"\n },\n "event": {\n "timezone": "+00:00",\n "action": "ssh_login",\n "type": "authentication_failure",\n "category": "authentication",\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "odoo"\n }\n },\n "sort": [\n 1599222396000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n },\n {\n "key": "pi",\n "doc_count": 17,\n "failures": {\n "doc_count": 17,\n "lastFailure": {\n "hits": {\n "total": 17,\n "max_score": 0,\n "hits": [\n {\n "_index": "filebeat-8.0.0-2020.09.02-000001",\n "_id": "aaToWHQBA6bGZw2uR-St",\n "_score": null,\n "_source": {\n "agent": {\n "name": "bastion00.siem.estc.dev",\n "id": "f9a321c1-ec27-49fa-aacf-6a50ef6d836f",\n "type": "filebeat",\n "ephemeral_id": "734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc",\n "version": "8.0.0"\n },\n "process": {\n "name": "sshd",\n "pid": 20475\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 1019218\n },\n "source": {\n "geo": {\n "continent_name": "Europe",\n "region_iso_code": "SE-AB",\n "city_name": "Stockholm",\n "country_iso_code": "SE",\n "region_name": "Stockholm",\n "location": {\n "lon": 17.7833,\n "lat": 59.25\n }\n },\n "as": {\n "number": 8473,\n "organization": {\n "name": "Bahnhof AB"\n }\n },\n "ip": "178.174.148.58"\n },\n "fileset": {\n "name": "auth"\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T11:37:22.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "related": {\n "ip": [\n "178.174.148.58"\n ],\n "user": [\n "pi"\n ]\n },\n "service": {\n "type": "system"\n },\n "host": {\n "hostname": "bastion00",\n "name": "bastion00.siem.estc.dev"\n },\n "event": {\n "ingested": "2020-09-04T11:37:31.797423Z",\n "timezone": "+00:00",\n "kind": "event",\n "module": "system",\n "action": "ssh_login",\n "type": [\n "authentication_failure",\n "info"\n ],\n "category": [\n "authentication"\n ],\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "pi"\n }\n },\n "sort": [\n 1599219442000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n },\n {\n "key": "demo",\n "doc_count": 14,\n "failures": {\n "doc_count": 14,\n "lastFailure": {\n "hits": {\n "total": 14,\n "max_score": 0,\n "hits": [\n {\n "_index": "filebeat-8.0.0-2020.09.02-000001",\n "_id": "VaP_V3QBA6bGZw2upUbg",\n "_score": null,\n "_source": {\n "agent": {\n "name": "bastion00.siem.estc.dev",\n "id": "f9a321c1-ec27-49fa-aacf-6a50ef6d836f",\n "type": "filebeat",\n "ephemeral_id": "734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc",\n "version": "8.0.0"\n },\n "process": {\n "name": "sshd",\n "pid": 19849\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 981036\n },\n "source": {\n "geo": {\n "continent_name": "Europe",\n "country_iso_code": "HR",\n "location": {\n "lon": 15.5,\n "lat": 45.1667\n }\n },\n "as": {\n "number": 42864,\n "organization": {\n "name": "Giganet Internet Szolgaltato Kft"\n }\n },\n "ip": "45.95.168.157"\n },\n "fileset": {\n "name": "auth"\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T07:23:22.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "related": {\n "ip": [\n "45.95.168.157"\n ],\n "user": [\n "demo"\n ]\n },\n "service": {\n "type": "system"\n },\n "host": {\n "hostname": "bastion00",\n "name": "bastion00.siem.estc.dev"\n },\n "event": {\n "ingested": "2020-09-04T07:23:26.046346Z",\n "timezone": "+00:00",\n "kind": "event",\n "module": "system",\n "action": "ssh_login",\n "type": [\n "authentication_failure",\n "info"\n ],\n "category": [\n "authentication"\n ],\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "demo"\n }\n },\n "sort": [\n 1599204202000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n },\n {\n "key": "git",\n "doc_count": 13,\n "failures": {\n "doc_count": 13,\n "lastFailure": {\n "hits": {\n "total": 13,\n "max_score": 0,\n "hits": [\n {\n "_index": ".ds-logs-system.auth-default-000001",\n "_id": "PqYfWXQBA6bGZw2uIhVU",\n "_score": null,\n "_source": {\n "agent": {\n "hostname": "siem-kibana",\n "name": "siem-kibana",\n "id": "aa3d9dc7-fef1-4c2f-a68d-25785d624e35",\n "ephemeral_id": "e503bd85-11c7-4bc9-ae7d-70be1d919fb7",\n "type": "filebeat",\n "version": "7.9.1"\n },\n "process": {\n "name": "sshd",\n "pid": 20396\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 550795\n },\n "source": {\n "geo": {\n "continent_name": "Asia",\n "region_iso_code": "CN-BJ",\n "city_name": "Beijing",\n "country_iso_code": "CN",\n "region_name": "Beijing",\n "location": {\n "lon": 116.3889,\n "lat": 39.9288\n }\n },\n "as": {\n "number": 45090,\n "organization": {\n "name": "Shenzhen Tencent Computer Systems Company Limited"\n }\n },\n "ip": "123.206.30.76"\n },\n "cloud": {\n "availability_zone": "us-east1-b",\n "instance": {\n "name": "siem-kibana",\n "id": "5412578377715150143"\n },\n "provider": "gcp",\n "machine": {\n "type": "n1-standard-2"\n },\n "project": {\n "id": "elastic-beats"\n }\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T11:20:26.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "data_stream": {\n "namespace": "default",\n "type": "logs",\n "dataset": "system.auth"\n },\n "host": {\n "hostname": "siem-kibana",\n "os": {\n "kernel": "4.9.0-8-amd64",\n "codename": "stretch",\n "name": "Debian GNU/Linux",\n "family": "debian",\n "version": "9 (stretch)",\n "platform": "debian"\n },\n "containerized": false,\n "ip": [\n "10.142.0.7",\n "fe80::4001:aff:fe8e:7"\n ],\n "name": "siem-kibana",\n "id": "aa7ca589f1b8220002f2fc61c64cfbf1",\n "mac": [\n "42:01:0a:8e:00:07"\n ],\n "architecture": "x86_64"\n },\n "event": {\n "timezone": "+00:00",\n "action": "ssh_login",\n "type": "authentication_failure",\n "category": "authentication",\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "git"\n }\n },\n "sort": [\n 1599218426000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n },\n {\n "key": "webadmin",\n "doc_count": 13,\n "failures": {\n "doc_count": 13,\n "lastFailure": {\n "hits": {\n "total": 13,\n "max_score": 0,\n "hits": [\n {\n "_index": "filebeat-8.0.0-2020.09.02-000001",\n "_id": "iMABWHQBB-gskclyitP-",\n "_score": null,\n "_source": {\n "agent": {\n "name": "bastion00.siem.estc.dev",\n "id": "f9a321c1-ec27-49fa-aacf-6a50ef6d836f",\n "type": "filebeat",\n "ephemeral_id": "734ee3da-1a4f-4bc9-b400-e0cf0e5eeebc",\n "version": "8.0.0"\n },\n "process": {\n "name": "sshd",\n "pid": 19870\n },\n "log": {\n "file": {\n "path": "/var/log/auth.log"\n },\n "offset": 984133\n },\n "source": {\n "geo": {\n "continent_name": "Europe",\n "country_iso_code": "HR",\n "location": {\n "lon": 15.5,\n "lat": 45.1667\n }\n },\n "as": {\n "number": 42864,\n "organization": {\n "name": "Giganet Internet Szolgaltato Kft"\n }\n },\n "ip": "45.95.168.157"\n },\n "fileset": {\n "name": "auth"\n },\n "input": {\n "type": "log"\n },\n "@timestamp": "2020-09-04T07:25:28.000Z",\n "system": {\n "auth": {\n "ssh": {\n "event": "Invalid"\n }\n }\n },\n "ecs": {\n "version": "1.5.0"\n },\n "related": {\n "ip": [\n "45.95.168.157"\n ],\n "user": [\n "webadmin"\n ]\n },\n "service": {\n "type": "system"\n },\n "host": {\n "hostname": "bastion00",\n "name": "bastion00.siem.estc.dev"\n },\n "event": {\n "ingested": "2020-09-04T07:25:30.236651Z",\n "timezone": "+00:00",\n "kind": "event",\n "module": "system",\n "action": "ssh_login",\n "type": [\n "authentication_failure",\n "info"\n ],\n "category": [\n "authentication"\n ],\n "dataset": "system.auth",\n "outcome": "failure"\n },\n "user": {\n "name": "webadmin"\n }\n },\n "sort": [\n 1599204328000\n ]\n }\n ]\n }\n }\n },\n "successes": {\n "doc_count": 0,\n "lastSuccess": {\n "hits": {\n "total": 0,\n "max_score": 0,\n "hits": []\n }\n }\n }\n }\n ]\n },\n "user_count": {\n "value": 188\n }\n }\n },\n "total": 21,\n "loaded": 21\n}', + ], + }, + hostDetails: {}, +}; + +export const expectedDsl = { + allowNoIndices: true, + index: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + ignoreUnavailable: true, + body: { + aggregations: { + host_architecture: { + terms: { field: 'host.architecture', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_id: { + terms: { field: 'host.id', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_ip: { + terms: { field: 'host.ip', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_mac: { + terms: { field: 'host.mac', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_name: { + terms: { field: 'host.name', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_os_family: { + terms: { field: 'host.os.family', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_os_name: { + terms: { field: 'host.os.name', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_os_platform: { + terms: { field: 'host.os.platform', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + host_os_version: { + terms: { field: 'host.os.version', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + cloud_instance_id: { + terms: { field: 'cloud.instance.id', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + cloud_machine_type: { + terms: { field: 'cloud.machine.type', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + cloud_provider: { + terms: { field: 'cloud.provider', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + cloud_region: { + terms: { field: 'cloud.region', size: 10, order: { timestamp: 'desc' } }, + aggs: { timestamp: { max: { field: '@timestamp' } } }, + }, + }, + query: { + bool: { + filter: [ + { term: { 'host.name': 'bastion00' } }, + { + range: { + '@timestamp': { + format: 'strict_date_optional_time', + gte: '2020-09-02T15:17:13.678Z', + lte: '2020-09-03T15:17:13.678Z', + }, + }, + }, + ], + }, + }, + size: 0, + track_total_hits: false, + }, +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx new file mode 100644 index 0000000000000..816b9b2081c63 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx @@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import * as buildQuery from './query.host_details.dsl'; +import { hostDetails } from '.'; +import { + mockOptions, + mockSearchStrategyResponse, + formattedSearchStrategyResponse, +} from './__mocks__'; + +describe('hostDetails search strategy', () => { + const buildHostDetailsQuery = jest.spyOn(buildQuery, 'buildHostDetailsQuery'); + + afterEach(() => { + buildHostDetailsQuery.mockClear(); + }); + + describe('buildDsl', () => { + test('should build dsl query', () => { + hostDetails.buildDsl(mockOptions); + expect(buildHostDetailsQuery).toHaveBeenCalledWith(mockOptions); + }); + }); + + describe('parse', () => { + test('should parse data correctly', async () => { + const result = await hostDetails.parse(mockOptions, mockSearchStrategyResponse); + expect(result).toMatchObject(formattedSearchStrategyResponse); + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.test.ts new file mode 100644 index 0000000000000..eab1966434859 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.test.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +import { buildHostDetailsQuery as buildQuery } from './query.host_details.dsl'; +import { mockOptions, expectedDsl } from './__mocks__/'; + +describe('buildQuery', () => { + test('build query from options correctly', () => { + expect(buildQuery(mockOptions)).toEqual(expectedDsl); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts new file mode 100644 index 0000000000000..73cf74087aad6 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts @@ -0,0 +1,1305 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common'; + +import { MatrixHistogramStrategyResponse } from '../../../../../../common/search_strategy'; + +export const mockAlertsSearchStrategyResponse: IEsSearchResponse = { + isPartial: false, + isRunning: false, + rawResponse: { + took: 11, + timed_out: false, + _shards: { total: 21, successful: 21, skipped: 0, failed: 0 }, + hits: { total: 0, max_score: 0, hits: [] }, + aggregations: { + alertsGroup: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + }, + total: 21, + loaded: 21, +}; + +export const formattedAlertsSearchStrategyResponse: MatrixHistogramStrategyResponse = { + ...mockAlertsSearchStrategyResponse, + inspect: { + dsl: [ + '{\n "index": [\n "apm-*-transaction*",\n "auditbeat-*",\n "endgame-*",\n "filebeat-*",\n "logs-*",\n "packetbeat-*",\n "winlogbeat-*"\n ],\n "allowNoIndices": true,\n "ignoreUnavailable": true,\n "body": {\n "aggregations": {\n "alertsGroup": {\n "terms": {\n "field": "event.module",\n "missing": "All others",\n "order": {\n "_count": "desc"\n },\n "size": 10\n },\n "aggs": {\n "alerts": {\n "date_histogram": {\n "field": "@timestamp",\n "fixed_interval": "2700000ms",\n "min_doc_count": 0,\n "extended_bounds": {\n "min": 1599574984482,\n "max": 1599661384482\n }\n }\n }\n }\n }\n },\n "query": {\n "bool": {\n "filter": [\n "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"filter\\":[{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"host.name\\"}}],\\"minimum_should_match\\":1}}]}}],\\"should\\":[],\\"must_not\\":[]}}",\n {\n "bool": {\n "filter": [\n {\n "bool": {\n "should": [\n {\n "match": {\n "event.kind": "alert"\n }\n }\n ],\n "minimum_should_match": 1\n }\n }\n ]\n }\n },\n {\n "range": {\n "@timestamp": {\n "gte": "2020-09-08T14:23:04.482Z",\n "lte": "2020-09-09T14:23:04.482Z",\n "format": "strict_date_optional_time"\n }\n }\n }\n ]\n }\n },\n "size": 0,\n "track_total_hits": true\n }\n}', + ], + }, + matrixHistogramData: [], + totalCount: 0, +}; + +export const expectedDsl = { + allowNoIndices: true, + body: { + aggregations: { + host_count: { cardinality: { field: 'host.name' } }, + host_data: { + aggs: { + lastSeen: { max: { field: '@timestamp' } }, + os: { + top_hits: { + _source: { includes: ['host.os.*'] }, + size: 1, + sort: [{ '@timestamp': { order: 'desc' } }], + }, + }, + }, + terms: { field: 'host.name', order: { lastSeen: 'desc' }, size: 10 }, + }, + }, + query: { + bool: { + filter: [ + { bool: { filter: [{ match_all: {} }], must: [], must_not: [], should: [] } }, + { + range: { + '@timestamp': { + format: 'strict_date_optional_time', + gte: '2020-09-03T09:15:21.415Z', + lte: '2020-09-04T09:15:21.415Z', + }, + }, + }, + ], + }, + }, + size: 0, + track_total_hits: false, + }, + ignoreUnavailable: true, + index: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], +}; + +export const mockAnomaliesSearchStrategyResponse: IEsSearchResponse = { + isPartial: false, + isRunning: false, + rawResponse: { + took: 9, + timed_out: false, + _shards: { total: 21, successful: 21, skipped: 0, failed: 0 }, + hits: { total: 0, max_score: 0, hits: [] }, + aggregations: { + anomalyActionGroup: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + }, + total: 21, + loaded: 21, +}; + +export const formattedAnomaliesSearchStrategyResponse: MatrixHistogramStrategyResponse = { + ...mockAnomaliesSearchStrategyResponse, + inspect: { + dsl: [ + '{\n "index": [\n "apm-*-transaction*",\n "auditbeat-*",\n "endgame-*",\n "filebeat-*",\n "logs-*",\n "packetbeat-*",\n "winlogbeat-*"\n ],\n "allowNoIndices": true,\n "ignoreUnavailable": true,\n "body": {\n "aggs": {\n "anomalyActionGroup": {\n "terms": {\n "field": "job_id",\n "order": {\n "_count": "desc"\n },\n "size": 10\n },\n "aggs": {\n "anomalies": {\n "date_histogram": {\n "field": "timestamp",\n "fixed_interval": "2700000ms",\n "min_doc_count": 0,\n "extended_bounds": {\n "min": 1599578075566,\n "max": 1599664475566\n }\n }\n }\n }\n }\n },\n "query": {\n "bool": {\n "filter": [\n "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"should\\":[],\\"minimum_should_match\\":1}},{\\"match_phrase\\":{\\"result_type\\":\\"record\\"}},null,{\\"range\\":{\\"record_score\\":{\\"gte\\":50}}}],\\"should\\":[{\\"exists\\":{\\"field\\":\\"source.ip\\"}},{\\"exists\\":{\\"field\\":\\"destination.ip\\"}}],\\"must_not\\":[],\\"minimum_should_match\\":1}}",\n {\n "range": {\n "timestamp": {\n "gte": "2020-09-08T15:14:35.566Z",\n "lte": "2020-09-09T15:14:35.566Z",\n "format": "strict_date_optional_time"\n }\n }\n }\n ]\n }\n },\n "size": 0,\n "track_total_hits": true\n }\n}', + ], + }, + matrixHistogramData: [], + totalCount: 0, +}; + +export const mockAuthenticationsSearchStrategyResponse: IEsSearchResponse = { + isPartial: false, + isRunning: false, + rawResponse: { + took: 6, + timed_out: false, + _shards: { total: 21, successful: 21, skipped: 0, failed: 0 }, + hits: { total: 0, max_score: 0, hits: [] }, + aggregations: { + eventActionGroup: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [ + { + key: 'failure', + doc_count: 379, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:00:00.000Z', key: 1599577200000, doc_count: 1 }, + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 4 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 34 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 1 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 3 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 20 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 24 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 37 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 4 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 22 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 3 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 0 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 2 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 21 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 28 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 30 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 19 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 4 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 1 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 6 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 18 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 5 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 23 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 15 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 2 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 0 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 5 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 2 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 4 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 6 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 11 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 0 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 24 }, + ], + }, + }, + { + key: 'success', + doc_count: 191, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:00:00.000Z', key: 1599577200000, doc_count: 2 }, + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 5 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 5 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 2 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 4 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 6 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 4 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 13 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 6 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 3 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 1 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 9 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 5 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 6 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 8 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 2 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 9 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 2 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 5 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 2 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 14 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 7 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 13 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 10 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 5 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 2 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 6 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 7 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 5 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 6 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 5 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 10 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 2 }, + ], + }, + }, + ], + }, + }, + }, + total: 21, + loaded: 21, +}; + +export const formattedAuthenticationsSearchStrategyResponse: MatrixHistogramStrategyResponse = { + ...mockAuthenticationsSearchStrategyResponse, + inspect: { + dsl: [ + '{\n "index": [\n "apm-*-transaction*",\n "auditbeat-*",\n "endgame-*",\n "filebeat-*",\n "logs-*",\n "packetbeat-*",\n "winlogbeat-*"\n ],\n "allowNoIndices": true,\n "ignoreUnavailable": true,\n "body": {\n "aggregations": {\n "eventActionGroup": {\n "terms": {\n "field": "event.outcome",\n "include": [\n "success",\n "failure"\n ],\n "order": {\n "_count": "desc"\n },\n "size": 2\n },\n "aggs": {\n "events": {\n "date_histogram": {\n "field": "@timestamp",\n "fixed_interval": "2700000ms",\n "min_doc_count": 0,\n "extended_bounds": {\n "min": 1599578520325,\n "max": 1599664920325\n }\n }\n }\n }\n }\n },\n "query": {\n "bool": {\n "filter": [\n "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n {\n "bool": {\n "must": [\n {\n "term": {\n "event.category": "authentication"\n }\n }\n ]\n }\n },\n {\n "range": {\n "@timestamp": {\n "gte": "2020-09-08T15:22:00.325Z",\n "lte": "2020-09-09T15:22:00.325Z",\n "format": "strict_date_optional_time"\n }\n }\n }\n ]\n }\n },\n "size": 0,\n "track_total_hits": true\n }\n}', + ], + }, + matrixHistogramData: [ + { x: 1599577200000, y: 1, g: 'failure' }, + { x: 1599579900000, y: 4, g: 'failure' }, + { x: 1599582600000, y: 34, g: 'failure' }, + { x: 1599585300000, y: 1, g: 'failure' }, + { x: 1599588000000, y: 3, g: 'failure' }, + { x: 1599590700000, y: 20, g: 'failure' }, + { x: 1599593400000, y: 24, g: 'failure' }, + { x: 1599596100000, y: 37, g: 'failure' }, + { x: 1599598800000, y: 4, g: 'failure' }, + { x: 1599601500000, y: 22, g: 'failure' }, + { x: 1599604200000, y: 3, g: 'failure' }, + { x: 1599606900000, y: 0, g: 'failure' }, + { x: 1599609600000, y: 2, g: 'failure' }, + { x: 1599612300000, y: 21, g: 'failure' }, + { x: 1599615000000, y: 28, g: 'failure' }, + { x: 1599617700000, y: 30, g: 'failure' }, + { x: 1599620400000, y: 19, g: 'failure' }, + { x: 1599623100000, y: 4, g: 'failure' }, + { x: 1599625800000, y: 1, g: 'failure' }, + { x: 1599628500000, y: 6, g: 'failure' }, + { x: 1599631200000, y: 18, g: 'failure' }, + { x: 1599633900000, y: 5, g: 'failure' }, + { x: 1599636600000, y: 23, g: 'failure' }, + { x: 1599639300000, y: 15, g: 'failure' }, + { x: 1599642000000, y: 2, g: 'failure' }, + { x: 1599644700000, y: 0, g: 'failure' }, + { x: 1599647400000, y: 5, g: 'failure' }, + { x: 1599650100000, y: 2, g: 'failure' }, + { x: 1599652800000, y: 4, g: 'failure' }, + { x: 1599655500000, y: 6, g: 'failure' }, + { x: 1599658200000, y: 11, g: 'failure' }, + { x: 1599660900000, y: 0, g: 'failure' }, + { x: 1599663600000, y: 24, g: 'failure' }, + { x: 1599577200000, y: 2, g: 'success' }, + { x: 1599579900000, y: 5, g: 'success' }, + { x: 1599582600000, y: 5, g: 'success' }, + { x: 1599585300000, y: 2, g: 'success' }, + { x: 1599588000000, y: 4, g: 'success' }, + { x: 1599590700000, y: 6, g: 'success' }, + { x: 1599593400000, y: 4, g: 'success' }, + { x: 1599596100000, y: 13, g: 'success' }, + { x: 1599598800000, y: 6, g: 'success' }, + { x: 1599601500000, y: 3, g: 'success' }, + { x: 1599604200000, y: 1, g: 'success' }, + { x: 1599606900000, y: 9, g: 'success' }, + { x: 1599609600000, y: 5, g: 'success' }, + { x: 1599612300000, y: 6, g: 'success' }, + { x: 1599615000000, y: 8, g: 'success' }, + { x: 1599617700000, y: 2, g: 'success' }, + { x: 1599620400000, y: 9, g: 'success' }, + { x: 1599623100000, y: 2, g: 'success' }, + { x: 1599625800000, y: 5, g: 'success' }, + { x: 1599628500000, y: 2, g: 'success' }, + { x: 1599631200000, y: 14, g: 'success' }, + { x: 1599633900000, y: 7, g: 'success' }, + { x: 1599636600000, y: 13, g: 'success' }, + { x: 1599639300000, y: 10, g: 'success' }, + { x: 1599642000000, y: 5, g: 'success' }, + { x: 1599644700000, y: 2, g: 'success' }, + { x: 1599647400000, y: 6, g: 'success' }, + { x: 1599650100000, y: 7, g: 'success' }, + { x: 1599652800000, y: 5, g: 'success' }, + { x: 1599655500000, y: 6, g: 'success' }, + { x: 1599658200000, y: 5, g: 'success' }, + { x: 1599660900000, y: 10, g: 'success' }, + { x: 1599663600000, y: 2, g: 'success' }, + ], + totalCount: 0, +}; + +export const mockEventsSearchStrategyResponse: IEsSearchResponse = { + isPartial: false, + isRunning: false, + rawResponse: { + took: 198, + timed_out: false, + _shards: { total: 21, successful: 21, skipped: 0, failed: 0 }, + hits: { total: 0, max_score: 0, hits: [] }, + aggregations: { + eventActionGroup: { + doc_count_error_upper_bound: 3, + sum_other_doc_count: 4090, + buckets: [ + { + key: 'All others', + doc_count: 1556741, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 26124 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 62910 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 60326 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 56144 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 53614 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 53228 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 61195 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 52082 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 52697 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 41094 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 50164 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 41500 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 42373 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 49785 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 42237 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 43114 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 40716 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 39248 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 37674 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 41072 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 37049 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 38561 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 40895 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 45490 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 46559 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 40020 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 44335 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 47252 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 48744 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 55756 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 56887 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 66920 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 40976 }, + ], + }, + }, + { + key: 'end', + doc_count: 18413, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 226 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 547 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 532 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 551 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 543 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 547 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 656 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 543 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 616 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 539 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 539 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 547 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 616 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 640 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 614 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 545 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 537 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 544 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 571 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 743 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 560 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 598 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 613 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 563 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 540 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 538 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 549 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 561 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 554 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 561 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 542 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 712 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 326 }, + ], + }, + }, + { + key: 'fork', + doc_count: 18412, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 226 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 546 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 532 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 551 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 543 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 547 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 656 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 543 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 616 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 539 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 539 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 547 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 616 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 640 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 614 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 545 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 537 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 544 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 571 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 743 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 560 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 598 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 613 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 563 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 540 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 538 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 549 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 561 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 554 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 561 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 542 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 712 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 326 }, + ], + }, + }, + { + key: 'exec', + doc_count: 15183, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 189 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 456 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 445 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 458 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 455 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 457 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 511 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 455 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 493 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 451 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 453 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 460 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 521 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 504 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 490 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 457 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 447 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 454 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 469 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 642 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 465 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 481 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 489 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 466 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 452 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 448 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 457 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 471 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 460 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 463 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 455 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 547 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 262 }, + ], + }, + }, + { + key: 'disconnect_received', + doc_count: 4998, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 59 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 151 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 139 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 144 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 143 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 144 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 202 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 142 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 180 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 144 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 143 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 137 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 150 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 195 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 178 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 144 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 143 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 142 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 157 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 166 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 153 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 168 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 175 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 158 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 142 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 144 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 147 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 139 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 145 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 158 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 137 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 234 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 95 }, + ], + }, + }, + { + key: 'connection_attempted', + doc_count: 4534, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 60 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 145 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 138 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 144 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 140 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 144 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 145 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 137 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 142 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 142 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 143 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 132 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 153 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 143 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 142 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 143 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 142 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 140 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 140 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 148 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 142 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 139 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 139 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 142 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 142 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 143 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 141 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 137 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 141 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 144 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 138 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 145 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 78 }, + ], + }, + }, + { + key: 'creation', + doc_count: 1880, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 24 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 53 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 50 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 54 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 55 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 53 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 54 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 54 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 55 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 52 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 51 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 58 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 122 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 54 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 54 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 56 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 53 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 55 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 51 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 144 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 54 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 53 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 51 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 57 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 55 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 52 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 52 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 57 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 56 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 53 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 51 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 56 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 31 }, + ], + }, + }, + { + key: 'deletion', + doc_count: 1869, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 23 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 53 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 50 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 54 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 54 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 53 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 53 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 54 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 55 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 52 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 51 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 55 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 121 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 54 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 53 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 55 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 53 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 54 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 51 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 146 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 54 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 53 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 51 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 55 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 55 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 52 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 55 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 55 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 55 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 53 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 51 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 55 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 31 }, + ], + }, + }, + { + key: 'File Delete (rule: FileDelete)', + doc_count: 1831, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 19 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 46 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 47 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 47 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 47 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 45 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 48 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 46 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 45 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 47 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 47 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 60 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 45 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 46 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 46 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 47 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 88 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 53 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 46 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 49 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 45 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 48 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 46 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 46 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 45 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 47 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 47 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 45 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 331 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 45 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 47 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 47 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 28 }, + ], + }, + }, + { + key: 'session_id_change', + doc_count: 647, + events: { + buckets: [ + { key_as_string: '2020-09-08T15:45:00.000Z', key: 1599579900000, doc_count: 3 }, + { key_as_string: '2020-09-08T16:30:00.000Z', key: 1599582600000, doc_count: 9 }, + { key_as_string: '2020-09-08T17:15:00.000Z', key: 1599585300000, doc_count: 7 }, + { key_as_string: '2020-09-08T18:00:00.000Z', key: 1599588000000, doc_count: 10 }, + { key_as_string: '2020-09-08T18:45:00.000Z', key: 1599590700000, doc_count: 7 }, + { key_as_string: '2020-09-08T19:30:00.000Z', key: 1599593400000, doc_count: 10 }, + { key_as_string: '2020-09-08T20:15:00.000Z', key: 1599596100000, doc_count: 63 }, + { key_as_string: '2020-09-08T21:00:00.000Z', key: 1599598800000, doc_count: 7 }, + { key_as_string: '2020-09-08T21:45:00.000Z', key: 1599601500000, doc_count: 45 }, + { key_as_string: '2020-09-08T22:30:00.000Z', key: 1599604200000, doc_count: 4 }, + { key_as_string: '2020-09-08T23:15:00.000Z', key: 1599606900000, doc_count: 5 }, + { key_as_string: '2020-09-09T00:00:00.000Z', key: 1599609600000, doc_count: 6 }, + { key_as_string: '2020-09-09T00:45:00.000Z', key: 1599612300000, doc_count: 6 }, + { key_as_string: '2020-09-09T01:30:00.000Z', key: 1599615000000, doc_count: 55 }, + { key_as_string: '2020-09-09T02:15:00.000Z', key: 1599617700000, doc_count: 43 }, + { key_as_string: '2020-09-09T03:00:00.000Z', key: 1599620400000, doc_count: 8 }, + { key_as_string: '2020-09-09T03:45:00.000Z', key: 1599623100000, doc_count: 9 }, + { key_as_string: '2020-09-09T04:30:00.000Z', key: 1599625800000, doc_count: 7 }, + { key_as_string: '2020-09-09T05:15:00.000Z', key: 1599628500000, doc_count: 21 }, + { key_as_string: '2020-09-09T06:00:00.000Z', key: 1599631200000, doc_count: 26 }, + { key_as_string: '2020-09-09T06:45:00.000Z', key: 1599633900000, doc_count: 17 }, + { key_as_string: '2020-09-09T07:30:00.000Z', key: 1599636600000, doc_count: 34 }, + { key_as_string: '2020-09-09T08:15:00.000Z', key: 1599639300000, doc_count: 41 }, + { key_as_string: '2020-09-09T09:00:00.000Z', key: 1599642000000, doc_count: 18 }, + { key_as_string: '2020-09-09T09:45:00.000Z', key: 1599644700000, doc_count: 4 }, + { key_as_string: '2020-09-09T10:30:00.000Z', key: 1599647400000, doc_count: 11 }, + { key_as_string: '2020-09-09T11:15:00.000Z', key: 1599650100000, doc_count: 9 }, + { key_as_string: '2020-09-09T12:00:00.000Z', key: 1599652800000, doc_count: 7 }, + { key_as_string: '2020-09-09T12:45:00.000Z', key: 1599655500000, doc_count: 12 }, + { key_as_string: '2020-09-09T13:30:00.000Z', key: 1599658200000, doc_count: 16 }, + { key_as_string: '2020-09-09T14:15:00.000Z', key: 1599660900000, doc_count: 7 }, + { key_as_string: '2020-09-09T15:00:00.000Z', key: 1599663600000, doc_count: 99 }, + { key_as_string: '2020-09-09T15:45:00.000Z', key: 1599666300000, doc_count: 21 }, + ], + }, + }, + ], + }, + }, + }, + total: 21, + loaded: 21, +}; + +export const formattedEventsSearchStrategyResponse: MatrixHistogramStrategyResponse = { + ...mockEventsSearchStrategyResponse, + inspect: { + dsl: [ + '{\n "index": [\n "apm-*-transaction*",\n "auditbeat-*",\n "endgame-*",\n "filebeat-*",\n "logs-*",\n "packetbeat-*",\n "winlogbeat-*"\n ],\n "allowNoIndices": true,\n "ignoreUnavailable": true,\n "body": {\n "aggregations": {\n "eventActionGroup": {\n "terms": {\n "field": "event.action",\n "missing": "All others",\n "order": {\n "_count": "desc"\n },\n "size": 10\n },\n "aggs": {\n "events": {\n "date_histogram": {\n "field": "@timestamp",\n "fixed_interval": "2700000ms",\n "min_doc_count": 0,\n "extended_bounds": {\n "min": 1599581486215,\n "max": 1599667886215\n }\n }\n }\n }\n }\n },\n "query": {\n "bool": {\n "filter": [\n "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n {\n "range": {\n "@timestamp": {\n "gte": "2020-09-08T16:11:26.215Z",\n "lte": "2020-09-09T16:11:26.215Z",\n "format": "strict_date_optional_time"\n }\n }\n }\n ]\n }\n },\n "size": 0,\n "track_total_hits": true\n }\n}', + ], + }, + totalCount: 0, + matrixHistogramData: [ + { x: 1599579900000, y: 26124, g: 'All others' }, + { x: 1599582600000, y: 62910, g: 'All others' }, + { x: 1599585300000, y: 60326, g: 'All others' }, + { x: 1599588000000, y: 56144, g: 'All others' }, + { x: 1599590700000, y: 53614, g: 'All others' }, + { x: 1599593400000, y: 53228, g: 'All others' }, + { x: 1599596100000, y: 61195, g: 'All others' }, + { x: 1599598800000, y: 52082, g: 'All others' }, + { x: 1599601500000, y: 52697, g: 'All others' }, + { x: 1599604200000, y: 41094, g: 'All others' }, + { x: 1599606900000, y: 50164, g: 'All others' }, + { x: 1599609600000, y: 41500, g: 'All others' }, + { x: 1599612300000, y: 42373, g: 'All others' }, + { x: 1599615000000, y: 49785, g: 'All others' }, + { x: 1599617700000, y: 42237, g: 'All others' }, + { x: 1599620400000, y: 43114, g: 'All others' }, + { x: 1599623100000, y: 40716, g: 'All others' }, + { x: 1599625800000, y: 39248, g: 'All others' }, + { x: 1599628500000, y: 37674, g: 'All others' }, + { x: 1599631200000, y: 41072, g: 'All others' }, + { x: 1599633900000, y: 37049, g: 'All others' }, + { x: 1599636600000, y: 38561, g: 'All others' }, + { x: 1599639300000, y: 40895, g: 'All others' }, + { x: 1599642000000, y: 45490, g: 'All others' }, + { x: 1599644700000, y: 46559, g: 'All others' }, + { x: 1599647400000, y: 40020, g: 'All others' }, + { x: 1599650100000, y: 44335, g: 'All others' }, + { x: 1599652800000, y: 47252, g: 'All others' }, + { x: 1599655500000, y: 48744, g: 'All others' }, + { x: 1599658200000, y: 55756, g: 'All others' }, + { x: 1599660900000, y: 56887, g: 'All others' }, + { x: 1599663600000, y: 66920, g: 'All others' }, + { x: 1599666300000, y: 40976, g: 'All others' }, + { x: 1599579900000, y: 226, g: 'end' }, + { x: 1599582600000, y: 547, g: 'end' }, + { x: 1599585300000, y: 532, g: 'end' }, + { x: 1599588000000, y: 551, g: 'end' }, + { x: 1599590700000, y: 543, g: 'end' }, + { x: 1599593400000, y: 547, g: 'end' }, + { x: 1599596100000, y: 656, g: 'end' }, + { x: 1599598800000, y: 543, g: 'end' }, + { x: 1599601500000, y: 616, g: 'end' }, + { x: 1599604200000, y: 539, g: 'end' }, + { x: 1599606900000, y: 539, g: 'end' }, + { x: 1599609600000, y: 547, g: 'end' }, + { x: 1599612300000, y: 616, g: 'end' }, + { x: 1599615000000, y: 640, g: 'end' }, + { x: 1599617700000, y: 614, g: 'end' }, + { x: 1599620400000, y: 545, g: 'end' }, + { x: 1599623100000, y: 537, g: 'end' }, + { x: 1599625800000, y: 544, g: 'end' }, + { x: 1599628500000, y: 571, g: 'end' }, + { x: 1599631200000, y: 743, g: 'end' }, + { x: 1599633900000, y: 560, g: 'end' }, + { x: 1599636600000, y: 598, g: 'end' }, + { x: 1599639300000, y: 613, g: 'end' }, + { x: 1599642000000, y: 563, g: 'end' }, + { x: 1599644700000, y: 540, g: 'end' }, + { x: 1599647400000, y: 538, g: 'end' }, + { x: 1599650100000, y: 549, g: 'end' }, + { x: 1599652800000, y: 561, g: 'end' }, + { x: 1599655500000, y: 554, g: 'end' }, + { x: 1599658200000, y: 561, g: 'end' }, + { x: 1599660900000, y: 542, g: 'end' }, + { x: 1599663600000, y: 712, g: 'end' }, + { x: 1599666300000, y: 326, g: 'end' }, + { x: 1599579900000, y: 226, g: 'fork' }, + { x: 1599582600000, y: 546, g: 'fork' }, + { x: 1599585300000, y: 532, g: 'fork' }, + { x: 1599588000000, y: 551, g: 'fork' }, + { x: 1599590700000, y: 543, g: 'fork' }, + { x: 1599593400000, y: 547, g: 'fork' }, + { x: 1599596100000, y: 656, g: 'fork' }, + { x: 1599598800000, y: 543, g: 'fork' }, + { x: 1599601500000, y: 616, g: 'fork' }, + { x: 1599604200000, y: 539, g: 'fork' }, + { x: 1599606900000, y: 539, g: 'fork' }, + { x: 1599609600000, y: 547, g: 'fork' }, + { x: 1599612300000, y: 616, g: 'fork' }, + { x: 1599615000000, y: 640, g: 'fork' }, + { x: 1599617700000, y: 614, g: 'fork' }, + { x: 1599620400000, y: 545, g: 'fork' }, + { x: 1599623100000, y: 537, g: 'fork' }, + { x: 1599625800000, y: 544, g: 'fork' }, + { x: 1599628500000, y: 571, g: 'fork' }, + { x: 1599631200000, y: 743, g: 'fork' }, + { x: 1599633900000, y: 560, g: 'fork' }, + { x: 1599636600000, y: 598, g: 'fork' }, + { x: 1599639300000, y: 613, g: 'fork' }, + { x: 1599642000000, y: 563, g: 'fork' }, + { x: 1599644700000, y: 540, g: 'fork' }, + { x: 1599647400000, y: 538, g: 'fork' }, + { x: 1599650100000, y: 549, g: 'fork' }, + { x: 1599652800000, y: 561, g: 'fork' }, + { x: 1599655500000, y: 554, g: 'fork' }, + { x: 1599658200000, y: 561, g: 'fork' }, + { x: 1599660900000, y: 542, g: 'fork' }, + { x: 1599663600000, y: 712, g: 'fork' }, + { x: 1599666300000, y: 326, g: 'fork' }, + { x: 1599579900000, y: 189, g: 'exec' }, + { x: 1599582600000, y: 456, g: 'exec' }, + { x: 1599585300000, y: 445, g: 'exec' }, + { x: 1599588000000, y: 458, g: 'exec' }, + { x: 1599590700000, y: 455, g: 'exec' }, + { x: 1599593400000, y: 457, g: 'exec' }, + { x: 1599596100000, y: 511, g: 'exec' }, + { x: 1599598800000, y: 455, g: 'exec' }, + { x: 1599601500000, y: 493, g: 'exec' }, + { x: 1599604200000, y: 451, g: 'exec' }, + { x: 1599606900000, y: 453, g: 'exec' }, + { x: 1599609600000, y: 460, g: 'exec' }, + { x: 1599612300000, y: 521, g: 'exec' }, + { x: 1599615000000, y: 504, g: 'exec' }, + { x: 1599617700000, y: 490, g: 'exec' }, + { x: 1599620400000, y: 457, g: 'exec' }, + { x: 1599623100000, y: 447, g: 'exec' }, + { x: 1599625800000, y: 454, g: 'exec' }, + { x: 1599628500000, y: 469, g: 'exec' }, + { x: 1599631200000, y: 642, g: 'exec' }, + { x: 1599633900000, y: 465, g: 'exec' }, + { x: 1599636600000, y: 481, g: 'exec' }, + { x: 1599639300000, y: 489, g: 'exec' }, + { x: 1599642000000, y: 466, g: 'exec' }, + { x: 1599644700000, y: 452, g: 'exec' }, + { x: 1599647400000, y: 448, g: 'exec' }, + { x: 1599650100000, y: 457, g: 'exec' }, + { x: 1599652800000, y: 471, g: 'exec' }, + { x: 1599655500000, y: 460, g: 'exec' }, + { x: 1599658200000, y: 463, g: 'exec' }, + { x: 1599660900000, y: 455, g: 'exec' }, + { x: 1599663600000, y: 547, g: 'exec' }, + { x: 1599666300000, y: 262, g: 'exec' }, + { x: 1599579900000, y: 59, g: 'disconnect_received' }, + { x: 1599582600000, y: 151, g: 'disconnect_received' }, + { x: 1599585300000, y: 139, g: 'disconnect_received' }, + { x: 1599588000000, y: 144, g: 'disconnect_received' }, + { x: 1599590700000, y: 143, g: 'disconnect_received' }, + { x: 1599593400000, y: 144, g: 'disconnect_received' }, + { x: 1599596100000, y: 202, g: 'disconnect_received' }, + { x: 1599598800000, y: 142, g: 'disconnect_received' }, + { x: 1599601500000, y: 180, g: 'disconnect_received' }, + { x: 1599604200000, y: 144, g: 'disconnect_received' }, + { x: 1599606900000, y: 143, g: 'disconnect_received' }, + { x: 1599609600000, y: 137, g: 'disconnect_received' }, + { x: 1599612300000, y: 150, g: 'disconnect_received' }, + { x: 1599615000000, y: 195, g: 'disconnect_received' }, + { x: 1599617700000, y: 178, g: 'disconnect_received' }, + { x: 1599620400000, y: 144, g: 'disconnect_received' }, + { x: 1599623100000, y: 143, g: 'disconnect_received' }, + { x: 1599625800000, y: 142, g: 'disconnect_received' }, + { x: 1599628500000, y: 157, g: 'disconnect_received' }, + { x: 1599631200000, y: 166, g: 'disconnect_received' }, + { x: 1599633900000, y: 153, g: 'disconnect_received' }, + { x: 1599636600000, y: 168, g: 'disconnect_received' }, + { x: 1599639300000, y: 175, g: 'disconnect_received' }, + { x: 1599642000000, y: 158, g: 'disconnect_received' }, + { x: 1599644700000, y: 142, g: 'disconnect_received' }, + { x: 1599647400000, y: 144, g: 'disconnect_received' }, + { x: 1599650100000, y: 147, g: 'disconnect_received' }, + { x: 1599652800000, y: 139, g: 'disconnect_received' }, + { x: 1599655500000, y: 145, g: 'disconnect_received' }, + { x: 1599658200000, y: 158, g: 'disconnect_received' }, + { x: 1599660900000, y: 137, g: 'disconnect_received' }, + { x: 1599663600000, y: 234, g: 'disconnect_received' }, + { x: 1599666300000, y: 95, g: 'disconnect_received' }, + { x: 1599579900000, y: 60, g: 'connection_attempted' }, + { x: 1599582600000, y: 145, g: 'connection_attempted' }, + { x: 1599585300000, y: 138, g: 'connection_attempted' }, + { x: 1599588000000, y: 144, g: 'connection_attempted' }, + { x: 1599590700000, y: 140, g: 'connection_attempted' }, + { x: 1599593400000, y: 144, g: 'connection_attempted' }, + { x: 1599596100000, y: 145, g: 'connection_attempted' }, + { x: 1599598800000, y: 137, g: 'connection_attempted' }, + { x: 1599601500000, y: 142, g: 'connection_attempted' }, + { x: 1599604200000, y: 142, g: 'connection_attempted' }, + { x: 1599606900000, y: 143, g: 'connection_attempted' }, + { x: 1599609600000, y: 132, g: 'connection_attempted' }, + { x: 1599612300000, y: 153, g: 'connection_attempted' }, + { x: 1599615000000, y: 143, g: 'connection_attempted' }, + { x: 1599617700000, y: 142, g: 'connection_attempted' }, + { x: 1599620400000, y: 143, g: 'connection_attempted' }, + { x: 1599623100000, y: 142, g: 'connection_attempted' }, + { x: 1599625800000, y: 140, g: 'connection_attempted' }, + { x: 1599628500000, y: 140, g: 'connection_attempted' }, + { x: 1599631200000, y: 148, g: 'connection_attempted' }, + { x: 1599633900000, y: 142, g: 'connection_attempted' }, + { x: 1599636600000, y: 139, g: 'connection_attempted' }, + { x: 1599639300000, y: 139, g: 'connection_attempted' }, + { x: 1599642000000, y: 142, g: 'connection_attempted' }, + { x: 1599644700000, y: 142, g: 'connection_attempted' }, + { x: 1599647400000, y: 143, g: 'connection_attempted' }, + { x: 1599650100000, y: 141, g: 'connection_attempted' }, + { x: 1599652800000, y: 137, g: 'connection_attempted' }, + { x: 1599655500000, y: 141, g: 'connection_attempted' }, + { x: 1599658200000, y: 144, g: 'connection_attempted' }, + { x: 1599660900000, y: 138, g: 'connection_attempted' }, + { x: 1599663600000, y: 145, g: 'connection_attempted' }, + { x: 1599666300000, y: 78, g: 'connection_attempted' }, + { x: 1599579900000, y: 24, g: 'creation' }, + { x: 1599582600000, y: 53, g: 'creation' }, + { x: 1599585300000, y: 50, g: 'creation' }, + { x: 1599588000000, y: 54, g: 'creation' }, + { x: 1599590700000, y: 55, g: 'creation' }, + { x: 1599593400000, y: 53, g: 'creation' }, + { x: 1599596100000, y: 54, g: 'creation' }, + { x: 1599598800000, y: 54, g: 'creation' }, + { x: 1599601500000, y: 55, g: 'creation' }, + { x: 1599604200000, y: 52, g: 'creation' }, + { x: 1599606900000, y: 51, g: 'creation' }, + { x: 1599609600000, y: 58, g: 'creation' }, + { x: 1599612300000, y: 122, g: 'creation' }, + { x: 1599615000000, y: 54, g: 'creation' }, + { x: 1599617700000, y: 54, g: 'creation' }, + { x: 1599620400000, y: 56, g: 'creation' }, + { x: 1599623100000, y: 53, g: 'creation' }, + { x: 1599625800000, y: 55, g: 'creation' }, + { x: 1599628500000, y: 51, g: 'creation' }, + { x: 1599631200000, y: 144, g: 'creation' }, + { x: 1599633900000, y: 54, g: 'creation' }, + { x: 1599636600000, y: 53, g: 'creation' }, + { x: 1599639300000, y: 51, g: 'creation' }, + { x: 1599642000000, y: 57, g: 'creation' }, + { x: 1599644700000, y: 55, g: 'creation' }, + { x: 1599647400000, y: 52, g: 'creation' }, + { x: 1599650100000, y: 52, g: 'creation' }, + { x: 1599652800000, y: 57, g: 'creation' }, + { x: 1599655500000, y: 56, g: 'creation' }, + { x: 1599658200000, y: 53, g: 'creation' }, + { x: 1599660900000, y: 51, g: 'creation' }, + { x: 1599663600000, y: 56, g: 'creation' }, + { x: 1599666300000, y: 31, g: 'creation' }, + { x: 1599579900000, y: 23, g: 'deletion' }, + { x: 1599582600000, y: 53, g: 'deletion' }, + { x: 1599585300000, y: 50, g: 'deletion' }, + { x: 1599588000000, y: 54, g: 'deletion' }, + { x: 1599590700000, y: 54, g: 'deletion' }, + { x: 1599593400000, y: 53, g: 'deletion' }, + { x: 1599596100000, y: 53, g: 'deletion' }, + { x: 1599598800000, y: 54, g: 'deletion' }, + { x: 1599601500000, y: 55, g: 'deletion' }, + { x: 1599604200000, y: 52, g: 'deletion' }, + { x: 1599606900000, y: 51, g: 'deletion' }, + { x: 1599609600000, y: 55, g: 'deletion' }, + { x: 1599612300000, y: 121, g: 'deletion' }, + { x: 1599615000000, y: 54, g: 'deletion' }, + { x: 1599617700000, y: 53, g: 'deletion' }, + { x: 1599620400000, y: 55, g: 'deletion' }, + { x: 1599623100000, y: 53, g: 'deletion' }, + { x: 1599625800000, y: 54, g: 'deletion' }, + { x: 1599628500000, y: 51, g: 'deletion' }, + { x: 1599631200000, y: 146, g: 'deletion' }, + { x: 1599633900000, y: 54, g: 'deletion' }, + { x: 1599636600000, y: 53, g: 'deletion' }, + { x: 1599639300000, y: 51, g: 'deletion' }, + { x: 1599642000000, y: 55, g: 'deletion' }, + { x: 1599644700000, y: 55, g: 'deletion' }, + { x: 1599647400000, y: 52, g: 'deletion' }, + { x: 1599650100000, y: 55, g: 'deletion' }, + { x: 1599652800000, y: 55, g: 'deletion' }, + { x: 1599655500000, y: 55, g: 'deletion' }, + { x: 1599658200000, y: 53, g: 'deletion' }, + { x: 1599660900000, y: 51, g: 'deletion' }, + { x: 1599663600000, y: 55, g: 'deletion' }, + { x: 1599666300000, y: 31, g: 'deletion' }, + { x: 1599579900000, y: 19, g: 'File Delete (rule: FileDelete)' }, + { x: 1599582600000, y: 46, g: 'File Delete (rule: FileDelete)' }, + { x: 1599585300000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599588000000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599590700000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599593400000, y: 45, g: 'File Delete (rule: FileDelete)' }, + { x: 1599596100000, y: 48, g: 'File Delete (rule: FileDelete)' }, + { x: 1599598800000, y: 46, g: 'File Delete (rule: FileDelete)' }, + { x: 1599601500000, y: 45, g: 'File Delete (rule: FileDelete)' }, + { x: 1599604200000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599606900000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599609600000, y: 60, g: 'File Delete (rule: FileDelete)' }, + { x: 1599612300000, y: 45, g: 'File Delete (rule: FileDelete)' }, + { x: 1599615000000, y: 46, g: 'File Delete (rule: FileDelete)' }, + { x: 1599617700000, y: 46, g: 'File Delete (rule: FileDelete)' }, + { x: 1599620400000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599623100000, y: 88, g: 'File Delete (rule: FileDelete)' }, + { x: 1599625800000, y: 53, g: 'File Delete (rule: FileDelete)' }, + { x: 1599628500000, y: 46, g: 'File Delete (rule: FileDelete)' }, + { x: 1599631200000, y: 49, g: 'File Delete (rule: FileDelete)' }, + { x: 1599633900000, y: 45, g: 'File Delete (rule: FileDelete)' }, + { x: 1599636600000, y: 48, g: 'File Delete (rule: FileDelete)' }, + { x: 1599639300000, y: 46, g: 'File Delete (rule: FileDelete)' }, + { x: 1599642000000, y: 46, g: 'File Delete (rule: FileDelete)' }, + { x: 1599644700000, y: 45, g: 'File Delete (rule: FileDelete)' }, + { x: 1599647400000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599650100000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599652800000, y: 45, g: 'File Delete (rule: FileDelete)' }, + { x: 1599655500000, y: 331, g: 'File Delete (rule: FileDelete)' }, + { x: 1599658200000, y: 45, g: 'File Delete (rule: FileDelete)' }, + { x: 1599660900000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599663600000, y: 47, g: 'File Delete (rule: FileDelete)' }, + { x: 1599666300000, y: 28, g: 'File Delete (rule: FileDelete)' }, + { x: 1599579900000, y: 3, g: 'session_id_change' }, + { x: 1599582600000, y: 9, g: 'session_id_change' }, + { x: 1599585300000, y: 7, g: 'session_id_change' }, + { x: 1599588000000, y: 10, g: 'session_id_change' }, + { x: 1599590700000, y: 7, g: 'session_id_change' }, + { x: 1599593400000, y: 10, g: 'session_id_change' }, + { x: 1599596100000, y: 63, g: 'session_id_change' }, + { x: 1599598800000, y: 7, g: 'session_id_change' }, + { x: 1599601500000, y: 45, g: 'session_id_change' }, + { x: 1599604200000, y: 4, g: 'session_id_change' }, + { x: 1599606900000, y: 5, g: 'session_id_change' }, + { x: 1599609600000, y: 6, g: 'session_id_change' }, + { x: 1599612300000, y: 6, g: 'session_id_change' }, + { x: 1599615000000, y: 55, g: 'session_id_change' }, + { x: 1599617700000, y: 43, g: 'session_id_change' }, + { x: 1599620400000, y: 8, g: 'session_id_change' }, + { x: 1599623100000, y: 9, g: 'session_id_change' }, + { x: 1599625800000, y: 7, g: 'session_id_change' }, + { x: 1599628500000, y: 21, g: 'session_id_change' }, + { x: 1599631200000, y: 26, g: 'session_id_change' }, + { x: 1599633900000, y: 17, g: 'session_id_change' }, + { x: 1599636600000, y: 34, g: 'session_id_change' }, + { x: 1599639300000, y: 41, g: 'session_id_change' }, + { x: 1599642000000, y: 18, g: 'session_id_change' }, + { x: 1599644700000, y: 4, g: 'session_id_change' }, + { x: 1599647400000, y: 11, g: 'session_id_change' }, + { x: 1599650100000, y: 9, g: 'session_id_change' }, + { x: 1599652800000, y: 7, g: 'session_id_change' }, + { x: 1599655500000, y: 12, g: 'session_id_change' }, + { x: 1599658200000, y: 16, g: 'session_id_change' }, + { x: 1599660900000, y: 7, g: 'session_id_change' }, + { x: 1599663600000, y: 99, g: 'session_id_change' }, + { x: 1599666300000, y: 21, g: 'session_id_change' }, + ], +}; + +export const mockDnsSearchStrategyResponse: IEsSearchResponse = { + isPartial: false, + isRunning: false, + rawResponse: { + took: 150, + timed_out: false, + _shards: { total: 21, successful: 21, skipped: 0, failed: 0 }, + hits: { total: 0, max_score: 0, hits: [] }, + aggregations: { + NetworkDns: { + buckets: [ + { + key_as_string: '2020-09-08T15:00:00.000Z', + key: 1599577200000, + doc_count: 7083, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T15:45:00.000Z', + key: 1599579900000, + doc_count: 146148, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T16:30:00.000Z', + key: 1599582600000, + doc_count: 65025, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T17:15:00.000Z', + key: 1599585300000, + doc_count: 62317, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T18:00:00.000Z', + key: 1599588000000, + doc_count: 58223, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T18:45:00.000Z', + key: 1599590700000, + doc_count: 55712, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T19:30:00.000Z', + key: 1599593400000, + doc_count: 55328, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T20:15:00.000Z', + key: 1599596100000, + doc_count: 63878, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T21:00:00.000Z', + key: 1599598800000, + doc_count: 54151, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T21:45:00.000Z', + key: 1599601500000, + doc_count: 55170, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T22:30:00.000Z', + key: 1599604200000, + doc_count: 43115, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-08T23:15:00.000Z', + key: 1599606900000, + doc_count: 52204, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T00:00:00.000Z', + key: 1599609600000, + doc_count: 43609, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T00:45:00.000Z', + key: 1599612300000, + doc_count: 44825, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T01:30:00.000Z', + key: 1599615000000, + doc_count: 52374, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T02:15:00.000Z', + key: 1599617700000, + doc_count: 44667, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T03:00:00.000Z', + key: 1599620400000, + doc_count: 45231, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T03:45:00.000Z', + key: 1599623100000, + doc_count: 42871, + dns: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [ + { key: 'google.com', doc_count: 1, orderAgg: { value: 1 } }, + { key: 'google.internal', doc_count: 1, orderAgg: { value: 1 } }, + ], + }, + }, + { + key_as_string: '2020-09-09T04:30:00.000Z', + key: 1599625800000, + doc_count: 41327, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T05:15:00.000Z', + key: 1599628500000, + doc_count: 39860, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T06:00:00.000Z', + key: 1599631200000, + doc_count: 44061, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T06:45:00.000Z', + key: 1599633900000, + doc_count: 39193, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T07:30:00.000Z', + key: 1599636600000, + doc_count: 40909, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T08:15:00.000Z', + key: 1599639300000, + doc_count: 43293, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T09:00:00.000Z', + key: 1599642000000, + doc_count: 47640, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T09:45:00.000Z', + key: 1599644700000, + doc_count: 48605, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T10:30:00.000Z', + key: 1599647400000, + doc_count: 42072, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T11:15:00.000Z', + key: 1599650100000, + doc_count: 46398, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T12:00:00.000Z', + key: 1599652800000, + doc_count: 49378, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T12:45:00.000Z', + key: 1599655500000, + doc_count: 51171, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T13:30:00.000Z', + key: 1599658200000, + doc_count: 57911, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T14:15:00.000Z', + key: 1599660900000, + doc_count: 58909, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + { + key_as_string: '2020-09-09T15:00:00.000Z', + key: 1599663600000, + doc_count: 62358, + dns: { doc_count_error_upper_bound: 0, sum_other_doc_count: 0, buckets: [] }, + }, + ], + }, + }, + }, + total: 21, + loaded: 21, +}; + +export const formattedDnsSearchStrategyResponse: MatrixHistogramStrategyResponse = { + ...mockDnsSearchStrategyResponse, + inspect: { + dsl: [ + '{\n "index": [\n "apm-*-transaction*",\n "auditbeat-*",\n "endgame-*",\n "filebeat-*",\n "logs-*",\n "packetbeat-*",\n "winlogbeat-*"\n ],\n "allowNoIndices": true,\n "ignoreUnavailable": true,\n "body": {\n "aggregations": {\n "NetworkDns": {\n "date_histogram": {\n "field": "@timestamp",\n "fixed_interval": "2700000ms"\n },\n "aggs": {\n "dns": {\n "terms": {\n "field": "dns.question.registered_domain",\n "order": {\n "orderAgg": "desc"\n },\n "size": 10\n },\n "aggs": {\n "orderAgg": {\n "cardinality": {\n "field": "dns.question.name"\n }\n }\n }\n }\n }\n }\n },\n "query": {\n "bool": {\n "filter": [\n "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n {\n "range": {\n "@timestamp": {\n "gte": "2020-09-08T15:41:15.528Z",\n "lte": "2020-09-09T15:41:15.529Z",\n "format": "strict_date_optional_time"\n }\n }\n }\n ]\n }\n },\n "size": 0,\n "track_total_hits": true\n }\n}', + ], + }, + matrixHistogramData: [ + { x: 1599623100000, y: 1, g: 'google.com' }, + { x: 1599623100000, y: 1, g: 'google.internal' }, + ], + totalCount: 0, +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts new file mode 100644 index 0000000000000..8b2e666ad0103 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts @@ -0,0 +1,87 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { MatrixHistogramType } from '../../../../../../../common/search_strategy'; + +export const mockOptions = { + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + filterQuery: + '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"filter":[{"bool":{"should":[{"exists":{"field":"host.name"}}],"minimum_should_match":1}}]}}],"should":[],"must_not":[]}}', + histogramType: MatrixHistogramType.alerts, + timerange: { interval: '12h', from: '2020-09-08T14:23:04.482Z', to: '2020-09-09T14:23:04.482Z' }, + stackByField: 'event.module', +}; + +export const expectedDsl = { + index: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + allowNoIndices: true, + ignoreUnavailable: true, + body: { + aggregations: { + alertsGroup: { + terms: { + field: 'event.module', + missing: 'All others', + order: { _count: 'desc' }, + size: 10, + }, + aggs: { + alerts: { + date_histogram: { + field: '@timestamp', + fixed_interval: '2700000ms', + min_doc_count: 0, + extended_bounds: { min: 1599574984482, max: 1599661384482 }, + }, + }, + }, + }, + }, + query: { + bool: { + filter: [ + '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"filter":[{"bool":{"should":[{"exists":{"field":"host.name"}}],"minimum_should_match":1}}]}}],"should":[],"must_not":[]}}', + { + bool: { + filter: [ + { + bool: { should: [{ match: { 'event.kind': 'alert' } }], minimum_should_match: 1 }, + }, + ], + }, + }, + { + range: { + '@timestamp': { + gte: '2020-09-08T14:23:04.482Z', + lte: '2020-09-09T14:23:04.482Z', + format: 'strict_date_optional_time', + }, + }, + }, + ], + }, + }, + size: 0, + track_total_hits: true, + }, +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/index.test.ts new file mode 100644 index 0000000000000..3b1e57ea50a87 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/index.test.ts @@ -0,0 +1,22 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { alertsMatrixHistogramConfig } from '.'; +import { buildAlertsHistogramQuery } from './query.alerts_histogram.dsl'; + +jest.mock('./query.alerts_histogram.dsl', () => ({ + buildAlertsHistogramQuery: jest.fn(), +})); + +describe('alertsMatrixHistogramConfig', () => { + test('should export alertsMatrixHistogramConfig corrrectly', () => { + expect(alertsMatrixHistogramConfig).toEqual({ + aggName: 'aggregations.alertsGroup.buckets', + parseKey: 'alerts.buckets', + buildDsl: buildAlertsHistogramQuery, + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/query.alerts_histogram.dsl.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/query.alerts_histogram.dsl.test.ts new file mode 100644 index 0000000000000..89a28b10dd684 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/query.alerts_histogram.dsl.test.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +import { buildAlertsHistogramQuery } from './query.alerts_histogram.dsl'; +import { mockOptions, expectedDsl } from './__mocks__/'; + +describe('buildAlertsHistogramQuery', () => { + test('build query from options correctly', () => { + expect(buildAlertsHistogramQuery(mockOptions)).toEqual(expectedDsl); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts new file mode 100644 index 0000000000000..6ca3c785e2e75 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts @@ -0,0 +1,73 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { MatrixHistogramType } from '../../../../../../../common/search_strategy'; + +export const mockOptions = { + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + filterQuery: + '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"should":[],"minimum_should_match":1}},{"match_phrase":{"result_type":"record"}},null,{"range":{"record_score":{"gte":50}}}],"should":[{"exists":{"field":"source.ip"}},{"exists":{"field":"destination.ip"}}],"must_not":[],"minimum_should_match":1}}', + histogramType: MatrixHistogramType.anomalies, + timerange: { interval: '12h', from: '2020-09-08T15:14:35.566Z', to: '2020-09-09T15:14:35.566Z' }, + stackByField: 'job_id', +}; + +export const expectedDsl = { + index: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + allowNoIndices: true, + ignoreUnavailable: true, + body: { + aggs: { + anomalyActionGroup: { + terms: { field: 'job_id', order: { _count: 'desc' }, size: 10 }, + aggs: { + anomalies: { + date_histogram: { + field: 'timestamp', + fixed_interval: '2700000ms', + min_doc_count: 0, + extended_bounds: { min: 1599578075566, max: 1599664475566 }, + }, + }, + }, + }, + }, + query: { + bool: { + filter: [ + '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"should":[],"minimum_should_match":1}},{"match_phrase":{"result_type":"record"}},null,{"range":{"record_score":{"gte":50}}}],"should":[{"exists":{"field":"source.ip"}},{"exists":{"field":"destination.ip"}}],"must_not":[],"minimum_should_match":1}}', + { + range: { + timestamp: { + gte: '2020-09-08T15:14:35.566Z', + lte: '2020-09-09T15:14:35.566Z', + format: 'strict_date_optional_time', + }, + }, + }, + ], + }, + }, + size: 0, + track_total_hits: true, + }, +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/index.test.ts new file mode 100644 index 0000000000000..d1466a057553d --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/index.test.ts @@ -0,0 +1,22 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { anomaliesMatrixHistogramConfig } from '.'; +import { buildAnomaliesHistogramQuery } from './query.anomalies_histogram.dsl'; + +jest.mock('./query.anomalies_histogram.dsl', () => ({ + buildAnomaliesHistogramQuery: jest.fn(), +})); + +describe('anomaliesMatrixHistogramConfig', () => { + test('should export anomaliesMatrixHistogramConfig corrrectly', () => { + expect(anomaliesMatrixHistogramConfig).toEqual({ + aggName: 'aggregations.anomalyActionGroup.buckets', + parseKey: 'anomalies.buckets', + buildDsl: buildAnomaliesHistogramQuery, + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/query.anomalies_histogram.dsl.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/query.anomalies_histogram.dsl.test.ts new file mode 100644 index 0000000000000..7c10005853b26 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/query.anomalies_histogram.dsl.test.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +import { buildAnomaliesHistogramQuery } from './query.anomalies_histogram.dsl'; +import { mockOptions, expectedDsl } from './__mocks__'; + +describe('buildAnomaliesHistogramQuery', () => { + test('build query from options correctly', () => { + expect(buildAnomaliesHistogramQuery(mockOptions)).toEqual(expectedDsl); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts new file mode 100644 index 0000000000000..1fd420dbb94cb --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts @@ -0,0 +1,78 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { MatrixHistogramType } from '../../../../../../../common/search_strategy'; + +export const mockOptions = { + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + filterQuery: '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', + histogramType: MatrixHistogramType.authentications, + timerange: { interval: '12h', from: '2020-09-08T15:22:00.325Z', to: '2020-09-09T15:22:00.325Z' }, + stackByField: 'event.outcome', +}; + +export const expectedDsl = { + index: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + allowNoIndices: true, + ignoreUnavailable: true, + body: { + aggregations: { + eventActionGroup: { + terms: { + field: 'event.outcome', + include: ['success', 'failure'], + order: { _count: 'desc' }, + size: 2, + }, + aggs: { + events: { + date_histogram: { + field: '@timestamp', + fixed_interval: '2700000ms', + min_doc_count: 0, + extended_bounds: { min: 1599578520325, max: 1599664920325 }, + }, + }, + }, + }, + }, + query: { + bool: { + filter: [ + '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', + { bool: { must: [{ term: { 'event.category': 'authentication' } }] } }, + { + range: { + '@timestamp': { + gte: '2020-09-08T15:22:00.325Z', + lte: '2020-09-09T15:22:00.325Z', + format: 'strict_date_optional_time', + }, + }, + }, + ], + }, + }, + size: 0, + track_total_hits: true, + }, +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/index.test.ts new file mode 100644 index 0000000000000..54f1459b24933 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/index.test.ts @@ -0,0 +1,22 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { authenticationsMatrixHistogramConfig } from '.'; +import { buildAuthenticationsHistogramQuery } from './query.authentications_histogram.dsl'; + +jest.mock('./query.authentications_histogram.dsl', () => ({ + buildAuthenticationsHistogramQuery: jest.fn(), +})); + +describe('authenticationsMatrixHistogramConfig', () => { + test('should export authenticationsMatrixHistogramConfig corrrectly', () => { + expect(authenticationsMatrixHistogramConfig).toEqual({ + aggName: 'aggregations.eventActionGroup.buckets', + parseKey: 'events.buckets', + buildDsl: buildAuthenticationsHistogramQuery, + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/query.authentications_histogram.dsl.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/query.authentications_histogram.dsl.test.ts new file mode 100644 index 0000000000000..67d681d8ba870 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/query.authentications_histogram.dsl.test.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +import { buildAuthenticationsHistogramQuery } from './query.authentications_histogram.dsl'; +import { mockOptions, expectedDsl } from './__mocks__/'; + +describe('buildAuthenticationsHistogramQuery', () => { + test('build query from options correctly', () => { + expect(buildAuthenticationsHistogramQuery(mockOptions)).toEqual(expectedDsl); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts new file mode 100644 index 0000000000000..94ba20327a404 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts @@ -0,0 +1,72 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { MatrixHistogramType } from '../../../../../../../common/search_strategy'; + +export const mockOptions = { + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + filterQuery: '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', + histogramType: MatrixHistogramType.dns, + timerange: { interval: '12h', from: '2020-09-08T15:41:15.528Z', to: '2020-09-09T15:41:15.529Z' }, + stackByField: 'dns.question.registered_domain', +}; + +export const expectedDsl = { + index: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + allowNoIndices: true, + ignoreUnavailable: true, + body: { + aggregations: { + NetworkDns: { + date_histogram: { field: '@timestamp', fixed_interval: '2700000ms' }, + aggs: { + dns: { + terms: { + field: 'dns.question.registered_domain', + order: { orderAgg: 'desc' }, + size: 10, + }, + aggs: { orderAgg: { cardinality: { field: 'dns.question.name' } } }, + }, + }, + }, + }, + query: { + bool: { + filter: [ + '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', + { + range: { + '@timestamp': { + gte: '2020-09-08T15:41:15.528Z', + lte: '2020-09-09T15:41:15.529Z', + format: 'strict_date_optional_time', + }, + }, + }, + ], + }, + }, + size: 0, + track_total_hits: true, + }, +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/index.test.ts new file mode 100644 index 0000000000000..8afc764d97f87 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/index.test.ts @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { dnsMatrixHistogramConfig } from '.'; +import { buildDnsHistogramQuery } from './query.dns_histogram.dsl'; +import { getDnsParsedData } from './helpers'; + +jest.mock('./query.dns_histogram.dsl', () => ({ + buildDnsHistogramQuery: jest.fn(), +})); + +jest.mock('./helpers', () => ({ + getDnsParsedData: jest.fn(), +})); + +describe('dnsMatrixHistogramConfig', () => { + test('should export dnsMatrixHistogramConfig corrrectly', () => { + expect(dnsMatrixHistogramConfig).toEqual({ + aggName: 'aggregations.NetworkDns.buckets', + parseKey: 'dns.buckets', + buildDsl: buildDnsHistogramQuery, + parser: getDnsParsedData, + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/query.dns_histogram.dsl.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/query.dns_histogram.dsl.test.ts new file mode 100644 index 0000000000000..a3d562a28d07f --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/query.dns_histogram.dsl.test.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +import { buildDnsHistogramQuery } from './query.dns_histogram.dsl'; +import { mockOptions, expectedDsl } from './__mocks__/'; + +describe('buildDnsHistogramQuery', () => { + test('build query from options correctly', () => { + expect(buildDnsHistogramQuery(mockOptions)).toEqual(expectedDsl); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts new file mode 100644 index 0000000000000..09b710ab33c76 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts @@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { + MatrixHistogramQuery, + MatrixHistogramRequestOptions, + MatrixHistogramType, +} from '../../../../../../../common/search_strategy'; + +export const mockOptions: MatrixHistogramRequestOptions = { + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + factoryQueryType: MatrixHistogramQuery, + filterQuery: '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', + histogramType: MatrixHistogramType.events, + timerange: { interval: '12h', from: '2020-09-08T16:11:26.215Z', to: '2020-09-09T16:11:26.215Z' }, + stackByField: 'event.action', +}; + +export const expectedDsl = { + index: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + allowNoIndices: true, + ignoreUnavailable: true, + body: { + aggregations: { + eventActionGroup: { + terms: { + field: 'event.action', + missing: 'All others', + order: { _count: 'desc' }, + size: 10, + }, + aggs: { + events: { + date_histogram: { + field: '@timestamp', + fixed_interval: '2700000ms', + min_doc_count: 0, + extended_bounds: { min: 1599581486215, max: 1599667886215 }, + }, + }, + }, + }, + }, + query: { + bool: { + filter: [ + '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', + { + range: { + '@timestamp': { + gte: '2020-09-08T16:11:26.215Z', + lte: '2020-09-09T16:11:26.215Z', + format: 'strict_date_optional_time', + }, + }, + }, + ], + }, + }, + size: 0, + track_total_hits: true, + }, +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/index.test.ts new file mode 100644 index 0000000000000..f67307eac67ed --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/index.test.ts @@ -0,0 +1,22 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { eventsMatrixHistogramConfig } from '.'; +import { buildEventsHistogramQuery } from './query.events_histogram.dsl'; + +jest.mock('./query.events_histogram.dsl.ts', () => ({ + buildEventsHistogramQuery: jest.fn(), +})); + +describe('eventsMatrixHistogramConfig', () => { + test('should export eventsMatrixHistogramConfig corrrectly', () => { + expect(eventsMatrixHistogramConfig).toEqual({ + aggName: 'aggregations.eventActionGroup.buckets', + parseKey: 'events.buckets', + buildDsl: buildEventsHistogramQuery, + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/query.events_histogram.dsl.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/query.events_histogram.dsl.test.ts new file mode 100644 index 0000000000000..72cb9de9f0e7a --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/query.events_histogram.dsl.test.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +import { buildEventsHistogramQuery } from './query.events_histogram.dsl'; +import { mockOptions, expectedDsl } from './__mocks__/'; + +describe('buildEventsHistogramQuery', () => { + test('build query from options correctly', () => { + expect(buildEventsHistogramQuery(mockOptions)).toEqual(expectedDsl); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/index.test.ts new file mode 100644 index 0000000000000..3fd7240eba93b --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/index.test.ts @@ -0,0 +1,211 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { + MatrixHistogramRequestOptions, + MatrixHistogramType, +} from '../../../../../common/search_strategy/security_solution'; +import { matrixHistogram } from '.'; +import { + formattedAlertsSearchStrategyResponse, + formattedAnomaliesSearchStrategyResponse, + formattedAuthenticationsSearchStrategyResponse, + formattedEventsSearchStrategyResponse, + formattedDnsSearchStrategyResponse, + mockAlertsSearchStrategyResponse, + mockAnomaliesSearchStrategyResponse, + mockAuthenticationsSearchStrategyResponse, + mockEventsSearchStrategyResponse, + mockDnsSearchStrategyResponse, +} from './__mocks__'; +import { alertsMatrixHistogramConfig } from './alerts'; +import { anomaliesMatrixHistogramConfig } from './anomalies'; +import { authenticationsMatrixHistogramConfig } from './authentications'; +import { eventsMatrixHistogramConfig } from './events'; +import { dnsMatrixHistogramConfig } from './dns'; + +import { mockOptions as mockAlertsOptions } from './alerts/__mocks__'; +import { mockOptions as mockAnomaliesOptions } from './anomalies/__mocks__'; +import { mockOptions as mockAuthenticationsOptions } from './authentications/__mocks__'; +import { mockOptions as mockEventsOptions } from './events/__mocks__'; +import { mockOptions as mockDnsOptions } from './dns/__mocks__'; + +describe('Alerts matrixHistogram search strategy', () => { + const buildMatrixHistogramQuery = jest.spyOn(alertsMatrixHistogramConfig, 'buildDsl'); + + afterEach(() => { + buildMatrixHistogramQuery.mockClear(); + }); + + describe('buildDsl', () => { + test('should build dsl query', () => { + matrixHistogram.buildDsl(mockAlertsOptions); + expect(buildMatrixHistogramQuery).toHaveBeenCalledWith(mockAlertsOptions); + }); + + test('should throw error if histogramType is invalid', () => { + const invalidOptions: MatrixHistogramRequestOptions = { + ...mockAlertsOptions, + histogramType: 'xxx' as MatrixHistogramType, + } as MatrixHistogramRequestOptions; + + expect(() => { + matrixHistogram.buildDsl(invalidOptions); + }).toThrowError(`This histogram type xxx is unknown to the server side`); + }); + }); + + describe('parse', () => { + test('should parse data correctly', async () => { + const result = await matrixHistogram.parse( + mockAlertsOptions, + mockAlertsSearchStrategyResponse + ); + expect(result).toMatchObject(formattedAlertsSearchStrategyResponse); + }); + }); +}); + +describe('Anomalies matrixHistogram search strategy', () => { + const buildMatrixHistogramQuery = jest.spyOn(anomaliesMatrixHistogramConfig, 'buildDsl'); + + afterEach(() => { + buildMatrixHistogramQuery.mockClear(); + }); + + describe('buildDsl', () => { + test('should build dsl query', () => { + matrixHistogram.buildDsl(mockAnomaliesOptions); + expect(buildMatrixHistogramQuery).toHaveBeenCalledWith(mockAnomaliesOptions); + }); + + test('should throw error if histogramType is invalid', () => { + const invalidOptions: MatrixHistogramRequestOptions = { + ...mockAnomaliesOptions, + histogramType: 'xxx' as MatrixHistogramType, + } as MatrixHistogramRequestOptions; + + expect(() => { + matrixHistogram.buildDsl(invalidOptions); + }).toThrowError(`This histogram type xxx is unknown to the server side`); + }); + }); + + describe('parse', () => { + test('should parse data correctly', async () => { + const result = await matrixHistogram.parse( + mockAnomaliesOptions, + mockAnomaliesSearchStrategyResponse + ); + expect(result).toMatchObject(formattedAnomaliesSearchStrategyResponse); + }); + }); +}); + +describe('Authentications matrixHistogram search strategy', () => { + const buildMatrixHistogramQuery = jest.spyOn(authenticationsMatrixHistogramConfig, 'buildDsl'); + + afterEach(() => { + buildMatrixHistogramQuery.mockClear(); + }); + + describe('buildDsl', () => { + test('should build dsl query', () => { + matrixHistogram.buildDsl(mockAuthenticationsOptions); + expect(buildMatrixHistogramQuery).toHaveBeenCalledWith(mockAuthenticationsOptions); + }); + + test('should throw error if histogramType is invalid', () => { + const invalidOptions = { + ...mockAuthenticationsOptions, + histogramType: 'xxx' as MatrixHistogramType, + } as MatrixHistogramRequestOptions; + + expect(() => { + matrixHistogram.buildDsl(invalidOptions); + }).toThrowError(`This histogram type xxx is unknown to the server side`); + }); + }); + + describe('parse', () => { + test('should parse data correctly', async () => { + const result = await matrixHistogram.parse( + mockAuthenticationsOptions, + mockAuthenticationsSearchStrategyResponse + ); + expect(result).toMatchObject(formattedAuthenticationsSearchStrategyResponse); + }); + }); +}); + +describe('Events matrixHistogram search strategy', () => { + const buildMatrixHistogramQuery = jest.spyOn(eventsMatrixHistogramConfig, 'buildDsl'); + + afterEach(() => { + buildMatrixHistogramQuery.mockClear(); + }); + + describe('buildDsl', () => { + test('should build dsl query', () => { + matrixHistogram.buildDsl(mockEventsOptions); + expect(buildMatrixHistogramQuery).toHaveBeenCalledWith(mockEventsOptions); + }); + + test('should throw error if histogramType is invalid', () => { + const invalidOptions = { + ...mockEventsOptions, + histogramType: 'xxx' as MatrixHistogramType, + } as MatrixHistogramRequestOptions; + + expect(() => { + matrixHistogram.buildDsl(invalidOptions); + }).toThrowError(`This histogram type xxx is unknown to the server side`); + }); + }); + + describe('parse', () => { + test('should parse data correctly', async () => { + const result = await matrixHistogram.parse( + mockEventsOptions, + mockEventsSearchStrategyResponse + ); + expect(result).toMatchObject(formattedEventsSearchStrategyResponse); + }); + }); +}); + +describe('Dns matrixHistogram search strategy', () => { + const buildMatrixHistogramQuery = jest.spyOn(dnsMatrixHistogramConfig, 'buildDsl'); + + afterEach(() => { + buildMatrixHistogramQuery.mockClear(); + }); + + describe('buildDsl', () => { + test('should build dsl query', () => { + matrixHistogram.buildDsl(mockDnsOptions); + expect(buildMatrixHistogramQuery).toHaveBeenCalledWith(mockDnsOptions); + }); + + test('should throw error if histogramType is invalid', () => { + const invalidOptions = { + ...mockDnsOptions, + histogramType: 'xxx' as MatrixHistogramType, + } as MatrixHistogramRequestOptions; + + expect(() => { + matrixHistogram.buildDsl(invalidOptions); + }).toThrowError(`This histogram type xxx is unknown to the server side`); + }); + }); + + describe('parse', () => { + test('should parse data correctly', async () => { + const result = await matrixHistogram.parse(mockDnsOptions, mockDnsSearchStrategyResponse); + expect(result).toMatchObject(formattedDnsSearchStrategyResponse); + }); + }); +});