diff --git a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
index 34f755702c7b1..64010411f7043 100644
--- a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
+++ b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
@@ -15205,4417 +15205,6 @@ } } }, - "security_solution": { - "properties": { - "detectionMetrics": { - "properties": { - "detection_rules": { - "properties": { - "detection_rule_usage": { - "properties": { - "query": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of query rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of query rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by query rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to query detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled query rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled query rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of query rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of query rules configured with two suppression field" - } - }, 
- "three": { - "type": "long", - "_meta": { - "description": "Number of query rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of query rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of query rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of query rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of query rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "threshold": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of threshold rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of threshold rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by threshold rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to threshold detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 
8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled threshold rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled threshold rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of threshold rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of threshold rules configured with two suppression field" - } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of threshold rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of threshold rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of threshold rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of threshold rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of threshold rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "eql": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of eql rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of eql rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by eql rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to eql detection rule alerts" - } - }, - 
"legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled eql rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled eql rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of eql rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of eql rules configured with two suppression field" - } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of eql rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of eql rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of eql rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of eql rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - 
"description": "Number of eql rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "machine_learning": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by machine_learning rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to machine_learning detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled machine_learning rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled machine_learning rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules configured with two suppression field" 
- } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "threat_match": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by threat_match rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to threat_match detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": 
"Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled threat_match rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled threat_match rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules configured with two suppression field" - } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "new_terms": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by new_terms rules" - } - }, - "cases": { - "type": 
"long", - "_meta": { - "description": "Number of cases attached to new_terms detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled new_terms rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled new_terms rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules configured with two suppression field" - } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": 
"Number of new_terms rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "esql": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of esql rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of esql rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by esql rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to esql detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled esql rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled esql rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of esql rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": 
"Number of esql rules configured with two suppression field" - } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of esql rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of esql rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of esql rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of esql rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of esql rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "elastic_total": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of elastic rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of elastic rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by elastic rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to elastic detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules 
using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled elastic rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled elastic rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of elastic rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of elastic rules configured with two suppression field" - } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of elastic rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of elastic rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of elastic rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of elastic rules configured to suppress alerts with missing fields" - } - }, - "does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of elastic rules configured do not suppress alerts with missing fields" - } - } - } - } - } - }, - "custom_total": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of custom rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of custom rules disabled" - } - }, - "alerts": { - "type": "long", - "_meta": { - "description": "Number of alerts generated by custom rules" - } - }, - "cases": { - "type": "long", - "_meta": { - "description": "Number of cases attached to 
custom detection rule alerts" - } - }, - "legacy_notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications enabled" - } - }, - "legacy_notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of legacy notifications disabled" - } - }, - "notifications_enabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "notifications_disabled": { - "type": "long", - "_meta": { - "description": "Number of notifications enabled" - } - }, - "legacy_investigation_fields": { - "type": "long", - "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" - } - }, - "alert_suppression": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "Number of enabled custom rules configured with suppression" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "Number of disabled custom rules configured with suppression" - } - }, - "suppressed_fields_count": { - "properties": { - "one": { - "type": "long", - "_meta": { - "description": "Number of custom rules configured with one suppression field" - } - }, - "two": { - "type": "long", - "_meta": { - "description": "Number of custom rules configured with two suppression field" - } - }, - "three": { - "type": "long", - "_meta": { - "description": "Number of custom rules configured with three suppression field" - } - } - } - }, - "suppressed_per_time_period": { - "type": "long", - "_meta": { - "description": "Number of custom rules configured with suppression per time period" - } - }, - "suppressed_per_rule_execution": { - "type": "long", - "_meta": { - "description": "Number of custom rules configured with suppression per rule execution" - } - }, - "suppresses_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of custom rules configured to suppress alerts with missing fields" - } - }, - 
"does_not_suppress_missing_fields": { - "type": "long", - "_meta": { - "description": "Number of custom rules configured do not suppress alerts with missing fields" - } - } - } - } - } - } - } - }, - "detection_rule_detail": { - "type": "array", - "items": { - "properties": { - "rule_name": { - "type": "keyword", - "_meta": { - "description": "The name of the detection rule" - } - }, - "rule_id": { - "type": "keyword", - "_meta": { - "description": "The UUID id of the detection rule" - } - }, - "rule_type": { - "type": "keyword", - "_meta": { - "description": "The type of detection rule. ie eql, query..." - } - }, - "rule_version": { - "type": "long", - "_meta": { - "description": "The version of the rule" - } - }, - "enabled": { - "type": "boolean", - "_meta": { - "description": "If the detection rule has been enabled by the user" - } - }, - "elastic_rule": { - "type": "boolean", - "_meta": { - "description": "If the detection rule has been authored by Elastic" - } - }, - "created_on": { - "type": "keyword", - "_meta": { - "description": "When the detection rule was created on the cluster" - } - }, - "updated_on": { - "type": "keyword", - "_meta": { - "description": "When the detection rule was updated on the cluster" - } - }, - "alert_count_daily": { - "type": "long", - "_meta": { - "description": "The number of daily alerts generated by a rule" - } - }, - "cases_count_total": { - "type": "long", - "_meta": { - "description": "The number of total cases generated by a rule" - } - }, - "has_legacy_notification": { - "type": "boolean", - "_meta": { - "description": "True if this rule has a legacy notification" - } - }, - "has_notification": { - "type": "boolean", - "_meta": { - "description": "True if this rule has a notification" - } - } - } - } - }, - "detection_rule_status": { - "properties": { - "all_rules": { - "properties": { - "eql": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - 
"top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - 
"_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "threat_match": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - 
"_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "machine_learning": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": 
{ - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "query": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - 
"description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "saved_query": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": 
"The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "threshold": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { 
- "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "total": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "succeeded": { - "type": "long", - "_meta": { - 
"description": "The number of succeeded rules" - } - } - } - } - } - }, - "elastic_rules": { - "properties": { - "eql": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - 
"gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "threat_match": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - 
"enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "machine_learning": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - 
"search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "query": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - 
"index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "saved_query": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - 
"type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "threshold": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - 
"_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "total": { - "properties": { - 
"failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of succeeded rules" - } - } - } - } - } - }, - "custom_rules": { - "properties": { - "eql": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": 
{ - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "threat_match": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": 
"float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "machine_learning": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": 
"float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "query": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" 
- } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "saved_query": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - 
} - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "threshold": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The 
number of failed rules" - } - }, - "top_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "top_partial_failures": { - "type": "array", - "items": { - "properties": { - "message": { - "type": "keyword", - "_meta": { - "description": "Failed rule message" - } - }, - "count": { - "type": "long", - "_meta": { - "description": "Number of times the message occurred" - } - } - } - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of successful rules" - } - }, - "index_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "search_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "enrichment_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, - "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_duration": { - "properties": { - "max": { - "type": "float", - "_meta": { - "description": "The max duration" - } - }, - "avg": { - "type": "float", - "_meta": { - "description": "The avg duration" - } - }, 
- "min": { - "type": "float", - "_meta": { - "description": "The min duration" - } - } - } - }, - "gap_count": { - "type": "long", - "_meta": { - "description": "The count of gaps" - } - } - } - }, - "total": { - "properties": { - "failures": { - "type": "long", - "_meta": { - "description": "The number of failed rules" - } - }, - "partial_failures": { - "type": "long", - "_meta": { - "description": "The number of partial failure rules" - } - }, - "succeeded": { - "type": "long", - "_meta": { - "description": "The number of succeeded rules" - } - } - } - } - } - } - } - } - } - }, - "ml_jobs": { - "properties": { - "ml_job_usage": { - "properties": { - "custom": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "The number of custom ML jobs rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "The number of custom ML jobs rules disabled" - } - } - } - }, - "elastic": { - "properties": { - "enabled": { - "type": "long", - "_meta": { - "description": "The number of elastic provided ML jobs rules enabled" - } - }, - "disabled": { - "type": "long", - "_meta": { - "description": "The number of elastic provided ML jobs rules disabled" - } - } - } - } - } - }, - "ml_job_metrics": { - "type": "array", - "items": { - "properties": { - "job_id": { - "type": "keyword", - "_meta": { - "description": "Identifier for the anomaly detection job" - } - }, - "open_time": { - "type": "keyword", - "_meta": { - "description": "For open jobs only, the elapsed time for which the job has been open" - } - }, - "create_time": { - "type": "keyword", - "_meta": { - "description": "The time the job was created" - } - }, - "finished_time": { - "type": "keyword", - "_meta": { - "description": "If the job closed or failed, this is the time the job finished" - } - }, - "state": { - "type": "keyword", - "_meta": { - "description": "The status of the anomaly detection job" - } - }, - "data_counts": { - "properties": { - 
"bucket_count": { - "type": "long", - "_meta": { - "description": "The number of buckets processed" - } - }, - "empty_bucket_count": { - "type": "long", - "_meta": { - "description": "The number of buckets which did not contain any data" - } - }, - "input_bytes": { - "type": "long", - "_meta": { - "description": "The number of bytes of input data posted to the anomaly detection job" - } - }, - "input_record_count": { - "type": "long", - "_meta": { - "description": "The number of input documents posted to the anomaly detection job" - } - }, - "last_data_time": { - "type": "long", - "_meta": { - "description": "The timestamp at which data was last analyzed, according to server time" - } - }, - "processed_record_count": { - "type": "long", - "_meta": { - "description": "The number of input documents that have been processed by the anomaly detection job" - } - } - } - }, - "model_size_stats": { - "properties": { - "bucket_allocation_failures_count": { - "type": "long", - "_meta": { - "description": "The number of buckets for which new entities in incoming data were not processed due to insufficient model memory" - } - }, - "model_bytes": { - "type": "long", - "_meta": { - "description": "The number of bytes of memory used by the models" - } - }, - "model_bytes_exceeded": { - "type": "long", - "_meta": { - "description": "The number of bytes over the high limit for memory usage at the last allocation failure" - } - }, - "model_bytes_memory_limit": { - "type": "long", - "_meta": { - "description": "The upper limit for model memory usage, checked on increasing values" - } - }, - "peak_model_bytes": { - "type": "long", - "_meta": { - "description": "The peak number of bytes of memory ever used by the models" - } - } - } - }, - "timing_stats": { - "properties": { - "bucket_count": { - "type": "long", - "_meta": { - "description": "The number of buckets processed" - } - }, - "exponential_average_bucket_processing_time_ms": { - "type": "long", - "_meta": { - "description": 
"Exponential moving average of all bucket processing times, in milliseconds" - } - }, - "exponential_average_bucket_processing_time_per_hour_ms": { - "type": "long", - "_meta": { - "description": "Exponentially-weighted moving average of bucket processing times calculated in a 1 hour time window, in milliseconds" - } - }, - "maximum_bucket_processing_time_ms": { - "type": "long", - "_meta": { - "description": "Maximum among all bucket processing times, in milliseconds" - } - }, - "minimum_bucket_processing_time_ms": { - "type": "long", - "_meta": { - "description": "Minimum among all bucket processing times, in milliseconds" - } - }, - "total_bucket_processing_time_ms": { - "type": "long", - "_meta": { - "description": "Sum of all bucket processing times, in milliseconds" - } - } - } - }, - "datafeed": { - "properties": { - "datafeed_id": { - "type": "keyword", - "_meta": { - "description": "A numerical character string that uniquely identifies the datafeed" - } - }, - "state": { - "type": "keyword", - "_meta": { - "description": "The status of the datafeed" - } - }, - "timing_stats": { - "properties": { - "average_search_time_per_bucket_ms": { - "type": "long", - "_meta": { - "description": "The average search time per bucket, in milliseconds" - } - }, - "bucket_count": { - "type": "long", - "_meta": { - "description": "The number of buckets processed" - } - }, - "exponential_average_search_time_per_hour_ms": { - "type": "long", - "_meta": { - "description": "The exponential average search time per hour, in milliseconds" - } - }, - "search_count": { - "type": "long", - "_meta": { - "description": "The number of searches run by the datafeed" - } - }, - "total_search_time_ms": { - "type": "long", - "_meta": { - "description": "The total time the datafeed spent searching, in milliseconds" - } - } - } - } - } - } - } - } - } - } - }, - "legacy_siem_signals": { - "properties": { - "non_migrated_indices_total": { - "type": "long", - "_meta": { - "description": "Total 
number of non migrated legacy siem signals indices" - } - }, - "spaces_total": { - "type": "long", - "_meta": { - "description": "Total number of Kibana spaces that have non migrated legacy siem signals indices" - } - } - } - } - } - }, - "endpointMetrics": { - "properties": { - "unique_endpoint_count": { - "type": "long", - "_meta": { - "description": "Number of active unique endpoints in last 24 hours" - } - } - } - }, - "dashboardMetrics": { - "properties": { - "dashboard_tag": { - "properties": { - "created_at": { - "type": "keyword", - "_meta": { - "description": "The time the tab was created" - } - }, - "linked_dashboards_count": { - "type": "long", - "_meta": { - "description": "Number of associated dashboards" - } - } - } - }, - "dashboards": { - "type": "array", - "items": { - "properties": { - "created_at": { - "type": "keyword", - "_meta": { - "description": "The time the dashboard was created" - } - }, - "dashboard_id": { - "type": "keyword", - "_meta": { - "description": "The dashboard saved object id" - } - }, - "error_message": { - "type": "keyword", - "_meta": { - "description": "The relevant error message" - } - }, - "error_status_code": { - "type": "long", - "_meta": { - "description": "The relevant error status code" - } - } - } - } - } - } - }, - "riskEngineMetrics": { - "properties": { - "unique_user_risk_score_total": { - "type": "long", - "_meta": { - "description": "Total unique user risk scores" - } - }, - "unique_host_risk_score_total": { - "type": "long", - "_meta": { - "description": "Total unique host risk scores" - } - }, - "unique_user_risk_score_day": { - "type": "long", - "_meta": { - "description": "Unique user risk scores per day" - } - }, - "unique_host_risk_score_day": { - "type": "long", - "_meta": { - "description": "Unique host risk scores per day" - } - }, - "all_host_risk_scores_total": { - "type": "long", - "_meta": { - "description": "Total number of host risk score records" - } - }, - "all_user_risk_scores_total": { - 
"type": "long", - "_meta": { - "description": "Total number of user risk score records" - } - }, - "all_host_risk_scores_total_day": { - "type": "long", - "_meta": { - "description": "Number of host risk score records per day" - } - }, - "all_user_risk_scores_total_day": { - "type": "long", - "_meta": { - "description": "Number of user risk score records per day" - } - }, - "all_risk_scores_index_size": { - "type": "long", - "_meta": { - "description": "Total size of the all Risk Score indices (MB)" - } - }, - "unique_risk_scores_index_size": { - "type": "long", - "_meta": { - "description": "Total size of the unique Risk Score indices (MB)" - } - } - } - } - } - }, "slo": { "properties": { "slo": { diff --git a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_security.json b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_security.json index d5b0514b64918..e777c123fdeba 100644 --- a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_security.json +++ b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_security.json 
@@ -1,3 +1,4415 @@ { - "properties": {} + "properties": { + "security_solution": { + "properties": { + "detectionMetrics": { + "properties": { + "detection_rules": { + "properties": { + "detection_rule_usage": { + "properties": { + "query": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of query rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of query rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by query rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to query detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled query rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled query rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of query rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of query rules configured with two 
suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of query rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of query rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of query rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of query rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of query rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "threshold": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of threshold rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of threshold rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by threshold rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to threshold detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation 
fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled threshold rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled threshold rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "eql": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of eql rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of eql rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by eql rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to eql detection rule alerts" + } + }, 
+ "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled eql rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled eql rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + 
"description": "Number of eql rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "machine_learning": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by machine_learning rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to machine_learning detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled machine_learning rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled machine_learning rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with two suppression field" 
+ } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "threat_match": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by threat_match rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to threat_match detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": 
"Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled threat_match rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled threat_match rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "new_terms": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by new_terms rules" + } + }, + "cases": { + "type": 
"long", + "_meta": { + "description": "Number of cases attached to new_terms detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled new_terms rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled new_terms rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": 
"Number of new_terms rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of new_terms rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "esql": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of esql rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of esql rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by esql rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to esql detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled esql rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled esql rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of esql rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": 
"Number of esql rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of esql rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of esql rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of esql rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of esql rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of esql rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "elastic_total": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of elastic rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of elastic rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by elastic rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to elastic detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules 
using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled elastic rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled elastic rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of elastic rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of elastic rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of elastic rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of elastic rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of elastic rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of elastic rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of elastic rules configured do not suppress alerts with missing fields" + } + } + } + } + } + }, + "custom_total": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of custom rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of custom rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by custom rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to 
custom detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled custom rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of custom rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of custom rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of custom rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of custom rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of custom rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom rules configured to suppress alerts with missing fields" + } + }, + 
"does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom rules configured do not suppress alerts with missing fields" + } + } + } + } + } + } + } + }, + "detection_rule_detail": { + "type": "array", + "items": { + "properties": { + "rule_name": { + "type": "keyword", + "_meta": { + "description": "The name of the detection rule" + } + }, + "rule_id": { + "type": "keyword", + "_meta": { + "description": "The UUID id of the detection rule" + } + }, + "rule_type": { + "type": "keyword", + "_meta": { + "description": "The type of detection rule. ie eql, query..." + } + }, + "rule_version": { + "type": "long", + "_meta": { + "description": "The version of the rule" + } + }, + "enabled": { + "type": "boolean", + "_meta": { + "description": "If the detection rule has been enabled by the user" + } + }, + "elastic_rule": { + "type": "boolean", + "_meta": { + "description": "If the detection rule has been authored by Elastic" + } + }, + "created_on": { + "type": "keyword", + "_meta": { + "description": "When the detection rule was created on the cluster" + } + }, + "updated_on": { + "type": "keyword", + "_meta": { + "description": "When the detection rule was updated on the cluster" + } + }, + "alert_count_daily": { + "type": "long", + "_meta": { + "description": "The number of daily alerts generated by a rule" + } + }, + "cases_count_total": { + "type": "long", + "_meta": { + "description": "The number of total cases generated by a rule" + } + }, + "has_legacy_notification": { + "type": "boolean", + "_meta": { + "description": "True if this rule has a legacy notification" + } + }, + "has_notification": { + "type": "boolean", + "_meta": { + "description": "True if this rule has a notification" + } + } + } + } + }, + "detection_rule_status": { + "properties": { + "all_rules": { + "properties": { + "eql": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + 
"top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + 
"_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "threat_match": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + 
"_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "machine_learning": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": 
{ + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "query": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + 
"description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "saved_query": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": 
"The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "threshold": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { 
+ "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "total": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "succeeded": { + "type": "long", + "_meta": { + 
"description": "The number of succeeded rules" + } + } + } + } + } + }, + "elastic_rules": { + "properties": { + "eql": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + 
"gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "threat_match": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + 
"enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "machine_learning": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + 
"search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "query": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + 
"index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "saved_query": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + 
"type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "threshold": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + 
"_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "total": { + "properties": { + 
"failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of succeeded rules" + } + } + } + } + } + }, + "custom_rules": { + "properties": { + "eql": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": 
{ + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "threat_match": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": 
"float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "machine_learning": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": 
"float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "query": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" 
+ } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "saved_query": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + 
} + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "threshold": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The 
number of failed rules" + } + }, + "top_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "top_partial_failures": { + "type": "array", + "items": { + "properties": { + "message": { + "type": "keyword", + "_meta": { + "description": "Failed rule message" + } + }, + "count": { + "type": "long", + "_meta": { + "description": "Number of times the message occurred" + } + } + } + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of successful rules" + } + }, + "index_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "search_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "enrichment_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, + "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_duration": { + "properties": { + "max": { + "type": "float", + "_meta": { + "description": "The max duration" + } + }, + "avg": { + "type": "float", + "_meta": { + "description": "The avg duration" + } + }, 
+ "min": { + "type": "float", + "_meta": { + "description": "The min duration" + } + } + } + }, + "gap_count": { + "type": "long", + "_meta": { + "description": "The count of gaps" + } + } + } + }, + "total": { + "properties": { + "failures": { + "type": "long", + "_meta": { + "description": "The number of failed rules" + } + }, + "partial_failures": { + "type": "long", + "_meta": { + "description": "The number of partial failure rules" + } + }, + "succeeded": { + "type": "long", + "_meta": { + "description": "The number of succeeded rules" + } + } + } + } + } + } + } + } + } + }, + "ml_jobs": { + "properties": { + "ml_job_usage": { + "properties": { + "custom": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "The number of custom ML jobs rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "The number of custom ML jobs rules disabled" + } + } + } + }, + "elastic": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "The number of elastic provided ML jobs rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "The number of elastic provided ML jobs rules disabled" + } + } + } + } + } + }, + "ml_job_metrics": { + "type": "array", + "items": { + "properties": { + "job_id": { + "type": "keyword", + "_meta": { + "description": "Identifier for the anomaly detection job" + } + }, + "open_time": { + "type": "keyword", + "_meta": { + "description": "For open jobs only, the elapsed time for which the job has been open" + } + }, + "create_time": { + "type": "keyword", + "_meta": { + "description": "The time the job was created" + } + }, + "finished_time": { + "type": "keyword", + "_meta": { + "description": "If the job closed or failed, this is the time the job finished" + } + }, + "state": { + "type": "keyword", + "_meta": { + "description": "The status of the anomaly detection job" + } + }, + "data_counts": { + "properties": { + 
"bucket_count": { + "type": "long", + "_meta": { + "description": "The number of buckets processed" + } + }, + "empty_bucket_count": { + "type": "long", + "_meta": { + "description": "The number of buckets which did not contain any data" + } + }, + "input_bytes": { + "type": "long", + "_meta": { + "description": "The number of bytes of input data posted to the anomaly detection job" + } + }, + "input_record_count": { + "type": "long", + "_meta": { + "description": "The number of input documents posted to the anomaly detection job" + } + }, + "last_data_time": { + "type": "long", + "_meta": { + "description": "The timestamp at which data was last analyzed, according to server time" + } + }, + "processed_record_count": { + "type": "long", + "_meta": { + "description": "The number of input documents that have been processed by the anomaly detection job" + } + } + } + }, + "model_size_stats": { + "properties": { + "bucket_allocation_failures_count": { + "type": "long", + "_meta": { + "description": "The number of buckets for which new entities in incoming data were not processed due to insufficient model memory" + } + }, + "model_bytes": { + "type": "long", + "_meta": { + "description": "The number of bytes of memory used by the models" + } + }, + "model_bytes_exceeded": { + "type": "long", + "_meta": { + "description": "The number of bytes over the high limit for memory usage at the last allocation failure" + } + }, + "model_bytes_memory_limit": { + "type": "long", + "_meta": { + "description": "The upper limit for model memory usage, checked on increasing values" + } + }, + "peak_model_bytes": { + "type": "long", + "_meta": { + "description": "The peak number of bytes of memory ever used by the models" + } + } + } + }, + "timing_stats": { + "properties": { + "bucket_count": { + "type": "long", + "_meta": { + "description": "The number of buckets processed" + } + }, + "exponential_average_bucket_processing_time_ms": { + "type": "long", + "_meta": { + "description": 
"Exponential moving average of all bucket processing times, in milliseconds" + } + }, + "exponential_average_bucket_processing_time_per_hour_ms": { + "type": "long", + "_meta": { + "description": "Exponentially-weighted moving average of bucket processing times calculated in a 1 hour time window, in milliseconds" + } + }, + "maximum_bucket_processing_time_ms": { + "type": "long", + "_meta": { + "description": "Maximum among all bucket processing times, in milliseconds" + } + }, + "minimum_bucket_processing_time_ms": { + "type": "long", + "_meta": { + "description": "Minimum among all bucket processing times, in milliseconds" + } + }, + "total_bucket_processing_time_ms": { + "type": "long", + "_meta": { + "description": "Sum of all bucket processing times, in milliseconds" + } + } + } + }, + "datafeed": { + "properties": { + "datafeed_id": { + "type": "keyword", + "_meta": { + "description": "A numerical character string that uniquely identifies the datafeed" + } + }, + "state": { + "type": "keyword", + "_meta": { + "description": "The status of the datafeed" + } + }, + "timing_stats": { + "properties": { + "average_search_time_per_bucket_ms": { + "type": "long", + "_meta": { + "description": "The average search time per bucket, in milliseconds" + } + }, + "bucket_count": { + "type": "long", + "_meta": { + "description": "The number of buckets processed" + } + }, + "exponential_average_search_time_per_hour_ms": { + "type": "long", + "_meta": { + "description": "The exponential average search time per hour, in milliseconds" + } + }, + "search_count": { + "type": "long", + "_meta": { + "description": "The number of searches run by the datafeed" + } + }, + "total_search_time_ms": { + "type": "long", + "_meta": { + "description": "The total time the datafeed spent searching, in milliseconds" + } + } + } + } + } + } + } + } + } + } + }, + "legacy_siem_signals": { + "properties": { + "non_migrated_indices_total": { + "type": "long", + "_meta": { + "description": "Total 
number of non migrated legacy siem signals indices" + } + }, + "spaces_total": { + "type": "long", + "_meta": { + "description": "Total number of Kibana spaces that have non migrated legacy siem signals indices" + } + } + } + } + } + }, + "endpointMetrics": { + "properties": { + "unique_endpoint_count": { + "type": "long", + "_meta": { + "description": "Number of active unique endpoints in last 24 hours" + } + } + } + }, + "dashboardMetrics": { + "properties": { + "dashboard_tag": { + "properties": { + "created_at": { + "type": "keyword", + "_meta": { + "description": "The time the tab was created" + } + }, + "linked_dashboards_count": { + "type": "long", + "_meta": { + "description": "Number of associated dashboards" + } + } + } + }, + "dashboards": { + "type": "array", + "items": { + "properties": { + "created_at": { + "type": "keyword", + "_meta": { + "description": "The time the dashboard was created" + } + }, + "dashboard_id": { + "type": "keyword", + "_meta": { + "description": "The dashboard saved object id" + } + }, + "error_message": { + "type": "keyword", + "_meta": { + "description": "The relevant error message" + } + }, + "error_status_code": { + "type": "long", + "_meta": { + "description": "The relevant error status code" + } + } + } + } + } + } + }, + "riskEngineMetrics": { + "properties": { + "unique_user_risk_score_total": { + "type": "long", + "_meta": { + "description": "Total unique user risk scores" + } + }, + "unique_host_risk_score_total": { + "type": "long", + "_meta": { + "description": "Total unique host risk scores" + } + }, + "unique_user_risk_score_day": { + "type": "long", + "_meta": { + "description": "Unique user risk scores per day" + } + }, + "unique_host_risk_score_day": { + "type": "long", + "_meta": { + "description": "Unique host risk scores per day" + } + }, + "all_host_risk_scores_total": { + "type": "long", + "_meta": { + "description": "Total number of host risk score records" + } + }, + "all_user_risk_scores_total": { + 
"type": "long", + "_meta": { + "description": "Total number of user risk score records" + } + }, + "all_host_risk_scores_total_day": { + "type": "long", + "_meta": { + "description": "Number of host risk score records per day" + } + }, + "all_user_risk_scores_total_day": { + "type": "long", + "_meta": { + "description": "Number of user risk score records per day" + } + }, + "all_risk_scores_index_size": { + "type": "long", + "_meta": { + "description": "Total size of the all Risk Score indices (MB)" + } + }, + "unique_risk_scores_index_size": { + "type": "long", + "_meta": { + "description": "Total size of the unique Risk Score indices (MB)" + } + } + } + } + } + } + } }