From 7c16e1db85db68a4c38d6191801dc81649f7babd Mon Sep 17 00:00:00 2001 From: Patryk Kopycinski Date: Thu, 24 Sep 2020 12:54:32 +0200 Subject: [PATCH 1/4] [Security Solution] Cleanup graphql --- .../common/ecs/network/index.ts | 5 - .../security_solution/network/common/index.ts | 11 + .../components/event_details/json_view.tsx | 6 +- .../common/components/event_details/types.ts | 4 +- .../components/last_event_time/index.test.tsx | 10 +- .../components/last_event_time/index.tsx | 3 +- .../components/matrix_histogram/utils.test.ts | 4 +- .../components/matrix_histogram/utils.ts | 6 +- .../last_event_time.gql_query.ts | 29 - .../containers/events/last_event_time/mock.ts | 52 +- .../matrix_histogram/index.gql_query.ts | 41 - .../public/common/mock/mock_detail_item.ts | 4 +- .../public/common/mock/timeline_results.ts | 11 +- .../components/alerts_table/actions.test.tsx | 15 + .../components/alerts_table/actions.tsx | 31 +- .../components/alerts_table/helpers.ts | 13 +- .../investigate_in_timeline_action.tsx | 14 +- .../components/alerts_table/types.ts | 2 + .../public/graphql/introspection.json | 10565 ++++++---------- .../security_solution/public/graphql/types.ts | 4284 ++----- .../authentications/index.gql_query.ts | 74 - .../kpi_host_details/index.gql_query.tsx | 52 - .../containers/kpi_host_details/index.tsx | 93 - .../containers/kpi_hosts/index.gql_query.ts | 52 - .../public/hosts/pages/details/index.tsx | 3 +- .../public/hosts/pages/hosts.tsx | 2 +- .../network/components/direction/index.tsx | 2 +- .../__snapshots__/index.test.tsx.snap | 2 +- .../components/network_dns_table/columns.tsx | 2 +- .../network_dns_table/index.test.tsx | 26 +- .../components/network_dns_table/index.tsx | 216 +- .../components/network_dns_table/mock.ts | 345 +- .../network_http_table/index.test.tsx | 26 +- .../components/network_http_table/mock.ts | 144 +- .../__snapshots__/index.test.tsx.snap | 12 +- .../network_top_n_flow_table/columns.tsx | 2 +- .../network_top_n_flow_table/index.test.tsx | 40 +- .../network_top_n_flow_table/index.tsx | 83 +- .../network_top_n_flow_table/mock.ts | 130 +- .../containers/kpi_network/index.gql_query.ts | 44 - .../containers/network_dns/index.gql_query.ts | 58 - .../network/containers/network_dns/index.tsx | 2 +- .../network_http/index.gql_query.ts | 57 - .../network/containers/network_http/index.tsx | 3 +- .../network_top_countries/index.gql_query.ts | 68 - .../network_top_n_flow/index.gql_query.ts | 98 - .../public/network/pages/details/index.tsx | 4 +- .../public/network/pages/network.tsx | 2 +- .../components/timeline/footer/index.test.tsx | 39 +- .../components/timeline/footer/mock.ts | 86 - .../containers/details/index.gql_query.ts | 33 - .../timelines/containers/index.gql_query.ts | 375 - .../server/graphql/authentications/index.ts | 8 - .../graphql/authentications/resolvers.ts | 35 - .../graphql/authentications/schema.gql.ts | 47 - .../server/graphql/events/index.ts | 8 - .../server/graphql/events/resolvers.ts | 105 - .../server/graphql/events/schema.gql.ts | 95 - .../security_solution/server/graphql/index.ts | 12 - .../server/graphql/kpi_hosts/index.ts | 8 - .../server/graphql/kpi_hosts/resolvers.ts | 45 - .../server/graphql/kpi_hosts/schema.gql.ts | 56 - .../server/graphql/kpi_network/index.ts | 8 - .../server/graphql/kpi_network/resolvers.ts | 35 - .../server/graphql/kpi_network/schema.gql.ts | 35 - .../server/graphql/matrix_histogram/index.ts | 8 - .../graphql/matrix_histogram/resolvers.ts | 39 - .../graphql/matrix_histogram/schema.gql.ts | 39 - .../server/graphql/network/index.ts | 8 - .../server/graphql/network/resolvers.ts | 83 - .../server/graphql/network/schema.gql.ts | 253 - .../security_solution/server/graphql/types.ts | 9372 +++++--------- .../security_solution/server/init_server.ts | 13 - .../elasticsearch_adapter.test.ts | 135 - .../authentications/elasticsearch_adapter.ts | 119 - .../server/lib/authentications/index.ts | 21 - .../server/lib/authentications/query.dsl.ts | 121 - .../server/lib/authentications/types.ts | 62 - .../server/lib/compose/kibana.ts | 15 - .../lib/events/elasticsearch_adapter.test.ts | 549 - .../lib/events/elasticsearch_adapter.ts | 264 - .../server/lib/events/index.ts | 40 - .../server/lib/events/mock.ts | 3412 ----- .../server/lib/events/query.dsl.ts | 104 - .../lib/events/query.last_event_time.dsl.ts | 91 - .../server/lib/events/types.ts | 97 - .../server/lib/framework/types.ts | 7 - .../kpi_hosts/elasticsearch_adapter.test.ts | 282 - .../lib/kpi_hosts/elasticsearch_adapter.ts | 205 - .../server/lib/kpi_hosts/helpers.test.ts | 21 - .../server/lib/kpi_hosts/helpers.ts | 11 - .../server/lib/kpi_hosts/index.ts | 28 - .../server/lib/kpi_hosts/mock.ts | 606 - .../query_authentication.dsl.test.ts | 30 - .../lib/kpi_hosts/query_authentication.dsl.ts | 105 - .../server/lib/kpi_hosts/query_hosts.dsl.ts | 69 - .../kpi_hosts/query_unique_ips.dsl.test.ts | 24 - .../lib/kpi_hosts/query_unique_ips.dsl.ts | 87 - .../server/lib/kpi_hosts/types.ts | 126 - .../lib/kpi_network/elastic_adapter.test.ts | 147 - .../lib/kpi_network/elasticsearch_adapter.ts | 113 - .../server/lib/kpi_network/helpers.ts | 25 - .../server/lib/kpi_network/index.ts | 21 - .../server/lib/kpi_network/mock.ts | 335 - .../server/lib/kpi_network/query_dns.dsl.ts | 78 - .../lib/kpi_network/query_network_events.ts | 52 - .../kpi_network/query_tls_handshakes.dsl.ts | 78 - .../lib/kpi_network/query_unique_flow.ts | 59 - .../query_unique_private_ips.dsl.ts | 108 - .../server/lib/kpi_network/types.ts | 50 - .../matrix_histogram/elasticsearch_adapter.ts | 81 - .../elasticseatch_adapter.test.ts | 56 - .../server/lib/matrix_histogram/index.ts | 21 - .../server/lib/matrix_histogram/mock.ts | 118 - .../query.anomalies_over_time.dsl.ts | 78 - .../query.authentications_over_time.dsl.ts | 92 - .../query.events_over_time.dsl.ts | 93 - .../lib/matrix_histogram/query_alerts.dsl.ts | 121 - .../query_dns_histogram.dsl.ts | 84 - .../lib/matrix_histogram/translations.ts | 14 - .../server/lib/matrix_histogram/types.ts | 144 - .../server/lib/matrix_histogram/utils.ts | 50 - .../elastic_adapter.test.ts.snap | 1366 -- .../lib/network/elastic_adapter.test.ts | 171 - .../lib/network/elasticsearch_adapter.ts | 361 - .../server/lib/network/index.ts | 77 - .../server/lib/network/mock.ts | 1675 --- .../server/lib/network/query_dns.dsl.ts | 134 - .../server/lib/network/query_http.dsl.ts | 116 - .../lib/network/query_top_countries.dsl.ts | 153 - .../lib/network/query_top_n_flow.dsl.ts | 194 - .../server/lib/network/types.ts | 165 - .../security_solution/server/lib/types.ts | 12 - .../apis/security_solution/index.js | 10 +- .../security_solution/kpi_host_details.ts | 2 + .../apis/security_solution/kpi_hosts.ts | 2 + .../apis/security_solution/kpi_network.ts | 2 + .../apis/security_solution/timeline.ts | 2 + .../security_solution/timeline_details.ts | 3 + 139 files changed, 8595 insertions(+), 32096 deletions(-) delete mode 100644 x-pack/plugins/security_solution/public/common/containers/events/last_event_time/last_event_time.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/common/containers/matrix_histogram/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/hosts/containers/authentications/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.gql_query.tsx delete mode 100644 x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.tsx delete mode 100644 x-pack/plugins/security_solution/public/hosts/containers/kpi_hosts/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/network/containers/kpi_network/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/network/containers/network_dns/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/network/containers/network_http/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/network/containers/network_top_n_flow/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/timelines/components/timeline/footer/mock.ts delete mode 100644 x-pack/plugins/security_solution/public/timelines/containers/details/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/public/timelines/containers/index.gql_query.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/authentications/index.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/authentications/resolvers.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/authentications/schema.gql.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/events/index.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/events/resolvers.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/events/schema.gql.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/kpi_hosts/index.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/kpi_hosts/resolvers.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/kpi_hosts/schema.gql.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/kpi_network/index.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/kpi_network/resolvers.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/kpi_network/schema.gql.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/matrix_histogram/index.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/matrix_histogram/resolvers.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/matrix_histogram/schema.gql.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/network/index.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/network/resolvers.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/network/schema.gql.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/authentications/index.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/authentications/query.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/authentications/types.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/events/index.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/events/mock.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/events/query.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/events/query.last_event_time.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/events/types.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/index.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/mock.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/query_hosts.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_hosts/types.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/elastic_adapter.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/elasticsearch_adapter.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/helpers.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/index.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/mock.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/query_dns.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/query_network_events.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/query_tls_handshakes.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_flow.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_private_ips.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/kpi_network/types.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticsearch_adapter.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticseatch_adapter.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/index.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/mock.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/query.anomalies_over_time.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/query.events_over_time.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/query_alerts.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/query_dns_histogram.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/translations.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/types.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/matrix_histogram/utils.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/__snapshots__/elastic_adapter.test.ts.snap delete mode 100644 x-pack/plugins/security_solution/server/lib/network/elastic_adapter.test.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/elasticsearch_adapter.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/index.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/mock.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/query_dns.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/query_http.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/query_top_countries.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/query_top_n_flow.dsl.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/network/types.ts diff --git a/x-pack/plugins/security_solution/common/ecs/network/index.ts b/x-pack/plugins/security_solution/common/ecs/network/index.ts index c2fc3cb4b9f48..18f7583d12231 100644 --- a/x-pack/plugins/security_solution/common/ecs/network/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/network/index.ts @@ -6,14 +6,9 @@ export interface NetworkEcs { bytes?: number[]; - community_id?: string[]; - direction?: string[]; - packets?: number[]; - protocol?: string[]; - transport?: string[]; } diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/common/index.ts index 19521741c5f66..b557755b07a03 100644 --- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/common/index.ts +++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/common/index.ts @@ -7,6 +7,17 @@ import { GeoEcs } from '../../../../ecs/geo'; import { Maybe } from '../../..'; +export enum NetworkDirectionEcs { + inbound = 'inbound', + outbound = 'outbound', + internal = 'internal', + external = 'external', + incoming = 'incoming', + outgoing = 'outgoing', + listening = 'listening', + unknown = 'unknown', +} + export enum NetworkTopTablesFields { bytes_in = 'bytes_in', bytes_out = 'bytes_out', diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/json_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/json_view.tsx index 1b8177b2038ae..168fe6e65564d 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/json_view.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/json_view.tsx @@ -9,11 +9,11 @@ import { set } from '@elastic/safer-lodash-set/fp'; import React from 'react'; import styled from 'styled-components'; -import { DetailItem } from '../../../graphql/types'; +import { TimelineEventsDetailsItem } from '../../../../common/search_strategy'; import { omitTypenameAndEmpty } from '../../../timelines/components/timeline/body/helpers'; interface Props { - data: DetailItem[]; + data: TimelineEventsDetailsItem[]; } const JsonEditor = styled.div` @@ -40,5 +40,5 @@ export const JsonView = React.memo(({ data }) => ( JsonView.displayName = 'JsonView'; -export const buildJsonView = (data: DetailItem[]) => +export const buildJsonView = (data: TimelineEventsDetailsItem[]) => data.reduce((accumulator, item) => set(item.field, item.originalValue, accumulator), {}); diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/types.ts b/x-pack/plugins/security_solution/public/common/components/event_details/types.ts index db53f411fa518..ed27a57745787 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/types.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/types.ts @@ -5,6 +5,6 @@ */ import { BrowserField } from '../../containers/source'; -import { DetailItem } from '../../../graphql/types'; +import { TimelineEventsDetailsItem } from '../../../../common/search_strategy'; -export type EventFieldsData = BrowserField & DetailItem; +export type EventFieldsData = BrowserField & TimelineEventsDetailsItem; diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx index c2800b0705b43..cc0c4d4c837a3 100644 --- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx @@ -7,7 +7,7 @@ import React from 'react'; import { getEmptyValue } from '../empty_value'; -import { LastEventIndexKey } from '../../../graphql/types'; +import { LastEventIndexKey } from '../../../../common/search_strategy'; import { mockLastEventTimeQuery } from '../../containers/events/last_event_time/mock'; import { useMountAppended } from '../../utils/use_mount_appended'; @@ -48,8 +48,8 @@ describe('Last Event Time Stat', () => { (useTimelineLastEventTime as jest.Mock).mockReturnValue([ false, { - lastSeen: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.lastSeen, - errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage, + lastSeen: mockLastEventTimeQuery.lastSeen, + errorMessage: mockLastEventTimeQuery.errorMessage, }, ]); const wrapper = mount( @@ -64,7 +64,7 @@ describe('Last Event Time Stat', () => { false, { lastSeen: 'something-invalid', - errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage, + errorMessage: mockLastEventTimeQuery.errorMessage, }, ]); const wrapper = mount( @@ -80,7 +80,7 @@ describe('Last Event Time Stat', () => { false, { lastSeen: null, - errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage, + errorMessage: mockLastEventTimeQuery.errorMessage, }, ]); const wrapper = mount( diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx index d508040f84239..fe827b3ab324c 100644 --- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx @@ -8,8 +8,7 @@ import { EuiIcon, EuiLoadingSpinner, EuiToolTip } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; import React, { memo } from 'react'; -import { DocValueFields } from '../../../../common/search_strategy'; -import { LastEventIndexKey } from '../../../graphql/types'; +import { DocValueFields, LastEventIndexKey } from '../../../../common/search_strategy'; import { useTimelineLastEventTime } from '../../containers/events/last_event_time'; import { getEmptyTagValue } from '../empty_value'; import { FormattedRelativePreferenceDate } from '../formatted_date'; diff --git a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.test.ts b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.test.ts index 7a3f44d3ea729..03fa55a3c9fa6 100644 --- a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.test.ts +++ b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.test.ts @@ -13,7 +13,7 @@ import { } from './utils'; import { UpdateDateRange } from '../charts/common'; import { Position } from '@elastic/charts'; -import { MatrixOverTimeHistogramData } from '../../../graphql/types'; +import { MatrixHistogramData } from '../../../../common/search_strategy'; import { BarchartConfigs } from './types'; describe('utils', () => { @@ -77,7 +77,7 @@ describe('utils', () => { describe('formatToChartDataItem', () => { test('it should format data correctly', () => { - const data: [string, MatrixOverTimeHistogramData[]] = [ + const data: [string, MatrixHistogramData[]] = [ 'g1', [ { x: 1, y: 2, g: 'g1' }, diff --git a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.ts b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.ts index 9474929d35a51..5b5b56cf0ec45 100644 --- a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.ts +++ b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/utils.ts @@ -8,7 +8,7 @@ import { get, groupBy, map, toPairs } from 'lodash/fp'; import { UpdateDateRange, ChartSeriesData } from '../charts/common'; import { MatrixHistogramMappingTypes, BarchartConfigs } from './types'; -import { MatrixOverTimeHistogramData } from '../../../graphql/types'; +import { MatrixHistogramData } from '../../../../common/search_strategy'; import { histogramDateTimeFormatter } from '../utils'; interface GetBarchartConfigsProps { @@ -84,14 +84,14 @@ export const defaultLegendColors = [ export const formatToChartDataItem = ([key, value]: [ string, - MatrixOverTimeHistogramData[] + MatrixHistogramData[] ]): ChartSeriesData => ({ key, value, }); export const getCustomChartData = ( - data: MatrixOverTimeHistogramData[] | null, + data: MatrixHistogramData[] | null, mapping?: MatrixHistogramMappingTypes ): ChartSeriesData[] => { if (!data) return []; diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/last_event_time.gql_query.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/last_event_time.gql_query.ts deleted file mode 100644 index 36305ef0dc882..0000000000000 --- a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/last_event_time.gql_query.ts +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const LastEventTimeGqlQuery = gql` - query GetLastEventTimeQuery( - $sourceId: ID! - $indexKey: LastEventIndexKey! - $details: LastTimeDetails! - $defaultIndex: [String!]! - $docValueFields: [docValueFieldsInput!]! - ) { - source(id: $sourceId) { - id - LastEventTime( - indexKey: $indexKey - details: $details - defaultIndex: $defaultIndex - docValueFields: $docValueFields - ) { - lastSeen - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/mock.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/mock.ts index bdeb1db4e1b28..208c03b453e04 100644 --- a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/mock.ts +++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/mock.ts @@ -4,28 +4,9 @@ * you may not use this file except in compliance with the Elastic License. */ -import { DEFAULT_INDEX_PATTERN } from '../../../../../common/constants'; -import { GetLastEventTimeQuery, LastEventIndexKey } from '../../../../graphql/types'; - -import { LastEventTimeGqlQuery } from './last_event_time.gql_query'; - interface MockLastEventTimeQuery { - request: { - query: GetLastEventTimeQuery.Query; - variables: GetLastEventTimeQuery.Variables; - }; - result: { - data?: { - source: { - id: string; - LastEventTime: { - lastSeen: string | null; - errorMessage: string | null; - }; - }; - }; - errors?: [{ message: string }]; - }; + lastSeen: string | null; + errorMessage: string | null; } const getTimeTwelveMinutesAgo = () => { @@ -35,28 +16,7 @@ const getTimeTwelveMinutesAgo = () => { return new Date(twelveMinutes).toISOString(); }; -export const mockLastEventTimeQuery: MockLastEventTimeQuery[] = [ - { - request: { - query: LastEventTimeGqlQuery, - variables: { - sourceId: 'default', - indexKey: LastEventIndexKey.hosts, - details: {}, - defaultIndex: DEFAULT_INDEX_PATTERN, - docValueFields: [], - }, - }, - result: { - data: { - source: { - id: 'default', - LastEventTime: { - lastSeen: getTimeTwelveMinutesAgo(), - errorMessage: null, - }, - }, - }, - }, - }, -]; +export const mockLastEventTimeQuery: MockLastEventTimeQuery = { + lastSeen: getTimeTwelveMinutesAgo(), + errorMessage: null, +}; diff --git a/x-pack/plugins/security_solution/public/common/containers/matrix_histogram/index.gql_query.ts b/x-pack/plugins/security_solution/public/common/containers/matrix_histogram/index.gql_query.ts deleted file mode 100644 index 6fb729ca7e9a0..0000000000000 --- a/x-pack/plugins/security_solution/public/common/containers/matrix_histogram/index.gql_query.ts +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const MatrixHistogramGqlQuery = gql` - query GetMatrixHistogramQuery( - $defaultIndex: [String!]! - $filterQuery: String - $histogramType: HistogramType! - $inspect: Boolean! - $sourceId: ID! - $stackByField: String! - $timerange: TimerangeInput! - ) { - source(id: $sourceId) { - id - MatrixHistogram( - timerange: $timerange - filterQuery: $filterQuery - defaultIndex: $defaultIndex - stackByField: $stackByField - histogramType: $histogramType - ) { - matrixHistogramData { - x - y - g - } - totalCount - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts b/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts index 2395010a0ba2e..c5d881c540eec 100644 --- a/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts +++ b/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts @@ -4,11 +4,11 @@ * you may not use this file except in compliance with the Elastic License. */ -import { DetailItem } from '../../graphql/types'; +import { TimelineEventsDetailsItem } from '../../../common/search_strategy'; export const mockDetailItemDataId = 'Y-6TfmcB0WOhS6qyMv3s'; -export const mockDetailItemData: DetailItem[] = [ +export const mockDetailItemData: TimelineEventsDetailsItem[] = [ { field: '_id', originalValue: 'pEMaMmkBUV60JmNWmWVi', diff --git a/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts b/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts index 6403a50ad4a1d..9f26fc22ede53 100644 --- a/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts +++ b/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts @@ -8,13 +8,8 @@ import { FilterStateStore } from '../../../../../../src/plugins/data/common/es_q import { TimelineId, TimelineType, TimelineStatus } from '../../../common/types/timeline'; import { OpenTimelineResult } from '../../timelines/components/open_timeline/types'; -import { - GetAllTimeline, - SortFieldTimeline, - TimelineResult, - Direction, - DetailItem, -} from '../../graphql/types'; +import { GetAllTimeline, SortFieldTimeline, TimelineResult, Direction } from '../../graphql/types'; +import { TimelineEventsDetailsItem } from '../../../common/search_strategy'; import { allTimelinesQuery } from '../../timelines/containers/all/index.gql_query'; import { CreateTimelineProps } from '../../detections/components/alerts_table/types'; import { TimelineModel } from '../../timelines/store/timeline/model'; @@ -2264,7 +2259,7 @@ export const defaultTimelineProps: CreateTimelineProps = { ruleNote: '# this is some markdown documentation', }; -export const mockTimelineDetails: DetailItem[] = [ +export const mockTimelineDetails: TimelineEventsDetailsItem[] = [ { field: 'host.name', values: ['apache'], diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx index e3440f4158513..f326d5ad54ef2 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx @@ -15,10 +15,12 @@ import { apolloClient, mockTimelineApolloResult, mockTimelineDetailsApollo, + mockTimelineDetails, } from '../../../common/mock/'; import { CreateTimeline, UpdateTimelineLoading } from './types'; import { Ecs } from '../../../../common/ecs'; import { TimelineId, TimelineType, TimelineStatus } from '../../../../common/types/timeline'; +import { ISearchStart } from '../../../../../../../src/plugins/data/public'; jest.mock('apollo-client'); @@ -27,6 +29,7 @@ describe('alert actions', () => { const unix = moment(anchor).valueOf(); let createTimeline: CreateTimeline; let updateTimelineIsLoading: UpdateTimelineLoading; + let searchStrategyClient: ISearchStart; let clock: sinon.SinonFakeTimers; beforeEach(() => { @@ -39,6 +42,11 @@ describe('alert actions', () => { createTimeline = jest.fn() as jest.Mocked; updateTimelineIsLoading = jest.fn() as jest.Mocked; + searchStrategyClient = { + aggs: {} as ISearchStart['aggs'], + search: jest.fn().mockResolvedValue({ data: mockTimelineDetails }), + searchSource: {} as ISearchStart['searchSource'], + }; jest.spyOn(apolloClient, 'query').mockImplementation((obj) => { const id = get('variables.id', obj); @@ -64,6 +72,7 @@ describe('alert actions', () => { ecsData: mockEcsDataWithAlert, nonEcsData: [], updateTimelineIsLoading, + searchStrategyClient, }); expect(updateTimelineIsLoading).toHaveBeenCalledTimes(1); @@ -80,6 +89,7 @@ describe('alert actions', () => { ecsData: mockEcsDataWithAlert, nonEcsData: [], updateTimelineIsLoading, + searchStrategyClient, }); const expected = { from: '2018-11-05T18:58:25.937Z', @@ -268,6 +278,7 @@ describe('alert actions', () => { ecsData: mockEcsDataWithAlert, nonEcsData: [], updateTimelineIsLoading, + searchStrategyClient, }); const createTimelineArg = (createTimeline as jest.Mock).mock.calls[0][0]; @@ -297,6 +308,7 @@ describe('alert actions', () => { ecsData: mockEcsDataWithAlert, nonEcsData: [], updateTimelineIsLoading, + searchStrategyClient, }); const createTimelineArg = (createTimeline as jest.Mock).mock.calls[0][0]; @@ -315,6 +327,7 @@ describe('alert actions', () => { ecsData: mockEcsDataWithAlert, nonEcsData: [], updateTimelineIsLoading, + searchStrategyClient, }); expect(updateTimelineIsLoading).toHaveBeenCalledWith({ @@ -349,6 +362,7 @@ describe('alert actions', () => { ecsData: ecsDataMock, nonEcsData: [], updateTimelineIsLoading, + searchStrategyClient, }); expect(updateTimelineIsLoading).not.toHaveBeenCalled(); @@ -374,6 +388,7 @@ describe('alert actions', () => { ecsData: ecsDataMock, nonEcsData: [], updateTimelineIsLoading, + searchStrategyClient, }); expect(updateTimelineIsLoading).not.toHaveBeenCalled(); diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx index 7f98d3b2f71de..0e2aee5abd42e 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx @@ -15,10 +15,13 @@ import { TimelineId, TimelineStatus, TimelineType } from '../../../../common/typ import { updateAlertStatus } from '../../containers/detection_engine/alerts/api'; import { SendAlertToTimelineActionProps, UpdateAlertStatusActionProps } from './types'; import { Ecs } from '../../../../common/ecs'; -import { GetOneTimeline, TimelineResult, GetTimelineDetailsQuery } from '../../../graphql/types'; +import { GetOneTimeline, TimelineResult } from '../../../graphql/types'; import { TimelineNonEcsData, TimelineEventsDetailsItem, + TimelineEventsDetailsRequestOptions, + TimelineEventsDetailsStrategyResponse, + TimelineEventsQueries, } from '../../../../common/search_strategy/timeline'; import { oneTimelineQuery } from '../../../timelines/containers/one/index.gql_query'; import { timelineDefaults } from '../../../timelines/store/timeline/defaults'; @@ -34,7 +37,6 @@ import { } from './helpers'; import { KueryFilterQueryKind } from '../../../common/store'; import { DataProvider } from '../../../timelines/components/timeline/data_providers/data_provider'; -import { timelineDetailsQuery } from '../../../timelines/containers/details/index.gql_query'; export const getUpdateAlertsQuery = (eventIds: Readonly) => { return { @@ -154,6 +156,7 @@ export const sendAlertToTimelineAction = async ({ ecsData, nonEcsData, updateTimelineIsLoading, + searchStrategyClient, }: SendAlertToTimelineActionProps) => { let openAlertInBasicTimeline = true; const noteContent = ecsData.signal?.rule?.note != null ? ecsData.signal?.rule?.note[0] : ''; @@ -172,24 +175,24 @@ export const sendAlertToTimelineAction = async ({ id: timelineId, }, }), - apolloClient.query({ - query: timelineDetailsQuery, - fetchPolicy: 'no-cache', - variables: { + searchStrategyClient.search< + TimelineEventsDetailsRequestOptions, + TimelineEventsDetailsStrategyResponse + >( + { defaultIndex: [], docValueFields: [], - eventId: ecsData._id, indexName: ecsData._index ?? '', - sourceId: 'default', + eventId: ecsData._id, + factoryQueryType: TimelineEventsQueries.details, }, - }), + { + strategy: 'securitySolutionTimelineSearchStrategy', + } + ), ]); const resultingTimeline: TimelineResult = getOr({}, 'data.getOneTimeline', responseTimeline); - const eventData: TimelineEventsDetailsItem[] = getOr( - [], - 'data.source.TimelineDetails.data', - eventDataResp - ); + const eventData: TimelineEventsDetailsItem[] = getOr([], 'data', eventDataResp); if (!isEmpty(resultingTimeline)) { const timelineTemplate: TimelineResult = omitTypenameInTimeline(resultingTimeline); openAlertInBasicTimeline = false; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/helpers.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/helpers.ts index 20c233a03a8cf..b386ce0c9631b 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/helpers.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/helpers.ts @@ -11,7 +11,8 @@ import { DataProviderType, DataProvidersAnd, } from '../../../timelines/components/timeline/data_providers/data_provider'; -import { DetailItem, TimelineType } from '../../../graphql/types'; +import { TimelineEventsDetailsItem } from '../../../../common/search_strategy'; +import { TimelineType } from '../../../graphql/types'; interface FindValueToChangeInQuery { field: string; @@ -49,7 +50,7 @@ const templateFields = [ */ export const getStringArray = ( field: string, - data: DetailItem[], + data: TimelineEventsDetailsItem[], localConsole = console ): string[] => { const value: unknown | undefined = data.find((d) => d.field === field)?.values ?? null; @@ -108,7 +109,7 @@ export const findValueToChangeInQuery = ( export const replaceTemplateFieldFromQuery = ( query: string, - eventData: DetailItem[], + eventData: TimelineEventsDetailsItem[], timelineType: TimelineType = TimelineType.default ): string => { if (timelineType === TimelineType.default) { @@ -132,7 +133,7 @@ export const replaceTemplateFieldFromQuery = ( export const replaceTemplateFieldFromMatchFilters = ( filters: Filter[], - eventData: DetailItem[] + eventData: TimelineEventsDetailsItem[] ): Filter[] => filters.map((filter) => { if ( @@ -151,7 +152,7 @@ export const replaceTemplateFieldFromMatchFilters = ( export const reformatDataProviderWithNewValue = ( dataProvider: T, - eventData: DetailItem[], + eventData: TimelineEventsDetailsItem[], timelineType: TimelineType = TimelineType.default ): T => { // Support for legacy "template-like" timeline behavior that is using hardcoded list of templateFields @@ -201,7 +202,7 @@ export const reformatDataProviderWithNewValue = dataProviders.map((dataProvider) => { diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx index f4649b016f67c..8960b7a76660b 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx @@ -7,6 +7,7 @@ import React, { useCallback } from 'react'; import { useDispatch } from 'react-redux'; +import { useKibana } from '../../../../common/lib/kibana'; import { TimelineId } from '../../../../../common/types/timeline'; import { Ecs } from '../../../../../common/ecs'; import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline'; @@ -30,6 +31,9 @@ const InvestigateInTimelineActionComponent: React.FC { + const { + data: { search: searchStrategyClient }, + } = useKibana().services; const dispatch = useDispatch(); const apolloClient = useApolloClient(); @@ -66,9 +70,17 @@ const InvestigateInTimelineActionComponent: React.FC void; diff --git a/x-pack/plugins/security_solution/public/graphql/introspection.json b/x-pack/plugins/security_solution/public/graphql/introspection.json index ece0712414349..ccd68195271e2 100644 --- a/x-pack/plugins/security_solution/public/graphql/introspection.json +++ b/x-pack/plugins/security_solution/public/graphql/introspection.json @@ -683,9 +683,15 @@ "deprecationReason": null }, { - "name": "Authentications", - "description": "Gets Authentication success and failures based on a timerange", + "name": "Hosts", + "description": "Gets Hosts based on timerange and specified criteria, or all events in the timerange if no criteria is specified", "args": [ + { + "name": "id", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, { "name": "timerange", "description": "", @@ -710,6 +716,16 @@ }, "defaultValue": null }, + { + "name": "sort", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "INPUT_OBJECT", "name": "HostsSortField", "ofType": null } + }, + "defaultValue": null + }, { "name": "filterQuery", "description": "", @@ -760,37 +776,43 @@ "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "AuthenticationsData", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "HostsData", "ofType": null } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "Timeline", + "name": "HostOverview", "description": "", "args": [ { - "name": "pagination", + "name": "id", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "hostName", "description": "", "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "PaginationInput", "ofType": null } + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } }, "defaultValue": null }, { - "name": "sortField", + "name": "timerange", "description": "", "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "SortField", "ofType": null } + "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } }, "defaultValue": null }, { - "name": "fieldRequested", + "name": "defaultIndex", "description": "", "type": { "kind": "NON_NULL", @@ -806,17 +828,34 @@ } }, "defaultValue": null - }, + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "HostItem", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "HostFirstLastSeen", + "description": "", + "args": [ { - "name": "timerange", + "name": "id", "description": "", - "type": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "defaultValue": null }, { - "name": "filterQuery", + "name": "hostName", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "defaultValue": null }, { @@ -863,35 +902,148 @@ "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "TimelineData", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "FirstLastSeenHost", "ofType": null } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "TimelineDetails", - "description": "", - "args": [ - { - "name": "eventId", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "indexName", - "description": "", - "type": { + "name": "whoAmI", + "description": "Just a simple example to get the app name", + "args": [], + "type": { "kind": "OBJECT", "name": "SayMyName", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "SourceConfiguration", + "description": "A set of configuration options for a security data source", + "fields": [ + { + "name": "fields", + "description": "The field mapping to use for this source", + "args": [], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "SourceFields", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "SourceFields", + "description": "A mapping of semantic fields to their document counterparts", + "fields": [ + { + "name": "container", + "description": "The field to identify a container by", + "args": [], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "host", + "description": "The fields to identify a host by", + "args": [], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "message", + "description": "The fields that may contain the log event message. The first field found win.", + "args": [], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { "kind": "NON_NULL", "name": null, "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, + } + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "pod", + "description": "The field to identify a pod by", + "args": [], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "tiebreaker", + "description": "The field to use as a tiebreaker for log events that have identical timestamps", + "args": [], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "timestamp", + "description": "The field to use as a timestamp for metrics and logs", + "args": [], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "SourceStatus", + "description": "The status of an infrastructure data source", + "fields": [ + { + "name": "indicesExist", + "description": "Whether the configured alias or wildcard pattern resolve to any auditbeat indices", + "args": [ { "name": "defaultIndex", "description": "", @@ -909,9 +1061,22 @@ } }, "defaultValue": null - }, + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "indexFields", + "description": "The list of fields defined in the index mappings", + "args": [ { - "name": "docValueFields", + "name": "defaultIndex", "description": "", "type": { "kind": "NON_NULL", @@ -922,11 +1087,7 @@ "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "docValueFieldsInput", - "ofType": null - } + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } } } }, @@ -936,2618 +1097,18 @@ "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "TimelineDetailsData", "ofType": null } + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + } + } }, "isDeprecated": false, "deprecationReason": null - }, - { - "name": "LastEventTime", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "indexKey", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "LastEventIndexKey", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "details", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "LastTimeDetails", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - }, - { - "name": "docValueFields", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "docValueFieldsInput", - "ofType": null - } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "LastEventTimeData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "Hosts", - "description": "Gets Hosts based on timerange and specified criteria, or all events in the timerange if no criteria is specified", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "pagination", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "PaginationInputPaginated", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "sort", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "HostsSortField", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - }, - { - "name": "docValueFields", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "docValueFieldsInput", - "ofType": null - } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "HostsData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "HostOverview", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "hostName", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "HostItem", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "HostFirstLastSeen", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "hostName", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - }, - { - "name": "docValueFields", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "docValueFieldsInput", - "ofType": null - } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "FirstLastSeenHost", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "KpiNetwork", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { "kind": "OBJECT", "name": "KpiNetworkData", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "KpiHosts", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostsData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "KpiHostDetails", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostDetailsData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "MatrixHistogram", - "description": "", - "args": [ - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "stackByField", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "histogramType", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "HistogramType", "ofType": null } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "MatrixHistogramOverTimeData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "NetworkTopCountries", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "ip", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "flowTarget", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "FlowTargetSourceDest", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "pagination", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "PaginationInputPaginated", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "sort", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "NetworkTopTablesSortField", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkTopCountriesData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "NetworkTopNFlow", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "ip", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "flowTarget", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "FlowTargetSourceDest", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "pagination", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "PaginationInputPaginated", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "sort", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "NetworkTopTablesSortField", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkTopNFlowData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "NetworkDns", - "description": "", - "args": [ - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "isPtrIncluded", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "pagination", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "PaginationInputPaginated", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "sort", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "NetworkDnsSortField", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "stackByField", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkDnsData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "NetworkDnsHistogram", - "description": "", - "args": [ - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "stackByField", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "docValueFields", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "docValueFieldsInput", - "ofType": null - } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkDsOverTimeData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "NetworkHttp", - "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "filterQuery", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "ip", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "pagination", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "PaginationInputPaginated", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "sort", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "INPUT_OBJECT", - "name": "NetworkHttpSortField", - "ofType": null - } - }, - "defaultValue": null - }, - { - "name": "timerange", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimerangeInput", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkHttpData", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "whoAmI", - "description": "Just a simple example to get the app name", - "args": [], - "type": { "kind": "OBJECT", "name": "SayMyName", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SourceConfiguration", - "description": "A set of configuration options for a security data source", - "fields": [ - { - "name": "fields", - "description": "The field mapping to use for this source", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "SourceFields", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SourceFields", - "description": "A mapping of semantic fields to their document counterparts", - "fields": [ - { - "name": "container", - "description": "The field to identify a container by", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "host", - "description": "The fields to identify a host by", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "message", - "description": "The fields that may contain the log event message. The first field found win.", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "pod", - "description": "The field to identify a pod by", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "tiebreaker", - "description": "The field to use as a tiebreaker for log events that have identical timestamps", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "timestamp", - "description": "The field to use as a timestamp for metrics and logs", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SourceStatus", - "description": "The status of an infrastructure data source", - "fields": [ - { - "name": "indicesExist", - "description": "Whether the configured alias or wildcard pattern resolve to any auditbeat indices", - "args": [ - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "indexFields", - "description": "The list of fields defined in the index mappings", - "args": [ - { - "name": "defaultIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "Boolean", - "description": "The `Boolean` scalar type represents `true` or `false`.", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "TimerangeInput", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "interval", - "description": "The interval string to use for last bucket. The format is '{value}{unit}'. For example '5m' would return the metrics for the last 5 minutes of the timespan.", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "to", - "description": "The end of the timerange", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "from", - "description": "The beginning of the timerange", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "PaginationInputPaginated", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "activePage", - "description": "The activePage parameter defines the page of results you want to fetch", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "cursorStart", - "description": "The cursorStart parameter defines the start of the results to be displayed", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "fakePossibleCount", - "description": "The fakePossibleCount parameter determines the total count in order to show 5 additional pages", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "querySize", - "description": "The querySize parameter is the number of items to be returned", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "docValueFieldsInput", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "field", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "format", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AuthenticationsData", - "description": "", - "fields": [ - { - "name": "edges", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "AuthenticationsEdges", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "totalCount", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "pageInfo", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfoPaginated", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AuthenticationsEdges", - "description": "", - "fields": [ - { - "name": "node", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "AuthenticationItem", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "cursor", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AuthenticationItem", - "description": "", - "fields": [ - { - "name": "_id", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "failures", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "successes", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "user", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "UserEcsFields", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "lastSuccess", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "LastSourceHost", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "lastFailure", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "LastSourceHost", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "UserEcsFields", - "description": "", - "fields": [ - { - "name": "domain", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "id", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "full_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "email", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "hash", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "group", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "ToStringArray", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "LastSourceHost", - "description": "", - "fields": [ - { - "name": "timestamp", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "source", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "SourceEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "host", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "HostEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "Date", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SourceEcsFields", - "description": "", - "fields": [ - { - "name": "bytes", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "ip", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "port", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "domain", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "geo", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "GeoEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "packets", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "ToNumberArray", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "GeoEcsFields", - "description": "", - "fields": [ - { - "name": "city_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "continent_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "country_iso_code", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "country_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "location", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Location", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "region_iso_code", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "region_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "Location", - "description": "", - "fields": [ - { - "name": "lon", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "lat", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "HostEcsFields", - "description": "", - "fields": [ - { - "name": "architecture", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "id", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "ip", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "mac", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "os", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "OsEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "type", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "OsEcsFields", - "description": "", - "fields": [ - { - "name": "platform", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "full", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "family", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "version", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "kernel", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "CursorType", - "description": "", - "fields": [ - { - "name": "value", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "tiebreaker", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "PageInfoPaginated", - "description": "", - "fields": [ - { - "name": "activePage", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "fakeTotalCount", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "showMorePagesIndicator", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "Inspect", - "description": "", - "fields": [ - { - "name": "dsl", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "response", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "PaginationInput", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "limit", - "description": "The limit parameter allows you to configure the maximum amount of items to be returned", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "cursor", - "description": "The cursor parameter defines the next result you want to fetch", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "tiebreaker", - "description": "The tiebreaker parameter allow to be more precise to fetch the next item", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "SortField", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "sortFieldId", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "direction", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } - }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TimelineData", - "description": "", - "fields": [ - { - "name": "edges", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "TimelineEdges", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "totalCount", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "pageInfo", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfo", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TimelineEdges", - "description": "", - "fields": [ - { - "name": "node", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "TimelineItem", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "cursor", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TimelineItem", - "description": "", - "fields": [ - { - "name": "_id", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "_index", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "data", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "TimelineNonEcsData", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "ecs", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "ECS", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TimelineNonEcsData", - "description": "", - "fields": [ - { - "name": "field", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "value", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "ECS", - "description": "", - "fields": [ - { - "name": "_id", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "_index", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "agent", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "AgentEcsField", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "auditd", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "AuditdEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "destination", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "DestinationEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "dns", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "DnsEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "endgame", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "EndgameEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "event", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "EventEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "geo", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "GeoEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "host", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "HostEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "network", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "NetworkEcsField", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "rule", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "RuleEcsField", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "signal", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "SignalField", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "source", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "SourceEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "suricata", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "SuricataEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "tls", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "TlsEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "zeek", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "ZeekEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "http", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "HttpEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "url", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "UrlEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "timestamp", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "message", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "user", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "UserEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "winlog", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "WinlogEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "process", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "ProcessEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "file", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "FileFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "system", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "SystemEcsField", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AgentEcsField", - "description": "", - "fields": [ - { - "name": "type", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AuditdEcsFields", - "description": "", - "fields": [ - { - "name": "result", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "session", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "data", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "AuditdData", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "summary", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Summary", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "sequence", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AuditdData", - "description": "", - "fields": [ - { - "name": "acct", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "terminal", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "op", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null } ], "inputFields": null, @@ -3556,318 +1117,246 @@ "possibleTypes": null }, { - "kind": "OBJECT", - "name": "Summary", - "description": "", - "fields": [ - { - "name": "actor", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "PrimarySecondary", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "object", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "PrimarySecondary", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "how", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "message_type", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "sequence", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], + "kind": "SCALAR", + "name": "Boolean", + "description": "The `Boolean` scalar type represents `true` or `false`.", + "fields": null, "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "PrimarySecondary", + "kind": "INPUT_OBJECT", + "name": "TimerangeInput", "description": "", - "fields": [ + "fields": null, + "inputFields": [ { - "name": "primary", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "interval", + "description": "The interval string to use for last bucket. The format is '{value}{unit}'. For example '5m' would return the metrics for the last 5 minutes of the timespan.", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "defaultValue": null }, { - "name": "secondary", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "to", + "description": "The end of the timerange", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "defaultValue": null }, { - "name": "type", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "from", + "description": "The beginning of the timerange", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "DestinationEcsFields", + "kind": "INPUT_OBJECT", + "name": "PaginationInputPaginated", "description": "", - "fields": [ - { - "name": "bytes", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "ip", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, + "fields": null, + "inputFields": [ { - "name": "port", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "activePage", + "description": "The activePage parameter defines the page of results you want to fetch", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, + "defaultValue": null }, { - "name": "domain", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "cursorStart", + "description": "The cursorStart parameter defines the start of the results to be displayed", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, + "defaultValue": null }, { - "name": "geo", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "GeoEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "fakePossibleCount", + "description": "The fakePossibleCount parameter determines the total count in order to show 5 additional pages", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, + "defaultValue": null }, { - "name": "packets", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "querySize", + "description": "The querySize parameter is the number of items to be returned", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "DnsEcsFields", + "kind": "INPUT_OBJECT", + "name": "HostsSortField", "description": "", - "fields": [ - { - "name": "question", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "DnsQuestionData", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, + "fields": null, + "inputFields": [ { - "name": "resolved_ip", + "name": "field", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "HostsFields", "ofType": null } + }, + "defaultValue": null }, { - "name": "response_code", + "name": "direction", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } + }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "DnsQuestionData", + "kind": "ENUM", + "name": "HostsFields", "description": "", - "fields": [ + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ { - "name": "name", + "name": "hostName", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", + "name": "lastSeen", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } ], - "inputFields": null, - "interfaces": [], - "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "EndgameEcsFields", + "kind": "INPUT_OBJECT", + "name": "docValueFieldsInput", "description": "", - "fields": [ - { - "name": "exit_code", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "file_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "file_path", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "logon_type", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "parent_process_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "pid", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "process_name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, + "fields": null, + "inputFields": [ { - "name": "subject_domain_name", + "name": "field", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "defaultValue": null }, { - "name": "subject_logon_id", + "name": "format", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "defaultValue": null + } + ], + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "HostsData", + "description": "", + "fields": [ { - "name": "subject_user_name", + "name": "edges", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "HostsEdges", "ofType": null } + } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "target_domain_name", + "name": "totalCount", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "target_logon_id", + "name": "pageInfo", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "PageInfoPaginated", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "target_user_name", + "name": "inspect", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -3879,158 +1368,221 @@ }, { "kind": "OBJECT", - "name": "EventEcsFields", + "name": "HostsEdges", "description": "", "fields": [ { - "name": "action", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "category", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "code", + "name": "node", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "HostItem", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "created", + "name": "cursor", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "HostItem", + "description": "", + "fields": [ { - "name": "dataset", + "name": "_id", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "duration", + "name": "cloud", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "CloudFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "end", + "name": "endpoint", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "EndpointFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "hash", + "name": "host", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "HostEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "id", + "name": "inspect", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "kind", + "name": "lastSeen", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "CloudFields", + "description": "", + "fields": [ { - "name": "module", + "name": "instance", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "CloudInstance", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "original", + "name": "machine", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "CloudMachine", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "outcome", + "name": "provider", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "risk_score", + "name": "region", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "CloudInstance", + "description": "", + "fields": [ { - "name": "risk_score_norm", + "name": "id", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "CloudMachine", + "description": "", + "fields": [ { - "name": "severity", + "name": "type", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "EndpointFields", + "description": "", + "fields": [ { - "name": "start", + "name": "endpointPolicy", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "timezone", + "name": "sensorVersion", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", + "name": "policyStatus", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "ENUM", "name": "HostPolicyResponseActionStatus", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -4041,30 +1593,44 @@ "possibleTypes": null }, { - "kind": "SCALAR", - "name": "ToDateArray", + "kind": "ENUM", + "name": "HostPolicyResponseActionStatus", "description": "", "fields": null, "inputFields": null, "interfaces": null, - "enumValues": null, + "enumValues": [ + { + "name": "success", + "description": "", + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "failure", + "description": "", + "isDeprecated": false, + "deprecationReason": null + }, + { "name": "warning", "description": "", "isDeprecated": false, "deprecationReason": null } + ], "possibleTypes": null }, { "kind": "OBJECT", - "name": "NetworkEcsField", + "name": "HostEcsFields", "description": "", "fields": [ { - "name": "bytes", + "name": "architecture", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "community_id", + "name": "id", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, @@ -4072,7 +1638,7 @@ "deprecationReason": null }, { - "name": "direction", + "name": "ip", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, @@ -4080,23 +1646,31 @@ "deprecationReason": null }, { - "name": "packets", + "name": "mac", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "name", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "protocol", + "name": "os", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "OsEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "transport", + "name": "type", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, @@ -4110,39 +1684,30 @@ "possibleTypes": null }, { - "kind": "OBJECT", - "name": "RuleEcsField", + "kind": "SCALAR", + "name": "ToStringArray", "description": "", - "fields": [ - { - "name": "reference", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], + "fields": null, "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "SignalField", + "name": "OsEcsFields", "description": "", "fields": [ { - "name": "rule", + "name": "platform", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "RuleField", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "original_time", + "name": "name", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, @@ -4150,26 +1715,15 @@ "deprecationReason": null }, { - "name": "status", + "name": "full", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "RuleField", - "description": "", - "fields": [ + }, { - "name": "id", + "name": "family", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, @@ -4177,7 +1731,7 @@ "deprecationReason": null }, { - "name": "rule_id", + "name": "version", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, @@ -4185,7 +1739,26 @@ "deprecationReason": null }, { - "name": "false_positives", + "name": "kernel", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "Inspect", + "description": "", + "fields": [ + { + "name": "dsl", "description": "", "args": [], "type": { @@ -4205,170 +1778,295 @@ "deprecationReason": null }, { - "name": "saved_id", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "timeline_id", + "name": "response", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + } + } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "SCALAR", + "name": "Date", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "CursorType", + "description": "", + "fields": [ { - "name": "timeline_title", + "name": "value", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "max_signals", + "name": "tiebreaker", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "PageInfoPaginated", + "description": "", + "fields": [ { - "name": "risk_score", + "name": "activePage", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "output_index", + "name": "fakeTotalCount", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "description", + "name": "showMorePagesIndicator", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "FirstLastSeenHost", + "description": "", + "fields": [ { - "name": "from", + "name": "inspect", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "immutable", + "name": "firstSeen", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "index", + "name": "lastSeen", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "SayMyName", + "description": "", + "fields": [ { - "name": "interval", - "description": "", + "name": "appName", + "description": "The id of the source", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "TimelineResult", + "description": "", + "fields": [ { - "name": "language", + "name": "columns", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "ColumnHeaderResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "query", + "name": "created", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "references", + "name": "createdBy", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "severity", + "name": "dataProviders", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "DataProviderResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "tags", + "name": "dateRange", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "DateRangePickerResult", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "threat", + "name": "description", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", + "name": "eventIdToNoteIds", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "NoteResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "size", + "name": "eventType", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "to", + "name": "excludedRowRendererIds", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "RowRendererId", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "enabled", + "name": "favorite", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "FavoriteTimelineResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, @@ -4376,226 +2074,207 @@ "name": "filters", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "FilterTimelineResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "created_at", + "name": "kqlMode", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "updated_at", + "name": "kqlQuery", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "SerializedFilterQueryResult", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "created_by", + "name": "indexNames", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "updated_by", + "name": "notes", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "NoteResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "version", + "name": "noteIds", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "note", + "name": "pinnedEventIds", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "threshold", + "name": "pinnedEventsSaveObject", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "PinnedEvent", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "exceptions_list", + "name": "savedQueryId", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "ToBooleanArray", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "ToAny", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SuricataEcsFields", - "description": "", - "fields": [ + }, { - "name": "eve", + "name": "savedObjectId", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "SuricataEveData", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SuricataEveData", - "description": "", - "fields": [ + }, { - "name": "alert", + "name": "sort", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "SuricataAlertData", "ofType": null }, + "type": { "kind": "OBJECT", "name": "SortTimelineResult", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "flow_id", + "name": "status", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "ENUM", "name": "TimelineStatus", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "proto", + "name": "title", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SuricataAlertData", - "description": "", - "fields": [ + }, { - "name": "signature", + "name": "templateTimelineId", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "signature_id", + "name": "templateTimelineVersion", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Int", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TlsEcsFields", - "description": "", - "fields": [ + }, { - "name": "client_certificate", + "name": "timelineType", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "TlsClientCertificateData", "ofType": null }, + "type": { "kind": "ENUM", "name": "TimelineType", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "fingerprints", + "name": "updated", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "TlsFingerprintsData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "server_certificate", + "name": "updatedBy", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "TlsServerCertificateData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TlsClientCertificateData", - "description": "", - "fields": [ + "deprecationReason": null + }, { - "name": "fingerprint", + "name": "version", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "FingerprintData", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null } @@ -4607,138 +2286,102 @@ }, { "kind": "OBJECT", - "name": "FingerprintData", + "name": "ColumnHeaderResult", "description": "", "fields": [ { - "name": "sha1", + "name": "aggregatable", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TlsFingerprintsData", - "description": "", - "fields": [ + }, { - "name": "ja3", + "name": "category", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "TlsJa3Data", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TlsJa3Data", - "description": "", - "fields": [ + }, { - "name": "hash", + "name": "columnHeaderType", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TlsServerCertificateData", - "description": "", - "fields": [ + }, { - "name": "fingerprint", + "name": "description", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "FingerprintData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "ZeekEcsFields", - "description": "", - "fields": [ + }, { - "name": "session_id", + "name": "example", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "connection", + "name": "indexes", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "ZeekConnectionData", "ofType": null }, + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "notice", + "name": "id", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "ZeekNoticeData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dns", + "name": "name", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "ZeekDnsData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "http", + "name": "placeholder", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "ZeekHttpData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "files", + "name": "searchable", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "ZeekFileData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "ssl", + "name": "type", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "ZeekSslData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -4750,46 +2393,78 @@ }, { "kind": "OBJECT", - "name": "ZeekConnectionData", + "name": "DataProviderResult", "description": "", "fields": [ { - "name": "local_resp", + "name": "id", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "local_orig", + "name": "name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "missed_bytes", + "name": "enabled", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "state", + "name": "excluded", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "history", + "name": "kqlQuery", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "queryMatch", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "QueryMatchResult", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "type", + "description": "", + "args": [], + "type": { "kind": "ENUM", "name": "DataProviderType", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "and", + "description": "", + "args": [], + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "DataProviderResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null } @@ -4801,212 +2476,210 @@ }, { "kind": "OBJECT", - "name": "ZeekNoticeData", + "name": "QueryMatchResult", "description": "", "fields": [ { - "name": "suppress_for", + "name": "field", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "msg", + "name": "displayField", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "note", + "name": "value", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "sub", + "name": "displayValue", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dst", + "name": "operator", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "ENUM", + "name": "DataProviderType", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ { - "name": "dropped", + "name": "default", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "peer_descr", + "name": "template", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } ], - "inputFields": null, - "interfaces": [], - "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "ZeekDnsData", + "name": "DateRangePickerResult", "description": "", "fields": [ { - "name": "AA", + "name": "start", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "qclass_name", + "name": "end", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "SCALAR", + "name": "ToAny", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "ENUM", + "name": "RowRendererId", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ + { "name": "auditd", "description": "", "isDeprecated": false, "deprecationReason": null }, + { + "name": "auditd_file", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "RD", + "name": "netflow", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, + { "name": "plain", "description": "", "isDeprecated": false, "deprecationReason": null }, { - "name": "qtype_name", + "name": "suricata", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, + { "name": "system", "description": "", "isDeprecated": false, "deprecationReason": null }, { - "name": "rejected", + "name": "system_dns", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "qtype", + "name": "system_endgame_process", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "query", + "name": "system_file", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "trans_id", + "name": "system_fim", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "qclass", + "name": "system_security_event", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "RA", + "name": "system_socket", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, - { - "name": "TC", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } + { "name": "zeek", "description": "", "isDeprecated": false, "deprecationReason": null } ], - "inputFields": null, - "interfaces": [], - "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "ZeekHttpData", + "name": "FavoriteTimelineResult", "description": "", "fields": [ { - "name": "resp_mime_types", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "trans_depth", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "status_msg", + "name": "fullName", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "resp_fuids", + "name": "userName", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "tags", + "name": "favoriteDate", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -5018,193 +2691,161 @@ }, { "kind": "OBJECT", - "name": "ZeekFileData", + "name": "FilterTimelineResult", "description": "", "fields": [ { - "name": "session_ids", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "timedout", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "local_orig", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "tx_host", + "name": "exists", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "source", + "name": "meta", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "FilterMetaTimelineResult", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "is_orig", + "name": "match_all", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "overflow_bytes", + "name": "missing", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "sha1", + "name": "query", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "duration", + "name": "range", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "depth", + "name": "script", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "FilterMetaTimelineResult", + "description": "", + "fields": [ { - "name": "analyzers", + "name": "alias", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "mime_type", + "name": "controlledBy", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "rx_host", + "name": "disabled", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "total_bytes", + "name": "field", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "fuid", + "name": "formattedValue", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "seen_bytes", + "name": "index", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "missing_bytes", + "name": "key", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "md5", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "ZeekSslData", - "description": "", - "fields": [ - { - "name": "cipher", + "name": "negate", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "established", + "name": "params", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "resumed", + "name": "type", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "version", + "name": "value", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -5216,30 +2857,14 @@ }, { "kind": "OBJECT", - "name": "HttpEcsFields", + "name": "SerializedFilterQueryResult", "description": "", "fields": [ { - "name": "version", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "request", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "HttpRequestData", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "response", + "name": "filterQuery", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "HttpResponseData", "ofType": null }, + "type": { "kind": "OBJECT", "name": "SerializedKueryQueryResult", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -5251,38 +2876,22 @@ }, { "kind": "OBJECT", - "name": "HttpRequestData", + "name": "SerializedKueryQueryResult", "description": "", "fields": [ { - "name": "method", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "body", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "HttpBodyData", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "referrer", + "name": "kuery", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "OBJECT", "name": "KueryFilterQueryResult", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "bytes", + "name": "serializedQuery", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -5294,22 +2903,22 @@ }, { "kind": "OBJECT", - "name": "HttpBodyData", + "name": "KueryFilterQueryResult", "description": "", "fields": [ { - "name": "content", + "name": "kind", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "bytes", + "name": "expression", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -5321,218 +2930,504 @@ }, { "kind": "OBJECT", - "name": "HttpResponseData", + "name": "SortTimelineResult", "description": "", "fields": [ { - "name": "status_code", + "name": "columnId", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "body", + "name": "sortDirection", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "HttpBodyData", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "ENUM", + "name": "TimelineStatus", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ + { "name": "active", "description": "", "isDeprecated": false, "deprecationReason": null }, + { "name": "draft", "description": "", "isDeprecated": false, "deprecationReason": null }, { - "name": "bytes", + "name": "immutable", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } ], + "possibleTypes": null + }, + { + "kind": "SCALAR", + "name": "Int", + "description": "The `Int` scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1. ", + "fields": null, "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "UrlEcsFields", + "kind": "ENUM", + "name": "TimelineType", "description": "", - "fields": [ + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ { - "name": "domain", + "name": "default", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "original", + "name": "template", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null + } + ], + "possibleTypes": null + }, + { + "kind": "INPUT_OBJECT", + "name": "PageInfoTimeline", + "description": "", + "fields": null, + "inputFields": [ + { + "name": "pageIndex", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, + "defaultValue": null }, { - "name": "username", + "name": "pageSize", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, + "defaultValue": null + } + ], + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "INPUT_OBJECT", + "name": "SortTimeline", + "description": "", + "fields": null, + "inputFields": [ + { + "name": "sortField", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "SortFieldTimeline", "ofType": null } + }, + "defaultValue": null }, { - "name": "password", + "name": "sortOrder", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } + }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "WinlogEcsFields", + "kind": "ENUM", + "name": "SortFieldTimeline", "description": "", - "fields": [ + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ + { "name": "title", "description": "", "isDeprecated": false, "deprecationReason": null }, { - "name": "event_id", + "name": "description", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } + }, + { + "name": "updated", + "description": "", + "isDeprecated": false, + "deprecationReason": null + }, + { "name": "created", "description": "", "isDeprecated": false, "deprecationReason": null } ], - "inputFields": null, - "interfaces": [], - "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "ProcessEcsFields", + "name": "ResponseTimelines", "description": "", "fields": [ { - "name": "hash", + "name": "timeline", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "ProcessHashData", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { "kind": "OBJECT", "name": "TimelineResult", "ofType": null } + } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pid", + "name": "totalCount", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "name", + "name": "defaultTimelineCount", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "ppid", + "name": "templateTimelineCount", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "args", + "name": "elasticTemplateTimelineCount", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "customTemplateTimelineCount", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "favoriteCount", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "Mutation", + "description": "", + "fields": [ + { + "name": "persistNote", + "description": "Persists a note", + "args": [ + { + "name": "noteId", + "description": "", + "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, + "defaultValue": null + }, + { + "name": "version", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "note", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "INPUT_OBJECT", "name": "NoteInput", "ofType": null } + }, + "defaultValue": null + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "ResponseNote", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "entity_id", + "name": "deleteNote", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "args": [ + { + "name": "id", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } + } + } + }, + "defaultValue": null + } + ], + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "executable", + "name": "deleteNoteByTimelineId", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "args": [ + { + "name": "timelineId", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } + }, + "defaultValue": null + }, + { + "name": "version", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + } + ], + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "title", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "name": "persistPinnedEventOnTimeline", + "description": "Persists a pinned event in a timeline", + "args": [ + { + "name": "pinnedEventId", + "description": "", + "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, + "defaultValue": null + }, + { + "name": "eventId", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } + }, + "defaultValue": null + }, + { + "name": "timelineId", + "description": "", + "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, + "defaultValue": null + } + ], + "type": { "kind": "OBJECT", "name": "PinnedEvent", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "thread", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Thread", "ofType": null }, + "name": "deletePinnedEventOnTimeline", + "description": "Remove a pinned events in a timeline", + "args": [ + { + "name": "id", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } + } + } + }, + "defaultValue": null + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "working_directory", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "name": "deleteAllPinnedEventsOnTimeline", + "description": "Remove all pinned events in a timeline", + "args": [ + { + "name": "timelineId", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } + }, + "defaultValue": null + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "ProcessHashData", - "description": "", - "fields": [ + }, { - "name": "md5", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "name": "persistTimeline", + "description": "Persists a timeline", + "args": [ + { + "name": "id", + "description": "", + "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, + "defaultValue": null + }, + { + "name": "version", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "timeline", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "INPUT_OBJECT", "name": "TimelineInput", "ofType": null } + }, + "defaultValue": null + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "ResponseTimeline", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "sha1", + "name": "persistFavorite", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "args": [ + { + "name": "timelineId", + "description": "", + "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, + "defaultValue": null + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "ResponseFavoriteTimeline", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "sha256", + "name": "deleteTimeline", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "args": [ + { + "name": "id", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } + } + } + }, + "defaultValue": null + } + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null } @@ -5543,524 +3438,416 @@ "possibleTypes": null }, { - "kind": "OBJECT", - "name": "Thread", + "kind": "INPUT_OBJECT", + "name": "NoteInput", "description": "", - "fields": [ + "fields": null, + "inputFields": [ { - "name": "id", + "name": "eventId", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "start", + "name": "note", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "timelineId", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "FileFields", + "name": "ResponseNote", "description": "", "fields": [ { - "name": "name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "path", + "name": "code", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "target_path", + "name": "message", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "extension", + "name": "note", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "NoteResult", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "INPUT_OBJECT", + "name": "TimelineInput", + "description": "", + "fields": null, + "inputFields": [ { - "name": "type", + "name": "columns", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "INPUT_OBJECT", "name": "ColumnHeaderInput", "ofType": null } + } + }, + "defaultValue": null }, { - "name": "device", + "name": "dataProviders", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "INPUT_OBJECT", "name": "DataProviderInput", "ofType": null } + } + }, + "defaultValue": null }, { - "name": "inode", + "name": "description", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "uid", + "name": "eventType", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "owner", + "name": "excludedRowRendererIds", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "RowRendererId", "ofType": null } + } + }, + "defaultValue": null }, { - "name": "gid", + "name": "filters", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "INPUT_OBJECT", "name": "FilterTimelineInput", "ofType": null } + } + }, + "defaultValue": null }, { - "name": "group", + "name": "kqlMode", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "mode", + "name": "kqlQuery", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "INPUT_OBJECT", + "name": "SerializedFilterQueryInput", + "ofType": null + }, + "defaultValue": null }, { - "name": "size", + "name": "indexNames", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + } + }, + "defaultValue": null }, { - "name": "mtime", + "name": "title", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "ctime", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SystemEcsField", - "description": "", - "fields": [ - { - "name": "audit", + "name": "templateTimelineId", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "AuditEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "auth", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "AuthEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AuditEcsFields", - "description": "", - "fields": [ - { - "name": "package", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "PackageEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "PackageEcsFields", - "description": "", - "fields": [ - { - "name": "arch", + "name": "templateTimelineVersion", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "Int", "ofType": null }, + "defaultValue": null }, { - "name": "entity_id", + "name": "timelineType", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "ENUM", "name": "TimelineType", "ofType": null }, + "defaultValue": null }, { - "name": "name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "name": "dateRange", + "description": "", + "type": { "kind": "INPUT_OBJECT", "name": "DateRangePickerInput", "ofType": null }, + "defaultValue": null }, { - "name": "size", + "name": "savedQueryId", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "summary", + "name": "sort", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "INPUT_OBJECT", "name": "SortTimelineInput", "ofType": null }, + "defaultValue": null }, { - "name": "version", + "name": "status", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "ENUM", "name": "TimelineStatus", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "AuthEcsFields", + "kind": "INPUT_OBJECT", + "name": "ColumnHeaderInput", "description": "", - "fields": [ + "fields": null, + "inputFields": [ { - "name": "ssh", + "name": "aggregatable", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "SshEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SshEcsFields", - "description": "", - "fields": [ + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "defaultValue": null + }, { - "name": "method", + "name": "category", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "signature", + "name": "columnHeaderType", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "PageInfo", - "description": "", - "fields": [ + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, { - "name": "endCursor", + "name": "description", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "CursorType", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "hasNextPage", + "name": "example", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TimelineDetailsData", - "description": "", - "fields": [ + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, { - "name": "data", + "name": "indexes", "description": "", - "args": [], "type": { "kind": "LIST", "name": null, "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "DetailItem", "ofType": null } + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } } }, - "isDeprecated": false, - "deprecationReason": null + "defaultValue": null }, { - "name": "inspect", + "name": "id", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "DetailItem", - "description": "", - "fields": [ + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, { - "name": "field", + "name": "name", "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "values", + "name": "placeholder", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "originalValue", + "name": "searchable", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "EsValue", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "defaultValue": null + }, + { + "name": "type", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "EsValue", - "description": "", - "fields": null, - "inputFields": null, "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "ENUM", - "name": "LastEventIndexKey", + "kind": "INPUT_OBJECT", + "name": "DataProviderInput", "description": "", "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ + "inputFields": [ { - "name": "hostDetails", + "name": "id", "description": "", - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, - { "name": "hosts", "description": "", "isDeprecated": false, "deprecationReason": null }, { - "name": "ipDetails", + "name": "name", "description": "", - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, - { "name": "network", "description": "", "isDeprecated": false, "deprecationReason": null } - ], - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "LastTimeDetails", - "description": "", - "fields": null, - "inputFields": [ { - "name": "hostName", + "name": "enabled", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, "defaultValue": null }, { - "name": "ip", + "name": "excluded", + "description": "", + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "defaultValue": null + }, + { + "name": "kqlQuery", "description": "", "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "LastEventTimeData", - "description": "", - "fields": [ + }, { - "name": "lastSeen", + "name": "queryMatch", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "INPUT_OBJECT", "name": "QueryMatchInput", "ofType": null }, + "defaultValue": null }, { - "name": "inspect", + "name": "and", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "INPUT_OBJECT", "name": "DataProviderInput", "ofType": null } + } + }, + "defaultValue": null + }, + { + "name": "type", + "description": "", + "type": { "kind": "ENUM", "name": "DataProviderType", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { "kind": "INPUT_OBJECT", - "name": "HostsSortField", + "name": "QueryMatchInput", "description": "", "fields": null, "inputFields": [ { "name": "field", "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "HostsFields", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "defaultValue": null }, { - "name": "direction", + "name": "displayField", "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "value", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "displayValue", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "operator", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "defaultValue": null } ], @@ -6069,399 +3856,251 @@ "possibleTypes": null }, { - "kind": "ENUM", - "name": "HostsFields", + "kind": "INPUT_OBJECT", + "name": "FilterTimelineInput", "description": "", "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ + "inputFields": [ { - "name": "hostName", + "name": "exists", "description": "", - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "lastSeen", - "description": "", - "isDeprecated": false, - "deprecationReason": null - } - ], - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "HostsData", - "description": "", - "fields": [ - { - "name": "edges", + "name": "meta", "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "HostsEdges", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "INPUT_OBJECT", "name": "FilterMetaTimelineInput", "ofType": null }, + "defaultValue": null }, { - "name": "totalCount", + "name": "match_all", "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "pageInfo", + "name": "missing", "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfoPaginated", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "inspect", + "name": "query", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "HostsEdges", - "description": "", - "fields": [ + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, { - "name": "node", + "name": "range", "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "HostItem", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "cursor", + "name": "script", "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "HostItem", + "kind": "INPUT_OBJECT", + "name": "FilterMetaTimelineInput", "description": "", - "fields": [ + "fields": null, + "inputFields": [ { - "name": "_id", + "name": "alias", "description": "", - "args": [], "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "defaultValue": null }, { - "name": "cloud", + "name": "controlledBy", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "CloudFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "endpoint", + "name": "disabled", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "EndpointFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "defaultValue": null }, { - "name": "host", + "name": "field", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "HostEcsFields", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "inspect", + "name": "formattedValue", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "lastSeen", + "name": "index", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "CloudFields", - "description": "", - "fields": [ + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, { - "name": "instance", + "name": "key", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "CloudInstance", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "machine", + "name": "negate", "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "CloudMachine", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "defaultValue": null }, { - "name": "provider", + "name": "params", "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "region", + "name": "type", "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "value", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "CloudInstance", + "kind": "INPUT_OBJECT", + "name": "SerializedFilterQueryInput", "description": "", - "fields": [ + "fields": null, + "inputFields": [ { - "name": "id", + "name": "filterQuery", "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "INPUT_OBJECT", "name": "SerializedKueryQueryInput", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "CloudMachine", + "kind": "INPUT_OBJECT", + "name": "SerializedKueryQueryInput", "description": "", - "fields": [ + "fields": null, + "inputFields": [ { - "name": "type", + "name": "kuery", "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "INPUT_OBJECT", "name": "KueryFilterQueryInput", "ofType": null }, + "defaultValue": null + }, + { + "name": "serializedQuery", + "description": "", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "EndpointFields", + "kind": "INPUT_OBJECT", + "name": "KueryFilterQueryInput", "description": "", - "fields": [ + "fields": null, + "inputFields": [ { - "name": "endpointPolicy", + "name": "kind", "description": "", - "args": [], "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "defaultValue": null }, { - "name": "sensorVersion", + "name": "expression", "description": "", - "args": [], "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "policyStatus", - "description": "", - "args": [], - "type": { "kind": "ENUM", "name": "HostPolicyResponseActionStatus", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "ENUM", - "name": "HostPolicyResponseActionStatus", + "kind": "INPUT_OBJECT", + "name": "DateRangePickerInput", "description": "", "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ + "inputFields": [ { - "name": "success", + "name": "start", "description": "", - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "defaultValue": null }, { - "name": "failure", + "name": "end", "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { "name": "warning", "description": "", "isDeprecated": false, "deprecationReason": null } + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "defaultValue": null + } ], + "interfaces": null, + "enumValues": null, "possibleTypes": null }, { - "kind": "OBJECT", - "name": "FirstLastSeenHost", + "kind": "INPUT_OBJECT", + "name": "SortTimelineInput", "description": "", - "fields": [ - { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, + "fields": null, + "inputFields": [ { - "name": "firstSeen", + "name": "columnId", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null }, { - "name": "lastSeen", + "name": "sortDirection", "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null } ], - "inputFields": null, - "interfaces": [], + "interfaces": null, "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "KpiNetworkData", + "name": "ResponseTimeline", "description": "", "fields": [ { - "name": "networkEvents", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "uniqueFlowId", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "uniqueSourcePrivateIps", + "name": "code", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, @@ -6469,95 +4108,24 @@ "deprecationReason": null }, { - "name": "uniqueSourcePrivateIpsHistogram", - "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiNetworkHistogramData", "ofType": null } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "uniqueDestinationPrivateIps", + "name": "message", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "uniqueDestinationPrivateIpsHistogram", + "name": "timeline", "description": "", "args": [], "type": { - "kind": "LIST", + "kind": "NON_NULL", "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiNetworkHistogramData", "ofType": null } - } + "ofType": { "kind": "OBJECT", "name": "TimelineResult", "ofType": null } }, "isDeprecated": false, "deprecationReason": null - }, - { - "name": "dnsQueries", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "tlsHandshakes", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "KpiNetworkHistogramData", - "description": "", - "fields": [ - { - "name": "x", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "y", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null } ], "inputFields": null, @@ -6567,67 +4135,51 @@ }, { "kind": "OBJECT", - "name": "KpiHostsData", - "description": "", - "fields": [ - { - "name": "hosts", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, + "name": "ResponseFavoriteTimeline", + "description": "", + "fields": [ { - "name": "hostsHistogram", + "name": "code", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "authSuccess", + "name": "message", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "authSuccessHistogram", + "name": "savedObjectId", "description": "", "args": [], "type": { - "kind": "LIST", + "kind": "NON_NULL", "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } - } + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "authFailure", + "name": "version", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "authFailureHistogram", + "name": "favorite", "description": "", "args": [], "type": { @@ -6636,92 +4188,88 @@ "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "FavoriteTimelineResult", "ofType": null } } }, "isDeprecated": false, "deprecationReason": null - }, - { - "name": "uniqueSourceIps", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "__Schema", + "description": "A GraphQL Schema defines the capabilities of a GraphQL server. It exposes all available types and directives on the server, as well as the entry points for query, mutation, and subscription operations.", + "fields": [ { - "name": "uniqueSourceIpsHistogram", - "description": "", + "name": "types", + "description": "A list of all types supported by this server.", "args": [], "type": { - "kind": "LIST", + "kind": "NON_NULL", "name": null, "ofType": { - "kind": "NON_NULL", + "kind": "LIST", "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } + } } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "uniqueDestinationIps", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "uniqueDestinationIpsHistogram", - "description": "", + "name": "queryType", + "description": "The type that query operations will be rooted at.", "args": [], "type": { - "kind": "LIST", + "kind": "NON_NULL", "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } - } + "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "inspect", - "description": "", + "name": "mutationType", + "description": "If this server supports mutation, the type that mutation operations will be rooted at.", "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, + "type": { "kind": "OBJECT", "name": "__Type", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "KpiHostHistogramData", - "description": "", - "fields": [ + }, { - "name": "x", - "description": "", + "name": "subscriptionType", + "description": "If this server support subscription, the type that subscription operations will be rooted at.", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "OBJECT", "name": "__Type", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "y", - "description": "", + "name": "directives", + "description": "A list of all directives supported by this server.", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "__Directive", "ofType": null } + } + } + }, "isDeprecated": false, "deprecationReason": null } @@ -6733,68 +4281,63 @@ }, { "kind": "OBJECT", - "name": "KpiHostDetailsData", - "description": "", + "name": "__Type", + "description": "The fundamental unit of any GraphQL Schema is the type. There are many kinds of types in GraphQL as represented by the `__TypeKind` enum.\n\nDepending on the kind of a type, certain fields describe information about that type. Scalar types provide no information beyond a name and description, while Enum types provide their values. Object and Interface types provide the fields they describe. Abstract types, Union and Interface, provide the Object types possible at runtime. List and NonNull types compose other types.", "fields": [ { - "name": "authSuccess", - "description": "", + "name": "kind", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "__TypeKind", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "authSuccessHistogram", - "description": "", + "name": "name", + "description": null, "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "authFailure", - "description": "", + "name": "description", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "authFailureHistogram", - "description": "", - "args": [], + "name": "fields", + "description": null, + "args": [ + { + "name": "includeDeprecated", + "description": null, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "defaultValue": "false" + } + ], "type": { "kind": "LIST", "name": null, "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "__Field", "ofType": null } } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "uniqueSourceIps", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "uniqueSourceIpsHistogram", - "description": "", + "name": "interfaces", + "description": null, "args": [], "type": { "kind": "LIST", @@ -6802,23 +4345,15 @@ "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "uniqueDestinationIps", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "uniqueDestinationIpsHistogram", - "description": "", + "name": "possibleTypes", + "description": null, "args": [], "type": { "kind": "LIST", @@ -6826,133 +4361,56 @@ "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "KpiHostHistogramData", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "HistogramType", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { - "name": "authentications", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "anomalies", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { "name": "events", "description": "", "isDeprecated": false, "deprecationReason": null }, - { "name": "alerts", "description": "", "isDeprecated": false, "deprecationReason": null }, - { "name": "dns", "description": "", "isDeprecated": false, "deprecationReason": null } - ], - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "MatrixHistogramOverTimeData", - "description": "", - "fields": [ - { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "matrixHistogramData", - "description": "", - "args": [], + "name": "enumValues", + "description": null, + "args": [ + { + "name": "includeDeprecated", + "description": null, + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "defaultValue": "false" + } + ], "type": { - "kind": "NON_NULL", + "kind": "LIST", "name": null, "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "OBJECT", - "name": "MatrixOverTimeHistogramData", - "ofType": null - } - } + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "__EnumValue", "ofType": null } } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "totalCount", - "description": "", + "name": "inputFields", + "description": null, "args": [], "type": { - "kind": "NON_NULL", + "kind": "LIST", "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "__InputValue", "ofType": null } + } }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "MatrixOverTimeHistogramData", - "description": "", - "fields": [ - { - "name": "x", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "y", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null }, { - "name": "g", - "description": "", + "name": "ofType", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "__Type", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -6964,83 +4422,57 @@ }, { "kind": "ENUM", - "name": "FlowTargetSourceDest", - "description": "", + "name": "__TypeKind", + "description": "An enum describing what kind of type a given `__Type` is.", "fields": null, "inputFields": null, "interfaces": null, "enumValues": [ { - "name": "destination", - "description": "", + "name": "SCALAR", + "description": "Indicates this type is a scalar.", "isDeprecated": false, "deprecationReason": null }, - { "name": "source", "description": "", "isDeprecated": false, "deprecationReason": null } - ], - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "NetworkTopTablesSortField", - "description": "", - "fields": null, - "inputFields": [ { - "name": "field", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "NetworkTopTablesFields", "ofType": null } - }, - "defaultValue": null + "name": "OBJECT", + "description": "Indicates this type is an object. `fields` and `interfaces` are valid fields.", + "isDeprecated": false, + "deprecationReason": null }, { - "name": "direction", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } - }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "NetworkTopTablesFields", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ + "name": "INTERFACE", + "description": "Indicates this type is an interface. `fields` and `possibleTypes` are valid fields.", + "isDeprecated": false, + "deprecationReason": null + }, { - "name": "bytes_in", - "description": "", + "name": "UNION", + "description": "Indicates this type is a union. `possibleTypes` is a valid field.", "isDeprecated": false, "deprecationReason": null }, { - "name": "bytes_out", - "description": "", + "name": "ENUM", + "description": "Indicates this type is an enum. `enumValues` is a valid field.", "isDeprecated": false, "deprecationReason": null }, - { "name": "flows", "description": "", "isDeprecated": false, "deprecationReason": null }, { - "name": "destination_ips", - "description": "", + "name": "INPUT_OBJECT", + "description": "Indicates this type is an input object. `inputFields` is a valid field.", "isDeprecated": false, "deprecationReason": null }, { - "name": "source_ips", - "description": "", + "name": "LIST", + "description": "Indicates this type is a list. `ofType` is a valid field.", + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "NON_NULL", + "description": "Indicates this type is a non-null. `ofType` is a valid field.", "isDeprecated": false, "deprecationReason": null } @@ -7049,136 +4481,78 @@ }, { "kind": "OBJECT", - "name": "NetworkTopCountriesData", - "description": "", + "name": "__Field", + "description": "Object and Interface types are described by a list of Fields, each of which has a name, potentially a list of arguments, and a return type.", "fields": [ { - "name": "edges", - "description": "", + "name": "name", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkTopCountriesEdges", "ofType": null } - } - } + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "totalCount", - "description": "", + "name": "description", + "description": null, "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pageInfo", - "description": "", + "name": "args", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfoPaginated", "ofType": null } + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "__InputValue", "ofType": null } + } + } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkTopCountriesEdges", - "description": "", - "fields": [ - { - "name": "node", - "description": "", + "name": "type", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkTopCountriesItem", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "cursor", - "description": "", + "name": "isDeprecated", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkTopCountriesItem", - "description": "", - "fields": [ - { - "name": "_id", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "source", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "TopCountriesItemSource", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "destination", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "TopCountriesItemDestination", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null }, { - "name": "network", - "description": "", + "name": "deprecationReason", + "description": null, "args": [], - "type": { "kind": "OBJECT", "name": "TopNetworkTablesEcsField", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -7190,73 +4564,46 @@ }, { "kind": "OBJECT", - "name": "TopCountriesItemSource", - "description": "", + "name": "__InputValue", + "description": "Arguments provided to Fields or Directives and the input fields of an InputObject are represented as Input Values which describe their type and optionally a default value.", "fields": [ { - "name": "country", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "destination_ips", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "flows", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "location", - "description": "", + "name": "name", + "description": null, "args": [], - "type": { "kind": "OBJECT", "name": "GeoItem", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "source_ips", - "description": "", + "name": "description", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "GeoItem", - "description": "", - "fields": [ + }, { - "name": "geo", - "description": "", + "name": "type", + "description": null, "args": [], - "type": { "kind": "OBJECT", "name": "GeoEcsFields", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "flowTarget", - "description": "", + "name": "defaultValue", + "description": "A GraphQL-formatted string representing the default value for this input value.", "args": [], - "type": { "kind": "ENUM", "name": "FlowTargetSourceDest", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -7268,46 +4615,46 @@ }, { "kind": "OBJECT", - "name": "TopCountriesItemDestination", - "description": "", + "name": "__EnumValue", + "description": "One possible value for a given Enum. Enum values are unique values, not a placeholder for a string or numeric value. However an Enum value is returned in a JSON response as a string.", "fields": [ { - "name": "country", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "destination_ips", - "description": "", + "name": "name", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "flows", - "description": "", + "name": "description", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "location", - "description": "", + "name": "isDeprecated", + "description": null, "args": [], - "type": { "kind": "OBJECT", "name": "GeoItem", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "source_ips", - "description": "", + "name": "deprecationReason", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -7319,39 +4666,32 @@ }, { "kind": "OBJECT", - "name": "TopNetworkTablesEcsField", - "description": "", + "name": "__Directive", + "description": "A Directive provides a way to describe alternate runtime execution and type validation behavior in a GraphQL document.\n\nIn some cases, you need to provide options to alter GraphQL's execution behavior in ways field arguments will not suffice, such as conditionally including or skipping a field. Directives provide this by describing additional information to the executor.", "fields": [ { - "name": "bytes_in", - "description": "", + "name": "name", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, "isDeprecated": false, "deprecationReason": null }, { - "name": "bytes_out", - "description": "", + "name": "description", + "description": null, "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkTopNFlowData", - "description": "", - "fields": [ + }, { - "name": "edges", - "description": "", + "name": "locations", + "description": null, "args": [], "type": { "kind": "NON_NULL", @@ -7362,7 +4702,7 @@ "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkTopNFlowEdges", "ofType": null } + "ofType": { "kind": "ENUM", "name": "__DirectiveLocation", "ofType": null } } } }, @@ -7370,71 +4710,60 @@ "deprecationReason": null }, { - "name": "totalCount", - "description": "", + "name": "args", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "OBJECT", "name": "__InputValue", "ofType": null } + } + } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pageInfo", - "description": "", + "name": "onOperation", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfoPaginated", "ofType": null } + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } }, - "isDeprecated": false, - "deprecationReason": null + "isDeprecated": true, + "deprecationReason": "Use `locations`." }, { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkTopNFlowEdges", - "description": "", - "fields": [ - { - "name": "node", - "description": "", + "name": "onFragment", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkTopNFlowItem", "ofType": null } + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } }, - "isDeprecated": false, - "deprecationReason": null + "isDeprecated": true, + "deprecationReason": "Use `locations`." }, { - "name": "cursor", - "description": "", + "name": "onField", + "description": null, "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } + "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } }, - "isDeprecated": false, - "deprecationReason": null + "isDeprecated": true, + "deprecationReason": "Use `locations`." } ], "inputFields": null, @@ -7443,496 +4772,335 @@ "possibleTypes": null }, { - "kind": "OBJECT", - "name": "NetworkTopNFlowItem", - "description": "", - "fields": [ + "kind": "ENUM", + "name": "__DirectiveLocation", + "description": "A Directive can be adjacent to many parts of the GraphQL language, a __DirectiveLocation describes one such possible adjacencies.", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ { - "name": "_id", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "name": "QUERY", + "description": "Location adjacent to a query operation.", "isDeprecated": false, "deprecationReason": null }, { - "name": "source", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "TopNFlowItemSource", "ofType": null }, + "name": "MUTATION", + "description": "Location adjacent to a mutation operation.", "isDeprecated": false, "deprecationReason": null }, { - "name": "destination", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "TopNFlowItemDestination", "ofType": null }, + "name": "SUBSCRIPTION", + "description": "Location adjacent to a subscription operation.", "isDeprecated": false, "deprecationReason": null }, { - "name": "network", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "TopNetworkTablesEcsField", "ofType": null }, + "name": "FIELD", + "description": "Location adjacent to a field.", "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TopNFlowItemSource", - "description": "", - "fields": [ + }, { - "name": "autonomous_system", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "AutonomousSystemItem", "ofType": null }, + "name": "FRAGMENT_DEFINITION", + "description": "Location adjacent to a fragment definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "domain", - "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, + "name": "FRAGMENT_SPREAD", + "description": "Location adjacent to a fragment spread.", "isDeprecated": false, "deprecationReason": null }, { - "name": "ip", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "name": "INLINE_FRAGMENT", + "description": "Location adjacent to an inline fragment.", "isDeprecated": false, "deprecationReason": null }, { - "name": "location", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "GeoItem", "ofType": null }, + "name": "SCHEMA", + "description": "Location adjacent to a schema definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "flows", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "name": "SCALAR", + "description": "Location adjacent to a scalar definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "destination_ips", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "AutonomousSystemItem", - "description": "", - "fields": [ + "name": "OBJECT", + "description": "Location adjacent to an object type definition.", + "isDeprecated": false, + "deprecationReason": null + }, { - "name": "name", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "name": "FIELD_DEFINITION", + "description": "Location adjacent to a field definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "number", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "name": "ARGUMENT_DEFINITION", + "description": "Location adjacent to an argument definition.", "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "TopNFlowItemDestination", - "description": "", - "fields": [ + }, { - "name": "autonomous_system", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "AutonomousSystemItem", "ofType": null }, + "name": "INTERFACE", + "description": "Location adjacent to an interface definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "domain", - "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, + "name": "UNION", + "description": "Location adjacent to a union definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "ip", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "name": "ENUM", + "description": "Location adjacent to an enum definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "location", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "GeoItem", "ofType": null }, + "name": "ENUM_VALUE", + "description": "Location adjacent to an enum value definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "flows", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "name": "INPUT_OBJECT", + "description": "Location adjacent to an input object type definition.", "isDeprecated": false, "deprecationReason": null }, { - "name": "source_ips", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "name": "INPUT_FIELD_DEFINITION", + "description": "Location adjacent to an input object field definition.", "isDeprecated": false, "deprecationReason": null } ], - "inputFields": null, - "interfaces": [], - "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "NetworkDnsSortField", + "kind": "SCALAR", + "name": "ToStringArrayNoNullable", "description": "", "fields": null, - "inputFields": [ - { - "name": "field", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "NetworkDnsFields", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "direction", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } - }, - "defaultValue": null - } - ], + "inputFields": null, "interfaces": null, "enumValues": null, "possibleTypes": null }, { - "kind": "ENUM", - "name": "NetworkDnsFields", + "kind": "OBJECT", + "name": "EventEcsFields", "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ + "fields": [ { - "name": "dnsName", + "name": "action", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "queryCount", + "name": "category", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "uniqueDomains", + "name": "code", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dnsBytesIn", + "name": "created", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dnsBytesOut", + "name": "dataset", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkDnsData", - "description": "", - "fields": [ + }, { - "name": "edges", + "name": "duration", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkDnsEdges", "ofType": null } - } - } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "totalCount", + "name": "end", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pageInfo", + "name": "hash", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfoPaginated", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "inspect", + "name": "id", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "histogram", + "name": "kind", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "OBJECT", - "name": "MatrixOverOrdinalHistogramData", - "ofType": null - } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkDnsEdges", - "description": "", - "fields": [ + }, { - "name": "node", + "name": "module", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkDnsItem", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "cursor", + "name": "original", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkDnsItem", - "description": "", - "fields": [ + }, { - "name": "_id", + "name": "outcome", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dnsBytesIn", + "name": "risk_score", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dnsBytesOut", + "name": "risk_score_norm", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dnsName", + "name": "severity", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "queryCount", + "name": "start", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "uniqueDomains", + "name": "timezone", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "type", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } ], "inputFields": null, - "interfaces": [], + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "SCALAR", + "name": "ToDateArray", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "SCALAR", + "name": "ToNumberArray", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "MatrixOverOrdinalHistogramData", + "name": "Location", "description": "", "fields": [ { - "name": "x", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "y", + "name": "lon", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "g", + "name": "lat", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -7944,134 +5112,62 @@ }, { "kind": "OBJECT", - "name": "NetworkDsOverTimeData", + "name": "GeoEcsFields", "description": "", "fields": [ { - "name": "inspect", + "name": "city_name", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "matrixHistogramData", + "name": "continent_name", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "OBJECT", - "name": "MatrixOverTimeHistogramData", - "ofType": null - } - } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "totalCount", + "name": "country_iso_code", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "NetworkHttpSortField", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "direction", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } - }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "NetworkHttpData", - "description": "", - "fields": [ + }, { - "name": "edges", + "name": "country_name", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkHttpEdges", "ofType": null } - } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "totalCount", + "name": "location", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, + "type": { "kind": "OBJECT", "name": "Location", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pageInfo", + "name": "region_iso_code", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfoPaginated", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "inspect", + "name": "region_name", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8083,30 +5179,30 @@ }, { "kind": "OBJECT", - "name": "NetworkHttpEdges", + "name": "PrimarySecondary", "description": "", "fields": [ { - "name": "node", + "name": "primary", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NetworkHttpItem", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "cursor", + "name": "secondary", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "type", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8118,106 +5214,46 @@ }, { "kind": "OBJECT", - "name": "NetworkHttpItem", + "name": "Summary", "description": "", "fields": [ { - "name": "_id", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "domains", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "lastHost", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "lastSourceIp", + "name": "actor", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "PrimarySecondary", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "methods", + "name": "object", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, + "type": { "kind": "OBJECT", "name": "PrimarySecondary", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "path", + "name": "how", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "requestCount", + "name": "message_type", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "statuses", + "name": "sequence", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8229,18 +5265,14 @@ }, { "kind": "OBJECT", - "name": "SayMyName", + "name": "AgentEcsField", "description": "", "fields": [ { - "name": "appName", - "description": "The id of the source", + "name": "type", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8251,335 +5283,294 @@ "possibleTypes": null }, { - "kind": "OBJECT", - "name": "TimelineResult", - "description": "", - "fields": [ - { - "name": "columns", - "description": "", - "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "ColumnHeaderResult", "ofType": null } - } - }, + "kind": "OBJECT", + "name": "AuditdData", + "description": "", + "fields": [ + { + "name": "acct", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "created", + "name": "terminal", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "createdBy", + "name": "op", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "AuditdEcsFields", + "description": "", + "fields": [ { - "name": "dataProviders", + "name": "result", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "DataProviderResult", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "dateRange", + "name": "session", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "DateRangePickerResult", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "description", + "name": "data", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "AuditdData", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "eventIdToNoteIds", + "name": "summary", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NoteResult", "ofType": null } - } - }, + "type": { "kind": "OBJECT", "name": "Summary", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "eventType", + "name": "sequence", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "Thread", + "description": "", + "fields": [ { - "name": "excludedRowRendererIds", + "name": "id", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "RowRendererId", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "favorite", + "name": "start", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "FavoriteTimelineResult", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "ProcessHashData", + "description": "", + "fields": [ { - "name": "filters", + "name": "md5", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "FilterTimelineResult", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "kqlMode", + "name": "sha1", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "kqlQuery", + "name": "sha256", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "SerializedFilterQueryResult", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "ProcessEcsFields", + "description": "", + "fields": [ { - "name": "indexNames", + "name": "hash", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, + "type": { "kind": "OBJECT", "name": "ProcessHashData", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "notes", + "name": "pid", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NoteResult", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "noteIds", + "name": "name", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pinnedEventIds", + "name": "ppid", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pinnedEventsSaveObject", + "name": "args", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "PinnedEvent", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "savedQueryId", + "name": "entity_id", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "savedObjectId", + "name": "executable", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "sort", + "name": "title", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "SortTimelineResult", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "status", + "name": "thread", "description": "", "args": [], - "type": { "kind": "ENUM", "name": "TimelineStatus", "ofType": null }, + "type": { "kind": "OBJECT", "name": "Thread", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "title", + "name": "working_directory", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "SourceEcsFields", + "description": "", + "fields": [ { - "name": "templateTimelineId", + "name": "bytes", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "templateTimelineVersion", + "name": "ip", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Int", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "timelineType", + "name": "port", "description": "", "args": [], - "type": { "kind": "ENUM", "name": "TimelineType", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "updated", + "name": "domain", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "updatedBy", + "name": "geo", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "GeoEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "version", + "name": "packets", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8591,102 +5582,116 @@ }, { "kind": "OBJECT", - "name": "ColumnHeaderResult", + "name": "DestinationEcsFields", "description": "", "fields": [ { - "name": "aggregatable", + "name": "bytes", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "category", + "name": "ip", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "columnHeaderType", + "name": "port", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "description", + "name": "domain", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "example", + "name": "geo", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "GeoEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "indexes", + "name": "packets", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "DnsQuestionData", + "description": "", + "fields": [ { - "name": "id", + "name": "name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "name", + "name": "type", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "DnsEcsFields", + "description": "", + "fields": [ { - "name": "placeholder", + "name": "question", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "DnsQuestionData", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "searchable", + "name": "resolved_ip", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", + "name": "response_code", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8698,129 +5703,110 @@ }, { "kind": "OBJECT", - "name": "DataProviderResult", + "name": "EndgameEcsFields", "description": "", "fields": [ { - "name": "id", + "name": "exit_code", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "name", + "name": "file_name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "enabled", + "name": "file_path", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "excluded", + "name": "logon_type", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "kqlQuery", + "name": "parent_process_name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "queryMatch", + "name": "pid", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "QueryMatchResult", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", + "name": "process_name", "description": "", "args": [], - "type": { "kind": "ENUM", "name": "DataProviderType", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "and", + "name": "subject_domain_name", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "DataProviderResult", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "QueryMatchResult", - "description": "", - "fields": [ + }, { - "name": "field", + "name": "subject_logon_id", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "displayField", + "name": "subject_user_name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "value", + "name": "target_domain_name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "displayValue", + "name": "target_logon_id", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "operator", + "name": "target_user_name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8830,151 +5816,97 @@ "enumValues": null, "possibleTypes": null }, - { - "kind": "ENUM", - "name": "DataProviderType", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { - "name": "default", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "template", - "description": "", - "isDeprecated": false, - "deprecationReason": null - } - ], - "possibleTypes": null - }, { "kind": "OBJECT", - "name": "DateRangePickerResult", + "name": "SuricataAlertData", "description": "", "fields": [ { - "name": "start", + "name": "signature", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "end", + "name": "signature_id", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } ], "inputFields": null, "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "RowRendererId", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { "name": "auditd", "description": "", "isDeprecated": false, "deprecationReason": null }, - { - "name": "auditd_file", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "netflow", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { "name": "plain", "description": "", "isDeprecated": false, "deprecationReason": null }, - { - "name": "suricata", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { "name": "system", "description": "", "isDeprecated": false, "deprecationReason": null }, - { - "name": "system_dns", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "system_endgame_process", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "system_file", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "SuricataEveData", + "description": "", + "fields": [ { - "name": "system_fim", + "name": "alert", "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "SuricataAlertData", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "system_security_event", + "name": "flow_id", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "system_socket", + "name": "proto", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, - { "name": "zeek", "description": "", "isDeprecated": false, "deprecationReason": null } + } ], + "inputFields": null, + "interfaces": [], + "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "FavoriteTimelineResult", + "name": "SuricataEcsFields", "description": "", "fields": [ { - "name": "fullName", - "description": "", - "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "userName", + "name": "eve", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "SuricataEveData", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "TlsJa3Data", + "description": "", + "fields": [ { - "name": "favoriteDate", + "name": "hash", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -8986,62 +5918,106 @@ }, { "kind": "OBJECT", - "name": "FilterTimelineResult", + "name": "FingerprintData", "description": "", "fields": [ { - "name": "exists", + "name": "sha1", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "TlsClientCertificateData", + "description": "", + "fields": [ { - "name": "meta", + "name": "fingerprint", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "FilterMetaTimelineResult", "ofType": null }, + "type": { "kind": "OBJECT", "name": "FingerprintData", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "TlsServerCertificateData", + "description": "", + "fields": [ { - "name": "match_all", + "name": "fingerprint", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "FingerprintData", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "TlsFingerprintsData", + "description": "", + "fields": [ { - "name": "missing", + "name": "ja3", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "TlsJa3Data", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "TlsEcsFields", + "description": "", + "fields": [ { - "name": "query", + "name": "client_certificate", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "TlsClientCertificateData", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "range", + "name": "fingerprints", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "TlsFingerprintsData", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "script", + "name": "server_certificate", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "TlsServerCertificateData", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -9053,94 +6029,123 @@ }, { "kind": "OBJECT", - "name": "FilterMetaTimelineResult", + "name": "ZeekConnectionData", "description": "", "fields": [ { - "name": "alias", + "name": "local_resp", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "controlledBy", + "name": "local_orig", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "disabled", + "name": "missed_bytes", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "field", + "name": "state", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "formattedValue", + "name": "history", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "SCALAR", + "name": "ToBooleanArray", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "ZeekNoticeData", + "description": "", + "fields": [ + { + "name": "suppress_for", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "index", + "name": "msg", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "key", + "name": "note", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "negate", + "name": "sub", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "params", + "name": "dst", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", + "name": "dropped", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "value", + "name": "peer_descr", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -9152,577 +6157,303 @@ }, { "kind": "OBJECT", - "name": "SerializedFilterQueryResult", + "name": "ZeekDnsData", "description": "", "fields": [ { - "name": "filterQuery", + "name": "AA", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "SerializedKueryQueryResult", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SerializedKueryQueryResult", - "description": "", - "fields": [ + }, { - "name": "kuery", + "name": "qclass_name", "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "KueryFilterQueryResult", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "serializedQuery", + "name": "RD", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "KueryFilterQueryResult", - "description": "", - "fields": [ + }, { - "name": "kind", + "name": "qtype_name", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "expression", + "name": "rejected", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "SortTimelineResult", - "description": "", - "fields": [ + }, { - "name": "columnId", + "name": "qtype", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "sortDirection", + "name": "query", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "TimelineStatus", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { "name": "active", "description": "", "isDeprecated": false, "deprecationReason": null }, - { "name": "draft", "description": "", "isDeprecated": false, "deprecationReason": null }, + }, { - "name": "immutable", + "name": "trans_id", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "Int", - "description": "The `Int` scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1. ", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "TimelineType", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ + }, { - "name": "default", + "name": "qclass", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "template", + "name": "RA", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "PageInfoTimeline", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "pageIndex", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "defaultValue": null }, { - "name": "pageSize", + "name": "TC", "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } - }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "SortTimeline", + "kind": "OBJECT", + "name": "FileFields", "description": "", - "fields": null, - "inputFields": [ + "fields": [ { - "name": "sortField", + "name": "name", "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "SortFieldTimeline", "ofType": null } - }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "sortOrder", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } - }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "SortFieldTimeline", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { "name": "title", "description": "", "isDeprecated": false, "deprecationReason": null }, - { - "name": "description", + "name": "path", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "updated", + "name": "target_path", "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, - { "name": "created", "description": "", "isDeprecated": false, "deprecationReason": null } - ], - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "ResponseTimelines", - "description": "", - "fields": [ { - "name": "timeline", + "name": "extension", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { "kind": "OBJECT", "name": "TimelineResult", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "totalCount", + "name": "type", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "defaultTimelineCount", + "name": "device", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "templateTimelineCount", + "name": "inode", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "elasticTemplateTimelineCount", + "name": "uid", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "customTemplateTimelineCount", + "name": "owner", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "favoriteCount", + "name": "gid", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "Mutation", - "description": "", - "fields": [ + }, { - "name": "persistNote", - "description": "Persists a note", - "args": [ - { - "name": "noteId", - "description": "", - "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, - "defaultValue": null - }, - { - "name": "version", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "note", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "NoteInput", "ofType": null } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "ResponseNote", "ofType": null } - }, + "name": "group", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "deleteNote", + "name": "mode", "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "deleteNoteByTimelineId", + "name": "size", "description": "", - "args": [ - { - "name": "timelineId", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "version", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - } - ], - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "persistPinnedEventOnTimeline", - "description": "Persists a pinned event in a timeline", - "args": [ - { - "name": "pinnedEventId", - "description": "", - "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, - "defaultValue": null - }, - { - "name": "eventId", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } - }, - "defaultValue": null - }, - { - "name": "timelineId", - "description": "", - "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, - "defaultValue": null - } - ], - "type": { "kind": "OBJECT", "name": "PinnedEvent", "ofType": null }, + "name": "mtime", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "deletePinnedEventOnTimeline", - "description": "Remove a pinned events in a timeline", - "args": [ - { - "name": "id", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, + "name": "ctime", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToDateArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "ZeekHttpData", + "description": "", + "fields": [ + { + "name": "resp_mime_types", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "deleteAllPinnedEventsOnTimeline", - "description": "Remove all pinned events in a timeline", - "args": [ - { - "name": "timelineId", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, + "name": "trans_depth", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "persistTimeline", - "description": "Persists a timeline", - "args": [ - { - "name": "id", - "description": "", - "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, - "defaultValue": null - }, - { - "name": "version", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "timeline", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "TimelineInput", "ofType": null } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "ResponseTimeline", "ofType": null } - }, + "name": "status_msg", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "persistFavorite", + "name": "resp_fuids", "description": "", - "args": [ - { - "name": "timelineId", - "description": "", - "type": { "kind": "SCALAR", "name": "ID", "ofType": null }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "ResponseFavoriteTimeline", "ofType": null } - }, + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "deleteTimeline", + "name": "tags", "description": "", - "args": [ - { - "name": "id", - "description": "", - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "ID", "ofType": null } - } - } - }, - "defaultValue": null - } - ], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "HttpBodyData", + "description": "", + "fields": [ + { + "name": "content", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "bytes", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -9733,64 +6464,74 @@ "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "NoteInput", + "kind": "OBJECT", + "name": "HttpRequestData", "description": "", - "fields": null, - "inputFields": [ + "fields": [ { - "name": "eventId", + "name": "method", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "note", + "name": "body", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "HttpBodyData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "timelineId", + "name": "referrer", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "bytes", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "ResponseNote", + "name": "HttpResponseData", "description": "", "fields": [ { - "name": "code", + "name": "status_code", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "message", + "name": "body", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "HttpBodyData", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "note", + "name": "bytes", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "NoteResult", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -9801,624 +6542,608 @@ "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "TimelineInput", + "kind": "OBJECT", + "name": "HttpEcsFields", "description": "", - "fields": null, - "inputFields": [ - { - "name": "columns", - "description": "", - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "ColumnHeaderInput", "ofType": null } - } - }, - "defaultValue": null - }, - { - "name": "dataProviders", - "description": "", - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "DataProviderInput", "ofType": null } - } - }, - "defaultValue": null - }, - { - "name": "description", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "eventType", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "excludedRowRendererIds", - "description": "", - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "RowRendererId", "ofType": null } - } - }, - "defaultValue": null - }, - { - "name": "filters", - "description": "", - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "FilterTimelineInput", "ofType": null } - } - }, - "defaultValue": null - }, - { - "name": "kqlMode", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "kqlQuery", - "description": "", - "type": { - "kind": "INPUT_OBJECT", - "name": "SerializedFilterQueryInput", - "ofType": null - }, - "defaultValue": null - }, - { - "name": "indexNames", - "description": "", - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, - "defaultValue": null - }, - { - "name": "title", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, + "fields": [ { - "name": "templateTimelineId", + "name": "version", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "templateTimelineVersion", + "name": "request", "description": "", - "type": { "kind": "SCALAR", "name": "Int", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "HttpRequestData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "timelineType", + "name": "response", "description": "", - "type": { "kind": "ENUM", "name": "TimelineType", "ofType": null }, - "defaultValue": null - }, + "args": [], + "type": { "kind": "OBJECT", "name": "HttpResponseData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "UrlEcsFields", + "description": "", + "fields": [ { - "name": "dateRange", + "name": "domain", "description": "", - "type": { "kind": "INPUT_OBJECT", "name": "DateRangePickerInput", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "savedQueryId", + "name": "original", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "sort", + "name": "username", "description": "", - "type": { "kind": "INPUT_OBJECT", "name": "SortTimelineInput", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "status", + "name": "password", "description": "", - "type": { "kind": "ENUM", "name": "TimelineStatus", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "ColumnHeaderInput", + "kind": "OBJECT", + "name": "ZeekFileData", "description": "", - "fields": null, - "inputFields": [ + "fields": [ { - "name": "aggregatable", + "name": "session_ids", "description": "", - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "category", + "name": "timedout", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "columnHeaderType", + "name": "local_orig", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "description", + "name": "tx_host", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "example", + "name": "source", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "indexes", + "name": "is_orig", "description": "", - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - } - }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "id", + "name": "overflow_bytes", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "name", + "name": "sha1", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "placeholder", + "name": "duration", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "searchable", + "name": "depth", "description": "", - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "type", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "DataProviderInput", - "description": "", - "fields": null, - "inputFields": [ - { - "name": "id", + "name": "analyzers", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "name", + "name": "mime_type", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "enabled", + "name": "rx_host", "description": "", - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "excluded", + "name": "total_bytes", "description": "", - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "kqlQuery", + "name": "fuid", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "queryMatch", + "name": "seen_bytes", "description": "", - "type": { "kind": "INPUT_OBJECT", "name": "QueryMatchInput", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "and", + "name": "missing_bytes", "description": "", - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "INPUT_OBJECT", "name": "DataProviderInput", "ofType": null } - } - }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "type", + "name": "md5", "description": "", - "type": { "kind": "ENUM", "name": "DataProviderType", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "QueryMatchInput", + "kind": "OBJECT", + "name": "ZeekSslData", "description": "", - "fields": null, - "inputFields": [ - { - "name": "field", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, + "fields": [ { - "name": "displayField", + "name": "cipher", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "value", + "name": "established", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "displayValue", + "name": "resumed", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "operator", + "name": "version", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "FilterTimelineInput", + "kind": "OBJECT", + "name": "ZeekEcsFields", "description": "", - "fields": null, - "inputFields": [ + "fields": [ { - "name": "exists", + "name": "session_id", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "meta", + "name": "connection", "description": "", - "type": { "kind": "INPUT_OBJECT", "name": "FilterMetaTimelineInput", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "ZeekConnectionData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "match_all", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "name": "notice", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "ZeekNoticeData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "missing", + "name": "dns", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "ZeekDnsData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "query", + "name": "http", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "ZeekHttpData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "range", + "name": "files", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "ZeekFileData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "script", + "name": "ssl", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "ZeekSslData", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "FilterMetaTimelineInput", + "kind": "OBJECT", + "name": "UserEcsFields", "description": "", - "fields": null, - "inputFields": [ - { - "name": "alias", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "controlledBy", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, - { - "name": "disabled", - "description": "", - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": null - }, - { - "name": "field", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, + "fields": [ { - "name": "formattedValue", + "name": "domain", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "index", + "name": "id", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "key", + "name": "name", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "negate", + "name": "full_name", "description": "", - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "params", + "name": "email", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "type", + "name": "hash", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "value", + "name": "group", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "SerializedFilterQueryInput", + "kind": "OBJECT", + "name": "WinlogEcsFields", "description": "", - "fields": null, - "inputFields": [ + "fields": [ { - "name": "filterQuery", + "name": "event_id", "description": "", - "type": { "kind": "INPUT_OBJECT", "name": "SerializedKueryQueryInput", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "SerializedKueryQueryInput", + "kind": "OBJECT", + "name": "NetworkEcsField", "description": "", - "fields": null, - "inputFields": [ + "fields": [ { - "name": "kuery", + "name": "bytes", "description": "", - "type": { "kind": "INPUT_OBJECT", "name": "KueryFilterQueryInput", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "serializedQuery", + "name": "community_id", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - } - ], - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "INPUT_OBJECT", - "name": "KueryFilterQueryInput", - "description": "", - "fields": null, - "inputFields": [ + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, { - "name": "kind", + "name": "direction", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "expression", + "name": "packets", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "protocol", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "transport", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "DateRangePickerInput", + "kind": "OBJECT", + "name": "PackageEcsFields", "description": "", - "fields": null, - "inputFields": [ + "fields": [ + { + "name": "arch", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "entity_id", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "name", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "size", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, { - "name": "start", + "name": "summary", "description": "", - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "end", + "name": "version", "description": "", - "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { - "kind": "INPUT_OBJECT", - "name": "SortTimelineInput", + "kind": "OBJECT", + "name": "AuditEcsFields", "description": "", - "fields": null, - "inputFields": [ - { - "name": "columnId", - "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null - }, + "fields": [ { - "name": "sortDirection", + "name": "package", "description": "", - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "defaultValue": null + "args": [], + "type": { "kind": "OBJECT", "name": "PackageEcsFields", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null } ], - "interfaces": null, + "inputFields": null, + "interfaces": [], "enumValues": null, "possibleTypes": null }, { "kind": "OBJECT", - "name": "ResponseTimeline", + "name": "SshEcsFields", "description": "", "fields": [ { - "name": "code", + "name": "method", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "message", + "name": "signature", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "AuthEcsFields", + "description": "", + "fields": [ { - "name": "timeline", + "name": "ssh", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "TimelineResult", "ofType": null } - }, + "type": { "kind": "OBJECT", "name": "SshEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -10430,80 +7155,56 @@ }, { "kind": "OBJECT", - "name": "ResponseFavoriteTimeline", + "name": "SystemEcsField", "description": "", "fields": [ { - "name": "code", + "name": "audit", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "type": { "kind": "OBJECT", "name": "AuditEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "message", + "name": "auth", "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "OBJECT", "name": "AuthEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "RuleField", + "description": "", + "fields": [ { - "name": "savedObjectId", + "name": "id", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "version", + "name": "rule_id", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "favorite", + "name": "false_positives", "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "FavoriteTimelineResult", "ofType": null } - } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "__Schema", - "description": "A GraphQL Schema defines the capabilities of a GraphQL server. It exposes all available types and directives on the server, as well as the entry points for query, mutation, and subscription operations.", - "fields": [ - { - "name": "types", - "description": "A list of all types supported by this server.", - "args": [], "type": { "kind": "NON_NULL", "name": null, @@ -10513,7 +7214,7 @@ "ofType": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } } } }, @@ -10521,384 +7222,242 @@ "deprecationReason": null }, { - "name": "queryType", - "description": "The type that query operations will be rooted at.", + "name": "saved_id", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "mutationType", - "description": "If this server supports mutation, the type that mutation operations will be rooted at.", + "name": "timeline_id", + "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "__Type", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "subscriptionType", - "description": "If this server support subscription, the type that subscription operations will be rooted at.", + "name": "timeline_title", + "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "__Type", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "directives", - "description": "A list of all directives supported by this server.", + "name": "max_signals", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__Directive", "ofType": null } - } - } - }, + "type": { "kind": "SCALAR", "name": "ToNumberArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "__Type", - "description": "The fundamental unit of any GraphQL Schema is the type. There are many kinds of types in GraphQL as represented by the `__TypeKind` enum.\n\nDepending on the kind of a type, certain fields describe information about that type. Scalar types provide no information beyond a name and description, while Enum types provide their values. Object and Interface types provide the fields they describe. Abstract types, Union and Interface, provide the Object types possible at runtime. List and NonNull types compose other types.", - "fields": [ + }, { - "name": "kind", - "description": null, + "name": "risk_score", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "__TypeKind", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "name", - "description": null, + "name": "output_index", + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { "name": "description", - "description": null, + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "fields", - "description": null, - "args": [ - { - "name": "includeDeprecated", - "description": null, - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": "false" - } - ], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__Field", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "interfaces", - "description": null, + "name": "from", + "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "possibleTypes", - "description": null, + "name": "immutable", + "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "enumValues", - "description": null, - "args": [ - { - "name": "includeDeprecated", - "description": null, - "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, - "defaultValue": "false" - } - ], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__EnumValue", "ofType": null } - } - }, + "name": "index", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "inputFields", - "description": null, + "name": "interval", + "description": "", "args": [], - "type": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__InputValue", "ofType": null } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "ofType", - "description": null, + "name": "language", + "description": "", "args": [], - "type": { "kind": "OBJECT", "name": "__Type", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "__TypeKind", - "description": "An enum describing what kind of type a given `__Type` is.", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ + }, { - "name": "SCALAR", - "description": "Indicates this type is a scalar.", + "name": "query", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "OBJECT", - "description": "Indicates this type is an object. `fields` and `interfaces` are valid fields.", + "name": "references", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "INTERFACE", - "description": "Indicates this type is an interface. `fields` and `possibleTypes` are valid fields.", + "name": "severity", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "UNION", - "description": "Indicates this type is a union. `possibleTypes` is a valid field.", + "name": "tags", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "ENUM", - "description": "Indicates this type is an enum. `enumValues` is a valid field.", + "name": "threat", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "INPUT_OBJECT", - "description": "Indicates this type is an input object. `inputFields` is a valid field.", + "name": "type", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "LIST", - "description": "Indicates this type is a list. `ofType` is a valid field.", + "name": "size", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "NON_NULL", - "description": "Indicates this type is a non-null. `ofType` is a valid field.", + "name": "to", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "__Field", - "description": "Object and Interface types are described by a list of Fields, each of which has a name, potentially a list of arguments, and a return type.", - "fields": [ + }, { - "name": "name", - "description": null, + "name": "enabled", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToBooleanArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "description", - "description": null, + "name": "filters", + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "args", - "description": null, + "name": "created_at", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__InputValue", "ofType": null } - } - } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", - "description": null, + "name": "updated_at", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "isDeprecated", - "description": null, + "name": "created_by", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "deprecationReason", - "description": null, + "name": "updated_by", + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "__InputValue", - "description": "Arguments provided to Fields or Directives and the input fields of an InputObject are represented as Input Values which describe their type and optionally a default value.", - "fields": [ + }, { - "name": "name", - "description": null, + "name": "version", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "description", - "description": null, + "name": "note", + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "type", - "description": null, + "name": "threshold", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__Type", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "defaultValue", - "description": "A GraphQL-formatted string representing the default value for this input value.", + "name": "exceptions_list", + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -10910,46 +7469,49 @@ }, { "kind": "OBJECT", - "name": "__EnumValue", - "description": "One possible value for a given Enum. Enum values are unique values, not a placeholder for a string or numeric value. However an Enum value is returned in a JSON response as a string.", + "name": "SignalField", + "description": "", "fields": [ { - "name": "name", - "description": null, + "name": "rule", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, + "type": { "kind": "OBJECT", "name": "RuleField", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "description", - "description": null, + "name": "original_time", + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "isDeprecated", - "description": null, + "name": "status", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null - }, + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "RuleEcsField", + "description": "", + "fields": [ { - "name": "deprecationReason", - "description": null, + "name": "reference", + "description": "", "args": [], - "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -10961,12 +7523,12 @@ }, { "kind": "OBJECT", - "name": "__Directive", - "description": "A Directive provides a way to describe alternate runtime execution and type validation behavior in a GraphQL document.\n\nIn some cases, you need to provide options to alter GraphQL's execution behavior in ways field arguments will not suffice, such as conditionally including or skipping a field. Directives provide this by describing additional information to the executor.", + "name": "ECS", + "description": "", "fields": [ { - "name": "name", - "description": null, + "name": "_id", + "description": "", "args": [], "type": { "kind": "NON_NULL", @@ -10977,250 +7539,202 @@ "deprecationReason": null }, { - "name": "description", - "description": null, + "name": "_index", + "description": "", "args": [], "type": { "kind": "SCALAR", "name": "String", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "locations", - "description": null, + "name": "agent", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "ENUM", "name": "__DirectiveLocation", "ofType": null } - } - } - }, + "type": { "kind": "OBJECT", "name": "AgentEcsField", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "args", - "description": null, + "name": "auditd", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "__InputValue", "ofType": null } - } - } - }, + "type": { "kind": "OBJECT", "name": "AuditdEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "onOperation", - "description": null, - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, - "isDeprecated": true, - "deprecationReason": "Use `locations`." - }, - { - "name": "onFragment", - "description": null, + "name": "destination", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, - "isDeprecated": true, - "deprecationReason": "Use `locations`." + "type": { "kind": "OBJECT", "name": "DestinationEcsFields", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null }, { - "name": "onField", - "description": null, + "name": "dns", + "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "Boolean", "ofType": null } - }, - "isDeprecated": true, - "deprecationReason": "Use `locations`." - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "__DirectiveLocation", - "description": "A Directive can be adjacent to many parts of the GraphQL language, a __DirectiveLocation describes one such possible adjacencies.", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { - "name": "QUERY", - "description": "Location adjacent to a query operation.", + "type": { "kind": "OBJECT", "name": "DnsEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "MUTATION", - "description": "Location adjacent to a mutation operation.", + "name": "endgame", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "EndgameEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "SUBSCRIPTION", - "description": "Location adjacent to a subscription operation.", + "name": "event", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "EventEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "FIELD", - "description": "Location adjacent to a field.", + "name": "geo", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "GeoEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "FRAGMENT_DEFINITION", - "description": "Location adjacent to a fragment definition.", + "name": "host", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "HostEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "FRAGMENT_SPREAD", - "description": "Location adjacent to a fragment spread.", + "name": "network", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "NetworkEcsField", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "INLINE_FRAGMENT", - "description": "Location adjacent to an inline fragment.", + "name": "rule", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "RuleEcsField", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "SCHEMA", - "description": "Location adjacent to a schema definition.", + "name": "signal", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "SignalField", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "SCALAR", - "description": "Location adjacent to a scalar definition.", + "name": "source", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "SourceEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "OBJECT", - "description": "Location adjacent to an object type definition.", + "name": "suricata", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "SuricataEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "FIELD_DEFINITION", - "description": "Location adjacent to a field definition.", + "name": "tls", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "TlsEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "ARGUMENT_DEFINITION", - "description": "Location adjacent to an argument definition.", + "name": "zeek", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "ZeekEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "INTERFACE", - "description": "Location adjacent to an interface definition.", + "name": "http", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "HttpEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "UNION", - "description": "Location adjacent to a union definition.", + "name": "url", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "UrlEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "ENUM", - "description": "Location adjacent to an enum definition.", + "name": "timestamp", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "Date", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "ENUM_VALUE", - "description": "Location adjacent to an enum value definition.", + "name": "message", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "INPUT_OBJECT", - "description": "Location adjacent to an input object type definition.", + "name": "user", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "UserEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "INPUT_FIELD_DEFINITION", - "description": "Location adjacent to an input object field definition.", - "isDeprecated": false, - "deprecationReason": null - } - ], - "possibleTypes": null - }, - { - "kind": "SCALAR", - "name": "ToStringArrayNoNullable", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": null, - "possibleTypes": null - }, - { - "kind": "OBJECT", - "name": "EcsEdges", - "description": "", - "fields": [ + "name": "winlog", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "WinlogEcsFields", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, { - "name": "node", + "name": "process", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "ECS", "ofType": null } - }, + "type": { "kind": "OBJECT", "name": "ProcessEcsFields", "ofType": null }, "isDeprecated": false, "deprecationReason": null }, { - "name": "cursor", + "name": "file", "description": "", "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } - }, + "type": { "kind": "OBJECT", "name": "FileFields", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "system", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "SystemEcsField", "ofType": null }, "isDeprecated": false, "deprecationReason": null } @@ -11232,60 +7746,32 @@ }, { "kind": "OBJECT", - "name": "EventsTimelineData", + "name": "EcsEdges", "description": "", "fields": [ { - "name": "edges", - "description": "", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { - "kind": "LIST", - "name": null, - "ofType": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "OBJECT", "name": "EcsEdges", "ofType": null } - } - } - }, - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "totalCount", + "name": "node", "description": "", "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "ECS", "ofType": null } }, "isDeprecated": false, "deprecationReason": null }, { - "name": "pageInfo", + "name": "cursor", "description": "", "args": [], "type": { "kind": "NON_NULL", "name": null, - "ofType": { "kind": "OBJECT", "name": "PageInfo", "ofType": null } + "ofType": { "kind": "OBJECT", "name": "CursorType", "ofType": null } }, "isDeprecated": false, "deprecationReason": null - }, - { - "name": "inspect", - "description": "", - "args": [], - "type": { "kind": "OBJECT", "name": "Inspect", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null } ], "inputFields": null, @@ -11427,108 +7913,6 @@ "enumValues": null, "possibleTypes": null }, - { - "kind": "ENUM", - "name": "NetworkDirectionEcs", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { - "name": "inbound", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "outbound", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "internal", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "external", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "incoming", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "outgoing", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "listening", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { "name": "unknown", "description": "", "isDeprecated": false, "deprecationReason": null } - ], - "possibleTypes": null - }, - { - "kind": "ENUM", - "name": "NetworkHttpFields", - "description": "", - "fields": null, - "inputFields": null, - "interfaces": null, - "enumValues": [ - { - "name": "domains", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "lastHost", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "lastSourceIp", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "methods", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { "name": "path", "description": "", "isDeprecated": false, "deprecationReason": null }, - { - "name": "requestCount", - "description": "", - "isDeprecated": false, - "deprecationReason": null - }, - { - "name": "statuses", - "description": "", - "isDeprecated": false, - "deprecationReason": null - } - ], - "possibleTypes": null - }, { "kind": "SCALAR", "name": "ToIFieldSubTypeNonNullable", @@ -11666,6 +8050,39 @@ "enumValues": null, "possibleTypes": null }, + { + "kind": "INPUT_OBJECT", + "name": "PaginationInput", + "description": "", + "fields": null, + "inputFields": [ + { + "name": "limit", + "description": "The limit parameter allows you to configure the maximum amount of items to be returned", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null } + }, + "defaultValue": null + }, + { + "name": "cursor", + "description": "The cursor parameter defines the next result you want to fetch", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + }, + { + "name": "tiebreaker", + "description": "The tiebreaker parameter allow to be more precise to fetch the next item", + "type": { "kind": "SCALAR", "name": "String", "ofType": null }, + "defaultValue": null + } + ], + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, { "kind": "ENUM", "name": "FlowTarget", @@ -11686,6 +8103,24 @@ ], "possibleTypes": null }, + { + "kind": "ENUM", + "name": "FlowTargetSourceDest", + "description": "", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": [ + { + "name": "destination", + "description": "", + "isDeprecated": false, + "deprecationReason": null + }, + { "name": "source", "description": "", "isDeprecated": false, "deprecationReason": null } + ], + "possibleTypes": null + }, { "kind": "ENUM", "name": "FlowDirection", @@ -11709,6 +8144,64 @@ ], "possibleTypes": null }, + { + "kind": "INPUT_OBJECT", + "name": "SortField", + "description": "", + "fields": null, + "inputFields": [ + { + "name": "sortFieldId", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } + }, + "defaultValue": null + }, + { + "name": "direction", + "description": "", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { "kind": "ENUM", "name": "Direction", "ofType": null } + }, + "defaultValue": null + } + ], + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "PageInfo", + "description": "", + "fields": [ + { + "name": "endCursor", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "CursorType", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "hasNextPage", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "Boolean", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, { "kind": "INPUT_OBJECT", "name": "FavoriteTimelineInput", diff --git a/x-pack/plugins/security_solution/public/graphql/types.ts b/x-pack/plugins/security_solution/public/graphql/types.ts index 1083583cb133c..ae89beee8f160 100644 --- a/x-pack/plugins/security_solution/public/graphql/types.ts +++ b/x-pack/plugins/security_solution/public/graphql/types.ts @@ -40,53 +40,16 @@ export interface PaginationInputPaginated { querySize: number; } -export interface DocValueFieldsInput { - field: string; - - format: string; -} - -export interface PaginationInput { - /** The limit parameter allows you to configure the maximum amount of items to be returned */ - limit: number; - /** The cursor parameter defines the next result you want to fetch */ - cursor?: Maybe; - /** The tiebreaker parameter allow to be more precise to fetch the next item */ - tiebreaker?: Maybe; -} - -export interface SortField { - sortFieldId: string; - - direction: Direction; -} - -export interface LastTimeDetails { - hostName?: Maybe; - - ip?: Maybe; -} - export interface HostsSortField { field: HostsFields; direction: Direction; } -export interface NetworkTopTablesSortField { - field: NetworkTopTablesFields; - - direction: Direction; -} - -export interface NetworkDnsSortField { - field: NetworkDnsFields; - - direction: Direction; -} +export interface DocValueFieldsInput { + field: string; -export interface NetworkHttpSortField { - direction: Direction; + format: string; } export interface PageInfoTimeline { @@ -267,6 +230,21 @@ export interface SortTimelineInput { sortDirection?: Maybe; } +export interface PaginationInput { + /** The limit parameter allows you to configure the maximum amount of items to be returned */ + limit: number; + /** The cursor parameter defines the next result you want to fetch */ + cursor?: Maybe; + /** The tiebreaker parameter allow to be more precise to fetch the next item */ + tiebreaker?: Maybe; +} + +export interface SortField { + sortFieldId: string; + + direction: Direction; +} + export interface FavoriteTimelineInput { fullName?: Maybe; @@ -285,13 +263,6 @@ export enum Direction { desc = 'desc', } -export enum LastEventIndexKey { - hostDetails = 'hostDetails', - hosts = 'hosts', - ipDetails = 'ipDetails', - network = 'network', -} - export enum HostsFields { hostName = 'hostName', lastSeen = 'lastSeen', @@ -303,35 +274,6 @@ export enum HostPolicyResponseActionStatus { warning = 'warning', } -export enum HistogramType { - authentications = 'authentications', - anomalies = 'anomalies', - events = 'events', - alerts = 'alerts', - dns = 'dns', -} - -export enum FlowTargetSourceDest { - destination = 'destination', - source = 'source', -} - -export enum NetworkTopTablesFields { - bytes_in = 'bytes_in', - bytes_out = 'bytes_out', - flows = 'flows', - destination_ips = 'destination_ips', - source_ips = 'source_ips', -} - -export enum NetworkDnsFields { - dnsName = 'dnsName', - queryCount = 'queryCount', - uniqueDomains = 'uniqueDomains', - dnsBytesIn = 'dnsBytesIn', - dnsBytesOut = 'dnsBytesOut', -} - export enum DataProviderType { default = 'default', template = 'template', @@ -371,27 +313,6 @@ export enum SortFieldTimeline { created = 'created', } -export enum NetworkDirectionEcs { - inbound = 'inbound', - outbound = 'outbound', - internal = 'internal', - external = 'external', - incoming = 'incoming', - outgoing = 'outgoing', - listening = 'listening', - unknown = 'unknown', -} - -export enum NetworkHttpFields { - domains = 'domains', - lastHost = 'lastHost', - lastSourceIp = 'lastSourceIp', - methods = 'methods', - path = 'path', - requestCount = 'requestCount', - statuses = 'statuses', -} - export enum FlowTarget { client = 'client', destination = 'destination', @@ -399,6 +320,11 @@ export enum FlowTarget { source = 'source', } +export enum FlowTargetSourceDest { + destination = 'destination', + source = 'source', +} + export enum FlowDirection { uniDirectional = 'uniDirectional', biDirectional = 'biDirectional', @@ -408,17 +334,15 @@ export type ToStringArray = string[]; export type Date = string; -export type ToNumberArray = number[]; - -export type ToDateArray = string[]; +export type ToAny = any; -export type ToBooleanArray = boolean[]; +export type ToStringArrayNoNullable = any; -export type ToAny = any; +export type ToDateArray = string[]; -export type EsValue = any; +export type ToNumberArray = number[]; -export type ToStringArrayNoNullable = any; +export type ToBooleanArray = boolean[]; export type ToIFieldSubTypeNonNullable = any; @@ -509,38 +433,12 @@ export interface Source { configuration: SourceConfiguration; /** The status of the source */ status: SourceStatus; - /** Gets Authentication success and failures based on a timerange */ - Authentications: AuthenticationsData; - - Timeline: TimelineData; - - TimelineDetails: TimelineDetailsData; - - LastEventTime: LastEventTimeData; /** Gets Hosts based on timerange and specified criteria, or all events in the timerange if no criteria is specified */ Hosts: HostsData; HostOverview: HostItem; HostFirstLastSeen: FirstLastSeenHost; - - KpiNetwork?: Maybe; - - KpiHosts: KpiHostsData; - - KpiHostDetails: KpiHostDetailsData; - - MatrixHistogram: MatrixHistogramOverTimeData; - - NetworkTopCountries: NetworkTopCountriesData; - - NetworkTopNFlow: NetworkTopNFlowData; - - NetworkDns: NetworkDnsData; - - NetworkDnsHistogram: NetworkDsOverTimeData; - - NetworkHttp: NetworkHttpData; /** Just a simple example to get the app name */ whoAmI?: Maybe; } @@ -575,8 +473,8 @@ export interface SourceStatus { indexFields: string[]; } -export interface AuthenticationsData { - edges: AuthenticationsEdges[]; +export interface HostsData { + edges: HostsEdges[]; totalCount: number; @@ -585,84 +483,50 @@ export interface AuthenticationsData { inspect?: Maybe; } -export interface AuthenticationsEdges { - node: AuthenticationItem; +export interface HostsEdges { + node: HostItem; cursor: CursorType; } -export interface AuthenticationItem { - _id: string; +export interface HostItem { + _id?: Maybe; - failures: number; + cloud?: Maybe; - successes: number; + endpoint?: Maybe; - user: UserEcsFields; + host?: Maybe; - lastSuccess?: Maybe; + inspect?: Maybe; - lastFailure?: Maybe; + lastSeen?: Maybe; } -export interface UserEcsFields { - domain?: Maybe; - - id?: Maybe; - - name?: Maybe; - - full_name?: Maybe; +export interface CloudFields { + instance?: Maybe; - email?: Maybe; + machine?: Maybe; - hash?: Maybe; + provider?: Maybe<(Maybe)[]>; - group?: Maybe; + region?: Maybe<(Maybe)[]>; } -export interface LastSourceHost { - timestamp?: Maybe; - - source?: Maybe; - - host?: Maybe; +export interface CloudInstance { + id?: Maybe<(Maybe)[]>; } -export interface SourceEcsFields { - bytes?: Maybe; - - ip?: Maybe; - - port?: Maybe; - - domain?: Maybe; - - geo?: Maybe; - - packets?: Maybe; +export interface CloudMachine { + type?: Maybe<(Maybe)[]>; } -export interface GeoEcsFields { - city_name?: Maybe; - - continent_name?: Maybe; - - country_iso_code?: Maybe; - - country_name?: Maybe; - - location?: Maybe; - - region_iso_code?: Maybe; - - region_name?: Maybe; -} +export interface EndpointFields { + endpointPolicy?: Maybe; -export interface Location { - lon?: Maybe; + sensorVersion?: Maybe; - lat?: Maybe; + policyStatus?: Maybe; } export interface HostEcsFields { @@ -695,6 +559,12 @@ export interface OsEcsFields { kernel?: Maybe; } +export interface Inspect { + dsl: string[]; + + response: string[]; +} + export interface CursorType { value?: Maybe; @@ -709,196 +579,272 @@ export interface PageInfoPaginated { showMorePagesIndicator: boolean; } -export interface Inspect { - dsl: string[]; +export interface FirstLastSeenHost { + inspect?: Maybe; - response: string[]; + firstSeen?: Maybe; + + lastSeen?: Maybe; } -export interface TimelineData { - edges: TimelineEdges[]; +export interface SayMyName { + /** The id of the source */ + appName: string; +} - totalCount: number; +export interface TimelineResult { + columns?: Maybe; - pageInfo: PageInfo; + created?: Maybe; - inspect?: Maybe; -} + createdBy?: Maybe; -export interface TimelineEdges { - node: TimelineItem; + dataProviders?: Maybe; - cursor: CursorType; -} + dateRange?: Maybe; -export interface TimelineItem { - _id: string; + description?: Maybe; - _index?: Maybe; + eventIdToNoteIds?: Maybe; - data: TimelineNonEcsData[]; + eventType?: Maybe; - ecs: Ecs; -} + excludedRowRendererIds?: Maybe; -export interface TimelineNonEcsData { - field: string; + favorite?: Maybe; - value?: Maybe; -} + filters?: Maybe; -export interface Ecs { - _id: string; + kqlMode?: Maybe; - _index?: Maybe; + kqlQuery?: Maybe; - agent?: Maybe; + indexNames?: Maybe; - auditd?: Maybe; + notes?: Maybe; - destination?: Maybe; + noteIds?: Maybe; - dns?: Maybe; + pinnedEventIds?: Maybe; - endgame?: Maybe; + pinnedEventsSaveObject?: Maybe; - event?: Maybe; + savedQueryId?: Maybe; - geo?: Maybe; + savedObjectId: string; - host?: Maybe; + sort?: Maybe; - network?: Maybe; + status?: Maybe; - rule?: Maybe; + title?: Maybe; - signal?: Maybe; + templateTimelineId?: Maybe; - source?: Maybe; + templateTimelineVersion?: Maybe; - suricata?: Maybe; + timelineType?: Maybe; - tls?: Maybe; + updated?: Maybe; - zeek?: Maybe; + updatedBy?: Maybe; - http?: Maybe; + version: string; +} - url?: Maybe; +export interface ColumnHeaderResult { + aggregatable?: Maybe; - timestamp?: Maybe; + category?: Maybe; - message?: Maybe; + columnHeaderType?: Maybe; - user?: Maybe; + description?: Maybe; - winlog?: Maybe; + example?: Maybe; - process?: Maybe; + indexes?: Maybe; - file?: Maybe; + id?: Maybe; - system?: Maybe; -} + name?: Maybe; -export interface AgentEcsField { - type?: Maybe; + placeholder?: Maybe; + + searchable?: Maybe; + + type?: Maybe; } -export interface AuditdEcsFields { - result?: Maybe; +export interface DataProviderResult { + id?: Maybe; - session?: Maybe; + name?: Maybe; - data?: Maybe; + enabled?: Maybe; - summary?: Maybe; + excluded?: Maybe; - sequence?: Maybe; + kqlQuery?: Maybe; + + queryMatch?: Maybe; + + type?: Maybe; + + and?: Maybe; } -export interface AuditdData { - acct?: Maybe; +export interface QueryMatchResult { + field?: Maybe; - terminal?: Maybe; + displayField?: Maybe; - op?: Maybe; + value?: Maybe; + + displayValue?: Maybe; + + operator?: Maybe; } -export interface Summary { - actor?: Maybe; +export interface DateRangePickerResult { + start?: Maybe; - object?: Maybe; + end?: Maybe; +} - how?: Maybe; +export interface FavoriteTimelineResult { + fullName?: Maybe; - message_type?: Maybe; + userName?: Maybe; - sequence?: Maybe; + favoriteDate?: Maybe; } -export interface PrimarySecondary { - primary?: Maybe; +export interface FilterTimelineResult { + exists?: Maybe; - secondary?: Maybe; + meta?: Maybe; - type?: Maybe; + match_all?: Maybe; + + missing?: Maybe; + + query?: Maybe; + + range?: Maybe; + + script?: Maybe; } -export interface DestinationEcsFields { - bytes?: Maybe; +export interface FilterMetaTimelineResult { + alias?: Maybe; - ip?: Maybe; + controlledBy?: Maybe; - port?: Maybe; + disabled?: Maybe; - domain?: Maybe; + field?: Maybe; - geo?: Maybe; + formattedValue?: Maybe; - packets?: Maybe; + index?: Maybe; + + key?: Maybe; + + negate?: Maybe; + + params?: Maybe; + + type?: Maybe; + + value?: Maybe; } -export interface DnsEcsFields { - question?: Maybe; +export interface SerializedFilterQueryResult { + filterQuery?: Maybe; +} - resolved_ip?: Maybe; +export interface SerializedKueryQueryResult { + kuery?: Maybe; - response_code?: Maybe; + serializedQuery?: Maybe; } -export interface DnsQuestionData { - name?: Maybe; +export interface KueryFilterQueryResult { + kind?: Maybe; - type?: Maybe; + expression?: Maybe; } -export interface EndgameEcsFields { - exit_code?: Maybe; +export interface SortTimelineResult { + columnId?: Maybe; - file_name?: Maybe; + sortDirection?: Maybe; +} - file_path?: Maybe; +export interface ResponseTimelines { + timeline: (Maybe)[]; - logon_type?: Maybe; + totalCount?: Maybe; - parent_process_name?: Maybe; + defaultTimelineCount?: Maybe; - pid?: Maybe; + templateTimelineCount?: Maybe; - process_name?: Maybe; + elasticTemplateTimelineCount?: Maybe; - subject_domain_name?: Maybe; + customTemplateTimelineCount?: Maybe; - subject_logon_id?: Maybe; + favoriteCount?: Maybe; +} - subject_user_name?: Maybe; +export interface Mutation { + /** Persists a note */ + persistNote: ResponseNote; - target_domain_name?: Maybe; + deleteNote?: Maybe; - target_logon_id?: Maybe; + deleteNoteByTimelineId?: Maybe; + /** Persists a pinned event in a timeline */ + persistPinnedEventOnTimeline?: Maybe; + /** Remove a pinned events in a timeline */ + deletePinnedEventOnTimeline: boolean; + /** Remove all pinned events in a timeline */ + deleteAllPinnedEventsOnTimeline: boolean; + /** Persists a timeline */ + persistTimeline: ResponseTimeline; - target_user_name?: Maybe; + persistFavorite: ResponseFavoriteTimeline; + + deleteTimeline: boolean; +} + +export interface ResponseNote { + code?: Maybe; + + message?: Maybe; + + note: NoteResult; +} + +export interface ResponseTimeline { + code?: Maybe; + + message?: Maybe; + + timeline: TimelineResult; +} + +export interface ResponseFavoriteTimeline { + code?: Maybe; + + message?: Maybe; + + savedObjectId: string; + + version: string; + + favorite?: Maybe; } export interface EventEcsFields { @@ -941,110 +887,176 @@ export interface EventEcsFields { type?: Maybe; } -export interface NetworkEcsField { - bytes?: Maybe; +export interface Location { + lon?: Maybe; - community_id?: Maybe; + lat?: Maybe; +} - direction?: Maybe; +export interface GeoEcsFields { + city_name?: Maybe; - packets?: Maybe; + continent_name?: Maybe; - protocol?: Maybe; + country_iso_code?: Maybe; - transport?: Maybe; -} + country_name?: Maybe; -export interface RuleEcsField { - reference?: Maybe; + location?: Maybe; + + region_iso_code?: Maybe; + + region_name?: Maybe; } -export interface SignalField { - rule?: Maybe; +export interface PrimarySecondary { + primary?: Maybe; - original_time?: Maybe; + secondary?: Maybe; - status?: Maybe; + type?: Maybe; } -export interface RuleField { - id?: Maybe; +export interface Summary { + actor?: Maybe; - rule_id?: Maybe; + object?: Maybe; - false_positives: string[]; + how?: Maybe; - saved_id?: Maybe; + message_type?: Maybe; - timeline_id?: Maybe; + sequence?: Maybe; +} - timeline_title?: Maybe; +export interface AgentEcsField { + type?: Maybe; +} - max_signals?: Maybe; +export interface AuditdData { + acct?: Maybe; - risk_score?: Maybe; + terminal?: Maybe; - output_index?: Maybe; + op?: Maybe; +} - description?: Maybe; +export interface AuditdEcsFields { + result?: Maybe; - from?: Maybe; + session?: Maybe; - immutable?: Maybe; + data?: Maybe; - index?: Maybe; + summary?: Maybe; - interval?: Maybe; + sequence?: Maybe; +} - language?: Maybe; +export interface Thread { + id?: Maybe; - query?: Maybe; + start?: Maybe; +} - references?: Maybe; +export interface ProcessHashData { + md5?: Maybe; - severity?: Maybe; + sha1?: Maybe; - tags?: Maybe; + sha256?: Maybe; +} - threat?: Maybe; +export interface ProcessEcsFields { + hash?: Maybe; - type?: Maybe; + pid?: Maybe; - size?: Maybe; + name?: Maybe; - to?: Maybe; + ppid?: Maybe; - enabled?: Maybe; + args?: Maybe; - filters?: Maybe; + entity_id?: Maybe; - created_at?: Maybe; + executable?: Maybe; - updated_at?: Maybe; + title?: Maybe; - created_by?: Maybe; + thread?: Maybe; - updated_by?: Maybe; + working_directory?: Maybe; +} - version?: Maybe; +export interface SourceEcsFields { + bytes?: Maybe; - note?: Maybe; + ip?: Maybe; - threshold?: Maybe; + port?: Maybe; - exceptions_list?: Maybe; + domain?: Maybe; + + geo?: Maybe; + + packets?: Maybe; } -export interface SuricataEcsFields { - eve?: Maybe; +export interface DestinationEcsFields { + bytes?: Maybe; + + ip?: Maybe; + + port?: Maybe; + + domain?: Maybe; + + geo?: Maybe; + + packets?: Maybe; } -export interface SuricataEveData { - alert?: Maybe; +export interface DnsQuestionData { + name?: Maybe; - flow_id?: Maybe; + type?: Maybe; +} - proto?: Maybe; +export interface DnsEcsFields { + question?: Maybe; + + resolved_ip?: Maybe; + + response_code?: Maybe; +} + +export interface EndgameEcsFields { + exit_code?: Maybe; + + file_name?: Maybe; + + file_path?: Maybe; + + logon_type?: Maybe; + + parent_process_name?: Maybe; + + pid?: Maybe; + + process_name?: Maybe; + + subject_domain_name?: Maybe; + + subject_logon_id?: Maybe; + + subject_user_name?: Maybe; + + target_domain_name?: Maybe; + + target_logon_id?: Maybe; + + target_user_name?: Maybe; } export interface SuricataAlertData { @@ -1053,48 +1065,44 @@ export interface SuricataAlertData { signature_id?: Maybe; } -export interface TlsEcsFields { - client_certificate?: Maybe; +export interface SuricataEveData { + alert?: Maybe; - fingerprints?: Maybe; + flow_id?: Maybe; - server_certificate?: Maybe; + proto?: Maybe; } -export interface TlsClientCertificateData { - fingerprint?: Maybe; +export interface SuricataEcsFields { + eve?: Maybe; } -export interface FingerprintData { - sha1?: Maybe; +export interface TlsJa3Data { + hash?: Maybe; } -export interface TlsFingerprintsData { - ja3?: Maybe; +export interface FingerprintData { + sha1?: Maybe; } -export interface TlsJa3Data { - hash?: Maybe; +export interface TlsClientCertificateData { + fingerprint?: Maybe; } export interface TlsServerCertificateData { fingerprint?: Maybe; } -export interface ZeekEcsFields { - session_id?: Maybe; - - connection?: Maybe; - - notice?: Maybe; - - dns?: Maybe; +export interface TlsFingerprintsData { + ja3?: Maybe; +} - http?: Maybe; +export interface TlsEcsFields { + client_certificate?: Maybe; - files?: Maybe; + fingerprints?: Maybe; - ssl?: Maybe; + server_certificate?: Maybe; } export interface ZeekConnectionData { @@ -1149,6 +1157,38 @@ export interface ZeekDnsData { TC?: Maybe; } +export interface FileFields { + name?: Maybe; + + path?: Maybe; + + target_path?: Maybe; + + extension?: Maybe; + + type?: Maybe; + + device?: Maybe; + + inode?: Maybe; + + uid?: Maybe; + + owner?: Maybe; + + gid?: Maybe; + + group?: Maybe; + + mode?: Maybe; + + size?: Maybe; + + mtime?: Maybe; + + ctime?: Maybe; +} + export interface ZeekHttpData { resp_mime_types?: Maybe; @@ -1161,6 +1201,48 @@ export interface ZeekHttpData { tags?: Maybe; } +export interface HttpBodyData { + content?: Maybe; + + bytes?: Maybe; +} + +export interface HttpRequestData { + method?: Maybe; + + body?: Maybe; + + referrer?: Maybe; + + bytes?: Maybe; +} + +export interface HttpResponseData { + status_code?: Maybe; + + body?: Maybe; + + bytes?: Maybe; +} + +export interface HttpEcsFields { + version?: Maybe; + + request?: Maybe; + + response?: Maybe; +} + +export interface UrlEcsFields { + domain?: Maybe; + + original?: Maybe; + + username?: Maybe; + + password?: Maybe; +} + export interface ZeekFileData { session_ids?: Maybe; @@ -1209,128 +1291,54 @@ export interface ZeekSslData { version?: Maybe; } -export interface HttpEcsFields { - version?: Maybe; +export interface ZeekEcsFields { + session_id?: Maybe; - request?: Maybe; + connection?: Maybe; - response?: Maybe; -} + notice?: Maybe; -export interface HttpRequestData { - method?: Maybe; + dns?: Maybe; - body?: Maybe; + http?: Maybe; - referrer?: Maybe; + files?: Maybe; - bytes?: Maybe; + ssl?: Maybe; } -export interface HttpBodyData { - content?: Maybe; - - bytes?: Maybe; -} +export interface UserEcsFields { + domain?: Maybe; -export interface HttpResponseData { - status_code?: Maybe; + id?: Maybe; - body?: Maybe; + name?: Maybe; - bytes?: Maybe; -} + full_name?: Maybe; -export interface UrlEcsFields { - domain?: Maybe; + email?: Maybe; - original?: Maybe; + hash?: Maybe; - username?: Maybe; - - password?: Maybe; + group?: Maybe; } export interface WinlogEcsFields { event_id?: Maybe; } -export interface ProcessEcsFields { - hash?: Maybe; - - pid?: Maybe; - - name?: Maybe; - - ppid?: Maybe; - - args?: Maybe; - - entity_id?: Maybe; - - executable?: Maybe; - - title?: Maybe; - - thread?: Maybe; - - working_directory?: Maybe; -} - -export interface ProcessHashData { - md5?: Maybe; - - sha1?: Maybe; - - sha256?: Maybe; -} - -export interface Thread { - id?: Maybe; - - start?: Maybe; -} - -export interface FileFields { - name?: Maybe; - - path?: Maybe; - - target_path?: Maybe; - - extension?: Maybe; - - type?: Maybe; - - device?: Maybe; - - inode?: Maybe; - - uid?: Maybe; - - owner?: Maybe; - - gid?: Maybe; - - group?: Maybe; - - mode?: Maybe; - - size?: Maybe; +export interface NetworkEcsField { + bytes?: Maybe; - mtime?: Maybe; + community_id?: Maybe; - ctime?: Maybe; -} + direction?: Maybe; -export interface SystemEcsField { - audit?: Maybe; + packets?: Maybe; - auth?: Maybe; -} + protocol?: Maybe; -export interface AuditEcsFields { - package?: Maybe; + transport?: Maybe; } export interface PackageEcsFields { @@ -1347,8 +1355,8 @@ export interface PackageEcsFields { version?: Maybe; } -export interface AuthEcsFields { - ssh?: Maybe; +export interface AuditEcsFields { + package?: Maybe; } export interface SshEcsFields { @@ -1357,3188 +1365,760 @@ export interface SshEcsFields { signature?: Maybe; } -export interface PageInfo { - endCursor?: Maybe; - - hasNextPage?: Maybe; +export interface AuthEcsFields { + ssh?: Maybe; } -export interface TimelineDetailsData { - data?: Maybe; +export interface SystemEcsField { + audit?: Maybe; - inspect?: Maybe; + auth?: Maybe; } -export interface DetailItem { - field: string; - - values?: Maybe; - - originalValue?: Maybe; -} +export interface RuleField { + id?: Maybe; -export interface LastEventTimeData { - lastSeen?: Maybe; + rule_id?: Maybe; - inspect?: Maybe; -} + false_positives: string[]; -export interface HostsData { - edges: HostsEdges[]; + saved_id?: Maybe; - totalCount: number; + timeline_id?: Maybe; - pageInfo: PageInfoPaginated; + timeline_title?: Maybe; - inspect?: Maybe; -} + max_signals?: Maybe; -export interface HostsEdges { - node: HostItem; + risk_score?: Maybe; - cursor: CursorType; -} + output_index?: Maybe; -export interface HostItem { - _id?: Maybe; + description?: Maybe; - cloud?: Maybe; + from?: Maybe; - endpoint?: Maybe; + immutable?: Maybe; - host?: Maybe; + index?: Maybe; - inspect?: Maybe; + interval?: Maybe; - lastSeen?: Maybe; -} + language?: Maybe; -export interface CloudFields { - instance?: Maybe; + query?: Maybe; - machine?: Maybe; + references?: Maybe; - provider?: Maybe<(Maybe)[]>; + severity?: Maybe; - region?: Maybe<(Maybe)[]>; -} + tags?: Maybe; -export interface CloudInstance { - id?: Maybe<(Maybe)[]>; -} + threat?: Maybe; -export interface CloudMachine { - type?: Maybe<(Maybe)[]>; -} + type?: Maybe; -export interface EndpointFields { - endpointPolicy?: Maybe; + size?: Maybe; - sensorVersion?: Maybe; + to?: Maybe; - policyStatus?: Maybe; -} + enabled?: Maybe; -export interface FirstLastSeenHost { - inspect?: Maybe; + filters?: Maybe; - firstSeen?: Maybe; + created_at?: Maybe; - lastSeen?: Maybe; -} + updated_at?: Maybe; -export interface KpiNetworkData { - networkEvents?: Maybe; + created_by?: Maybe; - uniqueFlowId?: Maybe; + updated_by?: Maybe; - uniqueSourcePrivateIps?: Maybe; + version?: Maybe; - uniqueSourcePrivateIpsHistogram?: Maybe; + note?: Maybe; - uniqueDestinationPrivateIps?: Maybe; + threshold?: Maybe; - uniqueDestinationPrivateIpsHistogram?: Maybe; + exceptions_list?: Maybe; +} - dnsQueries?: Maybe; +export interface SignalField { + rule?: Maybe; - tlsHandshakes?: Maybe; + original_time?: Maybe; - inspect?: Maybe; + status?: Maybe; } -export interface KpiNetworkHistogramData { - x?: Maybe; - - y?: Maybe; +export interface RuleEcsField { + reference?: Maybe; } -export interface KpiHostsData { - hosts?: Maybe; - - hostsHistogram?: Maybe; - - authSuccess?: Maybe; - - authSuccessHistogram?: Maybe; - - authFailure?: Maybe; - - authFailureHistogram?: Maybe; - - uniqueSourceIps?: Maybe; +export interface Ecs { + _id: string; - uniqueSourceIpsHistogram?: Maybe; + _index?: Maybe; - uniqueDestinationIps?: Maybe; + agent?: Maybe; - uniqueDestinationIpsHistogram?: Maybe; + auditd?: Maybe; - inspect?: Maybe; -} + destination?: Maybe; -export interface KpiHostHistogramData { - x?: Maybe; + dns?: Maybe; - y?: Maybe; -} + endgame?: Maybe; -export interface KpiHostDetailsData { - authSuccess?: Maybe; + event?: Maybe; - authSuccessHistogram?: Maybe; + geo?: Maybe; - authFailure?: Maybe; + host?: Maybe; - authFailureHistogram?: Maybe; + network?: Maybe; - uniqueSourceIps?: Maybe; + rule?: Maybe; - uniqueSourceIpsHistogram?: Maybe; + signal?: Maybe; - uniqueDestinationIps?: Maybe; + source?: Maybe; - uniqueDestinationIpsHistogram?: Maybe; + suricata?: Maybe; - inspect?: Maybe; -} + tls?: Maybe; -export interface MatrixHistogramOverTimeData { - inspect?: Maybe; + zeek?: Maybe; - matrixHistogramData: MatrixOverTimeHistogramData[]; + http?: Maybe; - totalCount: number; -} + url?: Maybe; -export interface MatrixOverTimeHistogramData { - x?: Maybe; + timestamp?: Maybe; - y?: Maybe; + message?: Maybe; - g?: Maybe; -} + user?: Maybe; -export interface NetworkTopCountriesData { - edges: NetworkTopCountriesEdges[]; + winlog?: Maybe; - totalCount: number; + process?: Maybe; - pageInfo: PageInfoPaginated; + file?: Maybe; - inspect?: Maybe; + system?: Maybe; } -export interface NetworkTopCountriesEdges { - node: NetworkTopCountriesItem; +export interface EcsEdges { + node: Ecs; cursor: CursorType; } -export interface NetworkTopCountriesItem { - _id?: Maybe; - - source?: Maybe; - - destination?: Maybe; - - network?: Maybe; -} +export interface OsFields { + platform?: Maybe; -export interface TopCountriesItemSource { - country?: Maybe; + name?: Maybe; - destination_ips?: Maybe; + full?: Maybe; - flows?: Maybe; + family?: Maybe; - location?: Maybe; + version?: Maybe; - source_ips?: Maybe; + kernel?: Maybe; } -export interface GeoItem { - geo?: Maybe; +export interface HostFields { + architecture?: Maybe; - flowTarget?: Maybe; -} + id?: Maybe; -export interface TopCountriesItemDestination { - country?: Maybe; + ip?: Maybe<(Maybe)[]>; - destination_ips?: Maybe; + mac?: Maybe<(Maybe)[]>; - flows?: Maybe; + name?: Maybe; - location?: Maybe; + os?: Maybe; - source_ips?: Maybe; + type?: Maybe; } -export interface TopNetworkTablesEcsField { - bytes_in?: Maybe; - - bytes_out?: Maybe; -} - -export interface NetworkTopNFlowData { - edges: NetworkTopNFlowEdges[]; - - totalCount: number; +/** A descriptor of a field in an index */ +export interface IndexField { + /** Where the field belong */ + category: string; + /** Example of field's value */ + example?: Maybe; + /** whether the field's belong to an alias index */ + indexes: (Maybe)[]; + /** The name of the field */ + name: string; + /** The type of the field's values as recognized by Kibana */ + type: string; + /** Whether the field's values can be efficiently searched for */ + searchable: boolean; + /** Whether the field's values can be aggregated */ + aggregatable: boolean; + /** Description of the field */ + description?: Maybe; - pageInfo: PageInfoPaginated; + format?: Maybe; + /** the elastic type as mapped in the index */ + esTypes?: Maybe; - inspect?: Maybe; + subType?: Maybe; } -export interface NetworkTopNFlowEdges { - node: NetworkTopNFlowItem; +export interface PageInfo { + endCursor?: Maybe; - cursor: CursorType; + hasNextPage?: Maybe; } -export interface NetworkTopNFlowItem { - _id?: Maybe; - - source?: Maybe; - - destination?: Maybe; +// ==================================================== +// Arguments +// ==================================================== - network?: Maybe; +export interface GetNoteQueryArgs { + id: string; } - -export interface TopNFlowItemSource { - autonomous_system?: Maybe; - - domain?: Maybe; - - ip?: Maybe; - - location?: Maybe; - - flows?: Maybe; - - destination_ips?: Maybe; +export interface GetNotesByTimelineIdQueryArgs { + timelineId: string; } - -export interface AutonomousSystemItem { - name?: Maybe; - - number?: Maybe; +export interface GetNotesByEventIdQueryArgs { + eventId: string; } +export interface GetAllNotesQueryArgs { + pageInfo?: Maybe; -export interface TopNFlowItemDestination { - autonomous_system?: Maybe; - - domain?: Maybe; - - ip?: Maybe; - - location?: Maybe; - - flows?: Maybe; + search?: Maybe; - source_ips?: Maybe; + sort?: Maybe; } +export interface GetAllPinnedEventsByTimelineIdQueryArgs { + timelineId: string; +} +export interface SourceQueryArgs { + /** The id of the source */ + id: string; +} +export interface GetOneTimelineQueryArgs { + id: string; +} +export interface GetAllTimelineQueryArgs { + pageInfo: PageInfoTimeline; -export interface NetworkDnsData { - edges: NetworkDnsEdges[]; - - totalCount: number; - - pageInfo: PageInfoPaginated; + search?: Maybe; - inspect?: Maybe; + sort?: Maybe; - histogram?: Maybe; -} + onlyUserFavorite?: Maybe; -export interface NetworkDnsEdges { - node: NetworkDnsItem; + timelineType?: Maybe; - cursor: CursorType; + status?: Maybe; } +export interface HostsSourceArgs { + id?: Maybe; -export interface NetworkDnsItem { - _id?: Maybe; + timerange: TimerangeInput; - dnsBytesIn?: Maybe; + pagination: PaginationInputPaginated; - dnsBytesOut?: Maybe; + sort: HostsSortField; - dnsName?: Maybe; + filterQuery?: Maybe; - queryCount?: Maybe; + defaultIndex: string[]; - uniqueDomains?: Maybe; + docValueFields: DocValueFieldsInput[]; } +export interface HostOverviewSourceArgs { + id?: Maybe; -export interface MatrixOverOrdinalHistogramData { - x: string; + hostName: string; - y: number; + timerange: TimerangeInput; - g: string; + defaultIndex: string[]; } +export interface HostFirstLastSeenSourceArgs { + id?: Maybe; -export interface NetworkDsOverTimeData { - inspect?: Maybe; + hostName: string; - matrixHistogramData: MatrixOverTimeHistogramData[]; + defaultIndex: string[]; - totalCount: number; + docValueFields: DocValueFieldsInput[]; } - -export interface NetworkHttpData { - edges: NetworkHttpEdges[]; - - totalCount: number; - - pageInfo: PageInfoPaginated; - - inspect?: Maybe; +export interface IndicesExistSourceStatusArgs { + defaultIndex: string[]; } - -export interface NetworkHttpEdges { - node: NetworkHttpItem; - - cursor: CursorType; +export interface IndexFieldsSourceStatusArgs { + defaultIndex: string[]; } +export interface PersistNoteMutationArgs { + noteId?: Maybe; -export interface NetworkHttpItem { - _id?: Maybe; - - domains: string[]; - - lastHost?: Maybe; - - lastSourceIp?: Maybe; - - methods: string[]; - - path?: Maybe; - - requestCount?: Maybe; + version?: Maybe; - statuses: string[]; + note: NoteInput; } - -export interface SayMyName { - /** The id of the source */ - appName: string; +export interface DeleteNoteMutationArgs { + id: string[]; } +export interface DeleteNoteByTimelineIdMutationArgs { + timelineId: string; -export interface TimelineResult { - columns?: Maybe; - - created?: Maybe; - - createdBy?: Maybe; - - dataProviders?: Maybe; - - dateRange?: Maybe; - - description?: Maybe; - - eventIdToNoteIds?: Maybe; - - eventType?: Maybe; - - excludedRowRendererIds?: Maybe; - - favorite?: Maybe; - - filters?: Maybe; - - kqlMode?: Maybe; - - kqlQuery?: Maybe; - - indexNames?: Maybe; - - notes?: Maybe; - - noteIds?: Maybe; - - pinnedEventIds?: Maybe; - - pinnedEventsSaveObject?: Maybe; - - savedQueryId?: Maybe; - - savedObjectId: string; + version?: Maybe; +} +export interface PersistPinnedEventOnTimelineMutationArgs { + pinnedEventId?: Maybe; - sort?: Maybe; + eventId: string; - status?: Maybe; + timelineId?: Maybe; +} +export interface DeletePinnedEventOnTimelineMutationArgs { + id: string[]; +} +export interface DeleteAllPinnedEventsOnTimelineMutationArgs { + timelineId: string; +} +export interface PersistTimelineMutationArgs { + id?: Maybe; - title?: Maybe; + version?: Maybe; - templateTimelineId?: Maybe; + timeline: TimelineInput; +} +export interface PersistFavoriteMutationArgs { + timelineId?: Maybe; +} +export interface DeleteTimelineMutationArgs { + id: string[]; +} - templateTimelineVersion?: Maybe; +// ==================================================== +// Documents +// ==================================================== - timelineType?: Maybe; +export namespace GetHostOverviewQuery { + export type Variables = { + sourceId: string; + hostName: string; + timerange: TimerangeInput; + defaultIndex: string[]; + inspect: boolean; + }; - updated?: Maybe; + export type Query = { + __typename?: 'Query'; - updatedBy?: Maybe; + source: Source; + }; - version: string; -} + export type Source = { + __typename?: 'Source'; -export interface ColumnHeaderResult { - aggregatable?: Maybe; + id: string; - category?: Maybe; + HostOverview: HostOverview; + }; - columnHeaderType?: Maybe; + export type HostOverview = { + __typename?: 'HostItem'; - description?: Maybe; + _id: Maybe; - example?: Maybe; + host: Maybe; - indexes?: Maybe; + cloud: Maybe; - id?: Maybe; + inspect: Maybe; - name?: Maybe; + endpoint: Maybe; + }; - placeholder?: Maybe; + export type Host = { + __typename?: 'HostEcsFields'; - searchable?: Maybe; - - type?: Maybe; -} - -export interface DataProviderResult { - id?: Maybe; - - name?: Maybe; - - enabled?: Maybe; - - excluded?: Maybe; - - kqlQuery?: Maybe; - - queryMatch?: Maybe; - - type?: Maybe; - - and?: Maybe; -} - -export interface QueryMatchResult { - field?: Maybe; - - displayField?: Maybe; - - value?: Maybe; - - displayValue?: Maybe; - - operator?: Maybe; -} - -export interface DateRangePickerResult { - start?: Maybe; - - end?: Maybe; -} - -export interface FavoriteTimelineResult { - fullName?: Maybe; - - userName?: Maybe; - - favoriteDate?: Maybe; -} - -export interface FilterTimelineResult { - exists?: Maybe; - - meta?: Maybe; - - match_all?: Maybe; - - missing?: Maybe; - - query?: Maybe; - - range?: Maybe; - - script?: Maybe; -} - -export interface FilterMetaTimelineResult { - alias?: Maybe; - - controlledBy?: Maybe; - - disabled?: Maybe; - - field?: Maybe; - - formattedValue?: Maybe; - - index?: Maybe; - - key?: Maybe; - - negate?: Maybe; - - params?: Maybe; - - type?: Maybe; - - value?: Maybe; -} - -export interface SerializedFilterQueryResult { - filterQuery?: Maybe; -} - -export interface SerializedKueryQueryResult { - kuery?: Maybe; - - serializedQuery?: Maybe; -} - -export interface KueryFilterQueryResult { - kind?: Maybe; - - expression?: Maybe; -} - -export interface SortTimelineResult { - columnId?: Maybe; - - sortDirection?: Maybe; -} - -export interface ResponseTimelines { - timeline: (Maybe)[]; - - totalCount?: Maybe; - - defaultTimelineCount?: Maybe; - - templateTimelineCount?: Maybe; - - elasticTemplateTimelineCount?: Maybe; - - customTemplateTimelineCount?: Maybe; - - favoriteCount?: Maybe; -} - -export interface Mutation { - /** Persists a note */ - persistNote: ResponseNote; - - deleteNote?: Maybe; - - deleteNoteByTimelineId?: Maybe; - /** Persists a pinned event in a timeline */ - persistPinnedEventOnTimeline?: Maybe; - /** Remove a pinned events in a timeline */ - deletePinnedEventOnTimeline: boolean; - /** Remove all pinned events in a timeline */ - deleteAllPinnedEventsOnTimeline: boolean; - /** Persists a timeline */ - persistTimeline: ResponseTimeline; - - persistFavorite: ResponseFavoriteTimeline; - - deleteTimeline: boolean; -} - -export interface ResponseNote { - code?: Maybe; - - message?: Maybe; - - note: NoteResult; -} - -export interface ResponseTimeline { - code?: Maybe; - - message?: Maybe; - - timeline: TimelineResult; -} - -export interface ResponseFavoriteTimeline { - code?: Maybe; - - message?: Maybe; - - savedObjectId: string; - - version: string; - - favorite?: Maybe; -} - -export interface EcsEdges { - node: Ecs; - - cursor: CursorType; -} - -export interface EventsTimelineData { - edges: EcsEdges[]; - - totalCount: number; - - pageInfo: PageInfo; - - inspect?: Maybe; -} - -export interface OsFields { - platform?: Maybe; - - name?: Maybe; - - full?: Maybe; - - family?: Maybe; - - version?: Maybe; - - kernel?: Maybe; -} - -export interface HostFields { - architecture?: Maybe; - - id?: Maybe; - - ip?: Maybe<(Maybe)[]>; - - mac?: Maybe<(Maybe)[]>; - - name?: Maybe; - - os?: Maybe; - - type?: Maybe; -} - -/** A descriptor of a field in an index */ -export interface IndexField { - /** Where the field belong */ - category: string; - /** Example of field's value */ - example?: Maybe; - /** whether the field's belong to an alias index */ - indexes: (Maybe)[]; - /** The name of the field */ - name: string; - /** The type of the field's values as recognized by Kibana */ - type: string; - /** Whether the field's values can be efficiently searched for */ - searchable: boolean; - /** Whether the field's values can be aggregated */ - aggregatable: boolean; - /** Description of the field */ - description?: Maybe; - - format?: Maybe; - /** the elastic type as mapped in the index */ - esTypes?: Maybe; - - subType?: Maybe; -} - -// ==================================================== -// Arguments -// ==================================================== - -export interface GetNoteQueryArgs { - id: string; -} -export interface GetNotesByTimelineIdQueryArgs { - timelineId: string; -} -export interface GetNotesByEventIdQueryArgs { - eventId: string; -} -export interface GetAllNotesQueryArgs { - pageInfo?: Maybe; - - search?: Maybe; - - sort?: Maybe; -} -export interface GetAllPinnedEventsByTimelineIdQueryArgs { - timelineId: string; -} -export interface SourceQueryArgs { - /** The id of the source */ - id: string; -} -export interface GetOneTimelineQueryArgs { - id: string; -} -export interface GetAllTimelineQueryArgs { - pageInfo: PageInfoTimeline; - - search?: Maybe; - - sort?: Maybe; - - onlyUserFavorite?: Maybe; - - timelineType?: Maybe; - - status?: Maybe; -} -export interface AuthenticationsSourceArgs { - timerange: TimerangeInput; - - pagination: PaginationInputPaginated; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface TimelineSourceArgs { - pagination: PaginationInput; - - sortField: SortField; - - fieldRequested: string[]; - - timerange?: Maybe; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface TimelineDetailsSourceArgs { - eventId: string; - - indexName: string; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface LastEventTimeSourceArgs { - id?: Maybe; - - indexKey: LastEventIndexKey; - - details: LastTimeDetails; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface HostsSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - pagination: PaginationInputPaginated; - - sort: HostsSortField; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface HostOverviewSourceArgs { - id?: Maybe; - - hostName: string; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface HostFirstLastSeenSourceArgs { - id?: Maybe; - - hostName: string; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface KpiNetworkSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; -} -export interface KpiHostsSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; -} -export interface KpiHostDetailsSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; -} -export interface MatrixHistogramSourceArgs { - filterQuery?: Maybe; - - defaultIndex: string[]; - - timerange: TimerangeInput; - - stackByField: string; - - histogramType: HistogramType; -} -export interface NetworkTopCountriesSourceArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - flowTarget: FlowTargetSourceDest; - - pagination: PaginationInputPaginated; - - sort: NetworkTopTablesSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface NetworkTopNFlowSourceArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - flowTarget: FlowTargetSourceDest; - - pagination: PaginationInputPaginated; - - sort: NetworkTopTablesSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface NetworkDnsSourceArgs { - filterQuery?: Maybe; - - id?: Maybe; - - isPtrIncluded: boolean; - - pagination: PaginationInputPaginated; - - sort: NetworkDnsSortField; - - stackByField?: Maybe; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface NetworkDnsHistogramSourceArgs { - filterQuery?: Maybe; - - defaultIndex: string[]; - - timerange: TimerangeInput; - - stackByField?: Maybe; - - docValueFields: DocValueFieldsInput[]; -} -export interface NetworkHttpSourceArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - pagination: PaginationInputPaginated; - - sort: NetworkHttpSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface IndicesExistSourceStatusArgs { - defaultIndex: string[]; -} -export interface IndexFieldsSourceStatusArgs { - defaultIndex: string[]; -} -export interface PersistNoteMutationArgs { - noteId?: Maybe; - - version?: Maybe; - - note: NoteInput; -} -export interface DeleteNoteMutationArgs { - id: string[]; -} -export interface DeleteNoteByTimelineIdMutationArgs { - timelineId: string; - - version?: Maybe; -} -export interface PersistPinnedEventOnTimelineMutationArgs { - pinnedEventId?: Maybe; - - eventId: string; - - timelineId?: Maybe; -} -export interface DeletePinnedEventOnTimelineMutationArgs { - id: string[]; -} -export interface DeleteAllPinnedEventsOnTimelineMutationArgs { - timelineId: string; -} -export interface PersistTimelineMutationArgs { - id?: Maybe; - - version?: Maybe; - - timeline: TimelineInput; -} -export interface PersistFavoriteMutationArgs { - timelineId?: Maybe; -} -export interface DeleteTimelineMutationArgs { - id: string[]; -} - -// ==================================================== -// Documents -// ==================================================== - -export namespace GetLastEventTimeQuery { - export type Variables = { - sourceId: string; - indexKey: LastEventIndexKey; - details: LastTimeDetails; - defaultIndex: string[]; - docValueFields: DocValueFieldsInput[]; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - LastEventTime: LastEventTime; - }; - - export type LastEventTime = { - __typename?: 'LastEventTimeData'; - - lastSeen: Maybe; - }; -} - -export namespace GetMatrixHistogramQuery { - export type Variables = { - defaultIndex: string[]; - filterQuery?: Maybe; - histogramType: HistogramType; - inspect: boolean; - sourceId: string; - stackByField: string; - timerange: TimerangeInput; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - MatrixHistogram: MatrixHistogram; - }; - - export type MatrixHistogram = { - __typename?: 'MatrixHistogramOverTimeData'; - - matrixHistogramData: MatrixHistogramData[]; - - totalCount: number; - - inspect: Maybe; - }; - - export type MatrixHistogramData = { - __typename?: 'MatrixOverTimeHistogramData'; - - x: Maybe; - - y: Maybe; - - g: Maybe; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetAuthenticationsQuery { - export type Variables = { - sourceId: string; - timerange: TimerangeInput; - pagination: PaginationInputPaginated; - filterQuery?: Maybe; - defaultIndex: string[]; - inspect: boolean; - docValueFields: DocValueFieldsInput[]; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - Authentications: Authentications; - }; - - export type Authentications = { - __typename?: 'AuthenticationsData'; - - totalCount: number; - - edges: Edges[]; - - pageInfo: PageInfo; - - inspect: Maybe; - }; - - export type Edges = { - __typename?: 'AuthenticationsEdges'; - - node: Node; - - cursor: Cursor; - }; - - export type Node = { - __typename?: 'AuthenticationItem'; - - _id: string; - - failures: number; - - successes: number; - - user: User; - - lastSuccess: Maybe; - - lastFailure: Maybe; - }; - - export type User = { - __typename?: 'UserEcsFields'; - - name: Maybe; - }; - - export type LastSuccess = { - __typename?: 'LastSourceHost'; - - timestamp: Maybe; - - source: Maybe<_Source>; - - host: Maybe; - }; - - export type _Source = { - __typename?: 'SourceEcsFields'; - - ip: Maybe; - }; - - export type Host = { - __typename?: 'HostEcsFields'; - - id: Maybe; - - name: Maybe; - }; - - export type LastFailure = { - __typename?: 'LastSourceHost'; - - timestamp: Maybe; - - source: Maybe<__Source>; - - host: Maybe<_Host>; - }; - - export type __Source = { - __typename?: 'SourceEcsFields'; - - ip: Maybe; - }; - - export type _Host = { - __typename?: 'HostEcsFields'; - - id: Maybe; - - name: Maybe; - }; - - export type Cursor = { - __typename?: 'CursorType'; - - value: Maybe; - }; - - export type PageInfo = { - __typename?: 'PageInfoPaginated'; - - activePage: number; - - fakeTotalCount: number; - - showMorePagesIndicator: boolean; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetHostOverviewQuery { - export type Variables = { - sourceId: string; - hostName: string; - timerange: TimerangeInput; - defaultIndex: string[]; - inspect: boolean; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - HostOverview: HostOverview; - }; - - export type HostOverview = { - __typename?: 'HostItem'; - - _id: Maybe; - - host: Maybe; - - cloud: Maybe; - - inspect: Maybe; - - endpoint: Maybe; - }; - - export type Host = { - __typename?: 'HostEcsFields'; - - architecture: Maybe; - - id: Maybe; - - ip: Maybe; - - mac: Maybe; - - name: Maybe; - - os: Maybe; - - type: Maybe; - }; - - export type Os = { - __typename?: 'OsEcsFields'; - - family: Maybe; - - name: Maybe; - - platform: Maybe; - - version: Maybe; - }; - - export type Cloud = { - __typename?: 'CloudFields'; - - instance: Maybe; - - machine: Maybe; - - provider: Maybe<(Maybe)[]>; - - region: Maybe<(Maybe)[]>; - }; - - export type Instance = { - __typename?: 'CloudInstance'; - - id: Maybe<(Maybe)[]>; - }; - - export type Machine = { - __typename?: 'CloudMachine'; - - type: Maybe<(Maybe)[]>; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; - - export type Endpoint = { - __typename?: 'EndpointFields'; - - endpointPolicy: Maybe; - - policyStatus: Maybe; - - sensorVersion: Maybe; - }; -} - -export namespace GetHostFirstLastSeenQuery { - export type Variables = { - sourceId: string; - hostName: string; - defaultIndex: string[]; - docValueFields: DocValueFieldsInput[]; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - HostFirstLastSeen: HostFirstLastSeen; - }; - - export type HostFirstLastSeen = { - __typename?: 'FirstLastSeenHost'; - - firstSeen: Maybe; - - lastSeen: Maybe; - }; -} - -export namespace GetHostsTableQuery { - export type Variables = { - sourceId: string; - timerange: TimerangeInput; - pagination: PaginationInputPaginated; - sort: HostsSortField; - filterQuery?: Maybe; - defaultIndex: string[]; - inspect: boolean; - docValueFields: DocValueFieldsInput[]; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - Hosts: Hosts; - }; - - export type Hosts = { - __typename?: 'HostsData'; - - totalCount: number; - - edges: Edges[]; - - pageInfo: PageInfo; - - inspect: Maybe; - }; - - export type Edges = { - __typename?: 'HostsEdges'; - - node: Node; - - cursor: Cursor; - }; - - export type Node = { - __typename?: 'HostItem'; - - _id: Maybe; - - lastSeen: Maybe; - - host: Maybe; - }; - - export type Host = { - __typename?: 'HostEcsFields'; - - id: Maybe; - - name: Maybe; - - os: Maybe; - }; - - export type Os = { - __typename?: 'OsEcsFields'; - - name: Maybe; - - version: Maybe; - }; - - export type Cursor = { - __typename?: 'CursorType'; - - value: Maybe; - }; - - export type PageInfo = { - __typename?: 'PageInfoPaginated'; - - activePage: number; - - fakeTotalCount: number; - - showMorePagesIndicator: boolean; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetKpiHostDetailsQuery { - export type Variables = { - sourceId: string; - timerange: TimerangeInput; - filterQuery?: Maybe; - defaultIndex: string[]; - inspect: boolean; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - KpiHostDetails: KpiHostDetails; - }; - - export type KpiHostDetails = { - __typename?: 'KpiHostDetailsData'; - - authSuccess: Maybe; - - authSuccessHistogram: Maybe; - - authFailure: Maybe; - - authFailureHistogram: Maybe; - - uniqueSourceIps: Maybe; - - uniqueSourceIpsHistogram: Maybe; - - uniqueDestinationIps: Maybe; - - uniqueDestinationIpsHistogram: Maybe; - - inspect: Maybe; - }; - - export type AuthSuccessHistogram = KpiHostDetailsChartFields.Fragment; - - export type AuthFailureHistogram = KpiHostDetailsChartFields.Fragment; - - export type UniqueSourceIpsHistogram = KpiHostDetailsChartFields.Fragment; - - export type UniqueDestinationIpsHistogram = KpiHostDetailsChartFields.Fragment; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetKpiHostsQuery { - export type Variables = { - sourceId: string; - timerange: TimerangeInput; - filterQuery?: Maybe; - defaultIndex: string[]; - inspect: boolean; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - KpiHosts: KpiHosts; - }; - - export type KpiHosts = { - __typename?: 'KpiHostsData'; - - hosts: Maybe; - - hostsHistogram: Maybe; - - authSuccess: Maybe; - - authSuccessHistogram: Maybe; - - authFailure: Maybe; - - authFailureHistogram: Maybe; - - uniqueSourceIps: Maybe; - - uniqueSourceIpsHistogram: Maybe; - - uniqueDestinationIps: Maybe; - - uniqueDestinationIpsHistogram: Maybe; - - inspect: Maybe; - }; - - export type HostsHistogram = KpiHostChartFields.Fragment; - - export type AuthSuccessHistogram = KpiHostChartFields.Fragment; - - export type AuthFailureHistogram = KpiHostChartFields.Fragment; - - export type UniqueSourceIpsHistogram = KpiHostChartFields.Fragment; - - export type UniqueDestinationIpsHistogram = KpiHostChartFields.Fragment; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetKpiNetworkQuery { - export type Variables = { - sourceId: string; - timerange: TimerangeInput; - filterQuery?: Maybe; - defaultIndex: string[]; - inspect: boolean; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - KpiNetwork: Maybe; - }; - - export type KpiNetwork = { - __typename?: 'KpiNetworkData'; - - networkEvents: Maybe; - - uniqueFlowId: Maybe; - - uniqueSourcePrivateIps: Maybe; - - uniqueSourcePrivateIpsHistogram: Maybe; - - uniqueDestinationPrivateIps: Maybe; - - uniqueDestinationPrivateIpsHistogram: Maybe; - - dnsQueries: Maybe; - - tlsHandshakes: Maybe; - - inspect: Maybe; - }; - - export type UniqueSourcePrivateIpsHistogram = KpiNetworkChartFields.Fragment; - - export type UniqueDestinationPrivateIpsHistogram = KpiNetworkChartFields.Fragment; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetNetworkDnsQuery { - export type Variables = { - defaultIndex: string[]; - filterQuery?: Maybe; - inspect: boolean; - isPtrIncluded: boolean; - pagination: PaginationInputPaginated; - sort: NetworkDnsSortField; - sourceId: string; - stackByField?: Maybe; - timerange: TimerangeInput; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - NetworkDns: NetworkDns; - }; - - export type NetworkDns = { - __typename?: 'NetworkDnsData'; - - totalCount: number; - - edges: Edges[]; - - pageInfo: PageInfo; - - inspect: Maybe; - }; - - export type Edges = { - __typename?: 'NetworkDnsEdges'; - - node: Node; - - cursor: Cursor; - }; - - export type Node = { - __typename?: 'NetworkDnsItem'; - - _id: Maybe; - - dnsBytesIn: Maybe; - - dnsBytesOut: Maybe; - - dnsName: Maybe; - - queryCount: Maybe; - - uniqueDomains: Maybe; - }; - - export type Cursor = { - __typename?: 'CursorType'; - - value: Maybe; - }; - - export type PageInfo = { - __typename?: 'PageInfoPaginated'; - - activePage: number; - - fakeTotalCount: number; - - showMorePagesIndicator: boolean; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetNetworkHttpQuery { - export type Variables = { - sourceId: string; - ip?: Maybe; - filterQuery?: Maybe; - pagination: PaginationInputPaginated; - sort: NetworkHttpSortField; - timerange: TimerangeInput; - defaultIndex: string[]; - inspect: boolean; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - NetworkHttp: NetworkHttp; - }; - - export type NetworkHttp = { - __typename?: 'NetworkHttpData'; - - totalCount: number; - - edges: Edges[]; - - pageInfo: PageInfo; - - inspect: Maybe; - }; - - export type Edges = { - __typename?: 'NetworkHttpEdges'; - - node: Node; - - cursor: Cursor; - }; - - export type Node = { - __typename?: 'NetworkHttpItem'; - - domains: string[]; - - lastHost: Maybe; - - lastSourceIp: Maybe; - - methods: string[]; - - path: Maybe; - - requestCount: Maybe; - - statuses: string[]; - }; - - export type Cursor = { - __typename?: 'CursorType'; - - value: Maybe; - }; - - export type PageInfo = { - __typename?: 'PageInfoPaginated'; - - activePage: number; - - fakeTotalCount: number; - - showMorePagesIndicator: boolean; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetNetworkTopCountriesQuery { - export type Variables = { - sourceId: string; - ip?: Maybe; - filterQuery?: Maybe; - pagination: PaginationInputPaginated; - sort: NetworkTopTablesSortField; - flowTarget: FlowTargetSourceDest; - timerange: TimerangeInput; - defaultIndex: string[]; - inspect: boolean; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - NetworkTopCountries: NetworkTopCountries; - }; - - export type NetworkTopCountries = { - __typename?: 'NetworkTopCountriesData'; - - totalCount: number; - - edges: Edges[]; - - pageInfo: PageInfo; - - inspect: Maybe; - }; - - export type Edges = { - __typename?: 'NetworkTopCountriesEdges'; - - node: Node; - - cursor: Cursor; - }; - - export type Node = { - __typename?: 'NetworkTopCountriesItem'; - - source: Maybe<_Source>; - - destination: Maybe; - - network: Maybe; - }; - - export type _Source = { - __typename?: 'TopCountriesItemSource'; - - country: Maybe; - - destination_ips: Maybe; - - flows: Maybe; - - source_ips: Maybe; - }; - - export type Destination = { - __typename?: 'TopCountriesItemDestination'; - - country: Maybe; - - destination_ips: Maybe; - - flows: Maybe; - - source_ips: Maybe; - }; - - export type Network = { - __typename?: 'TopNetworkTablesEcsField'; - - bytes_in: Maybe; - - bytes_out: Maybe; - }; - - export type Cursor = { - __typename?: 'CursorType'; - - value: Maybe; - }; - - export type PageInfo = { - __typename?: 'PageInfoPaginated'; - - activePage: number; - - fakeTotalCount: number; - - showMorePagesIndicator: boolean; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetNetworkTopNFlowQuery { - export type Variables = { - sourceId: string; - ip?: Maybe; - filterQuery?: Maybe; - pagination: PaginationInputPaginated; - sort: NetworkTopTablesSortField; - flowTarget: FlowTargetSourceDest; - timerange: TimerangeInput; - defaultIndex: string[]; - inspect: boolean; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - NetworkTopNFlow: NetworkTopNFlow; - }; - - export type NetworkTopNFlow = { - __typename?: 'NetworkTopNFlowData'; - - totalCount: number; - - edges: Edges[]; - - pageInfo: PageInfo; - - inspect: Maybe; - }; - - export type Edges = { - __typename?: 'NetworkTopNFlowEdges'; - - node: Node; - - cursor: Cursor; - }; - - export type Node = { - __typename?: 'NetworkTopNFlowItem'; - - source: Maybe<_Source>; - - destination: Maybe; - - network: Maybe; - }; - - export type _Source = { - __typename?: 'TopNFlowItemSource'; - - autonomous_system: Maybe; - - domain: Maybe; - - ip: Maybe; - - location: Maybe; - - flows: Maybe; - - destination_ips: Maybe; - }; - - export type AutonomousSystem = { - __typename?: 'AutonomousSystemItem'; - - name: Maybe; - - number: Maybe; - }; - - export type Location = { - __typename?: 'GeoItem'; - - geo: Maybe; - - flowTarget: Maybe; - }; - - export type Geo = { - __typename?: 'GeoEcsFields'; - - continent_name: Maybe; - - country_name: Maybe; - - country_iso_code: Maybe; - - city_name: Maybe; - - region_iso_code: Maybe; - - region_name: Maybe; - }; - - export type Destination = { - __typename?: 'TopNFlowItemDestination'; - - autonomous_system: Maybe<_AutonomousSystem>; - - domain: Maybe; - - ip: Maybe; - - location: Maybe<_Location>; - - flows: Maybe; - - source_ips: Maybe; - }; - - export type _AutonomousSystem = { - __typename?: 'AutonomousSystemItem'; - - name: Maybe; - - number: Maybe; - }; - - export type _Location = { - __typename?: 'GeoItem'; - - geo: Maybe<_Geo>; - - flowTarget: Maybe; - }; - - export type _Geo = { - __typename?: 'GeoEcsFields'; - - continent_name: Maybe; - - country_name: Maybe; - - country_iso_code: Maybe; - - city_name: Maybe; - - region_iso_code: Maybe; - - region_name: Maybe; - }; - - export type Network = { - __typename?: 'TopNetworkTablesEcsField'; - - bytes_in: Maybe; - - bytes_out: Maybe; - }; - - export type Cursor = { - __typename?: 'CursorType'; - - value: Maybe; - }; - - export type PageInfo = { - __typename?: 'PageInfoPaginated'; - - activePage: number; - - fakeTotalCount: number; - - showMorePagesIndicator: boolean; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; -} - -export namespace GetAllTimeline { - export type Variables = { - pageInfo: PageInfoTimeline; - search?: Maybe; - sort?: Maybe; - onlyUserFavorite?: Maybe; - timelineType?: Maybe; - status?: Maybe; - }; - - export type Query = { - __typename?: 'Query'; - - getAllTimeline: GetAllTimeline; - }; - - export type GetAllTimeline = { - __typename?: 'ResponseTimelines'; - - totalCount: Maybe; - - defaultTimelineCount: Maybe; - - templateTimelineCount: Maybe; - - elasticTemplateTimelineCount: Maybe; - - customTemplateTimelineCount: Maybe; - - favoriteCount: Maybe; - - timeline: (Maybe)[]; - }; - - export type Timeline = { - __typename?: 'TimelineResult'; - - savedObjectId: string; - - description: Maybe; - - favorite: Maybe; - - eventIdToNoteIds: Maybe; - - excludedRowRendererIds: Maybe; - - notes: Maybe; - - noteIds: Maybe; - - pinnedEventIds: Maybe; - - status: Maybe; - - title: Maybe; - - timelineType: Maybe; - - templateTimelineId: Maybe; - - templateTimelineVersion: Maybe; - - created: Maybe; - - createdBy: Maybe; - - updated: Maybe; - - updatedBy: Maybe; - - version: string; - }; - - export type Favorite = { - __typename?: 'FavoriteTimelineResult'; - - fullName: Maybe; - - userName: Maybe; - - favoriteDate: Maybe; - }; - - export type EventIdToNoteIds = { - __typename?: 'NoteResult'; - - eventId: Maybe; - - note: Maybe; - - timelineId: Maybe; - - noteId: string; - - created: Maybe; - - createdBy: Maybe; - - timelineVersion: Maybe; - - updated: Maybe; - - updatedBy: Maybe; - - version: Maybe; - }; - - export type Notes = { - __typename?: 'NoteResult'; - - eventId: Maybe; - - note: Maybe; - - timelineId: Maybe; - - timelineVersion: Maybe; - - noteId: string; - - created: Maybe; - - createdBy: Maybe; - - updated: Maybe; - - updatedBy: Maybe; - - version: Maybe; - }; -} - -export namespace DeleteTimelineMutation { - export type Variables = { - id: string[]; - }; - - export type Mutation = { - __typename?: 'Mutation'; - - deleteTimeline: boolean; - }; -} - -export namespace GetTimelineDetailsQuery { - export type Variables = { - sourceId: string; - eventId: string; - indexName: string; - defaultIndex: string[]; - docValueFields: DocValueFieldsInput[]; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - TimelineDetails: TimelineDetails; - }; - - export type TimelineDetails = { - __typename?: 'TimelineDetailsData'; - - data: Maybe; - }; - - export type Data = { - __typename?: 'DetailItem'; - - field: string; - - values: Maybe; - - originalValue: Maybe; - }; -} - -export namespace PersistTimelineFavoriteMutation { - export type Variables = { - timelineId?: Maybe; - }; - - export type Mutation = { - __typename?: 'Mutation'; - - persistFavorite: PersistFavorite; - }; - - export type PersistFavorite = { - __typename?: 'ResponseFavoriteTimeline'; - - savedObjectId: string; - - version: string; - - favorite: Maybe; - }; - - export type Favorite = { - __typename?: 'FavoriteTimelineResult'; - - fullName: Maybe; - - userName: Maybe; - - favoriteDate: Maybe; - }; -} - -export namespace GetTimelineQuery { - export type Variables = { - sourceId: string; - fieldRequested: string[]; - pagination: PaginationInput; - sortField: SortField; - filterQuery?: Maybe; - defaultIndex: string[]; - inspect: boolean; - docValueFields: DocValueFieldsInput[]; - timerange: TimerangeInput; - }; - - export type Query = { - __typename?: 'Query'; - - source: Source; - }; - - export type Source = { - __typename?: 'Source'; - - id: string; - - Timeline: Timeline; - }; - - export type Timeline = { - __typename?: 'TimelineData'; - - totalCount: number; - - inspect: Maybe; - - pageInfo: PageInfo; - - edges: Edges[]; - }; - - export type Inspect = { - __typename?: 'Inspect'; - - dsl: string[]; - - response: string[]; - }; - - export type PageInfo = { - __typename?: 'PageInfo'; - - endCursor: Maybe; - - hasNextPage: Maybe; - }; - - export type EndCursor = { - __typename?: 'CursorType'; - - value: Maybe; - - tiebreaker: Maybe; - }; - - export type Edges = { - __typename?: 'TimelineEdges'; - - node: Node; - }; - - export type Node = { - __typename?: 'TimelineItem'; - - _id: string; - - _index: Maybe; - - data: Data[]; - - ecs: Ecs; - }; - - export type Data = { - __typename?: 'TimelineNonEcsData'; - - field: string; - - value: Maybe; - }; - - export type Ecs = { - __typename?: 'ECS'; - - _id: string; - - _index: Maybe; - - timestamp: Maybe; - - message: Maybe; - - system: Maybe; - - event: Maybe; - - agent: Maybe; - - auditd: Maybe; - - file: Maybe; - - host: Maybe; - - rule: Maybe; - - source: Maybe<_Source>; - - destination: Maybe; - - dns: Maybe; - - endgame: Maybe; - - geo: Maybe<__Geo>; - - signal: Maybe; - - suricata: Maybe; - - network: Maybe; - - http: Maybe; - - tls: Maybe; - - url: Maybe; - - user: Maybe; - - winlog: Maybe; - - process: Maybe; - - zeek: Maybe; - }; - - export type System = { - __typename?: 'SystemEcsField'; - - auth: Maybe; - - audit: Maybe; - }; - - export type Auth = { - __typename?: 'AuthEcsFields'; - - ssh: Maybe; - }; - - export type Ssh = { - __typename?: 'SshEcsFields'; - - signature: Maybe; - - method: Maybe; - }; - - export type Audit = { - __typename?: 'AuditEcsFields'; - - package: Maybe; - }; - - export type Package = { - __typename?: 'PackageEcsFields'; - - arch: Maybe; - - entity_id: Maybe; - - name: Maybe; - - size: Maybe; - - summary: Maybe; - - version: Maybe; - }; - - export type Event = { - __typename?: 'EventEcsFields'; - - action: Maybe; - - category: Maybe; - - code: Maybe; - - created: Maybe; - - dataset: Maybe; - - duration: Maybe; - - end: Maybe; - - hash: Maybe; - - id: Maybe; - - kind: Maybe; - - module: Maybe; - - original: Maybe; - - outcome: Maybe; - - risk_score: Maybe; - - risk_score_norm: Maybe; - - severity: Maybe; - - start: Maybe; - - timezone: Maybe; - - type: Maybe; - }; - - export type Agent = { - __typename?: 'AgentEcsField'; - - type: Maybe; - }; - - export type Auditd = { - __typename?: 'AuditdEcsFields'; - - result: Maybe; - - session: Maybe; - - data: Maybe<_Data>; - - summary: Maybe; - }; - - export type _Data = { - __typename?: 'AuditdData'; - - acct: Maybe; - - terminal: Maybe; - - op: Maybe; - }; - - export type Summary = { - __typename?: 'Summary'; - - actor: Maybe; - - object: Maybe; - - how: Maybe; - - message_type: Maybe; - - sequence: Maybe; - }; - - export type Actor = { - __typename?: 'PrimarySecondary'; - - primary: Maybe; - - secondary: Maybe; - }; - - export type Object = { - __typename?: 'PrimarySecondary'; - - primary: Maybe; - - secondary: Maybe; - - type: Maybe; - }; - - export type File = { - __typename?: 'FileFields'; - - name: Maybe; - - path: Maybe; - - target_path: Maybe; - - extension: Maybe; - - type: Maybe; - - device: Maybe; - - inode: Maybe; - - uid: Maybe; - - owner: Maybe; - - gid: Maybe; - - group: Maybe; - - mode: Maybe; - - size: Maybe; - - mtime: Maybe; - - ctime: Maybe; - }; - - export type Host = { - __typename?: 'HostEcsFields'; - - id: Maybe; - - name: Maybe; - - ip: Maybe; - }; - - export type Rule = { - __typename?: 'RuleEcsField'; - - reference: Maybe; - }; - - export type _Source = { - __typename?: 'SourceEcsFields'; - - bytes: Maybe; - - ip: Maybe; - - packets: Maybe; - - port: Maybe; - - geo: Maybe; - }; - - export type Geo = { - __typename?: 'GeoEcsFields'; - - continent_name: Maybe; - - country_name: Maybe; - - country_iso_code: Maybe; - - city_name: Maybe; - - region_iso_code: Maybe; - - region_name: Maybe; - }; - - export type Destination = { - __typename?: 'DestinationEcsFields'; - - bytes: Maybe; - - ip: Maybe; - - packets: Maybe; - - port: Maybe; - - geo: Maybe<_Geo>; - }; - - export type _Geo = { - __typename?: 'GeoEcsFields'; - - continent_name: Maybe; - - country_name: Maybe; - - country_iso_code: Maybe; - - city_name: Maybe; - - region_iso_code: Maybe; - - region_name: Maybe; - }; - - export type Dns = { - __typename?: 'DnsEcsFields'; - - question: Maybe; - - resolved_ip: Maybe; - - response_code: Maybe; - }; - - export type Question = { - __typename?: 'DnsQuestionData'; - - name: Maybe; - - type: Maybe; - }; - - export type Endgame = { - __typename?: 'EndgameEcsFields'; - - exit_code: Maybe; - - file_name: Maybe; - - file_path: Maybe; - - logon_type: Maybe; - - parent_process_name: Maybe; - - pid: Maybe; - - process_name: Maybe; - - subject_domain_name: Maybe; - - subject_logon_id: Maybe; - - subject_user_name: Maybe; - - target_domain_name: Maybe; - - target_logon_id: Maybe; - - target_user_name: Maybe; - }; - - export type __Geo = { - __typename?: 'GeoEcsFields'; - - region_name: Maybe; - - country_iso_code: Maybe; - }; - - export type Signal = { - __typename?: 'SignalField'; - - status: Maybe; - - original_time: Maybe; - - rule: Maybe<_Rule>; - }; - - export type _Rule = { - __typename?: 'RuleField'; + architecture: Maybe; id: Maybe; - saved_id: Maybe; - - timeline_id: Maybe; + ip: Maybe; - timeline_title: Maybe; + mac: Maybe; - output_index: Maybe; + name: Maybe; - from: Maybe; + os: Maybe; - index: Maybe; + type: Maybe; + }; - language: Maybe; + export type Os = { + __typename?: 'OsEcsFields'; - query: Maybe; + family: Maybe; - to: Maybe; + name: Maybe; - filters: Maybe; + platform: Maybe; - note: Maybe; + version: Maybe; + }; - type: Maybe; + export type Cloud = { + __typename?: 'CloudFields'; - threshold: Maybe; + instance: Maybe; - exceptions_list: Maybe; - }; + machine: Maybe; - export type Suricata = { - __typename?: 'SuricataEcsFields'; + provider: Maybe<(Maybe)[]>; - eve: Maybe; + region: Maybe<(Maybe)[]>; }; - export type Eve = { - __typename?: 'SuricataEveData'; + export type Instance = { + __typename?: 'CloudInstance'; - proto: Maybe; + id: Maybe<(Maybe)[]>; + }; - flow_id: Maybe; + export type Machine = { + __typename?: 'CloudMachine'; - alert: Maybe; + type: Maybe<(Maybe)[]>; }; - export type Alert = { - __typename?: 'SuricataAlertData'; + export type Inspect = { + __typename?: 'Inspect'; - signature: Maybe; + dsl: string[]; - signature_id: Maybe; + response: string[]; }; - export type Network = { - __typename?: 'NetworkEcsField'; + export type Endpoint = { + __typename?: 'EndpointFields'; - bytes: Maybe; + endpointPolicy: Maybe; - community_id: Maybe; + policyStatus: Maybe; - direction: Maybe; + sensorVersion: Maybe; + }; +} - packets: Maybe; +export namespace GetHostFirstLastSeenQuery { + export type Variables = { + sourceId: string; + hostName: string; + defaultIndex: string[]; + docValueFields: DocValueFieldsInput[]; + }; - protocol: Maybe; + export type Query = { + __typename?: 'Query'; - transport: Maybe; + source: Source; }; - export type Http = { - __typename?: 'HttpEcsFields'; - - version: Maybe; + export type Source = { + __typename?: 'Source'; - request: Maybe; + id: string; - response: Maybe; + HostFirstLastSeen: HostFirstLastSeen; }; - export type Request = { - __typename?: 'HttpRequestData'; - - method: Maybe; + export type HostFirstLastSeen = { + __typename?: 'FirstLastSeenHost'; - body: Maybe; + firstSeen: Maybe; - referrer: Maybe; + lastSeen: Maybe; }; +} - export type Body = { - __typename?: 'HttpBodyData'; +export namespace GetHostsTableQuery { + export type Variables = { + sourceId: string; + timerange: TimerangeInput; + pagination: PaginationInputPaginated; + sort: HostsSortField; + filterQuery?: Maybe; + defaultIndex: string[]; + inspect: boolean; + docValueFields: DocValueFieldsInput[]; + }; - bytes: Maybe; + export type Query = { + __typename?: 'Query'; - content: Maybe; + source: Source; }; - export type Response = { - __typename?: 'HttpResponseData'; + export type Source = { + __typename?: 'Source'; - status_code: Maybe; + id: string; - body: Maybe<_Body>; + Hosts: Hosts; }; - export type _Body = { - __typename?: 'HttpBodyData'; + export type Hosts = { + __typename?: 'HostsData'; - bytes: Maybe; + totalCount: number; - content: Maybe; - }; + edges: Edges[]; + + pageInfo: PageInfo; - export type Tls = { - __typename?: 'TlsEcsFields'; + inspect: Maybe; + }; - client_certificate: Maybe; + export type Edges = { + __typename?: 'HostsEdges'; - fingerprints: Maybe; + node: Node; - server_certificate: Maybe; + cursor: Cursor; }; - export type ClientCertificate = { - __typename?: 'TlsClientCertificateData'; + export type Node = { + __typename?: 'HostItem'; - fingerprint: Maybe; - }; + _id: Maybe; - export type Fingerprint = { - __typename?: 'FingerprintData'; + lastSeen: Maybe; - sha1: Maybe; + host: Maybe; }; - export type Fingerprints = { - __typename?: 'TlsFingerprintsData'; + export type Host = { + __typename?: 'HostEcsFields'; - ja3: Maybe; - }; + id: Maybe; - export type Ja3 = { - __typename?: 'TlsJa3Data'; + name: Maybe; - hash: Maybe; + os: Maybe; }; - export type ServerCertificate = { - __typename?: 'TlsServerCertificateData'; + export type Os = { + __typename?: 'OsEcsFields'; + + name: Maybe; - fingerprint: Maybe<_Fingerprint>; + version: Maybe; }; - export type _Fingerprint = { - __typename?: 'FingerprintData'; + export type Cursor = { + __typename?: 'CursorType'; - sha1: Maybe; + value: Maybe; }; - export type Url = { - __typename?: 'UrlEcsFields'; - - original: Maybe; + export type PageInfo = { + __typename?: 'PageInfoPaginated'; - domain: Maybe; + activePage: number; - username: Maybe; + fakeTotalCount: number; - password: Maybe; + showMorePagesIndicator: boolean; }; - export type User = { - __typename?: 'UserEcsFields'; + export type Inspect = { + __typename?: 'Inspect'; - domain: Maybe; + dsl: string[]; - name: Maybe; + response: string[]; }; +} - export type Winlog = { - __typename?: 'WinlogEcsFields'; - - event_id: Maybe; +export namespace GetAllTimeline { + export type Variables = { + pageInfo: PageInfoTimeline; + search?: Maybe; + sort?: Maybe; + onlyUserFavorite?: Maybe; + timelineType?: Maybe; + status?: Maybe; }; - export type Process = { - __typename?: 'ProcessEcsFields'; + export type Query = { + __typename?: 'Query'; - hash: Maybe; + getAllTimeline: GetAllTimeline; + }; - pid: Maybe; + export type GetAllTimeline = { + __typename?: 'ResponseTimelines'; - name: Maybe; + totalCount: Maybe; - ppid: Maybe; + defaultTimelineCount: Maybe; - args: Maybe; + templateTimelineCount: Maybe; - entity_id: Maybe; + elasticTemplateTimelineCount: Maybe; - executable: Maybe; + customTemplateTimelineCount: Maybe; - title: Maybe; + favoriteCount: Maybe; - working_directory: Maybe; + timeline: (Maybe)[]; }; - export type Hash = { - __typename?: 'ProcessHashData'; - - md5: Maybe; - - sha1: Maybe; - - sha256: Maybe; - }; + export type Timeline = { + __typename?: 'TimelineResult'; - export type Zeek = { - __typename?: 'ZeekEcsFields'; + savedObjectId: string; - session_id: Maybe; + description: Maybe; - connection: Maybe; + favorite: Maybe; - notice: Maybe; + eventIdToNoteIds: Maybe; - dns: Maybe<_Dns>; + excludedRowRendererIds: Maybe; - http: Maybe<_Http>; + notes: Maybe; - files: Maybe; + noteIds: Maybe; - ssl: Maybe; - }; + pinnedEventIds: Maybe; - export type Connection = { - __typename?: 'ZeekConnectionData'; + status: Maybe; - local_resp: Maybe; + title: Maybe; - local_orig: Maybe; + timelineType: Maybe; - missed_bytes: Maybe; + templateTimelineId: Maybe; - state: Maybe; + templateTimelineVersion: Maybe; - history: Maybe; - }; + created: Maybe; - export type Notice = { - __typename?: 'ZeekNoticeData'; + createdBy: Maybe; - suppress_for: Maybe; + updated: Maybe; - msg: Maybe; + updatedBy: Maybe; - note: Maybe; + version: string; + }; - sub: Maybe; + export type Favorite = { + __typename?: 'FavoriteTimelineResult'; - dst: Maybe; + fullName: Maybe; - dropped: Maybe; + userName: Maybe; - peer_descr: Maybe; + favoriteDate: Maybe; }; - export type _Dns = { - __typename?: 'ZeekDnsData'; - - AA: Maybe; + export type EventIdToNoteIds = { + __typename?: 'NoteResult'; - qclass_name: Maybe; + eventId: Maybe; - RD: Maybe; + note: Maybe; - qtype_name: Maybe; + timelineId: Maybe; - rejected: Maybe; + noteId: string; - qtype: Maybe; + created: Maybe; - query: Maybe; + createdBy: Maybe; - trans_id: Maybe; + timelineVersion: Maybe; - qclass: Maybe; + updated: Maybe; - RA: Maybe; + updatedBy: Maybe; - TC: Maybe; + version: Maybe; }; - export type _Http = { - __typename?: 'ZeekHttpData'; - - resp_mime_types: Maybe; - - trans_depth: Maybe; - - status_msg: Maybe; - - resp_fuids: Maybe; + export type Notes = { + __typename?: 'NoteResult'; - tags: Maybe; - }; + eventId: Maybe; - export type Files = { - __typename?: 'ZeekFileData'; + note: Maybe; - session_ids: Maybe; + timelineId: Maybe; - timedout: Maybe; + timelineVersion: Maybe; - local_orig: Maybe; + noteId: string; - tx_host: Maybe; + created: Maybe; - source: Maybe; + createdBy: Maybe; - is_orig: Maybe; + updated: Maybe; - overflow_bytes: Maybe; + updatedBy: Maybe; - sha1: Maybe; + version: Maybe; + }; +} - duration: Maybe; +export namespace DeleteTimelineMutation { + export type Variables = { + id: string[]; + }; - depth: Maybe; + export type Mutation = { + __typename?: 'Mutation'; - analyzers: Maybe; + deleteTimeline: boolean; + }; +} - mime_type: Maybe; +export namespace PersistTimelineFavoriteMutation { + export type Variables = { + timelineId?: Maybe; + }; - rx_host: Maybe; + export type Mutation = { + __typename?: 'Mutation'; - total_bytes: Maybe; + persistFavorite: PersistFavorite; + }; - fuid: Maybe; + export type PersistFavorite = { + __typename?: 'ResponseFavoriteTimeline'; - seen_bytes: Maybe; + savedObjectId: string; - missing_bytes: Maybe; + version: string; - md5: Maybe; + favorite: Maybe; }; - export type Ssl = { - __typename?: 'ZeekSslData'; - - cipher: Maybe; + export type Favorite = { + __typename?: 'FavoriteTimelineResult'; - established: Maybe; + fullName: Maybe; - resumed: Maybe; + userName: Maybe; - version: Maybe; + favoriteDate: Maybe; }; } @@ -5199,33 +2779,3 @@ export namespace PersistTimelinePinnedEventMutation { version: Maybe; }; } - -export namespace KpiHostDetailsChartFields { - export type Fragment = { - __typename?: 'KpiHostHistogramData'; - - x: Maybe; - - y: Maybe; - }; -} - -export namespace KpiHostChartFields { - export type Fragment = { - __typename?: 'KpiHostHistogramData'; - - x: Maybe; - - y: Maybe; - }; -} - -export namespace KpiNetworkChartFields { - export type Fragment = { - __typename?: 'KpiNetworkHistogramData'; - - x: Maybe; - - y: Maybe; - }; -} diff --git a/x-pack/plugins/security_solution/public/hosts/containers/authentications/index.gql_query.ts b/x-pack/plugins/security_solution/public/hosts/containers/authentications/index.gql_query.ts deleted file mode 100644 index c68816b34c175..0000000000000 --- a/x-pack/plugins/security_solution/public/hosts/containers/authentications/index.gql_query.ts +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const authenticationsQuery = gql` - query GetAuthenticationsQuery( - $sourceId: ID! - $timerange: TimerangeInput! - $pagination: PaginationInputPaginated! - $filterQuery: String - $defaultIndex: [String!]! - $inspect: Boolean! - $docValueFields: [docValueFieldsInput!]! - ) { - source(id: $sourceId) { - id - Authentications( - timerange: $timerange - pagination: $pagination - filterQuery: $filterQuery - defaultIndex: $defaultIndex - docValueFields: $docValueFields - ) { - totalCount - edges { - node { - _id - failures - successes - user { - name - } - lastSuccess { - timestamp - source { - ip - } - host { - id - name - } - } - lastFailure { - timestamp - source { - ip - } - host { - id - name - } - } - } - cursor { - value - } - } - pageInfo { - activePage - fakeTotalCount - showMorePagesIndicator - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.gql_query.tsx b/x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.gql_query.tsx deleted file mode 100644 index 077f49c4bdfa6..0000000000000 --- a/x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.gql_query.tsx +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const kpiHostDetailsQuery = gql` - fragment KpiHostDetailsChartFields on KpiHostHistogramData { - x - y - } - - query GetKpiHostDetailsQuery( - $sourceId: ID! - $timerange: TimerangeInput! - $filterQuery: String - $defaultIndex: [String!]! - $inspect: Boolean! - ) { - source(id: $sourceId) { - id - KpiHostDetails( - timerange: $timerange - filterQuery: $filterQuery - defaultIndex: $defaultIndex - ) { - authSuccess - authSuccessHistogram { - ...KpiHostDetailsChartFields - } - authFailure - authFailureHistogram { - ...KpiHostDetailsChartFields - } - uniqueSourceIps - uniqueSourceIpsHistogram { - ...KpiHostDetailsChartFields - } - uniqueDestinationIps - uniqueDestinationIpsHistogram { - ...KpiHostDetailsChartFields - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.tsx b/x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.tsx deleted file mode 100644 index 26e4eaf9ea82e..0000000000000 --- a/x-pack/plugins/security_solution/public/hosts/containers/kpi_host_details/index.tsx +++ /dev/null @@ -1,93 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { getOr } from 'lodash/fp'; -import React from 'react'; -import { Query } from 'react-apollo'; -import { connect, ConnectedProps } from 'react-redux'; - -import { KpiHostDetailsData, GetKpiHostDetailsQuery } from '../../../graphql/types'; -import { inputsModel, inputsSelectors, State } from '../../../common/store'; -import { createFilter, getDefaultFetchPolicy } from '../../../common/containers/helpers'; -import { QueryTemplateProps } from '../../../common/containers/query_template'; - -import { kpiHostDetailsQuery } from './index.gql_query'; - -const ID = 'kpiHostDetailsQuery'; - -export interface KpiHostDetailsArgs { - id: string; - inspect: inputsModel.InspectQuery; - kpiHostDetails: KpiHostDetailsData; - loading: boolean; - refetch: inputsModel.Refetch; -} - -export interface QueryKpiHostDetailsProps extends QueryTemplateProps { - children: (args: KpiHostDetailsArgs) => React.ReactNode; -} - -const KpiHostDetailsComponentQuery = React.memo( - ({ - id = ID, - children, - endDate, - filterQuery, - indexNames, - isInspected, - skip, - sourceId, - startDate, - }) => ( - - query={kpiHostDetailsQuery} - fetchPolicy={getDefaultFetchPolicy()} - notifyOnNetworkStatusChange - skip={skip} - variables={{ - sourceId, - timerange: { - interval: '12h', - from: startDate!, - to: endDate!, - }, - filterQuery: createFilter(filterQuery), - defaultIndex: indexNames ?? [], - inspect: isInspected, - }} - > - {({ data, loading, refetch }) => { - const kpiHostDetails = getOr({}, `source.KpiHostDetails`, data); - return children({ - id, - inspect: getOr(null, 'source.KpiHostDetails.inspect', data), - kpiHostDetails, - loading, - refetch, - }); - }} - - ) -); - -KpiHostDetailsComponentQuery.displayName = 'KpiHostDetailsComponentQuery'; - -const makeMapStateToProps = () => { - const getQuery = inputsSelectors.globalQueryByIdSelector(); - const mapStateToProps = (state: State, { id = ID }: QueryKpiHostDetailsProps) => { - const { isInspected } = getQuery(state, id); - return { - isInspected, - }; - }; - return mapStateToProps; -}; - -const connector = connect(makeMapStateToProps); - -type PropsFromRedux = ConnectedProps; - -export const KpiHostDetailsQuery = connector(KpiHostDetailsComponentQuery); diff --git a/x-pack/plugins/security_solution/public/hosts/containers/kpi_hosts/index.gql_query.ts b/x-pack/plugins/security_solution/public/hosts/containers/kpi_hosts/index.gql_query.ts deleted file mode 100644 index 37d54455db1fd..0000000000000 --- a/x-pack/plugins/security_solution/public/hosts/containers/kpi_hosts/index.gql_query.ts +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const kpiHostsQuery = gql` - fragment KpiHostChartFields on KpiHostHistogramData { - x - y - } - - query GetKpiHostsQuery( - $sourceId: ID! - $timerange: TimerangeInput! - $filterQuery: String - $defaultIndex: [String!]! - $inspect: Boolean! - ) { - source(id: $sourceId) { - id - KpiHosts(timerange: $timerange, filterQuery: $filterQuery, defaultIndex: $defaultIndex) { - hosts - hostsHistogram { - ...KpiHostChartFields - } - authSuccess - authSuccessHistogram { - ...KpiHostChartFields - } - authFailure - authFailureHistogram { - ...KpiHostChartFields - } - uniqueSourceIps - uniqueSourceIpsHistogram { - ...KpiHostChartFields - } - uniqueDestinationIps - uniqueDestinationIpsHistogram { - ...KpiHostChartFields - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx index 55b2b529000be..a8b46769b7363 100644 --- a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx @@ -9,7 +9,7 @@ import { noop } from 'lodash/fp'; import React, { useEffect, useCallback, useMemo } from 'react'; import { connect, ConnectedProps } from 'react-redux'; -import { HostItem } from '../../../../common/search_strategy'; +import { HostItem, LastEventIndexKey } from '../../../../common/search_strategy'; import { SecurityPageName } from '../../../app/types'; import { UpdateDateRange } from '../../../common/components/charts/common'; import { FiltersGlobal } from '../../../common/components/filters_global'; @@ -28,7 +28,6 @@ import { SiemSearchBar } from '../../../common/components/search_bar'; import { WrapperPage } from '../../../common/components/wrapper_page'; import { HostOverviewByNameQuery } from '../../containers/hosts/details'; import { useGlobalTime } from '../../../common/containers/use_global_time'; -import { LastEventIndexKey } from '../../../graphql/types'; import { useKibana } from '../../../common/lib/kibana'; import { convertToBuildEsQuery } from '../../../common/lib/keury'; import { inputsSelectors, State } from '../../../common/store'; diff --git a/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx b/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx index ea8cf11e7595a..4835f7eff5b6f 100644 --- a/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx +++ b/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx @@ -23,7 +23,7 @@ import { WrapperPage } from '../../common/components/wrapper_page'; import { useFullScreen } from '../../common/containers/use_full_screen'; import { useGlobalTime } from '../../common/containers/use_global_time'; import { TimelineId } from '../../../common/types/timeline'; -import { LastEventIndexKey } from '../../graphql/types'; +import { LastEventIndexKey } from '../../../common/search_strategy'; import { useKibana } from '../../common/lib/kibana'; import { convertToBuildEsQuery } from '../../common/lib/keury'; import { inputsSelectors, State } from '../../common/store'; diff --git a/x-pack/plugins/security_solution/public/network/components/direction/index.tsx b/x-pack/plugins/security_solution/public/network/components/direction/index.tsx index c8e8f009339c1..7fbc4c5e3c6df 100644 --- a/x-pack/plugins/security_solution/public/network/components/direction/index.tsx +++ b/x-pack/plugins/security_solution/public/network/components/direction/index.tsx @@ -6,7 +6,7 @@ import React from 'react'; -import { NetworkDirectionEcs } from '../../../graphql/types'; +import { NetworkDirectionEcs } from '../../../../common/search_strategy'; import { DraggableBadge } from '../../../common/components/draggables'; import { NETWORK_DIRECTION_FIELD_NAME } from '../source_destination/field_names'; diff --git a/x-pack/plugins/security_solution/public/network/components/network_dns_table/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/network/components/network_dns_table/__snapshots__/index.test.tsx.snap index a70ee66a5552e..0119859d37672 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_dns_table/__snapshots__/index.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/network/components/network_dns_table/__snapshots__/index.test.tsx.snap @@ -1,7 +1,7 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`NetworkTopNFlow Table Component rendering it renders the default NetworkTopNFlow table 1`] = ` - { const wrapper = shallow( ); - expect(wrapper.find('Connect(NetworkDnsTableComponent)')).toMatchSnapshot(); + expect(wrapper.find('Memo(NetworkDnsTableComponent)')).toMatchSnapshot(); }); }); @@ -81,18 +77,14 @@ describe('NetworkTopNFlow Table Component', () => { diff --git a/x-pack/plugins/security_solution/public/network/components/network_dns_table/index.tsx b/x-pack/plugins/security_solution/public/network/components/network_dns_table/index.tsx index ce5c05db34c5e..fa7690e9eeaff 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_dns_table/index.tsx +++ b/x-pack/plugins/security_solution/public/network/components/network_dns_table/index.tsx @@ -5,17 +5,16 @@ */ import React, { useCallback, useMemo } from 'react'; -import { connect, ConnectedProps } from 'react-redux'; +import { useDispatch, useSelector, shallowEqual } from 'react-redux'; import deepEqual from 'fast-deep-equal'; import { networkActions, networkModel, networkSelectors } from '../../store'; import { Direction, + SortField, NetworkDnsEdges, NetworkDnsFields, - NetworkDnsSortField, -} from '../../../graphql/types'; -import { State } from '../../../common/store'; +} from '../../../../common/search_strategy'; import { Criteria, ItemsPerRow, PaginatedTable } from '../../../common/components/paginated_table'; import { getNetworkDnsColumns } from './columns'; @@ -24,7 +23,7 @@ import * as i18n from './translations'; const tableType = networkModel.NetworkTableType.dns; -interface OwnProps { +interface NetworkDnsTableProps { data: NetworkDnsEdges[]; fakeTotalCount: number; id: string; @@ -36,8 +35,6 @@ interface OwnProps { type: networkModel.NetworkType; } -type NetworkDnsTableProps = OwnProps & PropsFromRedux; - const rowItems: ItemsPerRow[] = [ { text: i18n.ROWS_5, @@ -49,121 +46,122 @@ const rowItems: ItemsPerRow[] = [ }, ]; -export const NetworkDnsTableComponent = React.memo( - ({ - activePage, - data, - fakeTotalCount, - id, - isInspect, - isPtrIncluded, - limit, - loading, - loadPage, - showMorePagesIndicator, - sort, - totalCount, - type, - updateNetworkTable, - }) => { - const updateLimitPagination = useCallback( - (newLimit) => - updateNetworkTable({ +const NetworkDnsTableComponent: React.FC = ({ + data, + fakeTotalCount, + id, + isInspect, + loading, + loadPage, + showMorePagesIndicator, + totalCount, + type, +}) => { + const dispatch = useDispatch(); + const getNetworkDnsSelector = networkSelectors.dnsSelector(); + const { activePage, isPtrIncluded, limit, sort } = useSelector( + getNetworkDnsSelector, + shallowEqual + ); + const updateLimitPagination = useCallback( + (newLimit) => + dispatch( + networkActions.updateNetworkTable({ networkType: type, tableType, updates: { limit: newLimit }, - }), - [type, updateNetworkTable] - ); - - const updateActivePage = useCallback( - (newPage) => - updateNetworkTable({ + }) + ), + [type, dispatch] + ); + + const updateActivePage = useCallback( + (newPage) => + dispatch( + networkActions.updateNetworkTable({ networkType: type, tableType, updates: { activePage: newPage }, - }), - [type, updateNetworkTable] - ); - - const onChange = useCallback( - (criteria: Criteria) => { - if (criteria.sort != null) { - const newDnsSortField: NetworkDnsSortField = { - field: criteria.sort.field.split('.')[1] as NetworkDnsFields, - direction: criteria.sort.direction as Direction, - }; - if (!deepEqual(newDnsSortField, sort)) { - updateNetworkTable({ + }) + ), + [dispatch, type] + ); + + const onChange = useCallback( + (criteria: Criteria) => { + if (criteria.sort != null) { + const newDnsSortField: SortField = { + field: criteria.sort.field.split('.')[1] as NetworkDnsFields, + direction: criteria.sort.direction as Direction, + }; + if (!deepEqual(newDnsSortField, sort)) { + dispatch( + networkActions.updateNetworkTable({ networkType: type, tableType, updates: { sort: newDnsSortField }, - }); - } + }) + ); } - }, - [sort, type, updateNetworkTable] - ); - - const onChangePtrIncluded = useCallback( - () => - updateNetworkTable({ + } + }, + [sort, type, dispatch] + ); + + const onChangePtrIncluded = useCallback( + () => + dispatch( + networkActions.updateNetworkTable({ networkType: type, tableType, updates: { isPtrIncluded: !isPtrIncluded }, - }), - [type, updateNetworkTable, isPtrIncluded] - ); - - const columns = useMemo(() => getNetworkDnsColumns(), []); - - return ( - - } - headerTitle={i18n.TOP_DNS_DOMAINS} - headerTooltip={i18n.TOOLTIP} - headerUnit={i18n.UNIT(totalCount)} - id={id} - itemsPerRow={rowItems} - isInspect={isInspect} - limit={limit} - loading={loading} - loadPage={loadPage} - onChange={onChange} - pageOfItems={data} - showMorePagesIndicator={showMorePagesIndicator} - sorting={{ - field: `node.${sort.field}`, - direction: sort.direction, - }} - totalCount={fakeTotalCount} - updateActivePage={updateActivePage} - updateLimitPagination={updateLimitPagination} - /> - ); - } -); - -NetworkDnsTableComponent.displayName = 'NetworkDnsTableComponent'; - -const makeMapStateToProps = () => { - const getNetworkDnsSelector = networkSelectors.dnsSelector(); - const mapStateToProps = (state: State) => getNetworkDnsSelector(state); - return mapStateToProps; -}; - -const mapDispatchToProps = { - updateNetworkTable: networkActions.updateNetworkTable, + }) + ), + [dispatch, type, isPtrIncluded] + ); + + const columns = useMemo(() => getNetworkDnsColumns(), []); + + const sorting = useMemo( + () => ({ + field: `node.${sort.field}`, + direction: sort.direction, + }), + [sort.direction, sort.field] + ); + + const HeaderSupplement = useMemo( + () => , + [isPtrIncluded, onChangePtrIncluded] + ); + + return ( + + ); }; -const connector = connect(makeMapStateToProps, mapDispatchToProps); - -type PropsFromRedux = ConnectedProps; +NetworkDnsTableComponent.displayName = 'NetworkDnsTableComponent'; -export const NetworkDnsTable = connector(NetworkDnsTableComponent); +export const NetworkDnsTable = React.memo(NetworkDnsTableComponent); diff --git a/x-pack/plugins/security_solution/public/network/components/network_dns_table/mock.ts b/x-pack/plugins/security_solution/public/network/components/network_dns_table/mock.ts index d094256fa4026..faeee4800d8a8 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_dns_table/mock.ts +++ b/x-pack/plugins/security_solution/public/network/components/network_dns_table/mock.ts @@ -4,179 +4,178 @@ * you may not use this file except in compliance with the Elastic License. */ -import { NetworkDnsData } from '../../../graphql/types'; +import { NetworkDnsStrategyResponse } from '../../../../common/search_strategy'; -export const mockData: { NetworkDns: NetworkDnsData } = { - NetworkDns: { - totalCount: 80, - edges: [ - { - node: { - _id: 'nflxvideo.net', - dnsBytesIn: 2964, - dnsBytesOut: 12546, - dnsName: 'nflxvideo.net', - queryCount: 52, - uniqueDomains: 21, - }, - cursor: { value: 'nflxvideo.net' }, - }, - { - node: { - _id: 'apple.com', - dnsBytesIn: 2680, - dnsBytesOut: 31687, - dnsName: 'apple.com', - queryCount: 75, - uniqueDomains: 20, - }, - cursor: { value: 'apple.com' }, - }, - { - node: { - _id: 'googlevideo.com', - dnsBytesIn: 1890, - dnsBytesOut: 16292, - dnsName: 'googlevideo.com', - queryCount: 38, - uniqueDomains: 19, - }, - cursor: { value: 'googlevideo.com' }, - }, - { - node: { - _id: 'netflix.com', - dnsBytesIn: 60525, - dnsBytesOut: 218193, - dnsName: 'netflix.com', - queryCount: 1532, - uniqueDomains: 12, - }, - cursor: { value: 'netflix.com' }, - }, - { - node: { - _id: 'samsungcloudsolution.com', - dnsBytesIn: 1480, - dnsBytesOut: 11702, - dnsName: 'samsungcloudsolution.com', - queryCount: 31, - uniqueDomains: 8, - }, - cursor: { value: 'samsungcloudsolution.com' }, - }, - { - node: { - _id: 'doubleclick.net', - dnsBytesIn: 1505, - dnsBytesOut: 14372, - dnsName: 'doubleclick.net', - queryCount: 35, - uniqueDomains: 7, - }, - cursor: { value: 'doubleclick.net' }, - }, - { - node: { - _id: 'digitalocean.com', - dnsBytesIn: 2035, - dnsBytesOut: 4111, - dnsName: 'digitalocean.com', - queryCount: 35, - uniqueDomains: 6, - }, - cursor: { value: 'digitalocean.com' }, - }, - { - node: { - _id: 'samsungelectronics.com', - dnsBytesIn: 3916, - dnsBytesOut: 36592, - dnsName: 'samsungelectronics.com', - queryCount: 89, - uniqueDomains: 6, - }, - cursor: { value: 'samsungelectronics.com' }, - }, - { - node: { - _id: 'google.com', - dnsBytesIn: 896, - dnsBytesOut: 8072, - dnsName: 'google.com', - queryCount: 23, - uniqueDomains: 5, - }, - cursor: { value: 'google.com' }, - }, - { - node: { - _id: 'samsungcloudsolution.net', - dnsBytesIn: 1490, - dnsBytesOut: 11518, - dnsName: 'samsungcloudsolution.net', - queryCount: 30, - uniqueDomains: 5, - }, - cursor: { value: 'samsungcloudsolution.net' }, - }, - ], - pageInfo: { - activePage: 1, - fakeTotalCount: 50, - showMorePagesIndicator: true, - }, - histogram: [ - { - x: 'nflxvideo.net', - g: 'nflxvideo.net', - y: 12546, - }, - { - x: 'apple.com', - g: 'apple.com', - y: 31687, - }, - { - x: 'googlevideo.com', - g: 'googlevideo.com', - y: 16292, - }, - { - x: 'netflix.com', - g: 'netflix.com', - y: 218193, - }, - { - x: 'samsungcloudsolution.com', - g: 'samsungcloudsolution.com', - y: 11702, - }, - { - x: 'doubleclick.net', - g: 'doubleclick.net', - y: 14372, - }, - { - x: 'digitalocean.com', - g: 'digitalocean.com', - y: 4111, - }, - { - x: 'samsungelectronics.com', - g: 'samsungelectronics.com', - y: 36592, - }, - { - x: 'google.com', - g: 'google.com', - y: 8072, - }, - { - x: 'samsungcloudsolution.net', - g: 'samsungcloudsolution.net', - y: 11518, - }, - ], +export const mockData: NetworkDnsStrategyResponse = { + totalCount: 80, + edges: [ + { + node: { + _id: 'nflxvideo.net', + dnsBytesIn: 2964, + dnsBytesOut: 12546, + dnsName: 'nflxvideo.net', + queryCount: 52, + uniqueDomains: 21, + }, + cursor: { value: 'nflxvideo.net' }, + }, + { + node: { + _id: 'apple.com', + dnsBytesIn: 2680, + dnsBytesOut: 31687, + dnsName: 'apple.com', + queryCount: 75, + uniqueDomains: 20, + }, + cursor: { value: 'apple.com' }, + }, + { + node: { + _id: 'googlevideo.com', + dnsBytesIn: 1890, + dnsBytesOut: 16292, + dnsName: 'googlevideo.com', + queryCount: 38, + uniqueDomains: 19, + }, + cursor: { value: 'googlevideo.com' }, + }, + { + node: { + _id: 'netflix.com', + dnsBytesIn: 60525, + dnsBytesOut: 218193, + dnsName: 'netflix.com', + queryCount: 1532, + uniqueDomains: 12, + }, + cursor: { value: 'netflix.com' }, + }, + { + node: { + _id: 'samsungcloudsolution.com', + dnsBytesIn: 1480, + dnsBytesOut: 11702, + dnsName: 'samsungcloudsolution.com', + queryCount: 31, + uniqueDomains: 8, + }, + cursor: { value: 'samsungcloudsolution.com' }, + }, + { + node: { + _id: 'doubleclick.net', + dnsBytesIn: 1505, + dnsBytesOut: 14372, + dnsName: 'doubleclick.net', + queryCount: 35, + uniqueDomains: 7, + }, + cursor: { value: 'doubleclick.net' }, + }, + { + node: { + _id: 'digitalocean.com', + dnsBytesIn: 2035, + dnsBytesOut: 4111, + dnsName: 'digitalocean.com', + queryCount: 35, + uniqueDomains: 6, + }, + cursor: { value: 'digitalocean.com' }, + }, + { + node: { + _id: 'samsungelectronics.com', + dnsBytesIn: 3916, + dnsBytesOut: 36592, + dnsName: 'samsungelectronics.com', + queryCount: 89, + uniqueDomains: 6, + }, + cursor: { value: 'samsungelectronics.com' }, + }, + { + node: { + _id: 'google.com', + dnsBytesIn: 896, + dnsBytesOut: 8072, + dnsName: 'google.com', + queryCount: 23, + uniqueDomains: 5, + }, + cursor: { value: 'google.com' }, + }, + { + node: { + _id: 'samsungcloudsolution.net', + dnsBytesIn: 1490, + dnsBytesOut: 11518, + dnsName: 'samsungcloudsolution.net', + queryCount: 30, + uniqueDomains: 5, + }, + cursor: { value: 'samsungcloudsolution.net' }, + }, + ], + pageInfo: { + activePage: 1, + fakeTotalCount: 50, + showMorePagesIndicator: true, }, + histogram: [ + { + x: 'nflxvideo.net', + g: 'nflxvideo.net', + y: 12546, + }, + { + x: 'apple.com', + g: 'apple.com', + y: 31687, + }, + { + x: 'googlevideo.com', + g: 'googlevideo.com', + y: 16292, + }, + { + x: 'netflix.com', + g: 'netflix.com', + y: 218193, + }, + { + x: 'samsungcloudsolution.com', + g: 'samsungcloudsolution.com', + y: 11702, + }, + { + x: 'doubleclick.net', + g: 'doubleclick.net', + y: 14372, + }, + { + x: 'digitalocean.com', + g: 'digitalocean.com', + y: 4111, + }, + { + x: 'samsungelectronics.com', + g: 'samsungelectronics.com', + y: 36592, + }, + { + x: 'google.com', + g: 'google.com', + y: 8072, + }, + { + x: 'samsungcloudsolution.net', + g: 'samsungcloudsolution.net', + y: 11518, + }, + ], + rawResponse: {} as NetworkDnsStrategyResponse['rawResponse'], }; diff --git a/x-pack/plugins/security_solution/public/network/components/network_http_table/index.test.tsx b/x-pack/plugins/security_solution/public/network/components/network_http_table/index.test.tsx index 2e0e278d8242d..5bd9b0f79f903 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_http_table/index.test.tsx +++ b/x-pack/plugins/security_solution/public/network/components/network_http_table/index.test.tsx @@ -57,24 +57,20 @@ describe('NetworkHttp Table Component', () => { const wrapper = shallow( ); - expect(wrapper.find('Connect(Component)')).toMatchSnapshot(); + expect(wrapper.find('Memo(NetworkHttpTableComponent)')).toMatchSnapshot(); }); }); @@ -84,18 +80,14 @@ describe('NetworkHttp Table Component', () => { diff --git a/x-pack/plugins/security_solution/public/network/components/network_http_table/mock.ts b/x-pack/plugins/security_solution/public/network/components/network_http_table/mock.ts index f82f911d601ff..592feb6b73cde 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_http_table/mock.ts +++ b/x-pack/plugins/security_solution/public/network/components/network_http_table/mock.ts @@ -4,85 +4,83 @@ * you may not use this file except in compliance with the Elastic License. */ -import { NetworkHttpData } from '../../../graphql/types'; +import { NetworkHttpStrategyResponse } from '../../../../common/search_strategy'; -export const mockData: { NetworkHttp: NetworkHttpData } = { - NetworkHttp: { - edges: [ - { - node: { - _id: '/computeMetadata/v1/instance/virtual-clock/drift-token', - domains: ['metadata.google.internal'], - methods: ['get'], - statuses: [], - lastHost: 'suricata-iowa', - lastSourceIp: '10.128.0.21', - path: '/computeMetadata/v1/instance/virtual-clock/drift-token', - requestCount: 1440, - }, - cursor: { - value: '/computeMetadata/v1/instance/virtual-clock/drift-token', - tiebreaker: null, - }, +export const mockData: NetworkHttpStrategyResponse = { + edges: [ + { + node: { + _id: '/computeMetadata/v1/instance/virtual-clock/drift-token', + domains: ['metadata.google.internal'], + methods: ['get'], + statuses: [], + lastHost: 'suricata-iowa', + lastSourceIp: '10.128.0.21', + path: '/computeMetadata/v1/instance/virtual-clock/drift-token', + requestCount: 1440, }, - { - node: { - _id: '/computeMetadata/v1/', - domains: ['metadata.google.internal'], - methods: ['get'], - statuses: ['200'], - lastHost: 'suricata-iowa', - lastSourceIp: '10.128.0.21', - path: '/computeMetadata/v1/', - requestCount: 1020, - }, - cursor: { - value: '/computeMetadata/v1/', - tiebreaker: null, - }, + cursor: { + value: '/computeMetadata/v1/instance/virtual-clock/drift-token', + tiebreaker: null, }, - { - node: { - _id: '/computeMetadata/v1/instance/network-interfaces/', - domains: ['metadata.google.internal'], - methods: ['get'], - statuses: [], - lastHost: 'suricata-iowa', - lastSourceIp: '10.128.0.21', - path: '/computeMetadata/v1/instance/network-interfaces/', - requestCount: 960, - }, - cursor: { - value: '/computeMetadata/v1/instance/network-interfaces/', - tiebreaker: null, - }, + }, + { + node: { + _id: '/computeMetadata/v1/', + domains: ['metadata.google.internal'], + methods: ['get'], + statuses: ['200'], + lastHost: 'suricata-iowa', + lastSourceIp: '10.128.0.21', + path: '/computeMetadata/v1/', + requestCount: 1020, }, - { - node: { - _id: '/downloads/ca_setup.exe', - domains: ['www.oxid.it'], - methods: ['get'], - statuses: ['200'], - lastHost: 'jessie', - lastSourceIp: '10.0.2.15', - path: '/downloads/ca_setup.exe', - requestCount: 3, - }, - cursor: { - value: '/downloads/ca_setup.exe', - tiebreaker: null, - }, + cursor: { + value: '/computeMetadata/v1/', + tiebreaker: null, }, - ], - inspect: { - dsl: [''], - response: [''], }, - pageInfo: { - activePage: 0, - fakeTotalCount: 4, - showMorePagesIndicator: false, + { + node: { + _id: '/computeMetadata/v1/instance/network-interfaces/', + domains: ['metadata.google.internal'], + methods: ['get'], + statuses: [], + lastHost: 'suricata-iowa', + lastSourceIp: '10.128.0.21', + path: '/computeMetadata/v1/instance/network-interfaces/', + requestCount: 960, + }, + cursor: { + value: '/computeMetadata/v1/instance/network-interfaces/', + tiebreaker: null, + }, }, - totalCount: 4, + { + node: { + _id: '/downloads/ca_setup.exe', + domains: ['www.oxid.it'], + methods: ['get'], + statuses: ['200'], + lastHost: 'jessie', + lastSourceIp: '10.0.2.15', + path: '/downloads/ca_setup.exe', + requestCount: 3, + }, + cursor: { + value: '/downloads/ca_setup.exe', + tiebreaker: null, + }, + }, + ], + inspect: { + dsl: [''], + }, + pageInfo: { + activePage: 0, + fakeTotalCount: 4, + showMorePagesIndicator: false, }, + totalCount: 4, + rawResponse: {} as NetworkHttpStrategyResponse['rawResponse'], }; diff --git a/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/__snapshots__/index.test.tsx.snap index 3d47e398ed395..07874f9f39f0b 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/__snapshots__/index.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/__snapshots__/index.test.tsx.snap @@ -1,7 +1,7 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`NetworkTopNFlow Table Component rendering it renders the default NetworkTopNFlow table on the IP Details page 1`] = ` - { const wrapper = shallow( ); - expect(wrapper.find('Connect(Component)')).toMatchSnapshot(); + expect(wrapper.find('Memo(NetworkTopNFlowTableComponent)')).toMatchSnapshot(); }); test('it renders the default NetworkTopNFlow table on the IP Details page', () => { const wrapper = shallow( ); - expect(wrapper.find('Connect(Component)')).toMatchSnapshot(); + expect(wrapper.find('Memo(NetworkTopNFlowTableComponent)')).toMatchSnapshot(); }); }); @@ -110,19 +102,15 @@ describe('NetworkTopNFlow Table Component', () => { diff --git a/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/index.tsx b/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/index.tsx index 757b178431d90..9824ac602bb43 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/index.tsx +++ b/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/index.tsx @@ -5,23 +5,23 @@ */ import { last } from 'lodash/fp'; import React, { useCallback, useMemo } from 'react'; -import { connect, ConnectedProps } from 'react-redux'; +import { useDispatch, useSelector, shallowEqual } from 'react-redux'; import deepEqual from 'fast-deep-equal'; import { Direction, + SortField, FlowTargetSourceDest, NetworkTopNFlowEdges, NetworkTopTablesFields, - NetworkTopTablesSortField, -} from '../../../graphql/types'; +} from '../../../../common/search_strategy'; import { State } from '../../../common/store'; import { Criteria, ItemsPerRow, PaginatedTable } from '../../../common/components/paginated_table'; import { networkActions, networkModel, networkSelectors } from '../../store'; import { getNFlowColumnsCurated } from './columns'; import * as i18n from './translations'; -interface OwnProps { +interface NetworkTopNFlowTableProps { data: NetworkTopNFlowEdges[]; fakeTotalCount: number; flowTargeted: FlowTargetSourceDest; @@ -34,8 +34,6 @@ interface OwnProps { type: networkModel.NetworkType; } -type NetworkTopNFlowTableProps = OwnProps & PropsFromRedux; - const rowItems: ItemsPerRow[] = [ { text: i18n.ROWS_5, @@ -50,21 +48,24 @@ const rowItems: ItemsPerRow[] = [ export const NetworkTopNFlowTableId = 'networkTopSourceFlow-top-talkers'; const NetworkTopNFlowTableComponent: React.FC = ({ - activePage, data, fakeTotalCount, flowTargeted, id, isInspect, - limit, loading, loadPage, showMorePagesIndicator, - sort, totalCount, type, - updateNetworkTable, }) => { + const dispatch = useDispatch(); + const getTopNFlowSelector = networkSelectors.topNFlowSelector(); + const { activePage, limit, sort } = useSelector( + (state: State) => getTopNFlowSelector(state, type, flowTargeted), + shallowEqual + ); + const columns = useMemo( () => getNFlowColumnsCurated(flowTargeted, type, NetworkTopNFlowTableId), [flowTargeted, type] @@ -92,22 +93,24 @@ const NetworkTopNFlowTableComponent: React.FC = ({ const splitField = criteria.sort.field.split('.'); const field = last(splitField); const newSortDirection = field !== sort.field ? Direction.desc : criteria.sort.direction; // sort by desc on init click - const newTopNFlowSort: NetworkTopTablesSortField = { + const newTopNFlowSort: SortField = { field: field as NetworkTopTablesFields, - direction: newSortDirection as Direction, + direction: newSortDirection, }; if (!deepEqual(newTopNFlowSort, sort)) { - updateNetworkTable({ - networkType: type, - tableType, - updates: { - sort: newTopNFlowSort, - }, - }); + dispatch( + networkActions.updateNetworkTable({ + networkType: type, + tableType, + updates: { + sort: newTopNFlowSort, + }, + }) + ); } } }, - [sort, type, tableType, updateNetworkTable] + [sort, dispatch, type, tableType] ); const field = @@ -118,18 +121,26 @@ const NetworkTopNFlowTableComponent: React.FC = ({ const updateActivePage = useCallback( (newPage) => - updateNetworkTable({ - networkType: type, - tableType, - updates: { activePage: newPage }, - }), - [updateNetworkTable, type, tableType] + dispatch( + networkActions.updateNetworkTable({ + networkType: type, + tableType, + updates: { activePage: newPage }, + }) + ), + [dispatch, type, tableType] ); const updateLimitPagination = useCallback( (newLimit) => - updateNetworkTable({ networkType: type, tableType, updates: { limit: newLimit } }), - [updateNetworkTable, type, tableType] + dispatch( + networkActions.updateNetworkTable({ + networkType: type, + tableType, + updates: { limit: newLimit }, + }) + ), + [dispatch, type, tableType] ); return ( @@ -157,18 +168,4 @@ const NetworkTopNFlowTableComponent: React.FC = ({ ); }; -const makeMapStateToProps = () => { - const getTopNFlowSelector = networkSelectors.topNFlowSelector(); - return (state: State, { type, flowTargeted }: OwnProps) => - getTopNFlowSelector(state, type, flowTargeted); -}; - -const mapDispatchToProps = { - updateNetworkTable: networkActions.updateNetworkTable, -}; - -const connector = connect(makeMapStateToProps, mapDispatchToProps); - -type PropsFromRedux = ConnectedProps; - -export const NetworkTopNFlowTable = connector(React.memo(NetworkTopNFlowTableComponent)); +export const NetworkTopNFlowTable = React.memo(NetworkTopNFlowTableComponent); diff --git a/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/mock.ts b/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/mock.ts index bd21d78ba77c5..cf7d6974fc739 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/mock.ts +++ b/x-pack/plugins/security_solution/public/network/components/network_top_n_flow_table/mock.ts @@ -4,83 +4,81 @@ * you may not use this file except in compliance with the Elastic License. */ -import { NetworkTopNFlowData, FlowTargetSourceDest } from '../../../graphql/types'; +import { + NetworkTopNFlowStrategyResponse, + FlowTargetSourceDest, +} from '../../../../common/search_strategy'; -export const mockData: { NetworkTopNFlow: NetworkTopNFlowData } = { - NetworkTopNFlow: { - totalCount: 524, - edges: [ - { - node: { - source: { - autonomous_system: { - name: 'Google, Inc', - number: 15169, - }, - domain: ['test.domain.com'], - flows: 12345, - destination_ips: 12, - ip: '8.8.8.8', - location: { - geo: { - continent_name: ['North America'], - country_name: null, - country_iso_code: ['US'], - city_name: ['Mountain View'], - region_iso_code: ['US-CA'], - region_name: ['California'], - }, - flowTarget: FlowTargetSourceDest.source, - }, +export const mockData: NetworkTopNFlowStrategyResponse = { + totalCount: 524, + edges: [ + { + node: { + source: { + autonomous_system: { + name: 'Google, Inc', + number: 15169, }, - destination: null, - network: { - bytes_in: 3826633497, - bytes_out: 1083495734, + domain: ['test.domain.com'], + flows: 12345, + destination_ips: 12, + ip: '8.8.8.8', + location: { + geo: { + continent_name: ['North America'], + country_iso_code: ['US'], + city_name: ['Mountain View'], + region_iso_code: ['US-CA'], + region_name: ['California'], + }, + flowTarget: FlowTargetSourceDest.source, }, }, - cursor: { - value: '8.8.8.8', + network: { + bytes_in: 3826633497, + bytes_out: 1083495734, }, }, - { - node: { - source: { - autonomous_system: { - name: 'TM Net, Internet Service Provider', - number: 4788, - }, - domain: ['test.domain.net', 'test.old.domain.net'], - flows: 12345, - destination_ips: 12, - ip: '9.9.9.9', - location: { - geo: { - continent_name: ['Asia'], - country_name: null, - country_iso_code: ['MY'], - city_name: ['Petaling Jaya'], - region_iso_code: ['MY-10'], - region_name: ['Selangor'], - }, - flowTarget: FlowTargetSourceDest.source, - }, + cursor: { + value: '8.8.8.8', + }, + }, + { + node: { + source: { + autonomous_system: { + name: 'TM Net, Internet Service Provider', + number: 4788, }, - destination: null, - network: { - bytes_in: 3826633497, - bytes_out: 1083495734, + domain: ['test.domain.net', 'test.old.domain.net'], + flows: 12345, + destination_ips: 12, + ip: '9.9.9.9', + location: { + geo: { + continent_name: ['Asia'], + country_iso_code: ['MY'], + city_name: ['Petaling Jaya'], + region_iso_code: ['MY-10'], + region_name: ['Selangor'], + }, + flowTarget: FlowTargetSourceDest.source, }, }, - cursor: { - value: '9.9.9.9', + network: { + bytes_in: 3826633497, + bytes_out: 1083495734, }, }, - ], - pageInfo: { - activePage: 1, - fakeTotalCount: 50, - showMorePagesIndicator: true, + cursor: { + value: '9.9.9.9', + }, }, + ], + pageInfo: { + activePage: 1, + fakeTotalCount: 50, + showMorePagesIndicator: true, }, + rawResponse: {} as NetworkTopNFlowStrategyResponse['rawResponse'], }; diff --git a/x-pack/plugins/security_solution/public/network/containers/kpi_network/index.gql_query.ts b/x-pack/plugins/security_solution/public/network/containers/kpi_network/index.gql_query.ts deleted file mode 100644 index 3c693f08b45f2..0000000000000 --- a/x-pack/plugins/security_solution/public/network/containers/kpi_network/index.gql_query.ts +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const kpiNetworkQuery = gql` - fragment KpiNetworkChartFields on KpiNetworkHistogramData { - x - y - } - - query GetKpiNetworkQuery( - $sourceId: ID! - $timerange: TimerangeInput! - $filterQuery: String - $defaultIndex: [String!]! - $inspect: Boolean! - ) { - source(id: $sourceId) { - id - KpiNetwork(timerange: $timerange, filterQuery: $filterQuery, defaultIndex: $defaultIndex) { - networkEvents - uniqueFlowId - uniqueSourcePrivateIps - uniqueSourcePrivateIpsHistogram { - ...KpiNetworkChartFields - } - uniqueDestinationPrivateIps - uniqueDestinationPrivateIpsHistogram { - ...KpiNetworkChartFields - } - dnsQueries - tlsHandshakes - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/network/containers/network_dns/index.gql_query.ts b/x-pack/plugins/security_solution/public/network/containers/network_dns/index.gql_query.ts deleted file mode 100644 index a81d112fa4c50..0000000000000 --- a/x-pack/plugins/security_solution/public/network/containers/network_dns/index.gql_query.ts +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const networkDnsQuery = gql` - query GetNetworkDnsQuery( - $defaultIndex: [String!]! - $filterQuery: String - $inspect: Boolean! - $isPtrIncluded: Boolean! - $pagination: PaginationInputPaginated! - $sort: NetworkDnsSortField! - $sourceId: ID! - $stackByField: String - $timerange: TimerangeInput! - ) { - source(id: $sourceId) { - id - NetworkDns( - isPtrIncluded: $isPtrIncluded - sort: $sort - timerange: $timerange - pagination: $pagination - filterQuery: $filterQuery - defaultIndex: $defaultIndex - stackByField: $stackByField - ) { - totalCount - edges { - node { - _id - dnsBytesIn - dnsBytesOut - dnsName - queryCount - uniqueDomains - } - cursor { - value - } - } - pageInfo { - activePage - fakeTotalCount - showMorePagesIndicator - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx b/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx index 334373c4a551a..1f199ba4f9acd 100644 --- a/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx +++ b/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx @@ -13,7 +13,7 @@ import { ESTermQuery } from '../../../../common/typed_json'; import { inputsModel, State } from '../../../common/store'; import { useKibana } from '../../../common/lib/kibana'; import { createFilter } from '../../../common/containers/helpers'; -import { NetworkDnsEdges, PageInfoPaginated } from '../../../graphql/types'; +import { NetworkDnsEdges, PageInfoPaginated } from '../../../../common/search_strategy'; import { generateTablePaginationOptions } from '../../../common/components/paginated_table/helpers'; import { networkModel, networkSelectors } from '../../store'; import { diff --git a/x-pack/plugins/security_solution/public/network/containers/network_http/index.gql_query.ts b/x-pack/plugins/security_solution/public/network/containers/network_http/index.gql_query.ts deleted file mode 100644 index bedf13dfa9849..0000000000000 --- a/x-pack/plugins/security_solution/public/network/containers/network_http/index.gql_query.ts +++ /dev/null @@ -1,57 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const networkHttpQuery = gql` - query GetNetworkHttpQuery( - $sourceId: ID! - $ip: String - $filterQuery: String - $pagination: PaginationInputPaginated! - $sort: NetworkHttpSortField! - $timerange: TimerangeInput! - $defaultIndex: [String!]! - $inspect: Boolean! - ) { - source(id: $sourceId) { - id - NetworkHttp( - filterQuery: $filterQuery - ip: $ip - pagination: $pagination - sort: $sort - timerange: $timerange - defaultIndex: $defaultIndex - ) { - totalCount - edges { - node { - domains - lastHost - lastSourceIp - methods - path - requestCount - statuses - } - cursor { - value - } - } - pageInfo { - activePage - fakeTotalCount - showMorePagesIndicator - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx b/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx index 221b693818c50..98202f6b42be6 100644 --- a/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx +++ b/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx @@ -13,11 +13,12 @@ import { ESTermQuery } from '../../../../common/typed_json'; import { inputsModel, State } from '../../../common/store'; import { useKibana } from '../../../common/lib/kibana'; import { createFilter } from '../../../common/containers/helpers'; -import { NetworkHttpEdges, PageInfoPaginated } from '../../../graphql/types'; import { generateTablePaginationOptions } from '../../../common/components/paginated_table/helpers'; import { networkModel, networkSelectors } from '../../store'; import { NetworkQueries, + NetworkHttpEdges, + PageInfoPaginated, NetworkHttpRequestOptions, NetworkHttpStrategyResponse, SortField, diff --git a/x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.gql_query.ts b/x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.gql_query.ts deleted file mode 100644 index 5850246ceecec..0000000000000 --- a/x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.gql_query.ts +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const networkTopCountriesQuery = gql` - query GetNetworkTopCountriesQuery( - $sourceId: ID! - $ip: String - $filterQuery: String - $pagination: PaginationInputPaginated! - $sort: NetworkTopTablesSortField! - $flowTarget: FlowTargetSourceDest! - $timerange: TimerangeInput! - $defaultIndex: [String!]! - $inspect: Boolean! - ) { - source(id: $sourceId) { - id - NetworkTopCountries( - filterQuery: $filterQuery - flowTarget: $flowTarget - ip: $ip - pagination: $pagination - sort: $sort - timerange: $timerange - defaultIndex: $defaultIndex - ) { - totalCount - edges { - node { - source { - country - destination_ips - flows - source_ips - } - destination { - country - destination_ips - flows - source_ips - } - network { - bytes_in - bytes_out - } - } - cursor { - value - } - } - pageInfo { - activePage - fakeTotalCount - showMorePagesIndicator - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/network/containers/network_top_n_flow/index.gql_query.ts b/x-pack/plugins/security_solution/public/network/containers/network_top_n_flow/index.gql_query.ts deleted file mode 100644 index a73f9ff9256ff..0000000000000 --- a/x-pack/plugins/security_solution/public/network/containers/network_top_n_flow/index.gql_query.ts +++ /dev/null @@ -1,98 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const networkTopNFlowQuery = gql` - query GetNetworkTopNFlowQuery( - $sourceId: ID! - $ip: String - $filterQuery: String - $pagination: PaginationInputPaginated! - $sort: NetworkTopTablesSortField! - $flowTarget: FlowTargetSourceDest! - $timerange: TimerangeInput! - $defaultIndex: [String!]! - $inspect: Boolean! - ) { - source(id: $sourceId) { - id - NetworkTopNFlow( - filterQuery: $filterQuery - flowTarget: $flowTarget - ip: $ip - pagination: $pagination - sort: $sort - timerange: $timerange - defaultIndex: $defaultIndex - ) { - totalCount - edges { - node { - source { - autonomous_system { - name - number - } - domain - ip - location { - geo { - continent_name - country_name - country_iso_code - city_name - region_iso_code - region_name - } - flowTarget - } - flows - destination_ips - } - destination { - autonomous_system { - name - number - } - domain - ip - location { - geo { - continent_name - country_name - country_iso_code - city_name - region_iso_code - region_name - } - flowTarget - } - flows - source_ips - } - network { - bytes_in - bytes_out - } - } - cursor { - value - } - } - pageInfo { - activePage - fakeTotalCount - showMorePagesIndicator - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx index eaeb31c020473..a227dec410915 100644 --- a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx @@ -9,7 +9,7 @@ import React, { useCallback, useEffect, useMemo } from 'react'; import { useDispatch, useSelector, shallowEqual } from 'react-redux'; import { useParams } from 'react-router-dom'; -import { FlowTarget } from '../../../../common/search_strategy'; +import { FlowTarget, LastEventIndexKey } from '../../../../common/search_strategy'; import { useGlobalTime } from '../../../common/containers/use_global_time'; import { FiltersGlobal } from '../../../common/components/filters_global'; import { HeaderPage } from '../../../common/components/header_page'; @@ -24,7 +24,7 @@ import { IpOverview } from '../../components/details'; import { SiemSearchBar } from '../../../common/components/search_bar'; import { WrapperPage } from '../../../common/components/wrapper_page'; import { useNetworkDetails } from '../../containers/details'; -import { FlowTargetSourceDest, LastEventIndexKey } from '../../../graphql/types'; +import { FlowTargetSourceDest } from '../../../graphql/types'; import { useKibana } from '../../../common/lib/kibana'; import { decodeIpv6 } from '../../../common/lib/helpers'; import { convertToBuildEsQuery } from '../../../common/lib/keury'; diff --git a/x-pack/plugins/security_solution/public/network/pages/network.tsx b/x-pack/plugins/security_solution/public/network/pages/network.tsx index 6aea771e49499..243ea8626582f 100644 --- a/x-pack/plugins/security_solution/public/network/pages/network.tsx +++ b/x-pack/plugins/security_solution/public/network/pages/network.tsx @@ -24,7 +24,7 @@ import { SiemSearchBar } from '../../common/components/search_bar'; import { WrapperPage } from '../../common/components/wrapper_page'; import { useFullScreen } from '../../common/containers/use_full_screen'; import { useGlobalTime } from '../../common/containers/use_global_time'; -import { LastEventIndexKey } from '../../graphql/types'; +import { LastEventIndexKey } from '../../../common/search_strategy'; import { useKibana } from '../../common/lib/kibana'; import { convertToBuildEsQuery } from '../../common/lib/keury'; import { State, inputsSelectors } from '../../common/store'; diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx index 01e5202d03332..f823b717e7f4c 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx @@ -10,12 +10,13 @@ import React from 'react'; import { TestProviders } from '../../../../common/mock/test_providers'; import { FooterComponent, PagingControlComponent } from './index'; -import { mockData } from './mock'; describe('Footer Timeline Component', () => { const loadMore = jest.fn(); const onChangeItemsPerPage = jest.fn(); const updatedAt = 1546878704036; + const totalCount = 15546; + const itemsCount = 2; describe('rendering', () => { test('it renders the default timeline footer', () => { @@ -27,12 +28,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={false} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={2} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> ); @@ -49,12 +50,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={true} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={2} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> ); @@ -72,12 +73,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={false} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={2} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> @@ -123,12 +124,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={true} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={2} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> ); @@ -146,12 +147,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={false} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={1} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> @@ -173,12 +174,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={false} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={2} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> @@ -198,12 +199,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={false} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={1} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> @@ -225,12 +226,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={true} isLoading={false} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={2} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> @@ -250,12 +251,12 @@ describe('Footer Timeline Component', () => { id={'timeline-id'} isLive={false} isLoading={false} - itemsCount={mockData.Events.edges.length} + itemsCount={itemsCount} itemsPerPage={2} itemsPerPageOptions={[1, 5, 10, 20]} onChangeItemsPerPage={onChangeItemsPerPage} onChangePage={loadMore} - serverSideEventCount={mockData.Events.totalCount} + serverSideEventCount={totalCount} totalPages={2} /> diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/mock.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/mock.ts deleted file mode 100644 index fcd30ee2b8500..0000000000000 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/mock.ts +++ /dev/null @@ -1,86 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { EventsTimelineData } from '../../../../graphql/types'; - -export const mockData: { Events: EventsTimelineData } = { - Events: { - totalCount: 15546, - pageInfo: { - hasNextPage: true, - endCursor: { - value: '1546878704036', - tiebreaker: '10624', - }, - }, - edges: [ - { - cursor: { - value: '1546878704036', - tiebreaker: '10656', - }, - node: { - _id: 'Fo8nKWgBiyhPd5Zo3cib', - timestamp: '2019-01-07T16:31:44.036Z', - _index: 'auditbeat-7.0.0-2019.01.07', - destination: { - ip: ['24.168.54.169'], - port: [62123], - }, - event: { - category: null, - id: null, - module: ['system'], - severity: null, - type: null, - }, - geo: null, - host: { - name: ['siem-general'], - ip: null, - }, - source: { - ip: ['10.142.0.6'], - port: [9200], - }, - suricata: null, - }, - }, - { - cursor: { - value: '1546878704036', - tiebreaker: '10624', - }, - node: { - _id: 'F48nKWgBiyhPd5Zo3cib', - timestamp: '2019-01-07T16:31:44.036Z', - _index: 'auditbeat-7.0.0-2019.01.07', - destination: { - ip: ['24.168.54.169'], - port: [62145], - }, - event: { - category: null, - id: null, - module: ['system'], - severity: null, - type: null, - }, - geo: null, - host: { - name: ['siem-general'], - ip: null, - }, - source: { - ip: ['10.142.0.6'], - port: [9200], - }, - suricata: null, - }, - }, - ], - }, -}; diff --git a/x-pack/plugins/security_solution/public/timelines/containers/details/index.gql_query.ts b/x-pack/plugins/security_solution/public/timelines/containers/details/index.gql_query.ts deleted file mode 100644 index eff58725edb29..0000000000000 --- a/x-pack/plugins/security_solution/public/timelines/containers/details/index.gql_query.ts +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const timelineDetailsQuery = gql` - query GetTimelineDetailsQuery( - $sourceId: ID! - $eventId: String! - $indexName: String! - $defaultIndex: [String!]! - $docValueFields: [docValueFieldsInput!]! - ) { - source(id: $sourceId) { - id - TimelineDetails( - eventId: $eventId - indexName: $indexName - defaultIndex: $defaultIndex - docValueFields: $docValueFields - ) { - data { - field - values - originalValue - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.gql_query.ts b/x-pack/plugins/security_solution/public/timelines/containers/index.gql_query.ts deleted file mode 100644 index c67ad45bede94..0000000000000 --- a/x-pack/plugins/security_solution/public/timelines/containers/index.gql_query.ts +++ /dev/null @@ -1,375 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const timelineQuery = gql` - query GetTimelineQuery( - $sourceId: ID! - $fieldRequested: [String!]! - $pagination: PaginationInput! - $sortField: SortField! - $filterQuery: String - $defaultIndex: [String!]! - $inspect: Boolean! - $docValueFields: [docValueFieldsInput!]! - $timerange: TimerangeInput! - ) { - source(id: $sourceId) { - id - Timeline( - fieldRequested: $fieldRequested - pagination: $pagination - sortField: $sortField - filterQuery: $filterQuery - defaultIndex: $defaultIndex - docValueFields: $docValueFields - timerange: $timerange - ) { - totalCount - inspect @include(if: $inspect) { - dsl - response - } - pageInfo { - endCursor { - value - tiebreaker - } - hasNextPage - } - edges { - node { - _id - _index - data { - field - value - } - ecs { - _id - _index - timestamp - message - system { - auth { - ssh { - signature - method - } - } - audit { - package { - arch - entity_id - name - size - summary - version - } - } - } - event { - action - category - code - created - dataset - duration - end - hash - id - kind - module - original - outcome - risk_score - risk_score_norm - severity - start - timezone - type - } - agent { - type - } - auditd { - result - session - data { - acct - terminal - op - } - summary { - actor { - primary - secondary - } - object { - primary - secondary - type - } - how - message_type - sequence - } - } - file { - name - path - target_path - extension - type - device - inode - uid - owner - gid - group - mode - size - mtime - ctime - } - host { - id - name - ip - } - rule { - reference - } - source { - bytes - ip - packets - port - geo { - continent_name - country_name - country_iso_code - city_name - region_iso_code - region_name - } - } - destination { - bytes - ip - packets - port - geo { - continent_name - country_name - country_iso_code - city_name - region_iso_code - region_name - } - } - dns { - question { - name - type - } - resolved_ip - response_code - } - endgame { - exit_code - file_name - file_path - logon_type - parent_process_name - pid - process_name - subject_domain_name - subject_logon_id - subject_user_name - target_domain_name - target_logon_id - target_user_name - } - geo { - region_name - country_iso_code - } - signal { - status - original_time - rule { - id - saved_id - timeline_id - timeline_title - output_index - from - index - language - query - to - filters - note - type - threshold - exceptions_list - } - } - suricata { - eve { - proto - flow_id - alert { - signature - signature_id - } - } - } - network { - bytes - community_id - direction - packets - protocol - transport - } - http { - version - request { - method - body { - bytes - content - } - referrer - } - response { - status_code - body { - bytes - content - } - } - } - tls { - client_certificate { - fingerprint { - sha1 - } - } - fingerprints { - ja3 { - hash - } - } - server_certificate { - fingerprint { - sha1 - } - } - } - url { - original - domain - username - password - } - user { - domain - name - } - winlog { - event_id - } - process { - hash { - md5 - sha1 - sha256 - } - pid - name - ppid - args - entity_id - executable - title - working_directory - } - zeek { - session_id - connection { - local_resp - local_orig - missed_bytes - state - history - } - notice { - suppress_for - msg - note - sub - dst - dropped - peer_descr - } - dns { - AA - qclass_name - RD - qtype_name - rejected - qtype - query - trans_id - qclass - RA - TC - } - http { - resp_mime_types - trans_depth - status_msg - resp_fuids - tags - } - files { - session_ids - timedout - local_orig - tx_host - source - is_orig - overflow_bytes - sha1 - duration - depth - analyzers - mime_type - rx_host - total_bytes - fuid - seen_bytes - missing_bytes - md5 - } - ssl { - cipher - established - resumed - version - } - } - } - } - } - } - } - } -`; diff --git a/x-pack/plugins/security_solution/server/graphql/authentications/index.ts b/x-pack/plugins/security_solution/server/graphql/authentications/index.ts deleted file mode 100644 index 8c16518590ad7..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/authentications/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { createAuthenticationsResolvers } from './resolvers'; -export { authenticationsSchema } from './schema.gql'; diff --git a/x-pack/plugins/security_solution/server/graphql/authentications/resolvers.ts b/x-pack/plugins/security_solution/server/graphql/authentications/resolvers.ts deleted file mode 100644 index b66ccd9a111b7..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/authentications/resolvers.ts +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { SourceResolvers } from '../../graphql/types'; -import { Authentications } from '../../lib/authentications'; -import { AppResolverOf, ChildResolverOf } from '../../lib/framework'; -import { createOptionsPaginated } from '../../utils/build_query/create_options'; -import { QuerySourceResolver } from '../sources/resolvers'; - -type QueryAuthenticationsResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export interface AuthenticationsResolversDeps { - authentications: Authentications; -} - -export const createAuthenticationsResolvers = ( - libs: AuthenticationsResolversDeps -): { - Source: { - Authentications: QueryAuthenticationsResolver; - }; -} => ({ - Source: { - async Authentications(source, args, { req }, info) { - const options = createOptionsPaginated(source, args, info); - return libs.authentications.getAuthentications(req, options); - }, - }, -}); diff --git a/x-pack/plugins/security_solution/server/graphql/authentications/schema.gql.ts b/x-pack/plugins/security_solution/server/graphql/authentications/schema.gql.ts deleted file mode 100644 index 648a65fa24682..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/authentications/schema.gql.ts +++ /dev/null @@ -1,47 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const authenticationsSchema = gql` - type LastSourceHost { - timestamp: Date - source: SourceEcsFields - host: HostEcsFields - } - - type AuthenticationItem { - _id: String! - failures: Float! - successes: Float! - user: UserEcsFields! - lastSuccess: LastSourceHost - lastFailure: LastSourceHost - } - - type AuthenticationsEdges { - node: AuthenticationItem! - cursor: CursorType! - } - - type AuthenticationsData { - edges: [AuthenticationsEdges!]! - totalCount: Float! - pageInfo: PageInfoPaginated! - inspect: Inspect - } - - extend type Source { - "Gets Authentication success and failures based on a timerange" - Authentications( - timerange: TimerangeInput! - pagination: PaginationInputPaginated! - filterQuery: String - defaultIndex: [String!]! - docValueFields: [docValueFieldsInput!]! - ): AuthenticationsData! - } -`; diff --git a/x-pack/plugins/security_solution/server/graphql/events/index.ts b/x-pack/plugins/security_solution/server/graphql/events/index.ts deleted file mode 100644 index c794dfa7170f2..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/events/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { createEsValueResolvers, createEventsResolvers } from './resolvers'; -export { eventsSchema } from './schema.gql'; diff --git a/x-pack/plugins/security_solution/server/graphql/events/resolvers.ts b/x-pack/plugins/security_solution/server/graphql/events/resolvers.ts deleted file mode 100644 index ef28ac523ff85..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/events/resolvers.ts +++ /dev/null @@ -1,105 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { GraphQLScalarType, Kind } from 'graphql'; - -import { Events } from '../../lib/events'; -import { AppResolverOf, ChildResolverOf } from '../../lib/framework'; -import { createOptions } from '../../utils/build_query/create_options'; -import { QuerySourceResolver } from '../sources/resolvers'; -import { SourceResolvers } from '../types'; -import { LastEventTimeRequestOptions } from '../../lib/events/types'; - -type QueryTimelineResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -type QueryTimelineDetailsResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -type QueryLastEventTimeResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export interface EventsResolversDeps { - events: Events; -} -export const createEventsResolvers = ( - libs: EventsResolversDeps -): { - Source: { - Timeline: QueryTimelineResolver; - TimelineDetails: QueryTimelineDetailsResolver; - LastEventTime: QueryLastEventTimeResolver; - }; -} => ({ - Source: { - async Timeline(source, args, { req }, info) { - const options = createOptions(source, args, info, 'edges.node.ecs.'); - return libs.events.getTimelineData(req, { - ...options, - fieldRequested: args.fieldRequested, - }); - }, - async TimelineDetails(source, args, { req }) { - return libs.events.getTimelineDetails(req, { - indexName: args.indexName, - eventId: args.eventId, - defaultIndex: args.defaultIndex, - }); - }, - async LastEventTime(source, args, { req }) { - const options: LastEventTimeRequestOptions = { - defaultIndex: args.defaultIndex, - docValueFields: args.docValueFields, - sourceConfiguration: source.configuration, - indexKey: args.indexKey, - details: args.details, - }; - return libs.events.getLastEventTimeData(req, options); - }, - }, -}); - -/* - * serialize: gets invoked when serializing the result to send it back to a client. - * - * parseValue: gets invoked to parse client input that was passed through variables. - * - * parseLiteral: gets invoked to parse client input that was passed inline in the query. - */ - -const esValueScalar = new GraphQLScalarType({ - name: 'DetailItemValue', - description: 'Represents value in detail item from the timeline who wants to more than one type', - serialize(value): string { - return value; - }, - parseValue(value) { - return value; - }, - parseLiteral(ast) { - switch (ast.kind) { - case Kind.INT: - return parseInt(ast.value, 10); - case Kind.FLOAT: - return parseFloat(ast.value); - case Kind.STRING: - return ast.value; - case Kind.LIST: - return ast.values; - case Kind.OBJECT: - return ast.fields; - } - return null; - }, -}); - -export const createEsValueResolvers = () => ({ EsValue: esValueScalar }); diff --git a/x-pack/plugins/security_solution/server/graphql/events/schema.gql.ts b/x-pack/plugins/security_solution/server/graphql/events/schema.gql.ts deleted file mode 100644 index eee4bc3e3a33f..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/events/schema.gql.ts +++ /dev/null @@ -1,95 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const eventsSchema = gql` - scalar EsValue - - type EventsTimelineData { - edges: [EcsEdges!]! - totalCount: Float! - pageInfo: PageInfo! - inspect: Inspect - } - - type TimelineNonEcsData { - field: String! - value: ToStringArray - } - - type TimelineItem { - _id: String! - _index: String - data: [TimelineNonEcsData!]! - ecs: ECS! - } - - type TimelineEdges { - node: TimelineItem! - cursor: CursorType! - } - - type TimelineData { - edges: [TimelineEdges!]! - totalCount: Float! - pageInfo: PageInfo! - inspect: Inspect - } - - type DetailItem { - field: String! - values: ToStringArray - originalValue: EsValue - } - - input LastTimeDetails { - hostName: String - ip: String - } - - type TimelineDetailsData { - data: [DetailItem!] - inspect: Inspect - } - - type LastEventTimeData { - lastSeen: Date - inspect: Inspect - } - - enum LastEventIndexKey { - hostDetails - hosts - ipDetails - network - } - - extend type Source { - Timeline( - pagination: PaginationInput! - sortField: SortField! - fieldRequested: [String!]! - timerange: TimerangeInput - filterQuery: String - defaultIndex: [String!]! - docValueFields: [docValueFieldsInput!]! - ): TimelineData! - TimelineDetails( - eventId: String! - indexName: String! - defaultIndex: [String!]! - docValueFields: [docValueFieldsInput!]! - ): TimelineDetailsData! - LastEventTime( - id: String - indexKey: LastEventIndexKey! - details: LastTimeDetails! - defaultIndex: [String!]! - docValueFields: [docValueFieldsInput!]! - ): LastEventTimeData! - } -`; diff --git a/x-pack/plugins/security_solution/server/graphql/index.ts b/x-pack/plugins/security_solution/server/graphql/index.ts index d23494e0eeaa6..308572a6a7e65 100644 --- a/x-pack/plugins/security_solution/server/graphql/index.ts +++ b/x-pack/plugins/security_solution/server/graphql/index.ts @@ -7,13 +7,8 @@ import { rootSchema } from '../../common/graphql/root'; import { sharedSchema } from '../../common/graphql/shared'; -import { authenticationsSchema } from './authentications'; import { ecsSchema } from './ecs'; -import { eventsSchema } from './events'; import { hostsSchema } from './hosts'; -import { kpiHostsSchema } from './kpi_hosts'; -import { kpiNetworkSchema } from './kpi_network'; -import { networkSchema } from './network'; import { dateSchema } from './scalar_date'; import { noteSchema } from './note'; import { pinnedEventSchema } from './pinned_event'; @@ -25,21 +20,14 @@ import { sourceStatusSchema } from './source_status'; import { sourcesSchema } from './sources'; import { timelineSchema } from './timeline'; import { whoAmISchema } from './who_am_i'; -import { matrixHistogramSchema } from './matrix_histogram'; export const schemas = [ - authenticationsSchema, ecsSchema, - eventsSchema, dateSchema, toAnySchema, toNumberSchema, toDateSchema, toBooleanSchema, hostsSchema, - kpiNetworkSchema, - kpiHostsSchema, - matrixHistogramSchema, - networkSchema, noteSchema, pinnedEventSchema, rootSchema, diff --git a/x-pack/plugins/security_solution/server/graphql/kpi_hosts/index.ts b/x-pack/plugins/security_solution/server/graphql/kpi_hosts/index.ts deleted file mode 100644 index cb0f2be52adc7..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/kpi_hosts/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { createKpiHostsResolvers } from './resolvers'; -export { kpiHostsSchema } from './schema.gql'; diff --git a/x-pack/plugins/security_solution/server/graphql/kpi_hosts/resolvers.ts b/x-pack/plugins/security_solution/server/graphql/kpi_hosts/resolvers.ts deleted file mode 100644 index 6708bdcd55d62..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/kpi_hosts/resolvers.ts +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { SourceResolvers } from '../../graphql/types'; -import { AppResolverOf, ChildResolverOf } from '../../lib/framework'; -import { KpiHosts } from '../../lib/kpi_hosts'; -import { createOptions } from '../../utils/build_query/create_options'; -import { QuerySourceResolver } from '../sources/resolvers'; - -export type QueryKpiHostsResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export type QueryKpiHostDetailsResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export interface KpiHostsResolversDeps { - kpiHosts: KpiHosts; -} - -export const createKpiHostsResolvers = ( - libs: KpiHostsResolversDeps -): { - Source: { - KpiHosts: QueryKpiHostsResolver; - KpiHostDetails: QueryKpiHostDetailsResolver; - }; -} => ({ - Source: { - async KpiHosts(source, args, { req }, info) { - const options = { ...createOptions(source, args, info) }; - return libs.kpiHosts.getKpiHosts(req, options); - }, - async KpiHostDetails(source, args, { req }, info) { - const options = { ...createOptions(source, args, info) }; - return libs.kpiHosts.getKpiHostDetails(req, options); - }, - }, -}); diff --git a/x-pack/plugins/security_solution/server/graphql/kpi_hosts/schema.gql.ts b/x-pack/plugins/security_solution/server/graphql/kpi_hosts/schema.gql.ts deleted file mode 100644 index 49c988436e977..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/kpi_hosts/schema.gql.ts +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const kpiHostsSchema = gql` - type KpiHostHistogramData { - x: Float - y: Float - } - - type KpiHostsData { - hosts: Float - hostsHistogram: [KpiHostHistogramData!] - authSuccess: Float - authSuccessHistogram: [KpiHostHistogramData!] - authFailure: Float - authFailureHistogram: [KpiHostHistogramData!] - uniqueSourceIps: Float - uniqueSourceIpsHistogram: [KpiHostHistogramData!] - uniqueDestinationIps: Float - uniqueDestinationIpsHistogram: [KpiHostHistogramData!] - inspect: Inspect - } - - type KpiHostDetailsData { - authSuccess: Float - authSuccessHistogram: [KpiHostHistogramData!] - authFailure: Float - authFailureHistogram: [KpiHostHistogramData!] - uniqueSourceIps: Float - uniqueSourceIpsHistogram: [KpiHostHistogramData!] - uniqueDestinationIps: Float - uniqueDestinationIpsHistogram: [KpiHostHistogramData!] - inspect: Inspect - } - - extend type Source { - KpiHosts( - id: String - timerange: TimerangeInput! - filterQuery: String - defaultIndex: [String!]! - ): KpiHostsData! - - KpiHostDetails( - id: String - timerange: TimerangeInput! - filterQuery: String - defaultIndex: [String!]! - ): KpiHostDetailsData! - } -`; diff --git a/x-pack/plugins/security_solution/server/graphql/kpi_network/index.ts b/x-pack/plugins/security_solution/server/graphql/kpi_network/index.ts deleted file mode 100644 index bd9da6374d868..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/kpi_network/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { createKpiNetworkResolvers } from './resolvers'; -export { kpiNetworkSchema } from './schema.gql'; diff --git a/x-pack/plugins/security_solution/server/graphql/kpi_network/resolvers.ts b/x-pack/plugins/security_solution/server/graphql/kpi_network/resolvers.ts deleted file mode 100644 index b587d8c4ac726..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/kpi_network/resolvers.ts +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { SourceResolvers } from '../../graphql/types'; -import { AppResolverOf, ChildResolverOf } from '../../lib/framework'; -import { KpiNetwork } from '../../lib/kpi_network'; -import { createOptions } from '../../utils/build_query/create_options'; -import { QuerySourceResolver } from '../sources/resolvers'; - -export type QueryKipNetworkResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export interface KpiNetworkResolversDeps { - kpiNetwork: KpiNetwork; -} - -export const createKpiNetworkResolvers = ( - libs: KpiNetworkResolversDeps -): { - Source: { - KpiNetwork: QueryKipNetworkResolver; - }; -} => ({ - Source: { - async KpiNetwork(source, args, { req }, info) { - const options = { ...createOptions(source, args, info) }; - return libs.kpiNetwork.getKpiNetwork(req, options); - }, - }, -}); diff --git a/x-pack/plugins/security_solution/server/graphql/kpi_network/schema.gql.ts b/x-pack/plugins/security_solution/server/graphql/kpi_network/schema.gql.ts deleted file mode 100644 index 830240a83bd91..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/kpi_network/schema.gql.ts +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const kpiNetworkSchema = gql` - type KpiNetworkHistogramData { - x: Float - y: Float - } - - type KpiNetworkData { - networkEvents: Float - uniqueFlowId: Float - uniqueSourcePrivateIps: Float - uniqueSourcePrivateIpsHistogram: [KpiNetworkHistogramData!] - uniqueDestinationPrivateIps: Float - uniqueDestinationPrivateIpsHistogram: [KpiNetworkHistogramData!] - dnsQueries: Float - tlsHandshakes: Float - inspect: Inspect - } - - extend type Source { - KpiNetwork( - id: String - timerange: TimerangeInput! - filterQuery: String - defaultIndex: [String!]! - ): KpiNetworkData - } -`; diff --git a/x-pack/plugins/security_solution/server/graphql/matrix_histogram/index.ts b/x-pack/plugins/security_solution/server/graphql/matrix_histogram/index.ts deleted file mode 100644 index 1460b6022bb13..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/matrix_histogram/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { createMatrixHistogramResolvers } from './resolvers'; -export { matrixHistogramSchema } from './schema.gql'; diff --git a/x-pack/plugins/security_solution/server/graphql/matrix_histogram/resolvers.ts b/x-pack/plugins/security_solution/server/graphql/matrix_histogram/resolvers.ts deleted file mode 100644 index 35cebe4777dcf..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/matrix_histogram/resolvers.ts +++ /dev/null @@ -1,39 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { MatrixHistogram } from '../../lib/matrix_histogram'; -import { AppResolverOf, ChildResolverOf } from '../../lib/framework'; -import { createOptions } from '../../utils/build_query/create_options'; -import { QuerySourceResolver } from '../sources/resolvers'; -import { SourceResolvers } from '../types'; - -export interface MatrixHistogramResolversDeps { - matrixHistogram: MatrixHistogram; -} - -type QueryMatrixHistogramResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export const createMatrixHistogramResolvers = ( - libs: MatrixHistogramResolversDeps -): { - Source: { - MatrixHistogram: QueryMatrixHistogramResolver; - }; -} => ({ - Source: { - async MatrixHistogram(source, args, { req }, info) { - const options = { - ...createOptions(source, args, info), - stackByField: args.stackByField, - histogramType: args.histogramType, - }; - return libs.matrixHistogram.getMatrixHistogramData(req, options); - }, - }, -}); diff --git a/x-pack/plugins/security_solution/server/graphql/matrix_histogram/schema.gql.ts b/x-pack/plugins/security_solution/server/graphql/matrix_histogram/schema.gql.ts deleted file mode 100644 index deda6dc6e5c1a..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/matrix_histogram/schema.gql.ts +++ /dev/null @@ -1,39 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const matrixHistogramSchema = gql` - type MatrixOverTimeHistogramData { - x: Float - y: Float - g: String - } - - type MatrixHistogramOverTimeData { - inspect: Inspect - matrixHistogramData: [MatrixOverTimeHistogramData!]! - totalCount: Float! - } - - enum HistogramType { - authentications - anomalies - events - alerts - dns - } - - extend type Source { - MatrixHistogram( - filterQuery: String - defaultIndex: [String!]! - timerange: TimerangeInput! - stackByField: String! - histogramType: HistogramType! - ): MatrixHistogramOverTimeData! - } -`; diff --git a/x-pack/plugins/security_solution/server/graphql/network/index.ts b/x-pack/plugins/security_solution/server/graphql/network/index.ts deleted file mode 100644 index 5dba3b21c1108..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/network/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { createNetworkResolvers } from './resolvers'; -export { networkSchema } from './schema.gql'; diff --git a/x-pack/plugins/security_solution/server/graphql/network/resolvers.ts b/x-pack/plugins/security_solution/server/graphql/network/resolvers.ts deleted file mode 100644 index db15babc42a72..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/network/resolvers.ts +++ /dev/null @@ -1,83 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { SourceResolvers } from '../../graphql/types'; -import { AppResolverOf, ChildResolverOf } from '../../lib/framework'; -import { Network } from '../../lib/network'; -import { createOptionsPaginated } from '../../utils/build_query/create_options'; -import { QuerySourceResolver } from '../sources/resolvers'; - -type QueryNetworkTopCountriesResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -type QueryNetworkTopNFlowResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -type QueryNetworkHttpResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -type QueryDnsResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export interface NetworkResolversDeps { - network: Network; -} - -export const createNetworkResolvers = ( - libs: NetworkResolversDeps -): { - Source: { - NetworkHttp: QueryNetworkHttpResolver; - NetworkTopCountries: QueryNetworkTopCountriesResolver; - NetworkTopNFlow: QueryNetworkTopNFlowResolver; - NetworkDns: QueryDnsResolver; - }; -} => ({ - Source: { - async NetworkTopCountries(source, args, { req }, info) { - const options = { - ...createOptionsPaginated(source, args, info), - flowTarget: args.flowTarget, - networkTopCountriesSort: args.sort, - ip: args.ip, - }; - return libs.network.getNetworkTopCountries(req, options); - }, - async NetworkTopNFlow(source, args, { req }, info) { - const options = { - ...createOptionsPaginated(source, args, info), - flowTarget: args.flowTarget, - networkTopNFlowSort: args.sort, - ip: args.ip, - }; - return libs.network.getNetworkTopNFlow(req, options); - }, - async NetworkHttp(source, args, { req }, info) { - const options = { - ...createOptionsPaginated(source, args, info), - networkHttpSort: args.sort, - ip: args.ip, - }; - return libs.network.getNetworkHttp(req, options); - }, - async NetworkDns(source, args, { req }, info) { - const options = { - ...createOptionsPaginated(source, args, info), - networkDnsSortField: args.sort, - isPtrIncluded: args.isPtrIncluded, - }; - return libs.network.getNetworkDns(req, options); - }, - }, -}); diff --git a/x-pack/plugins/security_solution/server/graphql/network/schema.gql.ts b/x-pack/plugins/security_solution/server/graphql/network/schema.gql.ts deleted file mode 100644 index 9bb8a48c12f0d..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/network/schema.gql.ts +++ /dev/null @@ -1,253 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const networkSchema = gql` - enum NetworkDirectionEcs { - inbound - outbound - internal - external - incoming - outgoing - listening - unknown - } - - type TopNetworkTablesEcsField { - bytes_in: Float - bytes_out: Float - } - - type GeoItem { - geo: GeoEcsFields - flowTarget: FlowTargetSourceDest - } - - type AutonomousSystemItem { - name: String - number: Float - } - - type TopCountriesItemSource { - country: String - destination_ips: Float - flows: Float - location: GeoItem - source_ips: Float - } - - type TopCountriesItemDestination { - country: String - destination_ips: Float - flows: Float - location: GeoItem - source_ips: Float - } - - type NetworkTopCountriesItem { - _id: String - source: TopCountriesItemSource - destination: TopCountriesItemDestination - network: TopNetworkTablesEcsField - } - - type NetworkTopCountriesEdges { - node: NetworkTopCountriesItem! - cursor: CursorType! - } - - type NetworkTopCountriesData { - edges: [NetworkTopCountriesEdges!]! - totalCount: Float! - pageInfo: PageInfoPaginated! - inspect: Inspect - } - - type TopNFlowItemSource { - autonomous_system: AutonomousSystemItem - domain: [String!] - ip: String - location: GeoItem - flows: Float - destination_ips: Float - } - - type TopNFlowItemDestination { - autonomous_system: AutonomousSystemItem - domain: [String!] - ip: String - location: GeoItem - flows: Float - source_ips: Float - } - - enum NetworkTopTablesFields { - bytes_in - bytes_out - flows - destination_ips - source_ips - } - - input NetworkTopTablesSortField { - field: NetworkTopTablesFields! - direction: Direction! - } - - type NetworkTopNFlowItem { - _id: String - source: TopNFlowItemSource - destination: TopNFlowItemDestination - network: TopNetworkTablesEcsField - } - - type NetworkTopNFlowEdges { - node: NetworkTopNFlowItem! - cursor: CursorType! - } - - type NetworkTopNFlowData { - edges: [NetworkTopNFlowEdges!]! - totalCount: Float! - pageInfo: PageInfoPaginated! - inspect: Inspect - } - - enum NetworkDnsFields { - dnsName - queryCount - uniqueDomains - dnsBytesIn - dnsBytesOut - } - - input NetworkDnsSortField { - field: NetworkDnsFields! - direction: Direction! - } - - type NetworkDnsItem { - _id: String - dnsBytesIn: Float - dnsBytesOut: Float - dnsName: String - queryCount: Float - uniqueDomains: Float - } - - type NetworkDnsEdges { - node: NetworkDnsItem! - cursor: CursorType! - } - - type MatrixOverOrdinalHistogramData { - x: String! - y: Float! - g: String! - } - - type NetworkDnsData { - edges: [NetworkDnsEdges!]! - totalCount: Float! - pageInfo: PageInfoPaginated! - inspect: Inspect - histogram: [MatrixOverOrdinalHistogramData!] - } - - enum NetworkHttpFields { - domains - lastHost - lastSourceIp - methods - path - requestCount - statuses - } - - input NetworkHttpSortField { - direction: Direction! - } - - type NetworkHttpItem { - _id: String - domains: [String!]! - lastHost: String - lastSourceIp: String - methods: [String!]! - path: String - requestCount: Float - statuses: [String!]! - } - - type NetworkHttpEdges { - node: NetworkHttpItem! - cursor: CursorType! - } - - type NetworkHttpData { - edges: [NetworkHttpEdges!]! - totalCount: Float! - pageInfo: PageInfoPaginated! - inspect: Inspect - } - - type NetworkDsOverTimeData { - inspect: Inspect - matrixHistogramData: [MatrixOverTimeHistogramData!]! - totalCount: Float! - } - - extend type Source { - NetworkTopCountries( - id: String - filterQuery: String - ip: String - flowTarget: FlowTargetSourceDest! - pagination: PaginationInputPaginated! - sort: NetworkTopTablesSortField! - timerange: TimerangeInput! - defaultIndex: [String!]! - ): NetworkTopCountriesData! - NetworkTopNFlow( - id: String - filterQuery: String - ip: String - flowTarget: FlowTargetSourceDest! - pagination: PaginationInputPaginated! - sort: NetworkTopTablesSortField! - timerange: TimerangeInput! - defaultIndex: [String!]! - ): NetworkTopNFlowData! - NetworkDns( - filterQuery: String - id: String - isPtrIncluded: Boolean! - pagination: PaginationInputPaginated! - sort: NetworkDnsSortField! - stackByField: String - timerange: TimerangeInput! - defaultIndex: [String!]! - ): NetworkDnsData! - NetworkDnsHistogram( - filterQuery: String - defaultIndex: [String!]! - timerange: TimerangeInput! - stackByField: String - docValueFields: [docValueFieldsInput!]! - ): NetworkDsOverTimeData! - NetworkHttp( - id: String - filterQuery: String - ip: String - pagination: PaginationInputPaginated! - sort: NetworkHttpSortField! - timerange: TimerangeInput! - defaultIndex: [String!]! - ): NetworkHttpData! - } -`; diff --git a/x-pack/plugins/security_solution/server/graphql/types.ts b/x-pack/plugins/security_solution/server/graphql/types.ts index 5f370ab1b8c9f..c980ddba9f223 100644 --- a/x-pack/plugins/security_solution/server/graphql/types.ts +++ b/x-pack/plugins/security_solution/server/graphql/types.ts @@ -42,53 +42,16 @@ export interface PaginationInputPaginated { querySize: number; } -export interface DocValueFieldsInput { - field: string; - - format: string; -} - -export interface PaginationInput { - /** The limit parameter allows you to configure the maximum amount of items to be returned */ - limit: number; - /** The cursor parameter defines the next result you want to fetch */ - cursor?: Maybe; - /** The tiebreaker parameter allow to be more precise to fetch the next item */ - tiebreaker?: Maybe; -} - -export interface SortField { - sortFieldId: string; - - direction: Direction; -} - -export interface LastTimeDetails { - hostName?: Maybe; - - ip?: Maybe; -} - export interface HostsSortField { field: HostsFields; direction: Direction; } -export interface NetworkTopTablesSortField { - field: NetworkTopTablesFields; - - direction: Direction; -} - -export interface NetworkDnsSortField { - field: NetworkDnsFields; - - direction: Direction; -} +export interface DocValueFieldsInput { + field: string; -export interface NetworkHttpSortField { - direction: Direction; + format: string; } export interface PageInfoTimeline { @@ -269,6 +232,21 @@ export interface SortTimelineInput { sortDirection?: Maybe; } +export interface PaginationInput { + /** The limit parameter allows you to configure the maximum amount of items to be returned */ + limit: number; + /** The cursor parameter defines the next result you want to fetch */ + cursor?: Maybe; + /** The tiebreaker parameter allow to be more precise to fetch the next item */ + tiebreaker?: Maybe; +} + +export interface SortField { + sortFieldId: string; + + direction: Direction; +} + export interface FavoriteTimelineInput { fullName?: Maybe; @@ -287,13 +265,6 @@ export enum Direction { desc = 'desc', } -export enum LastEventIndexKey { - hostDetails = 'hostDetails', - hosts = 'hosts', - ipDetails = 'ipDetails', - network = 'network', -} - export enum HostsFields { hostName = 'hostName', lastSeen = 'lastSeen', @@ -305,35 +276,6 @@ export enum HostPolicyResponseActionStatus { warning = 'warning', } -export enum HistogramType { - authentications = 'authentications', - anomalies = 'anomalies', - events = 'events', - alerts = 'alerts', - dns = 'dns', -} - -export enum FlowTargetSourceDest { - destination = 'destination', - source = 'source', -} - -export enum NetworkTopTablesFields { - bytes_in = 'bytes_in', - bytes_out = 'bytes_out', - flows = 'flows', - destination_ips = 'destination_ips', - source_ips = 'source_ips', -} - -export enum NetworkDnsFields { - dnsName = 'dnsName', - queryCount = 'queryCount', - uniqueDomains = 'uniqueDomains', - dnsBytesIn = 'dnsBytesIn', - dnsBytesOut = 'dnsBytesOut', -} - export enum DataProviderType { default = 'default', template = 'template', @@ -373,27 +315,6 @@ export enum SortFieldTimeline { created = 'created', } -export enum NetworkDirectionEcs { - inbound = 'inbound', - outbound = 'outbound', - internal = 'internal', - external = 'external', - incoming = 'incoming', - outgoing = 'outgoing', - listening = 'listening', - unknown = 'unknown', -} - -export enum NetworkHttpFields { - domains = 'domains', - lastHost = 'lastHost', - lastSourceIp = 'lastSourceIp', - methods = 'methods', - path = 'path', - requestCount = 'requestCount', - statuses = 'statuses', -} - export enum FlowTarget { client = 'client', destination = 'destination', @@ -401,6 +322,11 @@ export enum FlowTarget { source = 'source', } +export enum FlowTargetSourceDest { + destination = 'destination', + source = 'source', +} + export enum FlowDirection { uniDirectional = 'uniDirectional', biDirectional = 'biDirectional', @@ -410,17 +336,15 @@ export type ToStringArray = string[] | string; export type Date = string; -export type ToNumberArray = number[] | number; - -export type ToDateArray = string[] | string; +export type ToAny = any; -export type ToBooleanArray = boolean[] | boolean; +export type ToStringArrayNoNullable = any; -export type ToAny = any; +export type ToDateArray = string[] | string; -export type EsValue = any; +export type ToNumberArray = number[] | number; -export type ToStringArrayNoNullable = any; +export type ToBooleanArray = boolean[] | boolean; export type ToIFieldSubTypeNonNullable = any; @@ -511,38 +435,12 @@ export interface Source { configuration: SourceConfiguration; /** The status of the source */ status: SourceStatus; - /** Gets Authentication success and failures based on a timerange */ - Authentications: AuthenticationsData; - - Timeline: TimelineData; - - TimelineDetails: TimelineDetailsData; - - LastEventTime: LastEventTimeData; /** Gets Hosts based on timerange and specified criteria, or all events in the timerange if no criteria is specified */ Hosts: HostsData; HostOverview: HostItem; HostFirstLastSeen: FirstLastSeenHost; - - KpiNetwork?: Maybe; - - KpiHosts: KpiHostsData; - - KpiHostDetails: KpiHostDetailsData; - - MatrixHistogram: MatrixHistogramOverTimeData; - - NetworkTopCountries: NetworkTopCountriesData; - - NetworkTopNFlow: NetworkTopNFlowData; - - NetworkDns: NetworkDnsData; - - NetworkDnsHistogram: NetworkDsOverTimeData; - - NetworkHttp: NetworkHttpData; /** Just a simple example to get the app name */ whoAmI?: Maybe; } @@ -577,8 +475,8 @@ export interface SourceStatus { indexFields: string[]; } -export interface AuthenticationsData { - edges: AuthenticationsEdges[]; +export interface HostsData { + edges: HostsEdges[]; totalCount: number; @@ -587,84 +485,50 @@ export interface AuthenticationsData { inspect?: Maybe; } -export interface AuthenticationsEdges { - node: AuthenticationItem; +export interface HostsEdges { + node: HostItem; cursor: CursorType; } -export interface AuthenticationItem { - _id: string; +export interface HostItem { + _id?: Maybe; - failures: number; + cloud?: Maybe; - successes: number; + endpoint?: Maybe; - user: UserEcsFields; + host?: Maybe; - lastSuccess?: Maybe; + inspect?: Maybe; - lastFailure?: Maybe; + lastSeen?: Maybe; } -export interface UserEcsFields { - domain?: Maybe; - - id?: Maybe; - - name?: Maybe; - - full_name?: Maybe; +export interface CloudFields { + instance?: Maybe; - email?: Maybe; + machine?: Maybe; - hash?: Maybe; + provider?: Maybe<(Maybe)[]>; - group?: Maybe; + region?: Maybe<(Maybe)[]>; } -export interface LastSourceHost { - timestamp?: Maybe; - - source?: Maybe; - - host?: Maybe; +export interface CloudInstance { + id?: Maybe<(Maybe)[]>; } -export interface SourceEcsFields { - bytes?: Maybe; - - ip?: Maybe; - - port?: Maybe; - - domain?: Maybe; - - geo?: Maybe; - - packets?: Maybe; +export interface CloudMachine { + type?: Maybe<(Maybe)[]>; } -export interface GeoEcsFields { - city_name?: Maybe; - - continent_name?: Maybe; - - country_iso_code?: Maybe; - - country_name?: Maybe; - - location?: Maybe; - - region_iso_code?: Maybe; - - region_name?: Maybe; -} +export interface EndpointFields { + endpointPolicy?: Maybe; -export interface Location { - lon?: Maybe; + sensorVersion?: Maybe; - lat?: Maybe; + policyStatus?: Maybe; } export interface HostEcsFields { @@ -697,6 +561,12 @@ export interface OsEcsFields { kernel?: Maybe; } +export interface Inspect { + dsl: string[]; + + response: string[]; +} + export interface CursorType { value?: Maybe; @@ -711,196 +581,272 @@ export interface PageInfoPaginated { showMorePagesIndicator: boolean; } -export interface Inspect { - dsl: string[]; +export interface FirstLastSeenHost { + inspect?: Maybe; - response: string[]; + firstSeen?: Maybe; + + lastSeen?: Maybe; } -export interface TimelineData { - edges: TimelineEdges[]; +export interface SayMyName { + /** The id of the source */ + appName: string; +} - totalCount: number; +export interface TimelineResult { + columns?: Maybe; - pageInfo: PageInfo; + created?: Maybe; - inspect?: Maybe; -} + createdBy?: Maybe; -export interface TimelineEdges { - node: TimelineItem; + dataProviders?: Maybe; - cursor: CursorType; -} + dateRange?: Maybe; -export interface TimelineItem { - _id: string; + description?: Maybe; - _index?: Maybe; + eventIdToNoteIds?: Maybe; - data: TimelineNonEcsData[]; + eventType?: Maybe; - ecs: Ecs; -} + excludedRowRendererIds?: Maybe; -export interface TimelineNonEcsData { - field: string; + favorite?: Maybe; - value?: Maybe; -} + filters?: Maybe; -export interface Ecs { - _id: string; + kqlMode?: Maybe; - _index?: Maybe; + kqlQuery?: Maybe; - agent?: Maybe; + indexNames?: Maybe; - auditd?: Maybe; + notes?: Maybe; - destination?: Maybe; + noteIds?: Maybe; - dns?: Maybe; + pinnedEventIds?: Maybe; - endgame?: Maybe; + pinnedEventsSaveObject?: Maybe; - event?: Maybe; + savedQueryId?: Maybe; - geo?: Maybe; + savedObjectId: string; - host?: Maybe; + sort?: Maybe; - network?: Maybe; + status?: Maybe; - rule?: Maybe; + title?: Maybe; - signal?: Maybe; + templateTimelineId?: Maybe; - source?: Maybe; + templateTimelineVersion?: Maybe; - suricata?: Maybe; + timelineType?: Maybe; - tls?: Maybe; + updated?: Maybe; - zeek?: Maybe; + updatedBy?: Maybe; - http?: Maybe; + version: string; +} - url?: Maybe; +export interface ColumnHeaderResult { + aggregatable?: Maybe; - timestamp?: Maybe; + category?: Maybe; - message?: Maybe; + columnHeaderType?: Maybe; - user?: Maybe; + description?: Maybe; - winlog?: Maybe; + example?: Maybe; - process?: Maybe; + indexes?: Maybe; - file?: Maybe; + id?: Maybe; - system?: Maybe; -} + name?: Maybe; -export interface AgentEcsField { - type?: Maybe; + placeholder?: Maybe; + + searchable?: Maybe; + + type?: Maybe; } -export interface AuditdEcsFields { - result?: Maybe; +export interface DataProviderResult { + id?: Maybe; - session?: Maybe; + name?: Maybe; - data?: Maybe; + enabled?: Maybe; - summary?: Maybe; + excluded?: Maybe; - sequence?: Maybe; + kqlQuery?: Maybe; + + queryMatch?: Maybe; + + type?: Maybe; + + and?: Maybe; } -export interface AuditdData { - acct?: Maybe; +export interface QueryMatchResult { + field?: Maybe; - terminal?: Maybe; + displayField?: Maybe; - op?: Maybe; + value?: Maybe; + + displayValue?: Maybe; + + operator?: Maybe; } -export interface Summary { - actor?: Maybe; +export interface DateRangePickerResult { + start?: Maybe; - object?: Maybe; + end?: Maybe; +} - how?: Maybe; +export interface FavoriteTimelineResult { + fullName?: Maybe; - message_type?: Maybe; + userName?: Maybe; - sequence?: Maybe; + favoriteDate?: Maybe; } -export interface PrimarySecondary { - primary?: Maybe; +export interface FilterTimelineResult { + exists?: Maybe; - secondary?: Maybe; + meta?: Maybe; - type?: Maybe; + match_all?: Maybe; + + missing?: Maybe; + + query?: Maybe; + + range?: Maybe; + + script?: Maybe; } -export interface DestinationEcsFields { - bytes?: Maybe; +export interface FilterMetaTimelineResult { + alias?: Maybe; - ip?: Maybe; + controlledBy?: Maybe; - port?: Maybe; + disabled?: Maybe; - domain?: Maybe; + field?: Maybe; - geo?: Maybe; + formattedValue?: Maybe; - packets?: Maybe; + index?: Maybe; + + key?: Maybe; + + negate?: Maybe; + + params?: Maybe; + + type?: Maybe; + + value?: Maybe; } -export interface DnsEcsFields { - question?: Maybe; +export interface SerializedFilterQueryResult { + filterQuery?: Maybe; +} - resolved_ip?: Maybe; +export interface SerializedKueryQueryResult { + kuery?: Maybe; - response_code?: Maybe; + serializedQuery?: Maybe; } -export interface DnsQuestionData { - name?: Maybe; +export interface KueryFilterQueryResult { + kind?: Maybe; - type?: Maybe; + expression?: Maybe; } -export interface EndgameEcsFields { - exit_code?: Maybe; +export interface SortTimelineResult { + columnId?: Maybe; - file_name?: Maybe; + sortDirection?: Maybe; +} - file_path?: Maybe; +export interface ResponseTimelines { + timeline: (Maybe)[]; - logon_type?: Maybe; + totalCount?: Maybe; - parent_process_name?: Maybe; + defaultTimelineCount?: Maybe; - pid?: Maybe; + templateTimelineCount?: Maybe; - process_name?: Maybe; + elasticTemplateTimelineCount?: Maybe; - subject_domain_name?: Maybe; + customTemplateTimelineCount?: Maybe; - subject_logon_id?: Maybe; + favoriteCount?: Maybe; +} - subject_user_name?: Maybe; +export interface Mutation { + /** Persists a note */ + persistNote: ResponseNote; - target_domain_name?: Maybe; + deleteNote?: Maybe; - target_logon_id?: Maybe; + deleteNoteByTimelineId?: Maybe; + /** Persists a pinned event in a timeline */ + persistPinnedEventOnTimeline?: Maybe; + /** Remove a pinned events in a timeline */ + deletePinnedEventOnTimeline: boolean; + /** Remove all pinned events in a timeline */ + deleteAllPinnedEventsOnTimeline: boolean; + /** Persists a timeline */ + persistTimeline: ResponseTimeline; - target_user_name?: Maybe; + persistFavorite: ResponseFavoriteTimeline; + + deleteTimeline: boolean; +} + +export interface ResponseNote { + code?: Maybe; + + message?: Maybe; + + note: NoteResult; +} + +export interface ResponseTimeline { + code?: Maybe; + + message?: Maybe; + + timeline: TimelineResult; +} + +export interface ResponseFavoriteTimeline { + code?: Maybe; + + message?: Maybe; + + savedObjectId: string; + + version: string; + + favorite?: Maybe; } export interface EventEcsFields { @@ -943,110 +889,176 @@ export interface EventEcsFields { type?: Maybe; } -export interface NetworkEcsField { - bytes?: Maybe; +export interface Location { + lon?: Maybe; - community_id?: Maybe; + lat?: Maybe; +} - direction?: Maybe; +export interface GeoEcsFields { + city_name?: Maybe; - packets?: Maybe; + continent_name?: Maybe; - protocol?: Maybe; + country_iso_code?: Maybe; - transport?: Maybe; -} + country_name?: Maybe; -export interface RuleEcsField { - reference?: Maybe; + location?: Maybe; + + region_iso_code?: Maybe; + + region_name?: Maybe; } -export interface SignalField { - rule?: Maybe; +export interface PrimarySecondary { + primary?: Maybe; - original_time?: Maybe; + secondary?: Maybe; - status?: Maybe; + type?: Maybe; } -export interface RuleField { - id?: Maybe; +export interface Summary { + actor?: Maybe; - rule_id?: Maybe; + object?: Maybe; - false_positives: string[]; + how?: Maybe; - saved_id?: Maybe; + message_type?: Maybe; - timeline_id?: Maybe; + sequence?: Maybe; +} - timeline_title?: Maybe; +export interface AgentEcsField { + type?: Maybe; +} - max_signals?: Maybe; +export interface AuditdData { + acct?: Maybe; - risk_score?: Maybe; + terminal?: Maybe; - output_index?: Maybe; + op?: Maybe; +} - description?: Maybe; +export interface AuditdEcsFields { + result?: Maybe; - from?: Maybe; + session?: Maybe; - immutable?: Maybe; + data?: Maybe; - index?: Maybe; + summary?: Maybe; - interval?: Maybe; + sequence?: Maybe; +} - language?: Maybe; +export interface Thread { + id?: Maybe; - query?: Maybe; + start?: Maybe; +} - references?: Maybe; +export interface ProcessHashData { + md5?: Maybe; - severity?: Maybe; + sha1?: Maybe; - tags?: Maybe; + sha256?: Maybe; +} - threat?: Maybe; +export interface ProcessEcsFields { + hash?: Maybe; - type?: Maybe; + pid?: Maybe; - size?: Maybe; + name?: Maybe; - to?: Maybe; + ppid?: Maybe; - enabled?: Maybe; + args?: Maybe; - filters?: Maybe; + entity_id?: Maybe; - created_at?: Maybe; + executable?: Maybe; - updated_at?: Maybe; + title?: Maybe; - created_by?: Maybe; + thread?: Maybe; - updated_by?: Maybe; + working_directory?: Maybe; +} - version?: Maybe; +export interface SourceEcsFields { + bytes?: Maybe; - note?: Maybe; + ip?: Maybe; - threshold?: Maybe; + port?: Maybe; - exceptions_list?: Maybe; + domain?: Maybe; + + geo?: Maybe; + + packets?: Maybe; } -export interface SuricataEcsFields { - eve?: Maybe; +export interface DestinationEcsFields { + bytes?: Maybe; + + ip?: Maybe; + + port?: Maybe; + + domain?: Maybe; + + geo?: Maybe; + + packets?: Maybe; } -export interface SuricataEveData { - alert?: Maybe; +export interface DnsQuestionData { + name?: Maybe; - flow_id?: Maybe; + type?: Maybe; +} - proto?: Maybe; +export interface DnsEcsFields { + question?: Maybe; + + resolved_ip?: Maybe; + + response_code?: Maybe; +} + +export interface EndgameEcsFields { + exit_code?: Maybe; + + file_name?: Maybe; + + file_path?: Maybe; + + logon_type?: Maybe; + + parent_process_name?: Maybe; + + pid?: Maybe; + + process_name?: Maybe; + + subject_domain_name?: Maybe; + + subject_logon_id?: Maybe; + + subject_user_name?: Maybe; + + target_domain_name?: Maybe; + + target_logon_id?: Maybe; + + target_user_name?: Maybe; } export interface SuricataAlertData { @@ -1055,48 +1067,44 @@ export interface SuricataAlertData { signature_id?: Maybe; } -export interface TlsEcsFields { - client_certificate?: Maybe; +export interface SuricataEveData { + alert?: Maybe; - fingerprints?: Maybe; + flow_id?: Maybe; - server_certificate?: Maybe; + proto?: Maybe; } -export interface TlsClientCertificateData { - fingerprint?: Maybe; +export interface SuricataEcsFields { + eve?: Maybe; } -export interface FingerprintData { - sha1?: Maybe; +export interface TlsJa3Data { + hash?: Maybe; } -export interface TlsFingerprintsData { - ja3?: Maybe; +export interface FingerprintData { + sha1?: Maybe; } -export interface TlsJa3Data { - hash?: Maybe; +export interface TlsClientCertificateData { + fingerprint?: Maybe; } export interface TlsServerCertificateData { fingerprint?: Maybe; } -export interface ZeekEcsFields { - session_id?: Maybe; - - connection?: Maybe; - - notice?: Maybe; - - dns?: Maybe; +export interface TlsFingerprintsData { + ja3?: Maybe; +} - http?: Maybe; +export interface TlsEcsFields { + client_certificate?: Maybe; - files?: Maybe; + fingerprints?: Maybe; - ssl?: Maybe; + server_certificate?: Maybe; } export interface ZeekConnectionData { @@ -1151,6 +1159,38 @@ export interface ZeekDnsData { TC?: Maybe; } +export interface FileFields { + name?: Maybe; + + path?: Maybe; + + target_path?: Maybe; + + extension?: Maybe; + + type?: Maybe; + + device?: Maybe; + + inode?: Maybe; + + uid?: Maybe; + + owner?: Maybe; + + gid?: Maybe; + + group?: Maybe; + + mode?: Maybe; + + size?: Maybe; + + mtime?: Maybe; + + ctime?: Maybe; +} + export interface ZeekHttpData { resp_mime_types?: Maybe; @@ -1163,6 +1203,48 @@ export interface ZeekHttpData { tags?: Maybe; } +export interface HttpBodyData { + content?: Maybe; + + bytes?: Maybe; +} + +export interface HttpRequestData { + method?: Maybe; + + body?: Maybe; + + referrer?: Maybe; + + bytes?: Maybe; +} + +export interface HttpResponseData { + status_code?: Maybe; + + body?: Maybe; + + bytes?: Maybe; +} + +export interface HttpEcsFields { + version?: Maybe; + + request?: Maybe; + + response?: Maybe; +} + +export interface UrlEcsFields { + domain?: Maybe; + + original?: Maybe; + + username?: Maybe; + + password?: Maybe; +} + export interface ZeekFileData { session_ids?: Maybe; @@ -1211,128 +1293,54 @@ export interface ZeekSslData { version?: Maybe; } -export interface HttpEcsFields { - version?: Maybe; +export interface ZeekEcsFields { + session_id?: Maybe; - request?: Maybe; + connection?: Maybe; - response?: Maybe; -} + notice?: Maybe; -export interface HttpRequestData { - method?: Maybe; + dns?: Maybe; - body?: Maybe; + http?: Maybe; - referrer?: Maybe; + files?: Maybe; - bytes?: Maybe; + ssl?: Maybe; } -export interface HttpBodyData { - content?: Maybe; - - bytes?: Maybe; -} +export interface UserEcsFields { + domain?: Maybe; -export interface HttpResponseData { - status_code?: Maybe; + id?: Maybe; - body?: Maybe; + name?: Maybe; - bytes?: Maybe; -} + full_name?: Maybe; -export interface UrlEcsFields { - domain?: Maybe; + email?: Maybe; - original?: Maybe; + hash?: Maybe; - username?: Maybe; - - password?: Maybe; + group?: Maybe; } export interface WinlogEcsFields { event_id?: Maybe; } -export interface ProcessEcsFields { - hash?: Maybe; - - pid?: Maybe; - - name?: Maybe; - - ppid?: Maybe; - - args?: Maybe; - - entity_id?: Maybe; - - executable?: Maybe; - - title?: Maybe; - - thread?: Maybe; - - working_directory?: Maybe; -} - -export interface ProcessHashData { - md5?: Maybe; - - sha1?: Maybe; - - sha256?: Maybe; -} - -export interface Thread { - id?: Maybe; - - start?: Maybe; -} - -export interface FileFields { - name?: Maybe; - - path?: Maybe; - - target_path?: Maybe; - - extension?: Maybe; - - type?: Maybe; - - device?: Maybe; - - inode?: Maybe; - - uid?: Maybe; - - owner?: Maybe; - - gid?: Maybe; - - group?: Maybe; - - mode?: Maybe; - - size?: Maybe; +export interface NetworkEcsField { + bytes?: Maybe; - mtime?: Maybe; + community_id?: Maybe; - ctime?: Maybe; -} + direction?: Maybe; -export interface SystemEcsField { - audit?: Maybe; + packets?: Maybe; - auth?: Maybe; -} + protocol?: Maybe; -export interface AuditEcsFields { - package?: Maybe; + transport?: Maybe; } export interface PackageEcsFields { @@ -1349,8 +1357,8 @@ export interface PackageEcsFields { version?: Maybe; } -export interface AuthEcsFields { - ssh?: Maybe; +export interface AuditEcsFields { + package?: Maybe; } export interface SshEcsFields { @@ -1359,6688 +1367,4408 @@ export interface SshEcsFields { signature?: Maybe; } -export interface PageInfo { - endCursor?: Maybe; - - hasNextPage?: Maybe; +export interface AuthEcsFields { + ssh?: Maybe; } -export interface TimelineDetailsData { - data?: Maybe; +export interface SystemEcsField { + audit?: Maybe; - inspect?: Maybe; + auth?: Maybe; } -export interface DetailItem { - field: string; - - values?: Maybe; - - originalValue?: Maybe; -} +export interface RuleField { + id?: Maybe; -export interface LastEventTimeData { - lastSeen?: Maybe; + rule_id?: Maybe; - inspect?: Maybe; -} + false_positives: string[]; -export interface HostsData { - edges: HostsEdges[]; + saved_id?: Maybe; - totalCount: number; + timeline_id?: Maybe; - pageInfo: PageInfoPaginated; + timeline_title?: Maybe; - inspect?: Maybe; -} + max_signals?: Maybe; -export interface HostsEdges { - node: HostItem; + risk_score?: Maybe; - cursor: CursorType; -} + output_index?: Maybe; -export interface HostItem { - _id?: Maybe; + description?: Maybe; - cloud?: Maybe; + from?: Maybe; - endpoint?: Maybe; + immutable?: Maybe; - host?: Maybe; + index?: Maybe; - inspect?: Maybe; + interval?: Maybe; - lastSeen?: Maybe; -} + language?: Maybe; -export interface CloudFields { - instance?: Maybe; + query?: Maybe; - machine?: Maybe; + references?: Maybe; - provider?: Maybe<(Maybe)[]>; + severity?: Maybe; - region?: Maybe<(Maybe)[]>; -} + tags?: Maybe; -export interface CloudInstance { - id?: Maybe<(Maybe)[]>; -} + threat?: Maybe; -export interface CloudMachine { - type?: Maybe<(Maybe)[]>; -} + type?: Maybe; -export interface EndpointFields { - endpointPolicy?: Maybe; + size?: Maybe; - sensorVersion?: Maybe; + to?: Maybe; - policyStatus?: Maybe; -} + enabled?: Maybe; -export interface FirstLastSeenHost { - inspect?: Maybe; + filters?: Maybe; - firstSeen?: Maybe; + created_at?: Maybe; - lastSeen?: Maybe; -} + updated_at?: Maybe; -export interface KpiNetworkData { - networkEvents?: Maybe; + created_by?: Maybe; - uniqueFlowId?: Maybe; + updated_by?: Maybe; - uniqueSourcePrivateIps?: Maybe; + version?: Maybe; - uniqueSourcePrivateIpsHistogram?: Maybe; + note?: Maybe; - uniqueDestinationPrivateIps?: Maybe; + threshold?: Maybe; - uniqueDestinationPrivateIpsHistogram?: Maybe; + exceptions_list?: Maybe; +} - dnsQueries?: Maybe; +export interface SignalField { + rule?: Maybe; - tlsHandshakes?: Maybe; + original_time?: Maybe; - inspect?: Maybe; + status?: Maybe; } -export interface KpiNetworkHistogramData { - x?: Maybe; - - y?: Maybe; +export interface RuleEcsField { + reference?: Maybe; } -export interface KpiHostsData { - hosts?: Maybe; - - hostsHistogram?: Maybe; - - authSuccess?: Maybe; - - authSuccessHistogram?: Maybe; - - authFailure?: Maybe; - - authFailureHistogram?: Maybe; - - uniqueSourceIps?: Maybe; +export interface Ecs { + _id: string; - uniqueSourceIpsHistogram?: Maybe; + _index?: Maybe; - uniqueDestinationIps?: Maybe; + agent?: Maybe; - uniqueDestinationIpsHistogram?: Maybe; + auditd?: Maybe; - inspect?: Maybe; -} + destination?: Maybe; -export interface KpiHostHistogramData { - x?: Maybe; + dns?: Maybe; - y?: Maybe; -} + endgame?: Maybe; -export interface KpiHostDetailsData { - authSuccess?: Maybe; + event?: Maybe; - authSuccessHistogram?: Maybe; + geo?: Maybe; - authFailure?: Maybe; + host?: Maybe; - authFailureHistogram?: Maybe; + network?: Maybe; - uniqueSourceIps?: Maybe; + rule?: Maybe; - uniqueSourceIpsHistogram?: Maybe; + signal?: Maybe; - uniqueDestinationIps?: Maybe; + source?: Maybe; - uniqueDestinationIpsHistogram?: Maybe; + suricata?: Maybe; - inspect?: Maybe; -} + tls?: Maybe; -export interface MatrixHistogramOverTimeData { - inspect?: Maybe; + zeek?: Maybe; - matrixHistogramData: MatrixOverTimeHistogramData[]; + http?: Maybe; - totalCount: number; -} + url?: Maybe; -export interface MatrixOverTimeHistogramData { - x?: Maybe; + timestamp?: Maybe; - y?: Maybe; + message?: Maybe; - g?: Maybe; -} + user?: Maybe; -export interface NetworkTopCountriesData { - edges: NetworkTopCountriesEdges[]; + winlog?: Maybe; - totalCount: number; + process?: Maybe; - pageInfo: PageInfoPaginated; + file?: Maybe; - inspect?: Maybe; + system?: Maybe; } -export interface NetworkTopCountriesEdges { - node: NetworkTopCountriesItem; +export interface EcsEdges { + node: Ecs; cursor: CursorType; } -export interface NetworkTopCountriesItem { - _id?: Maybe; - - source?: Maybe; - - destination?: Maybe; - - network?: Maybe; -} +export interface OsFields { + platform?: Maybe; -export interface TopCountriesItemSource { - country?: Maybe; + name?: Maybe; - destination_ips?: Maybe; + full?: Maybe; - flows?: Maybe; + family?: Maybe; - location?: Maybe; + version?: Maybe; - source_ips?: Maybe; + kernel?: Maybe; } -export interface GeoItem { - geo?: Maybe; +export interface HostFields { + architecture?: Maybe; - flowTarget?: Maybe; -} + id?: Maybe; -export interface TopCountriesItemDestination { - country?: Maybe; + ip?: Maybe<(Maybe)[]>; - destination_ips?: Maybe; + mac?: Maybe<(Maybe)[]>; - flows?: Maybe; + name?: Maybe; - location?: Maybe; + os?: Maybe; - source_ips?: Maybe; + type?: Maybe; } -export interface TopNetworkTablesEcsField { - bytes_in?: Maybe; - - bytes_out?: Maybe; -} - -export interface NetworkTopNFlowData { - edges: NetworkTopNFlowEdges[]; - - totalCount: number; +/** A descriptor of a field in an index */ +export interface IndexField { + /** Where the field belong */ + category: string; + /** Example of field's value */ + example?: Maybe; + /** whether the field's belong to an alias index */ + indexes: (Maybe)[]; + /** The name of the field */ + name: string; + /** The type of the field's values as recognized by Kibana */ + type: string; + /** Whether the field's values can be efficiently searched for */ + searchable: boolean; + /** Whether the field's values can be aggregated */ + aggregatable: boolean; + /** Description of the field */ + description?: Maybe; - pageInfo: PageInfoPaginated; + format?: Maybe; + /** the elastic type as mapped in the index */ + esTypes?: Maybe; - inspect?: Maybe; + subType?: Maybe; } -export interface NetworkTopNFlowEdges { - node: NetworkTopNFlowItem; +export interface PageInfo { + endCursor?: Maybe; - cursor: CursorType; + hasNextPage?: Maybe; } -export interface NetworkTopNFlowItem { - _id?: Maybe; - - source?: Maybe; - - destination?: Maybe; +// ==================================================== +// Arguments +// ==================================================== - network?: Maybe; +export interface GetNoteQueryArgs { + id: string; } - -export interface TopNFlowItemSource { - autonomous_system?: Maybe; - - domain?: Maybe; - - ip?: Maybe; - - location?: Maybe; - - flows?: Maybe; - - destination_ips?: Maybe; +export interface GetNotesByTimelineIdQueryArgs { + timelineId: string; } +export interface GetNotesByEventIdQueryArgs { + eventId: string; +} +export interface GetAllNotesQueryArgs { + pageInfo?: Maybe; -export interface AutonomousSystemItem { - name?: Maybe; + search?: Maybe; - number?: Maybe; + sort?: Maybe; } +export interface GetAllPinnedEventsByTimelineIdQueryArgs { + timelineId: string; +} +export interface SourceQueryArgs { + /** The id of the source */ + id: string; +} +export interface GetOneTimelineQueryArgs { + id: string; +} +export interface GetAllTimelineQueryArgs { + pageInfo: PageInfoTimeline; -export interface TopNFlowItemDestination { - autonomous_system?: Maybe; - - domain?: Maybe; + search?: Maybe; - ip?: Maybe; + sort?: Maybe; - location?: Maybe; + onlyUserFavorite?: Maybe; - flows?: Maybe; + timelineType?: Maybe; - source_ips?: Maybe; + status?: Maybe; } +export interface HostsSourceArgs { + id?: Maybe; -export interface NetworkDnsData { - edges: NetworkDnsEdges[]; - - totalCount: number; + timerange: TimerangeInput; - pageInfo: PageInfoPaginated; + pagination: PaginationInputPaginated; - inspect?: Maybe; + sort: HostsSortField; - histogram?: Maybe; -} + filterQuery?: Maybe; -export interface NetworkDnsEdges { - node: NetworkDnsItem; + defaultIndex: string[]; - cursor: CursorType; + docValueFields: DocValueFieldsInput[]; } +export interface HostOverviewSourceArgs { + id?: Maybe; -export interface NetworkDnsItem { - _id?: Maybe; - - dnsBytesIn?: Maybe; - - dnsBytesOut?: Maybe; - - dnsName?: Maybe; + hostName: string; - queryCount?: Maybe; + timerange: TimerangeInput; - uniqueDomains?: Maybe; + defaultIndex: string[]; } +export interface HostFirstLastSeenSourceArgs { + id?: Maybe; -export interface MatrixOverOrdinalHistogramData { - x: string; + hostName: string; - y: number; + defaultIndex: string[]; - g: string; + docValueFields: DocValueFieldsInput[]; } +export interface IndicesExistSourceStatusArgs { + defaultIndex: string[]; +} +export interface IndexFieldsSourceStatusArgs { + defaultIndex: string[]; +} +export interface PersistNoteMutationArgs { + noteId?: Maybe; -export interface NetworkDsOverTimeData { - inspect?: Maybe; - - matrixHistogramData: MatrixOverTimeHistogramData[]; + version?: Maybe; - totalCount: number; + note: NoteInput; } +export interface DeleteNoteMutationArgs { + id: string[]; +} +export interface DeleteNoteByTimelineIdMutationArgs { + timelineId: string; -export interface NetworkHttpData { - edges: NetworkHttpEdges[]; - - totalCount: number; + version?: Maybe; +} +export interface PersistPinnedEventOnTimelineMutationArgs { + pinnedEventId?: Maybe; - pageInfo: PageInfoPaginated; + eventId: string; - inspect?: Maybe; + timelineId?: Maybe; +} +export interface DeletePinnedEventOnTimelineMutationArgs { + id: string[]; +} +export interface DeleteAllPinnedEventsOnTimelineMutationArgs { + timelineId: string; } +export interface PersistTimelineMutationArgs { + id?: Maybe; -export interface NetworkHttpEdges { - node: NetworkHttpItem; + version?: Maybe; - cursor: CursorType; + timeline: TimelineInput; +} +export interface PersistFavoriteMutationArgs { + timelineId?: Maybe; +} +export interface DeleteTimelineMutationArgs { + id: string[]; } -export interface NetworkHttpItem { - _id?: Maybe; +import { GraphQLResolveInfo, GraphQLScalarType, GraphQLScalarTypeConfig } from 'graphql'; - domains: string[]; +export type Resolver = ( + parent: Parent, + args: Args, + context: TContext, + info: GraphQLResolveInfo +) => Promise | Result; - lastHost?: Maybe; +export interface ISubscriptionResolverObject { + subscribe( + parent: P, + args: Args, + context: TContext, + info: GraphQLResolveInfo + ): AsyncIterator | Promise>; + resolve?( + parent: P, + args: Args, + context: TContext, + info: GraphQLResolveInfo + ): R | Result | Promise; +} - lastSourceIp?: Maybe; +export type SubscriptionResolver = + | ((...args: any[]) => ISubscriptionResolverObject) + | ISubscriptionResolverObject; - methods: string[]; +export type TypeResolveFn = ( + parent: Parent, + context: TContext, + info: GraphQLResolveInfo +) => Maybe; - path?: Maybe; +export type NextResolverFn = () => Promise; - requestCount?: Maybe; +export type DirectiveResolverFn = ( + next: NextResolverFn, + source: any, + args: TArgs, + context: TContext, + info: GraphQLResolveInfo +) => TResult | Promise; - statuses: string[]; -} +export namespace QueryResolvers { + export interface Resolvers { + getNote?: GetNoteResolver; -export interface SayMyName { - /** The id of the source */ - appName: string; -} + getNotesByTimelineId?: GetNotesByTimelineIdResolver; -export interface TimelineResult { - columns?: Maybe; + getNotesByEventId?: GetNotesByEventIdResolver; - created?: Maybe; + getAllNotes?: GetAllNotesResolver; - createdBy?: Maybe; + getAllPinnedEventsByTimelineId?: GetAllPinnedEventsByTimelineIdResolver< + PinnedEvent[], + TypeParent, + TContext + >; + /** Get a security data source by id */ + source?: SourceResolver; + /** Get a list of all security data sources */ + allSources?: AllSourcesResolver; - dataProviders?: Maybe; + getOneTimeline?: GetOneTimelineResolver; - dateRange?: Maybe; + getAllTimeline?: GetAllTimelineResolver; + } - description?: Maybe; + export type GetNoteResolver = Resolver< + R, + Parent, + TContext, + GetNoteArgs + >; + export interface GetNoteArgs { + id: string; + } - eventIdToNoteIds?: Maybe; + export type GetNotesByTimelineIdResolver< + R = NoteResult[], + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface GetNotesByTimelineIdArgs { + timelineId: string; + } - eventType?: Maybe; + export type GetNotesByEventIdResolver< + R = NoteResult[], + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface GetNotesByEventIdArgs { + eventId: string; + } - excludedRowRendererIds?: Maybe; + export type GetAllNotesResolver< + R = ResponseNotes, + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface GetAllNotesArgs { + pageInfo?: Maybe; - favorite?: Maybe; + search?: Maybe; - filters?: Maybe; + sort?: Maybe; + } - kqlMode?: Maybe; - - kqlQuery?: Maybe; - - indexNames?: Maybe; - - notes?: Maybe; - - noteIds?: Maybe; - - pinnedEventIds?: Maybe; - - pinnedEventsSaveObject?: Maybe; - - savedQueryId?: Maybe; - - savedObjectId: string; - - sort?: Maybe; - - status?: Maybe; - - title?: Maybe; - - templateTimelineId?: Maybe; - - templateTimelineVersion?: Maybe; - - timelineType?: Maybe; - - updated?: Maybe; - - updatedBy?: Maybe; - - version: string; -} - -export interface ColumnHeaderResult { - aggregatable?: Maybe; - - category?: Maybe; - - columnHeaderType?: Maybe; - - description?: Maybe; - - example?: Maybe; - - indexes?: Maybe; - - id?: Maybe; - - name?: Maybe; - - placeholder?: Maybe; - - searchable?: Maybe; - - type?: Maybe; -} - -export interface DataProviderResult { - id?: Maybe; - - name?: Maybe; - - enabled?: Maybe; - - excluded?: Maybe; - - kqlQuery?: Maybe; - - queryMatch?: Maybe; - - type?: Maybe; - - and?: Maybe; -} - -export interface QueryMatchResult { - field?: Maybe; - - displayField?: Maybe; - - value?: Maybe; - - displayValue?: Maybe; - - operator?: Maybe; -} - -export interface DateRangePickerResult { - start?: Maybe; - - end?: Maybe; -} - -export interface FavoriteTimelineResult { - fullName?: Maybe; - - userName?: Maybe; - - favoriteDate?: Maybe; -} - -export interface FilterTimelineResult { - exists?: Maybe; - - meta?: Maybe; - - match_all?: Maybe; - - missing?: Maybe; - - query?: Maybe; - - range?: Maybe; - - script?: Maybe; -} - -export interface FilterMetaTimelineResult { - alias?: Maybe; - - controlledBy?: Maybe; - - disabled?: Maybe; - - field?: Maybe; - - formattedValue?: Maybe; - - index?: Maybe; - - key?: Maybe; - - negate?: Maybe; - - params?: Maybe; - - type?: Maybe; - - value?: Maybe; -} - -export interface SerializedFilterQueryResult { - filterQuery?: Maybe; -} - -export interface SerializedKueryQueryResult { - kuery?: Maybe; - - serializedQuery?: Maybe; -} - -export interface KueryFilterQueryResult { - kind?: Maybe; - - expression?: Maybe; -} - -export interface SortTimelineResult { - columnId?: Maybe; - - sortDirection?: Maybe; -} - -export interface ResponseTimelines { - timeline: (Maybe)[]; - - totalCount?: Maybe; - - defaultTimelineCount?: Maybe; - - templateTimelineCount?: Maybe; - - elasticTemplateTimelineCount?: Maybe; - - customTemplateTimelineCount?: Maybe; - - favoriteCount?: Maybe; -} - -export interface Mutation { - /** Persists a note */ - persistNote: ResponseNote; - - deleteNote?: Maybe; - - deleteNoteByTimelineId?: Maybe; - /** Persists a pinned event in a timeline */ - persistPinnedEventOnTimeline?: Maybe; - /** Remove a pinned events in a timeline */ - deletePinnedEventOnTimeline: boolean; - /** Remove all pinned events in a timeline */ - deleteAllPinnedEventsOnTimeline: boolean; - /** Persists a timeline */ - persistTimeline: ResponseTimeline; - - persistFavorite: ResponseFavoriteTimeline; - - deleteTimeline: boolean; -} - -export interface ResponseNote { - code?: Maybe; - - message?: Maybe; - - note: NoteResult; -} - -export interface ResponseTimeline { - code?: Maybe; - - message?: Maybe; - - timeline: TimelineResult; -} - -export interface ResponseFavoriteTimeline { - code?: Maybe; - - message?: Maybe; - - savedObjectId: string; - - version: string; - - favorite?: Maybe; -} - -export interface EcsEdges { - node: Ecs; - - cursor: CursorType; -} - -export interface EventsTimelineData { - edges: EcsEdges[]; - - totalCount: number; - - pageInfo: PageInfo; - - inspect?: Maybe; -} - -export interface OsFields { - platform?: Maybe; - - name?: Maybe; - - full?: Maybe; - - family?: Maybe; - - version?: Maybe; - - kernel?: Maybe; -} - -export interface HostFields { - architecture?: Maybe; - - id?: Maybe; - - ip?: Maybe<(Maybe)[]>; - - mac?: Maybe<(Maybe)[]>; - - name?: Maybe; - - os?: Maybe; - - type?: Maybe; -} - -/** A descriptor of a field in an index */ -export interface IndexField { - /** Where the field belong */ - category: string; - /** Example of field's value */ - example?: Maybe; - /** whether the field's belong to an alias index */ - indexes: (Maybe)[]; - /** The name of the field */ - name: string; - /** The type of the field's values as recognized by Kibana */ - type: string; - /** Whether the field's values can be efficiently searched for */ - searchable: boolean; - /** Whether the field's values can be aggregated */ - aggregatable: boolean; - /** Description of the field */ - description?: Maybe; - - format?: Maybe; - /** the elastic type as mapped in the index */ - esTypes?: Maybe; - - subType?: Maybe; -} - -// ==================================================== -// Arguments -// ==================================================== - -export interface GetNoteQueryArgs { - id: string; -} -export interface GetNotesByTimelineIdQueryArgs { - timelineId: string; -} -export interface GetNotesByEventIdQueryArgs { - eventId: string; -} -export interface GetAllNotesQueryArgs { - pageInfo?: Maybe; - - search?: Maybe; - - sort?: Maybe; -} -export interface GetAllPinnedEventsByTimelineIdQueryArgs { - timelineId: string; -} -export interface SourceQueryArgs { - /** The id of the source */ - id: string; -} -export interface GetOneTimelineQueryArgs { - id: string; -} -export interface GetAllTimelineQueryArgs { - pageInfo: PageInfoTimeline; - - search?: Maybe; - - sort?: Maybe; - - onlyUserFavorite?: Maybe; - - timelineType?: Maybe; - - status?: Maybe; -} -export interface AuthenticationsSourceArgs { - timerange: TimerangeInput; - - pagination: PaginationInputPaginated; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface TimelineSourceArgs { - pagination: PaginationInput; - - sortField: SortField; - - fieldRequested: string[]; - - timerange?: Maybe; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface TimelineDetailsSourceArgs { - eventId: string; - - indexName: string; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface LastEventTimeSourceArgs { - id?: Maybe; - - indexKey: LastEventIndexKey; - - details: LastTimeDetails; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface HostsSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - pagination: PaginationInputPaginated; - - sort: HostsSortField; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface HostOverviewSourceArgs { - id?: Maybe; - - hostName: string; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface HostFirstLastSeenSourceArgs { - id?: Maybe; - - hostName: string; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; -} -export interface KpiNetworkSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; -} -export interface KpiHostsSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; -} -export interface KpiHostDetailsSourceArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; -} -export interface MatrixHistogramSourceArgs { - filterQuery?: Maybe; - - defaultIndex: string[]; - - timerange: TimerangeInput; - - stackByField: string; - - histogramType: HistogramType; -} -export interface NetworkTopCountriesSourceArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - flowTarget: FlowTargetSourceDest; - - pagination: PaginationInputPaginated; - - sort: NetworkTopTablesSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface NetworkTopNFlowSourceArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - flowTarget: FlowTargetSourceDest; - - pagination: PaginationInputPaginated; - - sort: NetworkTopTablesSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface NetworkDnsSourceArgs { - filterQuery?: Maybe; - - id?: Maybe; - - isPtrIncluded: boolean; - - pagination: PaginationInputPaginated; - - sort: NetworkDnsSortField; - - stackByField?: Maybe; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface NetworkDnsHistogramSourceArgs { - filterQuery?: Maybe; - - defaultIndex: string[]; - - timerange: TimerangeInput; - - stackByField?: Maybe; - - docValueFields: DocValueFieldsInput[]; -} -export interface NetworkHttpSourceArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - pagination: PaginationInputPaginated; - - sort: NetworkHttpSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; -} -export interface IndicesExistSourceStatusArgs { - defaultIndex: string[]; -} -export interface IndexFieldsSourceStatusArgs { - defaultIndex: string[]; -} -export interface PersistNoteMutationArgs { - noteId?: Maybe; - - version?: Maybe; - - note: NoteInput; -} -export interface DeleteNoteMutationArgs { - id: string[]; -} -export interface DeleteNoteByTimelineIdMutationArgs { - timelineId: string; - - version?: Maybe; -} -export interface PersistPinnedEventOnTimelineMutationArgs { - pinnedEventId?: Maybe; - - eventId: string; - - timelineId?: Maybe; -} -export interface DeletePinnedEventOnTimelineMutationArgs { - id: string[]; -} -export interface DeleteAllPinnedEventsOnTimelineMutationArgs { - timelineId: string; -} -export interface PersistTimelineMutationArgs { - id?: Maybe; - - version?: Maybe; - - timeline: TimelineInput; -} -export interface PersistFavoriteMutationArgs { - timelineId?: Maybe; -} -export interface DeleteTimelineMutationArgs { - id: string[]; -} - -import { GraphQLResolveInfo, GraphQLScalarType, GraphQLScalarTypeConfig } from 'graphql'; - -export type Resolver = ( - parent: Parent, - args: Args, - context: TContext, - info: GraphQLResolveInfo -) => Promise | Result; - -export interface ISubscriptionResolverObject { - subscribe( - parent: P, - args: Args, - context: TContext, - info: GraphQLResolveInfo - ): AsyncIterator | Promise>; - resolve?( - parent: P, - args: Args, - context: TContext, - info: GraphQLResolveInfo - ): R | Result | Promise; -} - -export type SubscriptionResolver = - | ((...args: any[]) => ISubscriptionResolverObject) - | ISubscriptionResolverObject; - -export type TypeResolveFn = ( - parent: Parent, - context: TContext, - info: GraphQLResolveInfo -) => Maybe; - -export type NextResolverFn = () => Promise; - -export type DirectiveResolverFn = ( - next: NextResolverFn, - source: any, - args: TArgs, - context: TContext, - info: GraphQLResolveInfo -) => TResult | Promise; - -export namespace QueryResolvers { - export interface Resolvers { - getNote?: GetNoteResolver; - - getNotesByTimelineId?: GetNotesByTimelineIdResolver; - - getNotesByEventId?: GetNotesByEventIdResolver; - - getAllNotes?: GetAllNotesResolver; - - getAllPinnedEventsByTimelineId?: GetAllPinnedEventsByTimelineIdResolver< - PinnedEvent[], - TypeParent, - TContext - >; - /** Get a security data source by id */ - source?: SourceResolver; - /** Get a list of all security data sources */ - allSources?: AllSourcesResolver; - - getOneTimeline?: GetOneTimelineResolver; - - getAllTimeline?: GetAllTimelineResolver; - } - - export type GetNoteResolver = Resolver< - R, - Parent, - TContext, - GetNoteArgs - >; - export interface GetNoteArgs { - id: string; - } - - export type GetNotesByTimelineIdResolver< - R = NoteResult[], - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface GetNotesByTimelineIdArgs { - timelineId: string; - } - - export type GetNotesByEventIdResolver< - R = NoteResult[], - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface GetNotesByEventIdArgs { - eventId: string; - } - - export type GetAllNotesResolver< - R = ResponseNotes, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface GetAllNotesArgs { - pageInfo?: Maybe; - - search?: Maybe; - - sort?: Maybe; - } - - export type GetAllPinnedEventsByTimelineIdResolver< - R = PinnedEvent[], - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface GetAllPinnedEventsByTimelineIdArgs { - timelineId: string; - } - - export type SourceResolver = Resolver< - R, - Parent, - TContext, - SourceArgs - >; - export interface SourceArgs { - /** The id of the source */ - id: string; - } - - export type AllSourcesResolver = Resolver< - R, - Parent, - TContext - >; - export type GetOneTimelineResolver< - R = TimelineResult, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface GetOneTimelineArgs { - id: string; - } - - export type GetAllTimelineResolver< - R = ResponseTimelines, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface GetAllTimelineArgs { - pageInfo: PageInfoTimeline; - - search?: Maybe; - - sort?: Maybe; - - onlyUserFavorite?: Maybe; - - timelineType?: Maybe; - - status?: Maybe; - } -} - -export namespace NoteResultResolvers { - export interface Resolvers { - eventId?: EventIdResolver, TypeParent, TContext>; - - note?: NoteResolver, TypeParent, TContext>; - - timelineId?: TimelineIdResolver, TypeParent, TContext>; - - noteId?: NoteIdResolver; - - created?: CreatedResolver, TypeParent, TContext>; - - createdBy?: CreatedByResolver, TypeParent, TContext>; - - timelineVersion?: TimelineVersionResolver, TypeParent, TContext>; - - updated?: UpdatedResolver, TypeParent, TContext>; - - updatedBy?: UpdatedByResolver, TypeParent, TContext>; - - version?: VersionResolver, TypeParent, TContext>; - } - - export type EventIdResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type NoteResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type TimelineIdResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type NoteIdResolver = Resolver< - R, - Parent, - TContext - >; - export type CreatedResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type CreatedByResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type TimelineVersionResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type UpdatedResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type UpdatedByResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; - export type VersionResolver< - R = Maybe, - Parent = NoteResult, - TContext = SiemContext - > = Resolver; -} - -export namespace ResponseNotesResolvers { - export interface Resolvers { - notes?: NotesResolver; - - totalCount?: TotalCountResolver, TypeParent, TContext>; - } - - export type NotesResolver< - R = NoteResult[], - Parent = ResponseNotes, - TContext = SiemContext - > = Resolver; - export type TotalCountResolver< - R = Maybe, - Parent = ResponseNotes, - TContext = SiemContext - > = Resolver; -} - -export namespace PinnedEventResolvers { - export interface Resolvers { - code?: CodeResolver, TypeParent, TContext>; - - message?: MessageResolver, TypeParent, TContext>; - - pinnedEventId?: PinnedEventIdResolver; - - eventId?: EventIdResolver, TypeParent, TContext>; - - timelineId?: TimelineIdResolver, TypeParent, TContext>; - - timelineVersion?: TimelineVersionResolver, TypeParent, TContext>; - - created?: CreatedResolver, TypeParent, TContext>; - - createdBy?: CreatedByResolver, TypeParent, TContext>; - - updated?: UpdatedResolver, TypeParent, TContext>; - - updatedBy?: UpdatedByResolver, TypeParent, TContext>; - - version?: VersionResolver, TypeParent, TContext>; - } - - export type CodeResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type MessageResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type PinnedEventIdResolver< - R = string, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type EventIdResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type TimelineIdResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type TimelineVersionResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type CreatedResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type CreatedByResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type UpdatedResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type UpdatedByResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; - export type VersionResolver< - R = Maybe, - Parent = PinnedEvent, - TContext = SiemContext - > = Resolver; -} - -export namespace SourceResolvers { - export interface Resolvers { - /** The id of the source */ - id?: IdResolver; - /** The raw configuration of the source */ - configuration?: ConfigurationResolver; - /** The status of the source */ - status?: StatusResolver; - /** Gets Authentication success and failures based on a timerange */ - Authentications?: AuthenticationsResolver; - - Timeline?: TimelineResolver; - - TimelineDetails?: TimelineDetailsResolver; - - LastEventTime?: LastEventTimeResolver; - /** Gets Hosts based on timerange and specified criteria, or all events in the timerange if no criteria is specified */ - Hosts?: HostsResolver; - - HostOverview?: HostOverviewResolver; - - HostFirstLastSeen?: HostFirstLastSeenResolver; - - KpiNetwork?: KpiNetworkResolver, TypeParent, TContext>; - - KpiHosts?: KpiHostsResolver; - - KpiHostDetails?: KpiHostDetailsResolver; - - MatrixHistogram?: MatrixHistogramResolver; - - NetworkTopCountries?: NetworkTopCountriesResolver< - NetworkTopCountriesData, - TypeParent, - TContext - >; - - NetworkTopNFlow?: NetworkTopNFlowResolver; - - NetworkDns?: NetworkDnsResolver; - - NetworkDnsHistogram?: NetworkDnsHistogramResolver; - - NetworkHttp?: NetworkHttpResolver; - /** Just a simple example to get the app name */ - whoAmI?: WhoAmIResolver, TypeParent, TContext>; - } - - export type IdResolver = Resolver< - R, - Parent, - TContext - >; - export type ConfigurationResolver< - R = SourceConfiguration, - Parent = Source, - TContext = SiemContext - > = Resolver; - export type StatusResolver = Resolver< - R, - Parent, - TContext - >; - export type AuthenticationsResolver< - R = AuthenticationsData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface AuthenticationsArgs { - timerange: TimerangeInput; - - pagination: PaginationInputPaginated; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; - } - - export type TimelineResolver< - R = TimelineData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface TimelineArgs { - pagination: PaginationInput; - - sortField: SortField; - - fieldRequested: string[]; - - timerange?: Maybe; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; - } - - export type TimelineDetailsResolver< - R = TimelineDetailsData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface TimelineDetailsArgs { - eventId: string; - - indexName: string; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; - } - - export type LastEventTimeResolver< - R = LastEventTimeData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface LastEventTimeArgs { - id?: Maybe; - - indexKey: LastEventIndexKey; - - details: LastTimeDetails; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; - } - - export type HostsResolver = Resolver< - R, - Parent, - TContext, - HostsArgs - >; - export interface HostsArgs { - id?: Maybe; - - timerange: TimerangeInput; - - pagination: PaginationInputPaginated; - - sort: HostsSortField; - - filterQuery?: Maybe; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; - } - - export type HostOverviewResolver< - R = HostItem, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface HostOverviewArgs { - id?: Maybe; - - hostName: string; - - timerange: TimerangeInput; - - defaultIndex: string[]; - } - - export type HostFirstLastSeenResolver< - R = FirstLastSeenHost, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface HostFirstLastSeenArgs { - id?: Maybe; - - hostName: string; - - defaultIndex: string[]; - - docValueFields: DocValueFieldsInput[]; - } - - export type KpiNetworkResolver< - R = Maybe, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface KpiNetworkArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; - } - - export type KpiHostsResolver< - R = KpiHostsData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface KpiHostsArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; - } - - export type KpiHostDetailsResolver< - R = KpiHostDetailsData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface KpiHostDetailsArgs { - id?: Maybe; - - timerange: TimerangeInput; - - filterQuery?: Maybe; - - defaultIndex: string[]; - } - - export type MatrixHistogramResolver< - R = MatrixHistogramOverTimeData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface MatrixHistogramArgs { - filterQuery?: Maybe; - - defaultIndex: string[]; - - timerange: TimerangeInput; - - stackByField: string; - - histogramType: HistogramType; - } - - export type NetworkTopCountriesResolver< - R = NetworkTopCountriesData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface NetworkTopCountriesArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - flowTarget: FlowTargetSourceDest; - - pagination: PaginationInputPaginated; - - sort: NetworkTopTablesSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; - } - - export type NetworkTopNFlowResolver< - R = NetworkTopNFlowData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface NetworkTopNFlowArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - flowTarget: FlowTargetSourceDest; - - pagination: PaginationInputPaginated; - - sort: NetworkTopTablesSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; - } - - export type NetworkDnsResolver< - R = NetworkDnsData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface NetworkDnsArgs { - filterQuery?: Maybe; - - id?: Maybe; - - isPtrIncluded: boolean; - - pagination: PaginationInputPaginated; - - sort: NetworkDnsSortField; - - stackByField?: Maybe; - - timerange: TimerangeInput; - - defaultIndex: string[]; - } - - export type NetworkDnsHistogramResolver< - R = NetworkDsOverTimeData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface NetworkDnsHistogramArgs { - filterQuery?: Maybe; - - defaultIndex: string[]; - - timerange: TimerangeInput; - - stackByField?: Maybe; - - docValueFields: DocValueFieldsInput[]; - } - - export type NetworkHttpResolver< - R = NetworkHttpData, - Parent = Source, - TContext = SiemContext - > = Resolver; - export interface NetworkHttpArgs { - id?: Maybe; - - filterQuery?: Maybe; - - ip?: Maybe; - - pagination: PaginationInputPaginated; - - sort: NetworkHttpSortField; - - timerange: TimerangeInput; - - defaultIndex: string[]; - } - - export type WhoAmIResolver< - R = Maybe, - Parent = Source, - TContext = SiemContext - > = Resolver; -} -/** A set of configuration options for a security data source */ -export namespace SourceConfigurationResolvers { - export interface Resolvers { - /** The field mapping to use for this source */ - fields?: FieldsResolver; - } - - export type FieldsResolver< - R = SourceFields, - Parent = SourceConfiguration, - TContext = SiemContext - > = Resolver; -} -/** A mapping of semantic fields to their document counterparts */ -export namespace SourceFieldsResolvers { - export interface Resolvers { - /** The field to identify a container by */ - container?: ContainerResolver; - /** The fields to identify a host by */ - host?: HostResolver; - /** The fields that may contain the log event message. The first field found win. */ - message?: MessageResolver; - /** The field to identify a pod by */ - pod?: PodResolver; - /** The field to use as a tiebreaker for log events that have identical timestamps */ - tiebreaker?: TiebreakerResolver; - /** The field to use as a timestamp for metrics and logs */ - timestamp?: TimestampResolver; - } - - export type ContainerResolver< - R = string, - Parent = SourceFields, - TContext = SiemContext - > = Resolver; - export type HostResolver = Resolver< - R, - Parent, - TContext - >; - export type MessageResolver< - R = string[], - Parent = SourceFields, - TContext = SiemContext - > = Resolver; - export type PodResolver = Resolver< - R, - Parent, - TContext - >; - export type TiebreakerResolver< - R = string, - Parent = SourceFields, - TContext = SiemContext - > = Resolver; - export type TimestampResolver< - R = string, - Parent = SourceFields, - TContext = SiemContext - > = Resolver; -} -/** The status of an infrastructure data source */ -export namespace SourceStatusResolvers { - export interface Resolvers { - /** Whether the configured alias or wildcard pattern resolve to any auditbeat indices */ - indicesExist?: IndicesExistResolver; - /** The list of fields defined in the index mappings */ - indexFields?: IndexFieldsResolver; - } - - export type IndicesExistResolver< - R = boolean, - Parent = SourceStatus, - TContext = SiemContext - > = Resolver; - export interface IndicesExistArgs { - defaultIndex: string[]; - } - - export type IndexFieldsResolver< - R = string[], - Parent = SourceStatus, - TContext = SiemContext - > = Resolver; - export interface IndexFieldsArgs { - defaultIndex: string[]; - } -} - -export namespace AuthenticationsDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; - - pageInfo?: PageInfoResolver; - - inspect?: InspectResolver, TypeParent, TContext>; - } - - export type EdgesResolver< - R = AuthenticationsEdges[], - Parent = AuthenticationsData, - TContext = SiemContext - > = Resolver; - export type TotalCountResolver< - R = number, - Parent = AuthenticationsData, - TContext = SiemContext - > = Resolver; - export type PageInfoResolver< - R = PageInfoPaginated, - Parent = AuthenticationsData, - TContext = SiemContext - > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = AuthenticationsData, - TContext = SiemContext - > = Resolver; -} - -export namespace AuthenticationsEdgesResolvers { - export interface Resolvers { - node?: NodeResolver; - - cursor?: CursorResolver; - } - - export type NodeResolver< - R = AuthenticationItem, - Parent = AuthenticationsEdges, - TContext = SiemContext - > = Resolver; - export type CursorResolver< - R = CursorType, - Parent = AuthenticationsEdges, - TContext = SiemContext - > = Resolver; -} - -export namespace AuthenticationItemResolvers { - export interface Resolvers { - _id?: _IdResolver; - - failures?: FailuresResolver; - - successes?: SuccessesResolver; - - user?: UserResolver; - - lastSuccess?: LastSuccessResolver, TypeParent, TContext>; - - lastFailure?: LastFailureResolver, TypeParent, TContext>; - } - - export type _IdResolver< - R = string, - Parent = AuthenticationItem, - TContext = SiemContext - > = Resolver; - export type FailuresResolver< - R = number, - Parent = AuthenticationItem, - TContext = SiemContext - > = Resolver; - export type SuccessesResolver< - R = number, - Parent = AuthenticationItem, - TContext = SiemContext - > = Resolver; - export type UserResolver< - R = UserEcsFields, - Parent = AuthenticationItem, - TContext = SiemContext - > = Resolver; - export type LastSuccessResolver< - R = Maybe, - Parent = AuthenticationItem, - TContext = SiemContext - > = Resolver; - export type LastFailureResolver< - R = Maybe, - Parent = AuthenticationItem, - TContext = SiemContext - > = Resolver; -} - -export namespace UserEcsFieldsResolvers { - export interface Resolvers { - domain?: DomainResolver, TypeParent, TContext>; - - id?: IdResolver, TypeParent, TContext>; - - name?: NameResolver, TypeParent, TContext>; - - full_name?: FullNameResolver, TypeParent, TContext>; - - email?: EmailResolver, TypeParent, TContext>; - - hash?: HashResolver, TypeParent, TContext>; - - group?: GroupResolver, TypeParent, TContext>; - } - - export type DomainResolver< - R = Maybe, - Parent = UserEcsFields, - TContext = SiemContext - > = Resolver; - export type IdResolver< - R = Maybe, - Parent = UserEcsFields, - TContext = SiemContext - > = Resolver; - export type NameResolver< - R = Maybe, - Parent = UserEcsFields, - TContext = SiemContext - > = Resolver; - export type FullNameResolver< - R = Maybe, - Parent = UserEcsFields, - TContext = SiemContext - > = Resolver; - export type EmailResolver< - R = Maybe, - Parent = UserEcsFields, - TContext = SiemContext - > = Resolver; - export type HashResolver< - R = Maybe, - Parent = UserEcsFields, - TContext = SiemContext - > = Resolver; - export type GroupResolver< - R = Maybe, - Parent = UserEcsFields, - TContext = SiemContext - > = Resolver; -} - -export namespace LastSourceHostResolvers { - export interface Resolvers { - timestamp?: TimestampResolver, TypeParent, TContext>; - - source?: SourceResolver, TypeParent, TContext>; - - host?: HostResolver, TypeParent, TContext>; - } - - export type TimestampResolver< - R = Maybe, - Parent = LastSourceHost, - TContext = SiemContext - > = Resolver; - export type SourceResolver< - R = Maybe, - Parent = LastSourceHost, - TContext = SiemContext - > = Resolver; - export type HostResolver< - R = Maybe, - Parent = LastSourceHost, - TContext = SiemContext - > = Resolver; -} - -export namespace SourceEcsFieldsResolvers { - export interface Resolvers { - bytes?: BytesResolver, TypeParent, TContext>; - - ip?: IpResolver, TypeParent, TContext>; - - port?: PortResolver, TypeParent, TContext>; - - domain?: DomainResolver, TypeParent, TContext>; - - geo?: GeoResolver, TypeParent, TContext>; - - packets?: PacketsResolver, TypeParent, TContext>; - } - - export type BytesResolver< - R = Maybe, - Parent = SourceEcsFields, - TContext = SiemContext - > = Resolver; - export type IpResolver< - R = Maybe, - Parent = SourceEcsFields, - TContext = SiemContext - > = Resolver; - export type PortResolver< - R = Maybe, - Parent = SourceEcsFields, - TContext = SiemContext - > = Resolver; - export type DomainResolver< - R = Maybe, - Parent = SourceEcsFields, - TContext = SiemContext - > = Resolver; - export type GeoResolver< - R = Maybe, - Parent = SourceEcsFields, - TContext = SiemContext - > = Resolver; - export type PacketsResolver< - R = Maybe, - Parent = SourceEcsFields, - TContext = SiemContext - > = Resolver; -} - -export namespace GeoEcsFieldsResolvers { - export interface Resolvers { - city_name?: CityNameResolver, TypeParent, TContext>; - - continent_name?: ContinentNameResolver, TypeParent, TContext>; - - country_iso_code?: CountryIsoCodeResolver, TypeParent, TContext>; - - country_name?: CountryNameResolver, TypeParent, TContext>; - - location?: LocationResolver, TypeParent, TContext>; - - region_iso_code?: RegionIsoCodeResolver, TypeParent, TContext>; - - region_name?: RegionNameResolver, TypeParent, TContext>; - } - - export type CityNameResolver< - R = Maybe, - Parent = GeoEcsFields, - TContext = SiemContext - > = Resolver; - export type ContinentNameResolver< - R = Maybe, - Parent = GeoEcsFields, - TContext = SiemContext - > = Resolver; - export type CountryIsoCodeResolver< - R = Maybe, - Parent = GeoEcsFields, - TContext = SiemContext - > = Resolver; - export type CountryNameResolver< - R = Maybe, - Parent = GeoEcsFields, - TContext = SiemContext - > = Resolver; - export type LocationResolver< - R = Maybe, - Parent = GeoEcsFields, - TContext = SiemContext - > = Resolver; - export type RegionIsoCodeResolver< - R = Maybe, - Parent = GeoEcsFields, - TContext = SiemContext - > = Resolver; - export type RegionNameResolver< - R = Maybe, - Parent = GeoEcsFields, - TContext = SiemContext - > = Resolver; -} - -export namespace LocationResolvers { - export interface Resolvers { - lon?: LonResolver, TypeParent, TContext>; - - lat?: LatResolver, TypeParent, TContext>; - } - - export type LonResolver< - R = Maybe, - Parent = Location, - TContext = SiemContext - > = Resolver; - export type LatResolver< - R = Maybe, - Parent = Location, - TContext = SiemContext - > = Resolver; -} - -export namespace HostEcsFieldsResolvers { - export interface Resolvers { - architecture?: ArchitectureResolver, TypeParent, TContext>; - - id?: IdResolver, TypeParent, TContext>; - - ip?: IpResolver, TypeParent, TContext>; - - mac?: MacResolver, TypeParent, TContext>; - - name?: NameResolver, TypeParent, TContext>; - - os?: OsResolver, TypeParent, TContext>; - - type?: TypeResolver, TypeParent, TContext>; - } - - export type ArchitectureResolver< - R = Maybe, - Parent = HostEcsFields, - TContext = SiemContext - > = Resolver; - export type IdResolver< - R = Maybe, - Parent = HostEcsFields, - TContext = SiemContext - > = Resolver; - export type IpResolver< - R = Maybe, - Parent = HostEcsFields, - TContext = SiemContext - > = Resolver; - export type MacResolver< - R = Maybe, - Parent = HostEcsFields, - TContext = SiemContext - > = Resolver; - export type NameResolver< - R = Maybe, - Parent = HostEcsFields, - TContext = SiemContext - > = Resolver; - export type OsResolver< - R = Maybe, - Parent = HostEcsFields, - TContext = SiemContext - > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = HostEcsFields, - TContext = SiemContext - > = Resolver; -} - -export namespace OsEcsFieldsResolvers { - export interface Resolvers { - platform?: PlatformResolver, TypeParent, TContext>; - - name?: NameResolver, TypeParent, TContext>; - - full?: FullResolver, TypeParent, TContext>; - - family?: FamilyResolver, TypeParent, TContext>; - - version?: VersionResolver, TypeParent, TContext>; - - kernel?: KernelResolver, TypeParent, TContext>; - } - - export type PlatformResolver< - R = Maybe, - Parent = OsEcsFields, - TContext = SiemContext - > = Resolver; - export type NameResolver< - R = Maybe, - Parent = OsEcsFields, - TContext = SiemContext - > = Resolver; - export type FullResolver< - R = Maybe, - Parent = OsEcsFields, - TContext = SiemContext - > = Resolver; - export type FamilyResolver< - R = Maybe, - Parent = OsEcsFields, - TContext = SiemContext - > = Resolver; - export type VersionResolver< - R = Maybe, - Parent = OsEcsFields, - TContext = SiemContext - > = Resolver; - export type KernelResolver< - R = Maybe, - Parent = OsEcsFields, - TContext = SiemContext - > = Resolver; -} - -export namespace CursorTypeResolvers { - export interface Resolvers { - value?: ValueResolver, TypeParent, TContext>; - - tiebreaker?: TiebreakerResolver, TypeParent, TContext>; - } - - export type ValueResolver< - R = Maybe, - Parent = CursorType, - TContext = SiemContext - > = Resolver; - export type TiebreakerResolver< - R = Maybe, - Parent = CursorType, - TContext = SiemContext - > = Resolver; -} - -export namespace PageInfoPaginatedResolvers { - export interface Resolvers { - activePage?: ActivePageResolver; - - fakeTotalCount?: FakeTotalCountResolver; - - showMorePagesIndicator?: ShowMorePagesIndicatorResolver; - } - - export type ActivePageResolver< - R = number, - Parent = PageInfoPaginated, - TContext = SiemContext - > = Resolver; - export type FakeTotalCountResolver< - R = number, - Parent = PageInfoPaginated, - TContext = SiemContext - > = Resolver; - export type ShowMorePagesIndicatorResolver< - R = boolean, - Parent = PageInfoPaginated, - TContext = SiemContext - > = Resolver; -} - -export namespace InspectResolvers { - export interface Resolvers { - dsl?: DslResolver; - - response?: ResponseResolver; - } - - export type DslResolver = Resolver< - R, - Parent, - TContext - >; - export type ResponseResolver = Resolver< - R, - Parent, - TContext - >; -} - -export namespace TimelineDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; - - pageInfo?: PageInfoResolver; - - inspect?: InspectResolver, TypeParent, TContext>; - } - - export type EdgesResolver< - R = TimelineEdges[], - Parent = TimelineData, - TContext = SiemContext - > = Resolver; - export type TotalCountResolver< - R = number, - Parent = TimelineData, - TContext = SiemContext - > = Resolver; - export type PageInfoResolver< - R = PageInfo, - Parent = TimelineData, - TContext = SiemContext - > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = TimelineData, - TContext = SiemContext - > = Resolver; -} - -export namespace TimelineEdgesResolvers { - export interface Resolvers { - node?: NodeResolver; - - cursor?: CursorResolver; - } - - export type NodeResolver< - R = TimelineItem, - Parent = TimelineEdges, - TContext = SiemContext - > = Resolver; - export type CursorResolver< - R = CursorType, - Parent = TimelineEdges, - TContext = SiemContext - > = Resolver; -} - -export namespace TimelineItemResolvers { - export interface Resolvers { - _id?: _IdResolver; - - _index?: _IndexResolver, TypeParent, TContext>; - - data?: DataResolver; - - ecs?: EcsResolver; - } - - export type _IdResolver = Resolver< - R, - Parent, - TContext - >; - export type _IndexResolver< - R = Maybe, - Parent = TimelineItem, - TContext = SiemContext - > = Resolver; - export type DataResolver< - R = TimelineNonEcsData[], - Parent = TimelineItem, - TContext = SiemContext - > = Resolver; - export type EcsResolver = Resolver< - R, - Parent, - TContext - >; -} - -export namespace TimelineNonEcsDataResolvers { - export interface Resolvers { - field?: FieldResolver; - - value?: ValueResolver, TypeParent, TContext>; - } - - export type FieldResolver< - R = string, - Parent = TimelineNonEcsData, - TContext = SiemContext - > = Resolver; - export type ValueResolver< - R = Maybe, - Parent = TimelineNonEcsData, - TContext = SiemContext - > = Resolver; -} - -export namespace EcsResolvers { - export interface Resolvers { - _id?: _IdResolver; - - _index?: _IndexResolver, TypeParent, TContext>; - - agent?: AgentResolver, TypeParent, TContext>; - - auditd?: AuditdResolver, TypeParent, TContext>; - - destination?: DestinationResolver, TypeParent, TContext>; - - dns?: DnsResolver, TypeParent, TContext>; - - endgame?: EndgameResolver, TypeParent, TContext>; - - event?: EventResolver, TypeParent, TContext>; - - geo?: GeoResolver, TypeParent, TContext>; - - host?: HostResolver, TypeParent, TContext>; - - network?: NetworkResolver, TypeParent, TContext>; - - rule?: RuleResolver, TypeParent, TContext>; - - signal?: SignalResolver, TypeParent, TContext>; - - source?: SourceResolver, TypeParent, TContext>; - - suricata?: SuricataResolver, TypeParent, TContext>; - - tls?: TlsResolver, TypeParent, TContext>; - - zeek?: ZeekResolver, TypeParent, TContext>; - - http?: HttpResolver, TypeParent, TContext>; - - url?: UrlResolver, TypeParent, TContext>; - - timestamp?: TimestampResolver, TypeParent, TContext>; - - message?: MessageResolver, TypeParent, TContext>; - - user?: UserResolver, TypeParent, TContext>; - - winlog?: WinlogResolver, TypeParent, TContext>; - - process?: ProcessResolver, TypeParent, TContext>; - - file?: FileResolver, TypeParent, TContext>; - - system?: SystemResolver, TypeParent, TContext>; - } - - export type _IdResolver = Resolver< - R, - Parent, - TContext - >; - export type _IndexResolver, Parent = Ecs, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type AgentResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type AuditdResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type DestinationResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type DnsResolver, Parent = Ecs, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type EndgameResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type EventResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type GeoResolver, Parent = Ecs, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type HostResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type NetworkResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type RuleResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type SignalResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type SourceResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type SuricataResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type TlsResolver, Parent = Ecs, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type ZeekResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type HttpResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type UrlResolver, Parent = Ecs, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type TimestampResolver, Parent = Ecs, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type MessageResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type UserResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type WinlogResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type ProcessResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; - export type FileResolver, Parent = Ecs, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type SystemResolver< - R = Maybe, - Parent = Ecs, - TContext = SiemContext - > = Resolver; -} - -export namespace AgentEcsFieldResolvers { - export interface Resolvers { - type?: TypeResolver, TypeParent, TContext>; - } - - export type TypeResolver< - R = Maybe, - Parent = AgentEcsField, - TContext = SiemContext - > = Resolver; -} - -export namespace AuditdEcsFieldsResolvers { - export interface Resolvers { - result?: ResultResolver, TypeParent, TContext>; - - session?: SessionResolver, TypeParent, TContext>; - - data?: DataResolver, TypeParent, TContext>; - - summary?: SummaryResolver, TypeParent, TContext>; - - sequence?: SequenceResolver, TypeParent, TContext>; - } - - export type ResultResolver< - R = Maybe, - Parent = AuditdEcsFields, - TContext = SiemContext - > = Resolver; - export type SessionResolver< - R = Maybe, - Parent = AuditdEcsFields, - TContext = SiemContext - > = Resolver; - export type DataResolver< - R = Maybe, - Parent = AuditdEcsFields, - TContext = SiemContext - > = Resolver; - export type SummaryResolver< - R = Maybe, - Parent = AuditdEcsFields, - TContext = SiemContext - > = Resolver; - export type SequenceResolver< - R = Maybe, - Parent = AuditdEcsFields, - TContext = SiemContext - > = Resolver; -} - -export namespace AuditdDataResolvers { - export interface Resolvers { - acct?: AcctResolver, TypeParent, TContext>; - - terminal?: TerminalResolver, TypeParent, TContext>; - - op?: OpResolver, TypeParent, TContext>; - } - - export type AcctResolver< - R = Maybe, - Parent = AuditdData, - TContext = SiemContext - > = Resolver; - export type TerminalResolver< - R = Maybe, - Parent = AuditdData, - TContext = SiemContext - > = Resolver; - export type OpResolver< - R = Maybe, - Parent = AuditdData, - TContext = SiemContext - > = Resolver; -} - -export namespace SummaryResolvers { - export interface Resolvers { - actor?: ActorResolver, TypeParent, TContext>; - - object?: ObjectResolver, TypeParent, TContext>; - - how?: HowResolver, TypeParent, TContext>; - - message_type?: MessageTypeResolver, TypeParent, TContext>; - - sequence?: SequenceResolver, TypeParent, TContext>; - } - - export type ActorResolver< - R = Maybe, - Parent = Summary, - TContext = SiemContext - > = Resolver; - export type ObjectResolver< - R = Maybe, - Parent = Summary, - TContext = SiemContext - > = Resolver; - export type HowResolver< - R = Maybe, - Parent = Summary, - TContext = SiemContext - > = Resolver; - export type MessageTypeResolver< - R = Maybe, - Parent = Summary, - TContext = SiemContext - > = Resolver; - export type SequenceResolver< - R = Maybe, - Parent = Summary, - TContext = SiemContext - > = Resolver; -} - -export namespace PrimarySecondaryResolvers { - export interface Resolvers { - primary?: PrimaryResolver, TypeParent, TContext>; - - secondary?: SecondaryResolver, TypeParent, TContext>; - - type?: TypeResolver, TypeParent, TContext>; - } - - export type PrimaryResolver< - R = Maybe, - Parent = PrimarySecondary, - TContext = SiemContext - > = Resolver; - export type SecondaryResolver< - R = Maybe, - Parent = PrimarySecondary, - TContext = SiemContext - > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = PrimarySecondary, - TContext = SiemContext - > = Resolver; -} - -export namespace DestinationEcsFieldsResolvers { - export interface Resolvers { - bytes?: BytesResolver, TypeParent, TContext>; - - ip?: IpResolver, TypeParent, TContext>; - - port?: PortResolver, TypeParent, TContext>; - - domain?: DomainResolver, TypeParent, TContext>; - - geo?: GeoResolver, TypeParent, TContext>; - - packets?: PacketsResolver, TypeParent, TContext>; - } - - export type BytesResolver< - R = Maybe, - Parent = DestinationEcsFields, - TContext = SiemContext - > = Resolver; - export type IpResolver< - R = Maybe, - Parent = DestinationEcsFields, - TContext = SiemContext - > = Resolver; - export type PortResolver< - R = Maybe, - Parent = DestinationEcsFields, - TContext = SiemContext - > = Resolver; - export type DomainResolver< - R = Maybe, - Parent = DestinationEcsFields, - TContext = SiemContext - > = Resolver; - export type GeoResolver< - R = Maybe, - Parent = DestinationEcsFields, - TContext = SiemContext - > = Resolver; - export type PacketsResolver< - R = Maybe, - Parent = DestinationEcsFields, + export type GetAllPinnedEventsByTimelineIdResolver< + R = PinnedEvent[], + Parent = {}, TContext = SiemContext - > = Resolver; -} - -export namespace DnsEcsFieldsResolvers { - export interface Resolvers { - question?: QuestionResolver, TypeParent, TContext>; - - resolved_ip?: ResolvedIpResolver, TypeParent, TContext>; + > = Resolver; + export interface GetAllPinnedEventsByTimelineIdArgs { + timelineId: string; + } - response_code?: ResponseCodeResolver, TypeParent, TContext>; + export type SourceResolver = Resolver< + R, + Parent, + TContext, + SourceArgs + >; + export interface SourceArgs { + /** The id of the source */ + id: string; } - export type QuestionResolver< - R = Maybe, - Parent = DnsEcsFields, - TContext = SiemContext - > = Resolver; - export type ResolvedIpResolver< - R = Maybe, - Parent = DnsEcsFields, - TContext = SiemContext - > = Resolver; - export type ResponseCodeResolver< - R = Maybe, - Parent = DnsEcsFields, + export type AllSourcesResolver = Resolver< + R, + Parent, + TContext + >; + export type GetOneTimelineResolver< + R = TimelineResult, + Parent = {}, TContext = SiemContext - > = Resolver; -} - -export namespace DnsQuestionDataResolvers { - export interface Resolvers { - name?: NameResolver, TypeParent, TContext>; - - type?: TypeResolver, TypeParent, TContext>; + > = Resolver; + export interface GetOneTimelineArgs { + id: string; } - export type NameResolver< - R = Maybe, - Parent = DnsQuestionData, - TContext = SiemContext - > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = DnsQuestionData, + export type GetAllTimelineResolver< + R = ResponseTimelines, + Parent = {}, TContext = SiemContext - > = Resolver; -} + > = Resolver; + export interface GetAllTimelineArgs { + pageInfo: PageInfoTimeline; -export namespace EndgameEcsFieldsResolvers { - export interface Resolvers { - exit_code?: ExitCodeResolver, TypeParent, TContext>; + search?: Maybe; - file_name?: FileNameResolver, TypeParent, TContext>; + sort?: Maybe; - file_path?: FilePathResolver, TypeParent, TContext>; + onlyUserFavorite?: Maybe; - logon_type?: LogonTypeResolver, TypeParent, TContext>; + timelineType?: Maybe; - parent_process_name?: ParentProcessNameResolver, TypeParent, TContext>; + status?: Maybe; + } +} - pid?: PidResolver, TypeParent, TContext>; +export namespace NoteResultResolvers { + export interface Resolvers { + eventId?: EventIdResolver, TypeParent, TContext>; - process_name?: ProcessNameResolver, TypeParent, TContext>; + note?: NoteResolver, TypeParent, TContext>; - subject_domain_name?: SubjectDomainNameResolver, TypeParent, TContext>; + timelineId?: TimelineIdResolver, TypeParent, TContext>; - subject_logon_id?: SubjectLogonIdResolver, TypeParent, TContext>; + noteId?: NoteIdResolver; - subject_user_name?: SubjectUserNameResolver, TypeParent, TContext>; + created?: CreatedResolver, TypeParent, TContext>; - target_domain_name?: TargetDomainNameResolver, TypeParent, TContext>; + createdBy?: CreatedByResolver, TypeParent, TContext>; - target_logon_id?: TargetLogonIdResolver, TypeParent, TContext>; + timelineVersion?: TimelineVersionResolver, TypeParent, TContext>; - target_user_name?: TargetUserNameResolver, TypeParent, TContext>; + updated?: UpdatedResolver, TypeParent, TContext>; + + updatedBy?: UpdatedByResolver, TypeParent, TContext>; + + version?: VersionResolver, TypeParent, TContext>; } - export type ExitCodeResolver< - R = Maybe, - Parent = EndgameEcsFields, - TContext = SiemContext - > = Resolver; - export type FileNameResolver< - R = Maybe, - Parent = EndgameEcsFields, - TContext = SiemContext - > = Resolver; - export type FilePathResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type EventIdResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type LogonTypeResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type NoteResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type ParentProcessNameResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type TimelineIdResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type PidResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type NoteIdResolver = Resolver< + R, + Parent, + TContext + >; + export type CreatedResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type ProcessNameResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type CreatedByResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type SubjectDomainNameResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type TimelineVersionResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type SubjectLogonIdResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type UpdatedResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type SubjectUserNameResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type UpdatedByResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type TargetDomainNameResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type VersionResolver< + R = Maybe, + Parent = NoteResult, TContext = SiemContext > = Resolver; - export type TargetLogonIdResolver< - R = Maybe, - Parent = EndgameEcsFields, +} + +export namespace ResponseNotesResolvers { + export interface Resolvers { + notes?: NotesResolver; + + totalCount?: TotalCountResolver, TypeParent, TContext>; + } + + export type NotesResolver< + R = NoteResult[], + Parent = ResponseNotes, TContext = SiemContext > = Resolver; - export type TargetUserNameResolver< - R = Maybe, - Parent = EndgameEcsFields, + export type TotalCountResolver< + R = Maybe, + Parent = ResponseNotes, TContext = SiemContext > = Resolver; } -export namespace EventEcsFieldsResolvers { - export interface Resolvers { - action?: ActionResolver, TypeParent, TContext>; - - category?: CategoryResolver, TypeParent, TContext>; - - code?: CodeResolver, TypeParent, TContext>; - - created?: CreatedResolver, TypeParent, TContext>; - - dataset?: DatasetResolver, TypeParent, TContext>; - - duration?: DurationResolver, TypeParent, TContext>; - - end?: EndResolver, TypeParent, TContext>; - - hash?: HashResolver, TypeParent, TContext>; - - id?: IdResolver, TypeParent, TContext>; +export namespace PinnedEventResolvers { + export interface Resolvers { + code?: CodeResolver, TypeParent, TContext>; - kind?: KindResolver, TypeParent, TContext>; + message?: MessageResolver, TypeParent, TContext>; - module?: ModuleResolver, TypeParent, TContext>; + pinnedEventId?: PinnedEventIdResolver; - original?: OriginalResolver, TypeParent, TContext>; + eventId?: EventIdResolver, TypeParent, TContext>; - outcome?: OutcomeResolver, TypeParent, TContext>; + timelineId?: TimelineIdResolver, TypeParent, TContext>; - risk_score?: RiskScoreResolver, TypeParent, TContext>; + timelineVersion?: TimelineVersionResolver, TypeParent, TContext>; - risk_score_norm?: RiskScoreNormResolver, TypeParent, TContext>; + created?: CreatedResolver, TypeParent, TContext>; - severity?: SeverityResolver, TypeParent, TContext>; + createdBy?: CreatedByResolver, TypeParent, TContext>; - start?: StartResolver, TypeParent, TContext>; + updated?: UpdatedResolver, TypeParent, TContext>; - timezone?: TimezoneResolver, TypeParent, TContext>; + updatedBy?: UpdatedByResolver, TypeParent, TContext>; - type?: TypeResolver, TypeParent, TContext>; + version?: VersionResolver, TypeParent, TContext>; } - export type ActionResolver< - R = Maybe, - Parent = EventEcsFields, - TContext = SiemContext - > = Resolver; - export type CategoryResolver< - R = Maybe, - Parent = EventEcsFields, - TContext = SiemContext - > = Resolver; export type CodeResolver< - R = Maybe, - Parent = EventEcsFields, - TContext = SiemContext - > = Resolver; - export type CreatedResolver< - R = Maybe, - Parent = EventEcsFields, - TContext = SiemContext - > = Resolver; - export type DatasetResolver< - R = Maybe, - Parent = EventEcsFields, - TContext = SiemContext - > = Resolver; - export type DurationResolver< - R = Maybe, - Parent = EventEcsFields, - TContext = SiemContext - > = Resolver; - export type EndResolver< - R = Maybe, - Parent = EventEcsFields, + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type HashResolver< - R = Maybe, - Parent = EventEcsFields, + export type MessageResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type IdResolver< - R = Maybe, - Parent = EventEcsFields, + export type PinnedEventIdResolver< + R = string, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type KindResolver< - R = Maybe, - Parent = EventEcsFields, + export type EventIdResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type ModuleResolver< - R = Maybe, - Parent = EventEcsFields, + export type TimelineIdResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type OriginalResolver< - R = Maybe, - Parent = EventEcsFields, + export type TimelineVersionResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type OutcomeResolver< - R = Maybe, - Parent = EventEcsFields, + export type CreatedResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type RiskScoreResolver< - R = Maybe, - Parent = EventEcsFields, + export type CreatedByResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type RiskScoreNormResolver< - R = Maybe, - Parent = EventEcsFields, + export type UpdatedResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type SeverityResolver< - R = Maybe, - Parent = EventEcsFields, + export type UpdatedByResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type StartResolver< - R = Maybe, - Parent = EventEcsFields, + export type VersionResolver< + R = Maybe, + Parent = PinnedEvent, TContext = SiemContext > = Resolver; - export type TimezoneResolver< - R = Maybe, - Parent = EventEcsFields, +} + +export namespace SourceResolvers { + export interface Resolvers { + /** The id of the source */ + id?: IdResolver; + /** The raw configuration of the source */ + configuration?: ConfigurationResolver; + /** The status of the source */ + status?: StatusResolver; + /** Gets Hosts based on timerange and specified criteria, or all events in the timerange if no criteria is specified */ + Hosts?: HostsResolver; + + HostOverview?: HostOverviewResolver; + + HostFirstLastSeen?: HostFirstLastSeenResolver; + /** Just a simple example to get the app name */ + whoAmI?: WhoAmIResolver, TypeParent, TContext>; + } + + export type IdResolver = Resolver< + R, + Parent, + TContext + >; + export type ConfigurationResolver< + R = SourceConfiguration, + Parent = Source, TContext = SiemContext > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = EventEcsFields, + export type StatusResolver = Resolver< + R, + Parent, + TContext + >; + export type HostsResolver = Resolver< + R, + Parent, + TContext, + HostsArgs + >; + export interface HostsArgs { + id?: Maybe; + + timerange: TimerangeInput; + + pagination: PaginationInputPaginated; + + sort: HostsSortField; + + filterQuery?: Maybe; + + defaultIndex: string[]; + + docValueFields: DocValueFieldsInput[]; + } + + export type HostOverviewResolver< + R = HostItem, + Parent = Source, TContext = SiemContext - > = Resolver; -} + > = Resolver; + export interface HostOverviewArgs { + id?: Maybe; -export namespace NetworkEcsFieldResolvers { - export interface Resolvers { - bytes?: BytesResolver, TypeParent, TContext>; + hostName: string; - community_id?: CommunityIdResolver, TypeParent, TContext>; + timerange: TimerangeInput; - direction?: DirectionResolver, TypeParent, TContext>; + defaultIndex: string[]; + } - packets?: PacketsResolver, TypeParent, TContext>; + export type HostFirstLastSeenResolver< + R = FirstLastSeenHost, + Parent = Source, + TContext = SiemContext + > = Resolver; + export interface HostFirstLastSeenArgs { + id?: Maybe; - protocol?: ProtocolResolver, TypeParent, TContext>; + hostName: string; - transport?: TransportResolver, TypeParent, TContext>; + defaultIndex: string[]; + + docValueFields: DocValueFieldsInput[]; } - export type BytesResolver< - R = Maybe, - Parent = NetworkEcsField, + export type WhoAmIResolver< + R = Maybe, + Parent = Source, TContext = SiemContext > = Resolver; - export type CommunityIdResolver< - R = Maybe, - Parent = NetworkEcsField, +} +/** A set of configuration options for a security data source */ +export namespace SourceConfigurationResolvers { + export interface Resolvers { + /** The field mapping to use for this source */ + fields?: FieldsResolver; + } + + export type FieldsResolver< + R = SourceFields, + Parent = SourceConfiguration, TContext = SiemContext > = Resolver; - export type DirectionResolver< - R = Maybe, - Parent = NetworkEcsField, +} +/** A mapping of semantic fields to their document counterparts */ +export namespace SourceFieldsResolvers { + export interface Resolvers { + /** The field to identify a container by */ + container?: ContainerResolver; + /** The fields to identify a host by */ + host?: HostResolver; + /** The fields that may contain the log event message. The first field found win. */ + message?: MessageResolver; + /** The field to identify a pod by */ + pod?: PodResolver; + /** The field to use as a tiebreaker for log events that have identical timestamps */ + tiebreaker?: TiebreakerResolver; + /** The field to use as a timestamp for metrics and logs */ + timestamp?: TimestampResolver; + } + + export type ContainerResolver< + R = string, + Parent = SourceFields, TContext = SiemContext > = Resolver; - export type PacketsResolver< - R = Maybe, - Parent = NetworkEcsField, + export type HostResolver = Resolver< + R, + Parent, + TContext + >; + export type MessageResolver< + R = string[], + Parent = SourceFields, TContext = SiemContext > = Resolver; - export type ProtocolResolver< - R = Maybe, - Parent = NetworkEcsField, + export type PodResolver = Resolver< + R, + Parent, + TContext + >; + export type TiebreakerResolver< + R = string, + Parent = SourceFields, TContext = SiemContext > = Resolver; - export type TransportResolver< - R = Maybe, - Parent = NetworkEcsField, + export type TimestampResolver< + R = string, + Parent = SourceFields, TContext = SiemContext > = Resolver; } +/** The status of an infrastructure data source */ +export namespace SourceStatusResolvers { + export interface Resolvers { + /** Whether the configured alias or wildcard pattern resolve to any auditbeat indices */ + indicesExist?: IndicesExistResolver; + /** The list of fields defined in the index mappings */ + indexFields?: IndexFieldsResolver; + } -export namespace RuleEcsFieldResolvers { - export interface Resolvers { - reference?: ReferenceResolver, TypeParent, TContext>; + export type IndicesExistResolver< + R = boolean, + Parent = SourceStatus, + TContext = SiemContext + > = Resolver; + export interface IndicesExistArgs { + defaultIndex: string[]; } - export type ReferenceResolver< - R = Maybe, - Parent = RuleEcsField, + export type IndexFieldsResolver< + R = string[], + Parent = SourceStatus, TContext = SiemContext - > = Resolver; + > = Resolver; + export interface IndexFieldsArgs { + defaultIndex: string[]; + } } -export namespace SignalFieldResolvers { - export interface Resolvers { - rule?: RuleResolver, TypeParent, TContext>; +export namespace HostsDataResolvers { + export interface Resolvers { + edges?: EdgesResolver; - original_time?: OriginalTimeResolver, TypeParent, TContext>; + totalCount?: TotalCountResolver; - status?: StatusResolver, TypeParent, TContext>; + pageInfo?: PageInfoResolver; + + inspect?: InspectResolver, TypeParent, TContext>; } - export type RuleResolver< - R = Maybe, - Parent = SignalField, + export type EdgesResolver< + R = HostsEdges[], + Parent = HostsData, TContext = SiemContext > = Resolver; - export type OriginalTimeResolver< - R = Maybe, - Parent = SignalField, + export type TotalCountResolver = Resolver< + R, + Parent, + TContext + >; + export type PageInfoResolver< + R = PageInfoPaginated, + Parent = HostsData, TContext = SiemContext > = Resolver; - export type StatusResolver< - R = Maybe, - Parent = SignalField, + export type InspectResolver< + R = Maybe, + Parent = HostsData, TContext = SiemContext > = Resolver; } -export namespace RuleFieldResolvers { - export interface Resolvers { - id?: IdResolver, TypeParent, TContext>; - - rule_id?: RuleIdResolver, TypeParent, TContext>; - - false_positives?: FalsePositivesResolver; - - saved_id?: SavedIdResolver, TypeParent, TContext>; - - timeline_id?: TimelineIdResolver, TypeParent, TContext>; - - timeline_title?: TimelineTitleResolver, TypeParent, TContext>; - - max_signals?: MaxSignalsResolver, TypeParent, TContext>; - - risk_score?: RiskScoreResolver, TypeParent, TContext>; - - output_index?: OutputIndexResolver, TypeParent, TContext>; - - description?: DescriptionResolver, TypeParent, TContext>; - - from?: FromResolver, TypeParent, TContext>; - - immutable?: ImmutableResolver, TypeParent, TContext>; - - index?: IndexResolver, TypeParent, TContext>; - - interval?: IntervalResolver, TypeParent, TContext>; - - language?: LanguageResolver, TypeParent, TContext>; - - query?: QueryResolver, TypeParent, TContext>; - - references?: ReferencesResolver, TypeParent, TContext>; - - severity?: SeverityResolver, TypeParent, TContext>; - - tags?: TagsResolver, TypeParent, TContext>; - - threat?: ThreatResolver, TypeParent, TContext>; - - type?: TypeResolver, TypeParent, TContext>; - - size?: SizeResolver, TypeParent, TContext>; - - to?: ToResolver, TypeParent, TContext>; - - enabled?: EnabledResolver, TypeParent, TContext>; - - filters?: FiltersResolver, TypeParent, TContext>; +export namespace HostsEdgesResolvers { + export interface Resolvers { + node?: NodeResolver; - created_at?: CreatedAtResolver, TypeParent, TContext>; + cursor?: CursorResolver; + } - updated_at?: UpdatedAtResolver, TypeParent, TContext>; + export type NodeResolver = Resolver< + R, + Parent, + TContext + >; + export type CursorResolver< + R = CursorType, + Parent = HostsEdges, + TContext = SiemContext + > = Resolver; +} - created_by?: CreatedByResolver, TypeParent, TContext>; +export namespace HostItemResolvers { + export interface Resolvers { + _id?: _IdResolver, TypeParent, TContext>; - updated_by?: UpdatedByResolver, TypeParent, TContext>; + cloud?: CloudResolver, TypeParent, TContext>; - version?: VersionResolver, TypeParent, TContext>; + endpoint?: EndpointResolver, TypeParent, TContext>; - note?: NoteResolver, TypeParent, TContext>; + host?: HostResolver, TypeParent, TContext>; - threshold?: ThresholdResolver, TypeParent, TContext>; + inspect?: InspectResolver, TypeParent, TContext>; - exceptions_list?: ExceptionsListResolver, TypeParent, TContext>; + lastSeen?: LastSeenResolver, TypeParent, TContext>; } - export type IdResolver< - R = Maybe, - Parent = RuleField, - TContext = SiemContext - > = Resolver; - export type RuleIdResolver< - R = Maybe, - Parent = RuleField, + export type _IdResolver, Parent = HostItem, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type CloudResolver< + R = Maybe, + Parent = HostItem, TContext = SiemContext > = Resolver; - export type FalsePositivesResolver< - R = string[], - Parent = RuleField, + export type EndpointResolver< + R = Maybe, + Parent = HostItem, TContext = SiemContext > = Resolver; - export type SavedIdResolver< - R = Maybe, - Parent = RuleField, + export type HostResolver< + R = Maybe, + Parent = HostItem, TContext = SiemContext > = Resolver; - export type TimelineIdResolver< - R = Maybe, - Parent = RuleField, + export type InspectResolver< + R = Maybe, + Parent = HostItem, TContext = SiemContext > = Resolver; - export type TimelineTitleResolver< - R = Maybe, - Parent = RuleField, + export type LastSeenResolver< + R = Maybe, + Parent = HostItem, TContext = SiemContext > = Resolver; - export type MaxSignalsResolver< - R = Maybe, - Parent = RuleField, +} + +export namespace CloudFieldsResolvers { + export interface Resolvers { + instance?: InstanceResolver, TypeParent, TContext>; + + machine?: MachineResolver, TypeParent, TContext>; + + provider?: ProviderResolver)[]>, TypeParent, TContext>; + + region?: RegionResolver)[]>, TypeParent, TContext>; + } + + export type InstanceResolver< + R = Maybe, + Parent = CloudFields, TContext = SiemContext > = Resolver; - export type RiskScoreResolver< - R = Maybe, - Parent = RuleField, + export type MachineResolver< + R = Maybe, + Parent = CloudFields, TContext = SiemContext > = Resolver; - export type OutputIndexResolver< - R = Maybe, - Parent = RuleField, + export type ProviderResolver< + R = Maybe<(Maybe)[]>, + Parent = CloudFields, TContext = SiemContext > = Resolver; - export type DescriptionResolver< - R = Maybe, - Parent = RuleField, + export type RegionResolver< + R = Maybe<(Maybe)[]>, + Parent = CloudFields, TContext = SiemContext > = Resolver; - export type FromResolver< - R = Maybe, - Parent = RuleField, +} + +export namespace CloudInstanceResolvers { + export interface Resolvers { + id?: IdResolver)[]>, TypeParent, TContext>; + } + + export type IdResolver< + R = Maybe<(Maybe)[]>, + Parent = CloudInstance, TContext = SiemContext > = Resolver; - export type ImmutableResolver< - R = Maybe, - Parent = RuleField, +} + +export namespace CloudMachineResolvers { + export interface Resolvers { + type?: TypeResolver)[]>, TypeParent, TContext>; + } + + export type TypeResolver< + R = Maybe<(Maybe)[]>, + Parent = CloudMachine, TContext = SiemContext > = Resolver; - export type IndexResolver< - R = Maybe, - Parent = RuleField, +} + +export namespace EndpointFieldsResolvers { + export interface Resolvers { + endpointPolicy?: EndpointPolicyResolver, TypeParent, TContext>; + + sensorVersion?: SensorVersionResolver, TypeParent, TContext>; + + policyStatus?: PolicyStatusResolver< + Maybe, + TypeParent, + TContext + >; + } + + export type EndpointPolicyResolver< + R = Maybe, + Parent = EndpointFields, TContext = SiemContext > = Resolver; - export type IntervalResolver< - R = Maybe, - Parent = RuleField, + export type SensorVersionResolver< + R = Maybe, + Parent = EndpointFields, TContext = SiemContext > = Resolver; - export type LanguageResolver< - R = Maybe, - Parent = RuleField, + export type PolicyStatusResolver< + R = Maybe, + Parent = EndpointFields, TContext = SiemContext > = Resolver; - export type QueryResolver< +} + +export namespace HostEcsFieldsResolvers { + export interface Resolvers { + architecture?: ArchitectureResolver, TypeParent, TContext>; + + id?: IdResolver, TypeParent, TContext>; + + ip?: IpResolver, TypeParent, TContext>; + + mac?: MacResolver, TypeParent, TContext>; + + name?: NameResolver, TypeParent, TContext>; + + os?: OsResolver, TypeParent, TContext>; + + type?: TypeResolver, TypeParent, TContext>; + } + + export type ArchitectureResolver< R = Maybe, - Parent = RuleField, + Parent = HostEcsFields, TContext = SiemContext > = Resolver; - export type ReferencesResolver< + export type IdResolver< R = Maybe, - Parent = RuleField, + Parent = HostEcsFields, TContext = SiemContext > = Resolver; - export type SeverityResolver< + export type IpResolver< R = Maybe, - Parent = RuleField, + Parent = HostEcsFields, TContext = SiemContext > = Resolver; - export type TagsResolver< + export type MacResolver< R = Maybe, - Parent = RuleField, - TContext = SiemContext - > = Resolver; - export type ThreatResolver< - R = Maybe, - Parent = RuleField, + Parent = HostEcsFields, TContext = SiemContext > = Resolver; - export type TypeResolver< + export type NameResolver< R = Maybe, - Parent = RuleField, + Parent = HostEcsFields, TContext = SiemContext > = Resolver; - export type SizeResolver< - R = Maybe, - Parent = RuleField, + export type OsResolver< + R = Maybe, + Parent = HostEcsFields, TContext = SiemContext > = Resolver; - export type ToResolver< + export type TypeResolver< R = Maybe, - Parent = RuleField, - TContext = SiemContext - > = Resolver; - export type EnabledResolver< - R = Maybe, - Parent = RuleField, - TContext = SiemContext - > = Resolver; - export type FiltersResolver< - R = Maybe, - Parent = RuleField, + Parent = HostEcsFields, TContext = SiemContext > = Resolver; - export type CreatedAtResolver< +} + +export namespace OsEcsFieldsResolvers { + export interface Resolvers { + platform?: PlatformResolver, TypeParent, TContext>; + + name?: NameResolver, TypeParent, TContext>; + + full?: FullResolver, TypeParent, TContext>; + + family?: FamilyResolver, TypeParent, TContext>; + + version?: VersionResolver, TypeParent, TContext>; + + kernel?: KernelResolver, TypeParent, TContext>; + } + + export type PlatformResolver< R = Maybe, - Parent = RuleField, + Parent = OsEcsFields, TContext = SiemContext > = Resolver; - export type UpdatedAtResolver< + export type NameResolver< R = Maybe, - Parent = RuleField, + Parent = OsEcsFields, TContext = SiemContext > = Resolver; - export type CreatedByResolver< + export type FullResolver< R = Maybe, - Parent = RuleField, + Parent = OsEcsFields, TContext = SiemContext > = Resolver; - export type UpdatedByResolver< + export type FamilyResolver< R = Maybe, - Parent = RuleField, + Parent = OsEcsFields, TContext = SiemContext > = Resolver; export type VersionResolver< R = Maybe, - Parent = RuleField, + Parent = OsEcsFields, TContext = SiemContext > = Resolver; - export type NoteResolver< + export type KernelResolver< R = Maybe, - Parent = RuleField, + Parent = OsEcsFields, TContext = SiemContext > = Resolver; - export type ThresholdResolver< - R = Maybe, - Parent = RuleField, +} + +export namespace InspectResolvers { + export interface Resolvers { + dsl?: DslResolver; + + response?: ResponseResolver; + } + + export type DslResolver = Resolver< + R, + Parent, + TContext + >; + export type ResponseResolver = Resolver< + R, + Parent, + TContext + >; +} + +export namespace CursorTypeResolvers { + export interface Resolvers { + value?: ValueResolver, TypeParent, TContext>; + + tiebreaker?: TiebreakerResolver, TypeParent, TContext>; + } + + export type ValueResolver< + R = Maybe, + Parent = CursorType, TContext = SiemContext > = Resolver; - export type ExceptionsListResolver< - R = Maybe, - Parent = RuleField, + export type TiebreakerResolver< + R = Maybe, + Parent = CursorType, TContext = SiemContext > = Resolver; } -export namespace SuricataEcsFieldsResolvers { - export interface Resolvers { - eve?: EveResolver, TypeParent, TContext>; +export namespace PageInfoPaginatedResolvers { + export interface Resolvers { + activePage?: ActivePageResolver; + + fakeTotalCount?: FakeTotalCountResolver; + + showMorePagesIndicator?: ShowMorePagesIndicatorResolver; } - export type EveResolver< - R = Maybe, - Parent = SuricataEcsFields, + export type ActivePageResolver< + R = number, + Parent = PageInfoPaginated, + TContext = SiemContext + > = Resolver; + export type FakeTotalCountResolver< + R = number, + Parent = PageInfoPaginated, + TContext = SiemContext + > = Resolver; + export type ShowMorePagesIndicatorResolver< + R = boolean, + Parent = PageInfoPaginated, TContext = SiemContext > = Resolver; } -export namespace SuricataEveDataResolvers { - export interface Resolvers { - alert?: AlertResolver, TypeParent, TContext>; +export namespace FirstLastSeenHostResolvers { + export interface Resolvers { + inspect?: InspectResolver, TypeParent, TContext>; - flow_id?: FlowIdResolver, TypeParent, TContext>; + firstSeen?: FirstSeenResolver, TypeParent, TContext>; - proto?: ProtoResolver, TypeParent, TContext>; + lastSeen?: LastSeenResolver, TypeParent, TContext>; } - export type AlertResolver< - R = Maybe, - Parent = SuricataEveData, + export type InspectResolver< + R = Maybe, + Parent = FirstLastSeenHost, TContext = SiemContext > = Resolver; - export type FlowIdResolver< - R = Maybe, - Parent = SuricataEveData, + export type FirstSeenResolver< + R = Maybe, + Parent = FirstLastSeenHost, TContext = SiemContext > = Resolver; - export type ProtoResolver< - R = Maybe, - Parent = SuricataEveData, + export type LastSeenResolver< + R = Maybe, + Parent = FirstLastSeenHost, TContext = SiemContext > = Resolver; } -export namespace SuricataAlertDataResolvers { - export interface Resolvers { - signature?: SignatureResolver, TypeParent, TContext>; +export namespace SayMyNameResolvers { + export interface Resolvers { + /** The id of the source */ + appName?: AppNameResolver; + } + + export type AppNameResolver = Resolver< + R, + Parent, + TContext + >; +} + +export namespace TimelineResultResolvers { + export interface Resolvers { + columns?: ColumnsResolver, TypeParent, TContext>; + + created?: CreatedResolver, TypeParent, TContext>; + + createdBy?: CreatedByResolver, TypeParent, TContext>; + + dataProviders?: DataProvidersResolver, TypeParent, TContext>; + + dateRange?: DateRangeResolver, TypeParent, TContext>; + + description?: DescriptionResolver, TypeParent, TContext>; - signature_id?: SignatureIdResolver, TypeParent, TContext>; - } + eventIdToNoteIds?: EventIdToNoteIdsResolver, TypeParent, TContext>; - export type SignatureResolver< - R = Maybe, - Parent = SuricataAlertData, - TContext = SiemContext - > = Resolver; - export type SignatureIdResolver< - R = Maybe, - Parent = SuricataAlertData, - TContext = SiemContext - > = Resolver; -} + eventType?: EventTypeResolver, TypeParent, TContext>; -export namespace TlsEcsFieldsResolvers { - export interface Resolvers { - client_certificate?: ClientCertificateResolver< - Maybe, + excludedRowRendererIds?: ExcludedRowRendererIdsResolver< + Maybe, TypeParent, TContext >; - fingerprints?: FingerprintsResolver, TypeParent, TContext>; + favorite?: FavoriteResolver, TypeParent, TContext>; - server_certificate?: ServerCertificateResolver< - Maybe, + filters?: FiltersResolver, TypeParent, TContext>; + + kqlMode?: KqlModeResolver, TypeParent, TContext>; + + kqlQuery?: KqlQueryResolver, TypeParent, TContext>; + + indexNames?: IndexNamesResolver, TypeParent, TContext>; + + notes?: NotesResolver, TypeParent, TContext>; + + noteIds?: NoteIdsResolver, TypeParent, TContext>; + + pinnedEventIds?: PinnedEventIdsResolver, TypeParent, TContext>; + + pinnedEventsSaveObject?: PinnedEventsSaveObjectResolver< + Maybe, TypeParent, TContext >; + + savedQueryId?: SavedQueryIdResolver, TypeParent, TContext>; + + savedObjectId?: SavedObjectIdResolver; + + sort?: SortResolver, TypeParent, TContext>; + + status?: StatusResolver, TypeParent, TContext>; + + title?: TitleResolver, TypeParent, TContext>; + + templateTimelineId?: TemplateTimelineIdResolver, TypeParent, TContext>; + + templateTimelineVersion?: TemplateTimelineVersionResolver, TypeParent, TContext>; + + timelineType?: TimelineTypeResolver, TypeParent, TContext>; + + updated?: UpdatedResolver, TypeParent, TContext>; + + updatedBy?: UpdatedByResolver, TypeParent, TContext>; + + version?: VersionResolver; } - export type ClientCertificateResolver< - R = Maybe, - Parent = TlsEcsFields, + export type ColumnsResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type FingerprintsResolver< - R = Maybe, - Parent = TlsEcsFields, + export type CreatedResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type ServerCertificateResolver< - R = Maybe, - Parent = TlsEcsFields, + export type CreatedByResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace TlsClientCertificateDataResolvers { - export interface Resolvers { - fingerprint?: FingerprintResolver, TypeParent, TContext>; - } - - export type FingerprintResolver< - R = Maybe, - Parent = TlsClientCertificateData, + export type DataProvidersResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace FingerprintDataResolvers { - export interface Resolvers { - sha1?: Sha1Resolver, TypeParent, TContext>; - } - - export type Sha1Resolver< - R = Maybe, - Parent = FingerprintData, + export type DateRangeResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace TlsFingerprintsDataResolvers { - export interface Resolvers { - ja3?: Ja3Resolver, TypeParent, TContext>; - } - - export type Ja3Resolver< - R = Maybe, - Parent = TlsFingerprintsData, + export type DescriptionResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace TlsJa3DataResolvers { - export interface Resolvers { - hash?: HashResolver, TypeParent, TContext>; - } - - export type HashResolver< - R = Maybe, - Parent = TlsJa3Data, + export type EventIdToNoteIdsResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace TlsServerCertificateDataResolvers { - export interface Resolvers { - fingerprint?: FingerprintResolver, TypeParent, TContext>; - } - - export type FingerprintResolver< - R = Maybe, - Parent = TlsServerCertificateData, + export type EventTypeResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace ZeekEcsFieldsResolvers { - export interface Resolvers { - session_id?: SessionIdResolver, TypeParent, TContext>; - - connection?: ConnectionResolver, TypeParent, TContext>; - - notice?: NoticeResolver, TypeParent, TContext>; - - dns?: DnsResolver, TypeParent, TContext>; - - http?: HttpResolver, TypeParent, TContext>; - - files?: FilesResolver, TypeParent, TContext>; - - ssl?: SslResolver, TypeParent, TContext>; - } - - export type SessionIdResolver< - R = Maybe, - Parent = ZeekEcsFields, + export type ExcludedRowRendererIdsResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type ConnectionResolver< - R = Maybe, - Parent = ZeekEcsFields, + export type FavoriteResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type NoticeResolver< - R = Maybe, - Parent = ZeekEcsFields, + export type FiltersResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type DnsResolver< - R = Maybe, - Parent = ZeekEcsFields, + export type KqlModeResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type HttpResolver< - R = Maybe, - Parent = ZeekEcsFields, + export type KqlQueryResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type FilesResolver< - R = Maybe, - Parent = ZeekEcsFields, + export type IndexNamesResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type SslResolver< - R = Maybe, - Parent = ZeekEcsFields, + export type NotesResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace ZeekConnectionDataResolvers { - export interface Resolvers { - local_resp?: LocalRespResolver, TypeParent, TContext>; - - local_orig?: LocalOrigResolver, TypeParent, TContext>; - - missed_bytes?: MissedBytesResolver, TypeParent, TContext>; - - state?: StateResolver, TypeParent, TContext>; - - history?: HistoryResolver, TypeParent, TContext>; - } - - export type LocalRespResolver< - R = Maybe, - Parent = ZeekConnectionData, + export type NoteIdsResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type LocalOrigResolver< - R = Maybe, - Parent = ZeekConnectionData, + export type PinnedEventIdsResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type MissedBytesResolver< - R = Maybe, - Parent = ZeekConnectionData, + export type PinnedEventsSaveObjectResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type StateResolver< - R = Maybe, - Parent = ZeekConnectionData, + export type SavedQueryIdResolver< + R = Maybe, + Parent = TimelineResult, + TContext = SiemContext + > = Resolver; + export type SavedObjectIdResolver< + R = string, + Parent = TimelineResult, + TContext = SiemContext + > = Resolver; + export type SortResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type HistoryResolver< - R = Maybe, - Parent = ZeekConnectionData, + export type StatusResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace ZeekNoticeDataResolvers { - export interface Resolvers { - suppress_for?: SuppressForResolver, TypeParent, TContext>; - - msg?: MsgResolver, TypeParent, TContext>; - - note?: NoteResolver, TypeParent, TContext>; - - sub?: SubResolver, TypeParent, TContext>; - - dst?: DstResolver, TypeParent, TContext>; - - dropped?: DroppedResolver, TypeParent, TContext>; - - peer_descr?: PeerDescrResolver, TypeParent, TContext>; - } - - export type SuppressForResolver< - R = Maybe, - Parent = ZeekNoticeData, + export type TitleResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type MsgResolver< - R = Maybe, - Parent = ZeekNoticeData, + export type TemplateTimelineIdResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type NoteResolver< - R = Maybe, - Parent = ZeekNoticeData, + export type TemplateTimelineVersionResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type SubResolver< - R = Maybe, - Parent = ZeekNoticeData, + export type TimelineTypeResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type DstResolver< - R = Maybe, - Parent = ZeekNoticeData, + export type UpdatedResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type DroppedResolver< - R = Maybe, - Parent = ZeekNoticeData, + export type UpdatedByResolver< + R = Maybe, + Parent = TimelineResult, TContext = SiemContext > = Resolver; - export type PeerDescrResolver< - R = Maybe, - Parent = ZeekNoticeData, + export type VersionResolver< + R = string, + Parent = TimelineResult, TContext = SiemContext > = Resolver; } -export namespace ZeekDnsDataResolvers { - export interface Resolvers { - AA?: AaResolver, TypeParent, TContext>; +export namespace ColumnHeaderResultResolvers { + export interface Resolvers { + aggregatable?: AggregatableResolver, TypeParent, TContext>; - qclass_name?: QclassNameResolver, TypeParent, TContext>; + category?: CategoryResolver, TypeParent, TContext>; - RD?: RdResolver, TypeParent, TContext>; + columnHeaderType?: ColumnHeaderTypeResolver, TypeParent, TContext>; - qtype_name?: QtypeNameResolver, TypeParent, TContext>; + description?: DescriptionResolver, TypeParent, TContext>; - rejected?: RejectedResolver, TypeParent, TContext>; + example?: ExampleResolver, TypeParent, TContext>; - qtype?: QtypeResolver, TypeParent, TContext>; + indexes?: IndexesResolver, TypeParent, TContext>; - query?: QueryResolver, TypeParent, TContext>; + id?: IdResolver, TypeParent, TContext>; - trans_id?: TransIdResolver, TypeParent, TContext>; + name?: NameResolver, TypeParent, TContext>; - qclass?: QclassResolver, TypeParent, TContext>; + placeholder?: PlaceholderResolver, TypeParent, TContext>; - RA?: RaResolver, TypeParent, TContext>; + searchable?: SearchableResolver, TypeParent, TContext>; - TC?: TcResolver, TypeParent, TContext>; + type?: TypeResolver, TypeParent, TContext>; } - export type AaResolver< - R = Maybe, - Parent = ZeekDnsData, + export type AggregatableResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type QclassNameResolver< - R = Maybe, - Parent = ZeekDnsData, + export type CategoryResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type RdResolver< - R = Maybe, - Parent = ZeekDnsData, + export type ColumnHeaderTypeResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type QtypeNameResolver< - R = Maybe, - Parent = ZeekDnsData, + export type DescriptionResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type RejectedResolver< - R = Maybe, - Parent = ZeekDnsData, + export type ExampleResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type QtypeResolver< - R = Maybe, - Parent = ZeekDnsData, + export type IndexesResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type QueryResolver< - R = Maybe, - Parent = ZeekDnsData, + export type IdResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type TransIdResolver< - R = Maybe, - Parent = ZeekDnsData, + export type NameResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type QclassResolver< - R = Maybe, - Parent = ZeekDnsData, + export type PlaceholderResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type RaResolver< - R = Maybe, - Parent = ZeekDnsData, + export type SearchableResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; - export type TcResolver< - R = Maybe, - Parent = ZeekDnsData, + export type TypeResolver< + R = Maybe, + Parent = ColumnHeaderResult, TContext = SiemContext > = Resolver; } -export namespace ZeekHttpDataResolvers { - export interface Resolvers { - resp_mime_types?: RespMimeTypesResolver, TypeParent, TContext>; +export namespace DataProviderResultResolvers { + export interface Resolvers { + id?: IdResolver, TypeParent, TContext>; - trans_depth?: TransDepthResolver, TypeParent, TContext>; + name?: NameResolver, TypeParent, TContext>; - status_msg?: StatusMsgResolver, TypeParent, TContext>; + enabled?: EnabledResolver, TypeParent, TContext>; - resp_fuids?: RespFuidsResolver, TypeParent, TContext>; + excluded?: ExcludedResolver, TypeParent, TContext>; - tags?: TagsResolver, TypeParent, TContext>; + kqlQuery?: KqlQueryResolver, TypeParent, TContext>; + + queryMatch?: QueryMatchResolver, TypeParent, TContext>; + + type?: TypeResolver, TypeParent, TContext>; + + and?: AndResolver, TypeParent, TContext>; } - export type RespMimeTypesResolver< - R = Maybe, - Parent = ZeekHttpData, + export type IdResolver< + R = Maybe, + Parent = DataProviderResult, TContext = SiemContext > = Resolver; - export type TransDepthResolver< - R = Maybe, - Parent = ZeekHttpData, + export type NameResolver< + R = Maybe, + Parent = DataProviderResult, TContext = SiemContext > = Resolver; - export type StatusMsgResolver< - R = Maybe, - Parent = ZeekHttpData, + export type EnabledResolver< + R = Maybe, + Parent = DataProviderResult, TContext = SiemContext > = Resolver; - export type RespFuidsResolver< - R = Maybe, - Parent = ZeekHttpData, + export type ExcludedResolver< + R = Maybe, + Parent = DataProviderResult, TContext = SiemContext > = Resolver; - export type TagsResolver< - R = Maybe, - Parent = ZeekHttpData, + export type KqlQueryResolver< + R = Maybe, + Parent = DataProviderResult, + TContext = SiemContext + > = Resolver; + export type QueryMatchResolver< + R = Maybe, + Parent = DataProviderResult, + TContext = SiemContext + > = Resolver; + export type TypeResolver< + R = Maybe, + Parent = DataProviderResult, + TContext = SiemContext + > = Resolver; + export type AndResolver< + R = Maybe, + Parent = DataProviderResult, TContext = SiemContext > = Resolver; } -export namespace ZeekFileDataResolvers { - export interface Resolvers { - session_ids?: SessionIdsResolver, TypeParent, TContext>; - - timedout?: TimedoutResolver, TypeParent, TContext>; - - local_orig?: LocalOrigResolver, TypeParent, TContext>; - - tx_host?: TxHostResolver, TypeParent, TContext>; - - source?: SourceResolver, TypeParent, TContext>; - - is_orig?: IsOrigResolver, TypeParent, TContext>; - - overflow_bytes?: OverflowBytesResolver, TypeParent, TContext>; - - sha1?: Sha1Resolver, TypeParent, TContext>; - - duration?: DurationResolver, TypeParent, TContext>; - - depth?: DepthResolver, TypeParent, TContext>; - - analyzers?: AnalyzersResolver, TypeParent, TContext>; - - mime_type?: MimeTypeResolver, TypeParent, TContext>; - - rx_host?: RxHostResolver, TypeParent, TContext>; - - total_bytes?: TotalBytesResolver, TypeParent, TContext>; +export namespace QueryMatchResultResolvers { + export interface Resolvers { + field?: FieldResolver, TypeParent, TContext>; - fuid?: FuidResolver, TypeParent, TContext>; + displayField?: DisplayFieldResolver, TypeParent, TContext>; - seen_bytes?: SeenBytesResolver, TypeParent, TContext>; + value?: ValueResolver, TypeParent, TContext>; - missing_bytes?: MissingBytesResolver, TypeParent, TContext>; + displayValue?: DisplayValueResolver, TypeParent, TContext>; - md5?: Md5Resolver, TypeParent, TContext>; + operator?: OperatorResolver, TypeParent, TContext>; } - export type SessionIdsResolver< - R = Maybe, - Parent = ZeekFileData, - TContext = SiemContext - > = Resolver; - export type TimedoutResolver< - R = Maybe, - Parent = ZeekFileData, + export type FieldResolver< + R = Maybe, + Parent = QueryMatchResult, TContext = SiemContext > = Resolver; - export type LocalOrigResolver< - R = Maybe, - Parent = ZeekFileData, + export type DisplayFieldResolver< + R = Maybe, + Parent = QueryMatchResult, TContext = SiemContext > = Resolver; - export type TxHostResolver< - R = Maybe, - Parent = ZeekFileData, + export type ValueResolver< + R = Maybe, + Parent = QueryMatchResult, TContext = SiemContext > = Resolver; - export type SourceResolver< - R = Maybe, - Parent = ZeekFileData, + export type DisplayValueResolver< + R = Maybe, + Parent = QueryMatchResult, TContext = SiemContext > = Resolver; - export type IsOrigResolver< - R = Maybe, - Parent = ZeekFileData, + export type OperatorResolver< + R = Maybe, + Parent = QueryMatchResult, TContext = SiemContext > = Resolver; - export type OverflowBytesResolver< - R = Maybe, - Parent = ZeekFileData, +} + +export namespace DateRangePickerResultResolvers { + export interface Resolvers { + start?: StartResolver, TypeParent, TContext>; + + end?: EndResolver, TypeParent, TContext>; + } + + export type StartResolver< + R = Maybe, + Parent = DateRangePickerResult, TContext = SiemContext > = Resolver; - export type Sha1Resolver< - R = Maybe, - Parent = ZeekFileData, + export type EndResolver< + R = Maybe, + Parent = DateRangePickerResult, TContext = SiemContext > = Resolver; - export type DurationResolver< - R = Maybe, - Parent = ZeekFileData, +} + +export namespace FavoriteTimelineResultResolvers { + export interface Resolvers { + fullName?: FullNameResolver, TypeParent, TContext>; + + userName?: UserNameResolver, TypeParent, TContext>; + + favoriteDate?: FavoriteDateResolver, TypeParent, TContext>; + } + + export type FullNameResolver< + R = Maybe, + Parent = FavoriteTimelineResult, TContext = SiemContext > = Resolver; - export type DepthResolver< - R = Maybe, - Parent = ZeekFileData, + export type UserNameResolver< + R = Maybe, + Parent = FavoriteTimelineResult, TContext = SiemContext > = Resolver; - export type AnalyzersResolver< - R = Maybe, - Parent = ZeekFileData, + export type FavoriteDateResolver< + R = Maybe, + Parent = FavoriteTimelineResult, TContext = SiemContext > = Resolver; - export type MimeTypeResolver< - R = Maybe, - Parent = ZeekFileData, +} + +export namespace FilterTimelineResultResolvers { + export interface Resolvers { + exists?: ExistsResolver, TypeParent, TContext>; + + meta?: MetaResolver, TypeParent, TContext>; + + match_all?: MatchAllResolver, TypeParent, TContext>; + + missing?: MissingResolver, TypeParent, TContext>; + + query?: QueryResolver, TypeParent, TContext>; + + range?: RangeResolver, TypeParent, TContext>; + + script?: ScriptResolver, TypeParent, TContext>; + } + + export type ExistsResolver< + R = Maybe, + Parent = FilterTimelineResult, TContext = SiemContext > = Resolver; - export type RxHostResolver< - R = Maybe, - Parent = ZeekFileData, + export type MetaResolver< + R = Maybe, + Parent = FilterTimelineResult, TContext = SiemContext > = Resolver; - export type TotalBytesResolver< - R = Maybe, - Parent = ZeekFileData, + export type MatchAllResolver< + R = Maybe, + Parent = FilterTimelineResult, TContext = SiemContext > = Resolver; - export type FuidResolver< - R = Maybe, - Parent = ZeekFileData, + export type MissingResolver< + R = Maybe, + Parent = FilterTimelineResult, TContext = SiemContext > = Resolver; - export type SeenBytesResolver< - R = Maybe, - Parent = ZeekFileData, + export type QueryResolver< + R = Maybe, + Parent = FilterTimelineResult, TContext = SiemContext > = Resolver; - export type MissingBytesResolver< - R = Maybe, - Parent = ZeekFileData, + export type RangeResolver< + R = Maybe, + Parent = FilterTimelineResult, TContext = SiemContext > = Resolver; - export type Md5Resolver< - R = Maybe, - Parent = ZeekFileData, + export type ScriptResolver< + R = Maybe, + Parent = FilterTimelineResult, TContext = SiemContext > = Resolver; } -export namespace ZeekSslDataResolvers { - export interface Resolvers { - cipher?: CipherResolver, TypeParent, TContext>; +export namespace FilterMetaTimelineResultResolvers { + export interface Resolvers { + alias?: AliasResolver, TypeParent, TContext>; - established?: EstablishedResolver, TypeParent, TContext>; + controlledBy?: ControlledByResolver, TypeParent, TContext>; - resumed?: ResumedResolver, TypeParent, TContext>; + disabled?: DisabledResolver, TypeParent, TContext>; - version?: VersionResolver, TypeParent, TContext>; + field?: FieldResolver, TypeParent, TContext>; + + formattedValue?: FormattedValueResolver, TypeParent, TContext>; + + index?: IndexResolver, TypeParent, TContext>; + + key?: KeyResolver, TypeParent, TContext>; + + negate?: NegateResolver, TypeParent, TContext>; + + params?: ParamsResolver, TypeParent, TContext>; + + type?: TypeResolver, TypeParent, TContext>; + + value?: ValueResolver, TypeParent, TContext>; } - export type CipherResolver< - R = Maybe, - Parent = ZeekSslData, + export type AliasResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, TContext = SiemContext > = Resolver; - export type EstablishedResolver< - R = Maybe, - Parent = ZeekSslData, + export type ControlledByResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, TContext = SiemContext > = Resolver; - export type ResumedResolver< - R = Maybe, - Parent = ZeekSslData, + export type DisabledResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, TContext = SiemContext > = Resolver; - export type VersionResolver< - R = Maybe, - Parent = ZeekSslData, + export type FieldResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, TContext = SiemContext > = Resolver; -} - -export namespace HttpEcsFieldsResolvers { - export interface Resolvers { - version?: VersionResolver, TypeParent, TContext>; - - request?: RequestResolver, TypeParent, TContext>; - - response?: ResponseResolver, TypeParent, TContext>; - } - - export type VersionResolver< - R = Maybe, - Parent = HttpEcsFields, + export type FormattedValueResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, TContext = SiemContext > = Resolver; - export type RequestResolver< - R = Maybe, - Parent = HttpEcsFields, + export type IndexResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, TContext = SiemContext > = Resolver; - export type ResponseResolver< - R = Maybe, - Parent = HttpEcsFields, + export type KeyResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, + TContext = SiemContext + > = Resolver; + export type NegateResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, + TContext = SiemContext + > = Resolver; + export type ParamsResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, + TContext = SiemContext + > = Resolver; + export type TypeResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, + TContext = SiemContext + > = Resolver; + export type ValueResolver< + R = Maybe, + Parent = FilterMetaTimelineResult, TContext = SiemContext > = Resolver; } -export namespace HttpRequestDataResolvers { - export interface Resolvers { - method?: MethodResolver, TypeParent, TContext>; +export namespace SerializedFilterQueryResultResolvers { + export interface Resolvers { + filterQuery?: FilterQueryResolver, TypeParent, TContext>; + } - body?: BodyResolver, TypeParent, TContext>; + export type FilterQueryResolver< + R = Maybe, + Parent = SerializedFilterQueryResult, + TContext = SiemContext + > = Resolver; +} - referrer?: ReferrerResolver, TypeParent, TContext>; +export namespace SerializedKueryQueryResultResolvers { + export interface Resolvers { + kuery?: KueryResolver, TypeParent, TContext>; - bytes?: BytesResolver, TypeParent, TContext>; + serializedQuery?: SerializedQueryResolver, TypeParent, TContext>; } - export type MethodResolver< - R = Maybe, - Parent = HttpRequestData, - TContext = SiemContext - > = Resolver; - export type BodyResolver< - R = Maybe, - Parent = HttpRequestData, - TContext = SiemContext - > = Resolver; - export type ReferrerResolver< - R = Maybe, - Parent = HttpRequestData, + export type KueryResolver< + R = Maybe, + Parent = SerializedKueryQueryResult, TContext = SiemContext > = Resolver; - export type BytesResolver< - R = Maybe, - Parent = HttpRequestData, + export type SerializedQueryResolver< + R = Maybe, + Parent = SerializedKueryQueryResult, TContext = SiemContext > = Resolver; } -export namespace HttpBodyDataResolvers { - export interface Resolvers { - content?: ContentResolver, TypeParent, TContext>; +export namespace KueryFilterQueryResultResolvers { + export interface Resolvers { + kind?: KindResolver, TypeParent, TContext>; - bytes?: BytesResolver, TypeParent, TContext>; + expression?: ExpressionResolver, TypeParent, TContext>; } - export type ContentResolver< - R = Maybe, - Parent = HttpBodyData, + export type KindResolver< + R = Maybe, + Parent = KueryFilterQueryResult, TContext = SiemContext > = Resolver; - export type BytesResolver< - R = Maybe, - Parent = HttpBodyData, + export type ExpressionResolver< + R = Maybe, + Parent = KueryFilterQueryResult, TContext = SiemContext > = Resolver; } -export namespace HttpResponseDataResolvers { - export interface Resolvers { - status_code?: StatusCodeResolver, TypeParent, TContext>; - - body?: BodyResolver, TypeParent, TContext>; +export namespace SortTimelineResultResolvers { + export interface Resolvers { + columnId?: ColumnIdResolver, TypeParent, TContext>; - bytes?: BytesResolver, TypeParent, TContext>; + sortDirection?: SortDirectionResolver, TypeParent, TContext>; } - export type StatusCodeResolver< - R = Maybe, - Parent = HttpResponseData, - TContext = SiemContext - > = Resolver; - export type BodyResolver< - R = Maybe, - Parent = HttpResponseData, + export type ColumnIdResolver< + R = Maybe, + Parent = SortTimelineResult, TContext = SiemContext > = Resolver; - export type BytesResolver< - R = Maybe, - Parent = HttpResponseData, + export type SortDirectionResolver< + R = Maybe, + Parent = SortTimelineResult, TContext = SiemContext > = Resolver; } -export namespace UrlEcsFieldsResolvers { - export interface Resolvers { - domain?: DomainResolver, TypeParent, TContext>; +export namespace ResponseTimelinesResolvers { + export interface Resolvers { + timeline?: TimelineResolver<(Maybe)[], TypeParent, TContext>; - original?: OriginalResolver, TypeParent, TContext>; + totalCount?: TotalCountResolver, TypeParent, TContext>; - username?: UsernameResolver, TypeParent, TContext>; + defaultTimelineCount?: DefaultTimelineCountResolver, TypeParent, TContext>; - password?: PasswordResolver, TypeParent, TContext>; + templateTimelineCount?: TemplateTimelineCountResolver, TypeParent, TContext>; + + elasticTemplateTimelineCount?: ElasticTemplateTimelineCountResolver< + Maybe, + TypeParent, + TContext + >; + + customTemplateTimelineCount?: CustomTemplateTimelineCountResolver< + Maybe, + TypeParent, + TContext + >; + + favoriteCount?: FavoriteCountResolver, TypeParent, TContext>; } - export type DomainResolver< - R = Maybe, - Parent = UrlEcsFields, + export type TimelineResolver< + R = (Maybe)[], + Parent = ResponseTimelines, TContext = SiemContext > = Resolver; - export type OriginalResolver< - R = Maybe, - Parent = UrlEcsFields, + export type TotalCountResolver< + R = Maybe, + Parent = ResponseTimelines, TContext = SiemContext > = Resolver; - export type UsernameResolver< - R = Maybe, - Parent = UrlEcsFields, + export type DefaultTimelineCountResolver< + R = Maybe, + Parent = ResponseTimelines, TContext = SiemContext > = Resolver; - export type PasswordResolver< - R = Maybe, - Parent = UrlEcsFields, + export type TemplateTimelineCountResolver< + R = Maybe, + Parent = ResponseTimelines, + TContext = SiemContext + > = Resolver; + export type ElasticTemplateTimelineCountResolver< + R = Maybe, + Parent = ResponseTimelines, + TContext = SiemContext + > = Resolver; + export type CustomTemplateTimelineCountResolver< + R = Maybe, + Parent = ResponseTimelines, + TContext = SiemContext + > = Resolver; + export type FavoriteCountResolver< + R = Maybe, + Parent = ResponseTimelines, TContext = SiemContext > = Resolver; } -export namespace WinlogEcsFieldsResolvers { - export interface Resolvers { - event_id?: EventIdResolver, TypeParent, TContext>; +export namespace MutationResolvers { + export interface Resolvers { + /** Persists a note */ + persistNote?: PersistNoteResolver; + + deleteNote?: DeleteNoteResolver, TypeParent, TContext>; + + deleteNoteByTimelineId?: DeleteNoteByTimelineIdResolver, TypeParent, TContext>; + /** Persists a pinned event in a timeline */ + persistPinnedEventOnTimeline?: PersistPinnedEventOnTimelineResolver< + Maybe, + TypeParent, + TContext + >; + /** Remove a pinned events in a timeline */ + deletePinnedEventOnTimeline?: DeletePinnedEventOnTimelineResolver< + boolean, + TypeParent, + TContext + >; + /** Remove all pinned events in a timeline */ + deleteAllPinnedEventsOnTimeline?: DeleteAllPinnedEventsOnTimelineResolver< + boolean, + TypeParent, + TContext + >; + /** Persists a timeline */ + persistTimeline?: PersistTimelineResolver; + + persistFavorite?: PersistFavoriteResolver; + + deleteTimeline?: DeleteTimelineResolver; } - export type EventIdResolver< - R = Maybe, - Parent = WinlogEcsFields, + export type PersistNoteResolver = Resolver< + R, + Parent, + TContext, + PersistNoteArgs + >; + export interface PersistNoteArgs { + noteId?: Maybe; + + version?: Maybe; + + note: NoteInput; + } + + export type DeleteNoteResolver< + R = Maybe, + Parent = {}, TContext = SiemContext - > = Resolver; -} + > = Resolver; + export interface DeleteNoteArgs { + id: string[]; + } -export namespace ProcessEcsFieldsResolvers { - export interface Resolvers { - hash?: HashResolver, TypeParent, TContext>; + export type DeleteNoteByTimelineIdResolver< + R = Maybe, + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface DeleteNoteByTimelineIdArgs { + timelineId: string; - pid?: PidResolver, TypeParent, TContext>; + version?: Maybe; + } + + export type PersistPinnedEventOnTimelineResolver< + R = Maybe, + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface PersistPinnedEventOnTimelineArgs { + pinnedEventId?: Maybe; + + eventId: string; + + timelineId?: Maybe; + } + + export type DeletePinnedEventOnTimelineResolver< + R = boolean, + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface DeletePinnedEventOnTimelineArgs { + id: string[]; + } + + export type DeleteAllPinnedEventsOnTimelineResolver< + R = boolean, + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface DeleteAllPinnedEventsOnTimelineArgs { + timelineId: string; + } - name?: NameResolver, TypeParent, TContext>; + export type PersistTimelineResolver< + R = ResponseTimeline, + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface PersistTimelineArgs { + id?: Maybe; - ppid?: PpidResolver, TypeParent, TContext>; + version?: Maybe; - args?: ArgsResolver, TypeParent, TContext>; + timeline: TimelineInput; + } - entity_id?: EntityIdResolver, TypeParent, TContext>; + export type PersistFavoriteResolver< + R = ResponseFavoriteTimeline, + Parent = {}, + TContext = SiemContext + > = Resolver; + export interface PersistFavoriteArgs { + timelineId?: Maybe; + } - executable?: ExecutableResolver, TypeParent, TContext>; + export type DeleteTimelineResolver = Resolver< + R, + Parent, + TContext, + DeleteTimelineArgs + >; + export interface DeleteTimelineArgs { + id: string[]; + } +} - title?: TitleResolver, TypeParent, TContext>; +export namespace ResponseNoteResolvers { + export interface Resolvers { + code?: CodeResolver, TypeParent, TContext>; - thread?: ThreadResolver, TypeParent, TContext>; + message?: MessageResolver, TypeParent, TContext>; - working_directory?: WorkingDirectoryResolver, TypeParent, TContext>; + note?: NoteResolver; } - export type HashResolver< - R = Maybe, - Parent = ProcessEcsFields, - TContext = SiemContext - > = Resolver; - export type PidResolver< - R = Maybe, - Parent = ProcessEcsFields, - TContext = SiemContext - > = Resolver; - export type NameResolver< - R = Maybe, - Parent = ProcessEcsFields, - TContext = SiemContext - > = Resolver; - export type PpidResolver< - R = Maybe, - Parent = ProcessEcsFields, - TContext = SiemContext - > = Resolver; - export type ArgsResolver< - R = Maybe, - Parent = ProcessEcsFields, + export type CodeResolver< + R = Maybe, + Parent = ResponseNote, TContext = SiemContext > = Resolver; - export type EntityIdResolver< - R = Maybe, - Parent = ProcessEcsFields, + export type MessageResolver< + R = Maybe, + Parent = ResponseNote, TContext = SiemContext > = Resolver; - export type ExecutableResolver< - R = Maybe, - Parent = ProcessEcsFields, + export type NoteResolver< + R = NoteResult, + Parent = ResponseNote, TContext = SiemContext > = Resolver; - export type TitleResolver< - R = Maybe, - Parent = ProcessEcsFields, +} + +export namespace ResponseTimelineResolvers { + export interface Resolvers { + code?: CodeResolver, TypeParent, TContext>; + + message?: MessageResolver, TypeParent, TContext>; + + timeline?: TimelineResolver; + } + + export type CodeResolver< + R = Maybe, + Parent = ResponseTimeline, TContext = SiemContext > = Resolver; - export type ThreadResolver< - R = Maybe, - Parent = ProcessEcsFields, + export type MessageResolver< + R = Maybe, + Parent = ResponseTimeline, TContext = SiemContext > = Resolver; - export type WorkingDirectoryResolver< - R = Maybe, - Parent = ProcessEcsFields, + export type TimelineResolver< + R = TimelineResult, + Parent = ResponseTimeline, TContext = SiemContext > = Resolver; } -export namespace ProcessHashDataResolvers { - export interface Resolvers { - md5?: Md5Resolver, TypeParent, TContext>; +export namespace ResponseFavoriteTimelineResolvers { + export interface Resolvers { + code?: CodeResolver, TypeParent, TContext>; - sha1?: Sha1Resolver, TypeParent, TContext>; + message?: MessageResolver, TypeParent, TContext>; - sha256?: Sha256Resolver, TypeParent, TContext>; + savedObjectId?: SavedObjectIdResolver; + + version?: VersionResolver; + + favorite?: FavoriteResolver, TypeParent, TContext>; } - export type Md5Resolver< - R = Maybe, - Parent = ProcessHashData, + export type CodeResolver< + R = Maybe, + Parent = ResponseFavoriteTimeline, TContext = SiemContext > = Resolver; - export type Sha1Resolver< - R = Maybe, - Parent = ProcessHashData, + export type MessageResolver< + R = Maybe, + Parent = ResponseFavoriteTimeline, TContext = SiemContext > = Resolver; - export type Sha256Resolver< - R = Maybe, - Parent = ProcessHashData, + export type SavedObjectIdResolver< + R = string, + Parent = ResponseFavoriteTimeline, TContext = SiemContext > = Resolver; -} - -export namespace ThreadResolvers { - export interface Resolvers { - id?: IdResolver, TypeParent, TContext>; - - start?: StartResolver, TypeParent, TContext>; - } - - export type IdResolver< - R = Maybe, - Parent = Thread, + export type VersionResolver< + R = string, + Parent = ResponseFavoriteTimeline, TContext = SiemContext > = Resolver; - export type StartResolver< - R = Maybe, - Parent = Thread, + export type FavoriteResolver< + R = Maybe, + Parent = ResponseFavoriteTimeline, TContext = SiemContext > = Resolver; } -export namespace FileFieldsResolvers { - export interface Resolvers { - name?: NameResolver, TypeParent, TContext>; +export namespace EventEcsFieldsResolvers { + export interface Resolvers { + action?: ActionResolver, TypeParent, TContext>; - path?: PathResolver, TypeParent, TContext>; + category?: CategoryResolver, TypeParent, TContext>; - target_path?: TargetPathResolver, TypeParent, TContext>; + code?: CodeResolver, TypeParent, TContext>; - extension?: ExtensionResolver, TypeParent, TContext>; + created?: CreatedResolver, TypeParent, TContext>; - type?: TypeResolver, TypeParent, TContext>; + dataset?: DatasetResolver, TypeParent, TContext>; - device?: DeviceResolver, TypeParent, TContext>; + duration?: DurationResolver, TypeParent, TContext>; - inode?: InodeResolver, TypeParent, TContext>; + end?: EndResolver, TypeParent, TContext>; - uid?: UidResolver, TypeParent, TContext>; + hash?: HashResolver, TypeParent, TContext>; - owner?: OwnerResolver, TypeParent, TContext>; + id?: IdResolver, TypeParent, TContext>; - gid?: GidResolver, TypeParent, TContext>; + kind?: KindResolver, TypeParent, TContext>; - group?: GroupResolver, TypeParent, TContext>; + module?: ModuleResolver, TypeParent, TContext>; - mode?: ModeResolver, TypeParent, TContext>; + original?: OriginalResolver, TypeParent, TContext>; - size?: SizeResolver, TypeParent, TContext>; + outcome?: OutcomeResolver, TypeParent, TContext>; - mtime?: MtimeResolver, TypeParent, TContext>; + risk_score?: RiskScoreResolver, TypeParent, TContext>; - ctime?: CtimeResolver, TypeParent, TContext>; + risk_score_norm?: RiskScoreNormResolver, TypeParent, TContext>; + + severity?: SeverityResolver, TypeParent, TContext>; + + start?: StartResolver, TypeParent, TContext>; + + timezone?: TimezoneResolver, TypeParent, TContext>; + + type?: TypeResolver, TypeParent, TContext>; } - export type NameResolver< - R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; - export type PathResolver< - R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; - export type TargetPathResolver< - R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; - export type ExtensionResolver< - R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; - export type DeviceResolver< - R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; - export type InodeResolver< - R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; - export type UidResolver< + export type ActionResolver< R = Maybe, - Parent = FileFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type OwnerResolver< + export type CategoryResolver< R = Maybe, - Parent = FileFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type GidResolver< + export type CodeResolver< R = Maybe, - Parent = FileFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type GroupResolver< + export type CreatedResolver< R = Maybe, - Parent = FileFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type ModeResolver< + export type DatasetResolver< R = Maybe, - Parent = FileFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type SizeResolver< + export type DurationResolver< R = Maybe, - Parent = FileFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type MtimeResolver< + export type EndResolver< R = Maybe, - Parent = FileFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type CtimeResolver< + export type HashResolver< R = Maybe, - Parent = FileFields, - TContext = SiemContext - > = Resolver; -} - -export namespace SystemEcsFieldResolvers { - export interface Resolvers { - audit?: AuditResolver, TypeParent, TContext>; - - auth?: AuthResolver, TypeParent, TContext>; - } - - export type AuditResolver< - R = Maybe, - Parent = SystemEcsField, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type AuthResolver< - R = Maybe, - Parent = SystemEcsField, + export type IdResolver< + R = Maybe, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace AuditEcsFieldsResolvers { - export interface Resolvers { - package?: PackageResolver, TypeParent, TContext>; - } - - export type PackageResolver< - R = Maybe, - Parent = AuditEcsFields, + export type KindResolver< + R = Maybe, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace PackageEcsFieldsResolvers { - export interface Resolvers { - arch?: ArchResolver, TypeParent, TContext>; - - entity_id?: EntityIdResolver, TypeParent, TContext>; - - name?: NameResolver, TypeParent, TContext>; - - size?: SizeResolver, TypeParent, TContext>; - - summary?: SummaryResolver, TypeParent, TContext>; - - version?: VersionResolver, TypeParent, TContext>; - } - - export type ArchResolver< + export type ModuleResolver< R = Maybe, - Parent = PackageEcsFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type EntityIdResolver< + export type OriginalResolver< R = Maybe, - Parent = PackageEcsFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type NameResolver< + export type OutcomeResolver< R = Maybe, - Parent = PackageEcsFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type SizeResolver< + export type RiskScoreResolver< R = Maybe, - Parent = PackageEcsFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type SummaryResolver< - R = Maybe, - Parent = PackageEcsFields, + export type RiskScoreNormResolver< + R = Maybe, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type VersionResolver< - R = Maybe, - Parent = PackageEcsFields, + export type SeverityResolver< + R = Maybe, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace AuthEcsFieldsResolvers { - export interface Resolvers { - ssh?: SshResolver, TypeParent, TContext>; - } - - export type SshResolver< - R = Maybe, - Parent = AuthEcsFields, + export type StartResolver< + R = Maybe, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace SshEcsFieldsResolvers { - export interface Resolvers { - method?: MethodResolver, TypeParent, TContext>; - - signature?: SignatureResolver, TypeParent, TContext>; - } - - export type MethodResolver< + export type TimezoneResolver< R = Maybe, - Parent = SshEcsFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; - export type SignatureResolver< + export type TypeResolver< R = Maybe, - Parent = SshEcsFields, + Parent = EventEcsFields, TContext = SiemContext > = Resolver; } -export namespace PageInfoResolvers { - export interface Resolvers { - endCursor?: EndCursorResolver, TypeParent, TContext>; +export namespace LocationResolvers { + export interface Resolvers { + lon?: LonResolver, TypeParent, TContext>; - hasNextPage?: HasNextPageResolver, TypeParent, TContext>; + lat?: LatResolver, TypeParent, TContext>; } - export type EndCursorResolver< - R = Maybe, - Parent = PageInfo, + export type LonResolver< + R = Maybe, + Parent = Location, TContext = SiemContext > = Resolver; - export type HasNextPageResolver< - R = Maybe, - Parent = PageInfo, + export type LatResolver< + R = Maybe, + Parent = Location, TContext = SiemContext > = Resolver; } -export namespace TimelineDetailsDataResolvers { - export interface Resolvers { - data?: DataResolver, TypeParent, TContext>; +export namespace GeoEcsFieldsResolvers { + export interface Resolvers { + city_name?: CityNameResolver, TypeParent, TContext>; - inspect?: InspectResolver, TypeParent, TContext>; - } + continent_name?: ContinentNameResolver, TypeParent, TContext>; - export type DataResolver< - R = Maybe, - Parent = TimelineDetailsData, - TContext = SiemContext - > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = TimelineDetailsData, - TContext = SiemContext - > = Resolver; -} + country_iso_code?: CountryIsoCodeResolver, TypeParent, TContext>; + + country_name?: CountryNameResolver, TypeParent, TContext>; -export namespace DetailItemResolvers { - export interface Resolvers { - field?: FieldResolver; + location?: LocationResolver, TypeParent, TContext>; - values?: ValuesResolver, TypeParent, TContext>; + region_iso_code?: RegionIsoCodeResolver, TypeParent, TContext>; - originalValue?: OriginalValueResolver, TypeParent, TContext>; + region_name?: RegionNameResolver, TypeParent, TContext>; } - export type FieldResolver = Resolver< - R, - Parent, - TContext - >; - export type ValuesResolver< + export type CityNameResolver< R = Maybe, - Parent = DetailItem, - TContext = SiemContext - > = Resolver; - export type OriginalValueResolver< - R = Maybe, - Parent = DetailItem, + Parent = GeoEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace LastEventTimeDataResolvers { - export interface Resolvers { - lastSeen?: LastSeenResolver, TypeParent, TContext>; - - inspect?: InspectResolver, TypeParent, TContext>; - } - - export type LastSeenResolver< - R = Maybe, - Parent = LastEventTimeData, + export type ContinentNameResolver< + R = Maybe, + Parent = GeoEcsFields, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = LastEventTimeData, + export type CountryIsoCodeResolver< + R = Maybe, + Parent = GeoEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace HostsDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; - - pageInfo?: PageInfoResolver; - - inspect?: InspectResolver, TypeParent, TContext>; - } - - export type EdgesResolver< - R = HostsEdges[], - Parent = HostsData, + export type CountryNameResolver< + R = Maybe, + Parent = GeoEcsFields, TContext = SiemContext > = Resolver; - export type TotalCountResolver = Resolver< - R, - Parent, - TContext - >; - export type PageInfoResolver< - R = PageInfoPaginated, - Parent = HostsData, + export type LocationResolver< + R = Maybe, + Parent = GeoEcsFields, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = HostsData, + export type RegionIsoCodeResolver< + R = Maybe, + Parent = GeoEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace HostsEdgesResolvers { - export interface Resolvers { - node?: NodeResolver; - - cursor?: CursorResolver; - } - - export type NodeResolver = Resolver< - R, - Parent, - TContext - >; - export type CursorResolver< - R = CursorType, - Parent = HostsEdges, + export type RegionNameResolver< + R = Maybe, + Parent = GeoEcsFields, TContext = SiemContext > = Resolver; -} - -export namespace HostItemResolvers { - export interface Resolvers { - _id?: _IdResolver, TypeParent, TContext>; - - cloud?: CloudResolver, TypeParent, TContext>; - - endpoint?: EndpointResolver, TypeParent, TContext>; +} - host?: HostResolver, TypeParent, TContext>; +export namespace PrimarySecondaryResolvers { + export interface Resolvers { + primary?: PrimaryResolver, TypeParent, TContext>; - inspect?: InspectResolver, TypeParent, TContext>; + secondary?: SecondaryResolver, TypeParent, TContext>; - lastSeen?: LastSeenResolver, TypeParent, TContext>; + type?: TypeResolver, TypeParent, TContext>; } - export type _IdResolver, Parent = HostItem, TContext = SiemContext> = Resolver< - R, - Parent, - TContext - >; - export type CloudResolver< - R = Maybe, - Parent = HostItem, - TContext = SiemContext - > = Resolver; - export type EndpointResolver< - R = Maybe, - Parent = HostItem, - TContext = SiemContext - > = Resolver; - export type HostResolver< - R = Maybe, - Parent = HostItem, + export type PrimaryResolver< + R = Maybe, + Parent = PrimarySecondary, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = HostItem, + export type SecondaryResolver< + R = Maybe, + Parent = PrimarySecondary, TContext = SiemContext > = Resolver; - export type LastSeenResolver< - R = Maybe, - Parent = HostItem, + export type TypeResolver< + R = Maybe, + Parent = PrimarySecondary, TContext = SiemContext > = Resolver; } -export namespace CloudFieldsResolvers { - export interface Resolvers { - instance?: InstanceResolver, TypeParent, TContext>; +export namespace SummaryResolvers { + export interface Resolvers { + actor?: ActorResolver, TypeParent, TContext>; - machine?: MachineResolver, TypeParent, TContext>; + object?: ObjectResolver, TypeParent, TContext>; - provider?: ProviderResolver)[]>, TypeParent, TContext>; + how?: HowResolver, TypeParent, TContext>; - region?: RegionResolver)[]>, TypeParent, TContext>; + message_type?: MessageTypeResolver, TypeParent, TContext>; + + sequence?: SequenceResolver, TypeParent, TContext>; } - export type InstanceResolver< - R = Maybe, - Parent = CloudFields, + export type ActorResolver< + R = Maybe, + Parent = Summary, TContext = SiemContext > = Resolver; - export type MachineResolver< - R = Maybe, - Parent = CloudFields, + export type ObjectResolver< + R = Maybe, + Parent = Summary, TContext = SiemContext > = Resolver; - export type ProviderResolver< - R = Maybe<(Maybe)[]>, - Parent = CloudFields, + export type HowResolver< + R = Maybe, + Parent = Summary, TContext = SiemContext > = Resolver; - export type RegionResolver< - R = Maybe<(Maybe)[]>, - Parent = CloudFields, + export type MessageTypeResolver< + R = Maybe, + Parent = Summary, + TContext = SiemContext + > = Resolver; + export type SequenceResolver< + R = Maybe, + Parent = Summary, TContext = SiemContext > = Resolver; } -export namespace CloudInstanceResolvers { - export interface Resolvers { - id?: IdResolver)[]>, TypeParent, TContext>; +export namespace AgentEcsFieldResolvers { + export interface Resolvers { + type?: TypeResolver, TypeParent, TContext>; } - export type IdResolver< - R = Maybe<(Maybe)[]>, - Parent = CloudInstance, + export type TypeResolver< + R = Maybe, + Parent = AgentEcsField, TContext = SiemContext > = Resolver; } -export namespace CloudMachineResolvers { - export interface Resolvers { - type?: TypeResolver)[]>, TypeParent, TContext>; +export namespace AuditdDataResolvers { + export interface Resolvers { + acct?: AcctResolver, TypeParent, TContext>; + + terminal?: TerminalResolver, TypeParent, TContext>; + + op?: OpResolver, TypeParent, TContext>; } - export type TypeResolver< - R = Maybe<(Maybe)[]>, - Parent = CloudMachine, + export type AcctResolver< + R = Maybe, + Parent = AuditdData, + TContext = SiemContext + > = Resolver; + export type TerminalResolver< + R = Maybe, + Parent = AuditdData, + TContext = SiemContext + > = Resolver; + export type OpResolver< + R = Maybe, + Parent = AuditdData, TContext = SiemContext > = Resolver; } -export namespace EndpointFieldsResolvers { - export interface Resolvers { - endpointPolicy?: EndpointPolicyResolver, TypeParent, TContext>; +export namespace AuditdEcsFieldsResolvers { + export interface Resolvers { + result?: ResultResolver, TypeParent, TContext>; - sensorVersion?: SensorVersionResolver, TypeParent, TContext>; + session?: SessionResolver, TypeParent, TContext>; - policyStatus?: PolicyStatusResolver< - Maybe, - TypeParent, - TContext - >; + data?: DataResolver, TypeParent, TContext>; + + summary?: SummaryResolver, TypeParent, TContext>; + + sequence?: SequenceResolver, TypeParent, TContext>; } - export type EndpointPolicyResolver< - R = Maybe, - Parent = EndpointFields, + export type ResultResolver< + R = Maybe, + Parent = AuditdEcsFields, TContext = SiemContext > = Resolver; - export type SensorVersionResolver< - R = Maybe, - Parent = EndpointFields, + export type SessionResolver< + R = Maybe, + Parent = AuditdEcsFields, TContext = SiemContext > = Resolver; - export type PolicyStatusResolver< - R = Maybe, - Parent = EndpointFields, + export type DataResolver< + R = Maybe, + Parent = AuditdEcsFields, + TContext = SiemContext + > = Resolver; + export type SummaryResolver< + R = Maybe, + Parent = AuditdEcsFields, + TContext = SiemContext + > = Resolver; + export type SequenceResolver< + R = Maybe, + Parent = AuditdEcsFields, TContext = SiemContext > = Resolver; } -export namespace FirstLastSeenHostResolvers { - export interface Resolvers { - inspect?: InspectResolver, TypeParent, TContext>; +export namespace ThreadResolvers { + export interface Resolvers { + id?: IdResolver, TypeParent, TContext>; - firstSeen?: FirstSeenResolver, TypeParent, TContext>; + start?: StartResolver, TypeParent, TContext>; + } - lastSeen?: LastSeenResolver, TypeParent, TContext>; + export type IdResolver< + R = Maybe, + Parent = Thread, + TContext = SiemContext + > = Resolver; + export type StartResolver< + R = Maybe, + Parent = Thread, + TContext = SiemContext + > = Resolver; +} + +export namespace ProcessHashDataResolvers { + export interface Resolvers { + md5?: Md5Resolver, TypeParent, TContext>; + + sha1?: Sha1Resolver, TypeParent, TContext>; + + sha256?: Sha256Resolver, TypeParent, TContext>; } - export type InspectResolver< - R = Maybe, - Parent = FirstLastSeenHost, + export type Md5Resolver< + R = Maybe, + Parent = ProcessHashData, TContext = SiemContext > = Resolver; - export type FirstSeenResolver< - R = Maybe, - Parent = FirstLastSeenHost, + export type Sha1Resolver< + R = Maybe, + Parent = ProcessHashData, TContext = SiemContext > = Resolver; - export type LastSeenResolver< - R = Maybe, - Parent = FirstLastSeenHost, + export type Sha256Resolver< + R = Maybe, + Parent = ProcessHashData, TContext = SiemContext > = Resolver; } -export namespace KpiNetworkDataResolvers { - export interface Resolvers { - networkEvents?: NetworkEventsResolver, TypeParent, TContext>; +export namespace ProcessEcsFieldsResolvers { + export interface Resolvers { + hash?: HashResolver, TypeParent, TContext>; - uniqueFlowId?: UniqueFlowIdResolver, TypeParent, TContext>; + pid?: PidResolver, TypeParent, TContext>; - uniqueSourcePrivateIps?: UniqueSourcePrivateIpsResolver, TypeParent, TContext>; + name?: NameResolver, TypeParent, TContext>; - uniqueSourcePrivateIpsHistogram?: UniqueSourcePrivateIpsHistogramResolver< - Maybe, - TypeParent, - TContext - >; + ppid?: PpidResolver, TypeParent, TContext>; - uniqueDestinationPrivateIps?: UniqueDestinationPrivateIpsResolver< - Maybe, - TypeParent, - TContext - >; + args?: ArgsResolver, TypeParent, TContext>; - uniqueDestinationPrivateIpsHistogram?: UniqueDestinationPrivateIpsHistogramResolver< - Maybe, - TypeParent, - TContext - >; + entity_id?: EntityIdResolver, TypeParent, TContext>; + + executable?: ExecutableResolver, TypeParent, TContext>; - dnsQueries?: DnsQueriesResolver, TypeParent, TContext>; + title?: TitleResolver, TypeParent, TContext>; - tlsHandshakes?: TlsHandshakesResolver, TypeParent, TContext>; + thread?: ThreadResolver, TypeParent, TContext>; - inspect?: InspectResolver, TypeParent, TContext>; + working_directory?: WorkingDirectoryResolver, TypeParent, TContext>; } - export type NetworkEventsResolver< - R = Maybe, - Parent = KpiNetworkData, + export type HashResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type UniqueFlowIdResolver< - R = Maybe, - Parent = KpiNetworkData, + export type PidResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type UniqueSourcePrivateIpsResolver< - R = Maybe, - Parent = KpiNetworkData, + export type NameResolver< + R = Maybe, + Parent = ProcessEcsFields, + TContext = SiemContext + > = Resolver; + export type PpidResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type UniqueSourcePrivateIpsHistogramResolver< - R = Maybe, - Parent = KpiNetworkData, + export type ArgsResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type UniqueDestinationPrivateIpsResolver< - R = Maybe, - Parent = KpiNetworkData, + export type EntityIdResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type UniqueDestinationPrivateIpsHistogramResolver< - R = Maybe, - Parent = KpiNetworkData, + export type ExecutableResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type DnsQueriesResolver< - R = Maybe, - Parent = KpiNetworkData, + export type TitleResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type TlsHandshakesResolver< - R = Maybe, - Parent = KpiNetworkData, + export type ThreadResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = KpiNetworkData, + export type WorkingDirectoryResolver< + R = Maybe, + Parent = ProcessEcsFields, TContext = SiemContext > = Resolver; } -export namespace KpiNetworkHistogramDataResolvers { - export interface Resolvers { - x?: XResolver, TypeParent, TContext>; +export namespace SourceEcsFieldsResolvers { + export interface Resolvers { + bytes?: BytesResolver, TypeParent, TContext>; + + ip?: IpResolver, TypeParent, TContext>; + + port?: PortResolver, TypeParent, TContext>; + + domain?: DomainResolver, TypeParent, TContext>; + + geo?: GeoResolver, TypeParent, TContext>; - y?: YResolver, TypeParent, TContext>; + packets?: PacketsResolver, TypeParent, TContext>; } - export type XResolver< - R = Maybe, - Parent = KpiNetworkHistogramData, + export type BytesResolver< + R = Maybe, + Parent = SourceEcsFields, TContext = SiemContext > = Resolver; - export type YResolver< - R = Maybe, - Parent = KpiNetworkHistogramData, + export type IpResolver< + R = Maybe, + Parent = SourceEcsFields, + TContext = SiemContext + > = Resolver; + export type PortResolver< + R = Maybe, + Parent = SourceEcsFields, + TContext = SiemContext + > = Resolver; + export type DomainResolver< + R = Maybe, + Parent = SourceEcsFields, + TContext = SiemContext + > = Resolver; + export type GeoResolver< + R = Maybe, + Parent = SourceEcsFields, + TContext = SiemContext + > = Resolver; + export type PacketsResolver< + R = Maybe, + Parent = SourceEcsFields, TContext = SiemContext > = Resolver; } -export namespace KpiHostsDataResolvers { - export interface Resolvers { - hosts?: HostsResolver, TypeParent, TContext>; - - hostsHistogram?: HostsHistogramResolver, TypeParent, TContext>; - - authSuccess?: AuthSuccessResolver, TypeParent, TContext>; - - authSuccessHistogram?: AuthSuccessHistogramResolver< - Maybe, - TypeParent, - TContext - >; - - authFailure?: AuthFailureResolver, TypeParent, TContext>; - - authFailureHistogram?: AuthFailureHistogramResolver< - Maybe, - TypeParent, - TContext - >; +export namespace DestinationEcsFieldsResolvers { + export interface Resolvers { + bytes?: BytesResolver, TypeParent, TContext>; - uniqueSourceIps?: UniqueSourceIpsResolver, TypeParent, TContext>; + ip?: IpResolver, TypeParent, TContext>; - uniqueSourceIpsHistogram?: UniqueSourceIpsHistogramResolver< - Maybe, - TypeParent, - TContext - >; + port?: PortResolver, TypeParent, TContext>; - uniqueDestinationIps?: UniqueDestinationIpsResolver, TypeParent, TContext>; + domain?: DomainResolver, TypeParent, TContext>; - uniqueDestinationIpsHistogram?: UniqueDestinationIpsHistogramResolver< - Maybe, - TypeParent, - TContext - >; + geo?: GeoResolver, TypeParent, TContext>; - inspect?: InspectResolver, TypeParent, TContext>; + packets?: PacketsResolver, TypeParent, TContext>; } - export type HostsResolver< - R = Maybe, - Parent = KpiHostsData, - TContext = SiemContext - > = Resolver; - export type HostsHistogramResolver< - R = Maybe, - Parent = KpiHostsData, - TContext = SiemContext - > = Resolver; - export type AuthSuccessResolver< - R = Maybe, - Parent = KpiHostsData, - TContext = SiemContext - > = Resolver; - export type AuthSuccessHistogramResolver< - R = Maybe, - Parent = KpiHostsData, + export type BytesResolver< + R = Maybe, + Parent = DestinationEcsFields, TContext = SiemContext > = Resolver; - export type AuthFailureResolver< - R = Maybe, - Parent = KpiHostsData, + export type IpResolver< + R = Maybe, + Parent = DestinationEcsFields, TContext = SiemContext > = Resolver; - export type AuthFailureHistogramResolver< - R = Maybe, - Parent = KpiHostsData, + export type PortResolver< + R = Maybe, + Parent = DestinationEcsFields, TContext = SiemContext > = Resolver; - export type UniqueSourceIpsResolver< - R = Maybe, - Parent = KpiHostsData, + export type DomainResolver< + R = Maybe, + Parent = DestinationEcsFields, TContext = SiemContext > = Resolver; - export type UniqueSourceIpsHistogramResolver< - R = Maybe, - Parent = KpiHostsData, + export type GeoResolver< + R = Maybe, + Parent = DestinationEcsFields, TContext = SiemContext > = Resolver; - export type UniqueDestinationIpsResolver< - R = Maybe, - Parent = KpiHostsData, + export type PacketsResolver< + R = Maybe, + Parent = DestinationEcsFields, TContext = SiemContext > = Resolver; - export type UniqueDestinationIpsHistogramResolver< - R = Maybe, - Parent = KpiHostsData, +} + +export namespace DnsQuestionDataResolvers { + export interface Resolvers { + name?: NameResolver, TypeParent, TContext>; + + type?: TypeResolver, TypeParent, TContext>; + } + + export type NameResolver< + R = Maybe, + Parent = DnsQuestionData, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = KpiHostsData, + export type TypeResolver< + R = Maybe, + Parent = DnsQuestionData, TContext = SiemContext > = Resolver; } -export namespace KpiHostHistogramDataResolvers { - export interface Resolvers { - x?: XResolver, TypeParent, TContext>; +export namespace DnsEcsFieldsResolvers { + export interface Resolvers { + question?: QuestionResolver, TypeParent, TContext>; + + resolved_ip?: ResolvedIpResolver, TypeParent, TContext>; - y?: YResolver, TypeParent, TContext>; + response_code?: ResponseCodeResolver, TypeParent, TContext>; } - export type XResolver< - R = Maybe, - Parent = KpiHostHistogramData, + export type QuestionResolver< + R = Maybe, + Parent = DnsEcsFields, TContext = SiemContext > = Resolver; - export type YResolver< - R = Maybe, - Parent = KpiHostHistogramData, + export type ResolvedIpResolver< + R = Maybe, + Parent = DnsEcsFields, + TContext = SiemContext + > = Resolver; + export type ResponseCodeResolver< + R = Maybe, + Parent = DnsEcsFields, TContext = SiemContext > = Resolver; } -export namespace KpiHostDetailsDataResolvers { - export interface Resolvers { - authSuccess?: AuthSuccessResolver, TypeParent, TContext>; +export namespace EndgameEcsFieldsResolvers { + export interface Resolvers { + exit_code?: ExitCodeResolver, TypeParent, TContext>; - authSuccessHistogram?: AuthSuccessHistogramResolver< - Maybe, - TypeParent, - TContext - >; + file_name?: FileNameResolver, TypeParent, TContext>; - authFailure?: AuthFailureResolver, TypeParent, TContext>; + file_path?: FilePathResolver, TypeParent, TContext>; - authFailureHistogram?: AuthFailureHistogramResolver< - Maybe, - TypeParent, - TContext - >; + logon_type?: LogonTypeResolver, TypeParent, TContext>; - uniqueSourceIps?: UniqueSourceIpsResolver, TypeParent, TContext>; + parent_process_name?: ParentProcessNameResolver, TypeParent, TContext>; - uniqueSourceIpsHistogram?: UniqueSourceIpsHistogramResolver< - Maybe, - TypeParent, - TContext - >; + pid?: PidResolver, TypeParent, TContext>; - uniqueDestinationIps?: UniqueDestinationIpsResolver, TypeParent, TContext>; + process_name?: ProcessNameResolver, TypeParent, TContext>; - uniqueDestinationIpsHistogram?: UniqueDestinationIpsHistogramResolver< - Maybe, - TypeParent, - TContext - >; + subject_domain_name?: SubjectDomainNameResolver, TypeParent, TContext>; - inspect?: InspectResolver, TypeParent, TContext>; + subject_logon_id?: SubjectLogonIdResolver, TypeParent, TContext>; + + subject_user_name?: SubjectUserNameResolver, TypeParent, TContext>; + + target_domain_name?: TargetDomainNameResolver, TypeParent, TContext>; + + target_logon_id?: TargetLogonIdResolver, TypeParent, TContext>; + + target_user_name?: TargetUserNameResolver, TypeParent, TContext>; } - export type AuthSuccessResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type ExitCodeResolver< + R = Maybe, + Parent = EndgameEcsFields, + TContext = SiemContext + > = Resolver; + export type FileNameResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type AuthSuccessHistogramResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type FilePathResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type AuthFailureResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type LogonTypeResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type AuthFailureHistogramResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type ParentProcessNameResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type UniqueSourceIpsResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type PidResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type UniqueSourceIpsHistogramResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type ProcessNameResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type UniqueDestinationIpsResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type SubjectDomainNameResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type UniqueDestinationIpsHistogramResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type SubjectLogonIdResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = KpiHostDetailsData, + export type SubjectUserNameResolver< + R = Maybe, + Parent = EndgameEcsFields, + TContext = SiemContext + > = Resolver; + export type TargetDomainNameResolver< + R = Maybe, + Parent = EndgameEcsFields, + TContext = SiemContext + > = Resolver; + export type TargetLogonIdResolver< + R = Maybe, + Parent = EndgameEcsFields, + TContext = SiemContext + > = Resolver; + export type TargetUserNameResolver< + R = Maybe, + Parent = EndgameEcsFields, TContext = SiemContext > = Resolver; } -export namespace MatrixHistogramOverTimeDataResolvers { - export interface Resolvers { - inspect?: InspectResolver, TypeParent, TContext>; - - matrixHistogramData?: MatrixHistogramDataResolver< - MatrixOverTimeHistogramData[], - TypeParent, - TContext - >; - - totalCount?: TotalCountResolver; - } +export namespace SuricataAlertDataResolvers { + export interface Resolvers { + signature?: SignatureResolver, TypeParent, TContext>; - export type InspectResolver< - R = Maybe, - Parent = MatrixHistogramOverTimeData, - TContext = SiemContext - > = Resolver; - export type MatrixHistogramDataResolver< - R = MatrixOverTimeHistogramData[], - Parent = MatrixHistogramOverTimeData, + signature_id?: SignatureIdResolver, TypeParent, TContext>; + } + + export type SignatureResolver< + R = Maybe, + Parent = SuricataAlertData, TContext = SiemContext > = Resolver; - export type TotalCountResolver< - R = number, - Parent = MatrixHistogramOverTimeData, + export type SignatureIdResolver< + R = Maybe, + Parent = SuricataAlertData, TContext = SiemContext > = Resolver; } -export namespace MatrixOverTimeHistogramDataResolvers { - export interface Resolvers { - x?: XResolver, TypeParent, TContext>; +export namespace SuricataEveDataResolvers { + export interface Resolvers { + alert?: AlertResolver, TypeParent, TContext>; - y?: YResolver, TypeParent, TContext>; + flow_id?: FlowIdResolver, TypeParent, TContext>; - g?: GResolver, TypeParent, TContext>; + proto?: ProtoResolver, TypeParent, TContext>; } - export type XResolver< - R = Maybe, - Parent = MatrixOverTimeHistogramData, + export type AlertResolver< + R = Maybe, + Parent = SuricataEveData, TContext = SiemContext > = Resolver; - export type YResolver< - R = Maybe, - Parent = MatrixOverTimeHistogramData, + export type FlowIdResolver< + R = Maybe, + Parent = SuricataEveData, TContext = SiemContext > = Resolver; - export type GResolver< - R = Maybe, - Parent = MatrixOverTimeHistogramData, + export type ProtoResolver< + R = Maybe, + Parent = SuricataEveData, TContext = SiemContext > = Resolver; } -export namespace NetworkTopCountriesDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; - - pageInfo?: PageInfoResolver; - - inspect?: InspectResolver, TypeParent, TContext>; +export namespace SuricataEcsFieldsResolvers { + export interface Resolvers { + eve?: EveResolver, TypeParent, TContext>; } - export type EdgesResolver< - R = NetworkTopCountriesEdges[], - Parent = NetworkTopCountriesData, + export type EveResolver< + R = Maybe, + Parent = SuricataEcsFields, TContext = SiemContext > = Resolver; - export type TotalCountResolver< - R = number, - Parent = NetworkTopCountriesData, +} + +export namespace TlsJa3DataResolvers { + export interface Resolvers { + hash?: HashResolver, TypeParent, TContext>; + } + + export type HashResolver< + R = Maybe, + Parent = TlsJa3Data, TContext = SiemContext > = Resolver; - export type PageInfoResolver< - R = PageInfoPaginated, - Parent = NetworkTopCountriesData, +} + +export namespace FingerprintDataResolvers { + export interface Resolvers { + sha1?: Sha1Resolver, TypeParent, TContext>; + } + + export type Sha1Resolver< + R = Maybe, + Parent = FingerprintData, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = NetworkTopCountriesData, +} + +export namespace TlsClientCertificateDataResolvers { + export interface Resolvers { + fingerprint?: FingerprintResolver, TypeParent, TContext>; + } + + export type FingerprintResolver< + R = Maybe, + Parent = TlsClientCertificateData, TContext = SiemContext > = Resolver; } -export namespace NetworkTopCountriesEdgesResolvers { - export interface Resolvers { - node?: NodeResolver; - - cursor?: CursorResolver; +export namespace TlsServerCertificateDataResolvers { + export interface Resolvers { + fingerprint?: FingerprintResolver, TypeParent, TContext>; } - export type NodeResolver< - R = NetworkTopCountriesItem, - Parent = NetworkTopCountriesEdges, + export type FingerprintResolver< + R = Maybe, + Parent = TlsServerCertificateData, TContext = SiemContext > = Resolver; - export type CursorResolver< - R = CursorType, - Parent = NetworkTopCountriesEdges, +} + +export namespace TlsFingerprintsDataResolvers { + export interface Resolvers { + ja3?: Ja3Resolver, TypeParent, TContext>; + } + + export type Ja3Resolver< + R = Maybe, + Parent = TlsFingerprintsData, TContext = SiemContext > = Resolver; } -export namespace NetworkTopCountriesItemResolvers { - export interface Resolvers { - _id?: _IdResolver, TypeParent, TContext>; - - source?: SourceResolver, TypeParent, TContext>; +export namespace TlsEcsFieldsResolvers { + export interface Resolvers { + client_certificate?: ClientCertificateResolver< + Maybe, + TypeParent, + TContext + >; - destination?: DestinationResolver, TypeParent, TContext>; + fingerprints?: FingerprintsResolver, TypeParent, TContext>; - network?: NetworkResolver, TypeParent, TContext>; + server_certificate?: ServerCertificateResolver< + Maybe, + TypeParent, + TContext + >; } - export type _IdResolver< - R = Maybe, - Parent = NetworkTopCountriesItem, - TContext = SiemContext - > = Resolver; - export type SourceResolver< - R = Maybe, - Parent = NetworkTopCountriesItem, + export type ClientCertificateResolver< + R = Maybe, + Parent = TlsEcsFields, TContext = SiemContext > = Resolver; - export type DestinationResolver< - R = Maybe, - Parent = NetworkTopCountriesItem, + export type FingerprintsResolver< + R = Maybe, + Parent = TlsEcsFields, TContext = SiemContext > = Resolver; - export type NetworkResolver< - R = Maybe, - Parent = NetworkTopCountriesItem, + export type ServerCertificateResolver< + R = Maybe, + Parent = TlsEcsFields, TContext = SiemContext > = Resolver; } -export namespace TopCountriesItemSourceResolvers { - export interface Resolvers { - country?: CountryResolver, TypeParent, TContext>; +export namespace ZeekConnectionDataResolvers { + export interface Resolvers { + local_resp?: LocalRespResolver, TypeParent, TContext>; - destination_ips?: DestinationIpsResolver, TypeParent, TContext>; + local_orig?: LocalOrigResolver, TypeParent, TContext>; - flows?: FlowsResolver, TypeParent, TContext>; + missed_bytes?: MissedBytesResolver, TypeParent, TContext>; - location?: LocationResolver, TypeParent, TContext>; + state?: StateResolver, TypeParent, TContext>; - source_ips?: SourceIpsResolver, TypeParent, TContext>; + history?: HistoryResolver, TypeParent, TContext>; } - export type CountryResolver< - R = Maybe, - Parent = TopCountriesItemSource, + export type LocalRespResolver< + R = Maybe, + Parent = ZeekConnectionData, TContext = SiemContext > = Resolver; - export type DestinationIpsResolver< - R = Maybe, - Parent = TopCountriesItemSource, + export type LocalOrigResolver< + R = Maybe, + Parent = ZeekConnectionData, TContext = SiemContext > = Resolver; - export type FlowsResolver< - R = Maybe, - Parent = TopCountriesItemSource, + export type MissedBytesResolver< + R = Maybe, + Parent = ZeekConnectionData, TContext = SiemContext > = Resolver; - export type LocationResolver< - R = Maybe, - Parent = TopCountriesItemSource, + export type StateResolver< + R = Maybe, + Parent = ZeekConnectionData, TContext = SiemContext > = Resolver; - export type SourceIpsResolver< - R = Maybe, - Parent = TopCountriesItemSource, + export type HistoryResolver< + R = Maybe, + Parent = ZeekConnectionData, TContext = SiemContext > = Resolver; } -export namespace GeoItemResolvers { - export interface Resolvers { - geo?: GeoResolver, TypeParent, TContext>; - - flowTarget?: FlowTargetResolver, TypeParent, TContext>; - } +export namespace ZeekNoticeDataResolvers { + export interface Resolvers { + suppress_for?: SuppressForResolver, TypeParent, TContext>; - export type GeoResolver< - R = Maybe, - Parent = GeoItem, - TContext = SiemContext - > = Resolver; - export type FlowTargetResolver< - R = Maybe, - Parent = GeoItem, - TContext = SiemContext - > = Resolver; -} + msg?: MsgResolver, TypeParent, TContext>; -export namespace TopCountriesItemDestinationResolvers { - export interface Resolvers { - country?: CountryResolver, TypeParent, TContext>; + note?: NoteResolver, TypeParent, TContext>; - destination_ips?: DestinationIpsResolver, TypeParent, TContext>; + sub?: SubResolver, TypeParent, TContext>; - flows?: FlowsResolver, TypeParent, TContext>; + dst?: DstResolver, TypeParent, TContext>; - location?: LocationResolver, TypeParent, TContext>; + dropped?: DroppedResolver, TypeParent, TContext>; - source_ips?: SourceIpsResolver, TypeParent, TContext>; + peer_descr?: PeerDescrResolver, TypeParent, TContext>; } - export type CountryResolver< - R = Maybe, - Parent = TopCountriesItemDestination, + export type SuppressForResolver< + R = Maybe, + Parent = ZeekNoticeData, TContext = SiemContext > = Resolver; - export type DestinationIpsResolver< - R = Maybe, - Parent = TopCountriesItemDestination, + export type MsgResolver< + R = Maybe, + Parent = ZeekNoticeData, TContext = SiemContext > = Resolver; - export type FlowsResolver< - R = Maybe, - Parent = TopCountriesItemDestination, + export type NoteResolver< + R = Maybe, + Parent = ZeekNoticeData, TContext = SiemContext > = Resolver; - export type LocationResolver< - R = Maybe, - Parent = TopCountriesItemDestination, + export type SubResolver< + R = Maybe, + Parent = ZeekNoticeData, TContext = SiemContext > = Resolver; - export type SourceIpsResolver< - R = Maybe, - Parent = TopCountriesItemDestination, + export type DstResolver< + R = Maybe, + Parent = ZeekNoticeData, TContext = SiemContext > = Resolver; -} - -export namespace TopNetworkTablesEcsFieldResolvers { - export interface Resolvers { - bytes_in?: BytesInResolver, TypeParent, TContext>; - - bytes_out?: BytesOutResolver, TypeParent, TContext>; - } - - export type BytesInResolver< - R = Maybe, - Parent = TopNetworkTablesEcsField, + export type DroppedResolver< + R = Maybe, + Parent = ZeekNoticeData, TContext = SiemContext > = Resolver; - export type BytesOutResolver< - R = Maybe, - Parent = TopNetworkTablesEcsField, + export type PeerDescrResolver< + R = Maybe, + Parent = ZeekNoticeData, TContext = SiemContext > = Resolver; } -export namespace NetworkTopNFlowDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; +export namespace ZeekDnsDataResolvers { + export interface Resolvers { + AA?: AaResolver, TypeParent, TContext>; - pageInfo?: PageInfoResolver; + qclass_name?: QclassNameResolver, TypeParent, TContext>; - inspect?: InspectResolver, TypeParent, TContext>; - } + RD?: RdResolver, TypeParent, TContext>; - export type EdgesResolver< - R = NetworkTopNFlowEdges[], - Parent = NetworkTopNFlowData, - TContext = SiemContext - > = Resolver; - export type TotalCountResolver< - R = number, - Parent = NetworkTopNFlowData, - TContext = SiemContext - > = Resolver; - export type PageInfoResolver< - R = PageInfoPaginated, - Parent = NetworkTopNFlowData, - TContext = SiemContext - > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = NetworkTopNFlowData, - TContext = SiemContext - > = Resolver; -} + qtype_name?: QtypeNameResolver, TypeParent, TContext>; -export namespace NetworkTopNFlowEdgesResolvers { - export interface Resolvers { - node?: NodeResolver; + rejected?: RejectedResolver, TypeParent, TContext>; - cursor?: CursorResolver; - } + qtype?: QtypeResolver, TypeParent, TContext>; - export type NodeResolver< - R = NetworkTopNFlowItem, - Parent = NetworkTopNFlowEdges, - TContext = SiemContext - > = Resolver; - export type CursorResolver< - R = CursorType, - Parent = NetworkTopNFlowEdges, - TContext = SiemContext - > = Resolver; -} + query?: QueryResolver, TypeParent, TContext>; -export namespace NetworkTopNFlowItemResolvers { - export interface Resolvers { - _id?: _IdResolver, TypeParent, TContext>; + trans_id?: TransIdResolver, TypeParent, TContext>; - source?: SourceResolver, TypeParent, TContext>; + qclass?: QclassResolver, TypeParent, TContext>; - destination?: DestinationResolver, TypeParent, TContext>; + RA?: RaResolver, TypeParent, TContext>; - network?: NetworkResolver, TypeParent, TContext>; + TC?: TcResolver, TypeParent, TContext>; } - export type _IdResolver< - R = Maybe, - Parent = NetworkTopNFlowItem, + export type AaResolver< + R = Maybe, + Parent = ZeekDnsData, + TContext = SiemContext + > = Resolver; + export type QclassNameResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type SourceResolver< - R = Maybe, - Parent = NetworkTopNFlowItem, + export type RdResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type DestinationResolver< - R = Maybe, - Parent = NetworkTopNFlowItem, + export type QtypeNameResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type NetworkResolver< - R = Maybe, - Parent = NetworkTopNFlowItem, + export type RejectedResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; -} - -export namespace TopNFlowItemSourceResolvers { - export interface Resolvers { - autonomous_system?: AutonomousSystemResolver, TypeParent, TContext>; - - domain?: DomainResolver, TypeParent, TContext>; - - ip?: IpResolver, TypeParent, TContext>; - - location?: LocationResolver, TypeParent, TContext>; - - flows?: FlowsResolver, TypeParent, TContext>; - - destination_ips?: DestinationIpsResolver, TypeParent, TContext>; - } - - export type AutonomousSystemResolver< - R = Maybe, - Parent = TopNFlowItemSource, + export type QtypeResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type DomainResolver< - R = Maybe, - Parent = TopNFlowItemSource, + export type QueryResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type IpResolver< - R = Maybe, - Parent = TopNFlowItemSource, + export type TransIdResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type LocationResolver< - R = Maybe, - Parent = TopNFlowItemSource, + export type QclassResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type FlowsResolver< - R = Maybe, - Parent = TopNFlowItemSource, + export type RaResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; - export type DestinationIpsResolver< - R = Maybe, - Parent = TopNFlowItemSource, + export type TcResolver< + R = Maybe, + Parent = ZeekDnsData, TContext = SiemContext > = Resolver; } -export namespace AutonomousSystemItemResolvers { - export interface Resolvers { - name?: NameResolver, TypeParent, TContext>; +export namespace FileFieldsResolvers { + export interface Resolvers { + name?: NameResolver, TypeParent, TContext>; - number?: NumberResolver, TypeParent, TContext>; - } + path?: PathResolver, TypeParent, TContext>; - export type NameResolver< - R = Maybe, - Parent = AutonomousSystemItem, - TContext = SiemContext - > = Resolver; - export type NumberResolver< - R = Maybe, - Parent = AutonomousSystemItem, - TContext = SiemContext - > = Resolver; -} + target_path?: TargetPathResolver, TypeParent, TContext>; + + extension?: ExtensionResolver, TypeParent, TContext>; + + type?: TypeResolver, TypeParent, TContext>; + + device?: DeviceResolver, TypeParent, TContext>; + + inode?: InodeResolver, TypeParent, TContext>; + + uid?: UidResolver, TypeParent, TContext>; + + owner?: OwnerResolver, TypeParent, TContext>; -export namespace TopNFlowItemDestinationResolvers { - export interface Resolvers { - autonomous_system?: AutonomousSystemResolver, TypeParent, TContext>; + gid?: GidResolver, TypeParent, TContext>; - domain?: DomainResolver, TypeParent, TContext>; + group?: GroupResolver, TypeParent, TContext>; - ip?: IpResolver, TypeParent, TContext>; + mode?: ModeResolver, TypeParent, TContext>; - location?: LocationResolver, TypeParent, TContext>; + size?: SizeResolver, TypeParent, TContext>; - flows?: FlowsResolver, TypeParent, TContext>; + mtime?: MtimeResolver, TypeParent, TContext>; - source_ips?: SourceIpsResolver, TypeParent, TContext>; + ctime?: CtimeResolver, TypeParent, TContext>; } - export type AutonomousSystemResolver< - R = Maybe, - Parent = TopNFlowItemDestination, + export type NameResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type DomainResolver< - R = Maybe, - Parent = TopNFlowItemDestination, + export type PathResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type IpResolver< - R = Maybe, - Parent = TopNFlowItemDestination, + export type TargetPathResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type LocationResolver< - R = Maybe, - Parent = TopNFlowItemDestination, + export type ExtensionResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type FlowsResolver< - R = Maybe, - Parent = TopNFlowItemDestination, + export type TypeResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type SourceIpsResolver< - R = Maybe, - Parent = TopNFlowItemDestination, + export type DeviceResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; -} - -export namespace NetworkDnsDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; - - pageInfo?: PageInfoResolver; - - inspect?: InspectResolver, TypeParent, TContext>; - - histogram?: HistogramResolver, TypeParent, TContext>; - } - - export type EdgesResolver< - R = NetworkDnsEdges[], - Parent = NetworkDnsData, + export type InodeResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type TotalCountResolver< - R = number, - Parent = NetworkDnsData, + export type UidResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type PageInfoResolver< - R = PageInfoPaginated, - Parent = NetworkDnsData, + export type OwnerResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = NetworkDnsData, + export type GidResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type HistogramResolver< - R = Maybe, - Parent = NetworkDnsData, + export type GroupResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; -} - -export namespace NetworkDnsEdgesResolvers { - export interface Resolvers { - node?: NodeResolver; - - cursor?: CursorResolver; - } - - export type NodeResolver< - R = NetworkDnsItem, - Parent = NetworkDnsEdges, + export type ModeResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; - export type CursorResolver< - R = CursorType, - Parent = NetworkDnsEdges, + export type SizeResolver< + R = Maybe, + Parent = FileFields, + TContext = SiemContext + > = Resolver; + export type MtimeResolver< + R = Maybe, + Parent = FileFields, + TContext = SiemContext + > = Resolver; + export type CtimeResolver< + R = Maybe, + Parent = FileFields, TContext = SiemContext > = Resolver; } -export namespace NetworkDnsItemResolvers { - export interface Resolvers { - _id?: _IdResolver, TypeParent, TContext>; - - dnsBytesIn?: DnsBytesInResolver, TypeParent, TContext>; +export namespace ZeekHttpDataResolvers { + export interface Resolvers { + resp_mime_types?: RespMimeTypesResolver, TypeParent, TContext>; - dnsBytesOut?: DnsBytesOutResolver, TypeParent, TContext>; + trans_depth?: TransDepthResolver, TypeParent, TContext>; - dnsName?: DnsNameResolver, TypeParent, TContext>; + status_msg?: StatusMsgResolver, TypeParent, TContext>; - queryCount?: QueryCountResolver, TypeParent, TContext>; + resp_fuids?: RespFuidsResolver, TypeParent, TContext>; - uniqueDomains?: UniqueDomainsResolver, TypeParent, TContext>; + tags?: TagsResolver, TypeParent, TContext>; } - export type _IdResolver< - R = Maybe, - Parent = NetworkDnsItem, - TContext = SiemContext - > = Resolver; - export type DnsBytesInResolver< - R = Maybe, - Parent = NetworkDnsItem, + export type RespMimeTypesResolver< + R = Maybe, + Parent = ZeekHttpData, TContext = SiemContext > = Resolver; - export type DnsBytesOutResolver< - R = Maybe, - Parent = NetworkDnsItem, + export type TransDepthResolver< + R = Maybe, + Parent = ZeekHttpData, TContext = SiemContext > = Resolver; - export type DnsNameResolver< - R = Maybe, - Parent = NetworkDnsItem, + export type StatusMsgResolver< + R = Maybe, + Parent = ZeekHttpData, TContext = SiemContext > = Resolver; - export type QueryCountResolver< - R = Maybe, - Parent = NetworkDnsItem, + export type RespFuidsResolver< + R = Maybe, + Parent = ZeekHttpData, TContext = SiemContext > = Resolver; - export type UniqueDomainsResolver< - R = Maybe, - Parent = NetworkDnsItem, + export type TagsResolver< + R = Maybe, + Parent = ZeekHttpData, TContext = SiemContext > = Resolver; } -export namespace MatrixOverOrdinalHistogramDataResolvers { - export interface Resolvers { - x?: XResolver; - - y?: YResolver; +export namespace HttpBodyDataResolvers { + export interface Resolvers { + content?: ContentResolver, TypeParent, TContext>; - g?: GResolver; + bytes?: BytesResolver, TypeParent, TContext>; } - export type XResolver< - R = string, - Parent = MatrixOverOrdinalHistogramData, - TContext = SiemContext - > = Resolver; - export type YResolver< - R = number, - Parent = MatrixOverOrdinalHistogramData, + export type ContentResolver< + R = Maybe, + Parent = HttpBodyData, TContext = SiemContext > = Resolver; - export type GResolver< - R = string, - Parent = MatrixOverOrdinalHistogramData, + export type BytesResolver< + R = Maybe, + Parent = HttpBodyData, TContext = SiemContext > = Resolver; } -export namespace NetworkDsOverTimeDataResolvers { - export interface Resolvers { - inspect?: InspectResolver, TypeParent, TContext>; +export namespace HttpRequestDataResolvers { + export interface Resolvers { + method?: MethodResolver, TypeParent, TContext>; - matrixHistogramData?: MatrixHistogramDataResolver< - MatrixOverTimeHistogramData[], - TypeParent, - TContext - >; + body?: BodyResolver, TypeParent, TContext>; - totalCount?: TotalCountResolver; + referrer?: ReferrerResolver, TypeParent, TContext>; + + bytes?: BytesResolver, TypeParent, TContext>; } - export type InspectResolver< - R = Maybe, - Parent = NetworkDsOverTimeData, + export type MethodResolver< + R = Maybe, + Parent = HttpRequestData, TContext = SiemContext > = Resolver; - export type MatrixHistogramDataResolver< - R = MatrixOverTimeHistogramData[], - Parent = NetworkDsOverTimeData, + export type BodyResolver< + R = Maybe, + Parent = HttpRequestData, TContext = SiemContext > = Resolver; - export type TotalCountResolver< - R = number, - Parent = NetworkDsOverTimeData, + export type ReferrerResolver< + R = Maybe, + Parent = HttpRequestData, + TContext = SiemContext + > = Resolver; + export type BytesResolver< + R = Maybe, + Parent = HttpRequestData, TContext = SiemContext > = Resolver; } -export namespace NetworkHttpDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; +export namespace HttpResponseDataResolvers { + export interface Resolvers { + status_code?: StatusCodeResolver, TypeParent, TContext>; - pageInfo?: PageInfoResolver; + body?: BodyResolver, TypeParent, TContext>; - inspect?: InspectResolver, TypeParent, TContext>; + bytes?: BytesResolver, TypeParent, TContext>; } - - export type EdgesResolver< - R = NetworkHttpEdges[], - Parent = NetworkHttpData, - TContext = SiemContext - > = Resolver; - export type TotalCountResolver< - R = number, - Parent = NetworkHttpData, + + export type StatusCodeResolver< + R = Maybe, + Parent = HttpResponseData, TContext = SiemContext > = Resolver; - export type PageInfoResolver< - R = PageInfoPaginated, - Parent = NetworkHttpData, + export type BodyResolver< + R = Maybe, + Parent = HttpResponseData, TContext = SiemContext > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = NetworkHttpData, + export type BytesResolver< + R = Maybe, + Parent = HttpResponseData, TContext = SiemContext > = Resolver; } -export namespace NetworkHttpEdgesResolvers { - export interface Resolvers { - node?: NodeResolver; +export namespace HttpEcsFieldsResolvers { + export interface Resolvers { + version?: VersionResolver, TypeParent, TContext>; + + request?: RequestResolver, TypeParent, TContext>; - cursor?: CursorResolver; + response?: ResponseResolver, TypeParent, TContext>; } - export type NodeResolver< - R = NetworkHttpItem, - Parent = NetworkHttpEdges, + export type VersionResolver< + R = Maybe, + Parent = HttpEcsFields, TContext = SiemContext > = Resolver; - export type CursorResolver< - R = CursorType, - Parent = NetworkHttpEdges, + export type RequestResolver< + R = Maybe, + Parent = HttpEcsFields, + TContext = SiemContext + > = Resolver; + export type ResponseResolver< + R = Maybe, + Parent = HttpEcsFields, TContext = SiemContext > = Resolver; } -export namespace NetworkHttpItemResolvers { - export interface Resolvers { - _id?: _IdResolver, TypeParent, TContext>; - - domains?: DomainsResolver; - - lastHost?: LastHostResolver, TypeParent, TContext>; - - lastSourceIp?: LastSourceIpResolver, TypeParent, TContext>; - - methods?: MethodsResolver; +export namespace UrlEcsFieldsResolvers { + export interface Resolvers { + domain?: DomainResolver, TypeParent, TContext>; - path?: PathResolver, TypeParent, TContext>; + original?: OriginalResolver, TypeParent, TContext>; - requestCount?: RequestCountResolver, TypeParent, TContext>; + username?: UsernameResolver, TypeParent, TContext>; - statuses?: StatusesResolver; + password?: PasswordResolver, TypeParent, TContext>; } - export type _IdResolver< - R = Maybe, - Parent = NetworkHttpItem, - TContext = SiemContext - > = Resolver; - export type DomainsResolver< - R = string[], - Parent = NetworkHttpItem, - TContext = SiemContext - > = Resolver; - export type LastHostResolver< - R = Maybe, - Parent = NetworkHttpItem, - TContext = SiemContext - > = Resolver; - export type LastSourceIpResolver< - R = Maybe, - Parent = NetworkHttpItem, - TContext = SiemContext - > = Resolver; - export type MethodsResolver< - R = string[], - Parent = NetworkHttpItem, + export type DomainResolver< + R = Maybe, + Parent = UrlEcsFields, TContext = SiemContext > = Resolver; - export type PathResolver< - R = Maybe, - Parent = NetworkHttpItem, + export type OriginalResolver< + R = Maybe, + Parent = UrlEcsFields, TContext = SiemContext > = Resolver; - export type RequestCountResolver< - R = Maybe, - Parent = NetworkHttpItem, + export type UsernameResolver< + R = Maybe, + Parent = UrlEcsFields, TContext = SiemContext > = Resolver; - export type StatusesResolver< - R = string[], - Parent = NetworkHttpItem, + export type PasswordResolver< + R = Maybe, + Parent = UrlEcsFields, TContext = SiemContext > = Resolver; } -export namespace SayMyNameResolvers { - export interface Resolvers { - /** The id of the source */ - appName?: AppNameResolver; - } - - export type AppNameResolver = Resolver< - R, - Parent, - TContext - >; -} - -export namespace TimelineResultResolvers { - export interface Resolvers { - columns?: ColumnsResolver, TypeParent, TContext>; - - created?: CreatedResolver, TypeParent, TContext>; - - createdBy?: CreatedByResolver, TypeParent, TContext>; - - dataProviders?: DataProvidersResolver, TypeParent, TContext>; - - dateRange?: DateRangeResolver, TypeParent, TContext>; - - description?: DescriptionResolver, TypeParent, TContext>; - - eventIdToNoteIds?: EventIdToNoteIdsResolver, TypeParent, TContext>; - - eventType?: EventTypeResolver, TypeParent, TContext>; - - excludedRowRendererIds?: ExcludedRowRendererIdsResolver< - Maybe, - TypeParent, - TContext - >; - - favorite?: FavoriteResolver, TypeParent, TContext>; - - filters?: FiltersResolver, TypeParent, TContext>; - - kqlMode?: KqlModeResolver, TypeParent, TContext>; +export namespace ZeekFileDataResolvers { + export interface Resolvers { + session_ids?: SessionIdsResolver, TypeParent, TContext>; - kqlQuery?: KqlQueryResolver, TypeParent, TContext>; + timedout?: TimedoutResolver, TypeParent, TContext>; - indexNames?: IndexNamesResolver, TypeParent, TContext>; + local_orig?: LocalOrigResolver, TypeParent, TContext>; - notes?: NotesResolver, TypeParent, TContext>; + tx_host?: TxHostResolver, TypeParent, TContext>; - noteIds?: NoteIdsResolver, TypeParent, TContext>; + source?: SourceResolver, TypeParent, TContext>; - pinnedEventIds?: PinnedEventIdsResolver, TypeParent, TContext>; + is_orig?: IsOrigResolver, TypeParent, TContext>; - pinnedEventsSaveObject?: PinnedEventsSaveObjectResolver< - Maybe, - TypeParent, - TContext - >; + overflow_bytes?: OverflowBytesResolver, TypeParent, TContext>; - savedQueryId?: SavedQueryIdResolver, TypeParent, TContext>; + sha1?: Sha1Resolver, TypeParent, TContext>; - savedObjectId?: SavedObjectIdResolver; + duration?: DurationResolver, TypeParent, TContext>; - sort?: SortResolver, TypeParent, TContext>; + depth?: DepthResolver, TypeParent, TContext>; - status?: StatusResolver, TypeParent, TContext>; + analyzers?: AnalyzersResolver, TypeParent, TContext>; - title?: TitleResolver, TypeParent, TContext>; + mime_type?: MimeTypeResolver, TypeParent, TContext>; - templateTimelineId?: TemplateTimelineIdResolver, TypeParent, TContext>; + rx_host?: RxHostResolver, TypeParent, TContext>; - templateTimelineVersion?: TemplateTimelineVersionResolver, TypeParent, TContext>; + total_bytes?: TotalBytesResolver, TypeParent, TContext>; - timelineType?: TimelineTypeResolver, TypeParent, TContext>; + fuid?: FuidResolver, TypeParent, TContext>; - updated?: UpdatedResolver, TypeParent, TContext>; + seen_bytes?: SeenBytesResolver, TypeParent, TContext>; - updatedBy?: UpdatedByResolver, TypeParent, TContext>; + missing_bytes?: MissingBytesResolver, TypeParent, TContext>; - version?: VersionResolver; + md5?: Md5Resolver, TypeParent, TContext>; } - export type ColumnsResolver< - R = Maybe, - Parent = TimelineResult, - TContext = SiemContext - > = Resolver; - export type CreatedResolver< - R = Maybe, - Parent = TimelineResult, - TContext = SiemContext - > = Resolver; - export type CreatedByResolver< - R = Maybe, - Parent = TimelineResult, - TContext = SiemContext - > = Resolver; - export type DataProvidersResolver< - R = Maybe, - Parent = TimelineResult, - TContext = SiemContext - > = Resolver; - export type DateRangeResolver< - R = Maybe, - Parent = TimelineResult, - TContext = SiemContext - > = Resolver; - export type DescriptionResolver< - R = Maybe, - Parent = TimelineResult, - TContext = SiemContext - > = Resolver; - export type EventIdToNoteIdsResolver< - R = Maybe, - Parent = TimelineResult, - TContext = SiemContext - > = Resolver; - export type EventTypeResolver< - R = Maybe, - Parent = TimelineResult, + export type SessionIdsResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type ExcludedRowRendererIdsResolver< - R = Maybe, - Parent = TimelineResult, + export type TimedoutResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type FavoriteResolver< - R = Maybe, - Parent = TimelineResult, + export type LocalOrigResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type FiltersResolver< - R = Maybe, - Parent = TimelineResult, + export type TxHostResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type KqlModeResolver< - R = Maybe, - Parent = TimelineResult, + export type SourceResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type KqlQueryResolver< - R = Maybe, - Parent = TimelineResult, + export type IsOrigResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type IndexNamesResolver< - R = Maybe, - Parent = TimelineResult, + export type OverflowBytesResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type NotesResolver< - R = Maybe, - Parent = TimelineResult, + export type Sha1Resolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type NoteIdsResolver< - R = Maybe, - Parent = TimelineResult, + export type DurationResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type PinnedEventIdsResolver< - R = Maybe, - Parent = TimelineResult, + export type DepthResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type PinnedEventsSaveObjectResolver< - R = Maybe, - Parent = TimelineResult, + export type AnalyzersResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type SavedQueryIdResolver< - R = Maybe, - Parent = TimelineResult, + export type MimeTypeResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type SavedObjectIdResolver< - R = string, - Parent = TimelineResult, + export type RxHostResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type SortResolver< - R = Maybe, - Parent = TimelineResult, + export type TotalBytesResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type StatusResolver< - R = Maybe, - Parent = TimelineResult, + export type FuidResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type TitleResolver< - R = Maybe, - Parent = TimelineResult, + export type SeenBytesResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type TemplateTimelineIdResolver< - R = Maybe, - Parent = TimelineResult, + export type MissingBytesResolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type TemplateTimelineVersionResolver< - R = Maybe, - Parent = TimelineResult, + export type Md5Resolver< + R = Maybe, + Parent = ZeekFileData, TContext = SiemContext > = Resolver; - export type TimelineTypeResolver< - R = Maybe, - Parent = TimelineResult, +} + +export namespace ZeekSslDataResolvers { + export interface Resolvers { + cipher?: CipherResolver, TypeParent, TContext>; + + established?: EstablishedResolver, TypeParent, TContext>; + + resumed?: ResumedResolver, TypeParent, TContext>; + + version?: VersionResolver, TypeParent, TContext>; + } + + export type CipherResolver< + R = Maybe, + Parent = ZeekSslData, TContext = SiemContext > = Resolver; - export type UpdatedResolver< - R = Maybe, - Parent = TimelineResult, + export type EstablishedResolver< + R = Maybe, + Parent = ZeekSslData, TContext = SiemContext > = Resolver; - export type UpdatedByResolver< - R = Maybe, - Parent = TimelineResult, + export type ResumedResolver< + R = Maybe, + Parent = ZeekSslData, TContext = SiemContext > = Resolver; export type VersionResolver< - R = string, - Parent = TimelineResult, + R = Maybe, + Parent = ZeekSslData, TContext = SiemContext > = Resolver; } -export namespace ColumnHeaderResultResolvers { - export interface Resolvers { - aggregatable?: AggregatableResolver, TypeParent, TContext>; - - category?: CategoryResolver, TypeParent, TContext>; - - columnHeaderType?: ColumnHeaderTypeResolver, TypeParent, TContext>; - - description?: DescriptionResolver, TypeParent, TContext>; - - example?: ExampleResolver, TypeParent, TContext>; +export namespace ZeekEcsFieldsResolvers { + export interface Resolvers { + session_id?: SessionIdResolver, TypeParent, TContext>; - indexes?: IndexesResolver, TypeParent, TContext>; + connection?: ConnectionResolver, TypeParent, TContext>; - id?: IdResolver, TypeParent, TContext>; + notice?: NoticeResolver, TypeParent, TContext>; - name?: NameResolver, TypeParent, TContext>; + dns?: DnsResolver, TypeParent, TContext>; - placeholder?: PlaceholderResolver, TypeParent, TContext>; + http?: HttpResolver, TypeParent, TContext>; - searchable?: SearchableResolver, TypeParent, TContext>; + files?: FilesResolver, TypeParent, TContext>; - type?: TypeResolver, TypeParent, TContext>; + ssl?: SslResolver, TypeParent, TContext>; } - export type AggregatableResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type SessionIdResolver< + R = Maybe, + Parent = ZeekEcsFields, TContext = SiemContext > = Resolver; - export type CategoryResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type ConnectionResolver< + R = Maybe, + Parent = ZeekEcsFields, TContext = SiemContext > = Resolver; - export type ColumnHeaderTypeResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type NoticeResolver< + R = Maybe, + Parent = ZeekEcsFields, TContext = SiemContext > = Resolver; - export type DescriptionResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type DnsResolver< + R = Maybe, + Parent = ZeekEcsFields, TContext = SiemContext > = Resolver; - export type ExampleResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type HttpResolver< + R = Maybe, + Parent = ZeekEcsFields, TContext = SiemContext > = Resolver; - export type IndexesResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type FilesResolver< + R = Maybe, + Parent = ZeekEcsFields, + TContext = SiemContext + > = Resolver; + export type SslResolver< + R = Maybe, + Parent = ZeekEcsFields, + TContext = SiemContext + > = Resolver; +} + +export namespace UserEcsFieldsResolvers { + export interface Resolvers { + domain?: DomainResolver, TypeParent, TContext>; + + id?: IdResolver, TypeParent, TContext>; + + name?: NameResolver, TypeParent, TContext>; + + full_name?: FullNameResolver, TypeParent, TContext>; + + email?: EmailResolver, TypeParent, TContext>; + + hash?: HashResolver, TypeParent, TContext>; + + group?: GroupResolver, TypeParent, TContext>; + } + + export type DomainResolver< + R = Maybe, + Parent = UserEcsFields, TContext = SiemContext > = Resolver; export type IdResolver< - R = Maybe, - Parent = ColumnHeaderResult, + R = Maybe, + Parent = UserEcsFields, TContext = SiemContext > = Resolver; export type NameResolver< - R = Maybe, - Parent = ColumnHeaderResult, + R = Maybe, + Parent = UserEcsFields, TContext = SiemContext > = Resolver; - export type PlaceholderResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type FullNameResolver< + R = Maybe, + Parent = UserEcsFields, TContext = SiemContext > = Resolver; - export type SearchableResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type EmailResolver< + R = Maybe, + Parent = UserEcsFields, TContext = SiemContext > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = ColumnHeaderResult, + export type HashResolver< + R = Maybe, + Parent = UserEcsFields, + TContext = SiemContext + > = Resolver; + export type GroupResolver< + R = Maybe, + Parent = UserEcsFields, TContext = SiemContext > = Resolver; } -export namespace DataProviderResultResolvers { - export interface Resolvers { - id?: IdResolver, TypeParent, TContext>; +export namespace WinlogEcsFieldsResolvers { + export interface Resolvers { + event_id?: EventIdResolver, TypeParent, TContext>; + } - name?: NameResolver, TypeParent, TContext>; + export type EventIdResolver< + R = Maybe, + Parent = WinlogEcsFields, + TContext = SiemContext + > = Resolver; +} - enabled?: EnabledResolver, TypeParent, TContext>; +export namespace NetworkEcsFieldResolvers { + export interface Resolvers { + bytes?: BytesResolver, TypeParent, TContext>; - excluded?: ExcludedResolver, TypeParent, TContext>; + community_id?: CommunityIdResolver, TypeParent, TContext>; - kqlQuery?: KqlQueryResolver, TypeParent, TContext>; + direction?: DirectionResolver, TypeParent, TContext>; - queryMatch?: QueryMatchResolver, TypeParent, TContext>; + packets?: PacketsResolver, TypeParent, TContext>; - type?: TypeResolver, TypeParent, TContext>; + protocol?: ProtocolResolver, TypeParent, TContext>; - and?: AndResolver, TypeParent, TContext>; + transport?: TransportResolver, TypeParent, TContext>; } - export type IdResolver< - R = Maybe, - Parent = DataProviderResult, - TContext = SiemContext - > = Resolver; - export type NameResolver< - R = Maybe, - Parent = DataProviderResult, - TContext = SiemContext - > = Resolver; - export type EnabledResolver< - R = Maybe, - Parent = DataProviderResult, + export type BytesResolver< + R = Maybe, + Parent = NetworkEcsField, TContext = SiemContext > = Resolver; - export type ExcludedResolver< - R = Maybe, - Parent = DataProviderResult, + export type CommunityIdResolver< + R = Maybe, + Parent = NetworkEcsField, TContext = SiemContext > = Resolver; - export type KqlQueryResolver< - R = Maybe, - Parent = DataProviderResult, + export type DirectionResolver< + R = Maybe, + Parent = NetworkEcsField, TContext = SiemContext > = Resolver; - export type QueryMatchResolver< - R = Maybe, - Parent = DataProviderResult, + export type PacketsResolver< + R = Maybe, + Parent = NetworkEcsField, TContext = SiemContext > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = DataProviderResult, + export type ProtocolResolver< + R = Maybe, + Parent = NetworkEcsField, TContext = SiemContext > = Resolver; - export type AndResolver< - R = Maybe, - Parent = DataProviderResult, + export type TransportResolver< + R = Maybe, + Parent = NetworkEcsField, TContext = SiemContext > = Resolver; } -export namespace QueryMatchResultResolvers { - export interface Resolvers { - field?: FieldResolver, TypeParent, TContext>; +export namespace PackageEcsFieldsResolvers { + export interface Resolvers { + arch?: ArchResolver, TypeParent, TContext>; - displayField?: DisplayFieldResolver, TypeParent, TContext>; + entity_id?: EntityIdResolver, TypeParent, TContext>; - value?: ValueResolver, TypeParent, TContext>; + name?: NameResolver, TypeParent, TContext>; - displayValue?: DisplayValueResolver, TypeParent, TContext>; + size?: SizeResolver, TypeParent, TContext>; - operator?: OperatorResolver, TypeParent, TContext>; + summary?: SummaryResolver, TypeParent, TContext>; + + version?: VersionResolver, TypeParent, TContext>; } - export type FieldResolver< - R = Maybe, - Parent = QueryMatchResult, + export type ArchResolver< + R = Maybe, + Parent = PackageEcsFields, TContext = SiemContext > = Resolver; - export type DisplayFieldResolver< - R = Maybe, - Parent = QueryMatchResult, + export type EntityIdResolver< + R = Maybe, + Parent = PackageEcsFields, TContext = SiemContext > = Resolver; - export type ValueResolver< - R = Maybe, - Parent = QueryMatchResult, + export type NameResolver< + R = Maybe, + Parent = PackageEcsFields, TContext = SiemContext > = Resolver; - export type DisplayValueResolver< - R = Maybe, - Parent = QueryMatchResult, + export type SizeResolver< + R = Maybe, + Parent = PackageEcsFields, TContext = SiemContext > = Resolver; - export type OperatorResolver< - R = Maybe, - Parent = QueryMatchResult, + export type SummaryResolver< + R = Maybe, + Parent = PackageEcsFields, + TContext = SiemContext + > = Resolver; + export type VersionResolver< + R = Maybe, + Parent = PackageEcsFields, TContext = SiemContext > = Resolver; } -export namespace DateRangePickerResultResolvers { - export interface Resolvers { - start?: StartResolver, TypeParent, TContext>; +export namespace AuditEcsFieldsResolvers { + export interface Resolvers { + package?: PackageResolver, TypeParent, TContext>; + } - end?: EndResolver, TypeParent, TContext>; + export type PackageResolver< + R = Maybe, + Parent = AuditEcsFields, + TContext = SiemContext + > = Resolver; +} + +export namespace SshEcsFieldsResolvers { + export interface Resolvers { + method?: MethodResolver, TypeParent, TContext>; + + signature?: SignatureResolver, TypeParent, TContext>; } - export type StartResolver< - R = Maybe, - Parent = DateRangePickerResult, + export type MethodResolver< + R = Maybe, + Parent = SshEcsFields, TContext = SiemContext > = Resolver; - export type EndResolver< - R = Maybe, - Parent = DateRangePickerResult, + export type SignatureResolver< + R = Maybe, + Parent = SshEcsFields, TContext = SiemContext > = Resolver; } -export namespace FavoriteTimelineResultResolvers { - export interface Resolvers { - fullName?: FullNameResolver, TypeParent, TContext>; - - userName?: UserNameResolver, TypeParent, TContext>; - - favoriteDate?: FavoriteDateResolver, TypeParent, TContext>; +export namespace AuthEcsFieldsResolvers { + export interface Resolvers { + ssh?: SshResolver, TypeParent, TContext>; } - export type FullNameResolver< - R = Maybe, - Parent = FavoriteTimelineResult, + export type SshResolver< + R = Maybe, + Parent = AuthEcsFields, TContext = SiemContext > = Resolver; - export type UserNameResolver< - R = Maybe, - Parent = FavoriteTimelineResult, +} + +export namespace SystemEcsFieldResolvers { + export interface Resolvers { + audit?: AuditResolver, TypeParent, TContext>; + + auth?: AuthResolver, TypeParent, TContext>; + } + + export type AuditResolver< + R = Maybe, + Parent = SystemEcsField, TContext = SiemContext > = Resolver; - export type FavoriteDateResolver< - R = Maybe, - Parent = FavoriteTimelineResult, + export type AuthResolver< + R = Maybe, + Parent = SystemEcsField, TContext = SiemContext > = Resolver; } -export namespace FilterTimelineResultResolvers { - export interface Resolvers { - exists?: ExistsResolver, TypeParent, TContext>; +export namespace RuleFieldResolvers { + export interface Resolvers { + id?: IdResolver, TypeParent, TContext>; - meta?: MetaResolver, TypeParent, TContext>; + rule_id?: RuleIdResolver, TypeParent, TContext>; - match_all?: MatchAllResolver, TypeParent, TContext>; + false_positives?: FalsePositivesResolver; - missing?: MissingResolver, TypeParent, TContext>; + saved_id?: SavedIdResolver, TypeParent, TContext>; - query?: QueryResolver, TypeParent, TContext>; + timeline_id?: TimelineIdResolver, TypeParent, TContext>; - range?: RangeResolver, TypeParent, TContext>; + timeline_title?: TimelineTitleResolver, TypeParent, TContext>; - script?: ScriptResolver, TypeParent, TContext>; + max_signals?: MaxSignalsResolver, TypeParent, TContext>; + + risk_score?: RiskScoreResolver, TypeParent, TContext>; + + output_index?: OutputIndexResolver, TypeParent, TContext>; + + description?: DescriptionResolver, TypeParent, TContext>; + + from?: FromResolver, TypeParent, TContext>; + + immutable?: ImmutableResolver, TypeParent, TContext>; + + index?: IndexResolver, TypeParent, TContext>; + + interval?: IntervalResolver, TypeParent, TContext>; + + language?: LanguageResolver, TypeParent, TContext>; + + query?: QueryResolver, TypeParent, TContext>; + + references?: ReferencesResolver, TypeParent, TContext>; + + severity?: SeverityResolver, TypeParent, TContext>; + + tags?: TagsResolver, TypeParent, TContext>; + + threat?: ThreatResolver, TypeParent, TContext>; + + type?: TypeResolver, TypeParent, TContext>; + + size?: SizeResolver, TypeParent, TContext>; + + to?: ToResolver, TypeParent, TContext>; + + enabled?: EnabledResolver, TypeParent, TContext>; + + filters?: FiltersResolver, TypeParent, TContext>; + + created_at?: CreatedAtResolver, TypeParent, TContext>; + + updated_at?: UpdatedAtResolver, TypeParent, TContext>; + + created_by?: CreatedByResolver, TypeParent, TContext>; + + updated_by?: UpdatedByResolver, TypeParent, TContext>; + + version?: VersionResolver, TypeParent, TContext>; + + note?: NoteResolver, TypeParent, TContext>; + + threshold?: ThresholdResolver, TypeParent, TContext>; + + exceptions_list?: ExceptionsListResolver, TypeParent, TContext>; } - export type ExistsResolver< - R = Maybe, - Parent = FilterTimelineResult, + export type IdResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type MetaResolver< - R = Maybe, - Parent = FilterTimelineResult, + export type RuleIdResolver< + R = Maybe, + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type FalsePositivesResolver< + R = string[], + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type SavedIdResolver< + R = Maybe, + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type TimelineIdResolver< + R = Maybe, + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type TimelineTitleResolver< + R = Maybe, + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type MaxSignalsResolver< + R = Maybe, + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type RiskScoreResolver< + R = Maybe, + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type OutputIndexResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type MatchAllResolver< - R = Maybe, - Parent = FilterTimelineResult, + export type DescriptionResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type MissingResolver< - R = Maybe, - Parent = FilterTimelineResult, + export type FromResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type QueryResolver< - R = Maybe, - Parent = FilterTimelineResult, + export type ImmutableResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type RangeResolver< - R = Maybe, - Parent = FilterTimelineResult, + export type IndexResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type ScriptResolver< - R = Maybe, - Parent = FilterTimelineResult, + export type IntervalResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; -} - -export namespace FilterMetaTimelineResultResolvers { - export interface Resolvers { - alias?: AliasResolver, TypeParent, TContext>; - - controlledBy?: ControlledByResolver, TypeParent, TContext>; - - disabled?: DisabledResolver, TypeParent, TContext>; - - field?: FieldResolver, TypeParent, TContext>; - - formattedValue?: FormattedValueResolver, TypeParent, TContext>; - - index?: IndexResolver, TypeParent, TContext>; - - key?: KeyResolver, TypeParent, TContext>; - - negate?: NegateResolver, TypeParent, TContext>; - - params?: ParamsResolver, TypeParent, TContext>; - - type?: TypeResolver, TypeParent, TContext>; - - value?: ValueResolver, TypeParent, TContext>; - } - - export type AliasResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type LanguageResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type ControlledByResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type QueryResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type DisabledResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type ReferencesResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type FieldResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type SeverityResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type FormattedValueResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type TagsResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type IndexResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type ThreatResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type KeyResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type TypeResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type NegateResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type SizeResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type ParamsResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type ToResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type TypeResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type EnabledResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type ValueResolver< - R = Maybe, - Parent = FilterMetaTimelineResult, + export type FiltersResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; -} - -export namespace SerializedFilterQueryResultResolvers { - export interface Resolvers { - filterQuery?: FilterQueryResolver, TypeParent, TContext>; - } - - export type FilterQueryResolver< - R = Maybe, - Parent = SerializedFilterQueryResult, + export type CreatedAtResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; -} - -export namespace SerializedKueryQueryResultResolvers { - export interface Resolvers { - kuery?: KueryResolver, TypeParent, TContext>; - - serializedQuery?: SerializedQueryResolver, TypeParent, TContext>; - } - - export type KueryResolver< - R = Maybe, - Parent = SerializedKueryQueryResult, + export type UpdatedAtResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type SerializedQueryResolver< - R = Maybe, - Parent = SerializedKueryQueryResult, + export type CreatedByResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; -} - -export namespace KueryFilterQueryResultResolvers { - export interface Resolvers { - kind?: KindResolver, TypeParent, TContext>; - - expression?: ExpressionResolver, TypeParent, TContext>; - } - - export type KindResolver< - R = Maybe, - Parent = KueryFilterQueryResult, + export type UpdatedByResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type ExpressionResolver< - R = Maybe, - Parent = KueryFilterQueryResult, + export type VersionResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; -} - -export namespace SortTimelineResultResolvers { - export interface Resolvers { - columnId?: ColumnIdResolver, TypeParent, TContext>; - - sortDirection?: SortDirectionResolver, TypeParent, TContext>; - } - - export type ColumnIdResolver< - R = Maybe, - Parent = SortTimelineResult, + export type NoteResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; - export type SortDirectionResolver< - R = Maybe, - Parent = SortTimelineResult, + export type ThresholdResolver< + R = Maybe, + Parent = RuleField, + TContext = SiemContext + > = Resolver; + export type ExceptionsListResolver< + R = Maybe, + Parent = RuleField, TContext = SiemContext > = Resolver; } -export namespace ResponseTimelinesResolvers { - export interface Resolvers { - timeline?: TimelineResolver<(Maybe)[], TypeParent, TContext>; - - totalCount?: TotalCountResolver, TypeParent, TContext>; - - defaultTimelineCount?: DefaultTimelineCountResolver, TypeParent, TContext>; - - templateTimelineCount?: TemplateTimelineCountResolver, TypeParent, TContext>; - - elasticTemplateTimelineCount?: ElasticTemplateTimelineCountResolver< - Maybe, - TypeParent, - TContext - >; +export namespace SignalFieldResolvers { + export interface Resolvers { + rule?: RuleResolver, TypeParent, TContext>; - customTemplateTimelineCount?: CustomTemplateTimelineCountResolver< - Maybe, - TypeParent, - TContext - >; + original_time?: OriginalTimeResolver, TypeParent, TContext>; - favoriteCount?: FavoriteCountResolver, TypeParent, TContext>; + status?: StatusResolver, TypeParent, TContext>; } - export type TimelineResolver< - R = (Maybe)[], - Parent = ResponseTimelines, - TContext = SiemContext - > = Resolver; - export type TotalCountResolver< - R = Maybe, - Parent = ResponseTimelines, - TContext = SiemContext - > = Resolver; - export type DefaultTimelineCountResolver< - R = Maybe, - Parent = ResponseTimelines, - TContext = SiemContext - > = Resolver; - export type TemplateTimelineCountResolver< - R = Maybe, - Parent = ResponseTimelines, + export type RuleResolver< + R = Maybe, + Parent = SignalField, TContext = SiemContext > = Resolver; - export type ElasticTemplateTimelineCountResolver< - R = Maybe, - Parent = ResponseTimelines, + export type OriginalTimeResolver< + R = Maybe, + Parent = SignalField, TContext = SiemContext > = Resolver; - export type CustomTemplateTimelineCountResolver< - R = Maybe, - Parent = ResponseTimelines, + export type StatusResolver< + R = Maybe, + Parent = SignalField, TContext = SiemContext > = Resolver; - export type FavoriteCountResolver< - R = Maybe, - Parent = ResponseTimelines, +} + +export namespace RuleEcsFieldResolvers { + export interface Resolvers { + reference?: ReferenceResolver, TypeParent, TContext>; + } + + export type ReferenceResolver< + R = Maybe, + Parent = RuleEcsField, TContext = SiemContext > = Resolver; } -export namespace MutationResolvers { - export interface Resolvers { - /** Persists a note */ - persistNote?: PersistNoteResolver; +export namespace EcsResolvers { + export interface Resolvers { + _id?: _IdResolver; - deleteNote?: DeleteNoteResolver, TypeParent, TContext>; + _index?: _IndexResolver, TypeParent, TContext>; - deleteNoteByTimelineId?: DeleteNoteByTimelineIdResolver, TypeParent, TContext>; - /** Persists a pinned event in a timeline */ - persistPinnedEventOnTimeline?: PersistPinnedEventOnTimelineResolver< - Maybe, - TypeParent, - TContext - >; - /** Remove a pinned events in a timeline */ - deletePinnedEventOnTimeline?: DeletePinnedEventOnTimelineResolver< - boolean, - TypeParent, - TContext - >; - /** Remove all pinned events in a timeline */ - deleteAllPinnedEventsOnTimeline?: DeleteAllPinnedEventsOnTimelineResolver< - boolean, - TypeParent, - TContext - >; - /** Persists a timeline */ - persistTimeline?: PersistTimelineResolver; + agent?: AgentResolver, TypeParent, TContext>; - persistFavorite?: PersistFavoriteResolver; + auditd?: AuditdResolver, TypeParent, TContext>; - deleteTimeline?: DeleteTimelineResolver; - } + destination?: DestinationResolver, TypeParent, TContext>; - export type PersistNoteResolver = Resolver< - R, - Parent, - TContext, - PersistNoteArgs - >; - export interface PersistNoteArgs { - noteId?: Maybe; + dns?: DnsResolver, TypeParent, TContext>; - version?: Maybe; + endgame?: EndgameResolver, TypeParent, TContext>; - note: NoteInput; - } + event?: EventResolver, TypeParent, TContext>; - export type DeleteNoteResolver< - R = Maybe, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface DeleteNoteArgs { - id: string[]; - } + geo?: GeoResolver, TypeParent, TContext>; - export type DeleteNoteByTimelineIdResolver< - R = Maybe, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface DeleteNoteByTimelineIdArgs { - timelineId: string; + host?: HostResolver, TypeParent, TContext>; - version?: Maybe; - } + network?: NetworkResolver, TypeParent, TContext>; - export type PersistPinnedEventOnTimelineResolver< - R = Maybe, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface PersistPinnedEventOnTimelineArgs { - pinnedEventId?: Maybe; + rule?: RuleResolver, TypeParent, TContext>; - eventId: string; + signal?: SignalResolver, TypeParent, TContext>; - timelineId?: Maybe; - } + source?: SourceResolver, TypeParent, TContext>; - export type DeletePinnedEventOnTimelineResolver< - R = boolean, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface DeletePinnedEventOnTimelineArgs { - id: string[]; - } + suricata?: SuricataResolver, TypeParent, TContext>; - export type DeleteAllPinnedEventsOnTimelineResolver< - R = boolean, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface DeleteAllPinnedEventsOnTimelineArgs { - timelineId: string; - } + tls?: TlsResolver, TypeParent, TContext>; - export type PersistTimelineResolver< - R = ResponseTimeline, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface PersistTimelineArgs { - id?: Maybe; + zeek?: ZeekResolver, TypeParent, TContext>; - version?: Maybe; + http?: HttpResolver, TypeParent, TContext>; - timeline: TimelineInput; - } + url?: UrlResolver, TypeParent, TContext>; - export type PersistFavoriteResolver< - R = ResponseFavoriteTimeline, - Parent = {}, - TContext = SiemContext - > = Resolver; - export interface PersistFavoriteArgs { - timelineId?: Maybe; - } + timestamp?: TimestampResolver, TypeParent, TContext>; - export type DeleteTimelineResolver = Resolver< - R, - Parent, - TContext, - DeleteTimelineArgs - >; - export interface DeleteTimelineArgs { - id: string[]; - } -} + message?: MessageResolver, TypeParent, TContext>; -export namespace ResponseNoteResolvers { - export interface Resolvers { - code?: CodeResolver, TypeParent, TContext>; + user?: UserResolver, TypeParent, TContext>; - message?: MessageResolver, TypeParent, TContext>; + winlog?: WinlogResolver, TypeParent, TContext>; - note?: NoteResolver; + process?: ProcessResolver, TypeParent, TContext>; + + file?: FileResolver, TypeParent, TContext>; + + system?: SystemResolver, TypeParent, TContext>; } - export type CodeResolver< - R = Maybe, - Parent = ResponseNote, + export type _IdResolver = Resolver< + R, + Parent, + TContext + >; + export type _IndexResolver, Parent = Ecs, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type AgentResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type MessageResolver< - R = Maybe, - Parent = ResponseNote, + export type AuditdResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type NoteResolver< - R = NoteResult, - Parent = ResponseNote, + export type DestinationResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; -} - -export namespace ResponseTimelineResolvers { - export interface Resolvers { - code?: CodeResolver, TypeParent, TContext>; - - message?: MessageResolver, TypeParent, TContext>; - - timeline?: TimelineResolver; - } - - export type CodeResolver< - R = Maybe, - Parent = ResponseTimeline, + export type DnsResolver, Parent = Ecs, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type EndgameResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; + export type EventResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; + export type GeoResolver, Parent = Ecs, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type HostResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; + export type NetworkResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; + export type RuleResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; + export type SignalResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; + export type SourceResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; + export type SuricataResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type MessageResolver< - R = Maybe, - Parent = ResponseTimeline, + export type TlsResolver, Parent = Ecs, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type ZeekResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type TimelineResolver< - R = TimelineResult, - Parent = ResponseTimeline, + export type HttpResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; -} - -export namespace ResponseFavoriteTimelineResolvers { - export interface Resolvers { - code?: CodeResolver, TypeParent, TContext>; - - message?: MessageResolver, TypeParent, TContext>; - - savedObjectId?: SavedObjectIdResolver; - - version?: VersionResolver; - - favorite?: FavoriteResolver, TypeParent, TContext>; - } - - export type CodeResolver< - R = Maybe, - Parent = ResponseFavoriteTimeline, + export type UrlResolver, Parent = Ecs, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type TimestampResolver, Parent = Ecs, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type MessageResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type MessageResolver< - R = Maybe, - Parent = ResponseFavoriteTimeline, + export type UserResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type SavedObjectIdResolver< - R = string, - Parent = ResponseFavoriteTimeline, + export type WinlogResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type VersionResolver< - R = string, - Parent = ResponseFavoriteTimeline, + export type ProcessResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; - export type FavoriteResolver< - R = Maybe, - Parent = ResponseFavoriteTimeline, + export type FileResolver, Parent = Ecs, TContext = SiemContext> = Resolver< + R, + Parent, + TContext + >; + export type SystemResolver< + R = Maybe, + Parent = Ecs, TContext = SiemContext > = Resolver; } @@ -8064,39 +5792,6 @@ export namespace EcsEdgesResolvers { >; } -export namespace EventsTimelineDataResolvers { - export interface Resolvers { - edges?: EdgesResolver; - - totalCount?: TotalCountResolver; - - pageInfo?: PageInfoResolver; - - inspect?: InspectResolver, TypeParent, TContext>; - } - - export type EdgesResolver< - R = EcsEdges[], - Parent = EventsTimelineData, - TContext = SiemContext - > = Resolver; - export type TotalCountResolver< - R = number, - Parent = EventsTimelineData, - TContext = SiemContext - > = Resolver; - export type PageInfoResolver< - R = PageInfo, - Parent = EventsTimelineData, - TContext = SiemContext - > = Resolver; - export type InspectResolver< - R = Maybe, - Parent = EventsTimelineData, - TContext = SiemContext - > = Resolver; -} - export namespace OsFieldsResolvers { export interface Resolvers { platform?: PlatformResolver, TypeParent, TContext>; @@ -8281,6 +5976,25 @@ export namespace IndexFieldResolvers { > = Resolver; } +export namespace PageInfoResolvers { + export interface Resolvers { + endCursor?: EndCursorResolver, TypeParent, TContext>; + + hasNextPage?: HasNextPageResolver, TypeParent, TContext>; + } + + export type EndCursorResolver< + R = Maybe, + Parent = PageInfo, + TContext = SiemContext + > = Resolver; + export type HasNextPageResolver< + R = Maybe, + Parent = PageInfo, + TContext = SiemContext + > = Resolver; +} + /** Directs the executor to skip this field or fragment when the `if` argument is true. */ export type SkipDirectiveResolver = DirectiveResolverFn< Result, @@ -8320,25 +6034,22 @@ export interface ToStringArrayScalarConfig extends GraphQLScalarTypeConfig { name: 'Date'; } -export interface ToNumberArrayScalarConfig extends GraphQLScalarTypeConfig { - name: 'ToNumberArray'; -} -export interface ToDateArrayScalarConfig extends GraphQLScalarTypeConfig { - name: 'ToDateArray'; -} -export interface ToBooleanArrayScalarConfig extends GraphQLScalarTypeConfig { - name: 'ToBooleanArray'; -} export interface ToAnyScalarConfig extends GraphQLScalarTypeConfig { name: 'ToAny'; } -export interface EsValueScalarConfig extends GraphQLScalarTypeConfig { - name: 'EsValue'; -} export interface ToStringArrayNoNullableScalarConfig extends GraphQLScalarTypeConfig { name: 'ToStringArrayNoNullable'; } +export interface ToDateArrayScalarConfig extends GraphQLScalarTypeConfig { + name: 'ToDateArray'; +} +export interface ToNumberArrayScalarConfig extends GraphQLScalarTypeConfig { + name: 'ToNumberArray'; +} +export interface ToBooleanArrayScalarConfig extends GraphQLScalarTypeConfig { + name: 'ToBooleanArray'; +} export interface ToIFieldSubTypeNonNullableScalarConfig extends GraphQLScalarTypeConfig { name: 'ToIFieldSubTypeNonNullable'; @@ -8353,73 +6064,6 @@ export type IResolvers = { SourceConfiguration?: SourceConfigurationResolvers.Resolvers; SourceFields?: SourceFieldsResolvers.Resolvers; SourceStatus?: SourceStatusResolvers.Resolvers; - AuthenticationsData?: AuthenticationsDataResolvers.Resolvers; - AuthenticationsEdges?: AuthenticationsEdgesResolvers.Resolvers; - AuthenticationItem?: AuthenticationItemResolvers.Resolvers; - UserEcsFields?: UserEcsFieldsResolvers.Resolvers; - LastSourceHost?: LastSourceHostResolvers.Resolvers; - SourceEcsFields?: SourceEcsFieldsResolvers.Resolvers; - GeoEcsFields?: GeoEcsFieldsResolvers.Resolvers; - Location?: LocationResolvers.Resolvers; - HostEcsFields?: HostEcsFieldsResolvers.Resolvers; - OsEcsFields?: OsEcsFieldsResolvers.Resolvers; - CursorType?: CursorTypeResolvers.Resolvers; - PageInfoPaginated?: PageInfoPaginatedResolvers.Resolvers; - Inspect?: InspectResolvers.Resolvers; - TimelineData?: TimelineDataResolvers.Resolvers; - TimelineEdges?: TimelineEdgesResolvers.Resolvers; - TimelineItem?: TimelineItemResolvers.Resolvers; - TimelineNonEcsData?: TimelineNonEcsDataResolvers.Resolvers; - Ecs?: EcsResolvers.Resolvers; - AgentEcsField?: AgentEcsFieldResolvers.Resolvers; - AuditdEcsFields?: AuditdEcsFieldsResolvers.Resolvers; - AuditdData?: AuditdDataResolvers.Resolvers; - Summary?: SummaryResolvers.Resolvers; - PrimarySecondary?: PrimarySecondaryResolvers.Resolvers; - DestinationEcsFields?: DestinationEcsFieldsResolvers.Resolvers; - DnsEcsFields?: DnsEcsFieldsResolvers.Resolvers; - DnsQuestionData?: DnsQuestionDataResolvers.Resolvers; - EndgameEcsFields?: EndgameEcsFieldsResolvers.Resolvers; - EventEcsFields?: EventEcsFieldsResolvers.Resolvers; - NetworkEcsField?: NetworkEcsFieldResolvers.Resolvers; - RuleEcsField?: RuleEcsFieldResolvers.Resolvers; - SignalField?: SignalFieldResolvers.Resolvers; - RuleField?: RuleFieldResolvers.Resolvers; - SuricataEcsFields?: SuricataEcsFieldsResolvers.Resolvers; - SuricataEveData?: SuricataEveDataResolvers.Resolvers; - SuricataAlertData?: SuricataAlertDataResolvers.Resolvers; - TlsEcsFields?: TlsEcsFieldsResolvers.Resolvers; - TlsClientCertificateData?: TlsClientCertificateDataResolvers.Resolvers; - FingerprintData?: FingerprintDataResolvers.Resolvers; - TlsFingerprintsData?: TlsFingerprintsDataResolvers.Resolvers; - TlsJa3Data?: TlsJa3DataResolvers.Resolvers; - TlsServerCertificateData?: TlsServerCertificateDataResolvers.Resolvers; - ZeekEcsFields?: ZeekEcsFieldsResolvers.Resolvers; - ZeekConnectionData?: ZeekConnectionDataResolvers.Resolvers; - ZeekNoticeData?: ZeekNoticeDataResolvers.Resolvers; - ZeekDnsData?: ZeekDnsDataResolvers.Resolvers; - ZeekHttpData?: ZeekHttpDataResolvers.Resolvers; - ZeekFileData?: ZeekFileDataResolvers.Resolvers; - ZeekSslData?: ZeekSslDataResolvers.Resolvers; - HttpEcsFields?: HttpEcsFieldsResolvers.Resolvers; - HttpRequestData?: HttpRequestDataResolvers.Resolvers; - HttpBodyData?: HttpBodyDataResolvers.Resolvers; - HttpResponseData?: HttpResponseDataResolvers.Resolvers; - UrlEcsFields?: UrlEcsFieldsResolvers.Resolvers; - WinlogEcsFields?: WinlogEcsFieldsResolvers.Resolvers; - ProcessEcsFields?: ProcessEcsFieldsResolvers.Resolvers; - ProcessHashData?: ProcessHashDataResolvers.Resolvers; - Thread?: ThreadResolvers.Resolvers; - FileFields?: FileFieldsResolvers.Resolvers; - SystemEcsField?: SystemEcsFieldResolvers.Resolvers; - AuditEcsFields?: AuditEcsFieldsResolvers.Resolvers; - PackageEcsFields?: PackageEcsFieldsResolvers.Resolvers; - AuthEcsFields?: AuthEcsFieldsResolvers.Resolvers; - SshEcsFields?: SshEcsFieldsResolvers.Resolvers; - PageInfo?: PageInfoResolvers.Resolvers; - TimelineDetailsData?: TimelineDetailsDataResolvers.Resolvers; - DetailItem?: DetailItemResolvers.Resolvers; - LastEventTimeData?: LastEventTimeDataResolvers.Resolvers; HostsData?: HostsDataResolvers.Resolvers; HostsEdges?: HostsEdgesResolvers.Resolvers; HostItem?: HostItemResolvers.Resolvers; @@ -8427,35 +6071,12 @@ export type IResolvers = { CloudInstance?: CloudInstanceResolvers.Resolvers; CloudMachine?: CloudMachineResolvers.Resolvers; EndpointFields?: EndpointFieldsResolvers.Resolvers; + HostEcsFields?: HostEcsFieldsResolvers.Resolvers; + OsEcsFields?: OsEcsFieldsResolvers.Resolvers; + Inspect?: InspectResolvers.Resolvers; + CursorType?: CursorTypeResolvers.Resolvers; + PageInfoPaginated?: PageInfoPaginatedResolvers.Resolvers; FirstLastSeenHost?: FirstLastSeenHostResolvers.Resolvers; - KpiNetworkData?: KpiNetworkDataResolvers.Resolvers; - KpiNetworkHistogramData?: KpiNetworkHistogramDataResolvers.Resolvers; - KpiHostsData?: KpiHostsDataResolvers.Resolvers; - KpiHostHistogramData?: KpiHostHistogramDataResolvers.Resolvers; - KpiHostDetailsData?: KpiHostDetailsDataResolvers.Resolvers; - MatrixHistogramOverTimeData?: MatrixHistogramOverTimeDataResolvers.Resolvers; - MatrixOverTimeHistogramData?: MatrixOverTimeHistogramDataResolvers.Resolvers; - NetworkTopCountriesData?: NetworkTopCountriesDataResolvers.Resolvers; - NetworkTopCountriesEdges?: NetworkTopCountriesEdgesResolvers.Resolvers; - NetworkTopCountriesItem?: NetworkTopCountriesItemResolvers.Resolvers; - TopCountriesItemSource?: TopCountriesItemSourceResolvers.Resolvers; - GeoItem?: GeoItemResolvers.Resolvers; - TopCountriesItemDestination?: TopCountriesItemDestinationResolvers.Resolvers; - TopNetworkTablesEcsField?: TopNetworkTablesEcsFieldResolvers.Resolvers; - NetworkTopNFlowData?: NetworkTopNFlowDataResolvers.Resolvers; - NetworkTopNFlowEdges?: NetworkTopNFlowEdgesResolvers.Resolvers; - NetworkTopNFlowItem?: NetworkTopNFlowItemResolvers.Resolvers; - TopNFlowItemSource?: TopNFlowItemSourceResolvers.Resolvers; - AutonomousSystemItem?: AutonomousSystemItemResolvers.Resolvers; - TopNFlowItemDestination?: TopNFlowItemDestinationResolvers.Resolvers; - NetworkDnsData?: NetworkDnsDataResolvers.Resolvers; - NetworkDnsEdges?: NetworkDnsEdgesResolvers.Resolvers; - NetworkDnsItem?: NetworkDnsItemResolvers.Resolvers; - MatrixOverOrdinalHistogramData?: MatrixOverOrdinalHistogramDataResolvers.Resolvers; - NetworkDsOverTimeData?: NetworkDsOverTimeDataResolvers.Resolvers; - NetworkHttpData?: NetworkHttpDataResolvers.Resolvers; - NetworkHttpEdges?: NetworkHttpEdgesResolvers.Resolvers; - NetworkHttpItem?: NetworkHttpItemResolvers.Resolvers; SayMyName?: SayMyNameResolvers.Resolvers; TimelineResult?: TimelineResultResolvers.Resolvers; ColumnHeaderResult?: ColumnHeaderResultResolvers.Resolvers; @@ -8474,19 +6095,68 @@ export type IResolvers = { ResponseNote?: ResponseNoteResolvers.Resolvers; ResponseTimeline?: ResponseTimelineResolvers.Resolvers; ResponseFavoriteTimeline?: ResponseFavoriteTimelineResolvers.Resolvers; + EventEcsFields?: EventEcsFieldsResolvers.Resolvers; + Location?: LocationResolvers.Resolvers; + GeoEcsFields?: GeoEcsFieldsResolvers.Resolvers; + PrimarySecondary?: PrimarySecondaryResolvers.Resolvers; + Summary?: SummaryResolvers.Resolvers; + AgentEcsField?: AgentEcsFieldResolvers.Resolvers; + AuditdData?: AuditdDataResolvers.Resolvers; + AuditdEcsFields?: AuditdEcsFieldsResolvers.Resolvers; + Thread?: ThreadResolvers.Resolvers; + ProcessHashData?: ProcessHashDataResolvers.Resolvers; + ProcessEcsFields?: ProcessEcsFieldsResolvers.Resolvers; + SourceEcsFields?: SourceEcsFieldsResolvers.Resolvers; + DestinationEcsFields?: DestinationEcsFieldsResolvers.Resolvers; + DnsQuestionData?: DnsQuestionDataResolvers.Resolvers; + DnsEcsFields?: DnsEcsFieldsResolvers.Resolvers; + EndgameEcsFields?: EndgameEcsFieldsResolvers.Resolvers; + SuricataAlertData?: SuricataAlertDataResolvers.Resolvers; + SuricataEveData?: SuricataEveDataResolvers.Resolvers; + SuricataEcsFields?: SuricataEcsFieldsResolvers.Resolvers; + TlsJa3Data?: TlsJa3DataResolvers.Resolvers; + FingerprintData?: FingerprintDataResolvers.Resolvers; + TlsClientCertificateData?: TlsClientCertificateDataResolvers.Resolvers; + TlsServerCertificateData?: TlsServerCertificateDataResolvers.Resolvers; + TlsFingerprintsData?: TlsFingerprintsDataResolvers.Resolvers; + TlsEcsFields?: TlsEcsFieldsResolvers.Resolvers; + ZeekConnectionData?: ZeekConnectionDataResolvers.Resolvers; + ZeekNoticeData?: ZeekNoticeDataResolvers.Resolvers; + ZeekDnsData?: ZeekDnsDataResolvers.Resolvers; + FileFields?: FileFieldsResolvers.Resolvers; + ZeekHttpData?: ZeekHttpDataResolvers.Resolvers; + HttpBodyData?: HttpBodyDataResolvers.Resolvers; + HttpRequestData?: HttpRequestDataResolvers.Resolvers; + HttpResponseData?: HttpResponseDataResolvers.Resolvers; + HttpEcsFields?: HttpEcsFieldsResolvers.Resolvers; + UrlEcsFields?: UrlEcsFieldsResolvers.Resolvers; + ZeekFileData?: ZeekFileDataResolvers.Resolvers; + ZeekSslData?: ZeekSslDataResolvers.Resolvers; + ZeekEcsFields?: ZeekEcsFieldsResolvers.Resolvers; + UserEcsFields?: UserEcsFieldsResolvers.Resolvers; + WinlogEcsFields?: WinlogEcsFieldsResolvers.Resolvers; + NetworkEcsField?: NetworkEcsFieldResolvers.Resolvers; + PackageEcsFields?: PackageEcsFieldsResolvers.Resolvers; + AuditEcsFields?: AuditEcsFieldsResolvers.Resolvers; + SshEcsFields?: SshEcsFieldsResolvers.Resolvers; + AuthEcsFields?: AuthEcsFieldsResolvers.Resolvers; + SystemEcsField?: SystemEcsFieldResolvers.Resolvers; + RuleField?: RuleFieldResolvers.Resolvers; + SignalField?: SignalFieldResolvers.Resolvers; + RuleEcsField?: RuleEcsFieldResolvers.Resolvers; + Ecs?: EcsResolvers.Resolvers; EcsEdges?: EcsEdgesResolvers.Resolvers; - EventsTimelineData?: EventsTimelineDataResolvers.Resolvers; OsFields?: OsFieldsResolvers.Resolvers; HostFields?: HostFieldsResolvers.Resolvers; IndexField?: IndexFieldResolvers.Resolvers; + PageInfo?: PageInfoResolvers.Resolvers; ToStringArray?: GraphQLScalarType; Date?: GraphQLScalarType; - ToNumberArray?: GraphQLScalarType; - ToDateArray?: GraphQLScalarType; - ToBooleanArray?: GraphQLScalarType; ToAny?: GraphQLScalarType; - EsValue?: GraphQLScalarType; ToStringArrayNoNullable?: GraphQLScalarType; + ToDateArray?: GraphQLScalarType; + ToNumberArray?: GraphQLScalarType; + ToBooleanArray?: GraphQLScalarType; ToIFieldSubTypeNonNullable?: GraphQLScalarType; } & { [typeName: string]: never }; diff --git a/x-pack/plugins/security_solution/server/init_server.ts b/x-pack/plugins/security_solution/server/init_server.ts index 3d2833f1c6c60..43cf6aae7855b 100644 --- a/x-pack/plugins/security_solution/server/init_server.ts +++ b/x-pack/plugins/security_solution/server/init_server.ts @@ -6,13 +6,8 @@ import { IResolvers, makeExecutableSchema } from 'graphql-tools'; import { schemas } from './graphql'; -import { createAuthenticationsResolvers } from './graphql/authentications'; import { createScalarToStringArrayValueResolvers } from './graphql/ecs'; -import { createEsValueResolvers, createEventsResolvers } from './graphql/events'; import { createHostsResolvers } from './graphql/hosts'; -import { createKpiHostsResolvers } from './graphql/kpi_hosts'; -import { createKpiNetworkResolvers } from './graphql/kpi_network'; -import { createNetworkResolvers } from './graphql/network'; import { createNoteResolvers } from './graphql/note'; import { createPinnedEventResolvers } from './graphql/pinned_event'; import { createScalarDateResolvers } from './graphql/scalar_date'; @@ -25,22 +20,15 @@ import { createSourcesResolvers } from './graphql/sources'; import { createTimelineResolvers } from './graphql/timeline'; import { createWhoAmIResolvers } from './graphql/who_am_i'; import { AppBackendLibs } from './lib/types'; -import { createMatrixHistogramResolvers } from './graphql/matrix_histogram'; export const initServer = (libs: AppBackendLibs) => { const schema = makeExecutableSchema({ resolvers: [ - createAuthenticationsResolvers(libs) as IResolvers, - createEsValueResolvers() as IResolvers, - createEventsResolvers(libs) as IResolvers, createHostsResolvers(libs) as IResolvers, - createKpiNetworkResolvers(libs) as IResolvers, - createMatrixHistogramResolvers(libs) as IResolvers, createNoteResolvers(libs) as IResolvers, createPinnedEventResolvers(libs) as IResolvers, createSourcesResolvers(libs) as IResolvers, createScalarToStringArrayValueResolvers() as IResolvers, - createNetworkResolvers(libs) as IResolvers, createScalarDateResolvers() as IResolvers, createScalarToDateArrayValueResolvers() as IResolvers, createScalarToAnyValueResolvers() as IResolvers, @@ -50,7 +38,6 @@ export const initServer = (libs: AppBackendLibs) => { createSourceStatusResolvers(libs) as IResolvers, createTimelineResolvers(libs) as IResolvers, createWhoAmIResolvers() as IResolvers, - createKpiHostsResolvers(libs) as IResolvers, ], typeDefs: schemas, }); diff --git a/x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.test.ts b/x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.test.ts deleted file mode 100644 index d037164a34efb..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.test.ts +++ /dev/null @@ -1,135 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { AuthenticationsEdges } from '../../graphql/types'; - -import { formatAuthenticationData } from './elasticsearch_adapter'; -import { auditdFieldsMap } from './query.dsl'; -import { AuthenticationHit } from './types'; - -describe('authentications elasticsearch_adapter', () => { - describe('#formatAuthenticationsData', () => { - const hit: AuthenticationHit = { - _index: 'index-123', - _type: 'type-123', - _id: 'id-123', - _score: 10, - _source: { - '@timestamp': 'time-1', - }, - cursor: 'cursor-1', - sort: [0], - user: 'Evan', - failures: 10, - successes: 20, - }; - - test('it formats a authentication with an empty set', () => { - const fields: readonly string[] = ['']; - const data = formatAuthenticationData(fields, hit, auditdFieldsMap); - const expected: AuthenticationsEdges = { - cursor: { - tiebreaker: null, - value: 'cursor-1', - }, - node: { - _id: 'id-123', - failures: 10, - successes: 20, - user: { - name: ['Evan'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats a authentications with a source ip correctly', () => { - const fields: readonly string[] = ['lastSuccess.source.ip']; - const data = formatAuthenticationData(fields, hit, auditdFieldsMap); - const expected: AuthenticationsEdges = { - cursor: { - tiebreaker: null, - value: 'cursor-1', - }, - node: { - _id: 'id-123', - failures: 10, - successes: 20, - user: { - name: ['Evan'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats a authentications with a host name only', () => { - const fields: readonly string[] = ['lastSuccess.host.name']; - const data = formatAuthenticationData(fields, hit, auditdFieldsMap); - const expected: AuthenticationsEdges = { - cursor: { - tiebreaker: null, - value: 'cursor-1', - }, - node: { - _id: 'id-123', - failures: 10, - successes: 20, - user: { - name: ['Evan'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats a authentications with a host id only', () => { - const fields: readonly string[] = ['lastSuccess.host.id']; - const data = formatAuthenticationData(fields, hit, auditdFieldsMap); - const expected: AuthenticationsEdges = { - cursor: { - tiebreaker: null, - value: 'cursor-1', - }, - node: { - _id: 'id-123', - failures: 10, - successes: 20, - user: { - name: ['Evan'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats a authentications with a host name and id correctly', () => { - const fields: readonly string[] = ['lastSuccess.host.name', 'lastSuccess.host.id']; - const data = formatAuthenticationData(fields, hit, auditdFieldsMap); - const expected: AuthenticationsEdges = { - cursor: { - tiebreaker: null, - value: 'cursor-1', - }, - node: { - _id: 'id-123', - failures: 10, - successes: 20, - user: { - name: ['Evan'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.ts b/x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.ts deleted file mode 100644 index 724297fac7b67..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/authentications/elasticsearch_adapter.ts +++ /dev/null @@ -1,119 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { getOr } from 'lodash/fp'; - -import { AuthenticationsData, AuthenticationsEdges } from '../../graphql/types'; -import { mergeFieldsWithHit, inspectStringifyObject } from '../../utils/build_query'; -import { FrameworkAdapter, FrameworkRequest, RequestOptionsPaginated } from '../framework'; -import { TermAggregation } from '../types'; -import { DEFAULT_MAX_TABLE_QUERY_SIZE } from '../../../common/constants'; - -import { auditdFieldsMap, buildQuery } from './query.dsl'; -import { - AuthenticationBucket, - AuthenticationData, - AuthenticationHit, - AuthenticationsAdapter, -} from './types'; - -export class ElasticsearchAuthenticationAdapter implements AuthenticationsAdapter { - constructor(private readonly framework: FrameworkAdapter) {} - - public async getAuthentications( - request: FrameworkRequest, - options: RequestOptionsPaginated - ): Promise { - const dsl = buildQuery(options); - if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) { - throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`); - } - const response = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination; - const totalCount = getOr(0, 'aggregations.user_count.value', response); - const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount; - const hits: AuthenticationHit[] = getOr( - [], - 'aggregations.group_by_users.buckets', - response - ).map((bucket: AuthenticationBucket) => ({ - _id: getOr( - `${bucket.key}+${bucket.doc_count}`, - 'failures.lastFailure.hits.hits[0].id', - bucket - ), - _source: { - lastSuccess: getOr(null, 'successes.lastSuccess.hits.hits[0]._source', bucket), - lastFailure: getOr(null, 'failures.lastFailure.hits.hits[0]._source', bucket), - }, - user: bucket.key, - failures: bucket.failures.doc_count, - successes: bucket.successes.doc_count, - })); - const authenticationEdges: AuthenticationsEdges[] = hits.map((hit) => - formatAuthenticationData(options.fields, hit, auditdFieldsMap) - ); - - const edges = authenticationEdges.splice(cursorStart, querySize - cursorStart); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - const showMorePagesIndicator = totalCount > fakeTotalCount; - - return { - inspect, - edges, - totalCount, - pageInfo: { - activePage: activePage ? activePage : 0, - fakeTotalCount, - showMorePagesIndicator, - }, - }; - } -} - -export const formatAuthenticationData = ( - fields: readonly string[], - hit: AuthenticationHit, - fieldMap: Readonly> -): AuthenticationsEdges => - fields.reduce( - (flattenedFields, fieldName) => { - if (hit.cursor) { - flattenedFields.cursor.value = hit.cursor; - } - flattenedFields.node = { - ...flattenedFields.node, - ...{ - _id: hit._id, - user: { name: [hit.user] }, - failures: hit.failures, - successes: hit.successes, - }, - }; - return mergeFieldsWithHit(fieldName, flattenedFields, fieldMap, hit); - }, - { - node: { - failures: 0, - successes: 0, - _id: '', - user: { - name: [''], - }, - }, - cursor: { - value: '', - tiebreaker: null, - }, - } - ); diff --git a/x-pack/plugins/security_solution/server/lib/authentications/index.ts b/x-pack/plugins/security_solution/server/lib/authentications/index.ts deleted file mode 100644 index c1b93818943db..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/authentications/index.ts +++ /dev/null @@ -1,21 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { AuthenticationsData } from '../../graphql/types'; -import { FrameworkRequest, RequestOptionsPaginated } from '../framework'; - -import { AuthenticationsAdapter } from './types'; - -export class Authentications { - constructor(private readonly adapter: AuthenticationsAdapter) {} - - public async getAuthentications( - req: FrameworkRequest, - options: RequestOptionsPaginated - ): Promise { - return this.adapter.getAuthentications(req, options); - } -} diff --git a/x-pack/plugins/security_solution/server/lib/authentications/query.dsl.ts b/x-pack/plugins/security_solution/server/lib/authentications/query.dsl.ts deleted file mode 100644 index b6b72cd37efaa..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/authentications/query.dsl.ts +++ /dev/null @@ -1,121 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { isEmpty } from 'lodash/fp'; - -import { createQueryFilterClauses } from '../../utils/build_query'; -import { reduceFields } from '../../utils/build_query/reduce_fields'; -import { hostFieldsMap, sourceFieldsMap } from '../ecs_fields'; -import { extendMap } from '../ecs_fields/extend_map'; -import { RequestOptionsPaginated } from '../framework'; - -export const auditdFieldsMap: Readonly> = { - latest: '@timestamp', - 'lastSuccess.timestamp': 'lastSuccess.@timestamp', - 'lastFailure.timestamp': 'lastFailure.@timestamp', - ...{ ...extendMap('lastSuccess', sourceFieldsMap) }, - ...{ ...extendMap('lastSuccess', hostFieldsMap) }, - ...{ ...extendMap('lastFailure', sourceFieldsMap) }, - ...{ ...extendMap('lastFailure', hostFieldsMap) }, -}; - -export const buildQuery = ({ - fields, - filterQuery, - timerange: { from, to }, - pagination: { querySize }, - defaultIndex, - docValueFields, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestOptionsPaginated) => { - const esFields = reduceFields(fields, { ...hostFieldsMap, ...sourceFieldsMap }); - - const filter = [ - ...createQueryFilterClauses(filterQuery), - { term: { 'event.category': 'authentication' } }, - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const agg = { - user_count: { - cardinality: { - field: 'user.name', - }, - }, - }; - - const dslQuery = { - allowNoIndices: true, - index: defaultIndex, - ignoreUnavailable: true, - body: { - ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), - aggregations: { - ...agg, - group_by_users: { - terms: { - size: querySize, - field: 'user.name', - order: [{ 'successes.doc_count': 'desc' }, { 'failures.doc_count': 'desc' }], - }, - aggs: { - failures: { - filter: { - term: { - 'event.outcome': 'failure', - }, - }, - aggs: { - lastFailure: { - top_hits: { - size: 1, - _source: esFields, - sort: [{ '@timestamp': { order: 'desc' } }], - }, - }, - }, - }, - successes: { - filter: { - term: { - 'event.outcome': 'success', - }, - }, - aggs: { - lastSuccess: { - top_hits: { - size: 1, - _source: esFields, - sort: [{ '@timestamp': { order: 'desc' } }], - }, - }, - }, - }, - }, - }, - }, - query: { - bool: { - filter, - }, - }, - size: 0, - }, - track_total_hits: false, - }; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/authentications/types.ts b/x-pack/plugins/security_solution/server/lib/authentications/types.ts deleted file mode 100644 index 2d2c7ba547c09..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/authentications/types.ts +++ /dev/null @@ -1,62 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { AuthenticationsData, LastSourceHost } from '../../graphql/types'; -import { FrameworkRequest, RequestOptionsPaginated } from '../framework'; -import { Hit, SearchHit, TotalHit } from '../types'; - -export interface AuthenticationsAdapter { - getAuthentications( - req: FrameworkRequest, - options: RequestOptionsPaginated - ): Promise; -} - -type StringOrNumber = string | number; -export interface AuthenticationHit extends Hit { - _source: { - '@timestamp': string; - lastSuccess?: LastSourceHost; - lastFailure?: LastSourceHost; - }; - user: string; - failures: number; - successes: number; - cursor?: string; - sort: StringOrNumber[]; -} - -export interface AuthenticationBucket { - key: { - user_uid: string; - }; - doc_count: number; - failures: { - doc_count: number; - }; - successes: { - doc_count: number; - }; - authentication: { - hits: { - total: TotalHit; - hits: ArrayLike; - }; - }; -} - -export interface AuthenticationData extends SearchHit { - sort: string[]; - aggregations: { - process_count: { - value: number; - }; - group_by_process: { - after_key: string; - buckets: AuthenticationBucket[]; - }; - }; -} diff --git a/x-pack/plugins/security_solution/server/lib/compose/kibana.ts b/x-pack/plugins/security_solution/server/lib/compose/kibana.ts index 6348ee930a109..433ee4a5f99fa 100644 --- a/x-pack/plugins/security_solution/server/lib/compose/kibana.ts +++ b/x-pack/plugins/security_solution/server/lib/compose/kibana.ts @@ -7,26 +7,17 @@ import { CoreSetup } from '../../../../../../src/core/server'; import { SetupPlugins } from '../../plugin'; -import { Authentications } from '../authentications'; -import { ElasticsearchAuthenticationAdapter } from '../authentications/elasticsearch_adapter'; -import { ElasticsearchEventsAdapter, Events } from '../events'; import { KibanaBackendFrameworkAdapter } from '../framework/kibana_framework_adapter'; import { ElasticsearchHostsAdapter, Hosts } from '../hosts'; -import { KpiHosts } from '../kpi_hosts'; -import { ElasticsearchKpiHostsAdapter } from '../kpi_hosts/elasticsearch_adapter'; import { ElasticsearchIndexFieldAdapter, IndexFields } from '../index_fields'; -import { KpiNetwork } from '../kpi_network'; -import { ElasticsearchKpiNetworkAdapter } from '../kpi_network/elasticsearch_adapter'; -import { ElasticsearchNetworkAdapter, Network } from '../network'; import { ElasticsearchSourceStatusAdapter, SourceStatus } from '../source_status'; import { ConfigurationSourcesAdapter, Sources } from '../sources'; import { AppBackendLibs, AppDomainLibs } from '../types'; import * as note from '../note/saved_object'; import * as pinnedEvent from '../pinned_event/saved_object'; import * as timeline from '../timeline/saved_object'; -import { ElasticsearchMatrixHistogramAdapter, MatrixHistogram } from '../matrix_histogram'; import { EndpointAppContext } from '../../endpoint/types'; export function compose( @@ -40,14 +31,8 @@ export function compose( const sourceStatus = new SourceStatus(new ElasticsearchSourceStatusAdapter(framework)); const domainLibs: AppDomainLibs = { - authentications: new Authentications(new ElasticsearchAuthenticationAdapter(framework)), - events: new Events(new ElasticsearchEventsAdapter(framework)), fields: new IndexFields(new ElasticsearchIndexFieldAdapter()), hosts: new Hosts(new ElasticsearchHostsAdapter(framework, endpointContext)), - kpiHosts: new KpiHosts(new ElasticsearchKpiHostsAdapter(framework)), - kpiNetwork: new KpiNetwork(new ElasticsearchKpiNetworkAdapter(framework)), - matrixHistogram: new MatrixHistogram(new ElasticsearchMatrixHistogramAdapter(framework)), - network: new Network(new ElasticsearchNetworkAdapter(framework)), }; const libs: AppBackendLibs = { diff --git a/x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.test.ts b/x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.test.ts deleted file mode 100644 index 42dc13d84fd98..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.test.ts +++ /dev/null @@ -1,549 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { EcsEdges, TimelineDetailsData } from '../../graphql/types'; -import { eventFieldsMap } from '../ecs_fields'; -import { FrameworkAdapter, FrameworkRequest } from '../framework'; - -import { - ElasticsearchEventsAdapter, - formatEventsData, - formatTimelineData, - getFieldCategory, -} from './elasticsearch_adapter'; -import { - mockDetailsQueryDsl, - mockOptions, - mockQueryDsl, - mockRequest, - mockResponseMap, - mockResponseSearchTimelineDetails, - mockTimelineDetailsResult, -} from './mock'; -import { EventHit } from './types'; - -jest.mock('./query.dsl', () => { - return { - buildQuery: jest.fn(() => mockQueryDsl), - buildDetailsQuery: jest.fn(() => mockDetailsQueryDsl), - }; -}); - -describe('events elasticsearch_adapter', () => { - const hit: EventHit = { - _index: 'index-123', - _type: 'type-123', - _id: 'id-123', - _score: 10, - aggregations: {}, - _source: { - '@timestamp': ['time-1'], - host: { - name: ['hostname-1'], - ip: ['hostip-1'], - }, - suricata: { - eve: { - alert: { - category: 'suricata-category-1', - signature: ['suricata-signature-1'], - signature_id: [5000], - severity: 1, - }, - flow_id: [100], - proto: ['suricata-proto-1'], - }, - }, - source: { - ip: ['source-ip-1'], - port: [100], - }, - destination: { - ip: ['destination-ip-1'], - port: [200], - geo: { - region_name: ['geo-region-1'], - country_iso_code: ['geo-iso-code-1'], - }, - }, - event: { - action: ['event-action-1'], - module: ['event-module-1'], - type: ['event-type-1'], - category: ['event-category-1'], - severity: [1], - id: ['event-id-1'], - }, - }, - sort: ['123567890', '1234'], - }; - - describe('#formatEventsData', () => { - test('it formats an event with a source of hostname correctly', () => { - const fields: readonly string[] = ['host.name']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - host: { - name: ['hostname-1'], - }, - }, - }; - expect(data).toEqual(expected); - }); - - test('it formats an event with a source of host ip correctly', () => { - const fields: readonly string[] = ['host.ip']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - host: { - ip: ['hostip-1'], - }, - }, - }; - expect(data).toEqual(expected); - }); - - test('it formats an event with a event category correctly', () => { - const fields: readonly string[] = ['event.category']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - event: { - category: ['event-category-1'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a event id correctly', () => { - const fields: readonly string[] = ['event.id']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - event: { - id: ['event-id-1'], - }, - }, - }; - expect(data).toEqual(expected); - }); - - test('it formats an event with a event module correctly', () => { - const fields: readonly string[] = ['event.module']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - event: { - module: ['event-module-1'], - }, - }, - }; - expect(data).toEqual(expected); - }); - - test('it formats an event with a event action correctly', () => { - const fields: readonly string[] = ['event.action']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - event: { - action: ['event-action-1'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a event severity correctly', () => { - const fields: readonly string[] = ['event.severity']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - event: { - severity: [1], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a suricata eve flow id correctly', () => { - const fields: readonly string[] = ['suricata.eve.flow_id']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - suricata: { - eve: { - flow_id: [100], - }, - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a suricata eve proto correctly', () => { - const fields: readonly string[] = ['suricata.eve.proto']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - suricata: { - eve: { - proto: ['suricata-proto-1'], - }, - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a suricata eve alert signature correctly', () => { - const fields: readonly string[] = ['suricata.eve.alert.signature']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - suricata: { - eve: { - alert: { - signature: ['suricata-signature-1'], - }, - }, - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a suricata eve alert signature id correctly', () => { - const fields: readonly string[] = ['suricata.eve.alert.signature_id']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - suricata: { - eve: { - alert: { - signature_id: [5000], - }, - }, - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a source ip correctly', () => { - const fields: readonly string[] = ['source.ip']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - source: { - ip: ['source-ip-1'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a source port correctly', () => { - const fields: readonly string[] = ['source.port']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - source: { - port: [100], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a destination ip correctly', () => { - const fields: readonly string[] = ['destination.ip']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - destination: { - ip: ['destination-ip-1'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a destination port correctly', () => { - const fields: readonly string[] = ['destination.port']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - destination: { - port: [200], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a geo region name correctly', () => { - const fields: readonly string[] = ['geo.region_name']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - geo: { - region_name: ['geo-region-1'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a geo country iso code correctly', () => { - const fields: readonly string[] = ['geo.country_iso_code']; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - geo: { - country_iso_code: ['geo-iso-code-1'], - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats an event with a lot of fields correctly', () => { - const fields: readonly string[] = [ - 'host.name', - 'host.ip', - 'suricata.eve.proto', - 'suricata.eve.alert.signature_id', - 'geo.region_name', - ]; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { - cursor: { - tiebreaker: '1234', - value: '123567890', - }, - node: { - _id: 'id-123', - _index: 'index-123', - host: { - name: ['hostname-1'], - ip: ['hostip-1'], - }, - geo: { - region_name: ['geo-region-1'], - }, - suricata: { - eve: { - proto: ['suricata-proto-1'], - alert: { - signature_id: [5000], - }, - }, - }, - }, - }; - - expect(data).toEqual(expected); - }); - - test('it formats a event data if fields are empty', () => { - const fields: readonly string[] = []; - const data = formatEventsData(fields, hit, eventFieldsMap); - const expected: EcsEdges = { cursor: { tiebreaker: null, value: '' }, node: { _id: '' } }; - - expect(data).toEqual(expected); - }); - }); - - describe('#formatTimelineData', () => { - test('it formats TimelineEdges from hit as expected ', () => { - const datafields: readonly string[] = [ - '@timestamp', - 'host.name', - 'suricata.eve.alert.signature_id', - ]; - const ecsfields: readonly string[] = ['host.name', 'suricata.eve.alert.signature_id']; - const data = formatTimelineData(datafields, ecsfields, hit, eventFieldsMap); - // TODO: Re-add TimelineEdges back once we settle on if data can contain numbers or not. - // otherwise delete this test. - const expected = { - cursor: { tiebreaker: '1234', value: '123567890' }, - node: { - _id: 'id-123', - _index: 'index-123', - data: [ - { field: 'host.name', value: ['hostname-1'] }, - { field: 'suricata.eve.alert.signature_id', value: [5000] }, - { field: '@timestamp', value: ['time-1'] }, - ], - ecs: { - _id: 'id-123', - _index: 'index-123', - host: { name: ['hostname-1'] }, - suricata: { eve: { alert: { signature_id: [5000] } } }, - }, - }, - }; - expect(data).toEqual(expected); - }); - }); - - describe('Timeline Details', () => { - test('Happy Path ', async () => { - const mockCallWithRequest = jest.fn(); - mockCallWithRequest.mockImplementation((req: FrameworkRequest, method: string) => { - if (method === 'search') { - return mockResponseSearchTimelineDetails; - } - return mockResponseMap; - }); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - registerGraphQLEndpoint: jest.fn(), - getIndexPatternsService: jest.fn(), - }; - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - const EsNetworkTimelineDetail = new ElasticsearchEventsAdapter(mockFramework); - const data: TimelineDetailsData = await EsNetworkTimelineDetail.getTimelineDetails( - mockRequest as FrameworkRequest, - mockOptions - ); - - expect(data).toEqual(mockTimelineDetailsResult); - }); - describe('getFieldCategory', () => { - test('should return field category when passed field', () => { - const data = getFieldCategory('agent.id'); - expect(data).toEqual('agent'); - }); - test('should return "base" when passed a category of type "baseCategoryField"', () => { - const data = getFieldCategory('@timestamp'); - expect(data).toEqual('base'); - }); - }); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.ts b/x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.ts deleted file mode 100644 index 8b656272ecc99..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/events/elasticsearch_adapter.ts +++ /dev/null @@ -1,264 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - cloneDeep, - get, - getOr, - has, - isEmpty, - isNumber, - isObject, - isString, - last, - merge, - uniq, -} from 'lodash/fp'; - -import { - DetailItem, - EcsEdges, - LastEventTimeData, - TimelineData, - TimelineDetailsData, - TimelineEdges, -} from '../../graphql/types'; -import { reduceFields } from '../../utils/build_query/reduce_fields'; -import { mergeFieldsWithHit, inspectStringifyObject } from '../../utils/build_query'; -import { eventFieldsMap } from '../ecs_fields'; -import { FrameworkAdapter, FrameworkRequest } from '../framework'; -import { TermAggregation } from '../types'; - -import { buildDetailsQuery, buildTimelineQuery } from './query.dsl'; -import { buildLastEventTimeQuery } from './query.last_event_time.dsl'; -import { - EventHit, - EventsAdapter, - LastEventTimeHit, - LastEventTimeRequestOptions, - RequestDetailsOptions, - TimelineRequestOptions, -} from './types'; - -const baseCategoryFields = ['@timestamp', 'labels', 'message', 'tags']; - -export class ElasticsearchEventsAdapter implements EventsAdapter { - constructor(private readonly framework: FrameworkAdapter) {} - - public async getTimelineData( - request: FrameworkRequest, - options: TimelineRequestOptions - ): Promise { - const { fieldRequested, ...queryOptions } = cloneDeep(options); - queryOptions.fields = uniq([ - ...fieldRequested, - ...reduceFields(queryOptions.fields, eventFieldsMap), - ]); - const dsl = buildTimelineQuery(queryOptions); - const response = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - const { limit } = options.pagination; - const totalCount = getOr(0, 'hits.total.value', response); - const hits = response.hits.hits; - const timelineEdges: TimelineEdges[] = hits.map((hit) => - formatTimelineData(options.fieldRequested, options.fields, hit, eventFieldsMap) - ); - const hasNextPage = timelineEdges.length === limit + 1; - const edges = hasNextPage ? timelineEdges.splice(0, limit) : timelineEdges; - const lastCursor = get('cursor', last(edges)); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - - return { edges, inspect, pageInfo: { hasNextPage, endCursor: lastCursor }, totalCount }; - } - - public async getTimelineDetails( - request: FrameworkRequest, - options: RequestDetailsOptions - ): Promise { - const dsl = buildDetailsQuery(options.indexName, options.eventId, options.docValueFields ?? []); - const searchResponse = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - - const sourceData = getOr({}, 'hits.hits.0._source', searchResponse); - const hitsData = getOr({}, 'hits.hits.0', searchResponse); - delete hitsData._source; - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(searchResponse)], - }; - const data = getDataFromHits(merge(sourceData, hitsData)); - - return { - data, - inspect, - }; - } - - public async getLastEventTimeData( - request: FrameworkRequest, - options: LastEventTimeRequestOptions - ): Promise { - const dsl = buildLastEventTimeQuery(options); - const response = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - return { - inspect, - lastSeen: getOr(null, 'aggregations.last_seen_event.value_as_string', response), - }; - } -} - -export const formatEventsData = ( - fields: readonly string[], - hit: EventHit, - fieldMap: Readonly> -) => - fields.reduce( - (flattenedFields, fieldName) => { - flattenedFields.node._id = hit._id; - flattenedFields.node._index = hit._index; - if (hit.sort && hit.sort.length > 1) { - flattenedFields.cursor.value = hit.sort[0]; - flattenedFields.cursor.tiebreaker = hit.sort[1]; - } - return mergeFieldsWithHit(fieldName, flattenedFields, fieldMap, hit); - }, - { - node: { _id: '' }, - cursor: { - value: '', - tiebreaker: null, - }, - } - ); - -export const formatTimelineData = ( - dataFields: readonly string[], - ecsFields: readonly string[], - hit: EventHit, - fieldMap: Readonly> -) => - uniq([...ecsFields, ...dataFields]).reduce( - (flattenedFields, fieldName) => { - flattenedFields.node._id = hit._id; - flattenedFields.node._index = hit._index; - flattenedFields.node.ecs._id = hit._id; - flattenedFields.node.ecs._index = hit._index; - if (hit.sort && hit.sort.length > 1) { - flattenedFields.cursor.value = hit.sort[0]; - flattenedFields.cursor.tiebreaker = hit.sort[1]; - } - return mergeTimelineFieldsWithHit( - fieldName, - flattenedFields, - fieldMap, - hit, - dataFields, - ecsFields - ); - }, - { - node: { ecs: { _id: '' }, data: [], _id: '', _index: '' }, - cursor: { - value: '', - tiebreaker: null, - }, - } - ); - -const specialFields = ['_id', '_index', '_type', '_score']; - -const mergeTimelineFieldsWithHit = ( - fieldName: string, - flattenedFields: T, - fieldMap: Readonly>, - hit: { _source: {} }, - dataFields: readonly string[], - ecsFields: readonly string[] -) => { - if (fieldMap[fieldName] != null || dataFields.includes(fieldName)) { - const esField = dataFields.includes(fieldName) ? fieldName : fieldMap[fieldName]; - if (has(esField, hit._source) || specialFields.includes(esField)) { - const objectWithProperty = { - node: { - ...get('node', flattenedFields), - data: dataFields.includes(fieldName) - ? [ - ...get('node.data', flattenedFields), - { - field: fieldName, - value: specialFields.includes(esField) - ? get(esField, hit) - : get(esField, hit._source), - }, - ] - : get('node.data', flattenedFields), - ecs: ecsFields.includes(fieldName) - ? { - ...get('node.ecs', flattenedFields), - ...fieldName - .split('.') - .reduceRight((obj, next) => ({ [next]: obj }), get(esField, hit._source)), - } - : get('node.ecs', flattenedFields), - }, - }; - return merge(flattenedFields, objectWithProperty); - } else { - return flattenedFields; - } - } else { - return flattenedFields; - } -}; - -export const getFieldCategory = (field: string): string => { - const fieldCategory = field.split('.')[0]; - if (!isEmpty(fieldCategory) && baseCategoryFields.includes(fieldCategory)) { - return 'base'; - } - return fieldCategory; -}; - -const getDataFromHits = (sources: EventSource, category?: string, path?: string): DetailItem[] => - Object.keys(sources).reduce((accumulator, source) => { - const item: EventSource = get(source, sources); - if (Array.isArray(item) || isString(item) || isNumber(item)) { - const field = path ? `${path}.${source}` : source; - const fieldCategory = getFieldCategory(field); - return [ - ...accumulator, - { - category: fieldCategory, - field, - values: item, - originalValue: item, - } as DetailItem, - ]; - } else if (isObject(item)) { - return [ - ...accumulator, - ...getDataFromHits(item, category || source, path ? `${path}.${source}` : source), - ]; - } - return accumulator; - }, []); diff --git a/x-pack/plugins/security_solution/server/lib/events/index.ts b/x-pack/plugins/security_solution/server/lib/events/index.ts deleted file mode 100644 index 9c1f87aa3d8bf..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/events/index.ts +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { LastEventTimeData, TimelineData, TimelineDetailsData } from '../../graphql/types'; -import { FrameworkRequest } from '../framework'; -export * from './elasticsearch_adapter'; -import { - EventsAdapter, - TimelineRequestOptions, - LastEventTimeRequestOptions, - RequestDetailsOptions, -} from './types'; - -export class Events { - constructor(private readonly adapter: EventsAdapter) {} - - public async getTimelineData( - req: FrameworkRequest, - options: TimelineRequestOptions - ): Promise { - return this.adapter.getTimelineData(req, options); - } - - public async getTimelineDetails( - req: FrameworkRequest, - options: RequestDetailsOptions - ): Promise { - return this.adapter.getTimelineDetails(req, options); - } - - public async getLastEventTimeData( - req: FrameworkRequest, - options: LastEventTimeRequestOptions - ): Promise { - return this.adapter.getLastEventTimeData(req, options); - } -} diff --git a/x-pack/plugins/security_solution/server/lib/events/mock.ts b/x-pack/plugins/security_solution/server/lib/events/mock.ts deleted file mode 100644 index a3350a08c7d34..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/events/mock.ts +++ /dev/null @@ -1,3412 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { cloneDeep } from 'lodash/fp'; -import { DEFAULT_INDEX_PATTERN } from '../../../common/constants'; -import { RequestDetailsOptions } from './types'; - -export const mockResponseSearchTimelineDetails = { - took: 5, - timed_out: false, - _shards: { - total: 1, - successful: 1, - skipped: 0, - failed: 0, - }, - hits: { - total: { - value: 1, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'auditbeat-8.0.0-2019.03.29-000003', - _type: '_doc', - _id: 'TUfUymkBCQofM5eXGBYL', - _score: 1, - _source: { - '@timestamp': '2019-03-29T19:01:23.420Z', - service: { - type: 'auditd', - }, - user: { - audit: { - id: 'unset', - }, - group: { - id: '0', - name: 'root', - }, - effective: { - group: { - id: '0', - name: 'root', - }, - id: '0', - name: 'root', - }, - filesystem: { - group: { - name: 'root', - id: '0', - }, - name: 'root', - id: '0', - }, - saved: { - group: { - id: '0', - name: 'root', - }, - id: '0', - name: 'root', - }, - id: '0', - name: 'root', - }, - process: { - executable: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat', - working_directory: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat', - pid: 15990, - ppid: 1, - title: - '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat -e -c /root/go/src/github.com/elastic/beats/x-pack/auditbeat/au', - name: 'auditbeat', - }, - host: { - architecture: 'x86_64', - os: { - name: 'Ubuntu', - kernel: '4.15.0-45-generic', - codename: 'bionic', - platform: 'ubuntu', - version: '18.04.2 LTS (Bionic Beaver)', - family: 'debian', - }, - id: '7c21f5ed03b04d0299569d221fe18bbc', - containerized: false, - name: 'zeek-london', - ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - mac: ['42:66:42:19:b3:b9'], - hostname: 'zeek-london', - }, - cloud: { - provider: 'digitalocean', - instance: { - id: '136398786', - }, - region: 'lon1', - }, - file: { - device: '00:00', - inode: '3926', - mode: '0644', - uid: '0', - gid: '0', - owner: 'root', - group: 'root', - path: '/etc/passwd', - }, - auditd: { - session: 'unset', - data: { - tty: '(none)', - a3: '0', - a2: '80000', - syscall: 'openat', - a1: '7fe0f63df220', - a0: 'ffffff9c', - arch: 'x86_64', - exit: '12', - }, - summary: { - actor: { - primary: 'unset', - secondary: 'root', - }, - object: { - primary: '/etc/passwd', - type: 'file', - }, - how: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat', - }, - paths: [ - { - rdev: '00:00', - cap_fe: '0', - nametype: 'NORMAL', - ogid: '0', - ouid: '0', - inode: '3926', - item: '0', - mode: '0100644', - name: '/etc/passwd', - cap_fi: '0000000000000000', - cap_fp: '0000000000000000', - cap_fver: '0', - dev: 'fc:01', - }, - ], - message_type: 'syscall', - sequence: 8817905, - result: 'success', - }, - event: { - category: 'audit-rule', - action: 'opened-file', - original: [ - 'type=SYSCALL msg=audit(1553886083.420:8817905): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7fe0f63df220 a2=80000 a3=0 items=1 ppid=1 pid=15990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditbeat" exe="/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat" key=(null)', - 'type=CWD msg=audit(1553886083.420:8817905): cwd="/root/go/src/github.com/elastic/beats/x-pack/auditbeat"', - 'type=PATH msg=audit(1553886083.420:8817905): item=0 name="/etc/passwd" inode=3926 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0', - 'type=PROCTITLE msg=audit(1553886083.420:8817905): proctitle=2F726F6F742F676F2F7372632F6769746875622E636F6D2F656C61737469632F62656174732F782D7061636B2F6175646974626561742F617564697462656174002D65002D63002F726F6F742F676F2F7372632F6769746875622E636F6D2F656C61737469632F62656174732F782D7061636B2F6175646974626561742F6175', - ], - module: 'auditd', - }, - ecs: { - version: '1.0.0', - }, - agent: { - ephemeral_id: '6d541d59-52d0-4e70-b4d2-2660c0a99ff7', - hostname: 'zeek-london', - id: 'cc1f4183-36c6-45c4-b21b-7ce70c3572db', - version: '8.0.0', - type: 'auditbeat', - }, - }, - }, - ], - }, -}; -export const mockOptions: RequestDetailsOptions = { - indexName: 'auditbeat-8.0.0-2019.03.29-000003', - eventId: 'TUfUymkBCQofM5eXGBYL', - defaultIndex: DEFAULT_INDEX_PATTERN, -}; - -export const mockRequest = { - body: { - operationName: 'GetNetworkTopNFlowQuery', - variables: { - indexName: 'auditbeat-8.0.0-2019.03.29-000003', - eventId: 'TUfUymkBCQofM5eXGBYL', - }, - query: `query GetTimelineDetailsQuery($eventId: String!, $indexName: String!) { - source(id: "default") { - TimelineDetails(eventId: $eventId, indexName: $indexName) { - data { - category - description - example - field - type - values - originalValue - } - } - } - }`, - }, -}; - -export const mockResponseMap = { - 'auditbeat-8.0.0-2019.03.29-000003': { - mappings: { - _meta: { - beat: 'auditbeat', - version: '8.0.0', - }, - dynamic_templates: [ - { - 'container.labels': { - path_match: 'container.labels.*', - match_mapping_type: 'string', - mapping: { - type: 'keyword', - }, - }, - }, - { - fields: { - path_match: 'fields.*', - match_mapping_type: 'string', - mapping: { - type: 'keyword', - }, - }, - }, - { - 'docker.container.labels': { - path_match: 'docker.container.labels.*', - match_mapping_type: 'string', - mapping: { - type: 'keyword', - }, - }, - }, - { - strings_as_keyword: { - match_mapping_type: 'string', - mapping: { - ignore_above: 1024, - type: 'keyword', - }, - }, - }, - ], - date_detection: false, - properties: { - '@timestamp': { - type: 'date', - }, - agent: { - properties: { - ephemeral_id: { - type: 'keyword', - ignore_above: 1024, - }, - hostname: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - auditd: { - properties: { - data: { - properties: { - a0: { - type: 'keyword', - ignore_above: 1024, - }, - a1: { - type: 'keyword', - ignore_above: 1024, - }, - a2: { - type: 'keyword', - ignore_above: 1024, - }, - a3: { - type: 'keyword', - ignore_above: 1024, - }, - 'a[0-3]': { - type: 'keyword', - ignore_above: 1024, - }, - acct: { - type: 'keyword', - ignore_above: 1024, - }, - acl: { - type: 'keyword', - ignore_above: 1024, - }, - action: { - type: 'keyword', - ignore_above: 1024, - }, - added: { - type: 'keyword', - ignore_above: 1024, - }, - addr: { - type: 'keyword', - ignore_above: 1024, - }, - apparmor: { - type: 'keyword', - ignore_above: 1024, - }, - arch: { - type: 'keyword', - ignore_above: 1024, - }, - argc: { - type: 'keyword', - ignore_above: 1024, - }, - audit_backlog_limit: { - type: 'keyword', - ignore_above: 1024, - }, - audit_backlog_wait_time: { - type: 'keyword', - ignore_above: 1024, - }, - audit_enabled: { - type: 'keyword', - ignore_above: 1024, - }, - audit_failure: { - type: 'keyword', - ignore_above: 1024, - }, - banners: { - type: 'keyword', - ignore_above: 1024, - }, - bool: { - type: 'keyword', - ignore_above: 1024, - }, - bus: { - type: 'keyword', - ignore_above: 1024, - }, - cap_fe: { - type: 'keyword', - ignore_above: 1024, - }, - cap_fi: { - type: 'keyword', - ignore_above: 1024, - }, - cap_fp: { - type: 'keyword', - ignore_above: 1024, - }, - cap_fver: { - type: 'keyword', - ignore_above: 1024, - }, - cap_pe: { - type: 'keyword', - ignore_above: 1024, - }, - cap_pi: { - type: 'keyword', - ignore_above: 1024, - }, - cap_pp: { - type: 'keyword', - ignore_above: 1024, - }, - capability: { - type: 'keyword', - ignore_above: 1024, - }, - cgroup: { - type: 'keyword', - ignore_above: 1024, - }, - changed: { - type: 'keyword', - ignore_above: 1024, - }, - cipher: { - type: 'keyword', - ignore_above: 1024, - }, - class: { - type: 'keyword', - ignore_above: 1024, - }, - cmd: { - type: 'keyword', - ignore_above: 1024, - }, - code: { - type: 'keyword', - ignore_above: 1024, - }, - compat: { - type: 'keyword', - ignore_above: 1024, - }, - daddr: { - type: 'keyword', - ignore_above: 1024, - }, - data: { - type: 'keyword', - ignore_above: 1024, - }, - 'default-context': { - type: 'keyword', - ignore_above: 1024, - }, - dev: { - type: 'keyword', - ignore_above: 1024, - }, - device: { - type: 'keyword', - ignore_above: 1024, - }, - dir: { - type: 'keyword', - ignore_above: 1024, - }, - direction: { - type: 'keyword', - ignore_above: 1024, - }, - dmac: { - type: 'keyword', - ignore_above: 1024, - }, - dport: { - type: 'keyword', - ignore_above: 1024, - }, - enforcing: { - type: 'keyword', - ignore_above: 1024, - }, - entries: { - type: 'keyword', - ignore_above: 1024, - }, - exit: { - type: 'keyword', - ignore_above: 1024, - }, - fam: { - type: 'keyword', - ignore_above: 1024, - }, - family: { - type: 'keyword', - ignore_above: 1024, - }, - fd: { - type: 'keyword', - ignore_above: 1024, - }, - fe: { - type: 'keyword', - ignore_above: 1024, - }, - feature: { - type: 'keyword', - ignore_above: 1024, - }, - fi: { - type: 'keyword', - ignore_above: 1024, - }, - file: { - type: 'keyword', - ignore_above: 1024, - }, - flags: { - type: 'keyword', - ignore_above: 1024, - }, - format: { - type: 'keyword', - ignore_above: 1024, - }, - fp: { - type: 'keyword', - ignore_above: 1024, - }, - fver: { - type: 'keyword', - ignore_above: 1024, - }, - grantors: { - type: 'keyword', - ignore_above: 1024, - }, - grp: { - type: 'keyword', - ignore_above: 1024, - }, - hook: { - type: 'keyword', - ignore_above: 1024, - }, - hostname: { - type: 'keyword', - ignore_above: 1024, - }, - icmp_type: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - igid: { - type: 'keyword', - ignore_above: 1024, - }, - 'img-ctx': { - type: 'keyword', - ignore_above: 1024, - }, - inif: { - type: 'keyword', - ignore_above: 1024, - }, - ino: { - type: 'keyword', - ignore_above: 1024, - }, - inode: { - type: 'keyword', - ignore_above: 1024, - }, - inode_gid: { - type: 'keyword', - ignore_above: 1024, - }, - inode_uid: { - type: 'keyword', - ignore_above: 1024, - }, - invalid_context: { - type: 'keyword', - ignore_above: 1024, - }, - ioctlcmd: { - type: 'keyword', - ignore_above: 1024, - }, - ip: { - type: 'keyword', - ignore_above: 1024, - }, - ipid: { - type: 'keyword', - ignore_above: 1024, - }, - 'ipx-net': { - type: 'keyword', - ignore_above: 1024, - }, - item: { - type: 'keyword', - ignore_above: 1024, - }, - items: { - type: 'keyword', - ignore_above: 1024, - }, - iuid: { - type: 'keyword', - ignore_above: 1024, - }, - kernel: { - type: 'keyword', - ignore_above: 1024, - }, - kind: { - type: 'keyword', - ignore_above: 1024, - }, - ksize: { - type: 'keyword', - ignore_above: 1024, - }, - laddr: { - type: 'keyword', - ignore_above: 1024, - }, - len: { - type: 'keyword', - ignore_above: 1024, - }, - list: { - type: 'keyword', - ignore_above: 1024, - }, - lport: { - type: 'keyword', - ignore_above: 1024, - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - macproto: { - type: 'keyword', - ignore_above: 1024, - }, - maj: { - type: 'keyword', - ignore_above: 1024, - }, - major: { - type: 'keyword', - ignore_above: 1024, - }, - minor: { - type: 'keyword', - ignore_above: 1024, - }, - mode: { - type: 'keyword', - ignore_above: 1024, - }, - model: { - type: 'keyword', - ignore_above: 1024, - }, - msg: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - nametype: { - type: 'keyword', - ignore_above: 1024, - }, - nargs: { - type: 'keyword', - ignore_above: 1024, - }, - net: { - type: 'keyword', - ignore_above: 1024, - }, - new: { - type: 'keyword', - ignore_above: 1024, - }, - 'new-chardev': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-disk': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-enabled': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-fs': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-level': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-log_passwd': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-mem': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-net': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-range': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-rng': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-role': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-seuser': { - type: 'keyword', - ignore_above: 1024, - }, - 'new-vcpu': { - type: 'keyword', - ignore_above: 1024, - }, - new_gid: { - type: 'keyword', - ignore_above: 1024, - }, - new_lock: { - type: 'keyword', - ignore_above: 1024, - }, - new_pe: { - type: 'keyword', - ignore_above: 1024, - }, - new_pi: { - type: 'keyword', - ignore_above: 1024, - }, - new_pp: { - type: 'keyword', - ignore_above: 1024, - }, - 'nlnk-fam': { - type: 'keyword', - ignore_above: 1024, - }, - 'nlnk-grp': { - type: 'keyword', - ignore_above: 1024, - }, - 'nlnk-pid': { - type: 'keyword', - ignore_above: 1024, - }, - oauid: { - type: 'keyword', - ignore_above: 1024, - }, - obj: { - type: 'keyword', - ignore_above: 1024, - }, - obj_gid: { - type: 'keyword', - ignore_above: 1024, - }, - obj_uid: { - type: 'keyword', - ignore_above: 1024, - }, - ocomm: { - type: 'keyword', - ignore_above: 1024, - }, - oflag: { - type: 'keyword', - ignore_above: 1024, - }, - old: { - type: 'keyword', - ignore_above: 1024, - }, - 'old-auid': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-chardev': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-disk': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-enabled': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-fs': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-level': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-log_passwd': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-mem': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-net': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-range': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-rng': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-role': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-ses': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-seuser': { - type: 'keyword', - ignore_above: 1024, - }, - 'old-vcpu': { - type: 'keyword', - ignore_above: 1024, - }, - old_enforcing: { - type: 'keyword', - ignore_above: 1024, - }, - old_lock: { - type: 'keyword', - ignore_above: 1024, - }, - old_pe: { - type: 'keyword', - ignore_above: 1024, - }, - old_pi: { - type: 'keyword', - ignore_above: 1024, - }, - old_pp: { - type: 'keyword', - ignore_above: 1024, - }, - old_prom: { - type: 'keyword', - ignore_above: 1024, - }, - old_val: { - type: 'keyword', - ignore_above: 1024, - }, - op: { - type: 'keyword', - ignore_above: 1024, - }, - opid: { - type: 'keyword', - ignore_above: 1024, - }, - oses: { - type: 'keyword', - ignore_above: 1024, - }, - outif: { - type: 'keyword', - ignore_above: 1024, - }, - parent: { - type: 'keyword', - ignore_above: 1024, - }, - path: { - type: 'keyword', - ignore_above: 1024, - }, - per: { - type: 'keyword', - ignore_above: 1024, - }, - perm: { - type: 'keyword', - ignore_above: 1024, - }, - perm_mask: { - type: 'keyword', - ignore_above: 1024, - }, - permissive: { - type: 'keyword', - ignore_above: 1024, - }, - pfs: { - type: 'keyword', - ignore_above: 1024, - }, - printer: { - type: 'keyword', - ignore_above: 1024, - }, - prom: { - type: 'keyword', - ignore_above: 1024, - }, - proto: { - type: 'keyword', - ignore_above: 1024, - }, - qbytes: { - type: 'keyword', - ignore_above: 1024, - }, - range: { - type: 'keyword', - ignore_above: 1024, - }, - rdev: { - type: 'keyword', - ignore_above: 1024, - }, - reason: { - type: 'keyword', - ignore_above: 1024, - }, - removed: { - type: 'keyword', - ignore_above: 1024, - }, - res: { - type: 'keyword', - ignore_above: 1024, - }, - resrc: { - type: 'keyword', - ignore_above: 1024, - }, - rport: { - type: 'keyword', - ignore_above: 1024, - }, - sauid: { - type: 'keyword', - ignore_above: 1024, - }, - scontext: { - type: 'keyword', - ignore_above: 1024, - }, - 'selected-context': { - type: 'keyword', - ignore_above: 1024, - }, - seperm: { - type: 'keyword', - ignore_above: 1024, - }, - seperms: { - type: 'keyword', - ignore_above: 1024, - }, - seqno: { - type: 'keyword', - ignore_above: 1024, - }, - seresult: { - type: 'keyword', - ignore_above: 1024, - }, - ses: { - type: 'keyword', - ignore_above: 1024, - }, - seuser: { - type: 'keyword', - ignore_above: 1024, - }, - sig: { - type: 'keyword', - ignore_above: 1024, - }, - sigev_signo: { - type: 'keyword', - ignore_above: 1024, - }, - smac: { - type: 'keyword', - ignore_above: 1024, - }, - socket: { - properties: { - addr: { - type: 'keyword', - ignore_above: 1024, - }, - family: { - type: 'keyword', - ignore_above: 1024, - }, - path: { - type: 'keyword', - ignore_above: 1024, - }, - port: { - type: 'keyword', - ignore_above: 1024, - }, - saddr: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - spid: { - type: 'keyword', - ignore_above: 1024, - }, - sport: { - type: 'keyword', - ignore_above: 1024, - }, - state: { - type: 'keyword', - ignore_above: 1024, - }, - subj: { - type: 'keyword', - ignore_above: 1024, - }, - success: { - type: 'keyword', - ignore_above: 1024, - }, - syscall: { - type: 'keyword', - ignore_above: 1024, - }, - table: { - type: 'keyword', - ignore_above: 1024, - }, - tclass: { - type: 'keyword', - ignore_above: 1024, - }, - tcontext: { - type: 'keyword', - ignore_above: 1024, - }, - terminal: { - type: 'keyword', - ignore_above: 1024, - }, - tty: { - type: 'keyword', - ignore_above: 1024, - }, - unit: { - type: 'keyword', - ignore_above: 1024, - }, - uri: { - type: 'keyword', - ignore_above: 1024, - }, - uuid: { - type: 'keyword', - ignore_above: 1024, - }, - val: { - type: 'keyword', - ignore_above: 1024, - }, - ver: { - type: 'keyword', - ignore_above: 1024, - }, - virt: { - type: 'keyword', - ignore_above: 1024, - }, - vm: { - type: 'keyword', - ignore_above: 1024, - }, - 'vm-ctx': { - type: 'keyword', - ignore_above: 1024, - }, - 'vm-pid': { - type: 'keyword', - ignore_above: 1024, - }, - watch: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - message_type: { - type: 'keyword', - ignore_above: 1024, - }, - paths: { - properties: { - cap_fe: { - type: 'keyword', - ignore_above: 1024, - }, - cap_fi: { - type: 'keyword', - ignore_above: 1024, - }, - cap_fp: { - type: 'keyword', - ignore_above: 1024, - }, - cap_fver: { - type: 'keyword', - ignore_above: 1024, - }, - dev: { - type: 'keyword', - ignore_above: 1024, - }, - inode: { - type: 'keyword', - ignore_above: 1024, - }, - item: { - type: 'keyword', - ignore_above: 1024, - }, - mode: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - nametype: { - type: 'keyword', - ignore_above: 1024, - }, - obj_domain: { - type: 'keyword', - ignore_above: 1024, - }, - obj_level: { - type: 'keyword', - ignore_above: 1024, - }, - obj_role: { - type: 'keyword', - ignore_above: 1024, - }, - obj_user: { - type: 'keyword', - ignore_above: 1024, - }, - objtype: { - type: 'keyword', - ignore_above: 1024, - }, - ogid: { - type: 'keyword', - ignore_above: 1024, - }, - ouid: { - type: 'keyword', - ignore_above: 1024, - }, - rdev: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - result: { - type: 'keyword', - ignore_above: 1024, - }, - sequence: { - type: 'long', - }, - session: { - type: 'keyword', - ignore_above: 1024, - }, - summary: { - properties: { - actor: { - properties: { - primary: { - type: 'keyword', - ignore_above: 1024, - }, - secondary: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - how: { - type: 'keyword', - ignore_above: 1024, - }, - object: { - properties: { - primary: { - type: 'keyword', - ignore_above: 1024, - }, - secondary: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - }, - }, - }, - }, - client: { - properties: { - address: { - type: 'keyword', - ignore_above: 1024, - }, - bytes: { - type: 'long', - }, - domain: { - type: 'keyword', - ignore_above: 1024, - }, - geo: { - properties: { - city_name: { - type: 'keyword', - ignore_above: 1024, - }, - continent_name: { - type: 'keyword', - ignore_above: 1024, - }, - country_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - country_name: { - type: 'keyword', - ignore_above: 1024, - }, - location: { - type: 'geo_point', - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - region_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - region_name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - ip: { - type: 'ip', - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - packets: { - type: 'long', - }, - port: { - type: 'long', - }, - }, - }, - cloud: { - properties: { - account: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - availability_zone: { - type: 'keyword', - ignore_above: 1024, - }, - instance: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - machine: { - properties: { - type: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - project: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - provider: { - type: 'keyword', - ignore_above: 1024, - }, - region: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - container: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - image: { - properties: { - name: { - type: 'keyword', - ignore_above: 1024, - }, - tag: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - labels: { - type: 'object', - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - runtime: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - destination: { - properties: { - address: { - type: 'keyword', - ignore_above: 1024, - }, - bytes: { - type: 'long', - }, - domain: { - type: 'keyword', - ignore_above: 1024, - }, - geo: { - properties: { - city_name: { - type: 'keyword', - ignore_above: 1024, - }, - continent_name: { - type: 'keyword', - ignore_above: 1024, - }, - country_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - country_name: { - type: 'keyword', - ignore_above: 1024, - }, - location: { - type: 'geo_point', - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - region_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - region_name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - ip: { - type: 'ip', - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - packets: { - type: 'long', - }, - path: { - type: 'keyword', - ignore_above: 1024, - }, - port: { - type: 'long', - }, - }, - }, - docker: { - properties: { - container: { - properties: { - labels: { - type: 'object', - }, - }, - }, - }, - }, - ecs: { - properties: { - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - error: { - properties: { - code: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - message: { - type: 'text', - norms: false, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - event: { - properties: { - action: { - type: 'keyword', - ignore_above: 1024, - }, - category: { - type: 'keyword', - ignore_above: 1024, - }, - created: { - type: 'date', - }, - dataset: { - type: 'keyword', - ignore_above: 1024, - }, - duration: { - type: 'long', - }, - end: { - type: 'date', - }, - hash: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - kind: { - type: 'keyword', - ignore_above: 1024, - }, - module: { - type: 'keyword', - ignore_above: 1024, - }, - origin: { - type: 'keyword', - ignore_above: 1024, - }, - original: { - type: 'keyword', - index: false, - doc_values: false, - ignore_above: 1024, - }, - outcome: { - type: 'keyword', - ignore_above: 1024, - }, - risk_score: { - type: 'float', - }, - risk_score_norm: { - type: 'float', - }, - severity: { - type: 'long', - }, - start: { - type: 'date', - }, - timezone: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - fields: { - type: 'object', - }, - file: { - properties: { - ctime: { - type: 'date', - }, - device: { - type: 'keyword', - ignore_above: 1024, - }, - extension: { - type: 'keyword', - ignore_above: 1024, - }, - gid: { - type: 'keyword', - ignore_above: 1024, - }, - group: { - type: 'keyword', - ignore_above: 1024, - }, - inode: { - type: 'keyword', - ignore_above: 1024, - }, - mode: { - type: 'keyword', - ignore_above: 1024, - }, - mtime: { - type: 'date', - }, - origin: { - type: 'keyword', - fields: { - raw: { - type: 'keyword', - ignore_above: 1024, - }, - }, - ignore_above: 1024, - }, - owner: { - type: 'keyword', - ignore_above: 1024, - }, - path: { - type: 'keyword', - ignore_above: 1024, - }, - selinux: { - properties: { - domain: { - type: 'keyword', - ignore_above: 1024, - }, - level: { - type: 'keyword', - ignore_above: 1024, - }, - role: { - type: 'keyword', - ignore_above: 1024, - }, - user: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - setgid: { - type: 'boolean', - }, - setuid: { - type: 'boolean', - }, - size: { - type: 'long', - }, - target_path: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - uid: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - geoip: { - properties: { - city_name: { - type: 'keyword', - ignore_above: 1024, - }, - continent_name: { - type: 'keyword', - ignore_above: 1024, - }, - country_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - location: { - type: 'geo_point', - }, - region_name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - group: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - hash: { - properties: { - blake2b_256: { - type: 'keyword', - ignore_above: 1024, - }, - blake2b_384: { - type: 'keyword', - ignore_above: 1024, - }, - blake2b_512: { - type: 'keyword', - ignore_above: 1024, - }, - md5: { - type: 'keyword', - ignore_above: 1024, - }, - sha1: { - type: 'keyword', - ignore_above: 1024, - }, - sha224: { - type: 'keyword', - ignore_above: 1024, - }, - sha256: { - type: 'keyword', - ignore_above: 1024, - }, - sha384: { - type: 'keyword', - ignore_above: 1024, - }, - sha3_224: { - type: 'keyword', - ignore_above: 1024, - }, - sha3_256: { - type: 'keyword', - ignore_above: 1024, - }, - sha3_384: { - type: 'keyword', - ignore_above: 1024, - }, - sha3_512: { - type: 'keyword', - ignore_above: 1024, - }, - sha512: { - type: 'keyword', - ignore_above: 1024, - }, - sha512_224: { - type: 'keyword', - ignore_above: 1024, - }, - sha512_256: { - type: 'keyword', - ignore_above: 1024, - }, - xxh64: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - host: { - properties: { - architecture: { - type: 'keyword', - ignore_above: 1024, - }, - containerized: { - type: 'boolean', - }, - geo: { - properties: { - city_name: { - type: 'keyword', - ignore_above: 1024, - }, - continent_name: { - type: 'keyword', - ignore_above: 1024, - }, - country_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - country_name: { - type: 'keyword', - ignore_above: 1024, - }, - location: { - type: 'geo_point', - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - region_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - region_name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - hostname: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - ip: { - type: 'ip', - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - os: { - properties: { - codename: { - type: 'keyword', - ignore_above: 1024, - }, - family: { - type: 'keyword', - ignore_above: 1024, - }, - full: { - type: 'keyword', - ignore_above: 1024, - }, - kernel: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - platform: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - http: { - properties: { - request: { - properties: { - body: { - properties: { - bytes: { - type: 'long', - }, - content: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - bytes: { - type: 'long', - }, - method: { - type: 'keyword', - ignore_above: 1024, - }, - referrer: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - response: { - properties: { - body: { - properties: { - bytes: { - type: 'long', - }, - content: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - bytes: { - type: 'long', - }, - status_code: { - type: 'long', - }, - }, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - kubernetes: { - properties: { - annotations: { - type: 'object', - }, - container: { - properties: { - image: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - labels: { - type: 'object', - }, - namespace: { - type: 'keyword', - ignore_above: 1024, - }, - node: { - properties: { - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - pod: { - properties: { - name: { - type: 'keyword', - ignore_above: 1024, - }, - uid: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - }, - }, - labels: { - type: 'object', - }, - log: { - properties: { - level: { - type: 'keyword', - ignore_above: 1024, - }, - original: { - type: 'keyword', - index: false, - doc_values: false, - ignore_above: 1024, - }, - }, - }, - message: { - type: 'text', - norms: false, - }, - network: { - properties: { - application: { - type: 'keyword', - ignore_above: 1024, - }, - bytes: { - type: 'long', - }, - community_id: { - type: 'keyword', - ignore_above: 1024, - }, - direction: { - type: 'keyword', - ignore_above: 1024, - }, - forwarded_ip: { - type: 'ip', - }, - iana_number: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - packets: { - type: 'long', - }, - protocol: { - type: 'keyword', - ignore_above: 1024, - }, - transport: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - observer: { - properties: { - geo: { - properties: { - city_name: { - type: 'keyword', - ignore_above: 1024, - }, - continent_name: { - type: 'keyword', - ignore_above: 1024, - }, - country_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - country_name: { - type: 'keyword', - ignore_above: 1024, - }, - location: { - type: 'geo_point', - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - region_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - region_name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - hostname: { - type: 'keyword', - ignore_above: 1024, - }, - ip: { - type: 'ip', - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - os: { - properties: { - family: { - type: 'keyword', - ignore_above: 1024, - }, - full: { - type: 'keyword', - ignore_above: 1024, - }, - kernel: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - platform: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - serial_number: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - vendor: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - organization: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - os: { - properties: { - family: { - type: 'keyword', - ignore_above: 1024, - }, - full: { - type: 'keyword', - ignore_above: 1024, - }, - kernel: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - platform: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - process: { - properties: { - args: { - type: 'keyword', - ignore_above: 1024, - }, - entity_id: { - type: 'keyword', - ignore_above: 1024, - }, - executable: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - pid: { - type: 'long', - }, - ppid: { - type: 'long', - }, - start: { - type: 'date', - }, - thread: { - properties: { - id: { - type: 'long', - }, - }, - }, - title: { - type: 'keyword', - ignore_above: 1024, - }, - working_directory: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - related: { - properties: { - ip: { - type: 'ip', - }, - }, - }, - server: { - properties: { - address: { - type: 'keyword', - ignore_above: 1024, - }, - bytes: { - type: 'long', - }, - domain: { - type: 'keyword', - ignore_above: 1024, - }, - geo: { - properties: { - city_name: { - type: 'keyword', - ignore_above: 1024, - }, - continent_name: { - type: 'keyword', - ignore_above: 1024, - }, - country_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - country_name: { - type: 'keyword', - ignore_above: 1024, - }, - location: { - type: 'geo_point', - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - region_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - region_name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - ip: { - type: 'ip', - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - packets: { - type: 'long', - }, - port: { - type: 'long', - }, - }, - }, - service: { - properties: { - ephemeral_id: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - state: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - socket: { - properties: { - entity_id: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - source: { - properties: { - address: { - type: 'keyword', - ignore_above: 1024, - }, - bytes: { - type: 'long', - }, - domain: { - type: 'keyword', - ignore_above: 1024, - }, - geo: { - properties: { - city_name: { - type: 'keyword', - ignore_above: 1024, - }, - continent_name: { - type: 'keyword', - ignore_above: 1024, - }, - country_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - country_name: { - type: 'keyword', - ignore_above: 1024, - }, - location: { - type: 'geo_point', - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - region_iso_code: { - type: 'keyword', - ignore_above: 1024, - }, - region_name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - ip: { - type: 'ip', - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - packets: { - type: 'long', - }, - path: { - type: 'keyword', - ignore_above: 1024, - }, - port: { - type: 'long', - }, - }, - }, - system: { - properties: { - audit: { - properties: { - host: { - properties: { - architecture: { - type: 'keyword', - ignore_above: 1024, - }, - boottime: { - type: 'date', - }, - containerized: { - type: 'boolean', - }, - hostname: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - ip: { - type: 'ip', - }, - mac: { - type: 'keyword', - ignore_above: 1024, - }, - os: { - properties: { - family: { - type: 'keyword', - ignore_above: 1024, - }, - kernel: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - platform: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - timezone: { - properties: { - name: { - type: 'keyword', - ignore_above: 1024, - }, - offset: { - properties: { - sec: { - type: 'long', - }, - }, - }, - }, - }, - uptime: { - type: 'long', - }, - }, - }, - package: { - properties: { - arch: { - type: 'keyword', - ignore_above: 1024, - }, - entity_id: { - type: 'keyword', - ignore_above: 1024, - }, - installtime: { - type: 'date', - }, - license: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - release: { - type: 'keyword', - ignore_above: 1024, - }, - size: { - type: 'long', - }, - summary: { - type: 'keyword', - ignore_above: 1024, - }, - url: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - user: { - properties: { - dir: { - type: 'keyword', - ignore_above: 1024, - }, - gid: { - type: 'keyword', - ignore_above: 1024, - }, - group: { - properties: { - gid: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - password: { - properties: { - last_changed: { - type: 'date', - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - shell: { - type: 'keyword', - ignore_above: 1024, - }, - uid: { - type: 'keyword', - ignore_above: 1024, - }, - user_information: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - }, - }, - }, - }, - tags: { - type: 'keyword', - ignore_above: 1024, - }, - url: { - properties: { - domain: { - type: 'keyword', - ignore_above: 1024, - }, - fragment: { - type: 'keyword', - ignore_above: 1024, - }, - full: { - type: 'keyword', - ignore_above: 1024, - }, - original: { - type: 'keyword', - ignore_above: 1024, - }, - password: { - type: 'keyword', - ignore_above: 1024, - }, - path: { - type: 'keyword', - ignore_above: 1024, - }, - port: { - type: 'long', - }, - query: { - type: 'keyword', - ignore_above: 1024, - }, - scheme: { - type: 'keyword', - ignore_above: 1024, - }, - username: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - user: { - properties: { - audit: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - effective: { - properties: { - group: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - email: { - type: 'keyword', - ignore_above: 1024, - }, - entity_id: { - type: 'keyword', - ignore_above: 1024, - }, - filesystem: { - properties: { - group: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - full_name: { - type: 'keyword', - ignore_above: 1024, - }, - group: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - hash: { - type: 'keyword', - ignore_above: 1024, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - name_map: { - type: 'object', - }, - ogid: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - ouid: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - saved: { - properties: { - group: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - id: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - selinux: { - properties: { - category: { - type: 'keyword', - ignore_above: 1024, - }, - domain: { - type: 'keyword', - ignore_above: 1024, - }, - level: { - type: 'keyword', - ignore_above: 1024, - }, - role: { - type: 'keyword', - ignore_above: 1024, - }, - user: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - terminal: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - user_agent: { - properties: { - device: { - properties: { - name: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - original: { - type: 'keyword', - ignore_above: 1024, - }, - os: { - properties: { - family: { - type: 'keyword', - ignore_above: 1024, - }, - full: { - type: 'keyword', - ignore_above: 1024, - }, - kernel: { - type: 'keyword', - ignore_above: 1024, - }, - name: { - type: 'keyword', - ignore_above: 1024, - }, - platform: { - type: 'keyword', - ignore_above: 1024, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - version: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - }, - }, - }, -}; - -export const mockDetailsQueryDsl = { - mockDetailsQueryDsl: 'mockDetailsQueryDsl', -}; - -export const mockQueryDsl = { - mockQueryDsl: 'mockQueryDsl', -}; - -const mockTimelineDetailsInspectResponse = cloneDeep(mockResponseSearchTimelineDetails); -// @ts-expect-error -delete mockTimelineDetailsInspectResponse.hits.hits[0]._source; - -export const mockTimelineDetailsResult = { - inspect: { - dsl: [JSON.stringify(mockDetailsQueryDsl, null, 2)], - response: [JSON.stringify(mockTimelineDetailsInspectResponse, null, 2)], - }, - data: [ - { - category: 'base', - field: '@timestamp', - values: '2019-03-29T19:01:23.420Z', - originalValue: '2019-03-29T19:01:23.420Z', - }, - { - category: 'service', - field: 'service.type', - values: 'auditd', - originalValue: 'auditd', - }, - { - category: 'user', - field: 'user.audit.id', - values: 'unset', - originalValue: 'unset', - }, - { - category: 'user', - field: 'user.group.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.group.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'user', - field: 'user.effective.group.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.effective.group.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'user', - field: 'user.effective.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.effective.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'user', - field: 'user.filesystem.group.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'user', - field: 'user.filesystem.group.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.filesystem.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'user', - field: 'user.filesystem.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.saved.group.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.saved.group.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'user', - field: 'user.saved.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.saved.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'user', - field: 'user.id', - values: '0', - originalValue: '0', - }, - { - category: 'user', - field: 'user.name', - values: 'root', - originalValue: 'root', - }, - { - category: 'process', - field: 'process.executable', - values: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat', - originalValue: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat', - }, - { - category: 'process', - field: 'process.working_directory', - values: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat', - originalValue: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat', - }, - { - category: 'process', - field: 'process.pid', - values: 15990, - originalValue: 15990, - }, - { - category: 'process', - field: 'process.ppid', - values: 1, - originalValue: 1, - }, - { - category: 'process', - field: 'process.title', - values: - '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat -e -c /root/go/src/github.com/elastic/beats/x-pack/auditbeat/au', - originalValue: - '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat -e -c /root/go/src/github.com/elastic/beats/x-pack/auditbeat/au', - }, - { - category: 'process', - field: 'process.name', - values: 'auditbeat', - originalValue: 'auditbeat', - }, - { - category: 'host', - field: 'host.architecture', - values: 'x86_64', - originalValue: 'x86_64', - }, - { - category: 'host', - field: 'host.os.name', - values: 'Ubuntu', - originalValue: 'Ubuntu', - }, - { - category: 'host', - field: 'host.os.kernel', - values: '4.15.0-45-generic', - originalValue: '4.15.0-45-generic', - }, - { - category: 'host', - field: 'host.os.codename', - values: 'bionic', - originalValue: 'bionic', - }, - { - category: 'host', - field: 'host.os.platform', - values: 'ubuntu', - originalValue: 'ubuntu', - }, - { - category: 'host', - field: 'host.os.version', - values: '18.04.2 LTS (Bionic Beaver)', - originalValue: '18.04.2 LTS (Bionic Beaver)', - }, - { - category: 'host', - field: 'host.os.family', - values: 'debian', - originalValue: 'debian', - }, - { - category: 'host', - field: 'host.id', - values: '7c21f5ed03b04d0299569d221fe18bbc', - originalValue: '7c21f5ed03b04d0299569d221fe18bbc', - }, - { - category: 'host', - field: 'host.name', - values: 'zeek-london', - originalValue: 'zeek-london', - }, - { - category: 'host', - field: 'host.ip', - values: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - originalValue: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - }, - { - category: 'host', - field: 'host.mac', - values: ['42:66:42:19:b3:b9'], - originalValue: ['42:66:42:19:b3:b9'], - }, - { - category: 'host', - field: 'host.hostname', - values: 'zeek-london', - originalValue: 'zeek-london', - }, - { - category: 'cloud', - field: 'cloud.provider', - values: 'digitalocean', - originalValue: 'digitalocean', - }, - { - category: 'cloud', - field: 'cloud.instance.id', - values: '136398786', - originalValue: '136398786', - }, - { - category: 'cloud', - field: 'cloud.region', - values: 'lon1', - originalValue: 'lon1', - }, - { - category: 'file', - field: 'file.device', - values: '00:00', - originalValue: '00:00', - }, - { - category: 'file', - field: 'file.inode', - values: '3926', - originalValue: '3926', - }, - { - category: 'file', - field: 'file.mode', - values: '0644', - originalValue: '0644', - }, - { - category: 'file', - field: 'file.uid', - values: '0', - originalValue: '0', - }, - { - category: 'file', - field: 'file.gid', - values: '0', - originalValue: '0', - }, - { - category: 'file', - field: 'file.owner', - values: 'root', - originalValue: 'root', - }, - { - category: 'file', - field: 'file.group', - values: 'root', - originalValue: 'root', - }, - { - category: 'file', - field: 'file.path', - values: '/etc/passwd', - originalValue: '/etc/passwd', - }, - { - category: 'auditd', - field: 'auditd.session', - values: 'unset', - originalValue: 'unset', - }, - { - category: 'auditd', - field: 'auditd.data.tty', - values: '(none)', - originalValue: '(none)', - }, - { - category: 'auditd', - field: 'auditd.data.a3', - values: '0', - originalValue: '0', - }, - { - category: 'auditd', - field: 'auditd.data.a2', - values: '80000', - originalValue: '80000', - }, - { - category: 'auditd', - field: 'auditd.data.syscall', - values: 'openat', - originalValue: 'openat', - }, - { - category: 'auditd', - field: 'auditd.data.a1', - values: '7fe0f63df220', - originalValue: '7fe0f63df220', - }, - { - category: 'auditd', - field: 'auditd.data.a0', - values: 'ffffff9c', - originalValue: 'ffffff9c', - }, - { - category: 'auditd', - field: 'auditd.data.arch', - values: 'x86_64', - originalValue: 'x86_64', - }, - { - category: 'auditd', - field: 'auditd.data.exit', - values: '12', - originalValue: '12', - }, - { - category: 'auditd', - field: 'auditd.summary.actor.primary', - values: 'unset', - originalValue: 'unset', - }, - { - category: 'auditd', - field: 'auditd.summary.actor.secondary', - values: 'root', - originalValue: 'root', - }, - { - category: 'auditd', - field: 'auditd.summary.object.primary', - values: '/etc/passwd', - originalValue: '/etc/passwd', - }, - { - category: 'auditd', - field: 'auditd.summary.object.type', - values: 'file', - originalValue: 'file', - }, - { - category: 'auditd', - field: 'auditd.summary.how', - values: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat', - originalValue: '/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat', - }, - { - category: 'auditd', - field: 'auditd.paths', - values: [ - { - rdev: '00:00', - cap_fe: '0', - nametype: 'NORMAL', - ogid: '0', - ouid: '0', - inode: '3926', - item: '0', - mode: '0100644', - name: '/etc/passwd', - cap_fi: '0000000000000000', - cap_fp: '0000000000000000', - cap_fver: '0', - dev: 'fc:01', - }, - ], - originalValue: [ - { - rdev: '00:00', - cap_fe: '0', - nametype: 'NORMAL', - ogid: '0', - ouid: '0', - inode: '3926', - item: '0', - mode: '0100644', - name: '/etc/passwd', - cap_fi: '0000000000000000', - cap_fp: '0000000000000000', - cap_fver: '0', - dev: 'fc:01', - }, - ], - }, - { - category: 'auditd', - field: 'auditd.message_type', - values: 'syscall', - originalValue: 'syscall', - }, - { - category: 'auditd', - field: 'auditd.sequence', - values: 8817905, - originalValue: 8817905, - }, - { - category: 'auditd', - field: 'auditd.result', - values: 'success', - originalValue: 'success', - }, - { - category: 'event', - field: 'event.category', - values: 'audit-rule', - originalValue: 'audit-rule', - }, - { - category: 'event', - field: 'event.action', - values: 'opened-file', - originalValue: 'opened-file', - }, - { - category: 'event', - field: 'event.original', - values: [ - 'type=SYSCALL msg=audit(1553886083.420:8817905): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7fe0f63df220 a2=80000 a3=0 items=1 ppid=1 pid=15990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditbeat" exe="/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat" key=(null)', - 'type=CWD msg=audit(1553886083.420:8817905): cwd="/root/go/src/github.com/elastic/beats/x-pack/auditbeat"', - 'type=PATH msg=audit(1553886083.420:8817905): item=0 name="/etc/passwd" inode=3926 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0', - 'type=PROCTITLE msg=audit(1553886083.420:8817905): proctitle=2F726F6F742F676F2F7372632F6769746875622E636F6D2F656C61737469632F62656174732F782D7061636B2F6175646974626561742F617564697462656174002D65002D63002F726F6F742F676F2F7372632F6769746875622E636F6D2F656C61737469632F62656174732F782D7061636B2F6175646974626561742F6175', - ], - originalValue: [ - 'type=SYSCALL msg=audit(1553886083.420:8817905): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7fe0f63df220 a2=80000 a3=0 items=1 ppid=1 pid=15990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditbeat" exe="/root/go/src/github.com/elastic/beats/x-pack/auditbeat/auditbeat" key=(null)', - 'type=CWD msg=audit(1553886083.420:8817905): cwd="/root/go/src/github.com/elastic/beats/x-pack/auditbeat"', - 'type=PATH msg=audit(1553886083.420:8817905): item=0 name="/etc/passwd" inode=3926 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0', - 'type=PROCTITLE msg=audit(1553886083.420:8817905): proctitle=2F726F6F742F676F2F7372632F6769746875622E636F6D2F656C61737469632F62656174732F782D7061636B2F6175646974626561742F617564697462656174002D65002D63002F726F6F742F676F2F7372632F6769746875622E636F6D2F656C61737469632F62656174732F782D7061636B2F6175646974626561742F6175', - ], - }, - { - category: 'event', - field: 'event.module', - values: 'auditd', - originalValue: 'auditd', - }, - { - category: 'ecs', - field: 'ecs.version', - values: '1.0.0', - originalValue: '1.0.0', - }, - { - category: 'agent', - field: 'agent.ephemeral_id', - values: '6d541d59-52d0-4e70-b4d2-2660c0a99ff7', - originalValue: '6d541d59-52d0-4e70-b4d2-2660c0a99ff7', - }, - { - category: 'agent', - field: 'agent.hostname', - values: 'zeek-london', - originalValue: 'zeek-london', - }, - { - category: 'agent', - field: 'agent.id', - values: 'cc1f4183-36c6-45c4-b21b-7ce70c3572db', - originalValue: 'cc1f4183-36c6-45c4-b21b-7ce70c3572db', - }, - { - category: 'agent', - field: 'agent.version', - values: '8.0.0', - originalValue: '8.0.0', - }, - { - category: 'agent', - field: 'agent.type', - values: 'auditbeat', - originalValue: 'auditbeat', - }, - { - category: '_index', - field: '_index', - values: 'auditbeat-8.0.0-2019.03.29-000003', - originalValue: 'auditbeat-8.0.0-2019.03.29-000003', - }, - { - category: '_type', - field: '_type', - values: '_doc', - originalValue: '_doc', - }, - { - category: '_id', - field: '_id', - values: 'TUfUymkBCQofM5eXGBYL', - originalValue: 'TUfUymkBCQofM5eXGBYL', - }, - { - category: '_score', - field: '_score', - values: 1, - originalValue: 1, - }, - ], -}; diff --git a/x-pack/plugins/security_solution/server/lib/events/query.dsl.ts b/x-pack/plugins/security_solution/server/lib/events/query.dsl.ts deleted file mode 100644 index 143ef1e9d5bf0..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/events/query.dsl.ts +++ /dev/null @@ -1,104 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { isEmpty } from 'lodash/fp'; - -import { SortField, TimerangeInput, DocValueFieldsInput } from '../../graphql/types'; -import { createQueryFilterClauses } from '../../utils/build_query'; -import { RequestOptions } from '../framework'; -import { SortRequest } from '../types'; - -import { TimerangeFilter } from './types'; - -export const buildTimelineQuery = (options: RequestOptions) => { - const { limit, cursor, tiebreaker } = options.pagination; - const { fields, filterQuery } = options; - const filterClause = [...createQueryFilterClauses(filterQuery)]; - const defaultIndex = options.defaultIndex; - - const getTimerangeFilter = (timerange: TimerangeInput | undefined): TimerangeFilter[] => { - if (timerange) { - const { to, from } = timerange; - return [ - { - range: { - [options.sourceConfiguration.fields.timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - } - return []; - }; - - const filter = [...filterClause, ...getTimerangeFilter(options.timerange), { match_all: {} }]; - - const getSortField = (sortField: SortField) => { - if (sortField.sortFieldId) { - const field: string = - sortField.sortFieldId === 'timestamp' ? '@timestamp' : sortField.sortFieldId; - - return [ - { [field]: sortField.direction }, - { [options.sourceConfiguration.fields.tiebreaker]: sortField.direction }, - ]; - } - return []; - }; - - const sort: SortRequest = getSortField(options.sortField!); - - const dslQuery = { - allowNoIndices: true, - index: defaultIndex, - ignoreUnavailable: true, - body: { - ...(isEmpty(options.docValueFields) ? { docvalue_fields: options.docValueFields } : {}), - query: { - bool: { - filter, - }, - }, - size: limit + 1, - track_total_hits: true, - sort, - _source: fields, - }, - }; - - if (cursor && tiebreaker) { - return { - ...dslQuery, - body: { - ...dslQuery.body, - search_after: [cursor, tiebreaker], - }, - }; - } - - return dslQuery; -}; - -export const buildDetailsQuery = ( - indexName: string, - id: string, - docValueFields: DocValueFieldsInput[] -) => ({ - allowNoIndices: true, - index: indexName, - ignoreUnavailable: true, - body: { - docvalue_fields: docValueFields, - query: { - terms: { - _id: [id], - }, - }, - }, - size: 1, -}); diff --git a/x-pack/plugins/security_solution/server/lib/events/query.last_event_time.dsl.ts b/x-pack/plugins/security_solution/server/lib/events/query.last_event_time.dsl.ts deleted file mode 100644 index 02badd3ccee8f..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/events/query.last_event_time.dsl.ts +++ /dev/null @@ -1,91 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { isEmpty } from 'lodash/fp'; - -import { assertUnreachable } from '../../../common/utility_types'; -import { LastEventTimeRequestOptions } from './types'; -import { LastEventIndexKey } from '../../graphql/types'; - -interface EventIndices { - [key: string]: string[]; -} - -export const buildLastEventTimeQuery = ({ - indexKey, - details, - defaultIndex, - docValueFields, -}: LastEventTimeRequestOptions) => { - const indicesToQuery: EventIndices = { - hosts: defaultIndex, - network: defaultIndex, - }; - const getHostDetailsFilter = (hostName: string) => [{ term: { 'host.name': hostName } }]; - const getIpDetailsFilter = (ip: string) => [ - { term: { 'source.ip': ip } }, - { term: { 'destination.ip': ip } }, - ]; - const getQuery = (eventIndexKey: LastEventIndexKey) => { - switch (eventIndexKey) { - case LastEventIndexKey.ipDetails: - if (details.ip) { - return { - allowNoIndices: true, - index: indicesToQuery.network, - ignoreUnavailable: true, - body: { - ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), - aggregations: { - last_seen_event: { max: { field: '@timestamp' } }, - }, - query: { bool: { should: getIpDetailsFilter(details.ip) } }, - size: 0, - track_total_hits: false, - }, - }; - } - throw new Error('buildLastEventTimeQuery - no IP argument provided'); - case LastEventIndexKey.hostDetails: - if (details.hostName) { - return { - allowNoIndices: true, - index: indicesToQuery.hosts, - ignoreUnavailable: true, - body: { - ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), - aggregations: { - last_seen_event: { max: { field: '@timestamp' } }, - }, - query: { bool: { filter: getHostDetailsFilter(details.hostName) } }, - size: 0, - track_total_hits: false, - }, - }; - } - throw new Error('buildLastEventTimeQuery - no hostName argument provided'); - case LastEventIndexKey.hosts: - case LastEventIndexKey.network: - return { - allowNoIndices: true, - index: indicesToQuery[indexKey], - ignoreUnavailable: true, - body: { - ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), - aggregations: { - last_seen_event: { max: { field: '@timestamp' } }, - }, - query: { match_all: {} }, - size: 0, - track_total_hits: false, - }, - }; - default: - return assertUnreachable(eventIndexKey); - } - }; - return getQuery(indexKey); -}; diff --git a/x-pack/plugins/security_solution/server/lib/events/types.ts b/x-pack/plugins/security_solution/server/lib/events/types.ts deleted file mode 100644 index aae2360e42e65..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/events/types.ts +++ /dev/null @@ -1,97 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - LastEventIndexKey, - LastEventTimeData, - LastTimeDetails, - SourceConfiguration, - TimelineData, - TimelineDetailsData, - DocValueFieldsInput, -} from '../../graphql/types'; -import { FrameworkRequest, RequestOptions, RequestOptionsPaginated } from '../framework'; -import { SearchHit } from '../types'; - -export interface EventsAdapter { - getTimelineData(req: FrameworkRequest, options: TimelineRequestOptions): Promise; - getTimelineDetails( - req: FrameworkRequest, - options: RequestDetailsOptions - ): Promise; - getLastEventTimeData( - req: FrameworkRequest, - options: LastEventTimeRequestOptions - ): Promise; -} - -export interface TimelineRequestOptions extends RequestOptions { - fieldRequested: string[]; -} - -export interface EventsRequestOptions extends RequestOptionsPaginated { - fieldRequested: string[]; -} - -export interface EventSource { - // eslint-disable-next-line @typescript-eslint/no-explicit-any - [field: string]: any; -} - -export interface EventHit extends SearchHit { - sort: string[]; - _source: EventSource; - aggregations: { - // eslint-disable-next-line @typescript-eslint/no-explicit-any - [agg: string]: any; - }; -} - -export interface LastEventTimeHit extends SearchHit { - aggregations: { - last_seen_event: { - value_as_string: string; - }; - }; -} -export interface LastEventTimeRequestOptions { - indexKey: LastEventIndexKey; - details: LastTimeDetails; - sourceConfiguration: SourceConfiguration; - defaultIndex: string[]; - docValueFields: DocValueFieldsInput[]; -} - -export interface TimerangeFilter { - range: { - [timestamp: string]: { - gte: string; - lte: string; - format: string; - }; - }; -} - -export interface RequestDetailsOptions { - indexName: string; - eventId: string; - defaultIndex: string[]; - docValueFields?: DocValueFieldsInput[]; -} - -interface EventsOverTimeHistogramData { - key_as_string: string; - key: number; - doc_count: number; -} - -export interface EventsActionGroupData { - key: number; - events: { - bucket: EventsOverTimeHistogramData[]; - }; - doc_count: number; -} diff --git a/x-pack/plugins/security_solution/server/lib/framework/types.ts b/x-pack/plugins/security_solution/server/lib/framework/types.ts index 68b40b72866b1..1f626d9fb2dc7 100644 --- a/x-pack/plugins/security_solution/server/lib/framework/types.ts +++ b/x-pack/plugins/security_solution/server/lib/framework/types.ts @@ -16,8 +16,6 @@ import { SortField, SourceConfiguration, TimerangeInput, - Maybe, - HistogramType, DocValueFieldsInput, } from '../../graphql/types'; @@ -119,11 +117,6 @@ export interface RequestBasicOptions { docValueFields?: DocValueFieldsInput[]; } -export interface MatrixHistogramRequestOptions extends RequestBasicOptions { - stackByField: Maybe; - histogramType: HistogramType; -} - export interface RequestOptions extends RequestBasicOptions { pagination: PaginationInput; fields: readonly string[]; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.test.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.test.ts deleted file mode 100644 index 059d15220b619..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.test.ts +++ /dev/null @@ -1,282 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { FrameworkAdapter, FrameworkRequest } from '../framework'; - -import { ElasticsearchKpiHostsAdapter } from './elasticsearch_adapter'; -import { - mockKpiHostsAuthQuery, - mockKpiHostDetailsAuthQuery, - mockHostsQuery, - mockKpiHostsUniqueIpsQuery, - mockKpiHostDetailsUniqueIpsQuery, - mockKpiHostsMsearchOptions, - mockKpiHostsOptions, - mockKpiHostDetailsOptions, - mockKpiHostsRequest, - mockKpiHostDetailsRequest, - mockKpiHostsResponse, - mockKpiHostDetailsResponse, - mockKpiHostsResult, - mockKpiHostDetailsResult, - mockKpiHostDetailsDsl, - mockKpiHostsQueryDsl, - mockKpiHostDetailsMsearchOptions, - mockKpiHostsResponseNodata, - mockKpiHostDetailsResponseNoData, -} from './mock'; -import { buildAuthQuery } from './query_authentication.dsl'; -import { buildUniqueIpsQuery } from './query_unique_ips.dsl'; -import { buildHostsQuery } from './query_hosts.dsl'; -import { KpiHostsData, KpiHostDetailsData } from '../../graphql/types'; - -jest.mock('./query_authentication.dsl', () => { - return { - buildAuthQuery: jest.fn(), - }; -}); -jest.mock('./query_unique_ips.dsl', () => { - return { - buildUniqueIpsQuery: jest.fn(), - }; -}); -jest.mock('./query_hosts.dsl', () => { - return { - buildHostsQuery: jest.fn(), - }; -}); - -describe('getKpiHosts', () => { - let data: KpiHostsData; - const mockCallWithRequest = jest.fn(); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - registerGraphQLEndpoint: jest.fn(), - getIndexPatternsService: jest.fn(), - }; - let EsKpiHosts: ElasticsearchKpiHostsAdapter; - - describe('getKpiHosts - call stack', () => { - beforeAll(async () => { - (buildUniqueIpsQuery as jest.Mock).mockReset(); - (buildUniqueIpsQuery as jest.Mock).mockReturnValue(mockKpiHostsUniqueIpsQuery); - (buildAuthQuery as jest.Mock).mockReset(); - (buildAuthQuery as jest.Mock).mockReturnValue(mockKpiHostsAuthQuery); - (buildHostsQuery as jest.Mock).mockReset(); - (buildHostsQuery as jest.Mock).mockReturnValue(mockHostsQuery); - mockCallWithRequest.mockResolvedValue(mockKpiHostsResponse); - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - EsKpiHosts = new ElasticsearchKpiHostsAdapter(mockFramework); - data = await EsKpiHosts.getKpiHosts( - mockKpiHostsRequest as FrameworkRequest, - mockKpiHostsOptions - ); - }); - - afterAll(() => { - mockCallWithRequest.mockRestore(); - (buildUniqueIpsQuery as jest.Mock).mockClear(); - (buildAuthQuery as jest.Mock).mockClear(); - (buildHostsQuery as jest.Mock).mockClear(); - }); - - test('should build general query with correct option', () => { - expect(buildUniqueIpsQuery).toHaveBeenCalledWith(mockKpiHostsOptions); - }); - - test('should build auth query with correct option', () => { - expect(buildAuthQuery).toHaveBeenCalledWith(mockKpiHostsOptions); - }); - - test('should build hosts query with correct option', () => { - expect(buildHostsQuery).toHaveBeenCalledWith(mockKpiHostsOptions); - }); - - test('should send msearch request', () => { - expect(mockCallWithRequest).toHaveBeenCalledWith( - mockKpiHostsRequest, - 'msearch', - mockKpiHostsMsearchOptions - ); - }); - - test('Happy Path - get Data', () => { - expect(data).toEqual(mockKpiHostsResult); - }); - }); - - describe('Unhappy Path - No data', () => { - beforeAll(async () => { - (buildUniqueIpsQuery as jest.Mock).mockReset(); - (buildUniqueIpsQuery as jest.Mock).mockReturnValue(mockKpiHostsUniqueIpsQuery); - (buildAuthQuery as jest.Mock).mockReset(); - (buildAuthQuery as jest.Mock).mockReturnValue(mockKpiHostsAuthQuery); - (buildHostsQuery as jest.Mock).mockReset(); - (buildHostsQuery as jest.Mock).mockReturnValue(mockHostsQuery); - mockCallWithRequest.mockResolvedValue(mockKpiHostsResponseNodata); - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - EsKpiHosts = new ElasticsearchKpiHostsAdapter(mockFramework); - data = await EsKpiHosts.getKpiHosts( - mockKpiHostsRequest as FrameworkRequest, - mockKpiHostsOptions - ); - }); - - afterAll(() => { - mockCallWithRequest.mockReset(); - (buildUniqueIpsQuery as jest.Mock).mockClear(); - (buildAuthQuery as jest.Mock).mockClear(); - (buildHostsQuery as jest.Mock).mockClear(); - }); - - test('getKpiHosts - response without data', async () => { - expect(data).toEqual({ - inspect: { - dsl: mockKpiHostsQueryDsl, - response: [ - JSON.stringify(mockKpiHostsResponseNodata.responses[0], null, 2), - JSON.stringify(mockKpiHostsResponseNodata.responses[1], null, 2), - JSON.stringify(mockKpiHostsResponseNodata.responses[2], null, 2), - ], - }, - hosts: null, - hostsHistogram: null, - authSuccess: null, - authSuccessHistogram: null, - authFailure: null, - authFailureHistogram: null, - uniqueSourceIps: null, - uniqueSourceIpsHistogram: null, - uniqueDestinationIps: null, - uniqueDestinationIpsHistogram: null, - }); - }); - }); -}); - -describe('getKpiHostDetails', () => { - let data: KpiHostDetailsData; - const mockCallWithRequest = jest.fn(); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - registerGraphQLEndpoint: jest.fn(), - getIndexPatternsService: jest.fn(), - }; - let EsKpiHosts: ElasticsearchKpiHostsAdapter; - - describe('getKpiHostDetails - call stack', () => { - beforeAll(async () => { - (buildUniqueIpsQuery as jest.Mock).mockReset(); - (buildUniqueIpsQuery as jest.Mock).mockReturnValue(mockKpiHostDetailsUniqueIpsQuery); - (buildAuthQuery as jest.Mock).mockReset(); - (buildAuthQuery as jest.Mock).mockReturnValue(mockKpiHostDetailsAuthQuery); - (buildHostsQuery as jest.Mock).mockReset(); - mockCallWithRequest.mockReset(); - mockCallWithRequest.mockResolvedValue(mockKpiHostDetailsResponse); - - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - EsKpiHosts = new ElasticsearchKpiHostsAdapter(mockFramework); - data = await EsKpiHosts.getKpiHostDetails( - mockKpiHostDetailsRequest as FrameworkRequest, - mockKpiHostDetailsOptions - ); - }); - - afterAll(() => { - mockCallWithRequest.mockRestore(); - (buildUniqueIpsQuery as jest.Mock).mockClear(); - (buildAuthQuery as jest.Mock).mockClear(); - (buildHostsQuery as jest.Mock).mockClear(); - }); - - test('should build unique Ip query with correct option', () => { - expect(buildUniqueIpsQuery).toHaveBeenCalledWith(mockKpiHostDetailsOptions); - }); - - test('should build auth query with correct option', () => { - expect(buildAuthQuery).toHaveBeenCalledWith(mockKpiHostDetailsOptions); - }); - - test('should not build hosts query', () => { - expect(buildHostsQuery).not.toHaveBeenCalled(); - }); - - test('should send msearch request', () => { - expect(mockCallWithRequest).toHaveBeenCalledWith( - mockKpiHostDetailsRequest, - 'msearch', - mockKpiHostDetailsMsearchOptions - ); - }); - }); - - describe('Happy Path - get Data', () => { - beforeAll(async () => { - mockCallWithRequest.mockResolvedValue(mockKpiHostDetailsResponse); - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - EsKpiHosts = new ElasticsearchKpiHostsAdapter(mockFramework); - data = await EsKpiHosts.getKpiHostDetails( - mockKpiHostDetailsRequest as FrameworkRequest, - mockKpiHostDetailsOptions - ); - }); - - afterAll(() => { - mockCallWithRequest.mockReset(); - }); - - test('getKpiHostDetails - response with data', () => { - expect(data).toEqual(mockKpiHostDetailsResult); - }); - }); - - describe('Unhappy Path - no Data', () => { - beforeEach(async () => { - mockCallWithRequest.mockResolvedValue(mockKpiHostDetailsResponseNoData); - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - EsKpiHosts = new ElasticsearchKpiHostsAdapter(mockFramework); - data = await EsKpiHosts.getKpiHostDetails( - mockKpiHostDetailsRequest as FrameworkRequest, - mockKpiHostDetailsOptions - ); - }); - - afterAll(() => { - mockCallWithRequest.mockRestore(); - }); - - test('getKpiHostDetails - response without data', async () => { - expect(data).toEqual({ - inspect: { - dsl: mockKpiHostDetailsDsl, - response: [ - JSON.stringify(mockKpiHostDetailsResponseNoData.responses[0]), - JSON.stringify(mockKpiHostDetailsResponseNoData.responses[1]), - ], - }, - authSuccess: null, - authSuccessHistogram: null, - authFailure: null, - authFailureHistogram: null, - uniqueSourceIps: null, - uniqueSourceIpsHistogram: null, - uniqueDestinationIps: null, - uniqueDestinationIpsHistogram: null, - }); - }); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.ts deleted file mode 100644 index 01d005be68010..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/elasticsearch_adapter.ts +++ /dev/null @@ -1,205 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { getOr } from 'lodash/fp'; - -import { FrameworkAdapter, FrameworkRequest, RequestBasicOptions } from '../framework'; -import { TermAggregation } from '../types'; -import { buildHostsQuery } from './query_hosts.dsl'; -import { buildAuthQuery } from './query_authentication.dsl'; -import { buildUniqueIpsQuery } from './query_unique_ips.dsl'; -import { - KpiHostsAdapter, - KpiHostsESMSearchBody, - KpiHostsAuthHit, - KpiHostHistogram, - KpiHostGeneralHistogramCount, - KpiHostAuthHistogramCount, - KpiHostsUniqueIpsHit, - KpiHostsHostsHit, -} from './types'; -import { KpiHostHistogramData, KpiHostsData, KpiHostDetailsData } from '../../graphql/types'; -import { inspectStringifyObject } from '../../utils/build_query'; - -const formatGeneralHistogramData = ( - data: Array> -): KpiHostHistogramData[] | null => { - return data && data.length > 0 - ? data.map(({ key, count }) => ({ - x: key, - y: count.value, - })) - : null; -}; - -const formatAuthHistogramData = ( - data: Array> -): KpiHostHistogramData[] | null => { - return data && data.length > 0 - ? data.map(({ key, count }) => ({ - x: key, - y: count.doc_count, - })) - : null; -}; - -export class ElasticsearchKpiHostsAdapter implements KpiHostsAdapter { - constructor(private readonly framework: FrameworkAdapter) {} - - public async getKpiHosts( - request: FrameworkRequest, - options: RequestBasicOptions - ): Promise { - const hostsQuery: KpiHostsESMSearchBody[] = buildHostsQuery(options); - const uniqueIpsQuery: KpiHostsESMSearchBody[] = buildUniqueIpsQuery(options); - const authQuery: KpiHostsESMSearchBody[] = buildAuthQuery(options); - const response = await this.framework.callWithRequest< - KpiHostsHostsHit | KpiHostsUniqueIpsHit | KpiHostsAuthHit, - TermAggregation - >(request, 'msearch', { - body: [...hostsQuery, ...authQuery, ...uniqueIpsQuery], - }); - - const hostsHistogram = getOr( - null, - 'responses.0.aggregations.hosts_histogram.buckets', - response - ); - const authSuccessHistogram = getOr( - null, - 'responses.1.aggregations.authentication_success_histogram.buckets', - response - ); - const authFailureHistogram = getOr( - null, - 'responses.1.aggregations.authentication_failure_histogram.buckets', - response - ); - const uniqueSourceIpsHistogram = getOr( - null, - 'responses.2.aggregations.unique_source_ips_histogram.buckets', - response - ); - const uniqueDestinationIpsHistogram = getOr( - null, - 'responses.2.aggregations.unique_destination_ips_histogram.buckets', - response - ); - - const inspect = { - dsl: [ - inspectStringifyObject({ ...hostsQuery[0], body: hostsQuery[1] }), - inspectStringifyObject({ - ...authQuery[0], - body: authQuery[1], - }), - inspectStringifyObject({ - ...uniqueIpsQuery[0], - body: uniqueIpsQuery[1], - }), - ], - response: [ - inspectStringifyObject(response.responses[0]), - inspectStringifyObject(response.responses[1]), - inspectStringifyObject(response.responses[2]), - ], - }; - return { - inspect, - hosts: getOr(null, 'responses.0.aggregations.hosts.value', response), - hostsHistogram: formatGeneralHistogramData(hostsHistogram), - authSuccess: getOr( - null, - 'responses.1.aggregations.authentication_success.doc_count', - response - ), - authSuccessHistogram: formatAuthHistogramData(authSuccessHistogram), - authFailure: getOr( - null, - 'responses.1.aggregations.authentication_failure.doc_count', - response - ), - authFailureHistogram: formatAuthHistogramData(authFailureHistogram), - uniqueSourceIps: getOr(null, 'responses.2.aggregations.unique_source_ips.value', response), - uniqueSourceIpsHistogram: formatGeneralHistogramData(uniqueSourceIpsHistogram), - uniqueDestinationIps: getOr( - null, - 'responses.2.aggregations.unique_destination_ips.value', - response - ), - uniqueDestinationIpsHistogram: formatGeneralHistogramData(uniqueDestinationIpsHistogram), - }; - } - - public async getKpiHostDetails( - request: FrameworkRequest, - options: RequestBasicOptions - ): Promise { - const uniqueIpsQuery: KpiHostsESMSearchBody[] = buildUniqueIpsQuery(options); - const authQuery: KpiHostsESMSearchBody[] = buildAuthQuery(options); - const response = await this.framework.callWithRequest< - KpiHostsUniqueIpsHit | KpiHostsAuthHit, - TermAggregation - >(request, 'msearch', { - body: [...authQuery, ...uniqueIpsQuery], - }); - - const authSuccessHistogram = getOr( - null, - 'responses.0.aggregations.authentication_success_histogram.buckets', - response - ); - const authFailureHistogram = getOr( - null, - 'responses.0.aggregations.authentication_failure_histogram.buckets', - response - ); - const uniqueSourceIpsHistogram = getOr( - null, - 'responses.1.aggregations.unique_source_ips_histogram.buckets', - response - ); - const uniqueDestinationIpsHistogram = getOr( - null, - 'responses.1.aggregations.unique_destination_ips_histogram.buckets', - response - ); - const inspect = { - dsl: [ - inspectStringifyObject({ ...authQuery[0], body: authQuery[1] }), - inspectStringifyObject({ ...uniqueIpsQuery[0], body: uniqueIpsQuery[1] }), - ], - response: [ - inspectStringifyObject(response.responses[0]), - inspectStringifyObject(response.responses[1]), - ], - }; - - return { - inspect, - authSuccess: getOr( - null, - 'responses.0.aggregations.authentication_success.doc_count', - response - ), - authSuccessHistogram: formatAuthHistogramData(authSuccessHistogram), - authFailure: getOr( - null, - 'responses.0.aggregations.authentication_failure.doc_count', - response - ), - authFailureHistogram: formatAuthHistogramData(authFailureHistogram), - uniqueSourceIps: getOr(null, 'responses.1.aggregations.unique_source_ips.value', response), - uniqueSourceIpsHistogram: formatGeneralHistogramData(uniqueSourceIpsHistogram), - uniqueDestinationIps: getOr( - null, - 'responses.1.aggregations.unique_destination_ips.value', - response - ), - uniqueDestinationIpsHistogram: formatGeneralHistogramData(uniqueDestinationIpsHistogram), - }; - } -} diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.test.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.test.ts deleted file mode 100644 index 838eb5d9bcef9..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.test.ts +++ /dev/null @@ -1,21 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { isKpiHostDetailsQuery } from './helpers'; -import { mockKpiHostsOptions, mockKpiHostDetailsOptions } from './mock'; - -describe('helpers', () => { - const table: Array<[typeof mockKpiHostDetailsOptions, boolean]> = [ - [mockKpiHostsOptions, false], - [mockKpiHostDetailsOptions, true], - ]; - - describe.each(table)('isHostDetails', (option, expected) => { - test(`it should tell if it is kpiHostDetails option`, () => { - expect(isKpiHostDetailsQuery(option)).toBe(expected); - }); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.ts deleted file mode 100644 index 189921a18bc53..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/helpers.ts +++ /dev/null @@ -1,11 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { RequestBasicOptions } from '../framework'; - -export const isKpiHostDetailsQuery = (options: RequestBasicOptions): boolean => { - return options.filterQuery !== undefined && Object.keys(options.filterQuery).length > 0; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/index.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/index.ts deleted file mode 100644 index 6d1e88d54171a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/index.ts +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { FrameworkRequest, RequestBasicOptions } from '../framework'; - -import { KpiHostsAdapter } from './types'; -import { KpiHostsData, KpiHostDetailsData } from '../../graphql/types'; - -export class KpiHosts { - constructor(private readonly adapter: KpiHostsAdapter) {} - - public async getKpiHosts( - req: FrameworkRequest, - options: RequestBasicOptions - ): Promise { - return this.adapter.getKpiHosts(req, options); - } - - public async getKpiHostDetails( - req: FrameworkRequest, - options: RequestBasicOptions - ): Promise { - return this.adapter.getKpiHostDetails(req, options); - } -} diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/mock.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/mock.ts deleted file mode 100644 index 876d2f9c16bed..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/mock.ts +++ /dev/null @@ -1,606 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { DEFAULT_INDEX_PATTERN } from '../../../common/constants'; -import { RequestBasicOptions } from '../framework/types'; - -const FROM = '2019-05-03T13:24:00.660Z'; -const TO = '2019-05-04T13:24:00.660Z'; - -export const mockKpiHostsOptions: RequestBasicOptions = { - defaultIndex: DEFAULT_INDEX_PATTERN, - sourceConfiguration: { - fields: { - container: 'docker.container.name', - host: 'beat.hostname', - message: ['message', '@message'], - pod: 'kubernetes.pod.name', - tiebreaker: '_doc', - timestamp: '@timestamp', - }, - }, - timerange: { interval: '12h', to: TO, from: FROM }, - filterQuery: undefined, -}; - -export const mockKpiHostDetailsOptions: RequestBasicOptions = { - defaultIndex: DEFAULT_INDEX_PATTERN, - sourceConfiguration: { - fields: { - container: 'docker.container.name', - host: 'beat.hostname', - message: ['message', '@message'], - pod: 'kubernetes.pod.name', - tiebreaker: '_doc', - timestamp: '@timestamp', - }, - }, - timerange: { interval: '12h', to: TO, from: FROM }, - filterQuery: { term: { 'host.name': 'beats-ci-immutable-ubuntu-1604-1560970771368235343' } }, -}; - -export const mockKpiHostsRequest = { - body: { - operationName: 'GetKpiHostsQuery', - variables: { - sourceId: 'default', - timerange: { interval: '12h', from: FROM, to: TO }, - filterQuery: '', - }, - query: - 'fragment KpiHostChartFields on KpiHostHistogramData {\n x\n y\n __typename\n}\n\nquery GetKpiHostsQuery($sourceId: ID!, $timerange: TimerangeInput!, $filterQuery: String, $defaultIndex: [String!]!) {\n source(id: $sourceId) {\n id\n KpiHosts(timerange: $timerange, filterQuery: $filterQuery, defaultIndex: $defaultIndex) {\n hosts\n hostsHistogram {\n ...KpiHostChartFields\n __typename\n }\n authSuccess\n authSuccessHistogram {\n ...KpiHostChartFields\n __typename\n }\n authFailure\n authFailureHistogram {\n ...KpiHostChartFields\n __typename\n }\n uniqueSourceIps\n uniqueSourceIpsHistogram {\n ...KpiHostChartFields\n __typename\n }\n uniqueDestinationIps\n uniqueDestinationIpsHistogram {\n ...KpiHostChartFields\n __typename\n }\n __typename\n }\n __typename\n }\n}\n', - }, -}; - -export const mockKpiHostDetailsRequest = { - body: { - operationName: 'GetKpiHostDetailsQuery', - variables: { - sourceId: 'default', - timerange: { interval: '12h', from: FROM, to: TO }, - filterQuery: { term: { 'host.name': 'beats-ci-immutable-ubuntu-1604-1560970771368235343' } }, - }, - query: - 'fragment KpiHostDetailsChartFields on KpiHostHistogramData {\n x\n y\n __typename\n}\n\nquery GetKpiHostDetailsQuery($sourceId: ID!, $timerange: TimerangeInput!, $filterQuery: String, $defaultIndex: [String!]!, $hostName: String!) {\n source(id: $sourceId) {\n id\n KpiHostDetails(timerange: $timerange, filterQuery: $filterQuery, defaultIndex: $defaultIndex, hostName: $hostName) {\n authSuccess\n authSuccessHistogram {\n ...KpiHostDetailsChartFields\n __typename\n }\n authFailure\n authFailureHistogram {\n ...KpiHostDetailsChartFields\n __typename\n }\n uniqueSourceIps\n uniqueSourceIpsHistogram {\n ...KpiHostDetailsChartFields\n __typename\n }\n uniqueDestinationIps\n uniqueDestinationIpsHistogram {\n ...KpiHostDetailsChartFields\n __typename\n }\n __typename\n }\n __typename\n }\n}\n', - }, -}; - -const mockUniqueIpsResponse = { - took: 1234, - timed_out: false, - _shards: { - total: 71, - successful: 71, - skipped: 65, - failed: 0, - }, - hits: { - max_score: null, - hits: [], - }, - aggregations: { - unique_destination_ips: { - value: 1954, - }, - unique_destination_ips_histogram: { - buckets: [ - { - key_as_string: '2019-05-03T13:00:00.000Z', - key: 1556888400000, - doc_count: 3158515, - count: { - value: 1809, - }, - }, - { - key_as_string: '2019-05-04T01:00:00.000Z', - key: 1556931600000, - doc_count: 703032, - count: { - value: 407, - }, - }, - { - key_as_string: '2019-05-04T13:00:00.000Z', - key: 1556974800000, - doc_count: 1780, - count: { - value: 64, - }, - }, - ], - interval: '12h', - }, - unique_source_ips: { - value: 1407, - }, - unique_source_ips_histogram: { - buckets: [ - { - key_as_string: '2019-05-03T13:00:00.000Z', - key: 1556888400000, - doc_count: 3158515, - count: { - value: 1182, - }, - }, - { - key_as_string: '2019-05-04T01:00:00.000Z', - key: 1556931600000, - doc_count: 703032, - count: { - value: 364, - }, - }, - { - key_as_string: '2019-05-04T13:00:00.000Z', - key: 1556974800000, - doc_count: 1780, - count: { - value: 63, - }, - }, - ], - interval: '12h', - }, - }, - status: 200, -}; - -const mockAuthResponse = { - took: 320, - timed_out: false, - _shards: { - total: 71, - successful: 71, - skipped: 65, - failed: 0, - }, - hits: { - max_score: null, - hits: [], - }, - aggregations: { - authentication_success: { - doc_count: 61, - }, - authentication_failure: { - doc_count: 15722, - }, - authentication_failure_histogram: { - buckets: [ - { - key_as_string: '2019-05-03T13:00:00.000Z', - key: 1556888400000, - doc_count: 11739, - count: { - doc_count: 11731, - }, - }, - { - key_as_string: '2019-05-04T01:00:00.000Z', - key: 1556931600000, - doc_count: 4031, - count: { - doc_count: 3979, - }, - }, - { - key_as_string: '2019-05-04T13:00:00.000Z', - key: 1556974800000, - doc_count: 13, - count: { - doc_count: 12, - }, - }, - ], - interval: '12h', - }, - authentication_success_histogram: { - buckets: [ - { - key_as_string: '2019-05-03T13:00:00.000Z', - key: 1556888400000, - doc_count: 11739, - count: { - doc_count: 8, - }, - }, - { - key_as_string: '2019-05-04T01:00:00.000Z', - key: 1556931600000, - doc_count: 4031, - count: { - doc_count: 52, - }, - }, - { - key_as_string: '2019-05-04T13:00:00.000Z', - key: 1556974800000, - doc_count: 13, - count: { - doc_count: 1, - }, - }, - ], - interval: '12h', - }, - }, - status: 200, -}; - -const mockHostsReponse = { - took: 1234, - timed_out: false, - _shards: { - total: 71, - successful: 71, - skipped: 65, - failed: 0, - }, - hits: { - max_score: null, - hits: [], - }, - aggregations: { - hosts: { - value: 986, - }, - hosts_histogram: { - buckets: [ - { - key_as_string: '2019-05-03T13:00:00.000Z', - key: 1556888400000, - doc_count: 3158515, - count: { - value: 919, - }, - }, - { - key_as_string: '2019-05-04T01:00:00.000Z', - key: 1556931600000, - doc_count: 703032, - count: { - value: 82, - }, - }, - { - key_as_string: '2019-05-04T13:00:00.000Z', - key: 1556974800000, - doc_count: 1780, - count: { - value: 4, - }, - }, - ], - interval: '12h', - }, - }, - status: 200, -}; - -export const mockKpiHostsResponse = { - took: 4405, - responses: [mockHostsReponse, mockAuthResponse, mockUniqueIpsResponse], -}; - -export const mockKpiHostsResponseNodata = { responses: [null, null, null] }; - -const mockMsearchHeader = { - index: DEFAULT_INDEX_PATTERN, - allowNoIndices: true, - ignoreUnavailable: true, -}; - -const mockHostNameFilter = { - term: { 'host.name': 'beats-ci-immutable-ubuntu-1604-1560970771368235343' }, -}; -const mockTimerangeFilter = { range: { '@timestamp': { gte: FROM, lte: TO } } }; - -export const mockHostsQuery = [ - mockMsearchHeader, - { - aggregations: { - hosts: { cardinality: { field: 'host.name' } }, - hosts_histogram: { - auto_date_histogram: { field: '@timestamp', buckets: '6' }, - aggs: { count: { cardinality: { field: 'host.name' } } }, - }, - }, - query: { - bool: { filter: [{ range: { '@timestamp': mockTimerangeFilter } }] }, - }, - size: 0, - track_total_hits: false, - }, -]; - -const mockUniqueIpsAggs = { - unique_source_ips: { cardinality: { field: 'source.ip' } }, - unique_source_ips_histogram: { - auto_date_histogram: { field: '@timestamp', buckets: '6' }, - aggs: { count: { cardinality: { field: 'source.ip' } } }, - }, - unique_destination_ips: { cardinality: { field: 'destination.ip' } }, - unique_destination_ips_histogram: { - auto_date_histogram: { field: '@timestamp', buckets: '6' }, - aggs: { count: { cardinality: { field: 'destination.ip' } } }, - }, -}; - -export const mockKpiHostsUniqueIpsQuery = [ - mockMsearchHeader, - { - aggregations: mockUniqueIpsAggs, - query: { - bool: { filter: [mockTimerangeFilter] }, - }, - size: 0, - track_total_hits: false, - }, -]; - -export const mockKpiHostDetailsUniqueIpsQuery = [ - mockMsearchHeader, - { - aggregations: mockUniqueIpsAggs, - query: { - bool: { filter: [mockHostNameFilter, mockTimerangeFilter] }, - }, - size: 0, - track_total_hits: false, - }, -]; - -const mockAuthAggs = { - authentication_success: { filter: { term: { 'event.outcome': 'success' } } }, - authentication_success_histogram: { - auto_date_histogram: { field: '@timestamp', buckets: '6' }, - aggs: { count: { filter: { term: { 'event.outcome': 'success' } } } }, - }, - authentication_failure: { filter: { term: { 'event.outcome': 'failure' } } }, - authentication_failure_histogram: { - auto_date_histogram: { field: '@timestamp', buckets: '6' }, - aggs: { count: { filter: { term: { 'event.outcome': 'failure' } } } }, - }, -}; - -const mockAuthFilter = { - bool: { - filter: [ - { - term: { - 'event.category': 'authentication', - }, - }, - ], - }, -}; - -export const mockKpiHostsAuthQuery = [ - mockMsearchHeader, - { - aggs: mockAuthAggs, - query: { - bool: { - filter: [mockAuthFilter, mockTimerangeFilter], - }, - }, - size: 0, - track_total_hits: false, - }, -]; - -export const mockKpiHostDetailsAuthQuery = [ - mockMsearchHeader, - { - aggs: mockAuthAggs, - query: { - bool: { - filter: [mockHostNameFilter, mockAuthFilter, mockTimerangeFilter], - }, - }, - size: 0, - track_total_hits: false, - }, -]; - -export const mockKpiHostsMsearchOptions = { - body: [...mockHostsQuery, ...mockKpiHostsAuthQuery, ...mockKpiHostsUniqueIpsQuery], -}; - -export const mockKpiHostDetailsMsearchOptions = { - body: [...mockKpiHostDetailsAuthQuery, ...mockKpiHostDetailsUniqueIpsQuery], -}; - -export const mockKpiHostsQueryDsl = [ - JSON.stringify({ ...mockHostsQuery[0], body: mockHostsQuery[1] }, null, 2), - JSON.stringify({ ...mockKpiHostsAuthQuery[0], body: mockKpiHostsAuthQuery[1] }, null, 2), - JSON.stringify( - { ...mockKpiHostsUniqueIpsQuery[0], body: mockKpiHostsUniqueIpsQuery[1] }, - null, - 2 - ), -]; - -export const mockKpiHostsResult = { - inspect: { - dsl: mockKpiHostsQueryDsl, - response: [ - JSON.stringify(mockKpiHostsResponse.responses[0], null, 2), - JSON.stringify(mockKpiHostsResponse.responses[1], null, 2), - JSON.stringify(mockKpiHostsResponse.responses[2], null, 2), - ], - }, - hosts: 986, - hostsHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 919, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 82, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 4, - }, - ], - authSuccess: 61, - authSuccessHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 8, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 52, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 1, - }, - ], - authFailure: 15722, - authFailureHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 11731, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 3979, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 12, - }, - ], - uniqueSourceIps: 1407, - uniqueSourceIpsHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 1182, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 364, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 63, - }, - ], - uniqueDestinationIps: 1954, - uniqueDestinationIpsHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 1809, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 407, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 64, - }, - ], -}; - -export const mockKpiHostDetailsResponse = { - took: 4405, - responses: [mockAuthResponse, mockUniqueIpsResponse], -}; - -export const mockKpiHostDetailsResponseNoData = { - took: 4405, - responses: [null, null], -}; - -export const mockKpiHostDetailsDsl = [ - JSON.stringify( - { ...mockKpiHostDetailsAuthQuery[0], body: mockKpiHostDetailsAuthQuery[1] }, - null, - 2 - ), - JSON.stringify( - { ...mockKpiHostDetailsUniqueIpsQuery[0], body: mockKpiHostDetailsUniqueIpsQuery[1] }, - null, - 2 - ), -]; - -export const mockKpiHostDetailsResult = { - inspect: { - dsl: mockKpiHostDetailsDsl, - response: [ - JSON.stringify(mockKpiHostDetailsResponse.responses[0], null, 2), - JSON.stringify(mockKpiHostDetailsResponse.responses[1], null, 2), - ], - }, - authSuccess: 61, - authSuccessHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 8, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 52, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 1, - }, - ], - authFailure: 15722, - authFailureHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 11731, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 3979, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 12, - }, - ], - uniqueSourceIps: 1407, - uniqueSourceIpsHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 1182, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 364, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 63, - }, - ], - uniqueDestinationIps: 1954, - uniqueDestinationIpsHistogram: [ - { - x: new Date('2019-05-03T13:00:00.000Z').valueOf(), - y: 1809, - }, - { - x: new Date('2019-05-04T01:00:00.000Z').valueOf(), - y: 407, - }, - { - x: new Date('2019-05-04T13:00:00.000Z').valueOf(), - y: 64, - }, - ], -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.test.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.test.ts deleted file mode 100644 index b6da35f75b16a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.test.ts +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - mockKpiHostsOptions, - mockKpiHostsAuthQuery, - mockKpiHostDetailsOptions, - mockKpiHostDetailsAuthQuery, -} from './mock'; -import { buildAuthQuery } from './query_authentication.dsl'; - -const table = [ - [mockKpiHostsOptions, mockKpiHostsAuthQuery] as [ - typeof mockKpiHostsOptions, - typeof mockKpiHostsAuthQuery - ], - [mockKpiHostDetailsOptions, mockKpiHostDetailsAuthQuery] as [ - typeof mockKpiHostDetailsOptions, - typeof mockKpiHostDetailsAuthQuery - ], -]; - -describe.each(table)('buildAuthQuery', (option, expected) => { - test(`returns correct query by option type`, () => { - expect(buildAuthQuery(option)).toMatchObject(expected); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.ts deleted file mode 100644 index ee9e6cd5a66c5..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_authentication.dsl.ts +++ /dev/null @@ -1,105 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { KpiHostsESMSearchBody } from './types'; -import { RequestBasicOptions } from '../framework'; - -export const buildAuthQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiHostsESMSearchBody[] => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - bool: { - filter: [ - { - term: { - 'event.category': 'authentication', - }, - }, - ], - }, - }, - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - }, - { - aggs: { - authentication_success: { - filter: { - term: { - 'event.outcome': 'success', - }, - }, - }, - authentication_success_histogram: { - auto_date_histogram: { - field: '@timestamp', - buckets: '6', - }, - aggs: { - count: { - filter: { - term: { - 'event.outcome': 'success', - }, - }, - }, - }, - }, - authentication_failure: { - filter: { - term: { - 'event.outcome': 'failure', - }, - }, - }, - authentication_failure_histogram: { - auto_date_histogram: { - field: '@timestamp', - buckets: '6', - }, - aggs: { - count: { - filter: { - term: { - 'event.outcome': 'failure', - }, - }, - }, - }, - }, - }, - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: false, - }, - ]; - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_hosts.dsl.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_hosts.dsl.ts deleted file mode 100644 index 0c1d7d4ae9de7..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_hosts.dsl.ts +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { KpiHostsESMSearchBody } from './types'; -import { RequestBasicOptions } from '../framework'; - -export const buildHostsQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiHostsESMSearchBody[] => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - }, - { - aggregations: { - hosts: { - cardinality: { - field: 'host.name', - }, - }, - hosts_histogram: { - auto_date_histogram: { - field: '@timestamp', - buckets: '6', - }, - aggs: { - count: { - cardinality: { - field: 'host.name', - }, - }, - }, - }, - }, - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: false, - }, - ]; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.test.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.test.ts deleted file mode 100644 index 2309bc029d861..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.test.ts +++ /dev/null @@ -1,24 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - mockKpiHostsOptions, - mockKpiHostsUniqueIpsQuery, - mockKpiHostDetailsOptions, - mockKpiHostDetailsUniqueIpsQuery, -} from './mock'; -import { buildUniqueIpsQuery } from './query_unique_ips.dsl'; - -const table: Array<[typeof mockKpiHostDetailsOptions, typeof mockKpiHostDetailsUniqueIpsQuery]> = [ - [mockKpiHostsOptions, mockKpiHostsUniqueIpsQuery], - [mockKpiHostDetailsOptions, mockKpiHostDetailsUniqueIpsQuery], -]; - -describe.each(table)('buildUniqueIpsQuery', (option, expected) => { - test(`returns correct query by option type`, () => { - expect(buildUniqueIpsQuery(option)).toMatchObject(expected); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.ts deleted file mode 100644 index 9813f73101235..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/query_unique_ips.dsl.ts +++ /dev/null @@ -1,87 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { KpiHostsESMSearchBody } from './types'; -import { RequestBasicOptions } from '../framework'; - -export const buildUniqueIpsQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiHostsESMSearchBody[] => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - }, - { - aggregations: { - unique_source_ips: { - cardinality: { - field: 'source.ip', - }, - }, - unique_source_ips_histogram: { - auto_date_histogram: { - field: '@timestamp', - buckets: '6', - }, - aggs: { - count: { - cardinality: { - field: 'source.ip', - }, - }, - }, - }, - unique_destination_ips: { - cardinality: { - field: 'destination.ip', - }, - }, - unique_destination_ips_histogram: { - auto_date_histogram: { - field: '@timestamp', - buckets: '6', - }, - aggs: { - count: { - cardinality: { - field: 'destination.ip', - }, - }, - }, - }, - }, - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: false, - }, - ]; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_hosts/types.ts b/x-pack/plugins/security_solution/server/lib/kpi_hosts/types.ts deleted file mode 100644 index acc6ae5a340fa..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_hosts/types.ts +++ /dev/null @@ -1,126 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { FrameworkRequest, RequestBasicOptions } from '../framework'; -import { MSearchHeader, SearchHit } from '../types'; -import { KpiHostsData, KpiHostDetailsData } from '../../graphql/types'; - -export interface KpiHostsAdapter { - getKpiHosts(request: FrameworkRequest, options: RequestBasicOptions): Promise; - getKpiHostDetails( - request: FrameworkRequest, - options: RequestBasicOptions - ): Promise; -} - -export interface KpiHostHistogram { - key_as_string: string; - key: number; - doc_count: number; - count: T; -} - -export interface KpiHostGeneralHistogramCount { - value: number; -} - -export interface KpiHostAuthHistogramCount { - doc_count: number; -} - -export interface KpiHostsHostsHit extends SearchHit { - aggregations: { - hosts: { - value: number; - }; - hosts_histogram: { - buckets: Array>; - }; - }; - _shards: { - total: number; - successful: number; - skipped: number; - failed: number; - }; - hits: { - max_score: number | null; - hits: []; - }; - took: number; - timeout: number; -} - -export interface KpiHostsUniqueIpsHit extends SearchHit { - aggregations: { - unique_source_ips: { - value: number; - }; - unique_source_ips_histogram: { - buckets: Array>; - }; - unique_destination_ips: { - value: number; - }; - unique_destination_ips_histogram: { - buckets: Array>; - }; - }; - _shards: { - total: number; - successful: number; - skipped: number; - failed: number; - }; - hits: { - max_score: number | null; - hits: []; - }; - took: number; - timeout: number; -} - -export interface KpiHostsAuthHit extends SearchHit { - aggregations: { - authentication_success: { - doc_count: number; - }; - authentication_success_histogram: { - buckets: Array>; - }; - authentication_failure: { - doc_count: number; - }; - authentication_failure_histogram: { - buckets: Array>; - }; - }; - _shards: { - total: number; - successful: number; - skipped: number; - failed: number; - }; - hits: { - max_score: number | null; - hits: []; - }; - took: number; - timeout: number; -} - -export interface KpiHostsBody { - query?: object; - aggregations?: object; - size?: number; - track_total_hits?: boolean; -} - -export type KpiHostsESMSearchBody = KpiHostsBody | MSearchHeader; - -export interface EventModuleAttributeQuery { - agentType: 'auditbeat' | 'winlogbeat' | 'filebeat'; - eventModule?: 'file_integrity' | 'auditd'; -} diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/elastic_adapter.test.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/elastic_adapter.test.ts deleted file mode 100644 index 58ee7c9aa1cf8..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/elastic_adapter.test.ts +++ /dev/null @@ -1,147 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - mockMsearchOptions, - mockOptions, - mockRequest, - mockResponse, - mockResult, - mockNetworkEventsQueryDsl, - mockUniqueFlowIdsQueryDsl, - mockUniquePrvateIpsQueryDsl, - mockDnsQueryDsl, - mockTlsHandshakesQueryDsl, - mockResultNoData, - mockResponseNoData, -} from './mock'; -import { buildNetworkEventsQuery } from './query_network_events'; -import { buildUniqueFlowIdsQuery } from './query_unique_flow'; -import { buildDnsQuery } from './query_dns.dsl'; -import { buildTlsHandshakeQuery } from './query_tls_handshakes.dsl'; -import { buildUniquePrvateIpQuery } from './query_unique_private_ips.dsl'; -import { KpiNetworkData } from '../../graphql/types'; -import { ElasticsearchKpiNetworkAdapter } from './elasticsearch_adapter'; -import { FrameworkRequest, FrameworkAdapter } from '../framework'; - -jest.mock('./query_network_events', () => { - return { buildNetworkEventsQuery: jest.fn() }; -}); -jest.mock('./query_unique_flow', () => { - return { buildUniqueFlowIdsQuery: jest.fn() }; -}); -jest.mock('./query_dns.dsl', () => { - return { buildDnsQuery: jest.fn() }; -}); -jest.mock('./query_tls_handshakes.dsl', () => { - return { buildTlsHandshakeQuery: jest.fn() }; -}); -jest.mock('./query_unique_private_ips.dsl', () => { - return { buildUniquePrvateIpQuery: jest.fn() }; -}); - -describe('Network Kpi elasticsearch_adapter', () => { - let data: KpiNetworkData; - - const mockCallWithRequest = jest.fn(); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - registerGraphQLEndpoint: jest.fn(), - getIndexPatternsService: jest.fn(), - }; - - let EsKpiNetwork: ElasticsearchKpiNetworkAdapter; - - describe('getKpiNetwork - call stack', () => { - beforeAll(async () => { - (buildNetworkEventsQuery as jest.Mock).mockReset(); - (buildNetworkEventsQuery as jest.Mock).mockReturnValue(mockNetworkEventsQueryDsl); - (buildUniqueFlowIdsQuery as jest.Mock).mockReset(); - (buildUniqueFlowIdsQuery as jest.Mock).mockReturnValue(mockUniqueFlowIdsQueryDsl); - (buildDnsQuery as jest.Mock).mockReset(); - (buildDnsQuery as jest.Mock).mockReturnValue(mockDnsQueryDsl); - (buildUniquePrvateIpQuery as jest.Mock).mockReset(); - (buildUniquePrvateIpQuery as jest.Mock).mockReturnValue(mockUniquePrvateIpsQueryDsl); - (buildTlsHandshakeQuery as jest.Mock).mockReset(); - (buildTlsHandshakeQuery as jest.Mock).mockReturnValue(mockTlsHandshakesQueryDsl); - - mockCallWithRequest.mockResolvedValue(mockResponse); - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - EsKpiNetwork = new ElasticsearchKpiNetworkAdapter(mockFramework); - data = await EsKpiNetwork.getKpiNetwork(mockRequest as FrameworkRequest, mockOptions); - }); - - afterAll(() => { - mockCallWithRequest.mockReset(); - (buildNetworkEventsQuery as jest.Mock).mockClear(); - (buildUniqueFlowIdsQuery as jest.Mock).mockClear(); - (buildDnsQuery as jest.Mock).mockClear(); - (buildUniquePrvateIpQuery as jest.Mock).mockClear(); - (buildTlsHandshakeQuery as jest.Mock).mockClear(); - }); - - test('should build query for network events with correct option', () => { - expect(buildNetworkEventsQuery).toHaveBeenCalledWith(mockOptions); - }); - - test('should build query for unique flow IDs with correct option', () => { - expect(buildUniqueFlowIdsQuery).toHaveBeenCalledWith(mockOptions); - }); - - test('should build query for unique private ip with correct option', () => { - expect(buildUniquePrvateIpQuery).toHaveBeenCalledWith(mockOptions); - }); - - test('should build query for dns with correct option', () => { - expect(buildDnsQuery).toHaveBeenCalledWith(mockOptions); - }); - - test('should build query for tls handshakes with correct option', () => { - expect(buildTlsHandshakeQuery).toHaveBeenCalledWith(mockOptions); - }); - - test('should send msearch request', () => { - expect(mockCallWithRequest).toHaveBeenCalledWith(mockRequest, 'msearch', mockMsearchOptions); - }); - - test('Happy Path - get Data', () => { - expect(data).toEqual(mockResult); - }); - }); - - describe('Unhappy Path - No data', () => { - beforeAll(async () => { - mockCallWithRequest.mockResolvedValue(mockResponseNoData); - (buildNetworkEventsQuery as jest.Mock).mockClear(); - (buildUniqueFlowIdsQuery as jest.Mock).mockClear(); - (buildDnsQuery as jest.Mock).mockClear(); - (buildUniquePrvateIpQuery as jest.Mock).mockClear(); - (buildTlsHandshakeQuery as jest.Mock).mockClear(); - - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - EsKpiNetwork = new ElasticsearchKpiNetworkAdapter(mockFramework); - data = await EsKpiNetwork.getKpiNetwork(mockRequest as FrameworkRequest, mockOptions); - }); - - afterAll(() => { - mockCallWithRequest.mockReset(); - (buildNetworkEventsQuery as jest.Mock).mockClear(); - (buildUniqueFlowIdsQuery as jest.Mock).mockClear(); - (buildDnsQuery as jest.Mock).mockClear(); - (buildUniquePrvateIpQuery as jest.Mock).mockClear(); - (buildTlsHandshakeQuery as jest.Mock).mockClear(); - }); - - test('getKpiNetwork - response without data', async () => { - expect(data).toEqual(mockResultNoData); - }); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/elasticsearch_adapter.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/elasticsearch_adapter.ts deleted file mode 100644 index 11d8299725f2a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/elasticsearch_adapter.ts +++ /dev/null @@ -1,113 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { getOr } from 'lodash/fp'; - -import { inspectStringifyObject } from '../../utils/build_query'; -import { FrameworkAdapter, FrameworkRequest, RequestBasicOptions } from '../framework'; - -import { buildDnsQuery } from './query_dns.dsl'; -import { buildTlsHandshakeQuery } from './query_tls_handshakes.dsl'; -import { buildUniquePrvateIpQuery } from './query_unique_private_ips.dsl'; -import { - KpiNetworkHit, - KpiNetworkAdapter, - KpiNetworkESMSearchBody, - KpiNetworkGeneralHit, - KpiNetworkUniquePrivateIpsHit, -} from './types'; -import { TermAggregation } from '../types'; -import { KpiNetworkHistogramData, KpiNetworkData } from '../../graphql/types'; -import { buildNetworkEventsQuery } from './query_network_events'; -import { buildUniqueFlowIdsQuery } from './query_unique_flow'; - -const formatHistogramData = ( - data: Array<{ key: number; count: { value: number } }> -): KpiNetworkHistogramData[] | null => { - return data && data.length > 0 - ? data.map(({ key, count }) => { - return { - x: key, - y: getOr(null, 'value', count), - }; - }) - : null; -}; - -export class ElasticsearchKpiNetworkAdapter implements KpiNetworkAdapter { - constructor(private readonly framework: FrameworkAdapter) {} - - public async getKpiNetwork( - request: FrameworkRequest, - options: RequestBasicOptions - ): Promise { - const networkEventsQuery: KpiNetworkESMSearchBody[] = buildNetworkEventsQuery(options); - const uniqueFlowIdsQuery: KpiNetworkESMSearchBody[] = buildUniqueFlowIdsQuery(options); - const uniquePrivateIpsQuery: KpiNetworkESMSearchBody[] = buildUniquePrvateIpQuery(options); - const dnsQuery: KpiNetworkESMSearchBody[] = buildDnsQuery(options); - const tlsHandshakesQuery: KpiNetworkESMSearchBody[] = buildTlsHandshakeQuery(options); - const response = await this.framework.callWithRequest< - KpiNetworkGeneralHit | KpiNetworkHit | KpiNetworkUniquePrivateIpsHit, - TermAggregation - >(request, 'msearch', { - body: [ - ...networkEventsQuery, - ...dnsQuery, - ...uniquePrivateIpsQuery, - ...uniqueFlowIdsQuery, - ...tlsHandshakesQuery, - ], - }); - const uniqueSourcePrivateIpsHistogram = getOr( - null, - 'responses.2.aggregations.source.histogram.buckets', - response - ); - const uniqueDestinationPrivateIpsHistogram = getOr( - null, - 'responses.2.aggregations.destination.histogram.buckets', - response - ); - - const inspect = { - dsl: [ - inspectStringifyObject({ ...networkEventsQuery[0], body: networkEventsQuery[1] }), - inspectStringifyObject({ ...dnsQuery[0], body: dnsQuery[1] }), - inspectStringifyObject({ ...uniquePrivateIpsQuery[0], body: uniquePrivateIpsQuery[1] }), - inspectStringifyObject({ ...uniqueFlowIdsQuery[0], body: uniqueFlowIdsQuery[1] }), - inspectStringifyObject({ ...tlsHandshakesQuery[0], body: tlsHandshakesQuery[1] }), - ], - response: [ - inspectStringifyObject(response.responses[0]), - inspectStringifyObject(response.responses[1]), - inspectStringifyObject(response.responses[2]), - inspectStringifyObject(response.responses[3]), - inspectStringifyObject(response.responses[4]), - ], - }; - return { - inspect, - networkEvents: getOr(null, 'responses.0.hits.total.value', response), - dnsQueries: getOr(null, 'responses.1.hits.total.value', response), - uniqueSourcePrivateIps: getOr( - null, - 'responses.2.aggregations.source.unique_private_ips.value', - response - ), - uniqueSourcePrivateIpsHistogram: formatHistogramData(uniqueSourcePrivateIpsHistogram), - uniqueDestinationPrivateIps: getOr( - null, - 'responses.2.aggregations.destination.unique_private_ips.value', - response - ), - uniqueDestinationPrivateIpsHistogram: formatHistogramData( - uniqueDestinationPrivateIpsHistogram - ), - uniqueFlowId: getOr(null, 'responses.3.aggregations.unique_flow_id.value', response), - tlsHandshakes: getOr(null, 'responses.4.hits.total.value', response), - }; - } -} diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/helpers.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/helpers.ts deleted file mode 100644 index ed98e0226475c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/helpers.ts +++ /dev/null @@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export const getIpFilter = () => [ - { - bool: { - should: [ - { - exists: { - field: 'source.ip', - }, - }, - { - exists: { - field: 'destination.ip', - }, - }, - ], - minimum_should_match: 1, - }, - }, -]; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/index.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/index.ts deleted file mode 100644 index b27026a462f5c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/index.ts +++ /dev/null @@ -1,21 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { FrameworkRequest, RequestBasicOptions } from '../framework'; - -import { KpiNetworkAdapter } from './types'; -import { KpiNetworkData } from '../../graphql/types'; - -export class KpiNetwork { - constructor(private readonly adapter: KpiNetworkAdapter) {} - - public async getKpiNetwork( - req: FrameworkRequest, - options: RequestBasicOptions - ): Promise { - return this.adapter.getKpiNetwork(req, options); - } -} diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/mock.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/mock.ts deleted file mode 100644 index fc9b64ae0746f..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/mock.ts +++ /dev/null @@ -1,335 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { DEFAULT_INDEX_PATTERN } from '../../../common/constants'; -import { RequestBasicOptions } from '../framework/types'; - -export const mockOptions: RequestBasicOptions = { - defaultIndex: DEFAULT_INDEX_PATTERN, - sourceConfiguration: { - fields: { - container: 'docker.container.name', - host: 'beat.hostname', - message: ['message', '@message'], - pod: 'kubernetes.pod.name', - tiebreaker: '_doc', - timestamp: '@timestamp', - }, - }, - timerange: { interval: '12h', to: '2019-02-11T02:26:46.071Z', from: '2019-02-10T02:26:46.071Z' }, - filterQuery: {}, -}; - -export const mockRequest = { - body: { - operationName: 'GetKpiNetworkQuery', - variables: { - sourceId: 'default', - timerange: { - interval: '12h', - from: '2019-05-09T23:48:41.842Z', - to: '2019-05-10T23:48:41.842Z', - }, - filterQuery: '', - }, - query: - 'fragment KpiNetworkChartFields on KpiNetworkHistogramData {\n x\n y\n __typename\n}\n\nquery GetKpiNetworkQuery($sourceId: ID!, $timerange: TimerangeInput!, $filterQuery: String, $defaultIndex: [String!]!) {\n source(id: $sourceId) {\n id\n KpiNetwork(timerange: $timerange, filterQuery: $filterQuery, defaultIndex: $defaultIndex) {\n networkEvents\n uniqueFlowId\n uniqueSourcePrivateIps\n uniqueSourcePrivateIpsHistogram {\n ...KpiNetworkChartFields\n __typename\n }\n uniqueDestinationPrivateIps\n uniqueDestinationPrivateIpsHistogram {\n ...KpiNetworkChartFields\n __typename\n }\n dnsQueries\n tlsHandshakes\n __typename\n }\n __typename\n }\n}\n', - }, -}; - -export const mockResponse = { - responses: [ - { - took: 384, - timed_out: false, - _shards: { - total: 10, - successful: 10, - skipped: 0, - failed: 0, - }, - hits: { - total: { - value: 733106, - relation: 'eq', - }, - max_score: null, - hits: [], - }, - status: 200, - }, - { - took: 64, - timed_out: false, - _shards: { - total: 10, - successful: 10, - skipped: 0, - failed: 0, - }, - hits: { - total: { - value: 10942, - relation: 'eq', - }, - max_score: null, - hits: [], - }, - status: 200, - }, - { - took: 224, - timed_out: false, - _shards: { - total: 10, - successful: 10, - skipped: 0, - failed: 0, - }, - hits: { - total: { - value: 480755, - relation: 'eq', - }, - max_score: null, - hits: [], - }, - aggregations: { - source: { - histogram: { - buckets: [ - { - key_as_string: '2019-05-09T23:00:00.000Z', - key: 1557442800000, - doc_count: 42109, - count: { - value: 14, - }, - }, - { - key_as_string: '2019-05-10T11:00:00.000Z', - key: 1557486000000, - doc_count: 437160, - count: { - value: 385, - }, - }, - { - key_as_string: '2019-05-10T23:00:00.000Z', - key: 1557529200000, - doc_count: 1486, - count: { - value: 7, - }, - }, - ], - interval: '12h', - }, - unique_private_ips: { - value: 387, - }, - }, - destination: { - histogram: { - buckets: [ - { - key_as_string: '2019-05-09T23:00:00.000Z', - key: 1557442800000, - doc_count: 36253, - count: { - value: 11, - }, - }, - { - key_as_string: '2019-05-10T11:00:00.000Z', - key: 1557486000000, - doc_count: 421719, - count: { - value: 877, - }, - }, - { - key_as_string: '2019-05-10T23:00:00.000Z', - key: 1557529200000, - doc_count: 1311, - count: { - value: 7, - }, - }, - ], - interval: '12h', - }, - unique_private_ips: { - value: 878, - }, - }, - }, - status: 200, - }, - { - took: 384, - timed_out: false, - _shards: { - total: 10, - successful: 10, - skipped: 0, - failed: 0, - }, - hits: { - total: { - value: 733106, - relation: 'eq', - }, - max_score: null, - hits: [], - }, - aggregations: { - unique_flow_id: { - value: 195415, - }, - }, - status: 200, - }, - { - took: 57, - timed_out: false, - _shards: { - total: 10, - successful: 10, - skipped: 0, - failed: 0, - }, - hits: { - total: { - value: 54482, - relation: 'eq', - }, - max_score: null, - hits: [], - }, - status: 200, - }, - ], -}; -const mockMsearchHeader = { - index: 'defaultIndex', - allowNoIndices: true, - ignoreUnavailable: true, -}; -const mockMsearchBody = { - query: {}, - aggregations: {}, - size: 0, - track_total_hits: false, -}; -export const mockNetworkEventsQueryDsl = [mockMsearchHeader, mockMsearchBody]; -export const mockUniqueFlowIdsQueryDsl = [ - mockMsearchHeader, - { mockUniqueFlowIdsQueryDsl: 'mockUniqueFlowIdsQueryDsl' }, -]; -export const mockUniquePrvateIpsQueryDsl = [ - mockMsearchHeader, - { mockUniquePrvateIpsQueryDsl: 'mockUniquePrvateIpsQueryDsl' }, -]; -export const mockDnsQueryDsl = [mockMsearchHeader, { mockDnsQueryDsl: 'mockDnsQueryDsl' }]; -export const mockTlsHandshakesQueryDsl = [ - mockMsearchHeader, - { mockTlsHandshakesQueryDsl: 'mockTlsHandshakesQueryDsl' }, -]; - -export const mockMsearchOptions = { - body: [ - ...mockNetworkEventsQueryDsl, - ...mockDnsQueryDsl, - ...mockUniquePrvateIpsQueryDsl, - ...mockUniqueFlowIdsQueryDsl, - ...mockTlsHandshakesQueryDsl, - ], -}; - -const mockDsl = [ - JSON.stringify({ ...mockNetworkEventsQueryDsl[0], body: mockNetworkEventsQueryDsl[1] }, null, 2), - JSON.stringify({ ...mockDnsQueryDsl[0], body: mockDnsQueryDsl[1] }, null, 2), - JSON.stringify( - { ...mockUniquePrvateIpsQueryDsl[0], body: mockUniquePrvateIpsQueryDsl[1] }, - null, - 2 - ), - JSON.stringify({ ...mockUniqueFlowIdsQueryDsl[0], body: mockUniqueFlowIdsQueryDsl[1] }, null, 2), - JSON.stringify({ ...mockTlsHandshakesQueryDsl[0], body: mockTlsHandshakesQueryDsl[1] }, null, 2), -]; - -export const mockResult = { - inspect: { - dsl: mockDsl, - response: [ - JSON.stringify(mockResponse.responses[0], null, 2), - JSON.stringify(mockResponse.responses[1], null, 2), - JSON.stringify(mockResponse.responses[2], null, 2), - JSON.stringify(mockResponse.responses[3], null, 2), - JSON.stringify(mockResponse.responses[4], null, 2), - ], - }, - dnsQueries: 10942, - networkEvents: 733106, - tlsHandshakes: 54482, - uniqueDestinationPrivateIps: 878, - uniqueDestinationPrivateIpsHistogram: [ - { - x: new Date('2019-05-09T23:00:00.000Z').valueOf(), - y: 11, - }, - { - x: new Date('2019-05-10T11:00:00.000Z').valueOf(), - y: 877, - }, - { - x: new Date('2019-05-10T23:00:00.000Z').valueOf(), - y: 7, - }, - ], - uniqueFlowId: 195415, - uniqueSourcePrivateIps: 387, - uniqueSourcePrivateIpsHistogram: [ - { - x: new Date('2019-05-09T23:00:00.000Z').valueOf(), - y: 14, - }, - { - x: new Date('2019-05-10T11:00:00.000Z').valueOf(), - y: 385, - }, - { - x: new Date('2019-05-10T23:00:00.000Z').valueOf(), - y: 7, - }, - ], -}; - -export const mockResponseNoData = { - responses: [null, null, null, null, null], -}; - -export const mockResultNoData = { - inspect: { - dsl: mockDsl, - response: [ - JSON.stringify(mockResponseNoData.responses[0], null, 2), - JSON.stringify(mockResponseNoData.responses[1], null, 2), - JSON.stringify(mockResponseNoData.responses[2], null, 2), - JSON.stringify(mockResponseNoData.responses[3], null, 2), - JSON.stringify(mockResponseNoData.responses[4], null, 2), - ], - }, - networkEvents: null, - uniqueFlowId: null, - uniqueSourcePrivateIps: null, - uniqueSourcePrivateIpsHistogram: null, - uniqueDestinationPrivateIps: null, - uniqueDestinationPrivateIpsHistogram: null, - dnsQueries: null, - tlsHandshakes: null, -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/query_dns.dsl.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/query_dns.dsl.ts deleted file mode 100644 index b3dba9b1d0fab..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/query_dns.dsl.ts +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { RequestBasicOptions } from '../framework'; - -import { KpiNetworkESMSearchBody } from './types'; - -const getDnsQueryFilter = () => [ - { - bool: { - should: [ - { - exists: { - field: 'dns.question.name', - }, - }, - { - term: { - 'suricata.eve.dns.type': { - value: 'query', - }, - }, - }, - { - exists: { - field: 'zeek.dns.query', - }, - }, - ], - minimum_should_match: 1, - }, - }, -]; - -export const buildDnsQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiNetworkESMSearchBody[] => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - ...getDnsQueryFilter(), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - }, - { - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - ]; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/query_network_events.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/query_network_events.ts deleted file mode 100644 index 17f705fe98d03..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/query_network_events.ts +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { RequestBasicOptions } from '../framework'; - -import { KpiNetworkESMSearchBody } from './types'; -import { getIpFilter } from './helpers'; - -export const buildNetworkEventsQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiNetworkESMSearchBody[] => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - ...getIpFilter(), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - }, - { - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - ]; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/query_tls_handshakes.dsl.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/query_tls_handshakes.dsl.ts deleted file mode 100644 index 5032863e7d324..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/query_tls_handshakes.dsl.ts +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { RequestBasicOptions } from '../framework'; - -import { KpiNetworkESMSearchBody } from './types'; -import { getIpFilter } from './helpers'; - -const getTlsHandshakesQueryFilter = () => [ - { - bool: { - should: [ - { - exists: { - field: 'tls.version', - }, - }, - { - exists: { - field: 'suricata.eve.tls.version', - }, - }, - { - exists: { - field: 'zeek.ssl.version', - }, - }, - ], - minimum_should_match: 1, - }, - }, -]; - -export const buildTlsHandshakeQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiNetworkESMSearchBody[] => { - const filter = [ - ...getIpFilter(), - ...createQueryFilterClauses(filterQuery), - ...getTlsHandshakesQueryFilter(), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - }, - { - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - ]; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_flow.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_flow.ts deleted file mode 100644 index fb717df2b4608..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_flow.ts +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { RequestBasicOptions } from '../framework'; - -import { KpiNetworkESMSearchBody } from './types'; -import { getIpFilter } from './helpers'; - -export const buildUniqueFlowIdsQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiNetworkESMSearchBody[] => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - ...getIpFilter(), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - }, - { - aggregations: { - unique_flow_id: { - cardinality: { - field: 'network.community_id', - }, - }, - }, - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: false, - }, - ]; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_private_ips.dsl.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_private_ips.dsl.ts deleted file mode 100644 index 77d6efdcfdaa0..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/query_unique_private_ips.dsl.ts +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { createQueryFilterClauses } from '../../utils/build_query'; -import { RequestBasicOptions } from '../framework'; - -import { KpiNetworkESMSearchBody, UniquePrivateAttributeQuery } from './types'; - -const getUniquePrivateIpsFilter = (attrQuery: UniquePrivateAttributeQuery) => ({ - bool: { - should: [ - { - term: { - [`${attrQuery}.ip`]: '10.0.0.0/8', - }, - }, - { - term: { - [`${attrQuery}.ip`]: '192.168.0.0/16', - }, - }, - { - term: { - [`${attrQuery}.ip`]: '172.16.0.0/12', - }, - }, - { - term: { - [`${attrQuery}.ip`]: 'fd00::/8', - }, - }, - ], - minimum_should_match: 1, - }, -}); - -const getAggs = (attrQuery: 'source' | 'destination') => ({ - [attrQuery]: { - filter: getUniquePrivateIpsFilter(attrQuery), - aggs: { - unique_private_ips: { - cardinality: { - field: `${attrQuery}.ip`, - }, - }, - histogram: { - auto_date_histogram: { - field: '@timestamp', - buckets: '6', - }, - aggs: { - count: { - cardinality: { - field: `${attrQuery}.ip`, - }, - }, - }, - }, - }, - }, -}); - -export const buildUniquePrvateIpQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, -}: RequestBasicOptions): KpiNetworkESMSearchBody[] => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = [ - { - allowNoIndices: true, - index: defaultIndex, - ignoreUnavailable: true, - }, - { - aggregations: { - ...getAggs('source'), - ...getAggs('destination'), - }, - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: false, - }, - ]; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/kpi_network/types.ts b/x-pack/plugins/security_solution/server/lib/kpi_network/types.ts deleted file mode 100644 index b0a00e0ba968f..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/kpi_network/types.ts +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { FrameworkRequest, RequestBasicOptions } from '../framework'; -import { MSearchHeader, SearchHit } from '../types'; -import { KpiNetworkHistogramData, KpiNetworkData } from '../../graphql/types'; - -export interface KpiNetworkAdapter { - getKpiNetwork(request: FrameworkRequest, options: RequestBasicOptions): Promise; -} - -export interface KpiNetworkHit { - hits: { - total: { - value: number; - }; - }; -} - -export interface KpiNetworkGeneralHit extends SearchHit, KpiNetworkHit { - aggregations: { - unique_flow_id: { - value: number; - }; - }; -} - -export interface KpiNetworkUniquePrivateIpsHit extends SearchHit { - aggregations: { - unique_private_ips: { - value: number; - }; - histogram: { - buckets: [KpiNetworkHistogramData]; - }; - }; -} - -export interface KpiNetworkBody { - query?: object; - aggregations?: object; - size?: number; - track_total_hits?: boolean; -} - -export type KpiNetworkESMSearchBody = KpiNetworkBody | MSearchHeader; - -export type UniquePrivateAttributeQuery = 'source' | 'destination'; diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticsearch_adapter.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticsearch_adapter.ts deleted file mode 100644 index f661fe165130e..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticsearch_adapter.ts +++ /dev/null @@ -1,81 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { getOr } from 'lodash/fp'; - -import { MatrixHistogramOverTimeData, HistogramType } from '../../graphql/types'; -import { inspectStringifyObject } from '../../utils/build_query'; -import { FrameworkAdapter, FrameworkRequest, MatrixHistogramRequestOptions } from '../framework'; -import { MatrixHistogramAdapter, MatrixHistogramDataConfig, MatrixHistogramHit } from './types'; -import { TermAggregation } from '../types'; -import { buildAnomaliesOverTimeQuery } from './query.anomalies_over_time.dsl'; -import { buildDnsHistogramQuery } from './query_dns_histogram.dsl'; -import { buildEventsOverTimeQuery } from './query.events_over_time.dsl'; -import { getDnsParsedData, getGenericData } from './utils'; -import { buildAuthenticationsOverTimeQuery } from './query.authentications_over_time.dsl'; -import { buildAlertsHistogramQuery } from './query_alerts.dsl'; - -const matrixHistogramConfig: MatrixHistogramDataConfig = { - [HistogramType.alerts]: { - buildDsl: buildAlertsHistogramQuery, - aggName: 'aggregations.alertsGroup.buckets', - parseKey: 'alerts.buckets', - }, - [HistogramType.anomalies]: { - buildDsl: buildAnomaliesOverTimeQuery, - aggName: 'aggregations.anomalyActionGroup.buckets', - parseKey: 'anomalies.buckets', - }, - [HistogramType.authentications]: { - buildDsl: buildAuthenticationsOverTimeQuery, - aggName: 'aggregations.eventActionGroup.buckets', - parseKey: 'events.buckets', - }, - [HistogramType.dns]: { - buildDsl: buildDnsHistogramQuery, - aggName: 'aggregations.NetworkDns.buckets', - parseKey: 'dns.buckets', - parser: getDnsParsedData, - }, - [HistogramType.events]: { - buildDsl: buildEventsOverTimeQuery, - aggName: 'aggregations.eventActionGroup.buckets', - parseKey: 'events.buckets', - }, -}; - -export class ElasticsearchMatrixHistogramAdapter implements MatrixHistogramAdapter { - constructor(private readonly framework: FrameworkAdapter) {} - - public async getHistogramData( - request: FrameworkRequest, - options: MatrixHistogramRequestOptions - ): Promise { - const myConfig = getOr(null, options.histogramType, matrixHistogramConfig); - if (myConfig == null) { - throw new Error(`This histogram type ${options.histogramType} is unknown to the server side`); - } - const dsl = myConfig.buildDsl(options); - const response = await this.framework.callWithRequest< - MatrixHistogramHit, - TermAggregation - >(request, 'search', dsl); - const totalCount = getOr(0, 'hits.total.value', response); - const matrixHistogramData = getOr([], myConfig.aggName, response); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - - return { - inspect, - matrixHistogramData: myConfig.parser - ? myConfig.parser(matrixHistogramData, myConfig.parseKey) - : getGenericData(matrixHistogramData, myConfig.parseKey), - totalCount, - }; - } -} diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticseatch_adapter.test.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticseatch_adapter.test.ts deleted file mode 100644 index 0b63785d2203b..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/elasticseatch_adapter.test.ts +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { FrameworkAdapter, FrameworkRequest, MatrixHistogramRequestOptions } from '../framework'; - -import expect from '@kbn/expect'; -import { ElasticsearchMatrixHistogramAdapter } from './elasticsearch_adapter'; -import { - mockRequest, - mockOptions, - mockAlertsHistogramDataResponse, - mockAlertsHistogramQueryDsl, - mockAlertsHistogramDataFormattedResponse, -} from './mock'; - -jest.mock('./query_alerts.dsl', () => { - return { - buildAlertsHistogramQuery: jest.fn(() => mockAlertsHistogramQueryDsl), - }; -}); - -describe('alerts elasticsearch_adapter', () => { - describe('getAlertsHistogramData', () => { - test('Happy Path ', async () => { - const mockCallWithRequest = jest.fn(); - mockCallWithRequest.mockImplementation((req: FrameworkRequest, method: string) => { - return mockAlertsHistogramDataResponse; - }); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - registerGraphQLEndpoint: jest.fn(), - getIndexPatternsService: jest.fn(), - }; - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - const adapter = new ElasticsearchMatrixHistogramAdapter(mockFramework); - const data = await adapter.getHistogramData( - (mockRequest as unknown) as FrameworkRequest, - (mockOptions as unknown) as MatrixHistogramRequestOptions - ); - - expect(data).to.eql({ - matrixHistogramData: mockAlertsHistogramDataFormattedResponse, - inspect: { - dsl: ['"mockAlertsHistogramQueryDsl"'], - response: [JSON.stringify(mockAlertsHistogramDataResponse, null, 2)], - }, - totalCount: 1599508, - }); - }); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/index.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/index.ts deleted file mode 100644 index 900a6ab619ae0..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/index.ts +++ /dev/null @@ -1,21 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { FrameworkRequest, MatrixHistogramRequestOptions } from '../framework'; -export * from './elasticsearch_adapter'; -import { MatrixHistogramAdapter } from './types'; -import { MatrixHistogramOverTimeData } from '../../graphql/types'; - -export class MatrixHistogram { - constructor(private readonly adapter: MatrixHistogramAdapter) {} - - public async getMatrixHistogramData( - req: FrameworkRequest, - options: MatrixHistogramRequestOptions - ): Promise { - return this.adapter.getHistogramData(req, options); - } -} diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/mock.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/mock.ts deleted file mode 100644 index 1d1ebfff936d2..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/mock.ts +++ /dev/null @@ -1,118 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { DEFAULT_INDEX_PATTERN } from '../../../common/constants'; -import { HistogramType } from '../../graphql/types'; - -export const mockAlertsHistogramDataResponse = { - took: 513, - timed_out: false, - _shards: { - total: 62, - successful: 61, - skipped: 0, - failed: 1, - failures: [ - { - shard: 0, - index: 'auditbeat-7.2.0', - node: 'jBC5kcOeT1exvECDMrk5Ug', - reason: { - type: 'illegal_argument_exception', - reason: - 'Fielddata is disabled on text fields by default. Set fielddata=true on [event.module] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.', - }, - }, - ], - }, - hits: { - total: { - value: 1599508, - relation: 'eq', - }, - max_score: null, - hits: [], - }, - aggregations: { - alertsGroup: { - doc_count_error_upper_bound: 0, - sum_other_doc_count: 802087, - buckets: [ - { - key: 'All others', - doc_count: 451519, - alerts: { - buckets: [ - { - key_as_string: '2019-12-15T09:30:00.000Z', - key: 1576402200000, - doc_count: 3008, - }, - { - key_as_string: '2019-12-15T10:00:00.000Z', - key: 1576404000000, - doc_count: 8671, - }, - ], - }, - }, - { - key: 'suricata', - doc_count: 345902, - alerts: { - buckets: [ - { - key_as_string: '2019-12-15T09:30:00.000Z', - key: 1576402200000, - doc_count: 1785, - }, - { - key_as_string: '2019-12-15T10:00:00.000Z', - key: 1576404000000, - doc_count: 5342, - }, - ], - }, - }, - ], - }, - }, -}; -export const mockAlertsHistogramDataFormattedResponse = [ - { - x: 1576402200000, - y: 3008, - g: 'All others', - }, - { - x: 1576404000000, - y: 8671, - g: 'All others', - }, - { - x: 1576402200000, - y: 1785, - g: 'suricata', - }, - { - x: 1576404000000, - y: 5342, - g: 'suricata', - }, -]; -export const mockAlertsHistogramQueryDsl = 'mockAlertsHistogramQueryDsl'; -export const mockRequest = 'mockRequest'; -export const mockOptions = { - sourceConfiguration: { field: {} }, - timerange: { - to: 9999, - from: 1234, - }, - defaultIndex: DEFAULT_INDEX_PATTERN, - filterQuery: '', - stackByField: 'event.module', - histogramType: HistogramType.alerts, -}; diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.anomalies_over_time.dsl.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.anomalies_over_time.dsl.ts deleted file mode 100644 index fb4e666cda964..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.anomalies_over_time.dsl.ts +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import moment from 'moment'; - -import { createQueryFilterClauses, calculateTimeSeriesInterval } from '../../utils/build_query'; -import { MatrixHistogramRequestOptions } from '../framework'; - -export const buildAnomaliesOverTimeQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - stackByField = 'job_id', -}: MatrixHistogramRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - timestamp: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const getHistogramAggregation = () => { - const interval = calculateTimeSeriesInterval(from, to); - const histogramTimestampField = 'timestamp'; - const dateHistogram = { - date_histogram: { - field: histogramTimestampField, - fixed_interval: interval, - min_doc_count: 0, - extended_bounds: { - min: moment(from).valueOf(), - max: moment(to).valueOf(), - }, - }, - }; - return { - anomalyActionGroup: { - terms: { - field: stackByField, - order: { - _count: 'desc', - }, - size: 10, - }, - aggs: { - anomalies: dateHistogram, - }, - }, - }; - }; - - const dslQuery = { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - body: { - aggs: getHistogramAggregation(), - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - }; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts deleted file mode 100644 index 174cc907214a9..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts +++ /dev/null @@ -1,92 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import moment from 'moment'; - -import { createQueryFilterClauses, calculateTimeSeriesInterval } from '../../utils/build_query'; -import { MatrixHistogramRequestOptions } from '../framework'; - -export const buildAuthenticationsOverTimeQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, - stackByField = 'event.outcome', -}: MatrixHistogramRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - bool: { - must: [ - { - term: { - 'event.category': 'authentication', - }, - }, - ], - }, - }, - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const getHistogramAggregation = () => { - const interval = calculateTimeSeriesInterval(from, to); - const histogramTimestampField = '@timestamp'; - const dateHistogram = { - date_histogram: { - field: histogramTimestampField, - fixed_interval: interval, - min_doc_count: 0, - extended_bounds: { - min: moment(from).valueOf(), - max: moment(to).valueOf(), - }, - }, - }; - return { - eventActionGroup: { - terms: { - field: stackByField, - include: ['success', 'failure'], - order: { - _count: 'desc', - }, - size: 2, - }, - aggs: { - events: dateHistogram, - }, - }, - }; - }; - - const dslQuery = { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - body: { - aggregations: getHistogramAggregation(), - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - }; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.events_over_time.dsl.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.events_over_time.dsl.ts deleted file mode 100644 index fa7c1b9e55b9e..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query.events_over_time.dsl.ts +++ /dev/null @@ -1,93 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import moment from 'moment'; - -import { showAllOthersBucket } from '../../../common/constants'; -import { createQueryFilterClauses, calculateTimeSeriesInterval } from '../../utils/build_query'; -import { MatrixHistogramRequestOptions } from '../framework'; - -import * as i18n from './translations'; - -export const buildEventsOverTimeQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, - stackByField = 'event.action', -}: MatrixHistogramRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const getHistogramAggregation = () => { - const interval = calculateTimeSeriesInterval(from, to); - const histogramTimestampField = '@timestamp'; - const dateHistogram = { - date_histogram: { - field: histogramTimestampField, - fixed_interval: interval, - min_doc_count: 0, - extended_bounds: { - min: moment(from).valueOf(), - max: moment(to).valueOf(), - }, - }, - }; - - const missing = - stackByField != null && showAllOthersBucket.includes(stackByField) - ? { - missing: stackByField?.endsWith('.ip') ? '0.0.0.0' : i18n.ALL_OTHERS, - } - : {}; - - return { - eventActionGroup: { - terms: { - field: stackByField, - ...missing, - order: { - _count: 'desc', - }, - size: 10, - }, - aggs: { - events: dateHistogram, - }, - }, - }; - }; - - const dslQuery = { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - body: { - aggregations: getHistogramAggregation(), - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - }; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query_alerts.dsl.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/query_alerts.dsl.ts deleted file mode 100644 index dd45109672480..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query_alerts.dsl.ts +++ /dev/null @@ -1,121 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import moment from 'moment'; - -import { createQueryFilterClauses, calculateTimeSeriesInterval } from '../../utils/build_query'; -import { buildTimelineQuery } from '../events/query.dsl'; -import { RequestOptions, MatrixHistogramRequestOptions } from '../framework'; - -export const buildAlertsQuery = (options: RequestOptions) => { - const eventsQuery = buildTimelineQuery(options); - const eventsFilter = eventsQuery.body.query.bool.filter; - const alertsFilter = [ - ...createQueryFilterClauses({ match: { 'event.kind': { query: 'alert' } } }), - ]; - - return { - ...eventsQuery, - body: { - ...eventsQuery.body, - query: { - bool: { - filter: [...eventsFilter, ...alertsFilter], - }, - }, - }, - }; -}; - -export const buildAlertsHistogramQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, - stackByField, -}: MatrixHistogramRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - bool: { - filter: [ - { - bool: { - should: [ - { - match: { - 'event.kind': 'alert', - }, - }, - ], - minimum_should_match: 1, - }, - }, - ], - }, - }, - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const getHistogramAggregation = () => { - const interval = calculateTimeSeriesInterval(from, to); - const histogramTimestampField = '@timestamp'; - const dateHistogram = { - date_histogram: { - field: histogramTimestampField, - fixed_interval: interval, - min_doc_count: 0, - extended_bounds: { - min: moment(from).valueOf(), - max: moment(to).valueOf(), - }, - }, - }; - return { - alertsGroup: { - terms: { - field: stackByField, - missing: 'All others', - order: { - _count: 'desc', - }, - size: 10, - }, - aggs: { - alerts: dateHistogram, - }, - }, - }; - }; - - const dslQuery = { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - body: { - aggregations: getHistogramAggregation(), - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - }; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query_dns_histogram.dsl.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/query_dns_histogram.dsl.ts deleted file mode 100644 index 7e71263988957..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/query_dns_histogram.dsl.ts +++ /dev/null @@ -1,84 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { createQueryFilterClauses, calculateTimeSeriesInterval } from '../../utils/build_query'; -import { MatrixHistogramRequestOptions } from '../framework'; - -export const buildDnsHistogramQuery = ({ - filterQuery, - timerange: { from, to }, - defaultIndex, - sourceConfiguration: { - fields: { timestamp }, - }, - stackByField, -}: MatrixHistogramRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const getHistogramAggregation = () => { - const interval = calculateTimeSeriesInterval(from, to); - const histogramTimestampField = '@timestamp'; - const dateHistogram = { - date_histogram: { - field: histogramTimestampField, - fixed_interval: interval, - }, - }; - - return { - NetworkDns: { - ...dateHistogram, - aggs: { - dns: { - terms: { - field: stackByField, - order: { - orderAgg: 'desc', - }, - size: 10, - }, - aggs: { - orderAgg: { - cardinality: { - field: 'dns.question.name', - }, - }, - }, - }, - }, - }, - }; - }; - - const dslQuery = { - index: defaultIndex, - allowNoIndices: true, - ignoreUnavailable: true, - body: { - aggregations: getHistogramAggregation(), - query: { - bool: { - filter, - }, - }, - size: 0, - track_total_hits: true, - }, - }; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/translations.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/translations.ts deleted file mode 100644 index 0e46f5cff1445..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/translations.ts +++ /dev/null @@ -1,14 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { i18n } from '@kbn/i18n'; - -export const ALL_OTHERS = i18n.translate( - 'xpack.securitySolution.detectionEngine.alerts.histogram.allOthersGroupingLabel', - { - defaultMessage: 'All others', - } -); diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/types.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/types.ts deleted file mode 100644 index 87ea4b81f5fba..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/types.ts +++ /dev/null @@ -1,144 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - MatrixHistogramOverTimeData, - HistogramType, - MatrixOverTimeHistogramData, -} from '../../graphql/types'; -import { FrameworkRequest, MatrixHistogramRequestOptions } from '../framework'; -import { SearchHit } from '../types'; -import { EventHit } from '../events/types'; -import { AuthenticationHit } from '../authentications/types'; - -export interface HistogramBucket { - key: number; - doc_count: number; -} - -interface AlertsGroupData { - key: string; - doc_count: number; - alerts: { - buckets: HistogramBucket[]; - }; -} - -interface AnomaliesOverTimeHistogramData { - key_as_string: string; - key: number; - doc_count: number; -} - -export interface AnomaliesActionGroupData { - key: number; - anomalies: { - bucket: AnomaliesOverTimeHistogramData[]; - }; - doc_count: number; -} - -export interface AnomalySource { - [field: string]: any; // eslint-disable-line @typescript-eslint/no-explicit-any -} - -export interface AnomalyHit extends SearchHit { - sort: string[]; - _source: AnomalySource; - aggregations: { - [agg: string]: any; // eslint-disable-line @typescript-eslint/no-explicit-any - }; -} - -interface EventsOverTimeHistogramData { - key_as_string: string; - key: number; - doc_count: number; -} - -export interface EventsActionGroupData { - key: number; - events: { - bucket: EventsOverTimeHistogramData[]; - }; - doc_count: number; -} - -export interface DnsHistogramSubBucket { - key: string; - doc_count: number; - orderAgg: { - value: number; - }; -} -interface DnsHistogramBucket { - doc_count_error_upper_bound: number; - sum_other_doc_count: number; - buckets: DnsHistogramSubBucket[]; -} - -export interface DnsHistogramGroupData { - key: number; - doc_count: number; - key_as_string: string; - histogram: DnsHistogramBucket; -} - -export interface MatrixHistogramSchema { - buildDsl: (options: MatrixHistogramRequestOptions) => {}; - aggName: string; - parseKey: string; - parser?: ( - data: MatrixHistogramParseData, - keyBucket: string - ) => MatrixOverTimeHistogramData[]; -} - -export type MatrixHistogramParseData = T extends HistogramType.alerts - ? AlertsGroupData[] - : T extends HistogramType.anomalies - ? AnomaliesActionGroupData[] - : T extends HistogramType.dns - ? DnsHistogramGroupData[] - : T extends HistogramType.authentications - ? AuthenticationsActionGroupData[] - : T extends HistogramType.events - ? EventsActionGroupData[] - : never; - -export type MatrixHistogramHit = T extends HistogramType.alerts - ? EventHit - : T extends HistogramType.anomalies - ? AnomalyHit - : T extends HistogramType.dns - ? EventHit - : T extends HistogramType.authentications - ? AuthenticationHit - : T extends HistogramType.events - ? EventHit - : never; - -export type MatrixHistogramDataConfig = Record>; -interface AuthenticationsOverTimeHistogramData { - key_as_string: string; - key: number; - doc_count: number; -} - -export interface AuthenticationsActionGroupData { - key: number; - events: { - bucket: AuthenticationsOverTimeHistogramData[]; - }; - doc_count: number; -} - -export interface MatrixHistogramAdapter { - getHistogramData( - request: FrameworkRequest, - options: MatrixHistogramRequestOptions - ): Promise; -} diff --git a/x-pack/plugins/security_solution/server/lib/matrix_histogram/utils.ts b/x-pack/plugins/security_solution/server/lib/matrix_histogram/utils.ts deleted file mode 100644 index 4a6a38421f42a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/matrix_histogram/utils.ts +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { get, getOr } from 'lodash/fp'; -import { MatrixHistogramParseData, DnsHistogramSubBucket, HistogramBucket } from './types'; -import { MatrixOverTimeHistogramData } from '../../graphql/types'; - -export const getDnsParsedData = ( - data: MatrixHistogramParseData, - keyBucket: string -): MatrixOverTimeHistogramData[] => { - let result: MatrixOverTimeHistogramData[] = []; - data.forEach((bucketData: unknown) => { - const time = get('key', bucketData); - const histData = getOr([], keyBucket, bucketData).map( - // eslint-disable-next-line @typescript-eslint/naming-convention - ({ key, doc_count }: DnsHistogramSubBucket) => ({ - x: time, - y: doc_count, - g: key, - }) - ); - result = [...result, ...histData]; - }); - return result; -}; - -export const getGenericData = ( - data: MatrixHistogramParseData, - keyBucket: string -): MatrixOverTimeHistogramData[] => { - let result: MatrixOverTimeHistogramData[] = []; - data.forEach((bucketData: unknown) => { - const group = get('key', bucketData); - const histData = getOr([], keyBucket, bucketData).map( - // eslint-disable-next-line @typescript-eslint/naming-convention - ({ key, doc_count }: HistogramBucket) => ({ - x: key, - y: doc_count, - g: group, - }) - ); - result = [...result, ...histData]; - }); - - return result; -}; diff --git a/x-pack/plugins/security_solution/server/lib/network/__snapshots__/elastic_adapter.test.ts.snap b/x-pack/plugins/security_solution/server/lib/network/__snapshots__/elastic_adapter.test.ts.snap deleted file mode 100644 index 50454fcb6b351..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/__snapshots__/elastic_adapter.test.ts.snap +++ /dev/null @@ -1,1366 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`Network Top N flow elasticsearch_adapter with FlowTarget=source Unhappy Path - No geo data getNetworkTopNFlow 1`] = ` -Object { - "edges": Array [ - Object { - "cursor": Object { - "tiebreaker": null, - "value": "1.1.1.1", - }, - "node": Object { - "_id": "1.1.1.1", - "network": Object { - "bytes_in": 11276023407, - "bytes_out": 1025631, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.1.net", - ], - "flows": 1234567, - "ip": "1.1.1.1", - "location": null, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "2.2.2.2", - }, - "node": Object { - "_id": "2.2.2.2", - "network": Object { - "bytes_in": 5469323342, - "bytes_out": 2811441, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.2.net", - ], - "flows": 1234567, - "ip": "2.2.2.2", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "3.3.3.3", - }, - "node": Object { - "_id": "3.3.3.3", - "network": Object { - "bytes_in": 3807671322, - "bytes_out": 4494034, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.3.com", - "test.3-duplicate.com", - ], - "flows": 1234567, - "ip": "3.3.3.3", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "4.4.4.4", - }, - "node": Object { - "_id": "4.4.4.4", - "network": Object { - "bytes_in": 166517626, - "bytes_out": 3194782, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.4.com", - ], - "flows": 1234567, - "ip": "4.4.4.4", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "5.5.5.5", - }, - "node": Object { - "_id": "5.5.5.5", - "network": Object { - "bytes_in": 104785026, - "bytes_out": 1838597, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.5.com", - ], - "flows": 1234567, - "ip": "5.5.5.5", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "6.6.6.6", - }, - "node": Object { - "_id": "6.6.6.6", - "network": Object { - "bytes_in": 28804250, - "bytes_out": 482982, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.6.com", - ], - "flows": 1234567, - "ip": "6.6.6.6", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "7.7.7.7", - }, - "node": Object { - "_id": "7.7.7.7", - "network": Object { - "bytes_in": 23032363, - "bytes_out": 400623, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.7.com", - ], - "flows": 1234567, - "ip": "7.7.7.7", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "8.8.8.8", - }, - "node": Object { - "_id": "8.8.8.8", - "network": Object { - "bytes_in": 21424889, - "bytes_out": 344357, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.8.com", - ], - "flows": 1234567, - "ip": "8.8.8.8", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "9.9.9.9", - }, - "node": Object { - "_id": "9.9.9.9", - "network": Object { - "bytes_in": 19205000, - "bytes_out": 355663, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.9.com", - ], - "flows": 1234567, - "ip": "9.9.9.9", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - Object { - "cursor": Object { - "tiebreaker": null, - "value": "10.10.10.10", - }, - "node": Object { - "_id": "10.10.10.10", - "network": Object { - "bytes_in": 11407633, - "bytes_out": 199360, - }, - "source": Object { - "autonomous_system": Object { - "name": "Level 3 Parent, LLC", - "number": 3356, - }, - "destination_ips": 345345, - "domain": Array [ - "test.10.com", - ], - "flows": 1234567, - "ip": "10.10.10.10", - "location": Object { - "flowTarget": "source", - "geo": Object { - "city_name": "Philadelphia", - "continent_name": "North America", - "country_iso_code": "US", - "location": Object { - "lat": 39.9359, - "lon": -75.1534, - }, - "region_iso_code": "US-PA", - "region_name": "Pennsylvania", - }, - }, - }, - }, - }, - ], - "inspect": Object { - "dsl": Array [ - "{ - \\"mockTopNFlowQueryDsl\\": \\"mockTopNFlowQueryDsl\\" -}", - ], - "response": Array [ - "{ - \\"took\\": 122, - \\"timed_out\\": false, - \\"_shards\\": { - \\"total\\": 11, - \\"successful\\": 11, - \\"skipped\\": 0, - \\"failed\\": 0 - }, - \\"hits\\": { - \\"max_score\\": null, - \\"hits\\": [] - }, - \\"aggregations\\": { - \\"top_n_flow_count\\": { - \\"value\\": 545 - }, - \\"source\\": { - \\"buckets\\": [ - { - \\"key\\": \\"1.1.1.1\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 11276023407 - }, - \\"bytes_out\\": { - \\"value\\": 1025631 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.1.net\\" - } - ] - } - }, - { - \\"key\\": \\"2.2.2.2\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 5469323342 - }, - \\"bytes_out\\": { - \\"value\\": 2811441 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.2.net\\" - } - ] - } - }, - { - \\"key\\": \\"3.3.3.3\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 3807671322 - }, - \\"bytes_out\\": { - \\"value\\": 4494034 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.3.com\\" - }, - { - \\"key\\": \\"test.3-duplicate.com\\" - } - ] - } - }, - { - \\"key\\": \\"4.4.4.4\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 166517626 - }, - \\"bytes_out\\": { - \\"value\\": 3194782 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.4.com\\" - } - ] - } - }, - { - \\"key\\": \\"5.5.5.5\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 104785026 - }, - \\"bytes_out\\": { - \\"value\\": 1838597 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.5.com\\" - } - ] - } - }, - { - \\"key\\": \\"6.6.6.6\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 28804250 - }, - \\"bytes_out\\": { - \\"value\\": 482982 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"doc_count_error_upper_bound\\": 0, - \\"sum_other_doc_count\\": 31, - \\"buckets\\": [ - { - \\"key\\": \\"test.6.com\\" - } - ] - } - }, - { - \\"key\\": \\"7.7.7.7\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 23032363 - }, - \\"bytes_out\\": { - \\"value\\": 400623 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"doc_count_error_upper_bound\\": 0, - \\"sum_other_doc_count\\": 0, - \\"buckets\\": [ - { - \\"key\\": \\"test.7.com\\" - } - ] - } - }, - { - \\"key\\": \\"8.8.8.8\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 21424889 - }, - \\"bytes_out\\": { - \\"value\\": 344357 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.8.com\\" - } - ] - } - }, - { - \\"key\\": \\"9.9.9.9\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 19205000 - }, - \\"bytes_out\\": { - \\"value\\": 355663 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.9.com\\" - } - ] - } - }, - { - \\"key\\": \\"10.10.10.10\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 11407633 - }, - \\"bytes_out\\": { - \\"value\\": 199360 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.10.com\\" - } - ] - } - }, - { - \\"key\\": \\"11.11.11.11\\", - \\"flows\\": { - \\"value\\": 1234567 - }, - \\"destination_ips\\": { - \\"value\\": 345345 - }, - \\"bytes_in\\": { - \\"value\\": 11393327 - }, - \\"bytes_out\\": { - \\"value\\": 195914 - }, - \\"location\\": { - \\"doc_count\\": 14, - \\"top_geo\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"geo\\": { - \\"continent_name\\": \\"North America\\", - \\"region_iso_code\\": \\"US-PA\\", - \\"city_name\\": \\"Philadelphia\\", - \\"country_iso_code\\": \\"US\\", - \\"region_name\\": \\"Pennsylvania\\", - \\"location\\": { - \\"lon\\": -75.1534, - \\"lat\\": 39.9359 - } - } - } - } - } - ] - } - } - }, - \\"autonomous_system\\": { - \\"doc_count\\": 14, - \\"top_as\\": { - \\"hits\\": { - \\"total\\": { - \\"value\\": 14, - \\"relation\\": \\"eq\\" - }, - \\"max_score\\": 1, - \\"hits\\": [ - { - \\"_index\\": \\"filebeat-8.0.0-2019.06.19-000005\\", - \\"_type\\": \\"_doc\\", - \\"_id\\": \\"dd4fa2d4bd-692279846149410\\", - \\"_score\\": 1, - \\"_source\\": { - \\"source\\": { - \\"as\\": { - \\"number\\": 3356, - \\"organization\\": { - \\"name\\": \\"Level 3 Parent, LLC\\" - } - } - } - } - } - ] - } - } - }, - \\"domain\\": { - \\"buckets\\": [ - { - \\"key\\": \\"test.11.com\\" - } - ] - } - } - ] - } - } -}", - ], - }, - "pageInfo": Object { - "activePage": 0, - "fakeTotalCount": 50, - "showMorePagesIndicator": true, - }, - "totalCount": 545, -} -`; diff --git a/x-pack/plugins/security_solution/server/lib/network/elastic_adapter.test.ts b/x-pack/plugins/security_solution/server/lib/network/elastic_adapter.test.ts deleted file mode 100644 index eab461ee07ca7..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/elastic_adapter.test.ts +++ /dev/null @@ -1,171 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { cloneDeep } from 'lodash/fp'; - -import { FlowTargetSourceDest, NetworkTopNFlowData } from '../../graphql/types'; -import { FrameworkAdapter, FrameworkRequest } from '../framework'; - -import { ElasticsearchNetworkAdapter } from './elasticsearch_adapter'; -import { - mockOptions, - mockRequest, - mockResponse, - mockResult, - mockOptionsIp, - mockRequestIp, - mockResponseIp, - mockResultIp, - mockTopNFlowQueryDsl, -} from './mock'; - -jest.mock('./query_top_n_flow.dsl', () => { - const r = jest.requireActual('./query_top_n_flow.dsl'); - return { - ...r, - buildTopNFlowQuery: jest.fn(() => mockTopNFlowQueryDsl), - }; -}); - -describe('Network Top N flow elasticsearch_adapter with FlowTarget=source', () => { - describe('Happy Path - get Data', () => { - const mockCallWithRequest = jest.fn(); - mockCallWithRequest.mockResolvedValue(mockResponse); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - getIndexPatternsService: jest.fn(), - registerGraphQLEndpoint: jest.fn(), - }; - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - test('getNetworkTopNFlow', async () => { - const EsNetworkTopNFlow = new ElasticsearchNetworkAdapter(mockFramework); - const data: NetworkTopNFlowData = await EsNetworkTopNFlow.getNetworkTopNFlow( - mockRequest as FrameworkRequest, - mockOptions - ); - expect(data).toEqual(mockResult); - }); - }); - - describe('Unhappy Path - No data', () => { - const mockNoDataResponse = cloneDeep(mockResponse); - mockNoDataResponse.aggregations.top_n_flow_count.value = 0; - mockNoDataResponse.aggregations[FlowTargetSourceDest.source].buckets = []; - const mockCallWithRequest = jest.fn(); - mockCallWithRequest.mockResolvedValue(mockNoDataResponse); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - registerGraphQLEndpoint: jest.fn(), - getIndexPatternsService: jest.fn(), - }; - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - test('getNetworkTopNFlow', async () => { - const EsNetworkTopNFlow = new ElasticsearchNetworkAdapter(mockFramework); - const data: NetworkTopNFlowData = await EsNetworkTopNFlow.getNetworkTopNFlow( - mockRequest as FrameworkRequest, - mockOptions - ); - expect(data).toEqual({ - inspect: { - dsl: [JSON.stringify(mockTopNFlowQueryDsl, null, 2)], - response: [JSON.stringify(mockNoDataResponse, null, 2)], - }, - edges: [], - pageInfo: { - activePage: 0, - fakeTotalCount: 0, - showMorePagesIndicator: false, - }, - totalCount: 0, - }); - }); - }); - - describe('Unhappy Path - No geo data', () => { - const mockCallWithRequest = jest.fn(); - const mockNoGeoDataResponse = cloneDeep(mockResponse); - // sometimes bad things happen to good ecs - mockNoGeoDataResponse.aggregations[ - FlowTargetSourceDest.source - ].buckets[0].location.top_geo.hits.hits = []; - mockCallWithRequest.mockResolvedValue(mockNoGeoDataResponse); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - getIndexPatternsService: jest.fn(), - registerGraphQLEndpoint: jest.fn(), - }; - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - test('getNetworkTopNFlow', async () => { - const EsNetworkTopNFlow = new ElasticsearchNetworkAdapter(mockFramework); - const data: NetworkTopNFlowData = await EsNetworkTopNFlow.getNetworkTopNFlow( - mockRequest as FrameworkRequest, - mockOptions - ); - expect(data).toMatchSnapshot(); - }); - }); - - describe('No pagination', () => { - const mockNoPaginationResponse = cloneDeep(mockResponse); - mockNoPaginationResponse.aggregations.top_n_flow_count.value = 10; - mockNoPaginationResponse.aggregations[ - FlowTargetSourceDest.source - ].buckets = mockNoPaginationResponse.aggregations[FlowTargetSourceDest.source].buckets.slice( - 0, - -1 - ); - const mockCallWithRequest = jest.fn(); - mockCallWithRequest.mockResolvedValue(mockNoPaginationResponse); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - registerGraphQLEndpoint: jest.fn(), - getIndexPatternsService: jest.fn(), - }; - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - test('getNetworkTopNFlow', async () => { - const EsNetworkTopNFlow = new ElasticsearchNetworkAdapter(mockFramework); - const data: NetworkTopNFlowData = await EsNetworkTopNFlow.getNetworkTopNFlow( - mockRequest as FrameworkRequest, - mockOptions - ); - expect(data.pageInfo.showMorePagesIndicator).toBeFalsy(); - }); - }); - - describe('Filter by IP', () => { - const mockCallWithRequest = jest.fn(); - mockCallWithRequest.mockResolvedValue(mockResponseIp); - const mockFramework: FrameworkAdapter = { - callWithRequest: mockCallWithRequest, - getIndexPatternsService: jest.fn(), - registerGraphQLEndpoint: jest.fn(), - }; - jest.doMock('../framework', () => ({ - callWithRequest: mockCallWithRequest, - })); - - test('getNetworkTopNFlow', async () => { - const EsNetworkTopNFlow = new ElasticsearchNetworkAdapter(mockFramework); - const data: NetworkTopNFlowData = await EsNetworkTopNFlow.getNetworkTopNFlow( - mockRequestIp as FrameworkRequest, - mockOptionsIp - ); - expect(data).toEqual(mockResultIp); - }); - }); -}); diff --git a/x-pack/plugins/security_solution/server/lib/network/elasticsearch_adapter.ts b/x-pack/plugins/security_solution/server/lib/network/elasticsearch_adapter.ts deleted file mode 100644 index d12d225cc8908..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/elasticsearch_adapter.ts +++ /dev/null @@ -1,361 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { get, getOr } from 'lodash/fp'; - -import { - FlowTargetSourceDest, - AutonomousSystemItem, - GeoItem, - NetworkDnsData, - NetworkDnsEdges, - NetworkTopCountriesData, - NetworkTopCountriesEdges, - NetworkTopNFlowData, - NetworkHttpData, - NetworkHttpEdges, - NetworkTopNFlowEdges, -} from '../../graphql/types'; -import { inspectStringifyObject } from '../../utils/build_query'; -import { DatabaseSearchResponse, FrameworkAdapter, FrameworkRequest } from '../framework'; -import { TermAggregation } from '../types'; -import { DEFAULT_MAX_TABLE_QUERY_SIZE } from '../../../common/constants'; - -import { - NetworkDnsRequestOptions, - NetworkTopCountriesRequestOptions, - NetworkHttpRequestOptions, - NetworkTopNFlowRequestOptions, -} from './index'; -import { buildDnsQuery } from './query_dns.dsl'; -import { buildTopNFlowQuery, getOppositeField } from './query_top_n_flow.dsl'; -import { buildHttpQuery } from './query_http.dsl'; -import { buildTopCountriesQuery } from './query_top_countries.dsl'; -import { - NetworkAdapter, - NetworkDnsBuckets, - NetworkTopCountriesBuckets, - NetworkHttpBuckets, - NetworkTopNFlowBuckets, -} from './types'; - -export class ElasticsearchNetworkAdapter implements NetworkAdapter { - constructor(private readonly framework: FrameworkAdapter) {} - - public async getNetworkTopCountries( - request: FrameworkRequest, - options: NetworkTopCountriesRequestOptions - ): Promise { - if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) { - throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`); - } - const dsl = buildTopCountriesQuery(options); - const response = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination; - const totalCount = getOr(0, 'aggregations.top_countries_count.value', response); - const networkTopCountriesEdges: NetworkTopCountriesEdges[] = getTopCountriesEdges( - response, - options - ); - const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount; - const edges = networkTopCountriesEdges.splice(cursorStart, querySize - cursorStart); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - const showMorePagesIndicator = totalCount > fakeTotalCount; - - return { - edges, - inspect, - pageInfo: { - activePage: activePage ? activePage : 0, - fakeTotalCount, - showMorePagesIndicator, - }, - totalCount, - }; - } - - public async getNetworkTopNFlow( - request: FrameworkRequest, - options: NetworkTopNFlowRequestOptions - ): Promise { - if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) { - throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`); - } - const dsl = buildTopNFlowQuery(options); - const response = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination; - const totalCount = getOr(0, 'aggregations.top_n_flow_count.value', response); - const networkTopNFlowEdges: NetworkTopNFlowEdges[] = getTopNFlowEdges(response, options); - const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount; - const edges = networkTopNFlowEdges.splice(cursorStart, querySize - cursorStart); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - const showMorePagesIndicator = totalCount > fakeTotalCount; - - return { - edges, - inspect, - pageInfo: { - activePage: activePage ? activePage : 0, - fakeTotalCount, - showMorePagesIndicator, - }, - totalCount, - }; - } - - public async getNetworkDns( - request: FrameworkRequest, - options: NetworkDnsRequestOptions - ): Promise { - if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) { - throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`); - } - const dsl = buildDnsQuery(options); - const response = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination; - const totalCount = getOr(0, 'aggregations.dns_count.value', response); - const networkDnsEdges: NetworkDnsEdges[] = formatDnsEdges( - getOr([], 'aggregations.dns_name_query_count.buckets', response) - ); - const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount; - const edges = networkDnsEdges.splice(cursorStart, querySize - cursorStart); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - const showMorePagesIndicator = totalCount > fakeTotalCount; - return { - edges, - inspect, - pageInfo: { - activePage: activePage ? activePage : 0, - fakeTotalCount, - showMorePagesIndicator, - }, - totalCount, - }; - } - - public async getNetworkHttp( - request: FrameworkRequest, - options: NetworkHttpRequestOptions - ): Promise { - if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) { - throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`); - } - const dsl = buildHttpQuery(options); - const response = await this.framework.callWithRequest( - request, - 'search', - dsl - ); - const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination; - const totalCount = getOr(0, 'aggregations.http_count.value', response); - const networkHttpEdges: NetworkHttpEdges[] = getHttpEdges(response); - const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount; - const edges = networkHttpEdges.splice(cursorStart, querySize - cursorStart); - const inspect = { - dsl: [inspectStringifyObject(dsl)], - response: [inspectStringifyObject(response)], - }; - const showMorePagesIndicator = totalCount > fakeTotalCount; - - return { - edges, - inspect, - pageInfo: { - activePage: activePage ? activePage : 0, - fakeTotalCount, - showMorePagesIndicator, - }, - totalCount, - }; - } -} - -const getTopNFlowEdges = ( - response: DatabaseSearchResponse, - options: NetworkTopNFlowRequestOptions -): NetworkTopNFlowEdges[] => { - return formatTopNFlowEdges( - getOr([], `aggregations.${options.flowTarget}.buckets`, response), - options.flowTarget - ); -}; - -const getTopCountriesEdges = ( - response: DatabaseSearchResponse, - options: NetworkTopCountriesRequestOptions -): NetworkTopCountriesEdges[] => { - return formatTopCountriesEdges( - getOr([], `aggregations.${options.flowTarget}.buckets`, response), - options.flowTarget - ); -}; - -const getHttpEdges = ( - response: DatabaseSearchResponse -): NetworkHttpEdges[] => { - return formatHttpEdges(getOr([], `aggregations.url.buckets`, response)); -}; - -const getFlowTargetFromString = (flowAsString: string) => - flowAsString === 'source' ? FlowTargetSourceDest.source : FlowTargetSourceDest.destination; - -const getGeoItem = (result: NetworkTopNFlowBuckets): GeoItem | null => - result.location.top_geo.hits.hits.length > 0 && result.location.top_geo.hits.hits[0]._source - ? { - geo: getOr( - '', - `location.top_geo.hits.hits[0]._source.${ - Object.keys(result.location.top_geo.hits.hits[0]._source)[0] - }.geo`, - result - ), - flowTarget: getFlowTargetFromString( - Object.keys(result.location.top_geo.hits.hits[0]._source)[0] - ), - } - : null; - -const getAsItem = (result: NetworkTopNFlowBuckets): AutonomousSystemItem | null => - result.autonomous_system.top_as.hits.hits.length > 0 && - result.autonomous_system.top_as.hits.hits[0]._source - ? { - number: getOr( - null, - `autonomous_system.top_as.hits.hits[0]._source.${ - Object.keys(result.autonomous_system.top_as.hits.hits[0]._source)[0] - }.as.number`, - result - ), - name: getOr( - '', - `autonomous_system.top_as.hits.hits[0]._source.${ - Object.keys(result.autonomous_system.top_as.hits.hits[0]._source)[0] - }.as.organization.name`, - result - ), - } - : null; - -const formatTopNFlowEdges = ( - buckets: NetworkTopNFlowBuckets[], - flowTarget: FlowTargetSourceDest -): NetworkTopNFlowEdges[] => - buckets.map((bucket: NetworkTopNFlowBuckets) => ({ - node: { - _id: bucket.key, - [flowTarget]: { - domain: bucket.domain.buckets.map((bucketDomain) => bucketDomain.key), - ip: bucket.key, - location: getGeoItem(bucket), - autonomous_system: getAsItem(bucket), - flows: getOr(0, 'flows.value', bucket), - [`${getOppositeField(flowTarget)}_ips`]: getOr( - 0, - `${getOppositeField(flowTarget)}_ips.value`, - bucket - ), - }, - network: { - bytes_in: getOr(0, 'bytes_in.value', bucket), - bytes_out: getOr(0, 'bytes_out.value', bucket), - }, - }, - cursor: { - value: bucket.key, - tiebreaker: null, - }, - })); - -const formatTopCountriesEdges = ( - buckets: NetworkTopCountriesBuckets[], - flowTarget: FlowTargetSourceDest -): NetworkTopCountriesEdges[] => - buckets.map((bucket: NetworkTopCountriesBuckets) => ({ - node: { - _id: bucket.key, - [flowTarget]: { - country: bucket.key, - flows: getOr(0, 'flows.value', bucket), - [`${getOppositeField(flowTarget)}_ips`]: getOr( - 0, - `${getOppositeField(flowTarget)}_ips.value`, - bucket - ), - [`${flowTarget}_ips`]: getOr(0, `${flowTarget}_ips.value`, bucket), - }, - network: { - bytes_in: getOr(0, 'bytes_in.value', bucket), - bytes_out: getOr(0, 'bytes_out.value', bucket), - }, - }, - cursor: { - value: bucket.key, - tiebreaker: null, - }, - })); - -const formatDnsEdges = (buckets: NetworkDnsBuckets[]): NetworkDnsEdges[] => - buckets.map((bucket: NetworkDnsBuckets) => ({ - node: { - _id: bucket.key, - dnsBytesIn: getOrNumber('dns_bytes_in.value', bucket), - dnsBytesOut: getOrNumber('dns_bytes_out.value', bucket), - dnsName: bucket.key, - queryCount: bucket.doc_count, - uniqueDomains: getOrNumber('unique_domains.value', bucket), - }, - cursor: { - value: bucket.key, - tiebreaker: null, - }, - })); - -const formatHttpEdges = (buckets: NetworkHttpBuckets[]): NetworkHttpEdges[] => - buckets.map((bucket: NetworkHttpBuckets) => ({ - node: { - _id: bucket.key, - domains: bucket.domains.buckets.map(({ key }) => key), - methods: bucket.methods.buckets.map(({ key }) => key), - statuses: bucket.status.buckets.map(({ key }) => `${key}`), - lastHost: get('source.hits.hits[0]._source.host.name', bucket), - lastSourceIp: get('source.hits.hits[0]._source.source.ip', bucket), - path: bucket.key, - requestCount: bucket.doc_count, - }, - cursor: { - value: bucket.key, - tiebreaker: null, - }, - })); - -const getOrNumber = (path: string, bucket: NetworkTopNFlowBuckets | NetworkDnsBuckets) => { - const numb = get(path, bucket); - if (numb == null) { - return null; - } - return numb; -}; diff --git a/x-pack/plugins/security_solution/server/lib/network/index.ts b/x-pack/plugins/security_solution/server/lib/network/index.ts deleted file mode 100644 index 42ce9f0726ddb..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/index.ts +++ /dev/null @@ -1,77 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - FlowTargetSourceDest, - Maybe, - NetworkDnsData, - NetworkDnsSortField, - NetworkHttpData, - NetworkHttpSortField, - NetworkTopCountriesData, - NetworkTopNFlowData, - NetworkTopTablesSortField, -} from '../../graphql/types'; -import { FrameworkRequest, RequestOptionsPaginated } from '../framework'; -export * from './elasticsearch_adapter'; -import { NetworkAdapter } from './types'; - -export * from './types'; - -export interface NetworkTopNFlowRequestOptions extends RequestOptionsPaginated { - networkTopNFlowSort: NetworkTopTablesSortField; - flowTarget: FlowTargetSourceDest; - ip?: Maybe; -} - -export interface NetworkTopCountriesRequestOptions extends RequestOptionsPaginated { - networkTopCountriesSort: NetworkTopTablesSortField; - flowTarget: FlowTargetSourceDest; - ip?: Maybe; -} - -export interface NetworkHttpRequestOptions extends RequestOptionsPaginated { - networkHttpSort: NetworkHttpSortField; - ip?: Maybe; -} - -export interface NetworkDnsRequestOptions extends RequestOptionsPaginated { - isPtrIncluded: boolean; - networkDnsSortField: NetworkDnsSortField; - stackByField?: Maybe; -} - -export class Network { - constructor(private readonly adapter: NetworkAdapter) {} - - public async getNetworkTopCountries( - req: FrameworkRequest, - options: NetworkTopCountriesRequestOptions - ): Promise { - return this.adapter.getNetworkTopCountries(req, options); - } - - public async getNetworkTopNFlow( - req: FrameworkRequest, - options: NetworkTopNFlowRequestOptions - ): Promise { - return this.adapter.getNetworkTopNFlow(req, options); - } - - public async getNetworkDns( - req: FrameworkRequest, - options: NetworkDnsRequestOptions - ): Promise { - return this.adapter.getNetworkDns(req, options); - } - - public async getNetworkHttp( - req: FrameworkRequest, - options: NetworkHttpRequestOptions - ): Promise { - return this.adapter.getNetworkHttp(req, options); - } -} diff --git a/x-pack/plugins/security_solution/server/lib/network/mock.ts b/x-pack/plugins/security_solution/server/lib/network/mock.ts deleted file mode 100644 index b421f7af56603..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/mock.ts +++ /dev/null @@ -1,1675 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { DEFAULT_INDEX_PATTERN } from '../../../common/constants'; -import { Direction, FlowTargetSourceDest, NetworkTopTablesFields } from '../../graphql/types'; - -import { NetworkTopNFlowRequestOptions } from '.'; - -export const mockOptions: NetworkTopNFlowRequestOptions = { - defaultIndex: DEFAULT_INDEX_PATTERN, - sourceConfiguration: { - fields: { - container: 'docker.container.name', - host: 'beat.hostname', - message: ['message', '@message'], - pod: 'kubernetes.pod.name', - tiebreaker: '_doc', - timestamp: '@timestamp', - }, - }, - timerange: { interval: '12h', to: '2019-02-11T02:26:46.071Z', from: '2019-02-11T02:26:46.071Z' }, - pagination: { - activePage: 0, - cursorStart: 0, - fakePossibleCount: 50, - querySize: 10, - }, - filterQuery: {}, - fields: [ - 'totalCount', - 'source.ip', - 'source.domain', - 'source.__typename', - 'destination.ip', - 'destination.domain', - 'destination.__typename', - 'event.duration', - 'event.__typename', - 'network.bytes_in', - 'network.bytes_out', - 'network.__typename', - '__typename', - 'edges.cursor.value', - 'edges.cursor.__typename', - 'edges.__typename', - 'pageInfo.activePage', - 'pageInfo.__typename', - 'pageInfo.fakeTotalCount', - 'pageInfo.__typename', - 'pageInfo.showMorePagesIndicator', - 'pageInfo.__typename', - '__typename', - ], - networkTopNFlowSort: { field: NetworkTopTablesFields.bytes_out, direction: Direction.desc }, - flowTarget: FlowTargetSourceDest.source, -}; - -export const mockRequest = { - body: { - operationName: 'GetNetworkTopNFlowQuery', - variables: { - filterQuery: '', - flowTarget: FlowTargetSourceDest.source, - pagination: { - activePage: 0, - cursorStart: 0, - fakePossibleCount: 50, - querySize: 10, - }, - sourceId: 'default', - timerange: { interval: '12h', from: 1549765830772, to: 1549852230772 }, - }, - query: ` - query GetNetworkTopNFlowQuery( - $sourceId: ID! - $ip: String - $filterQuery: String - $pagination: PaginationInputPaginated! - $sort: NetworkTopTablesSortField! - $flowTarget: FlowTargetSourceDest! - $timerange: TimerangeInput! - $defaultIndex: [String!]! - $inspect: Boolean! - ) { - source(id: $sourceId) { - id - NetworkTopNFlow( - filterQuery: $filterQuery - flowTarget: $flowTarget - ip: $ip - pagination: $pagination - sort: $sort - timerange: $timerange - defaultIndex: $defaultIndex - ) { - totalCount - edges { - node { - source { - autonomous_system { - name - number - } - domain - ip - location { - geo { - continent_name - country_name - country_iso_code - city_name - region_iso_code - region_name - } - flowTarget - } - flows - destination_ips - } - destination { - autonomous_system { - name - number - } - domain - ip - location { - geo { - continent_name - country_name - country_iso_code - city_name - region_iso_code - region_name - } - flowTarget - } - flows - source_ips - } - network { - bytes_in - bytes_out - } - } - cursor { - value - } - } - pageInfo { - activePage - fakeTotalCount - showMorePagesIndicator - } - inspect @include(if: $inspect) { - dsl - response - } - } - } - } -`, - }, -}; - -export const mockResponse = { - took: 122, - timed_out: false, - _shards: { - total: 11, - successful: 11, - skipped: 0, - failed: 0, - }, - hits: { - max_score: null, - hits: [], - }, - aggregations: { - top_n_flow_count: { - value: 545, - }, - [FlowTargetSourceDest.source]: { - buckets: [ - { - key: '1.1.1.1', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 11276023407, - }, - bytes_out: { - value: 1025631, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.1.net', - }, - ], - }, - }, - { - key: '2.2.2.2', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 5469323342, - }, - bytes_out: { - value: 2811441, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.2.net', - }, - ], - }, - }, - { - key: '3.3.3.3', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 3807671322, - }, - bytes_out: { - value: 4494034, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.3.com', - }, - { - key: 'test.3-duplicate.com', - }, - ], - }, - }, - { - key: '4.4.4.4', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 166517626, - }, - bytes_out: { - value: 3194782, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.4.com', - }, - ], - }, - }, - { - key: '5.5.5.5', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 104785026, - }, - bytes_out: { - value: 1838597, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.5.com', - }, - ], - }, - }, - { - key: '6.6.6.6', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 28804250, - }, - bytes_out: { - value: 482982, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - doc_count_error_upper_bound: 0, - sum_other_doc_count: 31, - buckets: [ - { - key: 'test.6.com', - }, - ], - }, - }, - { - key: '7.7.7.7', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 23032363, - }, - bytes_out: { - value: 400623, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - doc_count_error_upper_bound: 0, - sum_other_doc_count: 0, - buckets: [ - { - key: 'test.7.com', - }, - ], - }, - }, - { - key: '8.8.8.8', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 21424889, - }, - bytes_out: { - value: 344357, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.8.com', - }, - ], - }, - }, - { - key: '9.9.9.9', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 19205000, - }, - bytes_out: { - value: 355663, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.9.com', - }, - ], - }, - }, - { - key: '10.10.10.10', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 11407633, - }, - bytes_out: { - value: 199360, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.10.com', - }, - ], - }, - }, - { - key: '11.11.11.11', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 11393327, - }, - bytes_out: { - value: 195914, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.11.com', - }, - ], - }, - }, - ], - }, - }, -}; - -export const mockTopNFlowQueryDsl = { - mockTopNFlowQueryDsl: 'mockTopNFlowQueryDsl', -}; - -export const mockResult = { - inspect: { - dsl: [JSON.stringify(mockTopNFlowQueryDsl, null, 2)], - response: [JSON.stringify(mockResponse, null, 2)], - }, - edges: [ - { - cursor: { - tiebreaker: null, - value: '1.1.1.1', - }, - node: { - _id: '1.1.1.1', - network: { - bytes_in: 11276023407, - bytes_out: 1025631, - }, - source: { - domain: ['test.1.net'], - ip: '1.1.1.1', - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '2.2.2.2', - }, - node: { - _id: '2.2.2.2', - network: { - bytes_in: 5469323342, - bytes_out: 2811441, - }, - source: { - domain: ['test.2.net'], - ip: '2.2.2.2', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '3.3.3.3', - }, - node: { - _id: '3.3.3.3', - network: { - bytes_in: 3807671322, - bytes_out: 4494034, - }, - source: { - domain: ['test.3.com', 'test.3-duplicate.com'], - ip: '3.3.3.3', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '4.4.4.4', - }, - node: { - _id: '4.4.4.4', - network: { - bytes_in: 166517626, - bytes_out: 3194782, - }, - source: { - domain: ['test.4.com'], - ip: '4.4.4.4', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '5.5.5.5', - }, - node: { - _id: '5.5.5.5', - network: { - bytes_in: 104785026, - bytes_out: 1838597, - }, - source: { - domain: ['test.5.com'], - ip: '5.5.5.5', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '6.6.6.6', - }, - node: { - _id: '6.6.6.6', - network: { - bytes_in: 28804250, - bytes_out: 482982, - }, - source: { - domain: ['test.6.com'], - ip: '6.6.6.6', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '7.7.7.7', - }, - node: { - _id: '7.7.7.7', - network: { - bytes_in: 23032363, - bytes_out: 400623, - }, - source: { - domain: ['test.7.com'], - ip: '7.7.7.7', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '8.8.8.8', - }, - node: { - _id: '8.8.8.8', - network: { - bytes_in: 21424889, - bytes_out: 344357, - }, - source: { - domain: ['test.8.com'], - ip: '8.8.8.8', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '9.9.9.9', - }, - node: { - _id: '9.9.9.9', - network: { - bytes_in: 19205000, - bytes_out: 355663, - }, - source: { - domain: ['test.9.com'], - ip: '9.9.9.9', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - { - cursor: { - tiebreaker: null, - value: '10.10.10.10', - }, - node: { - _id: '10.10.10.10', - network: { - bytes_in: 11407633, - bytes_out: 199360, - }, - source: { - domain: ['test.10.com'], - ip: '10.10.10.10', - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - ], - pageInfo: { - activePage: 0, - fakeTotalCount: 50, - showMorePagesIndicator: true, - }, - totalCount: 545, -}; - -export const mockOptionsIp: NetworkTopNFlowRequestOptions = { - ...mockOptions, - ip: '1.1.1.1', -}; - -export const mockRequestIp = { - ...mockRequest, - body: { - ...mockRequest.body, - variables: { - ...mockRequest.body.variables, - ip: '1.1.1.1', - }, - }, -}; - -export const mockResponseIp = { - took: 122, - timed_out: false, - _shards: { - total: 1, - successful: 1, - skipped: 0, - failed: 0, - }, - hits: { - max_score: null, - hits: [], - }, - aggregations: { - top_n_flow_count: { - value: 1, - }, - [FlowTargetSourceDest.source]: { - buckets: [ - { - key: '1.1.1.1', - flows: { value: 1234567 }, - destination_ips: { value: 345345 }, - bytes_in: { - value: 11276023407, - }, - bytes_out: { - value: 1025631, - }, - location: { - doc_count: 14, - top_geo: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-PA', - city_name: 'Philadelphia', - country_iso_code: 'US', - region_name: 'Pennsylvania', - location: { - lon: -75.1534, - lat: 39.9359, - }, - }, - }, - }, - }, - ], - }, - }, - }, - autonomous_system: { - doc_count: 14, - top_as: { - hits: { - total: { - value: 14, - relation: 'eq', - }, - max_score: 1, - hits: [ - { - _index: 'filebeat-8.0.0-2019.06.19-000005', - _type: '_doc', - _id: 'dd4fa2d4bd-692279846149410', - _score: 1, - _source: { - source: { - as: { - number: 3356, - organization: { - name: 'Level 3 Parent, LLC', - }, - }, - }, - }, - }, - ], - }, - }, - }, - domain: { - buckets: [ - { - key: 'test.1.net', - }, - ], - }, - }, - ], - }, - }, -}; - -export const mockResultIp = { - inspect: { - dsl: [JSON.stringify(mockTopNFlowQueryDsl, null, 2)], - response: [JSON.stringify(mockResponseIp, null, 2)], - }, - edges: [ - { - cursor: { - tiebreaker: null, - value: '1.1.1.1', - }, - node: { - _id: '1.1.1.1', - network: { - bytes_in: 11276023407, - bytes_out: 1025631, - }, - source: { - domain: ['test.1.net'], - ip: '1.1.1.1', - autonomous_system: { - name: 'Level 3 Parent, LLC', - number: 3356, - }, - location: { - flowTarget: 'source', - geo: { - city_name: 'Philadelphia', - continent_name: 'North America', - country_iso_code: 'US', - location: { - lat: 39.9359, - lon: -75.1534, - }, - region_iso_code: 'US-PA', - region_name: 'Pennsylvania', - }, - }, - flows: 1234567, - destination_ips: 345345, - }, - }, - }, - ], - pageInfo: { - activePage: 0, - fakeTotalCount: 1, - showMorePagesIndicator: false, - }, - totalCount: 1, -}; diff --git a/x-pack/plugins/security_solution/server/lib/network/query_dns.dsl.ts b/x-pack/plugins/security_solution/server/lib/network/query_dns.dsl.ts deleted file mode 100644 index 90781e7b48b4a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/query_dns.dsl.ts +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { isEmpty } from 'lodash/fp'; - -import { assertUnreachable } from '../../../common/utility_types'; -import { Direction, NetworkDnsFields, NetworkDnsSortField } from '../../graphql/types'; -import { createQueryFilterClauses } from '../../utils/build_query'; - -import { NetworkDnsRequestOptions } from './index'; - -type QueryOrder = - | { _count: Direction } - | { _key: Direction } - | { unique_domains: Direction } - | { dns_bytes_in: Direction } - | { dns_bytes_out: Direction }; - -const getQueryOrder = (networkDnsSortField: NetworkDnsSortField): QueryOrder => { - switch (networkDnsSortField.field) { - case NetworkDnsFields.queryCount: - return { _count: networkDnsSortField.direction }; - case NetworkDnsFields.dnsName: - return { _key: networkDnsSortField.direction }; - case NetworkDnsFields.uniqueDomains: - return { unique_domains: networkDnsSortField.direction }; - case NetworkDnsFields.dnsBytesIn: - return { dns_bytes_in: networkDnsSortField.direction }; - case NetworkDnsFields.dnsBytesOut: - return { dns_bytes_out: networkDnsSortField.direction }; - } - assertUnreachable(networkDnsSortField.field); -}; - -const getCountAgg = () => ({ - dns_count: { - cardinality: { - field: 'dns.question.registered_domain', - }, - }, -}); - -const createIncludePTRFilter = (isPtrIncluded: boolean) => - isPtrIncluded - ? {} - : { - must_not: [ - { - term: { - 'dns.question.type': { - value: 'PTR', - }, - }, - }, - ], - }; - -export const buildDnsQuery = ({ - defaultIndex, - docValueFields, - filterQuery, - isPtrIncluded, - networkDnsSortField, - pagination: { querySize }, - sourceConfiguration: { - fields: { timestamp }, - }, - stackByField = 'dns.question.registered_domain', - timerange: { from, to }, -}: NetworkDnsRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { - gte: from, - lte: to, - format: 'strict_date_optional_time', - }, - }, - }, - ]; - - const dslQuery = { - allowNoIndices: true, - index: defaultIndex, - ignoreUnavailable: true, - body: { - ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), - aggregations: { - ...getCountAgg(), - dns_name_query_count: { - terms: { - field: stackByField, - size: querySize, - order: { - ...getQueryOrder(networkDnsSortField), - }, - }, - aggs: { - unique_domains: { - cardinality: { - field: 'dns.question.name', - }, - }, - dns_bytes_in: { - sum: { - field: 'source.bytes', - }, - }, - dns_bytes_out: { - sum: { - field: 'destination.bytes', - }, - }, - }, - }, - }, - query: { - bool: { - filter, - ...createIncludePTRFilter(isPtrIncluded), - }, - }, - }, - size: 0, - track_total_hits: false, - }; - - return dslQuery; -}; diff --git a/x-pack/plugins/security_solution/server/lib/network/query_http.dsl.ts b/x-pack/plugins/security_solution/server/lib/network/query_http.dsl.ts deleted file mode 100644 index a2d1963414be1..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/query_http.dsl.ts +++ /dev/null @@ -1,116 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -import { NetworkHttpSortField } from '../../graphql/types'; -import { createQueryFilterClauses } from '../../utils/build_query'; - -import { NetworkHttpRequestOptions } from './index'; - -const getCountAgg = () => ({ - http_count: { - cardinality: { - field: 'url.path', - }, - }, -}); - -export const buildHttpQuery = ({ - defaultIndex, - filterQuery, - networkHttpSort, - pagination: { querySize }, - sourceConfiguration: { - fields: { timestamp }, - }, - timerange: { from, to }, - ip, -}: NetworkHttpRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { gte: from, lte: to, format: 'strict_date_optional_time' }, - }, - }, - { exists: { field: 'http.request.method' } }, - ]; - - const dslQuery = { - allowNoIndices: true, - index: defaultIndex, - ignoreUnavailable: true, - body: { - aggregations: { - ...getCountAgg(), - ...getHttpAggs(networkHttpSort, querySize), - }, - query: { - bool: ip - ? { - filter, - should: [ - { - term: { - 'source.ip': ip, - }, - }, - { - term: { - 'destination.ip': ip, - }, - }, - ], - minimum_should_match: 1, - } - : { - filter, - }, - }, - }, - size: 0, - track_total_hits: false, - }; - return dslQuery; -}; - -const getHttpAggs = (networkHttpSortField: NetworkHttpSortField, querySize: number) => ({ - url: { - terms: { - field: `url.path`, - size: querySize, - order: { - _count: networkHttpSortField.direction, - }, - }, - aggs: { - methods: { - terms: { - field: 'http.request.method', - size: 4, - }, - }, - domains: { - terms: { - field: 'url.domain', - size: 4, - }, - }, - status: { - terms: { - field: 'http.response.status_code', - size: 4, - }, - }, - source: { - top_hits: { - size: 1, - _source: { - includes: ['host.name', 'source.ip'], - }, - }, - }, - }, - }, -}); diff --git a/x-pack/plugins/security_solution/server/lib/network/query_top_countries.dsl.ts b/x-pack/plugins/security_solution/server/lib/network/query_top_countries.dsl.ts deleted file mode 100644 index be0b8fb64c76a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/query_top_countries.dsl.ts +++ /dev/null @@ -1,153 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - Direction, - FlowTargetSourceDest, - NetworkTopTablesSortField, - NetworkTopTablesFields, -} from '../../graphql/types'; -import { createQueryFilterClauses } from '../../utils/build_query'; -import { assertUnreachable } from '../../../common/utility_types'; -import { NetworkTopCountriesRequestOptions } from './index'; - -const getCountAgg = (flowTarget: FlowTargetSourceDest) => ({ - top_countries_count: { - cardinality: { - field: `${flowTarget}.geo.country_iso_code`, - }, - }, -}); - -export const buildTopCountriesQuery = ({ - defaultIndex, - filterQuery, - flowTarget, - networkTopCountriesSort, - pagination: { querySize }, - sourceConfiguration: { - fields: { timestamp }, - }, - timerange: { from, to }, - ip, -}: NetworkTopCountriesRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { gte: from, lte: to, format: 'strict_date_optional_time' }, - }, - }, - ]; - - const dslQuery = { - allowNoIndices: true, - index: defaultIndex, - ignoreUnavailable: true, - body: { - aggregations: { - ...getCountAgg(flowTarget), - ...getFlowTargetAggs(networkTopCountriesSort, flowTarget, querySize), - }, - query: { - bool: ip - ? { - filter, - should: [ - { - term: { - [`${getOppositeField(flowTarget)}.ip`]: ip, - }, - }, - ], - minimum_should_match: 1, - } - : { - filter, - }, - }, - }, - size: 0, - track_total_hits: false, - }; - return dslQuery; -}; - -const getFlowTargetAggs = ( - networkTopCountriesSortField: NetworkTopTablesSortField, - flowTarget: FlowTargetSourceDest, - querySize: number -) => ({ - [flowTarget]: { - terms: { - field: `${flowTarget}.geo.country_iso_code`, - size: querySize, - order: { - ...getQueryOrder(networkTopCountriesSortField), - }, - }, - aggs: { - bytes_in: { - sum: { - field: `${getOppositeField(flowTarget)}.bytes`, - }, - }, - bytes_out: { - sum: { - field: `${flowTarget}.bytes`, - }, - }, - flows: { - cardinality: { - field: 'network.community_id', - }, - }, - source_ips: { - cardinality: { - field: 'source.ip', - }, - }, - destination_ips: { - cardinality: { - field: 'destination.ip', - }, - }, - }, - }, -}); - -export const getOppositeField = (flowTarget: FlowTargetSourceDest): FlowTargetSourceDest => { - switch (flowTarget) { - case FlowTargetSourceDest.source: - return FlowTargetSourceDest.destination; - case FlowTargetSourceDest.destination: - return FlowTargetSourceDest.source; - } - assertUnreachable(flowTarget); -}; - -type QueryOrder = - | { bytes_in: Direction } - | { bytes_out: Direction } - | { flows: Direction } - | { destination_ips: Direction } - | { source_ips: Direction }; - -const getQueryOrder = (networkTopCountriesSortField: NetworkTopTablesSortField): QueryOrder => { - switch (networkTopCountriesSortField.field) { - case NetworkTopTablesFields.bytes_in: - return { bytes_in: networkTopCountriesSortField.direction }; - case NetworkTopTablesFields.bytes_out: - return { bytes_out: networkTopCountriesSortField.direction }; - case NetworkTopTablesFields.flows: - return { flows: networkTopCountriesSortField.direction }; - case NetworkTopTablesFields.destination_ips: - return { destination_ips: networkTopCountriesSortField.direction }; - case NetworkTopTablesFields.source_ips: - return { source_ips: networkTopCountriesSortField.direction }; - } - assertUnreachable(networkTopCountriesSortField.field); -}; diff --git a/x-pack/plugins/security_solution/server/lib/network/query_top_n_flow.dsl.ts b/x-pack/plugins/security_solution/server/lib/network/query_top_n_flow.dsl.ts deleted file mode 100644 index 14a9c5e33aca0..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/query_top_n_flow.dsl.ts +++ /dev/null @@ -1,194 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { assertUnreachable } from '../../../common/utility_types'; -import { - Direction, - FlowTargetSourceDest, - NetworkTopTablesSortField, - NetworkTopTablesFields, -} from '../../graphql/types'; -import { createQueryFilterClauses } from '../../utils/build_query'; - -import { NetworkTopNFlowRequestOptions } from './index'; - -const getCountAgg = (flowTarget: FlowTargetSourceDest) => ({ - top_n_flow_count: { - cardinality: { - field: `${flowTarget}.ip`, - }, - }, -}); - -export const buildTopNFlowQuery = ({ - defaultIndex, - filterQuery, - flowTarget, - networkTopNFlowSort, - pagination: { querySize }, - sourceConfiguration: { - fields: { timestamp }, - }, - timerange: { from, to }, - ip, -}: NetworkTopNFlowRequestOptions) => { - const filter = [ - ...createQueryFilterClauses(filterQuery), - { - range: { - [timestamp]: { gte: from, lte: to, format: 'strict_date_optional_time' }, - }, - }, - ]; - - const dslQuery = { - allowNoIndices: true, - index: defaultIndex, - ignoreUnavailable: true, - body: { - aggregations: { - ...getCountAgg(flowTarget), - ...getFlowTargetAggs(networkTopNFlowSort, flowTarget, querySize), - }, - query: { - bool: ip - ? { - filter, - should: [ - { - term: { - [`${getOppositeField(flowTarget)}.ip`]: ip, - }, - }, - ], - minimum_should_match: 1, - } - : { - filter, - }, - }, - }, - size: 0, - track_total_hits: false, - }; - return dslQuery; -}; - -const getFlowTargetAggs = ( - networkTopNFlowSortField: NetworkTopTablesSortField, - flowTarget: FlowTargetSourceDest, - querySize: number -) => ({ - [flowTarget]: { - terms: { - field: `${flowTarget}.ip`, - size: querySize, - order: { - ...getQueryOrder(networkTopNFlowSortField), - }, - }, - aggs: { - bytes_in: { - sum: { - field: `${getOppositeField(flowTarget)}.bytes`, - }, - }, - bytes_out: { - sum: { - field: `${flowTarget}.bytes`, - }, - }, - domain: { - terms: { - field: `${flowTarget}.domain`, - order: { - timestamp: 'desc', - }, - }, - aggs: { - timestamp: { - max: { - field: '@timestamp', - }, - }, - }, - }, - location: { - filter: { - exists: { - field: `${flowTarget}.geo`, - }, - }, - aggs: { - top_geo: { - top_hits: { - _source: `${flowTarget}.geo.*`, - size: 1, - }, - }, - }, - }, - autonomous_system: { - filter: { - exists: { - field: `${flowTarget}.as`, - }, - }, - aggs: { - top_as: { - top_hits: { - _source: `${flowTarget}.as.*`, - size: 1, - }, - }, - }, - }, - flows: { - cardinality: { - field: 'network.community_id', - }, - }, - [`${getOppositeField(flowTarget)}_ips`]: { - cardinality: { - field: `${getOppositeField(flowTarget)}.ip`, - }, - }, - }, - }, -}); - -export const getOppositeField = (flowTarget: FlowTargetSourceDest): FlowTargetSourceDest => { - switch (flowTarget) { - case FlowTargetSourceDest.source: - return FlowTargetSourceDest.destination; - case FlowTargetSourceDest.destination: - return FlowTargetSourceDest.source; - } - assertUnreachable(flowTarget); -}; - -type QueryOrder = - | { bytes_in: Direction } - | { bytes_out: Direction } - | { flows: Direction } - | { destination_ips: Direction } - | { source_ips: Direction }; - -const getQueryOrder = (networkTopNFlowSortField: NetworkTopTablesSortField): QueryOrder => { - switch (networkTopNFlowSortField.field) { - case NetworkTopTablesFields.bytes_in: - return { bytes_in: networkTopNFlowSortField.direction }; - case NetworkTopTablesFields.bytes_out: - return { bytes_out: networkTopNFlowSortField.direction }; - case NetworkTopTablesFields.flows: - return { flows: networkTopNFlowSortField.direction }; - case NetworkTopTablesFields.destination_ips: - return { destination_ips: networkTopNFlowSortField.direction }; - case NetworkTopTablesFields.source_ips: - return { source_ips: networkTopNFlowSortField.direction }; - } - assertUnreachable(networkTopNFlowSortField.field); -}; diff --git a/x-pack/plugins/security_solution/server/lib/network/types.ts b/x-pack/plugins/security_solution/server/lib/network/types.ts deleted file mode 100644 index b7848be097151..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/network/types.ts +++ /dev/null @@ -1,165 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - NetworkDnsData, - NetworkHttpData, - NetworkTopCountriesData, - NetworkTopNFlowData, -} from '../../graphql/types'; -import { FrameworkRequest, RequestOptionsPaginated } from '../framework'; -import { TotalValue } from '../types'; -import { NetworkDnsRequestOptions } from '.'; - -export interface NetworkAdapter { - getNetworkTopCountries( - req: FrameworkRequest, - options: RequestOptionsPaginated - ): Promise; - getNetworkTopNFlow( - req: FrameworkRequest, - options: RequestOptionsPaginated - ): Promise; - getNetworkDns(req: FrameworkRequest, options: NetworkDnsRequestOptions): Promise; - getNetworkHttp(req: FrameworkRequest, options: RequestOptionsPaginated): Promise; -} - -export interface GenericBuckets { - key: string; - doc_count: number; -} - -interface LocationHit { - doc_count: number; - top_geo: { - hits: { - total: TotalValue | number; - max_score: number | null; - hits: Array<{ - _source: T; - sort?: [number]; - _index?: string; - _type?: string; - _id?: string; - _score?: number | null; - }>; - }; - }; -} - -interface AutonomousSystemHit { - doc_count: number; - top_as: { - hits: { - total: TotalValue | number; - max_score: number | null; - hits: Array<{ - _source: T; - sort?: [number]; - _index?: string; - _type?: string; - _id?: string; - _score?: number | null; - }>; - }; - }; -} - -interface HttpHit { - hits: { - total: TotalValue | number; - max_score: number | null; - hits: Array<{ - _source: T; - sort?: [number]; - _index?: string; - _type?: string; - _id?: string; - _score?: number | null; - }>; - }; -} - -export interface NetworkTopNFlowBuckets { - key: string; - autonomous_system: AutonomousSystemHit; - bytes_in: { - value: number; - }; - bytes_out: { - value: number; - }; - domain: { - buckets: GenericBuckets[]; - }; - location: LocationHit; - flows: number; - destination_ips?: number; - source_ips?: number; -} - -export interface NetworkTopCountriesBuckets { - country: string; - key: string; - bytes_in: { - value: number; - }; - bytes_out: { - value: number; - }; - flows: number; - destination_ips: number; - source_ips: number; -} - -export interface NetworkDnsBuckets { - key: string; - doc_count: number; - unique_domains: { - value: number; - }; - dns_bytes_in: { - value: number; - }; - dns_bytes_out: { - value: number; - }; -} - -export interface NetworkHttpBuckets { - key: string; - doc_count: number; - domains: { - buckets: GenericBuckets[]; - }; - methods: { - buckets: GenericBuckets[]; - }; - source: HttpHit; - status: { - buckets: GenericBuckets[]; - }; -} - -interface DnsHistogramSubBucket { - key: string; - doc_count: number; - orderAgg: { - value: number; - }; -} -interface DnsHistogramBucket { - doc_count_error_upper_bound: number; - sum_other_doc_count: number; - buckets: DnsHistogramSubBucket[]; -} - -export interface DnsHistogramGroupData { - key: number; - doc_count: number; - key_as_string: string; - histogram: DnsHistogramBucket; -} diff --git a/x-pack/plugins/security_solution/server/lib/types.ts b/x-pack/plugins/security_solution/server/lib/types.ts index 6e233f6e49d3b..7e59280cd1358 100644 --- a/x-pack/plugins/security_solution/server/lib/types.ts +++ b/x-pack/plugins/security_solution/server/lib/types.ts @@ -8,32 +8,20 @@ import { AuthenticatedUser } from '../../../security/common/model'; import { RequestHandlerContext } from '../../../../../src/core/server'; export { ConfigType as Configuration } from '../config'; -import { Authentications } from './authentications'; -import { Events } from './events'; import { FrameworkAdapter, FrameworkRequest } from './framework'; import { Hosts } from './hosts'; import { IndexFields } from './index_fields'; -import { KpiHosts } from './kpi_hosts'; -import { KpiNetwork } from './kpi_network'; -import { Network } from './network'; import { SourceStatus } from './source_status'; import { Sources } from './sources'; import { Note } from './note/saved_object'; import { PinnedEvent } from './pinned_event/saved_object'; import { Timeline } from './timeline/saved_object'; -import { MatrixHistogram } from './matrix_histogram'; export * from './hosts'; export interface AppDomainLibs { - authentications: Authentications; - events: Events; fields: IndexFields; hosts: Hosts; - matrixHistogram: MatrixHistogram; - network: Network; - kpiNetwork: KpiNetwork; - kpiHosts: KpiHosts; } export interface AppBackendLibs extends AppDomainLibs { diff --git a/x-pack/test/api_integration/apis/security_solution/index.js b/x-pack/test/api_integration/apis/security_solution/index.js index a143d94dde172..a6089c540a78b 100644 --- a/x-pack/test/api_integration/apis/security_solution/index.js +++ b/x-pack/test/api_integration/apis/security_solution/index.js @@ -6,12 +6,12 @@ export default function ({ loadTestFile }) { describe('Siem GraphQL Endpoints', () => { - loadTestFile(require.resolve('./authentications')); + // loadTestFile(require.resolve('./authentications')); loadTestFile(require.resolve('./hosts')); - loadTestFile(require.resolve('./kpi_network')); - loadTestFile(require.resolve('./kpi_hosts')); - loadTestFile(require.resolve('./network_dns')); - loadTestFile(require.resolve('./network_top_n_flow')); + // loadTestFile(require.resolve('./kpi_network')); + // loadTestFile(require.resolve('./kpi_hosts')); + // loadTestFile(require.resolve('./network_dns')); + // loadTestFile(require.resolve('./network_top_n_flow')); // loadTestFile(require.resolve('./overview_host')); loadTestFile(require.resolve('./saved_objects/notes')); loadTestFile(require.resolve('./saved_objects/pinned_events')); diff --git a/x-pack/test/api_integration/apis/security_solution/kpi_host_details.ts b/x-pack/test/api_integration/apis/security_solution/kpi_host_details.ts index c446fbb149e3a..27e4e02ee7d08 100644 --- a/x-pack/test/api_integration/apis/security_solution/kpi_host_details.ts +++ b/x-pack/test/api_integration/apis/security_solution/kpi_host_details.ts @@ -5,7 +5,9 @@ */ import expect from '@kbn/expect'; +// @ts-expect-error import { kpiHostDetailsQuery } from '../../../../plugins/security_solution/public/hosts/containers/kpi_host_details/index.gql_query'; +// @ts-expect-error import { GetKpiHostDetailsQuery } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; diff --git a/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts b/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts index dcea52edcddf9..64109bd4d9321 100644 --- a/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts +++ b/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts @@ -5,7 +5,9 @@ */ import expect from '@kbn/expect'; +// @ts-expect-error import { kpiHostsQuery } from '../../../../plugins/security_solution/public/hosts/containers/kpi_hosts/index.gql_query'; +// @ts-expect-error import { GetKpiHostsQuery } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; diff --git a/x-pack/test/api_integration/apis/security_solution/kpi_network.ts b/x-pack/test/api_integration/apis/security_solution/kpi_network.ts index 654607913d44a..14b061d678898 100644 --- a/x-pack/test/api_integration/apis/security_solution/kpi_network.ts +++ b/x-pack/test/api_integration/apis/security_solution/kpi_network.ts @@ -5,7 +5,9 @@ */ import expect from '@kbn/expect'; +// @ts-expect-error import { kpiNetworkQuery } from '../../../../plugins/security_solution/public/network/containers/kpi_network/index.gql_query'; +// @ts-expect-error import { GetKpiNetworkQuery } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; diff --git a/x-pack/test/api_integration/apis/security_solution/timeline.ts b/x-pack/test/api_integration/apis/security_solution/timeline.ts index 5bd015a130a5a..8ae562a961431 100644 --- a/x-pack/test/api_integration/apis/security_solution/timeline.ts +++ b/x-pack/test/api_integration/apis/security_solution/timeline.ts @@ -6,9 +6,11 @@ import expect from '@kbn/expect'; +// @ts-expect-error import { timelineQuery } from '../../../../plugins/security_solution/public/timelines/containers/index.gql_query'; import { Direction, + // @ts-expect-error GetTimelineQuery, } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; diff --git a/x-pack/test/api_integration/apis/security_solution/timeline_details.ts b/x-pack/test/api_integration/apis/security_solution/timeline_details.ts index 35f419fde894d..559cdc8c29c09 100644 --- a/x-pack/test/api_integration/apis/security_solution/timeline_details.ts +++ b/x-pack/test/api_integration/apis/security_solution/timeline_details.ts @@ -7,9 +7,12 @@ import expect from '@kbn/expect'; import { sortBy } from 'lodash'; +// @ts-expect-error import { timelineDetailsQuery } from '../../../../plugins/security_solution/public/timelines/containers/details/index.gql_query'; import { + // @ts-expect-error DetailItem, + // @ts-expect-error GetTimelineDetailsQuery, } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; From 8fc22a41e625404f5c1ca7978df9c6da725c862e Mon Sep 17 00:00:00 2001 From: Patryk Kopycinski Date: Thu, 24 Sep 2020 13:14:04 +0200 Subject: [PATCH 2/4] cleanup --- .../public/graphql/introspection.json | 31 ------------------- .../security_solution/public/graphql/types.ts | 7 ----- .../security_solution/server/graphql/index.ts | 2 -- .../security_solution/server/graphql/types.ts | 29 ----------------- .../server/graphql/who_am_i/index.ts | 8 ----- .../server/graphql/who_am_i/resolvers.ts | 28 ----------------- .../server/graphql/who_am_i/schema.gql.ts | 19 ------------ .../security_solution/server/init_server.ts | 2 -- .../apis/security_solution/index.js | 4 +-- 9 files changed, 2 insertions(+), 128 deletions(-) delete mode 100644 x-pack/plugins/security_solution/server/graphql/who_am_i/index.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/who_am_i/resolvers.ts delete mode 100644 x-pack/plugins/security_solution/server/graphql/who_am_i/schema.gql.ts diff --git a/x-pack/plugins/security_solution/public/graphql/introspection.json b/x-pack/plugins/security_solution/public/graphql/introspection.json index ccd68195271e2..8d780137b847c 100644 --- a/x-pack/plugins/security_solution/public/graphql/introspection.json +++ b/x-pack/plugins/security_solution/public/graphql/introspection.json @@ -906,14 +906,6 @@ }, "isDeprecated": false, "deprecationReason": null - }, - { - "name": "whoAmI", - "description": "Just a simple example to get the app name", - "args": [], - "type": { "kind": "OBJECT", "name": "SayMyName", "ofType": null }, - "isDeprecated": false, - "deprecationReason": null } ], "inputFields": null, @@ -1922,29 +1914,6 @@ "enumValues": null, "possibleTypes": null }, - { - "kind": "OBJECT", - "name": "SayMyName", - "description": "", - "fields": [ - { - "name": "appName", - "description": "The id of the source", - "args": [], - "type": { - "kind": "NON_NULL", - "name": null, - "ofType": { "kind": "SCALAR", "name": "String", "ofType": null } - }, - "isDeprecated": false, - "deprecationReason": null - } - ], - "inputFields": null, - "interfaces": [], - "enumValues": null, - "possibleTypes": null - }, { "kind": "OBJECT", "name": "TimelineResult", diff --git a/x-pack/plugins/security_solution/public/graphql/types.ts b/x-pack/plugins/security_solution/public/graphql/types.ts index ae89beee8f160..df8333ea63055 100644 --- a/x-pack/plugins/security_solution/public/graphql/types.ts +++ b/x-pack/plugins/security_solution/public/graphql/types.ts @@ -439,8 +439,6 @@ export interface Source { HostOverview: HostItem; HostFirstLastSeen: FirstLastSeenHost; - /** Just a simple example to get the app name */ - whoAmI?: Maybe; } /** A set of configuration options for a security data source */ @@ -587,11 +585,6 @@ export interface FirstLastSeenHost { lastSeen?: Maybe; } -export interface SayMyName { - /** The id of the source */ - appName: string; -} - export interface TimelineResult { columns?: Maybe; diff --git a/x-pack/plugins/security_solution/server/graphql/index.ts b/x-pack/plugins/security_solution/server/graphql/index.ts index 308572a6a7e65..5eed9919825c3 100644 --- a/x-pack/plugins/security_solution/server/graphql/index.ts +++ b/x-pack/plugins/security_solution/server/graphql/index.ts @@ -19,7 +19,6 @@ import { toNumberSchema } from './scalar_to_number_array'; import { sourceStatusSchema } from './source_status'; import { sourcesSchema } from './sources'; import { timelineSchema } from './timeline'; -import { whoAmISchema } from './who_am_i'; export const schemas = [ ecsSchema, dateSchema, @@ -35,5 +34,4 @@ export const schemas = [ sourceStatusSchema, sharedSchema, timelineSchema, - whoAmISchema, ]; diff --git a/x-pack/plugins/security_solution/server/graphql/types.ts b/x-pack/plugins/security_solution/server/graphql/types.ts index c980ddba9f223..7d2ce8a284994 100644 --- a/x-pack/plugins/security_solution/server/graphql/types.ts +++ b/x-pack/plugins/security_solution/server/graphql/types.ts @@ -441,8 +441,6 @@ export interface Source { HostOverview: HostItem; HostFirstLastSeen: FirstLastSeenHost; - /** Just a simple example to get the app name */ - whoAmI?: Maybe; } /** A set of configuration options for a security data source */ @@ -589,11 +587,6 @@ export interface FirstLastSeenHost { lastSeen?: Maybe; } -export interface SayMyName { - /** The id of the source */ - appName: string; -} - export interface TimelineResult { columns?: Maybe; @@ -2057,8 +2050,6 @@ export namespace SourceResolvers { HostOverview?: HostOverviewResolver; HostFirstLastSeen?: HostFirstLastSeenResolver; - /** Just a simple example to get the app name */ - whoAmI?: WhoAmIResolver, TypeParent, TContext>; } export type IdResolver = Resolver< @@ -2127,12 +2118,6 @@ export namespace SourceResolvers { docValueFields: DocValueFieldsInput[]; } - - export type WhoAmIResolver< - R = Maybe, - Parent = Source, - TContext = SiemContext - > = Resolver; } /** A set of configuration options for a security data source */ export namespace SourceConfigurationResolvers { @@ -2600,19 +2585,6 @@ export namespace FirstLastSeenHostResolvers { > = Resolver; } -export namespace SayMyNameResolvers { - export interface Resolvers { - /** The id of the source */ - appName?: AppNameResolver; - } - - export type AppNameResolver = Resolver< - R, - Parent, - TContext - >; -} - export namespace TimelineResultResolvers { export interface Resolvers { columns?: ColumnsResolver, TypeParent, TContext>; @@ -6077,7 +6049,6 @@ export type IResolvers = { CursorType?: CursorTypeResolvers.Resolvers; PageInfoPaginated?: PageInfoPaginatedResolvers.Resolvers; FirstLastSeenHost?: FirstLastSeenHostResolvers.Resolvers; - SayMyName?: SayMyNameResolvers.Resolvers; TimelineResult?: TimelineResultResolvers.Resolvers; ColumnHeaderResult?: ColumnHeaderResultResolvers.Resolvers; DataProviderResult?: DataProviderResultResolvers.Resolvers; diff --git a/x-pack/plugins/security_solution/server/graphql/who_am_i/index.ts b/x-pack/plugins/security_solution/server/graphql/who_am_i/index.ts deleted file mode 100644 index 6ef7f1ae8a2eb..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/who_am_i/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { createWhoAmIResolvers } from './resolvers'; -export { whoAmISchema } from './schema.gql'; diff --git a/x-pack/plugins/security_solution/server/graphql/who_am_i/resolvers.ts b/x-pack/plugins/security_solution/server/graphql/who_am_i/resolvers.ts deleted file mode 100644 index 065edfb99ccea..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/who_am_i/resolvers.ts +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { SourceResolvers } from '../../graphql/types'; -import { AppResolverOf, ChildResolverOf } from '../../lib/framework'; -import { QuerySourceResolver } from '../sources/resolvers'; - -export type QueryWhoAmIResolver = ChildResolverOf< - AppResolverOf, - QuerySourceResolver ->; - -export const createWhoAmIResolvers = (): { - Source: { - whoAmI: QueryWhoAmIResolver; - }; -} => ({ - Source: { - async whoAmI(root, args) { - return { - appName: 'SIEM', - }; - }, - }, -}); diff --git a/x-pack/plugins/security_solution/server/graphql/who_am_i/schema.gql.ts b/x-pack/plugins/security_solution/server/graphql/who_am_i/schema.gql.ts deleted file mode 100644 index 0a264cd2988fe..0000000000000 --- a/x-pack/plugins/security_solution/server/graphql/who_am_i/schema.gql.ts +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import gql from 'graphql-tag'; - -export const whoAmISchema = gql` - type SayMyName { - "The id of the source" - appName: String! - } - - extend type Source { - "Just a simple example to get the app name" - whoAmI: SayMyName - } -`; diff --git a/x-pack/plugins/security_solution/server/init_server.ts b/x-pack/plugins/security_solution/server/init_server.ts index 43cf6aae7855b..997240a33ad22 100644 --- a/x-pack/plugins/security_solution/server/init_server.ts +++ b/x-pack/plugins/security_solution/server/init_server.ts @@ -18,7 +18,6 @@ import { createScalarToNumberArrayValueResolvers } from './graphql/scalar_to_num import { createSourceStatusResolvers } from './graphql/source_status'; import { createSourcesResolvers } from './graphql/sources'; import { createTimelineResolvers } from './graphql/timeline'; -import { createWhoAmIResolvers } from './graphql/who_am_i'; import { AppBackendLibs } from './lib/types'; export const initServer = (libs: AppBackendLibs) => { @@ -37,7 +36,6 @@ export const initServer = (libs: AppBackendLibs) => { createSourcesResolvers(libs) as IResolvers, createSourceStatusResolvers(libs) as IResolvers, createTimelineResolvers(libs) as IResolvers, - createWhoAmIResolvers() as IResolvers, ], typeDefs: schemas, }); diff --git a/x-pack/test/api_integration/apis/security_solution/index.js b/x-pack/test/api_integration/apis/security_solution/index.js index a6089c540a78b..3d24af4413800 100644 --- a/x-pack/test/api_integration/apis/security_solution/index.js +++ b/x-pack/test/api_integration/apis/security_solution/index.js @@ -18,8 +18,8 @@ export default function ({ loadTestFile }) { loadTestFile(require.resolve('./saved_objects/timeline')); loadTestFile(require.resolve('./sources')); // loadTestFile(require.resolve('./overview_network')); - loadTestFile(require.resolve('./timeline')); - loadTestFile(require.resolve('./timeline_details')); + // loadTestFile(require.resolve('./timeline')); + // loadTestFile(require.resolve('./timeline_details')); // loadTestFile(require.resolve('./uncommon_processes')); // loadTestFile(require.resolve('./users')); // loadTestFile(require.resolve('./tls')); From 1d218e252d2ea2dcb5136a6b7070342608e6976b Mon Sep 17 00:00:00 2001 From: Patryk Kopycinski Date: Thu, 24 Sep 2020 14:31:41 +0200 Subject: [PATCH 3/4] cleanup --- .../__snapshots__/index.test.tsx.snap | 101 +++++++++++++++++- .../apis/security_solution/authentications.ts | 2 + .../apis/security_solution/network_dns.ts | 3 + .../security_solution/network_top_n_flow.ts | 3 + 4 files changed, 108 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/public/network/components/network_http_table/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/network/components/network_http_table/__snapshots__/index.test.tsx.snap index 7adee9531b1f3..c5df0f6603fbf 100644 --- a/x-pack/plugins/security_solution/public/network/components/network_http_table/__snapshots__/index.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/network/components/network_http_table/__snapshots__/index.test.tsx.snap @@ -1,3 +1,102 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`NetworkHttp Table Component rendering it renders the default NetworkHttp table 1`] = `null`; +exports[`NetworkHttp Table Component rendering it renders the default NetworkHttp table 1`] = ` + +`; diff --git a/x-pack/test/api_integration/apis/security_solution/authentications.ts b/x-pack/test/api_integration/apis/security_solution/authentications.ts index 277ac7316e92d..d36f9aeaa8804 100644 --- a/x-pack/test/api_integration/apis/security_solution/authentications.ts +++ b/x-pack/test/api_integration/apis/security_solution/authentications.ts @@ -6,7 +6,9 @@ import expect from '@kbn/expect'; +// @ts-expect-error import { authenticationsQuery } from '../../../../plugins/security_solution/public/hosts/containers/authentications/index.gql_query'; +// @ts-expect-error import { GetAuthenticationsQuery } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; diff --git a/x-pack/test/api_integration/apis/security_solution/network_dns.ts b/x-pack/test/api_integration/apis/security_solution/network_dns.ts index e5f3ed18d32ea..c16b6a1cd28bc 100644 --- a/x-pack/test/api_integration/apis/security_solution/network_dns.ts +++ b/x-pack/test/api_integration/apis/security_solution/network_dns.ts @@ -5,10 +5,13 @@ */ import expect from '@kbn/expect'; +// @ts-expect-error import { networkDnsQuery } from '../../../../plugins/security_solution/public/network/containers/network_dns/index.gql_query'; import { Direction, + // @ts-expect-error GetNetworkDnsQuery, + // @ts-expect-error NetworkDnsFields, } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; diff --git a/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts b/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts index 6033fdfefa4db..0db7f14813c4b 100644 --- a/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts +++ b/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts @@ -5,11 +5,14 @@ */ import expect from '@kbn/expect'; +// @ts-expect-error import { networkTopNFlowQuery } from '../../../../plugins/security_solution/public/network/containers/network_top_n_flow/index.gql_query'; import { Direction, FlowTargetSourceDest, + // @ts-expect-error GetNetworkTopNFlowQuery, + // @ts-expect-error NetworkTopTablesFields, } from '../../../../plugins/security_solution/public/graphql/types'; import { FtrProviderContext } from '../../ftr_provider_context'; From 28a1500558ac84e386b7b0e05ff5effaa3f832f0 Mon Sep 17 00:00:00 2001 From: Patryk Kopycinski Date: Thu, 24 Sep 2020 15:23:25 +0200 Subject: [PATCH 4/4] fix types --- .../test/api_integration/apis/security_solution/network_dns.ts | 2 ++ .../apis/security_solution/network_top_n_flow.ts | 2 ++ 2 files changed, 4 insertions(+) diff --git a/x-pack/test/api_integration/apis/security_solution/network_dns.ts b/x-pack/test/api_integration/apis/security_solution/network_dns.ts index c16b6a1cd28bc..b53e2cc72853a 100644 --- a/x-pack/test/api_integration/apis/security_solution/network_dns.ts +++ b/x-pack/test/api_integration/apis/security_solution/network_dns.ts @@ -56,6 +56,7 @@ export default function ({ getService }: FtrProviderContext) { const networkDns = resp.data.source.NetworkDns; expect(networkDns.edges.length).to.be(10); expect(networkDns.totalCount).to.be(44); + // @ts-expect-error expect(networkDns.edges.map((i) => i.node.dnsName).join(',')).to.be( 'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,crowbird.com,d1oxlq5h9kq8q5.cloudfront.net' ); @@ -93,6 +94,7 @@ export default function ({ getService }: FtrProviderContext) { const networkDns = resp.data.source.NetworkDns; expect(networkDns.edges.length).to.be(10); expect(networkDns.totalCount).to.be(44); + // @ts-expect-error expect(networkDns.edges.map((i) => i.node.dnsName).join(',')).to.be( 'nflxvideo.net,apple.com,netflix.com,samsungcloudsolution.com,samsungqbe.com,samsungelectronics.com,internetat.tv,samsungcloudsolution.net,samsungosp.com,cbsnews.com' ); diff --git a/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts b/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts index 0db7f14813c4b..81a1924019a55 100644 --- a/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts +++ b/x-pack/test/api_integration/apis/security_solution/network_top_n_flow.ts @@ -58,6 +58,7 @@ export default function ({ getService }: FtrProviderContext) { const networkTopNFlow = resp.data.source.NetworkTopNFlow; expect(networkTopNFlow.edges.length).to.be(EDGE_LENGTH); expect(networkTopNFlow.totalCount).to.be(121); + // @ts-expect-error expect(networkTopNFlow.edges.map((i) => i.node.source!.ip).join(',')).to.be( '10.100.7.196,10.100.7.199,10.100.7.197,10.100.7.198,3.82.33.170,17.249.172.100,10.100.4.1,8.248.209.244,8.248.211.247,8.248.213.244' ); @@ -96,6 +97,7 @@ export default function ({ getService }: FtrProviderContext) { const networkTopNFlow = resp.data.source.NetworkTopNFlow; expect(networkTopNFlow.edges.length).to.be(EDGE_LENGTH); expect(networkTopNFlow.totalCount).to.be(121); + // @ts-expect-error expect(networkTopNFlow.edges.map((i) => i.node.source!.ip).join(',')).to.be( '8.248.209.244,8.248.211.247,8.248.213.244,8.248.223.246,8.250.107.245,8.250.121.236,8.250.125.244,8.253.38.231,8.253.157.112,8.253.157.240' );