diff --git a/src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts b/src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts
index d3854e1b122a7..3e554b3355f00 100644
--- a/src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts
+++ b/src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts
@@ -120,6 +120,7 @@ const SecurityAlertRequired = rt.type({
 });
 // prettier-ignore
 const SecurityAlertOptional = rt.partial({
+ 'actor.entity.id': schemaStringArray,
 'ecs.version': schemaString,
 'event.action': schemaString,
 'event.kind': schemaString,
@@ -219,10 +220,12 @@ const SecurityAlertOptional = rt.partial({
 'kibana.alert.workflow_tags': schemaStringArray,
 'kibana.alert.workflow_user': schemaString,
 'kibana.version': schemaString,
+ 'related.entity': schemaStringArray,
 'service.asset.criticality': schemaString,
 'service.risk.calculated_level': schemaString,
 'service.risk.calculated_score_norm': schemaNumber,
 tags: schemaStringArray,
+ 'target.entity.id': schemaStringArray,
 'user.asset.criticality': schemaString,
 });
diff --git a/x-pack/platform/plugins/shared/alerting/server/integration_tests/__snapshots__/alert_as_data_fields.test.ts.snap b/x-pack/platform/plugins/shared/alerting/server/integration_tests/__snapshots__/alert_as_data_fields.test.ts.snap
index 09b6aa598dd53..eab534b44ab5d 100644
--- a/x-pack/platform/plugins/shared/alerting/server/integration_tests/__snapshots__/alert_as_data_fields.test.ts.snap
+++ b/x-pack/platform/plugins/shared/alerting/server/integration_tests/__snapshots__/alert_as_data_fields.test.ts.snap
@@ -814,6 +814,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -1549,6 +1554,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -1949,6 +1959,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -1967,6 +1982,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -2702,6 +2722,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -3102,6 +3127,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -3120,6 +3150,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -3855,6 +3890,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -4255,6 +4295,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -4273,6 +4318,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -5008,6 +5058,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -5408,6 +5463,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -5426,6 +5486,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -6161,6 +6226,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -6561,6 +6631,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -6585,6 +6660,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -7320,6 +7400,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -7720,6 +7805,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -7738,6 +7828,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -8473,6 +8568,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -8873,6 +8973,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -8891,6 +8996,11 @@ Object {
 "required": true,
 "type": "date",
 },
+ "actor.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "ecs.version": Object {
 "array": false,
 "required": false,
@@ -9626,6 +9736,11 @@ Object {
 "required": false,
 "type": "version",
 },
+ "related.entity": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "service.asset.criticality": Object {
 "array": false,
 "required": false,
@@ -10026,6 +10141,11 @@ Object {
 "required": false,
 "type": "keyword",
 },
+ "target.entity.id": Object {
+ "array": true,
+ "required": false,
+ "type": "keyword",
+ },
 "user.asset.criticality": Object {
 "array": false,
 "required": false,
diff --git a/x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/alerts.ts b/x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/alerts.ts
new file mode 100644
index 0000000000000..986778b8195b6
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/alerts.ts
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { alertsFieldMap8190 } from '../8.19.0';
+import { ACTOR_ENTITY_ID, RELATED_ENTITY, TARGET_ENTITY_ID } from '../field_names';
+
+export const alertsFieldMap920 = {
+ ...alertsFieldMap8190,
+ /**
+ * Part of audit logs fields that are now processed. These fields helps us present alerts and logs in a graphical way.
+ * Both actor and target fields are a work in progress to become part of ECS.
+ * Right now, these fields are only relevant for security's alerts and audit logs. Therefore, we add them here.
+ */
+ [ACTOR_ENTITY_ID]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [RELATED_ENTITY]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [TARGET_ENTITY_ID]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+} as const;
+
+export type AlertsFieldMap920 = typeof alertsFieldMap920;
diff --git a/x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/index.ts b/x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/index.ts
new file mode 100644
index 0000000000000..b7084c372044d
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type { AlertsFieldMap920 } from './alerts';
+export { alertsFieldMap920 } from './alerts';
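Review bot: The `/** … */` block inside the object literal documents all three new entries, but as a JSDoc comment on a single property it attaches only to `[ACTOR_ENTITY_ID]` in editor hover and generated docs, leaving `[RELATED_ENTITY]` and `[TARGET_ENTITY_ID]` undocumented; move the explanation above `export const alertsFieldMap920 = {` or give the other two entries a one-line comment each. The first sentence also needs a grammar fix: `* Part of the audit log fields that are now processed. These fields help us present alerts and logs in a graphical way.`. Since all three entries are identical keyword arrays, it would help to state in that comment what `related.entity` holds (presumably entity ids, given that its key lacks the `.id` suffix the other two carry).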
diff --git a/x-pack/solutions/security/plugins/security_solution/common/field_maps/field_names.ts b/x-pack/solutions/security/plugins/security_solution/common/field_maps/field_names.ts
index e09741906759c..bc61cfdbf4b2d 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/field_maps/field_names.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/field_maps/field_names.ts
@@ -65,3 +65,7 @@ export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as c
 export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const;
 export const ALERT_RULE_TIMESTAMP_OVERRIDE = `${ALERT_RULE_NAMESPACE}.timestamp_override` as const;
 export const ALERT_RULE_INDICES = `${ALERT_RULE_NAMESPACE}.indices` as const;
+
+export const ACTOR_ENTITY_ID = 'actor.entity.id' as const;
+export const RELATED_ENTITY = 'related.entity' as const;
+export const TARGET_ENTITY_ID = 'target.entity.id' as const;
diff --git a/x-pack/solutions/security/plugins/security_solution/common/field_maps/index.ts b/x-pack/solutions/security/plugins/security_solution/common/field_maps/index.ts
index 1011d69a2d1e9..7cde73b3e310b 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/field_maps/index.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/field_maps/index.ts
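Review bot: The three new constants are the only names in this hunk not built from a `*_NAMESPACE` prefix and carry no comment, so a reader of field_names.ts cannot tell they are provisional, non-ECS field names rather than established ECS ones. Add a short comment above them, e.g. `// Entity fields used by security alerts and audit logs; not yet part of ECS (see field_maps/9.2.0/alerts.ts).`, so that the status is visible where the names are defined rather than only in the field map that consumes them.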
@@ -4,9 +4,9 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-import type { AlertsFieldMap8190 } from './8.19.0';
-import { alertsFieldMap8190 } from './8.19.0';
+import type { AlertsFieldMap920 } from './9.2.0';
+import { alertsFieldMap920 } from './9.2.0';
 import type { RulesFieldMap } from './8.0.0/rules';
 import { rulesFieldMap } from './8.0.0/rules';
-export type { AlertsFieldMap8190 as AlertsFieldMap, RulesFieldMap };
-export { alertsFieldMap8190 as alertsFieldMap, rulesFieldMap };
+export type { AlertsFieldMap920 as AlertsFieldMap, RulesFieldMap };
+export { alertsFieldMap920 as alertsFieldMap, rulesFieldMap };