From b249faed4e03b3c64c76acac8428d6a607f18cc4 Mon Sep 17 00:00:00 2001 
From: Carlos Crespo Date: Tue, 7 Feb 2023 11:20:10 +0100 Subject: [PATCH 01/27] [Infrastructure UI] Add link to k8s dashboard and refactor Inventory UI (#150198) ## Summary closes #149626 This PR adds a new experimental link to the Inventory UI, that will redirect the user to the list of managed Kubernetes Dashboards. - Before the user interacts with the link image image - After the user interacts with the link image ### How to test it pre: Make sure you have `Kubernetes` integration package installed - Go to `Observability > Inventory` - If the button hasn't been clicked yet, the link should be pink and the badge should be present - Click on the badge and/or the link - The list of managed Kubernetes dashboards will render (if you haven't installed the integration package, the list will be empty) - Return to the Inventory UI - The link color will be blue and the badge will be hidden We populate a localStorage key named `inventoryUI:k8sDashboardClicked` ### For maintainers - I've also refactored the Inventory UI `layout.tsx` file, removing some usages of the `AutoSizer` component in favor of css. 
--- .../components/experimental_badge.tsx | 0 .../infra/public/components/try_it_button.tsx | 77 +++++++++ .../enable_hosts_view_page.tsx | 2 +- .../public/pages/metrics/hosts/index.tsx | 2 +- .../components/bottom_drawer.tsx | 115 ++++++++----- .../components/hosts_view_intro_panel.tsx | 53 ------ .../inventory_view/components/layout.tsx | 158 +++++++++--------- .../components/nodes_overview.tsx | 8 +- .../inventory_view/components/waffle/map.tsx | 1 - .../pages/metrics/inventory_view/index.tsx | 6 +- .../page_objects/infra_home_page.ts | 7 +- .../page_objects/infra_hosts_view.ts | 2 +- 12 files changed, 246 insertions(+), 185 deletions(-) rename x-pack/plugins/infra/public/{pages/metrics/hosts => }/components/experimental_badge.tsx (100%) create mode 100644 x-pack/plugins/infra/public/components/try_it_button.tsx delete mode 100644 x-pack/plugins/infra/public/pages/metrics/inventory_view/components/hosts_view_intro_panel.tsx diff --git a/x-pack/plugins/infra/public/pages/metrics/hosts/components/experimental_badge.tsx b/x-pack/plugins/infra/public/components/experimental_badge.tsx similarity index 100% rename from x-pack/plugins/infra/public/pages/metrics/hosts/components/experimental_badge.tsx rename to x-pack/plugins/infra/public/components/experimental_badge.tsx diff --git a/x-pack/plugins/infra/public/components/try_it_button.tsx b/x-pack/plugins/infra/public/components/try_it_button.tsx new file mode 100644 index 0000000000000..eeb9d68a93a69 --- /dev/null +++ b/x-pack/plugins/infra/public/components/try_it_button.tsx 
@@ -0,0 +1,77 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { EuiFlexGroup, EuiFlexItem, EuiBetaBadge, EuiLink } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import { LinkDescriptor, useLinkProps } from '@kbn/observability-plugin/public'; +import { css } from '@emotion/react'; +import { EuiLinkColor } from '@elastic/eui'; +import { ExperimentalBadge } from './experimental_badge'; + +interface Props { + color?: EuiLinkColor; + 'data-test-subj'?: string; + experimental?: boolean; + label: string; + link: LinkDescriptor; + hideBadge?: boolean; + onClick?: () => void; +} +export const TryItButton = ({ + label, + link, + color = 'primary', + experimental = false, + hideBadge = false, + onClick, + ...props +}: Props) => { + const linkProps = useLinkProps({ ...link }); + + return ( + + {!hideBadge && ( + + + + + + )} + + + + + {experimental && ( + + + + )} + {label} + + + + + ); +}; diff --git a/x-pack/plugins/infra/public/pages/metrics/hosts/components/enable_hosts_view_page/enable_hosts_view_page.tsx b/x-pack/plugins/infra/public/pages/metrics/hosts/components/enable_hosts_view_page/enable_hosts_view_page.tsx index 07f73d5c5c360..886de82f1e9b8 100644 --- a/x-pack/plugins/infra/public/pages/metrics/hosts/components/enable_hosts_view_page/enable_hosts_view_page.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/hosts/components/enable_hosts_view_page/enable_hosts_view_page.tsx 
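Review bot: `EuiLinkColor` is imported from `@elastic/eui` on a separate line from `EuiFlexGroup, EuiFlexItem, EuiBetaBadge, EuiLink`, and it is only used as a type, so the two imports should be merged and the type-only symbol marked as such, e.g. `import { EuiFlexGroup, EuiFlexItem, EuiBetaBadge, EuiLink, type EuiLinkColor } from '@elastic/eui';`. The spread in `useLinkProps({ ...link })` copies `link` for no visible reason and can be `useLinkProps(link)`. The rendered JSX of `TryItButton` is not legible in this excerpt, so where the remaining `...props` (including `data-test-subj`) are forwarded cannot be checked from here; a one-line comment on the `Props` interface saying which element receives them would help the next reader.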
@@ -13,7 +13,7 @@ import { i18n } from '@kbn/i18n'; import { useTrackPageview } from '@kbn/observability-plugin/public'; import { MetricsPageTemplate } from '../../../page_template'; import hostsLandingBeta from './hosts_landing_beta.svg'; -import { ExperimentalBadge } from '../experimental_badge'; +import { ExperimentalBadge } from '../../../../../components/experimental_badge'; interface Props { actions?: ReactNode; diff --git a/x-pack/plugins/infra/public/pages/metrics/hosts/index.tsx b/x-pack/plugins/infra/public/pages/metrics/hosts/index.tsx index fcee32404d9d3..bd2594fe28d96 100644 --- a/x-pack/plugins/infra/public/pages/metrics/hosts/index.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/hosts/index.tsx @@ -21,7 +21,7 @@ import { MetricsDataViewProvider } from './hooks/use_data_view'; import { fullHeightContentStyles } from '../../../page_template.styles'; import { UnifiedSearchProvider } from './hooks/use_unified_search'; import { HostContainer } from './components/hosts_container'; -import { ExperimentalBadge } from './components/experimental_badge'; +import { ExperimentalBadge } from '../../../components/experimental_badge'; const HOSTS_FEEDBACK_LINK = 'https://ela.st/host-feedback'; diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/bottom_drawer.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/bottom_drawer.tsx index 87c63cef36428..4ebaeb0d874b7 100644 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/bottom_drawer.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/bottom_drawer.tsx 
@@ -5,11 +5,13 @@ * 2.0. */ -import React, { useCallback, useState, useEffect } from 'react'; +import React, { useCallback, useState, useEffect, useRef } from 'react'; import { i18n } from '@kbn/i18n'; -import { EuiFlexGroup, EuiFlexItem, EuiButtonEmpty } from '@elastic/eui'; +import { EuiFlexGroup, EuiFlexItem, EuiButtonEmpty, EuiPanel } from '@elastic/eui'; import { euiStyled } from '@kbn/kibana-react-plugin/common'; import { useUiTracker } from '@kbn/observability-plugin/public'; +import useLocalStorage from 'react-use/lib/useLocalStorage'; +import { TryItButton } from '../../../../components/try_it_button'; import { useWaffleOptionsContext } from '../hooks/use_waffle_options'; import { InfraFormatter } from '../../../../lib/lib'; import { Timeline } from './timeline/timeline'; @@ -21,14 +23,41 @@ const hideHistory = i18n.translate('xpack.infra.hideHistory', { defaultMessage: 'Hide history', }); -const TRANSITION_MS = 300; - -export const BottomDrawer: React.FC<{ - measureRef: (instance: HTMLElement | null) => void; +interface Props { interval: string; formatter: InfraFormatter; - width: number; -}> = ({ measureRef, width, interval, formatter, children }) => { + view: string; +} + +const LOCAL_STORAGE_KEY = 'inventoryUI:k8sDashboardClicked'; +const KubernetesButton = () => { + const [clicked, setClicked] = useLocalStorage(LOCAL_STORAGE_KEY, false); + const clickedRef = useRef(clicked); + return ( + { + if (!clickedRef.current) { + setClicked(true); + } + }} + hideBadge={clickedRef.current} + /> + ); +}; +export const BottomDrawer = ({ interval, formatter, view }: Props) => { const { timelineOpen, changeTimelineOpen } = useWaffleOptionsContext(); const [isOpen, setIsOpen] = useState(Boolean(timelineOpen)); 
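Review bot: In `KubernetesButton`, `clickedRef` is initialised once from `clicked` and never written again, so after `setClicked(true)` the `hideBadge={clickedRef.current}` prop stays `false` until the component remounts and the `if (!clickedRef.current)` guard keeps calling `setClicked(true)` on every further click. If the badge is meant to disappear only on the next visit, that deserves a comment (`// badge intentionally stays until next mount`); otherwise drop the ref and use the stored value directly, `hideBadge={Boolean(clicked)}` with `onClick={() => setClicked(true)}`. The value read back from `localStorage` is attacker-controlled only to the extent of the user's own browser and here only toggles a badge, so coercing it with `Boolean()` is sufficient. The link target passed to `TryItButton` is not visible in this excerpt, and `BottomDrawer`'s body continues outside the hunk.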
@@ -44,45 +73,55 @@ export const BottomDrawer: React.FC<{ changeTimelineOpen(!isOpen); }, [isOpen, trackDrawerOpen, changeTimelineOpen]); - return ( - - - - - {isOpen ? hideHistory : showHistory} - - - - + return view === 'table' ? ( + + + + ) : ( + + + + + + {isOpen ? hideHistory : showHistory} + + + + + + + + ); }; -const BottomActionContainer = euiStyled.div<{ isOpen: boolean; outerWidth: number }>` - padding: ${(props) => props.theme.eui.euiSizeM} 0; - position: fixed; +const BottomActionContainer = euiStyled.div` + position: sticky; bottom: 0; - right: 0; - transition: transform ${TRANSITION_MS}ms; - transform: translateY(${(props) => (props.isOpen ? 0 : '224px')}); - width: ${(props) => props.outerWidth + 34}px; + left: 0; + background: ${(props) => props.theme.eui.euiColorGhost}; + width: calc(100% + ${(props) => props.theme.eui.euiSizeL} * 2); + margin-left: -${(props) => props.theme.eui.euiSizeL}; `; // Additional width comes from the padding on the EuiPageBody and inner nodes container -const BottomActionTopBar = euiStyled(EuiFlexGroup).attrs({ - justifyContent: 'spaceBetween', - alignItems: 'center', -})` - margin-bottom: 0; - height: 48px; +const BottomPanel = euiStyled(EuiPanel)` + padding: ${(props) => props.theme.eui.euiSizeL} 0; `; -const ShowHideButton = euiStyled(EuiButtonEmpty).attrs({ size: 's' })` - width: 140px; +const StickyPanel = euiStyled(EuiPanel)` + padding: 0 ${(props) => props.theme.eui.euiSizeL}; `; diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/hosts_view_intro_panel.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/hosts_view_intro_panel.tsx deleted file mode 100644 index 9fad879ecad96..0000000000000 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/hosts_view_intro_panel.tsx +++ /dev/null 
@@ -1,53 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiFlexGroup, EuiFlexItem, EuiBetaBadge, EuiLink } from '@elastic/eui'; -import { i18n } from '@kbn/i18n'; -import { useLinkProps } from '@kbn/observability-plugin/public'; -import { css } from '@emotion/react'; -import { ExperimentalBadge } from '../../hosts/components/experimental_badge'; - -export const HostViewIntroPanel = () => { - const link = useLinkProps({ - app: 'metrics', - pathname: '/hosts', - }); - - return ( - - - - - - - - - - {i18n.translate('xpack.infra.layout.hostsLandingPageLink', { - defaultMessage: 'Introducing a new Hosts analysis experience', - })} - - - - ); -}; diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/layout.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/layout.tsx index 4bcf2c192d436..8938e1960d3d9 100644 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/layout.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/layout.tsx @@ -7,9 +7,10 @@ import React, { useCallback, useEffect, useState } from 'react'; import useInterval from 'react-use/lib/useInterval'; - +import { css } from '@emotion/react'; import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import { euiStyled } from '@kbn/kibana-react-plugin/common'; +import { i18n } from '@kbn/i18n'; import { SnapshotNode } from '../../../../../common/http_api'; import { SavedView } from '../../../../containers/saved_view/saved_view'; import { AutoSizer } from '../../../../components/auto_sizer'; 
@@ -31,7 +32,7 @@ import { createLegend } from '../lib/create_legend'; import { useWaffleViewState } from '../hooks/use_waffle_view_state'; import { BottomDrawer } from './bottom_drawer'; import { LegendControls } from './waffle/legend_controls'; -import { HostViewIntroPanel } from './hosts_view_intro_panel'; +import { TryItButton } from '../../../../components/try_it_button'; interface Props { shouldLoadDefault: boolean; @@ -141,92 +142,83 @@ export const Layout = React.memo( return ( <> - - {({ measureRef: pageMeasureRef, bounds: { width = 0 } }) => ( - - - {({ - measureRef: topActionMeasureRef, - bounds: { height: topActionHeight = 0 }, - }) => ( - <> - - - - - {view === 'map' && ( - - - - )} - - - - - - - - - {({ measureRef, bounds: { height = 0 } }) => ( - <> - - {view === 'map' && ( - - )} - - )} - - + + + + + + {view === 'map' && ( + + + )} - - - )} - + + + + + + + + + + + + {({ bounds: { height = 0 } }) => ( + + )} + + + + ); } ); -const MainContainer = euiStyled.div` - position: relative; - flex: 1 1 auto; -`; - -const TopActionContainer = euiStyled.div` - padding: ${(props) => `12px ${props.theme.eui.euiSizeM}`}; +const TopActionContainer = euiStyled(EuiFlexItem)` + padding: ${(props) => `${props.theme.eui.euiSizeM} 0`}; `; diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/nodes_overview.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/nodes_overview.tsx index 0e6a47b2417c7..c7d5e425efbab 100644 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/nodes_overview.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/nodes_overview.tsx @@ -38,7 +38,6 @@ interface Props { autoBounds: boolean; formatter: InfraFormatter; bottomMargin: number; - topMargin: number; showLoading: boolean; } 
@@ -55,7 +54,6 @@ export const NodesOverview = ({ formatter, onDrilldown, bottomMargin, - topMargin, showLoading, }: Props) => { const currentBreakpoint = useCurrentEuiBreakpoint(); @@ -121,7 +119,7 @@ export const NodesOverview = ({ ); } return ( - + props.theme.eui.euiSizeL}; `; -const MapContainer = euiStyled.div<{ top: number; positionStatic: boolean }>` +const MapContainer = euiStyled.div<{ positionStatic: boolean }>` position: ${(props) => (props.positionStatic ? 'static' : 'absolute')}; display: flex; - top: ${(props) => props.top}px; + top: 0; right: 0; bottom: 0; left: 0; diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/waffle/map.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/waffle/map.tsx index a4558d6a7e9b0..6a0a6dad79eab 100644 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/waffle/map.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/waffle/map.tsx @@ -115,5 +115,4 @@ const WaffleMapInnerContainer = euiStyled.div` flex-wrap: wrap; justify-content: center; align-content: flex-start; - padding: 10px; `; diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/index.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/index.tsx index fde2a4923441d..d0f7e56cf17c8 100644 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/index.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/index.tsx @@ -9,6 +9,7 @@ import { EuiErrorBoundary } from '@elastic/eui'; import React from 'react'; import { useTrackPageview } from '@kbn/observability-plugin/public'; import { APP_WRAPPER_CLASS } from '@kbn/core/public'; +import { css } from '@emotion/react'; import { FilterBar } from './components/filter_bar'; import { SourceErrorPage } from '../../../components/source_error_page'; import { SourceLoadingPage } from '../../../components/source_loading_page'; 
@@ -64,7 +65,10 @@ export const SnapshotPage = () => { }} pageSectionProps={{ contentProps: { - css: fullHeightContentStyles, + css: css` + ${fullHeightContentStyles}; + padding-bottom: 0; + `, }, }} > diff --git a/x-pack/test/functional/page_objects/infra_home_page.ts b/x-pack/test/functional/page_objects/infra_home_page.ts index a13c9a89ae0cb..68d69832caf3b 100644 --- a/x-pack/test/functional/page_objects/infra_home_page.ts +++ b/x-pack/test/functional/page_objects/infra_home_page.ts @@ -163,7 +163,12 @@ export function InfraHomePageProvider({ getService, getPageObjects }: FtrProvide async closeTimeline() { await testSubjects.click('toggleTimelineButton'); - await testSubjects.existOrFail('timelineContainerClosed'); + const timelineSelectorsVisible = await Promise.all([ + testSubjects.exists('timelineContainerClosed'), + testSubjects.exists('timelineContainerOpen'), + ]); + + return timelineSelectorsVisible.every((visible) => !visible); }, async openInvenotrySwitcher() { diff --git a/x-pack/test/functional/page_objects/infra_hosts_view.ts b/x-pack/test/functional/page_objects/infra_hosts_view.ts index e5c30934146d6..ddc7f24029d46 100644 --- a/x-pack/test/functional/page_objects/infra_hosts_view.ts +++ b/x-pack/test/functional/page_objects/infra_hosts_view.ts @@ -16,7 +16,7 @@ export function InfraHostsViewProvider({ getService }: FtrProviderContext) { }, async clickTryHostViewBadge() { - return await testSubjects.click('inventory-hostsView-badge'); + return await testSubjects.click('inventory-hostsView-link-badge'); }, async getHostsLandingPageDisabled() { From b31b18d93d8a4dd1bcb0235cd47ce14aa04cbc99 Mon Sep 17 00:00:00 2001 
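Review bot: `closeTimeline()` in `infra_home_page.ts` used to fail the test via `existOrFail('timelineContainerClosed')`; the new version returns a boolean and never throws, so any caller that does `await infraHome.closeTimeline()` without asserting the result now passes silently even when the timeline is still open. Either keep an assertion in the page object, e.g. `expect(timelineSelectorsVisible.every((visible) => !visible)).toBe(true);` before returning, or rename it to something like `closeTimelineAndCheckHidden` and update callers to assert the return value. The callers are outside this diff, so whether they check the result cannot be confirmed here.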
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 7 Feb 2023 11:21:03 +0100 Subject: [PATCH 02/27] Update react-query to ^4.24.4 (main) (#150348) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@tanstack/react-query](https://tanstack.com/query) ([source](https://togithub.com/tanstack/query)) | [`^4.24.2` -> `^4.24.4`](https://renovatebot.com/diffs/npm/@tanstack%2freact-query/4.24.4/4.24.4) | [![age](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query/4.24.4/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query/4.24.4/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query/4.24.4/compatibility-slim/4.24.4)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query/4.24.4/confidence-slim/4.24.4)](https://docs.renovatebot.com/merge-confidence/) | | [@tanstack/react-query-devtools](https://tanstack.com/query) ([source](https://togithub.com/tanstack/query)) | [`^4.24.2` -> `^4.24.4`](https://renovatebot.com/diffs/npm/@tanstack%2freact-query-devtools/4.24.4/4.24.4) | [![age](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query-devtools/4.24.4/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query-devtools/4.24.4/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | 
[![passing](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query-devtools/4.24.4/compatibility-slim/4.24.4)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@tanstack%2freact-query-devtools/4.24.4/confidence-slim/4.24.4)](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/elastic/kibana). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package.json | 4 ++-- yarn.lock | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index 23fd401733c3c..04f0e1035325b 100644 --- a/package.json +++ b/package.json @@ -424,8 +424,8 @@ "@opentelemetry/semantic-conventions": "^1.4.0", "@reduxjs/toolkit": "1.7.2", "@slack/webhook": "^5.0.4", - "@tanstack/react-query": "^4.24.2", - "@tanstack/react-query-devtools": "^4.24.2", + "@tanstack/react-query": "^4.24.4", + "@tanstack/react-query-devtools": "^4.24.4", "@turf/along": "6.0.1", "@turf/area": "6.0.1", "@turf/bbox": "6.0.1", diff --git a/yarn.lock b/yarn.lock index 8019abe753c62..4613bc8853a69 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -6278,7 +6278,7 @@ resolved "https://registry.yarnpkg.com/@tanstack/query-core/-/query-core-4.24.4.tgz#6fe78777286fdd805ac319c7c743df4935e18ee2" integrity sha512-9dqjv9eeB6VHN7lD3cLo16ZAjfjCsdXetSAD5+VyKqLUvcKTL0CklGQRJu+bWzdrS69R6Ea4UZo8obHYZnG6aA== -"@tanstack/react-query-devtools@^4.24.2": +"@tanstack/react-query-devtools@^4.24.4": version "4.24.4" resolved "https://registry.yarnpkg.com/@tanstack/react-query-devtools/-/react-query-devtools-4.24.4.tgz#5f0bd45f929950ff2b56a1a3ed18a006780e3495" integrity sha512-4mldcR99QDX8k94I+STM9gPsYF+FDAD2EQJvHtxR2HrDNegbfmY474xuW0QUZaNW/vJi09Gak6b6Vy2INWhL6w== @@ -6287,7 +6287,7 @@ superjson "^1.10.0" use-sync-external-store "^1.2.0" -"@tanstack/react-query@^4.24.2": +"@tanstack/react-query@^4.24.4": version "4.24.4" resolved "https://registry.yarnpkg.com/@tanstack/react-query/-/react-query-4.24.4.tgz#79e892edac33d8aa394795390c0f79e4a8c9be4d" integrity sha512-RpaS/3T/a3pHuZJbIAzAYRu+1nkp+/enr9hfRXDS/mojwx567UiMksoqW4wUFWlwIvWTXyhot2nbIipTKEg55Q== From c25da5920dac3233f7327d373b75ed1061ff7429 Mon Sep 17 00:00:00 2001 
From: Sander Philipse <94373878+sphilipse@users.noreply.github.com> Date: Tue, 7 Feb 2023 11:26:35 +0100 Subject: [PATCH 03/27] [Enterprise Search] Check in progress syncs for connector (#150362) ## Summary This adds a warning about in-progress syncs, and cancels any that exist when deleting a connector. --- .../api/connector/cancel_syncs_api_logic.ts | 4 +- .../api/index/fetch_index_api_logic.ts | 10 ++- .../search_index/index_view_logic.ts | 9 +-- .../search_indices/delete_index_modal.tsx | 71 +++++++++++++++++-- .../search_indices/indices_logic.test.ts | 16 ++++- .../search_indices/indices_logic.ts | 56 ++++++++++++--- .../lib/connectors/add_connector.test.ts | 8 +-- .../lib/connectors/delete_connector.test.ts | 16 +++-- .../server/lib/connectors/delete_connector.ts | 10 ++- .../lib/connectors/post_cancel_syncs.test.ts | 4 +- .../lib/connectors/post_cancel_syncs.ts | 4 +- .../server/lib/indices/fetch_index.test.ts | 9 ++- .../server/lib/indices/fetch_index.ts | 29 +++++++- 13 files changed, 205 insertions(+), 41 deletions(-) diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/connector/cancel_syncs_api_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/connector/cancel_syncs_api_logic.ts index 53324ceb9f635..b4f1b349f44f5 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/connector/cancel_syncs_api_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/connector/cancel_syncs_api_logic.ts @@ -7,7 +7,7 @@ import { i18n } from '@kbn/i18n'; -import { createApiLogic } from '../../../shared/api_logic/create_api_logic'; +import { Actions, createApiLogic } from '../../../shared/api_logic/create_api_logic'; import { HttpLogic } from '../../../shared/http'; export interface CancelSyncsApiArgs { 
@@ -25,3 +25,5 @@ export const CancelSyncsApiLogic = createApiLogic(['cancel_syncs_api_logic'], ca defaultMessage: 'Successfully canceled syncs', }), }); + +export type CancelSyncsActions = Actions; diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/index/fetch_index_api_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/index/fetch_index_api_logic.ts index 9ba818bc6c57a..e8d67f6228889 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/index/fetch_index_api_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/index/fetch_index_api_logic.ts @@ -6,24 +6,28 @@ */ import { ElasticsearchIndexWithIngestion } from '../../../../../common/types/indices'; -import { createApiLogic } from '../../../shared/api_logic/create_api_logic'; +import { Actions, createApiLogic } from '../../../shared/api_logic/create_api_logic'; import { HttpLogic } from '../../../shared/http'; export interface FetchIndexApiParams { indexName: string; } -export type FetchIndexApiResponse = ElasticsearchIndexWithIngestion; +export type FetchIndexApiResponse = ElasticsearchIndexWithIngestion & { + has_in_progress_syncs?: boolean; +}; export const fetchIndex = async ({ indexName, }: FetchIndexApiParams): Promise => { const route = `/internal/enterprise_search/indices/${indexName}`; - return await HttpLogic.values.http.get(route); + return await HttpLogic.values.http.get(route); }; export const FetchIndexApiLogic = createApiLogic(['fetch_index_api_logic'], fetchIndex, { clearFlashMessagesOnMakeRequest: false, showErrorFlash: false, }); + +export type FetchIndexActions = Actions; 
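Review bot: `fetchIndex` interpolates `indexName` into the request path unencoded (`/internal/enterprise_search/indices/${indexName}`), and this hunk makes that route the one the new delete-confirmation flow relies on. Elasticsearch index names are restricted, so the practical risk is low, but encoding at the boundary is cheap and prevents a name with `%`, `?` or `#` from being interpreted as part of the URL: `const route = \`/internal/enterprise_search/indices/${encodeURIComponent(indexName)}\`;`. The generic on `http.get` and on the `Actions` aliases is not legible in this excerpt, so the response typing could not be checked; `has_in_progress_syncs` being optional means consumers must treat `undefined` as "unknown" rather than "no syncs", which is worth a comment on the field.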
diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/index_view_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/index_view_logic.ts index 4ed5b7cef1b41..b89e122f03c7f 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/index_view_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/index_view_logic.ts @@ -16,7 +16,6 @@ import { IngestPipelineParams, SyncStatus, } from '../../../../../common/types/connectors'; -import { ElasticsearchIndexWithIngestion } from '../../../../../common/types/indices'; import { Actions } from '../../../shared/api_logic/create_api_logic'; import { flashSuccessToast } from '../../../shared/flash_messages'; @@ -26,6 +25,7 @@ import { CachedFetchIndexApiLogicActions, } from '../../api/index/cached_fetch_index_api_logic'; +import { FetchIndexApiResponse } from '../../api/index/fetch_index_api_logic'; import { ElasticsearchViewIndex, IngestionMethod, IngestionStatus } from '../../types'; import { getIngestionMethod, @@ -232,11 +232,12 @@ export const IndexViewLogic = kea [selectors.indexData], - (data: ElasticsearchIndexWithIngestion | undefined) => isConnectorIndex(data), + (data: FetchIndexApiResponse | undefined) => isConnectorIndex(data), ], isSyncing: [ - () => [selectors.syncStatus], - (syncStatus: SyncStatus) => syncStatus === SyncStatus.IN_PROGRESS, + () => [selectors.indexData, selectors.syncStatus], + (indexData: FetchIndexApiResponse | null, syncStatus: SyncStatus) => + indexData?.has_in_progress_syncs || syncStatus === SyncStatus.IN_PROGRESS, ], isWaitingForSync: [ () => [selectors.fetchIndexApiData, selectors.localSyncNowValue], 
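Review bot: The two adjacent selectors type the same `indexData` value differently — `FetchIndexApiResponse | undefined` in `isConnectorIndex` and `FetchIndexApiResponse | null` in `isSyncing` — which reads as a mistake and should be unified to whatever `selectors.indexData` actually produces. Since `has_in_progress_syncs` is optional, writing the check as `indexData?.has_in_progress_syncs === true || syncStatus === SyncStatus.IN_PROGRESS` makes it explicit that a missing flag does not count as syncing. The rest of the `IndexViewLogic` selectors are outside the hunk.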
diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/delete_index_modal.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/delete_index_modal.tsx index c7b5ebaf66617..085aacbd59b03 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/delete_index_modal.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/delete_index_modal.tsx @@ -5,11 +5,19 @@ * 2.0. */ -import React from 'react'; +import React, { useState } from 'react'; import { useActions, useValues } from 'kea'; -import { EuiConfirmModal } from '@elastic/eui'; +import { + EuiCallOut, + EuiConfirmModal, + EuiFieldText, + EuiForm, + EuiFormRow, + EuiSpacer, +} from '@elastic/eui'; + import { i18n } from '@kbn/i18n'; import { ingestionMethodToText } from '../../utils/indices'; @@ -20,10 +28,15 @@ export const DeleteIndexModal: React.FC = () => { const { closeDeleteModal, deleteIndex } = useActions(IndicesLogic); const { deleteModalIndexName: indexName, + deleteModalIndexHasInProgressSyncs, deleteModalIngestionMethod: ingestionMethod, isDeleteModalVisible, isDeleteLoading, + isFetchIndexDetailsLoading, } = useValues(IndicesLogic); + + const [inputIndexName, setInputIndexName] = useState(''); + return isDeleteModalVisible ? ( { )} defaultFocusedButton="confirm" buttonColor="danger" - isLoading={isDeleteLoading} + confirmButtonDisabled={inputIndexName.trim() !== indexName} + isLoading={isDeleteLoading || isFetchIndexDetailsLoading} >

{i18n.translate( 'xpack.enterpriseSearch.content.searchIndices.deleteModal.delete.description', { defaultMessage: - 'Deleting this index will also delete all of its data and its {ingestionMethod} configuration. Any associated search engines will no longer be able to access any data stored in this index.This can not be undone.', + 'Deleting this index will also delete all of its data and its {ingestionMethod} configuration. Any associated search engines will no longer be able to access any data stored in this index.', values: { ingestionMethod: ingestionMethodToText(ingestionMethod), }, } )}

+ {deleteModalIndexHasInProgressSyncs && ( + <> + +

+ {i18n.translate( + 'xpack.enterpriseSearch.content.searchIndices.deleteModal.syncsWarning.description', + { + defaultMessage: + 'This index has in-progress syncs. Deleting the index without stopping these syncs may result in dangling sync job records or the index being re-created.', + } + )} +

+
+ + + )} +

+ {i18n.translate( + 'xpack.enterpriseSearch.content.searchIndices.deleteModal.syncsWarning.indexNameDescription', + { + defaultMessage: 'This action cannot be undone. Please type {indexName} to confirm.', + values: { indexName }, + } + )} +

+ + + setInputIndexName(e.target.value)} + value={inputIndexName} + /> + +
) : ( <> diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts index acf1eaa9f8331..16ee5faff914a 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts @@ -29,13 +29,17 @@ import { IndicesLogic } from './indices_logic'; const DEFAULT_VALUES = { data: undefined, deleteModalIndex: null, + deleteModalIndexHasInProgressSyncs: false, deleteModalIndexName: '', deleteModalIngestionMethod: IngestionMethod.API, deleteStatus: Status.IDLE, hasNoIndices: false, + indexDetails: undefined, + indexDetailsStatus: 0, indices: [], isDeleteLoading: false, isDeleteModalVisible: false, + isFetchIndexDetailsLoading: true, isFirstRequest: true, isLoading: true, meta: DEFAULT_META, 
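Review bot: `inputIndexName` is held in `useState('')` at the component level and `DeleteIndexModal` stays mounted when `isDeleteModalVisible` flips to false, so the typed confirmation survives closing the modal; reopening it for the same index shows the confirm button already enabled, defeating the type-to-confirm guard. Reset it when the modal closes, e.g. `useEffect(() => { if (!isDeleteModalVisible) setInputIndexName(''); }, [isDeleteModalVisible]);`, or clear it in the close handler. Separately, the in-progress-sync warning only appears when `deleteModalIndexHasInProgressSyncs` is true, and `FetchIndexApiLogic` is configured with `showErrorFlash: false`, so if the details fetch fails the modal presumably renders with no warning and an enabled confirm button — consider gating confirm on a successful fetch or showing a callout when `indexDetailsStatus` is an error; the status wiring is in `indices_logic.ts`, not in this hunk. The modal's JSX is partly illegible in this excerpt, so the exact element the cancel-syncs action is attached to could not be verified.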
@@ -80,21 +84,27 @@ describe('IndicesLogic', () => { }); describe('openDeleteModal', () => { it('should set deleteIndexName and set isDeleteModalVisible to true', () => { + IndicesLogic.actions.fetchIndexDetails = jest.fn(); IndicesLogic.actions.openDeleteModal(connectorIndex); expect(IndicesLogic.values).toEqual({ ...DEFAULT_VALUES, - deleteModalIndex: connectorIndex, deleteModalIndexName: 'connector', - deleteModalIngestionMethod: IngestionMethod.CONNECTOR, isDeleteModalVisible: true, }); + expect(IndicesLogic.actions.fetchIndexDetails).toHaveBeenCalledWith({ + indexName: 'connector', + }); }); }); describe('closeDeleteModal', () => { it('should set deleteIndexName to empty and set isDeleteModalVisible to false', () => { IndicesLogic.actions.openDeleteModal(connectorIndex); + IndicesLogic.actions.fetchIndexDetails = jest.fn(); IndicesLogic.actions.closeDeleteModal(); - expect(IndicesLogic.values).toEqual(DEFAULT_VALUES); + expect(IndicesLogic.values).toEqual({ + ...DEFAULT_VALUES, + indexDetailsStatus: Status.LOADING, + }); }); }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts index 282566637e103..953fce853904b 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts 
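Review bot: In the `closeDeleteModal` test, `IndicesLogic.actions.fetchIndexDetails = jest.fn();` is assigned after `openDeleteModal(connectorIndex)`, so the real `fetchIndexDetails` listener fires and the expectation has to tolerate `indexDetailsStatus: Status.LOADING` leaking into the post-close state. Moving that mock line above the `openDeleteModal` call lets the assertion stay `expect(IndicesLogic.values).toEqual(DEFAULT_VALUES)` and keeps the test about `closeDeleteModal` only. If the lingering `LOADING` status after close is deliberate, the test title should say so rather than leaving it as an incidental expectation.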
@@ -13,11 +13,20 @@ import { ElasticsearchIndexWithIngestion } from '../../../../../common/types/ind import { Actions } from '../../../shared/api_logic/create_api_logic'; import { DEFAULT_META } from '../../../shared/constants'; import { updateMetaPageIndex } from '../../../shared/table_pagination'; +import { + CancelSyncsActions, + CancelSyncsApiLogic, +} from '../../api/connector/cancel_syncs_api_logic'; import { DeleteIndexApiLogic, DeleteIndexApiLogicArgs, DeleteIndexApiLogicValues, } from '../../api/index/delete_index_api_logic'; +import { + FetchIndexActions, + FetchIndexApiLogic, + FetchIndexApiResponse, +} from '../../api/index/fetch_index_api_logic'; import { FetchIndicesAPILogic } from '../../api/index/fetch_indices_api_logic'; import { ElasticsearchViewIndex, IngestionMethod } from '../../types'; import { getIngestionMethod, indexToViewIndex } from '../../utils/indices'; @@ -43,10 +52,12 @@ export interface IndicesActions { returnHiddenIndices: boolean; searchQuery?: string; }; + cancelSuccess: CancelSyncsActions['apiSuccess']; closeDeleteModal(): void; deleteError: Actions['apiError']; deleteIndex: Actions['makeRequest']; deleteSuccess: Actions['apiSuccess']; + fetchIndexDetails: FetchIndexActions['makeRequest']; fetchIndices({ meta, returnHiddenIndices, @@ -63,14 +74,18 @@ export interface IndicesActions { } export interface IndicesValues { data: typeof FetchIndicesAPILogic.values.data; - deleteModalIndex: ElasticsearchViewIndex | null; + deleteModalIndex: FetchIndexApiResponse | null; + deleteModalIndexHasInProgressSyncs: boolean; deleteModalIndexName: string; deleteModalIngestionMethod: IngestionMethod; deleteStatus: typeof DeleteIndexApiLogic.values.status; hasNoIndices: boolean; + indexDetails: FetchIndexApiResponse | null; + indexDetailsStatus: Status; indices: ElasticsearchViewIndex[]; isDeleteLoading: boolean; isDeleteModalVisible: boolean; + isFetchIndexDetailsLoading: boolean; isFirstRequest: boolean; isLoading: boolean; meta: Meta; 
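Review bot: `indexDetails: FetchIndexApiResponse | null;` in `IndicesValues` disagrees with the initial value the test file's `DEFAULT_VALUES` pins for it in this patch's first hunk (`indexDetails: undefined`), so a consumer that narrows with `=== null` will miss the initial state. Since the value is connected straight from `FetchIndexApiLogic`'s `data`, type it the way `data` is typed a few lines above, `indexDetails: typeof FetchIndexApiLogic.values.data;`, or normalize it to `null` in a selector so the declared type holds. The `IndicesValues` interface continues past the end of this hunk.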
@@ -92,12 +107,18 @@ export const IndicesLogic = kea>({ }, connect: { actions: [ + CancelSyncsApiLogic, + ['apiSuccess as cancelSuccess'], + FetchIndexApiLogic, + ['makeRequest as fetchIndexDetails'], FetchIndicesAPILogic, ['makeRequest', 'apiSuccess', 'apiError'], DeleteIndexApiLogic, ['apiError as deleteError', 'apiSuccess as deleteSuccess', 'makeRequest as deleteIndex'], ], values: [ + FetchIndexApiLogic, + ['data as indexDetails', 'status as indexDetailsStatus'], FetchIndicesAPILogic, ['data', 'status'], DeleteIndexApiLogic, @@ -105,6 +126,9 @@ export const IndicesLogic = kea>({ ], }, listeners: ({ actions, values }) => ({ + cancelSuccess: async () => { + actions.fetchIndexDetails({ indexName: values.deleteModalIndexName }); + }, deleteSuccess: () => { actions.closeDeleteModal(); actions.fetchIndices(values.searchParams); @@ -113,14 +137,17 @@ export const IndicesLogic = kea>({ await breakpoint(150); actions.makeRequest(input); }, + openDeleteModal: ({ index }) => { + actions.fetchIndexDetails({ indexName: index.name }); + }, }), path: ['enterprise_search', 'content', 'indices_logic'], reducers: () => ({ - deleteModalIndex: [ - null, + deleteModalIndexName: [ + '', { - closeDeleteModal: () => null, - openDeleteModal: (_, { index }) => index, + closeDeleteModal: () => '', + openDeleteModal: (_, { index: { name } }) => name, }, ], isDeleteModalVisible: [ 
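Review bot: The `cancelSuccess` listener is declared `async` but awaits nothing, so the keyword only wraps a synchronous action dispatch in a promise nobody observes. Write it in the same shape as `deleteSuccess` and the new `openDeleteModal` listener: `cancelSuccess: () => { actions.fetchIndexDetails({ indexName: values.deleteModalIndexName }); },`. The kea logic object these listeners belong to starts and ends outside the hunk.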
@@ -154,10 +181,18 @@ export const IndicesLogic = kea>({ ], }), selectors: ({ selectors }) => ({ - deleteModalIndexName: [() => [selectors.deleteModalIndex], (index) => index?.name ?? ''], - deleteModalIngestionMethod: [ + deleteModalIndex: [ + () => [selectors.deleteModalIndexName, selectors.indexDetails], + (indexName: string, indexDetails: FetchIndexApiResponse | null) => + indexName === indexDetails?.name ? indexDetails : null, + ], + deleteModalIndexHasInProgressSyncs: [ () => [selectors.deleteModalIndex], - (index: ElasticsearchViewIndex | null) => + (index: FetchIndexApiResponse | null) => (index ? index.has_in_progress_syncs : false), + ], + deleteModalIngestionMethod: [ + () => [selectors.indexDetails], + (index: FetchIndexApiResponse | null) => index ? getIngestionMethod(index) : IngestionMethod.API, ], hasNoIndices: [ @@ -174,6 +209,11 @@ export const IndicesLogic = kea>({ () => [selectors.deleteStatus], (status: IndicesValues['deleteStatus']) => [Status.LOADING].includes(status), ], + isFetchIndexDetailsLoading: [ + () => [selectors.indexDetailsStatus], + (status: IndicesValues['indexDetailsStatus']) => + [Status.IDLE, Status.LOADING].includes(status), + ], isLoading: [ () => [selectors.status, selectors.isFirstRequest], (status, isFirstRequest) => [Status.LOADING, Status.IDLE].includes(status) && isFirstRequest, diff --git a/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts b/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts index e6584c0a8b205..d51db7398d146 100644 --- a/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts +++ b/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts 
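Review bot: `deleteModalIngestionMethod` is now derived from `selectors.indexDetails` rather than `selectors.deleteModalIndex`, so while the fetch started by `openDeleteModal` is in flight it reports the ingestion method of whichever index was fetched last, which need not be the index named in the modal; `deleteModalIndexHasInProgressSyncs` directly above already goes through `deleteModalIndex`, whose name comparison guards against exactly this. Change the input to `() => [selectors.deleteModalIndex],` so the two selectors agree. The `closeDeleteModal` test in this patch, which expects `indexDetailsStatus: Status.LOADING` to persist after the modal closes, suggests that stale-details window is real rather than theoretical. The selectors object continues outside the hunk.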
@@ -17,6 +17,7 @@ import { fetchCrawlerByIndexName } from '../crawler/fetch_crawlers'; import { textAnalysisSettings } from '../indices/text_analysis'; import { addConnector } from './add_connector'; +import { deleteConnectorById } from './delete_connector'; import { fetchConnectorByIndexName } from './fetch_connectors'; jest.mock('../../index_management/setup_indices', () => ({ @@ -24,12 +25,12 @@ jest.mock('../../index_management/setup_indices', () => ({ })); jest.mock('./fetch_connectors', () => ({ fetchConnectorByIndexName: jest.fn() })); +jest.mock('./delete_connector', () => ({ deleteConnectorById: jest.fn() })); jest.mock('../crawler/fetch_crawlers', () => ({ fetchCrawlerByIndexName: jest.fn() })); describe('addConnector lib function', () => { const mockClient = { asCurrentUser: { - delete: jest.fn(), index: jest.fn(), indices: { create: jest.fn(), @@ -262,10 +263,7 @@ describe('addConnector lib function', () => { language: null, }) ).resolves.toEqual({ id: 'fakeId', index_name: 'index_name' }); - expect(mockClient.asCurrentUser.delete).toHaveBeenCalledWith({ - id: 'connectorId', - index: CONNECTORS_INDEX, - }); + expect(deleteConnectorById).toHaveBeenCalledWith(mockClient, 'connectorId'); expect(mockClient.asCurrentUser.index).toHaveBeenCalledWith({ document: { api_key_id: null, diff --git a/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.test.ts b/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.test.ts index 4e43667c4063b..0ce9e53632835 100644 --- a/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.test.ts +++ b/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.test.ts 
@@ -11,6 +11,11 @@ import { CONNECTORS_INDEX } from '../..'; import { deleteConnectorById } from './delete_connector'; +jest.mock('./post_cancel_syncs', () => ({ + cancelSyncs: jest.fn(), +})); +import { cancelSyncs } from './post_cancel_syncs'; + describe('deleteConnector lib function', () => { const mockClient = { asCurrentUser: { @@ -21,16 +26,19 @@ describe('deleteConnector lib function', () => { beforeEach(() => { jest.clearAllMocks(); + jest.useFakeTimers(); }); - it('should delete connector', async () => { + it('should delete connector and cancel syncs', async () => { mockClient.asCurrentUser.delete.mockImplementation(() => true); - await expect( - deleteConnectorById(mockClient as unknown as IScopedClusterClient, 'connectorId') - ).resolves.toEqual(true); + + await deleteConnectorById(mockClient as unknown as IScopedClusterClient, 'connectorId'); + expect(cancelSyncs as jest.Mock).toHaveBeenCalledWith(mockClient, 'connectorId'); expect(mockClient.asCurrentUser.delete).toHaveBeenCalledWith({ id: 'connectorId', index: CONNECTORS_INDEX, + refresh: 'wait_for', }); + jest.useRealTimers(); }); }); diff --git a/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.ts b/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.ts index 1ea6af4dd74d3..cd935f32c2c15 100644 --- a/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.ts +++ b/x-pack/plugins/enterprise_search/server/lib/connectors/delete_connector.ts 
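Review bot: `jest.useFakeTimers()` is installed in `beforeEach`, but `jest.useRealTimers()` is only reached at the end of the test body, so a failing assertion leaves fake timers active for whatever runs next; move the restore to `afterEach(() => { jest.useRealTimers(); });`. The test also never advances the fake clock, so if `deleteConnectorById` really waited on its 500 ms timer the `await` would never resolve — it passes only because the timeout in `delete_connector.ts` is never started (see the next file's hunk). Once that is fixed, start the call without awaiting, advance with `jest.advanceTimersByTime(500)`, then await the pending promise.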
@@ -9,6 +9,14 @@ import { IScopedClusterClient } from '@kbn/core/server'; import { CONNECTORS_INDEX } from '../..'; +import { cancelSyncs } from './post_cancel_syncs'; + export const deleteConnectorById = async (client: IScopedClusterClient, id: string) => { - return await client.asCurrentUser.delete({ id, index: CONNECTORS_INDEX }); + // timeout function to mitigate race condition with external connector running job and recreating index + const timeout = async () => { + const promise = new Promise((resolve) => setTimeout(resolve, 500)); + return promise; + }; + await Promise.all([cancelSyncs(client, id), timeout]); + return await client.asCurrentUser.delete({ id, index: CONNECTORS_INDEX, refresh: 'wait_for' }); }; diff --git a/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.test.ts b/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.test.ts index adac70f88276c..be8a295398bbb 100644 --- a/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.test.ts +++ b/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.test.ts @@ -52,7 +52,6 @@ describe('addConnector lib function', () => { ], }, }, - refresh: true, script: { lang: 'painless', source: `ctx._source['status'] = '${SyncStatus.CANCELED}'; @@ -79,7 +78,6 @@ ctx._source['completed_at'] = '${new Date(Date.now()).toISOString()}';`, ], }, }, - refresh: true, script: { lang: 'painless', source: `ctx._source['status'] = '${SyncStatus.CANCELING}'; @@ -90,7 +88,7 @@ ctx._source['cancelation_requested_at'] = '${new Date(Date.now()).toISOString()} doc: { last_sync_status: SyncStatus.CANCELED, sync_now: false }, id: 'connectorId', index: CONNECTORS_INDEX, - refresh: true, + refresh: 'wait_for', }); }); }); diff --git a/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.ts b/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.ts index d76a1df08ec50..eb9eefebb3c48 100644 
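Review bot: `await Promise.all([cancelSyncs(client, id), timeout]);` passes the `timeout` function itself rather than its promise, so `Promise.all` resolves as soon as `cancelSyncs` settles and the 500 ms delay the comment describes never happens. Drop the helper and write `await Promise.all([cancelSyncs(client, id), new Promise((resolve) => setTimeout(resolve, 500))]);`. A fixed sleep is a fragile guard for the race the comment mentions, so the comment should at least say what the delay is waiting for (the external job reacting to the cancel) so that the number can be revisited if a status check becomes available.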
--- a/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.ts +++ b/x-pack/plugins/enterprise_search/server/lib/connectors/post_cancel_syncs.ts @@ -32,7 +32,6 @@ export const cancelSyncs = async ( ], }, }, - refresh: true, script: { lang: 'painless', source: `ctx._source['status'] = '${SyncStatus.CANCELED}'; @@ -59,7 +58,6 @@ ctx._source['completed_at'] = '${new Date(Date.now()).toISOString()}';`, ], }, }, - refresh: true, script: { lang: 'painless', source: `ctx._source['status'] = '${SyncStatus.CANCELING}'; @@ -70,6 +68,6 @@ ctx._source['cancelation_requested_at'] = '${new Date(Date.now()).toISOString()} doc: { last_sync_status: SyncStatus.CANCELED, sync_now: false }, id: connectorId, index: CONNECTORS_INDEX, - refresh: true, + refresh: 'wait_for', }); }; diff --git a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.test.ts b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.test.ts index c9b4979d79a84..56831b5f651ec 100644 --- a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.test.ts +++ b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.test.ts @@ -65,6 +65,7 @@ describe('fetchIndex lib function', () => { const result = { aliases: [], count: 100, + has_in_progress_syncs: false, health: 'green', hidden: false, name: 'index_name', @@ -114,7 +115,11 @@ describe('fetchIndex lib function', () => { await expect( fetchIndex(mockClient as unknown as IScopedClusterClient, 'index_name') - ).resolves.toEqual({ ...result, connector: { doc: 'doc', service_type: 'some-service-type' } }); + ).resolves.toEqual({ + ...result, + connector: { doc: 'doc', service_type: 'some-service-type' }, + has_in_progress_syncs: true, + }); }); it('should return data and stats for index and crawler if crawler is present', async () => { 
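Review bot: Dropping `refresh: true` from the two script-based updates leaves no explanation of why those writes may now go unrefreshed while the final document update was switched to `refresh: 'wait_for'`, and a later reader is likely to re-add it. If the reason is that the update-by-query request only accepts a boolean `refresh`, record it, for example `// update-by-query has no 'wait_for'; cancelled jobs become visible at the next refresh`. The lag matters because `hasInProgressSyncs` in fetch_index.ts counts jobs still marked IN_PROGRESS, so a fetch issued immediately after a cancel may still report in-progress syncs. The `cancelSyncs` body starts outside these hunks.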
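Review bot: The new expectation `has_in_progress_syncs: true` in the connector case appears to be produced by the same `count` mock that supplies the index document `count: 100`, so the test cannot tell which of the two `count` calls set the flag; the `@@ -144` hunk in the next chunk shows the coupling the other way round, where forcing the syncs count to `{ count: 0 }` also changes the expected document count to `0`. Sequence the mock per call, `mockClient.asCurrentUser.count.mockReturnValueOnce({ count: 100 }).mockReturnValueOnce({ count: 1 })`, and assert that the second call was made with `index: CONNECTORS_JOBS_INDEX`, so each field is pinned to its own query. The enclosing `describe` block starts and ends outside these hunks.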
@@ -144,6 +149,7 @@ describe('fetchIndex lib function', () => { }); it('should return data and stats for index and crawler if a crawler registered as a connector is present', async () => { + mockClient.asCurrentUser.count.mockReturnValue({ count: 0 }); mockClient.asCurrentUser.indices.get.mockImplementation(() => Promise.resolve({ index_name: { aliases: [], data: 'full index' }, @@ -167,6 +173,7 @@ describe('fetchIndex lib function', () => { ).resolves.toEqual({ ...result, connector: { doc: 'doc', service_type: ENTERPRISE_SEARCH_CONNECTOR_CRAWLER_SERVICE_TYPE }, + count: 0, crawler: { id: '1234' }, }); }); diff --git a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.ts b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.ts index 140a1180360ed..7549d59da6ffc 100644 --- a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.ts +++ b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_index.ts @@ -7,13 +7,34 @@ import { IScopedClusterClient } from '@kbn/core/server'; +import { CONNECTORS_JOBS_INDEX } from '../..'; + import { ENTERPRISE_SEARCH_CONNECTOR_CRAWLER_SERVICE_TYPE } from '../../../common/constants'; +import { SyncStatus } from '../../../common/types/connectors'; import { ElasticsearchIndexWithIngestion } from '../../../common/types/indices'; import { fetchConnectorByIndexName } from '../connectors/fetch_connectors'; import { fetchCrawlerByIndexName } from '../crawler/fetch_crawlers'; import { mapIndexStats } from './utils/map_index_stats'; +const hasInProgressSyncs = async ( + client: IScopedClusterClient, + connectorId: string +): Promise => { + const inProgressCount = await client.asCurrentUser.count({ + index: CONNECTORS_JOBS_INDEX, + query: { + bool: { + filter: [ + { term: { 'connector.id': connectorId } }, + { term: { status: SyncStatus.IN_PROGRESS } }, + ], + }, + }, + }); + return inProgressCount.count > 0; +}; + export const fetchIndex = async ( client: IScopedClusterClient, index: string 
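Review bot: `hasInProgressSyncs` issues a `count` against `CONNECTORS_JOBS_INDEX` as the current user with no handling for the index being absent, and its rejection now propagates out of `fetchIndex` for every connector-backed index. If the jobs index is not guaranteed to exist before the first sync has run, pass `ignore_unavailable: true` on the count request or catch the error and treat the result as `false`; either way the helper deserves a one-line TSDoc such as `/** True when at least one sync job for `connectorId` is still IN_PROGRESS. */`. The `fetchIndex` signature at the bottom of the hunk continues outside it.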
@@ -28,12 +49,18 @@ export const fetchIndex = async ( throw new Error('404'); } const indexStats = indices[index]; + + const connector = await fetchConnectorByIndexName(client, index); + const hasInProgressSyncsResult = connector + ? await hasInProgressSyncs(client, connector.id) + : false; + const indexResult = { count, ...mapIndexStats(indexData, indexStats, index), + has_in_progress_syncs: hasInProgressSyncsResult, }; - const connector = await fetchConnectorByIndexName(client, index); if (connector && connector.service_type !== ENTERPRISE_SEARCH_CONNECTOR_CRAWLER_SERVICE_TYPE) { return { ...indexResult, From ec192acac2298b467861df929e0b7bec3227956b Mon Sep 17 00:00:00 2001 
From: James Gowdy Date: Tue, 7 Feb 2023 10:53:36 +0000 Subject: [PATCH 04/27] [ML] Add a new memory usage by job and by model view (#149419) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a new Memory usage page to the ML app. This contains the page which was originally called Nodes, under the Model Management section, and introduces a new tree map chart to display memory usage of jobs and trained models. ![image](https://user-images.githubusercontent.com/22172091/217040806-bf1b2d51-32ce-4801-8d8f-e27c3d7a9f62.png) If kibana is running in a serverless environment, the Memory usage page will only show the overall memory usage chart. There will be no reference made to "nodes". **Refactoring** Organises related server side code under a `model_management` section. Moves routes to a new `model_management` file. Adds a new `isServerless` function to the client side to spoof information we should soon get from kibana to tell whether we are running in a serverless environment. 
--------- Co-authored-by: István Zoltán Szabó --- x-pack/plugins/ml/common/constants/locator.ts | 2 +- x-pack/plugins/ml/common/types/locator.ts | 10 +- .../plugins/ml/common/types/trained_models.ts | 45 +++ x-pack/plugins/ml/public/application/app.tsx | 7 + .../components/ml_page/ml_page.tsx | 2 +- .../components/ml_page/side_nav.tsx | 18 +- .../contexts/kibana/use_is_serverless.ts | 14 + .../analytics_id_selector.tsx | 2 +- .../space_management/columns.tsx | 2 +- .../public/application/memory_usage/index.ts | 8 + .../memory_usage/memory_item_colors.ts | 34 +++ .../memory_usage/memory_tree_map/index.ts | 9 + .../memory_tree_map/memory_page.tsx | 26 ++ .../memory_usage/memory_tree_map/tree_map.tsx | 201 +++++++++++++ .../memory_usage/memory_usage_page.tsx | 72 +++++ .../nodes_overview/allocated_models.tsx | 0 .../nodes_overview/expanded_row.tsx | 151 ++++++++++ .../nodes_overview/index.ts | 0 .../nodes_overview/memory_preview_chart.tsx | 19 +- .../nodes_overview/nodes_list.tsx | 4 +- .../delete_models_modal.tsx | 6 +- .../deployment_setup.tsx | 4 +- .../expanded_row.tsx | 37 ++- .../force_stop_dialog.tsx | 0 .../index.ts | 0 .../model_actions.tsx | 16 +- .../model_link.tsx | 4 +- .../models_list.tsx | 26 +- .../pipelines/expanded_row.tsx | 4 +- .../pipelines/index.ts | 0 .../pipelines/pipelines.tsx | 2 +- .../test_models/index.ts | 0 .../test_models/inference_error.tsx | 0 .../test_models/models/index.ts | 0 .../test_models/models/index_input.tsx | 2 +- .../test_models/models/inference_base.ts | 6 +- .../test_models/models/inference_info.tsx | 0 .../models/inference_input_form/index.tsx | 0 .../inference_input_form/index_input.tsx | 2 +- .../inference_input_form.tsx | 0 .../inference_input_form/text_input.tsx | 2 +- .../test_models/models/ner/index.ts | 0 .../test_models/models/ner/ner_inference.ts | 4 +- .../test_models/models/ner/ner_output.tsx | 2 +- .../models/question_answering/index.ts | 0 .../question_answering_inference.ts | 4 +- 
.../question_answering_input.tsx | 0 .../question_answering_output.tsx | 2 +- .../test_models/models/raw_output.tsx | 2 +- .../models/text_classification/common.ts | 0 .../fill_mask_inference.ts | 4 +- .../text_classification/fill_mask_output.tsx | 0 .../models/text_classification/index.ts | 0 .../models/text_classification/lang_codes.ts | 0 .../lang_ident_inference.ts | 2 +- .../text_classification/lang_ident_output.tsx | 0 .../text_classification_inference.ts | 4 +- .../text_classification_output.tsx | 0 .../zero_shot_classification_inference.ts | 4 +- .../zero_shot_classification_input.tsx | 0 .../models/text_embedding/index.ts | 0 .../text_embedding_inference.ts | 4 +- .../text_embedding/text_embedding_output.tsx | 0 .../test_models/models/text_input.tsx | 0 .../test_models/output_loading.tsx | 0 .../test_models/selected_model.tsx | 4 +- .../test_models/test_flyout.tsx | 2 +- .../test_models/utils.ts | 4 +- .../application/overview/overview_page.tsx | 6 +- .../application/routing/routes/index.ts | 1 + .../routing/routes/memory_usage.tsx | 53 ++++ .../routing/routes/trained_models/index.ts | 1 - .../routes/trained_models/models_list.tsx | 4 +- .../routes/trained_models/nodes_list.tsx | 68 ----- .../services/ml_api_service/trained_models.ts | 12 +- .../nodes_overview/expanded_row.tsx | 113 ------- .../locator/formatters/trained_models.ts | 13 +- .../plugins/ml/public/locator/ml_locator.ts | 6 +- .../search_deep_links.ts | 8 +- .../models/data_frame_analytics/index.ts | 1 - .../data_frame_analytics/models_provider.ts | 220 -------------- .../__mocks__/mock_deployment_response.json | 0 .../server/models/model_management/index.ts | 9 + .../memory_usage.test.ts} | 14 +- .../models/model_management/memory_usage.ts | 277 ++++++++++++++++++ .../model_management/models_provider.ts | 55 ++++ x-pack/plugins/ml/server/plugin.ts | 2 + x-pack/plugins/ml/server/routes/apidoc.json | 7 +- .../ml/server/routes/model_management.ts | 98 +++++++ 
.../ml/server/routes/schemas/saved_objects.ts | 1 + .../ml/server/routes/trained_models.ts | 41 +-- .../translations/translations/fr-FR.json | 4 - .../translations/translations/ja-JP.json | 4 - .../translations/translations/zh-CN.json | 4 - 94 files changed, 1215 insertions(+), 586 deletions(-) create mode 100644 x-pack/plugins/ml/public/application/contexts/kibana/use_is_serverless.ts create mode 100644 x-pack/plugins/ml/public/application/memory_usage/index.ts create mode 100644 x-pack/plugins/ml/public/application/memory_usage/memory_item_colors.ts create mode 100644 x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/index.ts create mode 100644 x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/memory_page.tsx create mode 100644 x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/tree_map.tsx create mode 100644 x-pack/plugins/ml/public/application/memory_usage/memory_usage_page.tsx rename x-pack/plugins/ml/public/application/{trained_models => memory_usage}/nodes_overview/allocated_models.tsx (100%) create mode 100644 x-pack/plugins/ml/public/application/memory_usage/nodes_overview/expanded_row.tsx rename x-pack/plugins/ml/public/application/{trained_models => memory_usage}/nodes_overview/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models => memory_usage}/nodes_overview/memory_preview_chart.tsx (90%) rename x-pack/plugins/ml/public/application/{trained_models => memory_usage}/nodes_overview/nodes_list.tsx (98%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/delete_models_modal.tsx (92%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/deployment_setup.tsx (98%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/expanded_row.tsx (94%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => 
model_management}/force_stop_dialog.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/model_actions.tsx (95%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/model_link.tsx (85%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/models_list.tsx (94%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/pipelines/expanded_row.tsx (97%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/pipelines/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/pipelines/pipelines.tsx (98%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/inference_error.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/index_input.tsx (99%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/inference_base.ts (97%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/inference_info.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/inference_input_form/index.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => 
model_management}/test_models/models/inference_input_form/index_input.tsx (98%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/inference_input_form/inference_input_form.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/inference_input_form/text_input.tsx (98%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/ner/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/ner/ner_inference.ts (95%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/ner/ner_output.tsx (98%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/question_answering/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/question_answering/question_answering_inference.ts (96%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/question_answering/question_answering_input.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/question_answering/question_answering_output.tsx (95%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/raw_output.tsx (96%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/common.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/fill_mask_inference.ts (93%) rename 
x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/fill_mask_output.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/lang_codes.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/lang_ident_inference.ts (96%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/lang_ident_output.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/text_classification_inference.ts (93%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/text_classification_output.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/zero_shot_classification_inference.ts (95%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_classification/zero_shot_classification_input.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_embedding/index.ts (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_embedding/text_embedding_inference.ts (94%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_embedding/text_embedding_output.tsx 
(100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/models/text_input.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/output_loading.tsx (100%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/selected_model.tsx (95%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/test_flyout.tsx (96%) rename x-pack/plugins/ml/public/application/{trained_models/models_management => model_management}/test_models/utils.ts (85%) create mode 100644 x-pack/plugins/ml/public/application/routing/routes/memory_usage.tsx delete mode 100644 x-pack/plugins/ml/public/application/routing/routes/trained_models/nodes_list.tsx delete mode 100644 x-pack/plugins/ml/public/application/trained_models/nodes_overview/expanded_row.tsx delete mode 100644 x-pack/plugins/ml/server/models/data_frame_analytics/models_provider.ts rename x-pack/plugins/ml/server/models/{data_frame_analytics => model_management}/__mocks__/mock_deployment_response.json (100%) create mode 100644 x-pack/plugins/ml/server/models/model_management/index.ts rename x-pack/plugins/ml/server/models/{data_frame_analytics/models_provider.test.ts => model_management/memory_usage.test.ts} (97%) create mode 100644 x-pack/plugins/ml/server/models/model_management/memory_usage.ts create mode 100644 x-pack/plugins/ml/server/models/model_management/models_provider.ts create mode 100644 x-pack/plugins/ml/server/routes/model_management.ts diff --git a/x-pack/plugins/ml/common/constants/locator.ts b/x-pack/plugins/ml/common/constants/locator.ts index 6ef9d2c27c40d..8e11a93f059ec 100644 --- a/x-pack/plugins/ml/common/constants/locator.ts +++ b/x-pack/plugins/ml/common/constants/locator.ts 
@@ -15,7 +15,7 @@ export const ML_PAGES = { DATA_FRAME_ANALYTICS_SOURCE_SELECTION: 'data_frame_analytics/source_selection', DATA_FRAME_ANALYTICS_CREATE_JOB: 'data_frame_analytics/new_job', TRAINED_MODELS_MANAGE: 'trained_models', - TRAINED_MODELS_NODES: 'trained_models/nodes', + MEMORY_USAGE: 'memory_usage', DATA_FRAME_ANALYTICS_EXPLORATION: 'data_frame_analytics/exploration', DATA_FRAME_ANALYTICS_MAP: 'data_frame_analytics/map', /** diff --git a/x-pack/plugins/ml/common/types/locator.ts b/x-pack/plugins/ml/common/types/locator.ts index a86fb70d9c315..9ee32765b5daa 100644 --- a/x-pack/plugins/ml/common/types/locator.ts +++ b/x-pack/plugins/ml/common/types/locator.ts @@ -203,7 +203,7 @@ export interface TrainedModelsQueryState { modelId?: string; } -export interface TrainedModelsNodesQueryState { +export interface MemoryUsageNodesQueryState { nodeId?: string; } @@ -276,7 +276,7 @@ export type MlLocatorState = | MlGenericUrlState | NotificationsUrlState | TrainedModelsUrlState - | TrainedModelsNodesUrlState; + | MemoryUsageUrlState; export type MlLocatorParams = MlLocatorState & SerializableRecord; @@ -287,9 +287,9 @@ export type TrainedModelsUrlState = MLPageState< TrainedModelsQueryState | undefined >; -export type TrainedModelsNodesUrlState = MLPageState< - typeof ML_PAGES.TRAINED_MODELS_NODES, - TrainedModelsNodesQueryState | undefined +export type MemoryUsageUrlState = MLPageState< + typeof ML_PAGES.MEMORY_USAGE, + MemoryUsageNodesQueryState | undefined >; export interface NotificationsQueryState { diff --git a/x-pack/plugins/ml/common/types/trained_models.ts b/x-pack/plugins/ml/common/types/trained_models.ts index 2dea2eecd5e5a..e68e89a6ac93a 100644 --- a/x-pack/plugins/ml/common/types/trained_models.ts +++ b/x-pack/plugins/ml/common/types/trained_models.ts 
@@ -9,6 +9,7 @@ import type { DataFrameAnalyticsConfig } from './data_frame_analytics'; import type { FeatureImportanceBaseline, TotalFeatureImportance } from './feature_importance'; import type { XOR } from './common'; import type { DeploymentState, TrainedModelType } from '../constants/trained_models'; +import type { MlSavedObjectType } from './saved_objects'; export interface IngestStats { count: number; @@ -236,3 +237,47 @@ export interface NodesOverviewResponse { _nodes: { total: number; failed: number; successful: number }; nodes: NodeDeploymentStatsResponse[]; } + +export interface MemoryUsageInfo { + id: string; + type: MlSavedObjectType; + size: number; + nodeNames: string[]; +} + +export interface MemoryStatsResponse { + _nodes: { total: number; failed: number; successful: number }; + cluster_name: string; + nodes: Record< + string, + { + jvm: { + heap_max_in_bytes: number; + java_inference_in_bytes: number; + java_inference_max_in_bytes: number; + }; + mem: { + adjusted_total_in_bytes: number; + total_in_bytes: number; + ml: { + data_frame_analytics_in_bytes: number; + native_code_overhead_in_bytes: number; + max_in_bytes: number; + anomaly_detectors_in_bytes: number; + native_inference_in_bytes: number; + }; + }; + transport_address: string; + roles: string[]; + name: string; + attributes: Record<`${'ml.'}${string}`, string>; + ephemeral_id: string; + } + >; +} + +// @ts-expect-error TrainedModelDeploymentStatsResponse missing properties from MlTrainedModelDeploymentStats +export interface TrainedModelStatsResponse extends estypes.MlTrainedModelStats { + deployment_stats?: Omit; + model_size_stats?: TrainedModelModelSizeStats; +} diff --git a/x-pack/plugins/ml/public/application/app.tsx b/x-pack/plugins/ml/public/application/app.tsx index 5e5099937c7e1..ffd3fa9e8d654 100644 --- a/x-pack/plugins/ml/public/application/app.tsx +++ b/x-pack/plugins/ml/public/application/app.tsx 
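Review bot: The `// @ts-expect-error` placed on the `TrainedModelStatsResponse` declaration suppresses the whole `extends` incompatibility, so any future divergence between this interface and `estypes.MlTrainedModelStats` is hidden along with the one it was added for. Narrow it instead by omitting only the two fields being redefined: `export interface TrainedModelStatsResponse extends Omit<estypes.MlTrainedModelStats, 'deployment_stats' | 'model_size_stats'> {`, which keeps the rest of the base type checked. The visible import hunk does not bring `estypes` into scope; confirm it is already imported higher in the file.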
@@ -45,6 +45,12 @@ interface AppProps { const localStorage = new Storage(window.localStorage); +// temporary function to hardcode the serverless state +// this will be replaced by the true serverless information from kibana +export function isServerless() { + return false; +} + /** * Provides global services available across the entire ML app. */ @@ -54,6 +60,7 @@ export function getMlGlobalServices(httpStart: HttpStart, usageCollection?: Usag httpService, mlApiServices: mlApiServicesProvider(httpService), mlUsageCollection: mlUsageCollectionProvider(usageCollection), + isServerless, }; } diff --git a/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx b/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx index ba4c034cda581..2498aa280fa9b 100644 --- a/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx +++ b/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx @@ -169,7 +169,7 @@ const CommonPageWrapper: FC = React.memo(({ pageDeps, ro {routeList.map((route) => { return ( { diff --git a/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx b/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx index 6a928b2a365a8..f3270068740d0 100644 --- a/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx +++ b/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx @@ -96,6 +96,15 @@ export function useSideNavItems(activeRoute: MlRoute | undefined) { disabled: disableLinks, testSubj: 'mlMainTab notifications', }, + { + id: 'memory_usage', + pathId: ML_PAGES.MEMORY_USAGE, + name: i18n.translate('xpack.ml.navMenu.memoryUsageText', { + defaultMessage: 'Memory Usage', + }), + disabled: disableLinks || !canViewMlNodes, + testSubj: 'mlMainTab nodesOverview', + }, ], }, { 
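Review bot: `isServerless()` in app.tsx is exported with a hard-coded `false`, no return type and only a free-text comment, so every consumer (the new `useIsServerless` hook among them) silently takes the non-serverless path until someone remembers to replace it. Make the stub self-describing with `export function isServerless(): boolean {` and a TSDoc block such as `/** Temporary stub: always false until Kibana exposes real serverless state. TODO([tracking-issue]): remove. */`, so the placeholder is both typed and greppable. `getMlGlobalServices` now publishes the function on the services object; that object literal continues outside the hunk.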
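Review bot: The new `memory_usage` navigation entry in side_nav.tsx keeps `testSubj: 'mlMainTab nodesOverview'` while its `id` and `pathId` now say memory usage, so the test subject no longer describes the item it marks. If this is deliberate so existing functional tests keep finding the tab, say so inline, e.g. `testSubj: 'mlMainTab nodesOverview', // kept so existing functional tests still locate this tab`; otherwise rename it together with the id. The `useSideNavItems` definition continues on both sides of this hunk.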
@@ -196,15 +205,6 @@ export function useSideNavItems(activeRoute: MlRoute | undefined) {
 disabled: disableLinks,
 testSubj: 'mlMainTab trainedModels',
 },
- {
- id: 'nodes_overview',
- pathId: ML_PAGES.TRAINED_MODELS_NODES,
- name: i18n.translate('xpack.ml.navMenu.nodesOverviewText', {
- defaultMessage: 'Nodes',
- }),
- disabled: disableLinks || !canViewMlNodes,
- testSubj: 'mlMainTab nodesOverview',
- },
 ],
 },
 {
diff --git a/x-pack/plugins/ml/public/application/contexts/kibana/use_is_serverless.ts b/x-pack/plugins/ml/public/application/contexts/kibana/use_is_serverless.ts
new file mode 100644
index 0000000000000..120ae02b8d466
--- /dev/null
+++ b/x-pack/plugins/ml/public/application/contexts/kibana/use_is_serverless.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMemo } from 'react';
+import { useMlKibana } from './kibana_context';
+
+export const useIsServerless = () => {
+ const isServerless = useMlKibana().services.mlServices.isServerless;
+ return useMemo(() => isServerless(), [isServerless]);
+};
diff --git a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/components/analytics_selector/analytics_id_selector.tsx b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/components/analytics_selector/analytics_id_selector.tsx
index 15836fb276a46..9528c54758bc0 100644
--- a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/components/analytics_selector/analytics_id_selector.tsx
+++ b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/components/analytics_selector/analytics_id_selector.tsx
@@ -27,7 +27,7 @@ import { BUILT_IN_MODEL_TAG } from '../../../../../../common/constants/data_fram
 import { useTrainedModelsApiService } from '../../../../services/ml_api_service/trained_models';
 import { GetDataFrameAnalyticsResponse } from '../../../../services/ml_api_service/data_frame_analytics';
 import { useToastNotificationService } from '../../../../services/toast_notification_service';
-import { ModelsTableToConfigMapping } from '../../../../trained_models/models_management';
+import { ModelsTableToConfigMapping } from '../../../../model_management';
 import { DataFrameAnalyticsConfig } from '../../../common';
 import { useMlApiContext } from '../../../../contexts/kibana';
 import { TrainedModelConfigResponse } from '../../../../../../common/types/trained_models';
diff --git a/x-pack/plugins/ml/public/application/management/jobs_list/components/jobs_list_page/space_management/columns.tsx b/x-pack/plugins/ml/public/application/management/jobs_list/components/jobs_list_page/space_management/columns.tsx
index 90191c4f22dca..221c028603fd0 100644
--- a/x-pack/plugins/ml/public/application/management/jobs_list/components/jobs_list_page/space_management/columns.tsx
+++ b/x-pack/plugins/ml/public/application/management/jobs_list/components/jobs_list_page/space_management/columns.tsx
@@ -7,7 +7,7 @@
 import React from 'react';
 import { i18n } from '@kbn/i18n';
 import { EuiBasicTableColumn } from '@elastic/eui';
-import { TrainedModelLink } from '../../../../../trained_models/models_management';
+import { TrainedModelLink } from '../../../../../model_management';
 import type { MlSavedObjectType } from '../../../../../../../common/types/saved_objects';
 import type {
 AnalyticsManagementItems,
diff --git a/x-pack/plugins/ml/public/application/memory_usage/index.ts b/x-pack/plugins/ml/public/application/memory_usage/index.ts
new file mode 100644
index 0000000000000..eddabe8bf4b02
--- /dev/null
+++ b/x-pack/plugins/ml/public/application/memory_usage/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { MemoryUsagePage } from './memory_usage_page';
diff --git a/x-pack/plugins/ml/public/application/memory_usage/memory_item_colors.ts b/x-pack/plugins/ml/public/application/memory_usage/memory_item_colors.ts
new file mode 100644
index 0000000000000..b03658aae77a1
--- /dev/null
+++ b/x-pack/plugins/ml/public/application/memory_usage/memory_item_colors.ts
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+ euiPaletteComplimentary,
+ euiPaletteForTemperature,
+ euiPaletteGray,
+ euiPalettePositive,
+ euiPaletteWarm,
+} from '@elastic/eui';
+import { MlSavedObjectType } from '../../../common/types/saved_objects';
+
+type MemoryItem = MlSavedObjectType | 'jvm-heap-size' | 'estimated-available-memory';
+
+export function getMemoryItemColor(typeIn: MemoryItem) {
+ switch (typeIn) {
+ case 'anomaly-detector':
+ return euiPaletteWarm(5)[1];
+ case 'data-frame-analytics':
+ return euiPalettePositive(5)[2];
+ case 'trained-model':
+ return euiPaletteForTemperature(5)[1];
+ case 'estimated-available-memory':
+ return euiPaletteGray(5)[0];
+ case 'jvm-heap-size':
+ return euiPaletteComplimentary(5)[4];
+ default:
+ return euiPaletteGray(5)[4];
+ }
+}
diff --git a/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/index.ts b/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/index.ts
new file mode 100644
index 0000000000000..2065b170529a7
--- /dev/null
+++ b/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/index.ts
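Review bot: `getMemoryItemColor` in memory_item_colors.ts takes the closed union `MemoryItem` yet keeps a `default` branch, so if `MlSavedObjectType` ever gains a member the function silently returns the gray fallback instead of failing to compile. Replace the fallback with an exhaustiveness check, `default: { const _exhaustive: never = typeIn; return euiPaletteGray(5)[4]; }`, and give the export an explicit `: string` return type since it is used as a colour accessor in several charts. Each call also rebuilds a five-colour palette (`euiPaletteWarm(5)` and friends) before indexing into it; the cost is presumably small, but hoisting the palettes to module-level constants would turn the mapping into a plain lookup and make the chosen indices easier to document.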
@@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { JobMemoryTreeMap } from './tree_map'; +export { MemoryPage } from './memory_page'; diff --git a/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/memory_page.tsx b/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/memory_page.tsx new file mode 100644 index 0000000000000..82a3b2cdedd94 --- /dev/null +++ b/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/memory_page.tsx @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiCallOut, EuiSpacer } from '@elastic/eui'; +import React, { FC } from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { JobMemoryTreeMap } from './tree_map'; + +export const MemoryPage: FC = () => { + return ( + <> + + + + + + + ); +}; diff --git a/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/tree_map.tsx b/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/tree_map.tsx new file mode 100644 index 0000000000000..35d9b216d6f24 --- /dev/null +++ b/x-pack/plugins/ml/public/application/memory_usage/memory_tree_map/tree_map.tsx 
@@ -0,0 +1,201 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { FC, useEffect, useState, useCallback, useMemo } from 'react'; +import { + Chart, + Settings, + Partition, + PartitionLayout, + ShapeTreeNode, + LIGHT_THEME, + DARK_THEME, +} from '@elastic/charts'; +import { EUI_CHARTS_THEME_DARK, EUI_CHARTS_THEME_LIGHT } from '@elastic/eui/dist/eui_charts_theme'; +import { FIELD_FORMAT_IDS } from '@kbn/field-formats-plugin/common'; +import { EuiComboBox, EuiComboBoxOptionOption, EuiEmptyPrompt, EuiSpacer } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { MemoryUsageInfo } from '../../../../common/types/trained_models'; +import { JobType, MlSavedObjectType } from '../../../../common/types/saved_objects'; +import { useTrainedModelsApiService } from '../../services/ml_api_service/trained_models'; +import { LoadingWrapper } from '../../jobs/new_job/pages/components/charts/loading_wrapper'; +import { useFieldFormatter, useUiSettings } from '../../contexts/kibana'; + +import { useRefresh } from '../../routing/use_refresh'; +import { getMemoryItemColor } from '../memory_item_colors'; +import { useToastNotificationService } from '../../services/toast_notification_service'; + +interface Props { + node?: string; + type?: MlSavedObjectType; + height?: string; +} + +const DEFAULT_CHART_HEIGHT = '400px'; + +const TYPE_LABELS: Record = { + [i18n.translate('xpack.ml.memoryUsage.treeMap.adLabel', { + defaultMessage: 'Anomaly detection jobs', + })]: 'anomaly-detector', + [i18n.translate('xpack.ml.memoryUsage.treeMap.dfaLabel', { + defaultMessage: 'Data frame analytics jobs', + })]: 'data-frame-analytics', + [i18n.translate('xpack.ml.memoryUsage.treeMap.modelsLabel', { + defaultMessage: 
'Trained models', + })]: 'trained-model', +} as const; + +const TYPE_LABELS_INVERTED = Object.entries(TYPE_LABELS).reduce>( + (acc, [label, type]) => { + acc[type] = label; + return acc; + }, + {} as Record +); + +const TYPE_OPTIONS: EuiComboBoxOptionOption[] = Object.entries(TYPE_LABELS).map( + ([label, type]) => ({ + label, + color: getMemoryItemColor(type), + }) +); + +export const JobMemoryTreeMap: FC = ({ node, type, height }) => { + const isDarkTheme = useUiSettings().get('theme:darkMode'); + const { theme, baseTheme } = useMemo( + () => + isDarkTheme + ? { theme: EUI_CHARTS_THEME_DARK, baseTheme: DARK_THEME } + : { theme: EUI_CHARTS_THEME_LIGHT, baseTheme: LIGHT_THEME }, + [isDarkTheme] + ); + + const bytesFormatter = useFieldFormatter(FIELD_FORMAT_IDS.BYTES); + const { displayErrorToast } = useToastNotificationService(); + const refresh = useRefresh(); + const chartHeight = height ?? DEFAULT_CHART_HEIGHT; + + const trainedModelsApiService = useTrainedModelsApiService(); + const [allData, setAllData] = useState([]); + const [data, setData] = useState([]); + const [loading, setLoading] = useState(false); + const [selectedOptions, setSelectedOptions] = useState(TYPE_OPTIONS); + + const filterData = useCallback( + (dataIn: MemoryUsageInfo[]) => { + const types = selectedOptions.map((o) => TYPE_LABELS[o.label]); + return dataIn.filter((d) => types.includes(d.type)); + }, + [selectedOptions] + ); + + const loadJobMemorySize = useCallback(async () => { + setLoading(true); + try { + const resp = await trainedModelsApiService.memoryUsage(type, node); + setAllData(resp); + } catch (error) { + displayErrorToast( + error, + i18n.translate('xpack.ml.memoryUsage.treeMap.fetchFailedErrorMessage', { + defaultMessage: 'Models memory usage fetch failed', + }) + ); + } + setLoading(false); + }, [trainedModelsApiService, type, node, displayErrorToast]); + + useEffect( + function redrawOnFilterChange() { + setData(filterData(allData)); + }, + [selectedOptions, allData, 
filterData] + ); + + useEffect( + function updateOnTimerRefresh() { + loadJobMemorySize(); + }, + [loadJobMemorySize, refresh] + ); + + return ( +
+ + 0} loading={loading}> + + + + + {data.length ? ( + + + + id="memoryUsageTreeMap" + data={data} + layout={PartitionLayout.treemap} + valueAccessor={(d) => d.size} + valueFormatter={(size: number) => bytesFormatter(size)} + layers={[ + { + groupByRollup: (d: MemoryUsageInfo) => d.type, + nodeLabel: (d) => TYPE_LABELS_INVERTED[d as MlSavedObjectType], + fillLabel: { + valueFormatter: (size: number) => bytesFormatter(size), + }, + shape: { + fillColor: (d: ShapeTreeNode) => getMemoryItemColor(d.dataName as JobType), + }, + }, + { + groupByRollup: (d: MemoryUsageInfo) => d.id, + nodeLabel: (d) => `${d}`, + fillLabel: { + valueFont: { + fontWeight: 100, + }, + }, + shape: { + fillColor: (d: ShapeTreeNode) => { + // color the shape the same as its parent. + const parentId = d.parent.path[d.parent.path.length - 1].value as JobType; + return getMemoryItemColor(parentId); + }, + }, + }, + ]} + /> + + ) : ( + + + + } + /> + )} + +
+ ); +}; diff --git a/x-pack/plugins/ml/public/application/memory_usage/memory_usage_page.tsx b/x-pack/plugins/ml/public/application/memory_usage/memory_usage_page.tsx new file mode 100644 index 0000000000000..24e3dbab771b5 --- /dev/null +++ b/x-pack/plugins/ml/public/application/memory_usage/memory_usage_page.tsx @@ -0,0 +1,72 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { FC, useCallback, useState } from 'react'; +import { mlTimefilterRefresh$, useTimefilter } from '@kbn/ml-date-picker'; +import { EuiFlexGroup, EuiFlexItem, EuiTabs, EuiTab } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { NodesList } from './nodes_overview'; +import { MlPageHeader } from '../components/page_header'; +import { MemoryPage, JobMemoryTreeMap } from './memory_tree_map'; +import { useIsServerless } from '../contexts/kibana/use_is_serverless'; +import { SavedObjectsWarning } from '../components/saved_objects_warning'; + +enum TAB { + NODES, + MEMORY_USAGE, +} + +export const MemoryUsagePage: FC = () => { + const serverless = useIsServerless(); + const [selectedTab, setSelectedTab] = useState(TAB.NODES); + useTimefilter({ timeRangeSelector: false, autoRefreshSelector: true }); + + const refresh = useCallback(() => { + mlTimefilterRefresh$.next({ + lastRefresh: Date.now(), + }); + }, []); + + return ( + <> + + + + + + + + + + + {serverless ? ( + + ) : ( + <> + + setSelectedTab(TAB.NODES)} + > + + + setSelectedTab(TAB.MEMORY_USAGE)} + > + + + + {selectedTab === TAB.NODES ? : } + + )} + + ); +}; 
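Review bot: `updateOnTimerRefresh` in tree_map.tsx calls `loadJobMemorySize()` without awaiting or voiding the returned promise, and nothing guards against a response arriving after the component has unmounted or after a newer refresh has started, so `setAllData`/`setLoading` can run for a stale request. At minimum make the intent explicit with `void loadJobMemorySize();`; a cancellation flag set in the effect's cleanup and checked before `setAllData(resp)` would also close the stale-response window. Separately, `redrawOnFilterChange` lists `selectedOptions` in its dependency array although `filterData` already changes identity whenever `selectedOptions` does, so `[allData, filterData]` is sufficient. On a fetch error `loadJobMemorySize` shows a toast but leaves the previously loaded `allData` on screen, which is presumably intended; a one-line comment saying so would stop a reader from treating it as a bug.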
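Review bot: `enum TAB { NODES, MEMORY_USAGE }` in memory_usage_page.tsx is a numeric enum, whose runtime reverse mapping is not needed here and is the form the TypeScript style guidance discourages; nodes_overview/expanded_row.tsx introduces the same shape with `enum TAB { DETAILS, MEMORY_USAGE }`. A string union, `type Tab = 'nodes' | 'memory_usage';` with `useState<Tab>('nodes')`, gives the same narrowing in the `selectedTab === …` comparisons with no emitted object. The `useTimefilter({ timeRangeSelector: false, autoRefreshSelector: true })` call is made purely for its side effect; a brief comment that it enables the auto-refresh control this page relies on (presumably what drives `useRefresh` in the tree map) would explain the otherwise unused call.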
diff --git a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/allocated_models.tsx b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/allocated_models.tsx similarity index 100% rename from x-pack/plugins/ml/public/application/trained_models/nodes_overview/allocated_models.tsx rename to x-pack/plugins/ml/public/application/memory_usage/nodes_overview/allocated_models.tsx diff --git a/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/expanded_row.tsx b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/expanded_row.tsx new file mode 100644 index 0000000000000..cf44b275a0f5d --- /dev/null +++ b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/expanded_row.tsx 
@@ -0,0 +1,151 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { FC, useState } from 'react'; +import { + EuiDescriptionList, + EuiFlexGrid, + EuiFlexItem, + EuiPanel, + EuiSpacer, + EuiTab, + EuiTabs, + EuiTitle, +} from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { cloneDeep } from 'lodash'; +import { FIELD_FORMAT_IDS } from '@kbn/field-formats-plugin/common'; +import { css } from '@emotion/react'; +import { NodeItem } from './nodes_list'; +import { useListItemsFormatter } from '../../model_management/expanded_row'; +import { AllocatedModels } from './allocated_models'; +import { useFieldFormatter } from '../../contexts/kibana/use_field_formatter'; +import { JobMemoryTreeMap } from '../memory_tree_map'; + +interface ExpandedRowProps { + item: NodeItem; +} + +enum TAB { + DETAILS, + MEMORY_USAGE, +} + +export const ExpandedRow: FC = ({ item }) => { + const bytesFormatter = useFieldFormatter(FIELD_FORMAT_IDS.BYTES); + const [selectedTab, setSelectedTab] = useState(TAB.DETAILS); + + const formatToListItems = useListItemsFormatter(); + + const { + allocated_models: allocatedModels, + attributes, + memory_overview: memoryOverview, + id, + ...details + } = cloneDeep(item); + + // Process node attributes + attributes['ml.machine_memory'] = bytesFormatter(attributes['ml.machine_memory']); + attributes['ml.max_jvm_size'] = bytesFormatter(attributes['ml.max_jvm_size']); + + return ( +
+ + setSelectedTab(TAB.DETAILS)} + > + + + setSelectedTab(TAB.MEMORY_USAGE)} + > + + + + + {selectedTab === TAB.DETAILS ? ( + <> + + + + + +
+ +
+
+ + +
+
+ + + + +
+ +
+
+ + +
+
+
+ {allocatedModels.length > 0 ? ( + <> + + + +
+ +
+
+ + + +
+ + ) : null} + + ) : ( + <> + + + )} +
+ ); +}; diff --git a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/index.ts b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/index.ts similarity index 100% rename from x-pack/plugins/ml/public/application/trained_models/nodes_overview/index.ts rename to x-pack/plugins/ml/public/application/memory_usage/nodes_overview/index.ts diff --git a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/memory_preview_chart.tsx b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/memory_preview_chart.tsx similarity index 90% rename from x-pack/plugins/ml/public/application/trained_models/nodes_overview/memory_preview_chart.tsx rename to x-pack/plugins/ml/public/application/memory_usage/nodes_overview/memory_preview_chart.tsx index 2decf3c1d2b1b..f57fa18dc4286 100644 --- a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/memory_preview_chart.tsx +++ b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/memory_preview_chart.tsx @@ -18,11 +18,11 @@ import { LineAnnotation, AnnotationDomainType, } from '@elastic/charts'; -import { EuiIcon, euiPaletteGray } from '@elastic/eui'; +import { EuiIcon } from '@elastic/eui'; import { FIELD_FORMAT_IDS } from '@kbn/field-formats-plugin/common'; import { NodeDeploymentStatsResponse } from '../../../../common/types/trained_models'; import { useFieldFormatter } from '../../contexts/kibana/use_field_formatter'; -import { useCurrentEuiTheme } from '../../components/color_range_legend'; +import { getMemoryItemColor } from '../memory_item_colors'; interface MemoryPreviewChartProps { memoryOverview: NodeDeploymentStatsResponse['memory_overview']; 
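Review bot: The two lines `attributes['ml.machine_memory'] = bytesFormatter(attributes['ml.machine_memory']);` and the `ml.max_jvm_size` equivalent in nodes_overview/expanded_row.tsx assume both keys exist on every node; on a node without them the formatter is handed `undefined` and whatever it returns is written back into `attributes` and rendered in the description list. Guard each with an `attributes['ml.machine_memory'] !== undefined` check (or format only the keys that are present) so a missing attribute is shown as absent rather than as a formatter artefact. The `cloneDeep(item)` just above is what keeps this in-place formatting from mutating the table's own row object; a one-line comment stating that would make the clone read as deliberate rather than defensive.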
@@ -31,42 +31,39 @@ interface MemoryPreviewChartProps { export const MemoryPreviewChart: FC = ({ memoryOverview }) => { const bytesFormatter = useFieldFormatter(FIELD_FORMAT_IDS.BYTES); - const { euiTheme } = useCurrentEuiTheme(); - const groups = useMemo( () => ({ jvm: { name: i18n.translate('xpack.ml.trainedModels.nodesList.jvmHeapSIze', { defaultMessage: 'JVM heap size', }), - colour: euiTheme.euiColorVis1, + color: getMemoryItemColor('jvm-heap-size'), }, trained_models: { name: i18n.translate('xpack.ml.trainedModels.nodesList.modelsMemoryUsage', { defaultMessage: 'Trained models', }), - colour: euiTheme.euiColorVis2, + color: getMemoryItemColor('trained-model'), }, anomaly_detection: { name: i18n.translate('xpack.ml.trainedModels.nodesList.adMemoryUsage', { defaultMessage: 'Anomaly detection jobs', }), - colour: euiTheme.euiColorVis6, + color: getMemoryItemColor('anomaly-detector'), }, dfa_training: { name: i18n.translate('xpack.ml.trainedModels.nodesList.dfaMemoryUsage', { defaultMessage: 'Data frame analytics jobs', }), - colour: euiTheme.euiColorVis4, + color: getMemoryItemColor('data-frame-analytics'), }, available: { name: i18n.translate('xpack.ml.trainedModels.nodesList.availableMemory', { defaultMessage: 'Estimated available memory', }), - colour: euiPaletteGray(5)[0], + color: getMemoryItemColor('estimated-available-memory'), }, }), - // eslint-disable-next-line react-hooks/exhaustive-deps [] ); @@ -106,7 +103,7 @@ export const MemoryPreviewChart: FC = ({ memoryOverview const barSeriesColorAccessor: SeriesColorAccessor = ({ specId, yAccessor, splitAccessors }) => { const group = splitAccessors.get('g'); - return Object.values(groups).find((v) => v.name === group)!.colour; + return Object.values(groups).find((v) => v.name === group)!.color; }; return ( 
diff --git a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/nodes_list.tsx b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/nodes_list.tsx similarity index 98% rename from x-pack/plugins/ml/public/application/trained_models/nodes_overview/nodes_list.tsx rename to x-pack/plugins/ml/public/application/memory_usage/nodes_overview/nodes_list.tsx index 9ec06645d8e29..a615e40c9e3ea 100644 --- a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/nodes_list.tsx +++ b/x-pack/plugins/ml/public/application/memory_usage/nodes_overview/nodes_list.tsx @@ -33,7 +33,7 @@ import { useRefresh } from '../../routing/use_refresh'; export type NodeItem = NodeDeploymentStatsResponse; interface PageUrlState { - pageKey: typeof ML_PAGES.TRAINED_MODELS_NODES; + pageKey: typeof ML_PAGES.MEMORY_USAGE; pageUrlState: ListingPageUrlState; } @@ -61,7 +61,7 @@ export const NodesList: FC = ({ compactView = false }) => { {} ); const [pageState, updatePageState] = usePageUrlState( - ML_PAGES.TRAINED_MODELS_NODES, + ML_PAGES.MEMORY_USAGE, getDefaultNodesListState() ); diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/delete_models_modal.tsx b/x-pack/plugins/ml/public/application/model_management/delete_models_modal.tsx similarity index 92% rename from x-pack/plugins/ml/public/application/trained_models/models_management/delete_models_modal.tsx rename to x-pack/plugins/ml/public/application/model_management/delete_models_modal.tsx index b4f0bc0ec505e..e730dad0c36aa 100644 --- a/x-pack/plugins/ml/public/application/trained_models/models_management/delete_models_modal.tsx +++ b/x-pack/plugins/ml/public/application/model_management/delete_models_modal.tsx 
@@ -16,9 +16,9 @@ import {
 EuiButton,
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
-import { useTrainedModelsApiService } from '../../services/ml_api_service/trained_models';
-import { useToastNotificationService } from '../../services/toast_notification_service';
-import { DeleteSpaceAwareItemCheckModal } from '../../components/delete_space_aware_item_check_modal';
+import { useTrainedModelsApiService } from '../services/ml_api_service/trained_models';
+import { useToastNotificationService } from '../services/toast_notification_service';
+import { DeleteSpaceAwareItemCheckModal } from '../components/delete_space_aware_item_check_modal';

 interface DeleteModelsModalProps {
 modelIds: string[];
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/deployment_setup.tsx b/x-pack/plugins/ml/public/application/model_management/deployment_setup.tsx
similarity index 98%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/deployment_setup.tsx
rename to x-pack/plugins/ml/public/application/model_management/deployment_setup.tsx
index 4c4bd6293bc8a..9068f679cf261 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/deployment_setup.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/deployment_setup.tsx
@@ -30,8 +30,8 @@ import type { Observable } from 'rxjs';
 import type { CoreTheme, OverlayStart } from '@kbn/core/public';
 import { css } from '@emotion/react';
 import { numberValidator } from '@kbn/ml-agg-utils';
-import { isCloudTrial } from '../../services/ml_server_info';
-import { composeValidators, requiredValidator } from '../../../../common/util/validators';
+import { isCloudTrial } from '../services/ml_server_info';
+import { composeValidators, requiredValidator } from '../../../common/util/validators';

 interface DeploymentSetupProps {
 config: ThreadingParams;
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/expanded_row.tsx b/x-pack/plugins/ml/public/application/model_management/expanded_row.tsx similarity index 94% rename from x-pack/plugins/ml/public/application/trained_models/models_management/expanded_row.tsx rename to x-pack/plugins/ml/public/application/model_management/expanded_row.tsx index daa813fe4e1e6..99dc3f687a7e0 100644 --- a/x-pack/plugins/ml/public/application/trained_models/models_management/expanded_row.tsx +++ b/x-pack/plugins/ml/public/application/model_management/expanded_row.tsx @@ -20,6 +20,7 @@ import { EuiTabbedContent, EuiTabbedContentTab, EuiTitle, + useEuiPaddingSize, } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import { FIELD_FORMAT_IDS } from '@kbn/field-formats-plugin/common'; @@ -27,30 +28,38 @@ import { isPopulatedObject } from '@kbn/ml-is-populated-object'; import { isDefined } from '@kbn/ml-is-defined'; import type { ModelItemFull } from './models_list'; import { ModelPipelines } from './pipelines'; -import { AllocatedModels } from '../nodes_overview/allocated_models'; -import type { AllocatedModel } from '../../../../common/types/trained_models'; -import { useFieldFormatter } from '../../contexts/kibana/use_field_formatter'; +import { AllocatedModels } from '../memory_usage/nodes_overview/allocated_models'; +import type { AllocatedModel } from '../../../common/types/trained_models'; +import { useFieldFormatter } from '../contexts/kibana/use_field_formatter'; interface ExpandedRowProps { item: ModelItemFull; } -const badgeFormatter = (items: string[]) => { - if (items.length === 0) return; - return ( -
- {items.map((item) => ( - - {item} - - ))} -
- ); +const useBadgeFormatter = () => { + const xs = useEuiPaddingSize('xs'); + + function badgeFormatter(items: string[]) { + if (items.length === 0) return; + return ( +
+ {items.map((item) => ( + + + {item} + + + ))} +
+ ); + } + return { badgeFormatter }; }; export function useListItemsFormatter() { const bytesFormatter = useFieldFormatter(FIELD_FORMAT_IDS.BYTES); const dateFormatter = useFieldFormatter(FIELD_FORMAT_IDS.DATE); + const { badgeFormatter } = useBadgeFormatter(); const formatterDictionary: Record JSX.Element | string | undefined> = useMemo( diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/force_stop_dialog.tsx b/x-pack/plugins/ml/public/application/model_management/force_stop_dialog.tsx similarity index 100% rename from x-pack/plugins/ml/public/application/trained_models/models_management/force_stop_dialog.tsx rename to x-pack/plugins/ml/public/application/model_management/force_stop_dialog.tsx diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/index.ts b/x-pack/plugins/ml/public/application/model_management/index.ts similarity index 100% rename from x-pack/plugins/ml/public/application/trained_models/models_management/index.ts rename to x-pack/plugins/ml/public/application/model_management/index.ts diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/model_actions.tsx b/x-pack/plugins/ml/public/application/model_management/model_actions.tsx similarity index 95% rename from x-pack/plugins/ml/public/application/trained_models/models_management/model_actions.tsx rename to x-pack/plugins/ml/public/application/model_management/model_actions.tsx index a8258e537c60e..5545fa6c7d5fe 100644 --- a/x-pack/plugins/ml/public/application/trained_models/models_management/model_actions.tsx +++ b/x-pack/plugins/ml/public/application/model_management/model_actions.tsx 
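Review bot: `useBadgeFormatter` in model_management/expanded_row.tsx returns a fresh `badgeFormatter` function object on every render because it is declared inline in the hook body, and `useListItemsFormatter` then hands it to a `useMemo` whose dependency array lies outside this hunk; if `badgeFormatter` is listed there the memoised dictionary is rebuilt on every render, and if it is omitted the exhaustive-deps rule will flag it. Declaring it as `const badgeFormatter = useCallback((items: string[]) => { … }, [xs]);` pins its identity to the padding value; `useCallback` is not visible among this file's imports in the hunk, so it may need adding. The early `if (items.length === 0) return;` relies on an implicit `undefined`, which does satisfy the `JSX.Element | string | undefined` dictionary signature, but an explicit `return undefined;` plus a TSDoc line on the hook stating that empty lists render nothing would make the contract visible. The body of `useListItemsFormatter` continues past the end of the hunk.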
@@ -10,16 +10,16 @@ import { i18n } from '@kbn/i18n'; import { isPopulatedObject } from '@kbn/ml-is-populated-object'; import { EuiToolTip } from '@elastic/eui'; import React, { useCallback, useMemo } from 'react'; -import { BUILT_IN_MODEL_TAG } from '../../../../common/constants/data_frame_analytics'; -import { useTrainedModelsApiService } from '../../services/ml_api_service/trained_models'; +import { BUILT_IN_MODEL_TAG } from '../../../common/constants/data_frame_analytics'; +import { useTrainedModelsApiService } from '../services/ml_api_service/trained_models'; import { getUserConfirmationProvider } from './force_stop_dialog'; -import { useToastNotificationService } from '../../services/toast_notification_service'; +import { useToastNotificationService } from '../services/toast_notification_service'; import { getUserInputThreadingParamsProvider } from './deployment_setup'; -import { useMlKibana, useMlLocator, useNavigateToPath } from '../../contexts/kibana'; -import { getAnalysisType } from '../../../../common/util/analytics_utils'; -import { DataFrameAnalysisConfigType } from '../../../../common/types/data_frame_analytics'; -import { ML_PAGES } from '../../../../common/constants/locator'; -import { DEPLOYMENT_STATE, TRAINED_MODEL_TYPE } from '../../../../common/constants/trained_models'; +import { useMlKibana, useMlLocator, useNavigateToPath } from '../contexts/kibana'; +import { getAnalysisType } from '../../../common/util/analytics_utils'; +import { DataFrameAnalysisConfigType } from '../../../common/types/data_frame_analytics'; +import { ML_PAGES } from '../../../common/constants/locator'; +import { DEPLOYMENT_STATE, TRAINED_MODEL_TYPE } from '../../../common/constants/trained_models'; import { isTestable } from './test_models'; import { ModelItem } from './models_list'; 
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/model_link.tsx b/x-pack/plugins/ml/public/application/model_management/model_link.tsx
similarity index 85%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/model_link.tsx
rename to x-pack/plugins/ml/public/application/model_management/model_link.tsx
index 82a122cbaeb90..2acf8951dcd15 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/model_link.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/model_link.tsx
@@ -7,8 +7,8 @@

 import { EuiLink } from '@elastic/eui';
 import React, { FC } from 'react';
-import { useMlLink } from '../../contexts/kibana';
-import { ML_PAGES } from '../../../../common/constants/locator';
+import { useMlLink } from '../contexts/kibana';
+import { ML_PAGES } from '../../../common/constants/locator';

 export interface TrainedModelLinkProps {
 id: string;
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/models_list.tsx b/x-pack/plugins/ml/public/application/model_management/models_list.tsx
similarity index 94%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/models_list.tsx
rename to x-pack/plugins/ml/public/application/model_management/models_list.tsx
index 9fbd05d978eae..4d04e4b814254 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/models_list.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/models_list.tsx
@@ -29,25 +29,25 @@ import { usePageUrlState } from '@kbn/ml-url-state';
 import { useTimefilter } from '@kbn/ml-date-picker';
 import { useModelActions } from './model_actions';
 import { ModelsTableToConfigMapping } from '.';
-import { ModelsBarStats, StatsBar } from '../../components/stats_bar';
-import { useMlKibana } from '../../contexts/kibana';
-import { useTrainedModelsApiService } from '../../services/ml_api_service/trained_models';
+import { ModelsBarStats, StatsBar } from '../components/stats_bar';
+import { useMlKibana } from '../contexts/kibana';
+import { useTrainedModelsApiService } from '../services/ml_api_service/trained_models';
 import {
 ModelPipelines,
 TrainedModelConfigResponse,
 TrainedModelStat,
-} from '../../../../common/types/trained_models';
-import { BUILT_IN_MODEL_TAG } from '../../../../common/constants/data_frame_analytics';
+} from '../../../common/types/trained_models';
+import { BUILT_IN_MODEL_TAG } from '../../../common/constants/data_frame_analytics';
 import { DeleteModelsModal } from './delete_models_modal';
-import { ML_PAGES } from '../../../../common/constants/locator';
-import { ListingPageUrlState } from '../../../../common/types/common';
+import { ML_PAGES } from '../../../common/constants/locator';
+import { ListingPageUrlState } from '../../../common/types/common';
 import { ExpandedRow } from './expanded_row';
-import { useTableSettings } from '../../data_frame_analytics/pages/analytics_management/components/analytics_list/use_table_settings';
-import { useToastNotificationService } from '../../services/toast_notification_service';
-import { useFieldFormatter } from '../../contexts/kibana/use_field_formatter';
-import { useRefresh } from '../../routing/use_refresh';
-import { BUILT_IN_MODEL_TYPE } from '../../../../common/constants/trained_models';
-import { SavedObjectsWarning } from '../../components/saved_objects_warning';
+import { useTableSettings } from
'../data_frame_analytics/pages/analytics_management/components/analytics_list/use_table_settings';
+import { useToastNotificationService } from '../services/toast_notification_service';
+import { useFieldFormatter } from '../contexts/kibana/use_field_formatter';
+import { useRefresh } from '../routing/use_refresh';
+import { BUILT_IN_MODEL_TYPE } from '../../../common/constants/trained_models';
+import { SavedObjectsWarning } from '../components/saved_objects_warning';
 import { TestTrainedModelFlyout } from './test_models';
 type Stats = Omit;
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/expanded_row.tsx b/x-pack/plugins/ml/public/application/model_management/pipelines/expanded_row.tsx
similarity index 97%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/expanded_row.tsx
rename to x-pack/plugins/ml/public/application/model_management/pipelines/expanded_row.tsx
index 86284bd23796b..24b45659938e7 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/expanded_row.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/pipelines/expanded_row.tsx
@@ -12,9 +12,9 @@ import { FormattedMessage } from '@kbn/i18n-react';
 import { EuiBasicTableColumn } from '@elastic/eui/src/components/basic_table/basic_table';
 import { i18n } from '@kbn/i18n';
 import { FIELD_FORMAT_IDS } from '@kbn/field-formats-plugin/common';
-import { useFieldFormatter } from '../../../contexts/kibana/use_field_formatter';
+import { useFieldFormatter } from '../../contexts/kibana/use_field_formatter';
 import { IngestStatsResponse } from './pipelines';
-import { HelpIcon } from '../../../components/help_icon';
+import { HelpIcon } from '../../components/help_icon';
 interface ProcessorsStatsProps {
 stats: Exclude['pipelines'][string]['processors'];
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/index.ts b/x-pack/plugins/ml/public/application/model_management/pipelines/index.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/index.ts
rename to x-pack/plugins/ml/public/application/model_management/pipelines/index.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/pipelines.tsx b/x-pack/plugins/ml/public/application/model_management/pipelines/pipelines.tsx
similarity index 98%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/pipelines.tsx
rename to x-pack/plugins/ml/public/application/model_management/pipelines/pipelines.tsx
index 6ea883ed84706..ac8156ae0053b 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/pipelines/pipelines.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/pipelines/pipelines.tsx
@@ -16,7 +16,7 @@ import {
 EuiAccordion,
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
-import { useMlKibana } from '../../../contexts/kibana';
+import { useMlKibana } from '../../contexts/kibana';
 import { ModelItem } from '../models_list';
 import { ProcessorsStats } from './expanded_row';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/index.ts b/x-pack/plugins/ml/public/application/model_management/test_models/index.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/index.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/index.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/inference_error.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/inference_error.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/inference_error.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/inference_error.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/index.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/index.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/index.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/index.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/index_input.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/index_input.tsx
similarity index 99%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/index_input.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/index_input.tsx
index 484515f4a59cf..c80a84c5e1f4a 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/index_input.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/index_input.tsx
@@ -14,7 +14,7 @@ import { EuiSpacer, EuiSelect, EuiFormRow, EuiAccordion, EuiCodeBlock } from '@e
 import { isPopulatedObject } from '@kbn/ml-is-populated-object';
 import { i18n } from '@kbn/i18n';
-import { useMlKibana } from '../../../../contexts/kibana';
+import { useMlKibana } from '../../../contexts/kibana';
 import { RUNNING_STATE } from './inference_base';
 import type { InferrerType } from '.';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_base.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_base.ts
similarity index 97%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_base.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/inference_base.ts
index 28b3073cfbb14..355137faeb1af 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_base.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_base.ts
@@ -10,9 +10,9 @@ import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { i18n } from '@kbn/i18n';
 import { map } from 'rxjs/operators';
-import { MLHttpFetchError } from '../../../../../../common/util/errors';
-import { SupportedPytorchTasksType } from '../../../../../../common/constants/trained_models';
-import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models';
+import { MLHttpFetchError } from '../../../../../common/util/errors';
+import { SupportedPytorchTasksType } from '../../../../../common/constants/trained_models';
+import { trainedModelsApiProvider } from '../../../services/ml_api_service/trained_models';
 import { getInferenceInfoComponent } from './inference_info';
 export type InferenceType =
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_info.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_info.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_info.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/inference_info.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/index.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/index.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/index.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/index.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/index_input.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/index_input.tsx
similarity index 98%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/index_input.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/index_input.tsx
index 02a9a217f547a..5060f0033fd6c 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/index_input.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/index_input.tsx
@@ -22,7 +22,7 @@ import {
 } from '@elastic/eui';
 import { ErrorMessage } from '../../inference_error';
-import { extractErrorMessage } from '../../../../../../../common';
+import { extractErrorMessage } from '../../../../../../common';
 import type { InferrerType } from '..';
 import { useIndexInput, InferenceInputFormIndexControls } from '../index_input';
 import { RUNNING_STATE } from '../inference_base';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/inference_input_form.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/inference_input_form.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/inference_input_form.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/inference_input_form.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/text_input.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/text_input.tsx
similarity index 98%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/text_input.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/text_input.tsx
index eda62469515ee..3446bda477b4a 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/inference_input_form/text_input.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/inference_input_form/text_input.tsx
@@ -12,7 +12,7 @@ import { FormattedMessage } from '@kbn/i18n-react';
 import { EuiSpacer, EuiButton, EuiTabs, EuiTab, EuiForm } from '@elastic/eui';
 import { ErrorMessage } from '../../inference_error';
-import { extractErrorMessage } from '../../../../../../../common';
+import { extractErrorMessage } from '../../../../../../common';
 import type { InferrerType } from '..';
 import { OutputLoadingContent } from '../../output_loading';
 import { RUNNING_STATE } from '../inference_base';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/index.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/ner/index.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/index.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/ner/index.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/ner_inference.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/ner/ner_inference.ts
similarity index 95%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/ner_inference.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/ner/ner_inference.ts
index 94ec27ce0c4aa..4330684086909 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/ner_inference.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/ner/ner_inference.ts
@@ -7,12 +7,12 @@ import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { i18n } from '@kbn/i18n';
-import { trainedModelsApiProvider } from '../../../../../services/ml_api_service/trained_models';
+import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models';
 import { InferenceBase, INPUT_TYPE } from '../inference_base';
 import type { InferResponse } from '../inference_base';
 import { getGeneralInputComponent } from '../text_input';
 import { getNerOutputComponent } from './ner_output';
-import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../../common/constants/trained_models';
+import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../common/constants/trained_models';
 export type FormattedNerResponse = Array<{
 value: string;
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/ner_output.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/ner/ner_output.tsx
similarity index 98%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/ner_output.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/ner/ner_output.tsx
index 9baeb3d0afb6b..90b416b817b87 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/ner/ner_output.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/ner/ner_output.tsx
@@ -21,7 +21,7 @@ import {
 import {
 useCurrentEuiTheme,
 EuiThemeType,
-} from '../../../../../components/color_range_legend/use_color_range';
+} from '../../../../components/color_range_legend/use_color_range';
 import type { NerInference, NerResponse } from './ner_inference';
 import { INPUT_TYPE } from '../inference_base';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/index.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/index.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/index.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/index.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_inference.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_inference.ts
similarity index 96%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_inference.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_inference.ts
index eb132ce2e3fdd..0555b5779900b 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_inference.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_inference.ts
@@ -13,8 +13,8 @@ import { InferenceBase, INPUT_TYPE } from '../inference_base';
 import type { InferResponse } from '../inference_base';
 import { getQuestionAnsweringInput } from './question_answering_input';
 import { getQuestionAnsweringOutputComponent } from './question_answering_output';
-import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../../common/constants/trained_models';
-import { trainedModelsApiProvider } from '../../../../../services/ml_api_service/trained_models';
+import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../common/constants/trained_models';
+import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models';
 export interface RawQuestionAnsweringResponse {
 inference_results: Array<{
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_input.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_input.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_input.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_input.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_output.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_output.tsx
similarity index 95%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_output.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_output.tsx
index 03bb94646635d..54a2a61855758 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/question_answering/question_answering_output.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/question_answering/question_answering_output.tsx
@@ -10,7 +10,7 @@ import useObservable from 'react-use/lib/useObservable';
 import { EuiBadge, EuiHorizontalRule } from '@elastic/eui';
-import { useCurrentEuiTheme } from '../../../../../components/color_range_legend/use_color_range';
+import { useCurrentEuiTheme } from '../../../../components/color_range_legend/use_color_range';
 import type {
 QuestionAnsweringInference,
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/raw_output.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/raw_output.tsx
similarity index 96%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/raw_output.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/raw_output.tsx
index 6656333f259f8..59ffa21e9945a 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/raw_output.tsx
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/raw_output.tsx
@@ -9,7 +9,7 @@ import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import React, { FC } from 'react';
 import { Observable } from 'rxjs';
 import useObservable from 'react-use/lib/useObservable';
-import { MLJobEditor } from '../../../../jobs/jobs_list/components/ml_job_editor';
+import { MLJobEditor } from '../../../jobs/jobs_list/components/ml_job_editor';
 import type { InferrerType } from '.';
 import { NerResponse } from './ner';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/common.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/common.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/common.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/common.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/fill_mask_inference.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/fill_mask_inference.ts
similarity index 93%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/fill_mask_inference.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/fill_mask_inference.ts
index 2dd72529e7b7d..de3ac2528df5e 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/fill_mask_inference.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/fill_mask_inference.ts
@@ -13,8 +13,8 @@ import type { TextClassificationResponse, RawTextClassificationResponse } from '
 import { processResponse, processInferenceResult } from './common';
 import { getGeneralInputComponent } from '../text_input';
 import { getFillMaskOutputComponent } from './fill_mask_output';
-import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../../common/constants/trained_models';
-import { trainedModelsApiProvider } from '../../../../../services/ml_api_service/trained_models';
+import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../common/constants/trained_models';
+import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models';
 const MASK = '[MASK]';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/fill_mask_output.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/fill_mask_output.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/fill_mask_output.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/fill_mask_output.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/index.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/index.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/index.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/index.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/lang_codes.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/lang_codes.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/lang_codes.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/lang_codes.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/lang_ident_inference.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/lang_ident_inference.ts
similarity index 96%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/lang_ident_inference.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/lang_ident_inference.ts
index 2309a8885e989..ff6565de32b19 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/lang_ident_inference.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/lang_ident_inference.ts
@@ -13,7 +13,7 @@ import { processInferenceResult, processResponse } from './common';
 import { getGeneralInputComponent } from '../text_input';
 import { getLangIdentOutputComponent } from './lang_ident_output';
 import type { TextClassificationResponse, RawTextClassificationResponse } from './common';
-import { trainedModelsApiProvider } from '../../../../../services/ml_api_service/trained_models';
+import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models';
 export class LangIdentInference extends InferenceBase {
 protected inferenceType: InferenceType = 'classification';
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/lang_ident_output.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/lang_ident_output.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/lang_ident_output.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/lang_ident_output.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/text_classification_inference.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/text_classification_inference.ts
similarity index 93%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/text_classification_inference.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/text_classification_inference.ts
index 783483c161d2e..0bb9640327548 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/text_classification_inference.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/text_classification_inference.ts
@@ -12,8 +12,8 @@ import { processInferenceResult, processResponse } from './common';
 import type { TextClassificationResponse, RawTextClassificationResponse } from './common';
 import { getGeneralInputComponent } from '../text_input';
 import { getTextClassificationOutputComponent } from './text_classification_output';
-import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../../common/constants/trained_models';
-import { trainedModelsApiProvider } from '../../../../../services/ml_api_service/trained_models';
+import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../common/constants/trained_models';
+import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models';
 export class TextClassificationInference extends InferenceBase {
 protected inferenceType = SUPPORTED_PYTORCH_TASKS.TEXT_CLASSIFICATION;
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/text_classification_output.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/text_classification_output.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/text_classification_output.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/text_classification_output.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/zero_shot_classification_inference.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/zero_shot_classification_inference.ts
similarity index 95%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/zero_shot_classification_inference.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/zero_shot_classification_inference.ts
index de8ccbf99cbf5..8b04bb1ec8155 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/zero_shot_classification_inference.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/zero_shot_classification_inference.ts
@@ -9,14 +9,14 @@ import { i18n } from '@kbn/i18n';
 import { BehaviorSubject } from 'rxjs';
 import { map } from 'rxjs/operators';
 import { estypes } from '@elastic/elasticsearch';
-import { trainedModelsApiProvider } from '../../../../../services/ml_api_service/trained_models';
+import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models';
 import { InferenceBase, INPUT_TYPE } from '../inference_base';
 import { processInferenceResult, processResponse } from './common';
 import type { TextClassificationResponse, RawTextClassificationResponse } from './common';
 import { getZeroShotClassificationInput } from './zero_shot_classification_input';
 import { getTextClassificationOutputComponent } from './text_classification_output';
-import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../../common/constants/trained_models';
+import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../common/constants/trained_models';
 export class ZeroShotClassificationInference extends InferenceBase {
 protected inferenceType = SUPPORTED_PYTORCH_TASKS.ZERO_SHOT_CLASSIFICATION;
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/zero_shot_classification_input.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/zero_shot_classification_input.tsx
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_classification/zero_shot_classification_input.tsx
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_classification/zero_shot_classification_input.tsx
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_embedding/index.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_embedding/index.ts
similarity index 100%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_embedding/index.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_embedding/index.ts
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_embedding/text_embedding_inference.ts b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_embedding/text_embedding_inference.ts
similarity index 94%
rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_embedding/text_embedding_inference.ts
rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_embedding/text_embedding_inference.ts
index 961d71fdc452a..cbc6fd8edca68 100644
--- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_embedding/text_embedding_inference.ts
+++ b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_embedding/text_embedding_inference.ts
@@ -11,8 +11,8 @@ import { InferenceBase, INPUT_TYPE } from '../inference_base'; import type { InferResponse } from '../inference_base'; import { getGeneralInputComponent } from '../text_input'; import { getTextEmbeddingOutputComponent } from './text_embedding_output'; -import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../../common/constants/trained_models'; -import { trainedModelsApiProvider } from '../../../../../services/ml_api_service/trained_models'; +import { SUPPORTED_PYTORCH_TASKS } from '../../../../../../common/constants/trained_models'; +import { trainedModelsApiProvider } from '../../../../services/ml_api_service/trained_models'; export interface RawTextEmbeddingResponse { inference_results: Array<{ predicted_value: number[] }>; diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_embedding/text_embedding_output.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_embedding/text_embedding_output.tsx similarity index 100% rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_embedding/text_embedding_output.tsx rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_embedding/text_embedding_output.tsx diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_input.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/models/text_input.tsx similarity index 100% rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/models/text_input.tsx rename to x-pack/plugins/ml/public/application/model_management/test_models/models/text_input.tsx 
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/output_loading.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/output_loading.tsx similarity index 100% rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/output_loading.tsx rename to x-pack/plugins/ml/public/application/model_management/test_models/output_loading.tsx diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/selected_model.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/selected_model.tsx similarity index 95% rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/selected_model.tsx rename to x-pack/plugins/ml/public/application/model_management/test_models/selected_model.tsx index 3f992b9d4aa28..d0dee3e32a1b3 100644 --- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/selected_model.tsx +++ b/x-pack/plugins/ml/public/application/model_management/test_models/selected_model.tsx @@ -23,8 +23,8 @@ import { TextEmbeddingInference } from './models/text_embedding'; import { TRAINED_MODEL_TYPE, SUPPORTED_PYTORCH_TASKS, -} from '../../../../../common/constants/trained_models'; -import { useMlApiContext } from '../../../contexts/kibana'; +} from '../../../../common/constants/trained_models'; +import { useMlApiContext } from '../../contexts/kibana'; import { InferenceInputForm } from './models/inference_input_form'; import { InferrerType } from './models'; import { INPUT_TYPE } from './models/inference_base'; 
diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/test_flyout.tsx b/x-pack/plugins/ml/public/application/model_management/test_models/test_flyout.tsx similarity index 96% rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/test_flyout.tsx rename to x-pack/plugins/ml/public/application/model_management/test_models/test_flyout.tsx index 6804a654711cf..1ee8a853bb477 100644 --- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/test_flyout.tsx +++ b/x-pack/plugins/ml/public/application/model_management/test_models/test_flyout.tsx @@ -22,7 +22,7 @@ import { import { SelectedModel } from './selected_model'; import { INPUT_TYPE } from './models/inference_base'; -import { useTrainedModelsApiService } from '../../../services/ml_api_service/trained_models'; +import { useTrainedModelsApiService } from '../../services/ml_api_service/trained_models'; interface Props { modelId: string; diff --git a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/utils.ts b/x-pack/plugins/ml/public/application/model_management/test_models/utils.ts similarity index 85% rename from x-pack/plugins/ml/public/application/trained_models/models_management/test_models/utils.ts rename to x-pack/plugins/ml/public/application/model_management/test_models/utils.ts index de38ac9b86c39..431845d9c74e3 100644 --- a/x-pack/plugins/ml/public/application/trained_models/models_management/test_models/utils.ts +++ b/x-pack/plugins/ml/public/application/model_management/test_models/utils.ts 
@@ -9,8 +9,8 @@ import { TRAINED_MODEL_TYPE, DEPLOYMENT_STATE, SUPPORTED_PYTORCH_TASKS, -} from '../../../../../common/constants/trained_models'; -import type { SupportedPytorchTasksType } from '../../../../../common/constants/trained_models'; +} from '../../../../common/constants/trained_models'; +import type { SupportedPytorchTasksType } from '../../../../common/constants/trained_models'; import type { ModelItem } from '../models_list'; const PYTORCH_TYPES = Object.values(SUPPORTED_PYTORCH_TASKS); diff --git a/x-pack/plugins/ml/public/application/overview/overview_page.tsx b/x-pack/plugins/ml/public/application/overview/overview_page.tsx index b6cd342eb11e9..b524bbe27f080 100644 --- a/x-pack/plugins/ml/public/application/overview/overview_page.tsx +++ b/x-pack/plugins/ml/public/application/overview/overview_page.tsx @@ -19,11 +19,13 @@ import { SavedObjectsWarning } from '../components/saved_objects_warning'; import { UpgradeWarning } from '../components/upgrade'; import { HelpMenu } from '../components/help_menu'; import { useMlKibana } from '../contexts/kibana'; -import { NodesList } from '../trained_models/nodes_overview'; +import { NodesList } from '../memory_usage/nodes_overview'; import { MlPageHeader } from '../components/page_header'; import { PageTitle } from '../components/page_title'; +import { useIsServerless } from '../contexts/kibana/use_is_serverless'; export const OverviewPage: FC = () => { + const serverless = useIsServerless(); const canViewMlNodes = checkPermission('canViewMlNodes'); const disableCreateAnomalyDetectionJob = !checkPermission('canCreateJob') || !mlNodesAvailable(); @@ -62,7 +64,7 @@ export const OverviewPage: FC = () => { - {canViewMlNodes ? ( + {canViewMlNodes && serverless === false ? ( <> diff --git a/x-pack/plugins/ml/public/application/routing/routes/index.ts b/x-pack/plugins/ml/public/application/routing/routes/index.ts index 3b481ab6cde59..c25fa9a01a1dd 100644 
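Review bot: The overview hides the nodes list behind `canViewMlNodes && serverless === false`, but the new memory-usage route added later in this diff (`routes/memory_usage.tsx`) carries no equivalent serverless gate, so the same node data presumably stays reachable by URL on serverless deployments. If hiding it is a product or exposure decision rather than cosmetic, the route factory or its resolver should apply the same check, otherwise the gate here is only a UI convenience. The strict `=== false` comparison also means an `undefined` result from `useIsServerless()` hides the section; if that is intentional, a one-line comment such as `// hidden unless we positively know this is not serverless` would make the fail-closed choice explicit. The enclosing `OverviewPage` body continues outside the hunk.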
--- a/x-pack/plugins/ml/public/application/routing/routes/index.ts
+++ b/x-pack/plugins/ml/public/application/routing/routes/index.ts
@@ -17,3 +17,4 @@ export * from './explorer';
 export * from './access_denied';
 export * from './trained_models';
 export * from './notifications';
+export * from './memory_usage';
diff --git a/x-pack/plugins/ml/public/application/routing/routes/memory_usage.tsx b/x-pack/plugins/ml/public/application/routing/routes/memory_usage.tsx
new file mode 100644
index 0000000000000..a10eb9610667b
--- /dev/null
+++ b/x-pack/plugins/ml/public/application/routing/routes/memory_usage.tsx
@@ -0,0 +1,53 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { FC } from 'react'; +import { i18n } from '@kbn/i18n'; +import { ML_PAGES } from '../../../locator'; +import { NavigateToPath } from '../../contexts/kibana'; +import { MlRoute, PageLoader, PageProps, createPath } from '../router'; +import { useResolver } from '../use_resolver'; +import { basicResolvers } from '../resolvers'; +import { getBreadcrumbWithUrlForApp } from '../breadcrumbs'; +import { MemoryUsagePage } from '../../memory_usage'; + +export const nodesListRouteFactory = ( + navigateToPath: NavigateToPath, + basePath: string +): MlRoute => ({ + path: createPath(ML_PAGES.MEMORY_USAGE), + render: (props, deps) => , + title: i18n.translate('xpack.ml.modelManagement.memoryUsage.docTitle', { + defaultMessage: 'Memory Usage', + }), + breadcrumbs: [ + getBreadcrumbWithUrlForApp('ML_BREADCRUMB', navigateToPath, basePath), + { + text: i18n.translate('xpack.ml.trainedModelsBreadcrumbs.nodeOverviewLabel', { + defaultMessage: 'Memory Usage', + }), + }, + ], + enableDatePicker: true, +}); + +const PageWrapper: FC = ({ location, deps }) => { + const { context } = useResolver( + undefined, + undefined, + deps.config, + deps.dataViewsContract, + deps.getSavedSearchDeps, + basicResolvers(deps) + ); + + return ( + + + + ); +}; diff --git a/x-pack/plugins/ml/public/application/routing/routes/trained_models/index.ts b/x-pack/plugins/ml/public/application/routing/routes/trained_models/index.ts index 53b9ffd0ee87e..d69a2256335e3 100644 --- a/x-pack/plugins/ml/public/application/routing/routes/trained_models/index.ts +++ b/x-pack/plugins/ml/public/application/routing/routes/trained_models/index.ts @@ -6,4 +6,3 @@ */ export * from './models_list'; -export * from './nodes_list'; 
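Review bot: The breadcrumb reuses the translation id `xpack.ml.trainedModelsBreadcrumbs.nodeOverviewLabel` while changing its `defaultMessage` from 'Nodes' (see the deleted `nodes_list.tsx` in this diff) to 'Memory Usage'; existing locale bundles are keyed on the id, so translated UIs will keep showing "Nodes" until the id is changed to a fresh one (constructed example: `xpack.ml.memoryUsageBreadcrumbs.memoryUsageLabel`). The factory is still named `nodesListRouteFactory` although it now builds the memory-usage route; renaming it to `memoryUsageRouteFactory` at the export and its call site would avoid confusion with the deleted nodes route. The deleted route also called `useTimefilter({ timeRangeSelector: false, autoRefreshSelector: true })` in its `PageWrapper`, and the new one does not; if the memory-usage page is meant to ignore the time range, that call appears to have been lost in the move, otherwise a short comment stating the page is time-range aware would be helpful.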
diff --git a/x-pack/plugins/ml/public/application/routing/routes/trained_models/models_list.tsx b/x-pack/plugins/ml/public/application/routing/routes/trained_models/models_list.tsx index 46fd368829344..e1d093f9003e7 100644 --- a/x-pack/plugins/ml/public/application/routing/routes/trained_models/models_list.tsx +++ b/x-pack/plugins/ml/public/application/routing/routes/trained_models/models_list.tsx @@ -15,7 +15,7 @@ import { createPath, MlRoute, PageLoader, PageProps } from '../../router'; import { useResolver } from '../../use_resolver'; import { basicResolvers } from '../../resolvers'; import { getBreadcrumbWithUrlForApp } from '../../breadcrumbs'; -import { ModelsList } from '../../../trained_models/models_management'; +import { ModelsList } from '../../../model_management'; import { MlPageHeader } from '../../../components/page_header'; export const modelsListRouteFactory = ( @@ -52,7 +52,6 @@ const PageWrapper: FC = ({ location, deps }) => { ); return ( - @@ -63,6 +62,7 @@ const PageWrapper: FC = ({ location, deps }) => { + ); }; diff --git a/x-pack/plugins/ml/public/application/routing/routes/trained_models/nodes_list.tsx b/x-pack/plugins/ml/public/application/routing/routes/trained_models/nodes_list.tsx deleted file mode 100644 index 78d99daf0d2d7..0000000000000 --- a/x-pack/plugins/ml/public/application/routing/routes/trained_models/nodes_list.tsx +++ /dev/null 
@@ -1,68 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React, { FC } from 'react'; -import { FormattedMessage } from '@kbn/i18n-react'; -import { i18n } from '@kbn/i18n'; -import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; -import { useTimefilter } from '@kbn/ml-date-picker'; -import { ML_PAGES } from '../../../../locator'; -import { NavigateToPath } from '../../../contexts/kibana'; -import { createPath, MlRoute, PageLoader, PageProps } from '../../router'; -import { useResolver } from '../../use_resolver'; -import { basicResolvers } from '../../resolvers'; -import { getBreadcrumbWithUrlForApp } from '../../breadcrumbs'; -import { NodesList } from '../../../trained_models/nodes_overview'; -import { MlPageHeader } from '../../../components/page_header'; - -export const nodesListRouteFactory = ( - navigateToPath: NavigateToPath, - basePath: string -): MlRoute => ({ - path: createPath(ML_PAGES.TRAINED_MODELS_NODES), - render: (props, deps) => , - title: i18n.translate('xpack.ml.modelManagement.nodesOverview.docTitle', { - defaultMessage: 'Nodes', - }), - breadcrumbs: [ - getBreadcrumbWithUrlForApp('ML_BREADCRUMB', navigateToPath, basePath), - getBreadcrumbWithUrlForApp('TRAINED_MODELS', navigateToPath, basePath), - { - text: i18n.translate('xpack.ml.trainedModelsBreadcrumbs.nodeOverviewLabel', { - defaultMessage: 'Nodes', - }), - }, - ], - enableDatePicker: true, -}); - -const PageWrapper: FC = ({ location, deps }) => { - const { context } = useResolver( - undefined, - undefined, - deps.config, - deps.dataViewsContract, - deps.getSavedSearchDeps, - basicResolvers(deps) - ); - useTimefilter({ timeRangeSelector: false, autoRefreshSelector: true }); - return ( - - - - - - - - - - - ); -}; 
diff --git a/x-pack/plugins/ml/public/application/services/ml_api_service/trained_models.ts b/x-pack/plugins/ml/public/application/services/ml_api_service/trained_models.ts index 2d8864d755f3b..1548a298acd18 100644 --- a/x-pack/plugins/ml/public/application/services/ml_api_service/trained_models.ts +++ b/x-pack/plugins/ml/public/application/services/ml_api_service/trained_models.ts @@ -9,6 +9,7 @@ import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { useMemo } from 'react'; import { HttpFetchQuery } from '@kbn/core/public'; +import { MlSavedObjectType } from '../../../../common/types/saved_objects'; import { HttpService } from '../http_service'; import { basePath } from '.'; import { useMlKibana } from '../../contexts/kibana'; @@ -17,6 +18,7 @@ import type { ModelPipelines, TrainedModelStat, NodesOverviewResponse, + MemoryUsageInfo, } from '../../../../common/types/trained_models'; export interface InferenceQueryParams { @@ -119,7 +121,7 @@ export function trainedModelsApiProvider(httpService: HttpService) { getTrainedModelsNodesOverview() { return httpService.http({ - path: `${apiBasePath}/trained_models/nodes_overview`, + path: `${apiBasePath}/model_management/nodes_overview`, method: 'GET', }); }, @@ -185,6 +187,14 @@ export function trainedModelsApiProvider(httpService: HttpService) { body, }); }, + + memoryUsage(type?: MlSavedObjectType, node?: string, showClosedJobs = false) { + return httpService.http({ + path: `${apiBasePath}/model_management/memory_usage`, + method: 'GET', + query: { type, node, showClosedJobs }, + }); + }, }; } diff --git a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/expanded_row.tsx b/x-pack/plugins/ml/public/application/trained_models/nodes_overview/expanded_row.tsx deleted file mode 100644 index a6b6adc4fbc20..0000000000000 --- a/x-pack/plugins/ml/public/application/trained_models/nodes_overview/expanded_row.tsx +++ /dev/null 
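Review bot: The new `memoryUsage(type?, node?, showClosedJobs = false)` method passes `type` and `node` straight through as query parameters, and `MemoryUsageInfo` is imported in the same hunk but not visibly used; if the generic on `httpService.http` was stripped by rendering this is fine, otherwise the call should be `httpService.http<MemoryUsageInfo[]>({ ... })` so callers get a typed result. Since `type` is an `MlSavedObjectType` union on the client only, the server route behind `model_management/memory_usage` needs its own schema validation of `type`, `node` and `showClosedJobs` rather than relying on this signature. The `getTrainedModelsNodesOverview` path change from `trained_models/nodes_overview` to `model_management/nodes_overview` drops the old URL entirely; if that endpoint is part of the documented API, a deprecation alias or a note in the route change would be expected. The enclosing `trainedModelsApiProvider` starts outside the hunk.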
@@ -1,113 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React, { FC } from 'react'; -import { - EuiDescriptionList, - EuiFlexGrid, - EuiFlexItem, - EuiPanel, - EuiSpacer, - EuiTitle, -} from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n-react'; -import { cloneDeep } from 'lodash'; -import { FIELD_FORMAT_IDS } from '@kbn/field-formats-plugin/common'; -import { css } from '@emotion/react'; -import { NodeItem } from './nodes_list'; -import { useListItemsFormatter } from '../models_management/expanded_row'; -import { AllocatedModels } from './allocated_models'; -import { useFieldFormatter } from '../../contexts/kibana/use_field_formatter'; - -interface ExpandedRowProps { - item: NodeItem; -} - -export const ExpandedRow: FC = ({ item }) => { - const bytesFormatter = useFieldFormatter(FIELD_FORMAT_IDS.BYTES); - - const formatToListItems = useListItemsFormatter(); - - const { - allocated_models: allocatedModels, - attributes, - memory_overview: memoryOverview, - id, - ...details - } = cloneDeep(item); - - // Process node attributes - attributes['ml.machine_memory'] = bytesFormatter(attributes['ml.machine_memory']); - attributes['ml.max_jvm_size'] = bytesFormatter(attributes['ml.max_jvm_size']); - - return ( -
- - - - -
- -
-
- - -
-
- - - - -
- -
-
- - -
-
-
- - {allocatedModels.length > 0 ? ( - <> - - - -
- -
-
- - - -
- - ) : null} -
- ); -}; diff --git a/x-pack/plugins/ml/public/locator/formatters/trained_models.ts b/x-pack/plugins/ml/public/locator/formatters/trained_models.ts index e2526480bbfab..ddf4782005b42 100644 --- a/x-pack/plugins/ml/public/locator/formatters/trained_models.ts +++ b/x-pack/plugins/ml/public/locator/formatters/trained_models.ts @@ -6,10 +6,7 @@ */ import { setStateToKbnUrl } from '@kbn/kibana-utils-plugin/public'; -import type { - TrainedModelsNodesUrlState, - TrainedModelsUrlState, -} from '../../../common/types/locator'; +import type { MemoryUsageUrlState, TrainedModelsUrlState } from '../../../common/types/locator'; import { ML_PAGES } from '../../../common/constants/locator'; import type { AppPageState, ListingPageUrlState } from '../../../common/types/common'; @@ -41,11 +38,11 @@ export function formatTrainedModelsManagementUrl( return url; } -export function formatTrainedModelsNodesManagementUrl( +export function formatMemoryUsageUrl( appBasePath: string, - mlUrlGeneratorState: TrainedModelsNodesUrlState['pageState'] + mlUrlGeneratorState: MemoryUsageUrlState['pageState'] ): string { - let url = `${appBasePath}/${ML_PAGES.TRAINED_MODELS_NODES}`; + let url = `${appBasePath}/${ML_PAGES.MEMORY_USAGE}`; if (mlUrlGeneratorState) { const { nodeId } = mlUrlGeneratorState; if (nodeId) { @@ -54,7 +51,7 @@ export function formatTrainedModelsNodesManagementUrl( }; const queryState: AppPageState = { - [ML_PAGES.TRAINED_MODELS_NODES]: nodesListState, + [ML_PAGES.MEMORY_USAGE]: nodesListState, }; url = setStateToKbnUrl>( diff --git a/x-pack/plugins/ml/public/locator/ml_locator.ts b/x-pack/plugins/ml/public/locator/ml_locator.ts index 8f9e83fa12034..765af5da1cf9d 100644 --- a/x-pack/plugins/ml/public/locator/ml_locator.ts +++ b/x-pack/plugins/ml/public/locator/ml_locator.ts 
@@ -29,7 +29,7 @@ import { } from './formatters'; import { formatTrainedModelsManagementUrl, - formatTrainedModelsNodesManagementUrl, + formatMemoryUsageUrl, } from './formatters/trained_models'; export type { MlLocatorParams, MlLocator }; @@ -74,8 +74,8 @@ export class MlLocatorDefinition implements LocatorDefinition { case ML_PAGES.TRAINED_MODELS_MANAGE: path = formatTrainedModelsManagementUrl('', params.pageState); break; - case ML_PAGES.TRAINED_MODELS_NODES: - path = formatTrainedModelsNodesManagementUrl('', params.pageState); + case ML_PAGES.MEMORY_USAGE: + path = formatMemoryUsageUrl('', params.pageState); break; case ML_PAGES.ANOMALY_DETECTION_CREATE_JOB: case ML_PAGES.ANOMALY_DETECTION_CREATE_JOB_RECOGNIZER: diff --git a/x-pack/plugins/ml/public/register_helper/register_search_links/search_deep_links.ts b/x-pack/plugins/ml/public/register_helper/register_search_links/search_deep_links.ts index 979027ba30f55..ab8b15c94e260 100644 --- a/x-pack/plugins/ml/public/register_helper/register_search_links/search_deep_links.ts +++ b/x-pack/plugins/ml/public/register_helper/register_search_links/search_deep_links.ts @@ -49,11 +49,11 @@ const MODEL_MANAGEMENT_DEEP_LINK: AppDeepLink = { path: `/${ML_PAGES.TRAINED_MODELS_MANAGE}`, }, { - id: 'mlNodesOverviewDeepLink', - title: i18n.translate('xpack.ml.deepLink.nodesOverview', { - defaultMessage: 'Nodes', + id: 'mlMemoryUsageDeepLink', + title: i18n.translate('xpack.ml.deepLink.memoryUsage', { + defaultMessage: 'Memory usage', }), - path: `/${ML_PAGES.TRAINED_MODELS_NODES}`, + path: `/${ML_PAGES.MEMORY_USAGE}`, }, ], }; diff --git a/x-pack/plugins/ml/server/models/data_frame_analytics/index.ts b/x-pack/plugins/ml/server/models/data_frame_analytics/index.ts index 75c98bed17b8e..7385ba566269c 100644 --- a/x-pack/plugins/ml/server/models/data_frame_analytics/index.ts +++ b/x-pack/plugins/ml/server/models/data_frame_analytics/index.ts 
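Review bot: In `search_deep_links.ts` the deep link id changes from `mlNodesOverviewDeepLink` to `mlMemoryUsageDeepLink` with no alias, so anything that navigates by the old id (solution navigation config, other plugins, stored shortcuts) would presumably resolve to nothing after this commit; a quick grep for the old id outside this diff, or a short comment on the new entry noting the rename, would close that gap. The `ml_locator.ts` hunk on this line keeps the old `ML_PAGES.TRAINED_MODELS_NODES` case removed rather than mapped, which is consistent with the deep link change but has the same compatibility implication for previously generated locator params.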
@@ -6,5 +6,4 @@ */ export { analyticsAuditMessagesProvider } from './analytics_audit_messages'; -export { modelsProvider } from './models_provider'; export { AnalyticsManager } from './analytics_manager'; diff --git a/x-pack/plugins/ml/server/models/data_frame_analytics/models_provider.ts b/x-pack/plugins/ml/server/models/data_frame_analytics/models_provider.ts deleted file mode 100644 index ccb60e6379e48..0000000000000 --- a/x-pack/plugins/ml/server/models/data_frame_analytics/models_provider.ts +++ /dev/null 
@@ -1,220 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import type { IScopedClusterClient } from '@kbn/core/server'; -import { pick } from 'lodash'; -import { - MlTrainedModelStats, - NodesInfoNodeInfo, -} from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { isDefined } from '@kbn/ml-is-defined'; -import type { - NodeDeploymentStatsResponse, - PipelineDefinition, - NodesOverviewResponse, -} from '../../../common/types/trained_models'; -import type { MlClient } from '../../lib/ml_client'; -import { - TrainedModelDeploymentStatsResponse, - TrainedModelModelSizeStats, -} from '../../../common/types/trained_models'; - -export type ModelService = ReturnType; - -const NODE_FIELDS = ['attributes', 'name', 'roles'] as const; - -export type RequiredNodeFields = Pick; - -// @ts-expect-error TrainedModelDeploymentStatsResponse missing properties from MlTrainedModelDeploymentStats -interface TrainedModelStatsResponse extends MlTrainedModelStats { - deployment_stats?: Omit; - model_size_stats?: TrainedModelModelSizeStats; -} - -export interface MemoryStatsResponse { - _nodes: { total: number; failed: number; successful: number }; - cluster_name: string; - nodes: Record< - string, - { - jvm: { - heap_max_in_bytes: number; - java_inference_in_bytes: number; - java_inference_max_in_bytes: number; - }; - mem: { - adjusted_total_in_bytes: number; - total_in_bytes: number; - ml: { - data_frame_analytics_in_bytes: number; - native_code_overhead_in_bytes: number; - max_in_bytes: number; - anomaly_detectors_in_bytes: number; - native_inference_in_bytes: number; - }; - }; - transport_address: string; - roles: string[]; - name: string; - attributes: Record<`${'ml.'}${string}`, string>; - ephemeral_id: string; - } - >; -} - -export function 
modelsProvider(client: IScopedClusterClient, mlClient: MlClient) { - return { - /** - * Retrieves the map of model ids and aliases with associated pipelines. - * @param modelIds - Array of models ids and model aliases. - */ - async getModelsPipelines(modelIds: string[]) { - const modelIdsMap = new Map | null>( - modelIds.map((id: string) => [id, null]) - ); - - try { - const body = await client.asCurrentUser.ingest.getPipeline(); - - for (const [pipelineName, pipelineDefinition] of Object.entries(body)) { - const { processors } = pipelineDefinition as { processors: Array> }; - - for (const processor of processors) { - const id = processor.inference?.model_id; - if (modelIdsMap.has(id)) { - const obj = modelIdsMap.get(id); - if (obj === null) { - modelIdsMap.set(id, { [pipelineName]: pipelineDefinition }); - } else { - obj![pipelineName] = pipelineDefinition; - } - } - } - } - } catch (error) { - if (error.statusCode === 404) { - // ES returns 404 when there are no pipelines - // Instead, we should return the modelIdsMap and a 200 - return modelIdsMap; - } - throw error; - } - - return modelIdsMap; - }, - - /** - * Provides the ML nodes overview with allocated models. - */ - async getNodesOverview(): Promise { - // TODO set node_id to ml:true when elasticsearch client is updated. 
- const response = (await mlClient.getMemoryStats()) as MemoryStatsResponse; - - const { trained_model_stats: trainedModelStats } = await mlClient.getTrainedModelsStats({ - size: 10000, - }); - - const mlNodes = Object.entries(response.nodes).filter(([, node]) => - node.roles.includes('ml') - ); - - const nodeDeploymentStatsResponses: NodeDeploymentStatsResponse[] = mlNodes.map( - ([nodeId, node]) => { - const nodeFields = pick(node, NODE_FIELDS) as RequiredNodeFields; - - nodeFields.attributes = nodeFields.attributes; - - const allocatedModels = (trainedModelStats as TrainedModelStatsResponse[]) - .filter( - (d) => - isDefined(d.deployment_stats) && - isDefined(d.deployment_stats.nodes) && - d.deployment_stats.nodes.some((n) => Object.keys(n.node)[0] === nodeId) - ) - .map((d) => { - const modelSizeState = d.model_size_stats; - const deploymentStats = d.deployment_stats; - - if (!deploymentStats || !modelSizeState) { - throw new Error('deploymentStats or modelSizeState not defined'); - } - - const { nodes, ...rest } = deploymentStats; - - const { node: tempNode, ...nodeRest } = nodes.find( - (v) => Object.keys(v.node)[0] === nodeId - )!; - return { - model_id: d.model_id, - ...rest, - ...modelSizeState, - node: nodeRest, - }; - }); - - const modelsMemoryUsage = allocatedModels.map((v) => { - return { - model_id: v.model_id, - model_size: v.required_native_memory_bytes, - }; - }); - - const memoryRes = { - adTotalMemory: node.mem.ml.anomaly_detectors_in_bytes, - dfaTotalMemory: node.mem.ml.data_frame_analytics_in_bytes, - trainedModelsTotalMemory: node.mem.ml.native_inference_in_bytes, - }; - - for (const key of Object.keys(memoryRes)) { - if (memoryRes[key as keyof typeof memoryRes] > 0) { - /** - * The amount of memory needed to load the ML native code shared libraries. The assumption is that the first - * ML job to run on a given node will do this, and then subsequent ML jobs on the same node will reuse the - * same already-loaded code. 
- */ - memoryRes[key as keyof typeof memoryRes] += node.mem.ml.native_code_overhead_in_bytes; - break; - } - } - - return { - id: nodeId, - ...nodeFields, - allocated_models: allocatedModels, - memory_overview: { - machine_memory: { - total: node.mem.adjusted_total_in_bytes, - jvm: node.jvm.heap_max_in_bytes, - }, - anomaly_detection: { - total: memoryRes.adTotalMemory, - }, - dfa_training: { - total: memoryRes.dfaTotalMemory, - }, - trained_models: { - total: memoryRes.trainedModelsTotalMemory, - by_model: modelsMemoryUsage, - }, - ml_max_in_bytes: node.mem.ml.max_in_bytes, - }, - }; - } - ); - - return { - // TODO preserve _nodes from the response when getMemoryStats method is updated to support ml:true filter - _nodes: { - ...response._nodes, - total: mlNodes.length, - successful: mlNodes.length, - }, - nodes: nodeDeploymentStatsResponses, - }; - }, - }; -} diff --git a/x-pack/plugins/ml/server/models/data_frame_analytics/__mocks__/mock_deployment_response.json b/x-pack/plugins/ml/server/models/model_management/__mocks__/mock_deployment_response.json similarity index 100% rename from x-pack/plugins/ml/server/models/data_frame_analytics/__mocks__/mock_deployment_response.json rename to x-pack/plugins/ml/server/models/model_management/__mocks__/mock_deployment_response.json diff --git a/x-pack/plugins/ml/server/models/model_management/index.ts b/x-pack/plugins/ml/server/models/model_management/index.ts new file mode 100644 index 0000000000000..191d806ade22d --- /dev/null +++ b/x-pack/plugins/ml/server/models/model_management/index.ts @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { modelsProvider } from './models_provider'; +export { MemoryUsageService } from './memory_usage'; 
diff --git a/x-pack/plugins/ml/server/models/data_frame_analytics/models_provider.test.ts b/x-pack/plugins/ml/server/models/model_management/memory_usage.test.ts similarity index 97% rename from x-pack/plugins/ml/server/models/data_frame_analytics/models_provider.test.ts rename to x-pack/plugins/ml/server/models/model_management/memory_usage.test.ts index cf4ef22b44016..e08a94e4d951c 100644 --- a/x-pack/plugins/ml/server/models/data_frame_analytics/models_provider.test.ts +++ b/x-pack/plugins/ml/server/models/model_management/memory_usage.test.ts @@ -5,16 +5,12 @@ * 2.0. */ -import { MemoryStatsResponse, ModelService, modelsProvider } from './models_provider'; -import { IScopedClusterClient } from '@kbn/core/server'; -import { MlClient } from '../../lib/ml_client'; +import { MemoryUsageService } from './memory_usage'; +import type { MlClient } from '../../lib/ml_client'; import mockResponse from './__mocks__/mock_deployment_response.json'; +import type { MemoryStatsResponse } from '../../../common/types/trained_models'; describe('Model service', () => { - const client = { - asInternalUser: {}, - } as unknown as jest.Mocked; - const mlClient = { getTrainedModelsStats: jest.fn(() => { return Promise.resolve({ @@ -137,10 +133,10 @@ describe('Model service', () => { }), } as unknown as jest.Mocked; - let service: ModelService; + let service: MemoryUsageService; beforeEach(() => { - service = modelsProvider(client, mlClient); + service = new MemoryUsageService(mlClient); }); afterEach(() => {}); diff --git a/x-pack/plugins/ml/server/models/model_management/memory_usage.ts b/x-pack/plugins/ml/server/models/model_management/memory_usage.ts new file mode 100644 index 0000000000000..29c51055efe5b --- /dev/null +++ b/x-pack/plugins/ml/server/models/model_management/memory_usage.ts 
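Review bot: The test suite is now constructing `new MemoryUsageService(mlClient)` but the `describe` block is still titled `'Model service'`, which no longer describes what is under test; `describe('MemoryUsageService', () => {` would keep test output readable. The unused `client` mock is correctly dropped, and the `MemoryStatsResponse` type now comes from `common/types/trained_models`, which matches the new service's imports in the following hunk.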
@@ -0,0 +1,277 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import numeral from '@elastic/numeral'; +import { pick } from 'lodash'; +import { isDefined } from '@kbn/ml-is-defined'; +import type { + MemoryUsageInfo, + TrainedModelStatsResponse, + MemoryStatsResponse, +} from '../../../common/types/trained_models'; + +import type { JobStats } from '../../../common/types/anomaly_detection_jobs'; +import type { MlSavedObjectType } from '../../../common/types/saved_objects'; +import type { MlClient } from '../../lib/ml_client'; +import type { + NodeDeploymentStatsResponse, + NodesOverviewResponse, +} from '../../../common/types/trained_models'; + +// @ts-expect-error numeral missing value +const AD_EXTRA_MEMORY = numeral('10MB').value(); +// @ts-expect-error numeral missing value +const DFA_EXTRA_MEMORY = numeral('5MB').value(); + +const NODE_FIELDS = ['attributes', 'name', 'roles'] as const; + +export type RequiredNodeFields = Pick; + +export class MemoryUsageService { + constructor(private readonly mlClient: MlClient) {} + + public async getMemorySizes(itemType?: MlSavedObjectType, node?: string, showClosedJobs = false) { + let memories: MemoryUsageInfo[] = []; + + switch (itemType) { + case 'anomaly-detector': + memories = await this.getADJobsSizes(); + break; + case 'data-frame-analytics': + memories = await this.getDFAJobsSizes(); + break; + case 'trained-model': + memories = await this.getTrainedModelsSizes(); + break; + default: + memories = [ + ...(await this.getADJobsSizes()), + ...(await this.getDFAJobsSizes()), + ...(await this.getTrainedModelsSizes()), + ]; + break; + } + return memories.filter((m) => nodeFilter(m, node, showClosedJobs)); + } + + private async 
getADJobsSizes() { + const jobs = await this.mlClient.getJobStats(); + return jobs.jobs.map(this.getADJobMemorySize); + } + + private async getTrainedModelsSizes() { + const [models, stats] = await Promise.all([ + this.mlClient.getTrainedModels(), + this.mlClient.getTrainedModelsStats(), + ]); + const statsMap = stats.trained_model_stats.reduce>( + (acc, cur) => { + acc[cur.model_id] = cur; + return acc; + }, + {} + ); + + return models.trained_model_configs.map((m) => + this.getTrainedModelMemorySize(m, statsMap[m.model_id]) + ); + } + + private async getDFAJobsSizes() { + const [jobs, jobsStats] = await Promise.all([ + this.mlClient.getDataFrameAnalytics(), + this.mlClient.getDataFrameAnalyticsStats(), + ]); + const statsMap = jobsStats.data_frame_analytics.reduce< + Record + >((acc, cur) => { + acc[cur.id] = cur; + return acc; + }, {}); + + return jobs.data_frame_analytics.map((j) => this.getDFAJobMemorySize(j, statsMap[j.id])); + } + + private getADJobMemorySize(jobStats: JobStats): MemoryUsageInfo { + let memory = 0; + switch (jobStats.model_size_stats.assignment_memory_basis) { + case 'model_memory_limit': + memory = (jobStats.model_size_stats.model_bytes_memory_limit as number) ?? 0; + break; + case 'current_model_bytes': + memory = jobStats.model_size_stats.model_bytes as number; + break; + case 'peak_model_bytes': + memory = (jobStats.model_size_stats.peak_model_bytes as number) ?? 0; + break; + } + + const size = memory + AD_EXTRA_MEMORY; + const nodeName = jobStats.node?.name; + return { + id: jobStats.job_id, + type: 'anomaly-detector', + size, + nodeNames: nodeName ? [nodeName] : [], + }; + } + + private getDFAJobMemorySize( + job: estypes.MlDataframeAnalyticsSummary, + jobStats: estypes.MlDataframeAnalytics + ): MemoryUsageInfo { + const mml = job.model_memory_limit ?? 
'0mb'; + // @ts-expect-error numeral missing value + const memory = numeral(mml.toUpperCase()).value(); + const size = memory + DFA_EXTRA_MEMORY; + const nodeName = jobStats.node?.name; + return { + id: jobStats.id, + type: 'data-frame-analytics', + size, + nodeNames: nodeName ? [nodeName] : [], + }; + } + + private getTrainedModelMemorySize( + trainedModel: estypes.MlTrainedModelConfig, + trainedModelStats: estypes.MlTrainedModelStats + ): MemoryUsageInfo { + const memory = trainedModelStats.model_size_stats.required_native_memory_bytes; + + const size = memory + AD_EXTRA_MEMORY; + const nodes = (trainedModelStats.deployment_stats?.nodes ?? + []) as estypes.MlTrainedModelDeploymentNodesStats[]; + return { + id: trainedModelStats.model_id, + type: 'trained-model', + size, + nodeNames: nodes.map((n) => Object.values(n.node)[0].name), + }; + } + + /** + * Provides the ML nodes overview with allocated models. + */ + async getNodesOverview(): Promise { + // TODO set node_id to ml:true when elasticsearch client is updated. 
+ const response = (await this.mlClient.getMemoryStats()) as MemoryStatsResponse; + + const { trained_model_stats: trainedModelStats } = await this.mlClient.getTrainedModelsStats({ + size: 10000, + }); + + const mlNodes = Object.entries(response.nodes).filter(([, node]) => node.roles.includes('ml')); + + const nodeDeploymentStatsResponses: NodeDeploymentStatsResponse[] = mlNodes.map( + ([nodeId, node]) => { + const nodeFields = pick(node, NODE_FIELDS) as RequiredNodeFields; + + nodeFields.attributes = nodeFields.attributes; + + const allocatedModels = (trainedModelStats as TrainedModelStatsResponse[]) + .filter( + (d) => + isDefined(d.deployment_stats) && + isDefined(d.deployment_stats.nodes) && + d.deployment_stats.nodes.some((n) => Object.keys(n.node)[0] === nodeId) + ) + .map((d) => { + const modelSizeState = d.model_size_stats; + const deploymentStats = d.deployment_stats; + + if (!deploymentStats || !modelSizeState) { + throw new Error('deploymentStats or modelSizeState not defined'); + } + + const { nodes, ...rest } = deploymentStats; + + const { node: tempNode, ...nodeRest } = nodes.find( + (v) => Object.keys(v.node)[0] === nodeId + )!; + return { + model_id: d.model_id, + ...rest, + ...modelSizeState, + node: nodeRest, + }; + }); + + const modelsMemoryUsage = allocatedModels.map((v) => { + return { + model_id: v.model_id, + model_size: v.required_native_memory_bytes, + }; + }); + + const memoryRes = { + adTotalMemory: node.mem.ml.anomaly_detectors_in_bytes, + dfaTotalMemory: node.mem.ml.data_frame_analytics_in_bytes, + trainedModelsTotalMemory: node.mem.ml.native_inference_in_bytes, + }; + + for (const key of Object.keys(memoryRes)) { + if (memoryRes[key as keyof typeof memoryRes] > 0) { + /** + * The amount of memory needed to load the ML native code shared libraries. The assumption is that the first + * ML job to run on a given node will do this, and then subsequent ML jobs on the same node will reuse the + * same already-loaded code. 
+ */ + memoryRes[key as keyof typeof memoryRes] += node.mem.ml.native_code_overhead_in_bytes; + break; + } + } + + return { + id: nodeId, + ...nodeFields, + allocated_models: allocatedModels, + memory_overview: { + machine_memory: { + total: node.mem.adjusted_total_in_bytes, + jvm: node.jvm.heap_max_in_bytes, + }, + anomaly_detection: { + total: memoryRes.adTotalMemory, + }, + dfa_training: { + total: memoryRes.dfaTotalMemory, + }, + trained_models: { + total: memoryRes.trainedModelsTotalMemory, + by_model: modelsMemoryUsage, + }, + ml_max_in_bytes: node.mem.ml.max_in_bytes, + }, + }; + } + ); + + return { + // TODO preserve _nodes from the response when getMemoryStats method is updated to support ml:true filter + _nodes: { + ...response._nodes, + total: mlNodes.length, + successful: mlNodes.length, + }, + nodes: nodeDeploymentStatsResponses, + }; + } +} + +function nodeFilter(m: MemoryUsageInfo, node?: string, showClosedJobs = false) { + if (m.nodeNames.length === 0) { + return showClosedJobs; + } + + if (node === undefined) { + return true; + } + + return m.nodeNames.includes(node); +} diff --git a/x-pack/plugins/ml/server/models/model_management/models_provider.ts b/x-pack/plugins/ml/server/models/model_management/models_provider.ts new file mode 100644 index 0000000000000..e4ba7e2df04a9 --- /dev/null +++ b/x-pack/plugins/ml/server/models/model_management/models_provider.ts 
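Review bot: `getTrainedModelsSizes` and `getDFAJobsSizes` index `statsMap` by id and hand the result straight to `getTrainedModelMemorySize` / `getDFAJobMemorySize`, which dereference `trainedModelStats.model_size_stats` and `jobStats.node` without a guard, so any config with no matching stats entry throws a TypeError that the route turns into a 500. That gap is likely to open in practice because `getTrainedModels()` and `getTrainedModelsStats()` are called here with no `size`, whereas `getNodesOverview` in the same file passes `size: 10000` — the ES defaults for these endpoints (100, I believe) silently truncate the stats list once a cluster holds more models than that. Pass the same page size in both places and skip entries without stats instead of crashing; the same `flatMap` shape applies to `getDFAJobsSizes`. Separately, `nodeFields.attributes = nodeFields.attributes;` in `getNodesOverview` is a no-op and should be removed.
```typescript
  private async getTrainedModelsSizes() {
    const [models, stats] = await Promise.all([
      this.mlClient.getTrainedModels({ size: 10000 }),
      this.mlClient.getTrainedModelsStats({ size: 10000 }),
    ]);
    // … unchanged: statsMap reduce …
    return models.trained_model_configs.flatMap((m) => {
      const modelStats = statsMap[m.model_id];
      // A model without a stats entry is skipped rather than dereferencing undefined.
      return modelStats ? [this.getTrainedModelMemorySize(m, modelStats)] : [];
    });
  }
```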
@@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { IScopedClusterClient } from '@kbn/core/server'; + +import type { PipelineDefinition } from '../../../common/types/trained_models'; + +export type ModelService = ReturnType; + +export function modelsProvider(client: IScopedClusterClient) { + return { + /** + * Retrieves the map of model ids and aliases with associated pipelines. + * @param modelIds - Array of models ids and model aliases. + */ + async getModelsPipelines(modelIds: string[]) { + const modelIdsMap = new Map | null>( + modelIds.map((id: string) => [id, null]) + ); + + try { + const body = await client.asCurrentUser.ingest.getPipeline(); + + for (const [pipelineName, pipelineDefinition] of Object.entries(body)) { + const { processors } = pipelineDefinition as { processors: Array> }; + + for (const processor of processors) { + const id = processor.inference?.model_id; + if (modelIdsMap.has(id)) { + const obj = modelIdsMap.get(id); + if (obj === null) { + modelIdsMap.set(id, { [pipelineName]: pipelineDefinition }); + } else { + obj![pipelineName] = pipelineDefinition; + } + } + } + } + } catch (error) { + if (error.statusCode === 404) { + // ES returns 404 when there are no pipelines + // Instead, we should return the modelIdsMap and a 200 + return modelIdsMap; + } + throw error; + } + + return modelIdsMap; + }, + }; +} diff --git a/x-pack/plugins/ml/server/plugin.ts b/x-pack/plugins/ml/server/plugin.ts index fc12a261031ef..f9b69c1c6ab2c 100644 --- a/x-pack/plugins/ml/server/plugin.ts +++ b/x-pack/plugins/ml/server/plugin.ts 
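Review bot: In `getModelsPipelines` the cast `as { processors: Array<Record<string, any>> }` asserts that every pipeline returned by `ingest.getPipeline()` carries a `processors` array; the ES client types declare that field optional, as far as I can tell, so a pipeline without one would make `for (const processor of processors)` throw and turn the whole lookup into a 500 rather than an empty map. Default it at the destructuring: `const { processors = [] } = pipelineDefinition as { processors?: Array<Record<string, any>> };`. The `obj!` non-null assertion a few lines later exists only because `Map.get` is typed `T | undefined`; since `modelIdsMap.has(id)` already established presence, narrowing with `if (obj == null)` and writing `obj[pipelineName] = pipelineDefinition` in the else branch expresses the same thing without the assertion.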
@@ -47,6 +47,7 @@ import { jobServiceRoutes } from './routes/job_service'; import { savedObjectsRoutes } from './routes/saved_objects'; import { jobValidationRoutes } from './routes/job_validation'; import { resultsServiceRoutes } from './routes/results_service'; +import { modelManagementRoutes } from './routes/model_management'; import { systemRoutes } from './routes/system'; import { MlLicense } from '../common/license'; import { createSharedServices, SharedServices } from './shared_services'; @@ -217,6 +218,7 @@ export class MlServerPlugin jobRoutes(routeInit); jobServiceRoutes(routeInit); managementRoutes(routeInit); + modelManagementRoutes(routeInit); resultsServiceRoutes(routeInit); jobValidationRoutes(routeInit); savedObjectsRoutes(routeInit, { diff --git a/x-pack/plugins/ml/server/routes/apidoc.json b/x-pack/plugins/ml/server/routes/apidoc.json index e265f2c828f09..573080a1d187a 100644 --- a/x-pack/plugins/ml/server/routes/apidoc.json +++ b/x-pack/plugins/ml/server/routes/apidoc.json @@ -170,7 +170,6 @@ "GetTrainedModel", "GetTrainedModelStats", "GetTrainedModelStatsById", - "GetTrainedModelsNodesOverview", "GetTrainedModelPipelines", "StartTrainedModelDeployment", "UpdateTrainedModelDeployment", @@ -184,6 +183,10 @@ "PreviewAlert", "Management", - "ManagementList" + "ManagementList", + + "ModelManagement", + "GetModelManagementNodesOverview", + "GetModelManagementMemoryUsage" ] } diff --git a/x-pack/plugins/ml/server/routes/model_management.ts b/x-pack/plugins/ml/server/routes/model_management.ts new file mode 100644 index 0000000000000..a72e515a6dd9d --- /dev/null +++ b/x-pack/plugins/ml/server/routes/model_management.ts 
@@ -0,0 +1,98 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { schema } from '@kbn/config-schema'; +import { RouteInitialization } from '../types'; +import { wrapError } from '../client/error_wrapper'; + +import { MemoryUsageService } from '../models/model_management'; +import { itemTypeLiterals } from './schemas/saved_objects'; + +export function modelManagementRoutes({ router, routeGuard }: RouteInitialization) { + /** + * @apiGroup ModelManagement + * + * @api {get} /api/ml/model_management/nodes_overview Get node overview about the models allocation + * @apiName GetModelManagementNodesOverview + * @apiDescription Retrieves the list of ML nodes with memory breakdown and allocated models info + */ + router.get( + { + path: '/api/ml/model_management/nodes_overview', + validate: {}, + options: { + tags: [ + 'access:ml:canViewMlNodes', + 'access:ml:canGetDataFrameAnalytics', + 'access:ml:canGetJobs', + 'access:ml:canGetTrainedModels', + ], + }, + }, + routeGuard.fullLicenseAPIGuard(async ({ client, mlClient, response }) => { + try { + const memoryUsageService = new MemoryUsageService(mlClient); + const result = await memoryUsageService.getNodesOverview(); + return response.ok({ + body: result, + }); + } catch (e) { + return response.customError(wrapError(e)); + } + }) + ); + + /** + * @apiGroup ModelManagement + * + * @api {get} /api/ml/model_management/memory_usage Memory usage for jobs and trained models + * @apiName GetModelManagementMemoryUsage + * @apiDescription Returns the memory 
usage for jobs and trained models + */ + router.get( + { + path: '/api/ml/model_management/memory_usage', + validate: { + query: schema.object({ + type: schema.maybe(itemTypeLiterals), + node: schema.maybe(schema.string()), + showClosedJobs: schema.maybe(schema.boolean()), + }), + }, + options: { + tags: [ + 'access:ml:canViewMlNodes', + 'access:ml:canGetDataFrameAnalytics', + 'access:ml:canGetJobs', + 'access:ml:canGetTrainedModels', + ], + }, + }, + + routeGuard.fullLicenseAPIGuard(async ({ mlClient, response, request }) => { + try { + const memoryUsageService = new MemoryUsageService(mlClient); + return response.ok({ + body: await memoryUsageService.getMemorySizes( + request.query.type, + request.query.node, + request.query.showClosedJobs + ), + }); + } catch (e) { + return response.customError(wrapError(e)); + } + }) + ); +} diff --git a/x-pack/plugins/ml/server/routes/schemas/saved_objects.ts b/x-pack/plugins/ml/server/routes/schemas/saved_objects.ts index ef5c81a08a516..fb133fb8955cc 100644 --- a/x-pack/plugins/ml/server/routes/schemas/saved_objects.ts +++ b/x-pack/plugins/ml/server/routes/schemas/saved_objects.ts @@ -19,6 +19,7 @@ export const itemTypeLiterals = schema.oneOf([ ]); export const itemTypeSchema = schema.object({ jobType: itemTypeLiterals }); +export const jobTypeSchema = schema.object({ jobType: jobTypeLiterals }); export const updateJobsSpaces = schema.object({ jobType: jobTypeLiterals, diff --git a/x-pack/plugins/ml/server/routes/trained_models.ts b/x-pack/plugins/ml/server/routes/trained_models.ts index a234163dbde99..c09b46f7c23cb 100644 --- a/x-pack/plugins/ml/server/routes/trained_models.ts +++ b/x-pack/plugins/ml/server/routes/trained_models.ts 
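Review bot: The new `routes/model_management.ts` opens with the Elastic license header twice (two identical `/* Copyright Elasticsearch B.V. … */` blocks before the imports); drop the second copy. In the `nodes_overview` handler `client` is destructured but never used — `async ({ mlClient, response })` matches the `memory_usage` handler below it. On the authorization side the tag set (`access:ml:canViewMlNodes`, `canGetDataFrameAnalytics`, `canGetJobs`, `canGetTrainedModels`) is identical to the `/api/ml/trained_models/nodes_overview` route this patch removes, so relocating the endpoint does not widen who can read node memory and model allocation, and the same four tags on `memory_usage` look right given it aggregates AD, DFA and trained-model stats behind `fullLicenseAPIGuard`.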
@@ -19,10 +19,11 @@ import { pipelineSimulateBody, updateDeploymentParamsSchema, } from './schemas/inference_schema'; -import { modelsProvider } from '../models/data_frame_analytics'; + import { TrainedModelConfigResponse } from '../../common/types/trained_models'; import { mlLog } from '../lib/log'; import { forceQuerySchema } from './schemas/anomaly_detectors_schema'; +import { modelsProvider } from '../models/model_management'; export function trainedModelsRoutes({ router, routeGuard }: RouteInitialization) { /** @@ -68,7 +69,7 @@ export function trainedModelsRoutes({ router, routeGuard }: RouteInitialization) ) ); - const pipelinesResponse = await modelsProvider(client, mlClient).getModelsPipelines( + const pipelinesResponse = await modelsProvider(client).getModelsPipelines( modelIdsAndAliases ); for (const model of result) { @@ -178,9 +179,7 @@ export function trainedModelsRoutes({ router, routeGuard }: RouteInitialization) routeGuard.fullLicenseAPIGuard(async ({ client, request, mlClient, response }) => { try { const { modelId } = request.params; - const result = await modelsProvider(client, mlClient).getModelsPipelines( - modelId.split(',') - ); + const result = await modelsProvider(client).getModelsPipelines(modelId.split(',')); return response.ok({ body: [...result].map(([id, pipelines]) => ({ model_id: id, pipelines })), }); 
@@ -260,38 +259,6 @@ export function trainedModelsRoutes({ router, routeGuard }: RouteInitialization) }) ); - /** - * @apiGroup TrainedModels - * - * @api {get} /api/ml/trained_models/nodes_overview Get node overview about the models allocation - * @apiName GetTrainedModelsNodesOverview - * @apiDescription Retrieves the list of ML nodes with memory breakdown and allocated models info - */ - router.get( - { - path: '/api/ml/trained_models/nodes_overview', - validate: {}, - options: { - tags: [ - 'access:ml:canViewMlNodes', - 'access:ml:canGetDataFrameAnalytics', - 'access:ml:canGetJobs', - 'access:ml:canGetTrainedModels', - ], - }, - }, - routeGuard.fullLicenseAPIGuard(async ({ client, mlClient, request, response }) => { - try { - const result = await modelsProvider(client, mlClient).getNodesOverview(); - return response.ok({ - body: result, - }); - } catch (e) { - return response.customError(wrapError(e)); - } - }) - ); - /** * @apiGroup TrainedModels * diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json index 69a2dfeda1909..a45a8a7dab559 100644 --- a/x-pack/plugins/translations/translations/fr-FR.json +++ b/x-pack/plugins/translations/translations/fr-FR.json @@ -21232,7 +21232,6 @@ "xpack.ml.deepLink.filterListsSettings": "Listes de filtres", "xpack.ml.deepLink.indexDataVisualizer": "Index Data Visualizer (Visualiseur de données pour les index)", "xpack.ml.deepLink.modelManagement": "Gestion des modèles", - "xpack.ml.deepLink.nodesOverview": "Nœuds", "xpack.ml.deepLink.overview": "Aperçu", "xpack.ml.deepLink.settings": "Paramètres", "xpack.ml.deepLink.trainedModels": "Modèles entraînés", 
@@ -21772,8 +21771,6 @@ "xpack.ml.mlEntitySelector.dfaOptionsLabel": "Analyse du cadre de données", "xpack.ml.mlEntitySelector.fetchError": "Impossible de récupérer les entités de ML", "xpack.ml.mlEntitySelector.trainedModelsLabel": "Modèles entraînés", - "xpack.ml.modelManagement.nodesOverview.docTitle": "Nœuds", - "xpack.ml.modelManagement.nodesOverviewHeader": "Nœuds", "xpack.ml.modelManagement.trainedModels.docTitle": "Modèles entraînés", "xpack.ml.modelManagement.trainedModelsHeader": "Modèles entraînés", "xpack.ml.modelManagementLabel": "Gestion des modèles", @@ -21884,7 +21881,6 @@ "xpack.ml.navMenu.logCategorizationLinkText": "Analyse du modèle de log", "xpack.ml.navMenu.mlAppNameText": "Machine Learning", "xpack.ml.navMenu.modelManagementText": "Gestion des modèles", - "xpack.ml.navMenu.nodesOverviewText": "Nœuds", "xpack.ml.navMenu.notificationsTabLinkText": "Notifications", "xpack.ml.navMenu.overviewTabLinkText": "Aperçu", "xpack.ml.navMenu.settingsTabLinkText": "Paramètres", diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index aafb384cf9400..2dd00ba312030 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -21212,7 +21212,6 @@ "xpack.ml.deepLink.filterListsSettings": "フィルターリスト", "xpack.ml.deepLink.indexDataVisualizer": "インデックスデータビジュアライザー", "xpack.ml.deepLink.modelManagement": "モデル管理", - "xpack.ml.deepLink.nodesOverview": "ノード", "xpack.ml.deepLink.overview": "概要", "xpack.ml.deepLink.settings": "設定", "xpack.ml.deepLink.trainedModels": "学習済みモデル", 
@@ -21752,8 +21751,6 @@ "xpack.ml.mlEntitySelector.dfaOptionsLabel": "データフレーム分析", "xpack.ml.mlEntitySelector.fetchError": "MLエンティティを取得できませんでした", "xpack.ml.mlEntitySelector.trainedModelsLabel": "学習済みモデル", - "xpack.ml.modelManagement.nodesOverview.docTitle": "ノード", - "xpack.ml.modelManagement.nodesOverviewHeader": "ノード", "xpack.ml.modelManagement.trainedModels.docTitle": "学習済みモデル", "xpack.ml.modelManagement.trainedModelsHeader": "学習済みモデル", "xpack.ml.modelManagementLabel": "モデル管理", @@ -21864,7 +21861,6 @@ "xpack.ml.navMenu.logCategorizationLinkText": "ログパターン分析", "xpack.ml.navMenu.mlAppNameText": "機械学習", "xpack.ml.navMenu.modelManagementText": "モデル管理", - "xpack.ml.navMenu.nodesOverviewText": "ノード", "xpack.ml.navMenu.notificationsTabLinkText": "通知", "xpack.ml.navMenu.overviewTabLinkText": "概要", "xpack.ml.navMenu.settingsTabLinkText": "設定", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index ea907ebb37ab9..9bfbda1558039 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -21242,7 +21242,6 @@ "xpack.ml.deepLink.filterListsSettings": "筛选列表", "xpack.ml.deepLink.indexDataVisualizer": "索引数据可视化工具", "xpack.ml.deepLink.modelManagement": "模型管理", - "xpack.ml.deepLink.nodesOverview": "节点", "xpack.ml.deepLink.overview": "概览", "xpack.ml.deepLink.settings": "设置", "xpack.ml.deepLink.trainedModels": "已训练模型", @@ -21782,8 +21781,6 @@ "xpack.ml.mlEntitySelector.dfaOptionsLabel": "数据帧分析", "xpack.ml.mlEntitySelector.fetchError": "无法提取 ML 实体", "xpack.ml.mlEntitySelector.trainedModelsLabel": "已训练模型", - "xpack.ml.modelManagement.nodesOverview.docTitle": "节点", - "xpack.ml.modelManagement.nodesOverviewHeader": "节点", "xpack.ml.modelManagement.trainedModels.docTitle": "已训练模型", "xpack.ml.modelManagement.trainedModelsHeader": "已训练模型", "xpack.ml.modelManagementLabel": "模型管理", 
@@ -21894,7 +21891,6 @@ "xpack.ml.navMenu.logCategorizationLinkText": "日志模式分析", "xpack.ml.navMenu.mlAppNameText": "Machine Learning", "xpack.ml.navMenu.modelManagementText": "模型管理", - "xpack.ml.navMenu.nodesOverviewText": "节点", "xpack.ml.navMenu.notificationsTabLinkText": "通知", "xpack.ml.navMenu.overviewTabLinkText": "概览", "xpack.ml.navMenu.settingsTabLinkText": "设置", From a496623003e4a3f51d582b8a0447a8a9b10d94a3 Mon Sep 17 00:00:00 2001 From: Sander Philipse <94373878+sphilipse@users.noreply.github.com> Date: Tue, 7 Feb 2023 12:59:48 +0100 Subject: [PATCH 05/27] [Enterprise Search] Add integration tiles for new connectors (#150369) ## Summary This adds a bunch of integration tiles for our new connectors: Azure Cloud, Google Cloud, Amazon S3, MS SQL, PostgreSQL and Oracle. --- .../apis/custom_integration/integrations.ts | 2 +- .../public/assets/source_icons/amazon_s3.svg | 14 ++ .../assets/source_icons/azure_cloud.svg | 13 ++ .../assets/source_icons/google_cloud.svg | 16 ++ .../assets/source_icons/microsoft_sql.svg | 19 ++ .../public/assets/source_icons/oracle.svg | 3 + .../public/assets/source_icons/postgresql.svg | 13 ++ .../enterprise_search/server/integrations.ts | 167 ++++++++++++++++++ 8 files changed, 246 insertions(+), 1 deletion(-) create mode 100644 x-pack/plugins/enterprise_search/public/assets/source_icons/amazon_s3.svg create mode 100644 x-pack/plugins/enterprise_search/public/assets/source_icons/azure_cloud.svg create mode 100644 x-pack/plugins/enterprise_search/public/assets/source_icons/google_cloud.svg create mode 100644 x-pack/plugins/enterprise_search/public/assets/source_icons/microsoft_sql.svg create mode 100644 x-pack/plugins/enterprise_search/public/assets/source_icons/oracle.svg create mode 100644 x-pack/plugins/enterprise_search/public/assets/source_icons/postgresql.svg 
diff --git a/test/api_integration/apis/custom_integration/integrations.ts b/test/api_integration/apis/custom_integration/integrations.ts index c1b6518f6684a..a924b416f30c8 100644 --- a/test/api_integration/apis/custom_integration/integrations.ts +++ b/test/api_integration/apis/custom_integration/integrations.ts @@ -22,7 +22,7 @@ export default function ({ getService }: FtrProviderContext) { expect(resp.body).to.be.an('array'); - expect(resp.body.length).to.be(43); + expect(resp.body.length).to.be(49); // Test for sample data card expect(resp.body.findIndex((c: { id: string }) => c.id === 'sample_data_all')).to.be.above( diff --git a/x-pack/plugins/enterprise_search/public/assets/source_icons/amazon_s3.svg b/x-pack/plugins/enterprise_search/public/assets/source_icons/amazon_s3.svg new file mode 100644 index 0000000000000..d7f6497c26c95 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/source_icons/amazon_s3.svg @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/source_icons/azure_cloud.svg b/x-pack/plugins/enterprise_search/public/assets/source_icons/azure_cloud.svg new file mode 100644 index 0000000000000..2a32f39698611 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/source_icons/azure_cloud.svg @@ -0,0 +1,13 @@ + + + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/source_icons/google_cloud.svg b/x-pack/plugins/enterprise_search/public/assets/source_icons/google_cloud.svg new file mode 100644 index 0000000000000..937f8382a0cac --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/source_icons/google_cloud.svg @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/source_icons/microsoft_sql.svg b/x-pack/plugins/enterprise_search/public/assets/source_icons/microsoft_sql.svg new file mode 100644 index 0000000000000..7eabdd8e3e9d8 --- /dev/null 
+++ b/x-pack/plugins/enterprise_search/public/assets/source_icons/microsoft_sql.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/source_icons/oracle.svg b/x-pack/plugins/enterprise_search/public/assets/source_icons/oracle.svg new file mode 100644 index 0000000000000..29028d24fdf63 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/source_icons/oracle.svg @@ -0,0 +1,3 @@ + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/source_icons/postgresql.svg b/x-pack/plugins/enterprise_search/public/assets/source_icons/postgresql.svg new file mode 100644 index 0000000000000..28ff5332e9ceb --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/source_icons/postgresql.svg @@ -0,0 +1,13 @@ + + + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/server/integrations.ts b/x-pack/plugins/enterprise_search/server/integrations.ts index 6a147552c24d6..b7d1516764187 100644 --- a/x-pack/plugins/enterprise_search/server/integrations.ts +++ b/x-pack/plugins/enterprise_search/server/integrations.ts 
@@ -471,4 +471,171 @@ export const registerEnterpriseSearchIntegrations = ( shipper: 'enterprise_search', isBeta: false, }); + + customIntegrations.registerCustomIntegration({ + id: 'postgresql', + title: i18n.translate('xpack.enterpriseSearch.workplaceSearch.integrations.postgresqlName', { + defaultMessage: 'PostgreSQL', + }), + description: i18n.translate( + 'xpack.enterpriseSearch.workplaceSearch.integrations.postgreSQLDescription', + { + defaultMessage: 'Search over your content on PostgreSQL with Enterprise Search.', + } + ), + categories: ['enterprise_search', 'elastic_stack', 'custom', 'datastore'], + uiInternalPath: '/app/enterprise_search/content/search_indices/new_index?method=connector', + icons: [ + { + type: 'svg', + src: http.basePath.prepend('/plugins/enterpriseSearch/assets/source_icons/postgresql.svg'), + }, + ], + shipper: 'enterprise_search', + isBeta: false, + }); + + customIntegrations.registerCustomIntegration({ + id: 'oracle', + title: i18n.translate('xpack.enterpriseSearch.workplaceSearch.integrations.oracleName', { + defaultMessage: 'Oracle', + }), + description: i18n.translate( + 'xpack.enterpriseSearch.workplaceSearch.integrations.oracleDescription', + { + defaultMessage: 'Search over your content on Oracle with Enterprise Search.', + } + ), + categories: ['enterprise_search', 'elastic_stack', 'custom', 'datastore'], + uiInternalPath: '/app/enterprise_search/content/search_indices/new_index?method=connector', + icons: [ + { + type: 'svg', + src: http.basePath.prepend('/plugins/enterpriseSearch/assets/source_icons/oracle.svg'), + }, + ], + shipper: 'enterprise_search', + isBeta: false, + }); + + customIntegrations.registerCustomIntegration({ + id: 'ms_sql', + title: i18n.translate('xpack.enterpriseSearch.workplaceSearch.integrations.msSqlName', { + defaultMessage: 'Microsoft SQL', + }), + description: i18n.translate( + 'xpack.enterpriseSearch.workplaceSearch.integrations.msSqlDescription', + { + defaultMessage: 'Search over your content on 
Microsoft SQL Server with Enterprise Search.', + } + ), + categories: ['enterprise_search', 'custom', 'elastic_stack', 'datastore'], + uiInternalPath: '/app/enterprise_search/content/search_indices/new_index?method=connector', + icons: [ + { + type: 'svg', + src: http.basePath.prepend( + '/plugins/enterpriseSearch/assets/source_icons/microsoft_sql.svg' + ), + }, + ], + shipper: 'enterprise_search', + isBeta: false, + }); + + customIntegrations.registerCustomIntegration({ + id: 'ms_sql', + title: i18n.translate('xpack.enterpriseSearch.workplaceSearch.integrations.networkDriveName', { + defaultMessage: 'Network Drive', + }), + description: i18n.translate( + 'xpack.enterpriseSearch.workplaceSearch.integrations.netowkrDriveDescription', + { + defaultMessage: 'Search over your Network Drive content with Enterprise Search.', + } + ), + categories: ['enterprise_search', 'custom', 'elastic_stack', 'file_storage'], + uiInternalPath: '/app/enterprise_search/content/search_indices/new_index?method=connector', + icons: [ + { + type: 'svg', + src: http.basePath.prepend( + '/plugins/enterpriseSearch/assets/source_icons/network_drive.svg' + ), + }, + ], + shipper: 'enterprise_search', + isBeta: false, + }); + + customIntegrations.registerCustomIntegration({ + id: 'amazon_s3', + title: i18n.translate('xpack.enterpriseSearch.workplaceSearch.integrations.s3', { + defaultMessage: 'Amazon S3', + }), + description: i18n.translate( + 'xpack.enterpriseSearch.workplaceSearch.integrations.s3Description', + { + defaultMessage: 'Search over your content on Amazon S3 with Enterprise Search.', + } + ), + categories: ['enterprise_search', 'datastore', 'elastic_stack'], + uiInternalPath: '/app/enterprise_search/content/search_indices/new_index?method=connector', + icons: [ + { + type: 'svg', + src: http.basePath.prepend('/plugins/enterpriseSearch/assets/source_icons/amazon_s3.svg'), + }, + ], + shipper: 'enterprise_search', + isBeta: false, + }); + + 
customIntegrations.registerCustomIntegration({ + id: 'google_cloud_storage', + title: i18n.translate('xpack.enterpriseSearch.workplaceSearch.integrations.googleCloud', { + defaultMessage: 'Google Cloud Storage', + }), + description: i18n.translate( + 'xpack.enterpriseSearch.workplaceSearch.integrations.googleCloudDescription', + { + defaultMessage: 'Search over your content on Google Cloud Storage with Enterprise Search.', + } + ), + categories: ['enterprise_search', 'elastic_stack', 'custom'], + uiInternalPath: '/app/enterprise_search/content/search_indices/new_index?method=connector', + icons: [ + { + type: 'svg', + src: http.basePath.prepend( + '/plugins/enterpriseSearch/assets/source_icons/google_cloud.svg' + ), + }, + ], + shipper: 'enterprise_search', + isBeta: false, + }); + + customIntegrations.registerCustomIntegration({ + id: 'azure_cloud_storage', + title: i18n.translate('xpack.enterpriseSearch.workplaceSearch.integrations.azureCloud', { + defaultMessage: 'Azure Cloud Storage', + }), + description: i18n.translate( + 'xpack.enterpriseSearch.workplaceSearch.integrations.azureCloudDescription', + { + defaultMessage: 'Search over your content on Azure Cloud Storage with Enterprise Search.', + } + ), + categories: ['enterprise_search', 'elastic_stack', 'custom'], + uiInternalPath: '/app/enterprise_search/content/search_indices/new_index?method=connector', + icons: [ + { + type: 'svg', + src: http.basePath.prepend('/plugins/enterpriseSearch/assets/source_icons/azure_cloud.svg'), + }, + ], + shipper: 'enterprise_search', + isBeta: false, + }); }; From 50444bbd598d8304eb2d99092266435266c744c5 Mon Sep 17 00:00:00 2001 
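Review bot: Two tiles are registered with `id: 'ms_sql'` — the Microsoft SQL one and the Network Drive one immediately after it; the second should presumably be `id: 'network_drive'`. That Network Drive tile also points at `/plugins/enterpriseSearch/assets/source_icons/network_drive.svg`, which is not among the SVGs this patch adds (only amazon_s3, azure_cloud, google_cloud, microsoft_sql, oracle and postgresql appear in the diffstat), and its i18n id is misspelled (`netowkrDriveDescription`). The integration-count expectation moves from 43 to 49, i.e. six new tiles, while seven `registerCustomIntegration` calls are added; that is consistent with the registry collapsing the duplicate id, so as written one of the two tiles is lost and the commit summary (which lists six connectors) suggests Network Drive may be copy-paste residue. The enclosing `registerEnterpriseSearchIntegrations` function starts before this hunk.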
From: Thomas Watson Date: Tue, 7 Feb 2023 13:07:13 +0100 Subject: [PATCH 06/27] Change default value of csp.disableUnsafeEval to 'true' (#150157) This change ensures that the `unsafe-eval` source expression isn't included in the Kibana Content Security Policy (CSP) by default. Users can set `csp.disableUnsafeEval: false` to reintroduce `unsafe-eval`. However, since this config option is deprecated as of this commit, it's recommended to instead set `csp.script_src: ['unsafe-eval']`. Closes #150156 --- docs/setup/settings.asciidoc | 6 ++--- .../src/csp/config.ts | 8 +----- .../src/csp/csp_config.test.mocks.ts | 25 ----------------- .../src/csp/csp_config.test.ts | 27 +++---------------- .../src/csp/csp_config.ts | 2 ++ .../collectors/csp/csp_collector.test.ts | 1 - test/common/config.js | 1 - 7 files changed, 9 insertions(+), 61 deletions(-) delete mode 100644 packages/core/http/core-http-server-internal/src/csp/csp_config.test.mocks.ts diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc index 3914dfabaf137..3c45338c4da90 100644 --- a/docs/setup/settings.asciidoc +++ b/docs/setup/settings.asciidoc 
@@ -26,11 +26,11 @@ Set to `false` to disable Console. *Default: `true`* Add sources for the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src[Content Security Policy `script-src` directive]. `csp.disableUnsafeEval`:: -experimental[] Set this to `true` to remove the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions[`unsafe-eval`] source expression from the `script-src` directive. *Default: `false`* +deprecated:[8.7.0,Use `csp.script_src: ['unsafe-eval']` instead if you wish to enable `unsafe-eval`. This config option will have no effect in a future version.] Set this to `false` to add the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions[`unsafe-eval`] source expression to the `script-src` directive. *Default: `true`* + -By enabling `csp.disableUnsafeEval`, Kibana will use a custom version of the Handlebars template library. +When `csp.disableUnsafeEval` is set to `true`, Kibana will use a custom version of the Handlebars template library. Handlebars is used in various locations in the Kibana frontend where custom templates can be supplied by the user when for instance setting up a visualisation. -If you experience any issues rendering Handlebars templates after turning on `csp.disableUnsafeEval`, please revert this setting to `false` and https://github.com/elastic/kibana/issues/new/choose[open an issue] in the Kibana GitHub repository. +If you experience any issues rendering Handlebars templates, please set this setting to `false` and https://github.com/elastic/kibana/issues/new/choose[open an issue] in the Kibana GitHub repository. `csp.worker_src`:: Add sources for the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src[Content Security Policy `worker-src` directive]. 
diff --git a/packages/core/http/core-http-server-internal/src/csp/config.ts b/packages/core/http/core-http-server-internal/src/csp/config.ts
index 2bd145abd8581..d192ddda9a108 100644
--- a/packages/core/http/core-http-server-internal/src/csp/config.ts
+++ b/packages/core/http/core-http-server-internal/src/csp/config.ts
@@ -39,13 +39,7 @@ const getDirectiveValueValidator = ({ allowNone, allowNonce }: DirectiveValidati const configSchema = schema.object( {
- disableUnsafeEval: schema.conditional(
- // Default disableUnsafeEval to false if it's not a distributable release
- schema.contextRef('dist'),
- true,
- schema.boolean({ defaultValue: false }),
- schema.boolean({ defaultValue: true })
- ),
+ disableUnsafeEval: schema.boolean({ defaultValue: true }),
 script_src: schema.arrayOf(schema.string(), { defaultValue: [], validate: getDirectiveValidator({ allowNone: false, allowNonce: false }),
diff --git a/packages/core/http/core-http-server-internal/src/csp/csp_config.test.mocks.ts b/packages/core/http/core-http-server-internal/src/csp/csp_config.test.mocks.ts
deleted file mode 100644
index d1c7303648e16..0000000000000
--- a/packages/core/http/core-http-server-internal/src/csp/csp_config.test.mocks.ts
+++ /dev/null
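Review bot: The schema hunk flips the default but registers no deprecation for `disableUnsafeEval`, even though the commit message and the settings doc in this patch mark the key deprecated as of 8.7.0, so an operator who keeps `csp.disableUnsafeEval: false` silently re-enables `unsafe-eval` with nothing at startup pointing to the `csp.script_src: ['unsafe-eval']` replacement. If the `cspConfig` descriptor does not already carry a deprecations provider (not visible in this hunk), adding one for this key is where that warning belongs; at minimum the new schema line deserves a comment, e.g. `// Deprecated since 8.7.0 (prefer csp.script_src: ['unsafe-eval']); true by default so unsafe-eval is opt-in regardless of the dist flag`. Dropping the `schema.contextRef('dist')` branch also means non-distributable builds now run the same policy as releases, which is worth a sentence in the changelog so local setups that relied on eval-based templates know why they changed. The `configSchema` object continues past the end of the hunk.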
@@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { schema } from '@kbn/config-schema'; -import { cspConfig } from './config'; - -const origSchema = cspConfig.schema; - -export const mockConfig = { - create(defaultDisableUnsafeEval: boolean) { - // @ts-expect-error: Property 'extends' does not exist on type?? - cspConfig.schema = cspConfig.schema.extends({ - disableUnsafeEval: schema.boolean({ defaultValue: defaultDisableUnsafeEval }), - }); - return cspConfig; - }, - reset() { - cspConfig.schema = origSchema; - }, -}; diff --git a/packages/core/http/core-http-server-internal/src/csp/csp_config.test.ts b/packages/core/http/core-http-server-internal/src/csp/csp_config.test.ts index b7c3d4b77ebad..da3a21e5816af 100644 --- a/packages/core/http/core-http-server-internal/src/csp/csp_config.test.ts +++ b/packages/core/http/core-http-server-internal/src/csp/csp_config.test.ts @@ -8,7 +8,6 @@ import { CspConfig } from './csp_config'; import { cspConfig, CspConfigType } from './config'; -import { mockConfig } from './csp_config.test.mocks'; // CSP rules aren't strictly additive, so any change can potentially expand or // restrict the policy in a way we consider a breaking change. For that reason, @@ -34,6 +33,7 @@ describe('CspConfig', () => { expect(CspConfig.DEFAULT).toMatchInlineSnapshot(` CspConfig { "disableEmbedding": false, + "disableUnsafeEval": true, "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "strict": true, "warnLegacyBrowsers": true, 
@@ -140,36 +140,15 @@ describe('CspConfig', () => { ); }); - test('when "disableUnsafeEval" is not set, and the default value is "false", the `unsafe-eval` CSP should be set', () => { - // The default value for `disableUnsafeEval` depends on whether Kibana is a distributable or not. To test both scenarios, we mock the config. - const mockedConfig = mockConfig.create(false).schema.validate({}); - - const config = new CspConfig({ - ...mockedConfig, - script_src: ['foo', 'bar'], - }); - - expect(config.header).toEqual( - `script-src 'self' 'unsafe-eval' foo bar; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` - ); - - mockConfig.reset(); - }); - - test('when "disableUnsafeEval" is not set, and the default value is "true", the `unsafe-eval` CSP should not be set', () => { - // The default value for `disableUnsafeEval` depends on whether Kibana is a distributable or not. To test both scenarios, we mock the config. - const mockedConfig = mockConfig.create(true).schema.validate({}); - + test('when "disableUnsafeEval" is not set, the `unsafe-eval` CSP should not be set', () => { const config = new CspConfig({ - ...mockedConfig, + ...defaultConfig, script_src: ['foo', 'bar'], }); expect(config.header).toEqual( `script-src 'self' foo bar; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); - - mockConfig.reset(); }); }); diff --git a/packages/core/http/core-http-server-internal/src/csp/csp_config.ts b/packages/core/http/core-http-server-internal/src/csp/csp_config.ts index 3d0a6e292b61d..049d6c02ed472 100644 --- a/packages/core/http/core-http-server-internal/src/csp/csp_config.ts +++ b/packages/core/http/core-http-server-internal/src/csp/csp_config.ts @@ -21,6 +21,7 @@ export class CspConfig implements ICspConfig { readonly #directives: CspDirectives; public readonly strict: boolean; + public readonly disableUnsafeEval: boolean; public readonly warnLegacyBrowsers: boolean; public readonly disableEmbedding: boolean; public readonly header: string; 
@@ -37,6 +38,7 @@ export class CspConfig implements ICspConfig { } this.header = this.#directives.getCspHeader(); this.strict = rawCspConfig.strict; + this.disableUnsafeEval = rawCspConfig.disableUnsafeEval; this.warnLegacyBrowsers = rawCspConfig.warnLegacyBrowsers; this.disableEmbedding = rawCspConfig.disableEmbedding; } diff --git a/src/plugins/kibana_usage_collection/server/collectors/csp/csp_collector.test.ts b/src/plugins/kibana_usage_collection/server/collectors/csp/csp_collector.test.ts index 7cc95fe1470e4..e8ada00137da4 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/csp/csp_collector.test.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/csp/csp_collector.test.ts @@ -24,7 +24,6 @@ describe('csp collector', () => { function updateCsp(config: Partial) { httpMock.csp = new CspConfig({ ...CspConfig.DEFAULT, - disableUnsafeEval: false, style_src: [], worker_src: [], script_src: [], diff --git a/test/common/config.js b/test/common/config.js index b0a7072930b5c..297890aa5869b 100644 --- a/test/common/config.js +++ b/test/common/config.js @@ -43,7 +43,6 @@ export default function () { // Needed for async search functional tests to introduce a delay `--data.search.aggs.shardDelay.enabled=true`, `--security.showInsecureClusterWarning=false`, - '--csp.disableUnsafeEval=true', '--telemetry.banner=false', '--telemetry.optIn=false', // These are *very* important to have them pointing to staging From 7403df89481a0607b99d6a1f2056a2db38c48e8b Mon Sep 17 00:00:00 2001 
From: Angela Chuang <6295984+angorayc@users.noreply.github.com> Date: Tue, 7 Feb 2023 12:14:14 +0000 Subject: [PATCH 07/27] [SecuritySolution] Missing reset button when there is no data to display (#149835) ## Summary issue: https://github.com/elastic/kibana/issues/149828 Please enable feature flag: chartEmbeddablesEnabled Steps to verify: 1. Go to alerts trend or table chart 2. Delete one or more group by fields 3. You should see chart actions available when there is no data to display 4. Clicking on the reset group by field action, the group by fields should be reset https://user-images.githubusercontent.com/6295984/215500707-4b7f8076-3e63-4664-beb4-8e5b8fde9f1c.mov ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --- .../show_top_n/show_top_n_component.test.tsx | 2 +- .../common/components/charts/areachart.tsx | 2 +- .../common/components/charts/barchart.tsx | 2 +- .../events_tab/events_query_tab_body.test.tsx | 2 +- .../hover_actions/actions/show_top_n.test.tsx | 4 +- .../matrix_histogram/index.test.tsx | 10 +- .../components/matrix_histogram/index.tsx | 2 +- .../common/components/top_n/index.test.tsx | 4 +- .../common/components/top_n/top_n.test.tsx | 4 +- .../__mocks__/actions.tsx | 17 +++ .../visualization_actions/__mocks__/index.tsx | 9 -- .../{index.test.tsx => actions.test.tsx} | 43 +++++- .../{index.tsx => actions.tsx} | 127 +++++++++++------- .../visualization_actions/lens_embeddable.tsx | 35 +++-- .../components/visualization_actions/types.ts | 2 + .../components/stat_items/metric.test.tsx | 6 +- .../explore/components/stat_items/metric.tsx | 2 +- 
.../stat_items/metric_embeddable.test.tsx | 6 +- .../components/stat_items/stat_items.test.tsx | 6 +- .../hosts/pages/details/details_tabs.test.tsx | 4 +- .../public/explore/hosts/pages/hosts.test.tsx | 4 +- .../explore/network/pages/network.test.tsx | 4 +- .../authentications_query_tab_body.test.tsx | 2 +- .../explore/users/pages/users_tabs.test.tsx | 4 +- .../public/overview/pages/overview.test.tsx | 5 +- 25 files changed, 185 insertions(+), 123 deletions(-) create mode 100644 x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/actions.tsx delete mode 100644 x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/index.tsx rename x-pack/plugins/security_solution/public/common/components/visualization_actions/{index.test.tsx => actions.test.tsx} (85%) rename x-pack/plugins/security_solution/public/common/components/visualization_actions/{index.tsx => actions.tsx} (66%) diff --git a/x-pack/plugins/security_solution/public/actions/show_top_n/show_top_n_component.test.tsx b/x-pack/plugins/security_solution/public/actions/show_top_n/show_top_n_component.test.tsx index 6c702bb20fd90..49ddc83563fd7 100644 --- a/x-pack/plugins/security_solution/public/actions/show_top_n/show_top_n_component.test.tsx +++ b/x-pack/plugins/security_solution/public/actions/show_top_n/show_top_n_component.test.tsx @@ -20,7 +20,7 @@ jest.mock('react-router-dom', () => { useLocation: jest.fn().mockReturnValue({ pathname: '/test' }), }; }); -jest.mock('../../common/components/visualization_actions'); +jest.mock('../../common/components/visualization_actions/actions'); const casesService = { ui: { getCasesContext: () => mockCasesContext }, diff --git a/x-pack/plugins/security_solution/public/common/components/charts/areachart.tsx b/x-pack/plugins/security_solution/public/common/components/charts/areachart.tsx index d458c00558aa6..e0a2f623ebe74 100644 
--- a/x-pack/plugins/security_solution/public/common/components/charts/areachart.tsx +++ b/x-pack/plugins/security_solution/public/common/components/charts/areachart.tsx @@ -25,7 +25,7 @@ import { Wrapper, ChartWrapper, } from './common'; -import { VisualizationActions } from '../visualization_actions'; +import { VisualizationActions } from '../visualization_actions/actions'; import type { VisualizationActionsProps } from '../visualization_actions/types'; import { HoverVisibilityContainer } from '../hover_visibility_container'; diff --git a/x-pack/plugins/security_solution/public/common/components/charts/barchart.tsx b/x-pack/plugins/security_solution/public/common/components/charts/barchart.tsx index 7e9b6b3bd01dc..9390c2edeee9a 100644 --- a/x-pack/plugins/security_solution/public/common/components/charts/barchart.tsx +++ b/x-pack/plugins/security_solution/public/common/components/charts/barchart.tsx @@ -35,7 +35,7 @@ import { import { DraggableLegend } from './draggable_legend'; import type { LegendItem } from './draggable_legend_item'; import type { ChartData, ChartSeriesConfigs, ChartSeriesData } from './common'; -import { VisualizationActions } from '../visualization_actions'; +import { VisualizationActions } from '../visualization_actions/actions'; import type { VisualizationActionsProps } from '../visualization_actions/types'; import { HoverVisibilityContainer } from '../hover_visibility_container'; import { VISUALIZATION_ACTIONS_BUTTON_CLASS } from '../visualization_actions/utils'; diff --git a/x-pack/plugins/security_solution/public/common/components/events_tab/events_query_tab_body.test.tsx b/x-pack/plugins/security_solution/public/common/components/events_tab/events_query_tab_body.test.tsx index 1387784d82860..a1f69bbda6587 100644 --- a/x-pack/plugins/security_solution/public/common/components/events_tab/events_query_tab_body.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/events_tab/events_query_tab_body.test.tsx 
@@ -47,7 +47,7 @@ jest.mock('../../lib/kibana', () => { }; }); -jest.mock('../visualization_actions'); +jest.mock('../visualization_actions/actions'); jest.mock('../visualization_actions/lens_embeddable'); jest.mock('react-router-dom', () => ({ diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx index e7f80e613fab3..46731ffe17e63 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx @@ -12,9 +12,7 @@ import { TestProviders } from '../../../mock'; import { ShowTopNButton } from './show_top_n'; import { TimelineId } from '../../../../../common/types'; -jest.mock('../../visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../../visualization_actions/actions'); jest.mock('../../../lib/kibana', () => { const original = jest.requireActual('../../../lib/kibana'); diff --git a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.test.tsx index ec4a25039e912..5591927b35f35 100644 --- a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.test.tsx @@ -29,11 +29,7 @@ jest.mock('../charts/barchart', () => ({ jest.mock('../../containers/matrix_histogram'); -jest.mock('../visualization_actions', () => ({ - VisualizationActions: jest.fn(({ className }: { className: string }) => ( -
- )), -})); +jest.mock('../visualization_actions/actions'); jest.mock('./utils', () => ({ getBarchartConfigs: jest.fn(), @@ -197,8 +193,8 @@ describe('Matrix Histogram Component', () => { wrapper = mount(, { wrappingComponent: TestProviders, }); - expect(wrapper.find('[data-test-subj="mock-viz-actions"]').exists()).toBe(true); - expect(wrapper.find('[data-test-subj="mock-viz-actions"]').prop('className')).toEqual( + expect(wrapper.find('[data-test-subj="visualizationActions"]').exists()).toBe(true); + expect(wrapper.find('[data-test-subj="visualizationActions"]').prop('className')).toEqual( 'histogram-viz-actions' ); }); diff --git a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.tsx b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.tsx index 48e812ff2afa3..426c2a16f8cf9 100644 --- a/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/matrix_histogram/index.tsx @@ -29,7 +29,7 @@ import type { GlobalTimeArgs } from '../../containers/use_global_time'; import { setAbsoluteRangeDatePicker } from '../../store/inputs/actions'; import { InputsModelId } from '../../store/inputs/constants'; import { HoverVisibilityContainer } from '../hover_visibility_container'; -import { VisualizationActions } from '../visualization_actions'; +import { VisualizationActions } from '../visualization_actions/actions'; import type { GetLensAttributes, LensAttributes } from '../visualization_actions/types'; import { useQueryToggle } from '../../containers/query_toggle'; import { useIsExperimentalFeatureEnabled } from '../../hooks/use_experimental_features'; diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx index 180063d1786e5..05207caa9ffab 100644 
--- a/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx @@ -43,9 +43,7 @@ jest.mock('react-router-dom', () => { jest.mock('../link_to'); jest.mock('../../lib/kibana'); jest.mock('../../../timelines/store/timeline/actions'); -jest.mock('../visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../visualization_actions/actions'); const field = 'process.name'; const value = 'nice'; diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/top_n.test.tsx b/x-pack/plugins/security_solution/public/common/components/top_n/top_n.test.tsx index b52746ad14c57..191a2c0201646 100644 --- a/x-pack/plugins/security_solution/public/common/components/top_n/top_n.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/top_n/top_n.test.tsx @@ -32,9 +32,7 @@ jest.mock('react-router-dom', () => { jest.mock('../../lib/kibana'); jest.mock('../link_to'); -jest.mock('../visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../visualization_actions/actions'); jest.mock('uuid', () => { return { diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/actions.tsx b/x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/actions.tsx new file mode 100644 index 0000000000000..bd8b81e053a1e --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/actions.tsx @@ -0,0 +1,17 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React from 'react'; +import type { VisualizationActionsProps } from '../types'; + +export const VisualizationActions = (props: VisualizationActionsProps) => { + const { title, ...testProps } = props; + return ( +
+ {title} +
+ ); +}; diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/index.tsx b/x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/index.tsx deleted file mode 100644 index b222b3a2a8be7..0000000000000 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/__mocks__/index.tsx +++ /dev/null @@ -1,9 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import React from 'react'; - -export const VisualizationActions = () =>
; diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/visualization_actions/actions.test.tsx similarity index 85% rename from x-pack/plugins/security_solution/public/common/components/visualization_actions/index.test.tsx rename to x-pack/plugins/security_solution/public/common/components/visualization_actions/actions.test.tsx index 526e78aa65cba..51bcef5b17051 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/actions.test.tsx @@ -6,8 +6,10 @@ */ import React from 'react'; import { fireEvent, render, screen } from '@testing-library/react'; +import type { Action } from '@kbn/ui-actions-plugin/public'; + import { dnsTopDomainsLensAttributes } from './lens_attributes/network/dns_top_domains'; -import { VisualizationActions } from '.'; +import { VisualizationActions } from './actions'; import { createSecuritySolutionStorageMock, kibanaObservable, 
@@ -247,4 +249,43 @@ describe('VisualizationActions', () => { expect(mockGetAllCasesSelectorModalOpen).toBeCalled(); }); + + test('Should not render default actions when withDefaultActions = false', () => { + const testProps = { ...props, withDefaultActions: false }; + render( + + + + ); + + expect( + screen.queryByTestId(`[data-test-subj="stat-networkDnsHistogramQuery"]`) + ).not.toBeInTheDocument(); + expect(screen.queryByText('Inspect')).not.toBeInTheDocument(); + expect(screen.queryByText('Add to new case')).not.toBeInTheDocument(); + expect(screen.queryByText('Add to existing case')).not.toBeInTheDocument(); + expect(screen.queryByText('Open in Lens')).not.toBeInTheDocument(); + }); + + test('Should render extra actions when extraAction is provided', () => { + const testProps = { + ...props, + extraActions: [ + { + getIconType: () => 'reset', + id: 'resetField', + execute: jest.fn(), + getDisplayName: () => 'Reset Field', + } as unknown as Action, + ], + }; + const { container } = render( + + + + ); + + fireEvent.click(container.querySelector(`[data-test-subj="stat-networkDnsHistogramQuery"]`)!); + expect(screen.getByText('Reset Field')).toBeInTheDocument(); + }); }); diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/index.tsx b/x-pack/plugins/security_solution/public/common/components/visualization_actions/actions.tsx similarity index 66% rename from x-pack/plugins/security_solution/public/common/components/visualization_actions/index.tsx rename to x-pack/plugins/security_solution/public/common/components/visualization_actions/actions.tsx index 16336bbded826..029f7545d3a42 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/actions.tsx 
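Review bot: `screen.queryByTestId(`[data-test-subj="stat-networkDnsHistogramQuery"]`)` in the new `withDefaultActions = false` test passes a CSS selector where a test-id value is expected, so the query can never match and `.not.toBeInTheDocument()` passes whether or not the trigger button rendered. Since the following test already locates the same button with `container.querySelector`, the consistent fix is to destructure `container` from `render(...)` here too and assert `expect(container.querySelector('[data-test-subj="stat-networkDnsHistogramQuery"]')).toBeNull();`. The `!` on the `fireEvent.click(container.querySelector(...)!)` line in the second test would be clearer as a `getBy`-style lookup or an explicit null check so a missing button fails with a readable message rather than a TypeError.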
@@ -5,6 +5,8 @@ * 2.0. */ import { EuiButtonIcon, EuiContextMenuItem, EuiContextMenuPanel, EuiPopover } from '@elastic/eui'; +import type { Action, ActionExecutionContext } from '@kbn/ui-actions-plugin/public'; + import React, { useCallback, useMemo, useState } from 'react'; import styled from 'styled-components'; @@ -40,6 +42,7 @@ const Wrapper = styled.div` const VisualizationActionsComponent: React.FC = ({ className, + extraActions, getLensAttributes, inputId = InputsModelId.global, inspectIndex = 0, @@ -51,6 +54,7 @@ const VisualizationActionsComponent: React.FC = ({ timerange, title, stackByField, + withDefaultActions = true, }) => { const { lens } = useKibana().services; @@ -139,56 +143,76 @@ const VisualizationActionsComponent: React.FC = ({ [attributes, canUseEditor] ); - const items = useMemo( - () => [ - - {INSPECT} - , - - {OPEN_IN_LENS} - , - - {ADD_TO_NEW_CASE} - , - - {ADD_TO_EXISTING_CASE} - , - ], - [ - disableInspectButton, - disabledOpenInLens, - handleInspectButtonClick, - isAddToExistingCaseDisabled, - isAddToNewCaseDisabled, - onAddToExistingCaseClicked, - onAddToNewCaseClicked, - onOpenInLens, - ] - ); + const items = useMemo(() => { + const context = {} as ActionExecutionContext; + const extraActionsItems = + extraActions?.map((item: Action) => { + return ( + item.execute(context)} + data-test-subj={`viz-actions-${item.id}`} + > + {item.getDisplayName(context)} + + ); + }) ?? []; + return [ + ...(extraActionsItems ? extraActionsItems : []), + ...(withDefaultActions + ? [ + + {INSPECT} + , + + {ADD_TO_NEW_CASE} + , + + {ADD_TO_EXISTING_CASE} + , + + {OPEN_IN_LENS} + , + ] + : []), + ]; + }, [ + disableInspectButton, + disabledOpenInLens, + extraActions, + handleInspectButtonClick, + isAddToExistingCaseDisabled, + isAddToNewCaseDisabled, + onAddToExistingCaseClicked, + onAddToNewCaseClicked, + onOpenInLens, + withDefaultActions, + ]); const button = useMemo( () => ( 
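Review bot: `const context = {} as ActionExecutionContext;` asserts an empty object into a type whose consumers (`item.execute`, `item.getDisplayName`) are entitled to read fields such as the trigger from it, so any extra action that does so fails at runtime with no compile-time signal; either build the context the menu can actually supply, or narrow `extraActions` to the subset of `Action` this menu needs (id, icon type, display name, execute) and document that the context is empty. The spread `...(extraActionsItems ? extraActionsItems : [])` is redundant because `extraActionsItems` is already an array via `?? []`; `...extraActionsItems` reads the same. The JSX inside the map callback and the default-item list is not preserved in this rendering, so the item markup itself cannot be reviewed here; the `items` memo ends inside the hunk but the component continues past it.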
@@ -205,7 +229,7 @@ const VisualizationActionsComponent: React.FC = ({ return ( - {request !== null && response !== null && ( + {items.length > 0 && ( = ({ panelPaddingSize="none" anchorPosition="downLeft" panelClassName="withHoverActions__popover" + data-test-subj="viz-actions-popover" > diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_embeddable.tsx b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_embeddable.tsx index 19805b8ce96f3..a2d80d8ab4568 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_embeddable.tsx +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_embeddable.tsx @@ -11,7 +11,7 @@ import { useDispatch } from 'react-redux'; import { FormattedMessage } from '@kbn/i18n-react'; import { ViewMode } from '@kbn/embeddable-plugin/public'; import styled from 'styled-components'; -import { EuiEmptyPrompt } from '@elastic/eui'; +import { EuiEmptyPrompt, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import { setAbsoluteRangeDatePicker } from '../../store/inputs/actions'; import { useKibana } from '../../lib/kibana'; import { useLensAttributes } from './use_lens_attributes'; @@ -23,6 +23,7 @@ import { ModalInspectQuery } from '../inspect/modal'; import { InputsModelId } from '../../store/inputs/constants'; import { getRequestsAndResponses } from './utils'; import { SourcererScopeName } from '../../store/sourcerer/model'; +import { VisualizationActions } from './actions'; const LensComponentWrapper = styled.div<{ height?: string; width?: string }>` height: ${({ height }) => height ?? 'auto'}; @@ -180,14 +181,32 @@ const LensEmbeddableComponent: React.FC = ({ (visualizationData?.responses != null && visualizationData?.responses?.length === 0) ) { return ( - + + + } + /> + + + - } - /> + + ); } 
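Review bot: The popover gate changes from `request !== null && response !== null` to `items.length > 0`, so the menu now opens before any inspect data exists; that is what lets the reset action appear on an empty chart, but it also makes the Inspect item reachable in that state, and it is worth confirming that `disableInspectButton` (defined outside the hunk) still accounts for a null request/response rather than relying on the gate that was removed. A one-line comment on the condition, e.g. `// open the menu whenever there is something to show; Inspect guards its own data availability`, would record that intent. The `lens_embeddable.tsx` hunk on the same line has its JSX stripped in this rendering, so its new empty-state layout cannot be reviewed here.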
diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/types.ts b/x-pack/plugins/security_solution/public/common/components/visualization_actions/types.ts index b761aba812100..d323d0b7ccbfd 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/types.ts +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/types.ts @@ -21,6 +21,7 @@ export type GetLensAttributes = ( export interface VisualizationActionsProps { className?: string; + extraActions?: Action[]; getLensAttributes?: GetLensAttributes; inputId?: InputsModelId.global | InputsModelId.timeline; inspectIndex?: number; @@ -32,6 +33,7 @@ export interface VisualizationActionsProps { stackByField?: string; timerange: { from: string; to: string }; title: React.ReactNode; + withDefaultActions?: boolean; } export interface EmbeddableData { diff --git a/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.test.tsx b/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.test.tsx index 6582ffba002a6..30627023c91cf 100644 --- a/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.test.tsx @@ -13,11 +13,7 @@ import React from 'react'; import { TestProviders } from '../../../common/mock'; import type { LensAttributes } from '../../../common/components/visualization_actions/types'; -jest.mock('../../../common/components/visualization_actions', () => { - return { - VisualizationActions: () =>
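Review bot: The two new props on `VisualizationActionsProps` are undocumented, and both have semantics that only the component body reveals: extra actions are rendered ahead of the default items and invoked with an empty execution context, and `withDefaultActions` defaults to `true` in the component rather than in the type. Suggest `/** Additional menu items, rendered before the default actions; execute and getDisplayName receive an empty context. */` above `extraActions?: Action[];` and `/** Render the built-in Inspect / Add to case / Open in Lens items. Defaults to true. */` above `withDefaultActions?: boolean;`. No import for `Action` appears in this hunk; if `types.ts` does not already import it, the file will not type-check.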
, - }; -}); +jest.mock('../../../common/components/visualization_actions/actions'); describe('Metric', () => { const testProps = { diff --git a/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.tsx b/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.tsx index af659d1d07633..1dd14b262108c 100644 --- a/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.tsx +++ b/x-pack/plugins/security_solution/public/explore/components/stat_items/metric.tsx @@ -8,7 +8,7 @@ import { EuiFlexGroup, EuiIcon } from '@elastic/eui'; import React from 'react'; import type { StatItem } from './types'; import { HoverVisibilityContainer } from '../../../common/components/hover_visibility_container'; -import { VisualizationActions } from '../../../common/components/visualization_actions'; +import { VisualizationActions } from '../../../common/components/visualization_actions/actions'; import { FlexItem, StatValue } from './utils'; import { getEmptyTagValue } from '../../../common/components/empty_value'; import { VISUALIZATION_ACTIONS_BUTTON_CLASS } from '../../../common/components/visualization_actions/utils'; diff --git a/x-pack/plugins/security_solution/public/explore/components/stat_items/metric_embeddable.test.tsx b/x-pack/plugins/security_solution/public/explore/components/stat_items/metric_embeddable.test.tsx index b801102b6739a..87760cc856e7d 100644 --- a/x-pack/plugins/security_solution/public/explore/components/stat_items/metric_embeddable.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/components/stat_items/metric_embeddable.test.tsx @@ -13,11 +13,7 @@ import React from 'react'; import { TestProviders } from '../../../common/mock'; import type { LensAttributes } from '../../../common/components/visualization_actions/types'; -jest.mock('../../../common/components/visualization_actions', () => { - return { - VisualizationActions: () =>
, - }; -}); +jest.mock('../../../common/components/visualization_actions/actions'); jest.mock('../../../common/components/visualization_actions/lens_embeddable', () => { return { diff --git a/x-pack/plugins/security_solution/public/explore/components/stat_items/stat_items.test.tsx b/x-pack/plugins/security_solution/public/explore/components/stat_items/stat_items.test.tsx index 39682dc3301aa..c4a714887c377 100644 --- a/x-pack/plugins/security_solution/public/explore/components/stat_items/stat_items.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/components/stat_items/stat_items.test.tsx @@ -40,11 +40,7 @@ jest.mock('../../../common/components/charts/barchart', () => { return { BarChart: () =>
}; }); -jest.mock('../../../common/components/visualization_actions', () => { - return { - VisualizationActions: () =>
, - }; -}); +jest.mock('../../../common/components/visualization_actions/actions'); const mockSetToggle = jest.fn(); diff --git a/x-pack/plugins/security_solution/public/explore/hosts/pages/details/details_tabs.test.tsx b/x-pack/plugins/security_solution/public/explore/hosts/pages/details/details_tabs.test.tsx index 3d6dd5c6c4658..41b9564d2c9be 100644 --- a/x-pack/plugins/security_solution/public/explore/hosts/pages/details/details_tabs.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/hosts/pages/details/details_tabs.test.tsx @@ -71,9 +71,7 @@ jest.mock('../../../../common/components/query_bar', () => ({ const mockUseResizeObserver: jest.Mock = useResizeObserver as jest.Mock; jest.mock('use-resize-observer/polyfilled'); mockUseResizeObserver.mockImplementation(() => ({})); -jest.mock('../../../../common/components/visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../../../../common/components/visualization_actions/actions'); const myState: State = mockGlobalState; const { storage } = createSecuritySolutionStorageMock(); diff --git a/x-pack/plugins/security_solution/public/explore/hosts/pages/hosts.test.tsx b/x-pack/plugins/security_solution/public/explore/hosts/pages/hosts.test.tsx index 3462bae20afc4..887e38cffaf53 100644 --- a/x-pack/plugins/security_solution/public/explore/hosts/pages/hosts.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/hosts/pages/hosts.test.tsx @@ -39,9 +39,7 @@ jest.mock('../../../common/components/search_bar', () => ({ jest.mock('../../../common/components/query_bar', () => ({ QueryBar: () => null, })); -jest.mock('../../../common/components/visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../../../common/components/visualization_actions/actions'); jest.mock('../../../common/components/visualization_actions/lens_embeddable', () => ({ LensEmbeddable: jest.fn(() =>
), })); diff --git a/x-pack/plugins/security_solution/public/explore/network/pages/network.test.tsx b/x-pack/plugins/security_solution/public/explore/network/pages/network.test.tsx index 61b279d6ac2f5..a0a6c873c8979 100644 --- a/x-pack/plugins/security_solution/public/explore/network/pages/network.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/network/pages/network.test.tsx @@ -39,9 +39,7 @@ jest.mock('../../../common/components/search_bar', () => ({ jest.mock('../../../common/components/query_bar', () => ({ QueryBar: () => null, })); -jest.mock('../../../common/components/visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../../../common/components/visualization_actions/actions'); type Action = 'PUSH' | 'POP' | 'REPLACE'; const pop: Action = 'POP'; diff --git a/x-pack/plugins/security_solution/public/explore/users/pages/navigation/authentications_query_tab_body.test.tsx b/x-pack/plugins/security_solution/public/explore/users/pages/navigation/authentications_query_tab_body.test.tsx index 7d860e5a99611..c627120bdf634 100644 --- a/x-pack/plugins/security_solution/public/explore/users/pages/navigation/authentications_query_tab_body.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/users/pages/navigation/authentications_query_tab_body.test.tsx @@ -17,7 +17,7 @@ jest.mock('../../../containers/authentications'); jest.mock('../../../../common/containers/query_toggle'); jest.mock('../../../../common/lib/kibana'); -jest.mock('../../../../common/components/visualization_actions'); +jest.mock('../../../../common/components/visualization_actions/actions'); jest.mock('../../../../common/components/visualization_actions/lens_embeddable'); describe('Authentications query tab body', () => { diff --git a/x-pack/plugins/security_solution/public/explore/users/pages/users_tabs.test.tsx b/x-pack/plugins/security_solution/public/explore/users/pages/users_tabs.test.tsx index 402118e2543f5..b8a7a2450e46b 100644 --- a/x-pack/plugins/security_solution/public/explore/users/pages/users_tabs.test.tsx +++ b/x-pack/plugins/security_solution/public/explore/users/pages/users_tabs.test.tsx @@ -24,9 +24,7 @@ jest.mock('../../../common/components/search_bar', () => ({ jest.mock('../../../common/components/query_bar', () => ({ QueryBar: () => null, })); -jest.mock('../../../common/components/visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../../../common/components/visualization_actions/actions'); const mockNavigateToApp = jest.fn(); jest.mock('../../../common/lib/kibana', () => { const original = jest.requireActual('../../../common/lib/kibana'); diff --git a/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx b/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx index 3197066aeab49..c18f2b3a91684 100644 --- a/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx +++ b/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx @@ -50,7 +50,6 @@ jest.mock('../../common/lib/kibana', () => { }); jest.mock('../../common/containers/source'); jest.mock('../../common/containers/sourcerer'); -jest.mock('../../common/components/visualization_actions'); jest.mock('../../common/components/visualization_actions/lens_embeddable'); jest.mock('../../common/containers/use_global_time', () => ({ useGlobalTime: jest.fn().mockReturnValue({ @@ -89,9 +88,7 @@ jest.mock('../../common/containers/local_storage/use_messages_storage'); jest.mock('../containers/overview_cti_links'); -jest.mock('../../common/components/visualization_actions', () => ({ - VisualizationActions: jest.fn(() =>
), -})); +jest.mock('../../common/components/visualization_actions/actions'); const useCtiDashboardLinksMock = useCtiDashboardLinks as jest.Mock; useCtiDashboardLinksMock.mockReturnValue(mockCtiLinksResponse); From 56d53675d164dd5110b627744fcdbe21e07188f7 Mon Sep 17 00:00:00 2001 From: Kevin Logan <56395104+kevinlog@users.noreply.github.com> Date: Tue, 7 Feb 2023 07:17:01 -0500 Subject: [PATCH 08/27] [Security Solution] Add File operation RBAC switch description text to role creation (#150386) ## Summary Adds description text for the file operations RBAC switch image ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) --- x-pack/plugins/security_solution/server/features.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/x-pack/plugins/security_solution/server/features.ts b/x-pack/plugins/security_solution/server/features.ts index 107e1c7f5eb9b..197b9fc926cc7 100644 --- a/x-pack/plugins/security_solution/server/features.ts +++ b/x-pack/plugins/security_solution/server/features.ts @@ -234,6 +234,12 @@ const responseActionSubFeatures: SubFeatureConfig[] = [ name: i18n.translate('xpack.securitySolution.featureRegistry.subFeatures.fileOperations', { defaultMessage: 'File Operations', }), + description: i18n.translate( + 'xpack.securitySolution.featureRegistry.subFeatures.fileOperations.description', + { + defaultMessage: 'Perform file-related response actions in the response console.', + } + ), privilegeGroups: [ { groupType: 'mutually_exclusive', From b42bb18119962e60a05eb10c6a6989b0ecea56b6 Mon Sep 17 00:00:00 2001 
From: Joseph Crail Date: Tue, 7 Feb 2023 04:22:59 -0800 Subject: [PATCH 09/27] [Profiling] Prepare for inline stackframes (#150401) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR adds initial support for initial stackframes as described in elastic/prodfiler#2918. It also adds tests and a minor refactor to account for the removal of synthetic source from stackframes (see elastic/prodfiler#2850). For stackframes, the profiling stack is composed of multiple write paths into Elasticsearch and multiple read paths out of Elasticsearch: * there are three services that can write into Elasticsearch (`APM agent`, `pf-elastic-collector`, and `pf-elastic-symbolizer`). * there are also two ways to read from Elasticsearch (the profiling plugin in Elasticsearch, and a combination of `search` and `mget` calls). This PR was written to handle all permutations of these paths. For those reviewers that wish to try the PR, please keep this in mind. I also wrote tests to handle these permutations. Note: Future PRs will add full support for inline stackframes. At this time, we only read the first inlined stackframe since the UI does not support inline stackframes. --------- Co-authored-by: Tim Rühsen --- .../plugins/profiling/common/stack_traces.ts | 10 +- .../server/routes/search_stacktraces.test.ts | 16 +-- .../server/routes/search_stacktraces.ts | 13 +- .../server/routes/stacktrace.test.ts | 111 +++++++++++++++++- .../profiling/server/routes/stacktrace.ts | 87 ++++++++++---- 5 files changed, 194 insertions(+), 43 deletions(-) diff --git a/x-pack/plugins/profiling/common/stack_traces.ts b/x-pack/plugins/profiling/common/stack_traces.ts index 7ad6fe2f32113..d1f041ee2e6ea 100644 --- a/x-pack/plugins/profiling/common/stack_traces.ts +++ b/x-pack/plugins/profiling/common/stack_traces.ts 
@@ -22,11 +22,11 @@ interface ProfilingStackTraces {
 [key: string]: ProfilingStackTrace;
 }
 
-interface ProfilingStackFrame {
- ['file_name']: string | undefined;
- ['function_name']: string;
- ['function_offset']: number | undefined;
- ['line_number']: number | undefined;
+export interface ProfilingStackFrame {
+ ['file_name']: string[];
+ ['function_name']: string[];
+ ['function_offset']: number[];
+ ['line_number']: number[];
 }
 
 interface ProfilingStackFrames {
diff --git a/x-pack/plugins/profiling/server/routes/search_stacktraces.test.ts b/x-pack/plugins/profiling/server/routes/search_stacktraces.test.ts
index a689fb837a9af..e9d30215e72b1 100644
--- a/x-pack/plugins/profiling/server/routes/search_stacktraces.test.ts
+++ b/x-pack/plugins/profiling/server/routes/search_stacktraces.test.ts
@@ -55,10 +55,10 @@ describe('Stack trace response operations', () => {
 },
 stack_frames: {
 abc: {
- file_name: 'pthread.c',
- function_name: 'pthread_create',
- function_offset: 0,
- line_number: 0,
+ file_name: ['pthread.c'],
+ function_name: ['pthread_create'],
+ function_offset: [0],
+ line_number: [0],
 },
 },
 executables: {
@@ -128,10 +128,10 @@ describe('Stack trace response operations', () => {
 },
 stack_frames: {
 abc: {
- file_name: undefined,
- function_name: 'pthread_create',
- function_offset: undefined,
- line_number: undefined,
+ file_name: [],
+ function_name: ['pthread_create'],
+ function_offset: [],
+ line_number: [],
 },
 },
 executables: {
diff --git a/x-pack/plugins/profiling/server/routes/search_stacktraces.ts b/x-pack/plugins/profiling/server/routes/search_stacktraces.ts
index 082ff1124f5d7..a1211bfc72edb 100644
--- a/x-pack/plugins/profiling/server/routes/search_stacktraces.ts
+++ b/x-pack/plugins/profiling/server/routes/search_stacktraces.ts
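Review bot: The newly exported `ProfilingStackFrame` carries no TSDoc explaining why every field became an array, so the inline-frame convention lives only in a comment inside `decodeStackTraceResponse` in search_stacktraces.ts, where it is easy to miss. A comment on the interface, `/** One stack frame of a stack trace response; every field is an array so that a native frame can carry its inlined frames, index 0 being the one the UI currently shows. */`, keeps the contract next to the type. It is also worth stating that the arrays may be empty (the updated fixture uses `file_name: []`), since consumers index `[0]` and get `undefined` in that case.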
@@ -35,11 +35,16 @@ export function decodeStackTraceResponse(response: StackTraceResponse) {
 
 const stackFrames: Map = new Map();
 for (const [key, value] of Object.entries(response.stack_frames ?? {})) {
+ // Each field in a stackframe is represented by an array. This is
+ // necessary to support inline frames.
+ //
+ // We only take the first available inline stackframe until the UI
+ // can support all of them.
 stackFrames.set(key, {
- FileName: value.file_name ? value.file_name[0] : [],
- FunctionName: value.function_name ? value.function_name[0] : [],
- FunctionOffset: value.function_offset,
- LineNumber: value.line_number,
+ FileName: value.file_name[0],
+ FunctionName: value.function_name[0],
+ FunctionOffset: value.function_offset[0],
+ LineNumber: value.line_number[0],
 } as StackFrame);
 }
 
diff --git a/x-pack/plugins/profiling/server/routes/stacktrace.test.ts b/x-pack/plugins/profiling/server/routes/stacktrace.test.ts
index 91b55312928c3..4fff2d9c84e63 100644
--- a/x-pack/plugins/profiling/server/routes/stacktrace.test.ts
+++ b/x-pack/plugins/profiling/server/routes/stacktrace.test.ts
@@ -5,9 +5,10 @@
 * 2.0.
 */
 
-import { createStackFrameID, StackTrace } from '../../common/profiling';
+import LRUCache from 'lru-cache';
+import { createStackFrameID, StackFrame, StackFrameID, StackTrace } from '../../common/profiling';
 import { runLengthEncode } from '../../common/run_length_encoding';
-import { decodeStackTrace, EncodedStackTrace } from './stacktrace';
+import { decodeStackTrace, EncodedStackTrace, updateStackFrameMap } from './stacktrace';
 
 enum fileID {
 A = 'aQpJmTLWydNvOapSFZOwKg',
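Review bot: `value.file_name[0]` and the three sibling reads throw a TypeError if a frame in the response omits one of the fields, whereas the removed code tolerated a missing `file_name`/`function_name`; the interface change in stack_traces.ts makes the arrays mandatory at the type level, but that does not constrain what older documents or the other writers named in the commit message actually put in the response. If an absent field is possible on any of those paths, read it as `FileName: value.file_name?.[0],` and likewise for the other three, which also matches how `updateStackFrameMap` in stacktrace.ts guards its reads. The `as StackFrame` assertion on the object literal would hide a shape mismatch that a `const frame: StackFrame = { … }` declaration followed by `stackFrames.set(key, frame)` would report.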
@@ -86,3 +87,109 @@ describe('Stack trace operations', () => { } }); }); + +describe('Stack frame operations', () => { + test('updateStackFrameMap with no frames', () => { + const stackFrameMap = new Map(); + const stackFrameCache = new LRUCache(); + + const hits = updateStackFrameMap([], stackFrameMap, stackFrameCache); + + expect(hits).toEqual(0); + expect(stackFrameMap.size).toEqual(0); + expect(stackFrameCache.length).toEqual(0); + }); + + test('updateStackFrameMap with missing frames', () => { + const stackFrameMap = new Map(); + const stackFrameCache = new LRUCache(); + + const stackFrames = [ + { + _index: 'profiling-stackframes', + _id: 'stackframe-001', + found: false, + }, + ]; + + const hits = updateStackFrameMap(stackFrames, stackFrameMap, stackFrameCache); + + expect(hits).toEqual(0); + expect(stackFrameMap.size).toEqual(1); + expect(stackFrameCache.length).toEqual(1); + }); + + test('updateStackFrameMap with one partial non-inlined frame', () => { + const stackFrameMap = new Map(); + const stackFrameCache = new LRUCache(); + + const id = 'stackframe-001'; + const source = { + 'ecs.version': '1.0.0', + 'Stackframe.function.name': 'calloc', + }; + const expected = { + FileName: undefined, + FunctionName: 'calloc', + FunctionOffset: undefined, + LineNumber: undefined, + SourceType: undefined, + }; + + const stackFrames = [ + { + _index: 'profiling-stackframes', + _id: id, + _version: 1, + _seq_no: 1, + _primary_term: 1, + found: true, + _source: source, + }, + ]; + + const hits = updateStackFrameMap(stackFrames, stackFrameMap, stackFrameCache); + + expect(hits).toEqual(1); + expect(stackFrameMap.size).toEqual(1); + expect(stackFrameCache.length).toEqual(1); + expect(stackFrameMap.get(id)).toEqual(expected); + }); + + test('updateStackFrameMap with one partial inlined frame', () => { + const stackFrameMap = new Map(); + const stackFrameCache = new LRUCache(); + + const id = 'stackframe-001'; + const source = { + 'ecs.version': '1.0.0', + 
'Stackframe.function.name': ['calloc', 'memset'], + }; + const expected = { + FileName: undefined, + FunctionName: 'calloc', + FunctionOffset: undefined, + LineNumber: undefined, + SourceType: undefined, + }; + + const stackFrames = [ + { + _index: 'profiling-stackframes', + _id: id, + _version: 1, + _seq_no: 1, + _primary_term: 1, + found: true, + _source: source, + }, + ]; + + const hits = updateStackFrameMap(stackFrames, stackFrameMap, stackFrameCache); + + expect(hits).toEqual(1); + expect(stackFrameMap.size).toEqual(1); + expect(stackFrameCache.length).toEqual(1); + expect(stackFrameMap.get(id)).toEqual(expected); + }); +}); diff --git a/x-pack/plugins/profiling/server/routes/stacktrace.ts b/x-pack/plugins/profiling/server/routes/stacktrace.ts index c0fb39de2151f..4d26851b7781f 100644 --- a/x-pack/plugins/profiling/server/routes/stacktrace.ts +++ b/x-pack/plugins/profiling/server/routes/stacktrace.ts 
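Review bot: The new tests exercise only the flat-field and array shapes of `_source`; the `'error' in frame` skip and the pre-8.7 synthetic-source fallback (`frame._source.Stackframe`) in `updateStackFrameMap` have no case, so the branch the commit keeps for backwards compatibility is the one left unverified. A fixture whose `_source` is `{ Stackframe: { function: { name: 'calloc' } } }` (expected `FunctionName: 'calloc'`) and a doc shaped like `{ _index: 'profiling-stackframes', _id: 'stackframe-002', error: { type: 'constructed-sample' } }` (expected to leave the map untouched) would cover both. The `expected` objects also list `SourceType: undefined`, which `toEqual` treats as absent; dropping that key avoids implying the function sets it.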
@@ -285,6 +285,68 @@ export function clearStackFrameCache(): number {
 return numDeleted;
 }
 
+export function updateStackFrameMap(
+ stackFrames: any,
+ stackFrameMap: Map,
+ stackFrameCache: LRUCache
+): number {
+ let found = 0;
+ for (const frame of stackFrames) {
+ if ('error' in frame) {
+ continue;
+ }
+ if (frame.found) {
+ found++;
+
+ const fileName = frame._source[ProfilingESField.StackframeFileName];
+ const functionName = frame._source[ProfilingESField.StackframeFunctionName];
+ const functionOffset = frame._source[ProfilingESField.StackframeFunctionOffset];
+ const lineNumber = frame._source[ProfilingESField.StackframeLineNumber];
+
+ let stackFrame;
+ if (Array.isArray(functionName)) {
+ // Each field in a stackframe is represented by an array. This is
+ // necessary to support inline frames.
+ //
+ // We only take the first available inline stackframe until the UI
+ // can support all of them.
+ stackFrame = {
+ FileName: fileName && fileName[0],
+ FunctionName: functionName && functionName[0],
+ FunctionOffset: functionOffset && functionOffset[0],
+ LineNumber: lineNumber && lineNumber[0],
+ };
+ } else {
+ if (fileName || functionName) {
+ stackFrame = {
+ FileName: fileName,
+ FunctionName: functionName,
+ FunctionOffset: functionOffset,
+ LineNumber: lineNumber,
+ };
+ } else {
+ // pre 8.7 format with synthetic source
+ const sf = frame._source.Stackframe;
+ stackFrame = {
+ FileName: sf?.file?.name,
+ FunctionName: sf?.function?.name,
+ FunctionOffset: sf?.function?.offset,
+ LineNumber: sf?.line?.number,
+ };
+ }
+ }
+
+ stackFrameMap.set(frame._id, stackFrame);
+ stackFrameCache.set(frame._id, stackFrame);
+ continue;
+ }
+
+ stackFrameMap.set(frame._id, emptyStackFrame);
+ stackFrameCache.set(frame._id, emptyStackFrame);
+ }
+ return found;
+}
+
 export async function mgetStackFrames({
 logger,
 client,
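Review bot: The array/scalar decision keys only on `functionName` (`if (Array.isArray(functionName))`), so a document whose function name is absent but whose file name is stored as an array falls into the scalar branch and `FileName` ends up as an array instead of a string; `functionOffset` and `lineNumber` are likewise trusted to have the same shape as `functionName`. Normalizing each field on its own removes that coupling and collapses the first two branches into one, with the pre-8.7 synthetic-source fallback left as is. `stackFrames: any` also drops all checking on the mget docs; the element type of `resStackFrames.docs` at the call site would make the `found`, `_id` and `_source` accesses checked. The function has no doc comment either; `/** Records every fetched stack frame doc in stackFrameMap and stackFrameCache (docs not found map to emptyStackFrame, error docs are skipped) and returns the number of docs found. */` states the contract the tests rely on.
```typescript
/** First element when a field is stored as an array (inline frames), otherwise the value itself. */
const firstOf = <T>(value: T | T[] | undefined): T | undefined =>
  Array.isArray(value) ? value[0] : value;

// … unchanged: updateStackFrameMap signature, loop, 'error'/found checks and the four _source reads …
      let stackFrame;
      if (fileName || functionName) {
        // Each field may be an array with one entry per inlined frame; only the
        // first entry is surfaced until the UI can show inline frames.
        stackFrame = {
          FileName: firstOf(fileName),
          FunctionName: firstOf(functionName),
          FunctionOffset: firstOf(functionOffset),
          LineNumber: firstOf(lineNumber),
        };
      } else {
        // … unchanged: pre 8.7 format with synthetic source …
      }
```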
@@ -319,31 +381,8 @@ export async function mgetStackFrames({
 realtime: true,
 });
 
- // Create a lookup map StackFrameID -> StackFrame.
- let queryHits = 0;
 const t0 = Date.now();
- const docs = resStackFrames.docs;
- for (const frame of docs) {
- if ('error' in frame) {
- continue;
- }
- if (frame.found) {
- queryHits++;
- const stackFrame = {
- FileName: frame._source!.Stackframe.file?.name,
- FunctionName: frame._source!.Stackframe.function?.name,
- FunctionOffset: frame._source!.Stackframe.function?.offset,
- LineNumber: frame._source!.Stackframe.line?.number,
- };
- stackFrames.set(frame._id, stackFrame);
- frameLRU.set(frame._id, stackFrame);
- continue;
- }
-
- stackFrames.set(frame._id, emptyStackFrame);
- frameLRU.set(frame._id, emptyStackFrame);
- }
-
+ const queryHits = updateStackFrameMap(resStackFrames.docs, stackFrames, frameLRU);
 logger.info(`processing data took ${Date.now() - t0} ms`);
 summarizeCacheAndQuery(logger, 'frames', cacheHits, cacheTotal, queryHits, stackFrameIDs.size);
 
From ce6bde172b605133a01055f8498a09e34ad70ce1 Mon Sep 17 00:00:00 2001
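Review bot: The comment `// Create a lookup map StackFrameID -> StackFrame.` was removed together with the loop, leaving the replacement call uncommented. `// Populate stackFrames and frameLRU from the mget docs; queryHits counts the docs that were found.` above the `updateStackFrameMap` call keeps the intent readable at the call site. mgetStackFrames starts before this hunk, so the declarations of `stackFrames` and `frameLRU` are outside the visible lines.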
From: Christos Nasikas Date: Tue, 7 Feb 2023 14:26:56 +0200 Subject: [PATCH 10/27] [Cases] Break long titles in toaster (#150257) ## Summary In some toasters, the title of the toaster is set from user input. It is possible for long titles to overflow the toaster. This PR fixes this issue by forcing long titles to break. Uses the EUI CSS utility class `eui-textBreakWord`. Fixes: https://github.com/elastic/kibana/issues/149485 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../cases/public/common/use_cases_toast.test.tsx | 5 ++++- .../cases/public/common/use_cases_toast.tsx | 2 +- .../assignees/use_assignees_action.test.tsx | 14 ++++++++------ .../actions/copy_id/use_copy_id_action.test.tsx | 7 ++++--- .../actions/delete/use_delete_action.test.tsx | 14 ++++++++------ .../actions/severity/use_severity_action.test.tsx | 14 ++++++++------ .../actions/status/use_status_action.test.tsx | 14 ++++++++------ .../actions/tags/use_tags_action.test.tsx | 14 ++++++++------ .../components/actions/use_items_action.test.tsx | 7 ++++--- .../containers/use_bulk_update_case.test.tsx | 5 ++++- .../public/containers/use_delete_cases.test.tsx | 5 ++++- .../public/containers/use_post_push_to_service.tsx | 5 ++++- .../plugins/cases/public/containers/utils.test.ts | 7 +++++++ x-pack/plugins/cases/public/containers/utils.ts | 1 + 14 files changed, 73 insertions(+), 41 deletions(-) 
diff --git a/x-pack/plugins/cases/public/common/use_cases_toast.test.tsx b/x-pack/plugins/cases/public/common/use_cases_toast.test.tsx index cabca3ea69f7a..6c33c86d29d51 100644 --- a/x-pack/plugins/cases/public/common/use_cases_toast.test.tsx +++ b/x-pack/plugins/cases/public/common/use_cases_toast.test.tsx @@ -346,7 +346,10 @@ describe('Use cases toast hook', () => { result.current.showSuccessToast('my title'); - expect(successMock).toHaveBeenCalledWith('my title'); + expect(successMock).toHaveBeenCalledWith({ + className: 'eui-textBreakWord', + title: 'my title', + }); }); }); }); diff --git a/x-pack/plugins/cases/public/common/use_cases_toast.tsx b/x-pack/plugins/cases/public/common/use_cases_toast.tsx index d866f9791fc2d..3d90005546464 100644 --- a/x-pack/plugins/cases/public/common/use_cases_toast.tsx +++ b/x-pack/plugins/cases/public/common/use_cases_toast.tsx @@ -167,7 +167,7 @@ export const useCasesToast = () => { } }, showSuccessToast: (title: string) => { - toasts.addSuccess(title); + toasts.addSuccess({ title, className: 'eui-textBreakWord' }); }, }; }; diff --git a/x-pack/plugins/cases/public/components/actions/assignees/use_assignees_action.test.tsx b/x-pack/plugins/cases/public/components/actions/assignees/use_assignees_action.test.tsx index 91c47edc276c7..11b91c483d151 100644 --- a/x-pack/plugins/cases/public/components/actions/assignees/use_assignees_action.test.tsx +++ b/x-pack/plugins/cases/public/components/actions/assignees/use_assignees_action.test.tsx @@ -111,9 +111,10 @@ describe('useAssigneesAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'Edited case' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'Edited case', + className: 'eui-textBreakWord', + }); }); }); 
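Review bot: The class name `'eui-textBreakWord'` is now a string literal repeated in `showSuccessToast` here, in `usePostPushToService` (use_post_push_to_service.tsx) and in `createUpdateSuccessToaster` (containers/utils.ts), plus every updated test assertion. A single exported constant, e.g. `export const TOAST_BREAK_WORD_CLASS = 'eui-textBreakWord';` next to `createUpdateSuccessToaster` in containers/utils.ts, keeps the three call sites and the tests in step when the class changes. Only the success toasts receive the class; if the other helpers in `useCasesToast` (their bodies are outside the hunk) also render user-supplied titles, they overflow in the same way and deserve the same treatment.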
@@ -136,9 +137,10 @@ describe('useAssigneesAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'Edited 2 cases' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'Edited 2 cases', + className: 'eui-textBreakWord', + }); }); }); }); diff --git a/x-pack/plugins/cases/public/components/actions/copy_id/use_copy_id_action.test.tsx b/x-pack/plugins/cases/public/components/actions/copy_id/use_copy_id_action.test.tsx index 7cc4f7677286b..0c33980b3ab63 100644 --- a/x-pack/plugins/cases/public/components/actions/copy_id/use_copy_id_action.test.tsx +++ b/x-pack/plugins/cases/public/components/actions/copy_id/use_copy_id_action.test.tsx @@ -83,9 +83,10 @@ describe('useCopyIDAction', () => { await waitFor(() => { expect(onActionSuccess).toHaveBeenCalled(); - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'Copied Case ID to clipboard' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'Copied Case ID to clipboard', + className: 'eui-textBreakWord', + }); }); }); }); diff --git a/x-pack/plugins/cases/public/components/actions/delete/use_delete_action.test.tsx b/x-pack/plugins/cases/public/components/actions/delete/use_delete_action.test.tsx index 3e89fc83ca92b..8859267208817 100644 --- a/x-pack/plugins/cases/public/components/actions/delete/use_delete_action.test.tsx +++ b/x-pack/plugins/cases/public/components/actions/delete/use_delete_action.test.tsx @@ -155,9 +155,10 @@ describe('useDeleteAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'Deleted case' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'Deleted case', + className: 'eui-textBreakWord', + }); }); }); 
@@ -180,9 +181,10 @@ describe('useDeleteAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'Deleted 2 cases' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'Deleted 2 cases', + className: 'eui-textBreakWord', + }); }); }); }); diff --git a/x-pack/plugins/cases/public/components/actions/severity/use_severity_action.test.tsx b/x-pack/plugins/cases/public/components/actions/severity/use_severity_action.test.tsx index 42fea8e679608..695b90624fdd6 100644 --- a/x-pack/plugins/cases/public/components/actions/severity/use_severity_action.test.tsx +++ b/x-pack/plugins/cases/public/components/actions/severity/use_severity_action.test.tsx @@ -136,9 +136,10 @@ describe('useSeverityAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - expectedMessage - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: expectedMessage, + className: 'eui-textBreakWord', + }); }); } ); @@ -168,9 +169,10 @@ describe('useSeverityAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - expectedMessage - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: expectedMessage, + className: 'eui-textBreakWord', + }); }); } ); diff --git a/x-pack/plugins/cases/public/components/actions/status/use_status_action.test.tsx b/x-pack/plugins/cases/public/components/actions/status/use_status_action.test.tsx index 03d3da5101d38..201783db6bd95 100644 --- a/x-pack/plugins/cases/public/components/actions/status/use_status_action.test.tsx +++ b/x-pack/plugins/cases/public/components/actions/status/use_status_action.test.tsx 
@@ -126,9 +126,10 @@ describe('useStatusAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - expectedMessage - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: expectedMessage, + className: 'eui-textBreakWord', + }); }); } ); @@ -157,9 +158,10 @@ describe('useStatusAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - expectedMessage - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: expectedMessage, + className: 'eui-textBreakWord', + }); }); } ); diff --git a/x-pack/plugins/cases/public/components/actions/tags/use_tags_action.test.tsx b/x-pack/plugins/cases/public/components/actions/tags/use_tags_action.test.tsx index 1c4af4705bf38..c4aa68a578f2d 100644 --- a/x-pack/plugins/cases/public/components/actions/tags/use_tags_action.test.tsx +++ b/x-pack/plugins/cases/public/components/actions/tags/use_tags_action.test.tsx @@ -105,9 +105,10 @@ describe('useTagsAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'Edited case' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'Edited case', + className: 'eui-textBreakWord', + }); }); }); @@ -130,9 +131,10 @@ describe('useTagsAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'Edited 2 cases' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'Edited 2 cases', + className: 'eui-textBreakWord', + }); }); }); }); 
diff --git a/x-pack/plugins/cases/public/components/actions/use_items_action.test.tsx b/x-pack/plugins/cases/public/components/actions/use_items_action.test.tsx index a53eca39562e8..1ce613b9ded83 100644 --- a/x-pack/plugins/cases/public/components/actions/use_items_action.test.tsx +++ b/x-pack/plugins/cases/public/components/actions/use_items_action.test.tsx @@ -221,9 +221,10 @@ describe('useItemsAction', () => { }); await waitFor(() => { - expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith( - 'My toaster title' - ); + expect(appMockRender.coreStart.notifications.toasts.addSuccess).toHaveBeenCalledWith({ + title: 'My toaster title', + className: 'eui-textBreakWord', + }); }); }); diff --git a/x-pack/plugins/cases/public/containers/use_bulk_update_case.test.tsx b/x-pack/plugins/cases/public/containers/use_bulk_update_case.test.tsx index be89dc92f9d06..06d641e753dce 100644 --- a/x-pack/plugins/cases/public/containers/use_bulk_update_case.test.tsx +++ b/x-pack/plugins/cases/public/containers/use_bulk_update_case.test.tsx @@ -74,7 +74,10 @@ describe('useUpdateCases', () => { await waitForNextUpdate(); - expect(addSuccess).toHaveBeenCalledWith('Success title'); + expect(addSuccess).toHaveBeenCalledWith({ + title: 'Success title', + className: 'eui-textBreakWord', + }); }); it('shows a toast error when the api return an error', async () => { diff --git a/x-pack/plugins/cases/public/containers/use_delete_cases.test.tsx b/x-pack/plugins/cases/public/containers/use_delete_cases.test.tsx index 2059b7331e298..6df1c886f146e 100644 --- a/x-pack/plugins/cases/public/containers/use_delete_cases.test.tsx +++ b/x-pack/plugins/cases/public/containers/use_delete_cases.test.tsx 
@@ -74,7 +74,10 @@ describe('useDeleteCases', () => { await waitForNextUpdate(); - expect(addSuccess).toHaveBeenCalledWith('Success title'); + expect(addSuccess).toHaveBeenCalledWith({ + title: 'Success title', + className: 'eui-textBreakWord', + }); }); it('shows a toast error when the api return an error', async () => { diff --git a/x-pack/plugins/cases/public/containers/use_post_push_to_service.tsx b/x-pack/plugins/cases/public/containers/use_post_push_to_service.tsx index 3a5e8bddcea63..d13500dcbc5fa 100644 --- a/x-pack/plugins/cases/public/containers/use_post_push_to_service.tsx +++ b/x-pack/plugins/cases/public/containers/use_post_push_to_service.tsx @@ -77,7 +77,10 @@ export const usePostPushToService = (): UsePostPushToService => { if (!cancel.current) { dispatch({ type: 'FETCH_SUCCESS' }); - toasts.addSuccess(i18n.SUCCESS_SEND_TO_EXTERNAL_SERVICE(connector.name)); + toasts.addSuccess({ + title: i18n.SUCCESS_SEND_TO_EXTERNAL_SERVICE(connector.name), + className: 'eui-textBreakWord', + }); } return response; diff --git a/x-pack/plugins/cases/public/containers/utils.test.ts b/x-pack/plugins/cases/public/containers/utils.test.ts index fbb9f7a72d1d0..c87c81a02f818 100644 --- a/x-pack/plugins/cases/public/containers/utils.test.ts +++ b/x-pack/plugins/cases/public/containers/utils.test.ts @@ -58,6 +58,7 @@ describe('utils', () => { expect(toast).toEqual({ title: 'Alerts in "My case" have been synced', + className: 'eui-textBreakWord', }); }); @@ -74,6 +75,7 @@ describe('utils', () => { expect(toast).toEqual({ title: 'Updated "My case"', + className: 'eui-textBreakWord', }); }); @@ -85,6 +87,7 @@ describe('utils', () => { expect(toast).toEqual({ title: 'Updated "My case"', + className: 'eui-textBreakWord', }); }); @@ -100,6 +103,7 @@ describe('utils', () => { expect(toast).toEqual({ title: 'Updated "My case"', text: 'Updated the statuses of attached alerts.', + className: 'eui-textBreakWord', }); }); 
@@ -114,6 +118,7 @@ describe('utils', () => { expect(toast).toEqual({ title: 'Updated "My case"', + className: 'eui-textBreakWord', }); }); @@ -128,6 +133,7 @@ describe('utils', () => { expect(toast).toEqual({ title: 'Updated "My case"', + className: 'eui-textBreakWord', }); }); @@ -142,6 +148,7 @@ describe('utils', () => { expect(toast).toEqual({ title: 'Updated "My case"', + className: 'eui-textBreakWord', }); }); }); diff --git a/x-pack/plugins/cases/public/containers/utils.ts b/x-pack/plugins/cases/public/containers/utils.ts index f0c37ddb9e424..a2d5c91417ec1 100644 --- a/x-pack/plugins/cases/public/containers/utils.ts +++ b/x-pack/plugins/cases/public/containers/utils.ts @@ -115,6 +115,7 @@ export const createUpdateSuccessToaster = ( const toast: ToastInputFields = { title: i18n.UPDATED_CASE(caseAfterUpdate.title), + className: 'eui-textBreakWord', }; if (valueToUpdateIsSettings(key, value) && value?.syncAlerts && caseHasAlerts) { From 36cce21ad7bf1a70531c9831008c306dcd5fb552 Mon Sep 17 00:00:00 2001 From: Christos Nasikas Date: Tue, 7 Feb 2023 14:27:21 +0200 Subject: [PATCH 11/27] [Cases] Improve assignees layout in the create case page (#150255) ## Summary Improves the assignees' list in the create case page to match the list in the single case page. Fixes: https://github.com/elastic/kibana/issues/149190 ## Before Screenshot 2023-02-03 at 8 10 32 PM ## After Screenshot 2023-02-03 at 8 10 17 PM ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../public/components/create/assignees.tsx | 47 +++++++++++++++---- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/x-pack/plugins/cases/public/components/create/assignees.tsx b/x-pack/plugins/cases/public/components/create/assignees.tsx index 8634d60d70e85..3c5b0bc9b119d 100644 
--- a/x-pack/plugins/cases/public/components/create/assignees.tsx +++ b/x-pack/plugins/cases/public/components/create/assignees.tsx @@ -9,10 +9,12 @@ import { isEmpty } from 'lodash'; import React, { memo, useCallback, useState } from 'react'; import type { EuiComboBoxOptionOption } from '@elastic/eui'; import { + EuiFlexGroup, + EuiFlexItem, + EuiHighlight, EuiComboBox, EuiFormRow, EuiLink, - EuiSelectableListItem, EuiTextColor, } from '@elastic/eui'; import type { UserProfileWithAvatar, UserProfile } from '@kbn/user-profile-components'; @@ -113,18 +115,42 @@ const AssigneesFieldComponent: React.FC = React.memo( const renderOption = useCallback( (option: EuiComboBoxOptionOption, searchValue: string, contentClassName: string) => { - const { user, data, value } = option as EuiComboBoxOptionOption & - UserProfileWithAvatar; + const { user, data } = option as EuiComboBoxOptionOption & UserProfileWithAvatar; + + const displayName = getUserDisplayName(user); return ( - } - className={contentClassName} - append={{user.email}} + - {getUserDisplayName(user)} - + + + + + + + {displayName} + + + {user.email && user.email !== displayName ? ( + + + + {user.email} + + + + ) : null} + + ); }, [] @@ -165,6 +191,7 @@ const AssigneesFieldComponent: React.FC = React.memo( onChange={onComboChange} onSearchChange={onSearchComboChange} renderOption={renderOption} + rowHeight={35} /> ); From 418f7dff9ae0599871c3b539afd68320c3f9bc08 Mon Sep 17 00:00:00 2001 
From: Sander Philipse <94373878+sphilipse@users.noreply.github.com> Date: Tue, 7 Feb 2023 14:00:00 +0100 Subject: [PATCH 12/27] [Enterprise Search] Show password input for password fields (#150415) ## Summary This adds an actual password fields for fields that are (likely) passwords in the connector configuration. Screenshot 2023-02-07 at 10 47 21 --- .../connector_configuration_form.tsx | 36 +++++++++++++------ .../connector_configuration_logic.test.ts | 17 ++++----- .../connector_configuration_logic.ts | 3 ++ 3 files changed, 37 insertions(+), 19 deletions(-) diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_form.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_form.tsx index 29df3ccc5212b..5f24dc3fec76b 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_form.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_form.tsx @@ -17,6 +17,7 @@ import { EuiFlexItem, EuiButton, EuiButtonEmpty, + EuiFieldPassword, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; @@ -41,17 +42,30 @@ export const ConnectorConfigurationForm = () => { }} component="form" > - {localConfigView.map(({ key, label, value }) => ( - - { - setLocalConfigEntry({ key, label, value: event.target.value }); - }} - /> - - ))} + {localConfigView.map((configEntry) => { + const { key, isPasswordField, label, value } = configEntry; + return ( + + {isPasswordField ? ( + { + setLocalConfigEntry({ ...configEntry, value: event.target.value }); + }} + /> + ) : ( + { + setLocalConfigEntry({ ...configEntry, value: event.target.value }); + }} + /> + )} + + ); + })} 
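Review bot: Masking with `EuiFieldPassword` is a display affordance only; the `value` rendered into the input still comes from `localConfigView` in clear text, so the secret is present in the page, in React state and presumably in whatever request persists the form, exactly as before this change. A short comment on the `isPasswordField ?` branch would keep the next maintainer from reading this as protection, e.g. `// Masks the input only; the value is still held and sent in clear text — redaction must happen server-side.` The form component and the `localConfigView.map` callback extend beyond this hunk, and the hunk's JSX has been partly lost in extraction, so the rendered markup could not be fully checked.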
diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.test.ts index 632d60fac3cad..5faf6206a565a 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.test.ts @@ -73,13 +73,14 @@ describe('ConnectorConfigurationLogic', () => { it('should set local config entry and sort keys', () => { ConnectorConfigurationLogic.actions.setConfigState({ bar: { label: 'foo', value: 'foofoo' }, - foo: { label: 'thirdBar', value: 'fourthBar' }, + password: { label: 'thirdBar', value: 'fourthBar' }, }); ConnectorConfigurationLogic.actions.setLocalConfigState({ bar: { label: 'foo', value: 'foofoo' }, - foo: { label: 'thirdBar', value: 'fourthBar' }, + password: { label: 'thirdBar', value: 'fourthBar' }, }); ConnectorConfigurationLogic.actions.setLocalConfigEntry({ + isPasswordField: false, key: 'bar', label: 'foo', value: 'fafa', 
@@ -88,19 +89,19 @@ describe('ConnectorConfigurationLogic', () => { ...DEFAULT_VALUES, configState: { bar: { label: 'foo', value: 'foofoo' }, - foo: { label: 'thirdBar', value: 'fourthBar' }, + password: { label: 'thirdBar', value: 'fourthBar' }, }, configView: [ { key: 'bar', label: 'foo', value: 'foofoo' }, - { key: 'foo', label: 'thirdBar', value: 'fourthBar' }, + { key: 'password', label: 'thirdBar', value: 'fourthBar' }, ], localConfigState: { bar: { label: 'foo', value: 'fafa' }, - foo: { label: 'thirdBar', value: 'fourthBar' }, + password: { label: 'thirdBar', value: 'fourthBar' }, }, localConfigView: [ - { key: 'bar', label: 'foo', value: 'fafa' }, - { key: 'foo', label: 'thirdBar', value: 'fourthBar' }, + { isPasswordField: false, key: 'bar', label: 'foo', value: 'fafa' }, + { isPasswordField: true, key: 'password', label: 'thirdBar', value: 'fourthBar' }, ], }); }); @@ -140,7 +141,7 @@ describe('ConnectorConfigurationLogic', () => { }, isEditing: true, localConfigState: connectorIndex.connector.configuration, - localConfigView: [{ key: 'foo', label: 'bar', value: 'barbar' }], + localConfigView: [{ isPasswordField: false, key: 'foo', label: 'bar', value: 'barbar' }], shouldStartInEditMode: true, }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.ts index bc705db85ed81..dec8044c5c447 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/connector/connector_configuration_logic.ts 
@@ -50,6 +50,7 @@ interface ConnectorConfigurationValues { } interface ConfigEntry { + isPasswordField: boolean; key: string; label: string; value: string; @@ -179,6 +180,8 @@ export const ConnectorConfigurationLogic = kea< (configState) => Object.keys(configState) .map((key) => ({ + isPasswordField: + key.includes('password') || configState[key].label.toLowerCase().includes('password'), key, label: configState[key].label, value: configState[key].value, From 969f7b575df30f95fd9835939bdd655d42e81312 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Istv=C3=A1n=20Zolt=C3=A1n=20Szab=C3=B3?= Date: Tue, 7 Feb 2023 14:03:45 +0100 Subject: [PATCH 13/27] [ML] Reviews data frame analytics UI text (#150060) ## Summary This PR edits the DFA UI text to be in line with the EUI guidelines and the AD UI text. * Removes the getting started callout box from the Overview page. * Changes the third-person singular form of verbs in helper texts. * Makes the DFA job descriptions shorter on the job creation page. --- .../advanced_step/advanced_step_form.tsx | 4 +- .../advanced_step/hyper_parameters.tsx | 2 +- .../outlier_hyper_parameters.tsx | 4 +- .../configuration_step/job_type.tsx | 6 +- .../details_step/details_step_form.tsx | 6 +- .../components/getting_started_callout.tsx | 92 ------------------- .../application/overview/overview_page.tsx | 3 - .../translations/translations/fr-FR.json | 6 -- .../translations/translations/ja-JP.json | 6 -- .../translations/translations/zh-CN.json | 6 -- .../apps/ml/permissions/full_ml_access.ts | 3 - .../apps/ml/permissions/read_ml_access.ts | 2 - .../functional/services/ml/overview_page.ts | 14 --- 13 files changed, 11 insertions(+), 143 deletions(-) delete mode 100644 x-pack/plugins/ml/public/application/overview/components/getting_started_callout.tsx 
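Review bot: The key check in the new `isPasswordField` selector is case-sensitive while the label check is lowercased, so a key such as `Password` or `API_PASSWORD` renders as a plain text field even though its label would match; lowercase the key as well. The heuristic also only looks for the substring `password`, so connector fields named like `client_secret`, `api_key` or `token` would keep rendering in clear text; whether such keys occur in the connector configurations is not visible here, but widening the hint list is cheap and keeps the `password` test in the logic spec passing: `const hints = ['password', 'secret', 'token'];` / `const haystack = (key + ' ' + configState[key].label).toLowerCase();` / `isPasswordField: hints.some((hint) => haystack.includes(hint)),`. The selector's arrow function and the `.map` callback continue outside the hunk.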
diff --git a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/advanced_step_form.tsx b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/advanced_step_form.tsx index a566aa685b7bc..f926890424545 100644 --- a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/advanced_step_form.tsx +++ b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/advanced_step_form.tsx @@ -264,7 +264,7 @@ export const AdvancedStepForm: FC = ({ 'xpack.ml.dataframe.analytics.create.computeFeatureInfluenceLabelHelpText', { defaultMessage: - 'Specifies whether the feature influence calculation is enabled. Defaults to true.', + 'Specify whether the feature influence calculation is enabled. Defaults to true.', } )} > @@ -399,7 +399,7 @@ export const AdvancedStepForm: FC = ({ 'xpack.ml.dataframe.analytics.create.predictionFieldNameHelpText', { defaultMessage: - 'Defines the name of the prediction field in the results. Defaults to _prediction.', + 'Define the name of the prediction field in the results. The default is _prediction.', } )} > diff --git a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/hyper_parameters.tsx b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/hyper_parameters.tsx index 704b2cc77a7f9..35b408213ab70 100644 --- a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/hyper_parameters.tsx +++ b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/hyper_parameters.tsx 
@@ -366,7 +366,7 @@ export const HyperParameters: FC = ({ actions, state, advancedParamErrors 'xpack.ml.dataframe.analytics.create.softTreeDepthToleranceText', { defaultMessage: - 'Controls how quickly the loss increases when tree depths exceed soft limits. The smaller the value, the faster the loss increases. Must be greater than or equal to 0.01. ', + 'Control how quickly the loss increases when tree depths exceed soft limits. The smaller the value, the faster the loss increases. Must be greater than or equal to 0.01. ', } )} isInvalid={ diff --git a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/outlier_hyper_parameters.tsx b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/outlier_hyper_parameters.tsx index d347a8147469d..a47b28fd150e9 100644 --- a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/outlier_hyper_parameters.tsx +++ b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/advanced_step/outlier_hyper_parameters.tsx @@ -30,7 +30,7 @@ export const OutlierHyperParameters: FC = ({ actions, state, advancedPara })} helpText={i18n.translate('xpack.ml.dataframe.analytics.create.methodHelpText', { defaultMessage: - 'Sets the method that outlier detection uses. If not set, uses an ensemble of different methods, normalizes and combines their individual outlier scores to obtain the overall outlier score. It is recommended to use the ensemble method.', + 'Set the method that outlier detection uses. If not set, uses an ensemble of different methods, normalizes and combines their individual outlier scores to obtain the overall outlier score. It is recommended to use the ensemble method.', })} isInvalid={advancedParamErrors[ANALYSIS_ADVANCED_FIELDS.METHOD] !== undefined} error={advancedParamErrors[ANALYSIS_ADVANCED_FIELDS.METHOD]} 
@@ -86,7 +86,7 @@ export const OutlierHyperParameters: FC = ({ actions, state, advancedPara })} helpText={i18n.translate('xpack.ml.dataframe.analytics.create.outlierFractionHelpText', { defaultMessage: - 'Sets the proportion of the data set that is assumed to be outlying prior to outlier detection.', + 'Set the proportion of the data set that is assumed to be outlying prior to outlier detection.', })} isInvalid={advancedParamErrors[ANALYSIS_ADVANCED_FIELDS.OUTLIER_FRACTION] !== undefined} error={advancedParamErrors[ANALYSIS_ADVANCED_FIELDS.OUTLIER_FRACTION]} diff --git a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/job_type.tsx b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/job_type.tsx index 5f54ba3c2bb7c..d66421e41d62e 100644 --- a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/job_type.tsx +++ b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/job_type.tsx @@ -30,7 +30,7 @@ type JobDetails = Record; const jobDetails: JobDetails = { [ANALYSIS_CONFIG_TYPE.OUTLIER_DETECTION]: { helpText: i18n.translate('xpack.ml.dataframe.analytics.create.outlierDetectionHelpText', { - defaultMessage: 'Outlier detection identifies unusual data points in the data set.', + defaultMessage: 'Identify unusual data points in the data set.', }), icon: 'outlierDetectionJob', title: i18n.translate('xpack.ml.dataframe.analytics.create.outlierDetectionTitle', { 
@@ -39,7 +39,7 @@ const jobDetails: JobDetails = { }, [ANALYSIS_CONFIG_TYPE.REGRESSION]: { helpText: i18n.translate('xpack.ml.dataframe.analytics.create.regressionHelpText', { - defaultMessage: 'Regression predicts numerical values in the data set.', + defaultMessage: 'Predict numerical values in the data set.', }), icon: 'regressionJob', title: i18n.translate('xpack.ml.dataframe.analytics.create.regressionTitle', { @@ -48,7 +48,7 @@ const jobDetails: JobDetails = { }, [ANALYSIS_CONFIG_TYPE.CLASSIFICATION]: { helpText: i18n.translate('xpack.ml.dataframe.analytics.create.classificationHelpText', { - defaultMessage: 'Classification predicts classes of data points in the data set.', + defaultMessage: 'Predict classes of data points in the data set.', }), icon: 'classificationJob', title: i18n.translate('xpack.ml.dataframe.analytics.create.classificationTitle', { diff --git a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/details_step/details_step_form.tsx b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/details_step/details_step_form.tsx index a033137413ef4..265018ec23f9f 100644 --- a/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/details_step/details_step_form.tsx +++ b/x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/details_step/details_step_form.tsx @@ -297,7 +297,7 @@ export const DetailsStepForm: FC = ({ disabled={isJobCreated} name="mlDataFrameAnalyticsUseResultsFieldDefault" label={i18n.translate('xpack.ml.dataframe.analytics.create.UseResultsFieldDefaultLabel', { - defaultMessage: 'Use results field default value "{defaultValue}"', + defaultMessage: 'Use results field default value: "{defaultValue}"', values: { defaultValue: DEFAULT_RESULTS_FIELD }, })} checked={useResultsFieldDefault === true} 
@@ -318,12 +318,12 @@ export const DetailsStepForm: FC = ({ })} helpText={i18n.translate('xpack.ml.dataframe.analytics.create.resultsFieldHelpText', { defaultMessage: - 'Defines the name of the field in which to store the results of the analysis. Defaults to ml.', + 'Define the name of the field in which to store the results of the analysis. Defaults to ml.', })} > setFormState({ resultsField: e.target.value })} aria-label={i18n.translate( diff --git a/x-pack/plugins/ml/public/application/overview/components/getting_started_callout.tsx b/x-pack/plugins/ml/public/application/overview/components/getting_started_callout.tsx deleted file mode 100644 index d7a0370b4aeac..0000000000000 --- a/x-pack/plugins/ml/public/application/overview/components/getting_started_callout.tsx +++ /dev/null @@ -1,92 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React, { FC } from 'react'; -import { EuiButton, EuiCallOut, EuiLink, EuiSpacer } from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n-react'; -import { useStorage } from '@kbn/ml-local-storage'; -import { useMlKibana } from '../../contexts/kibana'; -import { ML_GETTING_STARTED_CALLOUT_DISMISSED } from '../../../../common/types/storage'; - -const feedbackLink = 'https://www.elastic.co/community/'; - -export const GettingStartedCallout: FC = () => { - const { - services: { docLinks }, - } = useMlKibana(); - - const docsLink = docLinks.links.ml.guide; - - const [isCalloutDismissed, setIsCalloutDismissed] = useStorage( - ML_GETTING_STARTED_CALLOUT_DISMISSED, - false - ); - - if (isCalloutDismissed) return null; - - return ( - <> - - } - iconType="iInCircle" - > -

- - - - ), - }} - /> -

-

- - - - ), - }} - /> -

-

- - - -

-
- - - - ); -}; diff --git a/x-pack/plugins/ml/public/application/overview/overview_page.tsx b/x-pack/plugins/ml/public/application/overview/overview_page.tsx index b524bbe27f080..3a37e5bd623cc 100644 --- a/x-pack/plugins/ml/public/application/overview/overview_page.tsx +++ b/x-pack/plugins/ml/public/application/overview/overview_page.tsx @@ -11,7 +11,6 @@ import { i18n } from '@kbn/i18n'; import { mlTimefilterRefresh$, useTimefilter } from '@kbn/ml-date-picker'; import { checkPermission } from '../capabilities/check_capabilities'; import { mlNodesAvailable } from '../ml_nodes_check'; -import { GettingStartedCallout } from './components/getting_started_callout'; import { OverviewContent } from './components/content'; import { NodeAvailableWarning } from '../components/node_available_warning'; import { JobsAwaitingNodeWarning } from '../components/jobs_awaiting_node_warning'; @@ -62,8 +61,6 @@ export const OverviewPage: FC = () => { /> - - {canViewMlNodes && serverless === false ? ( <> diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json index a45a8a7dab559..b06153172685e 100644 --- a/x-pack/plugins/translations/translations/fr-FR.json +++ b/x-pack/plugins/translations/translations/fr-FR.json 
@@ -20357,8 +20357,6 @@ "xpack.ml.notificationsIndicator.errorsAndWarningLabel": "Il y a {count, plural, one {# notification} other {# notifications}} avec un niveau d'erreur ou d'avertissement depuis {lastCheckedAt}", "xpack.ml.notificationsIndicator.unreadLabel": "Vous avez des notifications non lues depuis {lastCheckedAt}", "xpack.ml.overview.analyticsList.emptyPromptHelperText": "Avant de créer une tâche d'analyse du cadre de données, utilisez des {transforms} pour créer une {sourcedata}.", - "xpack.ml.overview.feedbackSectionText": "Si vous avez un avis ou des suggestions concernant votre expérience, envoyez des {feedbackLink}.", - "xpack.ml.overview.gettingStartedSectionText": "Bienvenue dans Machine Learning. Commencez en passant en revue nos {docs} ou en créant une nouvelle tâche.", "xpack.ml.previewAlert.otherValuesLabel": "et {count, plural, one {# autre} other {# autres}}", "xpack.ml.previewAlert.previewMessage": "Trouvé {alertsCount, plural, one {# anomalie} other {# anomalies}} dans le dernier {interval}.", "xpack.ml.privilege.pleaseContactAdministratorTooltip": "{message} Veuillez contacter votre administrateur.", 
@@ -22273,11 +22271,7 @@ "xpack.ml.overview.anomalyDetection.tableTypicalTooltip": "Valeurs typiques dans les résultats d'enregistrement des anomalies.", "xpack.ml.overview.anomalyDetection.viewJobsActionName": "Afficher les tâches", "xpack.ml.overview.anomalyDetection.viewResultsActionName": "Afficher dans l’Explorateur d'anomalies", - "xpack.ml.overview.feedbackSectionLink": "commentaires en ligne", - "xpack.ml.overview.gettingStartedSectionDismiss": "Rejeter", - "xpack.ml.overview.gettingStartedSectionDocs": "documentation", "xpack.ml.overview.gettingStartedSectionSourceData": "ensemble de données source centré sur les entités", - "xpack.ml.overview.gettingStartedSectionTitle": "Premiers pas", "xpack.ml.overview.gettingStartedSectionTransforms": "transformations", "xpack.ml.overview.notificationsLabel": "Notifications", "xpack.ml.overview.overviewLabel": "Aperçu", diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 2dd00ba312030..42ffa67a86fd6 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -20339,8 +20339,6 @@ "xpack.ml.notificationsIndicator.errorsAndWarningLabel": "{lastCheckedAt}以降に、エラーまたは警告レベルの{count, plural, other {# 通知があります}}", "xpack.ml.notificationsIndicator.unreadLabel": "{lastCheckedAt}以降に未読の通知があります", "xpack.ml.overview.analyticsList.emptyPromptHelperText": "データフレーム分析ジョブを構築する前に、{transforms}を使用して{sourcedata}を作成してください。", - "xpack.ml.overview.feedbackSectionText": "ご利用に際し、ご意見やご提案がありましたら、{feedbackLink}までお送りください。", - "xpack.ml.overview.gettingStartedSectionText": "機械学習へようこそ。はじめに{docs}をご覧になるか、新しいジョブを作成してください。", "xpack.ml.previewAlert.otherValuesLabel": "および{count, plural, other {#その他}}", "xpack.ml.previewAlert.previewMessage": "過去{interval}に{alertsCount, plural, other {# 件の異常}}が見つかりました。", "xpack.ml.privilege.pleaseContactAdministratorTooltip": "{message} 管理者にお問い合わせください。", 
@@ -22253,11 +22251,7 @@ "xpack.ml.overview.anomalyDetection.tableTypicalTooltip": "異常レコード結果の標準的な値。", "xpack.ml.overview.anomalyDetection.viewJobsActionName": "ジョブを表示", "xpack.ml.overview.anomalyDetection.viewResultsActionName": "異常エクスプローラーで表示", - "xpack.ml.overview.feedbackSectionLink": "オンラインでのフィードバック", - "xpack.ml.overview.gettingStartedSectionDismiss": "閉じる", - "xpack.ml.overview.gettingStartedSectionDocs": "ドキュメンテーション", "xpack.ml.overview.gettingStartedSectionSourceData": "エンティティ中心のソースデータセット", - "xpack.ml.overview.gettingStartedSectionTitle": "はじめて使う", "xpack.ml.overview.gettingStartedSectionTransforms": "変換", "xpack.ml.overview.notificationsLabel": "通知", "xpack.ml.overview.overviewLabel": "概要", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index 9bfbda1558039..e41ae9b029458 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -20367,8 +20367,6 @@ "xpack.ml.notificationsIndicator.errorsAndWarningLabel": "自 {lastCheckedAt} 以来有 {count, plural, other {# 个通知}}包含错误或警告级别", "xpack.ml.notificationsIndicator.unreadLabel": "自 {lastCheckedAt} 以来您有未读通知", "xpack.ml.overview.analyticsList.emptyPromptHelperText": "构建数据帧分析作业之前,请使用 {transforms} 构造一个 {sourcedata}。", - "xpack.ml.overview.feedbackSectionText": "如果您在体验方面有任何意见或建议,请提交{feedbackLink}。", - "xpack.ml.overview.gettingStartedSectionText": "欢迎使用 Machine Learning。首先查看我们的{docs}或创建新作业。", "xpack.ml.previewAlert.otherValuesLabel": "及另外 {count, plural, other {# 个}}", "xpack.ml.previewAlert.previewMessage": "在过去 {interval} 找到 {alertsCount, plural, other {# 个异常}}。", "xpack.ml.privilege.pleaseContactAdministratorTooltip": "{message}请联系您的管理员。", 
@@ -22283,11 +22281,7 @@ "xpack.ml.overview.anomalyDetection.tableTypicalTooltip": "异常记录结果中的典型值。", "xpack.ml.overview.anomalyDetection.viewJobsActionName": "查看作业", "xpack.ml.overview.anomalyDetection.viewResultsActionName": "在 Anomaly Explorer 中查看", - "xpack.ml.overview.feedbackSectionLink": "在线反馈", - "xpack.ml.overview.gettingStartedSectionDismiss": "关闭", - "xpack.ml.overview.gettingStartedSectionDocs": "文档", "xpack.ml.overview.gettingStartedSectionSourceData": "实体中心型源数据集", - "xpack.ml.overview.gettingStartedSectionTitle": "入门", "xpack.ml.overview.gettingStartedSectionTransforms": "转换", "xpack.ml.overview.notificationsLabel": "通知", "xpack.ml.overview.overviewLabel": "概览", diff --git a/x-pack/test/functional/apps/ml/permissions/full_ml_access.ts b/x-pack/test/functional/apps/ml/permissions/full_ml_access.ts index 1745694e30831..1c289dd66f0e7 100644 --- a/x-pack/test/functional/apps/ml/permissions/full_ml_access.ts +++ b/x-pack/test/functional/apps/ml/permissions/full_ml_access.ts @@ -87,8 +87,6 @@ export default function ({ getService }: FtrProviderContext) { await ml.commonUI.waitForDatePickerIndicatorLoaded(); await ml.testExecution.logTestStep('should display a welcome callout'); - await ml.overviewPage.assertGettingStartedCalloutVisible(true); - await ml.overviewPage.dismissGettingStartedCallout(); await ml.testExecution.logTestStep('should display ML Nodes panel'); await ml.mlNodesPanel.assertNodeOverviewPanel(); @@ -107,7 +105,6 @@ export default function ({ getService }: FtrProviderContext) { 'should persist the getting started callout state after refresh' ); await browser.refresh(); - await ml.overviewPage.assertGettingStartedCalloutVisible(false); }); }); } diff --git a/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts b/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts index 6d32e399493fe..960c3a6a4b0b8 100644 --- a/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts 
+++ b/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts @@ -88,8 +88,6 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await ml.commonUI.waitForDatePickerIndicatorLoaded(); await ml.testExecution.logTestStep('should display a welcome callout'); - await ml.overviewPage.assertGettingStartedCalloutVisible(true); - await ml.overviewPage.dismissGettingStartedCallout(); await ml.testExecution.logTestStep('should not display ML Nodes panel'); await ml.mlNodesPanel.assertNodesOverviewPanelExists(false); diff --git a/x-pack/test/functional/services/ml/overview_page.ts b/x-pack/test/functional/services/ml/overview_page.ts index ac860382f7b67..851a3dac4014e 100644 --- a/x-pack/test/functional/services/ml/overview_page.ts +++ b/x-pack/test/functional/services/ml/overview_page.ts @@ -13,20 +13,6 @@ export function MachineLearningOverviewPageProvider({ getService }: FtrProviderC const testSubjects = getService('testSubjects'); return { - async assertGettingStartedCalloutVisible(expectVisible: boolean = true) { - if (expectVisible) { - await testSubjects.existOrFail('mlGettingStartedCallout'); - } else { - await testSubjects.missingOrFail('mlGettingStartedCallout'); - } - }, - - async dismissGettingStartedCallout() { - await this.assertGettingStartedCalloutVisible(true); - await testSubjects.click('mlDismissGettingStartedCallout'); - await this.assertGettingStartedCalloutVisible(false); - }, - async assertADEmptyStateExists() { await testSubjects.existOrFail('mlAnomalyDetectionEmptyState'); }, From 807b402f0b3c9c4ff68662c44cd512950aa41db4 Mon Sep 17 00:00:00 2001 
From: Dario Gieselaar Date: Tue, 7 Feb 2023 14:10:30 +0100 Subject: [PATCH 14/27] [Profling] Single-click setup from Kibana (#148959) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: inge4pres Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Tim Rühsen Co-authored-by: Francesco Gualazzi Closes https://github.com/elastic/prodfiler/issues/2884 --- .eslintrc.js | 5 +- x-pack/plugins/profiling/common/index.ts | 3 + x-pack/plugins/profiling/kibana.json | 5 +- x-pack/plugins/profiling/public/app.tsx | 47 ++- .../public/components/check_setup.tsx | 145 ++++++++ .../components/flame_graphs_view/index.tsx | 2 +- .../public/components/no_data_page.tsx | 327 ++++++++++++++++++ .../profiling_app_page_template/index.tsx | 17 +- .../primary_profiling_search_bar.tsx | 12 +- .../profiling_header_action_menu.tsx | 30 ++ .../profiling/public/hooks/use_async.ts | 69 +--- .../hooks/use_auto_aborted_http_client.ts | 70 ++++ x-pack/plugins/profiling/public/plugin.tsx | 5 +- .../profiling/public/routing/index.tsx | 10 + x-pack/plugins/profiling/public/services.ts | 81 +++-- .../lib/setup/get_setup_instructions.ts | 40 +++ .../server/lib/setup/has_profiling_data.ts | 23 ++ .../server/lib/setup/mappings/README.md | 53 +++ ...catch_resource_already_exists_exception.ts | 16 + .../component_template_profiling_events.json | 76 ++++ ...ponent_template_profiling_executables.json | 35 ++ .../component_template_profiling_ilm.json | 9 + ...ponent_template_profiling_stackframes.json | 43 +++ ...ponent_template_profiling_stacktraces.json | 27 ++ .../lib/setup/steps/get_apm_package_step.ts | 44 +++ .../server/lib/setup/steps/get_apm_policy.ts | 21 ++ .../setup/steps/get_cluster_settings_step.ts | 32 ++ .../steps/get_component_templates_step.ts | 86 +++++ .../steps/get_create_events_data_streams.ts | 63 ++++ .../setup/steps/get_create_indices_step.ts | 321 +++++++++++++++++ 
.../lib/setup/steps/get_fleet_policy_step.ts | 106 ++++++ .../server/lib/setup/steps/get_ilm_step.ts | 43 +++ .../setup/steps/get_index_templates_step.ts | 80 +++++ .../setup/steps/get_is_cloud_enabled_step.ts | 24 ++ .../lib/setup/steps/get_security_step.ts | 49 +++ .../server/lib/setup/steps/ilm_profiling.json | 35 ++ .../profiling/server/lib/setup/steps/index.ts | 35 ++ .../profiling/server/lib/setup/types.ts | 26 ++ x-pack/plugins/profiling/server/plugin.ts | 13 +- .../plugins/profiling/server/routes/index.ts | 12 +- .../plugins/profiling/server/routes/setup.ts | 165 +++++++++ .../profiling/server/routes/topn.test.ts | 1 + x-pack/plugins/profiling/server/types.ts | 23 +- .../utils/create_profiling_es_client.ts | 4 + x-pack/plugins/profiling/tsconfig.json | 10 +- 45 files changed, 2213 insertions(+), 130 deletions(-) create mode 100644 x-pack/plugins/profiling/public/components/check_setup.tsx create mode 100644 x-pack/plugins/profiling/public/components/no_data_page.tsx create mode 100644 x-pack/plugins/profiling/public/components/profiling_header_action_menu.tsx create mode 100644 x-pack/plugins/profiling/public/hooks/use_auto_aborted_http_client.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/get_setup_instructions.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/has_profiling_data.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/mappings/README.md create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/catch_resource_already_exists_exception.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_events.json create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_executables.json create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_ilm.json create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stackframes.json create mode 100644 
x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stacktraces.json create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_apm_package_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_apm_policy.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_cluster_settings_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_component_templates_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_create_events_data_streams.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_create_indices_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_fleet_policy_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_ilm_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_index_templates_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_is_cloud_enabled_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/get_security_step.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/ilm_profiling.json create mode 100644 x-pack/plugins/profiling/server/lib/setup/steps/index.ts create mode 100644 x-pack/plugins/profiling/server/lib/setup/types.ts create mode 100644 x-pack/plugins/profiling/server/routes/setup.ts diff --git a/.eslintrc.js b/.eslintrc.js index 2ce780c297a7d..57c880a3c790b 100644 --- a/.eslintrc.js +++ b/.eslintrc.js @@ -902,7 +902,10 @@ module.exports = { files: ['x-pack/plugins/profiling/**/*.{js,mjs,ts,tsx}'], rules: { 'react-hooks/rules-of-hooks': 'error', // Checks rules of Hooks - 'react-hooks/exhaustive-deps': ['error', { additionalHooks: '^(useAsync)$' }], + 'react-hooks/exhaustive-deps': [ + 'error', + { additionalHooks: '^(useAsync|useTimeRangeAsync|useAutoAbortedHttpClient)$' }, + ], }, }, { 
diff --git a/x-pack/plugins/profiling/common/index.ts b/x-pack/plugins/profiling/common/index.ts index 5c0e469585d53..3f29a4398eb47 100644 --- a/x-pack/plugins/profiling/common/index.ts +++ b/x-pack/plugins/profiling/common/index.ts @@ -29,6 +29,9 @@ export function getRoutePaths() { Flamechart: `${BASE_ROUTE_PATH}/flamechart`, CacheExecutables: `${BASE_ROUTE_PATH}/cache/executables`, CacheStackFrames: `${BASE_ROUTE_PATH}/cache/stackframes`, + HasSetupESResources: `${BASE_ROUTE_PATH}/setup/es_resources`, + HasSetupDataCollection: `${BASE_ROUTE_PATH}/setup/has_data`, + SetupDataCollectionInstructions: `${BASE_ROUTE_PATH}/setup/instructions`, }; } diff --git a/x-pack/plugins/profiling/kibana.json b/x-pack/plugins/profiling/kibana.json index 0ead3e39f83f6..b72686a37c19e 100644 --- a/x-pack/plugins/profiling/kibana.json +++ b/x-pack/plugins/profiling/kibana.json @@ -19,7 +19,10 @@ "kibanaReact", "unifiedSearch", "dataViews", - "charts" + "charts", + "spaces", + "cloud", + "fleet" ], "optionalPlugins": [], "configPath": [ diff --git a/x-pack/plugins/profiling/public/app.tsx b/x-pack/plugins/profiling/public/app.tsx index da92e839d05d4..bf3a35d060f05 100644 --- a/x-pack/plugins/profiling/public/app.tsx +++ b/x-pack/plugins/profiling/public/app.tsx 
@@ -6,21 +6,22 @@ */ import { AppMountParameters, CoreSetup, CoreStart } from '@kbn/core/public'; -import React, { useMemo } from 'react'; -import ReactDOM from 'react-dom'; - import { KibanaContextProvider, KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; import { Storage } from '@kbn/kibana-utils-plugin/public'; -import { RouteRenderer, RouterProvider } from '@kbn/typed-react-router-config'; - import { RedirectAppLinks } from '@kbn/shared-ux-link-redirect-app'; +import { RouteRenderer, RouterProvider } from '@kbn/typed-react-router-config'; +import React, { useMemo } from 'react'; +import ReactDOM from 'react-dom'; +import { HeaderMenuPortal } from '@kbn/observability-plugin/public'; +import { CheckSetup } from './components/check_setup'; import { ProfilingDependenciesContextProvider } from './components/contexts/profiling_dependencies/profiling_dependencies_context'; +import { RouteBreadcrumbsContextProvider } from './components/contexts/route_breadcrumbs_context'; +import { TimeRangeContextProvider } from './components/contexts/time_range_context'; import { RedirectWithDefaultDateRange } from './components/redirect_with_default_date_range'; import { profilingRouter } from './routing'; import { Services } from './services'; import { ProfilingPluginPublicSetupDeps, ProfilingPluginPublicStartDeps } from './types'; -import { RouteBreadcrumbsContextProvider } from './components/contexts/route_breadcrumbs_context'; -import { TimeRangeContextProvider } from './components/contexts/time_range_context'; +import { ProfilingHeaderActionMenu } from './components/profiling_header_action_menu'; interface Props { profilingFetchServices: Services; 
@@ -30,10 +31,25 @@ interface Props { pluginsSetup: ProfilingPluginPublicSetupDeps; theme$: AppMountParameters['theme$']; history: AppMountParameters['history']; + setHeaderActionMenu: AppMountParameters['setHeaderActionMenu']; } const storage = new Storage(localStorage); +function MountProfilingActionMenu({ + theme$, + setHeaderActionMenu, +}: { + theme$: AppMountParameters['theme$']; + setHeaderActionMenu: AppMountParameters['setHeaderActionMenu']; +}) { + return ( + + + + ); +} + function App({ coreStart, coreSetup, @@ -42,6 +58,7 @@ function App({ profilingFetchServices, theme$, history, + setHeaderActionMenu, }: Props) { const i18nCore = coreStart.i18n; @@ -67,11 +84,17 @@ function App({ - - - - - + + + + + + + + diff --git a/x-pack/plugins/profiling/public/components/check_setup.tsx b/x-pack/plugins/profiling/public/components/check_setup.tsx new file mode 100644 index 0000000000000..566ff7382aacf --- /dev/null +++ b/x-pack/plugins/profiling/public/components/check_setup.tsx 
@@ -0,0 +1,145 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { EuiButton, EuiFlexGroup, EuiFlexItem, EuiLoadingSpinner, EuiText } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import React, { useState } from 'react'; +import { AsyncStatus, useAsync } from '../hooks/use_async'; +import { useAutoAbortedHttpClient } from '../hooks/use_auto_aborted_http_client'; +import { useProfilingDependencies } from './contexts/profiling_dependencies/use_profiling_dependencies'; +import { NoDataPage } from './no_data_page'; +import { ProfilingAppPageTemplate } from './profiling_app_page_template'; + +export function CheckSetup({ children }: { children: React.ReactElement }) { + const { + start: { core }, + services: { fetchHasSetup, postSetupResources }, + } = useProfilingDependencies(); + + const [postSetupLoading, setPostSetupLoading] = useState(false); + + const { status, data, error, refresh } = useAsync( + ({ http }) => { + return fetchHasSetup({ http }); + }, + [fetchHasSetup] + ); + + const http = useAutoAbortedHttpClient([]); + + const displaySetupScreen = + (status === AsyncStatus.Settled && data?.has_setup !== true) || !!error; + + const displayNoDataScreen = + status === AsyncStatus.Settled && data?.has_setup === true && data?.has_data === false; + + const displayUi = data?.has_data === true; + + const docsLink = `https://elastic.github.io/universal-profiling-documentation`; + + const displayLoadingScreen = status !== AsyncStatus.Settled; + + if (displayLoadingScreen) { + return ( + + + + + + + + ); + } + + if (displayUi) { + return children; + } + + if (displayNoDataScreen) { + return ( + + ); + } + + if (displaySetupScreen) { + return ( + + {i18n.translate('xpack.profiling.noDataConfig.action.title', { + defaultMessage: `Universal 
Profiling provides fleet-wide, whole-system, continuous profiling with zero instrumentation. + Understand what lines of code are consuming compute resources, at all times, and across your entire infrastructure.`, + })} + + ), + onClick: (event: React.MouseEvent) => { + event.preventDefault(); + }, + button: ( + { + event.preventDefault(); + + setPostSetupLoading(true); + + postSetupResources({ http }) + .then(() => refresh()) + .catch((err) => { + const message = err?.body?.message ?? err.message ?? String(err); + + core.notifications.toasts.addError(err, { + title: i18n.translate( + 'xpack.profiling.checkSetup.setupFailureToastTitle', + { defaultMessage: 'Failed to complete setup' } + ), + toastMessage: message, + }); + }) + .finally(() => { + setPostSetupLoading(false); + }); + }} + fill + isLoading={postSetupLoading} + > + {!postSetupLoading + ? i18n.translate('xpack.profiling.noDataConfig.action.buttonLabel', { + defaultMessage: 'Setup Universal Profiling', + }) + : i18n.translate('xpack.profiling.noDataConfig.action.buttonLoadingLabel', { + defaultMessage: 'Setting up Universal Profiling...', + })} + + ), + }, + }, + solution: i18n.translate('xpack.profiling.noDataConfig.solutionName', { + defaultMessage: 'Universal Profiling', + }), + }} + hideSearchBar + > + <> + + ); + } + + throw new Error('Invalid state'); +} diff --git a/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx b/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx index dab912902ba46..18abf1f3e66ae 100644 --- a/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx +++ b/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx @@ -116,7 +116,7 @@ export function FlameGraphsView({ children }: { children: React.ReactElement }) } return ( - + {isDifferentialView ? ( 
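Review bot: `displaySetupScreen` folds `!!error` into the "not set up" condition, so any failure of `fetchHasSetup` (a transport error as much as a genuine missing-resources answer) renders the setup screen and the error itself is never shown to the user. Keeping the error out of that condition and rendering it separately, e.g. `const displaySetupScreen = status === AsyncStatus.Settled && data?.has_setup !== true;` with its own branch for `!!error`, lets a failed status check look different from an unconfigured cluster. The toast handler reads `err.message` after `err?.body?.message`, which throws inside the `.catch` if the rejection carries no value; `err?.message` keeps the fallback chain safe. The JSX of this hunk is not visible in this rendering, so the exact placement of the error display is inferred.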
diff --git a/x-pack/plugins/profiling/public/components/no_data_page.tsx b/x-pack/plugins/profiling/public/components/no_data_page.tsx new file mode 100644 index 0000000000000..d045b4146dd9c --- /dev/null +++ b/x-pack/plugins/profiling/public/components/no_data_page.tsx 
@@ -0,0 +1,327 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { + EuiCodeBlock, + EuiFlexGroup, + EuiFlexItem, + EuiIcon, + EuiLink, + EuiLoadingSpinner, + EuiPanel, + EuiSpacer, + EuiSplitPanel, + EuiSteps, + EuiTab, + EuiTabs, + EuiText, +} from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import React, { useState } from 'react'; +import { AsyncStatus, useAsync } from '../hooks/use_async'; +import { useProfilingDependencies } from './contexts/profiling_dependencies/use_profiling_dependencies'; +import { ProfilingAppPageTemplate } from './profiling_app_page_template'; + +export function NoDataPage({ subTitle }: { subTitle: string }) { + const { + services: { setupDataCollectionInstructions }, + } = useProfilingDependencies(); + + const { data, status } = useAsync( + ({ http }) => { + return setupDataCollectionInstructions({ http }); + }, + [setupDataCollectionInstructions] + ); + + const secretToken = data?.variables.secretToken; + const collectionAgentHostPort = data?.variables.apmServerUrl.replace('https://', ''); + + const tabs = [ + { + key: 'kubernetes', + title: i18n.translate('xpack.profiling.tabs.kubernetesTitle', { + defaultMessage: 'Kubernetes', + }), + steps: [ + { + title: i18n.translate('xpack.profiling.tabs.kubernetesRepositoryStep', { + defaultMessage: 'Configure the Universal Profiling host-agent Helm repository:', + }), + content: ( + + helm repo add optimyze https://optimyze.cloud/helm-charts + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.kubernetesInstallStep', { + defaultMessage: 'Install host-agent via Helm:', + }), + content: ( + + {`helm install --create-namespace -n=universal-profiling universal-profiling-agent \\ +--set "projectID=1,secretToken=${secretToken}" \\ +--set 
"collectionAgentHostPort=${collectionAgentHostPort}" \\ +--set "image.baseUrl=docker.elastic.co,image.repository=observability,image.name=profiling-agent" \\ +optimyze/pf-host-agent`} + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.kubernetesValidationStep', { + defaultMessage: 'Validate the host-agent pods are running:', + }), + content: ( + + kubectl -n universal-profiling get pods + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.postValidationStep', { + defaultMessage: + 'Use the Helm install output to get host-agent logs and spot potential errors', + }), + content: <>, + }, + ], + }, + { + key: 'docker', + title: i18n.translate('xpack.profiling.tabs.dockerTitle', { + defaultMessage: 'Docker', + }), + steps: [ + { + title: i18n.translate('xpack.profiling.tabs.dockerRunContainerStep', { + defaultMessage: 'Run the Universal Profiling container:', + }), + content: ( + + {`docker run --name host-agent --privileged --pid=host -v /etc/machine-id:/etc/machine-id:ro \\ +-v /var/run/docker.sock:/var/run/docker.sock -v /sys/kernel/debug:/sys/kernel/debug:ro \\ +docker.elastic.co/observability/profiling-agent:stable /root/pf-host-agent \\ +-project-id=1 -secret-token=${secretToken} \\ +-collection-agent=${collectionAgentHostPort}`} + + ), + }, + ], + }, + { + key: 'binary', + title: i18n.translate('xpack.profiling.tabs.binaryTitle', { + defaultMessage: 'Binary', + }), + steps: [ + { + title: i18n.translate('xpack.profiling.tabs.binaryDownloadStep', { + defaultMessage: 'Download the latest binary:', + }), + content: ( + + wget -O- https://releases.prodfiler.com/stable/pf-host-agent_linux_amd64.tgz | tar xz + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.binaryGrantPermissionStep', { + defaultMessage: 'Grant executable permissions:', + }), + content: ( + + chmod +x pf-host-agent/pf-host-agent + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.binaryRunHostAgentStep', { + defaultMessage: 'Run the Universal Profiling 
host-agent (requires root privileges):', + }), + content: ( + + {`sudo pf-host-agent/pf-host-agent -project-id=1 -secret-token=${secretToken} -collection-agent=${collectionAgentHostPort}`} + + ), + }, + ], + }, + { + key: 'deb', + title: i18n.translate('xpack.profiling.tabs.debTitle', { + defaultMessage: 'DEB Package', + }), + steps: [ + { + title: i18n.translate('xpack.profiling.tabs.debDownloadPackageStep', { + defaultMessage: + 'Open the URL below and download the right DEB package for your CPU architecture:', + }), + content: ( + + https://releases.prodfiler.com/stable/index.html + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.debInstallPackageStep', { + defaultMessage: 'Install the DEB package (requires root privileges):', + }), + content: ( + + {`sudo dpkg -i pf-host-agent*.deb`} + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.debEditConfigStep', { + defaultMessage: 'Edit the configuration (requires root privileges):', + }), + content: ( + + {`echo -e "project-id 1\nsecret-token ${secretToken}\ncollection-agent ${collectionAgentHostPort}" | sudo tee -a /etc/prodfiler/prodfiler.conf`} + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.debStartSystemdServiceStep', { + defaultMessage: + 'Start the Universal Profiling systemd service (requires root privileges):', + }), + content: ( + + {`sudo systemctl enable pf-host-agent && sudo systemctl restart pf-host-agent`} + + ), + }, + ], + }, + { + key: 'rpm', + title: i18n.translate('xpack.profiling.tabs.rpmTitle', { + defaultMessage: 'RPM Package', + }), + steps: [ + { + title: i18n.translate('xpack.profiling.tabs.rpmDownloadPackageStep', { + defaultMessage: + 'Open the URL below and download the right RPM package for your CPU architecture:', + }), + content: ( + + https://releases.prodfiler.com/stable/index.html + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.rpmInstallPackageStep', { + defaultMessage: 'Install the RPM package (requires root privileges):', + }), + 
content: ( + + {`sudo rpm -i pf-host-agent*.rpm`} + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.rpmEditConfigStep', { + defaultMessage: 'Edit the configuration (requires root privileges):', + }), + content: ( + + {`echo -e "project-id 1\nsecret-token ${secretToken}\ncollection-agent ${collectionAgentHostPort}" | sudo tee -a /etc/prodfiler/prodfiler.conf`} + + ), + }, + { + title: i18n.translate('xpack.profiling.tabs.rpmStartSystemdServiceStep', { + defaultMessage: + 'Start the Universal Profiling systemd service (requires root privileges):', + }), + content: ( + + {`sudo systemctl enable pf-host-agent && sudo systemctl restart pf-host-agent`} + + ), + }, + ], + }, + ]; + + const [selectedTab, setSelectedTab] = useState(tabs[0].key); + + const displayedTab = tabs.find((tab) => tab.key === selectedTab)!; + + const displayedSteps = displayedTab.steps ?? []; + + const isLoading = status === AsyncStatus.Loading; + + return ( + + + + + + {i18n.translate('xpack.profiling.noDataPage.pageTitle', { + defaultMessage: 'Add profiling data', + })} + + {isLoading ? ( + + + + ) : null} + + } + > + {isLoading ? ( + <> + ) : ( + <> + {subTitle} + + + + + + {tabs.map((tab) => { + return ( + setSelectedTab(tab.key)} + isSelected={tab.key === selectedTab} + > + {tab.title} + + ); + })} + + + + + { + return { + title: step.title, + children: step.content, + status: 'incomplete', + }; + })} + /> + + + + + )} + + ); +} diff --git a/x-pack/plugins/profiling/public/components/profiling_app_page_template/index.tsx b/x-pack/plugins/profiling/public/components/profiling_app_page_template/index.tsx index 03a04b6a3a8e0..0e635aba6bb5a 100644 --- a/x-pack/plugins/profiling/public/components/profiling_app_page_template/index.tsx +++ b/x-pack/plugins/profiling/public/components/profiling_app_page_template/index.tsx 
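Review bot: `collectionAgentHostPort` is derived with `replace('https://', '')`, which leaves any other scheme, a path or a trailing slash in the value that is interpolated into every generated command. If `apmServerUrl` is a full URL, `new URL(data.variables.apmServerUrl).host` yields host:port directly; otherwise strip with a `^https?://` regexp and drop a trailing `/`. The `tabs.find(...)!` assertion on `selectedTab` only holds because the state is initialised from `tabs[0].key`; a fallback to `tabs[0]` or a comment saying so would make that explicit. The JSX in this hunk is not visible in this rendering, so how the code blocks are presented is inferred.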
@@ -9,6 +9,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiPageHeaderContentProps } from '@elastic/e import { i18n } from '@kbn/i18n'; import React, { useEffect } from 'react'; import { useHistory } from 'react-router-dom'; +import { NoDataPageProps } from '@kbn/shared-ux-page-no-data-types'; import { useProfilingDependencies } from '../contexts/profiling_dependencies/use_profiling_dependencies'; import { PrimaryProfilingSearchBar } from './primary_profiling_search_bar'; @@ -16,12 +17,18 @@ export function ProfilingAppPageTemplate({ children, tabs, hideSearchBar = false, - fullHeight = false, + noDataConfig, + restrictWidth = false, + pageTitle = i18n.translate('xpack.profiling.appPageTemplate.pageTitle', { + defaultMessage: 'Universal Profiling', + }), }: { children: React.ReactElement; tabs: EuiPageHeaderContentProps['tabs']; hideSearchBar?: boolean; - fullHeight?: boolean; + noDataConfig?: NoDataPageProps; + restrictWidth?: boolean; + pageTitle?: React.ReactNode; }) { const { start: { observability }, @@ -37,12 +44,12 @@ export function ProfilingAppPageTemplate({ return ( + + + + + + + {i18n.translate('xpack.profiling.headerActionMenu.addData', { + defaultMessage: 'Add data', + })} + + + + + ); +} diff --git a/x-pack/plugins/profiling/public/hooks/use_async.ts b/x-pack/plugins/profiling/public/hooks/use_async.ts index 7156b4e8bfffd..585e2882e493d 100644 --- a/x-pack/plugins/profiling/public/hooks/use_async.ts +++ b/x-pack/plugins/profiling/public/hooks/use_async.ts 
@@ -4,11 +4,9 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { HttpFetchOptions, HttpHandler, HttpStart } from '@kbn/core-http-browser'; import { AbortError } from '@kbn/kibana-utils-plugin/common'; -import { useEffect, useRef, useState } from 'react'; -import { Overwrite, ValuesType } from 'utility-types'; -import { useProfilingDependencies } from '../components/contexts/profiling_dependencies/use_profiling_dependencies'; +import { useCallback, useEffect, useState } from 'react'; +import { AutoAbortedHttpService, useAutoAbortedHttpClient } from './use_auto_aborted_http_client'; export enum AsyncStatus { Loading = 'loading', 
@@ -20,69 +18,39 @@ export interface AsyncState { data?: T; error?: Error; status: AsyncStatus; + refresh: () => void; } -const HTTP_METHODS = ['fetch', 'get', 'post', 'put', 'delete', 'patch'] as const; - -type HttpMethod = ValuesType; - -type AutoAbortedHttpMethod = ( - path: string, - options: Omit -) => ReturnType; - -export type AutoAbortedHttpService = Overwrite< - HttpStart, - Record ->; - export type UseAsync = ( fn: ({ http }: { http: AutoAbortedHttpService }) => Promise | undefined, dependencies: any[] ) => AsyncState; export const useAsync: UseAsync = (fn, dependencies) => { - const { - start: { - core: { http }, - }, - } = useProfilingDependencies(); + const [refreshId, setRefreshId] = useState(0); + + const refresh = useCallback(() => { + setRefreshId((id) => id + 1); + }, []); + const [asyncState, setAsyncState] = useState>({ status: AsyncStatus.Init, + refresh, }); const { data, error } = asyncState; - const controllerRef = useRef(new AbortController()); + const httpClient = useAutoAbortedHttpClient(dependencies); useEffect(() => { - controllerRef.current.abort(); - - controllerRef.current = new AbortController(); - - const autoAbortedMethods = {} as Record; - - for (const key of HTTP_METHODS) { - autoAbortedMethods[key] = (path, options) => { - return http[key](path, { ...options, signal: controllerRef.current.signal }).catch( - (err) => { - if (err.name === 'AbortError') { - // return never-resolving promise - return new Promise(() => {}); - } - throw err; - } - ); - }; - } - - const returnValue = fn({ http: { ...http, ...autoAbortedMethods } }); + const returnValue = fn({ http: httpClient }); if (returnValue === undefined) { setAsyncState({ status: AsyncStatus.Init, data: undefined, error: undefined, + refresh, }); return; } 
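Review bot: `refresh()` re-runs the effect via `refreshId`, but `httpClient` comes from `useAutoAbortedHttpClient(dependencies)` without `refreshId`, so the request already in flight is not aborted and both responses race to `setAsyncState`; the older one can resolve last and overwrite the refreshed data. Passing the counter into the client, `const httpClient = useAutoAbortedHttpClient([refreshId, ...dependencies]);`, makes a refresh abort the previous request the same way a dependency change does (assuming the hook recreates its controller when its dependencies change, as its memo suggests). The effect dependency list that adds `refreshId` is in the last hunk of this file, so the two hunks need to be read together.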
@@ -91,12 +59,14 @@ export const useAsync: UseAsync = (fn, dependencies) => { status: AsyncStatus.Loading, data, error, + refresh, }); returnValue.then((nextData) => { setAsyncState({ status: AsyncStatus.Settled, data: nextData, + refresh, }); }); @@ -107,17 +77,12 @@ export const useAsync: UseAsync = (fn, dependencies) => { setAsyncState({ status: AsyncStatus.Settled, error: nextError, + refresh, }); throw nextError; }); // eslint-disable-next-line react-hooks/exhaustive-deps - }, [http, ...dependencies]); - - useEffect(() => { - return () => { - controllerRef.current.abort(); - }; - }, []); + }, [httpClient, refreshId, ...dependencies]); return asyncState; }; diff --git a/x-pack/plugins/profiling/public/hooks/use_auto_aborted_http_client.ts b/x-pack/plugins/profiling/public/hooks/use_auto_aborted_http_client.ts new file mode 100644 index 0000000000000..f88ca2f0f0b8b --- /dev/null +++ b/x-pack/plugins/profiling/public/hooks/use_auto_aborted_http_client.ts 
@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useMemo, useRef } from 'react';
+import { Overwrite, ValuesType } from 'utility-types';
+import { HttpFetchOptions, HttpHandler, HttpStart } from '@kbn/core/public';
+import { useProfilingDependencies } from '../components/contexts/profiling_dependencies/use_profiling_dependencies';
+
+const HTTP_METHODS = ['fetch', 'get', 'post', 'put', 'delete', 'patch'] as const;
+
+type HttpMethod = ValuesType;
+
+type AutoAbortedHttpMethod = (
+ path: string,
+ options: Omit
+) => ReturnType;
+
+export type AutoAbortedHttpService = Overwrite<
+ HttpStart,
+ Record
+>;
+
+export function useAutoAbortedHttpClient(dependencies: any[]): AutoAbortedHttpService {
+ const controller = useRef(new AbortController());
+
+ const {
+ start: {
+ core: { http },
+ },
+ } = useProfilingDependencies();
+
+ const httpClient = useMemo(() => {
+ controller.current.abort();
+
+ controller.current = new AbortController();
+
+ const autoAbortedMethods = {} as Record;
+
+ for (const key of HTTP_METHODS) {
+ autoAbortedMethods[key] = (path, options) => {
+ return http[key](path, { ...options, signal: controller.current.signal }).catch((err) => {
+ if (err.name === 'AbortError') {
+ // return never-resolving promise
+ return new Promise(() => {});
+ }
+ throw err;
+ });
+ };
+ }
+
+ return {
+ ...http,
+ ...autoAbortedMethods,
+ };
+
+ // eslint-disable-next-line react-hooks/exhaustive-deps
+ }, [http, ...dependencies]);
+
+ useEffect(() => {
+ return () => {
+ controller.current.abort();
+ };
+ }, []);
+
+ return httpClient;
+}
diff --git a/x-pack/plugins/profiling/public/plugin.tsx b/x-pack/plugins/profiling/public/plugin.tsx
index ead023a079e29..4875af624fb9b 100644
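Review bot: The `useMemo` callback aborts the previous controller and installs a new one, which is a side effect React does not promise to run exactly once per dependency change (the memo may be recomputed, and Strict Mode invokes it twice in development); `useRef(new AbortController())` also constructs a throwaway controller on every render. Keeping the memo pure — create the controller inside it, capture its `signal` in the wrapped methods, and abort it from a `useEffect` cleanup keyed on the memoised value — preserves the behaviour while tying the abort to React's lifecycle, and the unmount case is then covered by the same cleanup. `dependencies: any[]` can be `readonly unknown[]`, since the values are only spread into a dependency list.
```typescript
export function useAutoAbortedHttpClient(dependencies: readonly unknown[]): AutoAbortedHttpService {
  // … unchanged: useProfilingDependencies() destructuring of http …

  const { httpClient, controller } = useMemo(() => {
    const ctrl = new AbortController();
    const autoAbortedMethods = {} as Record<HttpMethod, AutoAbortedHttpMethod>;

    for (const key of HTTP_METHODS) {
      autoAbortedMethods[key] = (path, options) => {
        return http[key](path, { ...options, signal: ctrl.signal }).catch((err) => {
          // … unchanged: AbortError → never-resolving promise, otherwise rethrow …
        });
      };
    }

    return { httpClient: { ...http, ...autoAbortedMethods }, controller: ctrl };
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [http, ...dependencies]);

  // Abort the superseded requests whenever a new client is memoised, and on unmount.
  useEffect(() => () => controller.abort(), [controller]);

  return httpClient;
}
```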
--- a/x-pack/plugins/profiling/public/plugin.tsx +++ b/x-pack/plugins/profiling/public/plugin.tsx @@ -53,10 +53,10 @@ export class ProfilingPlugin implements Plugin { map(([_, kuery]) => { const sections: NavigationSection[] = [ { - // TODO: add beta badge to section label, needs support in Observability plugin label: i18n.translate('xpack.profiling.navigation.sectionLabel', { defaultMessage: 'Universal Profiling', }), + isBetaFeature: true, entries: links.map((link) => { return { app: 'profiling', @@ -83,7 +83,7 @@ export class ProfilingPlugin implements Plugin { appRoute: '/app/profiling', category: DEFAULT_APP_CATEGORIES.observability, deepLinks: links, - async mount({ element, history, theme$ }: AppMountParameters) { + async mount({ element, history, theme$, setHeaderActionMenu }: AppMountParameters) { const [coreStart, pluginsStart] = (await coreSetup.getStartServices()) as [ CoreStart, ProfilingPluginPublicStartDeps, @@ -111,6 +111,7 @@ export class ProfilingPlugin implements Plugin { pluginsSetup, history, theme$, + setHeaderActionMenu, }, element ); diff --git a/x-pack/plugins/profiling/public/routing/index.tsx b/x-pack/plugins/profiling/public/routing/index.tsx index d7b79abc0a9a7..1ca3a597e4782 100644 --- a/x-pack/plugins/profiling/public/routing/index.tsx +++ b/x-pack/plugins/profiling/public/routing/index.tsx @@ -17,6 +17,7 @@ import { FunctionsView } from '../components/functions_view'; import { RedirectTo } from '../components/redirect_to'; import { RouteBreadcrumb } from '../components/route_breadcrumb'; import { StackTracesView } from '../components/stack_traces_view'; +import { NoDataPage } from '../components/no_data_page'; const routes = { '/': { @@ -31,6 +32,15 @@ const routes = { ), children: { + '/add-data-instructions': { + element: ( + + ), + }, '/': { children: { '/stacktraces/{topNType}': { diff --git a/x-pack/plugins/profiling/public/services.ts b/x-pack/plugins/profiling/public/services.ts index 4dcad550d0bbb..edd8922ddd3b0 100644 
--- a/x-pack/plugins/profiling/public/services.ts +++ b/x-pack/plugins/profiling/public/services.ts @@ -9,7 +9,8 @@ import { getRoutePaths } from '../common'; import { BaseFlameGraph, createFlameGraph, ElasticFlameGraph } from '../common/flamegraph'; import { TopNFunctions } from '../common/functions'; import { TopNResponse } from '../common/topn'; -import { AutoAbortedHttpService } from './hooks/use_async'; +import type { SetupDataCollectionInstructions } from '../server/lib/setup/get_setup_instructions'; +import { AutoAbortedHttpService } from './hooks/use_auto_aborted_http_client'; export interface Services { fetchTopN: (params: { @@ -33,6 +34,13 @@ export interface Services { timeTo: number; kuery: string; }) => Promise; + fetchHasSetup: (params: { + http: AutoAbortedHttpService; + }) => Promise<{ has_setup: boolean; has_data: boolean }>; + postSetupResources: (params: { http: AutoAbortedHttpService }) => Promise; + setupDataCollectionInstructions: (params: { + http: AutoAbortedHttpService; + }) => Promise; } export function getServices(): Services { 
@@ -40,45 +48,50 @@ export function getServices(): Services { return { fetchTopN: async ({ http, type, timeFrom, timeTo, kuery }) => { - try { - const query: HttpFetchQuery = { - timeFrom, - timeTo, - kuery, - }; - return await http.get(`${paths.TopN}/${type}`, { query }); - } catch (e) { - return e; - } + const query: HttpFetchQuery = { + timeFrom, + timeTo, + kuery, + }; + return (await http.get(`${paths.TopN}/${type}`, { query })) as Promise; }, fetchTopNFunctions: async ({ http, timeFrom, timeTo, startIndex, endIndex, kuery }) => { - try { - const query: HttpFetchQuery = { - timeFrom, - timeTo, - startIndex, - endIndex, - kuery, - }; - return await http.get(paths.TopNFunctions, { query }); - } catch (e) { - return e; - } + const query: HttpFetchQuery = { + timeFrom, + timeTo, + startIndex, + endIndex, + kuery, + }; + return (await http.get(paths.TopNFunctions, { query })) as Promise; }, fetchElasticFlamechart: async ({ http, timeFrom, timeTo, kuery }) => { - try { - const query: HttpFetchQuery = { - timeFrom, - timeTo, - kuery, - }; - const baseFlamegraph = (await http.get(paths.Flamechart, { query })) as BaseFlameGraph; - return createFlameGraph(baseFlamegraph); - } catch (e) { - return e; - } + const query: HttpFetchQuery = { + timeFrom, + timeTo, + kuery, + }; + const baseFlamegraph = (await http.get(paths.Flamechart, { query })) as BaseFlameGraph; + return createFlameGraph(baseFlamegraph); + }, + fetchHasSetup: async ({ http }) => { + const hasSetup = (await http.get(paths.HasSetupESResources, {})) as { + has_setup: boolean; + has_data: boolean; + }; + return hasSetup; + }, + postSetupResources: async ({ http }) => { + await http.post(paths.HasSetupESResources, {}); + }, + setupDataCollectionInstructions: async ({ http }) => { + const instructions = (await http.get( + paths.SetupDataCollectionInstructions, + {} + )) as SetupDataCollectionInstructions; + return instructions; }, }; } 
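Review bot: `fetchTopN` and `fetchTopNFunctions` cast an already awaited value with `as Promise<…>` (the type arguments are stripped in this rendering), which types the resolved response as a promise and relies on the async function flattening it; asserting the response type itself, or passing it as a type argument, reads honestly: `return http.get<TopNResponse>(\`${paths.TopN}/${type}\`, { query });`. `fetchHasSetup` repeats the inline `{ has_setup: boolean; has_data: boolean }` literal already spelled out on the `Services` interface; a shared named type keeps the two from drifting. Dropping the `catch (e) { return e; }` blocks is right, as callers now see failures as rejections instead of an error object returned as data.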
diff --git a/x-pack/plugins/profiling/server/lib/setup/get_setup_instructions.ts b/x-pack/plugins/profiling/server/lib/setup/get_setup_instructions.ts
new file mode 100644
index 0000000000000..8a9540e1fd583
--- /dev/null
+++ b/x-pack/plugins/profiling/server/lib/setup/get_setup_instructions.ts
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { SavedObjectsClientContract } from '@kbn/core/server';
+import { PackagePolicyClient } from '@kbn/fleet-plugin/server';
+import { getApmPolicy } from './steps/get_apm_policy';
+
+export interface SetupDataCollectionInstructions {
+ variables: {
+ apmServerUrl: string;
+ secretToken: string;
+ };
+}
+
+export async function getSetupInstructions({
+ packagePolicyClient,
+ soClient,
+}: {
+ packagePolicyClient: PackagePolicyClient;
+ soClient: SavedObjectsClientContract;
+}): Promise {
+ const apmPolicy = await getApmPolicy({ packagePolicyClient, soClient });
+
+ if (!apmPolicy) {
+ throw new Error('Could not find APM policy');
+ }
+
+ const apmServerVars = apmPolicy.inputs[0].vars;
+
+ return {
+ variables: {
+ apmServerUrl: apmServerVars!.url.value!,
+ secretToken: apmServerVars!.secret_token.value!,
+ },
+ };
+}
diff --git a/x-pack/plugins/profiling/server/lib/setup/has_profiling_data.ts b/x-pack/plugins/profiling/server/lib/setup/has_profiling_data.ts
new file mode 100644
index 0000000000000..d4478ee6c70ed
--- /dev/null
+++ b/x-pack/plugins/profiling/server/lib/setup/has_profiling_data.ts
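Review bot: `apmPolicy.inputs[0].vars` and the `!` assertions on `url.value` and `secret_token.value` turn a policy without inputs, or without those variables, into a `TypeError` deep in the handler instead of a clear failure, and with `noUncheckedIndexedAccess` the `[0]` access would not compile. A guard such as `const apmServerVars = apmPolicy.inputs[0]?.vars; if (!apmServerVars?.url?.value || !apmServerVars?.secret_token?.value) { throw new Error('APM policy is missing url or secret_token'); }` lets the return drop the assertions. Since the `secretToken` returned here is sent to the browser by the `SetupDataCollectionInstructions` route, whose handler is outside this chunk, it is worth confirming that route requires the same privilege as the setup route rather than plain read access.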
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ProfilingESClient } from '../../utils/create_profiling_es_client';
+
+export async function hasProfilingData({
+ client,
+}: {
+ client: ProfilingESClient;
+}): Promise {
+ const hasProfilingDataResponse = await client.search('has_any_profiling_data', {
+ index: 'profiling*',
+ size: 0,
+ track_total_hits: 1,
+ terminate_after: 1,
+ });
+
+ return hasProfilingDataResponse.hits.total.value > 0;
+}
diff --git a/x-pack/plugins/profiling/server/lib/setup/mappings/README.md b/x-pack/plugins/profiling/server/lib/setup/mappings/README.md
new file mode 100644
index 0000000000000..cf72b0ec7c650
--- /dev/null
+++ b/x-pack/plugins/profiling/server/lib/setup/mappings/README.md
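Review bot: `hits.total.value` assumes `hits.total` always has the object form, but the Elasticsearch client types it as a number or an object and optional, so depending on how `ProfilingESClient.search` types its result this either fails to compile or throws at runtime when the response is shaped differently. `const total = hasProfilingDataResponse.hits.total; return (typeof total === 'number' ? total : total?.value ?? 0) > 0;` handles both shapes. `track_total_hits: 1` with `terminate_after: 1` is enough for an existence check, so a short comment saying the count is deliberately capped would spare the next reader from "fixing" it.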
@@ -0,0 +1,53 @@ +## Universal Profiling mappings + +### Server routes + +* Check if ES setup is done + + curl -H "content-type: application/json" -u \ + -XGET "http://localhost:5601/api/profiling/v1/setup/es_resources" + +* Apply the ES setup (mappings + Fleet policy) + + curl -H "content-type: application/json" -u -H "kbn-xsrf: reporting" \ + -XPOST "http://localhost:5601/api/profiling/v1/setup/es_resources" + +* check data has been ingested + + curl -H "content-type: application/json" -u \ + -XGET "http://localhost:5601/api/profiling/v1/setup/has_data" + + +### Testing in Cloud + +Be sure to have configured `EC_API_KEY` env var with an API key for Cloud (ESS). + +Build and push a Kibana image with the latest changes. +Choose a unique identifier for the build, then: + +``` +node scripts/build --docker-images --skip-docker-ubi --skip-docker-ubuntu +docker tag docker.elastic.co/kibana-ci/kibana-cloud:8.7.0-SNAPSHOT docker.elastic.co/observability-ci/kibana: +docker push docker.elastic.co/observability-ci/kibana: +``` + +Then, within `apm-server` repo: + +``` +cd testing/cloud +make +vim docker_image.auto.tfvars +``` + +Replace the `"kibana"` key in `docker_image_tag_override=` map with your unique identifier tag from previous step. +Now you can run: + +``` +terraform init +terraform apply -var-file docker_image.auto.tfvars +``` + +and once completed, you'll see the output with information on how to access the deployment. + +When changing code in Kibana, you don't need to tear down the Terraform deployment, simply update the `docker_image.auto.tfvars` +with the new tag and run `terraform apply ...` as above: this will update Kibana. diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/catch_resource_already_exists_exception.ts b/x-pack/plugins/profiling/server/lib/setup/steps/catch_resource_already_exists_exception.ts new file mode 100644 index 0000000000000..eaea6c2708342 --- /dev/null 
+++ b/x-pack/plugins/profiling/server/lib/setup/steps/catch_resource_already_exists_exception.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { isResponseError } from '@kbn/es-errors';
+
+export function catchResourceAlreadyExistsException(error: any) {
+ if (isResponseError(error) && error.body?.error?.type === 'resource_already_exists_exception') {
+ return Promise.resolve();
+ }
+
+ return Promise.reject(error);
+}
diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_events.json b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_events.json
new file mode 100644
index 0000000000000..d1df1d206b60f
--- /dev/null
+++ b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_events.json
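Review bot: `error: any` switches off checking on the one parameter this helper has; `unknown` is the right type for a value arriving from a `.catch`, and `isResponseError` narrows it before `error.body` is read, provided its signature is a type predicate: `export function catchResourceAlreadyExistsException(error: unknown) {`. Because the helper is reused by several steps, a doc comment stating its contract would help: `/** Resolves when the rejection is an ES resource_already_exists_exception (the resource is already there, which is the desired end state); rejects with the original error otherwise. */`.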
@@ -0,0 +1,76 @@ +{ + "settings": { + "index": { + "number_of_shards": "4", + "max_result_window": 150000, + "refresh_interval": "10s", + "sort": { + "field": [ + "service.name", + "@timestamp", + "orchestrator.resource.name", + "container.name", + "process.thread.name", + "host.id" + ] + } + }, + "codec": "best_compression" + }, + "mappings": { + "_source": { + "enabled": false + }, + "properties": { + "ecs.version": { + "type": "keyword", + "index": true + }, + "service.name": { + "type": "keyword" + }, + "@timestamp": { + "type": "date", + "format": "epoch_second" + }, + "host.id": { + "type": "keyword" + }, + "Stacktrace.id": { + "type": "keyword", + "index": false + }, + "orchestrator.resource.name": { + "type": "keyword" + }, + "container.name": { + "type": "keyword" + }, + "process.thread.name": { + "type": "keyword" + }, + "Stacktrace.count": { + "type": "short", + "index": false + }, + "agent.version": { + "type": "keyword" + }, + "host.ip": { + "type": "ip" + }, + "host.ipstring": { + "type": "keyword" + }, + "host.name": { + "type": "keyword" + }, + "os.kernel": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + } + } + } +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_executables.json b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_executables.json new file mode 100644 index 0000000000000..f80cf8a92a26f --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_executables.json 
@@ -0,0 +1,35 @@ +{ + "settings": { + "index": { + "refresh_interval": "10s" + } + }, + "mappings": { + "_source": { + "mode": "synthetic" + }, + "properties": { + "ecs.version": { + "type": "keyword", + "index": true + }, + "Executable.build.id": { + "type": "keyword", + "index": true + }, + "Executable.file.name": { + "type": "keyword", + "index": true + }, + "@timestamp": { + "type": "date", + "format": "epoch_second" + }, + "Symbolization.lastprocessed": { + "type": "date", + "format": "epoch_second", + "index": false + } + } + } +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_ilm.json b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_ilm.json new file mode 100644 index 0000000000000..36741bc9310a0 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_ilm.json @@ -0,0 +1,9 @@ +{ + "settings": { + "index": { + "lifecycle": { + "name": "profiling" + } + } + } +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stackframes.json b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stackframes.json new file mode 100644 index 0000000000000..67fcf4a80820a --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stackframes.json 
@@ -0,0 +1,43 @@ +{ + "settings": { + "index": { + "number_of_shards": 16, + "refresh_interval": "10s" + } + }, + "mappings": { + "_source": { + "enabled": true + }, + "properties": { + "ecs.version": { + "type": "keyword", + "index": true, + "doc_values": false, + "store": false + }, + "Stackframe.line.number": { + "type": "integer", + "index": false, + "doc_values": false, + "store": false + }, + "Stackframe.file.name": { + "type": "keyword", + "index": false, + "doc_values": false, + "store": false + }, + "Stackframe.function.name": { + "type": "keyword", + "index": false + }, + "Stackframe.function.offset": { + "type": "integer", + "index": false, + "doc_values": false, + "store": false + } + } + } +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stacktraces.json b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stacktraces.json new file mode 100644 index 0000000000000..a72db59a9cf6c --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/component_template_profiling_stacktraces.json @@ -0,0 +1,27 @@ +{ + "settings": { + "index": { + "number_of_shards": 16, + "refresh_interval": "10s" + } + }, + "mappings": { + "_source": { + "mode": "synthetic" + }, + "properties": { + "ecs.version": { + "type": "keyword", + "index": true + }, + "Stacktrace.frame.ids": { + "type": "keyword", + "index": false + }, + "Stacktrace.frame.types": { + "type": "keyword", + "index": false + } + } + } +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_apm_package_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_apm_package_step.ts new file mode 100644 index 0000000000000..ad31b85baef19 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_apm_package_step.ts 
@@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { installPackage, getInstallation } from '@kbn/fleet-plugin/server/services/epm/packages'; +import { + fetchFindLatestPackageOrThrow, + pkgToPkgKey, +} from '@kbn/fleet-plugin/server/services/epm/registry'; +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; + +export function getApmPackageStep({ + client, + soClient, + spaceId, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + const esClient = client.getEsClient(); + return { + name: 'apm_package', + hasCompleted: async () => { + const installation = await getInstallation({ + pkgName: 'apm', + savedObjectsClient: soClient, + }); + + return !!installation; + }, + init: async () => { + const { name, version } = await fetchFindLatestPackageOrThrow('apm'); + + await installPackage({ + installSource: 'registry', + esClient, + savedObjectsClient: soClient, + pkgkey: pkgToPkgKey({ name, version }), + spaceId, + force: true, + }); + }, + }; +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_apm_policy.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_apm_policy.ts new file mode 100644 index 0000000000000..ee7a5913e1a57 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_apm_policy.ts 
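Review bot: `hasCompleted` treats any existing `apm` installation as done, while `init` installs whatever `fetchFindLatestPackageOrThrow('apm')` returns with `force: true`, so the two halves of the step disagree about whether the installed version matters. If an older installed package is fine, say so where `force` is set, e.g. `// force: presumably needed to install even when an apm package is already present; an older installed version is left alone by hasCompleted`; if a minimum version is required, `hasCompleted` should compare `installation.version` against the latest package version instead of `!!installation`.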
@@ -0,0 +1,21 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { SavedObjectsClientContract } from '@kbn/core/server'; +import { PackagePolicyClient } from '@kbn/fleet-plugin/server'; + +export const ELASTIC_CLOUD_APM_POLICY = 'elastic-cloud-apm'; + +export async function getApmPolicy({ + packagePolicyClient, + soClient, +}: { + packagePolicyClient: PackagePolicyClient; + soClient: SavedObjectsClientContract; +}) { + return await packagePolicyClient.get(soClient, ELASTIC_CLOUD_APM_POLICY); +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_cluster_settings_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_cluster_settings_step.ts new file mode 100644 index 0000000000000..b281745552eb2 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_cluster_settings_step.ts @@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; + +const MAX_BUCKETS = 150000; + +export function getClusterSettingsStep({ + client, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + return { + name: 'cluster_settings', + hasCompleted: async () => { + const settings = await client.getEsClient().cluster.getSettings({}); + + return settings.persistent.search?.max_buckets === MAX_BUCKETS.toString(); + }, + init: async () => { + await client.getEsClient().cluster.putSettings({ + persistent: { + search: { + max_buckets: MAX_BUCKETS, + }, + }, + }); + }, + }; +} 
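Review bot: In get_cluster_settings_step, `hasCompleted` returns true only when the persistent `search.max_buckets` is exactly the string `'150000'`, so a cluster where an administrator already set a higher value (or set it transiently) is treated as incomplete and `init` overwrites it; `search.max_buckets` is a cluster-wide persistent setting that affects every aggregation on the cluster, not something scoped to profiling. Suggest accepting any value at least as large, `return Number(settings.persistent.search?.max_buckets) >= MAX_BUCKETS;`, and documenting the side effect above `init`: `// Raises the cluster-wide search.max_buckets; this persistent, cluster-level setting is shared with every other consumer of the cluster.`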
diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_component_templates_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_component_templates_step.ts new file mode 100644 index 0000000000000..3a37e3e3970d2 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_component_templates_step.ts 
@@ -0,0 +1,86 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { IndicesIndexState } from '@elastic/elasticsearch/lib/api/types'; +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; +import componentTemplateProfilingIlm from './component_template_profiling_ilm.json'; +import componentTemplateProfilingEvents from './component_template_profiling_events.json'; +import componentTemplateProfilingExecutables from './component_template_profiling_executables.json'; +import componentTemplateProfilingStackframes from './component_template_profiling_stackframes.json'; +import componentTemplateProfilingStacktraces from './component_template_profiling_stacktraces.json'; + +export enum ProfilingComponentTemplateName { + Ilm = 'profiling-ilm', + Events = 'profiling-events', + Executables = 'profiling-executables', + Stackframes = 'profiling-stackframes', + Stacktraces = 'profiling-stacktraces', +} + +export function getComponentTemplatesStep({ + client, + logger, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + const esClient = client.getEsClient(); + + return { + name: 'component_templates', + hasCompleted: async () => { + return Promise.all( + [ + ProfilingComponentTemplateName.Ilm, + ProfilingComponentTemplateName.Events, + ProfilingComponentTemplateName.Executables, + ProfilingComponentTemplateName.Stackframes, + ProfilingComponentTemplateName.Stacktraces, + ].map((componentTemplateName) => + esClient.cluster.getComponentTemplate({ + name: componentTemplateName, + }) + ) + ).then( + () => Promise.resolve(true), + (error) => { + logger.debug('Some component templates could not be fetched'); + logger.debug(error); + return Promise.resolve(false); + } + ); + }, + init: async () => { + await Promise.all([ + 
esClient.cluster.putComponentTemplate({ + name: ProfilingComponentTemplateName.Ilm, + create: false, + template: componentTemplateProfilingIlm, + }), + esClient.cluster.putComponentTemplate({ + name: ProfilingComponentTemplateName.Events, + create: false, + template: componentTemplateProfilingEvents as IndicesIndexState, + _meta: { + description: 'Mappings for profiling events data stream', + }, + }), + esClient.cluster.putComponentTemplate({ + name: ProfilingComponentTemplateName.Executables, + create: false, + template: componentTemplateProfilingExecutables as IndicesIndexState, + }), + esClient.cluster.putComponentTemplate({ + name: ProfilingComponentTemplateName.Stackframes, + create: false, + template: componentTemplateProfilingStackframes as IndicesIndexState, + }), + esClient.cluster.putComponentTemplate({ + name: ProfilingComponentTemplateName.Stacktraces, + create: false, + template: componentTemplateProfilingStacktraces as IndicesIndexState, + }), + ]); + }, + }; +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_create_events_data_streams.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_create_events_data_streams.ts new file mode 100644 index 0000000000000..16cdee47f000d --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_create_events_data_streams.ts 
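Review bot: `hasCompleted` maps every rejection from `getComponentTemplate` to `false`, so a 403 (the Kibana user lacking the template privileges) or a transient transport error is indistinguishable from "not installed" and merely makes `init` run `putComponentTemplate` with `create: false`, which then fails with a less specific error; the same pattern appears in get_ilm_step, get_index_templates_step and get_security_step. Consider treating only a 404 as incomplete — `isResponseError(error) && error.statusCode === 404` with the helper already used in catch_resource_already_exists_exception — and rethrowing everything else. The `Promise.resolve(true)` / `Promise.resolve(false)` wrappers inside an `async` function are redundant; plain `true` / `false` suffice. `componentTemplateProfilingIlm` is also the only template passed without the `as IndicesIndexState` cast; presumably its JSON shape already satisfies the type, but making the five calls uniform would make that explicit.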
@@ -0,0 +1,63 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; +import { catchResourceAlreadyExistsException } from './catch_resource_already_exists_exception'; + +function getEventDataStreamNames() { + const subSampledIndicesIdx = Array.from(Array(11).keys(), (item: number) => item + 1); + const subSampledIndexName = (pow: number): string => { + return `profiling-events-5pow${String(pow).padStart(2, '0')}`; + }; + // Generate all the possible index template names + const eventsIndices = ['profiling-events-all'].concat( + subSampledIndicesIdx.map((pow) => subSampledIndexName(pow)) + ); + + return eventsIndices; +} + +export function getCreateEventsDataStreamsStep({ + client, + logger, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + const esClient = client.getEsClient(); + + const dataStreamNames = getEventDataStreamNames(); + + return { + name: 'create_events_data_streams', + hasCompleted: async () => { + const dataStreams = await esClient.indices.getDataStream({ + name: 'profiling-events*', + }); + + const allDataStreams = dataStreams.data_streams.map((dataStream) => dataStream.name); + + const missingDataStreams = dataStreamNames.filter( + (eventIndex) => !allDataStreams.includes(eventIndex) + ); + + if (missingDataStreams.length > 0) { + logger.debug(`Missing event indices: ${missingDataStreams.join(', ')}`); + } + + return missingDataStreams.length === 0; + }, + init: async () => { + await Promise.all( + dataStreamNames.map((dataStreamName) => + esClient.indices + .createDataStream({ + name: dataStreamName, + }) + .catch(catchResourceAlreadyExistsException) + ) + ); + }, + }; +} 
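Review bot: The comment inside `getEventDataStreamNames` says "Generate all the possible index template names", but the function returns data stream names that `init` passes to `createDataStream`; suggest `// Data stream names: profiling-events-all plus the sub-sampled profiling-events-5pow01..5pow11 streams`. `Array.from(Array(11).keys(), (item: number) => item + 1)` is an unusual way to build 1..11 — `Array.from({ length: 11 }, (_, i) => i + 1)` reads more directly — and `11` deserves a named constant with a comment on what it has to agree with, which presumably is whatever writes these streams and is outside this hunk.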
diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_create_indices_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_create_indices_step.ts new file mode 100644 index 0000000000000..6bfca0fbe3a51 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_create_indices_step.ts 
@@ -0,0 +1,321 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { MappingSourceField } from '@elastic/elasticsearch/lib/api/types'; +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; +import { catchResourceAlreadyExistsException } from './catch_resource_already_exists_exception'; + +const SQ_EXECUTABLES_INDEX = 'profiling-sq-executables'; +const LEAFFRAMES_INDEX = 'profiling-sq-leafframes'; +const SYMBOLS_INDEX = 'profiling-symbols'; +const ILM_LOCK_INDEX = '.profiling-ilm-lock'; + +const getKeyValueIndices = () => { + const kvIndices = ['profiling-stacktraces', 'profiling-stackframes', 'profiling-executables']; + + const pairs: Array<{ index: string; alias: string }> = kvIndices.flatMap((index) => { + return [ + { index: `${index}-000001`, alias: index }, + { index: `${index}-000002`, alias: `${index}-next` }, + ]; + }); + + return pairs; +}; + +export function getCreateIndicesStep({ + client, + logger, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + const esClient = client.getEsClient(); + const keyValueIndices = getKeyValueIndices(); + + return { + name: 'create_indices', + hasCompleted: async () => { + const nonKvIndices = [SQ_EXECUTABLES_INDEX, LEAFFRAMES_INDEX, SYMBOLS_INDEX, ILM_LOCK_INDEX]; + + const results = await Promise.all([ + esClient.cat + .indices({ + index: keyValueIndices + .map(({ index }) => index) + .concat(nonKvIndices) + .map((index) => index + '*') + .join(','), + format: 'json', + }) + .then((response) => { + const allIndices = response.map((index) => index.index!); + + const missingIndices = keyValueIndices + .map(({ index }) => index) + .concat(nonKvIndices) + .filter((index) => !allIndices.includes(index)); + + if (missingIndices.length) { + logger.debug(`Missing indices: 
${missingIndices.join(',')}`); + } + + return missingIndices.length === 0; + }) + .catch((error) => { + logger.debug(`Failed fetching indices: ${error}`); + return Promise.resolve(false); + }), + esClient.cat + .aliases({ + name: keyValueIndices.map(({ alias }) => alias + '*').join(','), + format: 'json', + }) + .then((response) => { + const allAliases = response.map((index) => index.alias!); + + const missingAliases = keyValueIndices + .map(({ alias }) => alias) + .filter((alias) => !allAliases.includes(alias)); + + if (missingAliases.length) { + logger.debug(`Missing aliases: ${missingAliases.join(',')}`); + } + + return missingAliases.length === 0; + }) + .catch((error) => { + logger.debug(`Failed fetching aliases: ${error}`); + return Promise.resolve(false); + }), + ]); + + return results.every(Boolean); + }, + init: async () => { + await Promise.all([ + ...keyValueIndices.map(({ index, alias }) => { + return esClient.indices + .create({ + index, + aliases: { + [alias]: { + is_write_index: true, + }, + }, + }) + .catch(catchResourceAlreadyExistsException); + }), + esClient.indices + .create({ + index: SQ_EXECUTABLES_INDEX, + settings: { + index: { + refresh_interval: '10s', + }, + }, + mappings: { + _source: { + mode: 'synthetic', + } as MappingSourceField, + properties: { + 'ecs.version': { + type: 'keyword', + index: true, + }, + 'Executable.file.id': { + type: 'keyword', + index: false, + }, + 'Time.created': { + type: 'date', + index: true, + }, + 'Symbolization.time.next': { + type: 'date', + index: true, + }, + 'Symbolization.retries': { + type: 'short', + index: true, + }, + }, + }, + }) + .catch(catchResourceAlreadyExistsException), + esClient.indices + .create({ + index: LEAFFRAMES_INDEX, + settings: { + index: { + refresh_interval: '10s', + }, + }, + mappings: { + _source: { + mode: 'synthetic', + } as MappingSourceField, + properties: { + 'ecs.version': { + type: 'keyword', + index: true, + }, + 'Stacktrace.frame.id': { + type: 'keyword', + index: 
false, + }, + 'Time.created': { + type: 'date', + index: true, + }, + 'Symbolization.time.next': { + type: 'date', + index: true, + }, + 'Symbolization.retries': { + type: 'short', + index: true, + }, + }, + }, + }) + .catch(catchResourceAlreadyExistsException), + esClient.indices + .create({ + index: SYMBOLS_INDEX, + settings: { + index: { + number_of_shards: '16', + refresh_interval: '10s', + }, + }, + mappings: { + _source: { + enabled: true, + } as MappingSourceField, + properties: { + 'ecs.version': { + type: 'keyword', + index: true, + doc_values: false, + store: false, + }, + 'Symbol.function.name': { + // name of the function + type: 'keyword', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.file.name': { + // file path + type: 'keyword', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.call.file.name': { + // (for inlined functions) file path where inline function was called + type: 'keyword', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.call.line': { + // (for inlined functions) line where inline function was called + type: 'integer', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.function.line': { + // function start line (only available from DWARF). Currently unused. + type: 'integer', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.depth': { + // inline depth + type: 'integer', + index: false, + doc_values: false, + store: false, + }, + // pairs of (32bit PC offset, 32bit line number) followed by 64bit PC range base at the end. + // To find line number for a given PC: find lowest offset such as offsetBase+PC >= offset, then read corresponding line number. + // offsetBase could seemingly be available from exec_pc_range (it's the first value of the pair), but it's not the case. + // Ranges are stored as points, which cannot be retrieve when disabling _source. + // See https://www.elastic.co/guide/en/elasticsearch/reference/current/point.html . 
+ 'Symbol.linetable.base': { + // Linetable: base for offsets (64bit PC range base) + type: 'unsigned_long', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.linetable.length': { + // Linetable: length of range (PC range is [base, base+length)) + type: 'unsigned_long', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.linetable.offsets': { + // Linetable: concatenated offsets (each value is ULEB128encoded) + type: 'keyword', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.linetable.lines': { + // Linetable: concatenated lines (each value is ULEB128 encoded) + type: 'keyword', + index: false, + doc_values: false, + store: false, + }, + 'Symbol.file.id': { + // fileID. used for deletion and Symbol.exec.pcrange collision handling on symbolization + type: 'keyword', + index: true, + doc_values: false, + store: false, + }, + 'Symbol.exec.pcrange': { + // PC ranges [begin, end) + type: 'ip_range', + index: true, + doc_values: false, + store: false, + }, + }, + }, + }) + .catch(catchResourceAlreadyExistsException), + esClient.indices + .create({ + index: ILM_LOCK_INDEX, + settings: { + index: { + hidden: true, + }, + }, + mappings: { + properties: { + '@timestamp': { + type: 'date', + format: 'epoch_second', + }, + phase: { + type: 'keyword', + }, + }, + }, + }) + .catch(catchResourceAlreadyExistsException), + ]); + }, + }; +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_fleet_policy_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_fleet_policy_step.ts new file mode 100644 index 0000000000000..7f7222a8a6e9d --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_fleet_policy_step.ts 
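Review bot: The `create` requests for `SQ_EXECUTABLES_INDEX` and `LEAFFRAMES_INDEX` in `init` are identical except for one mapped field name (`Executable.file.id` vs `Stacktrace.frame.id`), and the duplication makes it easy for the two symbolization-queue mappings to drift apart; a small builder typed as `IndicesCreateRequest` (from the same module as `MappingSourceField`, so the literal `type` values are checked rather than widened to `string`) removes the duplication. Separately, `response.map((index) => index.index!)` and `response.map((index) => index.alias!)` in `hasCompleted` rely on non-null assertions on optional cat-API fields; `response.flatMap((row) => (row.index ? [row.index] : []))` avoids the `!` and drops malformed rows instead of producing `undefined` entries.
```typescript
/** Request body shared by the two symbolization-queue indices; only the id field differs. */
function getSymbolizationQueueIndexRequest(index: string, idFieldName: string): IndicesCreateRequest {
  return {
    index,
    settings: {
      index: {
        refresh_interval: '10s',
      },
    },
    mappings: {
      _source: {
        mode: 'synthetic',
      } as MappingSourceField,
      properties: {
        'ecs.version': { type: 'keyword', index: true },
        [idFieldName]: { type: 'keyword', index: false },
        'Time.created': { type: 'date', index: true },
        'Symbolization.time.next': { type: 'date', index: true },
        'Symbolization.retries': { type: 'short', index: true },
      },
    },
  };
}

// … unchanged: constants, getKeyValueIndices, hasCompleted, key/value index creation …
        esClient.indices
          .create(getSymbolizationQueueIndexRequest(SQ_EXECUTABLES_INDEX, 'Executable.file.id'))
          .catch(catchResourceAlreadyExistsException),
        esClient.indices
          .create(getSymbolizationQueueIndexRequest(LEAFFRAMES_INDEX, 'Stacktrace.frame.id'))
          .catch(catchResourceAlreadyExistsException),
// … unchanged: SYMBOLS_INDEX and ILM_LOCK_INDEX creation …
```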
@@ -0,0 +1,106 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ElasticsearchClient } from '@kbn/core/server'; +import { merge, omit } from 'lodash'; +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; +import { getApmPolicy } from './get_apm_policy'; + +async function createIngestAPIKey(esClient: ElasticsearchClient) { + const apiKeyResponse = await esClient.security.createApiKey({ + name: 'profiling-manager', + role_descriptors: { + profiling_manager: { + indices: [ + { + names: ['profiling-*', '.profiling-*'], + privileges: [ + 'read', + 'create_doc', + 'create', + 'write', + 'index', + 'create_index', + 'view_index_metadata', + 'manage', + ], + }, + ], + cluster: ['monitor'], + }, + }, + }); + + return atob(apiKeyResponse.encoded); +} + +export function getFleetPolicyStep({ + client, + soClient, + logger, + packagePolicyClient, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + const esClient = client.getEsClient(); + return { + name: 'fleet_policy', + hasCompleted: async () => { + try { + const apmPolicy = await getApmPolicy({ packagePolicyClient, soClient }); + + return apmPolicy && apmPolicy?.inputs[0].config?.['apm-server'].value.profiling; + } catch (error) { + logger.debug('Could not fetch fleet policy'); + logger.debug(error); + return false; + } + }, + init: async () => { + const apmPolicyApiKey = await createIngestAPIKey(client.getEsClient()); + + const profilingApmConfig = { + profiling: { + enabled: true, + elasticsearch: { + api_key: apmPolicyApiKey, + }, + metrics: { + elasticsearch: { + hosts: [ + 'https://1b6c02856ea642a6ac14499b01507233.us-east-2.aws.elastic-cloud.com:443', + ], + api_key: 'woq-IoMBRbbiEbPugtWW:_iBmc1PdSout7sf5FCkEpA', + }, + }, + keyvalue_retention: { + // 60 days + 
age: '1440h', + // 200 Gib + size_bytes: 200 * 1024 * 1024 * 1024, + execution_interval: '12h', + }, + }, + }; + + const apmPolicy = await getApmPolicy({ packagePolicyClient, soClient }); + + if (!apmPolicy) { + throw new Error(`Could not find APM policy`); + } + + const modifiedPolicyInputs = apmPolicy.inputs.map((input) => { + return input.type === 'apm' + ? merge({}, input, { config: { 'apm-server': { value: profilingApmConfig } } }) + : input; + }); + + await packagePolicyClient.update(soClient, esClient, apmPolicy.id, { + ...omit(apmPolicy, 'id', 'revision', 'updated_at', 'updated_by'), + inputs: modifiedPolicyInputs, + }); + }, + }; +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_ilm_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_ilm_step.ts new file mode 100644 index 0000000000000..04d57b3c11d15 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_ilm_step.ts 
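Review bot: `profilingApmConfig.metrics.elasticsearch` in `init` carries a hard-coded Elastic Cloud host and an `api_key` literal; a credential committed to source is effectively public and should be treated as compromised and rotated whether or not this merges, and every deployment running this step would have its APM policy pointed at that one external cluster. These values need to come from plugin configuration (or be generated per deployment the way `createIngestAPIKey` does for the main key) with no checked-in default. Each `init` run also calls `createIngestAPIKey`, so repeated setups accumulate live `profiling-manager` keys without invalidating the previous one, and the role descriptor grants `manage` on `profiling-*` and `.profiling-*`, which is broader than an ingest path obviously needs — a comment naming the operation that requires it, or dropping it, would help. Finally `hasCompleted` returns the `profiling` config object rather than a boolean and reads `inputs[0]` while `init` selects inputs by `type === 'apm'`; `return Boolean(apmPolicy?.inputs.find((input) => input.type === 'apm')?.config?.['apm-server']?.value?.profiling);` fixes both.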
@@ -0,0 +1,43 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; +import { catchResourceAlreadyExistsException } from './catch_resource_already_exists_exception'; +import ilmProfiling from './ilm_profiling.json'; + +const LIFECYCLE_POLICY_NAME = 'profiling'; + +export function getIlmStep({ + client, + logger, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + const esClient = client.getEsClient(); + + return { + name: 'ilm', + hasCompleted: () => { + return esClient.ilm.getLifecycle({ name: LIFECYCLE_POLICY_NAME }).then( + () => { + return Promise.resolve(true); + }, + (error) => { + logger.debug('ILM policy not installed'); + logger.debug(error); + return Promise.resolve(false); + } + ); + }, + init: async () => { + await esClient.ilm + .putLifecycle({ + name: LIFECYCLE_POLICY_NAME, + policy: ilmProfiling, + }) + .catch(catchResourceAlreadyExistsException); + }, + }; +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_index_templates_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_index_templates_step.ts new file mode 100644 index 0000000000000..2e6fd0bec1f56 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_index_templates_step.ts 
@@ -0,0 +1,80 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; +import { ProfilingComponentTemplateName } from './get_component_templates_step'; + +enum ProfilingIndexTemplate { + Events = 'profiling-events', + Executables = 'profiling-executables', + Stacktraces = 'profiling-stacktraces', + Stackframes = 'profiling-stackframes', +} + +export function getIndexTemplatesStep({ + client, + logger, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + const esClient = client.getEsClient(); + + return { + name: 'index_templates', + hasCompleted: async () => { + return Promise.all( + [ + ProfilingIndexTemplate.Events, + ProfilingIndexTemplate.Executables, + ProfilingIndexTemplate.Stacktraces, + ProfilingIndexTemplate.Stackframes, + ].map((indexTemplateName) => + esClient.indices.getIndexTemplate({ + name: indexTemplateName, + }) + ) + ).then( + () => Promise.resolve(true), + (error) => { + logger.debug('Some index templates could not be fetched'); + logger.debug(error); + return Promise.resolve(false); + } + ); + }, + init: async () => { + await Promise.all([ + esClient.indices.putIndexTemplate({ + name: ProfilingIndexTemplate.Events, + create: false, + index_patterns: [ProfilingIndexTemplate.Events + '*'], + data_stream: { + hidden: false, + }, + composed_of: [ProfilingComponentTemplateName.Events, ProfilingComponentTemplateName.Ilm], + priority: 100, + _meta: { + description: `Index template for ${ProfilingIndexTemplate.Events}`, + }, + }), + ...[ + ProfilingIndexTemplate.Executables, + ProfilingIndexTemplate.Stacktraces, + ProfilingIndexTemplate.Stackframes, + ].map((indexTemplateName) => { + return esClient.indices.putIndexTemplate({ + name: indexTemplateName, + // 
Don't fail if the index template already exists, simply overwrite the format + create: false, + index_patterns: [indexTemplateName + '*'], + composed_of: [indexTemplateName], + _meta: { + description: `Index template for ${indexTemplateName}`, + }, + }); + }), + ]); + }, + }; +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_is_cloud_enabled_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_is_cloud_enabled_step.ts new file mode 100644 index 0000000000000..920317eb47974 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_is_cloud_enabled_step.ts @@ -0,0 +1,24 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types'; + +export function getIsCloudEnabledStep({ + isCloudEnabled, +}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep { + return { + name: 'is_cloud', + hasCompleted: async () => { + return isCloudEnabled; + }, + init: async () => { + if (!isCloudEnabled) { + throw new Error(`Universal Profiling is only available on Elastic Cloud.`); + } + }, + }; +} diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/get_security_step.ts b/x-pack/plugins/profiling/server/lib/setup/steps/get_security_step.ts new file mode 100644 index 0000000000000..c3ae1a41488a6 --- /dev/null +++ b/x-pack/plugins/profiling/server/lib/setup/steps/get_security_step.ts 
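Review bot: `composed_of: [indexTemplateName]` in the mapped `putIndexTemplate` calls only works because the `ProfilingIndexTemplate` values happen to be the same strings as the corresponding `ProfilingComponentTemplateName` values; the events call above references `ProfilingComponentTemplateName.Events` explicitly and the other three should too (for example a `Record<ProfilingIndexTemplate, ProfilingComponentTemplateName>` lookup), so that renaming either enum cannot silently yield index templates composed of a non-existent component template. The `Ilm` component template is composed only into the events template; if the key/value indices are intentionally outside ILM (their `-000001` / `-next` aliases in get_create_indices_step suggest a separate rollover mechanism, which I cannot confirm from this hunk), a comment saying so next to `composed_of` would help. The `hasCompleted` error handling has the issue already raised on get_component_templates_step.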
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types';
+
+const PROFILING_READER_ROLE_NAME = 'profiling-reader';
+
+export function getSecurityStep({
+ client,
+ logger,
+}: ProfilingSetupStepFactoryOptions): ProfilingSetupStep {
+ const esClient = client.getEsClient();
+
+ return {
+ name: 'security',
+ hasCompleted: () => {
+ return esClient.security
+ .getRole({
+ name: PROFILING_READER_ROLE_NAME,
+ })
+ .then(
+ () => {
+ return Promise.resolve(true);
+ },
+ (error) => {
+ logger.debug('Could not fetch profiling-reader role');
+ logger.debug(error);
+ return Promise.resolve(false);
+ }
+ );
+ },
+ init: async () => {
+ await esClient.security.putRole({
+ name: PROFILING_READER_ROLE_NAME,
+ indices: [
+ {
+ names: ['profiling-*'],
+ privileges: ['read', 'view_index_metadata'],
+ },
+ ],
+ cluster: ['monitor'],
+ });
+ },
+ };
+}
diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/ilm_profiling.json b/x-pack/plugins/profiling/server/lib/setup/steps/ilm_profiling.json
new file mode 100644
index 0000000000000..0d39bf08b0a02
--- /dev/null
+++ b/x-pack/plugins/profiling/server/lib/setup/steps/ilm_profiling.json
@@ -0,0 +1,35 @@
+{
+ "phases": {
+ "hot": {
+ "min_age": "0ms",
+ "actions": {
+ "rollover": {
+ "max_primary_shard_size": "50gb",
+ "max_age": "7d"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ },
+ "warm": {
+ "min_age": "30d",
+ "actions": {
+ "set_priority": {
+ "priority": 50
+ },
+ "shrink": {
+ "number_of_shards": 2
+ }
+ }
+ },
+ "delete": {
+ "min_age": "60d",
+ "actions": {
+ "delete": {
+ "delete_searchable_snapshot": true
+ }
+ }
+ }
+ }
+}
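Review bot: `hasCompleted` only checks that a role named `profiling-reader` exists, while `init` unconditionally replaces its definition with `putRole`; a role an administrator has since tightened or widened passes the check unchanged, and the next POST to the setup route (which runs `init()` for every step) silently resets it to the definition here. Hoisting the role body into a constant used by both `putRole` and a comparison of the fetched role's `indices` and `cluster` entries would make the check assert the definition the step actually needs, and would turn a drifted role into a visible `completed: false`. The `cluster: ['monitor']` privilege is not explained; a comment such as `// 'monitor' is required for <which call>` would help, since I cannot tell from this hunk which operation needs it. As in `getIndexTemplatesStep`, any error from `getRole` — including a permissions failure — becomes `false` at debug level; only a 404 should map to "not set up".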
diff --git a/x-pack/plugins/profiling/server/lib/setup/steps/index.ts b/x-pack/plugins/profiling/server/lib/setup/steps/index.ts
new file mode 100644
index 0000000000000..b0c5bbf0a50e7
--- /dev/null
+++ b/x-pack/plugins/profiling/server/lib/setup/steps/index.ts
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getClusterSettingsStep } from './get_cluster_settings_step';
+import { ProfilingSetupStep, ProfilingSetupStepFactoryOptions } from '../types';
+import { getComponentTemplatesStep } from './get_component_templates_step';
+import { getIlmStep } from './get_ilm_step';
+import { getIndexTemplatesStep } from './get_index_templates_step';
+import { getFleetPolicyStep } from './get_fleet_policy_step';
+import { getSecurityStep } from './get_security_step';
+import { getApmPackageStep } from './get_apm_package_step';
+import { getCreateEventsDataStreamsStep } from './get_create_events_data_streams';
+import { getCreateIndicesStep } from './get_create_indices_step';
+import { getIsCloudEnabledStep } from './get_is_cloud_enabled_step';
+
+export function getProfilingSetupSteps(
+ options: ProfilingSetupStepFactoryOptions
+): ProfilingSetupStep[] {
+ return [
+ getIsCloudEnabledStep(options),
+ getApmPackageStep(options),
+ getClusterSettingsStep(options),
+ getIlmStep(options),
+ getComponentTemplatesStep(options),
+ getIndexTemplatesStep(options),
+ getCreateEventsDataStreamsStep(options),
+ getCreateIndicesStep(options),
+ getSecurityStep(options),
+ getFleetPolicyStep(options),
+ ];
+}
diff --git a/x-pack/plugins/profiling/server/lib/setup/types.ts b/x-pack/plugins/profiling/server/lib/setup/types.ts
new file mode 100644
index 0000000000000..65a0ae684052b
--- /dev/null
+++ b/x-pack/plugins/profiling/server/lib/setup/types.ts
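Review bot: The array order in `getProfilingSetupSteps` is the execution order of the setup route's `eachSeries` loop, and from the step names later entries appear to depend on earlier ones (component templates before index templates, index templates before the events data streams and indices, the cloud check first so setup aborts before anything is created), yet nothing in the file says so. A comment above the `return` such as `// Order matters: the setup route runs init() sequentially and later steps assume the resources of earlier ones exist.` would keep a future reorder from breaking setup. The import list also interleaves `../types` with the step modules; putting the type import first, as the other new files in this patch do, reads more consistently.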
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { SavedObjectsClientContract } from '@kbn/core/server';
+import { PackagePolicyClient } from '@kbn/fleet-plugin/server';
+import { Logger } from '@kbn/logging';
+import { ProfilingESClient } from '../../utils/create_profiling_es_client';
+
+export interface ProfilingSetupStep {
+ name: string;
+ init: () => Promise;
+ hasCompleted: () => Promise;
+}
+
+export interface ProfilingSetupStepFactoryOptions {
+ client: ProfilingESClient;
+ soClient: SavedObjectsClientContract;
+ packagePolicyClient: PackagePolicyClient;
+ logger: Logger;
+ spaceId: string;
+ isCloudEnabled: boolean;
+}
diff --git a/x-pack/plugins/profiling/server/plugin.ts b/x-pack/plugins/profiling/server/plugin.ts
index 923f87a87267d..6807f48fdd5d0 100644
--- a/x-pack/plugins/profiling/server/plugin.ts
+++ b/x-pack/plugins/profiling/server/plugin.ts
@@ -59,10 +59,15 @@ export class ProfilingPlugin
 setup: deps,
 },
 services: {
- createProfilingEsClient: ({ request, esClient: defaultEsClient }) => {
- const esClient = profilingSpecificEsClient
- ? profilingSpecificEsClient.asScoped(request).asInternalUser
- : defaultEsClient;
+ createProfilingEsClient: ({
+ request,
+ esClient: defaultEsClient,
+ useDefaultAuth = false,
+ }) => {
+ const esClient =
+ profilingSpecificEsClient && !useDefaultAuth
+ ? profilingSpecificEsClient.asScoped(request).asInternalUser
+ : defaultEsClient;
 return createProfilingEsClient({ request, esClient });
 },
diff --git a/x-pack/plugins/profiling/server/routes/index.ts b/x-pack/plugins/profiling/server/routes/index.ts
index a9bd74a7e9bf5..245a0e5925365 100644
--- a/x-pack/plugins/profiling/server/routes/index.ts
+++ b/x-pack/plugins/profiling/server/routes/index.ts
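Review bot: `ProfilingSetupStep` carries no documentation of its contract, and the setup route relies on two properties that the interface does not state: `init()` is invoked for every step on each POST, whether or not `hasCompleted()` would return true, so every `init` must be idempotent; and `hasCompleted()` is the only signal the GET route has, so a step that maps every error to `false` hides failures from the client. A TSDoc block on the interface along the lines of `/** One unit of Universal Profiling setup. init() must be safe to run repeatedly; hasCompleted() resolves false when the resource is absent and should reject on other errors so checkSteps can report them. */` would make that visible to the next step author. The `Promise` return types of `init` and `hasCompleted` appear to have lost their type arguments in this rendering; if they are bare `Promise` in the file they should be `Promise<void>` and `Promise<boolean>`.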
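Review bot: `useDefaultAuth` changes whose credentials a request runs under — `true` bypasses the profiling-specific client, which uses `asScoped(request).asInternalUser`, in favour of the `esClient` the route handler passed in (presumably the calling user's client) — but neither the destructured default here nor the `useDefaultAuth?: boolean` field added to `RouteRegisterParameters` in `routes/index.ts` documents that. A comment on the parameter such as `// useDefaultAuth: use the handler-supplied client instead of the profiling cluster's internal user; the setup routes rely on this so resources are created with the caller's own privileges rather than an internal identity` would make the security implication explicit at both sites. A name that says what the flag selects, e.g. `useRequestClient`, would also read better than "default auth".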
@@ -5,21 +5,19 @@
 * 2.0.
 */
-import type { IRouter, Logger } from '@kbn/core/server';
-import type { KibanaRequest } from '@kbn/core-http-server';
 import type { ElasticsearchClient } from '@kbn/core-elasticsearch-server';
+import type { KibanaRequest } from '@kbn/core-http-server';
+import type { IRouter, Logger } from '@kbn/core/server';
 import {
 ProfilingPluginSetupDeps,
 ProfilingPluginStartDeps,
 ProfilingRequestHandlerContext,
 } from '../types';
 import { ProfilingESClient } from '../utils/create_profiling_es_client';
-
 import { registerCacheExecutablesRoute, registerCacheStackFramesRoute } from './cache';
-
 import { registerFlameChartSearchRoute } from './flamechart';
 import { registerTopNFunctionsSearchRoute } from './functions';
-
+import { registerSetupRoute } from './setup';
 import {
 registerTraceEventsTopNContainersSearchRoute,
 registerTraceEventsTopNDeploymentsSearchRoute,
@@ -39,6 +37,7 @@ export interface RouteRegisterParameters {
 createProfilingEsClient: (params: {
 request: KibanaRequest;
 esClient: ElasticsearchClient;
+ useDefaultAuth?: boolean;
 }) => ProfilingESClient;
 };
 }
@@ -53,4 +52,7 @@ export function registerRoutes(params: RouteRegisterParameters) {
 registerTraceEventsTopNHostsSearchRoute(params);
 registerTraceEventsTopNStackTracesSearchRoute(params);
 registerTraceEventsTopNThreadsSearchRoute(params);
+ // Setup of Profiling resources, automates the configuration of Universal Profiling
+ // and will show instructions on how to add data
+ registerSetupRoute(params);
 }
diff --git a/x-pack/plugins/profiling/server/routes/setup.ts b/x-pack/plugins/profiling/server/routes/setup.ts
new file mode 100644
index 0000000000000..4f97497b6ab96
--- /dev/null
+++ b/x-pack/plugins/profiling/server/routes/setup.ts
@@ -0,0 +1,165 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { eachSeries } from 'async';
+import { Logger } from '@kbn/logging';
+import { RouteRegisterParameters } from '.';
+import { getRoutePaths } from '../../common';
+import { getSetupInstructions } from '../lib/setup/get_setup_instructions';
+import { getProfilingSetupSteps } from '../lib/setup/steps';
+import { handleRouteHandlerError } from '../utils/handle_route_error_handler';
+import { hasProfilingData } from '../lib/setup/has_profiling_data';
+import { getClient } from './compat';
+import { ProfilingSetupStep } from '../lib/setup/types';
+
+function checkSteps({ steps, logger }: { steps: ProfilingSetupStep[]; logger: Logger }) {
+ return Promise.all(
+ steps.map(async (step) => {
+ try {
+ return { name: step.name, completed: await step.hasCompleted() };
+ } catch (error) {
+ logger.error(error);
+ return { name: step.name, completed: false, error: error.toString() };
+ }
+ })
+ );
+}
+
+export function registerSetupRoute({
+ router,
+ logger,
+ services: { createProfilingEsClient },
+ dependencies,
+}: RouteRegisterParameters) {
+ const paths = getRoutePaths();
+ // Check if ES resources needed for Universal Profiling to work exist
+ router.get(
+ {
+ path: paths.HasSetupESResources,
+ validate: false,
+ },
+ async (context, request, response) => {
+ try {
+ const esClient = await getClient(context);
+ logger.debug('checking if profiling ES configurations are installed');
+ const core = await context.core;
+
+ const steps = getProfilingSetupSteps({
+ client: createProfilingEsClient({
+ esClient,
+ request,
+ useDefaultAuth: true,
+ }),
+ logger,
+ packagePolicyClient: dependencies.start.fleet.packagePolicyService,
+ soClient: core.savedObjects.client,
+ spaceId:
dependencies.setup.spaces.spacesService.getSpaceId(request),
+ isCloudEnabled: dependencies.setup.cloud.isCloudEnabled,
+ });
+
+ const hasDataPromise = hasProfilingData({
+ client: createProfilingEsClient({
+ esClient,
+ request,
+ }),
+ });
+
+ const stepCompletionResultsPromises = checkSteps({ steps, logger });
+
+ const hasData = await hasDataPromise;
+
+ if (hasData) {
+ return response.ok({
+ body: {
+ has_data: true,
+ has_setup: true,
+ steps: [],
+ },
+ });
+ }
+
+ const stepCompletionResults = await stepCompletionResultsPromises;
+
+ // Reply to clients if we have already created all 12 events template indices.
+ // This is kind of simplistic but can be a good first step to ensure
+ // Profiling resources will be created.
+ return response.ok({
+ body: {
+ has_setup: stepCompletionResults.every((step) => step.completed),
+ has_data: false,
+ steps: stepCompletionResults,
+ },
+ });
+ } catch (error) {
+ return handleRouteHandlerError({ error, logger, response });
+ }
+ }
+ );
+ // Configure ES resources needed by Universal Profiling using the mappings
+ router.post(
+ {
+ path: paths.HasSetupESResources,
+ validate: {},
+ },
+ async (context, request, response) => {
+ try {
+ const esClient = await getClient(context);
+ logger.info('Applying initial setup of Elasticsearch resources');
+ const steps = getProfilingSetupSteps({
+ client: createProfilingEsClient({ esClient, request, useDefaultAuth: true }),
+ logger,
+ packagePolicyClient: dependencies.start.fleet.packagePolicyService,
+ soClient: (await context.core).savedObjects.client,
+ spaceId: dependencies.setup.spaces.spacesService.getSpaceId(request),
+ isCloudEnabled: dependencies.setup.cloud.isCloudEnabled,
+ });
+
+ await eachSeries(steps, (step, cb) => {
+ logger.debug(`Executing step ${step.name}`);
+ step
+ .init()
+ .then(() => cb())
+ .catch(cb);
+ });
+
+ const checkedSteps = await checkSteps({ steps, logger });
+
+ if (checkedSteps.every((step) => step.completed)) {
+ return response.ok();
}
+
+ return response.custom({
+ statusCode: 500,
+ body: {
+ message: `Failed to complete all steps`,
+ steps: checkedSteps,
+ },
+ });
+ } catch (error) {
+ return handleRouteHandlerError({ error, logger, response });
+ }
+ }
+ );
+ // Show users the instructions on how to setup Universal Profiling agents
+ router.get(
+ {
+ path: paths.SetupDataCollectionInstructions,
+ validate: false,
+ },
+ async (context, request, response) => {
+ try {
+ const setupInstructions = await getSetupInstructions({
+ packagePolicyClient: dependencies.start.fleet.packagePolicyService,
+ soClient: (await context.core).savedObjects.client,
+ });
+
+ return response.ok({ body: setupInstructions });
+ } catch (error) {
+ return handleRouteHandlerError({ error, logger, response });
+ }
+ }
+ );
+}
diff --git a/x-pack/plugins/profiling/server/routes/topn.test.ts b/x-pack/plugins/profiling/server/routes/topn.test.ts
index f6eca43680194..c6fb4c7aa4d78 100644
--- a/x-pack/plugins/profiling/server/routes/topn.test.ts
+++ b/x-pack/plugins/profiling/server/routes/topn.test.ts
@@ -53,6 +53,7 @@ describe('TopN data from Elasticsearch', () => {
 },
 }) as Promise
 ),
+ getEsClient: jest.fn(() => context.elasticsearch.client.asCurrentUser),
 };
 const logger = loggerMock.create();
diff --git a/x-pack/plugins/profiling/server/types.ts b/x-pack/plugins/profiling/server/types.ts
index 8432085ef1022..6112c2e9790cf 100644
--- a/x-pack/plugins/profiling/server/types.ts
+++ b/x-pack/plugins/profiling/server/types.ts
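Review bot: The POST handler calls `step.init()` for every step regardless of what `hasCompleted()` would return, so each request re-puts the `profiling-reader` role, every index template and the other resources even when they already exist; either skip completed steps inside the loop or state in a comment that re-running is the intended "repair" semantics. The `eachSeries` callback wrapper can be a plain sequential loop of the same length, `for (const step of steps) { logger.debug(`Executing step ${step.name}`); await step.init(); }`, which also drops the `async` import from this file. The comment `// Reply to clients if we have already created all 12 events template indices.` in the GET handler does not describe the code below it, which reports whether every step is complete. In `checkSteps`, `error.toString()` puts the raw exception text into the response body; `error instanceof Error ? error.message : String(error)` keeps the client-facing message bounded and compiles under `useUnknownInCatchVariables`.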
@@ -5,21 +5,32 @@
 * 2.0.
 */
-import { RequestHandlerContext } from '@kbn/core/server';
-import { PluginSetupContract as FeaturesPluginSetup } from '@kbn/features-plugin/server';
-import { ObservabilityPluginSetup } from '@kbn/observability-plugin/server';
+import { CustomRequestHandlerContext } from '@kbn/core-http-request-handler-context-server';
+import type { PluginSetupContract as FeaturesPluginSetup } from '@kbn/features-plugin/server';
+import type { ObservabilityPluginSetup } from '@kbn/observability-plugin/server';
+import { SpacesPluginStart, SpacesPluginSetup } from '@kbn/spaces-plugin/server';
+import { CloudSetup, CloudStart } from '@kbn/cloud-plugin/server';
+import { FleetSetupContract, FleetStartContract } from '@kbn/fleet-plugin/server';
 export interface ProfilingPluginSetupDeps {
 observability: ObservabilityPluginSetup;
 features: FeaturesPluginSetup;
+ spaces: SpacesPluginSetup;
+ cloud: CloudSetup;
+ fleet: FleetSetupContract;
 }
-// eslint-disable-next-line @typescript-eslint/no-empty-interface
-export interface ProfilingPluginStartDeps {}
+export interface ProfilingPluginStartDeps {
+ observability: {};
+ features: {};
+ spaces: SpacesPluginStart;
+ cloud: CloudStart;
+ fleet: FleetStartContract;
+}
 // eslint-disable-next-line @typescript-eslint/no-empty-interface
 export interface ProfilingPluginSetup {}
 // eslint-disable-next-line @typescript-eslint/no-empty-interface
 export interface ProfilingPluginStart {}
-export type ProfilingRequestHandlerContext = RequestHandlerContext;
+export type ProfilingRequestHandlerContext = CustomRequestHandlerContext<{}>;
diff --git a/x-pack/plugins/profiling/server/utils/create_profiling_es_client.ts b/x-pack/plugins/profiling/server/utils/create_profiling_es_client.ts
index 4aa132ab7a031..05df1e9d37fde 100644
--- a/x-pack/plugins/profiling/server/utils/create_profiling_es_client.ts
+++ b/x-pack/plugins/profiling/server/utils/create_profiling_es_client.ts
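Review bot: `observability: {}` and `features: {}` in `ProfilingPluginStartDeps` use `{}` as a type, which accepts any non-nullish value and so documents nothing about those contracts; `@typescript-eslint/ban-types` flags it, and the same applies to `CustomRequestHandlerContext<{}>`. If these plugins contribute no start contract that this plugin uses, omitting the two fields, or typing them `unknown` with a comment saying they are unused, is clearer than an empty object type. The `import type` form applied to the features and observability imports also fits the other five imports, which are only used as types.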
@@ -40,6 +40,7 @@ export interface ProfilingESClient {
 query: QueryDslQueryContainer;
 sampleSize: number;
 }): Promise;
+ getEsClient(): ElasticsearchClient;
 }
 export function createProfilingEsClient({
@@ -116,5 +117,8 @@ export function createProfilingEsClient({
 return unwrapEsResponse(promise) as Promise;
 },
+ getEsClient() {
+ return esClient;
+ },
 };
 }
diff --git a/x-pack/plugins/profiling/tsconfig.json b/x-pack/plugins/profiling/tsconfig.json
index 18bd0ec6bf481..b1044792b3209 100644
--- a/x-pack/plugins/profiling/tsconfig.json
+++ b/x-pack/plugins/profiling/tsconfig.json
@@ -9,7 +9,8 @@
 "common/**/*.ts",
 "public/**/*.ts",
 "public/**/*.tsx",
- "server/**/*.ts"
+ "server/**/*.ts",
+ "server/**/*.json"
 ],
 "kbn_references": [
 "@kbn/core",
@@ -19,7 +20,6 @@
 "@kbn/observability-plugin",
 "@kbn/i18n",
 "@kbn/es-types",
- "@kbn/core-http-browser",
 "@kbn/data-views-plugin",
 "@kbn/charts-plugin",
 "@kbn/typed-react-router-config",
@@ -34,6 +34,12 @@
 "@kbn/core-http-server",
 "@kbn/apm-utils",
 "@kbn/core-elasticsearch-server",
+ "@kbn/fleet-plugin",
+ "@kbn/shared-ux-page-no-data-types",
+ "@kbn/es-errors",
+ "@kbn/core-http-request-handler-context-server",
+ "@kbn/spaces-plugin",
+ "@kbn/cloud-plugin",
 // add references to other TypeScript projects the plugin depends on
 // requiredPlugins from ./kibana.json
From eabeb3f1765c3b16421825f99d0e56ef830cc17b Mon Sep 17 00:00:00 2001
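Review bot: `getEsClient()` hands out the raw `ElasticsearchClient` that `createProfilingEsClient` wraps, so callers such as the new setup steps bypass whatever the wrapper does around `unwrapEsResponse` and can issue any API call under that client's identity; the interface member should say that this is deliberate and scoped. A TSDoc on the member such as `/** Raw client behind this wrapper, exposed for the setup steps' admin calls (templates, roles, ILM). Prefer adding a typed method here for new query paths. */` would keep it from becoming the default escape hatch. The `Promise` return types in both hunks appear to have lost their type arguments in this rendering, so I could not confirm the declared types against the implementation.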
From: Tomasz Ciecierski Date: Tue, 7 Feb 2023 14:15:34 +0100 Subject: [PATCH 15/27] [Defend Workflows] [Osquery] Update field schemas (#150279) --- .../osquery/public/common/schemas/ecs/v8.5.0.json | 1 - .../osquery/public/common/schemas/ecs/v8.7.0.json | 1 + .../osquery/public/common/schemas/osquery/v5.5.1.json | 1 - .../osquery/public/common/schemas/osquery/v5.7.0.json | 1 + .../plugins/osquery/public/editor/osquery_tables.ts | 2 +- .../public/packs/queries/ecs_mapping_editor_field.tsx | 4 ++-- .../osquery/scripts/schema_formatter/ecs_formatter.ts | 11 +++++++++-- 7 files changed, 14 insertions(+), 7 deletions(-) delete mode 100644 x-pack/plugins/osquery/public/common/schemas/ecs/v8.5.0.json create mode 100644 x-pack/plugins/osquery/public/common/schemas/ecs/v8.7.0.json delete mode 100644 x-pack/plugins/osquery/public/common/schemas/osquery/v5.5.1.json create mode 100644 x-pack/plugins/osquery/public/common/schemas/osquery/v5.7.0.json diff --git a/x-pack/plugins/osquery/public/common/schemas/ecs/v8.5.0.json b/x-pack/plugins/osquery/public/common/schemas/ecs/v8.5.0.json deleted file mode 100644 index 5fe03a8130fd0..0000000000000 --- a/x-pack/plugins/osquery/public/common/schemas/ecs/v8.5.0.json +++ /dev/null 
@@ -1 +0,0 @@ -[{"field":"labels","type":"object","normalization":"","example":{"application":"foo-bar","env":"production"},"description":"Custom key/value pairs."},{"field":"message","type":"match_only_text","normalization":"","example":"Hello World","description":"Log message optimized for viewing in a log viewer."},{"field":"tags","type":"keyword","normalization":"array","example":["production","env2"],"description":"List of keywords used to tag each event."},{"field":"agent.build.original","type":"keyword","normalization":"","example":"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]","description":"Extended build information for the agent."},{"field":"client.address","type":"keyword","normalization":"","example":"","description":"Client network address."},{"field":"client.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"client.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"client.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"client.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the client to the server."},{"field":"client.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the client."},{"field":"client.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"client.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"client.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the 
continent."},{"field":"client.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"client.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"client.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"client.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"client.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"client.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"client.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"client.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"client.ip","type":"ip","normalization":"","example":"","description":"IP address of the client."},{"field":"client.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the client."},{"field":"client.nat.ip","type":"ip","normalization":"","example":"","description":"Client NAT ip address"},{"field":"client.nat.port","type":"long","normalization":"","example":"","description":"Client NAT port"},{"field":"client.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the client to the server."},{"field":"client.port","type":"long","normalization":"","example":"","description":"Port of the client."},{"field":"client.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered client domain, stripped of the 
subdomain."},{"field":"client.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"client.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"client.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"client.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"client.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"client.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"client.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"client.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"client.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"client.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"client.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"client.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"client.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"client.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"cloud.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host machine."},{"field":"cloud.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host machine."},{"field":"cloud.origin.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.origin.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.origin.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.origin.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host machine."},{"field":"cloud.origin.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.origin.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host 
machine."},{"field":"cloud.origin.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.origin.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.origin.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.origin.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.origin.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"cloud.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"cloud.target.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.target.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.target.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.target.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host 
machine."},{"field":"cloud.target.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.target.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host machine."},{"field":"cloud.target.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.target.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.target.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.target.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.target.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"container.cpu.usage","type":"scaled_float","normalization":"","example":"","description":"Percent CPU used, between 0 and 1."},{"field":"container.disk.read.bytes","type":"long","normalization":"","example":"","description":"The number of bytes read by all disks."},{"field":"container.disk.write.bytes","type":"long","normalization":"","example":"","description":"The number of bytes written on all disks."},{"field":"container.id","type":"keyword","normalization":"","example":"","description":"Unique container id."},{"field":"container.image.hash.all","type":"keyword","normalization":"array","example":"[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]","description":"An array of digests of the image the container was built on."},{"field":"container.image.name","type":"keyword","normalization":"","example":"","description":"Name of the image the container was built 
on."},{"field":"container.image.tag","type":"keyword","normalization":"array","example":"","description":"Container image tags."},{"field":"container.labels","type":"object","normalization":"","example":"","description":"Image labels."},{"field":"container.memory.usage","type":"scaled_float","normalization":"","example":"","description":"Percent memory used, between 0 and 1."},{"field":"container.name","type":"keyword","normalization":"","example":"","description":"Container name."},{"field":"container.network.egress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes sent on all network interfaces."},{"field":"container.network.ingress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes received on all network interfaces."},{"field":"container.runtime","type":"keyword","normalization":"","example":"docker","description":"Runtime managing this container."},{"field":"data_stream.dataset","type":"constant_keyword","normalization":"","example":"nginx.access","description":"The field can contain anything that makes sense to signify the source of the data."},{"field":"data_stream.namespace","type":"constant_keyword","normalization":"","example":"production","description":"A user defined namespace. 
Namespaces are useful to allow grouping of data."},{"field":"data_stream.type","type":"constant_keyword","normalization":"","example":"logs","description":"An overarching type for the data stream."},{"field":"destination.address","type":"keyword","normalization":"","example":"","description":"Destination network address."},{"field":"destination.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"destination.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"destination.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"destination.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the destination to the source."},{"field":"destination.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the destination."},{"field":"destination.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"destination.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"destination.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"destination.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"destination.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"destination.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"destination.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a 
location."},{"field":"destination.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"destination.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"destination.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"destination.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"destination.ip","type":"ip","normalization":"","example":"","description":"IP address of the destination."},{"field":"destination.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the destination."},{"field":"destination.nat.ip","type":"ip","normalization":"","example":"","description":"Destination NAT ip"},{"field":"destination.nat.port","type":"long","normalization":"","example":"","description":"Destination NAT Port"},{"field":"destination.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the destination to the source."},{"field":"destination.port","type":"long","normalization":"","example":"","description":"Port of the destination."},{"field":"destination.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered destination domain, stripped of the subdomain."},{"field":"destination.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"destination.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"destination.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member 
of."},{"field":"destination.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"destination.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"destination.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"destination.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"destination.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"destination.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"destination.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"destination.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"destination.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"destination.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"destination.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"dll.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"dll.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a 
signature is present."},{"field":"dll.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"dll.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"dll.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"dll.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"dll.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"dll.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"dll.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"dll.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"dll.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"dll.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"dll.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"dll.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"dll.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"dll.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH 
hash."},{"field":"dll.name","type":"keyword","normalization":"","example":"kernel32.dll","description":"Name of the library."},{"field":"dll.path","type":"keyword","normalization":"","example":"C:\\Windows\\System32\\kernel32.dll","description":"Full file path of the library."},{"field":"dll.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"dll.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"dll.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"dll.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"dll.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"dll.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"dll.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"dll.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"dns.answers","type":"object","normalization":"array","example":"","description":"Array of DNS answers."},{"field":"dns.answers.class","type":"keyword","normalization":"","example":"IN","description":"The class of DNS data contained in this resource record."},{"field":"dns.answers.data","type":"keyword","normalization":"","example":"10.10.10.10","description":"The data describing the 
resource."},{"field":"dns.answers.name","type":"keyword","normalization":"","example":"www.example.com","description":"The domain name to which this resource record pertains."},{"field":"dns.answers.ttl","type":"long","normalization":"","example":180,"description":"The time interval in seconds that this resource record may be cached before it should be discarded."},{"field":"dns.answers.type","type":"keyword","normalization":"","example":"CNAME","description":"The type of data contained in this resource record."},{"field":"dns.header_flags","type":"keyword","normalization":"array","example":["RD","RA"],"description":"Array of DNS header flags."},{"field":"dns.id","type":"keyword","normalization":"","example":62111,"description":"The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response."},{"field":"dns.op_code","type":"keyword","normalization":"","example":"QUERY","description":"The DNS operation code that specifies the kind of query in the message."},{"field":"dns.question.class","type":"keyword","normalization":"","example":"IN","description":"The class of records being queried."},{"field":"dns.question.name","type":"keyword","normalization":"","example":"www.example.com","description":"The name being queried."},{"field":"dns.question.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered domain, stripped of the subdomain."},{"field":"dns.question.subdomain","type":"keyword","normalization":"","example":"www","description":"The subdomain of the domain."},{"field":"dns.question.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"dns.question.type","type":"keyword","normalization":"","example":"AAAA","description":"The type of record being 
queried."},{"field":"dns.resolved_ip","type":"ip","normalization":"array","example":["10.10.10.10","10.10.10.11"],"description":"Array containing all IPs seen in answers.data"},{"field":"dns.response_code","type":"keyword","normalization":"","example":"NOERROR","description":"The DNS response code."},{"field":"dns.type","type":"keyword","normalization":"","example":"answer","description":"The type of DNS event captured, query or answer."},{"field":"email.attachments","type":"nested","normalization":"array","example":"","description":"List of objects describing the attachments."},{"field":"email.attachments.file.extension","type":"keyword","normalization":"","example":"txt","description":"Attachment file extension."},{"field":"email.attachments.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"email.attachments.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"email.attachments.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"email.attachments.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"email.attachments.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"email.attachments.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"email.attachments.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"email.attachments.file.mime_type","type":"keyword","normalization":"","example":"text/plain","description":"MIME type of the attachment file."},{"field":"email.attachments.file.name","type":"keyword","normalization":"","example":"attachment.txt","description":"Name of the attachment 
file."},{"field":"email.attachments.file.size","type":"long","normalization":"","example":64329,"description":"Attachment file size."},{"field":"email.bcc.address","type":"keyword","normalization":"array","example":"bcc.user1@example.com","description":"Email address of BCC recipient"},{"field":"email.cc.address","type":"keyword","normalization":"array","example":"cc.user1@example.com","description":"Email address of CC recipient"},{"field":"email.content_type","type":"keyword","normalization":"","example":"text/plain","description":"MIME type of the email message."},{"field":"email.delivery_timestamp","type":"date","normalization":"","example":"2020-11-10T22:12:34.8196921Z","description":"Date and time when message was delivered."},{"field":"email.direction","type":"keyword","normalization":"","example":"inbound","description":"Direction of the message."},{"field":"email.from.address","type":"keyword","normalization":"array","example":"sender@example.com","description":"The sender's email address."},{"field":"email.local_id","type":"keyword","normalization":"","example":"c26dbea0-80d5-463b-b93c-4e8b708219ce","description":"Unique identifier given by the source."},{"field":"email.message_id","type":"wildcard","normalization":"","example":"81ce15$8r2j59@mail01.example.com","description":"Value from the Message-ID header."},{"field":"email.origination_timestamp","type":"date","normalization":"","example":"2020-11-10T22:12:34.8196921Z","description":"Date and time the email was composed."},{"field":"email.reply_to.address","type":"keyword","normalization":"array","example":"reply.here@example.com","description":"Address replies should be delivered to."},{"field":"email.sender.address","type":"keyword","normalization":"","example":"","description":"Address of the message sender."},{"field":"email.subject","type":"keyword","normalization":"","example":"Please see this important message.","description":"The subject of the email 
message."},{"field":"email.subject.text","type":"match_only_text","normalization":"","example":"Please see this important message.","description":"The subject of the email message."},{"field":"email.to.address","type":"keyword","normalization":"array","example":"user1@example.com","description":"Email address of recipient"},{"field":"email.x_mailer","type":"keyword","normalization":"","example":"Spambot v2.5","description":"Application that drafted email."},{"field":"error.code","type":"keyword","normalization":"","example":"","description":"Error code describing the error."},{"field":"error.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the error."},{"field":"error.message","type":"match_only_text","normalization":"","example":"","description":"Error message."},{"field":"error.stack_trace","type":"wildcard","normalization":"","example":"","description":"The stack trace of this error in plain text."},{"field":"error.stack_trace.text","type":"match_only_text","normalization":"","example":"","description":"The stack trace of this error in plain text."},{"field":"error.type","type":"keyword","normalization":"","example":"java.lang.NullPointerException","description":"The type of the error, for example the class name of the exception."},{"field":"event.action","type":"keyword","normalization":"","example":"user-password-change","description":"The action captured by the event."},{"field":"event.category","type":"keyword","normalization":"array","example":"authentication","description":"Event category. 
The second categorization field in the hierarchy."},{"field":"event.code","type":"keyword","normalization":"","example":4648,"description":"Identification code for this event."},{"field":"event.created","type":"date","normalization":"","example":"2016-05-23T08:05:34.857Z","description":"Time when the event was first read by an agent or by your pipeline."},{"field":"event.dataset","type":"keyword","normalization":"","example":"apache.access","description":"Name of the dataset."},{"field":"event.duration","type":"long","normalization":"","example":"","description":"Duration of the event in nanoseconds."},{"field":"event.end","type":"date","normalization":"","example":"","description":"event.end contains the date when the event ended or when the activity was last observed."},{"field":"event.hash","type":"keyword","normalization":"","example":"123456789012345678901234567890ABCD","description":"Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity."},{"field":"event.id","type":"keyword","normalization":"","example":"8a4f500d","description":"Unique ID to describe the event."},{"field":"event.kind","type":"keyword","normalization":"","example":"alert","description":"The kind of the event. The highest categorization field in the hierarchy."},{"field":"event.original","type":"keyword","normalization":"","example":"Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232","description":"Raw text message of entire event."},{"field":"event.outcome","type":"keyword","normalization":"","example":"success","description":"The outcome of the event. 
The lowest level categorization field in the hierarchy."},{"field":"event.provider","type":"keyword","normalization":"","example":"kernel","description":"Source of the event."},{"field":"event.reason","type":"keyword","normalization":"","example":"Terminated an unexpected process","description":"Reason why this event happened, according to the source"},{"field":"event.reference","type":"keyword","normalization":"","example":"https://system.example.com/event/#0001234","description":"Event reference URL"},{"field":"event.risk_score","type":"float","normalization":"","example":"","description":"Risk score or priority of the event (e.g. security solutions). Use your system's original value here."},{"field":"event.risk_score_norm","type":"float","normalization":"","example":"","description":"Normalized risk score or priority of the event (0-100)."},{"field":"event.sequence","type":"long","normalization":"","example":"","description":"Sequence number of the event."},{"field":"event.severity","type":"long","normalization":"","example":7,"description":"Numeric severity of the event."},{"field":"event.start","type":"date","normalization":"","example":"","description":"event.start contains the date when the event started or when the activity was first observed."},{"field":"event.timezone","type":"keyword","normalization":"","example":"","description":"Event time zone."},{"field":"event.type","type":"keyword","normalization":"array","example":"","description":"Event type. 
The third categorization field in the hierarchy."},{"field":"event.url","type":"keyword","normalization":"","example":"https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe","description":"Event investigation URL"},{"field":"faas.coldstart","type":"boolean","normalization":"","example":"","description":"Boolean value indicating a cold start of a function."},{"field":"faas.execution","type":"keyword","normalization":"","example":"af9d5aa4-a685-4c5f-a22b-444f80b3cc28","description":"The execution ID of the current function execution."},{"field":"faas.id","type":"keyword","normalization":"","example":"arn:aws:lambda:us-west-2:123456789012:function:my-function","description":"The unique identifier of a serverless function."},{"field":"faas.name","type":"keyword","normalization":"","example":"my-function","description":"The name of a serverless function."},{"field":"faas.trigger","type":"nested","normalization":"","example":"","description":"Details about the function trigger."},{"field":"faas.trigger.request_id","type":"keyword","normalization":"","example":123456789,"description":"The ID of the trigger request , message, event, etc."},{"field":"faas.trigger.type","type":"keyword","normalization":"","example":"http","description":"The trigger for the function execution."},{"field":"faas.version","type":"keyword","normalization":"","example":123,"description":"The version of a serverless function."},{"field":"file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a 
signature is present."},{"field":"file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF 
file."},{"field":"file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\" for original ELF files."},{"field":"file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF 
file."},{"field":"file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, 
excluding the leading dot."},{"field":"file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the file."},{"field":"file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner's 
username."},{"field":"file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target 
path for symlinks."},{"field":"file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered 
valid."},{"field":"file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names 
(L)"},{"field":"file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"host.boot.id","type":"keyword","normalization":"","example":"88a1f0ed-5ae5-41ee-af6b-41921c311872","description":"Linux boot uuid taken from /proc/sys/kernel/random/boot_id"},{"field":"host.cpu.usage","type":"scaled_float","normalization":"","example":"","description":"Percent CPU used, between 0 and 1."},{"field":"host.disk.read.bytes","type":"long","normalization":"","example":"","description":"The number of bytes read by all disks."},{"field":"host.disk.write.bytes","type":"long","normalization":"","example":"","description":"The number of bytes written on all disks."},{"field":"host.domain","type":"keyword","normalization":"","example":"CONTOSO","description":"Name of the directory the group is a member of."},{"field":"host.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"host.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent 
code."},{"field":"host.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"host.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"host.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"host.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"host.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"host.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"host.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"host.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"host.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"host.name","type":"keyword","normalization":"","example":"","description":"Name of the host."},{"field":"host.network.egress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes sent on all network interfaces."},{"field":"host.network.egress.packets","type":"long","normalization":"","example":"","description":"The number of packets sent on all network interfaces."},{"field":"host.network.ingress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes received on all network interfaces."},{"field":"host.network.ingress.packets","type":"long","normalization":"","example":"","description":"The number of packets received on all network interfaces."},{"field":"host.os.full","type":"keyword","normalization":"","example":"Mac OS 
Mojave","description":"Operating system name, including the version or code name."},{"field":"host.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"host.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"host.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"host.pid_ns_ino","type":"keyword","normalization":"","example":256383,"description":"Pid namespace inode"},{"field":"host.risk.calculated_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"host.risk.calculated_score","type":"float","normalization":"","example":880.73,"description":"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"host.risk.calculated_score_norm","type":"float","normalization":"","example":88.73,"description":"A normalized risk score calculated by an internal system."},{"field":"host.risk.static_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"host.risk.static_score","type":"float","normalization":"","example":830,"description":"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"host.risk.static_score_norm","type":"float","normalization":"","example":83,"description":"A normalized risk score calculated by an external system."},{"field":"host.type","type":"keyword","normalization":"","example":"","description":"Type of 
host."},{"field":"host.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the host has been up."},{"field":"http.request.body.bytes","type":"long","normalization":"","example":887,"description":"Size in bytes of the request body."},{"field":"http.request.body.content","type":"wildcard","normalization":"","example":"Hello world","description":"The full HTTP request body."},{"field":"http.request.body.content.text","type":"match_only_text","normalization":"","example":"Hello world","description":"The full HTTP request body."},{"field":"http.request.bytes","type":"long","normalization":"","example":1437,"description":"Total size in bytes of the request (body and headers)."},{"field":"http.request.id","type":"keyword","normalization":"","example":"123e4567-e89b-12d3-a456-426614174000","description":"HTTP request ID."},{"field":"http.request.method","type":"keyword","normalization":"","example":"POST","description":"HTTP request method."},{"field":"http.request.mime_type","type":"keyword","normalization":"","example":"image/gif","description":"Mime type of the body of the request."},{"field":"http.request.referrer","type":"keyword","normalization":"","example":"https://blog.example.com/","description":"Referrer for this HTTP request."},{"field":"http.response.body.bytes","type":"long","normalization":"","example":887,"description":"Size in bytes of the response body."},{"field":"http.response.body.content","type":"wildcard","normalization":"","example":"Hello world","description":"The full HTTP response body."},{"field":"http.response.body.content.text","type":"match_only_text","normalization":"","example":"Hello world","description":"The full HTTP response body."},{"field":"http.response.bytes","type":"long","normalization":"","example":1437,"description":"Total size in bytes of the response (body and headers)."},{"field":"http.response.mime_type","type":"keyword","normalization":"","example":"image/gif","description":"Mime type of the body 
of the response."},{"field":"http.response.status_code","type":"long","normalization":"","example":404,"description":"HTTP response status code."},{"field":"http.version","type":"keyword","normalization":"","example":1.1,"description":"HTTP version."},{"field":"log.file.path","type":"keyword","normalization":"","example":"/var/log/fun-times.log","description":"Full path to the log file this event came from."},{"field":"log.level","type":"keyword","normalization":"","example":"error","description":"Log level of the log event."},{"field":"log.logger","type":"keyword","normalization":"","example":"org.elasticsearch.bootstrap.Bootstrap","description":"Name of the logger."},{"field":"log.origin.file.line","type":"long","normalization":"","example":42,"description":"The line number of the file which originated the log event."},{"field":"log.origin.file.name","type":"keyword","normalization":"","example":"Bootstrap.java","description":"The code file which originated the log event."},{"field":"log.origin.function","type":"keyword","normalization":"","example":"init","description":"The function which originated the log event."},{"field":"log.syslog","type":"object","normalization":"","example":"","description":"Syslog metadata"},{"field":"log.syslog.appname","type":"keyword","normalization":"","example":"sshd","description":"The device or application that originated the Syslog message."},{"field":"log.syslog.facility.code","type":"long","normalization":"","example":23,"description":"Syslog numeric facility of the event."},{"field":"log.syslog.facility.name","type":"keyword","normalization":"","example":"local7","description":"Syslog text-based facility of the event."},{"field":"log.syslog.hostname","type":"keyword","normalization":"","example":"example-host","description":"The host that originated the Syslog message."},{"field":"log.syslog.msgid","type":"keyword","normalization":"","example":"ID47","description":"An identifier for the type of Syslog 
message."},{"field":"log.syslog.priority","type":"long","normalization":"","example":135,"description":"Syslog priority of the event."},{"field":"log.syslog.procid","type":"keyword","normalization":"","example":12345,"description":"The process name or ID that originated the Syslog message."},{"field":"log.syslog.severity.code","type":"long","normalization":"","example":3,"description":"Syslog numeric severity of the event."},{"field":"log.syslog.severity.name","type":"keyword","normalization":"","example":"Error","description":"Syslog text-based severity of the event."},{"field":"log.syslog.structured_data","type":"flattened","normalization":"","example":"","description":"Structured data expressed in RFC 5424 messages."},{"field":"log.syslog.version","type":"keyword","normalization":"","example":1,"description":"Syslog protocol version."},{"field":"network.application","type":"keyword","normalization":"","example":"aim","description":"Application level protocol name."},{"field":"network.bytes","type":"long","normalization":"","example":368,"description":"Total bytes transferred in both directions."},{"field":"network.community_id","type":"keyword","normalization":"","example":"1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=","description":"A hash of source and destination IPs and ports."},{"field":"network.direction","type":"keyword","normalization":"","example":"inbound","description":"Direction of the network traffic."},{"field":"network.forwarded_ip","type":"ip","normalization":"","example":"192.1.1.2","description":"Host IP address when the source IP address is the proxy."},{"field":"network.iana_number","type":"keyword","normalization":"","example":6,"description":"IANA Protocol Number."},{"field":"network.inner","type":"object","normalization":"","example":"","description":"Inner VLAN tag information"},{"field":"network.inner.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the 
observer."},{"field":"network.inner.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"network.name","type":"keyword","normalization":"","example":"Guest Wifi","description":"Name given by operators to sections of their network."},{"field":"network.packets","type":"long","normalization":"","example":24,"description":"Total packets transferred in both directions."},{"field":"network.protocol","type":"keyword","normalization":"","example":"http","description":"Application protocol name."},{"field":"network.transport","type":"keyword","normalization":"","example":"tcp","description":"Protocol Name corresponding to the field `iana_number`."},{"field":"network.type","type":"keyword","normalization":"","example":"ipv4","description":"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"},{"field":"network.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"network.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress","type":"object","normalization":"","example":"","description":"Object field for egress information"},{"field":"observer.egress.interface.alias","type":"keyword","normalization":"","example":"outside","description":"Interface alias"},{"field":"observer.egress.interface.id","type":"keyword","normalization":"","example":10,"description":"Interface ID"},{"field":"observer.egress.interface.name","type":"keyword","normalization":"","example":"eth0","description":"Interface name"},{"field":"observer.egress.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"observer.egress.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the 
observer."},{"field":"observer.egress.zone","type":"keyword","normalization":"","example":"Public_Internet","description":"Observer Egress zone"},{"field":"observer.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"observer.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"observer.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"observer.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"observer.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"observer.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"observer.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"observer.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"observer.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"observer.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"observer.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"observer.hostname","type":"keyword","normalization":"","example":"","description":"Hostname of the observer."},{"field":"observer.ingress","type":"object","normalization":"","example":"","description":"Object field for ingress information"},{"field":"observer.ingress.interface.alias","type":"keyword","normalization":"","example":"outside","description":"Interface 
alias"},{"field":"observer.ingress.interface.id","type":"keyword","normalization":"","example":10,"description":"Interface ID"},{"field":"observer.ingress.interface.name","type":"keyword","normalization":"","example":"eth0","description":"Interface name"},{"field":"observer.ingress.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"observer.ingress.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.ingress.zone","type":"keyword","normalization":"","example":"DMZ","description":"Observer ingress zone"},{"field":"observer.ip","type":"ip","normalization":"array","example":"","description":"IP addresses of the observer."},{"field":"observer.mac","type":"keyword","normalization":"array","example":["00-00-5E-00-53-23","00-00-5E-00-53-24"],"description":"MAC addresses of the observer."},{"field":"observer.name","type":"keyword","normalization":"","example":"1_proxySG","description":"Custom name of the observer."},{"field":"observer.os.family","type":"keyword","normalization":"","example":"debian","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"observer.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"observer.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"observer.os.kernel","type":"keyword","normalization":"","example":"4.4.0-112-generic","description":"Operating system kernel version as a raw string."},{"field":"observer.os.name","type":"keyword","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"observer.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS 
X","description":"Operating system name, without the version."},{"field":"observer.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"observer.os.type","type":"keyword","normalization":"","example":"macos","description":"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."},{"field":"observer.os.version","type":"keyword","normalization":"","example":"10.14.1","description":"Operating system version as a raw string."},{"field":"observer.product","type":"keyword","normalization":"","example":"s200","description":"The product name of the observer."},{"field":"observer.serial_number","type":"keyword","normalization":"","example":"","description":"Observer serial number."},{"field":"observer.type","type":"keyword","normalization":"","example":"firewall","description":"The type of the observer the data is coming from."},{"field":"observer.vendor","type":"keyword","normalization":"","example":"Symantec","description":"Vendor name of the observer."},{"field":"observer.version","type":"keyword","normalization":"","example":"","description":"Observer version."},{"field":"orchestrator.api_version","type":"keyword","normalization":"","example":"v1beta1","description":"API version being used to carry out the action"},{"field":"orchestrator.cluster.id","type":"keyword","normalization":"","example":"","description":"Unique ID of the cluster."},{"field":"orchestrator.cluster.name","type":"keyword","normalization":"","example":"","description":"Name of the cluster."},{"field":"orchestrator.cluster.url","type":"keyword","normalization":"","example":"","description":"URL of the API used to manage the cluster."},{"field":"orchestrator.cluster.version","type":"keyword","normalization":"","example":"","description":"The version of the 
cluster."},{"field":"orchestrator.namespace","type":"keyword","normalization":"","example":"kube-system","description":"Namespace in which the action is taking place."},{"field":"orchestrator.organization","type":"keyword","normalization":"","example":"elastic","description":"Organization affected by the event (for multi-tenant orchestrator setups)."},{"field":"orchestrator.resource.id","type":"keyword","normalization":"","example":"","description":"Unique ID of the resource being acted upon."},{"field":"orchestrator.resource.ip","type":"ip","normalization":"array","example":"","description":"IP address assigned to the resource associated with the event being observed."},{"field":"orchestrator.resource.name","type":"keyword","normalization":"","example":"test-pod-cdcws","description":"Name of the resource being acted upon."},{"field":"orchestrator.resource.parent.type","type":"keyword","normalization":"","example":"DaemonSet","description":"Type or kind of the parent resource associated with the event being observed."},{"field":"orchestrator.resource.type","type":"keyword","normalization":"","example":"service","description":"Type of resource being acted upon."},{"field":"orchestrator.type","type":"keyword","normalization":"","example":"kubernetes","description":"Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry)."},{"field":"organization.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the organization."},{"field":"organization.name","type":"keyword","normalization":"","example":"","description":"Organization name."},{"field":"organization.name.text","type":"match_only_text","normalization":"","example":"","description":"Organization name."},{"field":"package.architecture","type":"keyword","normalization":"","example":"x86_64","description":"Package architecture."},{"field":"package.build_version","type":"keyword","normalization":"","example":"36f4f7e89dd61b0988b12ee000b98966867710cd","description":"Build version information"},{"field":"package.checksum","type":"keyword","normalization":"","example":"68b329da9893e34099c7d8ad5cb9c940","description":"Checksum of the installed package for verification."},{"field":"package.description","type":"keyword","normalization":"","example":"Open source programming language to build simple/reliable/efficient software.","description":"Description of the package."},{"field":"package.install_scope","type":"keyword","normalization":"","example":"global","description":"Indicating how the package was installed, e.g. 
user-local, global."},{"field":"package.installed","type":"date","normalization":"","example":"","description":"Time when package was installed."},{"field":"package.license","type":"keyword","normalization":"","example":"Apache License 2.0","description":"Package license"},{"field":"package.name","type":"keyword","normalization":"","example":"go","description":"Package name"},{"field":"package.path","type":"keyword","normalization":"","example":"/usr/local/Cellar/go/1.12.9/","description":"Path where the package is installed."},{"field":"package.reference","type":"keyword","normalization":"","example":"https://golang.org","description":"Package home page or reference URL"},{"field":"package.size","type":"long","normalization":"","example":62231,"description":"Package size in bytes."},{"field":"package.type","type":"keyword","normalization":"","example":"rpm","description":"Package type"},{"field":"package.version","type":"keyword","normalization":"","example":"1.12.9","description":"Package version"},{"field":"process.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"process.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"process.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"process.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate 
status."},{"field":"process.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"process.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"process.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"process.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"process.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"process.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"process.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"process.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"process.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and 
types."},{"field":"process.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"process.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"process.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"process.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\" for original ELF files."},{"field":"process.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"process.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"process.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"process.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"process.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"process.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List 
name."},{"field":"process.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"process.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"process.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"process.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"process.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"process.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"process.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"process.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"process.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"process.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"process.end","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process ended."},{"field":"process.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.entry_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args 
array."},{"field":"process.entry_leader.attested_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.attested_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.attested_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.attested_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.entry_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.entry_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.entry_meta.source.ip","type":"ip","normalization":"","example":"","description":"IP address of the source."},{"field":"process.entry_leader.entry_meta.type","type":"keyword","normalization":"","example":"","description":"The entry type for the entry session leader."},{"field":"process.entry_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.entry_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.entry_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the 
system/platform."},{"field":"process.entry_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.entry_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.entry_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.entry_leader.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.parent.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.parent.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.parent.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the 
group."},{"field":"process.entry_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.entry_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the 
system/platform."},{"field":"process.entry_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.entry_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major number."},{"field":"process.entry_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.entry_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.entry_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.env_vars","type":"keyword","normalization":"array","example":["PATH=/usr/local/bin:/usr/bin","USER=ubuntu"],"description":"Array of environment variable bindings."},{"field":"process.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process 
executable."},{"field":"process.exit_code","type":"long","normalization":"","example":137,"description":"The exit code of the process."},{"field":"process.group_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.group_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.group_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.group_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.group_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.group_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.group_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.group_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.group_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process 
name."},{"field":"process.group_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.group_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.group_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.group_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"process.group_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.group_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.group_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major number."},{"field":"process.group_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.group_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.group_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the 
process."},{"field":"process.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"process.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"process.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"process.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"process.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"process.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"process.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"process.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.parent.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.parent.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"process.parent.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"process.parent.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the 
process."},{"field":"process.parent.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"process.parent.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"process.parent.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"process.parent.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"process.parent.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"process.parent.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.parent.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.parent.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.parent.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"process.parent.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"process.parent.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF 
file."},{"field":"process.parent.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"process.parent.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"process.parent.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.parent.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"process.parent.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"process.parent.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"process.parent.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\" for original ELF files."},{"field":"process.parent.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.parent.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"process.parent.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"process.parent.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.parent.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"process.parent.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the 
section."},{"field":"process.parent.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.parent.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"process.parent.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"process.parent.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"process.parent.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"process.parent.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"process.parent.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"process.parent.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"process.parent.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"process.parent.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"process.parent.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"process.parent.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"process.parent.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"process.parent.end","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time 
the process ended."},{"field":"process.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.parent.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.parent.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.parent.exit_code","type":"long","normalization":"","example":137,"description":"The exit code of the process."},{"field":"process.parent.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.group_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.parent.group_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.parent.group_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.parent.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"process.parent.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"process.parent.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"process.parent.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"process.parent.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 
hash."},{"field":"process.parent.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"process.parent.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"process.parent.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.parent.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"process.parent.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"process.parent.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"process.parent.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"process.parent.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"process.parent.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"process.parent.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"process.parent.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name 
of the file, provided at compile-time."},{"field":"process.parent.pgid","type":"long","normalization":"","example":"","description":"Deprecated identifier of the group of processes the process belongs to."},{"field":"process.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.parent.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"process.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.parent.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.thread.id","type":"long","normalization":"","example":4242,"description":"Thread ID."},{"field":"process.parent.thread.name","type":"keyword","normalization":"","example":"thread-0","description":"Thread name."},{"field":"process.parent.title","type":"keyword","normalization":"","example":"","description":"Process title."},{"field":"process.parent.title.text","type":"match_only_text","normalization":"","example":"","description":"Process title."},{"field":"process.parent.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.parent.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major number."},{"field":"process.parent.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.parent.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the process has been up."},{"field":"process.parent.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"process.parent.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.parent.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"process.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"process.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"process.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"process.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"process.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"process.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"process.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"process.pgid","type":"long","normalization":"","example":"","description":"Deprecated identifier of the group of processes the process belongs to."},{"field":"process.pid","type":"long","normalization":"","example":4242,"description":"Process 
id."},{"field":"process.previous.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.previous.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.previous.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.previous.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"process.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.session_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.session_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.session_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.session_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.session_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.session_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process 
name."},{"field":"process.session_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.session_leader.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.parent.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.parent.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.parent.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"process.session_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.session_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.session_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major 
number."},{"field":"process.session_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.session_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.session_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.thread.id","type":"long","normalization":"","example":4242,"description":"Thread ID."},{"field":"process.thread.name","type":"keyword","normalization":"","example":"thread-0","description":"Thread name."},{"field":"process.title","type":"keyword","normalization":"","example":"","description":"Process title."},{"field":"process.title.text","type":"match_only_text","normalization":"","example":"","description":"Process 
title."},{"field":"process.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major number."},{"field":"process.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.tty.columns","type":"long","normalization":"","example":80,"description":"The number of character columns per line. e.g terminal width"},{"field":"process.tty.rows","type":"long","normalization":"","example":24,"description":"The number of character rows in the terminal. e.g terminal height"},{"field":"process.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the process has been up."},{"field":"process.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"registry.data.strings","type":"wildcard","normalization":"array","example":"[\"C:\\rta\\red_ttp\\bin\\myapp.exe\"]","description":"List of strings representing what was 
written to the registry."},{"field":"registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe","description":"Hive-relative path of keys."},{"field":"registry.path","type":"keyword","normalization":"","example":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger","description":"Full path, including hive, key and value"},{"field":"registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"related.hash","type":"keyword","normalization":"array","example":"","description":"All the hashes seen on your event."},{"field":"related.hosts","type":"keyword","normalization":"array","example":"","description":"All the host identifiers seen on your event."},{"field":"related.ip","type":"ip","normalization":"array","example":"","description":"All of the IPs seen on your event."},{"field":"related.user","type":"keyword","normalization":"array","example":"","description":"All the user names or other user identifiers seen on the event."},{"field":"rule.author","type":"keyword","normalization":"array","example":["Star-Lord"],"description":"Rule author"},{"field":"rule.category","type":"keyword","normalization":"","example":"Attempted Information Leak","description":"Rule category"},{"field":"rule.description","type":"keyword","normalization":"","example":"Block requests to public DNS over HTTPS / TLS protocols","description":"Rule description"},{"field":"rule.id","type":"keyword","normalization":"","example":101,"description":"Rule 
ID"},{"field":"rule.license","type":"keyword","normalization":"","example":"Apache 2.0","description":"Rule license"},{"field":"rule.name","type":"keyword","normalization":"","example":"BLOCK_DNS_over_TLS","description":"Rule name"},{"field":"rule.reference","type":"keyword","normalization":"","example":"https://en.wikipedia.org/wiki/DNS_over_TLS","description":"Rule reference URL"},{"field":"rule.ruleset","type":"keyword","normalization":"","example":"Standard_Protocol_Filters","description":"Rule ruleset"},{"field":"rule.uuid","type":"keyword","normalization":"","example":1100110011,"description":"Rule UUID"},{"field":"rule.version","type":"keyword","normalization":"","example":1.1,"description":"Rule version"},{"field":"server.address","type":"keyword","normalization":"","example":"","description":"Server network address."},{"field":"server.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"server.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"server.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"server.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the server to the client."},{"field":"server.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the server."},{"field":"server.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"server.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"server.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the 
continent."},{"field":"server.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"server.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"server.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"server.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"server.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"server.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"server.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"server.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"server.ip","type":"ip","normalization":"","example":"","description":"IP address of the server."},{"field":"server.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the server."},{"field":"server.nat.ip","type":"ip","normalization":"","example":"","description":"Server NAT ip"},{"field":"server.nat.port","type":"long","normalization":"","example":"","description":"Server NAT port"},{"field":"server.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the server to the client."},{"field":"server.port","type":"long","normalization":"","example":"","description":"Port of the server."},{"field":"server.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered server domain, stripped of the 
subdomain."},{"field":"server.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"server.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"server.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"server.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"server.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"server.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"server.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"server.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"server.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"server.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"server.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"server.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"server.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"server.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"service.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the service."},{"field":"service.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.origin.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.origin.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.origin.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.origin.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running 
service."},{"field":"service.origin.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the service."},{"field":"service.origin.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.origin.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.origin.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.origin.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.origin.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the service."},{"field":"service.origin.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"service.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.target.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.target.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.target.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.target.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.target.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the 
service."},{"field":"service.target.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.target.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.target.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.target.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.target.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the service."},{"field":"service.target.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"service.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the service."},{"field":"service.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"source.address","type":"keyword","normalization":"","example":"","description":"Source network address."},{"field":"source.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"source.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"source.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"source.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the source to the destination."},{"field":"source.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the 
source."},{"field":"source.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"source.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"source.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"source.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"source.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"source.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"source.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"source.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"source.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"source.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"source.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"source.ip","type":"ip","normalization":"","example":"","description":"IP address of the source."},{"field":"source.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the source."},{"field":"source.nat.ip","type":"ip","normalization":"","example":"","description":"Source NAT ip"},{"field":"source.nat.port","type":"long","normalization":"","example":"","description":"Source NAT port"},{"field":"source.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the source to the 
destination."},{"field":"source.port","type":"long","normalization":"","example":"","description":"Port of the source."},{"field":"source.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered source domain, stripped of the subdomain."},{"field":"source.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"source.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"source.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"source.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"source.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"source.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"source.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"source.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"source.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"source.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"source.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the 
user."},{"field":"source.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"source.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"source.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"span.id","type":"keyword","normalization":"","example":"3ff9a8981b7ccd5a","description":"Unique identifier of the span within the scope of its trace."},{"field":"threat.enrichments","type":"nested","normalization":"array","example":"","description":"List of objects containing indicators enriching the event."},{"field":"threat.enrichments.indicator","type":"object","normalization":"","example":"","description":"Object containing indicators enriching the event."},{"field":"threat.enrichments.indicator.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"threat.enrichments.indicator.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.enrichments.indicator.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.enrichments.indicator.confidence","type":"keyword","normalization":"","example":"Medium","description":"Indicator confidence rating"},{"field":"threat.enrichments.indicator.description","type":"keyword","normalization":"","example":"IP x.x.x.x was observed delivering the Angler EK.","description":"Indicator description"},{"field":"threat.enrichments.indicator.email.address","type":"keyword","normalization":"","example":"phish@example.com","description":"Indicator email 
address"},{"field":"threat.enrichments.indicator.file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"threat.enrichments.indicator.file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"threat.enrichments.indicator.file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"threat.enrichments.indicator.file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"threat.enrichments.indicator.file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"threat.enrichments.indicator.file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"threat.enrichments.indicator.file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate 
chain."},{"field":"threat.enrichments.indicator.file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.enrichments.indicator.file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"threat.enrichments.indicator.file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"threat.enrichments.indicator.file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"threat.enrichments.indicator.file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"threat.enrichments.indicator.file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"threat.enrichments.indicator.file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"threat.enrichments.indicator.file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"threat.enrichments.indicator.file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"threat.enrichments.indicator.file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application 
Binary Interface (ABI)."},{"field":"threat.enrichments.indicator.file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"\"0x1\" for original ELF files."},{"field":"threat.enrichments.indicator.file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.enrichments.indicator.file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"threat.enrichments.indicator.file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section 
List flags."},{"field":"threat.enrichments.indicator.file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"threat.enrichments.indicator.file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"threat.enrichments.indicator.file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"threat.enrichments.indicator.file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"threat.enrichments.indicator.file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"threat.enrichments.indicator.file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"threat.enrichments.indicator.file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"threat.enrichments.indicator.file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading 
dot."},{"field":"threat.enrichments.indicator.file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"threat.enrichments.indicator.file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the file."},{"field":"threat.enrichments.indicator.file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"threat.enrichments.indicator.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"threat.enrichments.indicator.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"threat.enrichments.indicator.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"threat.enrichments.indicator.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"threat.enrichments.indicator.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"threat.enrichments.indicator.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"threat.enrichments.indicator.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"threat.enrichments.indicator.file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"threat.enrichments.indicator.file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.enrichments.indicator.file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal 
representation."},{"field":"threat.enrichments.indicator.file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"threat.enrichments.indicator.file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"threat.enrichments.indicator.file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner's username."},{"field":"threat.enrichments.indicator.file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"threat.enrichments.indicator.file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"threat.enrichments.indicator.file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at 
compile-time."},{"field":"threat.enrichments.indicator.file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"threat.enrichments.indicator.file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"threat.enrichments.indicator.file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"threat.enrichments.indicator.file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.enrichments.indicator.file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"threat.enrichments.indicator.file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, 
OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. 
This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"threat.enrichments.indicator.file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state 
or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.enrichments.indicator.first_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was first reported."},{"field":"threat.enrichments.indicator.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"threat.enrichments.indicator.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"threat.enrichments.indicator.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"threat.enrichments.indicator.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"threat.enrichments.indicator.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"threat.enrichments.indicator.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"threat.enrichments.indicator.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"threat.enrichments.indicator.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"threat.enrichments.indicator.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"threat.enrichments.indicator.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region 
name."},{"field":"threat.enrichments.indicator.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"threat.enrichments.indicator.ip","type":"ip","normalization":"","example":"1.2.3.4","description":"Indicator IP address"},{"field":"threat.enrichments.indicator.last_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last reported."},{"field":"threat.enrichments.indicator.marking.tlp","type":"keyword","normalization":"","example":"WHITE","description":"Indicator TLP marking"},{"field":"threat.enrichments.indicator.modified_at","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last updated."},{"field":"threat.enrichments.indicator.port","type":"long","normalization":"","example":443,"description":"Indicator port"},{"field":"threat.enrichments.indicator.provider","type":"keyword","normalization":"","example":"lrz_urlhaus","description":"Indicator provider"},{"field":"threat.enrichments.indicator.reference","type":"keyword","normalization":"","example":"https://system.example.com/indicator/0001234","description":"Indicator reference URL"},{"field":"threat.enrichments.indicator.registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"threat.enrichments.indicator.registry.data.strings","type":"wildcard","normalization":"array","example":"[\"C:\\rta\\red_ttp\\bin\\myapp.exe\"]","description":"List of strings representing what was written to the registry."},{"field":"threat.enrichments.indicator.registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"threat.enrichments.indicator.registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name 
for the hive."},{"field":"threat.enrichments.indicator.registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe","description":"Hive-relative path of keys."},{"field":"threat.enrichments.indicator.registry.path","type":"keyword","normalization":"","example":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger","description":"Full path, including hive, key and value"},{"field":"threat.enrichments.indicator.registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"threat.enrichments.indicator.scanner_stats","type":"long","normalization":"","example":4,"description":"Scanner statistics"},{"field":"threat.enrichments.indicator.sightings","type":"long","normalization":"","example":20,"description":"Number of times indicator observed"},{"field":"threat.enrichments.indicator.type","type":"keyword","normalization":"","example":"ipv4-addr","description":"Type of indicator"},{"field":"threat.enrichments.indicator.url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"threat.enrichments.indicator.url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.enrichments.indicator.url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"threat.enrichments.indicator.url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed 
URL."},{"field":"threat.enrichments.indicator.url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"threat.enrichments.indicator.url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \"/search\"."},{"field":"threat.enrichments.indicator.url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"threat.enrichments.indicator.url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"threat.enrichments.indicator.url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.enrichments.indicator.url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"threat.enrichments.indicator.url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"threat.enrichments.indicator.url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.enrichments.indicator.url.username","type":"keyword","normalization":"","example":"","description":"Username of the 
request."},{"field":"threat.enrichments.indicator.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"threat.enrichments.indicator.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered 
valid."},{"field":"threat.enrichments.indicator.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"threat.enrichments.indicator.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject 
entity."},{"field":"threat.enrichments.indicator.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.enrichments.matched.atomic","type":"keyword","normalization":"","example":"bad-domain.com","description":"Matched indicator value"},{"field":"threat.enrichments.matched.field","type":"keyword","normalization":"","example":"file.hash.sha256","description":"Matched indicator field"},{"field":"threat.enrichments.matched.id","type":"keyword","normalization":"","example":"ff93aee5-86a1-4a61-b0e6-0cdc313d01b5","description":"Matched indicator identifier"},{"field":"threat.enrichments.matched.index","type":"keyword","normalization":"","example":"filebeat-8.0.0-2021.05.23-000011","description":"Matched indicator index"},{"field":"threat.enrichments.matched.occurred","type":"date","normalization":"","example":"2021-10-05T17:00:58.326Z","description":"Date of match"},{"field":"threat.enrichments.matched.type","type":"keyword","normalization":"","example":"indicator_match_rule","description":"Type of indicator match"},{"field":"threat.feed.dashboard_id","type":"keyword","normalization":"","example":"5ba16340-72e6-11eb-a3e3-b3cc7c78a70f","description":"Feed dashboard 
ID."},{"field":"threat.feed.description","type":"keyword","normalization":"","example":"Threat feed from the AlienVault Open Threat eXchange network.","description":"Description of the threat feed."},{"field":"threat.feed.name","type":"keyword","normalization":"","example":"AlienVault OTX","description":"Name of the threat feed."},{"field":"threat.feed.reference","type":"keyword","normalization":"","example":"https://otx.alienvault.com","description":"Reference for the threat feed."},{"field":"threat.framework","type":"keyword","normalization":"","example":"MITRE ATT&CK","description":"Threat classification framework."},{"field":"threat.group.alias","type":"keyword","normalization":"array","example":["Magecart Group 6"],"description":"Alias of the group."},{"field":"threat.group.id","type":"keyword","normalization":"","example":"G0037","description":"ID of the group."},{"field":"threat.group.name","type":"keyword","normalization":"","example":"FIN6","description":"Name of the group."},{"field":"threat.group.reference","type":"keyword","normalization":"","example":"https://attack.mitre.org/groups/G0037/","description":"Reference URL of the group."},{"field":"threat.indicator.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"threat.indicator.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.indicator.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.indicator.confidence","type":"keyword","normalization":"","example":"Medium","description":"Indicator confidence rating"},{"field":"threat.indicator.description","type":"keyword","normalization":"","example":"IP x.x.x.x was observed delivering the Angler EK.","description":"Indicator 
description"},{"field":"threat.indicator.email.address","type":"keyword","normalization":"","example":"phish@example.com","description":"Indicator email address"},{"field":"threat.indicator.file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"threat.indicator.file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"threat.indicator.file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"threat.indicator.file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"threat.indicator.file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"threat.indicator.file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"threat.indicator.file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"threat.indicator.file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate 
chain."},{"field":"threat.indicator.file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.indicator.file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"threat.indicator.file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"threat.indicator.file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"threat.indicator.file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"threat.indicator.file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"threat.indicator.file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"threat.indicator.file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"threat.indicator.file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"threat.indicator.file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"threat.indicator.file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"threat.indicator.file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface 
(ABI)."},{"field":"threat.indicator.file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"threat.indicator.file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"threat.indicator.file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"threat.indicator.file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\" for original ELF files."},{"field":"threat.indicator.file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.indicator.file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"threat.indicator.file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"threat.indicator.file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.indicator.file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"threat.indicator.file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"threat.indicator.file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.indicator.file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"threat.indicator.file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List 
name."},{"field":"threat.indicator.file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"threat.indicator.file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"threat.indicator.file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"threat.indicator.file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"threat.indicator.file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"threat.indicator.file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"threat.indicator.file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"threat.indicator.file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"threat.indicator.file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"threat.indicator.file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"threat.indicator.file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading dot."},{"field":"threat.indicator.file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"threat.indicator.file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the 
file."},{"field":"threat.indicator.file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"threat.indicator.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"threat.indicator.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"threat.indicator.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"threat.indicator.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"threat.indicator.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"threat.indicator.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"threat.indicator.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"threat.indicator.file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"threat.indicator.file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.indicator.file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"threat.indicator.file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"threat.indicator.file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"threat.indicator.file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner's 
username."},{"field":"threat.indicator.file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"threat.indicator.file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"threat.indicator.file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"threat.indicator.file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"threat.indicator.file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.indicator.file.size","type":"long","normalization":"","example":16384,"description":"File size in 
bytes."},{"field":"threat.indicator.file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.indicator.file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.indicator.file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"threat.indicator.file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.indicator.file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"threat.indicator.file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing 
certificate authority."},{"field":"threat.indicator.file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. 
This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.indicator.file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.indicator.file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"threat.indicator.file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.indicator.file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or 
P)"},{"field":"threat.indicator.file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.indicator.first_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was first reported."},{"field":"threat.indicator.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"threat.indicator.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"threat.indicator.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"threat.indicator.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"threat.indicator.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"threat.indicator.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"threat.indicator.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"threat.indicator.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"threat.indicator.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"threat.indicator.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"threat.indicator.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"threat.indicator.ip","type":"ip","normalization":"","example":"1.2.3.4","description":"Indicator IP 
address"},{"field":"threat.indicator.last_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last reported."},{"field":"threat.indicator.marking.tlp","type":"keyword","normalization":"","example":"WHITE","description":"Indicator TLP marking"},{"field":"threat.indicator.modified_at","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last updated."},{"field":"threat.indicator.port","type":"long","normalization":"","example":443,"description":"Indicator port"},{"field":"threat.indicator.provider","type":"keyword","normalization":"","example":"lrz_urlhaus","description":"Indicator provider"},{"field":"threat.indicator.reference","type":"keyword","normalization":"","example":"https://system.example.com/indicator/0001234","description":"Indicator reference URL"},{"field":"threat.indicator.registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"threat.indicator.registry.data.strings","type":"wildcard","normalization":"array","example":"[\"C:\\rta\\red_ttp\\bin\\myapp.exe\"]","description":"List of strings representing what was written to the registry."},{"field":"threat.indicator.registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"threat.indicator.registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"threat.indicator.registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe","description":"Hive-relative path of keys."},{"field":"threat.indicator.registry.path","type":"keyword","normalization":"","example":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution 
Options\\winword.exe\\Debugger","description":"Full path, including hive, key and value"},{"field":"threat.indicator.registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"threat.indicator.scanner_stats","type":"long","normalization":"","example":4,"description":"Scanner statistics"},{"field":"threat.indicator.sightings","type":"long","normalization":"","example":20,"description":"Number of times indicator observed"},{"field":"threat.indicator.type","type":"keyword","normalization":"","example":"ipv4-addr","description":"Type of indicator"},{"field":"threat.indicator.url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"threat.indicator.url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.indicator.url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"threat.indicator.url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.indicator.url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.indicator.url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event 
source."},{"field":"threat.indicator.url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"threat.indicator.url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \"/search\"."},{"field":"threat.indicator.url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"threat.indicator.url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"threat.indicator.url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.indicator.url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"threat.indicator.url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"threat.indicator.url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.indicator.url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"threat.indicator.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"threat.indicator.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, 
OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.indicator.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. 
This is algorithm specific."},{"field":"threat.indicator.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.indicator.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.indicator.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"threat.indicator.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.indicator.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.indicator.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 
format."},{"field":"threat.software.alias","type":"keyword","normalization":"array","example":["X-Agent"],"description":"Alias of the software"},{"field":"threat.software.id","type":"keyword","normalization":"","example":"S0552","description":"ID of the software"},{"field":"threat.software.name","type":"keyword","normalization":"","example":"AdFind","description":"Name of the software."},{"field":"threat.software.platforms","type":"keyword","normalization":"array","example":["Windows"],"description":"Platforms of the software."},{"field":"threat.software.reference","type":"keyword","normalization":"","example":"https://attack.mitre.org/software/S0552/","description":"Software reference URL."},{"field":"threat.software.type","type":"keyword","normalization":"","example":"Tool","description":"Software type."},{"field":"threat.tactic.id","type":"keyword","normalization":"array","example":"TA0002","description":"Threat tactic id."},{"field":"threat.tactic.name","type":"keyword","normalization":"array","example":"Execution","description":"Threat tactic."},{"field":"threat.tactic.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/tactics/TA0002/","description":"Threat tactic URL reference."},{"field":"threat.technique.id","type":"keyword","normalization":"array","example":"T1059","description":"Threat technique id."},{"field":"threat.technique.name","type":"keyword","normalization":"array","example":"Command and Scripting Interpreter","description":"Threat technique name."},{"field":"threat.technique.name.text","type":"match_only_text","normalization":"","example":"Command and Scripting Interpreter","description":"Threat technique name."},{"field":"threat.technique.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/techniques/T1059/","description":"Threat technique URL 
reference."},{"field":"threat.technique.subtechnique.id","type":"keyword","normalization":"array","example":"T1059.001","description":"Threat subtechnique id."},{"field":"threat.technique.subtechnique.name","type":"keyword","normalization":"array","example":"PowerShell","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.name.text","type":"match_only_text","normalization":"","example":"PowerShell","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/techniques/T1059/001/","description":"Threat subtechnique URL reference."},{"field":"tls.cipher","type":"keyword","normalization":"","example":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","description":"String indicating the cipher used during the current connection."},{"field":"tls.client.certificate","type":"keyword","normalization":"","example":"MII...","description":"PEM-encoded stand-alone certificate offered by the client."},{"field":"tls.client.certificate_chain","type":"keyword","normalization":"array","example":["MII...","MII..."],"description":"Array of PEM-encoded certificates that make up the certificate chain offered by the client."},{"field":"tls.client.hash.md5","type":"keyword","normalization":"","example":"0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha1","type":"keyword","normalization":"","example":"9E393D93138888D288266C2D915214D1D1CCEB2A","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha256","type":"keyword","normalization":"","example":"0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the 
client."},{"field":"tls.client.issuer","type":"keyword","normalization":"","example":"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com","description":"Distinguished name of subject of the issuer of the x.509 certificate presented by the client."},{"field":"tls.client.ja3","type":"keyword","normalization":"","example":"d4e5b18d6b55c71272893221c96ba240","description":"A hash that identifies clients based on how they perform an SSL/TLS handshake."},{"field":"tls.client.not_after","type":"date","normalization":"","example":"2021-01-01T00:00:00.000Z","description":"Date/Time indicating when client certificate is no longer considered valid."},{"field":"tls.client.not_before","type":"date","normalization":"","example":"1970-01-01T00:00:00.000Z","description":"Date/Time indicating when client certificate is first considered valid."},{"field":"tls.client.server_name","type":"keyword","normalization":"","example":"www.elastic.co","description":"Hostname the client is trying to connect to. 
Also called the SNI."},{"field":"tls.client.subject","type":"keyword","normalization":"","example":"CN=myclient, OU=Documentation Team, DC=example, DC=com","description":"Distinguished name of subject of the x.509 certificate presented by the client."},{"field":"tls.client.supported_ciphers","type":"keyword","normalization":"array","example":["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","..."],"description":"Array of ciphers offered by the client during the client hello."},{"field":"tls.client.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"tls.client.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"tls.client.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"tls.client.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.client.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.client.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or 
province names (ST, S, or P)"},{"field":"tls.client.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.client.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"tls.client.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"tls.client.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.client.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.client.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"tls.client.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"tls.client.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"tls.client.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"tls.client.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"tls.client.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of 
the certificate subject entity."},{"field":"tls.client.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"tls.client.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"tls.client.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"tls.client.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"tls.curve","type":"keyword","normalization":"","example":"secp256r1","description":"String indicating the curve used for the given cipher, when applicable."},{"field":"tls.established","type":"boolean","normalization":"","example":"","description":"Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel."},{"field":"tls.next_protocol","type":"keyword","normalization":"","example":"http/1.1","description":"String indicating the protocol being tunneled."},{"field":"tls.resumed","type":"boolean","normalization":"","example":"","description":"Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation."},{"field":"tls.server.certificate","type":"keyword","normalization":"","example":"MII...","description":"PEM-encoded stand-alone certificate offered by the server."},{"field":"tls.server.certificate_chain","type":"keyword","normalization":"array","example":["MII...","MII..."],"description":"Array of PEM-encoded certificates that make up the certificate chain offered by the 
server."},{"field":"tls.server.hash.md5","type":"keyword","normalization":"","example":"0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha1","type":"keyword","normalization":"","example":"9E393D93138888D288266C2D915214D1D1CCEB2A","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha256","type":"keyword","normalization":"","example":"0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.issuer","type":"keyword","normalization":"","example":"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com","description":"Subject of the issuer of the x.509 certificate presented by the server."},{"field":"tls.server.ja3s","type":"keyword","normalization":"","example":"394441ab65754e2207b1e1b457b3641d","description":"A hash that identifies servers based on how they perform an SSL/TLS handshake."},{"field":"tls.server.not_after","type":"date","normalization":"","example":"2021-01-01T00:00:00.000Z","description":"Timestamp indicating when server certificate is no longer considered valid."},{"field":"tls.server.not_before","type":"date","normalization":"","example":"1970-01-01T00:00:00.000Z","description":"Timestamp indicating when server certificate is first considered valid."},{"field":"tls.server.subject","type":"keyword","normalization":"","example":"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com","description":"Subject of the x.509 certificate presented by the server."},{"field":"tls.server.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names 
(SAN)."},{"field":"tls.server.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"tls.server.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"tls.server.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.server.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.server.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.server.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"tls.server.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"tls.server.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve 
used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.server.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.server.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"tls.server.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"tls.server.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"tls.server.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"tls.server.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"tls.server.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.server.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"tls.server.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"tls.server.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"tls.server.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state 
or province names (ST, S, or P)"},{"field":"tls.server.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"tls.version","type":"keyword","normalization":"","example":1.2,"description":"Numeric part of the version parsed from the original string."},{"field":"tls.version_protocol","type":"keyword","normalization":"","example":"tls","description":"Normalized lowercase protocol name parsed from original string."},{"field":"trace.id","type":"keyword","normalization":"","example":"4bf92f3577b34da6a3ce929d0e0e4736","description":"Unique identifier of the trace."},{"field":"transaction.id","type":"keyword","normalization":"","example":"00f067aa0ba902b7","description":"Unique identifier of the transaction within the scope of its trace."},{"field":"url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event 
source."},{"field":"url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \"/search\"."},{"field":"url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"user.changes.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.changes.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.changes.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.changes.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.changes.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.changes.group.id","type":"keyword","normalization":"","example":"","description":"Unique 
identifier for the group on the system/platform."},{"field":"user.changes.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.changes.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.changes.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.changes.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.changes.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.changes.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.effective.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.effective.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.effective.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.effective.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.effective.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.effective.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the 
system/platform."},{"field":"user.effective.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.effective.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.effective.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.effective.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.effective.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.effective.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized 
form."},{"field":"user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.risk.calculated_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"user.risk.calculated_score","type":"float","normalization":"","example":880.73,"description":"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"user.risk.calculated_score_norm","type":"float","normalization":"","example":88.73,"description":"A normalized risk score calculated by an internal system."},{"field":"user.risk.static_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"user.risk.static_score","type":"float","normalization":"","example":830,"description":"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"user.risk.static_score_norm","type":"float","normalization":"","example":83,"description":"A normalized risk score calculated by an external system."},{"field":"user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.target.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member 
of."},{"field":"user.target.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.target.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.target.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.target.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.target.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.target.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.target.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.target.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.target.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.target.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.target.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user_agent.device.name","type":"keyword","normalization":"","example":"iPhone","description":"Name of the device."},{"field":"user_agent.name","type":"keyword","normalization":"","example":"Safari","description":"Name of the user agent."},{"field":"user_agent.original","type":"keyword","normalization":"","example":"Mozilla/5.0 (iPhone; 
CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","description":"Unparsed user_agent string."},{"field":"user_agent.original.text","type":"match_only_text","normalization":"","example":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","description":"Unparsed user_agent string."},{"field":"user_agent.os.family","type":"keyword","normalization":"","example":"debian","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"user_agent.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.kernel","type":"keyword","normalization":"","example":"4.4.0-112-generic","description":"Operating system kernel version as a raw string."},{"field":"user_agent.os.name","type":"keyword","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"user_agent.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"user_agent.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"user_agent.os.type","type":"keyword","normalization":"","example":"macos","description":"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."},{"field":"user_agent.os.version","type":"keyword","normalization":"","example":"10.14.1","description":"Operating system version as a raw 
string."},{"field":"user_agent.version","type":"keyword","normalization":"","example":12,"description":"Version of the user agent."},{"field":"vulnerability.category","type":"keyword","normalization":"array","example":["Firewall"],"description":"Category of a vulnerability."},{"field":"vulnerability.classification","type":"keyword","normalization":"","example":"CVSS","description":"Classification of the vulnerability."},{"field":"vulnerability.description","type":"keyword","normalization":"","example":"In macOS before 2.12.6, there is a vulnerability in the RPC...","description":"Description of the vulnerability."},{"field":"vulnerability.description.text","type":"match_only_text","normalization":"","example":"In macOS before 2.12.6, there is a vulnerability in the RPC...","description":"Description of the vulnerability."},{"field":"vulnerability.enumeration","type":"keyword","normalization":"","example":"CVE","description":"Identifier of the vulnerability."},{"field":"vulnerability.id","type":"keyword","normalization":"","example":"CVE-2019-00001","description":"ID of the vulnerability."},{"field":"vulnerability.reference","type":"keyword","normalization":"","example":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111","description":"Reference of the vulnerability."},{"field":"vulnerability.report_id","type":"keyword","normalization":"","example":20191018.0001,"description":"Scan identification number."},{"field":"vulnerability.scanner.vendor","type":"keyword","normalization":"","example":"Tenable","description":"Name of the scanner vendor."},{"field":"vulnerability.score.base","type":"float","normalization":"","example":5.5,"description":"Vulnerability Base score."},{"field":"vulnerability.score.environmental","type":"float","normalization":"","example":5.5,"description":"Vulnerability Environmental score."},{"field":"vulnerability.score.temporal","type":"float","normalization":"","example":"","description":"Vulnerability Temporal 
score."},{"field":"vulnerability.score.version","type":"keyword","normalization":"","example":2,"description":"CVSS version."},{"field":"vulnerability.severity","type":"keyword","normalization":"","example":"Critical","description":"Severity of the vulnerability."}] \ No newline at end of file diff --git a/x-pack/plugins/osquery/public/common/schemas/ecs/v8.7.0.json b/x-pack/plugins/osquery/public/common/schemas/ecs/v8.7.0.json new file mode 100644 index 0000000000000..0961ad25572a4 --- /dev/null +++ b/x-pack/plugins/osquery/public/common/schemas/ecs/v8.7.0.json 
@@ -0,0 +1 @@ +[{"field":"labels","type":"object","normalization":"","example":{"application":"foo-bar","env":"production"},"description":"Custom key/value pairs."},{"field":"message","type":"match_only_text","normalization":"","example":"Hello World","description":"Log message optimized for viewing in a log viewer."},{"field":"tags","type":"keyword","normalization":"array","example":["production","env2"],"description":"List of keywords used to tag each event."},{"field":"agent.build.original","type":"keyword","normalization":"","example":"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]","description":"Extended build information for the agent."},{"field":"client.address","type":"keyword","normalization":"","example":"","description":"Client network address."},{"field":"client.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"client.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"client.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"client.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the client to the server."},{"field":"client.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the client."},{"field":"client.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"client.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"client.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the 
continent."},{"field":"client.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"client.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"client.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"client.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"client.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"client.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"client.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"client.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"client.ip","type":"ip","normalization":"","example":"","description":"IP address of the client."},{"field":"client.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the client."},{"field":"client.nat.ip","type":"ip","normalization":"","example":"","description":"Client NAT ip address"},{"field":"client.nat.port","type":"long","normalization":"","example":"","description":"Client NAT port"},{"field":"client.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the client to the server."},{"field":"client.port","type":"long","normalization":"","example":"","description":"Port of the client."},{"field":"client.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered client domain, stripped of the 
subdomain."},{"field":"client.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"client.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"client.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"client.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"client.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"client.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"client.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"client.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"client.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"client.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"client.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"client.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"client.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"client.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"cloud.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host machine."},{"field":"cloud.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host machine."},{"field":"cloud.origin.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.origin.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.origin.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.origin.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host machine."},{"field":"cloud.origin.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.origin.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host 
machine."},{"field":"cloud.origin.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.origin.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.origin.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.origin.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.origin.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"cloud.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"cloud.target.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.target.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.target.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.target.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host 
machine."},{"field":"cloud.target.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.target.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host machine."},{"field":"cloud.target.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.target.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.target.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.target.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.target.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"container.cpu.usage","type":"scaled_float","normalization":"","example":"","description":"Percent CPU used, between 0 and 1."},{"field":"container.disk.read.bytes","type":"long","normalization":"","example":"","description":"The number of bytes read by all disks."},{"field":"container.disk.write.bytes","type":"long","normalization":"","example":"","description":"The number of bytes written on all disks."},{"field":"container.id","type":"keyword","normalization":"","example":"","description":"Unique container id."},{"field":"container.image.hash.all","type":"keyword","normalization":"array","example":"[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]","description":"An array of digests of the image the container was built on."},{"field":"container.image.name","type":"keyword","normalization":"","example":"","description":"Name of the image the container was built 
on."},{"field":"container.image.tag","type":"keyword","normalization":"array","example":"","description":"Container image tags."},{"field":"container.labels","type":"object","normalization":"","example":"","description":"Image labels."},{"field":"container.memory.usage","type":"scaled_float","normalization":"","example":"","description":"Percent memory used, between 0 and 1."},{"field":"container.name","type":"keyword","normalization":"","example":"","description":"Container name."},{"field":"container.network.egress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes sent on all network interfaces."},{"field":"container.network.ingress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes received on all network interfaces."},{"field":"container.runtime","type":"keyword","normalization":"","example":"docker","description":"Runtime managing this container."},{"field":"data_stream.dataset","type":"constant_keyword","normalization":"","example":"nginx.access","description":"The field can contain anything that makes sense to signify the source of the data."},{"field":"data_stream.namespace","type":"constant_keyword","normalization":"","example":"production","description":"A user defined namespace. 
Namespaces are useful to allow grouping of data."},{"field":"data_stream.type","type":"constant_keyword","normalization":"","example":"logs","description":"An overarching type for the data stream."},{"field":"destination.address","type":"keyword","normalization":"","example":"","description":"Destination network address."},{"field":"destination.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"destination.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"destination.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"destination.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the destination to the source."},{"field":"destination.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the destination."},{"field":"destination.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"destination.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"destination.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"destination.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"destination.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"destination.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"destination.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a 
location."},{"field":"destination.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"destination.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"destination.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"destination.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"destination.ip","type":"ip","normalization":"","example":"","description":"IP address of the destination."},{"field":"destination.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the destination."},{"field":"destination.nat.ip","type":"ip","normalization":"","example":"","description":"Destination NAT ip"},{"field":"destination.nat.port","type":"long","normalization":"","example":"","description":"Destination NAT Port"},{"field":"destination.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the destination to the source."},{"field":"destination.port","type":"long","normalization":"","example":"","description":"Port of the destination."},{"field":"destination.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered destination domain, stripped of the subdomain."},{"field":"destination.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"destination.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"destination.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member 
of."},{"field":"destination.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"destination.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"destination.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"destination.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"destination.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"destination.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"destination.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"destination.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"destination.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"destination.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"destination.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"device.id","type":"keyword","normalization":"","example":"00000000-54b3-e7c7-0000-000046bffd97","description":"The unique identifier of a device."},{"field":"device.manufacturer","type":"keyword","normalization":"","example":"Samsung","description":"The vendor name of the device 
manufacturer."},{"field":"device.model.identifier","type":"keyword","normalization":"","example":"SM-G920F","description":"The machine readable identifier of the device model."},{"field":"device.model.name","type":"keyword","normalization":"","example":"Samsung Galaxy S6","description":"The human readable marketing name of the device model."},{"field":"dll.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"dll.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"dll.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"dll.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"dll.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"dll.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"dll.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"dll.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"dll.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"dll.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 
hash."},{"field":"dll.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"dll.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"dll.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"dll.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"dll.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"dll.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"dll.name","type":"keyword","normalization":"","example":"kernel32.dll","description":"Name of the library."},{"field":"dll.path","type":"keyword","normalization":"","example":"C:\\Windows\\System32\\kernel32.dll","description":"Full file path of the library."},{"field":"dll.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"dll.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"dll.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"dll.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"dll.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"dll.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"dll.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go 
imports."},{"field":"dll.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"dll.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"dll.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"dll.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"dll.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"dll.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"dll.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"dll.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"dll.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"dll.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"dll.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"dll.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation 
from the section."},{"field":"dll.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"dll.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"dll.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"dll.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"dns.answers","type":"object","normalization":"array","example":"","description":"Array of DNS answers."},{"field":"dns.answers.class","type":"keyword","normalization":"","example":"IN","description":"The class of DNS data contained in this resource record."},{"field":"dns.answers.data","type":"keyword","normalization":"","example":"10.10.10.10","description":"The data describing the resource."},{"field":"dns.answers.name","type":"keyword","normalization":"","example":"www.example.com","description":"The domain name to which this resource record pertains."},{"field":"dns.answers.ttl","type":"long","normalization":"","example":180,"description":"The time interval in seconds that this resource record may be cached before it should be discarded."},{"field":"dns.answers.type","type":"keyword","normalization":"","example":"CNAME","description":"The type of data contained in this resource record."},{"field":"dns.header_flags","type":"keyword","normalization":"array","example":["RD","RA"],"description":"Array of DNS header flags."},{"field":"dns.id","type":"keyword","normalization":"","example":62111,"description":"The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response."},{"field":"dns.op_code","type":"keyword","normalization":"","example":"QUERY","description":"The DNS operation code that specifies the kind of query in the message."},{"field":"dns.question.class","type":"keyword","normalization":"","example":"IN","description":"The class of records being queried."},{"field":"dns.question.name","type":"keyword","normalization":"","example":"www.example.com","description":"The name being queried."},{"field":"dns.question.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered domain, stripped of the subdomain."},{"field":"dns.question.subdomain","type":"keyword","normalization":"","example":"www","description":"The subdomain of the domain."},{"field":"dns.question.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"dns.question.type","type":"keyword","normalization":"","example":"AAAA","description":"The type of record being queried."},{"field":"dns.resolved_ip","type":"ip","normalization":"array","example":["10.10.10.10","10.10.10.11"],"description":"Array containing all IPs seen in answers.data"},{"field":"dns.response_code","type":"keyword","normalization":"","example":"NOERROR","description":"The DNS response code."},{"field":"dns.type","type":"keyword","normalization":"","example":"answer","description":"The type of DNS event captured, query or answer."},{"field":"email.attachments","type":"nested","normalization":"array","example":"","description":"List of objects describing the attachments."},{"field":"email.attachments.file.extension","type":"keyword","normalization":"","example":"txt","description":"Attachment file extension."},{"field":"email.attachments.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 
hash."},{"field":"email.attachments.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"email.attachments.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"email.attachments.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"email.attachments.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"email.attachments.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"email.attachments.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"email.attachments.file.mime_type","type":"keyword","normalization":"","example":"text/plain","description":"MIME type of the attachment file."},{"field":"email.attachments.file.name","type":"keyword","normalization":"","example":"attachment.txt","description":"Name of the attachment file."},{"field":"email.attachments.file.size","type":"long","normalization":"","example":64329,"description":"Attachment file size."},{"field":"email.bcc.address","type":"keyword","normalization":"array","example":"bcc.user1@example.com","description":"Email address of BCC recipient"},{"field":"email.cc.address","type":"keyword","normalization":"array","example":"cc.user1@example.com","description":"Email address of CC recipient"},{"field":"email.content_type","type":"keyword","normalization":"","example":"text/plain","description":"MIME type of the email message."},{"field":"email.delivery_timestamp","type":"date","normalization":"","example":"2020-11-10T22:12:34.8196921Z","description":"Date and time when message was delivered."},{"field":"email.direction","type":"keyword","normalization":"","example":"inbound","description":"Direction of the 
message."},{"field":"email.from.address","type":"keyword","normalization":"array","example":"sender@example.com","description":"The sender's email address."},{"field":"email.local_id","type":"keyword","normalization":"","example":"c26dbea0-80d5-463b-b93c-4e8b708219ce","description":"Unique identifier given by the source."},{"field":"email.message_id","type":"wildcard","normalization":"","example":"81ce15$8r2j59@mail01.example.com","description":"Value from the Message-ID header."},{"field":"email.origination_timestamp","type":"date","normalization":"","example":"2020-11-10T22:12:34.8196921Z","description":"Date and time the email was composed."},{"field":"email.reply_to.address","type":"keyword","normalization":"array","example":"reply.here@example.com","description":"Address replies should be delivered to."},{"field":"email.sender.address","type":"keyword","normalization":"","example":"","description":"Address of the message sender."},{"field":"email.subject","type":"keyword","normalization":"","example":"Please see this important message.","description":"The subject of the email message."},{"field":"email.subject.text","type":"match_only_text","normalization":"","example":"Please see this important message.","description":"The subject of the email message."},{"field":"email.to.address","type":"keyword","normalization":"array","example":"user1@example.com","description":"Email address of recipient"},{"field":"email.x_mailer","type":"keyword","normalization":"","example":"Spambot v2.5","description":"Application that drafted email."},{"field":"error.code","type":"keyword","normalization":"","example":"","description":"Error code describing the error."},{"field":"error.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the error."},{"field":"error.message","type":"match_only_text","normalization":"","example":"","description":"Error 
message."},{"field":"error.stack_trace","type":"wildcard","normalization":"","example":"","description":"The stack trace of this error in plain text."},{"field":"error.stack_trace.text","type":"match_only_text","normalization":"","example":"","description":"The stack trace of this error in plain text."},{"field":"error.type","type":"keyword","normalization":"","example":"java.lang.NullPointerException","description":"The type of the error, for example the class name of the exception."},{"field":"event.action","type":"keyword","normalization":"","example":"user-password-change","description":"The action captured by the event."},{"field":"event.category","type":"keyword","normalization":"array","example":"authentication","description":"Event category. The second categorization field in the hierarchy."},{"field":"event.code","type":"keyword","normalization":"","example":4648,"description":"Identification code for this event."},{"field":"event.created","type":"date","normalization":"","example":"2016-05-23T08:05:34.857Z","description":"Time when the event was first read by an agent or by your pipeline."},{"field":"event.dataset","type":"keyword","normalization":"","example":"apache.access","description":"Name of the dataset."},{"field":"event.duration","type":"long","normalization":"","example":"","description":"Duration of the event in nanoseconds."},{"field":"event.end","type":"date","normalization":"","example":"","description":"event.end contains the date when the event ended or when the activity was last observed."},{"field":"event.hash","type":"keyword","normalization":"","example":"123456789012345678901234567890ABCD","description":"Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity."},{"field":"event.id","type":"keyword","normalization":"","example":"8a4f500d","description":"Unique ID to describe the event."},{"field":"event.kind","type":"keyword","normalization":"","example":"alert","description":"The kind of the event. 
The highest categorization field in the hierarchy."},{"field":"event.original","type":"keyword","normalization":"","example":"Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232","description":"Raw text message of entire event."},{"field":"event.outcome","type":"keyword","normalization":"","example":"success","description":"The outcome of the event. The lowest level categorization field in the hierarchy."},{"field":"event.provider","type":"keyword","normalization":"","example":"kernel","description":"Source of the event."},{"field":"event.reason","type":"keyword","normalization":"","example":"Terminated an unexpected process","description":"Reason why this event happened, according to the source"},{"field":"event.reference","type":"keyword","normalization":"","example":"https://system.example.com/event/#0001234","description":"Event reference URL"},{"field":"event.risk_score","type":"float","normalization":"","example":"","description":"Risk score or priority of the event (e.g. security solutions). Use your system's original value here."},{"field":"event.risk_score_norm","type":"float","normalization":"","example":"","description":"Normalized risk score or priority of the event (0-100)."},{"field":"event.sequence","type":"long","normalization":"","example":"","description":"Sequence number of the event."},{"field":"event.severity","type":"long","normalization":"","example":7,"description":"Numeric severity of the event."},{"field":"event.start","type":"date","normalization":"","example":"","description":"event.start contains the date when the event started or when the activity was first observed."},{"field":"event.timezone","type":"keyword","normalization":"","example":"","description":"Event time zone."},{"field":"event.type","type":"keyword","normalization":"array","example":"","description":"Event type. 
The third categorization field in the hierarchy."},{"field":"event.url","type":"keyword","normalization":"","example":"https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe","description":"Event investigation URL"},{"field":"faas.coldstart","type":"boolean","normalization":"","example":"","description":"Boolean value indicating a cold start of a function."},{"field":"faas.execution","type":"keyword","normalization":"","example":"af9d5aa4-a685-4c5f-a22b-444f80b3cc28","description":"The execution ID of the current function execution."},{"field":"faas.id","type":"keyword","normalization":"","example":"arn:aws:lambda:us-west-2:123456789012:function:my-function","description":"The unique identifier of a serverless function."},{"field":"faas.name","type":"keyword","normalization":"","example":"my-function","description":"The name of a serverless function."},{"field":"faas.trigger","type":"nested","normalization":"","example":"","description":"Details about the function trigger."},{"field":"faas.trigger.request_id","type":"keyword","normalization":"","example":123456789,"description":"The ID of the trigger request , message, event, etc."},{"field":"faas.trigger.type","type":"keyword","normalization":"","example":"http","description":"The trigger for the function execution."},{"field":"faas.version","type":"keyword","normalization":"","example":123,"description":"The version of a serverless function."},{"field":"file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a 
signature is present."},{"field":"file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF 
file."},{"field":"file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"file.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"file.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"file.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"file.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"file.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF 
file."},{"field":"file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\" for original ELF files."},{"field":"file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"file.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"file.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"file.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List 
name."},{"field":"file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"file.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading dot."},{"field":"file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the 
file."},{"field":"file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"file.macho.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a Mach-O file."},{"field":"file.macho.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"file.macho.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"file.macho.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"file.macho.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"file.macho.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of 
the imports in a Mach-O file."},{"field":"file.macho.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"file.macho.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"file.macho.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"file.macho.sections","type":"nested","normalization":"array","example":"","description":"Section information of the Mach-O file."},{"field":"file.macho.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"file.macho.sections.name","type":"keyword","normalization":"","example":"","description":"Mach-O Section List name."},{"field":"file.macho.sections.physical_size","type":"long","normalization":"","example":"","description":"Mach-O Section List physical size."},{"field":"file.macho.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"file.macho.sections.virtual_size","type":"long","normalization":"","example":"","description":"Mach-O Section List virtual size. 
This is always the same as `physical_size`."},{"field":"file.macho.symhash","type":"keyword","normalization":"","example":"d3ccf195b62a9279c3c19af1080497ec","description":"A hash of the imports in a Mach-O file."},{"field":"file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner's username."},{"field":"file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"file.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a 
PE file."},{"field":"file.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"file.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"file.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"file.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"file.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"file.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"file.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"file.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating 
System","description":"Internal product name of the file, provided at compile-time."},{"field":"file.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"file.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"file.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"file.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"file.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"file.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate 
authority."},{"field":"file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. 
This is algorithm specific."},{"field":"file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member 
of."},{"field":"group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"host.boot.id","type":"keyword","normalization":"","example":"88a1f0ed-5ae5-41ee-af6b-41921c311872","description":"Linux boot uuid taken from /proc/sys/kernel/random/boot_id"},{"field":"host.cpu.usage","type":"scaled_float","normalization":"","example":"","description":"Percent CPU used, between 0 and 1."},{"field":"host.disk.read.bytes","type":"long","normalization":"","example":"","description":"The number of bytes read by all disks."},{"field":"host.disk.write.bytes","type":"long","normalization":"","example":"","description":"The number of bytes written on all disks."},{"field":"host.domain","type":"keyword","normalization":"","example":"CONTOSO","description":"Name of the directory the group is a member of."},{"field":"host.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"host.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"host.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"host.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"host.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"host.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"host.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"host.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal 
code."},{"field":"host.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"host.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"host.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"host.name","type":"keyword","normalization":"","example":"","description":"Name of the host."},{"field":"host.network.egress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes sent on all network interfaces."},{"field":"host.network.egress.packets","type":"long","normalization":"","example":"","description":"The number of packets sent on all network interfaces."},{"field":"host.network.ingress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes received on all network interfaces."},{"field":"host.network.ingress.packets","type":"long","normalization":"","example":"","description":"The number of packets received on all network interfaces."},{"field":"host.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"host.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"host.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"host.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"host.pid_ns_ino","type":"keyword","normalization":"","example":256383,"description":"Pid namespace inode"},{"field":"host.risk.calculated_level","type":"keyword","normalization":"","example":"High","description":"A risk 
classification level calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"host.risk.calculated_score","type":"float","normalization":"","example":880.73,"description":"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"host.risk.calculated_score_norm","type":"float","normalization":"","example":88.73,"description":"A normalized risk score calculated by an internal system."},{"field":"host.risk.static_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"host.risk.static_score","type":"float","normalization":"","example":830,"description":"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"host.risk.static_score_norm","type":"float","normalization":"","example":83,"description":"A normalized risk score calculated by an external system."},{"field":"host.type","type":"keyword","normalization":"","example":"","description":"Type of host."},{"field":"host.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the host has been up."},{"field":"http.request.body.bytes","type":"long","normalization":"","example":887,"description":"Size in bytes of the request body."},{"field":"http.request.body.content","type":"wildcard","normalization":"","example":"Hello world","description":"The full HTTP request body."},{"field":"http.request.body.content.text","type":"match_only_text","normalization":"","example":"Hello world","description":"The full HTTP request body."},{"field":"http.request.bytes","type":"long","normalization":"","example":1437,"description":"Total size in bytes of the request (body and 
headers)."},{"field":"http.request.id","type":"keyword","normalization":"","example":"123e4567-e89b-12d3-a456-426614174000","description":"HTTP request ID."},{"field":"http.request.method","type":"keyword","normalization":"","example":"POST","description":"HTTP request method."},{"field":"http.request.mime_type","type":"keyword","normalization":"","example":"image/gif","description":"Mime type of the body of the request."},{"field":"http.request.referrer","type":"keyword","normalization":"","example":"https://blog.example.com/","description":"Referrer for this HTTP request."},{"field":"http.response.body.bytes","type":"long","normalization":"","example":887,"description":"Size in bytes of the response body."},{"field":"http.response.body.content","type":"wildcard","normalization":"","example":"Hello world","description":"The full HTTP response body."},{"field":"http.response.body.content.text","type":"match_only_text","normalization":"","example":"Hello world","description":"The full HTTP response body."},{"field":"http.response.bytes","type":"long","normalization":"","example":1437,"description":"Total size in bytes of the response (body and headers)."},{"field":"http.response.mime_type","type":"keyword","normalization":"","example":"image/gif","description":"Mime type of the body of the response."},{"field":"http.response.status_code","type":"long","normalization":"","example":404,"description":"HTTP response status code."},{"field":"http.version","type":"keyword","normalization":"","example":1.1,"description":"HTTP version."},{"field":"log.file.path","type":"keyword","normalization":"","example":"/var/log/fun-times.log","description":"Full path to the log file this event came from."},{"field":"log.level","type":"keyword","normalization":"","example":"error","description":"Log level of the log event."},{"field":"log.logger","type":"keyword","normalization":"","example":"org.elasticsearch.bootstrap.Bootstrap","description":"Name of the 
logger."},{"field":"log.origin.file.line","type":"long","normalization":"","example":42,"description":"The line number of the file which originated the log event."},{"field":"log.origin.file.name","type":"keyword","normalization":"","example":"Bootstrap.java","description":"The code file which originated the log event."},{"field":"log.origin.function","type":"keyword","normalization":"","example":"init","description":"The function which originated the log event."},{"field":"log.syslog","type":"object","normalization":"","example":"","description":"Syslog metadata"},{"field":"log.syslog.appname","type":"keyword","normalization":"","example":"sshd","description":"The device or application that originated the Syslog message."},{"field":"log.syslog.facility.code","type":"long","normalization":"","example":23,"description":"Syslog numeric facility of the event."},{"field":"log.syslog.facility.name","type":"keyword","normalization":"","example":"local7","description":"Syslog text-based facility of the event."},{"field":"log.syslog.hostname","type":"keyword","normalization":"","example":"example-host","description":"The host that originated the Syslog message."},{"field":"log.syslog.msgid","type":"keyword","normalization":"","example":"ID47","description":"An identifier for the type of Syslog message."},{"field":"log.syslog.priority","type":"long","normalization":"","example":135,"description":"Syslog priority of the event."},{"field":"log.syslog.procid","type":"keyword","normalization":"","example":12345,"description":"The process name or ID that originated the Syslog message."},{"field":"log.syslog.severity.code","type":"long","normalization":"","example":3,"description":"Syslog numeric severity of the event."},{"field":"log.syslog.severity.name","type":"keyword","normalization":"","example":"Error","description":"Syslog text-based severity of the event."},{"field":"log.syslog.structured_data","type":"flattened","normalization":"","example":"","description":"Structured 
data expressed in RFC 5424 messages."},{"field":"log.syslog.version","type":"keyword","normalization":"","example":1,"description":"Syslog protocol version."},{"field":"network.application","type":"keyword","normalization":"","example":"aim","description":"Application level protocol name."},{"field":"network.bytes","type":"long","normalization":"","example":368,"description":"Total bytes transferred in both directions."},{"field":"network.community_id","type":"keyword","normalization":"","example":"1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=","description":"A hash of source and destination IPs and ports."},{"field":"network.direction","type":"keyword","normalization":"","example":"inbound","description":"Direction of the network traffic."},{"field":"network.forwarded_ip","type":"ip","normalization":"","example":"192.1.1.2","description":"Host IP address when the source IP address is the proxy."},{"field":"network.iana_number","type":"keyword","normalization":"","example":6,"description":"IANA Protocol Number."},{"field":"network.inner","type":"object","normalization":"","example":"","description":"Inner VLAN tag information"},{"field":"network.inner.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"network.inner.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"network.name","type":"keyword","normalization":"","example":"Guest Wifi","description":"Name given by operators to sections of their network."},{"field":"network.packets","type":"long","normalization":"","example":24,"description":"Total packets transferred in both directions."},{"field":"network.protocol","type":"keyword","normalization":"","example":"http","description":"Application protocol name."},{"field":"network.transport","type":"keyword","normalization":"","example":"tcp","description":"Protocol Name corresponding to the field 
`iana_number`."},{"field":"network.type","type":"keyword","normalization":"","example":"ipv4","description":"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"},{"field":"network.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"network.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress","type":"object","normalization":"","example":"","description":"Object field for egress information"},{"field":"observer.egress.interface.alias","type":"keyword","normalization":"","example":"outside","description":"Interface alias"},{"field":"observer.egress.interface.id","type":"keyword","normalization":"","example":10,"description":"Interface ID"},{"field":"observer.egress.interface.name","type":"keyword","normalization":"","example":"eth0","description":"Interface name"},{"field":"observer.egress.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"observer.egress.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress.zone","type":"keyword","normalization":"","example":"Public_Internet","description":"Observer Egress zone"},{"field":"observer.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"observer.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"observer.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"observer.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO 
code."},{"field":"observer.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"observer.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"observer.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"observer.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"observer.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"observer.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"observer.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"observer.hostname","type":"keyword","normalization":"","example":"","description":"Hostname of the observer."},{"field":"observer.ingress","type":"object","normalization":"","example":"","description":"Object field for ingress information"},{"field":"observer.ingress.interface.alias","type":"keyword","normalization":"","example":"outside","description":"Interface alias"},{"field":"observer.ingress.interface.id","type":"keyword","normalization":"","example":10,"description":"Interface ID"},{"field":"observer.ingress.interface.name","type":"keyword","normalization":"","example":"eth0","description":"Interface name"},{"field":"observer.ingress.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"observer.ingress.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.ingress.zone","type":"keyword","normalization":"","example":"DMZ","description":"Observer ingress 
zone"},{"field":"observer.ip","type":"ip","normalization":"array","example":"","description":"IP addresses of the observer."},{"field":"observer.mac","type":"keyword","normalization":"array","example":["00-00-5E-00-53-23","00-00-5E-00-53-24"],"description":"MAC addresses of the observer."},{"field":"observer.name","type":"keyword","normalization":"","example":"1_proxySG","description":"Custom name of the observer."},{"field":"observer.os.family","type":"keyword","normalization":"","example":"debian","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"observer.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"observer.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"observer.os.kernel","type":"keyword","normalization":"","example":"4.4.0-112-generic","description":"Operating system kernel version as a raw string."},{"field":"observer.os.name","type":"keyword","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"observer.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"observer.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"observer.os.type","type":"keyword","normalization":"","example":"macos","description":"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."},{"field":"observer.os.version","type":"keyword","normalization":"","example":"10.14.1","description":"Operating system version as a raw string."},{"field":"observer.product","type":"keyword","normalization":"","example":"s200","description":"The product name of the 
observer."},{"field":"observer.serial_number","type":"keyword","normalization":"","example":"","description":"Observer serial number."},{"field":"observer.type","type":"keyword","normalization":"","example":"firewall","description":"The type of the observer the data is coming from."},{"field":"observer.vendor","type":"keyword","normalization":"","example":"Symantec","description":"Vendor name of the observer."},{"field":"observer.version","type":"keyword","normalization":"","example":"","description":"Observer version."},{"field":"orchestrator.api_version","type":"keyword","normalization":"","example":"v1beta1","description":"API version being used to carry out the action"},{"field":"orchestrator.cluster.id","type":"keyword","normalization":"","example":"","description":"Unique ID of the cluster."},{"field":"orchestrator.cluster.name","type":"keyword","normalization":"","example":"","description":"Name of the cluster."},{"field":"orchestrator.cluster.url","type":"keyword","normalization":"","example":"","description":"URL of the API used to manage the cluster."},{"field":"orchestrator.cluster.version","type":"keyword","normalization":"","example":"","description":"The version of the cluster."},{"field":"orchestrator.namespace","type":"keyword","normalization":"","example":"kube-system","description":"Namespace in which the action is taking place."},{"field":"orchestrator.organization","type":"keyword","normalization":"","example":"elastic","description":"Organization affected by the event (for multi-tenant orchestrator setups)."},{"field":"orchestrator.resource.id","type":"keyword","normalization":"","example":"","description":"Unique ID of the resource being acted upon."},{"field":"orchestrator.resource.ip","type":"ip","normalization":"array","example":"","description":"IP address assigned to the resource associated with the event being 
observed."},{"field":"orchestrator.resource.name","type":"keyword","normalization":"","example":"test-pod-cdcws","description":"Name of the resource being acted upon."},{"field":"orchestrator.resource.parent.type","type":"keyword","normalization":"","example":"DaemonSet","description":"Type or kind of the parent resource associated with the event being observed."},{"field":"orchestrator.resource.type","type":"keyword","normalization":"","example":"service","description":"Type of resource being acted upon."},{"field":"orchestrator.type","type":"keyword","normalization":"","example":"kubernetes","description":"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."},{"field":"organization.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the organization."},{"field":"organization.name","type":"keyword","normalization":"","example":"","description":"Organization name."},{"field":"organization.name.text","type":"match_only_text","normalization":"","example":"","description":"Organization name."},{"field":"package.architecture","type":"keyword","normalization":"","example":"x86_64","description":"Package architecture."},{"field":"package.build_version","type":"keyword","normalization":"","example":"36f4f7e89dd61b0988b12ee000b98966867710cd","description":"Build version information"},{"field":"package.checksum","type":"keyword","normalization":"","example":"68b329da9893e34099c7d8ad5cb9c940","description":"Checksum of the installed package for verification."},{"field":"package.description","type":"keyword","normalization":"","example":"Open source programming language to build simple/reliable/efficient software.","description":"Description of the package."},{"field":"package.install_scope","type":"keyword","normalization":"","example":"global","description":"Indicating how the package was installed, e.g. 
user-local, global."},{"field":"package.installed","type":"date","normalization":"","example":"","description":"Time when package was installed."},{"field":"package.license","type":"keyword","normalization":"","example":"Apache License 2.0","description":"Package license"},{"field":"package.name","type":"keyword","normalization":"","example":"go","description":"Package name"},{"field":"package.path","type":"keyword","normalization":"","example":"/usr/local/Cellar/go/1.12.9/","description":"Path where the package is installed."},{"field":"package.reference","type":"keyword","normalization":"","example":"https://golang.org","description":"Package home page or reference URL"},{"field":"package.size","type":"long","normalization":"","example":62231,"description":"Package size in bytes."},{"field":"package.type","type":"keyword","normalization":"","example":"rpm","description":"Package type"},{"field":"package.version","type":"keyword","normalization":"","example":"1.12.9","description":"Package version"},{"field":"process.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"process.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"process.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"process.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate 
status."},{"field":"process.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"process.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"process.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"process.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"process.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"process.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"process.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"process.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"process.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and 
types."},{"field":"process.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"process.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"process.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"process.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"process.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\" for original ELF files."},{"field":"process.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"process.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF 
header."},{"field":"process.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"process.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"process.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"process.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"process.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"process.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"process.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"process.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"process.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the 
section."},{"field":"process.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"process.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"process.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"process.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"process.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"process.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"process.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"process.end","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process ended."},{"field":"process.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.entry_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.entry_leader.attested_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.attested_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the 
user."},{"field":"process.entry_leader.attested_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.attested_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.entry_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.entry_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.entry_meta.source.ip","type":"ip","normalization":"","example":"","description":"IP address of the source."},{"field":"process.entry_leader.entry_meta.type","type":"keyword","normalization":"","example":"","description":"The entry type for the entry session leader."},{"field":"process.entry_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.entry_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.entry_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive 
shell."},{"field":"process.entry_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.entry_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.entry_leader.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.parent.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.parent.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.parent.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"process.entry_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.entry_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.entry_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major 
number."},{"field":"process.entry_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.entry_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.entry_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.env_vars","type":"keyword","normalization":"array","example":["PATH=/usr/local/bin:/usr/bin","USER=ubuntu"],"description":"Array of environment variable bindings."},{"field":"process.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.exit_code","type":"long","normalization":"","example":137,"description":"The exit code of the process."},{"field":"process.group_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.group_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args 
array."},{"field":"process.group_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.group_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.group_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.group_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.group_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.group_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.group_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.group_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.group_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.group_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the 
system/platform."},{"field":"process.group_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.group_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.group_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the 
group on the system/platform."},{"field":"process.group_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.group_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major number."},{"field":"process.group_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.group_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.group_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"process.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"process.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"process.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 
hash."},{"field":"process.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"process.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"process.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"process.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.io","type":"object","normalization":"","example":"","description":"A chunk of input or output (IO) from a single process."},{"field":"process.io.bytes_skipped","type":"object","normalization":"array","example":"","description":"An array of byte offsets and lengths denoting where IO data has been skipped."},{"field":"process.io.bytes_skipped.length","type":"long","normalization":"","example":"","description":"The length of bytes skipped."},{"field":"process.io.bytes_skipped.offset","type":"long","normalization":"","example":"","description":"The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped."},{"field":"process.io.max_bytes_per_process_exceeded","type":"boolean","normalization":"","example":"","description":"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."},{"field":"process.io.text","type":"wildcard","normalization":"","example":"","description":"A chunk of output or input sanitized to UTF-8."},{"field":"process.io.total_bytes_captured","type":"long","normalization":"","example":"","description":"The total number of bytes captured in this event."},{"field":"process.io.total_bytes_skipped","type":"long","normalization":"","example":"","description":"The total number of bytes that were not captured due to implementation restrictions such as buffer size limits."},{"field":"process.io.type","type":"keyword","normalization":"","example":"","description":"The 
type of object on which the IO action (read or write) was taken."},{"field":"process.macho.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a Mach-O file."},{"field":"process.macho.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.macho.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.macho.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.macho.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.macho.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a Mach-O file."},{"field":"process.macho.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.macho.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.macho.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.macho.sections","type":"nested","normalization":"array","example":"","description":"Section information of the Mach-O file."},{"field":"process.macho.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the 
section."},{"field":"process.macho.sections.name","type":"keyword","normalization":"","example":"","description":"Mach-O Section List name."},{"field":"process.macho.sections.physical_size","type":"long","normalization":"","example":"","description":"Mach-O Section List physical size."},{"field":"process.macho.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.macho.sections.virtual_size","type":"long","normalization":"","example":"","description":"Mach-O Section List virtual size. This is always the same as `physical_size`."},{"field":"process.macho.symhash","type":"keyword","normalization":"","example":"d3ccf195b62a9279c3c19af1080497ec","description":"A hash of the imports in a Mach-O file."},{"field":"process.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.parent.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.parent.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"process.parent.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"process.parent.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"process.parent.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional 
information about the certificate status."},{"field":"process.parent.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"process.parent.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"process.parent.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"process.parent.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"process.parent.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.parent.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.parent.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.parent.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"process.parent.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"process.parent.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"process.parent.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"process.parent.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported 
element names and types."},{"field":"process.parent.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"process.parent.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.parent.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.parent.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.parent.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"process.parent.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"process.parent.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"process.parent.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"\"0x1\" for original ELF files."},{"field":"process.parent.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.parent.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF 
file."},{"field":"process.parent.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"process.parent.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"process.parent.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.parent.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"process.parent.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"process.parent.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.parent.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"process.parent.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"process.parent.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"process.parent.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical 
size."},{"field":"process.parent.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"process.parent.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.parent.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"process.parent.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"process.parent.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"process.parent.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"process.parent.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"process.parent.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"process.parent.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"process.parent.end","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process ended."},{"field":"process.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.parent.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.parent.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process 
executable."},{"field":"process.parent.exit_code","type":"long","normalization":"","example":137,"description":"The exit code of the process."},{"field":"process.parent.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.group_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.parent.group_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.parent.group_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.parent.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"process.parent.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"process.parent.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"process.parent.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"process.parent.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"process.parent.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"process.parent.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"process.parent.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.parent.macho.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the 
Go language imports in a Mach-O file."},{"field":"process.parent.macho.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.parent.macho.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.macho.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.macho.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.parent.macho.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a Mach-O file."},{"field":"process.parent.macho.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.parent.macho.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.macho.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.macho.sections","type":"nested","normalization":"array","example":"","description":"Section information of the Mach-O file."},{"field":"process.parent.macho.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.parent.macho.sections.name","type":"keyword","normalization":"","example":"","description":"Mach-O Section List 
name."},{"field":"process.parent.macho.sections.physical_size","type":"long","normalization":"","example":"","description":"Mach-O Section List physical size."},{"field":"process.parent.macho.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.parent.macho.sections.virtual_size","type":"long","normalization":"","example":"","description":"Mach-O Section List virtual size. This is always the same as `physical_size`."},{"field":"process.parent.macho.symhash","type":"keyword","normalization":"","example":"d3ccf195b62a9279c3c19af1080497ec","description":"A hash of the imports in a Mach-O file."},{"field":"process.parent.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"process.parent.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"process.parent.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"process.parent.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Internal version of the file, provided at compile-time."},{"field":"process.parent.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"process.parent.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and 
types."},{"field":"process.parent.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.parent.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"process.parent.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"process.parent.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.parent.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"process.parent.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"process.parent.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, 
provided at compile-time."},{"field":"process.parent.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"process.parent.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.parent.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"process.parent.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"process.parent.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.parent.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"process.parent.pgid","type":"long","normalization":"","example":"","description":"Deprecated identifier of the group of processes the process belongs to."},{"field":"process.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.parent.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name 
or login of the user."},{"field":"process.parent.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.parent.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.thread.id","type":"long","normalization":"","example":4242,"description":"Thread ID."},{"field":"process.parent.thread.name","type":"keyword","normalization":"","example":"thread-0","description":"Thread name."},{"field":"process.parent.title","type":"keyword","normalization":"","example":"","description":"Process title."},{"field":"process.parent.title.text","type":"match_only_text","normalization":"","example":"","description":"Process title."},{"field":"process.parent.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.parent.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The 
TTY character device's major number."},{"field":"process.parent.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.parent.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the process has been up."},{"field":"process.parent.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.parent.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"process.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"process.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"process.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Internal version of the file, provided at compile-time."},{"field":"process.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE 
file."},{"field":"process.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"process.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"process.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"process.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"process.pe.product","type":"keyword","normalization":"","example":"Microsoft® 
Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"process.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"process.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"process.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"process.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"process.pgid","type":"long","normalization":"","example":"","description":"Deprecated identifier of the group of processes the process belongs to."},{"field":"process.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.previous.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.previous.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.previous.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.previous.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique 
identifier for the group on the system/platform."},{"field":"process.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.session_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.session_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the 
process."},{"field":"process.session_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.session_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.session_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.session_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.session_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.session_leader.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.parent.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the 
process."},{"field":"process.session_leader.parent.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.parent.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.session_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the 
group."},{"field":"process.session_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.session_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major number."},{"field":"process.session_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.session_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the 
user."},{"field":"process.session_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.session_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.thread.id","type":"long","normalization":"","example":4242,"description":"Thread ID."},{"field":"process.thread.name","type":"keyword","normalization":"","example":"thread-0","description":"Thread name."},{"field":"process.title","type":"keyword","normalization":"","example":"","description":"Process title."},{"field":"process.title.text","type":"match_only_text","normalization":"","example":"","description":"Process title."},{"field":"process.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device's major number."},{"field":"process.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device's minor number."},{"field":"process.tty.columns","type":"long","normalization":"","example":80,"description":"The number of character columns per line. e.g terminal width"},{"field":"process.tty.rows","type":"long","normalization":"","example":24,"description":"The number of character rows in the terminal. 
e.g terminal height"},{"field":"process.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the process has been up."},{"field":"process.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"registry.data.strings","type":"wildcard","normalization":"array","example":"[\"C:\\rta\\red_ttp\\bin\\myapp.exe\"]","description":"List of strings representing what was written to the registry."},{"field":"registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe","description":"Hive-relative path of keys."},{"field":"registry.path","type":"keyword","normalization":"","example":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger","description":"Full path, including 
hive, key and value"},{"field":"registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"related.hash","type":"keyword","normalization":"array","example":"","description":"All the hashes seen on your event."},{"field":"related.hosts","type":"keyword","normalization":"array","example":"","description":"All the host identifiers seen on your event."},{"field":"related.ip","type":"ip","normalization":"array","example":"","description":"All of the IPs seen on your event."},{"field":"related.user","type":"keyword","normalization":"array","example":"","description":"All the user names or other user identifiers seen on the event."},{"field":"rule.author","type":"keyword","normalization":"array","example":["Star-Lord"],"description":"Rule author"},{"field":"rule.category","type":"keyword","normalization":"","example":"Attempted Information Leak","description":"Rule category"},{"field":"rule.description","type":"keyword","normalization":"","example":"Block requests to public DNS over HTTPS / TLS protocols","description":"Rule description"},{"field":"rule.id","type":"keyword","normalization":"","example":101,"description":"Rule ID"},{"field":"rule.license","type":"keyword","normalization":"","example":"Apache 2.0","description":"Rule license"},{"field":"rule.name","type":"keyword","normalization":"","example":"BLOCK_DNS_over_TLS","description":"Rule name"},{"field":"rule.reference","type":"keyword","normalization":"","example":"https://en.wikipedia.org/wiki/DNS_over_TLS","description":"Rule reference URL"},{"field":"rule.ruleset","type":"keyword","normalization":"","example":"Standard_Protocol_Filters","description":"Rule ruleset"},{"field":"rule.uuid","type":"keyword","normalization":"","example":1100110011,"description":"Rule UUID"},{"field":"rule.version","type":"keyword","normalization":"","example":1.1,"description":"Rule 
version"},{"field":"server.address","type":"keyword","normalization":"","example":"","description":"Server network address."},{"field":"server.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"server.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"server.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"server.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the server to the client."},{"field":"server.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the server."},{"field":"server.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"server.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"server.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"server.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"server.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"server.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"server.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"server.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"server.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO 
code."},{"field":"server.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"server.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"server.ip","type":"ip","normalization":"","example":"","description":"IP address of the server."},{"field":"server.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the server."},{"field":"server.nat.ip","type":"ip","normalization":"","example":"","description":"Server NAT ip"},{"field":"server.nat.port","type":"long","normalization":"","example":"","description":"Server NAT port"},{"field":"server.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the server to the client."},{"field":"server.port","type":"long","normalization":"","example":"","description":"Port of the server."},{"field":"server.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered server domain, stripped of the subdomain."},{"field":"server.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"server.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"server.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"server.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"server.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"server.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if 
available."},{"field":"server.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"server.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"server.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"server.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"server.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"server.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"server.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"server.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"service.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the 
service."},{"field":"service.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.origin.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.origin.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.origin.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.origin.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.origin.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the service."},{"field":"service.origin.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.origin.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.origin.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.origin.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.origin.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the 
service."},{"field":"service.origin.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"service.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.target.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.target.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.target.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.target.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.target.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the service."},{"field":"service.target.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.target.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.target.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.target.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.target.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the service."},{"field":"service.target.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"service.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the 
service."},{"field":"service.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"source.address","type":"keyword","normalization":"","example":"","description":"Source network address."},{"field":"source.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"source.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"source.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"source.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the source to the destination."},{"field":"source.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the source."},{"field":"source.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"source.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"source.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"source.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"source.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"source.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"source.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"source.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal 
code."},{"field":"source.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"source.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"source.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"source.ip","type":"ip","normalization":"","example":"","description":"IP address of the source."},{"field":"source.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the source."},{"field":"source.nat.ip","type":"ip","normalization":"","example":"","description":"Source NAT ip"},{"field":"source.nat.port","type":"long","normalization":"","example":"","description":"Source NAT port"},{"field":"source.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the source to the destination."},{"field":"source.port","type":"long","normalization":"","example":"","description":"Port of the source."},{"field":"source.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered source domain, stripped of the subdomain."},{"field":"source.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"source.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"source.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"source.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"source.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if 
available."},{"field":"source.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"source.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"source.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"source.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"source.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"source.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"source.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"source.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"source.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"span.id","type":"keyword","normalization":"","example":"3ff9a8981b7ccd5a","description":"Unique identifier of the span within the scope of its trace."},{"field":"threat.enrichments","type":"nested","normalization":"array","example":"","description":"List of objects containing indicators enriching the event."},{"field":"threat.enrichments.indicator","type":"object","normalization":"","example":"","description":"Object containing indicators enriching the event."},{"field":"threat.enrichments.indicator.as.number","type":"long","normalization":"","example":15169,"description":"Unique 
number allocated to the autonomous system."},{"field":"threat.enrichments.indicator.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.enrichments.indicator.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.enrichments.indicator.confidence","type":"keyword","normalization":"","example":"Medium","description":"Indicator confidence rating"},{"field":"threat.enrichments.indicator.description","type":"keyword","normalization":"","example":"IP x.x.x.x was observed delivering the Angler EK.","description":"Indicator description"},{"field":"threat.enrichments.indicator.email.address","type":"keyword","normalization":"","example":"phish@example.com","description":"Indicator email address"},{"field":"threat.enrichments.indicator.file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"threat.enrichments.indicator.file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"threat.enrichments.indicator.file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"threat.enrichments.indicator.file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate 
status."},{"field":"threat.enrichments.indicator.file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"threat.enrichments.indicator.file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"threat.enrichments.indicator.file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"threat.enrichments.indicator.file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.enrichments.indicator.file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"threat.enrichments.indicator.file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"threat.enrichments.indicator.file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"threat.enrichments.indicator.file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"threat.enrichments.indicator.file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"threat.enrichments.indicator.file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF 
file."},{"field":"threat.enrichments.indicator.file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"threat.enrichments.indicator.file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"threat.enrichments.indicator.file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"threat.enrichments.indicator.file.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"threat.enrichments.indicator.file.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.enrichments.indicator.file.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.enrichments.indicator.file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.enrichments.indicator.file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF 
file."},{"field":"threat.enrichments.indicator.file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\" for original ELF files."},{"field":"threat.enrichments.indicator.file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.enrichments.indicator.file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"threat.enrichments.indicator.file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF 
file."},{"field":"threat.enrichments.indicator.file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"threat.enrichments.indicator.file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"threat.enrichments.indicator.file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"threat.enrichments.indicator.file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"threat.enrichments.indicator.file.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"threat.enrichments.indicator.file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"threat.enrichments.indicator.file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment 
sections."},{"field":"threat.enrichments.indicator.file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"threat.enrichments.indicator.file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"threat.enrichments.indicator.file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"threat.enrichments.indicator.file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading dot."},{"field":"threat.enrichments.indicator.file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"threat.enrichments.indicator.file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the file."},{"field":"threat.enrichments.indicator.file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"threat.enrichments.indicator.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"threat.enrichments.indicator.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"threat.enrichments.indicator.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"threat.enrichments.indicator.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"threat.enrichments.indicator.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"threat.enrichments.indicator.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP 
hash."},{"field":"threat.enrichments.indicator.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"threat.enrichments.indicator.file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"threat.enrichments.indicator.file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.enrichments.indicator.file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"threat.enrichments.indicator.file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"threat.enrichments.indicator.file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"threat.enrichments.indicator.file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner's username."},{"field":"threat.enrichments.indicator.file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"threat.enrichments.indicator.file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at 
compile-time."},{"field":"threat.enrichments.indicator.file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"threat.enrichments.indicator.file.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.enrichments.indicator.file.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.enrichments.indicator.file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and 
types."},{"field":"threat.enrichments.indicator.file.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"threat.enrichments.indicator.file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"threat.enrichments.indicator.file.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"threat.enrichments.indicator.file.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"threat.enrichments.indicator.file.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the 
section."},{"field":"threat.enrichments.indicator.file.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"threat.enrichments.indicator.file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"threat.enrichments.indicator.file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"threat.enrichments.indicator.file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.enrichments.indicator.file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"threat.enrichments.indicator.file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate 
authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. 
This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"threat.enrichments.indicator.file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state 
or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.enrichments.indicator.first_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was first reported."},{"field":"threat.enrichments.indicator.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"threat.enrichments.indicator.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"threat.enrichments.indicator.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"threat.enrichments.indicator.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"threat.enrichments.indicator.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"threat.enrichments.indicator.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"threat.enrichments.indicator.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"threat.enrichments.indicator.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"threat.enrichments.indicator.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"threat.enrichments.indicator.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region 
name."},{"field":"threat.enrichments.indicator.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"threat.enrichments.indicator.ip","type":"ip","normalization":"","example":"1.2.3.4","description":"Indicator IP address"},{"field":"threat.enrichments.indicator.last_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last reported."},{"field":"threat.enrichments.indicator.marking.tlp","type":"keyword","normalization":"","example":"CLEAR","description":"Indicator TLP marking"},{"field":"threat.enrichments.indicator.marking.tlp_version","type":"keyword","normalization":"","example":2,"description":"Indicator TLP version"},{"field":"threat.enrichments.indicator.modified_at","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last updated."},{"field":"threat.enrichments.indicator.name","type":"keyword","normalization":"","example":"5.2.75.227","description":"Indicator display name"},{"field":"threat.enrichments.indicator.port","type":"long","normalization":"","example":443,"description":"Indicator port"},{"field":"threat.enrichments.indicator.provider","type":"keyword","normalization":"","example":"lrz_urlhaus","description":"Indicator provider"},{"field":"threat.enrichments.indicator.reference","type":"keyword","normalization":"","example":"https://system.example.com/indicator/0001234","description":"Indicator reference URL"},{"field":"threat.enrichments.indicator.registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"threat.enrichments.indicator.registry.data.strings","type":"wildcard","normalization":"array","example":"[\"C:\\rta\\red_ttp\\bin\\myapp.exe\"]","description":"List of strings representing what was written to the 
registry."},{"field":"threat.enrichments.indicator.registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"threat.enrichments.indicator.registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"threat.enrichments.indicator.registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe","description":"Hive-relative path of keys."},{"field":"threat.enrichments.indicator.registry.path","type":"keyword","normalization":"","example":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger","description":"Full path, including hive, key and value"},{"field":"threat.enrichments.indicator.registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"threat.enrichments.indicator.scanner_stats","type":"long","normalization":"","example":4,"description":"Scanner statistics"},{"field":"threat.enrichments.indicator.sightings","type":"long","normalization":"","example":20,"description":"Number of times indicator observed"},{"field":"threat.enrichments.indicator.type","type":"keyword","normalization":"","example":"ipv4-addr","description":"Type of indicator"},{"field":"threat.enrichments.indicator.url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"threat.enrichments.indicator.url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.enrichments.indicator.url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the 
`#`."},{"field":"threat.enrichments.indicator.url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"threat.enrichments.indicator.url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \"/search\"."},{"field":"threat.enrichments.indicator.url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"threat.enrichments.indicator.url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"threat.enrichments.indicator.url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.enrichments.indicator.url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"threat.enrichments.indicator.url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the 
domain."},{"field":"threat.enrichments.indicator.url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.enrichments.indicator.url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"threat.enrichments.indicator.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"threat.enrichments.indicator.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or 
P)"},{"field":"threat.enrichments.indicator.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) 
code"},{"field":"threat.enrichments.indicator.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.enrichments.matched.atomic","type":"keyword","normalization":"","example":"bad-domain.com","description":"Matched indicator value"},{"field":"threat.enrichments.matched.field","type":"keyword","normalization":"","example":"file.hash.sha256","description":"Matched indicator field"},{"field":"threat.enrichments.matched.id","type":"keyword","normalization":"","example":"ff93aee5-86a1-4a61-b0e6-0cdc313d01b5","description":"Matched indicator identifier"},{"field":"threat.enrichments.matched.index","type":"keyword","normalization":"","example":"filebeat-8.0.0-2021.05.23-000011","description":"Matched indicator index"},{"field":"threat.enrichments.matched.occurred","type":"date","normalization":"","example":"2021-10-05T17:00:58.326Z","description":"Date of 
match"},{"field":"threat.enrichments.matched.type","type":"keyword","normalization":"","example":"indicator_match_rule","description":"Type of indicator match"},{"field":"threat.feed.dashboard_id","type":"keyword","normalization":"","example":"5ba16340-72e6-11eb-a3e3-b3cc7c78a70f","description":"Feed dashboard ID."},{"field":"threat.feed.description","type":"keyword","normalization":"","example":"Threat feed from the AlienVault Open Threat eXchange network.","description":"Description of the threat feed."},{"field":"threat.feed.name","type":"keyword","normalization":"","example":"AlienVault OTX","description":"Name of the threat feed."},{"field":"threat.feed.reference","type":"keyword","normalization":"","example":"https://otx.alienvault.com","description":"Reference for the threat feed."},{"field":"threat.framework","type":"keyword","normalization":"","example":"MITRE ATT&CK","description":"Threat classification framework."},{"field":"threat.group.alias","type":"keyword","normalization":"array","example":["Magecart Group 6"],"description":"Alias of the group."},{"field":"threat.group.id","type":"keyword","normalization":"","example":"G0037","description":"ID of the group."},{"field":"threat.group.name","type":"keyword","normalization":"","example":"FIN6","description":"Name of the group."},{"field":"threat.group.reference","type":"keyword","normalization":"","example":"https://attack.mitre.org/groups/G0037/","description":"Reference URL of the group."},{"field":"threat.indicator.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"threat.indicator.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.indicator.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization 
name."},{"field":"threat.indicator.confidence","type":"keyword","normalization":"","example":"Medium","description":"Indicator confidence rating"},{"field":"threat.indicator.description","type":"keyword","normalization":"","example":"IP x.x.x.x was observed delivering the Angler EK.","description":"Indicator description"},{"field":"threat.indicator.email.address","type":"keyword","normalization":"","example":"phish@example.com","description":"Indicator email address"},{"field":"threat.indicator.file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"threat.indicator.file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"threat.indicator.file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"threat.indicator.file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"threat.indicator.file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"threat.indicator.file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"threat.indicator.file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the 
process."},{"field":"threat.indicator.file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"threat.indicator.file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"threat.indicator.file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.indicator.file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"threat.indicator.file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"threat.indicator.file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"threat.indicator.file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"threat.indicator.file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"threat.indicator.file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"threat.indicator.file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"threat.indicator.file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"threat.indicator.file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile 
date."},{"field":"threat.indicator.file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"threat.indicator.file.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"threat.indicator.file.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.indicator.file.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.indicator.file.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"threat.indicator.file.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.indicator.file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.indicator.file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"threat.indicator.file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"threat.indicator.file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"threat.indicator.file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"\"0x1\" for original ELF files."},{"field":"threat.indicator.file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application 
Binary Interface (ABI) of the Linux OS."},{"field":"threat.indicator.file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"threat.indicator.file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"threat.indicator.file.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"threat.indicator.file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.indicator.file.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"threat.indicator.file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"threat.indicator.file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.indicator.file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"threat.indicator.file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"threat.indicator.file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section 
List offset."},{"field":"threat.indicator.file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"threat.indicator.file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"threat.indicator.file.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"threat.indicator.file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"threat.indicator.file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"threat.indicator.file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"threat.indicator.file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"threat.indicator.file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"threat.indicator.file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"threat.indicator.file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"threat.indicator.file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading dot."},{"field":"threat.indicator.file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifier","description":"A fork is additional data associated with a filesystem 
object."},{"field":"threat.indicator.file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the file."},{"field":"threat.indicator.file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"threat.indicator.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"threat.indicator.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"threat.indicator.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"threat.indicator.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"threat.indicator.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"threat.indicator.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"threat.indicator.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"threat.indicator.file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"threat.indicator.file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.indicator.file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"threat.indicator.file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"threat.indicator.file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the 
directory."},{"field":"threat.indicator.file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner's username."},{"field":"threat.indicator.file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"threat.indicator.file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Internal version of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"threat.indicator.file.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.indicator.file.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.indicator.file.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go 
imports."},{"field":"threat.indicator.file.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.indicator.file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"threat.indicator.file.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"threat.indicator.file.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.indicator.file.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"threat.indicator.file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"threat.indicator.file.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon 
entropy calculation from the section."},{"field":"threat.indicator.file.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"threat.indicator.file.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"threat.indicator.file.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"threat.indicator.file.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"threat.indicator.file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"threat.indicator.file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.indicator.file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.indicator.file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"threat.indicator.file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.indicator.file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) 
codes"},{"field":"threat.indicator.file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. 
This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.indicator.file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.indicator.file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"threat.indicator.file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.indicator.file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or 
P)"},{"field":"threat.indicator.file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.indicator.first_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was first reported."},{"field":"threat.indicator.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"threat.indicator.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"threat.indicator.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"threat.indicator.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"threat.indicator.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"threat.indicator.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"threat.indicator.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"threat.indicator.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"threat.indicator.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"threat.indicator.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"threat.indicator.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"threat.indicator.ip","type":"ip","normalization":"","example":"1.2.3.4","description":"Indicator IP 
address"},{"field":"threat.indicator.last_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last reported."},{"field":"threat.indicator.marking.tlp","type":"keyword","normalization":"","example":"CLEAR","description":"Indicator TLP marking"},{"field":"threat.indicator.marking.tlp_version","type":"keyword","normalization":"","example":2,"description":"Indicator TLP version"},{"field":"threat.indicator.modified_at","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last updated."},{"field":"threat.indicator.name","type":"keyword","normalization":"","example":"5.2.75.227","description":"Indicator display name"},{"field":"threat.indicator.port","type":"long","normalization":"","example":443,"description":"Indicator port"},{"field":"threat.indicator.provider","type":"keyword","normalization":"","example":"lrz_urlhaus","description":"Indicator provider"},{"field":"threat.indicator.reference","type":"keyword","normalization":"","example":"https://system.example.com/indicator/0001234","description":"Indicator reference URL"},{"field":"threat.indicator.registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"threat.indicator.registry.data.strings","type":"wildcard","normalization":"array","example":"[\"C:\\rta\\red_ttp\\bin\\myapp.exe\"]","description":"List of strings representing what was written to the registry."},{"field":"threat.indicator.registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"threat.indicator.registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"threat.indicator.registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Image File Execution Options\\winword.exe","description":"Hive-relative path of keys."},{"field":"threat.indicator.registry.path","type":"keyword","normalization":"","example":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger","description":"Full path, including hive, key and value"},{"field":"threat.indicator.registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"threat.indicator.scanner_stats","type":"long","normalization":"","example":4,"description":"Scanner statistics"},{"field":"threat.indicator.sightings","type":"long","normalization":"","example":20,"description":"Number of times indicator observed"},{"field":"threat.indicator.type","type":"keyword","normalization":"","example":"ipv4-addr","description":"Type of indicator"},{"field":"threat.indicator.url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"threat.indicator.url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.indicator.url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"threat.indicator.url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.indicator.url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.indicator.url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event 
source."},{"field":"threat.indicator.url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"threat.indicator.url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \"/search\"."},{"field":"threat.indicator.url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"threat.indicator.url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"threat.indicator.url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.indicator.url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"threat.indicator.url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"threat.indicator.url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.indicator.url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"threat.indicator.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate 
authority."},{"field":"threat.indicator.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"threat.indicator.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.indicator.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. 
This is algorithm specific."},{"field":"threat.indicator.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.indicator.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.indicator.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"threat.indicator.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.indicator.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.indicator.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of 
subject."},{"field":"threat.indicator.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.software.alias","type":"keyword","normalization":"array","example":["X-Agent"],"description":"Alias of the software"},{"field":"threat.software.id","type":"keyword","normalization":"","example":"S0552","description":"ID of the software"},{"field":"threat.software.name","type":"keyword","normalization":"","example":"AdFind","description":"Name of the software."},{"field":"threat.software.platforms","type":"keyword","normalization":"array","example":["Windows"],"description":"Platforms of the software."},{"field":"threat.software.reference","type":"keyword","normalization":"","example":"https://attack.mitre.org/software/S0552/","description":"Software reference URL."},{"field":"threat.software.type","type":"keyword","normalization":"","example":"Tool","description":"Software type."},{"field":"threat.tactic.id","type":"keyword","normalization":"array","example":"TA0002","description":"Threat tactic id."},{"field":"threat.tactic.name","type":"keyword","normalization":"array","example":"Execution","description":"Threat tactic."},{"field":"threat.tactic.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/tactics/TA0002/","description":"Threat tactic URL reference."},{"field":"threat.technique.id","type":"keyword","normalization":"array","example":"T1059","description":"Threat technique id."},{"field":"threat.technique.name","type":"keyword","normalization":"array","example":"Command and Scripting Interpreter","description":"Threat technique name."},{"field":"threat.technique.name.text","type":"match_only_text","normalization":"","example":"Command and Scripting 
Interpreter","description":"Threat technique name."},{"field":"threat.technique.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/techniques/T1059/","description":"Threat technique URL reference."},{"field":"threat.technique.subtechnique.id","type":"keyword","normalization":"array","example":"T1059.001","description":"Threat subtechnique id."},{"field":"threat.technique.subtechnique.name","type":"keyword","normalization":"array","example":"PowerShell","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.name.text","type":"match_only_text","normalization":"","example":"PowerShell","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/techniques/T1059/001/","description":"Threat subtechnique URL reference."},{"field":"tls.cipher","type":"keyword","normalization":"","example":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","description":"String indicating the cipher used during the current connection."},{"field":"tls.client.certificate","type":"keyword","normalization":"","example":"MII...","description":"PEM-encoded stand-alone certificate offered by the client."},{"field":"tls.client.certificate_chain","type":"keyword","normalization":"array","example":["MII...","MII..."],"description":"Array of PEM-encoded certificates that make up the certificate chain offered by the client."},{"field":"tls.client.hash.md5","type":"keyword","normalization":"","example":"0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha1","type":"keyword","normalization":"","example":"9E393D93138888D288266C2D915214D1D1CCEB2A","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the 
client."},{"field":"tls.client.hash.sha256","type":"keyword","normalization":"","example":"0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.issuer","type":"keyword","normalization":"","example":"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com","description":"Distinguished name of subject of the issuer of the x.509 certificate presented by the client."},{"field":"tls.client.ja3","type":"keyword","normalization":"","example":"d4e5b18d6b55c71272893221c96ba240","description":"A hash that identifies clients based on how they perform an SSL/TLS handshake."},{"field":"tls.client.not_after","type":"date","normalization":"","example":"2021-01-01T00:00:00.000Z","description":"Date/Time indicating when client certificate is no longer considered valid."},{"field":"tls.client.not_before","type":"date","normalization":"","example":"1970-01-01T00:00:00.000Z","description":"Date/Time indicating when client certificate is first considered valid."},{"field":"tls.client.server_name","type":"keyword","normalization":"","example":"www.elastic.co","description":"Hostname the client is trying to connect to. 
Also called the SNI."},{"field":"tls.client.subject","type":"keyword","normalization":"","example":"CN=myclient, OU=Documentation Team, DC=example, DC=com","description":"Distinguished name of subject of the x.509 certificate presented by the client."},{"field":"tls.client.supported_ciphers","type":"keyword","normalization":"array","example":["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","..."],"description":"Array of ciphers offered by the client during the client hello."},{"field":"tls.client.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"tls.client.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"tls.client.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"tls.client.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.client.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.client.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or 
province names (ST, S, or P)"},{"field":"tls.client.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.client.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"tls.client.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"tls.client.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.client.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.client.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"tls.client.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"tls.client.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"tls.client.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"tls.client.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"tls.client.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of 
the certificate subject entity."},{"field":"tls.client.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"tls.client.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"tls.client.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"tls.client.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"tls.curve","type":"keyword","normalization":"","example":"secp256r1","description":"String indicating the curve used for the given cipher, when applicable."},{"field":"tls.established","type":"boolean","normalization":"","example":"","description":"Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel."},{"field":"tls.next_protocol","type":"keyword","normalization":"","example":"http/1.1","description":"String indicating the protocol being tunneled."},{"field":"tls.resumed","type":"boolean","normalization":"","example":"","description":"Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation."},{"field":"tls.server.certificate","type":"keyword","normalization":"","example":"MII...","description":"PEM-encoded stand-alone certificate offered by the server."},{"field":"tls.server.certificate_chain","type":"keyword","normalization":"array","example":["MII...","MII..."],"description":"Array of PEM-encoded certificates that make up the certificate chain offered by the 
server."},{"field":"tls.server.hash.md5","type":"keyword","normalization":"","example":"0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha1","type":"keyword","normalization":"","example":"9E393D93138888D288266C2D915214D1D1CCEB2A","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha256","type":"keyword","normalization":"","example":"0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.issuer","type":"keyword","normalization":"","example":"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com","description":"Subject of the issuer of the x.509 certificate presented by the server."},{"field":"tls.server.ja3s","type":"keyword","normalization":"","example":"394441ab65754e2207b1e1b457b3641d","description":"A hash that identifies servers based on how they perform an SSL/TLS handshake."},{"field":"tls.server.not_after","type":"date","normalization":"","example":"2021-01-01T00:00:00.000Z","description":"Timestamp indicating when server certificate is no longer considered valid."},{"field":"tls.server.not_before","type":"date","normalization":"","example":"1970-01-01T00:00:00.000Z","description":"Timestamp indicating when server certificate is first considered valid."},{"field":"tls.server.subject","type":"keyword","normalization":"","example":"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com","description":"Subject of the x.509 certificate presented by the server."},{"field":"tls.server.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names 
(SAN)."},{"field":"tls.server.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) codes"},{"field":"tls.server.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"tls.server.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.server.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.server.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.server.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"tls.server.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"tls.server.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve 
used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.server.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.server.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"tls.server.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"tls.server.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"tls.server.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"tls.server.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\(C) code"},{"field":"tls.server.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.server.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"tls.server.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"tls.server.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"tls.server.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state 
or province names (ST, S, or P)"},{"field":"tls.server.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"tls.version","type":"keyword","normalization":"","example":1.2,"description":"Numeric part of the version parsed from the original string."},{"field":"tls.version_protocol","type":"keyword","normalization":"","example":"tls","description":"Normalized lowercase protocol name parsed from original string."},{"field":"trace.id","type":"keyword","normalization":"","example":"4bf92f3577b34da6a3ce929d0e0e4736","description":"Unique identifier of the trace."},{"field":"transaction.id","type":"keyword","normalization":"","example":"00f067aa0ba902b7","description":"Unique identifier of the transaction within the scope of its trace."},{"field":"url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event 
source."},{"field":"url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \"/search\"."},{"field":"url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"user.changes.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.changes.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.changes.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.changes.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.changes.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.changes.group.id","type":"keyword","normalization":"","example":"","description":"Unique 
identifier for the group on the system/platform."},{"field":"user.changes.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.changes.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.changes.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.changes.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.changes.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.changes.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.effective.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.effective.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.effective.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.effective.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.effective.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.effective.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the 
system/platform."},{"field":"user.effective.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.effective.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.effective.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.effective.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.effective.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.effective.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized 
form."},{"field":"user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.risk.calculated_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"user.risk.calculated_score","type":"float","normalization":"","example":880.73,"description":"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"user.risk.calculated_score_norm","type":"float","normalization":"","example":88.73,"description":"A normalized risk score calculated by an internal system."},{"field":"user.risk.static_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"user.risk.static_score","type":"float","normalization":"","example":830,"description":"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"user.risk.static_score_norm","type":"float","normalization":"","example":83,"description":"A normalized risk score calculated by an external system."},{"field":"user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.target.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member 
of."},{"field":"user.target.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.target.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.target.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User's full name, if available."},{"field":"user.target.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.target.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.target.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.target.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.target.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.target.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.target.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.target.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user_agent.device.name","type":"keyword","normalization":"","example":"iPhone","description":"Name of the device."},{"field":"user_agent.name","type":"keyword","normalization":"","example":"Safari","description":"Name of the user agent."},{"field":"user_agent.original","type":"keyword","normalization":"","example":"Mozilla/5.0 (iPhone; 
CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","description":"Unparsed user_agent string."},{"field":"user_agent.original.text","type":"match_only_text","normalization":"","example":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","description":"Unparsed user_agent string."},{"field":"user_agent.os.family","type":"keyword","normalization":"","example":"debian","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"user_agent.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.kernel","type":"keyword","normalization":"","example":"4.4.0-112-generic","description":"Operating system kernel version as a raw string."},{"field":"user_agent.os.name","type":"keyword","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"user_agent.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"user_agent.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"user_agent.os.type","type":"keyword","normalization":"","example":"macos","description":"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."},{"field":"user_agent.os.version","type":"keyword","normalization":"","example":"10.14.1","description":"Operating system version as a raw 
string."},{"field":"user_agent.version","type":"keyword","normalization":"","example":12,"description":"Version of the user agent."},{"field":"vulnerability.category","type":"keyword","normalization":"array","example":["Firewall"],"description":"Category of a vulnerability."},{"field":"vulnerability.classification","type":"keyword","normalization":"","example":"CVSS","description":"Classification of the vulnerability."},{"field":"vulnerability.description","type":"keyword","normalization":"","example":"In macOS before 2.12.6, there is a vulnerability in the RPC...","description":"Description of the vulnerability."},{"field":"vulnerability.description.text","type":"match_only_text","normalization":"","example":"In macOS before 2.12.6, there is a vulnerability in the RPC...","description":"Description of the vulnerability."},{"field":"vulnerability.enumeration","type":"keyword","normalization":"","example":"CVE","description":"Identifier of the vulnerability."},{"field":"vulnerability.id","type":"keyword","normalization":"","example":"CVE-2019-00001","description":"ID of the vulnerability."},{"field":"vulnerability.reference","type":"keyword","normalization":"","example":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111","description":"Reference of the vulnerability."},{"field":"vulnerability.report_id","type":"keyword","normalization":"","example":20191018.0001,"description":"Scan identification number."},{"field":"vulnerability.scanner.vendor","type":"keyword","normalization":"","example":"Tenable","description":"Name of the scanner vendor."},{"field":"vulnerability.score.base","type":"float","normalization":"","example":5.5,"description":"Vulnerability Base score."},{"field":"vulnerability.score.environmental","type":"float","normalization":"","example":5.5,"description":"Vulnerability Environmental score."},{"field":"vulnerability.score.temporal","type":"float","normalization":"","example":"","description":"Vulnerability Temporal 
score."},{"field":"vulnerability.score.version","type":"keyword","normalization":"","example":2,"description":"CVSS version."},{"field":"vulnerability.severity","type":"keyword","normalization":"","example":"Critical","description":"Severity of the vulnerability."}]
\ No newline at end of file
diff --git a/x-pack/plugins/osquery/public/common/schemas/osquery/v5.5.1.json b/x-pack/plugins/osquery/public/common/schemas/osquery/v5.5.1.json
deleted file mode 100644
index 046fd2e7a6a39..0000000000000
--- a/x-pack/plugins/osquery/public/common/schemas/osquery/v5.5.1.json
+++ /dev/null
@@ -1 +0,0 @@
-[{"name":"account_policy_data","description":"Additional macOS user account data from the AccountPolicy section of OpenDirectory.","platforms":["darwin"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the account was first created","type":"double","hidden":false,"required":false,"index":false},{"name":"failed_login_count","description":"The number of failed login attempts using an incorrect password. Count resets after a correct password is entered.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"failed_login_timestamp","description":"The time of the last failed login attempt. Resets after a correct password is entered","type":"double","hidden":false,"required":false,"index":false},{"name":"password_last_set_time","description":"The time the password was last changed","type":"double","hidden":false,"required":false,"index":false}]},{"name":"acpi_tables","description":"Firmware ACPI functional table common metadata and content.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"ACPI table name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of compiled table data","type":"integer","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table content","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ad_config","description":"macOS Active Directory configuration.","platforms":["darwin"],"columns":[{"name":"name","description":"The macOS-specific configuration name","type":"text","hidden":false,"required":false,"index":false},{"name":"domain","description":"Active Directory trust domain","type":"text","hidden":false,"required":false,"index":false},{"name":"option","description":"Canonical name of 
option","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Variable typed option value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"alf","description":"macOS application layer firewall (ALF) service details.","platforms":["darwin"],"columns":[{"name":"allow_signed_enabled","description":"1 If allow signed mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"firewall_unload","description":"1 If firewall unloading enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"global_state","description":"1 If the firewall is enabled with exceptions, 2 if the firewall is configured to block all incoming connections, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_enabled","description":"1 If logging mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_option","description":"Firewall logging option","type":"integer","hidden":false,"required":false,"index":false},{"name":"stealth_enabled","description":"1 If stealth mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Application Layer Firewall version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"alf_exceptions","description":"macOS application layer firewall (ALF) service exceptions.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to the executable that is excepted","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Firewall exception state","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"alf_explicit_auths","description":"ALF services explicitly allowed to perform networking.","platforms":["darwin"],"columns":[{"name":"process","description":"Process name explicitly 
allowed","type":"text","hidden":false,"required":false,"index":false}]},{"name":"app_schemes","description":"macOS application schemes and handlers (e.g., http, file, mailto).","platforms":["darwin"],"columns":[{"name":"scheme","description":"Name of the scheme/protocol","type":"text","hidden":false,"required":false,"index":false},{"name":"handler","description":"Application label for the handler","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if this handler is the OS default, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"external","description":"1 if this handler does NOT exist on macOS by default, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"protected","description":"1 if this handler is protected (reserved) by macOS, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"apparmor_events","description":"Track AppArmor events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Raw audit message","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"apparmor","description":"Apparmor Status like ALLOWED, DENIED etc.","type":"text","hidden":false,"required":false,"index":false},{"name":"operation","description":"Permission requested by the process","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process 
PID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"profile","description":"Apparmor profile name","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"denied_mask","description":"Denied permissions for the process","type":"text","hidden":false,"required":false,"index":false},{"name":"capname","description":"Capability requested by the process","type":"text","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"ouid","description":"Object owner's user ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"capability","description":"Capability number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"requested_mask","description":"Requested access mask","type":"text","hidden":false,"required":false,"index":false},{"name":"info","description":"Additional information","type":"text","hidden":false,"required":false,"index":false},{"name":"error","description":"Error information","type":"text","hidden":false,"required":false,"index":false},{"name":"namespace","description":"AppArmor namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"AppArmor label","type":"text","hidden":false,"required":false,"index":false}]},{"name":"apparmor_profiles","description":"Track active AppArmor profiles.","platforms":["linux"],"columns":[{"name":"path","description":"Unique, aa-status compatible, policy 
identifier.","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Policy name.","type":"text","hidden":false,"required":false,"index":false},{"name":"attach","description":"Which executable(s) a profile will attach to.","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"How the policy is applied.","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"A unique hash that identifies this policy.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"appcompat_shims","description":"Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.","platforms":["windows"],"columns":[{"name":"executable","description":"Name of the executable that is being shimmed. This is pulled from the registry.","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to the SDB database.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the SDB.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Install time of the SDB","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the SDB database.","type":"text","hidden":false,"required":false,"index":false},{"name":"sdb_id","description":"Unique GUID of the SDB.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"apps","description":"macOS applications installed in known search paths (e.g., /Applications).","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the Name.app folder","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute and full 
Name.app path","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_executable","description":"Info properties CFBundleExecutable label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_identifier","description":"Info properties CFBundleIdentifier label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_name","description":"Info properties CFBundleName label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_short_version","description":"Info properties CFBundleShortVersionString label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_version","description":"Info properties CFBundleVersion label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_package_type","description":"Info properties CFBundlePackageType label","type":"text","hidden":false,"required":false,"index":false},{"name":"environment","description":"Application-set environment variables","type":"text","hidden":false,"required":false,"index":false},{"name":"element","description":"Does the app identify as a background agent","type":"text","hidden":false,"required":false,"index":false},{"name":"compiler","description":"Info properties DTCompiler label","type":"text","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Info properties CFBundleDevelopmentRegion label","type":"text","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Info properties CFBundleDisplayName label","type":"text","hidden":false,"required":false,"index":false},{"name":"info_string","description":"Info properties CFBundleGetInfoString label","type":"text","hidden":false,"required":false,"index":false},{"name":"minimum_system_version","description":"Minimum version of macOS required for the app to run","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The UTI 
that categorizes the app for the App Store","type":"text","hidden":false,"required":false,"index":false},{"name":"applescript_enabled","description":"Info properties NSAppleScriptEnabled label","type":"text","hidden":false,"required":false,"index":false},{"name":"copyright","description":"Info properties NSHumanReadableCopyright label","type":"text","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"The time that the app was last used","type":"double","hidden":false,"required":false,"index":false}]},{"name":"apt_sources","description":"Current list of APT repositories or software channels.","platforms":["linux"],"columns":[{"name":"name","description":"Repository name","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source file","type":"text","hidden":false,"required":false,"index":false},{"name":"base_uri","description":"Repository base URI","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"Release name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Repository source version","type":"text","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Repository maintainer","type":"text","hidden":false,"required":false,"index":false},{"name":"components","description":"Repository components","type":"text","hidden":false,"required":false,"index":false},{"name":"architectures","description":"Repository architectures","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"arp_cache","description":"Address resolution cache, both static and dynamic (from ARP, NDP).","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"address","description":"IPv4 address 
target","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address of broadcasted address","type":"text","hidden":false,"required":false,"index":false},{"name":"interface","description":"Interface of the network for the MAC","type":"text","hidden":false,"required":false,"index":false},{"name":"permanent","description":"1 for true, 0 for false","type":"text","hidden":false,"required":false,"index":false}]},{"name":"asl","description":"Queries the Apple System Log data structure for system events.","platforms":["darwin"],"columns":[{"name":"time","description":"Unix timestamp. Set automatically","type":"integer","hidden":false,"required":false,"index":false},{"name":"time_nano_sec","description":"Nanosecond time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"host","description":"Sender's address (set by the server).","type":"text","hidden":false,"required":false,"index":false},{"name":"sender","description":"Sender's identification string. Default is process name.","type":"text","hidden":false,"required":false,"index":false},{"name":"facility","description":"Sender's facility. Default is 'user'.","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Sending process ID encoded as a string. Set automatically.","type":"integer","hidden":false,"required":false,"index":false},{"name":"gid","description":"GID that sent the log message (set by the server).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"UID that sent the log message (set by the server).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"level","description":"Log level number. 
See levels in asl.h.","type":"integer","hidden":false,"required":false,"index":false},{"name":"message","description":"Message text.","type":"text","hidden":false,"required":false,"index":false},{"name":"ref_pid","description":"Reference PID for messages proxied by launchd","type":"integer","hidden":false,"required":false,"index":false},{"name":"ref_proc","description":"Reference process for messages proxied by launchd","type":"text","hidden":false,"required":false,"index":false},{"name":"extra","description":"Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"atom_packages","description":"Lists all atom packages in a directory or globally installed in a system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Package supplied description","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Package's package.json path","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License for package","type":"text","hidden":false,"required":false,"index":false},{"name":"homepage","description":"Package supplied homepage","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the plugin","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"augeas","description":"Configuration files parsed by augeas.","platforms":["darwin","linux"],"columns":[{"name":"node","description":"The node path of the configuration 
item","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The value of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"The label of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path to the configuration file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authenticode","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["windows"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"original_program_name","description":"The original program name that the publisher has signed","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_name","description":"The certificate issuer name","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_name","description":"The certificate subject name","type":"text","hidden":false,"required":false,"index":false},{"name":"result","description":"The signature check result","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorization_mechanisms","description":"macOS Authorization mechanisms database.","platforms":["darwin"],"columns":[{"name":"label","description":"Label of the authorization right","type":"text","hidden":false,"required":false,"index":false},{"name":"plugin","description":"Authorization plugin name","type":"text","hidden":false,"required":false,"index":false},{"name":"mechanism","description":"Name of the mechanism that will be called","type":"text","hidden":false,"required":false,"index":false},{"name":"privileged","description":"If privileged it will run as root, else as an anonymous 
user","type":"text","hidden":false,"required":false,"index":false},{"name":"entry","description":"The whole string entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorizations","description":"macOS Authorization rights database.","platforms":["darwin"],"columns":[{"name":"label","description":"Item name, usually in reverse domain format","type":"text","hidden":false,"required":false,"index":false},{"name":"modified","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"allow_root","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"timeout","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"tries","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"authenticate_user","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"shared","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"session_owner","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorized_keys","description":"A line-delimited authorized_keys table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local owner of authorized_keys 
file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"algorithm","description":"Key type","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Key encoded as base64","type":"text","hidden":false,"required":false,"index":false},{"name":"options","description":"Optional list of login options","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional comment","type":"text","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to the authorized_keys file","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"autoexec","description":"Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the executable","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the program","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source table of the autoexec item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_metadata","description":"Azure instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"location","description":"Azure Region the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"offer","description":"Offer information for the VM image (Azure image gallery VMs only)","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Publisher of the VM 
image","type":"text","hidden":false,"required":false,"index":false},{"name":"sku","description":"SKU for the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Linux or Windows","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_update_domain","description":"Update domain the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_fault_domain","description":"Fault domain the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_size","description":"VM size","type":"text","hidden":false,"required":false,"index":false},{"name":"subscription_id","description":"Azure subscription for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"resource_group_name","description":"Resource group for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"placement_group_id","description":"Placement group for the VM scale set","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_scale_set_name","description":"VM scale set name","type":"text","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_tags","description":"Azure instance tags.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"vm_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"The tag key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The tag 
value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"background_activities_moderator","description":"Background Activities Moderator (BAM) tracks application execution.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"battery","description":"Provides information about the internal battery of a Macbook.","platforms":["darwin"],"columns":[{"name":"manufacturer","description":"The battery manufacturer's name","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacture_date","description":"The date the battery was manufactured UNIX Epoch","type":"integer","hidden":false,"required":false,"index":false},{"name":"model","description":"The battery's model number","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The battery's unique serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"cycle_count","description":"The number of charge/discharge cycles","type":"integer","hidden":false,"required":false,"index":false},{"name":"health","description":"One of the following: \"Good\" describes a well-performing battery, \"Fair\" describes a functional battery with limited capacity, or \"Poor\" describes a battery that's not capable of providing power","type":"text","hidden":false,"required":false,"index":false},{"name":"condition","description":"One of the following: \"Normal\" indicates the condition of the battery is within normal tolerances, \"Service Needed\" indicates that the battery should be checked out by a licensed Mac repair service, \"Permanent Failure\" indicates the battery needs 
replacement","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"One of the following: \"AC Power\" indicates the battery is connected to an external power source, \"Battery Power\" indicates that the battery is drawing internal power, \"Off Line\" indicates the battery is off-line or no longer connected","type":"text","hidden":false,"required":false,"index":false},{"name":"charging","description":"1 if the battery is currently being charged by a power source. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"charged","description":"1 if the battery is currently completely charged. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"designed_capacity","description":"The battery's designed capacity in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"The battery's actual capacity when it is fully charged in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"current_capacity","description":"The battery's current charged capacity in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"percent_remaining","description":"The percentage of battery remaining before it is drained","type":"integer","hidden":false,"required":false,"index":false},{"name":"amperage","description":"The battery's current amperage in mA","type":"integer","hidden":false,"required":false,"index":false},{"name":"voltage","description":"The battery's current voltage in mV","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes_until_empty","description":"The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes_to_full_charge","description":"The number of minutes until the battery is fully charged. 
This value is -1 if this time is still being calculated","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"bitlocker_info","description":"Retrieve bitlocker status of the machine.","platforms":["windows"],"columns":[{"name":"device_id","description":"ID of the encrypted drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"Drive letter of the encrypted drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"persistent_volume_id","description":"Persistent ID of the drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"conversion_status","description":"The bitlocker conversion status of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"protection_status","description":"The bitlocker protection status of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"encryption_method","description":"The encryption type of the device.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The FVE metadata version of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"percentage_encrypted","description":"The percentage of the drive that is encrypted.","type":"integer","hidden":false,"required":false,"index":false},{"name":"lock_status","description":"The accessibility status of the drive from Windows.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"block_devices","description":"Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Block device name","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Block device parent name","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Block device vendor 
string","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"Block device model string identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Block device size in blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Block device Universally Unique Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Block device type string","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"Block device label string","type":"text","hidden":false,"required":false,"index":false}]},{"name":"bpf_process_events","description":"Track time/action process executions.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be captured","type":"integer","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Binary 
path","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","hidden":false,"required":false,"index":false},{"name":"json_cmdline","description":"Command line arguments, in JSON format","type":"text","hidden":true,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"bpf_socket_events","description":"Track network socket opens and closes.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be 
captured","type":"integer","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"The socket type","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","hidden":false,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"browser_plugins","description":"All C/NPAPI browser plugin details for all users. 
C/NPAPI has been deprecated on all major browsers. To query for plugins on modern browsers, try: `chrome_extensions` `firefox_addons` `safari_extensions`.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the plugin","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Plugin display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Plugin identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Plugin short version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Build SDK used to compile plugin","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Plugin description text","type":"text","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Plugin language-localization","type":"text","hidden":false,"required":false,"index":false},{"name":"native","description":"Plugin requires native execution","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"disabled","description":"Is the plugin disabled. 
1 = Disabled","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"carbon_black_info","description":"Returns info about a Carbon Black sensor install.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"sensor_id","description":"Sensor ID of the Carbon Black sensor","type":"integer","hidden":false,"required":false,"index":false},{"name":"config_name","description":"Sensor group","type":"text","hidden":false,"required":false,"index":false},{"name":"collect_store_files","description":"If the sensor is configured to send back binaries to the Carbon Black server","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_module_loads","description":"If the sensor is configured to capture module loads","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_module_info","description":"If the sensor is configured to collect metadata of binaries","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_file_mods","description":"If the sensor is configured to collect file modification events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_reg_mods","description":"If the sensor is configured to collect registry modification events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_net_conns","description":"If the sensor is configured to collect network connections","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_processes","description":"If the sensor is configured to process events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_cross_processes","description":"If the sensor is configured to cross process events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_emet_events","description":"If the sensor is configured to EMET 
events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_data_file_writes","description":"If the sensor is configured to collect non binary file writes","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_process_user_context","description":"If the sensor is configured to collect the user running a process","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_sensor_operations","description":"Unknown","type":"integer","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_mb","description":"Event file disk quota in MB","type":"integer","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_percentage","description":"Event file disk quota in a percentage","type":"integer","hidden":false,"required":false,"index":false},{"name":"protection_disabled","description":"If the sensor is configured to report tamper events","type":"integer","hidden":false,"required":false,"index":false},{"name":"sensor_ip_addr","description":"IP address of the sensor","type":"text","hidden":false,"required":false,"index":false},{"name":"sensor_backend_server","description":"Carbon Black server","type":"text","hidden":false,"required":false,"index":false},{"name":"event_queue","description":"Size in bytes of Carbon Black event files on disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"binary_queue","description":"Size in bytes of binaries waiting to be sent to Carbon Black server","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"carves","description":"List the set of completed and in-progress carves. 
If carve=1 then the query is treated as a new carve request.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"time","description":"Time at which the carve was kicked off","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha256","description":"A SHA256 sum of the carved archive","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the carved archive","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the requested carve","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED","type":"text","hidden":false,"required":false,"index":false},{"name":"carve_guid","description":"Identifying value of the carve session","type":"text","hidden":false,"required":false,"index":false},{"name":"request_id","description":"Identifying value of the carve request (e.g., scheduled query name, distributed request, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"carve","description":"Set this value to '1' to start a file carve","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"certificates","description":"Certificate Authorities installed in Keychains/ca-bundles.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"common_name","description":"Certificate CommonName","type":"text","hidden":false,"required":false,"index":false},{"name":"subject","description":"Certificate distinguished name (deprecated, use subject2)","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer","description":"Certificate issuer distinguished name (deprecated, use issuer2)","type":"text","hidden":false,"required":false,"index":false},{"name":"ca","description":"1 if CA: true (certificate is an authority) else 
0","type":"integer","hidden":false,"required":false,"index":false},{"name":"self_signed","description":"1 if self-signed, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"not_valid_before","description":"Lower bound of valid date","type":"text","hidden":false,"required":false,"index":false},{"name":"not_valid_after","description":"Certificate expiration data","type":"text","hidden":false,"required":false,"index":false},{"name":"signing_algorithm","description":"Signing algorithm used","type":"text","hidden":false,"required":false,"index":false},{"name":"key_algorithm","description":"Key algorithm used","type":"text","hidden":false,"required":false,"index":false},{"name":"key_strength","description":"Key size used for RSA/DSA, or curve name","type":"text","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Certificate key usage and extended key usage","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_key_id","description":"SKID an optionally included SHA1","type":"text","hidden":false,"required":false,"index":false},{"name":"authority_key_id","description":"AKID an optionally included SHA1","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the raw certificate contents","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Keychain or PEM bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"Certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"sid","description":"SID","type":"text","hidden":true,"required":false,"index":false},{"name":"store_location","description":"Certificate system store location","type":"text","hidden":true,"required":false,"index":false},{"name":"store","description":"Certificate system 
store","type":"text","hidden":true,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":true,"required":false,"index":false},{"name":"store_id","description":"Exists for service/user stores. Contains raw store id provided by WinAPI.","type":"text","hidden":true,"required":false,"index":false},{"name":"issuer2","description":"Certificate issuer distinguished name","type":"text","hidden":true,"required":false,"index":false},{"name":"subject2","description":"Certificate distinguished name","type":"text","hidden":true,"required":false,"index":false}]},{"name":"chassis_info","description":"Display information pertaining to the chassis and its security status.","platforms":["windows"],"columns":[{"name":"audible_alarm","description":"If TRUE, the frame is equipped with an audible alarm.","type":"text","hidden":false,"required":false,"index":false},{"name":"breach_description","description":"If provided, gives a more detailed description of a detected security breach.","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_types","description":"A comma-separated list of chassis types, such as Desktop or Laptop.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"An extended description of the chassis if available.","type":"text","hidden":false,"required":false,"index":false},{"name":"lock","description":"If TRUE, the frame is equipped with a lock.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"security_breach","description":"The physical status of the chassis such as Breach Successful, Breach Attempted, 
etc.","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"smbios_tag","description":"The assigned asset tag number of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"sku","description":"The Stock Keeping Unit number if available.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"If available, gives various operational or nonoperational statuses such as OK, Degraded, and Pred Fail.","type":"text","hidden":false,"required":false,"index":false},{"name":"visible_alarm","description":"If TRUE, the frame is equipped with a visual alarm.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"chocolatey_packages","description":"Chocolatey packages installed in a system.","platforms":["windows"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this package resides","type":"text","hidden":false,"required":false,"index":false}]},{"name":"chrome_extension_content_scripts","description":"Chrome browser extension content scripts.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, 
brave)","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"script","description":"The content script used by the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"match","description":"The pattern that the script is matched against","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile path","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the Preferences file of the profile","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"chrome_extensions","description":"Chrome-based browser extensions.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta)","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"profile","description":"The name of the Chrome profile that contains this extension","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile 
path","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced_identifier","description":"Extension identifier, as specified by the preferences file. Empty if the extension is not in the profile.","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier, computed from its manifest. Empty in case of error.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Extension-optional description","type":"text","hidden":false,"required":false,"index":false},{"name":"default_locale","description":"Default locale supported by extension","type":"text","hidden":false,"required":false,"index":false},{"name":"current_locale","description":"Current locale supported by extension","type":"text","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","hidden":false,"required":false,"index":false},{"name":"persistent","description":"1 If extension is persistent across all tabs else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"The permissions required by the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions_json","description":"The JSON-encoded permissions required by the extension","type":"text","hidden":true,"required":false,"index":false},{"name":"optional_permissions","description":"The permissions optionally required by the 
extensions","type":"text","hidden":false,"required":false,"index":false},{"name":"optional_permissions_json","description":"The JSON-encoded permissions optionally required by the extensions","type":"text","hidden":true,"required":false,"index":false},{"name":"manifest_hash","description":"The SHA256 hash of the manifest.json file","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the Preferences file of the profile","type":"bigint","hidden":false,"required":false,"index":false},{"name":"from_webstore","description":"True if this extension was installed from the web store","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"1 if this extension is enabled","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Extension install time, in its original Webkit format","type":"text","hidden":false,"required":false,"index":false},{"name":"install_timestamp","description":"Extension install time, converted to unix time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"manifest_json","description":"The manifest file of the extension","type":"text","hidden":true,"required":false,"index":false},{"name":"key","description":"The extension key, from the manifest file","type":"text","hidden":true,"required":false,"index":false}]},{"name":"connectivity","description":"Provides the overall system's network state.","platforms":["windows"],"columns":[{"name":"disconnected","description":"True if the all interfaces are not connected to any network","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_no_traffic","description":"True if any interface is connected via IPv4, but has seen no traffic","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_no_traffic","description":"True if any interface is connected via IPv6, but has seen no 
traffic","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_subnet","description":"True if any interface is connected to the local subnet via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_local_network","description":"True if any interface is connected to a routed network via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_internet","description":"True if any interface is connected to the Internet via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_subnet","description":"True if any interface is connected to the local subnet via IPv6","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_local_network","description":"True if any interface is connected to a routed network via IPv6","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_internet","description":"True if any interface is connected to the Internet via IPv6","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"cpu_info","description":"Retrieve cpu hardware info of the machine.","platforms":["linux","windows"],"columns":[{"name":"device_id","description":"The DeviceID of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"processor_type","description":"The processor type, such as Central, Math, or Video.","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_status","description":"The current operating status of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"number_of_cores","description":"The number of cores of the 
CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"logical_processors","description":"The number of logical processors of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"address_width","description":"The width of the CPU address bus.","type":"text","hidden":false,"required":false,"index":false},{"name":"current_clock_speed","description":"The current frequency of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_clock_speed","description":"The maximum possible frequency of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"socket_designation","description":"The assigned socket on the board for the given CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"availability","description":"The availability and status of the CPU.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"cpu_time","description":"Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.","platforms":["darwin","linux"],"columns":[{"name":"core","description":"Name of the cpu (core)","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"Time spent in user mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"nice","description":"Time spent in user mode with low priority (nice)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system","description":"Time spent in system mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"idle","description":"Time spent in the idle task","type":"bigint","hidden":false,"required":false,"index":false},{"name":"iowait","description":"Time spent waiting for I/O to complete","type":"bigint","hidden":false,"required":false,"index":false},{"name":"irq","description":"Time spent servicing 
interrupts","type":"bigint","hidden":false,"required":false,"index":false},{"name":"softirq","description":"Time spent servicing softirqs","type":"bigint","hidden":false,"required":false,"index":false},{"name":"steal","description":"Time spent in other operating systems when running in a virtualized environment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"guest","description":"Time spent running a virtual CPU for a guest OS under the control of the Linux kernel","type":"bigint","hidden":false,"required":false,"index":false},{"name":"guest_nice","description":"Time spent running a niced guest ","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"cpuid","description":"Useful CPU features from the cpuid ASM call.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"feature","description":"Present feature flags","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Bit value or string","type":"text","hidden":false,"required":false,"index":false},{"name":"output_register","description":"Register used to for feature value","type":"text","hidden":false,"required":false,"index":false},{"name":"output_bit","description":"Bit in register value for feature value","type":"integer","hidden":false,"required":false,"index":false},{"name":"input_eax","description":"Value of EAX used","type":"text","hidden":false,"required":false,"index":false}]},{"name":"crashes","description":"Application, System, and Mobile App crash logs.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of crash log","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Location of log 
file","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Identifier of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version info of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent PID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"responsible","description":"Process responsible for the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the crashed process","type":"integer","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Date/Time at which the crash occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"crashed_thread","description":"Thread ID which crashed","type":"bigint","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Most recent frame from the stack trace","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_type","description":"Exception type of the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_codes","description":"Exception codes from the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_notes","description":"Exception notes from the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"The value of the system registers","type":"text","hidden":false,"required":false,"index":false}]},{"name":"crontab","description":"Line parsed values from system and user cron/tab.","platforms":["darwin","linux"],"columns":[{"name":"event","description":"The job @event name (rare)","type":"text","hidden":false,"required":false,"index":false},{"name":"minute","description":"The exact minute for the 
job","type":"text","hidden":false,"required":false,"index":false},{"name":"hour","description":"The hour of the day for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"day_of_month","description":"The day of the month for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"month","description":"The month of the year for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"day_of_week","description":"The day of the week for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"command","description":"Raw command string","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File parsed","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"cups_destinations","description":"Returns all configured printers.","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the printer","type":"text","hidden":false,"required":false,"index":false},{"name":"option_name","description":"Option name","type":"text","hidden":false,"required":false,"index":false},{"name":"option_value","description":"Option value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"cups_jobs","description":"Returns all completed print jobs from cups.","platforms":["darwin"],"columns":[{"name":"title","description":"Title of the printed job","type":"text","hidden":false,"required":false,"index":false},{"name":"destination","description":"The printer the job was sent to","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"The user who printed the job","type":"text","hidden":false,"required":false,"index":false},{"name":"format","description":"The format of the print 
job","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the print job","type":"integer","hidden":false,"required":false,"index":false},{"name":"completed_time","description":"When the job completed printing","type":"integer","hidden":false,"required":false,"index":false},{"name":"processing_time","description":"How long the job took to process","type":"integer","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the print request was initiated","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"curl","description":"Perform an http request and return stats about it.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"url","description":"The url for the request","type":"text","hidden":false,"required":true,"index":false},{"name":"method","description":"The HTTP method for the request","type":"text","hidden":false,"required":false,"index":false},{"name":"user_agent","description":"The user-agent string to use for the request","type":"text","hidden":false,"required":false,"index":false},{"name":"response_code","description":"The HTTP status code for the response","type":"integer","hidden":false,"required":false,"index":false},{"name":"round_trip_time","description":"Time taken to complete the request","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of bytes in the response","type":"bigint","hidden":false,"required":false,"index":false},{"name":"result","description":"The HTTP response body","type":"text","hidden":false,"required":false,"index":false}]},{"name":"curl_certificate","description":"Inspect TLS certificates by connecting to input hostnames.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"hostname","description":"Hostname to CURL (domain[:port], e.g. 
osquery.io)","type":"text","hidden":false,"required":true,"index":false},{"name":"common_name","description":"Common name of company issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"organization","description":"Organization issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"organization_unit","description":"Organization unit issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_common_name","description":"Issuer common name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_organization","description":"Issuer organization","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_organization_unit","description":"Issuer organization unit","type":"text","hidden":false,"required":false,"index":false},{"name":"valid_from","description":"Period of validity start date","type":"text","hidden":false,"required":false,"index":false},{"name":"valid_to","description":"Period of validity end date","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256_fingerprint","description":"SHA-256 fingerprint","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1_fingerprint","description":"SHA1 fingerprint","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version Number","type":"integer","hidden":false,"required":false,"index":false},{"name":"signature_algorithm","description":"Signature Algorithm","type":"text","hidden":false,"required":false,"index":false},{"name":"signature","description":"Signature","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_key_identifier","description":"Subject Key 
Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"authority_key_identifier","description":"Authority Key Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Usage of key in certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"extended_key_usage","description":"Extended usage of key in certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"policies","description":"Certificate Policies","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_alternative_names","description":"Subject Alternative Name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_alternative_names","description":"Issuer Alternative Name","type":"text","hidden":false,"required":false,"index":false},{"name":"info_access","description":"Authority Information Access","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_info_access","description":"Subject Information Access","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_mappings","description":"Policy Mappings","type":"text","hidden":false,"required":false,"index":false},{"name":"has_expired","description":"1 if the certificate has expired, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"basic_constraint","description":"Basic Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"name_constraints","description":"Name Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_constraints","description":"Policy Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"dump_certificate","description":"Set this value to '1' to dump certificate","type":"integer","hidden":true,"required":false,"index":false},{"name":"timeout","description":"Set this value to the timeout in seconds to complete 
the TLS handshake (default 4s, use 0 for no timeout)","type":"integer","hidden":true,"required":false,"index":false},{"name":"pem","description":"Certificate PEM format","type":"text","hidden":false,"required":false,"index":false}]},{"name":"deb_packages","description":"The installed DEB package database.","platforms":["linux"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Package source","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Package architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"Package revision","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Package status","type":"text","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Package maintainer","type":"text","hidden":false,"required":false,"index":false},{"name":"section","description":"Package section","type":"text","hidden":false,"required":false,"index":false},{"name":"priority","description":"Package priority","type":"text","hidden":false,"required":false,"index":false},{"name":"admindir","description":"libdpkg admindir. 
Defaults to /var/lib/dpkg","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"default_environment","description":"Default environment variables and values.","platforms":["windows"],"columns":[{"name":"variable","description":"Name of the environment variable","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the environment variable","type":"text","hidden":false,"required":false,"index":false},{"name":"expand","description":"1 if the variable needs expanding, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"device_file","description":"Similar to the file table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number","type":"text","hidden":false,"required":true,"index":false},{"name":"path","description":"A logical path within the device node","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission 
bits","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Creation time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_firmware","description":"A best-effort list of discovered firmware versions.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of device","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"The device name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Firmware version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_hash","description":"Similar to the hash table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number","type":"text","hidden":false,"required":true,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided inode 
data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_partitions","description":"Use TSK to enumerate details about partitions on a disk device.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number or description","type":"integer","hidden":false,"required":false,"index":false},{"name":"label","description":"","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Byte size of each block","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Number of blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Number of meta nodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"disk_encryption","description":"Disk encryption status and information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Disk name","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Disk Universally Unique Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"encrypted","description":"1 If encrypted: true (disk is encrypted), else 
0","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Description of cipher type and mode if available","type":"text","hidden":false,"required":false,"index":false},{"name":"encryption_status","description":"Disk encryption status with one of following values: encrypted | not encrypted | undefined","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Currently authenticated user if available","type":"text","hidden":false,"required":false,"index":false},{"name":"user_uuid","description":"UUID of authenticated user if available","type":"text","hidden":false,"required":false,"index":false},{"name":"filevault_status","description":"FileVault status with one of following values: on | off | unknown","type":"text","hidden":false,"required":false,"index":false}]},{"name":"disk_events","description":"Track DMG disk image events (appearance/disappearance) when opened.","platforms":["darwin"],"columns":[{"name":"action","description":"Appear or disappear","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the DMG file accessed","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Disk event name","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Disk event BSD name","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"UUID of the volume inside DMG if available","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of partition in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ejectable","description":"1 if ejectable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"mountable","description":"1 if mountable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"writable","description":"1 if writable, 
0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"content","description":"Disk event content","type":"text","hidden":false,"required":false,"index":false},{"name":"media_name","description":"Disk event media name string","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Disk event vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"filesystem","description":"Filesystem if available","type":"text","hidden":false,"required":false,"index":false},{"name":"checksum","description":"UDIF Master checksum if available (CRC32)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of appearance/disappearance in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"disk_info","description":"Retrieve basic information about the physical disks of a system.","platforms":["windows"],"columns":[{"name":"partitions","description":"Number of detected partitions on disk.","type":"integer","hidden":false,"required":false,"index":false},{"name":"disk_index","description":"Physical drive number of the disk.","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"The interface type of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"The unique identifier of the drive on the system.","type":"text","hidden":false,"required":false,"index":false},{"name":"pnp_device_id","description":"The unique identifier of the drive on the system.","type":"text","hidden":false,"required":false,"index":false},{"name":"disk_size","description":"Size of the disk.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the 
disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hard drive model.","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"The label of the disk object.","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The OS's description of the disk.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"dns_cache","description":"Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.","platforms":["windows"],"columns":[{"name":"name","description":"DNS record name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"DNS record type","type":"text","hidden":false,"required":false,"index":false},{"name":"flags","description":"DNS record flags","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"dns_resolvers","description":"Resolvers used by this host.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Address type index or order","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Address type: sortlist, nameserver, search","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Resolver IP/IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Address (sortlist) netmask length","type":"text","hidden":false,"required":false,"index":false},{"name":"options","description":"Resolver options","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"docker_container_envs","description":"Docker container 
environment variables.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Environment variable name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Environment variable value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_fs_changes","description":"Changes to files or directories on container's filesystem.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"path","description":"FIle or directory path relative to rootfs","type":"text","hidden":false,"required":false,"index":false},{"name":"change_type","description":"Type of change: C:Modified, A:Added, D:Deleted","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_labels","description":"Docker container labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_mounts","description":"Docker container mounts.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of mount (bind, volume)","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Optional mount name","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source path on host","type":"text","hidden":false,"required":false,"index":false},{"name":"destination","description":"Destination 
path inside container","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver providing the mount","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"Mount options (rw, ro)","type":"text","hidden":false,"required":false,"index":false},{"name":"rw","description":"1 if read/write. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"propagation","description":"Mount propagation","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_networks","description":"Docker container networks.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Network name","type":"text","hidden":false,"required":false,"index":false},{"name":"network_id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"endpoint_id","description":"Endpoint ID","type":"text","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"ip_address","description":"IP address","type":"text","hidden":false,"required":false,"index":false},{"name":"ip_prefix_len","description":"IP subnet prefix length","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_gateway","description":"IPv6 gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_prefix_len","description":"IPv6 subnet prefix length","type":"integer","hidden":false,"required":false,"index":false},{"name":"mac_address","description":"MAC address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_ports","description":"Docker container 
ports.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Protocol (tcp, udp)","type":"text","hidden":false,"required":false,"index":false},{"name":"port","description":"Port inside the container","type":"integer","hidden":false,"required":false,"index":false},{"name":"host_ip","description":"Host IP address on which public port is listening","type":"text","hidden":false,"required":false,"index":false},{"name":"host_port","description":"Host port","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"docker_container_processes","description":"Docker container processes.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group 
ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start in seconds since boot (non-sleeping)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"User name","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Cumulative CPU time. [DD-]HH:MM:SS format","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu","description":"CPU utilization as percentage","type":"double","hidden":false,"required":false,"index":false},{"name":"mem","description":"Memory utilization as percentage","type":"double","hidden":false,"required":false,"index":false}]},{"name":"docker_container_stats","description":"Docker container statistics. 
Queries on this table take at least one second.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"name","description":"Container name","type":"text","hidden":false,"required":false,"index":false},{"name":"pids","description":"Number of processes","type":"integer","hidden":false,"required":false,"index":false},{"name":"read","description":"UNIX time when stats were read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"preread","description":"UNIX time when stats were last read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"interval","description":"Difference between read and preread in nano-seconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_read","description":"Total disk read bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_write","description":"Total disk write bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"num_procs","description":"Number of processors","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_total_usage","description":"Total CPU usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_kernelmode_usage","description":"CPU kernel mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_usermode_usage","description":"CPU user mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_cpu_usage","description":"CPU system usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"online_cpus","description":"Online CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"pre_cpu_total_usage","description":"Last read total CPU usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_cpu_kernelmode_usage","description":"Last 
read CPU kernel mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_cpu_usermode_usage","description":"Last read CPU user mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_system_cpu_usage","description":"Last read CPU system usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_online_cpus","description":"Last read online CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory_usage","description":"Memory usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_max_usage","description":"Memory maximum usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"Memory limit","type":"bigint","hidden":false,"required":false,"index":false},{"name":"network_rx_bytes","description":"Total network bytes read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"network_tx_bytes","description":"Total network bytes transmitted","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"docker_containers","description":"Docker containers information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Container name","type":"text","hidden":false,"required":false,"index":false},{"name":"image","description":"Docker image (name) used to launch this container","type":"text","hidden":false,"required":false,"index":false},{"name":"image_id","description":"Docker image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"command","description":"Command with arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"state","description":"Container state 
(created, restarting, running, removing, paused, exited, dead)","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Container status information","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Identifier of the initial process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Container path","type":"text","hidden":false,"required":false,"index":false},{"name":"config_entrypoint","description":"Container entrypoint(s)","type":"text","hidden":false,"required":false,"index":false},{"name":"started_at","description":"Container start time as string","type":"text","hidden":false,"required":false,"index":false},{"name":"finished_at","description":"Container finish time as string","type":"text","hidden":false,"required":false,"index":false},{"name":"privileged","description":"Is the container privileged","type":"integer","hidden":false,"required":false,"index":false},{"name":"security_options","description":"List of container security options","type":"text","hidden":false,"required":false,"index":false},{"name":"env_variables","description":"Container environmental variables","type":"text","hidden":false,"required":false,"index":false},{"name":"readonly_rootfs","description":"Is the root filesystem mounted as read only","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_namespace","description":"cgroup namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"ipc_namespace","description":"IPC namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"mnt_namespace","description":"Mount namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"net_namespace","description":"Network namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"pid_namespace","description":"PID 
namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"user_namespace","description":"User namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"uts_namespace","description":"UTS namespace","type":"text","hidden":true,"required":false,"index":false}]},{"name":"docker_image_history","description":"Docker image history information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of instruction in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"created_by","description":"Created by instruction","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of tags","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Instruction comment","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_image_labels","description":"Docker image labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_image_layers","description":"Docker image layers information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"layer_id","description":"Layer ID","type":"text","hidden":false,"required":false,"index":false},{"name":"layer_order","description":"Layer Order (1 = base 
layer)","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"docker_images","description":"Docker images information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size_bytes","description":"Size of image in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of repository tags","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_info","description":"Docker system information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Docker system ID","type":"text","hidden":false,"required":false,"index":false},{"name":"containers","description":"Total number of containers","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_running","description":"Number of containers currently running","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_paused","description":"Number of containers in paused state","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_stopped","description":"Number of containers in stopped state","type":"integer","hidden":false,"required":false,"index":false},{"name":"images","description":"Number of images","type":"integer","hidden":false,"required":false,"index":false},{"name":"storage_driver","description":"Storage driver","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"1 if memory limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"swap_limit","description":"1 if swap limit support is enabled. 
0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"kernel_memory","description":"1 if kernel memory limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_period","description":"1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_quota","description":"1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_shares","description":"1 if CPU share weighting support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_set","description":"1 if CPU set selection support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_forwarding","description":"1 if IPv4 forwarding is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"bridge_nf_iptables","description":"1 if bridge netfilter iptables is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"bridge_nf_ip6tables","description":"1 if bridge netfilter ip6tables is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"oom_kill_disable","description":"1 if Out-of-memory kill is disabled. 
0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_driver","description":"Logging driver","type":"text","hidden":false,"required":false,"index":false},{"name":"cgroup_driver","description":"Control groups driver","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Operating system type","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"cpus","description":"Number of CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory","description":"Total memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"http_proxy","description":"HTTP proxy","type":"text","hidden":false,"required":false,"index":false},{"name":"https_proxy","description":"HTTPS proxy","type":"text","hidden":false,"required":false,"index":false},{"name":"no_proxy","description":"Comma-separated list of domain extensions proxy should not be used for","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the docker host","type":"text","hidden":false,"required":false,"index":false},{"name":"server_version","description":"Server version","type":"text","hidden":false,"required":false,"index":false},{"name":"root_dir","description":"Docker root directory","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_network_labels","description":"Docker network labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label 
key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_networks","description":"Docker networks information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Network name","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Network driver","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"enable_ipv6","description":"1 if IPv6 is enabled on this network. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"subnet","description":"Network subnet","type":"text","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Network gateway","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_version","description":"Docker version information.","platforms":["darwin","linux"],"columns":[{"name":"version","description":"Docker version","type":"text","hidden":false,"required":false,"index":false},{"name":"api_version","description":"API version","type":"text","hidden":false,"required":false,"index":false},{"name":"min_api_version","description":"Minimum API version supported","type":"text","hidden":false,"required":false,"index":false},{"name":"git_commit","description":"Docker build git commit","type":"text","hidden":false,"required":false,"index":false},{"name":"go_version","description":"Go version","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"Hardware 
architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Build time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_volume_labels","description":"Docker volume labels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_volumes","description":"Docker volumes information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Volume driver","type":"text","hidden":false,"required":false,"index":false},{"name":"mount_point","description":"Mount point","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Volume type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"drivers","description":"Details for in-use Windows device drivers. 
This does not display installed but unused drivers.","platforms":["windows"],"columns":[{"name":"device_id","description":"Device ID","type":"text","hidden":false,"required":false,"index":false},{"name":"device_name","description":"Device name","type":"text","hidden":false,"required":false,"index":false},{"name":"image","description":"Path to driver image file","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Driver description","type":"text","hidden":false,"required":false,"index":false},{"name":"service","description":"Driver service name, if one exists","type":"text","hidden":false,"required":false,"index":false},{"name":"service_key","description":"Driver service registry key","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Driver version","type":"text","hidden":false,"required":false,"index":false},{"name":"inf","description":"Associated inf file","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Device/driver class name","type":"text","hidden":false,"required":false,"index":false},{"name":"provider","description":"Driver provider","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Device manufacturer","type":"text","hidden":false,"required":false,"index":false},{"name":"driver_key","description":"Driver key","type":"text","hidden":false,"required":false,"index":false},{"name":"date","description":"Driver date","type":"bigint","hidden":false,"required":false,"index":false},{"name":"signed","description":"Whether the driver is signed or not","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_metadata","description":"EC2 instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"EC2 instance 
ID","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_type","description":"EC2 instance type","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture of this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"region","description":"AWS region in which this instance launched","type":"text","hidden":false,"required":false,"index":false},{"name":"availability_zone","description":"Availability zone in which this instance launched","type":"text","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Private IPv4 DNS hostname of the first interface of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"local_ipv4","description":"Private IPv4 address of the first interface of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address for the first network interface of this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"security_groups","description":"Comma separated list of security group names","type":"text","hidden":false,"required":false,"index":false},{"name":"iam_arn","description":"If there is an IAM role associated with the instance, contains instance profile ARN","type":"text","hidden":false,"required":false,"index":false},{"name":"ami_id","description":"AMI ID used to launch this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"reservation_id","description":"ID of the reservation","type":"text","hidden":false,"required":false,"index":false},{"name":"account_id","description":"AWS account ID which owns this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. 
Only available if supplied at instance launch time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_tags","description":"EC2 instance tag key value pairs.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"EC2 instance ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Tag key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Tag value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"es_process_events","description":"Process execution events from EndpointSecurity.","platforms":["darwin"],"columns":[{"name":"version","description":"Version of EndpointSecurity event","type":"integer","hidden":false,"required":false,"index":false},{"name":"seq_num","description":"Per event sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"global_seq_num","description":"Global sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"original_parent","description":"Original parent process ID in case of reparenting","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline_count","description":"Number of command line arguments","type":"bigint","hidden":false,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by 
spaces","type":"text","hidden":false,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective User ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective Group ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false},{"name":"signing_id","description":"Signature identifier of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"team_id","description":"Team identifier of thd process","type":"text","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Codesigning hash of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_binary","description":"Indicates if the binary is Apple signed binary (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of a process in case of an exit event","type":"integer","hidden":false,"required":false,"index":false},{"name":"child_pid","description":"Process ID of a child process in case of a fork event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"event_type","description":"Type of EndpointSecurity 
event","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"es_process_file_events","description":"Process execution events from EndpointSecurity.","platforms":["darwin"],"columns":[{"name":"version","description":"Version of EndpointSecurity event","type":"integer","hidden":false,"required":false,"index":false},{"name":"seq_num","description":"Per event sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"global_seq_num","description":"Global sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"The source or target filename for the event","type":"text","hidden":false,"required":false,"index":false},{"name":"dest_filename","description":"Destination filename for the event","type":"text","hidden":false,"required":false,"index":false},{"name":"event_type","description":"Type of EndpointSecurity event","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"etc_hosts","description":"Line-parsed /etc/hosts.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"address","description":"IP address mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"hostnames","description":"Raw hosts 
mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"etc_protocols","description":"Line-parsed /etc/protocols.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Protocol name","type":"text","hidden":false,"required":false,"index":false},{"name":"number","description":"Protocol number","type":"integer","hidden":false,"required":false,"index":false},{"name":"alias","description":"Protocol alias","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Comment with protocol description","type":"text","hidden":false,"required":false,"index":false}]},{"name":"etc_services","description":"Line-parsed /etc/services.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Service name","type":"text","hidden":false,"required":false,"index":false},{"name":"port","description":"Service port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"text","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Optional space separated list of other names for a service","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional comment for a service.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"event_taps","description":"Returns information about installed event taps.","platforms":["darwin"],"columns":[{"name":"enabled","description":"Is the Event Tap enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"event_tap_id","description":"Unique ID for the Tap","type":"integer","hidden":false,"required":false,"index":false},{"name":"event_tapped","description":"The mask that identifies the set of 
events to be observed.","type":"text","hidden":false,"required":false,"index":false},{"name":"process_being_tapped","description":"The process ID of the target application","type":"integer","hidden":false,"required":false,"index":false},{"name":"tapping_process","description":"The process ID of the application that created the event tap.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"extended_attributes","description":"Returns the extended attributes for files (similar to Windows ADS).","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute file path","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Directory of file(s)","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the value generated from the extended attribute","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The parsed information from the attribute","type":"text","hidden":false,"required":false,"index":false},{"name":"base64","description":"1 if the value is base64 encoded else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"fan_speed_sensors","description":"Fan speeds.","platforms":["darwin"],"columns":[{"name":"fan","description":"Fan number","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Fan name","type":"text","hidden":false,"required":false,"index":false},{"name":"actual","description":"Actual speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimum speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"target","description":"Target speed","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"fbsd_kmods","description":"Loaded FreeBSD kernel 
modules.","platforms":["freebsd"],"columns":[{"name":"name","description":"Module name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of module content","type":"integer","hidden":false,"required":false,"index":false},{"name":"refs","description":"Module reverse dependencies","type":"integer","hidden":false,"required":false,"index":false},{"name":"address","description":"Kernel module address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"file","description":"Interactive filesystem attributes and metadata.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"path","description":"Absolute file path","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Directory of file(s)","type":"text","hidden":false,"required":true,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Device ID (optional)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification 
time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"btime","description":"(B)irth or (cr)eate time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","hidden":false,"required":false,"index":false},{"name":"symlink","description":"1 if the path is a symlink, otherwise 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","hidden":false,"required":false,"index":false},{"name":"attributes","description":"File attrib string. See: https://ss64.com/nt/attrib.html","type":"text","hidden":true,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number","type":"text","hidden":true,"required":false,"index":false},{"name":"file_id","description":"file ID","type":"text","hidden":true,"required":false,"index":false},{"name":"file_version","description":"File version","type":"text","hidden":true,"required":false,"index":false},{"name":"product_version","description":"File product version","type":"text","hidden":true,"required":false,"index":false},{"name":"original_filename","description":"(Executable files only) Original filename","type":"text","hidden":true,"required":false,"index":false},{"name":"bsd_flags","description":"The BSD file flags (chflags). 
Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"file_events","description":"Track time/action changes to files specified in configuration data.","platforms":["darwin","linux"],"columns":[{"name":"target_path","description":"The path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file defined in the config","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change 
time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"md5","description":"The MD5 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"The SHA1 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"The SHA256 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"hashed","description":"1 if the file was hashed, 0 if not, -1 if hashing failed","type":"integer","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"firefox_addons","description":"Firefox browser extensions, webapps, and addons.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local user that owns the addon","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Addon display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Addon identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"creator","description":"Addon-supported creator string","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Extension, addon, webapp","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Addon-supplied version string","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Addon-supplied description string","type":"text","hidden":false,"required":false,"index":false},{"name":"source_url","description":"URL that installed the addon","type":"text","hidden":false,"required":false,"index":false},{"name":"visible","description":"1 If the addon 
is shown in browser else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If the addon is active else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 If the addon is application-disabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"1 If the addon applies background updates else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"native","description":"1 If the addon includes binary components else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"location","description":"Global, profile location","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper","description":"macOS Gatekeeper Details.","platforms":["darwin"],"columns":[{"name":"assessments_enabled","description":"1 If a Gatekeeper is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"dev_id_enabled","description":"1 If a Gatekeeper allows execution from identified developers else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of Gatekeeper's gke.bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"opaque_version","description":"Version of Gatekeeper's gkopaque.bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper_approved_apps","description":"Gatekeeper apps a user has allowed to run.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of executable allowed to run","type":"text","hidden":false,"required":false,"index":false},{"name":"requirement","description":"Code signing requirement 
language","type":"text","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last change time","type":"double","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"double","hidden":false,"required":false,"index":false}]},{"name":"groups","description":"Local system groups.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"gid","description":"Unsigned int64 group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"A signed int64 version of gid","type":"bigint","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Canonical local group name","type":"text","hidden":false,"required":false,"index":false},{"name":"group_sid","description":"Unique group ID","type":"text","hidden":true,"required":false,"index":false},{"name":"comment","description":"Remarks or comments associated with the group","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"hardware_events","description":"Hardware (PCI/USB/HID) events from UDEV or IOKit.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"Remove, insert, change properties, etc","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Local device path assigned (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of hardware and hardware event","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver claiming the 
device","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Hardware device vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded Hardware vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"Hardware device model","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded Hardware model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"Device serial (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"Device revision (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of hardware event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"hash","description":"Filesystem hash data.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace 
id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"homebrew_packages","description":"The installed homebrew package database.","platforms":["darwin"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Package install path","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Current 'linked' version","type":"text","hidden":false,"required":false,"index":false},{"name":"prefix","description":"Homebrew install prefix","type":"text","hidden":true,"required":false,"index":false}]},{"name":"hvci_status","description":"Retrieve HVCI info of the machine.","platforms":["windows"],"columns":[{"name":"version","description":"The version number of the Device Guard build.","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_identifier","description":"The instance ID of Device Guard.","type":"text","hidden":false,"required":false,"index":false},{"name":"vbs_status","description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false},{"name":"code_integrity_policy_enforcement_status","description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false},{"name":"umci_policy_status","description":"The status of the User Mode Code Integrity security settings. 
Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ibridge_info","description":"Information about the Apple iBridge hardware controller.","platforms":["darwin"],"columns":[{"name":"boot_uuid","description":"Boot UUID of the iBridge controller","type":"text","hidden":false,"required":false,"index":false},{"name":"coprocessor_version","description":"The manufacturer and chip version","type":"text","hidden":false,"required":false,"index":false},{"name":"firmware_version","description":"The build version of the firmware","type":"text","hidden":false,"required":false,"index":false},{"name":"unique_chip_id","description":"Unique id of the iBridge controller","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ie_extensions","description":"Internet Explorer browser extensions.","platforms":["windows"],"columns":[{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"registry_path","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the executable","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executable","type":"text","hidden":false,"required":false,"index":false}]},{"name":"intel_me_info","description":"Intel ME/CSE Info.","platforms":["linux","windows"],"columns":[{"name":"version","description":"Intel ME version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"interface_addresses","description":"Network interfaces and relevant metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for 
interface","type":"text","hidden":false,"required":false,"index":false},{"name":"mask","description":"Interface netmask","type":"text","hidden":false,"required":false,"index":false},{"name":"broadcast","description":"Broadcast address for the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"point_to_point","description":"PtP address for the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of address. One of dhcp, manual, auto, other, unknown","type":"text","hidden":false,"required":false,"index":false},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"interface_details","description":"Detailed information and stats of network interfaces.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC of interface (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Interface type (includes virtual)","type":"integer","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Network MTU","type":"integer","hidden":false,"required":false,"index":false},{"name":"metric","description":"Metric based on the speed of the interface","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags (netdevice) for the device","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipackets","description":"Input packets","type":"bigint","hidden":false,"required":false,"index":false},{"name":"opackets","description":"Output packets","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ibytes","description":"Input 
bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"obytes","description":"Output bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ierrors","description":"Input errors","type":"bigint","hidden":false,"required":false,"index":false},{"name":"oerrors","description":"Output errors","type":"bigint","hidden":false,"required":false,"index":false},{"name":"idrops","description":"Input drops","type":"bigint","hidden":false,"required":false,"index":false},{"name":"odrops","description":"Output drops","type":"bigint","hidden":false,"required":false,"index":false},{"name":"collisions","description":"Packet Collisions detected","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Time of last device modification (optional)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"link_speed","description":"Interface speed in Mb/s","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pci_slot","description":"PCI slot number","type":"text","hidden":true,"required":false,"index":false},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","hidden":true,"required":false,"index":false},{"name":"description","description":"Short description of the object a one-line string.","type":"text","hidden":true,"required":false,"index":false},{"name":"manufacturer","description":"Name of the network adapter's manufacturer.","type":"text","hidden":true,"required":false,"index":false},{"name":"connection_id","description":"Name of the network connection as it appears in the Network Connections Control Panel program.","type":"text","hidden":true,"required":false,"index":false},{"name":"connection_status","description":"State of the network adapter connection to the network.","type":"text","hidden":true,"required":false,"index":false},{"name":"enabled","description":"Indicates whether the adapter is enabled or 
not.","type":"integer","hidden":true,"required":false,"index":false},{"name":"physical_adapter","description":"Indicates whether the adapter is a physical or a logical adapter.","type":"integer","hidden":true,"required":false,"index":false},{"name":"speed","description":"Estimate of the current bandwidth in bits per second.","type":"integer","hidden":true,"required":false,"index":false},{"name":"service","description":"The name of the service the network adapter uses.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_enabled","description":"If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.","type":"integer","hidden":true,"required":false,"index":false},{"name":"dhcp_lease_expires","description":"Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_lease_obtained","description":"Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_server","description":"IP address of the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_domain","description":"Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_domain_suffix_search_order","description":"Array of DNS domain suffixes to be appended to the end of host names during name resolution.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_host_name","description":"Host name used to identify the local computer for authentication by some 
utilities.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_server_search_order","description":"Array of server IP addresses to be used in querying for DNS servers.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"interface_ipv6","description":"IPv6 configuration and stats of network interfaces.","platforms":["darwin","linux"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"hop_limit","description":"Current Hop Limit","type":"integer","hidden":false,"required":false,"index":false},{"name":"forwarding_enabled","description":"Enable IP forwarding","type":"integer","hidden":false,"required":false,"index":false},{"name":"redirect_accept","description":"Accept ICMP redirect messages","type":"integer","hidden":false,"required":false,"index":false},{"name":"rtadv_accept","description":"Accept ICMP Router Advertisement","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iokit_devicetree","description":"The IOKit registry matching the DeviceTree plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Device node name","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent device registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"device_path","description":"Device tree path","type":"text","hidden":false,"required":false,"index":false},{"name":"service","description":"1 if the device conforms to IOService else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the device is in a busy state else 
0","type":"integer","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The device reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"depth","description":"Device nested depth","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iokit_registry","description":"The full IOKit registry without selecting a plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Default name of the node","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the node is in a busy state else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The node reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"depth","description":"Node nested depth","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iptables","description":"Linux IP packet filtering and NAT tool.","platforms":["linux"],"columns":[{"name":"filter_name","description":"Packet matching filter table name.","type":"text","hidden":false,"required":false,"index":false},{"name":"chain","description":"Size of module content.","type":"text","hidden":false,"required":false,"index":false},{"name":"policy","description":"Policy that applies for this rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"target","description":"Target that applies for this rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Protocol number 
identification.","type":"integer","hidden":false,"required":false,"index":false},{"name":"src_port","description":"Protocol source port(s).","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_port","description":"Protocol destination port(s).","type":"text","hidden":false,"required":false,"index":false},{"name":"src_ip","description":"Source IP address.","type":"text","hidden":false,"required":false,"index":false},{"name":"src_mask","description":"Source IP address mask.","type":"text","hidden":false,"required":false,"index":false},{"name":"iniface","description":"Input interface for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"iniface_mask","description":"Input interface mask for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_ip","description":"Destination IP address.","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_mask","description":"Destination IP address mask.","type":"text","hidden":false,"required":false,"index":false},{"name":"outiface","description":"Output interface for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"outiface_mask","description":"Output interface mask for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"match","description":"Matching rule that applies.","type":"text","hidden":false,"required":false,"index":false},{"name":"packets","description":"Number of matching packets for this rule.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of matching bytes for this rule.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"kernel_extensions","description":"macOS's kernel extensions, both loaded and within the load search path.","platforms":["darwin"],"columns":[{"name":"idx","description":"Extension load tag or 
index","type":"integer","hidden":false,"required":false,"index":false},{"name":"refs","description":"Reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Bytes of wired memory used by extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension label","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension version","type":"text","hidden":false,"required":false,"index":false},{"name":"linked_against","description":"Indexes of extensions this extension is linked against","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Optional path to extension bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_info","description":"Basic active kernel information.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"arguments","description":"Kernel arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Kernel path","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Kernel device identifier","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_modules","description":"Linux kernel modules both loaded and within the load search path.","platforms":["linux"],"columns":[{"name":"name","description":"Module name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of module content","type":"bigint","hidden":false,"required":false,"index":false},{"name":"used_by","description":"Module reverse dependencies","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Kernel module 
status","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Kernel module address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_panics","description":"System kernel panic logs.","platforms":["darwin"],"columns":[{"name":"path","description":"Location of log file","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Formatted time of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"A space delimited line of register:value pairs","type":"text","hidden":false,"required":false,"index":false},{"name":"frame_backtrace","description":"Backtrace of the crashed module","type":"text","hidden":false,"required":false,"index":false},{"name":"module_backtrace","description":"Modules appearing in the crashed module's backtrace","type":"text","hidden":false,"required":false,"index":false},{"name":"dependencies","description":"Module dependencies existing in crashed module's backtrace","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name corresponding to crashed thread","type":"text","hidden":false,"required":false,"index":false},{"name":"os_version","description":"Version of the operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Version of the system kernel","type":"text","hidden":false,"required":false,"index":false},{"name":"system_model","description":"Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)'","type":"text","hidden":false,"required":false,"index":false},{"name":"uptime","description":"System uptime at kernel panic in nanoseconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_loaded","description":"Last loaded module before 
panic","type":"text","hidden":false,"required":false,"index":false},{"name":"last_unloaded","description":"Last unloaded module before panic","type":"text","hidden":false,"required":false,"index":false}]},{"name":"keychain_acls","description":"Applications that have ACL entries in the keychain.","platforms":["darwin"],"columns":[{"name":"keychain_path","description":"The path of the keychain","type":"text","hidden":false,"required":false,"index":false},{"name":"authorizations","description":"A space delimited set of authorization attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the authorized application","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The description included with the ACL entry","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"An optional label tag that may be included with the keychain entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"keychain_items","description":"Generic details about keychain items.","platforms":["darwin"],"columns":[{"name":"label","description":"Generic item name","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional item description","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional keychain comment","type":"text","hidden":false,"required":false,"index":false},{"name":"account","description":"Optional item account","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Data item was created","type":"text","hidden":false,"required":false,"index":false},{"name":"modified","description":"Date of last modification","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Keychain item type 
(class)","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to keychain containing item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"known_hosts","description":"A line-delimited known_hosts table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local user that owns the known_hosts file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"key","description":"parsed authorized keys line","type":"text","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to known_hosts file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kva_speculative_info","description":"Display kernel virtual address and speculative execution information for the system.","platforms":["windows"],"columns":[{"name":"kva_shadow_enabled","description":"Kernel Virtual Address shadowing is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_user_global","description":"User pages are marked as global.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_pcid","description":"Kernel VA PCID flushing optimization is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_inv_pcid","description":"Kernel VA INVPCID is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_mitigations","description":"Branch Prediction mitigations are enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_system_pol_disabled","description":"Branch Predictions are disabled via system policy.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_microcode_disabled","description":"Branch Predictions are disabled due to lack of microcode 
update.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_spec_ctrl_supported","description":"SPEC_CTRL MSR supported by CPU Microcode.","type":"integer","hidden":false,"required":false,"index":false},{"name":"ibrs_support_enabled","description":"Windows uses IBRS.","type":"integer","hidden":false,"required":false,"index":false},{"name":"stibp_support_enabled","description":"Windows uses STIBP.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_pred_cmd_supported","description":"PRED_CMD MSR supported by CPU Microcode.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"last","description":"System logins and logouts.","platforms":["darwin","linux"],"columns":[{"name":"username","description":"Entry username","type":"text","hidden":false,"required":false,"index":false},{"name":"tty","description":"Entry terminal","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Entry type, according to ut_type types (utmp.h)","type":"integer","hidden":false,"required":false,"index":false},{"name":"type_name","description":"Entry type name, according to ut_type types (utmp.h)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp","type":"integer","hidden":false,"required":false,"index":false},{"name":"host","description":"Entry hostname","type":"text","hidden":false,"required":false,"index":false}]},{"name":"launchd","description":"LaunchAgents and LaunchDaemons from default search paths.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to daemon or agent plist","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"File name of plist (used by 
launchd)","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"Daemon or agent service name","type":"text","hidden":false,"required":false,"index":false},{"name":"program","description":"Path to target program","type":"text","hidden":false,"required":false,"index":false},{"name":"run_at_load","description":"Should the program run on launch load","type":"text","hidden":false,"required":false,"index":false},{"name":"keep_alive","description":"Should the process be restarted if killed","type":"text","hidden":false,"required":false,"index":false},{"name":"on_demand","description":"Deprecated key, replaced by keep_alive","type":"text","hidden":false,"required":false,"index":false},{"name":"disabled","description":"Skip loading this daemon or agent on boot","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Run this daemon or agent as this username","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Run this daemon or agent as this group","type":"text","hidden":false,"required":false,"index":false},{"name":"stdout_path","description":"Pipe stdout to a target path","type":"text","hidden":false,"required":false,"index":false},{"name":"stderr_path","description":"Pipe stderr to a target path","type":"text","hidden":false,"required":false,"index":false},{"name":"start_interval","description":"Frequency to run in seconds","type":"text","hidden":false,"required":false,"index":false},{"name":"program_arguments","description":"Command line arguments passed to program","type":"text","hidden":false,"required":false,"index":false},{"name":"watch_paths","description":"Key that launches daemon or agent if path is modified","type":"text","hidden":false,"required":false,"index":false},{"name":"queue_directories","description":"Similar to watch_paths but only with non-empty 
directories","type":"text","hidden":false,"required":false,"index":false},{"name":"inetd_compatibility","description":"Run this daemon or agent as it was launched from inetd","type":"text","hidden":false,"required":false,"index":false},{"name":"start_on_mount","description":"Run daemon or agent every time a filesystem is mounted","type":"text","hidden":false,"required":false,"index":false},{"name":"root_directory","description":"Key used to specify a directory to chroot to before launch","type":"text","hidden":false,"required":false,"index":false},{"name":"working_directory","description":"Key used to specify a directory to chdir to before launch","type":"text","hidden":false,"required":false,"index":false},{"name":"process_type","description":"Key describes the intended purpose of the job","type":"text","hidden":false,"required":false,"index":false}]},{"name":"launchd_overrides","description":"Override keys, per user, for LaunchDaemons and Agents.","platforms":["darwin"],"columns":[{"name":"label","description":"Daemon or agent service name","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Name of the override key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Overridden value","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID applied to the override, 0 applies to all","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to daemon or agent plist","type":"text","hidden":false,"required":false,"index":false}]},{"name":"listening_ports","description":"Processes with listening (bound) network sockets/ports.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"port","description":"Transport layer 
port","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"integer","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, IPv6)","type":"integer","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for bind","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"Socket file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path for UNIX domain sockets","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","hidden":true,"required":false,"index":false}]},{"name":"load_average","description":"Displays information about the system wide load averages.","platforms":["darwin","linux"],"columns":[{"name":"period","description":"Period over which the average is calculated.","type":"text","hidden":false,"required":false,"index":false},{"name":"average","description":"Load average over the specified period.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"location_services","description":"Reports the status of the Location Services feature of the OS.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 if Location Services are enabled, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"logged_in_users","description":"Users with an active shell on the system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"type","description":"Login type","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"User login 
name","type":"text","hidden":false,"required":false,"index":false},{"name":"tty","description":"Device name","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"Remote hostname","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time entry was made","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"sid","description":"The user's unique security identifier","type":"text","hidden":true,"required":false,"index":false},{"name":"registry_hive","description":"HKEY_USERS registry hive","type":"text","hidden":true,"required":false,"index":false}]},{"name":"logical_drives","description":"Details for logical drives on the system. A logical drive generally represents a single partition.","platforms":["windows"],"columns":[{"name":"device_id","description":"The drive id, usually the drive name, e.g., 'C:'.","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Deprecated (always 'Unknown').","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The canonical description of the drive, e.g. 
'Logical Fixed Disk', 'CD-ROM Disk'.","type":"text","hidden":false,"required":false,"index":false},{"name":"free_space","description":"The amount of free space, in bytes, of the drive (-1 on failure).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"The total amount of space, in bytes, of the drive (-1 on failure).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"file_system","description":"The file system of the drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"boot_partition","description":"True if Windows booted from this drive.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"logon_sessions","description":"Windows Logon Session.","platforms":["windows"],"columns":[{"name":"logon_id","description":"A locally unique identifier (LUID) that identifies a logon session.","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"The account name of the security principal that owns the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_domain","description":"The name of the domain used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"authentication_package","description":"The authentication package used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_type","description":"The logon method.","type":"text","hidden":false,"required":false,"index":false},{"name":"session_id","description":"The Terminal Services session identifier.","type":"integer","hidden":false,"required":false,"index":false},{"name":"logon_sid","description":"The user's security identifier (SID).","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_time","description":"The time the session owner logged 
on.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"logon_server","description":"The name of the server used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"dns_domain_name","description":"The DNS name for the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"upn","description":"The user principal name (UPN) for the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_script","description":"The script used for logging on.","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The home directory for the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"home_directory","description":"The home directory for the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"home_directory_drive","description":"The drive location of the home directory of the logon session.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_certificates","description":"LXD certificates information.","platforms":["linux"],"columns":[{"name":"name","description":"Name of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"fingerprint","description":"SHA256 hash of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"certificate","description":"Certificate content","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster","description":"LXD cluster information.","platforms":["linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether 
clustering enabled (1) or not (0) on this node","type":"integer","hidden":false,"required":false,"index":false},{"name":"member_config_entity","description":"Type of configuration parameter for this node","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_name","description":"Name of configuration parameter","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_key","description":"Config key","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_value","description":"Config value","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_description","description":"Config description","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster_members","description":"LXD cluster members information.","platforms":["linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","hidden":false,"required":false,"index":false},{"name":"url","description":"URL of the node","type":"text","hidden":false,"required":false,"index":false},{"name":"database","description":"Whether the server is a database node (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the node (Online/Offline)","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the node (Online/Offline)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_images","description":"LXD images information.","platforms":["linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Target architecture for the image","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"OS on which image is 
based","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"OS release version on which the image is based","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Image description","type":"text","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Comma-separated list of image aliases","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Filename of the image file","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of image in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auto_update","description":"Whether the image auto-updates (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"cached","description":"Whether image is cached (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"public","description":"Whether image is public (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of image creation","type":"text","hidden":false,"required":false,"index":false},{"name":"expires_at","description":"ISO time of image expiration","type":"text","hidden":false,"required":false,"index":false},{"name":"uploaded_at","description":"ISO time of image upload","type":"text","hidden":false,"required":false,"index":false},{"name":"last_used_at","description":"ISO time for the most recent use of this image in terms of container spawn","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_server","description":"Server for image update","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_protocol","description":"Protocol used for image information update and image import from source 
server","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_certificate","description":"Certificate for update source server","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_alias","description":"Alias of image at update source server","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_config","description":"LXD instance configuration information.","platforms":["linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Configuration parameter name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Configuration parameter value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_devices","description":"LXD instance devices information.","platforms":["linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":true,"index":false},{"name":"device","description":"Name of the device","type":"text","hidden":false,"required":false,"index":false},{"name":"device_type","description":"Device type","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Device info param name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Device info param value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instances","description":"LXD instances information.","platforms":["linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Instance state (running, stopped, etc.)","type":"text","hidden":false,"required":false,"index":false},{"name":"stateful","description":"Whether the instance is stateful(1) or 
not(0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"ephemeral","description":"Whether the instance is ephemeral(1) or not(0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of creation","type":"text","hidden":false,"required":false,"index":false},{"name":"base_image","description":"ID of image used to launch this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Instance architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"The OS of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Instance description","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Instance's process ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"processes","description":"Number of processes running inside this instance","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"lxd_networks","description":"LXD network information.","platforms":["linux"],"columns":[{"name":"name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of network","type":"text","hidden":false,"required":false,"index":false},{"name":"managed","description":"1 if network created by LXD, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_address","description":"IPv4 address","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"used_by","description":"URLs for containers using this network","type":"text","hidden":false,"required":false,"index":false},{"name":"bytes_received","description":"Number of bytes received on this 
network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bytes_sent","description":"Number of bytes sent on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"packets_received","description":"Number of packets received on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"packets_sent","description":"Number of packets sent on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hwaddr","description":"Hardware address for this network","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Network status","type":"text","hidden":false,"required":false,"index":false},{"name":"mtu","description":"MTU size","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"lxd_storage_pools","description":"LXD storage pool information.","platforms":["linux"],"columns":[{"name":"name","description":"Name of the storage pool","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Storage driver","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Storage pool source","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the storage pool","type":"text","hidden":false,"required":false,"index":false},{"name":"space_used","description":"Storage space used in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"space_total","description":"Total available storage space in bytes for this storage pool","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_used","description":"Number of inodes used","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_total","description":"Total number of inodes available in this storage 
pool","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"magic","description":"Magic number recognition library table.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute path to target file","type":"text","hidden":false,"required":true,"index":false},{"name":"magic_db_files","description":"Colon(:) separated list of files where the magic db file can be found. By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Magic number data from libmagic","type":"text","hidden":false,"required":false,"index":false},{"name":"mime_type","description":"MIME type data from libmagic","type":"text","hidden":false,"required":false,"index":false},{"name":"mime_encoding","description":"MIME encoding data from libmagic","type":"text","hidden":false,"required":false,"index":false}]},{"name":"managed_policies","description":"The managed configuration policies from AD, MDM, MCX, etc.","platforms":["darwin"],"columns":[{"name":"domain","description":"System or manager-chosen domain key","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Optional UUID assigned to policy set","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Policy key name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Policy value","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Policy applies only this user","type":"text","hidden":false,"required":false,"index":false},{"name":"manual","description":"1 if policy was loaded manually, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"md_devices","description":"Software RAID array 
settings.","platforms":["linux"],"columns":[{"name":"device_name","description":"md device name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Current state of the array","type":"text","hidden":false,"required":false,"index":false},{"name":"raid_level","description":"Current raid level of the array","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"size of the array in blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"chunk_size","description":"chunk size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"raid_disks","description":"Number of configured RAID disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"nr_raid_disks","description":"Number of partitions or disk devices to comprise the array","type":"integer","hidden":false,"required":false,"index":false},{"name":"working_disks","description":"Number of working disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"active_disks","description":"Number of active disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"failed_disks","description":"Number of failed disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"spare_disks","description":"Number of idle disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"superblock_state","description":"State of the superblock","type":"text","hidden":false,"required":false,"index":false},{"name":"superblock_version","description":"Version of the superblock","type":"text","hidden":false,"required":false,"index":false},{"name":"superblock_update_time","description":"Unix timestamp of last update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bitmap_on_mem","description":"Pages allocated in in-memory bitmap, if 
enabled","type":"text","hidden":false,"required":false,"index":false},{"name":"bitmap_chunk_size","description":"Bitmap chunk size","type":"text","hidden":false,"required":false,"index":false},{"name":"bitmap_external_file","description":"External referenced bitmap file","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_progress","description":"Progress of the recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_finish","description":"Estimated duration of recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_speed","description":"Speed of recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_progress","description":"Progress of the resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_finish","description":"Estimated duration of resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_speed","description":"Speed of resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_progress","description":"Progress of the reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_finish","description":"Estimated duration of reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_speed","description":"Speed of reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_progress","description":"Progress of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_finish","description":"Estimated duration of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_speed","description":"Speed of the check array 
activity","type":"text","hidden":false,"required":false,"index":false},{"name":"unused_devices","description":"Unused devices","type":"text","hidden":false,"required":false,"index":false},{"name":"other","description":"Other information associated with array from /proc/mdstat","type":"text","hidden":false,"required":false,"index":false}]},{"name":"md_drives","description":"Drive devices used for Software RAID.","platforms":["linux"],"columns":[{"name":"md_device_name","description":"md device name","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_name","description":"Drive device name","type":"text","hidden":false,"required":false,"index":false},{"name":"slot","description":"Slot position of disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the drive","type":"text","hidden":false,"required":false,"index":false}]},{"name":"md_personalities","description":"Software RAID setting supported by the kernel.","platforms":["linux"],"columns":[{"name":"name","description":"Name of personality supported by kernel","type":"text","hidden":false,"required":false,"index":false}]},{"name":"mdfind","description":"Run searches against the spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file returned from spotlight","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"The query that was run to find the file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"mdls","description":"Query file metadata in the Spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the metadata key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value stored in the metadata 
key","type":"text","hidden":false,"required":false,"index":false},{"name":"valuetype","description":"CoreFoundation type of data stored in value","type":"text","hidden":true,"required":false,"index":false}]},{"name":"memory_array_mapped_addresses","description":"Data associated for address mapping of physical memory arrays.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_handle","description":"Handle of the memory array associated with this structure","type":"text","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"partition_width","description":"Number of memory devices that form a single row of memory for the address partition of this structure","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_arrays","description":"Data associated with collection of memory devices that operate to form a memory address.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the array","type":"text","hidden":false,"required":false,"index":false},{"name":"location","description":"Physical location of the memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"use","description":"Function for which the array is used","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_error_correction","description":"Primary hardware error correction or detection method 
supported","type":"text","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"Maximum capacity of array in gigabytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory_error_info_handle","description":"Handle, or instance number, associated with any error that was detected for the array","type":"text","hidden":false,"required":false,"index":false},{"name":"number_memory_devices","description":"Number of memory devices on array","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_device_mapped_addresses","description":"Data associated for address mapping of physical memory devices.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_device_handle","description":"Handle of the memory device structure associated with this structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_mapped_address_handle","description":"Handle of the memory array mapped address to which this device range is mapped to","type":"text","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"partition_row_position","description":"Identifies the position of the referenced memory device in a row of the address partition","type":"integer","hidden":false,"required":false,"index":false},{"name":"interleave_position","description":"The position of the device in a interleave, i.e. 
0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc.","type":"integer","hidden":false,"required":false,"index":false},{"name":"interleave_data_depth","description":"The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_devices","description":"Physical memory device (type 17) information retrieved from SMBIOS.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure in SMBIOS","type":"text","hidden":false,"required":false,"index":false},{"name":"array_handle","description":"The memory array that the device is attached to","type":"text","hidden":false,"required":false,"index":false},{"name":"form_factor","description":"Implementation form factor for this memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"total_width","description":"Total width, in bits, of this memory device, including any check or error-correction bits","type":"integer","hidden":false,"required":false,"index":false},{"name":"data_width","description":"Data width, in bits, of this memory device","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of memory device in Megabyte","type":"integer","hidden":false,"required":false,"index":false},{"name":"set","description":"Identifies if memory device is one of a set of devices. 
A value of 0 indicates no set affiliation.","type":"integer","hidden":false,"required":false,"index":false},{"name":"device_locator","description":"String number of the string that identifies the physically-labeled socket or board position where the memory device is located","type":"text","hidden":false,"required":false,"index":false},{"name":"bank_locator","description":"String number of the string that identifies the physically-labeled bank where the memory device is located","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_type","description":"Type of memory used","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_type_details","description":"Additional details for memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"max_speed","description":"Max speed of memory device in megatransfers per second (MT/s)","type":"integer","hidden":false,"required":false,"index":false},{"name":"configured_clock_speed","description":"Configured speed of memory device in megatransfers per second (MT/s)","type":"integer","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Manufacturer ID string","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Serial number of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"asset_tag","description":"Manufacturer specific asset tag of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"part_number","description":"Manufacturer specific serial number of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"min_voltage","description":"Minimum operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_voltage","description":"Maximum operating voltage of device in 
millivolts","type":"integer","hidden":false,"required":false,"index":false},{"name":"configured_voltage","description":"Configured operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_error_info","description":"Data associated with errors of a physical memory array.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"error_type","description":"type of error associated with current error status for array or device","type":"text","hidden":false,"required":false,"index":false},{"name":"error_granularity","description":"Granularity to which the error can be resolved","type":"text","hidden":false,"required":false,"index":false},{"name":"error_operation","description":"Memory access operation that caused the error","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_syndrome","description":"Vendor specific ECC syndrome or CRC data associated with the erroneous access","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_error_address","description":"32 bit physical address of the error based on the addressing of the bus to which the memory array is connected","type":"text","hidden":false,"required":false,"index":false},{"name":"device_error_address","description":"32 bit physical address of the error relative to the start of the failing memory address, in bytes","type":"text","hidden":false,"required":false,"index":false},{"name":"error_resolution","description":"Range, in bytes, within which this error can be determined, when an error address is given","type":"text","hidden":false,"required":false,"index":false}]},{"name":"memory_info","description":"Main memory information in bytes.","platforms":["linux"],"columns":[{"name":"memory_total","description":"Total amount of physical RAM, in 
bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_free","description":"The amount of physical RAM, in bytes, left unused by the system","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_available","description":"The amount of physical RAM, in bytes, available for starting new applications, without swapping","type":"bigint","hidden":false,"required":false,"index":false},{"name":"buffers","description":"The amount of physical RAM, in bytes, used for file buffers","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cached","description":"The amount of physical RAM, in bytes, used as cache memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_cached","description":"The amount of swap, in bytes, used as cache memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"active","description":"The total amount of buffer or page cache memory, in bytes, that is in active use","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"The total amount of buffer or page cache memory, in bytes, that are free and available","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_total","description":"The total amount of swap available, in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_free","description":"The total amount of swap free, in bytes","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"memory_map","description":"OS memory region map.","platforms":["linux"],"columns":[{"name":"name","description":"Region name","type":"text","hidden":false,"required":false,"index":false},{"name":"start","description":"Start address of memory region","type":"text","hidden":false,"required":false,"index":false},{"name":"end","description":"End address of memory 
region","type":"text","hidden":false,"required":false,"index":false}]},{"name":"mounts","description":"System mounted devices and filesystems (not process specific).","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Mounted device","type":"text","hidden":false,"required":false,"index":false},{"name":"device_alias","description":"Mounted device alias","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Mounted device path","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Mounted device type","type":"text","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Block size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Mounted device used blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_free","description":"Mounted device free blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_available","description":"Mounted device available blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Mounted device used inodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_free","description":"Mounted device free inodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"Mounted device flags","type":"text","hidden":false,"required":false,"index":false}]},{"name":"msr","description":"Various pieces of data stored in the model specific register per processor. 
NOTE: the msr kernel module must be enabled, and osquery must be run as root.","platforms":["linux"],"columns":[{"name":"processor_number","description":"The processor number as reported in /proc/cpuinfo","type":"bigint","hidden":false,"required":false,"index":false},{"name":"turbo_disabled","description":"Whether the turbo feature is disabled.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"turbo_ratio_limit","description":"The turbo feature ratio limit.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"platform_info","description":"Platform information.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"perf_ctl","description":"Performance setting for the processor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"perf_status","description":"Performance status for the processor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"feature_control","description":"Bitfield controlling enabled features.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_power_limit","description":"Run Time Average Power Limiting power limit.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_energy_status","description":"Run Time Average Power Limiting energy status.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_power_units","description":"Run Time Average Power Limiting power units.","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"nfs_shares","description":"NFS shares exported by the host.","platforms":["darwin"],"columns":[{"name":"share","description":"Filesystem path to the share","type":"text","hidden":false,"required":false,"index":false},{"name":"options","description":"Options string set on the export share","type":"text","hidden":false,"required":false,"index":false},{"name":"readonly","description":"1 if the share is exported readonly else 
0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"npm_packages","description":"Node packages installed in a system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Package-supplied description","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Package-supplied author","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","hidden":false,"required":false,"index":false},{"name":"homepage","description":"Package supplied homepage","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this module resides","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"Directory where node_modules are located","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"ntdomains","description":"Display basic NT domain information of a Windows machine.","platforms":["windows"],"columns":[{"name":"name","description":"The label by which the object is known.","type":"text","hidden":false,"required":false,"index":false},{"name":"client_site_name","description":"The name of the site where the domain controller is configured.","type":"text","hidden":false,"required":false,"index":false},{"name":"dc_site_name","description":"The name of the site where the domain controller is 
located.","type":"text","hidden":false,"required":false,"index":false},{"name":"dns_forest_name","description":"The name of the root of the DNS tree.","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_controller_address","description":"The IP Address of the discovered domain controller..","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_controller_name","description":"The name of the discovered domain controller.","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_name","description":"The name of the domain.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"The current status of the domain object.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ntfs_acl_permissions","description":"Retrieve NTFS ACL permission information for files and directories.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the file or directory.","type":"text","hidden":false,"required":true,"index":false},{"name":"type","description":"Type of access mode for the access control entry.","type":"text","hidden":false,"required":false,"index":false},{"name":"principal","description":"User or group to which the ACE applies.","type":"text","hidden":false,"required":false,"index":false},{"name":"access","description":"Specific permissions that indicate the rights described by the ACE.","type":"text","hidden":false,"required":false,"index":false},{"name":"inherited_from","description":"The inheritance policy of the ACE.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ntfs_journal_events","description":"Track time/action changes to files specified in configuration data.","platforms":["windows"],"columns":[{"name":"action","description":"Change action (Write, Delete, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category that the event originated 
from","type":"text","hidden":false,"required":false,"index":false},{"name":"old_path","description":"Old path (renames only)","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path","type":"text","hidden":false,"required":false,"index":false},{"name":"record_timestamp","description":"Journal record timestamp","type":"text","hidden":false,"required":false,"index":false},{"name":"record_usn","description":"The update sequence number that identifies the journal record","type":"text","hidden":false,"required":false,"index":false},{"name":"node_ref_number","description":"The ordinal that associates a journal record with a filename","type":"text","hidden":false,"required":false,"index":false},{"name":"parent_ref_number","description":"The ordinal that associates a journal record with a filename's parent directory","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"The drive letter identifying the source journal","type":"text","hidden":false,"required":false,"index":false},{"name":"file_attributes","description":"File attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"partial","description":"Set to 1 if either path or old_path only contains the file or folder name","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"nvram","description":"Apple NVRAM variable listing.","platforms":["darwin"],"columns":[{"name":"name","description":"Variable name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Data type (CFData, CFString, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Raw variable 
data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"oem_strings","description":"OEM defined strings retrieved from SMBIOS.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the Type 11 structure","type":"text","hidden":false,"required":false,"index":false},{"name":"number","description":"The string index of the structure","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"The value of the OEM string","type":"text","hidden":false,"required":false,"index":false}]},{"name":"office_mru","description":"View recently opened Office documents.","platforms":["windows"],"columns":[{"name":"application","description":"Associated Office application","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Office application version number","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File path","type":"text","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"Most recent opened time file was opened","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID","type":"text","hidden":false,"required":false,"index":false}]},{"name":"os_version","description":"A single row containing the operating system name and version.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Distribution or product name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Pretty, suitable for presentation, OS version","type":"text","hidden":false,"required":false,"index":false},{"name":"major","description":"Major release version","type":"integer","hidden":false,"required":false,"index":false},{"name":"minor","description":"Minor release 
version","type":"integer","hidden":false,"required":false,"index":false},{"name":"patch","description":"Optional patch release","type":"integer","hidden":false,"required":false,"index":false},{"name":"build","description":"Optional build-specific or variant string","type":"text","hidden":false,"required":false,"index":false},{"name":"platform","description":"OS Platform or ID","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_like","description":"Closely related platforms","type":"text","hidden":false,"required":false,"index":false},{"name":"codename","description":"OS version codename","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"OS Architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"The install date of the OS.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"osquery_events","description":"Information about the event publishers and subscribers.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"Event publisher or subscriber name","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the associated publisher","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Either publisher or subscriber","type":"text","hidden":false,"required":false,"index":false},{"name":"subscriptions","description":"Number of subscriptions the publisher received or subscriber used","type":"integer","hidden":false,"required":false,"index":false},{"name":"events","description":"Number of events emitted or received since osquery 
started","type":"integer","hidden":false,"required":false,"index":false},{"name":"refreshes","description":"Publisher only: number of runloop restarts","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 if the publisher or subscriber is active else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_extensions","description":"List of active osquery extensions.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"uuid","description":"The transient ID assigned for communication","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension's name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension's version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk_version","description":"osquery SDK version used to build the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the extension's Thrift connection or library path","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"SDK extension type: core, extension, or module","type":"text","hidden":false,"required":false,"index":false}]},{"name":"osquery_flags","description":"Configurable flags that modify osquery's behavior.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"Flag name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Flag type","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Flag description","type":"text","hidden":false,"required":false,"index":false},{"name":"default_value","description":"Flag default value","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Flag 
value","type":"text","hidden":false,"required":false,"index":false},{"name":"shell_only","description":"Is the flag shell only?","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_info","description":"Top level information about the running version of osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"pid","description":"Process (or thread/handle) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the system","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_id","description":"Unique, long-lived ID per instance of osquery","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"osquery toolkit version","type":"text","hidden":false,"required":false,"index":false},{"name":"config_hash","description":"Hash of the working configuration state","type":"text","hidden":false,"required":false,"index":false},{"name":"config_valid","description":"1 if the config was loaded and considered valid, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"extensions","description":"osquery extensions status","type":"text","hidden":false,"required":false,"index":false},{"name":"build_platform","description":"osquery toolkit build platform","type":"text","hidden":false,"required":false,"index":false},{"name":"build_distro","description":"osquery toolkit platform distribution name (os version)","type":"text","hidden":false,"required":false,"index":false},{"name":"start_time","description":"UNIX time in seconds when the process started","type":"integer","hidden":false,"required":false,"index":false},{"name":"watcher","description":"Process (or thread/handle) ID of optional watcher process","type":"integer","hidden":false,"required":false,"index":false},{"name":"platform_mask","description":"The osquery platform 
bitmask","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_packs","description":"Information about the current query packs that are loaded in osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"The given name for this query pack","type":"text","hidden":false,"required":false,"index":false},{"name":"platform","description":"Platforms this query is supported on","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Minimum osquery version that this query will run on","type":"text","hidden":false,"required":false,"index":false},{"name":"shard","description":"Shard restriction limit, 1-100, 0 meaning no restriction","type":"integer","hidden":false,"required":false,"index":false},{"name":"discovery_cache_hits","description":"The number of times that the discovery query used cached values since the last time the config was reloaded","type":"integer","hidden":false,"required":false,"index":false},{"name":"discovery_executions","description":"The number of times that the discovery queries have been executed since the last time the config was reloaded","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_registry","description":"List the osquery registry plugins.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"registry","description":"Name of the osquery registry","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the plugin item","type":"text","hidden":false,"required":false,"index":false},{"name":"owner_uuid","description":"Extension route UUID (0 for core)","type":"integer","hidden":false,"required":false,"index":false},{"name":"internal","description":"1 If the 
plugin is internal else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If this plugin is active else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_schedule","description":"Information about the current queries that are scheduled in osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"The given name for this query","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"The exact query to run","type":"text","hidden":false,"required":false,"index":false},{"name":"interval","description":"The interval in seconds to run this query, not an exact interval","type":"integer","hidden":false,"required":false,"index":false},{"name":"executions","description":"Number of times the query was executed","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_executed","description":"UNIX time stamp in seconds of the last completed execution","type":"bigint","hidden":false,"required":false,"index":false},{"name":"denylisted","description":"1 if the query is denylisted else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"output_size","description":"Cumulative total number of bytes generated by the resultant rows of the query","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wall_time","description":"Total wall time in seconds spent executing (deprecated), hidden=True","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wall_time_ms","description":"Total wall time in milliseconds spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_wall_time_ms","description":"Wall time in milliseconds of the latest execution","type":"bigint","hidden":false,"required":false,"index":false},{"name":"user_time","description":"Total user time in milliseconds spent 
executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_user_time","description":"User time in milliseconds of the latest execution","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_time","description":"Total system time in milliseconds spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_system_time","description":"System time in milliseconds of the latest execution","type":"bigint","hidden":false,"required":false,"index":false},{"name":"average_memory","description":"Average of the bytes of resident memory left allocated after collecting results","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_memory","description":"Resident memory in bytes left allocated after collecting results of the latest execution","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"package_bom","description":"macOS package bill of materials (BOM) file list.","platforms":["darwin"],"columns":[{"name":"filepath","description":"Package file or directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Expected user of file or directory","type":"integer","hidden":false,"required":false,"index":false},{"name":"gid","description":"Expected group of file or directory","type":"integer","hidden":false,"required":false,"index":false},{"name":"mode","description":"Expected permissions","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Timestamp the file was installed","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of package bom","type":"text","hidden":false,"required":true,"index":false}]},{"name":"package_install_history","description":"macOS package install 
history.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Label packageIdentifiers","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Label date as UNIX timestamp","type":"integer","hidden":false,"required":false,"index":false},{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package display version","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Install source: usually the installer process name","type":"text","hidden":false,"required":false,"index":false},{"name":"content_type","description":"Package content_type (optional)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"package_receipts","description":"macOS package receipt details.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Package domain identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"package_filename","description":"Filename of original .pkg file","type":"text","hidden":true,"required":false,"index":false},{"name":"version","description":"Installed package version","type":"text","hidden":false,"required":false,"index":false},{"name":"location","description":"Optional relative install path on volume","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Timestamp of install time","type":"double","hidden":false,"required":false,"index":false},{"name":"installer_name","description":"Name of installer process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of receipt plist","type":"text","hidden":false,"required":false,"index":false}]},{"name":"password_policy","description":"Password Policies for macOS.","platforms":["darwin"],"columns":[{"name":"uid","description":"User ID for the policy, -1 for policies that are 
global","type":"bigint","hidden":false,"required":false,"index":false},{"name":"policy_identifier","description":"Policy Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_content","description":"Policy content","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_description","description":"Policy description","type":"text","hidden":false,"required":false,"index":false}]},{"name":"patches","description":"Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).","platforms":["windows"],"columns":[{"name":"csname","description":"The name of the host the patch is installed on.","type":"text","hidden":false,"required":false,"index":false},{"name":"hotfix_id","description":"The KB ID of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"caption","description":"Short description of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Fuller description of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"fix_comments","description":"Additional comments about the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"installed_by","description":"The system context in which the patch as installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the patch was installed. 
Lack of a value does not indicate that the patch was not installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"installed_on","description":"The date when the patch was installed.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"pci_devices","description":"PCI devices active on the host system.","platforms":["darwin","linux"],"columns":[{"name":"pci_slot","description":"PCI Device used slot","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_class","description":"PCI Device class","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"PCI Device used driver","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"PCI Device vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded PCI Device vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"PCI Device model","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded PCI Device model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_class_id","description":"PCI Device class ID in hex format","type":"text","hidden":true,"required":false,"index":false},{"name":"pci_subclass_id","description":"PCI Device subclass in hex format","type":"text","hidden":true,"required":false,"index":false},{"name":"pci_subclass","description":"PCI Device subclass","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_vendor_id","description":"Vendor ID of PCI device subsystem","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_vendor","description":"Vendor of PCI device subsystem","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_model_id","description":"Model ID of PCI device 
subsystem","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_model","description":"Device description of PCI device subsystem","type":"text","hidden":true,"required":false,"index":false}]},{"name":"physical_disk_performance","description":"Provides provides raw data from performance counters that monitor hard or fixed disk drives on the system.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the physical disk","type":"text","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_read","description":"Average number of bytes transferred from the disk during read operations","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_write","description":"Average number of bytes transferred to the disk during write operations","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_read_queue_length","description":"Average number of read requests that were queued for the selected disk during the sample interval","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_write_queue_length","description":"Average number of write requests that were queued for the selected disk during the sample interval","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_read","description":"Average time, in seconds, of a read operation of data from the disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_write","description":"Average time, in seconds, of a write operation of data to the disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"current_disk_queue_length","description":"Number of requests outstanding on the disk at the time the performance data is collected","type":"integer","hidden":false,"required":false,"index":false},{"name":"percent_disk_read_time","description":"Percentage of elapsed time that the selected disk 
drive is busy servicing read requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_disk_write_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing write requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_disk_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing read or write requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_idle_time","description":"Percentage of time during the sample interval that the disk was idle","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"pipes","description":"Named and Anonymous pipes.","platforms":["windows"],"columns":[{"name":"pid","description":"Process ID of the process to which the pipe belongs","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the pipe","type":"text","hidden":false,"required":false,"index":false},{"name":"instances","description":"Number of instances of the named pipe","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_instances","description":"The maximum number of instances creatable for this pipe","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes","type":"text","hidden":false,"required":false,"index":false}]},{"name":"pkg_packages","description":"pkgng packages that are currently installed on the host system.","platforms":["freebsd"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"flatsize","description":"Package size in 
bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Architecture(s) supported","type":"text","hidden":false,"required":false,"index":false}]},{"name":"platform_info","description":"Information about EFI/UEFI/ROM and platform/boot.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"vendor","description":"Platform code vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Platform code version","type":"text","hidden":false,"required":false,"index":false},{"name":"date","description":"Self-reported platform code update date","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"BIOS major and minor revision","type":"text","hidden":false,"required":false,"index":false},{"name":"extra","description":"Platform-specific additional information","type":"text","hidden":false,"required":false,"index":false},{"name":"firmware_type","description":"The type of firmware (Uefi, Bios, Unknown).","type":"text","hidden":true,"required":false,"index":false},{"name":"address","description":"Relative address of firmware mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size in bytes of firmware","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_size","description":"(Optional) size of firmware volume","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"plist","description":"Read and parse a plist file.","platforms":["darwin"],"columns":[{"name":"key","description":"Preference top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"subkey","description":"Intermediate key path, includes lists/dicts","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF 
types","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"(required) read preferences from a plist","type":"text","hidden":false,"required":true,"index":false}]},{"name":"portage_keywords","description":"A summary about portage configurations like keywords, mask and unmask.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","hidden":false,"required":false,"index":false},{"name":"keyword","description":"The keyword applied to the package","type":"text","hidden":false,"required":false,"index":false},{"name":"mask","description":"If the package is masked","type":"integer","hidden":false,"required":false,"index":false},{"name":"unmask","description":"If the package is unmasked","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"portage_packages","description":"List of currently installed packages.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","hidden":false,"required":false,"index":false},{"name":"slot","description":"The slot used by package","type":"text","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Unix time when package was built","type":"bigint","hidden":false,"required":false,"index":false},{"name":"repository","description":"From which repository the ebuild was used","type":"text","hidden":false,"required":false,"index":false},{"name":"eapi","description":"The eapi for the ebuild","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the 
package","type":"bigint","hidden":false,"required":false,"index":false},{"name":"world","description":"If package is in the world file","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"portage_use","description":"List of enabled portage USE values for specific package.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version of the installed package","type":"text","hidden":false,"required":false,"index":false},{"name":"use","description":"USE flag which has been enabled for package","type":"text","hidden":false,"required":false,"index":false}]},{"name":"power_sensors","description":"Machine power (currents, voltages, wattages, etc) sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on macOS","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The sensor category: currents, voltage, wattage","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of power source","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Power in Watts","type":"text","hidden":false,"required":false,"index":false}]},{"name":"powershell_events","description":"Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was received by the osquery event publisher","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the Powershell script event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"script_block_id","description":"The unique GUID of the powershell script to which this block 
belongs","type":"text","hidden":false,"required":false,"index":false},{"name":"script_block_count","description":"The total number of script blocks for this script","type":"integer","hidden":false,"required":false,"index":false},{"name":"script_text","description":"The text content of the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"script_name","description":"The name of the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"script_path","description":"The path for the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"cosine_similarity","description":"How similar the Powershell script is to a provided 'normal' character frequency","type":"double","hidden":false,"required":false,"index":false}]},{"name":"preferences","description":"macOS defaults and managed preferences.","platforms":["darwin"],"columns":[{"name":"domain","description":"Application ID usually in com.name.product format","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Preference top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"subkey","description":"Intemediate key path, includes lists/dicts","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF types","type":"text","hidden":false,"required":false,"index":false},{"name":"forced","description":"1 if the value is forced/managed, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"username","description":"(optional) read preferences for a specific user","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"'current' or 'any' host, where 'current' takes precedence","type":"text","hidden":false,"required":false,"index":false}]},{"name":"prefetch","description":"Prefetch files show metadata related to file 
execution.","platforms":["windows"],"columns":[{"name":"path","description":"Prefetch file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Executable filename.","type":"text","hidden":false,"required":false,"index":false},{"name":"hash","description":"Prefetch CRC hash.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Most recent time application was run.","type":"integer","hidden":false,"required":false,"index":false},{"name":"other_run_times","description":"Other execution times in prefetch file.","type":"text","hidden":false,"required":false,"index":false},{"name":"run_count","description":"Number of times the application has been run.","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Application file size.","type":"integer","hidden":false,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number.","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_creation","description":"Volume creation time.","type":"text","hidden":false,"required":false,"index":false},{"name":"accessed_files_count","description":"Number of files accessed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"accessed_directories_count","description":"Number of directories accessed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"accessed_files","description":"Files accessed by application within ten seconds of launch.","type":"text","hidden":false,"required":false,"index":false},{"name":"accessed_directories","description":"Directories accessed by application within ten seconds of launch.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_envs","description":"A key/value table of environment variables for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) 
ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"key","description":"Environment variable name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Environment variable value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_events","description":"Track time/action process executions.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"File mode permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline_size","description":"Actual size (bytes) of command line arguments","type":"bigint","hidden":true,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by spaces","type":"text","hidden":true,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","hidden":true,"required":false,"index":false},{"name":"env_size","description":"Actual size (bytes) of environment list","type":"bigint","hidden":true,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID at process 
start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"File owner user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"owner_gid","description":"File owner group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"File last access in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"File modification in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"File last metadata change in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"btime","description":"File creation in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"overflows","description":"List of structures that overflowed","type":"text","hidden":true,"required":false,"index":false},{"name":"parent","description":"Process parent's PID, or -1 if cannot be determined.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"status","description":"OpenBSM Attribute: Status of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID at process start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"suid","description":"Saved user ID at process 
start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"fsgid","description":"Filesystem group ID at process start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"sgid","description":"Saved group ID at process start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"syscall","description":"Syscall name: fork, vfork, clone, execve, execveat","type":"text","hidden":true,"required":false,"index":false}]},{"name":"process_file_events","description":"A File Integrity Monitor implementation using the audit service.","platforms":["linux"],"columns":[{"name":"operation","description":"Operation type","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ppid","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"executable","description":"The executable path","type":"text","hidden":false,"required":false,"index":false},{"name":"partial","description":"True if this is a partial event (i.e.: this process existed before we started osquery)","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The current working directory of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"dest_path","description":"The canonical path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The uid of the process performing the action","type":"text","hidden":false,"required":false,"index":false},{"name":"gid","description":"The gid of the process performing the 
action","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"fsgid","description":"Filesystem group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"process_memory_map","description":"Process memory mapped files and pseudo device/regions.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"start","description":"Virtual start address (hex)","type":"text","hidden":false,"required":false,"index":false},{"name":"end","description":"Virtual end address (hex)","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"r=read, w=write, x=execute, p=private (cow)","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"Offset into mapped 
path","type":"bigint","hidden":false,"required":false,"index":false},{"name":"device","description":"MA:MI Major/minor device ID","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Mapped path inode, 0 means uninitialized (BSS)","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to mapped file or mapped type","type":"text","hidden":false,"required":false,"index":false},{"name":"pseudo","description":"1 If path is a pseudo path, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"process_namespaces","description":"Linux namespaces for processes running on the host system.","platforms":["linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_namespace","description":"cgroup namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"ipc_namespace","description":"ipc namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"mnt_namespace","description":"mnt namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"net namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_namespace","description":"pid namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"user_namespace","description":"user namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"uts_namespace","description":"uts namespace inode","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_files","description":"File descriptors for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fd","description":"Process-specific file 
descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Filesystem path of descriptor","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_pipes","description":"Pipes and partner processes for each process.","platforms":["linux"],"columns":[{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fd","description":"File descriptor","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Pipe open mode (r/w)","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Pipe inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"type","description":"Pipe Type: named vs unnamed/anonymous","type":"text","hidden":false,"required":false,"index":false},{"name":"partner_pid","description":"Process ID of partner process sharing a particular pipe","type":"bigint","hidden":false,"required":false,"index":false},{"name":"partner_fd","description":"File descriptor of shared pipe at partner's end","type":"bigint","hidden":false,"required":false,"index":false},{"name":"partner_mode","description":"Mode of shared pipe at partner's end","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_sockets","description":"Processes which have open network sockets on the system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"fd","description":"Socket file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, 
IPv6)","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Socket local address","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Socket remote address","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Socket local port","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Socket remote port","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"For UNIX sockets (family=AF_UNIX), the domain path","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"TCP socket state","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","hidden":true,"required":false,"index":false}]},{"name":"processes","description":"All running processes on the host system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executed binary","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"root","description":"Process virtual root 
directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Unsigned user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Unsigned group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Unsigned effective user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Unsigned effective group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Unsigned saved user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Unsigned saved group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"on_disk","description":"The process path exists yes=1, no=0, unknown=-1","type":"integer","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"user_time","description":"CPU time in milliseconds spent in user space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_time","description":"CPU time in milliseconds spent in kernel space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_read","description":"Bytes read from disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_written","description":"Bytes written to disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start time in seconds since Epoch, in case of error 
-1","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"elevated_token","description":"Process uses elevated token yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"secure_process","description":"Process is secure (IUM) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"protection_type","description":"The protection type of the process","type":"text","hidden":true,"required":false,"index":false},{"name":"virtual_process","description":"Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"elapsed_time","description":"Elapsed time in seconds this process has been running.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"handle_count","description":"Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"percent_processor_time","description":"Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"upid","description":"A 64bit pid that is never reused. 
Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uppid","description":"The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_type","description":"Indicates the specific processor designed for installation.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_subtype","description":"Indicates the specific processor on which an entry may be used.","type":"integer","hidden":false,"required":false,"index":false},{"name":"translated","description":"Indicates whether the process is running under the Rosetta Translation Environment, yes=1, no=0, error=-1.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_path","description":"The full hierarchical path of the process's control group","type":"text","hidden":true,"required":false,"index":false}]},{"name":"programs","description":"Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. 
Some fields may be blank as Windows installation details are left to the discretion of the product author.","platforms":["windows"],"columns":[{"name":"name","description":"Commonly used product name.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Product version information.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_location","description":"The installation location directory of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_source","description":"The installation source of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"language","description":"The language of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the product supplier.","type":"text","hidden":false,"required":false,"index":false},{"name":"uninstall_string","description":"Path and filename of the uninstaller.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Date that this product was installed on the system. 
","type":"text","hidden":false,"required":false,"index":false},{"name":"identifying_number","description":"Product identification such as a serial number on software, or a die number on a hardware chip.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"prometheus_metrics","description":"Retrieve metrics from a Prometheus server.","platforms":["darwin","linux"],"columns":[{"name":"target_name","description":"Address of prometheus target","type":"text","hidden":false,"required":false,"index":false},{"name":"metric_name","description":"Name of collected Prometheus metric","type":"text","hidden":false,"required":false,"index":false},{"name":"metric_value","description":"Value of collected Prometheus metric","type":"double","hidden":false,"required":false,"index":false},{"name":"timestamp_ms","description":"Unix timestamp of collected data in MS","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"python_packages","description":"Python packages installed in a system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this module resides","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"Directory where Python modules are 
located","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"quicklook_cache","description":"Files and thumbnails within macOS's Quicklook Cache.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of file","type":"text","hidden":false,"required":false,"index":false},{"name":"rowid","description":"Quicklook file rowid key","type":"integer","hidden":false,"required":false,"index":false},{"name":"fs_id","description":"Quicklook file fs_id key","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_id","description":"Parsed volume ID from fs_id","type":"integer","hidden":false,"required":false,"index":false},{"name":"inode","description":"Parsed file ID (inode) from fs_id","type":"integer","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Parsed version date field","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Parsed version size field","type":"bigint","hidden":false,"required":false,"index":false},{"name":"label","description":"Parsed version 'gen' field","type":"text","hidden":false,"required":false,"index":false},{"name":"last_hit_date","description":"Apple date format for last thumbnail cache hit","type":"integer","hidden":false,"required":false,"index":false},{"name":"hit_count","description":"Number of cache hits on thumbnail","type":"text","hidden":false,"required":false,"index":false},{"name":"icon_mode","description":"Thumbnail icon mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cache_path","description":"Path to cache data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"registry","description":"All of the Windows registry hives.","platforms":["windows"],"columns":[{"name":"key","description":"Name of the key to search 
for","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Full path to the value","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the registry value entry","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the registry value, or 'subkey' if item is a subkey","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data content of registry value","type":"text","hidden":false,"required":false,"index":false},{"name":"mtime","description":"timestamp of the most recent registry write","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"routes","description":"The active route table for the host system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"destination","description":"Destination IP address","type":"text","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Netmask length","type":"integer","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Route gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Route source","type":"text","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags to describe route","type":"integer","hidden":false,"required":false,"index":false},{"name":"interface","description":"Route local interface","type":"text","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Maximum Transmission Unit for the route","type":"integer","hidden":false,"required":false,"index":false},{"name":"metric","description":"Cost of route. 
Lowest is preferred","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of route","type":"text","hidden":false,"required":false,"index":false},{"name":"hopcount","description":"Max hops expected","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"rpm_package_files","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"package","description":"RPM package name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File path within the package","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"File default username from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"File default groupname from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"File permissions mode from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size in bytes from RPM info DB","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 file digest from RPM info DB","type":"text","hidden":false,"required":false,"index":false}]},{"name":"rpm_packages","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"name","description":"RPM package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"Package release","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source RPM package name (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in 
bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the package contents","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"Architecture(s) supported","type":"text","hidden":false,"required":false,"index":false},{"name":"epoch","description":"Package epoch value","type":"integer","hidden":false,"required":false,"index":false},{"name":"install_time","description":"When the package was installed","type":"integer","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Package vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"package_group","description":"Package group","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"running_apps","description":"macOS applications currently running on the host system.","platforms":["darwin"],"columns":[{"name":"pid","description":"The pid of the application","type":"integer","hidden":false,"required":false,"index":false},{"name":"bundle_identifier","description":"The bundle identifier of the application","type":"text","hidden":false,"required":false,"index":false},{"name":"is_active","description":"1 if the application is in focus, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"safari_extensions","description":"Safari browser extension details for all users.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension display 
name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension long version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Bundle SDK used to compile extension","type":"text","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Optional developer identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional extension description text","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension XAR bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sandboxes","description":"macOS application sandboxes container details.","platforms":["darwin"],"columns":[{"name":"label","description":"UTI-format bundle or label ID","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"Sandbox owner","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Application sandboxings enabled on container","type":"integer","hidden":false,"required":false,"index":false},{"name":"build_id","description":"Sandbox-specific identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"Application bundle used by the sandbox","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to sandbox container directory","type":"text","hidden":false,"required":false,"index":false}]},{"name":"scheduled_tasks","description":"Lists all 
of the tasks in the Windows task scheduler.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Actions executed by the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the executable to be run","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether or not the scheduled task is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"hidden","description":"Whether or not the task is visible in the UI","type":"integer","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Timestamp the task last ran","type":"bigint","hidden":false,"required":false,"index":false},{"name":"next_run_time","description":"Timestamp the task is scheduled to run next","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_run_message","description":"Exit status message of the last task run","type":"text","hidden":false,"required":false,"index":false},{"name":"last_run_code","description":"Exit status code of the last task run","type":"text","hidden":false,"required":false,"index":false}]},{"name":"screenlock","description":"macOS screenlock status. Note: only fetches results for osquery's current logged-in user context. The user must also have recently logged in.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 If a password is required after sleep or the screensaver begins; else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"grace_period","description":"The amount of time in seconds the screen must be asleep or the screensaver on before a password is required on-wake. 
0 = immediately; -1 = no password is required on-wake","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"seccomp_events","description":"A virtual table that tracks seccomp events.","platforms":["linux"],"columns":[{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID (loginuid) of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"ses","description":"Session ID of the session from which the analyzed process was invoked","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"exe","description":"The path to the executable that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"sig","description":"Signal value sent to process by seccomp","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Information about the CPU architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"syscall","description":"Type of the system 
call","type":"text","hidden":false,"required":false,"index":false},{"name":"compat","description":"Is system call in compatibility mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ip","description":"Instruction pointer value","type":"text","hidden":false,"required":false,"index":false},{"name":"code","description":"The seccomp action","type":"text","hidden":false,"required":false,"index":false}]},{"name":"secureboot","description":"Secure Boot UEFI Settings.","platforms":["linux","windows"],"columns":[{"name":"secure_boot","description":"Whether secure boot is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"setup_mode","description":"Whether setup mode is enabled","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"selinux_events","description":"Track SELinux events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Message","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"selinux_settings","description":"Track active SELinux settings.","platforms":["linux"],"columns":[{"name":"scope","description":"Where the key is located inside the SELinuxFS mount point.","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Key or class name.","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Active value.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"services","description":"Lists all installed 
Windows services and their relevant data.","platforms":["windows"],"columns":[{"name":"name","description":"Service name","type":"text","hidden":false,"required":false,"index":false},{"name":"service_type","description":"Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)","type":"text","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Service Display name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"the Process ID of the service","type":"integer","hidden":false,"required":false,"index":false},{"name":"start_type","description":"Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED","type":"text","hidden":false,"required":false,"index":false},{"name":"win32_exit_code","description":"The error code that the service uses to report an error that occurs when it is starting or stopping","type":"integer","hidden":false,"required":false,"index":false},{"name":"service_exit_code","description":"The service-specific error code that the service returns when an error occurs while the service is starting or stopping","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Service Executable","type":"text","hidden":false,"required":false,"index":false},{"name":"module_path","description":"Path to ServiceDll","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Service Description","type":"text","hidden":false,"required":false,"index":false},{"name":"user_account","description":"The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\\UserName. 
If the account belongs to the built-in domain, the name can be of the form .\\UserName.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shadow","description":"Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.","platforms":["linux"],"columns":[{"name":"password_status","description":"Password status","type":"text","hidden":false,"required":false,"index":false},{"name":"hash_alg","description":"Password hashing algorithm","type":"text","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Date of last password change (starting from UNIX epoch date)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimal number of days between password changes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum number of days between password changes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"warning","description":"Number of days before password expires to warn user about it","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Number of days after password expires until account is blocked","type":"bigint","hidden":false,"required":false,"index":false},{"name":"expire","description":"Number of days since UNIX epoch date until account is disabled","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flag","description":"Reserved","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shared_folders","description":"Folders available to others via SMB or AFP.","platforms":["darwin"],"columns":[{"name":"name","description":"The shared name of the folder as it appears to other 
users","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute path of shared folder on the local system","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shared_memory","description":"OS shared memory regions.","platforms":["linux"],"columns":[{"name":"shmid","description":"Shared memory segment ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"User ID of owning process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creator_uid","description":"User ID of creator process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID to last use the segment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creator_pid","description":"Process ID that created the segment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"Attached time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"dtime","description":"Detached time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Changed time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Memory segment permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"attached","description":"Number of attached processes","type":"integer","hidden":false,"required":false,"index":false},{"name":"status","description":"Destination/attach status","type":"text","hidden":false,"required":false,"index":false},{"name":"locked","description":"1 if segment is locked else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shared_resources","description":"Displays shared resources on a computer system running Windows. 
This may be a disk drive, printer, interprocess communication, or other sharable device.","platforms":["windows"],"columns":[{"name":"description","description":"A textual description of the object","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"String that indicates the current status of the object.","type":"text","hidden":false,"required":false,"index":false},{"name":"allow_maximum","description":"Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.","type":"integer","hidden":false,"required":false,"index":false},{"name":"maximum_allowed","description":"Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Alias given to a path set up as a share on a computer system running Windows.","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Local path of the Windows share.","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of resource being shared. 
Types include: disk drives, print queues, interprocess communications (IPC), and general devices.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"type_name","description":"Human readable value for the 'type' column","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sharing_preferences","description":"macOS Sharing preferences.","platforms":["darwin"],"columns":[{"name":"screen_sharing","description":"1 If screen sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"file_sharing","description":"1 If file sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"printer_sharing","description":"1 If printer sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_login","description":"1 If remote login is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_management","description":"1 If remote management is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_apple_events","description":"1 If remote apple events are enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"internet_sharing","description":"1 If internet sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"bluetooth_sharing","description":"1 If bluetooth sharing is enabled for any user else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"disc_sharing","description":"1 If CD or DVD sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"content_caching","description":"1 If content caching is enabled else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shell_history","description":"A line-delimited (command) table of per-user .*_history 
data.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"Shell history owner","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp. It could be absent, default value is 0.","type":"integer","hidden":false,"required":false,"index":false},{"name":"command","description":"Unparsed date/line/command history line","type":"text","hidden":false,"required":false,"index":false},{"name":"history_file","description":"Path to the .*_history for this user","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shellbags","description":"Shows directories accessed via Windows Explorer.","platforms":["windows"],"columns":[{"name":"sid","description":"User SID","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Shellbags source Registry file","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Directory name.","type":"text","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Directory Modified time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"created_time","description":"Directory Created time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"accessed_time","description":"Directory Accessed time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_entry","description":"Directory master file table entry.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_sequence","description":"Directory master file table sequence.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shimcache","description":"Application Compatibility Cache, contains artifacts of execution.","platforms":["windows"],"columns":[{"name":"entry","description":"Execution order.","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to 
the executed file.","type":"text","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"File Modified time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"execution_flag","description":"Boolean Execution flag, 1 for execution, 0 for no execution, -1 for missing (this flag does not exist on Windows 10 and higher).","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"signature","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["darwin"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"hash_resources","description":"Set to 1 to also hash resources, or 0 otherwise. Default is 1","type":"integer","hidden":false,"required":false,"index":false},{"name":"arch","description":"If applicable, the arch of the signed code","type":"text","hidden":false,"required":false,"index":false},{"name":"signed","description":"1 If the file is signed else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"identifier","description":"The signing identifier sealed into the signature","type":"text","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Hash of the application Code Directory","type":"text","hidden":false,"required":false,"index":false},{"name":"team_identifier","description":"The team signing identifier sealed into the signature","type":"text","hidden":false,"required":false,"index":false},{"name":"authority","description":"Certificate Common Name","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sip_config","description":"Apple's System Integrity Protection (rootless) status.","platforms":["darwin"],"columns":[{"name":"config_flag","description":"The System Integrity Protection config flag","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if 
this configuration is enabled, otherwise 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"enabled_nvram","description":"1 if this configuration is enabled, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"smbios_tables","description":"BIOS (DMI) structure common details and content.","platforms":["darwin","linux"],"columns":[{"name":"number","description":"Table entry number","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Table entry type","type":"integer","hidden":false,"required":false,"index":false},{"name":"description","description":"Table entry description","type":"text","hidden":false,"required":false,"index":false},{"name":"handle","description":"Table entry handle","type":"integer","hidden":false,"required":false,"index":false},{"name":"header_size","description":"Header size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Table entry size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"smc_keys","description":"Apple's system management controller keys.","platforms":["darwin"],"columns":[{"name":"key","description":"4-character key","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"SMC-reported type literal type","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Reported size of data in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"A type-encoded representation of the key value","type":"text","hidden":false,"required":false,"index":false},{"name":"hidden","description":"1 if this key is normally hidden, otherwise 
0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"socket_events","description":"Track network socket opens and closes.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"The socket action (bind, listen, close)","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"status","description":"Either 'succeeded', 'failed', 'in_progress' (connect() on non-blocking socket) or 'no_client' (null accept() on non-blocking socket)","type":"text","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","hidden":true,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"socket","description":"The local path (UNIX domain socket only)","type":"text","hidden":true,"required":false,"index":false},{"name":"time","description":"Time of 
execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"success","description":"Deprecated. Use the 'status' column instead","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"ssh_configs","description":"A table of parsed ssh_configs.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local owner of the ssh_config file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block","description":"The host or match block","type":"text","hidden":false,"required":false,"index":false},{"name":"option","description":"The option and value","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_config_file","description":"Path to the ssh_config file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"startup_items","description":"Applications and binaries set as user/login startup items.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Name of startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"args","description":"Arguments provided to startup executable","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Startup Item or Login Item","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Directory or plist containing startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Startup status; either enabled or 
disabled","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"The user associated with the startup item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sudoers","description":"Rules for running commands as other users via sudo.","platforms":["darwin","linux"],"columns":[{"name":"source","description":"Source file containing the given rule","type":"text","hidden":false,"required":false,"index":false},{"name":"header","description":"Symbol for given rule","type":"text","hidden":false,"required":false,"index":false},{"name":"rule_details","description":"Rule definition","type":"text","hidden":false,"required":false,"index":false}]},{"name":"suid_bin","description":"suid binaries in common locations.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Binary path","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Binary owner username","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Binary owner group","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Binary permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"syslog_events","description":"","platforms":["linux"],"columns":[{"name":"time","description":"Current unix epoch time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Time known to syslog","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"Hostname configured for syslog","type":"text","hidden":false,"required":false,"index":false},{"name":"severity","description":"Syslog 
severity","type":"integer","hidden":false,"required":false,"index":false},{"name":"facility","description":"Syslog facility","type":"text","hidden":false,"required":false,"index":false},{"name":"tag","description":"The syslog tag","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"The syslog message","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"system_controls","description":"sysctl names, values, and settings information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Full sysctl MIB name","type":"text","hidden":false,"required":false,"index":false},{"name":"oid","description":"Control MIB","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem","description":"Subsystem ID, control type","type":"text","hidden":false,"required":false,"index":false},{"name":"current_value","description":"Value of setting","type":"text","hidden":false,"required":false,"index":false},{"name":"config_value","description":"The MIB value set in /etc/sysctl.conf","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Data type","type":"text","hidden":false,"required":false,"index":false},{"name":"field_name","description":"Specific attribute of opaque type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"system_extensions","description":"macOS (>= 10.15) system extension table.","platforms":["darwin"],"columns":[{"name":"path","description":"Original path of system extension","type":"text","hidden":false,"required":false,"index":false},{"name":"UUID","description":"Extension unique id","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"System extension state","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Identifier 
name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"System extension version","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"System extension category","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"System extension bundle path","type":"text","hidden":false,"required":false,"index":false},{"name":"team","description":"Signing team ID","type":"text","hidden":false,"required":false,"index":false},{"name":"mdm_managed","description":"1 if managed by MDM system extension payload configuration, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"system_info","description":"System information for identification.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"hostname","description":"Network hostname including domain","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the system","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_type","description":"CPU type","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_subtype","description":"CPU subtype","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_brand","description":"CPU brand string, contains vendor and model","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_physical_cores","description":"Number of physical CPU cores in to the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_logical_cores","description":"Number of logical CPU cores available to the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_microcode","description":"Microcode version","type":"text","hidden":false,"required":false,"index":false},{"name":"physical_memory","description":"Total physical memory in 
bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hardware_vendor","description":"Hardware vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hardware model","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_version","description":"Hardware version","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_serial","description":"Device serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"board_vendor","description":"Board vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"board_model","description":"Board model","type":"text","hidden":false,"required":false,"index":false},{"name":"board_version","description":"Board version","type":"text","hidden":false,"required":false,"index":false},{"name":"board_serial","description":"Board serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Friendly computer name (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Local hostname (optional)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"systemd_units","description":"Track systemd units.","platforms":["linux"],"columns":[{"name":"id","description":"Unique unit identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Unit description","type":"text","hidden":false,"required":false,"index":false},{"name":"load_state","description":"Reflects whether the unit definition was properly loaded","type":"text","hidden":false,"required":false,"index":false},{"name":"active_state","description":"The high-level unit activation state, i.e. 
generalization of SUB","type":"text","hidden":false,"required":false,"index":false},{"name":"sub_state","description":"The low-level unit activation state, values depend on unit type","type":"text","hidden":false,"required":false,"index":false},{"name":"following","description":"The name of another unit that this unit follows in state","type":"text","hidden":false,"required":false,"index":false},{"name":"object_path","description":"The object path for this unit","type":"text","hidden":false,"required":false,"index":false},{"name":"job_id","description":"Next queued job id","type":"bigint","hidden":false,"required":false,"index":false},{"name":"job_type","description":"Job type","type":"text","hidden":false,"required":false,"index":false},{"name":"job_path","description":"The object path for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"fragment_path","description":"The unit file path this unit was read from, if there is any","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"The configured user, if any","type":"text","hidden":false,"required":false,"index":false},{"name":"source_path","description":"Path to the (possibly generated) unit configuration file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"temperature_sensors","description":"Machine's temperature sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on macOS","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of temperature source","type":"text","hidden":false,"required":false,"index":false},{"name":"celsius","description":"Temperature in Celsius","type":"double","hidden":false,"required":false,"index":false},{"name":"fahrenheit","description":"Temperature in Fahrenheit","type":"double","hidden":false,"required":false,"index":false}]},{"name":"time","description":"Track current date and time in 
UTC.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"weekday","description":"Current weekday in UTC","type":"text","hidden":false,"required":false,"index":false},{"name":"year","description":"Current year in UTC","type":"integer","hidden":false,"required":false,"index":false},{"name":"month","description":"Current month in UTC","type":"integer","hidden":false,"required":false,"index":false},{"name":"day","description":"Current day in UTC","type":"integer","hidden":false,"required":false,"index":false},{"name":"hour","description":"Current hour in UTC","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Current minutes in UTC","type":"integer","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Current seconds in UTC","type":"integer","hidden":false,"required":false,"index":false},{"name":"timezone","description":"Timezone for reported time (hardcoded to UTC)","type":"text","hidden":false,"required":false,"index":false},{"name":"local_timezone","description":"Current local timezone in of the system","type":"text","hidden":false,"required":false,"index":false},{"name":"unix_time","description":"Current UNIX time in UTC","type":"integer","hidden":false,"required":false,"index":false},{"name":"timestamp","description":"Current timestamp (log format) in UTC","type":"text","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Current date and time (ISO format) in UTC","type":"text","hidden":false,"required":false,"index":false},{"name":"iso_8601","description":"Current time (ISO format) in UTC","type":"text","hidden":false,"required":false,"index":false},{"name":"win_timestamp","description":"Timestamp value in 100 nanosecond units","type":"bigint","hidden":true,"required":false,"index":false}]},{"name":"time_machine_backups","description":"Backups to drives using 
TimeMachine.","platforms":["darwin"],"columns":[{"name":"destination_id","description":"Time Machine destination ID","type":"text","hidden":false,"required":false,"index":false},{"name":"backup_date","description":"Backup Date","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"time_machine_destinations","description":"Locations backed up to using Time Machine.","platforms":["darwin"],"columns":[{"name":"alias","description":"Human readable name of drive","type":"text","hidden":false,"required":false,"index":false},{"name":"destination_id","description":"Time Machine destination ID","type":"text","hidden":false,"required":false,"index":false},{"name":"consistency_scan_date","description":"Consistency scan date","type":"integer","hidden":false,"required":false,"index":false},{"name":"root_volume_uuid","description":"Root UUID of backup volume","type":"text","hidden":false,"required":false,"index":false},{"name":"bytes_available","description":"Bytes available on volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"bytes_used","description":"Bytes used on volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"encryption","description":"Last known encrypted state","type":"text","hidden":false,"required":false,"index":false}]},{"name":"tpm_info","description":"A table that lists the TPM related information.","platforms":["windows"],"columns":[{"name":"activated","description":"TPM is activated","type":"integer","hidden":false,"required":false,"index":false},{"name":"enabled","description":"TPM is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"owned","description":"TPM is owned","type":"integer","hidden":false,"required":false,"index":false},{"name":"manufacturer_version","description":"TPM version","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer_id","description":"TPM manufacturers 
ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"manufacturer_name","description":"TPM manufacturers name","type":"text","hidden":false,"required":false,"index":false},{"name":"product_name","description":"Product name of the TPM","type":"text","hidden":false,"required":false,"index":false},{"name":"physical_presence_version","description":"Version of the Physical Presence Interface","type":"text","hidden":false,"required":false,"index":false},{"name":"spec_version","description":"Trusted Computing Group specification that the TPM supports","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ulimit_info","description":"System resource usage limits.","platforms":["darwin","linux"],"columns":[{"name":"type","description":"System resource to be limited","type":"text","hidden":false,"required":false,"index":false},{"name":"soft_limit","description":"Current limit value","type":"text","hidden":false,"required":false,"index":false},{"name":"hard_limit","description":"Maximum limit value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"unified_log","description":"Queries the OSLog framework for entries in the system log. The maximum number of rows returned is limited for performance issues. This table introduces a new idiom for extracting sequential data in batches using multiple queries, ordered by timestamp. 
To trigger it, the user should include the condition \"timestamp > -1\", and the table will handle pagination.","platforms":["darwin"],"columns":[{"name":"timestamp","description":"unix timestamp associated with the entry","type":"bigint","hidden":false,"required":false,"index":false},{"name":"storage","description":"the storage category for the entry","type":"integer","hidden":false,"required":false,"index":false},{"name":"message","description":"composed message","type":"text","hidden":false,"required":false,"index":false},{"name":"activity","description":"the activity ID associate with the entry","type":"bigint","hidden":false,"required":false,"index":false},{"name":"process","description":"the name of the process that made the entry","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"the pid of the process that made the entry","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sender","description":"the name of the binary image that made the entry","type":"text","hidden":false,"required":false,"index":false},{"name":"tid","description":"the tid of the thread that made the entry","type":"bigint","hidden":false,"required":false,"index":false},{"name":"category","description":"the category of the os_log_t used","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem","description":"the subsystem of the os_log_t used","type":"text","hidden":false,"required":false,"index":false},{"name":"level","description":"the severity level of the entry","type":"text","hidden":false,"required":false,"index":false},{"name":"max_rows","description":"the max number of rows returned (defaults to 100)","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"uptime","description":"Track time passed since last boot. 
Some systems track this as calendar time, some as runtime.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"days","description":"Days of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"hours","description":"Hours of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Minutes of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Seconds of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"total_seconds","description":"Total uptime seconds","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"usb_devices","description":"USB devices that are actively plugged into the host system.","platforms":["darwin","linux"],"columns":[{"name":"usb_address","description":"USB Device used address","type":"integer","hidden":false,"required":false,"index":false},{"name":"usb_port","description":"USB Device used port","type":"integer","hidden":false,"required":false,"index":false},{"name":"vendor","description":"USB Device vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded USB Device vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"USB Device version number","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"USB Device model string","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded USB Device model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"USB Device serial connection","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"USB Device class","type":"text","hidden":false,"required":false,"index":false},{"name":"subclass","description":"USB Device 
subclass","type":"text","hidden":false,"required":false,"index":false},{"name":"protocol","description":"USB Device protocol","type":"text","hidden":false,"required":false,"index":false},{"name":"removable","description":"1 If USB device is removable else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"user_events","description":"Track user events from the audit framework.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the event","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"The file description for the process socket","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Supplied path from event","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"The Internet protocol address or family ID","type":"text","hidden":false,"required":false,"index":false},{"name":"terminal","description":"The network protocol ID","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"user_groups","description":"Local system user group relationships.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"User 
ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"user_interaction_events","description":"Track user interaction events from macOS' event tapping framework.","platforms":["darwin"],"columns":[{"name":"time","description":"Time","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"user_ssh_keys","description":"Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local user that owns the key file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to key file","type":"text","hidden":false,"required":false,"index":false},{"name":"encrypted","description":"1 if key is encrypted, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"key_type","description":"The type of the private key. 
One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string.","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"userassist","description":"UserAssist Registry Key tracks when a user executes an application from Windows Explorer.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of times the application has been executed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"users","description":"Local user accounts (including domain accounts that have logged on locally (Windows)).","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID (unsigned)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid_signed","description":"User ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"Default group ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional user description","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"User's home directory","type":"text","hidden":false,"required":false,"index":false},{"name":"shell","description":"User's 
configured default shell","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"User's UUID (Apple) or SID (Windows)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Whether the account is roaming (domain), local, or a system profile","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"video_info","description":"Retrieve video card information of the machine.","platforms":["windows"],"columns":[{"name":"color_depth","description":"The amount of bits per pixel to represent color.","type":"integer","hidden":false,"required":false,"index":false},{"name":"driver","description":"The driver of the device.","type":"text","hidden":false,"required":false,"index":false},{"name":"driver_date","description":"The date listed on the installed driver.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"driver_version","description":"The version of the installed driver.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"series","description":"The series of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"video_mode","description":"The current resolution of the display.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"virtual_memory_info","description":"Darwin Virtual Memory statistics.","platforms":["darwin"],"columns":[{"name":"free","description":"Total number of free 
pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"active","description":"Total number of active pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Total number of inactive pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"speculative","description":"Total number of speculative pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"throttled","description":"Total number of throttled pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wired","description":"Total number of wired down pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"purgeable","description":"Total number of purgeable pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"faults","description":"Total number of calls to vm_faults.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"copy","description":"Total number of copy-on-write pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"zero_fill","description":"Total number of zero filled pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"reactivated","description":"Total number of reactivated pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"purged","description":"Total number of purged pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"file_backed","description":"Total number of file backed pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"anonymous","description":"Total number of anonymous pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uncompressed","description":"Total number of uncompressed pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"compressor","description":"The number of pages used to store 
compressed VM pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"decompressed","description":"The total number of pages that have been decompressed by the VM compressor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"compressed","description":"The total number of pages that have been compressed by the VM compressor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"page_ins","description":"The total number of requests for pages from a pager.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"page_outs","description":"Total number of pages paged out.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_ins","description":"The total number of compressed pages that have been swapped out to disk.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_outs","description":"The total number of compressed pages that have been swapped back in from disk.","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"wifi_networks","description":"macOS known/remembered Wi-Fi networks list.","platforms":["darwin"],"columns":[{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","hidden":false,"required":false,"index":false},{"name":"last_connected","description":"Last time this network was connected to as a unix_time","type":"integer","hidden":true,"required":false,"index":false},{"name":"passpoint","description":"1 if Passpoint is supported, 0 otherwise","type":"integer","hidden":true,"required":false,"index":false},{"name":"possibly_hidden","description":"1 if network is possibly a hidden network, 0 
otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"roaming","description":"1 if roaming is supported, 0 otherwise","type":"integer","hidden":true,"required":false,"index":false},{"name":"roaming_profile","description":"Describe the roaming profile, usually one of Single, Dual or Multi","type":"text","hidden":false,"required":false,"index":false},{"name":"auto_login","description":"1 if auto login is enabled, 0 otherwise","type":"integer","hidden":true,"required":false,"index":false},{"name":"temporarily_disabled","description":"1 if this network is temporarily disabled, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 if this network is disabled, 0 otherwise","type":"integer","hidden":true,"required":false,"index":false},{"name":"add_reason","description":"Shows why this network was added, via menubar or command line or something else ","type":"text","hidden":false,"required":false,"index":false},{"name":"added_at","description":"Time this network was added as a unix_time","type":"integer","hidden":false,"required":false,"index":false},{"name":"captive_portal","description":"1 if this network has a captive portal, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"captive_login_date","description":"Time this network logged in to a captive portal as unix_time","type":"integer","hidden":false,"required":false,"index":false},{"name":"was_captive_network","description":"1 if this network was previously a captive network, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"auto_join","description":"1 if this network set to join automatically, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"personal_hotspot","description":"1 if this network is a personal hotspot, 0 
otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"wifi_status","description":"macOS current WiFi status.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name of the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication (dbm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement (dBm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","hidden":false,"required":false,"index":false},{"name":"transmit_rate","description":"The current transmit rate","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"The current operating mode for the Wi-Fi interface","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wifi_survey","description":"Scan for nearby WiFi networks.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name 
of the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication (dbm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement (dBm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"winbaseobj","description":"Lists named Windows objects in the default object directories, across all terminal services sessions. 
Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.","platforms":["windows"],"columns":[{"name":"session_id","description":"Terminal Services Session Id","type":"integer","hidden":false,"required":false,"index":false},{"name":"object_name","description":"Object Name","type":"text","hidden":false,"required":false,"index":false},{"name":"object_type","description":"Object Type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_crashes","description":"Extracted information from Windows crash logs (Minidumps).","platforms":["windows"],"columns":[{"name":"datetime","description":"Timestamp (log format) of the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"module","description":"Path of the crashed module within the process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the executable file for the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID of the crashed thread","type":"bigint","hidden":false,"required":false,"index":false},{"name":"version","description":"File version info of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"process_uptime","description":"Uptime of the process in seconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Multiple stack frames from the stack trace","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_code","description":"The Windows exception code","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_message","description":"The NTSTATUS error message associated with the exception 
code","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_address","description":"Address (in hex) where the exception occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"The values of the system registers","type":"text","hidden":false,"required":false,"index":false},{"name":"command_line","description":"Command-line string passed to the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"current_directory","description":"Current working directory of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Username of the user who ran the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"machine_name","description":"Name of the machine where the crash happened","type":"text","hidden":false,"required":false,"index":false},{"name":"major_version","description":"Windows major version of the machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"minor_version","description":"Windows minor version of the machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"build_number","description":"Windows build number of the crashing machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of crash log","type":"text","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Path of the log file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_eventlog","description":"Table for querying all recorded Windows event logs.","platforms":["windows"],"columns":[{"name":"channel","description":"Source or channel of the event","type":"text","hidden":false,"required":true,"index":false},{"name":"datetime","description":"System time at which the event 
occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"level","description":"Severity level associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID which emitted the event record","type":"integer","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID which emitted the event record","type":"integer","hidden":false,"required":false,"index":false},{"name":"time_range","description":"System time to selectively filter the events","type":"text","hidden":true,"required":false,"index":false},{"name":"timestamp","description":"Timestamp to selectively filter the events","type":"text","hidden":true,"required":false,"index":false},{"name":"xpath","description":"The custom query to filter events","type":"text","hidden":true,"required":true,"index":false}]},{"name":"windows_events","description":"Windows Event logs.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was 
received","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source or channel of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"level","description":"The severity level associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"windows_firewall_rules","description":"Provides the list of Windows firewall rules.","platforms":["windows"],"columns":[{"name":"name","description":"Friendly name of the rule","type":"text","hidden":false,"required":false,"index":false},{"name":"app_name","description":"Friendly name of the application to which the rule applies","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Action for the rule or default 
setting","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if the rule is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"grouping","description":"Group to which an individual rule belongs","type":"text","hidden":false,"required":false,"index":false},{"name":"direction","description":"Direction of traffic for which the rule applies","type":"text","hidden":false,"required":false,"index":false},{"name":"protocol","description":"IP protocol of the rule","type":"text","hidden":false,"required":false,"index":false},{"name":"local_addresses","description":"Local addresses for the rule","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_addresses","description":"Remote addresses for the rule","type":"text","hidden":false,"required":false,"index":false},{"name":"local_ports","description":"Local ports for the rule","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_ports","description":"Remote ports for the rule","type":"text","hidden":false,"required":false,"index":false},{"name":"icmp_types_codes","description":"ICMP types and codes for the rule","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_domain","description":"1 if the rule profile type is domain","type":"integer","hidden":false,"required":false,"index":false},{"name":"profile_private","description":"1 if the rule profile type is private","type":"integer","hidden":false,"required":false,"index":false},{"name":"profile_public","description":"1 if the rule profile type is public","type":"integer","hidden":false,"required":false,"index":false},{"name":"service_name","description":"Service name property of the application","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_optional_features","description":"Lists names and installation states of windows features. 
Maps to Win32_OptionalFeature WMI class.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the feature","type":"text","hidden":false,"required":false,"index":false},{"name":"caption","description":"Caption of feature in settings UI","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Installation state value. 1 == Enabled, 2 == Disabled, 3 == Absent","type":"integer","hidden":false,"required":false,"index":false},{"name":"statename","description":"Installation state name. 'Enabled','Disabled','Absent'","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_security_center","description":"The health status of Window Security features. Health values can be \"Good\", \"Poor\". \"Snoozed\", \"Not Monitored\", and \"Error\".","platforms":["windows"],"columns":[{"name":"firewall","description":"The health of the monitored Firewall (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"The health of the Windows Autoupdate feature","type":"text","hidden":false,"required":false,"index":false},{"name":"antivirus","description":"The health of the monitored Antivirus solution (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"antispyware","description":"Deprecated (always 'Good').","type":"text","hidden":true,"required":false,"index":false},{"name":"internet_settings","description":"The health of the Internet Settings","type":"text","hidden":false,"required":false,"index":false},{"name":"windows_security_center_service","description":"The health of the Windows Security Center Service","type":"text","hidden":false,"required":false,"index":false},{"name":"user_account_control","description":"The health of the User Account Control (UAC) capability in 
Windows","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_security_products","description":"Enumeration of registered Windows security products.","platforms":["windows"],"columns":[{"name":"type","description":"Type of security product","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of product","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"State of protection","type":"text","hidden":false,"required":false,"index":false},{"name":"state_timestamp","description":"Timestamp for the product state","type":"text","hidden":false,"required":false,"index":false},{"name":"remediation_path","description":"Remediation path","type":"text","hidden":false,"required":false,"index":false},{"name":"signatures_up_to_date","description":"1 if product signatures are up to date, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"windows_update_history","description":"Provides the history of the windows update events.","platforms":["windows"],"columns":[{"name":"client_app_id","description":"Identifier of the client application that processed an update","type":"text","hidden":false,"required":false,"index":false},{"name":"date","description":"Date and the time an update was applied","type":"bigint","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of an update","type":"text","hidden":false,"required":false,"index":false},{"name":"hresult","description":"HRESULT value that is returned from the operation on an update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"operation","description":"Operation on an update","type":"text","hidden":false,"required":false,"index":false},{"name":"result_code","description":"Result of an operation on an update","type":"text","hidden":false,"required":false,"index":false},{"name":"server_selection","description":"Value that 
indicates which server provided an update","type":"text","hidden":false,"required":false,"index":false},{"name":"service_id","description":"Service identifier of an update service that is not a Windows update","type":"text","hidden":false,"required":false,"index":false},{"name":"support_url","description":"Hyperlink to the language-specific support information for an update","type":"text","hidden":false,"required":false,"index":false},{"name":"title","description":"Title of an update","type":"text","hidden":false,"required":false,"index":false},{"name":"update_id","description":"Revision-independent identifier of an update","type":"text","hidden":false,"required":false,"index":false},{"name":"update_revision","description":"Revision number of an update","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"wmi_bios_info","description":"Lists important information from the system bios.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the Bios setting","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the Bios setting","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_cli_event_consumers","description":"WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique name of a consumer.","type":"text","hidden":false,"required":false,"index":false},{"name":"command_line_template","description":"Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.","type":"text","hidden":false,"required":false,"index":false},{"name":"executable_path","description":"Module to execute. 
The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_event_filters","description":"Lists WMI event filters.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier of an event filter.","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.","type":"text","hidden":false,"required":false,"index":false},{"name":"query_language","description":"Query language that the query is written in.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_filter_consumer_binding","description":"Lists the relationship between event consumers and filters.","platforms":["windows"],"columns":[{"name":"consumer","description":"Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.","type":"text","hidden":false,"required":false,"index":false},{"name":"filter","description":"Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be 
received.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_script_event_consumers","description":"WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier for the event consumer. ","type":"text","hidden":false,"required":false,"index":false},{"name":"scripting_engine","description":"Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.","type":"text","hidden":false,"required":false,"index":false},{"name":"script_file_name","description":"Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.","type":"text","hidden":false,"required":false,"index":false},{"name":"script_text","description":"Text of the script that is expressed in a language known to the scripting engine. 
This property must be NULL if the ScriptFileName property is not NULL.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"xprotect_entries","description":"Database of the machine's XProtect signatures.","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","hidden":false,"required":false,"index":false},{"name":"launch_type","description":"Launch services content type","type":"text","hidden":false,"required":false,"index":false},{"name":"identity","description":"XProtect identity (SHA1) of content","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Use this file name to match","type":"text","hidden":false,"required":false,"index":false},{"name":"filetype","description":"Use this file type to match","type":"text","hidden":false,"required":false,"index":false},{"name":"optional","description":"Match any of the identities/patterns for this XProtect name","type":"integer","hidden":false,"required":false,"index":false},{"name":"uses_pattern","description":"Uses a match pattern instead of identity","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"xprotect_meta","description":"Database of the machine's XProtect browser-related signatures.","platforms":["darwin"],"columns":[{"name":"identifier","description":"Browser plugin or extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Either plugin or extension","type":"text","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Developer identity (SHA1) of 
extension","type":"text","hidden":false,"required":false,"index":false},{"name":"min_version","description":"The minimum allowed plugin version.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"xprotect_reports","description":"Database of XProtect matches (if user generated/sent an XProtect report).","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","hidden":false,"required":false,"index":false},{"name":"user_action","description":"Action taken by user after prompted","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Quarantine alert time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"yara","description":"Track YARA matches for files or PIDs.","platforms":["darwin","linux","windows"],"columns":[{"name":"path","description":"The path scanned","type":"text","hidden":false,"required":true,"index":false},{"name":"matches","description":"List of YARA matches","type":"text","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","hidden":false,"required":false,"index":false},{"name":"sig_group","description":"Signature group used","type":"text","hidden":false,"required":false,"index":false},{"name":"sigfile","description":"Signature file used","type":"text","hidden":false,"required":false,"index":false},{"name":"sigrule","description":"Signature strings used","type":"text","hidden":true,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","hidden":false,"required":false,"index":false},{"name":"sigurl","description":"Signature url","type":"text","hidden":true,"required":false,"index":false}]},{"name":"yara_events","description":"Track YARA matches for files specified in configuration 
data.","platforms":["darwin","linux","windows"],"columns":[{"name":"target_path","description":"The path scanned","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"matches","description":"List of YARA matches","type":"text","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","hidden":false,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of the scan","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"ycloud_instance_metadata","description":"Yandex.Cloud instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"folder_id","description":"Folder identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"hostname","description":"Hostname of the 
VM","type":"text","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. Only available if supplied at instance launch time","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_port_enabled","description":"Indicates if serial port is enabled for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"metadata_endpoint","description":"Endpoint used to fetch VM metadata","type":"text","hidden":false,"required":false,"index":false}]},{"name":"yum_sources","description":"Current list of Yum repositories or software channels.","platforms":["linux"],"columns":[{"name":"name","description":"Repository name","type":"text","hidden":false,"required":false,"index":false},{"name":"baseurl","description":"Repository base URL","type":"text","hidden":false,"required":false,"index":false},{"name":"mirrorlist","description":"Mirrorlist URL","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether the repository is used","type":"text","hidden":false,"required":false,"index":false},{"name":"gpgcheck","description":"Whether packages are GPG checked","type":"text","hidden":false,"required":false,"index":false},{"name":"gpgkey","description":"URL to GPG key","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"host_users","description":"Local user accounts (including domain accounts that have logged on locally (Windows)).","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID 
(unsigned)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid_signed","description":"User ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"Default group ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional user description","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"User's home directory","type":"text","hidden":false,"required":false,"index":false},{"name":"shell","description":"User's configured default shell","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"User's UUID (Apple) or SID (Windows)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Whether the account is roaming (domain), local, or a system profile","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"host_groups","description":"Local system groups.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"gid","description":"Unsigned int64 group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"A signed int64 version of gid","type":"bigint","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Canonical local group name","type":"text","hidden":false,"required":false,"index":false},{"name":"group_sid","description":"Unique group 
ID","type":"text","hidden":true,"required":false,"index":false},{"name":"comment","description":"Remarks or comments associated with the group","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"host_processes","description":"All running processes on the host system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executed binary","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"root","description":"Process virtual root directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Unsigned user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Unsigned group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Unsigned effective user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Unsigned effective group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Unsigned saved user 
ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Unsigned saved group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"on_disk","description":"The process path exists yes=1, no=0, unknown=-1","type":"integer","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"user_time","description":"CPU time in milliseconds spent in user space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_time","description":"CPU time in milliseconds spent in kernel space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_read","description":"Bytes read from disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_written","description":"Bytes written to disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start time in seconds since Epoch, in case of error -1","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"elevated_token","description":"Process 
uses elevated token yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"secure_process","description":"Process is secure (IUM) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"protection_type","description":"The protection type of the process","type":"text","hidden":true,"required":false,"index":false},{"name":"virtual_process","description":"Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"elapsed_time","description":"Elapsed time in seconds this process has been running.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"handle_count","description":"Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"percent_processor_time","description":"Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"upid","description":"A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uppid","description":"The 64bit parent pid that is never reused. 
Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_type","description":"Indicates the specific processor designed for installation.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_subtype","description":"Indicates the specific processor on which an entry may be used.","type":"integer","hidden":false,"required":false,"index":false},{"name":"translated","description":"Indicates whether the process is running under the Rosetta Translation Environment, yes=1, no=0, error=-1.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_path","description":"The full hierarchical path of the process's control group","type":"text","hidden":true,"required":false,"index":false}]}] \ No newline at end of file diff --git a/x-pack/plugins/osquery/public/common/schemas/osquery/v5.7.0.json b/x-pack/plugins/osquery/public/common/schemas/osquery/v5.7.0.json new file mode 100644 index 0000000000000..8649b18090b76 --- /dev/null +++ b/x-pack/plugins/osquery/public/common/schemas/osquery/v5.7.0.json 
@@ -0,0 +1 @@ +[{"name":"account_policy_data","description":"Additional macOS user account data from the AccountPolicy section of OpenDirectory.","platforms":["darwin"],"columns":[{"name":"uid","description":"User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the account was first created","type":"double","notes":"","hidden":false,"required":false,"index":false},{"name":"failed_login_count","description":"The number of failed login attempts using an incorrect password. Count resets after a correct password is entered.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"failed_login_timestamp","description":"The time of the last failed login attempt. Resets after a correct password is entered","type":"double","notes":"","hidden":false,"required":false,"index":false},{"name":"password_last_set_time","description":"The time the password was last changed","type":"double","notes":"","hidden":false,"required":false,"index":false}]},{"name":"acpi_tables","description":"Firmware ACPI functional table common metadata and content.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"ACPI table name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of compiled table data","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table content","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ad_config","description":"macOS Active Directory configuration.","platforms":["darwin"],"columns":[{"name":"name","description":"The macOS-specific configuration name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"domain","description":"Active Directory trust domain","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"option","description":"Canonical 
name of option","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Variable typed option value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"alf","description":"macOS application layer firewall (ALF) service details.","platforms":["darwin"],"columns":[{"name":"allow_signed_enabled","description":"1 If allow signed mode is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"firewall_unload","description":"1 If firewall unloading enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"global_state","description":"1 If the firewall is enabled with exceptions, 2 if the firewall is configured to block all incoming connections, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"logging_enabled","description":"1 If logging mode is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"logging_option","description":"Firewall logging option","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"stealth_enabled","description":"1 If stealth mode is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Application Layer Firewall version","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"alf_exceptions","description":"macOS application layer firewall (ALF) service exceptions.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to the executable that is excepted","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"Firewall exception state","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"alf_explicit_auths","description":"ALF services explicitly allowed to perform 
networking.","platforms":["darwin"],"columns":[{"name":"process","description":"Process name explicitly allowed","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"app_schemes","description":"macOS application schemes and handlers (e.g., http, file, mailto).","platforms":["darwin"],"columns":[{"name":"scheme","description":"Name of the scheme/protocol","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"handler","description":"Application label for the handler","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if this handler is the OS default, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"external","description":"1 if this handler does NOT exist on macOS by default, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protected","description":"1 if this handler is protected (reserved) by macOS, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"apparmor_events","description":"Track AppArmor events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"message","description":"Raw audit message","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"apparmor","description":"Apparmor Status like ALLOWED, DENIED 
etc.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"operation","description":"Permission requested by the process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process PID","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"profile","description":"Apparmor profile name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"denied_mask","description":"Denied permissions for the process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"capname","description":"Capability requested by the process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ouid","description":"Object owner's user ID","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"capability","description":"Capability number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"requested_mask","description":"Requested access mask","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"info","description":"Additional information","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"error","description":"Error 
information","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"namespace","description":"AppArmor namespace","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"label","description":"AppArmor label","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"apparmor_profiles","description":"Track active AppArmor profiles.","platforms":["linux"],"columns":[{"name":"path","description":"Unique, aa-status compatible, policy identifier.","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Policy name.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"attach","description":"Which executable(s) a profile will attach to.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"How the policy is applied.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha1","description":"A unique hash that identifies this policy.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"appcompat_shims","description":"Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.","platforms":["windows"],"columns":[{"name":"executable","description":"Name of the executable that is being shimmed. 
This is pulled from the registry.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to the SDB database.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the SDB.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Install time of the SDB","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the SDB database.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sdb_id","description":"Unique GUID of the SDB.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"apps","description":"macOS applications installed in known search paths (e.g., /Applications).","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the Name.app folder","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute and full Name.app path","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"bundle_executable","description":"Info properties CFBundleExecutable label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bundle_identifier","description":"Info properties CFBundleIdentifier label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bundle_name","description":"Info properties CFBundleName label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bundle_short_version","description":"Info properties CFBundleShortVersionString label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bundle_version","description":"Info properties CFBundleVersion 
label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bundle_package_type","description":"Info properties CFBundlePackageType label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"environment","description":"Application-set environment variables","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"element","description":"Does the app identify as a background agent","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"compiler","description":"Info properties DTCompiler label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Info properties CFBundleDevelopmentRegion label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Info properties CFBundleDisplayName label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"info_string","description":"Info properties CFBundleGetInfoString label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"minimum_system_version","description":"Minimum version of macOS required for the app to run","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"category","description":"The UTI that categorizes the app for the App Store","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"applescript_enabled","description":"Info properties NSAppleScriptEnabled label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"copyright","description":"Info properties NSHumanReadableCopyright label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"The time that the app was last used","type":"double","notes":"","hidden":false,"required":false,"index":false}]},{"name":"apt_sources","description":"Current 
list of APT repositories or software channels.","platforms":["linux"],"columns":[{"name":"name","description":"Repository name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Source file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"base_uri","description":"Repository base URI","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"release","description":"Release name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Repository source version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Repository maintainer","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"components","description":"Repository components","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"architectures","description":"Repository architectures","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"arp_cache","description":"Address resolution cache, both static and dynamic (from ARP, NDP).","platforms":["darwin","linux","windows"],"columns":[{"name":"address","description":"IPv4 address target","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address of broadcasted address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"interface","description":"Interface of the network for the MAC","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"permanent","description":"1 for true, 0 for 
false","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"asl","description":"Queries the Apple System Log data structure for system events.","platforms":["darwin"],"columns":[{"name":"time","description":"Unix timestamp. Set automatically","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"time_nano_sec","description":"Nanosecond time.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"host","description":"Sender's address (set by the server).","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sender","description":"Sender's identification string. Default is process name.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"facility","description":"Sender's facility. Default is 'user'.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Sending process ID encoded as a string. Set automatically.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"GID that sent the log message (set by the server).","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"UID that sent the log message (set by the server).","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"level","description":"Log level number. 
See levels in asl.h.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"message","description":"Message text.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ref_pid","description":"Reference PID for messages proxied by launchd","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ref_proc","description":"Reference process for messages proxied by launchd","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"extra","description":"Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"atom_packages","description":"Lists all atom packages in a directory or globally installed in a system.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Package display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Package supplied version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Package supplied description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Package's package.json path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"license","description":"License for package","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"homepage","description":"Package supplied homepage","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the plugin","type":"bigint","notes":"","hidden":false,"required":false,"index":true}]},{"name":"augeas","description":"Configuration files parsed by 
augeas.","platforms":["darwin","linux"],"columns":[{"name":"node","description":"The node path of the configuration item","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"value","description":"The value of the configuration item","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"label","description":"The label of the configuration item","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"The path to the configuration file","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"authenticode","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["windows"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"original_program_name","description":"The original program name that the publisher has signed","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The certificate serial number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"issuer_name","description":"The certificate issuer name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subject_name","description":"The certificate subject name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"result","description":"The signature check result","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"authorization_mechanisms","description":"macOS Authorization mechanisms database.","platforms":["darwin"],"columns":[{"name":"label","description":"Label of the authorization right","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"plugin","description":"Authorization plugin 
name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mechanism","description":"Name of the mechanism that will be called","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"privileged","description":"If privileged it will run as root, else as an anonymous user","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"entry","description":"The whole string entry","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"authorizations","description":"macOS Authorization rights database.","platforms":["darwin"],"columns":[{"name":"label","description":"Item name, usually in reverse domain format","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"modified","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"allow_root","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"timeout","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tries","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"authenticate_user","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"shared","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"comment","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"created","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"Label top-level 
key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"session_owner","description":"Label top-level key","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"authorized_keys","description":"A line-delimited authorized_keys table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local owner of authorized_keys file","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"algorithm","description":"Key type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key","description":"Key encoded as base64","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"options","description":"Optional list of login options","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional comment","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to the authorized_keys file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"autoexec","description":"Aggregate of executables that will automatically execute on the target machine. 
This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the executable","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Name of the program","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Source table of the autoexec item","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_metadata","description":"Azure instance metadata.","platforms":["darwin","linux","windows"],"columns":[{"name":"location","description":"Azure Region the VM is running in","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"offer","description":"Offer information for the VM image (Azure image gallery VMs only)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Publisher of the VM image","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sku","description":"SKU for the VM image","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the VM image","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Linux or Windows","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"platform_update_domain","description":"Update domain the VM is running in","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"platform_fault_domain","description":"Fault domain the VM is running in","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vm_id","description":"Unique identifier for the 
VM","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"vm_size","description":"VM size","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subscription_id","description":"Azure subscription for the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"resource_group_name","description":"Resource group for the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"placement_group_id","description":"Placement group for the VM scale set","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vm_scale_set_name","description":"VM scale set name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_tags","description":"Azure instance tags.","platforms":["darwin","linux","windows"],"columns":[{"name":"vm_id","description":"Unique identifier for the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key","description":"The tag key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"The tag value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"background_activities_moderator","description":"Background Activities Moderator (BAM) tracks application execution.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"battery","description":"Provides 
information about the internal battery of a Macbook.","platforms":["darwin"],"columns":[{"name":"manufacturer","description":"The battery manufacturer's name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacture_date","description":"The date the battery was manufactured UNIX Epoch","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"The battery's model number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The battery's unique serial number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cycle_count","description":"The number of charge/discharge cycles","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"health","description":"One of the following: \"Good\" describes a well-performing battery, \"Fair\" describes a functional battery with limited capacity, or \"Poor\" describes a battery that's not capable of providing power","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"condition","description":"One of the following: \"Normal\" indicates the condition of the battery is within normal tolerances, \"Service Needed\" indicates that the battery should be checked out by a licensed Mac repair service, \"Permanent Failure\" indicates the battery needs replacement","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"One of the following: \"AC Power\" indicates the battery is connected to an external power source, \"Battery Power\" indicates that the battery is drawing internal power, \"Off Line\" indicates the battery is off-line or no longer connected","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"charging","description":"1 if the battery is currently being charged by a power source. 
0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"charged","description":"1 if the battery is currently completely charged. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"designed_capacity","description":"The battery's designed capacity in mAh","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"The battery's actual capacity when it is fully charged in mAh","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"current_capacity","description":"The battery's current charged capacity in mAh","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"percent_remaining","description":"The percentage of battery remaining before it is drained","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"amperage","description":"The battery's current amperage in mA","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"voltage","description":"The battery's current voltage in mV","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"minutes_until_empty","description":"The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"minutes_to_full_charge","description":"The number of minutes until the battery is fully charged. 
This value is -1 if this time is still being calculated","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"bitlocker_info","description":"Retrieve bitlocker status of the machine.","platforms":["windows"],"columns":[{"name":"device_id","description":"ID of the encrypted drive.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"Drive letter of the encrypted drive.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"persistent_volume_id","description":"Persistent ID of the drive.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"conversion_status","description":"The bitlocker conversion status of the drive.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protection_status","description":"The bitlocker protection status of the drive.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"encryption_method","description":"The encryption type of the device.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"The FVE metadata version of the drive.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"percentage_encrypted","description":"The percentage of the drive that is encrypted.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"lock_status","description":"The accessibility status of the drive from Windows.","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"block_devices","description":"Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Block device name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Block device parent 
name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Block device vendor string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"Block device model string identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Block device size in blocks","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size in bytes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Block device Universally Unique Identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Block device type string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"label","description":"Block device label string","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"bpf_process_events","description":"Track time/action process executions.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system 
call","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be captured","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Binary path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Current working directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"json_cmdline","description":"Command line arguments, in JSON format","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","notes":"","hidden":true,"required":false,"index":false}]},{"name":"bpf_socket_events","description":"Track network socket opens and closes.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User 
ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system call","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be captured","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"The socket type","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port 
number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","notes":"","hidden":true,"required":false,"index":false}]},{"name":"browser_plugins","description":"All C/NPAPI browser plugin details for all users. C/NPAPI has been deprecated on all major browsers. To query for plugins on modern browsers, try: `chrome_extensions` `firefox_addons` `safari_extensions`.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the plugin","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Plugin display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Plugin identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Plugin short version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Build SDK used to compile plugin","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Plugin description text","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Plugin language-localization","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"native","description":"Plugin requires native 
execution","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"disabled","description":"Is the plugin disabled. 1 = Disabled","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"carbon_black_info","description":"Returns info about a Carbon Black sensor install.","platforms":["darwin","linux","windows"],"columns":[{"name":"sensor_id","description":"Sensor ID of the Carbon Black sensor","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"config_name","description":"Sensor group","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_store_files","description":"If the sensor is configured to send back binaries to the Carbon Black server","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_module_loads","description":"If the sensor is configured to capture module loads","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_module_info","description":"If the sensor is configured to collect metadata of binaries","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_file_mods","description":"If the sensor is configured to collect file modification events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_reg_mods","description":"If the sensor is configured to collect registry modification events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_net_conns","description":"If the sensor is configured to collect network connections","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_processes","description":"If the sensor is configured to process 
events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_cross_processes","description":"If the sensor is configured to cross process events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_emet_events","description":"If the sensor is configured to EMET events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_data_file_writes","description":"If the sensor is configured to collect non binary file writes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_process_user_context","description":"If the sensor is configured to collect the user running a process","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"collect_sensor_operations","description":"Unknown","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_mb","description":"Event file disk quota in MB","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_percentage","description":"Event file disk quota in a percentage","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protection_disabled","description":"If the sensor is configured to report tamper events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"sensor_ip_addr","description":"IP address of the sensor","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sensor_backend_server","description":"Carbon Black server","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"event_queue","description":"Size in bytes of Carbon Black event files on disk","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"binary_queue","description":"Size in bytes of binaries waiting to be sent to Carbon Black 
server","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"carves","description":"List the set of completed and in-progress carves. If carve=1 then the query is treated as a new carve request.","platforms":["darwin","linux","windows"],"columns":[{"name":"time","description":"Time at which the carve was kicked off","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sha256","description":"A SHA256 sum of the carved archive","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the carved archive","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the requested carve","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"carve_guid","description":"Identifying value of the carve session","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"request_id","description":"Identifying value of the carve request (e.g., scheduled query name, distributed request, etc)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"carve","description":"Set this value to '1' to start a file carve","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"certificates","description":"Certificate Authorities installed in Keychains/ca-bundles.","platforms":["darwin","linux","windows"],"columns":[{"name":"common_name","description":"Certificate CommonName","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subject","description":"Certificate distinguished name (deprecated, use subject2)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"issuer","description":"Certificate 
issuer distinguished name (deprecated, use issuer2)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ca","description":"1 if CA: true (certificate is an authority) else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"self_signed","description":"1 if self-signed, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"not_valid_before","description":"Lower bound of valid date","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"not_valid_after","description":"Certificate expiration data","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"signing_algorithm","description":"Signing algorithm used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key_algorithm","description":"Key algorithm used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key_strength","description":"Key size used for RSA/DSA, or curve name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Certificate key usage and extended key usage","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subject_key_id","description":"SKID an optionally included SHA1","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"authority_key_id","description":"AKID an optionally included SHA1","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the raw certificate contents","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Keychain or PEM bundle","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial","description":"Certificate serial 
number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sid","description":"SID","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"store_location","description":"Certificate system store location","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"store","description":"Certificate system store","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"username","description":"Username","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"store_id","description":"Exists for service/user stores. Contains raw store id provided by WinAPI.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"issuer2","description":"Certificate issuer distinguished name","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux","darwin"]},{"name":"subject2","description":"Certificate distinguished name","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux","darwin"]}]},{"name":"chassis_info","description":"Display information pertaining to the chassis and its security status.","platforms":["windows"],"columns":[{"name":"audible_alarm","description":"If TRUE, the frame is equipped with an audible alarm.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"breach_description","description":"If provided, gives a more detailed description of a detected security breach.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"chassis_types","description":"A comma-separated list of chassis types, such as Desktop or 
Laptop.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"An extended description of the chassis if available.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"lock","description":"If TRUE, the frame is equipped with a lock.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the chassis.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the chassis.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"security_breach","description":"The physical status of the chassis such as Breach Successful, Breach Attempted, etc.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the chassis.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"smbios_tag","description":"The assigned asset tag number of the chassis.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sku","description":"The Stock Keeping Unit number if available.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"If available, gives various operational or nonoperational statuses such as OK, Degraded, and Pred Fail.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"visible_alarm","description":"If TRUE, the frame is equipped with a visual alarm.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"chocolatey_packages","description":"Chocolatey packages installed in a system.","platforms":["windows"],"columns":[{"name":"name","description":"Package display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied 
version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this package resides","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"chrome_extension_content_scripts","description":"Chrome browser extension content scripts.","platforms":["darwin","linux","windows"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, brave)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"identifier","description":"Extension identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"script","description":"The content script used by the extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"match","description":"The pattern that the script is matched against","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the 
Preferences file of the profile","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"chrome_extensions","description":"Chrome-based browser extensions.","platforms":["darwin","linux","windows"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Extension display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"profile","description":"The name of the Chrome profile that contains this extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"referenced_identifier","description":"Extension identifier, as specified by the preferences file. Empty if the extension is not in the profile.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier, computed from its manifest. 
Empty in case of error.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Extension-optional description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"default_locale","description":"Default locale supported by extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"current_locale","description":"Current locale supported by extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"persistent","description":"1 If extension is persistent across all tabs else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"permissions","description":"The permissions required by the extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"permissions_json","description":"The JSON-encoded permissions required by the extension","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"optional_permissions","description":"The permissions optionally required by the extensions","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"optional_permissions_json","description":"The JSON-encoded permissions optionally required by the extensions","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"manifest_hash","description":"The SHA256 hash of the manifest.json 
file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the Preferences file of the profile","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"from_webstore","description":"True if this extension was installed from the web store","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"1 if this extension is enabled","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Extension install time, in its original Webkit format","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_timestamp","description":"Extension install time, converted to unix time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"manifest_json","description":"The manifest file of the extension","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"key","description":"The extension key, from the manifest file","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"connectivity","description":"Provides the overall system's network state.","platforms":["windows"],"columns":[{"name":"disconnected","description":"True if the all interfaces are not connected to any network","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv4_no_traffic","description":"True if any interface is connected via IPv4, but has seen no traffic","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_no_traffic","description":"True if any interface is connected via IPv6, but has seen no traffic","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv4_subnet","description":"True if any interface is connected to the local subnet via 
IPv4","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv4_local_network","description":"True if any interface is connected to a routed network via IPv4","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv4_internet","description":"True if any interface is connected to the Internet via IPv4","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_subnet","description":"True if any interface is connected to the local subnet via IPv6","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_local_network","description":"True if any interface is connected to a routed network via IPv6","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_internet","description":"True if any interface is connected to the Internet via IPv6","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"cpu_info","description":"Retrieve cpu hardware info of the machine.","platforms":["linux","windows"],"columns":[{"name":"device_id","description":"The DeviceID of the CPU.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the CPU.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the CPU.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"processor_type","description":"The processor type, such as Central, Math, or Video.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_status","description":"The current operating status of the CPU.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"number_of_cores","description":"The number of cores of the 
CPU.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"logical_processors","description":"The number of logical processors of the CPU.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"address_width","description":"The width of the CPU address bus.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"current_clock_speed","description":"The current frequency of the CPU.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"max_clock_speed","description":"The maximum possible frequency of the CPU.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"socket_designation","description":"The assigned socket on the board for the given CPU.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"availability","description":"The availability and status of the CPU.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]}]},{"name":"cpu_time","description":"Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.","platforms":["darwin","linux"],"columns":[{"name":"core","description":"Name of the cpu (core)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"user","description":"Time spent in user mode","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"nice","description":"Time spent in user mode with low priority (nice)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"system","description":"Time spent in system mode","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"idle","description":"Time spent in the idle task","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"iowait","description":"Time spent waiting for I/O to 
complete","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"irq","description":"Time spent servicing interrupts","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"softirq","description":"Time spent servicing softirqs","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"steal","description":"Time spent in other operating systems when running in a virtualized environment","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"guest","description":"Time spent running a virtual CPU for a guest OS under the control of the Linux kernel","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"guest_nice","description":"Time spent running a niced guest ","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"cpuid","description":"Useful CPU features from the cpuid ASM call.","platforms":["darwin","linux","windows"],"columns":[{"name":"feature","description":"Present feature flags","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Bit value or string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"output_register","description":"Register used to for feature value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"output_bit","description":"Bit in register value for feature value","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"input_eax","description":"Value of EAX used","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"crashes","description":"Application, System, and Mobile App crash logs.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of crash log","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID of the crashed 
process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Location of log file","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"identifier","description":"Identifier of the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Version info of the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent PID of the crashed process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"responsible","description":"Process responsible for the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the crashed process","type":"integer","notes":"","hidden":false,"required":false,"index":true},{"name":"datetime","description":"Date/Time at which the crash occurred","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"crashed_thread","description":"Thread ID which crashed","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Most recent frame from the stack trace","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"exception_type","description":"Exception type of the crash","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"exception_codes","description":"Exception codes from the crash","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"exception_notes","description":"Exception notes from the crash","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"registers","description":"The value of the system 
registers","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"crontab","description":"Line parsed values from system and user cron/tab.","platforms":["darwin","linux"],"columns":[{"name":"event","description":"The job @event name (rare)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"minute","description":"The exact minute for the job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hour","description":"The hour of the day for the job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"day_of_month","description":"The day of the month for the job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"month","description":"The month of the year for the job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"day_of_week","description":"The day of the week for the job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"command","description":"Raw command string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"File parsed","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"cups_destinations","description":"Returns all configured printers.","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the printer","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"option_name","description":"Option name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"option_value","description":"Option value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"cups_jobs","description":"Returns all completed print jobs 
from cups.","platforms":["darwin"],"columns":[{"name":"title","description":"Title of the printed job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"destination","description":"The printer the job was sent to","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user","description":"The user who printed the job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"format","description":"The format of the print job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the print job","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"completed_time","description":"When the job completed printing","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"processing_time","description":"How long the job took to process","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the print request was initiated","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"curl","description":"Perform an http request and return stats about it.","platforms":["darwin","linux","windows"],"columns":[{"name":"url","description":"The url for the request","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"method","description":"The HTTP method for the request","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user_agent","description":"The user-agent string to use for the request","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"response_code","description":"The HTTP status code for the response","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"round_trip_time","description":"Time taken to complete the 
request","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of bytes in the response","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"result","description":"The HTTP response body","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"curl_certificate","description":"Inspect TLS certificates by connecting to input hostnames.","platforms":["darwin","linux","windows"],"columns":[{"name":"hostname","description":"Hostname to CURL (domain[:port], e.g. osquery.io)","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"common_name","description":"Common name of company issued to","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"organization","description":"Organization issued to","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"organization_unit","description":"Organization unit issued to","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Certificate serial number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"issuer_common_name","description":"Issuer common name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"issuer_organization","description":"Issuer organization","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"issuer_organization_unit","description":"Issuer organization unit","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"valid_from","description":"Period of validity start date","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"valid_to","description":"Period of validity end date","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha256_fingerprint","description":"SHA-256 
fingerprint","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha1_fingerprint","description":"SHA1 fingerprint","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Version Number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"signature_algorithm","description":"Signature Algorithm","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"signature","description":"Signature","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subject_key_identifier","description":"Subject Key Identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"authority_key_identifier","description":"Authority Key Identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Usage of key in certificate","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"extended_key_usage","description":"Extended usage of key in certificate","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"policies","description":"Certificate Policies","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subject_alternative_names","description":"Subject Alternative Name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"issuer_alternative_names","description":"Issuer Alternative Name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"info_access","description":"Authority Information Access","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subject_info_access","description":"Subject Information Access","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"policy_mappings","description":"Policy 
Mappings","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"has_expired","description":"1 if the certificate has expired, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"basic_constraint","description":"Basic Constraints","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name_constraints","description":"Name Constraints","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"policy_constraints","description":"Policy Constraints","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dump_certificate","description":"Set this value to '1' to dump certificate","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"timeout","description":"Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout)","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"pem","description":"Certificate PEM format","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"deb_packages","description":"The installed DEB package database.","platforms":["linux"],"columns":[{"name":"name","description":"Package name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Package source","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"arch","description":"Package architecture","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"revision","description":"Package 
revision","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Package status","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Package maintainer","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"section","description":"Package section","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"priority","description":"Package priority","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"admindir","description":"libdpkg admindir. Defaults to /var/lib/dpkg","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"default_environment","description":"Default environment variables and values.","platforms":["windows"],"columns":[{"name":"variable","description":"Name of the environment variable","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the environment variable","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"expand","description":"1 if the variable needs expanding, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"device_file","description":"Similar to the file table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"partition","description":"A partition 
number","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"path","description":"A logical path within the device node","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"uid","description":"Owning user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Creation time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"device_firmware","description":"A best-effort list of discovered firmware versions.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of 
device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device","description":"The device name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"version","description":"Firmware version","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"device_hash","description":"Similar to the hash table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","notes":"","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided inode data","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided inode data","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided inode data","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"device_partitions","description":"Use TSK to enumerate details about partitions on a disk device.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number or 
description","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"label","description":"","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"offset","description":"","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Byte size of each block","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Number of blocks","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Number of meta nodes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"flags","description":"","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"disk_encryption","description":"Disk encryption status and information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Disk name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"uuid","description":"Disk Universally Unique Identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"encrypted","description":"1 If encrypted: true (disk is encrypted), else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Description of cipher type and mode if available","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"encryption_status","description":"Disk encryption status with one of following values: encrypted | not encrypted | undefined","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"Currently authenticated user if 
available","type":"text","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"user_uuid","description":"UUID of authenticated user if available","type":"text","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"filevault_status","description":"FileVault status with one of following values: on | off | unknown","type":"text","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]}]},{"name":"disk_events","description":"Track DMG disk image events (appearance/disappearance) when opened.","platforms":["darwin"],"columns":[{"name":"action","description":"Appear or disappear","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the DMG file accessed","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Disk event name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device","description":"Disk event BSD name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uuid","description":"UUID of the volume inside DMG if available","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of partition in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ejectable","description":"1 if ejectable, 0 if not","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"mountable","description":"1 if mountable, 0 if not","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"writable","description":"1 if writable, 0 if not","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"content","description":"Disk event content","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"media_name","description":"Disk event media name 
string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Disk event vendor string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filesystem","description":"Filesystem if available","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"checksum","description":"UDIF Master checksum if available (CRC32)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of appearance/disappearance in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"disk_info","description":"Retrieve basic information about the physical disks of a system.","platforms":["windows"],"columns":[{"name":"partitions","description":"Number of detected partitions on disk.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_index","description":"Physical drive number of the disk.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"The interface type of the disk.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"id","description":"The unique identifier of the drive on the system.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pnp_device_id","description":"The unique identifier of the drive on the system.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_size","description":"Size of the disk.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the disk.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hard drive 
model.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"The label of the disk object.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the disk.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"The OS's description of the disk.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"dns_cache","description":"Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.","platforms":["windows"],"columns":[{"name":"name","description":"DNS record name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"DNS record type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"flags","description":"DNS record flags","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"dns_resolvers","description":"Resolvers used by this host.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Address type index or order","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Address type: sortlist, nameserver, search","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"address","description":"Resolver IP/IPv6 address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Address (sortlist) netmask length","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"options","description":"Resolver options","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a 
namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"docker_container_envs","description":"Docker container environment variables.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"Environment variable name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Environment variable value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_container_fs_changes","description":"Changes to files or directories on container's filesystem.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"path","description":"FIle or directory path relative to rootfs","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"change_type","description":"Type of change: C:Modified, A:Added, D:Deleted","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_container_labels","description":"Docker container labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"Label key","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"value","description":"Optional label value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_container_mounts","description":"Docker container mounts.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"type","description":"Type of mount (bind, 
volume)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Optional mount name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"source","description":"Source path on host","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"destination","description":"Destination path inside container","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver providing the mount","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"Mount options (rw, ro)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"rw","description":"1 if read/write. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"propagation","description":"Mount propagation","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_container_networks","description":"Docker container networks.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Network name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"network_id","description":"Network ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"endpoint_id","description":"Endpoint ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Gateway","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ip_address","description":"IP address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ip_prefix_len","description":"IP subnet prefix length","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_gateway","description":"IPv6 
gateway","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_prefix_len","description":"IPv6 subnet prefix length","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"mac_address","description":"MAC address","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_container_ports","description":"Docker container ports.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Protocol (tcp, udp)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"port","description":"Port inside the container","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"host_ip","description":"Host IP address on which public port is listening","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"host_port","description":"Host port","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_container_processes","description":"Docker container processes.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"pid","description":"Process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User 
ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start in seconds since boot (non-sleeping)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"user","description":"User name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Cumulative CPU time. 
[DD-]HH:MM:SS format","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu","description":"CPU utilization as percentage","type":"double","notes":"","hidden":false,"required":false,"index":false},{"name":"mem","description":"Memory utilization as percentage","type":"double","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_container_stats","description":"Docker container statistics. Queries on this table take at least one second.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"name","description":"Container name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"pids","description":"Number of processes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"read","description":"UNIX time when stats were read","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"preread","description":"UNIX time when stats were last read","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"interval","description":"Difference between read and preread in nano-seconds","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_read","description":"Total disk read bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_write","description":"Total disk write bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"num_procs","description":"Number of processors","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_total_usage","description":"Total CPU usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_kernelmode_usage","description":"CPU kernel mode 
usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_usermode_usage","description":"CPU user mode usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"system_cpu_usage","description":"CPU system usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"online_cpus","description":"Online CPUs","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"pre_cpu_total_usage","description":"Last read total CPU usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pre_cpu_kernelmode_usage","description":"Last read CPU kernel mode usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pre_cpu_usermode_usage","description":"Last read CPU user mode usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pre_system_cpu_usage","description":"Last read CPU system usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pre_online_cpus","description":"Last read online CPUs","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_usage","description":"Memory usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_max_usage","description":"Memory maximum usage","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"Memory limit","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"network_rx_bytes","description":"Total network bytes read","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"network_tx_bytes","description":"Total network bytes transmitted","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_containers","description":"Docker containers 
information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Container name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"image","description":"Docker image (name) used to launch this container","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"image_id","description":"Docker image ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"command","description":"Command with arguments","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"Container state (created, restarting, running, removing, paused, exited, dead)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Container status information","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Identifier of the initial process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Container path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"config_entrypoint","description":"Container entrypoint(s)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"started_at","description":"Container start time as string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"finished_at","description":"Container finish time as string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"privileged","description":"Is the container 
privileged","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"security_options","description":"List of container security options","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"env_variables","description":"Container environmental variables","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"readonly_rootfs","description":"Is the root filesystem mounted as read only","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cgroup_namespace","description":"cgroup namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"ipc_namespace","description":"IPC namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"mnt_namespace","description":"Mount namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"net_namespace","description":"Network namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"pid_namespace","description":"PID namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"user_namespace","description":"User namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"uts_namespace","description":"UTS namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"docker_image_history","description":"Docker image history information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of 
instruction in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"created_by","description":"Created by instruction","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of tags","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"comment","description":"Instruction comment","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_image_labels","description":"Docker image labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"Label key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_image_layers","description":"Docker image layers information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"layer_id","description":"Layer ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"layer_order","description":"Layer Order (1 = base layer)","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_images","description":"Docker images information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"size_bytes","description":"Size of image in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of repository 
tags","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_info","description":"Docker system information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Docker system ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"containers","description":"Total number of containers","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"containers_running","description":"Number of containers currently running","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"containers_paused","description":"Number of containers in paused state","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"containers_stopped","description":"Number of containers in stopped state","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"images","description":"Number of images","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"storage_driver","description":"Storage driver","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"1 if memory limit support is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"swap_limit","description":"1 if swap limit support is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"kernel_memory","description":"1 if kernel memory limit support is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_period","description":"1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_quota","description":"1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 
0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_shares","description":"1 if CPU share weighting support is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_set","description":"1 if CPU set selection support is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv4_forwarding","description":"1 if IPv4 forwarding is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bridge_nf_iptables","description":"1 if bridge netfilter iptables is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bridge_nf_ip6tables","description":"1 if bridge netfilter ip6tables is enabled. 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"oom_kill_disable","description":"1 if Out-of-memory kill is disabled. 
0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"logging_driver","description":"Logging driver","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cgroup_driver","description":"Control groups driver","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Operating system type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cpus","description":"Number of CPUs","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"memory","description":"Total memory","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"http_proxy","description":"HTTP proxy","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"https_proxy","description":"HTTPS proxy","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"no_proxy","description":"Comma-separated list of domain extensions proxy should not be used for","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the docker host","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"server_version","description":"Server version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"root_dir","description":"Docker root directory","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_network_labels","description":"Docker network 
labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"Label key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_networks","description":"Docker networks information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Network name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"driver","description":"Network driver","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"enable_ipv6","description":"1 if IPv6 is enabled on this network. 
0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"subnet","description":"Network subnet","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Network gateway","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_version","description":"Docker version information.","platforms":["darwin","linux"],"columns":[{"name":"version","description":"Docker version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"api_version","description":"API version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"min_api_version","description":"Minimum API version supported","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"git_commit","description":"Docker build git commit","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"go_version","description":"Go version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"arch","description":"Hardware architecture","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Build time","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_volume_labels","description":"Docker volume labels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"Label key","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"value","description":"Optional label 
value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"docker_volumes","description":"Docker volumes information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"driver","description":"Volume driver","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mount_point","description":"Mount point","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Volume type","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"drivers","description":"Details for in-use Windows device drivers. This does not display installed but unused drivers.","platforms":["windows"],"columns":[{"name":"device_id","description":"Device ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device_name","description":"Device name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"image","description":"Path to driver image file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Driver description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"service","description":"Driver service name, if one exists","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"service_key","description":"Driver service registry key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Driver version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"inf","description":"Associated inf file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"Device/driver class 
name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"provider","description":"Driver provider","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Device manufacturer","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"driver_key","description":"Driver key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"date","description":"Driver date","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"signed","description":"Whether the driver is signed or not","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_metadata","description":"EC2 instance metadata.","platforms":["darwin","linux","windows"],"columns":[{"name":"instance_id","description":"EC2 instance ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"instance_type","description":"EC2 instance type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture of this EC2 instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"region","description":"AWS region in which this instance launched","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"availability_zone","description":"Availability zone in which this instance launched","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Private IPv4 DNS hostname of the first interface of this instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_ipv4","description":"Private IPv4 address of the first interface of this instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address for the first network interface of this EC2 
instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"security_groups","description":"Comma separated list of security group names","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"iam_arn","description":"If there is an IAM role associated with the instance, contains instance profile ARN","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ami_id","description":"AMI ID used to launch this EC2 instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"reservation_id","description":"ID of the reservation","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"account_id","description":"AWS account ID which owns this EC2 instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. Only available if supplied at instance launch time","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_tags","description":"EC2 instance tag key value pairs.","platforms":["darwin","linux","windows"],"columns":[{"name":"instance_id","description":"EC2 instance ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key","description":"Tag key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Tag value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"es_process_events","description":"Process execution events from EndpointSecurity.","platforms":["darwin"],"columns":[{"name":"version","description":"Version of EndpointSecurity event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"seq_num","description":"Per event sequence number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"global_seq_num","description":"Global sequence 
number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"original_parent","description":"Original parent process ID in case of reparenting","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline_count","description":"Number of command line arguments","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by spaces","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective User ID of the process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective Group ID of the 
process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"signing_id","description":"Signature identifier of the process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"team_id","description":"Team identifier of thd process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Codesigning hash of the process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"platform_binary","description":"Indicates if the binary is Apple signed binary (1) or not (0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of a process in case of an exit event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"child_pid","description":"Process ID of a child process in case of a fork event","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"event_type","description":"Type of EndpointSecurity event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"codesigning_flags","description":"Codesigning flags matching one of these options, in a comma separated list: NOT_VALID, ADHOC, NOT_RUNTIME, INSTALLER. 
See kern/cs_blobs.h in XNU for descriptions.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"es_process_file_events","description":"Process execution events from EndpointSecurity.","platforms":["darwin"],"columns":[{"name":"version","description":"Version of EndpointSecurity event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"seq_num","description":"Per event sequence number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"global_seq_num","description":"Global sequence number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filename","description":"The source or target filename for the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dest_filename","description":"Destination filename for the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"event_type","description":"Type of EndpointSecurity event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"etc_hosts","description":"Line-parsed /etc/hosts.","platforms":["darwin","linux","windows"],"columns":[{"name":"address","description":"IP address 
mapping","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hostnames","description":"Raw hosts mapping","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"etc_protocols","description":"Line-parsed /etc/protocols.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Protocol name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"number","description":"Protocol number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"alias","description":"Protocol alias","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"comment","description":"Comment with protocol description","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"etc_services","description":"Line-parsed /etc/services.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Service name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"port","description":"Service port number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Optional space separated list of other names for a service","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional comment for a service.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"event_taps","description":"Returns information about installed event taps.","platforms":["darwin"],"columns":[{"name":"enabled","description":"Is the Event Tap 
enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"event_tap_id","description":"Unique ID for the Tap","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"event_tapped","description":"The mask that identifies the set of events to be observed.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"process_being_tapped","description":"The process ID of the target application","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"tapping_process","description":"The process ID of the application that created the event tap.","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"extended_attributes","description":"Returns the extended attributes for files (similar to Windows ADS).","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute file path","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"directory","description":"Directory of file(s)","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the value generated from the extended attribute","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"The parsed information from the attribute","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"base64","description":"1 if the value is base64 encoded else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"fan_speed_sensors","description":"Fan speeds.","platforms":["darwin"],"columns":[{"name":"fan","description":"Fan number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Fan name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"actual","description":"Actual 
speed","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimum speed","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum speed","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"target","description":"Target speed","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"file","description":"Interactive filesystem attributes and metadata.","platforms":["darwin","linux","windows"],"columns":[{"name":"path","description":"Absolute file path","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"directory","description":"Directory of file(s)","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device","description":"Device ID (optional)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last 
modification time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"btime","description":"(B)irth or (cr)eate time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"symlink","description":"1 if the path is a symlink, otherwise 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"attributes","description":"File attrib string. See: https://ss64.com/nt/attrib.html","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"volume_serial","description":"Volume serial number","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"file_id","description":"file ID","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"file_version","description":"File version","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"product_version","description":"File product version","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"original_filename","description":"(Executable files only) Original filename","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"bsd_flags","description":"The BSD file flags (chflags). 
Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND","type":"text","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"file_events","description":"Track time/action changes to files specified in configuration data.","platforms":["darwin","linux"],"columns":[{"name":"target_path","description":"The path associated with the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file defined in the config","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access 
time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"md5","description":"The MD5 of the file after change","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha1","description":"The SHA1 of the file after change","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha256","description":"The SHA256 of the file after change","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hashed","description":"1 if the file was hashed, 0 if not, -1 if hashing failed","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"firefox_addons","description":"Firefox browser extensions, webapps, and addons.","platforms":["darwin","linux","windows"],"columns":[{"name":"uid","description":"The local user that owns the addon","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Addon display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Addon identifier","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"creator","description":"Addon-supported creator string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Extension, addon, webapp","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Addon-supplied 
version string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Addon-supplied description string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source_url","description":"URL that installed the addon","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"visible","description":"1 If the addon is shown in browser else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If the addon is active else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 If the addon is application-disabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"1 If the addon applies background updates else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"location","description":"Global, profile location","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper","description":"macOS Gatekeeper Details.","platforms":["darwin"],"columns":[{"name":"assessments_enabled","description":"1 If a Gatekeeper is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"dev_id_enabled","description":"1 If a Gatekeeper allows execution from identified developers else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of Gatekeeper's gke.bundle","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"opaque_version","description":"Version of Gatekeeper's 
gkopaque.bundle","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper_approved_apps","description":"Gatekeeper apps a user has allowed to run.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of executable allowed to run","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"requirement","description":"Code signing requirement language","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last change time","type":"double","notes":"","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"double","notes":"","hidden":false,"required":false,"index":false}]},{"name":"groups","description":"Local system groups.","platforms":["darwin","linux","windows"],"columns":[{"name":"gid","description":"Unsigned int64 group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"gid_signed","description":"A signed int64 version of gid","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Canonical local group name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"group_sid","description":"Unique group ID","type":"text","notes":"","hidden":true,"required":false,"index":true,"platforms":["windows","win32","cygwin"]},{"name":"comment","description":"Remarks or comments associated with the group","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"pid_with_namespace","description":"Pids that contain a 
namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"hardware_events","description":"Hardware (PCI/USB/HID) events from UDEV or IOKit.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"Remove, insert, change properties, etc","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Local device path assigned (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of hardware and hardware event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver claiming the device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Hardware device vendor","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded Hardware vendor identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"Hardware device model","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded Hardware model identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial","description":"Device serial (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"revision","description":"Device revision (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of hardware event","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"hash","description":"Filesystem hash data.","platforms":["darwin","linux","windows"],"columns":[{"name":"path","description":"Must provide a 
path or directory","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"directory","description":"Must provide a path or directory","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided filesystem data","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided filesystem data","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided filesystem data","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"homebrew_packages","description":"The installed homebrew package database.","platforms":["darwin"],"columns":[{"name":"name","description":"Package name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Package install path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Current 'linked' version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"prefix","description":"Homebrew install prefix","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"hvci_status","description":"Retrieve HVCI info of the machine.","platforms":["windows"],"columns":[{"name":"version","description":"The version number of the Device Guard build.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"instance_identifier","description":"The instance ID of Device 
Guard.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vbs_status","description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"code_integrity_policy_enforcement_status","description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"umci_policy_status","description":"The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ibridge_info","description":"Information about the Apple iBridge hardware controller.","platforms":["darwin"],"columns":[{"name":"boot_uuid","description":"Boot UUID of the iBridge controller","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"coprocessor_version","description":"The manufacturer and chip version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"firmware_version","description":"The build version of the firmware","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"unique_chip_id","description":"Unique id of the iBridge controller","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ie_extensions","description":"Internet Explorer browser extensions.","platforms":["windows"],"columns":[{"name":"name","description":"Extension display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"registry_path","description":"Extension identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the 
executable","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executable","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"intel_me_info","description":"Intel ME/CSE Info.","platforms":["linux","windows"],"columns":[{"name":"version","description":"Intel ME version","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"interface_addresses","description":"Network interfaces and relevant metadata.","platforms":["darwin","linux","windows"],"columns":[{"name":"interface","description":"Interface name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for interface","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mask","description":"Interface netmask","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"broadcast","description":"Broadcast address for the interface","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"point_to_point","description":"PtP address for the interface","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of address. 
One of dhcp, manual, auto, other, unknown","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]}]},{"name":"interface_details","description":"Detailed information and stats of network interfaces.","platforms":["darwin","linux","windows"],"columns":[{"name":"interface","description":"Interface name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC of interface (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Interface type (includes virtual)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Network MTU","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"metric","description":"Metric based on the speed of the interface","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags (netdevice) for the device","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipackets","description":"Input packets","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"opackets","description":"Output packets","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ibytes","description":"Input bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"obytes","description":"Output bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ierrors","description":"Input errors","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"oerrors","description":"Output 
errors","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"idrops","description":"Input drops","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"odrops","description":"Output drops","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"collisions","description":"Packet Collisions detected","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Time of last device modification (optional)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"link_speed","description":"Interface speed in Mb/s","type":"bigint","notes":"","hidden":false,"required":false,"index":false,"platforms":["linux","darwin"]},{"name":"pci_slot","description":"PCI slot number","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"description","description":"Short description of the object a one-line string.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"manufacturer","description":"Name of the network adapter's manufacturer.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"connection_id","description":"Name of the network connection as it appears in the Network Connections Control Panel program.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"connection_status","description":"State of the network adapter connection to the 
network.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"enabled","description":"Indicates whether the adapter is enabled or not.","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"physical_adapter","description":"Indicates whether the adapter is a physical or a logical adapter.","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"speed","description":"Estimate of the current bandwidth in bits per second.","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"service","description":"The name of the service the network adapter uses.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dhcp_enabled","description":"If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dhcp_lease_expires","description":"Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dhcp_lease_obtained","description":"Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dhcp_server","description":"IP address of the dynamic host configuration protocol (DHCP) 
server.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dns_domain","description":"Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dns_domain_suffix_search_order","description":"Array of DNS domain suffixes to be appended to the end of host names during name resolution.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dns_host_name","description":"Host name used to identify the local computer for authentication by some utilities.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"dns_server_search_order","description":"Array of server IP addresses to be used in querying for DNS servers.","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]}]},{"name":"interface_ipv6","description":"IPv6 configuration and stats of network interfaces.","platforms":["darwin","linux"],"columns":[{"name":"interface","description":"Interface name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hop_limit","description":"Current Hop Limit","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"forwarding_enabled","description":"Enable IP forwarding","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"redirect_accept","description":"Accept ICMP redirect messages","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"rtadv_accept","description":"Accept ICMP Router Advertisement","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"iokit_devicetree","description":"The IOKit 
registry matching the DeviceTree plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Device node name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent device registry ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"device_path","description":"Device tree path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"service","description":"1 if the device conforms to IOService else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the device is in a busy state else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The device reference count","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"depth","description":"Device nested depth","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"iokit_registry","description":"The full IOKit registry without selecting a plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Default name of the node","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent registry 
ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the node is in a busy state else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The node reference count","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"depth","description":"Node nested depth","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"iptables","description":"Linux IP packet filtering and NAT tool.","platforms":["linux"],"columns":[{"name":"filter_name","description":"Packet matching filter table name.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"chain","description":"Size of module content.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"policy","description":"Policy that applies for this rule.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"target","description":"Target that applies for this rule.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Protocol number identification.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"src_port","description":"Protocol source port(s).","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dst_port","description":"Protocol destination port(s).","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"src_ip","description":"Source IP address.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"src_mask","description":"Source IP address mask.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"iniface","description":"Input interface for the 
rule.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"iniface_mask","description":"Input interface mask for the rule.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dst_ip","description":"Destination IP address.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dst_mask","description":"Destination IP address mask.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"outiface","description":"Output interface for the rule.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"outiface_mask","description":"Output interface mask for the rule.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"match","description":"Matching rule that applies.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"packets","description":"Number of matching packets for this rule.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of matching bytes for this rule.","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"kernel_extensions","description":"macOS's kernel extensions, both loaded and within the load search path.","platforms":["darwin"],"columns":[{"name":"idx","description":"Extension load tag or index","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"refs","description":"Reference count","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Bytes of wired memory used by extension","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension label","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension 
version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"linked_against","description":"Indexes of extensions this extension is linked against","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Optional path to extension bundle","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"kernel_info","description":"Basic active kernel information.","platforms":["darwin","linux","windows"],"columns":[{"name":"version","description":"Kernel version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"arguments","description":"Kernel arguments","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Kernel path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device","description":"Kernel device identifier","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"kernel_modules","description":"Linux kernel modules both loaded and within the load search path.","platforms":["linux"],"columns":[{"name":"name","description":"Module name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of module content","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"used_by","description":"Module reverse dependencies","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Kernel module status","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"address","description":"Kernel module address","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"kernel_panics","description":"System kernel panic logs.","platforms":["darwin"],"columns":[{"name":"path","description":"Location of log 
file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Formatted time of the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"registers","description":"A space delimited line of register:value pairs","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"frame_backtrace","description":"Backtrace of the crashed module","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"module_backtrace","description":"Modules appearing in the crashed module's backtrace","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dependencies","description":"Module dependencies existing in crashed module's backtrace","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name corresponding to crashed thread","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"os_version","description":"Version of the operating system","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Version of the system kernel","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"system_model","description":"Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)'","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"System uptime at kernel panic in nanoseconds","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_loaded","description":"Last loaded module before panic","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_unloaded","description":"Last unloaded module before panic","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"keychain_acls","description":"Applications that have ACL entries in the 
keychain.","platforms":["darwin"],"columns":[{"name":"keychain_path","description":"The path of the keychain","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"authorizations","description":"A space delimited set of authorization attributes","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the authorized application","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"The description included with the ACL entry","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"label","description":"An optional label tag that may be included with the keychain entry","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"keychain_items","description":"Generic details about keychain items.","platforms":["darwin"],"columns":[{"name":"label","description":"Generic item name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional item description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional keychain comment","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"account","description":"Optional item account","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"created","description":"Date item was created","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"modified","description":"Date of last modification","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Keychain item type (class)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to keychain containing 
item","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"known_hosts","description":"A line-delimited known_hosts table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local user that owns the known_hosts file","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"parsed authorized keys line","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to known_hosts file","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"kva_speculative_info","description":"Display kernel virtual address and speculative execution information for the system.","platforms":["windows"],"columns":[{"name":"kva_shadow_enabled","description":"Kernel Virtual Address shadowing is enabled.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"kva_shadow_user_global","description":"User pages are marked as global.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"kva_shadow_pcid","description":"Kernel VA PCID flushing optimization is enabled.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"kva_shadow_inv_pcid","description":"Kernel VA INVPCID is enabled.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bp_mitigations","description":"Branch Prediction mitigations are enabled.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bp_system_pol_disabled","description":"Branch Predictions are disabled via system policy.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bp_microcode_disabled","description":"Branch Predictions are disabled due to lack of microcode update.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_spec_ctrl_supported","description":"SPEC_CTRL MSR 
supported by CPU Microcode.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ibrs_support_enabled","description":"Windows uses IBRS.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"stibp_support_enabled","description":"Windows uses STIBP.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_pred_cmd_supported","description":"PRED_CMD MSR supported by CPU Microcode.","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"last","description":"System logins and logouts.","platforms":["darwin","linux"],"columns":[{"name":"username","description":"Entry username","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tty","description":"Entry terminal","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Entry type, according to ut_type types (utmp.h)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type_name","description":"Entry type name, according to ut_type types (utmp.h)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"host","description":"Entry hostname","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"launchd","description":"LaunchAgents and LaunchDaemons from default search paths.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to daemon or agent plist","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"File name of plist (used by 
launchd)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"label","description":"Daemon or agent service name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"program","description":"Path to target program","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"run_at_load","description":"Should the program run on launch load","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"keep_alive","description":"Should the process be restarted if killed","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"on_demand","description":"Deprecated key, replaced by keep_alive","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"disabled","description":"Skip loading this daemon or agent on boot","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Run this daemon or agent as this username","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Run this daemon or agent as this group","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"stdout_path","description":"Pipe stdout to a target path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"stderr_path","description":"Pipe stderr to a target path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"start_interval","description":"Frequency to run in seconds","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"program_arguments","description":"Command line arguments passed to program","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"watch_paths","description":"Key that launches daemon or agent if path is 
modified","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"queue_directories","description":"Similar to watch_paths but only with non-empty directories","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"inetd_compatibility","description":"Run this daemon or agent as it was launched from inetd","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"start_on_mount","description":"Run daemon or agent every time a filesystem is mounted","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"root_directory","description":"Key used to specify a directory to chroot to before launch","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"working_directory","description":"Key used to specify a directory to chdir to before launch","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"process_type","description":"Key describes the intended purpose of the job","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"launchd_overrides","description":"Override keys, per user, for LaunchDaemons and Agents.","platforms":["darwin"],"columns":[{"name":"label","description":"Daemon or agent service name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key","description":"Name of the override key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Overridden value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID applied to the override, 0 applies to all","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to daemon or agent plist","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"listening_ports","description":"Processes with listening (bound) network 
sockets/ports.","platforms":["darwin","linux","windows"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"port","description":"Transport layer port","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, IPv6)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for bind","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fd","description":"Socket file descriptor number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path for UNIX domain sockets","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"load_average","description":"Displays information about the system wide load averages.","platforms":["darwin","linux"],"columns":[{"name":"period","description":"Period over which the average is calculated.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"average","description":"Load average over the specified period.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"location_services","description":"Reports the status of the Location Services feature of the OS.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 if Location Services are enabled, else 
0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"logged_in_users","description":"Users with an active shell on the system.","platforms":["darwin","linux","windows"],"columns":[{"name":"type","description":"Login type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user","description":"User login name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tty","description":"Device name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"host","description":"Remote hostname","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time entry was made","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"sid","description":"The user's unique security identifier","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"registry_hive","description":"HKEY_USERS registry hive","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]}]},{"name":"logical_drives","description":"Details for logical drives on the system. A logical drive generally represents a single partition.","platforms":["windows"],"columns":[{"name":"device_id","description":"The drive id, usually the drive name, e.g., 'C:'.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Deprecated (always 'Unknown').","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"The canonical description of the drive, e.g. 
'Logical Fixed Disk', 'CD-ROM Disk'.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"free_space","description":"The amount of free space, in bytes, of the drive (-1 on failure).","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"The total amount of space, in bytes, of the drive (-1 on failure).","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"file_system","description":"The file system of the drive.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"boot_partition","description":"True if Windows booted from this drive.","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"logon_sessions","description":"Windows Logon Session.","platforms":["windows"],"columns":[{"name":"logon_id","description":"A locally unique identifier (LUID) that identifies a logon session.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"user","description":"The account name of the security principal that owns the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"logon_domain","description":"The name of the domain used to authenticate the owner of the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"authentication_package","description":"The authentication package used to authenticate the owner of the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"logon_type","description":"The logon method.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"session_id","description":"The Terminal Services session identifier.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"logon_sid","description":"The user's security identifier 
(SID).","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"logon_time","description":"The time the session owner logged on.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"logon_server","description":"The name of the server used to authenticate the owner of the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dns_domain_name","description":"The DNS name for the owner of the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"upn","description":"The user principal name (UPN) for the owner of the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"logon_script","description":"The script used for logging on.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The home directory for the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"home_directory","description":"The home directory for the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"home_directory_drive","description":"The drive location of the home directory of the logon session.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_certificates","description":"LXD certificates information.","platforms":["linux"],"columns":[{"name":"name","description":"Name of the certificate","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the certificate","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fingerprint","description":"SHA256 hash of the certificate","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"certificate","description":"Certificate 
content","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster","description":"LXD cluster information.","platforms":["linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether clustering enabled (1) or not (0) on this node","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"member_config_entity","description":"Type of configuration parameter for this node","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"member_config_name","description":"Name of configuration parameter","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"member_config_key","description":"Config key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"member_config_value","description":"Config value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"member_config_description","description":"Config description","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster_members","description":"LXD cluster members information.","platforms":["linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"url","description":"URL of the node","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"database","description":"Whether the server is a database node (1) or not (0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the node (Online/Offline)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the node 
(Online/Offline)","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_images","description":"LXD images information.","platforms":["linux"],"columns":[{"name":"id","description":"Image ID","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"architecture","description":"Target architecture for the image","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"os","description":"OS on which image is based","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"release","description":"OS release version on which the image is based","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Image description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Comma-separated list of image aliases","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filename","description":"Filename of the image file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of image in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"auto_update","description":"Whether the image auto-updates (1) or not (0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cached","description":"Whether image is cached (1) or not (0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"public","description":"Whether image is public (1) or not (0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of image creation","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"expires_at","description":"ISO time of image 
expiration","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uploaded_at","description":"ISO time of image upload","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_used_at","description":"ISO time for the most recent use of this image in terms of container spawn","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_source_server","description":"Server for image update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_source_protocol","description":"Protocol used for image information update and image import from source server","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_source_certificate","description":"Certificate for update source server","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_source_alias","description":"Alias of image at update source server","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_config","description":"LXD instance configuration information.","platforms":["linux"],"columns":[{"name":"name","description":"Instance name","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"key","description":"Configuration parameter name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Configuration parameter value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_devices","description":"LXD instance devices information.","platforms":["linux"],"columns":[{"name":"name","description":"Instance name","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"device","description":"Name of the device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device_type","description":"Device 
type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key","description":"Device info param name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Device info param value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_instances","description":"LXD instances information.","platforms":["linux"],"columns":[{"name":"name","description":"Instance name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"status","description":"Instance state (running, stopped, etc.)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"stateful","description":"Whether the instance is stateful(1) or not(0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ephemeral","description":"Whether the instance is ephemeral(1) or not(0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of creation","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"base_image","description":"ID of image used to launch this instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Instance architecture","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"os","description":"The OS of this instance","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Instance description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Instance's process ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"processes","description":"Number of processes running inside this 
instance","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_networks","description":"LXD network information.","platforms":["linux"],"columns":[{"name":"name","description":"Name of the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"managed","description":"1 if network created by LXD, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv4_address","description":"IPv4 address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"used_by","description":"URLs for containers using this network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bytes_received","description":"Number of bytes received on this network","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"bytes_sent","description":"Number of bytes sent on this network","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"packets_received","description":"Number of packets received on this network","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"packets_sent","description":"Number of packets sent on this network","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"hwaddr","description":"Hardware address for this network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"Network status","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mtu","description":"MTU 
size","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"lxd_storage_pools","description":"LXD storage pool information.","platforms":["linux"],"columns":[{"name":"name","description":"Name of the storage pool","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"driver","description":"Storage driver","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Storage pool source","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the storage pool","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"space_used","description":"Storage space used in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"space_total","description":"Total available storage space in bytes for this storage pool","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inodes_used","description":"Number of inodes used","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inodes_total","description":"Total number of inodes available in this storage pool","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"magic","description":"Magic number recognition library table.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute path to target file","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"magic_db_files","description":"Colon(:) separated list of files where the magic db file can be found. 
By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"data","description":"Magic number data from libmagic","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mime_type","description":"MIME type data from libmagic","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mime_encoding","description":"MIME encoding data from libmagic","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"managed_policies","description":"The managed configuration policies from AD, MDM, MCX, etc.","platforms":["darwin"],"columns":[{"name":"domain","description":"System or manager-chosen domain key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Optional UUID assigned to policy set","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Policy key name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Policy value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Policy applies only this user","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"manual","description":"1 if policy was loaded manually, otherwise 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"md_devices","description":"Software RAID array settings.","platforms":["linux"],"columns":[{"name":"device_name","description":"md device name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Current state of the array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"raid_level","description":"Current raid level of the 
array","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"size of the array in blocks","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"chunk_size","description":"chunk size in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"raid_disks","description":"Number of configured RAID disks in array","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"nr_raid_disks","description":"Number of partitions or disk devices to comprise the array","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"working_disks","description":"Number of working disks in array","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"active_disks","description":"Number of active disks in array","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"failed_disks","description":"Number of failed disks in array","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"spare_disks","description":"Number of idle disks in array","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"superblock_state","description":"State of the superblock","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"superblock_version","description":"Version of the superblock","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"superblock_update_time","description":"Unix timestamp of last update","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"bitmap_on_mem","description":"Pages allocated in in-memory bitmap, if enabled","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bitmap_chunk_size","description":"Bitmap chunk 
size","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bitmap_external_file","description":"External referenced bitmap file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"recovery_progress","description":"Progress of the recovery activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"recovery_finish","description":"Estimated duration of recovery activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"recovery_speed","description":"Speed of recovery activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"resync_progress","description":"Progress of the resync activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"resync_finish","description":"Estimated duration of resync activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"resync_speed","description":"Speed of resync activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"reshape_progress","description":"Progress of the reshape activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"reshape_finish","description":"Estimated duration of reshape activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"reshape_speed","description":"Speed of reshape activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"check_array_progress","description":"Progress of the check array activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"check_array_finish","description":"Estimated duration of the check array activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"check_array_speed","description":"Speed of the check array 
activity","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"unused_devices","description":"Unused devices","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"other","description":"Other information associated with array from /proc/mdstat","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"md_drives","description":"Drive devices used for Software RAID.","platforms":["linux"],"columns":[{"name":"md_device_name","description":"md device name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"drive_name","description":"Drive device name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"slot","description":"Slot position of disk","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the drive","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"md_personalities","description":"Software RAID setting supported by the kernel.","platforms":["linux"],"columns":[{"name":"name","description":"Name of personality supported by kernel","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"mdfind","description":"Run searches against the spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file returned from spotlight","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"query","description":"The query that was run to find the file","type":"text","notes":"","hidden":false,"required":true,"index":false}]},{"name":"mdls","description":"Query file metadata in the Spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the metadata 
key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Value stored in the metadata key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"valuetype","description":"CoreFoundation type of data stored in value","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"memory_array_mapped_addresses","description":"Data associated for address mapping of physical memory arrays.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_array_handle","description":"Handle of the memory array associated with this structure","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"partition_width","description":"Number of memory devices that form a single row of memory for the address partition of this structure","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"memory_arrays","description":"Data associated with collection of memory devices that operate to form a memory address.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"location","description":"Physical location of the memory 
array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"use","description":"Function for which the array is used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_error_correction","description":"Primary hardware error correction or detection method supported","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"Maximum capacity of array in gigabytes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_error_info_handle","description":"Handle, or instance number, associated with any error that was detected for the array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"number_memory_devices","description":"Number of memory devices on array","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"memory_device_mapped_addresses","description":"Data associated for address mapping of physical memory devices.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_device_handle","description":"Handle of the memory device structure associated with this structure","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_array_mapped_address_handle","description":"Handle of the memory array mapped address to which this device range is mapped to","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory 
array","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"partition_row_position","description":"Identifies the position of the referenced memory device in a row of the address partition","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"interleave_position","description":"The position of the device in a interleave, i.e. 0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"interleave_data_depth","description":"The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"memory_devices","description":"Physical memory device (type 17) information retrieved from SMBIOS.","platforms":["darwin","linux","windows"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure in SMBIOS","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"array_handle","description":"The memory array that the device is attached to","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"form_factor","description":"Implementation form factor for this memory device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"total_width","description":"Total width, in bits, of this memory device, including any check or error-correction bits","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"data_width","description":"Data width, in bits, of this memory device","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of memory device in 
Megabyte","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"set","description":"Identifies if memory device is one of a set of devices. A value of 0 indicates no set affiliation.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"device_locator","description":"String number of the string that identifies the physically-labeled socket or board position where the memory device is located","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bank_locator","description":"String number of the string that identifies the physically-labeled bank where the memory device is located","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_type","description":"Type of memory used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_type_details","description":"Additional details for memory device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"max_speed","description":"Max speed of memory device in megatransfers per second (MT/s)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"configured_clock_speed","description":"Configured speed of memory device in megatransfers per second (MT/s)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Manufacturer ID string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Serial number of memory device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"asset_tag","description":"Manufacturer specific asset tag of memory device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"part_number","description":"Manufacturer specific serial number of memory 
device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"min_voltage","description":"Minimum operating voltage of device in millivolts","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"max_voltage","description":"Maximum operating voltage of device in millivolts","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"configured_voltage","description":"Configured operating voltage of device in millivolts","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"memory_error_info","description":"Data associated with errors of a physical memory array.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"error_type","description":"type of error associated with current error status for array or device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"error_granularity","description":"Granularity to which the error can be resolved","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"error_operation","description":"Memory access operation that caused the error","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor_syndrome","description":"Vendor specific ECC syndrome or CRC data associated with the erroneous access","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_array_error_address","description":"32 bit physical address of the error based on the addressing of the bus to which the memory array is connected","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device_error_address","description":"32 bit physical address of the error relative to the start of the failing memory address, in 
bytes","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"error_resolution","description":"Range, in bytes, within which this error can be determined, when an error address is given","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"memory_info","description":"Main memory information in bytes.","platforms":["linux"],"columns":[{"name":"memory_total","description":"Total amount of physical RAM, in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_free","description":"The amount of physical RAM, in bytes, left unused by the system","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"memory_available","description":"The amount of physical RAM, in bytes, available for starting new applications, without swapping","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"buffers","description":"The amount of physical RAM, in bytes, used for file buffers","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cached","description":"The amount of physical RAM, in bytes, used as cache memory","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"swap_cached","description":"The amount of swap, in bytes, used as cache memory","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"active","description":"The total amount of buffer or page cache memory, in bytes, that is in active use","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inactive","description":"The total amount of buffer or page cache memory, in bytes, that are free and available","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"swap_total","description":"The total amount of swap available, in 
bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"swap_free","description":"The total amount of swap free, in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"memory_map","description":"OS memory region map.","platforms":["linux"],"columns":[{"name":"name","description":"Region name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"start","description":"Start address of memory region","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"end","description":"End address of memory region","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"mounts","description":"System mounted devices and filesystems (not process specific).","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Mounted device","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"device_alias","description":"Mounted device alias","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Mounted device path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Mounted device type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Block size in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Mounted device used blocks","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"blocks_free","description":"Mounted device free blocks","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"blocks_available","description":"Mounted device available blocks","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Mounted device used 
inodes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inodes_free","description":"Mounted device free inodes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"flags","description":"Mounted device flags","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"msr","description":"Various pieces of data stored in the model specific register per processor. NOTE: the msr kernel module must be enabled, and osquery must be run as root.","platforms":["linux"],"columns":[{"name":"processor_number","description":"The processor number as reported in /proc/cpuinfo","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"turbo_disabled","description":"Whether the turbo feature is disabled.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"turbo_ratio_limit","description":"The turbo feature ratio limit.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"platform_info","description":"Platform information.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"perf_ctl","description":"Performance setting for the processor.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"perf_status","description":"Performance status for the processor.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"feature_control","description":"Bitfield controlling enabled features.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"rapl_power_limit","description":"Run Time Average Power Limiting power limit.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"rapl_energy_status","description":"Run Time Average Power Limiting energy status.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"rapl_power_units","description":"Run 
Time Average Power Limiting power units.","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"nfs_shares","description":"NFS shares exported by the host.","platforms":["darwin"],"columns":[{"name":"share","description":"Filesystem path to the share","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"options","description":"Options string set on the export share","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"readonly","description":"1 if the share is exported readonly else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"npm_packages","description":"Node packages installed in a system.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Package display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Package-supplied description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"author","description":"Package-supplied author","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"homepage","description":"Package supplied homepage","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this module resides","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"directory","description":"Directory where node_modules are located","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"pid_with_namespace","description":"Pids that contain a 
namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"ntdomains","description":"Display basic NT domain information of a Windows machine.","platforms":["windows"],"columns":[{"name":"name","description":"The label by which the object is known.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"client_site_name","description":"The name of the site where the domain controller is configured.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dc_site_name","description":"The name of the site where the domain controller is located.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dns_forest_name","description":"The name of the root of the DNS tree.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"domain_controller_address","description":"The IP Address of the discovered domain controller..","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"domain_controller_name","description":"The name of the discovered domain controller.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"domain_name","description":"The name of the domain.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"The current status of the domain object.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ntfs_acl_permissions","description":"Retrieve NTFS ACL permission information for files and directories.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the file or directory.","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"type","description":"Type of access mode 
for the access control entry.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"principal","description":"User or group to which the ACE applies.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"access","description":"Specific permissions that indicate the rights described by the ACE.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"inherited_from","description":"The inheritance policy of the ACE.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ntfs_journal_events","description":"Track time/action changes to files specified in configuration data.","platforms":["windows"],"columns":[{"name":"action","description":"Change action (Write, Delete, etc)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"category","description":"The category that the event originated from","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"old_path","description":"Old path (renames only)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"record_timestamp","description":"Journal record timestamp","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"record_usn","description":"The update sequence number that identifies the journal record","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"node_ref_number","description":"The ordinal that associates a journal record with a filename","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"parent_ref_number","description":"The ordinal that associates a journal record with a filename's parent directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"The drive letter 
identifying the source journal","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"file_attributes","description":"File attributes","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"partial","description":"Set to 1 if either path or old_path only contains the file or folder name","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"nvram","description":"Apple NVRAM variable listing.","platforms":["darwin"],"columns":[{"name":"name","description":"Variable name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"type","description":"Data type (CFData, CFString, etc)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Raw variable data","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"oem_strings","description":"OEM defined strings retrieved from SMBIOS.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the Type 11 structure","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"number","description":"The string index of the structure","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"The value of the OEM string","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"office_mru","description":"View recently opened Office documents.","platforms":["windows"],"columns":[{"name":"application","description":"Associated Office application","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Office application 
version number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"File path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"Most recent opened time file was opened","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"os_version","description":"A single row containing the operating system name and version.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Distribution or product name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Pretty, suitable for presentation, OS version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"major","description":"Major release version","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"minor","description":"Minor release version","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"patch","description":"Optional patch release","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"build","description":"Optional build-specific or variant string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"platform","description":"OS Platform or ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"platform_like","description":"Closely related platforms","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"codename","description":"OS version codename","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"arch","description":"OS Architecture","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_date","description":"The install 
date of the OS.","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"osquery_events","description":"Information about the event publishers and subscribers.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Event publisher or subscriber name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the associated publisher","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Either publisher or subscriber","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subscriptions","description":"Number of subscriptions the publisher received or subscriber used","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"events","description":"Number of events emitted or received since osquery started","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"refreshes","description":"Publisher only: number of runloop restarts","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"active","description":"1 if the publisher or subscriber is active else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"osquery_extensions","description":"List of active osquery extensions.","platforms":["darwin","linux","windows"],"columns":[{"name":"uuid","description":"The transient ID assigned for 
communication","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension's name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension's version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sdk_version","description":"osquery SDK version used to build the extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the extension's Thrift connection or library path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"SDK extension type: core, extension, or module","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"osquery_flags","description":"Configurable flags that modify osquery's behavior.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Flag name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Flag type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Flag description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"default_value","description":"Flag default value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Flag value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"shell_only","description":"Is the flag shell only?","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"osquery_info","description":"Top level information about the running version of osquery.","platforms":["darwin","linux","windows"],"columns":[{"name":"pid","description":"Process (or thread/handle) 
ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the system","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"instance_id","description":"Unique, long-lived ID per instance of osquery","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"osquery toolkit version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"config_hash","description":"Hash of the working configuration state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"config_valid","description":"1 if the config was loaded and considered valid, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"extensions","description":"osquery extensions status","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"build_platform","description":"osquery toolkit build platform","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"build_distro","description":"osquery toolkit platform distribution name (os version)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"start_time","description":"UNIX time in seconds when the process started","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"watcher","description":"Process (or thread/handle) ID of optional watcher process","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"platform_mask","description":"The osquery platform bitmask","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"osquery_packs","description":"Information about the current query packs that are loaded in osquery.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"The given name for this query 
pack","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"platform","description":"Platforms this query is supported on","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Minimum osquery version that this query will run on","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"shard","description":"Shard restriction limit, 1-100, 0 meaning no restriction","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"discovery_cache_hits","description":"The number of times that the discovery query used cached values since the last time the config was reloaded","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"discovery_executions","description":"The number of times that the discovery queries have been executed since the last time the config was reloaded","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"active","description":"Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"osquery_registry","description":"List the osquery registry plugins.","platforms":["darwin","linux","windows"],"columns":[{"name":"registry","description":"Name of the osquery registry","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the plugin item","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"owner_uuid","description":"Extension route UUID (0 for core)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"internal","description":"1 If the plugin is internal else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If this plugin is active else 
0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"osquery_schedule","description":"Information about the current queries that are scheduled in osquery.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"The given name for this query","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"query","description":"The exact query to run","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"interval","description":"The interval in seconds to run this query, not an exact interval","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"executions","description":"Number of times the query was executed","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_executed","description":"UNIX time stamp in seconds of the last completed execution","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"denylisted","description":"1 if the query is denylisted else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"output_size","description":"Cumulative total number of bytes generated by the resultant rows of the query","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"wall_time","description":"Total wall time in seconds spent executing (deprecated), hidden=True","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"wall_time_ms","description":"Total wall time in milliseconds spent executing","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_wall_time_ms","description":"Wall time in milliseconds of the latest execution","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"user_time","description":"Total user time in milliseconds spent 
executing","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_user_time","description":"User time in milliseconds of the latest execution","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"system_time","description":"Total system time in milliseconds spent executing","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_system_time","description":"System time in milliseconds of the latest execution","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"average_memory","description":"Average of the bytes of resident memory left allocated after collecting results","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_memory","description":"Resident memory in bytes left allocated after collecting results of the latest execution","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"package_bom","description":"macOS package bill of materials (BOM) file list.","platforms":["darwin"],"columns":[{"name":"filepath","description":"Package file or directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"Expected user of file or directory","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Expected group of file or directory","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"Expected permissions","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Timestamp the file was installed","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of package 
bom","type":"text","notes":"","hidden":false,"required":true,"index":false}]},{"name":"package_install_history","description":"macOS package install history.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Label packageIdentifiers","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Label date as UNIX timestamp","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Package display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Package display version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Install source: usually the installer process name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"content_type","description":"Package content_type (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"package_receipts","description":"macOS package receipt details.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Package domain identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"package_filename","description":"Filename of original .pkg file","type":"text","notes":"","hidden":true,"required":false,"index":true},{"name":"version","description":"Installed package version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"location","description":"Optional relative install path on volume","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Timestamp of install time","type":"double","notes":"","hidden":false,"required":false,"index":false},{"name":"installer_name","description":"Name of installer process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of 
receipt plist","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"password_policy","description":"Password Policies for macOS.","platforms":["darwin"],"columns":[{"name":"uid","description":"User ID for the policy, -1 for policies that are global","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"policy_identifier","description":"Policy Identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"policy_content","description":"Policy content","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"policy_description","description":"Policy description","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"patches","description":"Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).","platforms":["windows"],"columns":[{"name":"csname","description":"The name of the host the patch is installed on.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hotfix_id","description":"The KB ID of the patch.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"caption","description":"Short description of the patch.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Fuller description of the patch.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fix_comments","description":"Additional comments about the patch.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"installed_by","description":"The system context in which the patch as installed.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the patch was installed. 
Lack of a value does not indicate that the patch was not installed.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"installed_on","description":"The date when the patch was installed.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"pci_devices","description":"PCI devices active on the host system.","platforms":["darwin","linux"],"columns":[{"name":"pci_slot","description":"PCI Device used slot","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pci_class","description":"PCI Device class","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"driver","description":"PCI Device used driver","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor","description":"PCI Device vendor","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded PCI Device vendor identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"PCI Device model","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded PCI Device model identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pci_class_id","description":"PCI Device class ID in hex format","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"pci_subclass_id","description":"PCI Device subclass in hex format","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"pci_subclass","description":"PCI Device subclass","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"subsystem_vendor_id","description":"Vendor ID of PCI device 
subsystem","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"subsystem_vendor","description":"Vendor of PCI device subsystem","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"subsystem_model_id","description":"Model ID of PCI device subsystem","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"subsystem_model","description":"Device description of PCI device subsystem","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"physical_disk_performance","description":"Provides provides raw data from performance counters that monitor hard or fixed disk drives on the system.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the physical disk","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_read","description":"Average number of bytes transferred from the disk during read operations","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_write","description":"Average number of bytes transferred to the disk during write operations","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"avg_disk_read_queue_length","description":"Average number of read requests that were queued for the selected disk during the sample interval","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"avg_disk_write_queue_length","description":"Average number of write requests that were queued for the selected disk during the sample interval","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_read","description":"Average time, in seconds, of a read operation of data from the 
disk","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_write","description":"Average time, in seconds, of a write operation of data to the disk","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"current_disk_queue_length","description":"Number of requests outstanding on the disk at the time the performance data is collected","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"percent_disk_read_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing read requests","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"percent_disk_write_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing write requests","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"percent_disk_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing read or write requests","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"percent_idle_time","description":"Percentage of time during the sample interval that the disk was idle","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"pipes","description":"Named and Anonymous pipes.","platforms":["windows"],"columns":[{"name":"pid","description":"Process ID of the process to which the pipe belongs","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Name of the pipe","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"instances","description":"Number of instances of the named pipe","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"max_instances","description":"The maximum number of instances creatable for this 
pipe","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"flags","description":"The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"platform_info","description":"Information about EFI/UEFI/ROM and platform/boot.","platforms":["darwin","linux","windows"],"columns":[{"name":"vendor","description":"Platform code vendor","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Platform code version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"date","description":"Self-reported platform code update date","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"revision","description":"BIOS major and minor revision","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"extra","description":"Platform-specific additional information","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"firmware_type","description":"The type of firmware (uefi, bios, iboot, openfirmware, unknown).","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"address","description":"Relative address of firmware mapping","type":"text","notes":"","hidden":false,"required":false,"index":false,"platforms":["linux","darwin"]},{"name":"size","description":"Size in bytes of firmware","type":"text","notes":"","hidden":false,"required":false,"index":false,"platforms":["linux","darwin"]},{"name":"volume_size","description":"(Optional) size of firmware volume","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["linux","darwin"]}]},{"name":"plist","description":"Read and parse a plist file.","platforms":["darwin"],"columns":[{"name":"key","description":"Preference top-level 
key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subkey","description":"Intermediate key path, includes lists/dicts","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF types","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"(required) read preferences from a plist","type":"text","notes":"","hidden":false,"required":true,"index":false}]},{"name":"portage_keywords","description":"A summary about portage configurations like keywords, mask and unmask.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"keyword","description":"The keyword applied to the package","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mask","description":"If the package is masked","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"unmask","description":"If the package is unmasked","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"portage_packages","description":"List of currently installed packages.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"slot","description":"The slot used by package","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Unix time when package was 
built","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"repository","description":"From which repository the ebuild was used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"eapi","description":"The eapi for the ebuild","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the package","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"world","description":"If package is in the world file","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"portage_use","description":"List of enabled portage USE values for specific package.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"The version of the installed package","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"use","description":"USE flag which has been enabled for package","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"power_sensors","description":"Machine power (currents, voltages, wattages, etc) sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on macOS","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"category","description":"The sensor category: currents, voltage, wattage","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of power source","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Power in Watts","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"powershell_events","description":"Powershell script blocks reconstructed to their full script content, this table requires script block logging to be 
enabled.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was received by the osquery event publisher","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the Powershell script event occurred","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"script_block_id","description":"The unique GUID of the powershell script to which this block belongs","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"script_block_count","description":"The total number of script blocks for this script","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"script_text","description":"The text content of the Powershell script","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"script_name","description":"The name of the Powershell script","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"script_path","description":"The path for the Powershell script","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cosine_similarity","description":"How similar the Powershell script is to a provided 'normal' character frequency","type":"double","notes":"","hidden":false,"required":false,"index":false}]},{"name":"preferences","description":"macOS defaults and managed preferences.","platforms":["darwin"],"columns":[{"name":"domain","description":"Application ID usually in com.name.product format","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"Preference top-level key","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"subkey","description":"Intemediate key path, includes lists/dicts","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF 
types","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"forced","description":"1 if the value is forced/managed, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"(optional) read preferences for a specific user","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"host","description":"'current' or 'any' host, where 'current' takes precedence","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"prefetch","description":"Prefetch files show metadata related to file execution.","platforms":["windows"],"columns":[{"name":"path","description":"Prefetch file path.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filename","description":"Executable filename.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hash","description":"Prefetch CRC hash.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Most recent time application was run.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"other_run_times","description":"Other execution times in prefetch file.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"run_count","description":"Number of times the application has been run.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Application file size.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"volume_creation","description":"Volume creation time.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"accessed_files_count","description":"Number of files 
accessed.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"accessed_directories_count","description":"Number of directories accessed.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"accessed_files","description":"Files accessed by application within ten seconds of launch.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"accessed_directories","description":"Directories accessed by application within ten seconds of launch.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"process_envs","description":"A key/value table of environment variables for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","notes":"","hidden":false,"required":false,"index":true},{"name":"key","description":"Environment variable name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Environment variable value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"process_events","description":"Track time/action process executions.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"File mode permissions","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline_size","description":"Actual size (bytes) of command line arguments","type":"bigint","notes":"","hidden":true,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by 
spaces","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","notes":"","hidden":true,"required":false,"index":false},{"name":"env_size","description":"Actual size (bytes) of environment list","type":"bigint","notes":"","hidden":true,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID at process start","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID at process start","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID at process start","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID at process start","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID at process start","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"File owner user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"owner_gid","description":"File owner group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"atime","description":"File last access in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mtime","description":"File modification in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ctime","description":"File last metadata change in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"btime","description":"File creation in UNIX 
time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"overflows","description":"List of structures that overflowed","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"parent","description":"Process parent's PID, or -1 if cannot be determined.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"status","description":"OpenBSM Attribute: Status of the process","type":"bigint","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"fsuid","description":"Filesystem user ID at process start","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"suid","description":"Saved user ID at process start","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"fsgid","description":"Filesystem group ID at process start","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"sgid","description":"Saved group ID at process start","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"syscall","description":"Syscall name: fork, vfork, clone, execve, execveat","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"process_file_events","description":"A File Integrity Monitor implementation using the audit service.","platforms":["linux"],"columns":[{"name":"operation","description":"Operation 
type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ppid","description":"Parent process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"executable","description":"The executable path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"partial","description":"True if this is a partial event (i.e.: this process existed before we started osquery)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The current working directory of the process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"The path associated with the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"dest_path","description":"The canonical path associated with the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"The uid of the process performing the action","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"The gid of the process performing the action","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID of the process using the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID of the process using the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID of the process using the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem 
user ID of the process using the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fsgid","description":"Filesystem group ID of the process using the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID of the process using the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID of the process using the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"process_memory_map","description":"Process memory mapped files and pseudo device/regions.","platforms":["darwin","linux","windows"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","notes":"","hidden":false,"required":false,"index":true},{"name":"start","description":"Virtual start address (hex)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"end","description":"Virtual end address (hex)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"permissions","description":"r=read, w=write, x=execute, p=private (cow)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"offset","description":"Offset into mapped path","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"device","description":"MA:MI Major/minor device ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"inode","description":"Mapped path inode, 0 means uninitialized (BSS)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to mapped file or mapped 
type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pseudo","description":"1 If path is a pseudo path, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"process_namespaces","description":"Linux namespaces for processes running on the host system.","platforms":["linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","notes":"","hidden":false,"required":false,"index":true},{"name":"cgroup_namespace","description":"cgroup namespace inode","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ipc_namespace","description":"ipc namespace inode","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mnt_namespace","description":"mnt namespace inode","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"net namespace inode","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_namespace","description":"pid namespace inode","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user_namespace","description":"user namespace inode","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uts_namespace","description":"uts namespace inode","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"process_open_files","description":"File descriptors for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"fd","description":"Process-specific file descriptor number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Filesystem path of descriptor","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"process_open_pipes","description":"Pipes 
and partner processes for each process.","platforms":["linux"],"columns":[{"name":"pid","description":"Process ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"fd","description":"File descriptor","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"Pipe open mode (r/w)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"inode","description":"Pipe inode number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Pipe Type: named vs unnamed/anonymous","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"partner_pid","description":"Process ID of partner process sharing a particular pipe","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"partner_fd","description":"File descriptor of shared pipe at partner's end","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"partner_mode","description":"Mode of shared pipe at partner's end","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"process_open_sockets","description":"Processes which have open network sockets on the system.","platforms":["darwin","linux","windows"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","notes":"","hidden":false,"required":false,"index":true},{"name":"fd","description":"Socket file descriptor number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, IPv6)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol 
(TCP/UDP)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Socket local address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Socket remote address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Socket local port","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Socket remote port","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"For UNIX sockets (family=AF_UNIX), the domain path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"TCP socket state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"processes","description":"All running processes on the host system.","platforms":["darwin","linux","windows"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executed binary","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Process current working 
directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"root","description":"Process virtual root directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"Unsigned user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Unsigned group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"euid","description":"Unsigned effective user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"egid","description":"Unsigned effective group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"suid","description":"Unsigned saved user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Unsigned saved group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"on_disk","description":"The process path exists yes=1, no=0, unknown=-1","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"user_time","description":"CPU time in milliseconds spent in user space","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"system_time","description":"CPU time in milliseconds spent in kernel space","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_bytes_read","description":"Bytes read from 
disk","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_bytes_written","description":"Bytes written to disk","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start time in seconds since Epoch, in case of error -1","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"elevated_token","description":"Process uses elevated token yes=1, no=0","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"secure_process","description":"Process is secure (IUM) yes=1, no=0","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"protection_type","description":"The protection type of the process","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"virtual_process","description":"Process is virtual (e.g. 
System, Registry, vmmem) yes=1, no=0","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"elapsed_time","description":"Elapsed time in seconds this process has been running.","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"handle_count","description":"Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"percent_processor_time","description":"Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"upid","description":"A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"uppid","description":"The 64bit parent pid that is never reused. 
Returns -1 if we couldn't gather them from the system.","type":"bigint","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"cpu_type","description":"Indicates the specific processor designed for installation.","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"cpu_subtype","description":"Indicates the specific processor on which an entry may be used.","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"translated","description":"Indicates whether the process is running under the Rosetta Translation Environment, yes=1, no=0, error=-1.","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"cgroup_path","description":"The full hierarchical path of the process's control group","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"programs","description":"Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. 
Some fields may be blank as Windows installation details are left to the discretion of the product author.","platforms":["windows"],"columns":[{"name":"name","description":"Commonly used product name.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Product version information.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_location","description":"The installation location directory of the product.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_source","description":"The installation source of the product.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"language","description":"The language of the product.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the product supplier.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uninstall_string","description":"Path and filename of the uninstaller.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Date that this product was installed on the system. 
","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"identifying_number","description":"Product identification such as a serial number on software, or a die number on a hardware chip.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"prometheus_metrics","description":"Retrieve metrics from a Prometheus server.","platforms":["darwin","linux"],"columns":[{"name":"target_name","description":"Address of prometheus target","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"metric_name","description":"Name of collected Prometheus metric","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"metric_value","description":"Value of collected Prometheus metric","type":"double","notes":"","hidden":false,"required":false,"index":false},{"name":"timestamp_ms","description":"Unix timestamp of collected data in MS","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"python_packages","description":"Python packages installed in a system.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Package display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this module resides","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"directory","description":"Directory where Python 
modules are located","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"quicklook_cache","description":"Files and thumbnails within macOS's Quicklook Cache.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"rowid","description":"Quicklook file rowid key","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"fs_id","description":"Quicklook file fs_id key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"volume_id","description":"Parsed volume ID from fs_id","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"inode","description":"Parsed file ID (inode) from fs_id","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Parsed version date field","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Parsed version size field","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"label","description":"Parsed version 'gen' field","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_hit_date","description":"Apple date format for last thumbnail cache hit","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"hit_count","description":"Number of cache hits on thumbnail","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"icon_mode","description":"Thumbnail icon mode","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"cache_path","description":"Path to cache 
data","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"registry","description":"All of the Windows registry hives.","platforms":["windows"],"columns":[{"name":"key","description":"Name of the key to search for","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Full path to the value","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Name of the registry value entry","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the registry value, or 'subkey' if item is a subkey","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"data","description":"Data content of registry value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mtime","description":"timestamp of the most recent registry write","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"routes","description":"The active route table for the host system.","platforms":["darwin","linux","windows"],"columns":[{"name":"destination","description":"Destination IP address","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Netmask length","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Route gateway","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Route source","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags to describe route","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"interface","description":"Route local interface","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Maximum Transmission Unit for the 
route","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"metric","description":"Cost of route. Lowest is preferred","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of route","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hopcount","description":"Max hops expected","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["linux","darwin"]}]},{"name":"rpm_package_files","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"package","description":"RPM package name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"path","description":"File path within the package","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"username","description":"File default username from info DB","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"groupname","description":"File default groupname from info DB","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"File permissions mode from info DB","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size in bytes from RPM info DB","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 file digest from RPM info DB","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"rpm_packages","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"name","description":"RPM package name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"version","description":"Package 
version","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"release","description":"Package release","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"source","description":"Source RPM package name (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the package contents","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"arch","description":"Architecture(s) supported","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"epoch","description":"Package epoch value","type":"integer","notes":"","hidden":false,"required":false,"index":true},{"name":"install_time","description":"When the package was installed","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Package vendor","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"package_group","description":"Package group","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"running_apps","description":"macOS applications currently running on the host system.","platforms":["darwin"],"columns":[{"name":"pid","description":"The pid of the application","type":"integer","notes":"","hidden":false,"required":false,"index":true},{"name":"bundle_identifier","description":"The bundle identifier of the 
application","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"is_active","description":"(DEPRECATED)","type":"integer","notes":"","hidden":true,"required":false,"index":false}]},{"name":"safari_extensions","description":"Safari browser extension details for all users.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the extension","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Extension display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension long version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Bundle SDK used to compile extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Optional developer identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional extension description text","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension XAR bundle","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"sandboxes","description":"macOS application sandboxes container details.","platforms":["darwin"],"columns":[{"name":"label","description":"UTI-format bundle or label ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user","description":"Sandbox 
owner","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Application sandboxings enabled on container","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"build_id","description":"Sandbox-specific identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"Application bundle used by the sandbox","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to sandbox container directory","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"scheduled_tasks","description":"Lists all of the tasks in the Windows task scheduler.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the scheduled task","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"action","description":"Actions executed by the scheduled task","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the executable to be run","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether or not the scheduled task is enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the scheduled task","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hidden","description":"Whether or not the task is visible in the UI","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Timestamp the task last ran","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"next_run_time","description":"Timestamp the task is scheduled to run next","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"last_run_message","description":"Exit status message 
of the last task run","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_run_code","description":"Exit status code of the last task run","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"screenlock","description":"macOS screenlock status. Note: only fetches results for osquery's current logged-in user context. The user must also have recently logged in.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 If a password is required after sleep or the screensaver begins; else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"grace_period","description":"The amount of time in seconds the screen must be asleep or the screensaver on before a password is required on-wake. 0 = immediately; -1 = no password is required on-wake","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"seccomp_events","description":"A virtual table that tracks seccomp events.","platforms":["linux"],"columns":[{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID (loginuid) of the user who started the analyzed process","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the user who started the analyzed process","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the user who started the analyzed process","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ses","description":"Session ID of the session from which the analyzed process was 
invoked","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"exe","description":"The path to the executable that was used to invoke the analyzed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sig","description":"Signal value sent to process by seccomp","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"arch","description":"Information about the CPU architecture","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"syscall","description":"Type of the system call","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"compat","description":"Is system call in compatibility mode","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ip","description":"Instruction pointer value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"code","description":"The seccomp action","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"secureboot","description":"Secure Boot UEFI Settings.","platforms":["linux","windows"],"columns":[{"name":"secure_boot","description":"Whether secure boot is enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"setup_mode","description":"Whether setup mode is enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"security_profile_info","description":"Information on the security profile of a given system by listing the system Account and Audit Policies. 
This table mimics the exported securitypolicy output from the secedit tool.","platforms":["windows"],"columns":[{"name":"minimum_password_age","description":"Determines the minimum number of days that a password must be used before the user can change it","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"maximum_password_age","description":"Determines the maximum number of days that a password can be used before the client requires the user to change it","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"minimum_password_length","description":"Determines the least number of characters that can make up a password for a user account","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"password_complexity","description":"Determines whether passwords must meet a series of strong-password guidelines","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"password_history_size","description":"Number of unique new passwords that must be associated with a user account before an old password can be reused","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"lockout_bad_count","description":"Number of failed logon attempts after which a user account MUST be locked out","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"logon_to_change_password","description":"Determines if logon session is required to change the password","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"force_logoff_when_expire","description":"Determines whether SMB client sessions with the SMB server will be forcibly disconnected when the client's logon hours expire","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"new_administrator_name","description":"Determines the name of the Administrator account on the local 
computer","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"new_guest_name","description":"Determines the name of the Guest account on the local computer","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"clear_text_password","description":"Determines whether passwords MUST be stored by using reversible encryption","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"lsa_anonymous_name_lookup","description":"Determines if an anonymous user is allowed to query the local LSA policy","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"enable_admin_account","description":"Determines whether the Administrator account on the local computer is enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"enable_guest_account","description":"Determines whether the Guest account on the local computer is enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_system_events","description":"Determines whether the operating system MUST audit System Change, System Startup, System Shutdown, Authentication Component Load, and Loss or Excess of Security events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_logon_events","description":"Determines whether the operating system MUST audit each instance of a user attempt to log on or log off this computer","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_object_access","description":"Determines whether the operating system MUST audit each instance of user attempts to access a non-Active Directory object that has its own SACL specified","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_privilege_use","description":"Determines whether the operating system MUST audit each instance of user attempts to exercise a user 
right","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_policy_change","description":"Determines whether the operating system MUST audit each instance of user attempts to change user rights assignment policy, audit policy, account policy, or trust policy","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_account_manage","description":"Determines whether the operating system MUST audit each event of account management on a computer","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_process_tracking","description":"Determines whether the operating system MUST audit process-related events","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_ds_access","description":"Determines whether the operating system MUST audit each instance of user attempts to access an Active Directory object that has its own system access control list (SACL) specified","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"audit_account_logon","description":"Determines whether the operating system MUST audit each time this computer validates the credentials of an account","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"selinux_events","description":"Track SELinux events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"message","description":"Message","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event 
ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"selinux_settings","description":"Track active SELinux settings.","platforms":["linux"],"columns":[{"name":"scope","description":"Where the key is located inside the SELinuxFS mount point.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"key","description":"Key or class name.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Active value.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"services","description":"Lists all installed Windows services and their relevant data.","platforms":["windows"],"columns":[{"name":"name","description":"Service name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"service_type","description":"Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Service Display name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"the Process ID of the service","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"start_type","description":"Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"win32_exit_code","description":"The error code that the service uses to report an error that occurs when it is starting or stopping","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"service_exit_code","description":"The service-specific 
error code that the service returns when an error occurs while the service is starting or stopping","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Service Executable","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"module_path","description":"Path to ServiceDll","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Service Description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user_account","description":"The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\\UserName. If the account belongs to the built-in domain, the name can be of the form .\\UserName.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"shadow","description":"Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.","platforms":["linux"],"columns":[{"name":"password_status","description":"Password status","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hash_alg","description":"Password hashing algorithm","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Date of last password change (starting from UNIX epoch date)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimal number of days between password changes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum number of days between password changes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"warning","description":"Number of days before password expires to warn user about 
it","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Number of days after password expires until account is blocked","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"expire","description":"Number of days since UNIX epoch date until account is disabled","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"flag","description":"Reserved","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","notes":"","hidden":false,"required":false,"index":true}]},{"name":"shared_folders","description":"Folders available to others via SMB or AFP.","platforms":["darwin"],"columns":[{"name":"name","description":"The shared name of the folder as it appears to other users","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute path of shared folder on the local system","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"shared_memory","description":"OS shared memory regions.","platforms":["linux"],"columns":[{"name":"shmid","description":"Shared memory segment ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"User ID of owning process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"creator_uid","description":"User ID of creator process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID to last use the segment","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"creator_pid","description":"Process ID that created the segment","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"atime","description":"Attached 
time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"dtime","description":"Detached time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Changed time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Memory segment permissions","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Size in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"attached","description":"Number of attached processes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Destination/attach status","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"locked","description":"1 if segment is locked else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"shared_resources","description":"Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.","platforms":["windows"],"columns":[{"name":"description","description":"A textual description of the object","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"String that indicates the current status of the object.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"allow_maximum","description":"Number of concurrent users for this resource has been limited. 
If True, the value in the MaximumAllowed property is ignored.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"maximum_allowed","description":"Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Alias given to a path set up as a share on a computer system running Windows.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Local path of the Windows share.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"type_name","description":"Human readable value for the 'type' column","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"sharing_preferences","description":"macOS Sharing preferences.","platforms":["darwin"],"columns":[{"name":"screen_sharing","description":"1 If screen sharing is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"file_sharing","description":"1 If file sharing is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"printer_sharing","description":"1 If printer sharing is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_login","description":"1 If remote login is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_management","description":"1 If remote management is enabled else 
0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_apple_events","description":"1 If remote apple events are enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"internet_sharing","description":"1 If internet sharing is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bluetooth_sharing","description":"1 If bluetooth sharing is enabled for any user else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"disc_sharing","description":"1 If CD or DVD sharing is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"content_caching","description":"1 If content caching is enabled else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"shell_history","description":"A line-delimited (command) table of per-user .*_history data.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"Shell history owner","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp. 
It could be absent, default value is 0.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"command","description":"Unparsed date/line/command history line","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"history_file","description":"Path to the .*_history for this user","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"shellbags","description":"Shows directories accessed via Windows Explorer.","platforms":["windows"],"columns":[{"name":"sid","description":"User SID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Shellbags source Registry file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Directory name.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Directory Modified time.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"created_time","description":"Directory Created time.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"accessed_time","description":"Directory Accessed time.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mft_entry","description":"Directory master file table entry.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"mft_sequence","description":"Directory master file table sequence.","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"shimcache","description":"Application Compatibility Cache, contains artifacts of execution.","platforms":["windows"],"columns":[{"name":"entry","description":"Execution order.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to the executed 
file.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"File Modified time.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"execution_flag","description":"Boolean Execution flag, 1 for execution, 0 for no execution, -1 for missing (this flag does not exist on Windows 10 and higher).","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"signature","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["darwin"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"hash_resources","description":"Set to 1 to also hash resources, or 0 otherwise. Default is 1","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"arch","description":"If applicable, the arch of the signed code","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"signed","description":"1 If the file is signed else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"identifier","description":"The signing identifier sealed into the signature","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Hash of the application Code Directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"team_identifier","description":"The team signing identifier sealed into the signature","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"authority","description":"Certificate Common Name","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"sip_config","description":"Apple's System Integrity Protection (rootless) status.","platforms":["darwin"],"columns":[{"name":"config_flag","description":"The System Integrity Protection config 
flag","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if this configuration is enabled, otherwise 0","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled_nvram","description":"1 if this configuration is enabled, otherwise 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"smbios_tables","description":"BIOS (DMI) structure common details and content.","platforms":["darwin","linux"],"columns":[{"name":"number","description":"Table entry number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Table entry type","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Table entry description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"handle","description":"Table entry handle","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"header_size","description":"Header size in bytes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Table entry size in bytes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table entry","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"smc_keys","description":"Apple's system management controller keys.","platforms":["darwin"],"columns":[{"name":"key","description":"4-character key","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"type","description":"SMC-reported type literal type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"size","description":"Reported size of data in bytes","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"A type-encoded representation of 
the key value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hidden","description":"1 if this key is normally hidden, otherwise 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"socket_events","description":"Track network socket opens and closes.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"The socket action (bind, listen, close)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Either 'succeeded', 'failed', 'in_progress' (connect() on non-blocking socket) or 'no_client' (null accept() on non-blocking socket)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port 
number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"socket","description":"The local path (UNIX domain socket only)","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"success","description":"Deprecated. Use the 'status' column instead","type":"integer","notes":"","hidden":true,"required":false,"index":false}]},{"name":"ssh_configs","description":"A table of parsed ssh_configs.","platforms":["darwin","linux","windows"],"columns":[{"name":"uid","description":"The local owner of the ssh_config file","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"block","description":"The host or match block","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"option","description":"The option and value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ssh_config_file","description":"Path to the ssh_config file","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"startup_items","description":"Applications and binaries set as user/login startup items.","platforms":["darwin","linux","windows"],"columns":[{"name":"name","description":"Name of startup item","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of startup 
item","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"args","description":"Arguments provided to startup executable","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Startup Item or Login Item","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Directory or plist containing startup item","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"status","description":"Startup status; either enabled or disabled","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"The user associated with the startup item","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"sudoers","description":"Rules for running commands as other users via sudo.","platforms":["darwin","linux"],"columns":[{"name":"source","description":"Source file containing the given rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"header","description":"Symbol for given rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"rule_details","description":"Rule definition","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"suid_bin","description":"suid binaries in common locations.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Binary path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Binary owner username","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Binary owner group","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Binary permissions","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain 
a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"syslog_events","description":"","platforms":["linux"],"columns":[{"name":"time","description":"Current unix epoch time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Time known to syslog","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"host","description":"Hostname configured for syslog","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"severity","description":"Syslog severity","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"facility","description":"Syslog facility","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tag","description":"The syslog tag","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"message","description":"The syslog message","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"system_controls","description":"sysctl names, values, and settings information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Full sysctl MIB name","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"oid","description":"Control MIB","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subsystem","description":"Subsystem ID, control type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"current_value","description":"Value of setting","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"config_value","description":"The MIB value set in /etc/sysctl.conf","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Data 
type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"field_name","description":"Specific attribute of opaque type","type":"text","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]}]},{"name":"system_extensions","description":"macOS (>= 10.15) system extension table.","platforms":["darwin"],"columns":[{"name":"path","description":"Original path of system extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"UUID","description":"Extension unique id","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"System extension state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Identifier name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"System extension version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"category","description":"System extension category","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"System extension bundle path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"team","description":"Signing team ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mdm_managed","description":"1 if managed by MDM system extension payload configuration, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"system_info","description":"System information for identification.","platforms":["darwin","linux","windows"],"columns":[{"name":"hostname","description":"Network hostname including domain","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the 
system","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_type","description":"CPU type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_subtype","description":"CPU subtype","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_brand","description":"CPU brand string, contains vendor and model","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_physical_cores","description":"Number of physical CPU cores in to the system","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_logical_cores","description":"Number of logical CPU cores available to the system","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"cpu_microcode","description":"Microcode version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"physical_memory","description":"Total physical memory in bytes","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"hardware_vendor","description":"Hardware vendor","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hardware model","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hardware_version","description":"Hardware version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hardware_serial","description":"Device serial number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"board_vendor","description":"Board vendor","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"board_model","description":"Board model","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"board_version","description":"Board 
version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"board_serial","description":"Board serial number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Friendly computer name (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Local hostname (optional)","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"systemd_units","description":"Track systemd units.","platforms":["linux"],"columns":[{"name":"id","description":"Unique unit identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Unit description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"load_state","description":"Reflects whether the unit definition was properly loaded","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"active_state","description":"The high-level unit activation state, i.e. 
generalization of SUB","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sub_state","description":"The low-level unit activation state, values depend on unit type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"following","description":"The name of another unit that this unit follows in state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"object_path","description":"The object path for this unit","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"job_id","description":"Next queued job id","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"job_type","description":"Job type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"job_path","description":"The object path for the job","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"fragment_path","description":"The unit file path this unit was read from, if there is any","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user","description":"The configured user, if any","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source_path","description":"Path to the (possibly generated) unit configuration file","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"temperature_sensors","description":"Machine's temperature sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on macOS","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"Name of temperature source","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"celsius","description":"Temperature in Celsius","type":"double","notes":"","hidden":false,"required":false,"index":false},{"name":"fahrenheit","description":"Temperature in 
Fahrenheit","type":"double","notes":"","hidden":false,"required":false,"index":false}]},{"name":"time","description":"Track current date and time in UTC.","platforms":["darwin","linux","windows"],"columns":[{"name":"weekday","description":"Current weekday in UTC","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"year","description":"Current year in UTC","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"month","description":"Current month in UTC","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"day","description":"Current day in UTC","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"hour","description":"Current hour in UTC","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Current minutes in UTC","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Current seconds in UTC","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"timezone","description":"Timezone for reported time (hardcoded to UTC)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_timezone","description":"Current local timezone in of the system","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"unix_time","description":"Current UNIX time in UTC","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"timestamp","description":"Current timestamp (log format) in UTC","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Current date and time (ISO format) in UTC","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"iso_8601","description":"Current time (ISO format) in 
UTC","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"win_timestamp","description":"Timestamp value in 100 nanosecond units","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]}]},{"name":"time_machine_backups","description":"Backups to drives using TimeMachine.","platforms":["darwin"],"columns":[{"name":"destination_id","description":"Time Machine destination ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"backup_date","description":"Backup Date","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"time_machine_destinations","description":"Locations backed up to using Time Machine.","platforms":["darwin"],"columns":[{"name":"alias","description":"Human readable name of drive","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"destination_id","description":"Time Machine destination ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"consistency_scan_date","description":"Consistency scan date","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"root_volume_uuid","description":"Root UUID of backup volume","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bytes_available","description":"Bytes available on volume","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"bytes_used","description":"Bytes used on volume","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"encryption","description":"Last known encrypted state","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"tpm_info","description":"A table that lists the TPM related information.","platforms":["windows"],"columns":[{"name":"activated","description":"TPM is 
activated","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"TPM is enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"owned","description":"TPM is owned","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer_version","description":"TPM version","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer_id","description":"TPM manufacturers ID","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer_name","description":"TPM manufacturers name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"product_name","description":"Product name of the TPM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"physical_presence_version","description":"Version of the Physical Presence Interface","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"spec_version","description":"Trusted Computing Group specification that the TPM supports","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"ulimit_info","description":"System resource usage limits.","platforms":["darwin","linux"],"columns":[{"name":"type","description":"System resource to be limited","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"soft_limit","description":"Current limit value","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hard_limit","description":"Maximum limit value","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"unified_log","description":"Queries the OSLog framework for entries in the system log. The maximum number of rows returned is limited for performance issues. 
This table introduces a new idiom for extracting sequential data in batches using multiple queries, ordered by timestamp. To trigger it, the user should include the condition \"timestamp > -1\", and the table will handle pagination.","platforms":["darwin"],"columns":[{"name":"timestamp","description":"unix timestamp associated with the entry","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"storage","description":"the storage category for the entry","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"message","description":"composed message","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"activity","description":"the activity ID associate with the entry","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"process","description":"the name of the process that made the entry","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"the pid of the process that made the entry","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sender","description":"the name of the binary image that made the entry","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tid","description":"the tid of the thread that made the entry","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"category","description":"the category of the os_log_t used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subsystem","description":"the subsystem of the os_log_t used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"level","description":"the severity level of the entry","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"max_rows","description":"the max number of rows returned (defaults to 
100)","type":"integer","notes":"","hidden":true,"required":false,"index":false}]},{"name":"uptime","description":"Track time passed since last boot. Some systems track this as calendar time, some as runtime.","platforms":["darwin","linux","windows"],"columns":[{"name":"days","description":"Days of uptime","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"hours","description":"Hours of uptime","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Minutes of uptime","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Seconds of uptime","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"total_seconds","description":"Total uptime seconds","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"usb_devices","description":"USB devices that are actively plugged into the host system.","platforms":["darwin","linux"],"columns":[{"name":"usb_address","description":"USB Device used address","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"usb_port","description":"USB Device used port","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor","description":"USB Device vendor string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded USB Device vendor identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"USB Device version number","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"USB Device model string","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded USB Device model 
identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial","description":"USB Device serial connection","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"USB Device class","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"subclass","description":"USB Device subclass","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"USB Device protocol","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"removable","description":"1 If USB device is removable else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"user_events","description":"Track user events from the audit framework.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"The file description for the process socket","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Supplied path from event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"address","description":"The Internet protocol address or family ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"terminal","description":"The network protocol ID","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX 
time","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"user_groups","description":"Local system user group relationships.","platforms":["darwin","linux","windows"],"columns":[{"name":"uid","description":"User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"gid","description":"Group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true}]},{"name":"user_interaction_events","description":"Track user interaction events from macOS' event tapping framework.","platforms":["darwin"],"columns":[{"name":"time","description":"Time","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"user_ssh_keys","description":"Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.","platforms":["darwin","linux","windows"],"columns":[{"name":"uid","description":"The local user that owns the key file","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to key file","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"encrypted","description":"1 if key is encrypted, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"key_type","description":"The type of the private key. 
One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"userassist","description":"UserAssist Registry Key tracks when a user executes an application from Windows Explorer.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of times the application has been executed.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"users","description":"Local user accounts (including domain accounts that have logged on locally (Windows)).","platforms":["darwin","linux","windows"],"columns":[{"name":"uid","description":"User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"gid","description":"Group ID (unsigned)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid_signed","description":"User ID as int64 signed (Apple)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"Default group ID as int64 signed (Apple)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional user 
description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"directory","description":"User's home directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"shell","description":"User's configured default shell","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uuid","description":"User's UUID (Apple) or SID (Windows)","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"type","description":"Whether the account is roaming (domain), local, or a system profile","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"video_info","description":"Retrieve video card information of the machine.","platforms":["windows"],"columns":[{"name":"color_depth","description":"The amount of bits per pixel to represent color.","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"driver","description":"The driver of the device.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"driver_date","description":"The date listed on the installed driver.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"driver_version","description":"The version of the installed driver.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the gpu.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the 
gpu.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"series","description":"The series of the gpu.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"video_mode","description":"The current resolution of the display.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"virtual_memory_info","description":"Darwin Virtual Memory statistics.","platforms":["darwin"],"columns":[{"name":"free","description":"Total number of free pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"active","description":"Total number of active pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Total number of inactive pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"speculative","description":"Total number of speculative pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"throttled","description":"Total number of throttled pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"wired","description":"Total number of wired down pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"purgeable","description":"Total number of purgeable pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"faults","description":"Total number of calls to vm_faults.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"copy","description":"Total number of copy-on-write pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"zero_fill","description":"Total number of zero filled pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"reactivated","description":"Total number of reactivated 
pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"purged","description":"Total number of purged pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"file_backed","description":"Total number of file backed pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"anonymous","description":"Total number of anonymous pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uncompressed","description":"Total number of uncompressed pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"compressor","description":"The number of pages used to store compressed VM pages.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"decompressed","description":"The total number of pages that have been decompressed by the VM compressor.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"compressed","description":"The total number of pages that have been compressed by the VM compressor.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"page_ins","description":"The total number of requests for pages from a pager.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"page_outs","description":"Total number of pages paged out.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"swap_ins","description":"The total number of compressed pages that have been swapped out to disk.","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"swap_outs","description":"The total number of compressed pages that have been swapped back in from disk.","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wifi_networks","description":"macOS known/remembered Wi-Fi networks 
list.","platforms":["darwin"],"columns":[{"name":"ssid","description":"SSID octets of the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"last_connected","description":"Last time this network was connected to as a unix_time","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"passpoint","description":"1 if Passpoint is supported, 0 otherwise","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"possibly_hidden","description":"1 if network is possibly a hidden network, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"roaming","description":"1 if roaming is supported, 0 otherwise","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"roaming_profile","description":"Describe the roaming profile, usually one of Single, Dual or Multi","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"auto_login","description":"1 if auto login is enabled, 0 otherwise","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"temporarily_disabled","description":"1 if this network is temporarily disabled, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 if this network is disabled, 0 otherwise","type":"integer","notes":"","hidden":true,"required":false,"index":false},{"name":"add_reason","description":"Shows why this network was added, via menubar or command line or something else ","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"added_at","description":"Time this network was added 
as a unix_time","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"captive_portal","description":"1 if this network has a captive portal, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"captive_login_date","description":"Time this network logged in to a captive portal as unix_time","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"was_captive_network","description":"1 if this network was previously a captive network, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"auto_join","description":"1 if this network set to join automatically, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"personal_hotspot","description":"1 if this network is a personal hotspot, 0 otherwise","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wifi_status","description":"macOS current WiFi status.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name of the interface","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication 
(dbm)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement (dBm)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"transmit_rate","description":"The current transmit rate","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mode","description":"The current operating mode for the Wi-Fi interface","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wifi_survey","description":"Scan for nearby WiFi networks.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name of the interface","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication (dbm)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement 
(dBm)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"winbaseobj","description":"Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.","platforms":["windows"],"columns":[{"name":"session_id","description":"Terminal Services Session Id","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"object_name","description":"Object Name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"object_type","description":"Object Type","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"windows_crashes","description":"Extracted information from Windows crash logs (Minidumps).","platforms":["windows"],"columns":[{"name":"datetime","description":"Timestamp (log format) of the crash","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"module","description":"Path of the crashed module within the process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the executable file for the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID of the crashed process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID of the crashed thread","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"version","description":"File 
version info of the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"process_uptime","description":"Uptime of the process in seconds","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Multiple stack frames from the stack trace","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"exception_code","description":"The Windows exception code","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"exception_message","description":"The NTSTATUS error message associated with the exception code","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"exception_address","description":"Address (in hex) where the exception occurred","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"registers","description":"The values of the system registers","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"command_line","description":"Command-line string passed to the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"current_directory","description":"Current working directory of the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Username of the user who ran the crashed process","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"machine_name","description":"Name of the machine where the crash happened","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"major_version","description":"Windows major version of the machine","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"minor_version","description":"Windows minor version of the 
machine","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"build_number","description":"Windows build number of the crashing machine","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of crash log","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Path of the log file","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"windows_eventlog","description":"Table for querying all recorded Windows event logs.","platforms":["windows"],"columns":[{"name":"channel","description":"Source or channel of the event","type":"text","notes":"","hidden":false,"required":true,"index":false},{"name":"datetime","description":"System time at which the event occurred","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"level","description":"Severity level associated with the event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the 
event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID which emitted the event record","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID which emitted the event record","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"time_range","description":"System time to selectively filter the events","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"timestamp","description":"Timestamp to selectively filter the events","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"xpath","description":"The custom query to filter events","type":"text","notes":"","hidden":true,"required":true,"index":false}]},{"name":"windows_events","description":"Windows Event logs.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was received","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the event occurred","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"source","description":"Source or channel of the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the 
event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"level","description":"The severity level associated with the event","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the event","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"windows_firewall_rules","description":"Provides the list of Windows firewall rules.","platforms":["windows"],"columns":[{"name":"name","description":"Friendly name of the rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"app_name","description":"Friendly name of the application to which the rule applies","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"action","description":"Action for the rule or default setting","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if the rule is enabled","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"grouping","description":"Group to which an individual rule belongs","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"direction","description":"Direction of traffic for which the rule applies","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"protocol","description":"IP protocol of the rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_addresses","description":"Local addresses for the rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_addresses","description":"Remote addresses for the 
rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"local_ports","description":"Local ports for the rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"remote_ports","description":"Remote ports for the rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"icmp_types_codes","description":"ICMP types and codes for the rule","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"profile_domain","description":"1 if the rule profile type is domain","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"profile_private","description":"1 if the rule profile type is private","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"profile_public","description":"1 if the rule profile type is public","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"service_name","description":"Service name property of the application","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"windows_optional_features","description":"Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the feature","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"caption","description":"Caption of feature in settings UI","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"Installation state value. 1 == Enabled, 2 == Disabled, 3 == Absent","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"statename","description":"Installation state name. 'Enabled','Disabled','Absent'","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"windows_security_center","description":"The health status of Window Security features. 
Health values can be \"Good\", \"Poor\". \"Snoozed\", \"Not Monitored\", and \"Error\".","platforms":["windows"],"columns":[{"name":"firewall","description":"The health of the monitored Firewall (see windows_security_products)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"The health of the Windows Autoupdate feature","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"antivirus","description":"The health of the monitored Antivirus solution (see windows_security_products)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"antispyware","description":"Deprecated (always 'Good').","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"internet_settings","description":"The health of the Internet Settings","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"windows_security_center_service","description":"The health of the Windows Security Center Service","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user_account_control","description":"The health of the User Account Control (UAC) capability in Windows","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"windows_security_products","description":"Enumeration of registered Windows security products.","platforms":["windows"],"columns":[{"name":"type","description":"Type of security product","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of product","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"State of protection","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state_timestamp","description":"Timestamp for the product 
state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"remediation_path","description":"Remediation path","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"signatures_up_to_date","description":"1 if product signatures are up to date, else 0","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"windows_update_history","description":"Provides the history of the windows update events.","platforms":["windows"],"columns":[{"name":"client_app_id","description":"Identifier of the client application that processed an update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"date","description":"Date and the time an update was applied","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of an update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hresult","description":"HRESULT value that is returned from the operation on an update","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"operation","description":"Operation on an update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"result_code","description":"Result of an operation on an update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"server_selection","description":"Value that indicates which server provided an update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"service_id","description":"Service identifier of an update service that is not a Windows update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"support_url","description":"Hyperlink to the language-specific support information for an update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"title","description":"Title of an 
update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_id","description":"Revision-independent identifier of an update","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"update_revision","description":"Revision number of an update","type":"bigint","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wmi_bios_info","description":"Lists important information from the system bios.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the Bios setting","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the Bios setting","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wmi_cli_event_consumers","description":"WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique name of a consumer.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"command_line_template","description":"Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"executable_path","description":"Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. 
If a partial name is specified, the current drive and current directory are assumed.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wmi_event_filters","description":"Lists WMI event filters.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier of an event filter.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"query","description":"Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"query_language","description":"Query language that the query is written in.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wmi_filter_consumer_binding","description":"Lists the relationship between event consumers and filters.","platforms":["windows"],"columns":[{"name":"consumer","description":"Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filter","description":"Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be 
received.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"wmi_script_event_consumers","description":"WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier for the event consumer. ","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"scripting_engine","description":"Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"script_file_name","description":"Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"script_text","description":"Text of the script that is expressed in a language known to the scripting engine. 
This property must be NULL if the ScriptFileName property is not NULL.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"xprotect_entries","description":"Database of the machine's XProtect signatures.","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"launch_type","description":"Launch services content type","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"identity","description":"XProtect identity (SHA1) of content","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filename","description":"Use this file name to match","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"filetype","description":"Use this file type to match","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"optional","description":"Match any of the identities/patterns for this XProtect name","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"uses_pattern","description":"Uses a match pattern instead of identity","type":"integer","notes":"","hidden":false,"required":false,"index":false}]},{"name":"xprotect_meta","description":"Database of the machine's XProtect browser-related signatures.","platforms":["darwin"],"columns":[{"name":"identifier","description":"Browser plugin or extension identifier","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"type","description":"Either plugin or 
extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Developer identity (SHA1) of extension","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"min_version","description":"The minimum allowed plugin version.","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"xprotect_reports","description":"Database of XProtect matches (if user generated/sent an XProtect report).","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"user_action","description":"Action taken by user after prompted","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Quarantine alert time","type":"text","notes":"","hidden":false,"required":false,"index":false}]},{"name":"yara","description":"Triggers one-off YARA query for files at the specified path. 
Requires one of `sig_group`, `sigfile`, or `sigrule`.","platforms":["darwin","linux","windows"],"columns":[{"name":"path","description":"The path scanned","type":"text","notes":"","hidden":false,"required":true,"index":true},{"name":"matches","description":"List of YARA matches","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"sig_group","description":"Signature group used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sigfile","description":"Signature file used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sigrule","description":"Signature strings used","type":"text","notes":"","hidden":true,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"sigurl","description":"Signature url","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"yara_events","description":"Track YARA matches for files specified in configuration data.","platforms":["darwin","linux","windows"],"columns":[{"name":"target_path","description":"The path scanned","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"matches","description":"List of YARA 
matches","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of the scan","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","notes":"","hidden":true,"required":false,"index":false}]},{"name":"ycloud_instance_metadata","description":"Yandex.Cloud instance metadata.","platforms":["darwin","linux","windows"],"columns":[{"name":"instance_id","description":"Unique identifier for the VM","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"folder_id","description":"Folder identifier for the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"hostname","description":"Hostname of the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. 
Only available if supplied at instance launch time","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"serial_port_enabled","description":"Indicates if serial port is enabled for the VM","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"metadata_endpoint","description":"Endpoint used to fetch VM metadata","type":"text","notes":"","hidden":false,"required":false,"index":true}]},{"name":"yum_sources","description":"Current list of Yum repositories or software channels.","platforms":["linux"],"columns":[{"name":"name","description":"Repository name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"baseurl","description":"Repository base URL","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"mirrorlist","description":"Mirrorlist URL","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether the repository is used","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"gpgcheck","description":"Whether packages are GPG checked","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"gpgkey","description":"URL to GPG key","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"host_users","description":"Local user accounts (including domain accounts that have logged on locally (Windows)).","platforms":["darwin","linux","windows"],"columns":[{"name":"uid","description":"User ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"gid","description":"Group ID (unsigned)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"uid_signed","description":"User ID as int64 signed 
(Apple)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"Default group ID as int64 signed (Apple)","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional user description","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"directory","description":"User's home directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"shell","description":"User's configured default shell","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uuid","description":"User's UUID (Apple) or SID (Windows)","type":"text","notes":"","hidden":false,"required":false,"index":true},{"name":"type","description":"Whether the account is roaming (domain), local, or a system profile","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"host_groups","description":"Local system groups.","platforms":["darwin","linux","windows"],"columns":[{"name":"gid","description":"Unsigned int64 group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"gid_signed","description":"A signed int64 version of gid","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Canonical local group 
name","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"group_sid","description":"Unique group ID","type":"text","notes":"","hidden":true,"required":false,"index":true,"platforms":["windows","win32","cygwin"]},{"name":"comment","description":"Remarks or comments associated with the group","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]},{"name":"host_processes","description":"All running processes on the host system.","platforms":["darwin","linux","windows"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","notes":"","hidden":false,"required":false,"index":true},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executed binary","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Process current working directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"root","description":"Process virtual root directory","type":"text","notes":"","hidden":false,"required":false,"index":false},{"name":"uid","description":"Unsigned user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"gid","description":"Unsigned group 
ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"euid","description":"Unsigned effective user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"egid","description":"Unsigned effective group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"suid","description":"Unsigned saved user ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Unsigned saved group ID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"on_disk","description":"The process path exists yes=1, no=0, unknown=-1","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"user_time","description":"CPU time in milliseconds spent in user space","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"system_time","description":"CPU time in milliseconds spent in kernel space","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_bytes_read","description":"Bytes read from disk","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"disk_bytes_written","description":"Bytes written to disk","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start time in seconds since Epoch, in case of error 
-1","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","notes":"","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","notes":"","hidden":false,"required":false,"index":false},{"name":"elevated_token","description":"Process uses elevated token yes=1, no=0","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"secure_process","description":"Process is secure (IUM) yes=1, no=0","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"protection_type","description":"The protection type of the process","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"virtual_process","description":"Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0","type":"integer","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"elapsed_time","description":"Elapsed time in seconds this process has been running.","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"handle_count","description":"Total number of handles that the process has open. 
This number is the sum of the handles currently opened by each thread in the process.","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"percent_processor_time","description":"Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.","type":"bigint","notes":"","hidden":true,"required":false,"index":false,"platforms":["windows","win32","cygwin"]},{"name":"upid","description":"A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"uppid","description":"The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"cpu_type","description":"Indicates the specific processor designed for installation.","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"cpu_subtype","description":"Indicates the specific processor on which an entry may be used.","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"translated","description":"Indicates whether the process is running under the Rosetta Translation Environment, yes=1, no=0, error=-1.","type":"integer","notes":"","hidden":false,"required":false,"index":false,"platforms":["darwin"]},{"name":"cgroup_path","description":"The full hierarchical path of the process's control group","type":"text","notes":"","hidden":true,"required":false,"index":false,"platforms":["linux"]}]}] \ No newline at end of file diff --git a/x-pack/plugins/osquery/public/editor/osquery_tables.ts b/x-pack/plugins/osquery/public/editor/osquery_tables.ts index fbbdcac1834c0..fbfa20dc39ede 100644 
--- a/x-pack/plugins/osquery/public/editor/osquery_tables.ts
+++ b/x-pack/plugins/osquery/public/editor/osquery_tables.ts
@@ -17,7 +17,7 @@ let osqueryTables: TablesJSON | null = null;
 export const getOsqueryTables = () => {
 if (!osqueryTables) {
 // eslint-disable-next-line @typescript-eslint/no-var-requires
- osqueryTables = normalizeTables(require('../common/schemas/osquery/v5.5.1.json'));
+ osqueryTables = normalizeTables(require('../common/schemas/osquery/v5.7.0.json'));
 }
 return osqueryTables;
diff --git a/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx b/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx
index fb25e145176b5..6b2f34e6d85db 100644
--- a/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx
+++ b/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx
@@ -48,8 +48,8 @@ import {
 convertECSMappingToArray,
 convertECSMappingToObject,
 } from '../../../common/schemas/common/utils';
-import ECSSchema from '../../common/schemas/ecs/v8.5.0.json';
-import osquerySchema from '../../common/schemas/osquery/v5.5.1.json';
+import ECSSchema from '../../common/schemas/ecs/v8.7.0.json';
+import osquerySchema from '../../common/schemas/osquery/v5.7.0.json';
 import { FieldIcon } from '../../common/lib/kibana';
 import { OsqueryIcon } from '../../components/osquery_icon';
diff --git a/x-pack/plugins/osquery/scripts/schema_formatter/ecs_formatter.ts b/x-pack/plugins/osquery/scripts/schema_formatter/ecs_formatter.ts
index 553c4e9de10fd..9edc37cc38c9f 100644
--- a/x-pack/plugins/osquery/scripts/schema_formatter/ecs_formatter.ts
+++ b/x-pack/plugins/osquery/scripts/schema_formatter/ecs_formatter.ts
@@ -40,12 +40,19 @@ const RESTRICTED_FIELDS = [ run( async ({ flags }) => { - const schemaPath = path.resolve(`./public/common/schemas/ecs/`); + const schemaPath = path.resolve(`../../public/common/schemas/ecs/`); const schemaFile = path.join(schemaPath, flags.schema_version as string); const schemaData = await require(schemaFile); + const transformToLowerCase = (obj: Record) => + Object.fromEntries(Object.entries(obj).map(([key, val]) => [key.toLowerCase(), val])); + + const schemaDataWithLowerCaseFieldNames = schemaData.map((obj: Record) => + transformToLowerCase(obj) + ); + const filteredSchemaData = filter( - schemaData, + schemaDataWithLowerCaseFieldNames, (field) => !RESTRICTED_FIELDS.includes(field.field) ); const formattedSchema = map(filteredSchemaData, partialRight(pick, ECS_COLUMN_SCHEMA_FIELDS)); From 585d3f05285257ace03be84a9d555168cb6742fe Mon Sep 17 00:00:00 2001 
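Review bot: The new `schemaPath` line still resolves a relative path against the process working directory, so the script only finds the schema when launched from one particular directory; the commit merely swaps which directory that is. The script already uses `require`, so `__dirname` is available, and the chosen segment `../../public/common/schemas/ecs/` is exactly the path from `scripts/schema_formatter/` to `public/`, which means `const schemaPath = path.resolve(__dirname, '../../public/common/schemas/ecs/');` would work from any cwd. The added `transformToLowerCase` lowercases every top-level key of each schema row before `RESTRICTED_FIELDS` is matched against `field.field`; a one-line comment on why key casing differs between schema versions (presumably the reason this was added) would save the next reader a guess. The surrounding `run(` callback continues past the end of the hunk.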
From: Xavier Mouligneau Date: Tue, 7 Feb 2023 08:17:18 -0500 Subject: [PATCH 16/27] [RAM] Add integrated snooze component for security solution (#149752) ## Summary We wanted to avoid duplicating code, so we created a more integrated component with an API to snooze a rule. We also added the snooze information to the task runner so that security folks can manage their legacy actions during rule execution; it will look like this: ```ts import { isRuleSnoozed } from '@kbn/alerting-plugin/server'; if (actions.length && !isRuleSnoozed(options.rule)) { ... } ``` One way to integrate this new component in an EuiBasicTable: ``` { id: 'ruleSnoozeNotify', name: ( {i18n.COLUMN_NOTIFY}   ), width: '14%', 'data-test-subj': 'rulesTableCell-rulesListNotify', render: (rule: Rule) => { return triggersActionsUi.getRulesListNotifyBadge({ rule: { id: rule.id, muteAll: rule.mute_all ?? false, activeSnoozes: rule.active_snoozes, isSnoozedUntil: rule.is_snoozed_until ? new Date(rule.is_snoozed_until) : null, snoozeSchedule: rule?.snooze_schedule ?? 
[], isEditable: hasCRUDPermissions, }, isLoading: loadingRuleIds.includes(rule.id) || isLoading, onRuleChanged: reFetchRules, }); }, } ``` I think Security solution folks might want/need to create a new io-ts schema for `snooze_schedule` something like that should work: ```ts import { IsoDateString } from '@kbn/securitysolution-io-ts-types'; import * as t from 'io-ts'; const RRuleRecord = t.intersection([ t.type({ dtstart: IsoDateString, tzid: t.string, }), t.partial({ freq: t.union([ t.literal(0), t.literal(1), t.literal(2), t.literal(3), t.literal(4), t.literal(5), t.literal(6), ]), until: t.string, count: t.number, interval: t.number, wkst: t.union([ t.literal('MO'), t.literal('TU'), t.literal('WE'), t.literal('TH'), t.literal('FR'), t.literal('SA'), t.literal('SU'), ]), byweekday: t.array(t.union([t.string, t.number])), bymonth: t.array(t.number), bysetpos: t.array(t.number), bymonthday: t.array(t.number), byyearday: t.array(t.number), byweekno: t.array(t.number), byhour: t.array(t.number), byminute: t.array(t.number), bysecond: t.array(t.number), }), ]); export const RuleSnoozeSchedule = t.intersection([ t.type({ duration: t.number, rRule: RRuleRecord, }), t.partial({ id: t.string, skipRecurrences: t.array(t.string), }), ]); ``` ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../rules_list_notify_badge_sandbox.tsx | 22 +-- x-pack/plugins/alerting/common/rule.ts | 2 + .../server/task_runner/task_runner.ts | 4 + .../metric_threshold_executor.test.ts | 2 + .../utils/create_lifecycle_rule_type.test.ts | 2 + .../utils/rule_executor.test_helpers.ts | 2 + ...gacy_rules_notification_alert_type.test.ts | 2 + .../rule_preview/api/preview_rules/route.ts | 2 + .../rule_schema/model/rule_schemas.mock.ts | 2 + .../rule_types/es_query/rule_type.test.ts | 2 
+ .../index_threshold/rule_type.test.ts | 8 + .../public/application/sections/index.tsx | 4 +- .../components/rule_status_panel.tsx | 3 +- .../components/collapsed_item_actions.tsx | 2 +- .../components/notify_badge/helpers.tsx | 28 ++++ .../components/notify_badge/index.tsx | 18 +++ .../notify_badge.test.tsx} | 6 +- .../notify_badge.tsx} | 84 ++--------- .../notify_badge_with_api.stories.tsx | 137 ++++++++++++++++++ .../notify_badge/notify_badge_with_api.tsx | 88 +++++++++++ .../components/notify_badge/translations.tsx | 34 +++++ .../components/notify_badge/types.ts | 31 ++++ .../components/rule_snooze_modal.tsx | 2 +- .../components/rules_list_table.tsx | 2 +- .../common/get_rules_list_notify_badge.tsx | 8 +- .../triggers_actions_ui/public/plugin.ts | 8 +- .../triggers_actions_ui/public/types.ts | 5 +- .../group2/tests/alerting/alerts.ts | 94 +++++------- .../group2/tests/alerting/index.ts | 28 ++-- .../tests/alerting/group1/alerts_base.ts | 2 + 30 files changed, 460 insertions(+), 174 deletions(-) create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/helpers.tsx create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/index.tsx rename x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/{rules_list_notify_badge.test.tsx => notify_badge/notify_badge.test.tsx} (96%) rename x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/{rules_list_notify_badge.tsx => notify_badge/notify_badge.tsx} (76%) create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge_with_api.stories.tsx create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge_with_api.tsx create mode 100644 
x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/translations.tsx
create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/types.ts
diff --git a/x-pack/examples/triggers_actions_ui_example/public/components/rules_list_notify_badge_sandbox.tsx b/x-pack/examples/triggers_actions_ui_example/public/components/rules_list_notify_badge_sandbox.tsx
index 86f929853dc8a..47b08acd88e31 100644
--- a/x-pack/examples/triggers_actions_ui_example/public/components/rules_list_notify_badge_sandbox.tsx
+++ b/x-pack/examples/triggers_actions_ui_example/public/components/rules_list_notify_badge_sandbox.tsx
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import React, { useState } from 'react';
+import React from 'react';
 import {
 TriggersAndActionsUIPublicPluginStart,
 RuleTableItem,
@@ -48,22 +48,14 @@ const mockRule: RuleTableItem = {
 };
 export const RulesListNotifyBadgeSandbox = ({ triggersActionsUi }: SandboxProps) => {
- const [isOpen, setIsOpen] = useState(false);
- const [isLoading, setIsLoading] = useState(false);
-
+ const RulesListNotifyBadge = triggersActionsUi.getRulesListNotifyBadge;
 return (
- {triggersActionsUi.getRulesListNotifyBadge({ - rule: mockRule, - isOpen, - isLoading, - onClick: () => setIsOpen(!isOpen), - onClose: () => setIsOpen(false), - onLoading: setIsLoading, - onRuleChanged: () => Promise.resolve(), - snoozeRule: () => Promise.resolve(), - unsnoozeRule: () => Promise.resolve(), - })} + Promise.resolve()} + />
 );
 };
diff --git a/x-pack/plugins/alerting/common/rule.ts b/x-pack/plugins/alerting/common/rule.ts
index 3bfddd79af10d..162778c8f5826 100644
--- a/x-pack/plugins/alerting/common/rule.ts
+++ b/x-pack/plugins/alerting/common/rule.ts
@@ -161,6 +161,8 @@ export type SanitizedRuleConfig = Pick<
 | 'updatedAt'
 | 'throttle'
 | 'notifyWhen'
+ | 'muteAll'
+ | 'snoozeSchedule'
 > & {
 producer: string;
 ruleTypeId: string;
diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts
index 808fe89baa7c8..489b633569333 100644
--- a/x-pack/plugins/alerting/server/task_runner/task_runner.ts
+++ b/x-pack/plugins/alerting/server/task_runner/task_runner.ts
@@ -257,6 +257,8 @@ export class TaskRunner<
 updatedAt,
 enabled,
 actions,
+ muteAll,
+ snoozeSchedule,
 } = rule;
 const {
 params: { alertId: ruleId, spaceId },
@@ -373,6 +375,8 @@ export class TaskRunner<
 updatedAt,
 throttle,
 notifyWhen,
+ muteAll,
+ snoozeSchedule,
 },
 logger: this.logger,
 flappingSettings,
diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts
index 85059a2ee6233..a94521c22bde4 100644
--- a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts
+++ b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts
@@ -115,6 +115,8 @@ const mockOptions = {
 producer: '',
 ruleTypeId: '',
 ruleTypeName: '',
+ muteAll: false,
+ snoozeSchedule: [],
 },
 logger,
 flappingSettings: DEFAULT_FLAPPING_SETTINGS,
diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
index 92cbdb35240b5..7b312ccf5cef2 100644
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
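Review bot: Adding `'muteAll'` and `'snoozeSchedule'` to the `SanitizedRuleConfig` Pick in `rule.ts` makes both fields required on the `rule` object every rule-type executor receives, which is why the test mocks and the preview route elsewhere in this commit all gain `muteAll: false, snoozeSchedule: []`; any rule type maintained outside this repository that builds a `SanitizedRuleConfig` will fail to compile until it does the same. If that is the intended contract, a comment on the new union members would record it, e.g. `| 'muteAll' // exposed so executors can check isRuleSnoozed() before dispatching legacy actions`, matching the server helper the description points at. The two `task_runner.ts` hunks only thread the same two fields from `rule` through to the executor call and look consistent with that. Each hunk is complete, but the `TaskRunner` method they belong to extends beyond them on both sides.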
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
@@ -111,6 +111,7 @@ function createRule(shouldWriteAlerts: boolean = true) {
 createdAt,
 createdBy: 'createdBy',
 enabled: true,
+ muteAll: false,
 name: 'name',
 notifyWhen: 'onActionGroupChange',
 producer: 'producer',
@@ -119,6 +120,7 @@ function createRule(shouldWriteAlerts: boolean = true) {
 schedule: {
 interval: '1m',
 },
+ snoozeSchedule: [],
 tags: ['tags'],
 throttle: null,
 updatedAt: createdAt,
diff --git a/x-pack/plugins/rule_registry/server/utils/rule_executor.test_helpers.ts b/x-pack/plugins/rule_registry/server/utils/rule_executor.test_helpers.ts
index f2416b0cba677..d175852ef4eea 100644
--- a/x-pack/plugins/rule_registry/server/utils/rule_executor.test_helpers.ts
+++ b/x-pack/plugins/rule_registry/server/utils/rule_executor.test_helpers.ts
@@ -68,6 +68,8 @@ export const createDefaultAlertExecutorOptions = <
 notifyWhen: null,
 ruleTypeId: 'RULE_TYPE_ID',
 ruleTypeName: 'RULE_TYPE_NAME',
+ muteAll: false,
+ snoozeSchedule: [],
 },
 params,
 spaceId: 'SPACE_ID',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/legacy_rules_notification_alert_type.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/legacy_rules_notification_alert_type.test.ts
index de04cac5f1fee..ef6b05474ff47 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/legacy_rules_notification_alert_type.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/legacy_rules_notification_alert_type.test.ts
@@ -66,6 +66,8 @@ describe('legacyRules_notification_alert_type', () => {
 updatedAt: new Date('2019-12-14T16:40:33.400Z'),
 throttle: null,
 notifyWhen: null,
+ muteAll: false,
+ snoozeSchedule: [],
 },
 logger,
 flappingSettings: DEFAULT_FLAPPING_SETTINGS,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
index 6491aeb96f5d3..35c328a68f733 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
@@ -225,6 +225,8 @@ export const previewRulesRoute = async (
 ruleTypeName,
 updatedAt: new Date(),
 updatedBy: username ?? 'preview-updated-by',
+ muteAll: false,
+ snoozeSchedule: [],
 };
 let invocationStartTime;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts
index 3dcc8b0389cc9..86966e8193158 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts
@@ -215,6 +215,8 @@ export const getRuleConfigMock = (type: string = 'rule-type'): SanitizedRuleConf
 producer: 'sample producer',
 ruleTypeId: `${type}-id`,
 ruleTypeName: type,
+ muteAll: false,
+ snoozeSchedule: [],
 });
 export const getCompleteRuleMock = (params: T): CompleteRule => ({
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts
index 825870a0a30c7..cc6c4414777ea 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts
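Review bot: `preview_rules/route.ts` now hard-codes `muteAll: false` and `snoozeSchedule: []` on the config handed to the executor, so a preview never reflects the rule's real snooze state — harmless if previews dispatch no actions, but in production code the two constants read like a test stub. A comment next to them would make the choice deliberate, e.g. `// Previews run unsnoozed; the preview executor does not dispatch actions.`, with the second clause checked against the preview executor before it is committed. The enclosing `previewRulesRoute` handler starts and ends outside the hunk.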
@@ -725,6 +725,8 @@ async function invokeExecutor({
 updatedAt: new Date(),
 throttle: null,
 notifyWhen: null,
+ muteAll: false,
+ snoozeSchedule: [],
 },
 logger,
 flappingSettings: DEFAULT_FLAPPING_SETTINGS,
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/index_threshold/rule_type.test.ts b/x-pack/plugins/stack_alerts/server/rule_types/index_threshold/rule_type.test.ts
index c4e9078c90c28..3875f52dbfe52 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/index_threshold/rule_type.test.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/index_threshold/rule_type.test.ts
@@ -216,6 +216,8 @@ describe('ruleType', () => {
 updatedAt: new Date(),
 throttle: null,
 notifyWhen: null,
+ muteAll: false,
+ snoozeSchedule: [],
 },
 logger,
 flappingSettings: DEFAULT_FLAPPING_SETTINGS,
@@ -280,6 +282,8 @@ describe('ruleType', () => {
 updatedAt: new Date(),
 throttle: null,
 notifyWhen: null,
+ muteAll: false,
+ snoozeSchedule: [],
 },
 logger,
 flappingSettings: DEFAULT_FLAPPING_SETTINGS,
@@ -344,6 +348,8 @@ describe('ruleType', () => {
 updatedAt: new Date(),
 throttle: null,
 notifyWhen: null,
+ muteAll: false,
+ snoozeSchedule: [],
 },
 logger,
 flappingSettings: DEFAULT_FLAPPING_SETTINGS,
@@ -407,6 +413,8 @@ describe('ruleType', () => {
 updatedAt: new Date(),
 throttle: null,
 notifyWhen: null,
+ muteAll: false,
+ snoozeSchedule: [],
 },
 logger,
 flappingSettings: DEFAULT_FLAPPING_SETTINGS,
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/index.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/index.tsx
index ea459a50c00ed..95ac26d587351 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/index.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/index.tsx
@@ -46,8 +46,8 @@ export const RuleEventLogList = suspendedComponentWithProps( export const RulesList = suspendedComponentWithProps( lazy(() => import('./rules_list/components/rules_list')) ); -export const RulesListNotifyBadge = suspendedComponentWithProps( - lazy(() => import('./rules_list/components/rules_list_notify_badge')) +export const RulesListNotifyBadgeWithApi = suspendedComponentWithProps( + lazy(() => import('./rules_list/components/notify_badge')) ); export const RuleSnoozeModal = suspendedComponentWithProps( lazy(() => import('./rules_list/components/rule_snooze_modal')) diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_status_panel.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_status_panel.tsx index 126f371ab121a..ae5e4251b87e2 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_status_panel.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_status_panel.tsx @@ -21,11 +21,12 @@ import { EuiTitle, EuiHorizontalRule, } from '@elastic/eui'; -import { RuleStatusDropdown, RulesListNotifyBadge } from '../..'; +import { RuleStatusDropdown } from '../..'; import { ComponentOpts as RuleApis, withBulkRuleOperations, } from '../../common/components/with_bulk_rule_api_operations'; +import { RulesListNotifyBadge } from '../../rules_list/components/notify_badge'; export interface RuleStatusPanelProps { rule: any; diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/collapsed_item_actions.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/collapsed_item_actions.tsx index 6eeb0100ae801..ba36bea2eac9d 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/collapsed_item_actions.tsx 
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/collapsed_item_actions.tsx @@ -33,7 +33,7 @@ import { SNOOZE_FAILED_MESSAGE, SNOOZE_SUCCESS_MESSAGE, UNSNOOZE_SUCCESS_MESSAGE, -} from './rules_list_notify_badge'; +} from './notify_badge'; export type ComponentOpts = { item: RuleTableItem; diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/helpers.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/helpers.tsx new file mode 100644 index 0000000000000..e307ba6dd4475 --- /dev/null +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/helpers.tsx @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { RuleSnooze, RuleSnoozeSchedule } from '@kbn/alerting-plugin/common'; +import moment from 'moment'; + +export const isRuleSnoozed = (rule: { isSnoozedUntil?: Date | null; muteAll: boolean }) => + Boolean( + (rule.isSnoozedUntil && new Date(rule.isSnoozedUntil).getTime() > Date.now()) || rule.muteAll + ); + +export const getNextRuleSnoozeSchedule = (rule: { snoozeSchedule?: RuleSnooze }) => { + if (!rule.snoozeSchedule) return null; + // Disregard any snoozes without ids; these are non-scheduled snoozes + const explicitlyScheduledSnoozes = rule.snoozeSchedule.filter((s) => Boolean(s.id)); + if (explicitlyScheduledSnoozes.length === 0) return null; + const nextSchedule = explicitlyScheduledSnoozes.reduce( + (a: RuleSnoozeSchedule, b: RuleSnoozeSchedule) => { + if (moment(b.rRule.dtstart).isBefore(moment(a.rRule.dtstart))) return b; + return a; + } + ); + return nextSchedule; +}; 
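Review bot: `isRuleSnoozed` in this new helpers module duplicates the helper that `notify_badge.tsx` previously imported from `'../../../lib'` (that import is removed in the notify_badge hunk below); unless the lib copy is deleted elsewhere in the commit, the two will drift, and the snooze check should have a single owner — either re-export the lib one from here or delete it there. Both exports are also undocumented, and the `reduce` without an initial value is only safe because of the preceding length check, which deserves a word. Suggested header for `getNextRuleSnoozeSchedule`: `/** Returns the explicitly scheduled snooze (one with an id) whose rRule.dtstart is earliest, or null when the rule has no scheduled snoozes; ad-hoc snoozes without ids are ignored. */`, and for `isRuleSnoozed`: `/** True when the rule is muted outright or its isSnoozedUntil lies in the future. */`.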
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/index.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/index.tsx new file mode 100644 index 0000000000000..36962b35e999e --- /dev/null +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/index.tsx @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { RulesListNotifyBadgeWithApi } from './notify_badge_with_api'; +export { RulesListNotifyBadge } from './notify_badge'; +export type { RulesListNotifyBadgePropsWithApi } from './types'; +export { + SNOOZE_SUCCESS_MESSAGE, + UNSNOOZE_SUCCESS_MESSAGE, + SNOOZE_FAILED_MESSAGE, +} from './translations'; + +// eslint-disable-next-line import/no-default-export +export { RulesListNotifyBadgeWithApi as default }; diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_notify_badge.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge.test.tsx similarity index 96% rename from x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_notify_badge.test.tsx rename to x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge.test.tsx index ca22f042ca329..84c39f38136e9 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_notify_badge.test.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge.test.tsx 
@@ -10,11 +10,11 @@ import React from 'react'; import { act } from 'react-dom/test-utils'; import moment from 'moment'; -import { RuleTableItem } from '../../../../types'; +import { RuleTableItem } from '../../../../../types'; import { mountWithIntl } from '@kbn/test-jest-helpers'; -import { RulesListNotifyBadge } from './rules_list_notify_badge'; +import { RulesListNotifyBadge } from './notify_badge'; -jest.mock('../../../../common/lib/kibana'); +jest.mock('../../../../../common/lib/kibana'); const onClick = jest.fn(); const onClose = jest.fn(); diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_notify_badge.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge.tsx similarity index 76% rename from x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_notify_badge.tsx rename to x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge.tsx index ee864a2667c3f..92b8820775891 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_notify_badge.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge.tsx 
@@ -17,67 +17,18 @@ import { EuiFlexItem, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { RuleSnooze, RuleSnoozeSchedule } from '@kbn/alerting-plugin/common'; -import { i18nAbbrMonthDayDate, i18nMonthDayDate } from '../../../lib/i18n_month_day_date'; -import { RuleTableItem, SnoozeSchedule } from '../../../../types'; -import { SnoozePanel, futureTimeToInterval } from './rule_snooze'; -import { useKibana } from '../../../../common/lib/kibana'; -import { isRuleSnoozed } from '../../../lib'; - -export const SNOOZE_SUCCESS_MESSAGE = i18n.translate( - 'xpack.triggersActionsUI.sections.rulesList.rulesListSnoozePanel.snoozeSuccess', - { - defaultMessage: 'Rule successfully snoozed', - } -); - -export const UNSNOOZE_SUCCESS_MESSAGE = i18n.translate( - 'xpack.triggersActionsUI.sections.rulesList.rulesListSnoozePanel.unsnoozeSuccess', - { - defaultMessage: 'Rule successfully unsnoozed', - } -); - -export const SNOOZE_FAILED_MESSAGE = i18n.translate( - 'xpack.triggersActionsUI.sections.rulesList.rulesListSnoozePanel.snoozeFailed', - { - defaultMessage: 'Unable to change rule snooze settings', - } -); - -export interface RulesListNotifyBadgeProps { - rule: RuleTableItem; - isOpen: boolean; - isLoading: boolean; - previousSnoozeInterval?: string | null; - onClick: React.MouseEventHandler; - onClose: () => void; - onLoading: (isLoading: boolean) => void; - onRuleChanged: () => void; - snoozeRule: (schedule: SnoozeSchedule, muteAll?: boolean) => Promise; - unsnoozeRule: (scheduleIds?: string[]) => Promise; - showTooltipInline?: boolean; - showOnHover?: boolean; -} - -const openSnoozePanelAriaLabel = i18n.translate( - 'xpack.triggersActionsUI.sections.rulesList.rulesListNotifyBadge.openSnoozePanel', - { defaultMessage: 'Open snooze panel' } -); - -const getNextRuleSnoozeSchedule = (rule: { snoozeSchedule?: RuleSnooze }) => { - if (!rule.snoozeSchedule) return null; - // Disregard any snoozes without ids; these are non-scheduled snoozes - const 
explicitlyScheduledSnoozes = rule.snoozeSchedule.filter((s) => Boolean(s.id)); - if (explicitlyScheduledSnoozes.length === 0) return null; - const nextSchedule = explicitlyScheduledSnoozes.reduce( - (a: RuleSnoozeSchedule, b: RuleSnoozeSchedule) => { - if (moment(b.rRule.dtstart).isBefore(moment(a.rRule.dtstart))) return b; - return a; - } - ); - return nextSchedule; -}; +import { useKibana } from '../../../../../common/lib/kibana'; +import { SnoozeSchedule } from '../../../../../types'; +import { i18nAbbrMonthDayDate, i18nMonthDayDate } from '../../../../lib/i18n_month_day_date'; +import { SnoozePanel, futureTimeToInterval } from '../rule_snooze'; +import { getNextRuleSnoozeSchedule, isRuleSnoozed } from './helpers'; +import { + OPEN_SNOOZE_PANEL_ARIA_LABEL, + SNOOZE_FAILED_MESSAGE, + SNOOZE_SUCCESS_MESSAGE, + UNSNOOZE_SUCCESS_MESSAGE, +} from './translations'; +import { RulesListNotifyBadgeProps } from './types'; export const RulesListNotifyBadge: React.FunctionComponent = (props) => { const { @@ -175,7 +126,7 @@ export const RulesListNotifyBadge: React.FunctionComponent {formattedSnoozeText} 
@@ -217,7 +168,7 @@ export const RulesListNotifyBadge: React.FunctionComponent action('onRuleChanged')(args), + }, +} as Meta; + +const Template: Story = (args) => { + return ; +}; + +export const DefaultRuleNotifyBadgeWithApi = Template.bind({}); + +const IndefinitelyDate = new Date(); +IndefinitelyDate.setDate(IndefinitelyDate.getDate() + 1); +export const IndefinitelyRuleNotifyBadgeWithApi = Template.bind({}); +IndefinitelyRuleNotifyBadgeWithApi.args = { + rule: { + ...rule, + muteAll: true, + isSnoozedUntil: IndefinitelyDate, + }, +}; + +export const ActiveSnoozesRuleNotifyBadgeWithApi = Template.bind({}); +const ActiveSnoozeDate = new Date(); +ActiveSnoozeDate.setDate(ActiveSnoozeDate.getDate() + 2); +ActiveSnoozesRuleNotifyBadgeWithApi.args = { + rule: { + ...rule, + activeSnoozes: ['24da3b26-bfa5-4317-b72f-4063dbea618e'], + isSnoozedUntil: ActiveSnoozeDate, + snoozeSchedule: [ + { + duration: 172800000, + rRule: { + tzid: 'America/New_York', + count: 1, + dtstart: ActiveSnoozeDate.toISOString(), + }, + id: '24da3b26-bfa5-4317-b72f-4063dbea618e', + }, + ], + }, +}; + +const SnoozeDate = new Date(); +export const ScheduleSnoozesRuleNotifyBadgeWithApi: Story = ( + args +) => { + return ( +
+ Open popover to see the next snoozes scheduled + +
+ ); +}; + +ScheduleSnoozesRuleNotifyBadgeWithApi.args = { + rule: { + ...rule, + snoozeSchedule: [ + { + duration: 172800000, + rRule: { + tzid: 'America/New_York', + count: 1, + dtstart: new Date(SnoozeDate.setDate(SnoozeDate.getDate() + 2)).toISOString(), + }, + id: '24da3b26-bfa5-4317-b72f-4063dbea618e', + }, + { + duration: 172800000, + rRule: { + tzid: 'America/New_York', + count: 1, + dtstart: new Date(SnoozeDate.setDate(SnoozeDate.getDate() + 2)).toISOString(), + }, + id: '24da3b26-bfa5-4317-b72f-4063dbea618e', + }, + ], + }, +}; diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge_with_api.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge_with_api.tsx new file mode 100644 index 0000000000000..f64412369af21 --- /dev/null +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/notify_badge_with_api.tsx 
@@ -0,0 +1,88 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useCallback, useState } from 'react'; +import { useKibana } from '../../../../../common/lib/kibana'; +import { SnoozeSchedule } from '../../../../../types'; +import { + loadRule, + snoozeRule as snoozeRuleApi, + unsnoozeRule as unsnoozeRuleApi, +} from '../../../../lib/rule_api'; +import { RulesListNotifyBadge } from './notify_badge'; +import { RulesListNotifyBadgePropsWithApi } from './types'; + +export const RulesListNotifyBadgeWithApi: React.FunctionComponent< + RulesListNotifyBadgePropsWithApi +> = (props) => { + const { onRuleChanged, rule, isLoading, showTooltipInline, showOnHover } = props; + const { http } = useKibana().services; + const [currentlyOpenNotify, setCurrentlyOpenNotify] = useState(); + const [loadingSnoozeAction, setLoadingSnoozeAction] = useState(false); + const [ruleSnoozeInfo, setRuleSnoozeInfo] = + useState(rule); + + const onSnoozeRule = useCallback( + (snoozeSchedule: SnoozeSchedule) => { + return snoozeRuleApi({ http, id: ruleSnoozeInfo.id, snoozeSchedule }); + }, + [http, ruleSnoozeInfo.id] + ); + + const onUnsnoozeRule = useCallback( + (scheduleIds?: string[]) => { + return unsnoozeRuleApi({ http, id: ruleSnoozeInfo.id, scheduleIds }); + }, + [http, ruleSnoozeInfo.id] + ); + + const onRuleChangedCallback = useCallback(async () => { + const updatedRule = await loadRule({ + http, + ruleId: ruleSnoozeInfo.id, + }); + setLoadingSnoozeAction(false); + setRuleSnoozeInfo((prevRule) => ({ + ...prevRule, + activeSnoozes: updatedRule.activeSnoozes, + isSnoozedUntil: updatedRule.isSnoozedUntil, + muteAll: updatedRule.muteAll, + snoozeSchedule: updatedRule.snoozeSchedule, + })); + onRuleChanged(); + }, [http, ruleSnoozeInfo.id, onRuleChanged]); + + const 
openSnooze = useCallback(() => { + setCurrentlyOpenNotify(props.rule.id); + }, [props.rule.id]); + + const closeSnooze = useCallback(() => { + setCurrentlyOpenNotify(''); + }, []); + + const onLoading = useCallback((value: boolean) => { + if (value) { + setLoadingSnoozeAction(value); + } + }, []); + + return ( + + ); +}; diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/translations.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/translations.tsx new file mode 100644 index 0000000000000..9b6a0f74ab461 --- /dev/null +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/translations.tsx @@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; + +export const SNOOZE_SUCCESS_MESSAGE = i18n.translate( + 'xpack.triggersActionsUI.sections.rulesList.rulesListSnoozePanel.snoozeSuccess', + { + defaultMessage: 'Rule successfully snoozed', + } +); + +export const UNSNOOZE_SUCCESS_MESSAGE = i18n.translate( + 'xpack.triggersActionsUI.sections.rulesList.rulesListSnoozePanel.unsnoozeSuccess', + { + defaultMessage: 'Rule successfully unsnoozed', + } +); + +export const SNOOZE_FAILED_MESSAGE = i18n.translate( + 'xpack.triggersActionsUI.sections.rulesList.rulesListSnoozePanel.snoozeFailed', + { + defaultMessage: 'Unable to change rule snooze settings', + } +); + +export const OPEN_SNOOZE_PANEL_ARIA_LABEL = i18n.translate( + 'xpack.triggersActionsUI.sections.rulesList.rulesListNotifyBadge.openSnoozePanel', + { defaultMessage: 'Open snooze panel' } +); 
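Review bot: `onRuleChangedCallback` only clears `loadingSnoozeAction` after `loadRule` resolves, and `onLoading` deliberately ignores `false`, so if `loadRule` rejects (or the child reports a failed snooze call through `onLoading(false)`) the badge is left in the loading state and the rejection escapes the async callback unhandled. Moving the reset into a `finally` keeps the spinner bounded by the reload whatever its outcome. Separately, `openSnooze` keys on `props.rule.id` while the API callbacks use `ruleSnoozeInfo.id`; both are seeded from the same prop, so this is stylistic, but one source of truth would be clearer. `ruleSnoozeInfo` is initialised from `rule` once via `useState`, so later changes to the `rule` prop presumably are not reflected — worth confirming against the callers.
```typescript
  const onRuleChangedCallback = useCallback(async () => {
    try {
      const updatedRule = await loadRule({ http, ruleId: ruleSnoozeInfo.id });
      // … unchanged: setRuleSnoozeInfo(...) merge of the reloaded snooze fields …
      onRuleChanged();
    } finally {
      // Clear the flag on success and failure alike; onLoading only ever sets it.
      setLoadingSnoozeAction(false);
    }
  }, [http, ruleSnoozeInfo.id, onRuleChanged]);
```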
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/types.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/types.ts new file mode 100644 index 0000000000000..b93e4d0d4677f --- /dev/null +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/notify_badge/types.ts @@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { RuleTableItem, SnoozeSchedule } from '../../../../../types'; + +export interface RulesListNotifyBadgeProps { + rule: Pick< + RuleTableItem, + 'id' | 'activeSnoozes' | 'isSnoozedUntil' | 'muteAll' | 'isEditable' | 'snoozeSchedule' + >; + isOpen: boolean; + isLoading: boolean; + previousSnoozeInterval?: string | null; + onClick: React.MouseEventHandler; + onClose: () => void; + onLoading: (isLoading: boolean) => void; + onRuleChanged: () => void; + snoozeRule: (schedule: SnoozeSchedule, muteAll?: boolean) => Promise; + unsnoozeRule: (scheduleIds?: string[]) => Promise; + showTooltipInline?: boolean; + showOnHover?: boolean; +} + +export type RulesListNotifyBadgePropsWithApi = Pick< + RulesListNotifyBadgeProps, + 'rule' | 'isLoading' | 'onRuleChanged' | 'showOnHover' | 'showTooltipInline' +>; diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rule_snooze_modal.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rule_snooze_modal.tsx index c4624e7ea8e61..5d9b13eaded68 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rule_snooze_modal.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rule_snooze_modal.tsx 
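Review bot: `RulesListNotifyBadgeProps.onClick` is typed as `React.MouseEventHandler` but this module never imports `React`, so in a `.ts` module file it resolves only through the UMD global namespace from `@types/react` (presumably permitted by the project's tsconfig, but fragile in a type-only file). Prefer an explicit `import type { MouseEventHandler } from 'react';` and `onClick: MouseEventHandler;`. The callback props would also benefit from a short TSDoc line each — in particular `onLoading`, whose contract (who sets and who clears the loading state) is not obvious from the signature; e.g. `/** Reports the badge's in-flight snooze/unsnooze state to the owner. */`.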
@@ -14,7 +14,7 @@ import { SNOOZE_FAILED_MESSAGE, SNOOZE_SUCCESS_MESSAGE, UNSNOOZE_SUCCESS_MESSAGE, -} from './rules_list_notify_badge'; +} from './notify_badge'; import { SnoozePanel, futureTimeToInterval } from './rule_snooze'; import { Rule, RuleTypeParams, SnoozeSchedule } from '../../../../types'; diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_table.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_table.tsx index 65eef52e45575..ad0ef22c812c5 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_table.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list_table.tsx @@ -60,7 +60,7 @@ import { getFormattedSuccessRatio } from '../../../lib/monitoring_utils'; import { hasAllPrivilege } from '../../../lib/capabilities'; import { RuleTagBadge } from './rule_tag_badge'; import { RuleStatusDropdown } from './rule_status_dropdown'; -import { RulesListNotifyBadge } from './rules_list_notify_badge'; +import { RulesListNotifyBadge } from './notify_badge'; import { RulesListTableStatusCell } from './rules_list_table_status_cell'; import { getIsExperimentalFeatureEnabled } from '../../../../common/get_experimental_features'; import { RulesListColumns, useRulesListColumnSelector } from './rules_list_column_selector'; diff --git a/x-pack/plugins/triggers_actions_ui/public/common/get_rules_list_notify_badge.tsx b/x-pack/plugins/triggers_actions_ui/public/common/get_rules_list_notify_badge.tsx index 31eea83e368de..5ab9318a307bb 100644 --- a/x-pack/plugins/triggers_actions_ui/public/common/get_rules_list_notify_badge.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/common/get_rules_list_notify_badge.tsx 
@@ -6,9 +6,9 @@ */ import React from 'react'; -import { RulesListNotifyBadge } from '../application/sections'; -import type { RulesListNotifyBadgeProps } from '../application/sections/rules_list/components/rules_list_notify_badge'; +import { RulesListNotifyBadgeWithApi } from '../application/sections'; +import type { RulesListNotifyBadgePropsWithApi } from '../application/sections/rules_list/components/notify_badge'; -export const getRulesListNotifyBadgeLazy = (props: RulesListNotifyBadgeProps) => { - return ; +export const getRulesListNotifyBadgeLazy = (props: RulesListNotifyBadgePropsWithApi) => { + return ; }; diff --git a/x-pack/plugins/triggers_actions_ui/public/plugin.ts b/x-pack/plugins/triggers_actions_ui/public/plugin.ts index bc15b85a28ec1..514de57900cc3 100644 --- a/x-pack/plugins/triggers_actions_ui/public/plugin.ts +++ b/x-pack/plugins/triggers_actions_ui/public/plugin.ts @@ -62,7 +62,7 @@ import type { RuleEventLogListProps, RuleEventLogListOptions, RulesListProps, - RulesListNotifyBadgeProps, + RulesListNotifyBadgePropsWithApi, AlertsTableConfigurationRegistry, CreateConnectorFlyoutProps, EditConnectorFlyoutProps, @@ -125,8 +125,8 @@ export interface TriggersAndActionsUIPublicPluginStart { ) => ReactElement>; getRulesList: (props: RulesListProps) => ReactElement; getRulesListNotifyBadge: ( - props: RulesListNotifyBadgeProps - ) => ReactElement; + props: RulesListNotifyBadgePropsWithApi + ) => ReactElement; getRuleDefinition: (props: RuleDefinitionProps) => ReactElement; getRuleStatusPanel: (props: RuleStatusPanelProps) => ReactElement; getAlertSummaryWidget: (props: AlertSummaryWidgetProps) => ReactElement; 
@@ -408,7 +408,7 @@ export class Plugin getRuleEventLogList: (props: RuleEventLogListProps) => { return getRuleEventLogListLazy(props); }, - getRulesListNotifyBadge: (props: RulesListNotifyBadgeProps) => { + getRulesListNotifyBadge: (props: RulesListNotifyBadgePropsWithApi) => { return getRulesListNotifyBadgeLazy(props); }, getRulesList: (props: RulesListProps) => { diff --git a/x-pack/plugins/triggers_actions_ui/public/types.ts b/x-pack/plugins/triggers_actions_ui/public/types.ts index b311ef1e8e390..b8157ee5af665 100644 --- a/x-pack/plugins/triggers_actions_ui/public/types.ts +++ b/x-pack/plugins/triggers_actions_ui/public/types.ts @@ -71,7 +71,6 @@ import type { import type { AlertSummaryTimeRange } from './application/sections/alert_summary_widget/types'; import type { CreateConnectorFlyoutProps } from './application/sections/action_connector_form/create_connector_flyout'; import type { EditConnectorFlyoutProps } from './application/sections/action_connector_form/edit_connector_flyout'; -import type { RulesListNotifyBadgeProps } from './application/sections/rules_list/components/rules_list_notify_badge'; import type { FieldBrowserOptions, CreateFieldComponent, @@ -81,6 +80,8 @@ import type { } from './application/sections/field_browser/types'; import { RulesListVisibleColumns } from './application/sections/rules_list/components/rules_list_column_selector'; import { TimelineItem } from './application/sections/alerts_table/bulk_actions/components/toolbar'; +import type { RulesListNotifyBadgePropsWithApi } from './application/sections/rules_list/components/notify_badge'; + // In Triggers and Actions we treat all `Alert`s as `SanitizedRule` // so the `Params` is a black-box of Record type SanitizedRule = Omit< @@ -122,7 +123,7 @@ export type { RulesListProps, CreateConnectorFlyoutProps, EditConnectorFlyoutProps, - RulesListNotifyBadgeProps, + RulesListNotifyBadgePropsWithApi, FieldBrowserProps, FieldBrowserOptions, CreateFieldComponent, 
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/alerts.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/alerts.ts index 2bd37598fe1b2..60e6daee3d51d 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/alerts.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/alerts.ts @@ -57,6 +57,38 @@ export default function alertTests({ getService }: FtrProviderContext) { let alertUtils: AlertUtils; let indexRecordActionId: string; + const getAlertInfo = (alertId: string, actions: any) => ({ + id: alertId, + consumer: 'alertsFixture', + spaceId: space.id, + namespace: space.id, + name: 'abc', + enabled: true, + notifyWhen: 'onActiveAlert', + schedule: { + interval: '1m', + }, + tags: ['tag-A', 'tag-B'], + throttle: '1m', + createdBy: user.fullName, + updatedBy: user.fullName, + actions: actions.map((action: any) => { + /* eslint-disable @typescript-eslint/naming-convention */ + const { connector_type_id, group, id, params } = action; + return { + actionTypeId: connector_type_id, + group, + id, + params, + }; + }), + producer: 'alertsFixture', + ruleTypeId: 'test.always-firing', + ruleTypeName: 'Test: Always Firing', + muteAll: false, + snoozeSchedule: [], + }); + before(async () => { const { body: createdAction } = await supertest .post(`${getUrlPrefix(space.id)}/api/actions/connector`) 
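Review bot: The hoisted `getAlertInfo` helper takes `actions: any` and maps with `(action: any)`, which discards the type information the original inline literal at least had from `response.body`; a small structural type such as `actions: Array<{ connector_type_id: string; group: string; id: string; params: Record<string, unknown> }>` would keep the mapping checked. The `/* eslint-disable @typescript-eslint/naming-convention */` block comment has no matching re-enable, so now that it lives in a top-level helper it disables the rule for everything that follows in the file; `// eslint-disable-next-line @typescript-eslint/naming-convention` on the destructuring line is the narrower form.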
@@ -144,35 +176,7 @@ export default function alertTests({ getService }: FtrProviderContext) { index: ES_TEST_INDEX_NAME, reference, }, - alertInfo: { - id: alertId, - consumer: 'alertsFixture', - spaceId: space.id, - namespace: space.id, - name: 'abc', - enabled: true, - notifyWhen: 'onActiveAlert', - schedule: { - interval: '1m', - }, - tags: ['tag-A', 'tag-B'], - throttle: '1m', - createdBy: user.fullName, - updatedBy: user.fullName, - actions: response.body.actions.map((action: any) => { - /* eslint-disable @typescript-eslint/naming-convention */ - const { connector_type_id, group, id, params } = action; - return { - actionTypeId: connector_type_id, - group, - id, - params, - }; - }), - producer: 'alertsFixture', - ruleTypeId: 'test.always-firing', - ruleTypeName: 'Test: Always Firing', - }, + alertInfo: getAlertInfo(alertId, response.body.actions), }); // @ts-expect-error _source: unknown expect(alertSearchResult.body.hits.hits[0]._source.alertInfo.createdAt).to.match( @@ -296,35 +300,7 @@ instanceStateValue: true index: ES_TEST_INDEX_NAME, reference, }, - alertInfo: { - id: alertId, - consumer: 'alertsFixture', - spaceId: space.id, - namespace: space.id, - name: 'abc', - enabled: true, - notifyWhen: 'onActiveAlert', - schedule: { - interval: '1m', - }, - tags: ['tag-A', 'tag-B'], - throttle: '1m', - createdBy: user.fullName, - updatedBy: user.fullName, - actions: response.body.actions.map((action: any) => { - /* eslint-disable @typescript-eslint/naming-convention */ - const { connector_type_id, group, id, params } = action; - return { - actionTypeId: connector_type_id, - group, - id, - params, - }; - }), - producer: 'alertsFixture', - ruleTypeId: 'test.always-firing', - ruleTypeName: 'Test: Always Firing', - }, + alertInfo: getAlertInfo(alertId, response.body.actions), }); // @ts-expect-error _source: unknown 
@@ -456,6 +432,8 @@ instanceStateValue: true producer: 'alertsFixture', ruleTypeId: 'test.always-firing', ruleTypeName: 'Test: Always Firing', + muteAll: false, + snoozeSchedule: [], }); // @ts-expect-error _source: unknown diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts index ea009fc24bbc6..bcaefee55b1e5 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts 
@@ -32,21 +32,21 @@ export default function alertingTests({ loadTestFile, getService }: FtrProviderC await tearDown(getService); }); - loadTestFile(require.resolve('./mute_all')); - loadTestFile(require.resolve('./mute_instance')); - loadTestFile(require.resolve('./unmute_all')); - loadTestFile(require.resolve('./unmute_instance')); - loadTestFile(require.resolve('./update')); - loadTestFile(require.resolve('./update_api_key')); + // loadTestFile(require.resolve('./mute_all')); + // loadTestFile(require.resolve('./mute_instance')); + // loadTestFile(require.resolve('./unmute_all')); + // loadTestFile(require.resolve('./unmute_instance')); + // loadTestFile(require.resolve('./update')); + // loadTestFile(require.resolve('./update_api_key')); loadTestFile(require.resolve('./alerts')); - loadTestFile(require.resolve('./event_log')); - loadTestFile(require.resolve('./mustache_templates')); - loadTestFile(require.resolve('./health')); - loadTestFile(require.resolve('./excluded')); - loadTestFile(require.resolve('./snooze')); - loadTestFile(require.resolve('./global_execution_log')); - loadTestFile(require.resolve('./get_global_execution_kpi')); - loadTestFile(require.resolve('./get_action_error_log')); + // loadTestFile(require.resolve('./event_log')); + // loadTestFile(require.resolve('./mustache_templates')); + // loadTestFile(require.resolve('./health')); + // loadTestFile(require.resolve('./excluded')); + // loadTestFile(require.resolve('./snooze')); + // loadTestFile(require.resolve('./global_execution_log')); + // loadTestFile(require.resolve('./get_global_execution_kpi')); + // loadTestFile(require.resolve('./get_action_error_log')); }); }); } diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/alerts_base.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/alerts_base.ts index 868d3f24f50e2..8e0d7b27cfa4d 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/alerts_base.ts 
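Review bot: All `loadTestFile` calls except `./alerts` are commented out here, so mute_all, mute_instance, unmute_all, unmute_instance, update, update_api_key, event_log, mustache_templates, health, excluded, snooze, global_execution_log, get_global_execution_kpi and get_action_error_log no longer run in the security_and_spaces group2 alerting suite. This reads like a local debugging change that should be reverted before merge; if skipping is intentional, a comment stating why and referencing the tracking item belongs here instead of bare commented-out code. Since the commit changes the `alertInfo` shape to include `muteAll` and `snoozeSchedule`, the `./snooze` and mute/unmute suites are precisely the ones that would exercise the new fields.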
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/alerts_base.ts @@ -124,6 +124,8 @@ export function alertTests({ getService }: FtrProviderContext, space: Space) { producer: 'alertsFixture', ruleTypeId: 'test.always-firing', ruleTypeName: 'Test: Always Firing', + muteAll: false, + snoozeSchedule: [], }, }; if (expected.alertInfo.namespace === undefined) { From 0a0d34a71e6f36f0a4212c6e8e11b9aeb14db433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cau=C3=AA=20Marcondes?= <55978943+cauemarcondes@users.noreply.github.com> Date: Tue, 7 Feb 2023 08:49:29 -0500 Subject: [PATCH 17/27] [APM] adding storybook to generate trace waterfall from json (#150387) Screenshot 2023-02-06 at 4 09 24 PM --- .../waterfall_container.stories.tsx | 54 ++++++++++++++++++- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/apm/public/components/app/transaction_details/waterfall_with_summary/waterfall_container/waterfall_container.stories.tsx b/x-pack/plugins/apm/public/components/app/transaction_details/waterfall_with_summary/waterfall_container/waterfall_container.stories.tsx index e0f48f9bed781..5cdaa756d4fd0 100644 --- a/x-pack/plugins/apm/public/components/app/transaction_details/waterfall_with_summary/waterfall_container/waterfall_container.stories.tsx +++ b/x-pack/plugins/apm/public/components/app/transaction_details/waterfall_with_summary/waterfall_container/waterfall_container.stories.tsx @@ -4,11 +4,12 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import { EuiFilePicker, EuiForm } from '@elastic/eui'; import { apm, dedot } from '@kbn/apm-synthtrace-client'; import { ProcessorEvent } from '@kbn/observability-plugin/common'; import { Meta, Story } from '@storybook/react'; import { noop } from 'lodash'; -import React, { ComponentProps } from 'react'; +import React, { ComponentProps, useState } from 'react'; import { WaterfallContainer } from '.'; import { WaterfallError, 
@@ -16,8 +17,9 @@ import { WaterfallTransaction, } from '../../../../../../common/waterfall/typings'; import { Transaction } from '../../../../../../typings/es_schemas/ui/transaction'; -import { getWaterfall } from './waterfall/waterfall_helpers/waterfall_helpers'; import { MockApmPluginStorybook } from '../../../../../context/apm_plugin/mock_apm_plugin_storybook'; +import { APIReturnType } from '../../../../../services/rest/create_call_apm_api'; +import { getWaterfall } from './waterfall/waterfall_helpers/waterfall_helpers'; type Args = ComponentProps; @@ -97,3 +99,51 @@ export const Example: Story = () => { /> ); }; +type TraceAPIResponse = APIReturnType<'GET /internal/apm/traces/{traceId}'>; + +export const WaterfallFromJSON: Story<{}> = () => { + const [json, setJson] = useState(); + + function renderWaterfall() { + if (!json) { + return null; + } + const waterfall = getWaterfall(JSON.parse(json) as TraceAPIResponse); + return ( + + ); + } + + return ( + + { + const item = event?.item(0); + + if (item) { + const f = new FileReader(); + f.onload = (onloadEvent) => { + const result = onloadEvent?.target?.result; + if (typeof result === 'string') { + setJson(result); + } + }; + f.readAsText(item); + } else { + setJson(undefined); + } + }} + /> + {renderWaterfall()} + + ); +}; From 0c54162f340edd4dd0219a91d1e8082fa0bacf94 Mon Sep 17 00:00:00 2001 From: Miriam <31922082+MiriamAparicio@users.noreply.github.com> Date: Tue, 7 Feb 2023 13:53:45 +0000 Subject: [PATCH 18/27] [APM] Added map and location metrics transactions mobile page (#150336) Closes https://github.com/elastic/kibana/issues/146873 image (comparison is not showing in screenshot, because of sythtrace data) --- .../app/mobile/service_overview/index.tsx | 152 +++++++++--------- .../service_overview/stats/location_stats.tsx | 14 +- .../app/mobile/transaction_overview/index.tsx | 35 ++++ .../use_filters_for_embeddable_charts.ts | 14 +- 4 files changed, 127 insertions(+), 88 deletions(-) 
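Review bot: `getWaterfall(JSON.parse(json) as TraceAPIResponse)` in `renderWaterfall` parses the uploaded file inside render with no `try`/`catch`, so a malformed or truncated file throws during rendering and takes the whole story down instead of showing an error, and the `as` cast lets a well-formed file of the wrong shape reach `getWaterfall` unchecked. This is a Storybook-only helper, so the input is a developer's own file rather than untrusted data, but it should still fail soft: `let parsed: TraceAPIResponse; try { parsed = JSON.parse(json); } catch { return <EuiCallOut color="danger" title="File is not valid JSON" />; }` (adding `EuiCallOut` to the `@elastic/eui` import), followed by a minimal check on whatever top-level field `getWaterfall` actually reads before calling it. A one-line doc comment on `WaterfallFromJSON` saying the file is expected to be the raw response of `GET /internal/apm/traces/{traceId}` would also help the next person who tries to use it.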
diff --git a/x-pack/plugins/apm/public/components/app/mobile/service_overview/index.tsx b/x-pack/plugins/apm/public/components/app/mobile/service_overview/index.tsx index 6e0f786aaf731..6282c581e477f 100644 --- a/x-pack/plugins/apm/public/components/app/mobile/service_overview/index.tsx +++ b/x-pack/plugins/apm/public/components/app/mobile/service_overview/index.tsx @@ -52,7 +52,6 @@ export const chartHeight = 288; export function MobileServiceOverview() { const { serviceName } = useApmServiceContext(); const router = useApmRouter(); - const embeddableFilters = useFiltersForEmbeddableCharts(); const { query, @@ -65,9 +64,16 @@ export function MobileServiceOverview() { osVersion, appVersion, netConnectionType, + offset, + comparisonEnabled, }, } = useApmParams('/mobile-services/{serviceName}/overview'); + const embeddableFilters = useFiltersForEmbeddableCharts({ + serviceName, + environment, + }); + const kueryWithMobileFilters = getKueryWithMobileFilters({ device, osVersion, @@ -151,29 +157,33 @@ export function MobileServiceOverview() {
- - - + + + - - - - - - + + + + +
+ - +

@@ -187,76 +197,68 @@ export function MobileServiceOverview() { {/* Device */} - - - + {/* NCT */} - - - + {/* OS version */} - - - + {/* App version */} - - - + diff --git a/x-pack/plugins/apm/public/components/app/mobile/service_overview/stats/location_stats.tsx b/x-pack/plugins/apm/public/components/app/mobile/service_overview/stats/location_stats.tsx index 74d55f233570a..ccded09c50e52 100644 --- a/x-pack/plugins/apm/public/components/app/mobile/service_overview/stats/location_stats.tsx +++ b/x-pack/plugins/apm/public/components/app/mobile/service_overview/stats/location_stats.tsx @@ -9,7 +9,6 @@ import { i18n } from '@kbn/i18n'; import { EuiIcon, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import React, { useCallback } from 'react'; import { useTheme } from '@kbn/observability-plugin/public'; -import { useAnyOfApmParams } from '../../../../../hooks/use_apm_params'; import { useFetcher, isPending } from '../../../../../hooks/use_fetcher'; import { CLIENT_GEO_COUNTRY_NAME } from '../../../../../../common/es_fields/apm'; import { NOT_AVAILABLE_LABEL } from '../../../../../../common/i18n'; @@ -50,18 +49,21 @@ export function MobileLocationStats({ start, end, kuery, + serviceName, + offset, + environment, + comparisonEnabled, }: { start: string; end: string; kuery: string; + serviceName: string; + offset?: string; + environment: string; + comparisonEnabled: boolean; }) { const euiTheme = useTheme(); - const { - path: { serviceName }, - query: { environment, offset, comparisonEnabled }, - } = useAnyOfApmParams('/mobile-services/{serviceName}/overview'); - const previousPeriodLabel = usePreviousPeriodLabel(); const locationField = CLIENT_GEO_COUNTRY_NAME; diff --git a/x-pack/plugins/apm/public/components/app/mobile/transaction_overview/index.tsx b/x-pack/plugins/apm/public/components/app/mobile/transaction_overview/index.tsx index 4d1ae6372668a..f6fc9556c0de2 100644 --- a/x-pack/plugins/apm/public/components/app/mobile/transaction_overview/index.tsx 
+++ b/x-pack/plugins/apm/public/components/app/mobile/transaction_overview/index.tsx @@ -10,6 +10,7 @@ import { EuiHorizontalRule, EuiPanel, EuiSpacer, + EuiFlexGroup, } from '@elastic/eui'; import React from 'react'; import { useHistory } from 'react-router-dom'; @@ -20,6 +21,9 @@ import { TransactionsTable } from '../../../shared/transactions_table'; import { replace } from '../../../shared/links/url_helpers'; import { getKueryWithMobileFilters } from '../../../../../common/utils/get_kuery_with_mobile_filters'; import { MobileTransactionCharts } from './transaction_charts'; +import { MobileLocationStats } from '../service_overview/stats/location_stats'; +import { useFiltersForEmbeddableCharts } from '../../../../hooks/use_filters_for_embeddable_charts'; +import { GeoMap } from '../service_overview/geo_map'; export function MobileTransactionOverview() { const { @@ -39,6 +43,11 @@ export function MobileTransactionOverview() { }, } = useApmParams('/mobile-services/{serviceName}/transactions'); + const embeddableFilters = useFiltersForEmbeddableCharts({ + serviceName, + environment, + }); + const kueryWithMobileFilters = getKueryWithMobileFilters({ device, osVersion, @@ -63,6 +72,32 @@ export function MobileTransactionOverview() { + + + + + + + + + + + + + [ From 1854c310a3367ed228b29c763fa61ed5a83374ac Mon Sep 17 00:00:00 2001 
From: Dario Gieselaar Date: Tue, 7 Feb 2023 14:54:17 +0100 Subject: [PATCH 19/27] [Profiling] Improved differential flamegraph controls (#150254) Co-authored-by: boriskirov Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Closes https://github.com/elastic/prodfiler/issues/2639 --- x-pack/plugins/profiling/common/flamegraph.ts | 5 + .../flame_graphs_view/flame_graph_legend.tsx | 1 + .../components/flame_graphs_view/index.tsx | 206 ++++++++++---- .../flame_graphs_view/normalization_menu.tsx | 252 ++++++++++++++++++ .../public/components/flamegraph.tsx | 35 +-- .../components/functions_view/index.tsx | 2 +- .../primary_and_comparison_search_bar.tsx | 60 ++++- .../profiling_search_bar.tsx | 12 +- .../profiling/public/routing/index.tsx | 31 ++- .../utils/get_flamegraph_model/index.ts | 10 +- 10 files changed, 514 insertions(+), 100 deletions(-) create mode 100644 x-pack/plugins/profiling/public/components/flame_graphs_view/normalization_menu.tsx diff --git a/x-pack/plugins/profiling/common/flamegraph.ts b/x-pack/plugins/profiling/common/flamegraph.ts index eacd4a34322c5..2f6e0ae0188a8 100644 --- a/x-pack/plugins/profiling/common/flamegraph.ts +++ b/x-pack/plugins/profiling/common/flamegraph.ts @@ -15,6 +15,11 @@ export enum FlameGraphComparisonMode { Relative = 'relative', } +export enum FlameGraphNormalizationMode { + Scale = 'scale', + Time = 'time', +} + export interface BaseFlameGraph { Size: number; Edges: number[][]; diff --git a/x-pack/plugins/profiling/public/components/flame_graphs_view/flame_graph_legend.tsx b/x-pack/plugins/profiling/public/components/flame_graphs_view/flame_graph_legend.tsx index 7f63ecb9337f9..60d36ea833d92 100644 --- a/x-pack/plugins/profiling/public/components/flame_graphs_view/flame_graph_legend.tsx +++ b/x-pack/plugins/profiling/public/components/flame_graphs_view/flame_graph_legend.tsx @@ -52,6 +52,7 @@ export function FlameGraphLegend({ {legendItems.map(({ color, label }) => { return ( {label ? ( 
diff --git a/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx b/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx index 18abf1f3e66ae..3f418227fdc3f 100644 --- a/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx +++ b/x-pack/plugins/profiling/public/components/flame_graphs_view/index.tsx @@ -4,10 +4,20 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { EuiButtonGroup, EuiFlexGroup, EuiFlexItem, EuiPageHeaderContentProps } from '@elastic/eui'; +import { + EuiButtonGroup, + EuiFlexGroup, + EuiFlexItem, + EuiHorizontalRule, + EuiPageHeaderContentProps, + EuiPanel, + EuiSwitch, + EuiTitle, +} from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import React from 'react'; -import { FlameGraphComparisonMode } from '../../../common/flamegraph'; +import { pick } from 'lodash'; +import React, { useState } from 'react'; +import { FlameGraphComparisonMode, FlameGraphNormalizationMode } from '../../../common/flamegraph'; import { useProfilingParams } from '../../hooks/use_profiling_params'; import { useProfilingRouter } from '../../hooks/use_profiling_router'; import { useProfilingRoutePath } from '../../hooks/use_profiling_route_path'; @@ -19,6 +29,7 @@ import { FlameGraph } from '../flamegraph'; import { PrimaryAndComparisonSearchBar } from '../primary_and_comparison_search_bar'; import { ProfilingAppPageTemplate } from '../profiling_app_page_template'; import { RedirectTo } from '../redirect_to'; +import { FlameGraphNormalizationOptions, NormalizationMenu } from './normalization_menu'; export function FlameGraphsView({ children }: { children: React.ReactElement }) { const { 
@@ -39,6 +50,10 @@ export function FlameGraphsView({ children }: { children: React.ReactElement }) const comparisonMode = 'comparisonMode' in query ? query.comparisonMode : FlameGraphComparisonMode.Absolute; + const normalizationMode = 'normalizationMode' in query ? query.normalizationMode : undefined; + const baseline = 'baseline' in query ? query.baseline : undefined; + const comparison = 'comparison' in query ? query.comparison : undefined; + const { services: { fetchElasticFlamechart }, } = useProfilingDependencies(); @@ -100,17 +115,19 @@ export function FlameGraphsView({ children }: { children: React.ReactElement }) }), isSelected: isDifferentialView, href: profilingRouter.link('/flamegraphs/differential', { + // @ts-expect-error Code gets too complicated to satisfy TS constraints query: { ...query, comparisonRangeFrom: query.rangeFrom, comparisonRangeTo: query.rangeTo, comparisonKuery: query.kuery, - comparisonMode, }, }), }, ]; + const [showInformationWindow, setShowInformationWindow] = useState(false); + if (routePath === '/flamegraphs') { return ; } @@ -120,58 +137,129 @@ export function FlameGraphsView({ children }: { children: React.ReactElement }) {isDifferentialView ? ( - - - - - - { - if (!('comparisonRangeFrom' in query)) { - return; - } - - profilingRouter.push(routePath, { - path, - query: { - ...query, - comparisonMode: nextComparisonMode as FlameGraphComparisonMode, - }, - }); - }} - options={[ - { - id: FlameGraphComparisonMode.Absolute, - label: i18n.translate( - 'xpack.profiling.flameGraphsView.differentialFlameGraphComparisonModeAbsoluteButtonLabel', - { - defaultMessage: 'Abs', - } - ), - }, - { - id: FlameGraphComparisonMode.Relative, - label: i18n.translate( - 'xpack.profiling.flameGraphsView.differentialFlameGraphComparisonModeRelativeButtonLabel', - { - defaultMessage: 'Rel', - } - ), - }, - ]} - /> - - + + + + + + + + +
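Review bot: The differential link's query object in this hunk gains `// @ts-expect-error Code gets too complicated to satisfy TS constraints` at the same time as `comparisonMode` is removed from it, so as far as the hunk shows the suppression is hiding exactly that a field the route declares as required is no longer supplied at link time; the `defaults` in `routing/index.tsx` appear to fill it at parse time, but the compiler can no longer tell you if that contract changes. Prefer supplying the fields explicitly, `comparisonMode: FlameGraphComparisonMode.Absolute, normalizationMode: FlameGraphNormalizationMode.Time,` (the same values the route defaults to), and drop the suppression; if one has to stay, its comment should name the specific constraint it silences rather than "too complicated". The `FlameGraphsView` function starts before this hunk.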

+ {i18n.translate( + 'xpack.profiling.flameGraphsView.differentialFlameGraphComparisonModeTitle', + { defaultMessage: 'Format' } + )} +

+
+
+ + { + if (!('comparisonRangeFrom' in query)) { + return; + } + + profilingRouter.push(routePath, { + path, + query: { + ...query, + ...(nextComparisonMode === FlameGraphComparisonMode.Absolute + ? { + comparisonMode: FlameGraphComparisonMode.Absolute, + normalizationMode: FlameGraphNormalizationMode.Time, + } + : { comparisonMode: FlameGraphComparisonMode.Relative }), + }, + }); + }} + options={[ + { + id: FlameGraphComparisonMode.Absolute, + label: i18n.translate( + 'xpack.profiling.flameGraphsView.differentialFlameGraphComparisonModeAbsoluteButtonLabel', + { + defaultMessage: 'Abs', + } + ), + }, + { + id: FlameGraphComparisonMode.Relative, + label: i18n.translate( + 'xpack.profiling.flameGraphsView.differentialFlameGraphComparisonModeRelativeButtonLabel', + { + defaultMessage: 'Rel', + } + ), + }, + ]} + /> + +
+
+ {comparisonMode === FlameGraphComparisonMode.Absolute ? ( + + + + { + profilingRouter.push(routePath, { + path: routePath, + // @ts-expect-error Code gets too complicated to satisfy TS constraints + query: { + ...query, + ...pick(options, 'baseline', 'comparison'), + normalizationMode: options.mode, + }, + }); + }} + totalSeconds={ + (new Date(timeRange.end).getTime() - + new Date(timeRange.start).getTime()) / + 1000 + } + comparisonTotalSeconds={ + (new Date(comparisonTimeRange.end!).getTime() - + new Date(comparisonTimeRange.start!).getTime()) / + 1000 + } + options={ + (normalizationMode === FlameGraphNormalizationMode.Time + ? { mode: FlameGraphNormalizationMode.Time } + : { + mode: FlameGraphNormalizationMode.Scale, + baseline, + comparison, + }) as FlameGraphNormalizationOptions + } + /> + + + + ) : undefined} + + { + setShowInformationWindow((prev) => !prev); + }} + label={i18n.translate('xpack.profiling.flameGraph.showInformationWindow', { + defaultMessage: 'Show information window', + })} + /> + +
+
) : null} @@ -181,6 +269,12 @@ export function FlameGraphsView({ children }: { children: React.ReactElement }) primaryFlamegraph={data?.primaryFlamegraph} comparisonFlamegraph={data?.comparisonFlamegraph} comparisonMode={comparisonMode} + baseline={baseline} + comparison={comparison} + showInformationWindow={showInformationWindow} + onInformationWindowClose={() => { + setShowInformationWindow(false); + }} /> {children} diff --git a/x-pack/plugins/profiling/public/components/flame_graphs_view/normalization_menu.tsx b/x-pack/plugins/profiling/public/components/flame_graphs_view/normalization_menu.tsx new file mode 100644 index 0000000000000..72bc72aa64e78 --- /dev/null +++ b/x-pack/plugins/profiling/public/components/flame_graphs_view/normalization_menu.tsx 
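Review bot: In the `NormalizationMenu` `onChange` handler, `{ ...query, ...pick(options, 'baseline', 'comparison'), normalizationMode: options.mode }` keeps whatever `baseline`/`comparison` were previously in the URL when the user switches back to Time mode, because the Time variant of the options carries neither key and `pick` therefore contributes nothing; those stale scale factors are still handed to `<FlameGraph baseline={baseline} comparison={comparison}>` further down. Clear them explicitly, e.g. `...(options.mode === FlameGraphNormalizationMode.Scale ? pick(options, 'baseline', 'comparison') : { baseline: undefined, comparison: undefined }),` (or `omit(query, ['baseline', 'comparison'])` if the router does not drop undefined values). The `as FlameGraphNormalizationOptions` cast on the `options` prop also hides that `baseline`/`comparison` from the query are `number | undefined`; `baseline: baseline ?? 1, comparison: comparison ?? 1` would keep the scale inputs numeric when a Scale-mode URL lacks them. The `FlameGraphsView` function begins before this hunk.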
@@ -0,0 +1,252 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + EuiButton, + EuiButtonGroup, + EuiButtonIcon, + EuiFieldNumber, + EuiFlexGroup, + EuiFlexItem, + EuiFormControlLayout, + EuiFormLabel, + EuiHorizontalRule, + EuiIconTip, + EuiPopover, + EuiSpacer, + EuiTitle, + useEuiTheme, + useGeneratedHtmlId, +} from '@elastic/eui'; +import { css } from '@emotion/react'; +import { i18n } from '@kbn/i18n'; +import React, { useEffect, useState } from 'react'; +import { FlameGraphNormalizationMode } from '../../../common/flamegraph'; + +export type FlameGraphNormalizationOptions = + | { + mode: FlameGraphNormalizationMode.Scale; + baseline: number; + comparison: number; + } + | { mode: FlameGraphNormalizationMode.Time }; + +interface Props { + options: FlameGraphNormalizationOptions; + totalSeconds: number; + comparisonTotalSeconds: number; + onChange: (options: FlameGraphNormalizationOptions) => void; +} + +const SCALE_LABEL = i18n.translate('xpack.profiling.flameGraphNormalizationMenu.scale', { + defaultMessage: 'Scale factor', +}); + +const TIME_LABEL = i18n.translate('xpack.profiling.flameGraphNormalizationMenu.time', { + defaultMessage: 'Time', +}); + +const NORMALIZE_BY_LABEL = i18n.translate( + 'xpack.profiling.flameGraphNormalizationMenu.normalizeBy', + { + defaultMessage: 'Normalize by', + } +); + +function getScaleFactorsBasedOnTime({ + totalSeconds, + comparisonTotalSeconds, +}: { + totalSeconds: number; + comparisonTotalSeconds: number; +}) { + return { + baseline: 1, + comparison: totalSeconds / comparisonTotalSeconds, + }; +} + +export function NormalizationMenu(props: Props) { + const [isPopoverOpen, setIsPopoverOpen] = useState(false); + + const theme = useEuiTheme(); + + const baselineScaleFactorInputId = useGeneratedHtmlId({ 
prefix: 'baselineScaleFactor' }); + const comparisonScaleFactorInputId = useGeneratedHtmlId({ prefix: 'comparisonScaleFactor' }); + + const [options, setOptions] = useState(props.options); + + useEffect(() => { + setOptions(props.options); + // eslint-disable-next-line react-hooks/exhaustive-deps + }, [ + props.options.mode, + // @ts-expect-error can't refine because ESLint will complain + props.options.baseline, + // @ts-expect-error can't refine because ESLint will complain + props.options.comparison, + ]); + + const { baseline, comparison } = + options.mode === FlameGraphNormalizationMode.Time + ? getScaleFactorsBasedOnTime({ + comparisonTotalSeconds: props.comparisonTotalSeconds, + totalSeconds: props.totalSeconds, + }) + : { comparison: options.comparison, baseline: options.baseline }; + + return ( + { + setIsPopoverOpen((popoverOpen) => !popoverOpen); + }} + compressed + prepend={NORMALIZE_BY_LABEL} + append={ + + } + css={css` + .euiFormLabel { + max-width: none; + } + `} + > + + {props.options.mode === FlameGraphNormalizationMode.Scale ? SCALE_LABEL : TIME_LABEL} + + + } + isOpen={isPopoverOpen} + closePopover={() => setIsPopoverOpen(false)} + > + + + +

{NORMALIZE_BY_LABEL}

+
+
+ + + +
+ + { + setOptions((prevOptions) => ({ + ...prevOptions, + ...(id === FlameGraphNormalizationMode.Time + ? { mode: FlameGraphNormalizationMode.Time } + : { mode: FlameGraphNormalizationMode.Scale, baseline: 1, comparison: 1 }), + })); + }} + legend={i18n.translate('xpack.profiling.flameGraphNormalizationMode.selectModeLegend', { + defaultMessage: 'Select a normalization mode for the flamegraph', + })} + idSelected={options.mode} + options={[ + { + id: FlameGraphNormalizationMode.Scale, + label: SCALE_LABEL, + }, + { + id: FlameGraphNormalizationMode.Time, + label: TIME_LABEL, + }, + ]} + /> + + +
+ {i18n.translate('xpack.profiling.normalizationMenu.baseline', { + defaultMessage: 'Baseline', + })} +
+
+ + {SCALE_LABEL}} + > + { + setOptions((prevOptions) => ({ ...prevOptions, baseline: e.target.valueAsNumber })); + }} + disabled={options.mode === FlameGraphNormalizationMode.Time} + /> + + + +
+ {i18n.translate('xpack.profiling.normalizationMenu.comparison', { + defaultMessage: 'Comparison', + })} +
+
+ + {SCALE_LABEL}} + > + { + setOptions((prevOptions) => ({ + ...prevOptions, + comparison: e.target.valueAsNumber, + })); + }} + disabled={options.mode === FlameGraphNormalizationMode.Time} + /> + + + { + props.onChange(options); + setIsPopoverOpen(false); + }} + fullWidth + > + {i18n.translate('xpack.profiling.normalizationMenu.applyChanges', { + defaultMessage: 'Apply changes', + })} + +
+ ); +} diff --git a/x-pack/plugins/profiling/public/components/flamegraph.tsx b/x-pack/plugins/profiling/public/components/flamegraph.tsx index 82eded53e62b1..a1654c9bfbbd5 100644 --- a/x-pack/plugins/profiling/public/components/flamegraph.tsx +++ b/x-pack/plugins/profiling/public/components/flamegraph.tsx @@ -11,7 +11,6 @@ import { EuiFlexItem, EuiPanel, EuiSpacer, - EuiSwitch, EuiText, EuiTextColor, useEuiTheme, @@ -98,22 +97,18 @@ function FlameGraphTooltip({ label, countInclusive, countExclusive, - samples, totalSamples, comparisonCountInclusive, comparisonCountExclusive, - comparisonSamples, comparisonTotalSamples, }: { isRoot: boolean; - samples: number; label: string; countInclusive: number; countExclusive: number; totalSamples: number; comparisonCountInclusive?: number; comparisonCountExclusive?: number; - comparisonSamples?: number; comparisonTotalSamples?: number; }) { return ( @@ -179,6 +174,10 @@ export interface FlameGraphProps { comparisonMode: FlameGraphComparisonMode; primaryFlamegraph?: ElasticFlameGraph; comparisonFlamegraph?: ElasticFlameGraph; + baseline?: number; + comparison?: number; + showInformationWindow: boolean; + onInformationWindowClose: () => void; } export const FlameGraph: React.FC = ({ @@ -186,6 +185,10 @@ export const FlameGraph: React.FC = ({ comparisonMode, primaryFlamegraph, comparisonFlamegraph, + baseline, + comparison, + showInformationWindow, + onInformationWindowClose, }) => { const theme = useEuiTheme(); @@ -197,6 +200,8 @@ export const FlameGraph: React.FC = ({ colorDanger: theme.euiTheme.colors.danger, colorNeutral: theme.euiTheme.colors.lightShade, comparisonMode, + baseline, + comparison, }); }, [ primaryFlamegraph, @@ -205,6 +210,8 @@ export const FlameGraph: React.FC = ({ theme.euiTheme.colors.danger, theme.euiTheme.colors.lightShade, comparisonMode, + baseline, + comparison, ]); const chartTheme: PartialTheme = { 
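Review bot: `e.target.valueAsNumber` in both `EuiFieldNumber` handlers of `NormalizationMenu` is `NaN` while the field is empty, and the Apply button calls `props.onChange(options)` without checking, so a cleared field sends `baseline=NaN` into the URL and from there into the flamegraph weighting; `0` is accepted too and becomes a division by zero downstream. Gate the apply: `const scaleValid = options.mode === FlameGraphNormalizationMode.Time || [options.baseline, options.comparison].every((v) => Number.isFinite(v) && v > 0);` and `isDisabled={!scaleValid}` on the `EuiButton`. `getScaleFactorsBasedOnTime` has the same hole on the Time side, since `totalSeconds / comparisonTotalSeconds` is `Infinity` when the comparison range has zero length, so a `comparisonTotalSeconds > 0 ? totalSeconds / comparisonTotalSeconds : 1` guard belongs there as well. A short TSDoc on `FlameGraphNormalizationOptions` stating that scale factors must be finite and positive would make the contract explicit for the routing layer that parses them from the URL.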
@@ -235,21 +242,8 @@ export const FlameGraph: React.FC = ({ setHighlightedVmIndex(undefined); }, [columnarData.key]); - const [showInformationWindow, setShowInformationWindow] = useState(false); - return ( - - { - setShowInformationWindow((prev) => !prev); - }} - label={i18n.translate('xpack.profiling.flameGraph.showInformationWindow', { - defaultMessage: 'Show information window', - })} - /> - {columnarData.viewModel.label.length > 0 && ( @@ -273,7 +267,6 @@ export const FlameGraph: React.FC = ({ const valueIndex = props.values[0].valueAccessor as number; const label = primaryFlamegraph.Label[valueIndex]; - const samples = primaryFlamegraph.CountInclusive[valueIndex]; const countInclusive = primaryFlamegraph.CountInclusive[valueIndex]; const countExclusive = primaryFlamegraph.CountExclusive[valueIndex]; const nodeID = primaryFlamegraph.ID[valueIndex]; @@ -284,14 +277,12 @@ export const FlameGraph: React.FC = ({ ); }, @@ -315,7 +306,7 @@ export const FlameGraph: React.FC = ({ totalSeconds={primaryFlamegraph?.TotalSeconds ?? 0} totalSamples={totalSamples} onClose={() => { - setShowInformationWindow(false); + onInformationWindowClose(); }} /> diff --git a/x-pack/plugins/profiling/public/components/functions_view/index.tsx b/x-pack/plugins/profiling/public/components/functions_view/index.tsx index 1b7df44e68290..79973a63574a2 100644 --- a/x-pack/plugins/profiling/public/components/functions_view/index.tsx +++ b/x-pack/plugins/profiling/public/components/functions_view/index.tsx @@ -115,7 +115,7 @@ export function FunctionsView({ children }: { children: React.ReactElement }) { <> {isDifferentialView ? ( - + ) : null} diff --git a/x-pack/plugins/profiling/public/components/primary_and_comparison_search_bar.tsx b/x-pack/plugins/profiling/public/components/primary_and_comparison_search_bar.tsx index 7a8a09e845589..33f5f3e8850ff 100644 --- a/x-pack/plugins/profiling/public/components/primary_and_comparison_search_bar.tsx 
+++ b/x-pack/plugins/profiling/public/components/primary_and_comparison_search_bar.tsx @@ -4,7 +4,15 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; +import { + EuiButtonIcon, + EuiFlexGroup, + EuiFlexItem, + EuiSpacer, + EuiTitle, + EuiToolTip, +} from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; import { TypeOf } from '@kbn/typed-react-router-config'; import React from 'react'; import { useAnyOfProfilingParams } from '../hooks/use_profiling_params'; @@ -54,15 +62,63 @@ export function PrimaryAndComparisonSearchBar() { } return ( - + + +

+ {i18n.translate('xpack.profiling.comparisonSearch.baselineTitle', { + defaultMessage: 'Baseline flamegraph', + })} +

+
+
+ + + { + const next = { + ...query, + rangeFrom: comparisonRangeFrom, + rangeTo: comparisonRangeTo, + kuery: comparisonKuery, + comparisonRangeFrom: query.rangeFrom, + comparisonRangeTo: query.rangeTo, + comparisonKuery: query.kuery, + }; + + if (routePath === '/flamegraphs/differential') { + profilingRouter.push(routePath, { + path, + query: next as TypeOf['query'], + }); + } else { + profilingRouter.push(routePath, { + path, + query: next as TypeOf['query'], + }); + } + }} + /> + + + +

+ {i18n.translate('xpack.profiling.comparisonSearch.comparisonTitle', { + defaultMessage: 'Comparison flamegraph', + })} +

+
+ { navigate({ kuery: String(next.query?.query || ''), diff --git a/x-pack/plugins/profiling/public/components/profiling_app_page_template/profiling_search_bar.tsx b/x-pack/plugins/profiling/public/components/profiling_app_page_template/profiling_search_bar.tsx index 210bb66be4067..bad6ce5e73cd7 100644 --- a/x-pack/plugins/profiling/public/components/profiling_app_page_template/profiling_search_bar.tsx +++ b/x-pack/plugins/profiling/public/components/profiling_app_page_template/profiling_search_bar.tsx @@ -4,13 +4,13 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import React, { useEffect, useState } from 'react'; -import { SearchBar } from '@kbn/unified-search-plugin/public'; import { DataView } from '@kbn/data-views-plugin/common'; -import { compact } from 'lodash'; import { Query, TimeRange } from '@kbn/es-query'; -import { useProfilingDependencies } from '../contexts/profiling_dependencies/use_profiling_dependencies'; +import { SearchBar } from '@kbn/unified-search-plugin/public'; +import { compact } from 'lodash'; +import React, { useEffect, useState } from 'react'; import { INDEX_EVENTS } from '../../../common'; +import { useProfilingDependencies } from '../contexts/profiling_dependencies/use_profiling_dependencies'; export function ProfilingSearchBar({ kuery, @@ -68,13 +68,13 @@ export function ProfilingSearchBar({ showDatePicker showFilterBar={false} showSaveQuery={false} - // showSubmitButton={showSubmitButton} - showSubmitButton={true} + submitButtonStyle={!showSubmitButton ? 'iconOnly' : 'auto'} query={searchBarQuery} dateRangeFrom={rangeFrom} dateRangeTo={rangeTo} indexPatterns={compact([dataView])} onRefresh={onRefresh} + displayStyle="inPage" /> ); } diff --git a/x-pack/plugins/profiling/public/routing/index.tsx b/x-pack/plugins/profiling/public/routing/index.tsx index 1ca3a597e4782..2c40a6d4ad352 100644 --- a/x-pack/plugins/profiling/public/routing/index.tsx 
+++ b/x-pack/plugins/profiling/public/routing/index.tsx @@ -11,7 +11,7 @@ import * as t from 'io-ts'; import React from 'react'; import { TopNFunctionSortField, topNFunctionSortFieldRt } from '../../common/functions'; import { StackTracesDisplayOption, TopNType } from '../../common/stack_traces'; -import { FlameGraphComparisonMode } from '../../common/flamegraph'; +import { FlameGraphComparisonMode, FlameGraphNormalizationMode } from '../../common/flamegraph'; import { FlameGraphsView } from '../components/flame_graphs_view'; import { FunctionsView } from '../components/functions_view'; import { RedirectTo } from '../components/redirect_to'; @@ -111,19 +111,30 @@ const routes = { ), params: t.type({ - query: t.type({ - comparisonRangeFrom: t.string, - comparisonRangeTo: t.string, - comparisonKuery: t.string, - comparisonMode: t.union([ - t.literal(FlameGraphComparisonMode.Absolute), - t.literal(FlameGraphComparisonMode.Relative), - ]), - }), + query: t.intersection([ + t.type({ + comparisonRangeFrom: t.string, + comparisonRangeTo: t.string, + comparisonKuery: t.string, + comparisonMode: t.union([ + t.literal(FlameGraphComparisonMode.Absolute), + t.literal(FlameGraphComparisonMode.Relative), + ]), + }), + t.partial({ + normalizationMode: t.union([ + t.literal(FlameGraphNormalizationMode.Scale), + t.literal(FlameGraphNormalizationMode.Time), + ]), + baseline: toNumberRt, + comparison: toNumberRt, + }), + ]), }), defaults: { query: { comparisonMode: FlameGraphComparisonMode.Absolute, + normalizationMode: FlameGraphNormalizationMode.Time, }, }, }, diff --git a/x-pack/plugins/profiling/public/utils/get_flamegraph_model/index.ts b/x-pack/plugins/profiling/public/utils/get_flamegraph_model/index.ts index 7609b724e0547..616965dba3b19 100644 --- a/x-pack/plugins/profiling/public/utils/get_flamegraph_model/index.ts +++ b/x-pack/plugins/profiling/public/utils/get_flamegraph_model/index.ts 
@@ -5,9 +5,9 @@ * 2.0. */ import { ColumnarViewModel } from '@elastic/charts'; -import d3 from 'd3'; -import { compact, sum, uniqueId, range } from 'lodash'; import { i18n } from '@kbn/i18n'; +import d3 from 'd3'; +import { compact, range, sum, uniqueId } from 'lodash'; import { createColumnarViewModel } from '../../../common/columnar_view_model'; import { ElasticFlameGraph, FlameGraphComparisonMode } from '../../../common/flamegraph'; import { FRAME_TYPE_COLOR_MAP, rgbToRGBA } from '../../../common/frame_type_colors'; @@ -31,6 +31,8 @@ export function getFlamegraphModel({ colorDanger, colorNeutral, comparisonMode, + comparison, + baseline, }: { primaryFlamegraph?: ElasticFlameGraph; comparisonFlamegraph?: ElasticFlameGraph; @@ -38,6 +40,8 @@ export function getFlamegraphModel({ colorDanger: string; colorNeutral: string; comparisonMode: FlameGraphComparisonMode; + baseline?: number; + comparison?: number; }): { key: string; viewModel: ColumnarViewModel; @@ -133,7 +137,7 @@ export function getFlamegraphModel({ const weightComparisonSide = comparisonMode === FlameGraphComparisonMode.Relative ? 1 - : primaryFlamegraph.TotalSeconds / comparisonFlamegraph.TotalSeconds; + : (comparison ?? 1) / (baseline ?? 1); primaryFlamegraph.ID.forEach((nodeID, index) => { const samples = primaryFlamegraph.CountInclusive[index]; From 7e9a9bcc9921e0790951c370626e3dccb4983373 Mon Sep 17 00:00:00 2001 
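Review bot: `weightComparisonSide` in `getFlamegraphModel` now falls back to `(comparison ?? 1) / (baseline ?? 1)`, which is `1` whenever the URL carries no explicit factors; since the route defaults `normalizationMode` to `Time` and, as far as the visible hunks show, the Time option never writes `baseline`/`comparison` into the query, the default absolute differential view quietly loses the `primaryFlamegraph.TotalSeconds / comparisonFlamegraph.TotalSeconds` scaling this line applied before. Keep the time ratio as the fallback and refuse non-positive URL values instead of dividing by them: `: comparison !== undefined && baseline !== undefined && baseline > 0 ? comparison / baseline : primaryFlamegraph.TotalSeconds / comparisonFlamegraph.TotalSeconds;`. A why-comment such as `// explicit scale factors from the URL win; otherwise normalise by sampled wall time` would record the intended precedence. The enclosing function starts and ends outside this hunk.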
From: Mark Hopkin Date: Tue, 7 Feb 2023 13:56:48 +0000 Subject: [PATCH 20/27] [Fleet] Add ability to show FQDN of agents (#150239) ## Summary Closes #149059 Adds the `agent_features` agent policy field which is an array of feature flags + other arbitrary config values. As part of this allow the FQDN feature to be configured in the agent policy settings. Screenshot 2023-02-02 at 23 59 17 --- .../migrations/check_registered_types.test.ts | 2 +- .../plugins/fleet/common/openapi/bundled.json | 18 ++++ .../plugins/fleet/common/openapi/bundled.yaml | 12 +++ .../components/schemas/agent_policy.yaml | 12 +++ .../fleet/common/types/models/agent_policy.ts | 2 + .../agent_policy_advanced_fields/index.tsx | 87 +++++++++++++++++++ .../components/settings/index.tsx | 64 +++++--------- .../fleet/server/saved_objects/index.ts | 6 ++ .../full_agent_policy.test.ts.snap | 3 + .../agent_policies/full_agent_policy.test.ts | 45 ++++++++++ .../agent_policies/full_agent_policy.ts | 4 + .../fleet/server/types/models/agent_policy.ts | 8 ++ .../apis/agent_policy/agent_policy.ts | 62 +++++++++++++ 13 files changed, 280 insertions(+), 45 deletions(-) diff --git a/src/core/server/integration_tests/saved_objects/migrations/check_registered_types.test.ts b/src/core/server/integration_tests/saved_objects/migrations/check_registered_types.test.ts index 0357fb698318a..3bde565c75ce6 100644 --- a/src/core/server/integration_tests/saved_objects/migrations/check_registered_types.test.ts +++ b/src/core/server/integration_tests/saved_objects/migrations/check_registered_types.test.ts 
@@ -101,7 +101,7 @@ describe('checking migration metadata changes on all registered SO types', () => "index-pattern": "48e77ca393c254e93256f11a7cdc0232dd754c08", "infrastructure-monitoring-log-view": "e2c78c1076bd35e57d7c5fa1b410e5c126d12327", "infrastructure-ui-source": "7c8dbbc0a608911f1b683a944f4a65383f6153ed", - "ingest-agent-policies": "54d586fdafae83ba326e47d1a3727b0d9c910a12", + "ingest-agent-policies": "a94bd53b8f81ca883de8a75386db04e27dda973e", "ingest-download-sources": "1e69dabd6db5e320fe08c5bda8f35f29bafc6b54", "ingest-outputs": "29181ecfdc7723f544325ecef7266bccbc691a54", "ingest-package-policies": "0335a28af793ce25b4969d2156cfaf1dae2ef812", diff --git a/x-pack/plugins/fleet/common/openapi/bundled.json b/x-pack/plugins/fleet/common/openapi/bundled.json index 9b994df3afe33..9c4609e76adac 100644 --- a/x-pack/plugins/fleet/common/openapi/bundled.json +++ b/x-pack/plugins/fleet/common/openapi/bundled.json @@ -5807,6 +5807,24 @@ }, "agents": { "type": "number" + }, + "agent_features": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "name", + "enabled" + ] + } } }, "required": [ diff --git a/x-pack/plugins/fleet/common/openapi/bundled.yaml b/x-pack/plugins/fleet/common/openapi/bundled.yaml index 65bab73457170..74440cfaf2d4f 100644 --- a/x-pack/plugins/fleet/common/openapi/bundled.yaml +++ b/x-pack/plugins/fleet/common/openapi/bundled.yaml @@ -3704,6 +3704,18 @@ components: type: number agents: type: number + agent_features: + type: array + items: + type: object + properties: + name: + type: string + enabled: + type: boolean + required: + - name + - enabled required: - id - status diff --git a/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy.yaml b/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy.yaml index ab00144064760..76b6fba16c873 100644 
--- a/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy.yaml +++ b/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy.yaml @@ -35,6 +35,18 @@ allOf: type: number agents: type: number + agent_features: + type: array + items: + type: object + properties: + name: + type: string + enabled: + type: boolean + required: + - name + - enabled required: - id - status diff --git a/x-pack/plugins/fleet/common/types/models/agent_policy.ts b/x-pack/plugins/fleet/common/types/models/agent_policy.ts index 4a2292a692172..cc0f0be82eae0 100644 --- a/x-pack/plugins/fleet/common/types/models/agent_policy.ts +++ b/x-pack/plugins/fleet/common/types/models/agent_policy.ts @@ -32,6 +32,7 @@ export interface NewAgentPolicy { download_source_id?: string | null; fleet_server_host_id?: string | null; schema_version?: string; + agent_features?: Array<{ name: string; enabled: boolean }>; } export interface AgentPolicy extends Omit { @@ -112,6 +113,7 @@ export interface FullAgentPolicy { logs: boolean; }; download: { sourceURI: string }; + features: Record; }; } diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx index 3d1e28cc4f1d8..396478451d6ee 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx @@ -20,6 +20,10 @@ import { EuiSuperSelect, EuiToolTip, EuiBadge, + EuiRadioGroup, + EuiText, + EuiFlexGroup, + EuiFlexItem, } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import { i18n } from '@kbn/i18n'; @@ -517,6 +521,89 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent = /> + + +

+ } + description={ + + } + > + + + + + + + + + + + + + + + + + + + ), + }, + { + id: 'fqdn', + label: ( + + + + + + + + + + + + + + + ), + }, + ]} + idSelected={agentPolicy.agent_features?.length ? 'fqdn' : 'hostname'} + onChange={(id: string) => { + updateAgentPolicy({ + agent_features: id === 'hostname' ? [] : [{ name: 'fqdn', enabled: true }], + }); + }} + name="radio group" + /> + + {isEditing && 'id' in agentPolicy && !agentPolicy.is_managed ? ( + pick(agentPolicy, [ + 'name', + 'description', + 'namespace', + 'monitoring_enabled', + 'unenroll_timeout', + 'inactivity_timeout', + 'data_output_id', + 'monitoring_output_id', + 'download_source_id', + 'fleet_server_host_id', + 'agent_features', + ]); + const FormWrapper = styled.div` max-width: 800px; margin-right: auto; 
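Review bot: `idSelected={agentPolicy.agent_features?.length ? 'fqdn' : 'hostname'}` treats any non-empty `agent_features` as "FQDN on", so a policy holding `{ name: 'fqdn', enabled: false }` or a different feature renders as FQDN selected, and `onChange` then overwrites the whole array with `[]` or a single `fqdn` entry, silently discarding every other feature the API accepts (the server test in this PR stores `feature2` alongside `fqdn`). Derive the selection from the `fqdn` entry's `enabled` flag and merge rather than replace; the rest of `AgentPolicyAdvancedOptionsContent` lies outside the hunk.
```typescript
const fqdnEnabled =
  agentPolicy.agent_features?.some(({ name, enabled }) => name === 'fqdn' && enabled) ?? false;
// … unchanged: radio option labels …
idSelected={fqdnEnabled ? 'fqdn' : 'hostname'}
onChange={(id: string) => {
  // keep features other than fqdn untouched
  const others = (agentPolicy.agent_features ?? []).filter(({ name }) => name !== 'fqdn');
  updateAgentPolicy({
    agent_features: id === 'fqdn' ? [...others, { name: 'fqdn', enabled: true }] : others,
  });
}}
```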
@@ -77,37 +92,10 @@ export const SettingsView = memo<{ agentPolicy: AgentPolicy }>( const submitUpdateAgentPolicy = async () => { setIsLoading(true); try { - const { - name, - description, - namespace, - // eslint-disable-next-line @typescript-eslint/naming-convention - monitoring_enabled, - // eslint-disable-next-line @typescript-eslint/naming-convention - unenroll_timeout, - // eslint-disable-next-line @typescript-eslint/naming-convention - inactivity_timeout, - // eslint-disable-next-line @typescript-eslint/naming-convention - data_output_id, - // eslint-disable-next-line @typescript-eslint/naming-convention - monitoring_output_id, - // eslint-disable-next-line @typescript-eslint/naming-convention - download_source_id, - // eslint-disable-next-line @typescript-eslint/naming-convention - fleet_server_host_id, - } = agentPolicy; - const { data, error } = await sendUpdateAgentPolicy(agentPolicy.id, { - name, - description, - namespace, - monitoring_enabled, - unenroll_timeout, - inactivity_timeout, - data_output_id, - monitoring_output_id, - download_source_id, - fleet_server_host_id, - }); + const { data, error } = await sendUpdateAgentPolicy( + agentPolicy.id, + pickAgentPolicyKeysToSend(agentPolicy) + ); if (data) { notifications.toasts.addSuccess( i18n.translate('xpack.fleet.editAgentPolicy.successNotificationTitle', { @@ -141,19 +129,7 @@ export const SettingsView = memo<{ agentPolicy: AgentPolicy }>( () => generateUpdateAgentPolicyDevToolsRequest( agentPolicy.id, - pick( - agentPolicy, - 'name', - 'description', - 'namespace', - 'monitoring_enabled', - 'unenroll_timeout', - 'inactivity_timeout', - 'data_output_id', - 'monitoring_output_id', - 'download_source_id', - 'fleet_server_host_id' - ) + pickAgentPolicyKeysToSend(agentPolicy) ), [agentPolicy] ); diff --git a/x-pack/plugins/fleet/server/saved_objects/index.ts b/x-pack/plugins/fleet/server/saved_objects/index.ts index 5ad423b2f1098..cd4ff53f86d46 100644 
--- a/x-pack/plugins/fleet/server/saved_objects/index.ts +++ b/x-pack/plugins/fleet/server/saved_objects/index.ts @@ -113,6 +113,12 @@ const getSavedObjectTypes = ( monitoring_output_id: { type: 'keyword' }, download_source_id: { type: 'keyword' }, fleet_server_host_id: { type: 'keyword' }, + agent_features: { + properties: { + name: { type: 'keyword' }, + enabled: { type: 'boolean' }, + }, + }, }, }, migrations: { diff --git a/x-pack/plugins/fleet/server/services/agent_policies/__snapshots__/full_agent_policy.test.ts.snap b/x-pack/plugins/fleet/server/services/agent_policies/__snapshots__/full_agent_policy.test.ts.snap index e4aee6aa84597..030dd4d9ec36f 100644 --- a/x-pack/plugins/fleet/server/services/agent_policies/__snapshots__/full_agent_policy.test.ts.snap +++ b/x-pack/plugins/fleet/server/services/agent_policies/__snapshots__/full_agent_policy.test.ts.snap @@ -6,6 +6,7 @@ Object { "download": Object { "sourceURI": "http://default-registry.co", }, + "features": Object {}, "monitoring": Object { "enabled": true, "logs": false, @@ -71,6 +72,7 @@ Object { "download": Object { "sourceURI": "http://default-registry.co", }, + "features": Object {}, "monitoring": Object { "enabled": true, "logs": false, @@ -136,6 +138,7 @@ Object { "download": Object { "sourceURI": "http://default-registry.co", }, + "features": Object {}, "monitoring": Object { "enabled": true, "logs": false, diff --git a/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.test.ts b/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.test.ts index 352e831d12112..93c6b6dc891ea 100644 --- a/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.test.ts +++ b/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.test.ts 
@@ -388,6 +388,51 @@ describe('getFullAgentPolicy', () => { }, }); }); + + it('should add + transform agent features', async () => { + mockAgentPolicy({ + namespace: 'default', + revision: 1, + monitoring_enabled: ['metrics'], + agent_features: [ + { name: 'fqdn', enabled: true }, + { name: 'feature2', enabled: true }, + ], + }); + const agentPolicy = await getFullAgentPolicy(savedObjectsClientMock.create(), 'agent-policy'); + + expect(agentPolicy).toMatchObject({ + id: 'agent-policy', + outputs: { + default: { + type: 'elasticsearch', + hosts: ['http://127.0.0.1:9201'], + }, + }, + inputs: [], + revision: 1, + fleet: { + hosts: ['http://fleetserver:8220'], + }, + agent: { + monitoring: { + namespace: 'default', + use_output: 'default', + enabled: true, + logs: false, + metrics: true, + }, + features: { + fqdn: { + enabled: true, + }, + feature2: { + enabled: true, + }, + }, + }, + }); + }); }); describe('transformOutputToFullPolicyOutput', () => { diff --git a/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.ts index 262ad2d64a606..fe434c015e438 100644 --- a/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.ts +++ b/x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.ts @@ -120,6 +120,10 @@ export async function getFullAgentPolicy( metrics: agentPolicy.monitoring_enabled.includes(dataTypes.Metrics), } : { enabled: false, logs: false, metrics: false }, + features: (agentPolicy.agent_features || []).reduce((acc, { name, ...featureConfig }) => { + acc[name] = featureConfig; + return acc; + }, {} as NonNullable['features']), }, }; diff --git a/x-pack/plugins/fleet/server/types/models/agent_policy.ts b/x-pack/plugins/fleet/server/types/models/agent_policy.ts index 750613abfd21a..f85bd93b1e870 100644 --- a/x-pack/plugins/fleet/server/types/models/agent_policy.ts +++ b/x-pack/plugins/fleet/server/types/models/agent_policy.ts 
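Review bot: The reduce in `getFullAgentPolicy` writes `acc[name] = featureConfig` with a caller-supplied `name`, so duplicate entries let the last one win without any error and a name of `__proto__` sets the accumulator's prototype instead of a property and simply disappears from the serialized `agent.features`. Since the target is a plain `Record`, build it from `Object.create(null)` (or validate the names before they reach this point) and fail on duplicates, e.g. `if (name in acc) throw new Error(\`duplicate agent feature: ${name}\`);` before the assignment. The new unit test covers `fqdn` and `feature2` but not a duplicate name or an `enabled: false` entry; both are worth a case since this object is what every enrolled agent receives.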
@@ -39,6 +39,14 @@ export const AgentPolicyBaseSchema = { monitoring_output_id: schema.maybe(schema.nullable(schema.string())), download_source_id: schema.maybe(schema.nullable(schema.string())), fleet_server_host_id: schema.maybe(schema.nullable(schema.string())), + agent_features: schema.maybe( + schema.arrayOf( + schema.object({ + name: schema.string(), + enabled: schema.boolean(), + }) + ) + ), }; export const NewAgentPolicySchema = schema.object({ diff --git a/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts b/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts index c437197f9cafb..8df65c4152e1a 100644 --- a/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts +++ b/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts @@ -17,6 +17,7 @@ export default function (providerContext: FtrProviderContext) { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); const kibanaServer = getService('kibanaServer'); + const es = getService('es'); describe('fleet_agent_policies', () => { skipIfNoDockerRegistry(providerContext); 
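Review bot: `name: schema.string()` accepts any string — empty, duplicated, or `__proto__` — while the only feature the UI and `getFullAgentPolicy` know about is `fqdn`; an unrecognised name is persisted and shipped to every agent in the policy under `agent.features.<name>`, as the `.fleet-policies` assertion in the API test shows. Constrain it to the known set, `name: schema.oneOf([schema.literal('fqdn')])`, or at minimum `schema.string({ minLength: 1 })`, and add a `validate` on the `arrayOf` that rejects repeated names so `enabled` cannot be set both ways for the same feature. The "arbitrary config" test only proves unknown keys are rejected, not unknown feature names.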
@@ -96,6 +97,67 @@ export default function (providerContext: FtrProviderContext) { expect(policy2.is_managed).to.equal(false); }); + it('does not allow arbitrary config in agent_features value', async () => { + await supertest + .post(`/api/fleet/agent_policies`) + .set('kbn-xsrf', 'xxxx') + .send({ + name: 'test-agent-features', + namespace: 'default', + agent_features: [ + { + name: 'fqdn', + enabled: true, + config: "I'm not allowed yet", + }, + ], + }) + .expect(400); + }); + + it('sets given agent_features value', async () => { + const { + body: { item: createdPolicy }, + } = await supertest + .post(`/api/fleet/agent_policies`) + .set('kbn-xsrf', 'xxxx') + .send({ + name: 'test-agent-features', + namespace: 'default', + agent_features: [ + { + name: 'fqdn', + enabled: true, + }, + ], + }) + .expect(200); + + const { body } = await supertest.get(`/api/fleet/agent_policies/${createdPolicy.id}`); + expect(body.item.agent_features).to.eql([ + { + name: 'fqdn', + enabled: true, + }, + ]); + + const policyDocRes = await es.search({ + index: '.fleet-policies', + query: { + term: { + policy_id: createdPolicy.id, + }, + }, + }); + + // @ts-expect-error + expect(policyDocRes?.hits?.hits[0]?._source?.data?.agent?.features).to.eql({ + fqdn: { + enabled: true, + }, + }); + }); + it('should return a 400 with an empty namespace', async () => { await supertest .post(`/api/fleet/agent_policies`) From 13d1f398ff313359c3a429153b15e60bc7646618 Mon Sep 17 00:00:00 2001 
From: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com> Date: Tue, 7 Feb 2023 09:17:01 -0500 Subject: [PATCH 21/27] [Security Solution] Insight filter builder form as markdown plugin (#150363) ## Summary This pr expands upon the work done in https://github.com/elastic/kibana/pull/145240 to make use of the filters builder form from unified_search to serialize filters into a markdown compatible string, so that investigation guides, timeline notes or any other place where text is parsed as markdown can make use of standard kibana filters and view a count of the matching documents at a glance, and open the entire set in timeline as well. These are generally converted to timeline data providers to enable drag and drop query building, however this is not supported for filters of range type, so regular kibana filters are used in that case for now. ![Screenshot 2023-02-06 at 3 46 15 PM](https://user-images.githubusercontent.com/56408403/217081398-7e0d263f-cdb5-48eb-9328-f01a63af768e.png) ![Screenshot 2023-02-06 at 3 49 46 PM](https://user-images.githubusercontent.com/56408403/217082554-389edad5-89ff-4d86-bd31-c2085073b39a.png) ![Screenshot 2023-02-06 at 3 50 15 PM](https://user-images.githubusercontent.com/56408403/217082658-7ef8af2b-ba7f-4676-a775-e8c550adeee6.png) ![Screenshot 2023-02-06 at 3 50 54 PM](https://user-images.githubusercontent.com/56408403/217082770-9bacbd2a-fbee-4d1f-b6f5-b7d97ed2e3ca.png) ![Screenshot 2023-02-06 at 3 51 16 PM](https://user-images.githubusercontent.com/56408403/217082842-7494b1ac-6687-426e-8e85-6fec0afcc70e.png) ![Screenshot 2023-02-06 at 3 53 48 PM](https://user-images.githubusercontent.com/56408403/217083273-f9acfa30-a156-4146-86a2-5ebb84f4ecd0.png) ![Screenshot 2023-02-06 at 3 54 30 PM](https://user-images.githubusercontent.com/56408403/217083407-1a8af419-6c09-4558-9c18-11604cb7e796.png) ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for 
features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --- .../unified_search/public/mocks/mocks.ts | 1 + src/plugins/unified_search/public/plugin.ts | 2 + src/plugins/unified_search/public/types.ts | 2 + .../cypress/e2e/timelines/notes_tab.cy.ts | 2 +- .../hover_actions/use_hover_actions.tsx | 2 +- .../markdown_editor/plugins/index.ts | 1 + .../plugins/insight/index.test.tsx | 2 +- .../markdown_editor/plugins/insight/index.tsx | 455 +++++++++++++++++- .../plugins/insight/replace_params_query.ts | 47 ++ .../use_insight_data_providers.test.ts | 97 ++-- .../insight/use_insight_data_providers.ts | 306 ++++++++---- .../plugins/insight/use_insight_query.test.ts | 1 + .../plugins/insight/use_insight_query.ts | 11 +- .../common/containers/sourcerer/index.tsx | 1 + .../public/common/lib/kuery/index.ts | 29 +- .../public/common/store/sourcerer/model.ts | 1 + .../components/controlled_combobox_input.tsx | 9 +- .../components/controlled_default_input.tsx | 15 +- .../components/edit_data_provider/helpers.tsx | 3 +- .../components/edit_data_provider/index.tsx | 7 +- .../timeline/data_providers/data_provider.ts | 6 +- .../timeline/data_providers/helpers.tsx | 9 +- .../data_providers/provider_badge.tsx | 3 +- .../data_providers/provider_item_actions.tsx | 5 +- .../data_providers/provider_item_badge.tsx | 3 +- .../timelines/components/timeline/events.ts | 3 +- .../components/timeline/helpers.test.tsx | 14 +- .../timelines/components/timeline/helpers.tsx | 88 +--- .../types/timeline/data_provider/index.ts | 4 +- 29 files changed, 868 insertions(+), 261 deletions(-) create mode 100644 x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/replace_params_query.ts 
diff --git a/src/plugins/unified_search/public/mocks/mocks.ts b/src/plugins/unified_search/public/mocks/mocks.ts index 8507de9798480..d6140fe0ccc99 100644 --- a/src/plugins/unified_search/public/mocks/mocks.ts +++ b/src/plugins/unified_search/public/mocks/mocks.ts @@ -36,6 +36,7 @@ const createStartContract = (): Start => { IndexPatternSelect: jest.fn(), SearchBar: jest.fn().mockReturnValue(null), AggregateQuerySearchBar: jest.fn().mockReturnValue(null), + FiltersBuilderLazy: jest.fn(), }, }; }; diff --git a/src/plugins/unified_search/public/plugin.ts b/src/plugins/unified_search/public/plugin.ts index 9149030602866..5aeef71e82d8b 100755 --- a/src/plugins/unified_search/public/plugin.ts +++ b/src/plugins/unified_search/public/plugin.ts @@ -24,6 +24,7 @@ import type { import { createFilterAction } from './actions/apply_filter_action'; import { createUpdateFilterReferencesAction } from './actions/update_filter_references_action'; import { ACTION_GLOBAL_APPLY_FILTER, UPDATE_FILTER_REFERENCES_ACTION } from './actions'; +import { FiltersBuilderLazy } from './filters_builder'; import './index.scss'; @@ -92,6 +93,7 @@ export class UnifiedSearchPublicPlugin IndexPatternSelect: createIndexPatternSelect(dataViews), SearchBar, AggregateQuerySearchBar: SearchBar, + FiltersBuilderLazy, }, autocomplete: autocompleteStart, }; diff --git a/src/plugins/unified_search/public/types.ts b/src/plugins/unified_search/public/types.ts index 5142cd323c136..557c31865a417 100755 --- a/src/plugins/unified_search/public/types.ts +++ b/src/plugins/unified_search/public/types.ts 
@@ -18,6 +18,7 @@ import { CoreStart, DocLinksStart } from '@kbn/core/public'; import { IStorageWrapper } from '@kbn/kibana-utils-plugin/public'; import { AutocompleteSetup, AutocompleteStart } from './autocomplete'; import type { IndexPatternSelectProps, StatefulSearchBarProps } from '.'; +import type { FiltersBuilderProps } from './filters_builder/filters_builder'; export interface UnifiedSearchSetupDependencies { uiActions: UiActionsSetup; @@ -46,6 +47,7 @@ export interface UnifiedSearchPublicPluginStartUi { AggregateQuerySearchBar: ( props: StatefulSearchBarProps ) => React.ReactElement; + FiltersBuilderLazy: React.ComponentType; } /** diff --git a/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts b/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts index c386abace9724..3a73d5b6c3a3e 100644 --- a/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts +++ b/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts @@ -93,7 +93,7 @@ describe('Timeline notes tab', () => { it('should render insight query from markdown', () => { addNotesToTimeline( - `!{insight{"description":"2 top level OR providers, 1 nested AND","label":"test insight", "providers": [[{ "field": "event.id", "value": "kibana.alert.original_event.id", "type": "parameter" }], [{ "field": "event.category", "value": "network", "type": "literal" }, {"field": "process.pid", "value": "process.pid", "type": "parameter"}]]}}` + `!{insight{"description":"2 top level OR providers, 1 nested AND","label":"test insight", "providers": [[{ "field": "event.id", "value": "kibana.alert.original_event.id", "queryType": "phrase", "excluded": "false" }], [{ "field": "event.category", "value": "network", "queryType": "phrase", "excluded": "false" }, {"field": "process.pid", "value": "process.pid", "queryType": "phrase", "excluded": "false"}]]}}` ); cy.get(MARKDOWN_INVESTIGATE_BUTTON).should('exist'); }); 
diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_actions.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_actions.tsx index 298b1e8650363..8da15356b1bcc 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_actions.tsx +++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_actions.tsx @@ -83,7 +83,7 @@ export const useHoverActions = ({ const values = useMemo(() => { const val = dataProvider.queryMatch.value; - if (typeof val === 'number') { + if (typeof val === 'number' || typeof val === 'boolean') { return val.toString(); } diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/index.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/index.ts index 8a76223bb290c..a567ef103c361 100644 --- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/index.ts @@ -23,6 +23,7 @@ export const { uiPlugins, parsingPlugins, processingPlugins } = { uiPlugins.push(timelineMarkdownPlugin.plugin); uiPlugins.push(osqueryMarkdownPlugin.plugin); +uiPlugins.push(insightMarkdownPlugin.plugin); parsingPlugins.push(insightMarkdownPlugin.parser); parsingPlugins.push(timelineMarkdownPlugin.parser); diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.test.tsx index 411c72d1d41af..def256d3efea6 100644 --- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.test.tsx 
@@ -69,7 +69,7 @@ describe('insight component renderer', () => { label={'test label'} description={'test description'} providers={ - '[[{"field":"event.id","value":"kibana.alert.original_event.id","type":"parameter"}],[{"field":"event.category","value":"network","type":"literal"},{"field":"process.pid","value":"process.pid","type":"parameter"}]]' + '[[{"field":"event.id","value":"{{kibana.alert.original_event.id}}","queryType":"phrase", "excluded": "false"}],[{"field":"event.category","value":"network","queryType":"phrase", "excluded": "false"}},{"field":"process.pid","value":"process.pid","queryType":"phrase", "excluded": "false", "valueType":"number"}}]]' } /> diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.tsx b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.tsx index 3ed9a8ab41f26..f31d7707ab4ee 100644 --- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.tsx 
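Review bot: The new `providers` string is not valid JSON — there is an extra `}` after `"excluded": "false"` in both the `event.category` and `process.pid` objects (`"false"}},{` and `"number"}}]]`) — so `JSON.parse` in the renderer throws and this test exercises the `addError` path rather than a rendered insight. Drop the stray braces so the fixture matches the shape the example in `helpText` uses. Separately, `"excluded": "false"` is a string here, in the Cypress note and in `exampleInsight`, while `buildPrimitiveProvider` emits a boolean `excluded`; if `useInsightDataProviders` checks it with a truthiness test the string form negates the clause — worth confirming against that hook, which is not in this hunk.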
@@ -5,23 +5,71 @@ * 2.0. */ +import { pickBy, isEmpty } from 'lodash'; import type { Plugin } from 'unified'; -import React, { useContext, useMemo } from 'react'; +import React, { useContext, useMemo, useCallback, useState } from 'react'; import type { RemarkTokenizer } from '@elastic/eui'; -import { EuiLoadingSpinner, EuiIcon } from '@elastic/eui'; +import { + EuiLoadingSpinner, + EuiIcon, + EuiSpacer, + EuiBetaBadge, + EuiCodeBlock, + EuiModalHeader, + EuiModalHeaderTitle, + EuiModalBody, + EuiModalFooter, + EuiButton, + EuiButtonEmpty, + EuiForm, + EuiFormRow, + EuiFieldText, + EuiSelect, + EuiFlexGroup, + EuiFlexItem, +} from '@elastic/eui'; +import numeral from '@elastic/numeral'; +import { css } from '@emotion/react'; +import type { EuiMarkdownEditorUiPluginEditorProps } from '@elastic/eui/src/components/markdown_editor/markdown_types'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; +import type { Filter } from '@kbn/es-query'; +import { + FILTERS, + isCombinedFilter, + isRangeFilter, + isPhraseFilter, + isPhrasesFilter, + isExistsFilter, + BooleanRelation, + FilterStateStore, +} from '@kbn/es-query'; +import type { PhraseFilterValue } from '@kbn/es-query/src/filters/build_filters'; +import { useForm, FormProvider, useController } from 'react-hook-form'; import { useAppToasts } from '../../../../hooks/use_app_toasts'; +import { useKibana } from '../../../../lib/kibana'; import { useInsightQuery } from './use_insight_query'; -import { useInsightDataProviders } from './use_insight_data_providers'; +import { useInsightDataProviders, type Provider } from './use_insight_data_providers'; import { BasicAlertDataContext } from '../../../event_details/investigation_guide_view'; import { InvestigateInTimelineButton } from '../../../event_details/table/investigate_in_timeline_button'; -import { getTimeRangeSettings } from '../../../../utils/default_date_settings'; 
+import { + getTimeRangeSettings, + parseDateWithDefault, + DEFAULT_FROM_MOMENT, + DEFAULT_TO_MOMENT, +} from '../../../../utils/default_date_settings'; import type { TimeRange } from '../../../../store/inputs/model'; +import { DEFAULT_TIMEPICKER_QUICK_RANGES } from '../../../../../../common/constants'; +import { useSourcererDataView } from '../../../../containers/sourcerer'; +import { SourcererScopeName } from '../../../../store/sourcerer/model'; interface InsightComponentProps { label?: string; description?: string; providers?: string; + relativeFrom?: string; + relativeTo?: string; } export const parser: Plugin = function () { 
@@ -95,8 +143,88 @@ export const parser: Plugin = function () { methods.splice(methods.indexOf('text'), 0, 'insight'); }; +const buildPrimitiveProvider = (filter: Filter): Provider => { + const field = filter.meta?.key ?? ''; + const excluded = filter.meta?.negate ?? false; + const queryType = filter.meta?.type ?? FILTERS.PHRASE; + const baseFilter = { + field, + excluded, + queryType, + }; + if (isRangeFilter(filter)) { + const gte = filter.query.range[field].gte; + const lt = filter.query.range[field].lt; + const value = JSON.stringify({ gte, lt }); + return { + ...baseFilter, + value, + queryType: filter.meta.type ?? FILTERS.RANGE, + }; + } else if (isPhrasesFilter(filter)) { + const typeOfParams: PhraseFilterValue = typeof filter.meta?.params[0]; + return { + ...baseFilter, + value: JSON.stringify(filter.meta?.params ?? []), + valueType: typeOfParams, + queryType: filter.meta.type ?? FILTERS.PHRASES, + }; + } else if (isExistsFilter(filter)) { + return { + ...baseFilter, + value: '', + queryType: filter.meta.type ?? FILTERS.EXISTS, + }; + } else if (isPhraseFilter(filter)) { + const valueType: PhraseFilterValue = typeof filter.meta?.params?.query; + return { + ...baseFilter, + value: filter.meta?.params?.query ?? '', + valueType, + queryType: filter.meta.type ?? 
FILTERS.PHRASE, + }; + } else { + return { + ...baseFilter, + value: '', + queryType: FILTERS.PHRASE, + }; + } +}; + +const filtersToInsightProviders = (filters: Filter[]): Provider[][] => { + const providers = []; + for (let index = 0; index < filters.length; index++) { + const filter = filters[index]; + if (isCombinedFilter(filter)) { + if (filter.meta.relation === BooleanRelation.AND) { + return filtersToInsightProviders(filter.meta?.params); + } else { + return filter.meta?.params.map((innerFilter) => { + if (isCombinedFilter(innerFilter)) { + return filtersToInsightProviders([innerFilter]).map(([provider]) => provider); + } else { + return [buildPrimitiveProvider(innerFilter)]; + } + }); + } + } else { + providers.push([buildPrimitiveProvider(filter)]); + } + } + return providers; +}; + +const resultFormat = '0,0.[000]a'; + // receives the configuration from the parser and renders -const InsightComponent = ({ label, description, providers }: InsightComponentProps) => { +const InsightComponent = ({ + label, + description, + providers, + relativeFrom, + relativeTo, +}: InsightComponentProps) => { const { addError } = useAppToasts(); let parsedProviders = []; try { 
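Review bot: In `filtersToInsightProviders` both branches under `isCombinedFilter(filter)` `return` from inside the `for` loop, so any primitive filters already pushed to `providers` and every filter after the first combined one are thrown away; for `[A, (B AND C), D]` only B and C survive. The combined branches should extend `providers` and fall through to the single `return providers` at the bottom. I have also not been able to confirm from this hunk that the AND branch's shape is right: it yields one row per operand (`[[B],[C]]`), which the Cypress description ("2 top level OR providers, 1 nested AND") reads as OR, so the intended result for an AND group is presumably one row `[[B, C]]` — please check against `useInsightDataProviders`.
```typescript
const filtersToInsightProviders = (filters: Filter[]): Provider[][] => {
  const providers: Provider[][] = [];
  for (const filter of filters) {
    if (isCombinedFilter(filter)) {
      if (filter.meta.relation === BooleanRelation.AND) {
        // TODO(review): confirm whether an AND group should be a single row instead
        providers.push(...filtersToInsightProviders(filter.meta.params));
      } else {
        providers.push(
          ...filter.meta.params.map((innerFilter) =>
            isCombinedFilter(innerFilter)
              ? filtersToInsightProviders([innerFilter]).map(([provider]) => provider)
              : [buildPrimitiveProvider(innerFilter)]
          )
        );
      }
    } else {
      providers.push([buildPrimitiveProvider(filter)]);
    }
  }
  return providers;
};
```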
@@ -111,15 +239,28 @@ const InsightComponent = ({ label, description, providers }: InsightComponentPro }); } const { data: alertData } = useContext(BasicAlertDataContext); - const dataProviders = useInsightDataProviders({ + const { dataProviders, filters } = useInsightDataProviders({ providers: parsedProviders, alertData, }); const { totalCount, isQueryLoading, oldestTimestamp, hasError } = useInsightQuery({ dataProviders, + filters, }); const timerange: TimeRange = useMemo(() => { - if (oldestTimestamp != null) { + if (relativeFrom && relativeTo) { + const fromStr = relativeFrom; + const toStr = relativeTo; + const from = parseDateWithDefault(fromStr, DEFAULT_FROM_MOMENT).toISOString(); + const to = parseDateWithDefault(toStr, DEFAULT_TO_MOMENT, true).toISOString(); + return { + kind: 'relative', + from, + to, + fromStr, + toStr, + }; + } else if (oldestTimestamp != null) { return { kind: 'absolute', from: oldestTimestamp, @@ -135,24 +276,300 @@ const InsightComponent = ({ label, description, providers }: InsightComponentPro toStr, }; } - }, [oldestTimestamp]); + }, [oldestTimestamp, relativeFrom, relativeTo]); if (isQueryLoading) { return ; } else { return ( - - - {` ${label} (${totalCount}) - ${description}`} - + <> + + + {` ${label} (${numeral(totalCount).format(resultFormat)})`} + +
{description}
+ ); } }; export { InsightComponent as renderer }; + +const InsightEditorComponent = ({ + node, + onSave, + onCancel, +}: EuiMarkdownEditorUiPluginEditorProps) => { + const isEditMode = node != null; + const { sourcererDataView, indexPattern } = useSourcererDataView(SourcererScopeName.default); + const { + unifiedSearch: { + ui: { FiltersBuilderLazy }, + }, + uiSettings, + } = useKibana().services; + const [providers, setProviders] = useState([[]]); + const dateRangeChoices = useMemo(() => { + const settings: Array<{ from: string; to: string; display: string }> = uiSettings.get( + DEFAULT_TIMEPICKER_QUICK_RANGES + ); + const emptyValue = { value: '0', text: '' }; + return [ + emptyValue, + ...settings.map(({ display }, index) => { + return { + value: String(index), + text: display, + }; + }), + ]; + }, [uiSettings]); + const kibanaDataProvider = useMemo(() => { + return { + ...sourcererDataView, + fields: sourcererDataView?.indexFields, + } as DataView; + }, [sourcererDataView]); + const formMethods = useForm<{ + label: string; + description: string; + relativeTimerange?: string; + }>({ + defaultValues: { + label: node?.label, + description: node?.description, + relativeTimerange: node?.relativeTimerange || '0', + }, + shouldUnregister: true, + }); + + const labelController = useController({ name: 'label', control: formMethods.control }); + const descriptionController = useController({ + name: 'description', + control: formMethods.control, + }); + const relativeTimerangeController = useController({ + name: 'relativeTimerange', + control: formMethods.control, + }); + + const getTimeRangeSelection = useCallback( + (selection?: string) => { + const selectedOption = dateRangeChoices.find((option) => { + return option.value === selection; + }); + if (selectedOption && selectedOption.value !== '0') { + const settingsIndex = Number(selectedOption.value); + const settings: Array<{ from: string; to: string; display: string }> = uiSettings.get( + 
DEFAULT_TIMEPICKER_QUICK_RANGES + ); + return { + relativeFrom: settings[settingsIndex].from, + relativeTo: settings[settingsIndex].to, + }; + } else { + return {}; + } + }, + [dateRangeChoices, uiSettings] + ); + + const onSubmit = useCallback(() => { + onSave( + `!{insight${JSON.stringify( + pickBy( + { + label: labelController.field.value, + description: descriptionController.field.value, + providers, + ...getTimeRangeSelection(relativeTimerangeController.field.value), + }, + (value) => !isEmpty(value) + ) + )}}`, + { + block: true, + } + ); + }, [ + onSave, + providers, + labelController.field.value, + descriptionController.field.value, + relativeTimerangeController.field.value, + getTimeRangeSelection, + ]); + + const onChange = useCallback((filters: Filter[]) => { + setProviders(filtersToInsightProviders(filters)); + }, []); + const selectOnChange = useCallback( + (event) => { + relativeTimerangeController.field.onChange(event.target.value); + }, + [relativeTimerangeController.field] + ); + const filtersStub = useMemo(() => { + const index = indexPattern && indexPattern.getName ? indexPattern.getName() : '*'; + return [ + { + $state: { + store: FilterStateStore.APP_STATE, + }, + meta: { + disabled: false, + negate: false, + alias: null, + index, + }, + }, + ]; + }, [indexPattern]); + return ( + <> + + + + + {isEditMode ? ( + + ) : ( + + )} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + {i18n.translate('xpack.securitySolution.markdown.insight.modalCancelButtonLabel', { + defaultMessage: 'Cancel', + })} + + + {isEditMode ? 
( + + ) : ( + + )} + + + + ); +}; + +const InsightEditor = React.memo(InsightEditorComponent); +const exampleInsight = `!{insight{ + "label": "Test action", + "description": "Click to investigate", + "providers": [ + [ + {"field": "event.id", "value": "{{kibana.alert.original_event.id}}", "queryType": "phrase", "excluded": "false"} + ], + [ + {"field": "event.action", "value": "", "queryType": "exists", "excluded": "false"}, + {"field": "process.pid", "value": "{{process.pid}}", "queryType": "phrase", "excluded":"false"} + ] + ] +}}`; + +export const plugin = { + name: 'insights', + button: { + label: 'Insights', + iconType: 'aggregate', + }, + helpText: ( +
+ + {exampleInsight} + + +
+ ),
+ editor: InsightEditor,
+};
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/replace_params_query.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/replace_params_query.ts
new file mode 100644
index 0000000000000..72765e1fa2cab
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/replace_params_query.ts
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { each } from 'lodash';
+import type { TimelineEventsDetailsItem } from '../../../../../../common/search_strategy';
+
+export const replaceParamsQuery = (
+ query: string | number | boolean,
+ data?: TimelineEventsDetailsItem[] | null
+) => {
+ if (typeof query === 'number' || typeof query === 'boolean') {
+ return {
+ result: query,
+ skipped: true,
+ matchedBrackets: null,
+ };
+ }
+ const regex = /\{{([^}]+)\}}/g;
+ const matchedBrackets = query.match(regex);
+ let resultQuery = query;
+
+ if (matchedBrackets && data) {
+ each(matchedBrackets, (bracesText: string) => {
+ const field = bracesText.replace(/{{|}}/g, '').trim();
+ if (resultQuery.includes(bracesText)) {
+ const foundField = data.find(({ field: alertField }) => alertField === field);
+ if (foundField && foundField.values) {
+ const {
+ values: [foundFieldValue],
+ } = foundField;
+ resultQuery = resultQuery.replace(bracesText, foundFieldValue);
+ }
+ }
+ });
+ }
+
+ const skipped = regex.test(resultQuery);
+
+ return {
+ result: resultQuery,
+ skipped,
+ matchedBrackets,
+ };
+};
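Review bot: `resultQuery.replace(bracesText, foundFieldValue)` in the new replaceParamsQuery passes the alert field value as a replacement *string*, so String.prototype.replace interprets `$` sequences in it (`$&`, `$'`, `$$`) instead of inserting the value verbatim; alert field values are event data, so a value containing such a sequence would silently corrupt the substituted query. A replacer function inserts the value literally: `resultQuery = resultQuery.replace(bracesText, () => foundFieldValue);`. Note also that `skipped` is recomputed with `regex.test` on the substituted text, so a substituted value that itself contains `{{…}}` marks the whole query as skipped; a short TSDoc on the export stating that `skipped` means "unresolved `{{field}}` placeholders remain (or the query was not a string)" would make that contract explicit for callers.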
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts index 8542c445b5d14..9ab25b00eabd3 100644 --- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts +++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts @@ -5,10 +5,12 @@ * 2.0. */ import { renderHook } from '@testing-library/react-hooks'; -import type { DataProvider } from '@kbn/timelines-plugin/common'; import type { UseInsightDataProvidersProps, Provider } from './use_insight_data_providers'; import type { TimelineEventsDetailsItem } from '../../../../../../common/search_strategy'; -import { useInsightDataProviders } from './use_insight_data_providers'; +import { + useInsightDataProviders, + type UseInsightDataProvidersResult, +} from './use_insight_data_providers'; import { mockAlertDetailsData } from '../../../event_details/__mocks__'; const mockAlertDetailsDataWithIsObject = mockAlertDetailsData.map((detail) => { 
@@ -18,115 +20,152 @@ const mockAlertDetailsDataWithIsObject = mockAlertDetailsData.map((detail) => { }; }) as TimelineEventsDetailsItem[]; -const nestedAndProvider = [ +const nestedAndProvider: Provider[][] = [ [ { field: 'event.id', - value: 'kibana.alert.rule.uuid', - type: 'parameter', + value: '{{kibana.alert.rule.uuid}}', + queryType: 'phrase', + excluded: false, }, ], [ { field: 'event.category', value: 'network', - type: 'literal', + queryType: 'phrase', + excluded: false, }, { field: 'process.pid', - value: 'process.pid', - type: 'parameter', + value: '{{process.pid}}', + queryType: 'phrase', + excluded: false, }, ], -] as Provider[][]; +]; const topLevelOnly = [ [ { field: 'event.id', - value: 'kibana.alert.rule.uuid', - type: 'parameter', + value: '{{kibana.alert.rule.uuid}}', + queryType: 'phrase', + excluded: false, }, ], [ { field: 'event.category', value: 'network', - type: 'literal', + queryType: 'phrase', + excluded: false, }, ], [ { field: 'process.pid', - value: 'process.pid', - type: 'parameter', + value: 1000, + valueType: 'number', + queryType: 'phrase', + excluded: false, }, ], -] as Provider[][]; +]; -const nonExistantField = [ +const nonExistantField: Provider[][] = [ [ { field: 'event.id', - value: 'kibana.alert.rule.parameters.threshold.field', - type: 'parameter', + value: '{{kibana.alert.rule.parameters.threshold.field}}', + excluded: false, + queryType: 'phrase', }, ], -] as Provider[][]; +]; + +const providerWithRange: Provider[][] = [ + [ + { + field: 'event.id', + value: '', + excluded: false, + queryType: 'exists', + }, + { + field: 'event.id', + value: '{"gte":0,"lt":100}', + excluded: false, + queryType: 'range', + }, + ], +]; describe('useInsightDataProviders', () => { it('should return 2 data providers, 1 with a nested provider ANDed to it', () => { - const { result } = renderHook(() => + const { result } = renderHook(() => useInsightDataProviders({ providers: nestedAndProvider, alertData: mockAlertDetailsDataWithIsObject, }) 
); - const providers = result.current; + const { dataProviders: providers, filters } = result.current; const providersWithNonEmptyAnd = providers.filter((provider) => provider.and.length > 0); expect(providers.length).toBe(2); expect(providersWithNonEmptyAnd.length).toBe(1); + expect(filters.length).toBe(0); }); it('should return 3 data providers without any containing nested ANDs', () => { - const { result } = renderHook(() => + const { result } = renderHook(() => useInsightDataProviders({ providers: topLevelOnly, alertData: mockAlertDetailsDataWithIsObject, }) ); - const providers = result.current; + const { dataProviders: providers } = result.current; const providersWithNonEmptyAnd = providers.filter((provider) => provider.and.length > 0); expect(providers.length).toBe(3); expect(providersWithNonEmptyAnd.length).toBe(0); }); - it('should use a wildcard for a field not present in an alert', () => { - const { result } = renderHook(() => + it('should use the string literal if no field in the alert matches a bracketed value', () => { + const { result } = renderHook(() => useInsightDataProviders({ providers: nonExistantField, alertData: mockAlertDetailsDataWithIsObject, }) ); - const providers = result.current; + const { dataProviders: providers } = result.current; const { queryMatch: { value }, } = providers[0]; expect(providers.length).toBe(1); - expect(value).toBe('*'); + expect(value).toBe('{{kibana.alert.rule.parameters.threshold.field}}'); }); it('should use template data providers when called without alertData', () => { - const { result } = renderHook(() => + const { result } = renderHook(() => useInsightDataProviders({ providers: nestedAndProvider, }) ); - const providers = result.current; + const { dataProviders: providers } = result.current; const [first, second] = providers; const [nestedSecond] = second.and; expect(second.type).toBe('default'); expect(first.type).toBe('template'); expect(nestedSecond.type).toBe('template'); }); + + it('should return an 
empty array of dataProviders and populated filters if a provider contains a range type', () => {
+ const { result } = renderHook(() =>
+ useInsightDataProviders({
+ providers: providerWithRange,
+ })
+ );
+ const { dataProviders: providers, filters } = result.current;
+ expect(providers.length).toBe(0);
+ expect(filters.length > providers.length);
+ });
 });
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts
index 5c5de496b04b5..97bd073bd8be3 100644
--- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts
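Review bot: `expect(filters.length > providers.length);` in the new range-type test has no matcher, so it can never fail and the test only proves that `dataProviders` is empty. Write `expect(filters.length).toBeGreaterThan(providers.length);`, or pin the shape the hook builds for `providerWithRange` (one outer provider with two inner ones) with `expect(filters).toHaveLength(1);` and a check on `filters[0].meta.type`. The test also only exercises the range path without `alertData`; a second case passing `mockAlertDetailsDataWithIsObject` would cover the branch where `buildFiltersFromInsightProviders` receives alert data.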
@@ -6,109 +6,241 @@ */ import { useMemo } from 'react'; +import type { Filter } from '@kbn/es-query'; +import { FILTERS, BooleanRelation, FilterStateStore } from '@kbn/es-query'; import type { QueryOperator, DataProvider } from '@kbn/timelines-plugin/common'; import { DataProviderType } from '@kbn/timelines-plugin/common'; -import { IS_OPERATOR } from '../../../../../timelines/components/timeline/data_providers/data_provider'; +import { replaceParamsQuery } from './replace_params_query'; import type { TimelineEventsDetailsItem } from '../../../../../../common/search_strategy'; +import { + EXISTS_OPERATOR, + IS_OPERATOR, + IS_ONE_OF_OPERATOR, +} from '../../../../../timelines/components/timeline/data_providers/data_provider'; export interface Provider { field: string; - value: string; - type: 'parameter' | 'value'; + excluded: boolean; + queryType: string; + value: string | number | boolean; + valueType?: string; } export interface UseInsightDataProvidersProps { providers: Provider[][]; alertData?: TimelineEventsDetailsItem[] | null; } +export interface UseInsightDataProvidersResult { + dataProviders: DataProvider[]; + filters: Filter[]; +} + +const dataProviderQueryType = (type: string): QueryOperator => { + if (type === FILTERS.EXISTS) { + return EXISTS_OPERATOR; + } else if (type === FILTERS.PHRASES) { + return IS_ONE_OF_OPERATOR; + } else { + return IS_OPERATOR; + } +}; + +const buildDataProviders = ( + providers: Provider[][], + alertData?: TimelineEventsDetailsItem[] | null +): DataProvider[] => { + return providers.map((innerProvider) => { + return innerProvider.reduce((prev, next, index): DataProvider => { + const { field, value, excluded, queryType } = next; + const { result, matchedBrackets } = replaceParamsQuery(value, alertData); + const isTemplate = !alertData && matchedBrackets; + if (index === 0) { + return { + and: [], + enabled: true, + id: JSON.stringify(field + value), + name: field, + excluded, + kqlQuery: '', + type: isTemplate ? 
DataProviderType.template : DataProviderType.default, + queryMatch: { + field, + value: result, + operator: dataProviderQueryType(queryType), + }, + }; + } else { + const newProvider = { + and: [], + enabled: true, + id: JSON.stringify(field + value), + name: field, + excluded, + kqlQuery: '', + type: isTemplate ? DataProviderType.template : DataProviderType.default, + queryMatch: { + field, + value: result, + operator: dataProviderQueryType(queryType), + }, + }; + prev.and.push(newProvider); + } + return prev; + }, {} as DataProvider); + }); +}; +const filterStub = { + $state: { + store: FilterStateStore.APP_STATE, + }, + meta: { + disabled: false, + negate: false, + alias: null, + index: undefined, + }, +}; +const buildPrimitiveFilter = (provider: Provider): Filter => { + const baseFilter = { + ...filterStub, + meta: { + ...filterStub.meta, + negate: provider.excluded, + type: provider.queryType, + }, + }; + if (provider.queryType === FILTERS.EXISTS) { + return { + ...baseFilter, + meta: { + ...baseFilter.meta, + params: undefined, + value: 'exists', + }, + query: { exists: { field: provider.field } }, + }; + } else if (provider.queryType === FILTERS.PHRASES) { + let values = JSON.parse(String(provider.value)); + if (provider.valueType === 'number') { + values = values.map(Number); + } else if (provider.valueType === 'boolean') { + values = values.map(Boolean); + } + return { + ...baseFilter, + meta: { + ...baseFilter.meta, + }, + query: { + bool: { + minimum_should_match: 1, + should: values?.map((param: string | number | boolean) => ({ + match_phrase: { [provider.field]: param }, + })), + }, + }, + }; + } else if (provider.queryType === FILTERS.PHRASE) { + return { + ...baseFilter, + meta: { + ...baseFilter.meta, + params: { query: provider.value }, + value: undefined, + }, + query: { match_phrase: { [provider.field]: provider.value ?? 
'' } }, + }; + } else if (provider.queryType === FILTERS.RANGE) { + let gte; + let lt; + try { + const input = JSON.parse(String(provider.value)); + gte = input.gte; + lt = input.lt; + } catch { + gte = ''; + lt = ''; + } + const params = { + gte, + lt, + }; + return { + ...baseFilter, + meta: { + ...baseFilter.meta, + params, + }, + query: { + range: { + [provider.field]: params, + }, + }, + }; + } else { + return baseFilter; + } +}; + +const buildFiltersFromInsightProviders = ( + providers: Provider[][], + alertData?: TimelineEventsDetailsItem[] | null +): Filter[] => { + const filters: Filter[] = []; + for (let index = 0; index < providers.length; index++) { + const provider = providers[index]; + if (provider.length > 1) { + // Only support 1 level of nesting currently + const innerProviders = provider.map((innerProvider) => { + return buildPrimitiveFilter(innerProvider); + }); + const combinedFilter = { + $state: { + store: FilterStateStore.APP_STATE, + }, + meta: { + type: FILTERS.COMBINED, + relation: BooleanRelation.AND, + params: innerProviders, + index: undefined, + disabled: false, + negate: false, + }, + }; + filters.push(combinedFilter); + } else { + const baseProvider = provider[0]; + + const baseFilter = buildPrimitiveFilter(baseProvider); + filters.push(baseFilter); + } + } + return filters; +}; + export const useInsightDataProviders = ({ providers, alertData, -}: UseInsightDataProvidersProps): DataProvider[] => { - function getFieldValue(fields: TimelineEventsDetailsItem[], fieldToFind: string) { - const alertField = fields.find((dataField) => dataField.field === fieldToFind); - return alertField?.values ? 
alertField.values[0] : '*'; - } +}: UseInsightDataProvidersProps): UseInsightDataProvidersResult => { + const providersContainRangeQuery = useMemo(() => { + return providers.some((innerProvider) => { + return innerProvider.some((provider) => provider.queryType === 'range'); + }); + }, [providers]); const dataProviders: DataProvider[] = useMemo(() => { - if (alertData) { - return providers.map((innerProvider) => { - return innerProvider.reduce((prev, next, index): DataProvider => { - const { field, value, type } = next; - if (index === 0) { - return { - and: [], - enabled: true, - id: JSON.stringify(field + value + type), - name: field, - excluded: false, - kqlQuery: '', - type: DataProviderType.default, - queryMatch: { - field, - value: type === 'parameter' ? getFieldValue(alertData, value) : value, - operator: IS_OPERATOR as QueryOperator, - }, - }; - } else { - const newProvider = { - and: [], - enabled: true, - id: JSON.stringify(field + value + type), - name: field, - excluded: false, - kqlQuery: '', - type: DataProviderType.default, - queryMatch: { - field, - value: type === 'parameter' ? getFieldValue(alertData, value) : value, - operator: IS_OPERATOR as QueryOperator, - }, - }; - prev.and.push(newProvider); - } - return prev; - }, {} as DataProvider); - }); + if (providersContainRangeQuery) { + return []; } else { - return providers.map((innerProvider) => { - return innerProvider.reduce((prev, next, index) => { - const { field, value, type } = next; - if (index === 0) { - return { - and: [], - enabled: true, - id: JSON.stringify(field + value + type), - name: field, - excluded: false, - kqlQuery: '', - type: type === 'parameter' ? DataProviderType.template : DataProviderType.default, - queryMatch: { - field, - value: type === 'parameter' ? 
`{${value}}` : value, - operator: IS_OPERATOR as QueryOperator, - }, - }; - } else { - const newProvider = { - and: [], - enabled: true, - id: JSON.stringify(field + value + type), - name: field, - excluded: false, - kqlQuery: '', - type: type === 'parameter' ? DataProviderType.template : DataProviderType.default, - queryMatch: { - field, - value: type === 'parameter' ? `{${value}}` : value, - operator: IS_OPERATOR as QueryOperator, - }, - }; - prev.and.push(newProvider); - } - return prev; - }, {} as DataProvider); - }); + return buildDataProviders(providers, alertData); + } + }, [alertData, providers, providersContainRangeQuery]); + const filters = useMemo(() => { + if (!providersContainRangeQuery) { + return []; + } else { + return buildFiltersFromInsightProviders(providers, alertData); } - }, [alertData, providers]); - return dataProviders; + }, [providersContainRangeQuery, providers, alertData]); + return { dataProviders, filters }; }; diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts index 74942f0f4ad38..eecab538e9c2b 100644 --- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts +++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts @@ -33,6 +33,7 @@ describe('useInsightQuery', () => { () => useInsightQuery({ dataProviders: [mockProvider], + filters: [], }), { wrapper: TestProviders, diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts index e7836cd6cd3ad..7d8a09d134c8c 100644 
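Review bot: The `FILTERS.PHRASES` branch of buildPrimitiveFilter calls `JSON.parse(String(provider.value))` without the try/catch that the `FILTERS.RANGE` branch has, and then calls `.map` on the result, so a malformed or non-array value (provider values originate from the insight markdown text, not from code) throws out of the `useMemo` in useInsightDataProviders and breaks rendering of the whole note instead of producing an empty filter. Guard it the same way as the range branch and only accept an array, as below. In the range branch, `gte`/`lt` are taken from the parsed JSON unvalidated and placed directly into the `range` query; checking that each is a `string | number` before use would keep the filter well-formed for Elasticsearch. Separately, `values.map(Boolean)` turns any non-empty string (including `'false'`) into `true`, which is presumably not intended if the phrases list is authored as strings — worth confirming what the editor writes for `valueType: 'boolean'`.
```typescript
  } else if (provider.queryType === FILTERS.PHRASES) {
    // Provider values come from markdown text: tolerate bad JSON the same way the range branch does.
    let values: Array<string | number | boolean> = [];
    try {
      const parsed: unknown = JSON.parse(String(provider.value));
      values = Array.isArray(parsed) ? parsed : [];
    } catch {
      values = [];
    }
    if (provider.valueType === 'number') {
      values = values.map(Number);
    } else if (provider.valueType === 'boolean') {
      values = values.map(Boolean);
    }
    // … unchanged: bool/should match_phrase filter construction …
```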
--- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts +++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts @@ -6,6 +6,7 @@ */ import { useMemo, useState } from 'react'; +import type { Filter } from '@kbn/es-query'; import { getEsQueryConfig } from '@kbn/data-plugin/common'; import type { DataProvider } from '@kbn/timelines-plugin/common'; import { TimelineId } from '../../../../../../common/types/timeline'; @@ -17,6 +18,7 @@ import { SourcererScopeName } from '../../../../store/sourcerer/model'; export interface UseInsightQuery { dataProviders: DataProvider[]; + filters: Filter[]; } export interface UseInsightQueryResult { @@ -26,7 +28,10 @@ export interface UseInsightQueryResult { hasError: boolean; } -export const useInsightQuery = ({ dataProviders }: UseInsightQuery): UseInsightQueryResult => { +export const useInsightQuery = ({ + dataProviders, + filters, +}: UseInsightQuery): UseInsightQueryResult => { const { uiSettings } = useKibana().services; const esQueryConfig = useMemo(() => getEsQueryConfig(uiSettings), [uiSettings]); const { browserFields, selectedPatterns, indexPattern, dataViewId } = useSourcererDataView( @@ -41,7 +46,7 @@ export const useInsightQuery = ({ dataProviders }: UseInsightQuery): UseInsightQ dataProviders, indexPattern, browserFields, - filters: [], + filters, kqlQuery: { query: '', language: 'kuery', @@ -54,7 +59,7 @@ export const useInsightQuery = ({ dataProviders }: UseInsightQuery): UseInsightQ setHasError(true); return null; } - }, [browserFields, dataProviders, esQueryConfig, hasError, indexPattern]); + }, [browserFields, dataProviders, esQueryConfig, hasError, indexPattern, filters]); const [isQueryLoading, { events, totalCount }] = useTimelineEvents({ dataViewId, 
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx index 5c6b108736844..1bf4b83608c66 100644 --- a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx +++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx @@ -446,6 +446,7 @@ export const useSourcererDataView = ( selectedPatterns, // if we have to do an update to data view, tell us which patterns are active ...(legacyPatterns.length > 0 ? { activePatterns: sourcererDataView.patternList } : {}), + sourcererDataView, }), [sourcererDataView, selectedPatterns, indicesExist, loading, legacyPatterns.length] ); diff --git a/x-pack/plugins/security_solution/public/common/lib/kuery/index.ts b/x-pack/plugins/security_solution/public/common/lib/kuery/index.ts index c7f287bcac608..e21a5a519fc51 100644 --- a/x-pack/plugins/security_solution/public/common/lib/kuery/index.ts +++ b/x-pack/plugins/security_solution/public/common/lib/kuery/index.ts @@ -18,6 +18,12 @@ import type { BrowserFields } from '../../../../common/search_strategy'; import type { DataProvider, DataProvidersAnd } from '../../../../common/types'; import { DataProviderType, EXISTS_OPERATOR } from '../../../../common/types'; +export type PrimitiveOrArrayOfPrimitives = + | string + | number + | boolean + | Array; + export interface CombineQueries { config: EsQueryConfig; dataProviders: DataProvider[]; @@ -29,8 +35,8 @@ export interface CombineQueries { } export const escapeQueryValue = ( - val: string | number | Array = '' -): string | number | Array => { + val: PrimitiveOrArrayOfPrimitives = '' +): PrimitiveOrArrayOfPrimitives => { if (isString(val)) { if (isEmpty(val)) { return '""'; 
@@ -68,12 +74,13 @@ export const convertKueryToElasticSearchQuery = ( } }; -const isNumber = (value: string | number | Array) => !isNaN(Number(value)); +export const isNumber = (value: PrimitiveOrArrayOfPrimitives): value is number => + !isNaN(Number(value)); -const convertDateFieldToQuery = (field: string, value: string | number | Array) => +export const convertDateFieldToQuery = (field: string, value: PrimitiveOrArrayOfPrimitives) => `${field}: ${isNumber(value) ? value : new Date(value.toString()).valueOf()}`; -const getBaseFields = memoizeOne((browserFields: BrowserFields): string[] => { +export const getBaseFields = memoizeOne((browserFields: BrowserFields): string[] => { const baseFields = get('base', browserFields); if (baseFields != null && baseFields.fields != null) { return Object.keys(baseFields.fields); @@ -81,7 +88,7 @@ const getBaseFields = memoizeOne((browserFields: BrowserFields): string[] => { return []; }); -const getBrowserFieldPath = (field: string, browserFields: BrowserFields) => { +export const getBrowserFieldPath = (field: string, browserFields: BrowserFields) => { const splitFields = field.split('.'); const baseFields = getBaseFields(browserFields); if (baseFields.includes(field)) { @@ -90,7 +97,7 @@ const getBrowserFieldPath = (field: string, browserFields: BrowserFields) => { return [splitFields[0], 'fields', field]; }; -const checkIfFieldTypeIsDate = (field: string, browserFields: BrowserFields) => { +export const checkIfFieldTypeIsDate = (field: string, browserFields: BrowserFields) => { const pathBrowserField = getBrowserFieldPath(field, browserFields); const browserField = get(pathBrowserField, browserFields); if (browserField != null && browserField.type === 'date') { 
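Review bot: `isNumber` is now exported as a type predicate (`value is number`) but its body is still `!isNaN(Number(value))`, which is true for numeric strings, `''`, `true`/`false`, `[]` and single-element arrays; callers that rely on the narrowing will treat those values as `number` while at runtime they are not. The original behaviour of `convertDateFieldToQuery` (numeric strings pass through unchanged rather than going through `new Date(...)`) depends on this loose check, so the safest fix that keeps behaviour is to drop the predicate: `export const isNumber = (value: PrimitiveOrArrayOfPrimitives): boolean => !isNaN(Number(value));`. If a real predicate is wanted for the new external callers, add a separate `typeof value === 'number' && !isNaN(value)` helper rather than making this one lie. A one-line TSDoc on the export saying that it answers "is numeric-looking" rather than "is a number" would also prevent the next caller from assuming narrowing.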
@@ -99,9 +106,9 @@ const checkIfFieldTypeIsDate = (field: string, browserFields: BrowserFields) => return false; }; -const convertNestedFieldToQuery = ( +export const convertNestedFieldToQuery = ( field: string, - value: string | number | Array, + value: PrimitiveOrArrayOfPrimitives, browserFields: BrowserFields ) => { const pathBrowserField = getBrowserFieldPath(field, browserFields); @@ -111,7 +118,7 @@ const convertNestedFieldToQuery = ( return `${nestedPath}: { ${key}: ${browserField.type === 'date' ? `"${value}"` : value} }`; }; -const convertNestedFieldToExistQuery = (field: string, browserFields: BrowserFields) => { +export const convertNestedFieldToExistQuery = (field: string, browserFields: BrowserFields) => { const pathBrowserField = getBrowserFieldPath(field, browserFields); const browserField = get(pathBrowserField, browserFields); const nestedPath = browserField.subType.nested.path; @@ -119,7 +126,7 @@ const convertNestedFieldToExistQuery = (field: string, browserFields: BrowserFie return `${nestedPath}: { ${key}: * }`; }; -const checkIfFieldTypeIsNested = (field: string, browserFields: BrowserFields) => { +export const checkIfFieldTypeIsNested = (field: string, browserFields: BrowserFields) => { const pathBrowserField = getBrowserFieldPath(field, browserFields); const browserField = get(pathBrowserField, browserFields); if (browserField != null && browserField.subType && browserField.subType.nested) { diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts index e4d16f2079dba..71f78bbd29aaa 100644 --- a/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts +++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts 
@@ -93,6 +93,7 @@ export interface SelectedDataView { selectedPatterns: SourcererScope['selectedPatterns']; // active patterns when dataViewId == null activePatterns?: string[]; + sourcererDataView?: SourcererDataView | (Omit & { id: string | null }); } /** diff --git a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_combobox_input.tsx b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_combobox_input.tsx index 0be933113e99c..ca20e12aa3fe9 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_combobox_input.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_combobox_input.tsx @@ -10,12 +10,13 @@ import React, { useState, useEffect, useCallback } from 'react'; import type { EuiComboBoxOptionOption } from '@elastic/eui'; import { EuiComboBox } from '@elastic/eui'; -import { isStringOrNumberArray } from '../../timeline/helpers'; +import { isPrimitiveArray } from '../../timeline/helpers'; +import type { PrimitiveOrArrayOfPrimitives } from '../../../../common/lib/kuery'; import * as i18n from '../translations'; interface ControlledDataProviderInput { onChangeCallback: (value: string | number | string[]) => void; - value: string | number | Array; + value: PrimitiveOrArrayOfPrimitives; } export const ControlledComboboxInput = ({ @@ -71,9 +72,9 @@ export const ControlledComboboxInput = ({ }; export const convertValuesToComboboxValueArray = ( - values: string | number | Array + values: PrimitiveOrArrayOfPrimitives ): EuiComboBoxOptionOption[] => - isStringOrNumberArray(values) ? values.map((item) => ({ label: String(item) })) : []; + isPrimitiveArray(values) ? values.map((item) => ({ label: String(item) })) : []; export const convertComboboxValuesToStringArray = (values: EuiComboBoxOptionOption[]): string[] => values.map((item) => item.label); 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_default_input.tsx b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_default_input.tsx index 9734e1c51de1f..065ea950e46fe 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_default_input.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/components/controlled_default_input.tsx @@ -9,13 +9,14 @@ import React, { useState, useEffect, useCallback } from 'react'; import { EuiFieldText } from '@elastic/eui'; -import { isStringOrNumberArray } from '../../timeline/helpers'; +import { isPrimitiveArray } from '../../timeline/helpers'; +import type { PrimitiveOrArrayOfPrimitives } from '../../../../common/lib/kuery'; import { sanatizeValue } from '../helpers'; import * as i18n from '../translations'; interface ControlledDataProviderInput { onChangeCallback: (value: string | number | string[]) => void; - value: string | number | Array; + value: PrimitiveOrArrayOfPrimitives; } const VALUE_INPUT_CLASS_NAME = 'edit-data-provider-value'; @@ -24,7 +25,9 @@ export const ControlledDefaultInput = ({ value, onChangeCallback, }: ControlledDataProviderInput) => { - const [primitiveValue, setPrimitiveValue] = useState(getDefaultValue(value)); + const [primitiveValue, setPrimitiveValue] = useState( + getDefaultValue(value) + ); useEffect(() => { onChangeCallback(sanatizeValue(primitiveValue)); @@ -44,10 +47,8 @@ export const ControlledDefaultInput = ({ ); }; -export const getDefaultValue = ( - value: string | number | Array -): string | number => { - if (isStringOrNumberArray(value)) { +export const getDefaultValue = (value: PrimitiveOrArrayOfPrimitives): string | number | boolean => { + if (isPrimitiveArray(value)) { return value[0] ?? ''; } else return value; }; 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/helpers.tsx index c2ad001dde1a6..8380bedce65c3 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/helpers.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/helpers.tsx @@ -126,9 +126,8 @@ export const getExcludedFromSelection = (selectedOperator: EuiComboBoxOptionOpti }; /** Ensure that a value passed to ControlledDefaultInput is not an array */ -export const sanatizeValue = (value: string | number | unknown[]): string => { +export const sanatizeValue = (value: string | number | boolean | unknown[]): string => { if (Array.isArray(value)) { - // fun fact: value should never be an array return value.length ? `${value[0]}` : ''; } return `${value}`; diff --git a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/index.tsx index 29b78e73f7b96..271ee58d2c9f6 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/edit_data_provider/index.tsx @@ -21,6 +21,7 @@ import React, { useEffect, useMemo, useState, useCallback } from 'react'; import styled from 'styled-components'; import type { BrowserFields } from '../../../common/containers/source'; +import type { PrimitiveOrArrayOfPrimitives } from '../../../common/lib/kuery'; import type { OnDataProviderEdited } from '../timeline/events'; import type { QueryOperator } from '../timeline/data_providers/data_provider'; import { DataProviderType } from '../timeline/data_providers/data_provider'; 
@@ -57,7 +58,7 @@ interface Props { operator: QueryOperator; providerId: string; timelineId: string; - value: string | number | Array; + value: PrimitiveOrArrayOfPrimitives; type?: DataProviderType; } @@ -92,9 +93,7 @@ export const StatefulEditDataProvider = React.memo( getInitialOperatorLabel(isExcluded, operator) ); - const [updatedValue, setUpdatedValue] = useState>( - value - ); + const [updatedValue, setUpdatedValue] = useState(value); const showComboBoxInput = useMemo( () => diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/data_provider.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/data_provider.ts index 204583c9eabaa..3ed66744c760f 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/data_provider.ts +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/data_provider.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ - +import type { PrimitiveOrArrayOfPrimitives } from '../../../../common/lib/kuery'; /** Represents the Timeline data providers */ /** The `is` operator in a KQL query */ @@ -27,8 +27,8 @@ export enum DataProviderType { export interface QueryMatch { field: string; displayField?: string; - value: string | number | Array; - displayValue?: string | number; + value: PrimitiveOrArrayOfPrimitives; + displayValue?: string | number | boolean; operator: QueryOperator; } diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/helpers.tsx index 03bd1d84c9708..5567e88cb05bc 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/helpers.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/helpers.tsx 
@@ -10,7 +10,8 @@ import type { DraggableLocation } from 'react-beautiful-dnd'; import type { Dispatch } from 'redux'; import { updateProviders } from '../../../store/timeline/actions'; -import { isStringOrNumberArray } from '../helpers'; +import type { PrimitiveOrArrayOfPrimitives } from '../../../../common/lib/kuery'; +import { isPrimitiveArray } from '../helpers'; import type { DataProvider, DataProvidersAnd } from './data_provider'; @@ -344,10 +345,8 @@ export const addContentToTimeline = ({ } }; -export const getDisplayValue = ( - value: string | number | Array -): string | number => { - if (isStringOrNumberArray(value)) { +export const getDisplayValue = (value: PrimitiveOrArrayOfPrimitives): string | number | boolean => { + if (isPrimitiveArray(value)) { if (value.length) { return `( ${value.join(' OR ')} )`; } diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_badge.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_badge.tsx index 951caa426e2c1..a1dd257a5f997 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_badge.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_badge.tsx @@ -11,6 +11,7 @@ import { isString } from 'lodash/fp'; import React, { useCallback, useMemo } from 'react'; import styled from 'styled-components'; +import type { PrimitiveOrArrayOfPrimitives } from '../../../../common/lib/kuery'; import { TimelineType } from '../../../../../common/types/timeline'; import { getEmptyString } from '../../../../common/components/empty_value'; import { ProviderContainer } from '../../../../common/components/drag_and_drop/provider_container'; 
@@ -103,7 +104,7 @@ interface ProviderBadgeProps { togglePopover: () => void; toggleType: () => void; displayValue: string; - val: string | number | Array; + val: PrimitiveOrArrayOfPrimitives; operator: QueryOperator; type: DataProviderType; timelineType: TimelineType; diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_actions.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_actions.tsx index d37720f7218c2..f13935fc87ae1 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_actions.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_actions.tsx @@ -12,6 +12,7 @@ import React from 'react'; import styled from 'styled-components'; import { TimelineType } from '../../../../../common/types/timeline'; +import type { PrimitiveOrArrayOfPrimitives } from '../../../../common/lib/kuery'; import type { BrowserFields } from '../../../../common/containers/source'; import type { OnDataProviderEdited } from '../events'; @@ -48,7 +49,7 @@ interface OwnProps { toggleEnabledProvider: () => void; toggleExcludedProvider: () => void; toggleTypeProvider: () => void; - value: string | number | Array; + value: PrimitiveOrArrayOfPrimitives; type: DataProviderType; } @@ -80,7 +81,7 @@ interface GetProviderActionsProps { toggleEnabled: () => void; toggleExcluded: () => void; toggleType: () => void; - value: string | number | Array; + value: PrimitiveOrArrayOfPrimitives; type: DataProviderType; } diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_badge.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_badge.tsx index dfe598177bc55..90a0d3890b545 100644 
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_badge.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/provider_item_badge.tsx @@ -16,6 +16,7 @@ import { useShallowEqualSelector, } from '../../../../common/hooks/use_selector'; import { timelineSelectors } from '../../../store/timeline'; +import type { PrimitiveOrArrayOfPrimitives } from '../../../../common/lib/kuery'; import type { OnDataProviderEdited } from '../events'; import { ProviderBadge } from './provider_badge'; @@ -44,7 +45,7 @@ interface ProviderItemBadgeProps { toggleExcludedProvider: () => void; toggleTypeProvider: () => void; displayValue?: string; - val: string | number | Array; + val: PrimitiveOrArrayOfPrimitives; type?: DataProviderType; wrapperRef?: React.MutableRefObject; } diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts index 46ed0839a0e23..14046b853a235 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts @@ -5,6 +5,7 @@ * 2.0. */ +import type { PrimitiveOrArrayOfPrimitives } from '../../../common/lib/kuery'; import type { ColumnId } from './body/column_id'; import type { DataProvider, QueryOperator } from './data_providers/data_provider'; export type { @@ -36,7 +37,7 @@ export type OnDataProviderEdited = ({ id: string; operator: QueryOperator; providerId: string; - value: string | number | Array; + value: PrimitiveOrArrayOfPrimitives; type: DataProvider['type']; }) => void; diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.test.tsx index c2df23cd69c4f..e5587921e9ff4 100644 
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.test.tsx @@ -16,7 +16,7 @@ import { buildIsOneOfQueryMatch, buildIsQueryMatch, handleIsOperator, - isStringOrNumberArray, + isPrimitiveArray, showGlobalFilters, } from './helpers'; @@ -274,27 +274,27 @@ describe('Build KQL Query', () => { describe('isStringOrNumberArray', () => { test('it returns false when value is not an array', () => { - expect(isStringOrNumberArray('just a string')).toBe(false); + expect(isPrimitiveArray('just a string')).toBe(false); }); test('it returns false when value is an array of mixed types', () => { - expect(isStringOrNumberArray(['mixed', 123, 'types'])).toBe(false); + expect(isPrimitiveArray(['mixed', 123, 'types'])).toBe(false); }); test('it returns false when value is an array of bad types', () => { const badValues = [undefined, null, {}] as unknown as string[]; - expect(isStringOrNumberArray(badValues)).toBe(false); + expect(isPrimitiveArray(badValues)).toBe(false); }); test('it returns true when value is an empty array', () => { - expect(isStringOrNumberArray([])).toBe(true); + expect(isPrimitiveArray([])).toBe(true); }); test('it returns true when value is an array of all strings', () => { - expect(isStringOrNumberArray(['all', 'string', 'values'])).toBe(true); + expect(isPrimitiveArray(['all', 'string', 'values'])).toBe(true); }); test('it returns true when value is an array of all numbers', () => { - expect(isStringOrNumberArray([123, 456, 789])).toBe(true); + expect(isPrimitiveArray([123, 456, 789])).toBe(true); }); describe('queryHandlerFunctions', () => { diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx index 1760693b4187d..7d7a72de7c049 100644 
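Review bot: The `describe('isStringOrNumberArray', …)` label in helpers.test.tsx is stale — every assertion inside it now calls `isPrimitiveArray` — and no case exercises the `boolean` member the renamed predicate advertises in its return type. Rename the block and add one assertion: `describe('isPrimitiveArray', () => {` and `expect(isPrimitiveArray([true, false])).toBe(true);`. As far as this diff shows, the predicate's runtime body in timeline/helpers.tsx still only accepts all-string or all-number arrays, so that assertion would fail today; that is exactly the gap a test should pin down before a boolean-valued provider reaches the KQL builder. The enclosing `describe('Build KQL Query', …)` block starts before this hunk.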
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx @@ -5,8 +5,7 @@ * 2.0. */ -import { isEmpty, get } from 'lodash/fp'; -import memoizeOne from 'memoize-one'; +import { isEmpty } from 'lodash/fp'; import { elementOrChildrenHasFocus, @@ -18,7 +17,16 @@ import { import { assertUnreachable } from '../../../../common/utility_types'; import type { BrowserFields } from '../../../common/containers/source'; -import { escapeQueryValue } from '../../../common/lib/kuery'; +import { + escapeQueryValue, + isNumber, + convertDateFieldToQuery, + checkIfFieldTypeIsDate, + convertNestedFieldToQuery, + convertNestedFieldToExistQuery, + checkIfFieldTypeIsNested, + type PrimitiveOrArrayOfPrimitives, +} from '../../../common/lib/kuery'; import type { DataProvider, DataProvidersAnd } from './data_providers/data_provider'; import { DataProviderType, 
@@ -28,66 +36,6 @@ import { } from './data_providers/data_provider'; import { EVENTS_TABLE_CLASS_NAME } from './styles'; -const isNumber = (value: string | number): value is number => !isNaN(Number(value)); - -const convertDateFieldToQuery = (field: string, value: string | number) => - `${field}: ${isNumber(value) ? value : new Date(value).valueOf()}`; - -const getBaseFields = memoizeOne((browserFields: BrowserFields): string[] => { - const baseFields = get('base', browserFields); - if (baseFields != null && baseFields.fields != null) { - return Object.keys(baseFields.fields); - } - return []; -}); - -const getBrowserFieldPath = (field: string, browserFields: BrowserFields) => { - const splitFields = field.split('.'); - const baseFields = getBaseFields(browserFields); - if (baseFields.includes(field)) { - return ['base', 'fields', field]; - } - return [splitFields[0], 'fields', field]; -}; - -const checkIfFieldTypeIsDate = (field: string, browserFields: BrowserFields) => { - const pathBrowserField = getBrowserFieldPath(field, browserFields); - const browserField = get(pathBrowserField, browserFields); - if (browserField != null && browserField.type === 'date') { - return true; - } - return false; -}; - -const convertNestedFieldToQuery = ( - field: string, - value: string | number, - browserFields: BrowserFields -) => { - const pathBrowserField = getBrowserFieldPath(field, browserFields); - const browserField = get(pathBrowserField, browserFields); - const nestedPath = browserField.subType.nested.path; - const key = field.replace(`${nestedPath}.`, ''); - return `${nestedPath}: { ${key}: ${browserField.type === 'date' ? 
`"${value}"` : value} }`; -}; - -const convertNestedFieldToExistQuery = (field: string, browserFields: BrowserFields) => { - const pathBrowserField = getBrowserFieldPath(field, browserFields); - const browserField = get(pathBrowserField, browserFields); - const nestedPath = browserField.subType.nested.path; - const key = field.replace(`${nestedPath}.`, ''); - return `${nestedPath}: { ${key}: * }`; -}; - -const checkIfFieldTypeIsNested = (field: string, browserFields: BrowserFields) => { - const pathBrowserField = getBrowserFieldPath(field, browserFields); - const browserField = get(pathBrowserField, browserFields); - if (browserField != null && browserField.subType && browserField.subType.nested) { - return true; - } - return false; -}; - const buildQueryMatch = ( dataProvider: DataProvider | DataProvidersAnd, browserFields: BrowserFields @@ -265,7 +213,7 @@ export const resetKeyboardFocus = () => { interface OperatorHandler { field: string; isExcluded: string; - value: string | number | Array; + value: PrimitiveOrArrayOfPrimitives; } export const handleIsOperator = ({ @@ -280,7 +228,7 @@ export const handleIsOperator = ({ isFieldTypeNested: boolean; type?: DataProviderType; }) => { - if (!isStringOrNumberArray(value)) { + if (!isPrimitiveArray(value)) { return `${isExcluded}${ type !== DataProviderType.template ? buildIsQueryMatch({ browserFields, field, isFieldTypeNested, value }) @@ -292,7 +240,7 @@ export const handleIsOperator = ({ }; const handleIsOneOfOperator = ({ field, isExcluded, value }: OperatorHandler) => { - if (isStringOrNumberArray(value)) { + if (isPrimitiveArray(value)) { return `${isExcluded}${buildIsOneOfQueryMatch({ field, value })}`; } else { return `${isExcluded}${field} : ${JSON.stringify(value)}`; 
@@ -308,7 +256,7 @@ export const buildIsQueryMatch = ({ browserFields: BrowserFields; field: string; isFieldTypeNested: boolean; - value: string | number; + value: string | number | boolean; }): string => { if (isFieldTypeNested) { return convertNestedFieldToQuery(field, value, browserFields); @@ -338,17 +286,17 @@ export const buildIsOneOfQueryMatch = ({ value, }: { field: string; - value: Array; + value: Array; }): string => { const trimmedField = field.trim(); if (value.length) { return `${trimmedField} : (${value - .map((item) => (isNumber(item) ? Number(item) : `${escapeQueryValue(item.trim())}`)) + .map((item) => (isNumber(item) ? Number(item) : `${escapeQueryValue(String(item).trim())}`)) .join(' OR ')})`; } return `${trimmedField} : ''`; }; -export const isStringOrNumberArray = (value: unknown): value is Array => +export const isPrimitiveArray = (value: unknown): value is Array => Array.isArray(value) && (value.every((x) => typeof x === 'string') || value.every((x) => typeof x === 'number')); diff --git a/x-pack/plugins/timelines/common/types/timeline/data_provider/index.ts b/x-pack/plugins/timelines/common/types/timeline/data_provider/index.ts index 4aaa675137fc8..d9ef64c0ea1e3 100644 --- a/x-pack/plugins/timelines/common/types/timeline/data_provider/index.ts +++ b/x-pack/plugins/timelines/common/types/timeline/data_provider/index.ts @@ -27,8 +27,8 @@ export enum DataProviderType { export interface QueryMatch { field: string; displayField?: string; - value: string | number | Array; - displayValue?: string | number; + value: string | number | boolean | Array; + displayValue?: string | number | boolean; operator: QueryOperator; } From 9119a00a606b0116f7a2fda526ff14caf5825609 Mon Sep 17 00:00:00 2001 
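Review bot: `isPrimitiveArray` now claims `Array<string | number | boolean>` in its predicate type, but its runtime body is unchanged and still returns false for an all-boolean array, so the predicate lies about booleans; and `buildIsOneOfQueryMatch`, whose `value` element type also gained `boolean`, would serialize a `true` item as `1` if the moved `isNumber` kept the removed `!isNaN(Number(value))` body (`Number(true)` is `1`). Make the predicate honest by adding `|| value.every((x) => typeof x === 'boolean')` to its disjunction, and handle booleans before the numeric branch in the map callback by inserting `typeof item === 'boolean' ? String(item) :` ahead of `isNumber(item)`. The same `isNumber` also maps `''` and whitespace-only items to `0`, which is pre-existing but worth a test once booleans are covered. `buildIsOneOfQueryMatch`'s parameter list starts before this hunk.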
From: Julia Rechkunova Date: Tue, 7 Feb 2023 15:18:53 +0100 Subject: [PATCH 22/27] [Discover] Fix flaky adhoc test when removing a field (#150419) Closes https://github.com/elastic/kibana/issues/142721 Closes https://github.com/elastic/kibana/issues/150271 100x https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/1873 --- test/functional/page_objects/discover_page.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/functional/page_objects/discover_page.ts b/test/functional/page_objects/discover_page.ts index 0854bfe9b9c69..b33f6401db98f 100644 --- a/test/functional/page_objects/discover_page.ts +++ b/test/functional/page_objects/discover_page.ts @@ -406,7 +406,9 @@ export class DiscoverPageObject extends FtrService { public async removeField(field: string) { await this.clickFieldListItem(field); await this.testSubjects.click(`discoverFieldListPanelDelete-${field}`); - await this.testSubjects.existOrFail('runtimeFieldDeleteConfirmModal'); + await this.retry.waitFor('modal to open', async () => { + return await this.testSubjects.exists('runtimeFieldDeleteConfirmModal'); + }); await this.fieldEditor.confirmDelete(); } From b96d46c06b85c944d006a3582cfe3c56d1102e5f Mon Sep 17 00:00:00 2001 
From: Dario Gieselaar Date: Tue, 7 Feb 2023 15:29:47 +0100 Subject: [PATCH 23/27] [APM] Service metrics/continuous rollups follow-up work (#150266) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Søren Louv-Jansen Closes https://github.com/elastic/kibana/issues/150265 --- .../src/lib/timerange.ts | 16 +- ...eate_service_summary_metrics_aggregator.ts | 43 ++ .../get_routing_transform.ts | 3 +- .../client/apm_synthtrace_es_client/index.ts | 5 + .../services_without_transactions.ts | 49 +++ .../es_client_indexer.test.ts.snap | 83 +++- .../src/test/es_client_indexer.test.ts | 2 +- .../server/collectors/management/schema.ts | 4 + .../server/collectors/management/types.ts | 1 + src/plugins/telemetry/schema/oss_plugins.json | 6 + x-pack/plugins/apm/common/data_source.ts | 3 +- x-pack/plugins/apm/common/document_type.ts | 6 + x-pack/plugins/apm/dev_docs/apm_queries.md | 32 +- .../app/settings/general_settings/index.tsx | 4 + .../time_range_metadata_context.tsx | 30 +- .../get_request_base.ts | 6 +- .../create_apm_event_client/index.ts | 69 ++- .../helpers/create_es_client/document_type.ts | 9 + .../lib/helpers/get_document_sources.ts | 155 +++++-- .../server/lib/helpers/transactions/index.ts | 6 +- .../apm/server/routes/default_api_types.ts | 2 +- .../get_service_transaction_stats.ts | 5 +- .../get_services/get_services_items.ts | 12 +- ...s => get_services_without_transactions.ts} | 30 +- .../get_services/merge_service_stats.test.ts | 8 +- .../get_services/merge_service_stats.ts | 17 +- ...service_transaction_detailed_statistics.ts | 13 +- .../get_services_detailed_statistics/index.ts | 4 +- .../apm/server/routes/services/route.ts | 6 +- .../routes/time_range_metadata/route.ts | 17 +- x-pack/plugins/observability/common/index.ts | 2 + .../observability/common/ui_settings_keys.ts | 2 + .../common/utils/get_inspect_response.ts | 2 +- .../observability/server/ui_settings.ts | 34 ++ 
...chive_services_detailed_statistics.spec.ts | 298 +++++++++++++ .../services_detailed_statistics.spec.ts | 328 +++++--------- .../tests/services/top_services.spec.ts | 100 ++++- .../time_range_metadata.spec.ts | 404 ++++++++++++++++++ 38 files changed, 1462 insertions(+), 354 deletions(-) create mode 100644 packages/kbn-apm-synthtrace/src/lib/apm/aggregators/create_service_summary_metrics_aggregator.ts create mode 100644 packages/kbn-apm-synthtrace/src/scenarios/services_without_transactions.ts rename x-pack/plugins/apm/server/routes/services/get_services/{get_services_from_error_and_metric_documents.ts => get_services_without_transactions.ts} (77%) create mode 100644 x-pack/test/apm_api_integration/tests/services/archive_services_detailed_statistics.spec.ts create mode 100644 x-pack/test/apm_api_integration/tests/time_range_metadata/time_range_metadata.spec.ts diff --git a/packages/kbn-apm-synthtrace-client/src/lib/timerange.ts b/packages/kbn-apm-synthtrace-client/src/lib/timerange.ts index 18dd8178c32dc..2dd0659f9cc19 100644 --- a/packages/kbn-apm-synthtrace-client/src/lib/timerange.ts +++ b/packages/kbn-apm-synthtrace-client/src/lib/timerange.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +import type { Moment } from 'moment'; import { Interval } from './interval'; export class Timerange { @@ -20,9 +21,14 @@ export class Timerange { } } -export function timerange(from: Date | number, to: Date | number) { - return new Timerange( - from instanceof Date ? from : new Date(from), - to instanceof Date ? to : new Date(to) - ); +type DateLike = Date | number | Moment | string; + +function getDateFrom(date: DateLike): Date { + if (date instanceof Date) return date; + if (typeof date === 'number' || typeof date === 'string') return new Date(date); + return date.toDate(); +} + +export function timerange(from: Date | number | Moment, to: Date | number | Moment) { + return new Timerange(getDateFrom(from), getDateFrom(to)); } 
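Review bot: `getDateFrom` in timerange.ts never checks the Date it produces, so an unparseable number or string yields an Invalid Date that flows into `Timerange` as NaN arithmetic instead of an error; compute the result into a local and guard it before returning, e.g. `if (Number.isNaN(parsed.getTime())) throw new Error('timerange: invalid date ' + String(date));`. Also `DateLike` admits `string` while the exported `timerange` signature does not, so the string branch is unreachable for callers — either widen to `timerange(from: DateLike, to: DateLike)` or drop `string` from the alias so the two stay in sync. The fallback `date.toDate()` is duck-typed: with `import type { Moment }` there is no runtime moment dependency, so anything with a `toDate` method that reaches it is accepted — fine, but worth a one-line comment.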
diff --git a/packages/kbn-apm-synthtrace/src/lib/apm/aggregators/create_service_summary_metrics_aggregator.ts b/packages/kbn-apm-synthtrace/src/lib/apm/aggregators/create_service_summary_metrics_aggregator.ts new file mode 100644 index 0000000000000..a83e7306e3941 --- /dev/null +++ b/packages/kbn-apm-synthtrace/src/lib/apm/aggregators/create_service_summary_metrics_aggregator.ts @@ -0,0 +1,43 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ +import { ApmFields, hashKeysOf } from '@kbn/apm-synthtrace-client'; +import { identity, noop, pick } from 'lodash'; +import { createApmMetricAggregator } from './create_apm_metric_aggregator'; + +const KEY_FIELDS: Array = [ + 'agent.name', + 'service.environment', + 'service.name', + 'service.language.name', +]; + +export function createServiceSummaryMetricsAggregator(flushInterval: string) { + return createApmMetricAggregator( + { + filter: () => true, + getAggregateKey: (event) => { + // see https://github.com/elastic/apm-server/blob/main/x-pack/apm-server/aggregation/txmetrics/aggregator.go + return hashKeysOf(event, KEY_FIELDS); + }, + flushInterval, + init: (event) => { + const set = pick(event, KEY_FIELDS); + + return { + ...set, + 'metricset.name': 'service_summary', + 'metricset.interval': flushInterval, + 'processor.event': 'metric', + 'processor.name': 'metric', + }; + }, + }, + noop, + identity + ); +} diff --git a/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/get_routing_transform.ts b/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/get_routing_transform.ts index 8c3f5ea3b25b4..aa1e421697707 100644 
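Review bot: `createServiceSummaryMetricsAggregator` is exported without TSDoc, and the contract worth documenting is not obvious from the body: `filter: () => true` means every event (errors, app metrics, transactions alike) feeds the aggregate, which is what lets services without transactions surface, and `flushInterval` is stored verbatim as `metricset.interval` and — per the routing transform change in this commit — becomes part of the target data stream name, so only interval strings the routing/index templates expect (`'1m'`, `'10m'`, `'60m'` are the ones wired up here) are valid. Suggest a header like `/** Aggregates every APM event into service_summary metric documents keyed by agent.name, service.name, service.environment and service.language.name, so services that emit only errors or app metrics still appear in the inventory. flushInterval must be an interval for which a metrics-apm.service_summary.<interval>-default data stream exists. */`. The `// see …/txmetrics/aggregator.go` pointer names the transaction-metrics aggregator; if a service-summary aggregator in apm-server is the intended reference, update it.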
--- a/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/get_routing_transform.ts +++ b/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/get_routing_transform.ts @@ -34,7 +34,8 @@ export function getRoutingTransform() { } else if ( metricsetName === 'transaction' || metricsetName === 'service_transaction' || - metricsetName === 'service_destination' + metricsetName === 'service_destination' || + metricsetName === 'service_summary' ) { index = `metrics-apm.${metricsetName}.${document['metricset.interval']!}-default`; } else { diff --git a/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/index.ts b/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/index.ts index 58fab239eab40..21fd3a0ac7dcf 100644 --- a/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/index.ts +++ b/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client/index.ts @@ -21,6 +21,7 @@ import { Logger } from '../../../utils/create_logger'; import { fork, sequential } from '../../../utils/stream_utils'; import { createBreakdownMetricsAggregator } from '../../aggregators/create_breakdown_metrics_aggregator'; import { createServiceMetricsAggregator } from '../../aggregators/create_service_metrics_aggregator'; +import { createServiceSummaryMetricsAggregator } from '../../aggregators/create_service_summary_metrics_aggregator'; import { createSpanMetricsAggregator } from '../../aggregators/create_span_metrics_aggregator'; import { createTransactionMetricsAggregator } from '../../aggregators/create_transaction_metrics_aggregator'; import { getApmServerMetadataTransform } from './get_apm_server_metadata_transform'; @@ -111,6 +112,7 @@ export class ApmSynthtraceEsClient { index: dataStreams, allow_no_indices: true, ignore_unavailable: true, + expand_wildcards: ['open', 'hidden'], }); } 
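Review bot: `expand_wildcards: ['open', 'hidden']` widens the operation this call performs to hidden data streams, and with `allow_no_indices`/`ignore_unavailable` alongside it reads like the client's cleanup/delete call; if so, every hidden stream matching `dataStreams` is now deleted too, which is a larger blast radius for a tool that can be pointed at a real cluster. The method name is outside the hunk, so this is inferred. Add a comment stating why hidden streams are in scope, e.g. `// rollup metric data streams are presumably hidden — include them so cleanup removes them too (verify)`, and double-check that the patterns in `dataStreams` stay scoped to APM-owned streams.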
@@ -123,6 +125,9 @@ export class ApmSynthtraceEsClient { createServiceMetricsAggregator('1m'), createServiceMetricsAggregator('10m'), createServiceMetricsAggregator('60m'), + createServiceSummaryMetricsAggregator('1m'), + createServiceSummaryMetricsAggregator('10m'), + createServiceSummaryMetricsAggregator('60m'), createSpanMetricsAggregator('1m'), createSpanMetricsAggregator('10m'), createSpanMetricsAggregator('60m'), diff --git a/packages/kbn-apm-synthtrace/src/scenarios/services_without_transactions.ts b/packages/kbn-apm-synthtrace/src/scenarios/services_without_transactions.ts new file mode 100644 index 0000000000000..94e3ea20ba787 --- /dev/null +++ b/packages/kbn-apm-synthtrace/src/scenarios/services_without_transactions.ts 
@@ -0,0 +1,49 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ +import { apm, ApmFields } from '@kbn/apm-synthtrace-client'; +import { Scenario } from '../cli/scenario'; + +const scenario: Scenario = async ({ logger, scenarioOpts }) => { + return { + generate: ({ range }) => { + const withTx = apm + .service('service-with-transactions', 'production', 'java') + .instance('instance'); + + const withErrorsOnly = apm + .service('service-with-errors-only', 'production', 'java') + .instance('instance'); + + const withAppMetricsOnly = apm + .service('service-with-app-metrics-only', 'production', 'java') + .instance('instance'); + + return range + .interval('1m') + .rate(1) + .generator((timestamp) => { + return [ + withTx.transaction('GET /api').duration(100).timestamp(timestamp), + withErrorsOnly + .error({ + message: 'An unknown error occurred', + }) + .timestamp(timestamp), + withAppMetricsOnly + .appMetrics({ + 'system.memory.actual.free': 1, + 'system.memory.total': 2, + }) + .timestamp(timestamp), + ]; + }); + }, + }; +}; + +export default scenario; diff --git a/packages/kbn-apm-synthtrace/src/test/__snapshots__/es_client_indexer.test.ts.snap b/packages/kbn-apm-synthtrace/src/test/__snapshots__/es_client_indexer.test.ts.snap index 7178720ea0a02..74160ee85287a 100644 --- a/packages/kbn-apm-synthtrace/src/test/__snapshots__/es_client_indexer.test.ts.snap +++ b/packages/kbn-apm-synthtrace/src/test/__snapshots__/es_client_indexer.test.ts.snap 
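Review bot: The scenario destructures `logger` and `scenarioOpts` from its argument and uses neither, which lint will flag and which suggests to a reader that options influence the data; tighten it to `const scenario: Scenario<…> = async () => {` keeping whatever type argument the file already has. A one-line comment at the top would also help, e.g. `// Three services in one environment: one with transactions, one emitting only errors, one emitting only app metrics.`; the PR's stated purpose (exercising the service_summary-only inventory path) can be added to that comment if the author confirms it.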
@@ -1,6 +1,6 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`Synthtrace ES Client indexer indexes documents 1`] = ` +exports[`Synthtrace ES Client indexer indexes documents 2`] = ` Array [ Object { "@timestamp": "2022-01-01T00:00:00.000Z", @@ -68,6 +68,33 @@ Array [ "event": "metric", }, }, + Object { + "@timestamp": "2022-01-01T00:00:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, + Object { + "@timestamp": "2022-01-01T00:00:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, + Object { + "@timestamp": "2022-01-01T00:00:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, Object { "@timestamp": "2022-01-01T00:00:00.000Z", "metricset": Object { @@ -119,6 +146,24 @@ Array [ "event": "metric", }, }, + Object { + "@timestamp": "2022-01-01T00:30:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, + Object { + "@timestamp": "2022-01-01T00:30:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, Object { "@timestamp": "2022-01-01T00:30:00.000Z", "metricset": Object { 
@@ -200,6 +245,42 @@ Array [ "event": "metric", }, }, + Object { + "@timestamp": "2022-01-01T01:00:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, + Object { + "@timestamp": "2022-01-01T01:00:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, + Object { + "@timestamp": "2022-01-01T00:00:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, + Object { + "@timestamp": "2022-01-01T01:00:00.000Z", + "metricset": Object { + "name": "service_summary", + }, + "processor": Object { + "event": "metric", + }, + }, Object { "@timestamp": "2022-01-01T01:00:00.000Z", "metricset": Object { diff --git a/packages/kbn-apm-synthtrace/src/test/es_client_indexer.test.ts b/packages/kbn-apm-synthtrace/src/test/es_client_indexer.test.ts index 05ea68af97350..9b35b2d0bd29f 100644 --- a/packages/kbn-apm-synthtrace/src/test/es_client_indexer.test.ts +++ b/packages/kbn-apm-synthtrace/src/test/es_client_indexer.test.ts @@ -72,7 +72,7 @@ describe('Synthtrace ES Client indexer', () => { const events = await toArray(datasource); - expect(events.length).toBe(24); + expect(events.length).toMatchInlineSnapshot(`33`); const mapped = events.map((event) => pick(event, '@timestamp', 'processor.event', 'metricset.name') diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts index 0c61004477613..9525b7345a380 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts 
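Review bot: The `toMatchInlineSnapshot` on `events.length` replaces an explicit `toBe(24)` with a self-updating snapshot, so the next count drift will be accepted with `-u` instead of being reasoned about; the nine extra documents are accounted for by the `service_summary` entries visible in the snapshot hunks (3 + 2 + 4), so pin it as `expect(events.length).toBe(33); // 24 + 9 service_summary docs`. The snapshot key also moved from `indexes documents 1` to `indexes documents 2`, which usually means an obsolete `…1` entry remains in the .snap file or the test now snapshots twice — worth confirming before merge.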
@@ -434,6 +434,10 @@ export const stackManagementSchema: MakeSchemaFrom = { type: 'boolean', _meta: { description: 'Non-default value of setting.' }, }, + 'observability:apmEnableContinuousRollups': { + type: 'boolean', + _meta: { description: 'Non-default value of setting.' }, + }, 'observability:apmAgentExplorerView': { type: 'boolean', _meta: { description: 'Non-default value of setting.' }, diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts index c0d7e74bf0c45..245cb55368015 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts @@ -41,6 +41,7 @@ export interface UsageStats { 'observability:enableComparisonByDefault': boolean; 'observability:enableServiceGroups': boolean; 'observability:apmEnableServiceMetrics': boolean; + 'observability:apmEnableContinuousRollups': boolean; 'observability:apmAWSLambdaPriceFactor': string; 'observability:apmAWSLambdaRequestCostPerMillion': number; 'observability:enableInfrastructureHostsView': boolean; diff --git a/src/plugins/telemetry/schema/oss_plugins.json b/src/plugins/telemetry/schema/oss_plugins.json index 7b8d7ef9386c2..52fe7853bf471 100644 --- a/src/plugins/telemetry/schema/oss_plugins.json +++ b/src/plugins/telemetry/schema/oss_plugins.json @@ -8910,6 +8910,12 @@ "description": "Non-default value of setting." } }, + "observability:apmEnableContinuousRollups": { + "type": "boolean", + "_meta": { + "description": "Non-default value of setting." + } + }, "observability:apmAgentExplorerView": { "type": "boolean", "_meta": { diff --git a/x-pack/plugins/apm/common/data_source.ts b/x-pack/plugins/apm/common/data_source.ts index 54b7f10512566..b951677a8cb65 100644 --- a/x-pack/plugins/apm/common/data_source.ts +++ b/x-pack/plugins/apm/common/data_source.ts 
@@ -12,7 +12,8 @@ type AnyApmDocumentType = | ApmDocumentType.ServiceTransactionMetric | ApmDocumentType.TransactionMetric | ApmDocumentType.TransactionEvent - | ApmDocumentType.ServiceDestinationMetric; + | ApmDocumentType.ServiceDestinationMetric + | ApmDocumentType.ServiceSummaryMetric; export interface ApmDataSource< TDocumentType extends AnyApmDocumentType = AnyApmDocumentType diff --git a/x-pack/plugins/apm/common/document_type.ts b/x-pack/plugins/apm/common/document_type.ts index a737484b91760..4027e9d36ded2 100644 --- a/x-pack/plugins/apm/common/document_type.ts +++ b/x-pack/plugins/apm/common/document_type.ts @@ -10,4 +10,10 @@ export enum ApmDocumentType { ServiceTransactionMetric = 'serviceTransactionMetric', TransactionEvent = 'transactionEvent', ServiceDestinationMetric = 'serviceDestinationMetric', + ServiceSummaryMetric = 'serviceSummaryMetric', } + +export type ApmServiceTransactionDocumentType = + | ApmDocumentType.ServiceTransactionMetric + | ApmDocumentType.TransactionMetric + | ApmDocumentType.TransactionEvent; diff --git a/x-pack/plugins/apm/dev_docs/apm_queries.md b/x-pack/plugins/apm/dev_docs/apm_queries.md index 69f5953cce59c..acd20597389d9 100644 --- a/x-pack/plugins/apm/dev_docs/apm_queries.md +++ b/x-pack/plugins/apm/dev_docs/apm_queries.md 
@@ -224,38 +224,48 @@ GET apm-*-metric-*,metrics-apm*/_search?terminate_after=1000 # Transactions in service inventory page -Service metrics is an aggregated metric document that holds latency and throughput metrics pivoted by `service.name + service.environment + transaction.type` +Service transaction metrics are aggregated metric documents that hold latency and throughput metrics pivoted by `service.name`, `service.environment` and `transaction.type`. Additionally, `agent.name` and `service.language.name` are included as metadata. -The decision to use service metrics aggregation or not is determined in [getServiceInventorySearchSource](https://github.com/elastic/kibana/blob/5d585ea375be551a169a0bea49b011819b9ac669/x-pack/plugins/apm/server/lib/helpers/get_service_inventory_search_source.ts#L12) and [getSearchServiceMetrics](https://github.com/elastic/kibana/blob/5d585ea375be551a169a0bea49b011819b9ac669/x-pack/plugins/apm/server/lib/helpers/service_metrics/index.ts#L38) +We use the response from the `GET /internal/apm/time_range_metadata` endpoint to determine what data source is available. A data source is considered available if there is either data before the current time range, or, if there is no data at all before the current time range, if there is data within the current time range. This means that existing deployments will use transaction metrics right after upgrading (instead of using service transaction metrics and seeing a mostly blank screen), but also that new deployments immediately get the benefits of service transaction metrics, instead of falling all the way back to transaction events. 
A pre-aggregated document where `_doc_count` is the number of transaction events ``` { - "_doc_count": 627, + "_doc_count": 4, "@timestamp": "2021-09-01T10:00:00.000Z", "processor.event": "metric", - "metricset.name": "service", + "metricset.name": "service_transaction", + "metricset.interval": "1m", "service": { "environment": "production", "name": "web-go" }, "transaction": { "duration.summary": { - "sum": 376492831, - "value_count": 627 + "sum": 1000, + "value_count": 4 + }, + "duration.histogram": { + "counts": [ 4 ], + "values": [ 250 ] }, - "success_count": 476, - "failure_count": 151, "type": "request" + }, + "event": { + "success_count": { + "sum": 1, + "value_count": 2 + } } } ``` - `_doc_count` is the number of bucket counts -- `transaction.duration.summary` is an [aggregate_metric_double](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/aggregate-metric-double.html) field and holds an aggregated transaction duration summary, for service metrics -- `failure_count` holds an aggregated count of transactions with the outcome "failure" -- `success_count` holds an aggregated count of transactions with the outcome "success" +- `transaction.duration.summary` is an [aggregate_metric_double](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/aggregate-metric-double.html) field and holds an aggregated transaction duration summary, for service transaction metrics +- `event.success_count` holds an aggregate metric double that describes the _success rate_. E.g., in this example, the success rate is 50% (1/2). + +In addition to `service_transaction`, `service_summary` metrics are also generated. Every service outputs these, even when it does not record any transaction (that also means there is no transaction data on this metric). This means that we can use `service_summary` to display services without transactions, i.e. services that only have app/system metrics or errors. ### Latency 
diff --git a/x-pack/plugins/apm/public/components/app/settings/general_settings/index.tsx b/x-pack/plugins/apm/public/components/app/settings/general_settings/index.tsx index e250f1e09276b..670826e43cccc 100644 --- a/x-pack/plugins/apm/public/components/app/settings/general_settings/index.tsx +++ b/x-pack/plugins/apm/public/components/app/settings/general_settings/index.tsx @@ -17,6 +17,8 @@ import { enableInspectEsQueries, apmAWSLambdaPriceFactor, apmAWSLambdaRequestCostPerMillion, + apmEnableServiceMetrics, + apmEnableContinuousRollups, } from '@kbn/observability-plugin/common'; import { isEmpty } from 'lodash'; import React from 'react'; @@ -32,6 +34,8 @@ const apmSettingsKeys = [ apmLabsButton, apmAWSLambdaPriceFactor, apmAWSLambdaRequestCostPerMillion, + apmEnableServiceMetrics, + apmEnableContinuousRollups, ]; export function GeneralSettings() { diff --git a/x-pack/plugins/apm/public/context/time_range_metadata/time_range_metadata_context.tsx b/x-pack/plugins/apm/public/context/time_range_metadata/time_range_metadata_context.tsx index 8a549ee26d199..0bdb9418bf510 100644 --- a/x-pack/plugins/apm/public/context/time_range_metadata/time_range_metadata_context.tsx +++ b/x-pack/plugins/apm/public/context/time_range_metadata/time_range_metadata_context.tsx @@ -5,11 +5,16 @@ * 2.0. */ import React, { createContext } from 'react'; +import { + apmEnableServiceMetrics, + apmEnableContinuousRollups, +} from '@kbn/observability-plugin/common'; import { TimeRangeMetadata } from '../../../common/time_range_metadata'; import { useApmParams } from '../../hooks/use_apm_params'; import { useApmRoutePath } from '../../hooks/use_apm_route_path'; import { FetcherResult, useFetcher } from '../../hooks/use_fetcher'; import { useTimeRange } from '../../hooks/use_time_range'; +import { useApmPluginContext } from '../apm_plugin/use_apm_plugin_context'; export const TimeRangeMetadataContext = createContext< FetcherResult | undefined 
@@ -20,6 +25,10 @@ export function TimeRangeMetadataContextProvider({ }: { children: React.ReactElement; }) { + const { + core: { uiSettings }, + } = useApmPluginContext(); + const { query } = useApmParams('/*'); const kuery = 'kuery' in query ? query.kuery : ''; @@ -37,6 +46,16 @@ export function TimeRangeMetadataContextProvider({ const routePath = useApmRoutePath(); + const enableServiceTransactionMetrics = uiSettings.get( + apmEnableServiceMetrics, + true + ); + + const enableContinuousRollups = uiSettings.get( + apmEnableContinuousRollups, + true + ); + const isOperationView = routePath.startsWith('/dependencies/operation') || routePath.startsWith('/dependencies/operations'); @@ -50,11 +69,20 @@ export function TimeRangeMetadataContextProvider({ end, kuery, useSpanName: isOperationView, + enableServiceTransactionMetrics, + enableContinuousRollups, }, }, }); }, - [start, end, kuery, isOperationView] + [ + start, + end, + kuery, + isOperationView, + enableServiceTransactionMetrics, + enableContinuousRollups, + ] ); return ( diff --git a/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/get_request_base.ts b/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/get_request_base.ts index 5551736fc34b9..16e8b0edba21a 100644 --- a/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/get_request_base.ts +++ b/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/get_request_base.ts @@ -28,7 +28,11 @@ export function processorEventsToIndex( events: ProcessorEvent[], indices: ApmIndicesConfig ) { - return uniq(events.map((event) => indices[processorEventIndexMap[event]])); + return uniq( + events.flatMap((event) => + indices[processorEventIndexMap[event]].split(',').map((str) => str.trim()) + ) + ); } export function getRequestBase(options: { 
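Review bot: `processorEventsToIndex` now splits each configured index string on commas, but an empty segment (a trailing comma or an empty setting value) survives `trim()` and reaches Elasticsearch as `''` in the index list, and later `termsEnum` joins that list back with `','`, reproducing the doubled comma. Suggest `indices[processorEventIndexMap[event]].split(',').map((str) => str.trim()).filter(Boolean)` so only real patterns are sent. A one-line comment on the function stating that index settings may be comma-separated lists would also help the next reader, since the old code treated each setting as a single pattern.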
diff --git a/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/index.ts b/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/index.ts index b6cdfa80ff3f8..b06ab4ecb2c71 100644 --- a/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/index.ts +++ b/x-pack/plugins/apm/server/lib/helpers/create_es_client/create_apm_event_client/index.ts @@ -9,15 +9,17 @@ import type { EqlSearchRequest, FieldCapsRequest, FieldCapsResponse, + MsearchMultisearchBody, + MsearchMultisearchHeader, TermsEnumRequest, TermsEnumResponse, } from '@elastic/elasticsearch/lib/api/types'; -import { ValuesType } from 'utility-types'; import { ElasticsearchClient, KibanaRequest } from '@kbn/core/server'; import type { ESSearchRequest, InferSearchResponseOf } from '@kbn/es-types'; import { ProcessorEvent } from '@kbn/observability-plugin/common'; import { unwrapEsResponse } from '@kbn/observability-plugin/server'; import { compact, omit } from 'lodash'; +import { ValuesType } from 'utility-types'; import { ApmDataSource } from '../../../../../common/data_source'; import { APMError } from '../../../../../typings/es_schemas/ui/apm_error'; import { Metric } from '../../../../../typings/es_schemas/ui/metric'; @@ -31,8 +33,8 @@ import { getDebugTitle, } from '../call_async_with_debug'; import { cancelEsRequestOnAbort } from '../cancel_es_request_on_abort'; -import { processorEventsToIndex, getRequestBase } from './get_request_base'; import { ProcessorEventOfDocumentType } from '../document_type'; +import { getRequestBase, processorEventsToIndex } from './get_request_base'; export type APMEventESSearchRequest = Omit & { apm: { @@ -81,6 +83,10 @@ type TypedSearchResponse = TParams >; +interface TypedMSearchResponse { + responses: Array>; +} + export interface APMEventClientConfig { esClient: ElasticsearchClient; debug: boolean; 
@@ -163,7 +169,7 @@ export class APMEventClient { this.forceSyntheticSource && events.includes(ProcessorEvent.metric); const searchParams = { - ...omit(params, 'apm'), + ...omit(params, 'apm', 'body'), index, body: { ...params.body, @@ -193,12 +199,63 @@ export class APMEventClient { }); } + async msearch( + operationName: string, + ...allParams: TParams[] + ): Promise> { + const searches = allParams + .map((params) => { + const { index, filters } = getRequestBase({ + apm: params.apm, + indices: this.indices, + }); + + const searchParams: [MsearchMultisearchHeader, MsearchMultisearchBody] = + [ + { + index, + preference: 'any', + ...(this.includeFrozen ? { ignore_throttled: false } : {}), + ignore_unavailable: true, + expand_wildcards: ['open' as const, 'hidden' as const], + }, + { + ...omit(params, 'apm', 'body'), + ...params.body, + query: { + bool: { + filter: compact([params.body.query, ...filters]), + }, + }, + }, + ]; + + return searchParams; + }) + .flat(); + + return this.callAsyncWithDebug({ + cb: (opts) => + this.esClient.msearch( + { + searches, + }, + opts + ) as unknown as Promise<{ + body: TypedMSearchResponse; + }>, + operationName, + params: searches, + requestType: 'msearch', + }); + } + async eqlSearch(operationName: string, params: APMEventEqlSearchRequest) { const index = processorEventsToIndex(params.apm.events, this.indices); const requestParams = { - index, ...omit(params, 'apm'), + index, }; return this.callAsyncWithDebug({ @@ -216,8 +273,8 @@ export class APMEventClient { const index = processorEventsToIndex(params.apm.events, this.indices); const requestParams = { - index, ...omit(params, 'apm'), + index, }; return this.callAsyncWithDebug({ @@ -235,8 +292,8 @@ export class APMEventClient { const index = processorEventsToIndex(params.apm.events, this.indices); const requestParams = { - index: Array.isArray(index) ? index.join(',') : index, ...omit(params, 'apm'), + index: index.join(','), }; return this.callAsyncWithDebug({ 
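Review bot: `msearch` does not carry over `forceSyntheticSource`: the `search` hunk above still computes `this.forceSyntheticSource && events.includes(ProcessorEvent.metric)` for single searches, but the header/body pair built in `msearch` sets nothing equivalent, so metric queries issued through `msearch` presumably behave differently from the same query through `search`. If that is deliberate, say so in a comment on the method; otherwise apply the same per-search handling. Separately, the `as unknown as Promise<{ body: TypedMSearchResponse }>` cast discards the client's own item type, in which each entry of `responses` may be an error object rather than a hit set; modelling that variant in `TypedMSearchResponse` (previous hunk in this file) would force callers to handle it instead of hiding it behind the cast.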
diff --git a/x-pack/plugins/apm/server/lib/helpers/create_es_client/document_type.ts b/x-pack/plugins/apm/server/lib/helpers/create_es_client/document_type.ts index 70ca95147387c..2ebee7e23b8e7 100644 --- a/x-pack/plugins/apm/server/lib/helpers/create_es_client/document_type.ts +++ b/x-pack/plugins/apm/server/lib/helpers/create_es_client/document_type.ts @@ -51,6 +51,15 @@ const documentTypeConfigMap: Record< }), rollupIntervals: defaultRollupIntervals, }, + [ApmDocumentType.ServiceSummaryMetric]: { + processorEvent: ProcessorEvent.metric, + getQuery: (rollupInterval) => ({ + bool: { + filter: getDefaultFilter('service_summary', rollupInterval), + }, + }), + rollupIntervals: defaultRollupIntervals, + }, [ApmDocumentType.TransactionMetric]: { processorEvent: ProcessorEvent.metric, getQuery: (rollupInterval) => ({ diff --git a/x-pack/plugins/apm/server/lib/helpers/get_document_sources.ts b/x-pack/plugins/apm/server/lib/helpers/get_document_sources.ts index 8631e2c0ba8a4..2b66a0b581888 100644 --- a/x-pack/plugins/apm/server/lib/helpers/get_document_sources.ts +++ b/x-pack/plugins/apm/server/lib/helpers/get_document_sources.ts @@ -5,7 +5,6 @@ * 2.0. */ import { kqlQuery, rangeQuery } from '@kbn/observability-plugin/server'; -import { flatten } from 'lodash'; import { ApmDataSource } from '../../../common/data_source'; import { ApmDocumentType } from '../../../common/document_type'; import { RollupInterval } from '../../../common/rollup'; 
@@ -17,63 +16,131 @@ export async function getDocumentSources({ start, end, kuery, + enableServiceTransactionMetrics, + enableContinuousRollups, }: { apmEventClient: APMEventClient; start: number; end: number; kuery: string; + enableServiceTransactionMetrics: boolean; + enableContinuousRollups: boolean; }) { - const sources: Array = flatten( - await Promise.all( - [ - ApmDocumentType.ServiceTransactionMetric as const, - ApmDocumentType.TransactionMetric as const, - ].map(async (documentType) => { - const docTypeConfig = getConfigForDocumentType(documentType); - const allHasDocs = await Promise.all( - docTypeConfig.rollupIntervals.map(async (rollupInterval) => { - const response = await apmEventClient.search( - 'check_document_type_availability', - { - apm: { - sources: [ - { - documentType, - rollupInterval, - }, - ], - }, - body: { - track_total_hits: 1, - size: 0, - terminate_after: 1, - query: { - bool: { - filter: [...kqlQuery(kuery), ...rangeQuery(start, end)], - }, - }, - }, - } - ); + const currentRange = rangeQuery(start, end); + const diff = end - start; + const kql = kqlQuery(kuery); + const beforeRange = rangeQuery(start - diff, end - diff); - return { + const sourcesToCheck = [ + ...(enableServiceTransactionMetrics + ? [ApmDocumentType.ServiceTransactionMetric as const] + : []), + ApmDocumentType.TransactionMetric as const, + ].flatMap((documentType) => { + const docTypeConfig = getConfigForDocumentType(documentType); + + return ( + enableContinuousRollups + ? 
docTypeConfig.rollupIntervals + : [RollupInterval.OneMinute] + ).flatMap((rollupInterval) => { + const searchParams = { + apm: { + sources: [ + { documentType, rollupInterval, - hasDocs: response.hits.total.value > 0, - }; - }) - ); + }, + ], + }, + body: { + track_total_hits: 1, + size: 0, + terminate_after: 1, + }, + }; + + return { + documentType, + rollupInterval, + before: { + ...searchParams, + body: { + ...searchParams.body, + query: { + bool: { + filter: [...kql, ...beforeRange], + }, + }, + }, + }, + current: { + ...searchParams, + body: { + ...searchParams.body, + query: { + bool: { + filter: [...kql, ...currentRange], + }, + }, + }, + }, + }; + }); + }); + + const allSearches = sourcesToCheck.flatMap(({ before, current }) => [ + before, + current, + ]); + + const allResponses = ( + await apmEventClient.msearch('get_document_availability', ...allSearches) + ).responses; + + const checkedSources = sourcesToCheck.map((source, index) => { + const responseBefore = allResponses[index * 2]; + const responseAfter = allResponses[index * 2 + 1]; + const { documentType, rollupInterval } = source; + + const hasDataBefore = responseBefore.hits.total.value > 0; + const hasDataAfter = responseAfter.hits.total.value > 0; - return allHasDocs; - }) - ) + return { + documentType, + rollupInterval, + hasDataBefore, + hasDataAfter, + }; + }); + + const hasAnyDataBefore = checkedSources.some( + (source) => source.hasDataBefore ); - sources.push({ + const sources: Array = + checkedSources.map((source) => { + const { documentType, hasDataAfter, hasDataBefore, rollupInterval } = + source; + + const hasData = hasDataBefore || hasDataAfter; + + return { + documentType, + rollupInterval, + // If there is any data before, we require that data is available before + // this time range to mark this source as available. If we don't do that, + // users that upgrade to a version that starts generating service tx metrics + // will see a mostly empty screen for a while after upgrading. 
+ // If we only check before, users with a new deployment will use raw transaction + // events. + hasDocs: hasAnyDataBefore ? hasDataBefore : hasData, + }; + }); + + return sources.concat({ documentType: ApmDocumentType.TransactionEvent, rollupInterval: RollupInterval.None, hasDocs: true, }); - - return sources; } diff --git a/x-pack/plugins/apm/server/lib/helpers/transactions/index.ts b/x-pack/plugins/apm/server/lib/helpers/transactions/index.ts index e4de7dfc9bf74..cf95500f25318 100644 --- a/x-pack/plugins/apm/server/lib/helpers/transactions/index.ts +++ b/x-pack/plugins/apm/server/lib/helpers/transactions/index.ts @@ -91,7 +91,11 @@ export async function getSearchTransactionsEvents({ } export function getDurationFieldForTransactions( - typeOrSearchAgggregatedTransactions: ApmDocumentType | boolean + typeOrSearchAgggregatedTransactions: + | ApmDocumentType.ServiceTransactionMetric + | ApmDocumentType.TransactionMetric + | ApmDocumentType.TransactionEvent + | boolean ) { let type: ApmDocumentType; if (typeOrSearchAgggregatedTransactions === true) { diff --git a/x-pack/plugins/apm/server/routes/default_api_types.ts b/x-pack/plugins/apm/server/routes/default_api_types.ts index 629fc9c56f70a..4b58ec7e4e9b9 100644 --- a/x-pack/plugins/apm/server/routes/default_api_types.ts +++ b/x-pack/plugins/apm/server/routes/default_api_types.ts @@ -22,7 +22,7 @@ export const probabilityRt = t.type({ }); export const kueryRt = t.type({ kuery: t.string }); -export const dataSourceRt = t.type({ +export const serviceTransactionDataSourceRt = t.type({ documentType: t.union([ t.literal(ApmDocumentType.ServiceTransactionMetric), t.literal(ApmDocumentType.TransactionMetric), diff --git a/x-pack/plugins/apm/server/routes/services/get_services/get_service_transaction_stats.ts b/x-pack/plugins/apm/server/routes/services/get_services/get_service_transaction_stats.ts index f4ede557dc745..88f2e55682868 100644 
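Review bot: `responseBefore.hits.total.value` and `responseAfter.hits.total.value` are read without checking that the msearch item is a successful result; if Elasticsearch returns a per-item error for one of the rollup indices, this throws a TypeError on `.hits` and the whole time-range-metadata request fails with an unhelpful message instead of the ES error. Suggest guarding before reading, e.g. `const hasDataBefore = 'hits' in responseBefore && responseBefore.hits.total.value > 0;` (and the same for `responseAfter`), or throwing with the item's `error` so it surfaces in the inspector. The pairing `allResponses[index * 2]` / `allResponses[index * 2 + 1]` relies on msearch returning items in request order, which it does, but a one-line comment stating that assumption next to `allSearches` would make the index arithmetic self-explanatory.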
--- a/x-pack/plugins/apm/server/routes/services/get_services/get_service_transaction_stats.ts +++ b/x-pack/plugins/apm/server/routes/services/get_services/get_service_transaction_stats.ts @@ -41,7 +41,10 @@ interface AggregationParams { end: number; serviceGroup: ServiceGroup | null; randomSampler: RandomSampler; - documentType: ApmDocumentType; + documentType: + | ApmDocumentType.ServiceTransactionMetric + | ApmDocumentType.TransactionMetric + | ApmDocumentType.TransactionEvent; rollupInterval: RollupInterval; } diff --git a/x-pack/plugins/apm/server/routes/services/get_services/get_services_items.ts b/x-pack/plugins/apm/server/routes/services/get_services/get_services_items.ts index f2cbeddffa86d..5fddc6a3d6f5e 100644 --- a/x-pack/plugins/apm/server/routes/services/get_services/get_services_items.ts +++ b/x-pack/plugins/apm/server/routes/services/get_services/get_services_items.ts @@ -6,7 +6,7 @@ */ import { Logger } from '@kbn/logging'; -import { ApmDocumentType } from '../../../../common/document_type'; +import { ApmServiceTransactionDocumentType } from '../../../../common/document_type'; import { RollupInterval } from '../../../../common/rollup'; import { ServiceGroup } from '../../../../common/service_groups'; import { APMEventClient } from '../../../lib/helpers/create_es_client/create_apm_event_client'; @@ -15,7 +15,7 @@ import { MlClient } from '../../../lib/helpers/get_ml_client'; import { RandomSampler } from '../../../lib/helpers/get_random_sampler'; import { withApmSpan } from '../../../utils/with_apm_span'; import { getHealthStatuses } from './get_health_statuses'; -import { getServicesFromErrorAndMetricDocuments } from './get_services_from_error_and_metric_documents'; +import { getServicesWithoutTransactions } from './get_services_without_transactions'; import { getServicesAlerts } from './get_service_alerts'; import { getServiceTransactionStats } from './get_service_transaction_stats'; import { mergeServiceStats } from './merge_service_stats'; 
@@ -46,7 +46,7 @@ export async function getServicesItems({ end: number; serviceGroup: ServiceGroup | null; randomSampler: RandomSampler; - documentType: ApmDocumentType; + documentType: ApmServiceTransactionDocumentType; rollupInterval: RollupInterval; }) { return withApmSpan('get_services_items', async () => { @@ -64,7 +64,7 @@ export async function getServicesItems({ const [ { serviceStats, serviceOverflowCount }, - { services, maxServiceCountExceeded }, + { services: servicesWithoutTransactions, maxServiceCountExceeded }, healthStatuses, alertCounts, ] = await Promise.all([ @@ -72,7 +72,7 @@ export async function getServicesItems({ ...commonParams, apmEventClient, }), - getServicesFromErrorAndMetricDocuments({ + getServicesWithoutTransactions({ ...commonParams, apmEventClient, }), @@ -90,7 +90,7 @@ export async function getServicesItems({ items: mergeServiceStats({ serviceStats, - servicesFromErrorAndMetricDocuments: services, + servicesWithoutTransactions, healthStatuses, alertCounts, }) ?? [], diff --git a/x-pack/plugins/apm/server/routes/services/get_services/get_services_from_error_and_metric_documents.ts b/x-pack/plugins/apm/server/routes/services/get_services/get_services_without_transactions.ts similarity index 77% rename from x-pack/plugins/apm/server/routes/services/get_services/get_services_from_error_and_metric_documents.ts rename to x-pack/plugins/apm/server/routes/services/get_services/get_services_without_transactions.ts index 62830ace6a068..60d3bc0d7df18 100644 --- a/x-pack/plugins/apm/server/routes/services/get_services/get_services_from_error_and_metric_documents.ts +++ b/x-pack/plugins/apm/server/routes/services/get_services/get_services_without_transactions.ts 
@@ -18,8 +18,10 @@ import { serviceGroupQuery } from '../../../lib/service_group_query'; import { ServiceGroup } from '../../../../common/service_groups'; import { RandomSampler } from '../../../lib/helpers/get_random_sampler'; import { APMEventClient } from '../../../lib/helpers/create_es_client/create_apm_event_client'; +import { ApmDocumentType } from '../../../../common/document_type'; +import { RollupInterval } from '../../../../common/rollup'; -export async function getServicesFromErrorAndMetricDocuments({ +export async function getServicesWithoutTransactions({ environment, apmEventClient, maxNumServices, @@ -28,6 +30,8 @@ export async function getServicesFromErrorAndMetricDocuments({ end, serviceGroup, randomSampler, + documentType, + rollupInterval, }: { apmEventClient: APMEventClient; environment: string; @@ -37,13 +41,29 @@ export async function getServicesFromErrorAndMetricDocuments({ end: number; serviceGroup: ServiceGroup | null; randomSampler: RandomSampler; + documentType: ApmDocumentType; + rollupInterval: RollupInterval; }) { + const isServiceTransactionMetric = + documentType === ApmDocumentType.ServiceTransactionMetric; + const response = await apmEventClient.search( - 'get_services_from_error_and_metric_documents', + isServiceTransactionMetric + ? 'get_services_from_service_summary' + : 'get_services_from_error_and_metric_documents', { - apm: { - events: [ProcessorEvent.metric, ProcessorEvent.error], - }, + apm: isServiceTransactionMetric + ? { + sources: [ + { + documentType: ApmDocumentType.ServiceSummaryMetric, + rollupInterval, + }, + ], + } + : { + events: [ProcessorEvent.metric, ProcessorEvent.error], + }, body: { track_total_hits: false, size: 0, diff --git a/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.test.ts b/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.test.ts index d08e23ef4b49a..d06905d17bb18 100644 
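Review bot: `documentType` is declared here as the full `ApmDocumentType` enum, while the caller `getServicesItems` (get_services_items.ts hunks above) narrows its parameter to `ApmServiceTransactionDocumentType`; passing e.g. `ServiceSummaryMetric` type-checks but silently falls into the error/metric branch. Narrowing the parameter to `documentType: ApmServiceTransactionDocumentType;` and importing the alias alongside `ApmDocumentType` from `common/document_type` makes the branch selection exhaustive. The function body continues past the end of the hunk.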
--- a/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.test.ts +++ b/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.test.ts @@ -40,7 +40,7 @@ describe('mergeServiceStats', () => { throughput: 4, }), ], - servicesFromErrorAndMetricDocuments: [ + servicesWithoutTransactions: [ { environments: ['production'], serviceName: 'opbeans-java', @@ -93,7 +93,7 @@ describe('mergeServiceStats', () => { environments: ['staging'], }), ], - servicesFromErrorAndMetricDocuments: [ + servicesWithoutTransactions: [ { environments: ['production'], serviceName: 'opbeans-java', @@ -142,7 +142,7 @@ describe('mergeServiceStats', () => { environments: ['staging'], }), ], - servicesFromErrorAndMetricDocuments: [], + servicesWithoutTransactions: [], healthStatuses: [ { healthStatus: ServiceHealthStatus.healthy, @@ -179,7 +179,7 @@ describe('mergeServiceStats', () => { environments: ['staging'], }), ], - servicesFromErrorAndMetricDocuments: [ + servicesWithoutTransactions: [ { environments: ['production'], serviceName: 'opbeans-java', diff --git a/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.ts b/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.ts index 10d22c730bf9d..a5c867b4f69dd 100644 --- a/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.ts +++ b/x-pack/plugins/apm/server/routes/services/get_services/merge_service_stats.ts 
@@ -9,30 +9,29 @@ import { asMutableArray } from '../../../../common/utils/as_mutable_array'; import { joinByKey } from '../../../../common/utils/join_by_key'; import { getServicesAlerts } from './get_service_alerts'; import { getHealthStatuses } from './get_health_statuses'; -import { getServicesFromErrorAndMetricDocuments } from './get_services_from_error_and_metric_documents'; +import { getServicesWithoutTransactions } from './get_services_without_transactions'; import { getServiceTransactionStats } from './get_service_transaction_stats'; export function mergeServiceStats({ serviceStats, - servicesFromErrorAndMetricDocuments, + servicesWithoutTransactions, healthStatuses, alertCounts, }: { serviceStats: Awaited< ReturnType >['serviceStats']; - servicesFromErrorAndMetricDocuments: Awaited< - ReturnType + servicesWithoutTransactions: Awaited< + ReturnType >['services']; healthStatuses: Awaited>; alertCounts: Awaited>; }) { const foundServiceNames = serviceStats.map(({ serviceName }) => serviceName); - const servicesWithOnlyMetricDocuments = - servicesFromErrorAndMetricDocuments.filter( - ({ serviceName }) => !foundServiceNames.includes(serviceName) - ); + const servicesWithOnlyMetricDocuments = servicesWithoutTransactions.filter( + ({ serviceName }) => !foundServiceNames.includes(serviceName) + ); const allServiceNames = foundServiceNames.concat( servicesWithOnlyMetricDocuments.map(({ serviceName }) => serviceName) @@ -47,7 +46,7 @@ export function mergeServiceStats({ return joinByKey( asMutableArray([ ...serviceStats, - ...servicesFromErrorAndMetricDocuments, + ...servicesWithoutTransactions, ...matchedHealthStatuses, ...alertCounts, ] as const), diff --git a/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/get_service_transaction_detailed_statistics.ts b/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/get_service_transaction_detailed_statistics.ts index 0ba8bfb7da922..a410036d4c52e 100644 
--- a/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/get_service_transaction_detailed_statistics.ts +++ b/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/get_service_transaction_detailed_statistics.ts @@ -7,7 +7,7 @@ import { kqlQuery, rangeQuery } from '@kbn/observability-plugin/server'; import { keyBy } from 'lodash'; -import { ApmDocumentType } from '../../../../common/document_type'; +import { ApmServiceTransactionDocumentType } from '../../../../common/document_type'; import { SERVICE_NAME, TRANSACTION_TYPE, @@ -19,7 +19,7 @@ import { } from '../../../../common/transaction_types'; import { environmentQuery } from '../../../../common/utils/environment_query'; import { getOffsetInMs } from '../../../../common/utils/get_offset_in_ms'; -import { calculateThroughputWithRange } from '../../../lib/helpers/calculate_throughput'; +import { calculateThroughputWithInterval } from '../../../lib/helpers/calculate_throughput'; import { APMEventClient } from '../../../lib/helpers/create_es_client/create_apm_event_client'; import { RandomSampler } from '../../../lib/helpers/get_random_sampler'; import { getDurationFieldForTransactions } from '../../../lib/helpers/transactions'; @@ -46,7 +46,7 @@ export async function getServiceTransactionDetailedStats({ environment: string; kuery: string; apmEventClient: APMEventClient; - documentType: ApmDocumentType; + documentType: ApmServiceTransactionDocumentType; rollupInterval: RollupInterval; bucketSizeInSeconds: number; offset?: string; @@ -159,9 +159,8 @@ export async function getServiceTransactionDetailedStats({ throughput: topTransactionTypeBucket.timeseries.buckets.map( (dateBucket) => ({ x: dateBucket.key + offsetInMs, - y: calculateThroughputWithRange({ - start, - end, + y: calculateThroughputWithInterval({ + bucketSize: bucketSizeInSeconds, value: dateBucket.doc_count, }), }) 
@@ -189,7 +188,7 @@ export async function getServiceDetailedStatsPeriods({ environment: string; kuery: string; apmEventClient: APMEventClient; - documentType: ApmDocumentType; + documentType: ApmServiceTransactionDocumentType; rollupInterval: RollupInterval; bucketSizeInSeconds: number; offset?: string; diff --git a/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/index.ts b/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/index.ts index faa12d1defe1f..932d727ee6987 100644 --- a/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/index.ts +++ b/x-pack/plugins/apm/server/routes/services/get_services_detailed_statistics/index.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ApmDocumentType } from '../../../../common/document_type'; +import { ApmServiceTransactionDocumentType } from '../../../../common/document_type'; import { RollupInterval } from '../../../../common/rollup'; import { APMEventClient } from '../../../lib/helpers/create_es_client/create_apm_event_client'; import { RandomSampler } from '../../../lib/helpers/get_random_sampler'; @@ -28,7 +28,7 @@ export async function getServicesDetailedStatistics({ environment: string; kuery: string; apmEventClient: APMEventClient; - documentType: ApmDocumentType; + documentType: ApmServiceTransactionDocumentType; rollupInterval: RollupInterval; bucketSizeInSeconds: number; offset?: string; diff --git a/x-pack/plugins/apm/server/routes/services/route.ts b/x-pack/plugins/apm/server/routes/services/route.ts index 6fbc7744368db..d8647bf981e34 100644 --- a/x-pack/plugins/apm/server/routes/services/route.ts +++ b/x-pack/plugins/apm/server/routes/services/route.ts 
@@ -32,7 +32,7 @@ import { getSearchTransactionsEvents } from '../../lib/helpers/transactions'; import { withApmSpan } from '../../utils/with_apm_span'; import { createApmServerRoute } from '../apm_routes/create_apm_server_route'; import { - dataSourceRt, + serviceTransactionDataSourceRt, environmentRt, kueryRt, probabilityRt, @@ -64,7 +64,7 @@ const servicesRoute = createApmServerRoute({ t.partial({ serviceGroup: t.string }), t.intersection([ probabilityRt, - dataSourceRt, + serviceTransactionDataSourceRt, environmentRt, kueryRt, rangeRt, @@ -179,7 +179,7 @@ const servicesDetailedStatisticsRoute = createApmServerRoute({ environmentRt, kueryRt, rangeRt, - t.intersection([offsetRt, probabilityRt, dataSourceRt]), + t.intersection([offsetRt, probabilityRt, serviceTransactionDataSourceRt]), t.type({ bucketSizeInSeconds: toNumberRt, }), diff --git a/x-pack/plugins/apm/server/routes/time_range_metadata/route.ts b/x-pack/plugins/apm/server/routes/time_range_metadata/route.ts index 66cbebe5ec218..eaff14fd7c647 100644 --- a/x-pack/plugins/apm/server/routes/time_range_metadata/route.ts +++ b/x-pack/plugins/apm/server/routes/time_range_metadata/route.ts @@ -17,7 +17,11 @@ export const timeRangeMetadataRoute = createApmServerRoute({ endpoint: 'GET /internal/apm/time_range_metadata', params: t.type({ query: t.intersection([ - t.type({ useSpanName: toBooleanRt }), + t.type({ + useSpanName: toBooleanRt, + enableServiceTransactionMetrics: toBooleanRt, + enableContinuousRollups: toBooleanRt, + }), kueryRt, rangeRt, ]), @@ -29,7 +33,14 @@ export const timeRangeMetadataRoute = createApmServerRoute({ const apmEventClient = await getApmEventClient(resources); const { - query: { useSpanName, start, end, kuery }, + query: { + useSpanName, + start, + end, + kuery, + enableServiceTransactionMetrics, + enableContinuousRollups, + }, } = resources.params; const [isUsingServiceDestinationMetrics, sources] = await Promise.all([ 
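Review bot: `enableServiceTransactionMetrics` and `enableContinuousRollups` become required query parameters that the server takes as given, so which data sources `getDocumentSources` probes is decided by whatever the caller sends rather than by the advanced settings themselves, and any caller of `GET /internal/apm/time_range_metadata` that does not send them (older UI bundles, existing API tests) now fails io-ts validation. Consider resolving both settings server-side from the request's uiSettings client, presumably reachable through `resources.context`, and declaring the query flags with `t.partial({ ... })` as optional overrides so existing callers keep working. If client control is intentional, a short comment on the route explaining why the UI is the source of truth would save the next reader the same question.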
@@ -45,6 +56,8 @@ export const timeRangeMetadataRoute = createApmServerRoute({ start, end, kuery, + enableServiceTransactionMetrics, + enableContinuousRollups, }), ]); diff --git a/x-pack/plugins/observability/common/index.ts b/x-pack/plugins/observability/common/index.ts index 0d3c846d3a314..c82d4fbe6faed 100644 --- a/x-pack/plugins/observability/common/index.ts +++ b/x-pack/plugins/observability/common/index.ts @@ -27,6 +27,8 @@ export { enableAgentExplorerView, apmAWSLambdaPriceFactor, apmAWSLambdaRequestCostPerMillion, + apmEnableServiceMetrics, + apmEnableContinuousRollups, enableCriticalPath, profilingElasticsearchPlugin, } from './ui_settings_keys'; diff --git a/x-pack/plugins/observability/common/ui_settings_keys.ts b/x-pack/plugins/observability/common/ui_settings_keys.ts index b4ddb17b7e9da..80f94c34a647a 100644 --- a/x-pack/plugins/observability/common/ui_settings_keys.ts +++ b/x-pack/plugins/observability/common/ui_settings_keys.ts @@ -22,4 +22,6 @@ export const enableAgentExplorerView = 'observability:apmAgentExplorerView'; export const apmAWSLambdaPriceFactor = 'observability:apmAWSLambdaPriceFactor'; export const apmAWSLambdaRequestCostPerMillion = 'observability:apmAWSLambdaRequestCostPerMillion'; export const enableCriticalPath = 'observability:apmEnableCriticalPath'; +export const apmEnableServiceMetrics = 'observability:apmEnableServiceMetrics'; +export const apmEnableContinuousRollups = 'observability:apmEnableContinuousRollups'; export const profilingElasticsearchPlugin = 'observability:profilingElasticsearchPlugin'; diff --git a/x-pack/plugins/observability/common/utils/get_inspect_response.ts b/x-pack/plugins/observability/common/utils/get_inspect_response.ts index 6af29c16d0457..7c5d8368bd192 100644 --- a/x-pack/plugins/observability/common/utils/get_inspect_response.ts +++ b/x-pack/plugins/observability/common/utils/get_inspect_response.ts 
@@ -150,7 +150,7 @@ export function getInspectResponse({ return { id, - json: esRequestParams.body, + json: esRequestParams.body ?? esRequestParams, name: id, response: { json: esError ? esError.originalError : esResponse, diff --git a/x-pack/plugins/observability/server/ui_settings.ts b/x-pack/plugins/observability/server/ui_settings.ts index 26a2ea3e8cc2c..3d1198dbe9aa5 100644 --- a/x-pack/plugins/observability/server/ui_settings.ts +++ b/x-pack/plugins/observability/server/ui_settings.ts @@ -23,11 +23,17 @@ import { enableAwsLambdaMetrics, apmAWSLambdaPriceFactor, apmAWSLambdaRequestCostPerMillion, + apmEnableServiceMetrics, + apmEnableContinuousRollups, enableCriticalPath, enableInfrastructureHostsView, profilingElasticsearchPlugin, } from '../common/ui_settings_keys'; +const betaLabel = i18n.translate('xpack.observability.uiSettings.betaLabel', { + defaultMessage: 'beta', +}); + const technicalPreviewLabel = i18n.translate( 'xpack.observability.uiSettings.technicalPreviewLabel', { defaultMessage: 'technical preview' } 
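Review bot: `esRequestParams.body ?? esRequestParams` widens what the inspector exposes from the request body to the entire request-params object (index names and every other top-level option) whenever `body` is absent, and the line does not say why; a one-line comment would make the intent explicit, e.g. `// body-less requests carry their parameters at the top level; fall back to the full params object so the inspector still shows the query`. If any of those top-level parameters should not be echoed to the browser, pick the fields you want rather than returning the whole object. The enclosing `getInspectResponse` starts before the hunk.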
@@ -287,6 +293,34 @@ export const uiSettings: Record = { value: 0.2, schema: schema.number({ min: 0 }), }, + [apmEnableServiceMetrics]: { + category: [observabilityFeatureId], + name: i18n.translate('xpack.observability.apmEnableServiceMetrics', { + defaultMessage: 'Service transaction metrics', + }), + value: true, + description: i18n.translate('xpack.observability.apmEnableServiceMetricsDescription', { + defaultMessage: + '{betaLabel} Enables the usage of service transaction metrics, which are low cardinality metrics that can be used by certain views like the service inventory for faster loading times.', + values: { betaLabel: `[${betaLabel}]` }, + }), + schema: schema.boolean(), + requiresPageReload: true, + }, + [apmEnableContinuousRollups]: { + category: [observabilityFeatureId], + name: i18n.translate('xpack.observability.apmEnableContinuousRollups', { + defaultMessage: 'Continuous rollups', + }), + value: true, + description: i18n.translate('xpack.observability.apmEnableContinuousRollupsDescription', { + defaultMessage: + '{betaLabel} When continuous rollups is enabled, the UI will select metrics with the appropriate resolution. On larger time ranges, lower resolution metrics will be used, which will improve loading times.', + values: { betaLabel: `[${betaLabel}]` }, + }), + schema: schema.boolean(), + requiresPageReload: true, + }, [enableCriticalPath]: { category: [observabilityFeatureId], name: i18n.translate('xpack.observability.enableCriticalPath', { diff --git a/x-pack/test/apm_api_integration/tests/services/archive_services_detailed_statistics.spec.ts b/x-pack/test/apm_api_integration/tests/services/archive_services_detailed_statistics.spec.ts new file mode 100644 index 0000000000000..92553c9f3e076 --- /dev/null +++ b/x-pack/test/apm_api_integration/tests/services/archive_services_detailed_statistics.spec.ts 
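Review bot: The user-facing description for `apmEnableContinuousRollups` reads `When continuous rollups is enabled`; the subject is plural, so `'{betaLabel} When continuous rollups are enabled, the UI will select metrics with the appropriate resolution. On larger time ranges, lower resolution metrics will be used, which will improve loading times.'` reads correctly. Both new settings are labelled beta yet default to `value: true`; a short comment above each entry stating why they ship enabled would help whoever later has to decide whether to flip the default. The `uiSettings` record continues outside the hunk.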
@@ -0,0 +1,298 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import expect from '@kbn/expect'; +import moment from 'moment'; +import { APIReturnType } from '@kbn/apm-plugin/public/services/rest/create_call_apm_api'; +import { isFiniteNumber } from '@kbn/apm-plugin/common/utils/is_finite_number'; +import { ApmDocumentType } from '@kbn/apm-plugin/common/document_type'; +import { RollupInterval } from '@kbn/apm-plugin/common/rollup'; +import archives_metadata from '../../common/fixtures/es_archiver/archives_metadata'; +import { FtrProviderContext } from '../../common/ftr_provider_context'; +import { ApmApiError } from '../../common/apm_api_supertest'; + +type ServicesDetailedStatisticsReturn = + APIReturnType<'POST /internal/apm/services/detailed_statistics'>; + +export default function ApiTest({ getService }: FtrProviderContext) { + const registry = getService('registry'); + + const apmApiClient = getService('apmApiClient'); + + const archiveName = 'apm_8.0.0'; + const metadata = archives_metadata[archiveName]; + const { start, end } = metadata; + const serviceNames = ['opbeans-java', 'opbeans-go']; + + registry.when( + 'Services detailed statistics when data is not loaded', + { config: 'basic', archives: [] }, + () => { + it('handles the empty state', async () => { + const response = await apmApiClient.readUser({ + endpoint: `POST /internal/apm/services/detailed_statistics`, + params: { + query: { + start, + end, + environment: 'ENVIRONMENT_ALL', + kuery: '', + offset: '1d', + probability: 1, + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + bucketSizeInSeconds: 60, + }, + body: { + serviceNames: JSON.stringify(serviceNames), + }, + }, + }); + + expect(response.status).to.be(200); + 
expect(response.body.currentPeriod).to.be.empty(); + expect(response.body.previousPeriod).to.be.empty(); + }); + } + ); + + registry.when( + 'Services detailed statistics when data is loaded', + { config: 'basic', archives: [archiveName] }, + () => { + let servicesDetailedStatistics: ServicesDetailedStatisticsReturn; + before(async () => { + const response = await apmApiClient.readUser({ + endpoint: `POST /internal/apm/services/detailed_statistics`, + params: { + query: { + start, + end, + environment: 'ENVIRONMENT_ALL', + kuery: '', + probability: 1, + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + bucketSizeInSeconds: 60, + _inspect: true, + }, + body: { + serviceNames: JSON.stringify(serviceNames), + }, + }, + }); + + expect(response.status).to.be(200); + servicesDetailedStatistics = response.body; + }); + + it('returns current period data', async () => { + expect(servicesDetailedStatistics.currentPeriod).not.to.be.empty(); + }); + + it("doesn't returns previous period data", async () => { + expect(servicesDetailedStatistics.previousPeriod).to.be.empty(); + }); + + it('returns current data for requested service names', () => { + serviceNames.forEach((serviceName) => { + expect(servicesDetailedStatistics.currentPeriod[serviceName]).not.to.be.empty(); + }); + }); + it('returns correct statistics', () => { + const statistics = servicesDetailedStatistics.currentPeriod[serviceNames[0]]; + + expect(statistics.latency.length).to.be.greaterThan(0); + expect(statistics.throughput.length).to.be.greaterThan(0); + expect(statistics.transactionErrorRate.length).to.be.greaterThan(0); + + // latency + const nonNullLantencyDataPoints = statistics.latency.filter(({ y }) => isFiniteNumber(y)); + expect(nonNullLantencyDataPoints.length).to.be.greaterThan(0); + + // throughput + const nonNullThroughputDataPoints = statistics.throughput.filter(({ y }) => + isFiniteNumber(y) + ); + 
expect(nonNullThroughputDataPoints.length).to.be.greaterThan(0); + + // transaction erro rate + const nonNullTransactionErrorRateDataPoints = statistics.transactionErrorRate.filter( + ({ y }) => isFiniteNumber(y) + ); + expect(nonNullTransactionErrorRateDataPoints.length).to.be.greaterThan(0); + }); + + it('returns empty when empty service names is passed', async () => { + try { + await apmApiClient.readUser({ + endpoint: `POST /internal/apm/services/detailed_statistics`, + params: { + query: { + start, + end, + environment: 'ENVIRONMENT_ALL', + kuery: '', + probability: 1, + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + bucketSizeInSeconds: 60, + }, + body: { + serviceNames: JSON.stringify([]), + }, + }, + }); + expect().fail('Expected API call to throw an error'); + } catch (error: unknown) { + const apiError = error as ApmApiError; + expect(apiError.res.status).eql(400); + + expect(apiError.res.body.message).eql('serviceNames cannot be empty'); + } + }); + + it('filters by environment', async () => { + const response = await apmApiClient.readUser({ + endpoint: `POST /internal/apm/services/detailed_statistics`, + params: { + query: { + start, + end, + environment: 'production', + kuery: '', + probability: 1, + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + bucketSizeInSeconds: 60, + }, + body: { + serviceNames: JSON.stringify(serviceNames), + }, + }, + }); + expect(response.status).to.be(200); + expect(Object.keys(response.body.currentPeriod).length).to.be(1); + expect(response.body.currentPeriod['opbeans-java']).not.to.be.empty(); + }); + it('filters by kuery', async () => { + const response = await apmApiClient.readUser({ + endpoint: `POST /internal/apm/services/detailed_statistics`, + params: { + query: { + start, + end, + environment: 'ENVIRONMENT_ALL', + kuery: 'transaction.type : "invalid_transaction_type"', + probability: 1, + documentType: 
ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + bucketSizeInSeconds: 60, + }, + body: { + serviceNames: JSON.stringify(serviceNames), + }, + }, + }); + expect(response.status).to.be(200); + expect(Object.keys(response.body.currentPeriod)).to.be.empty(); + }); + } + ); + + registry.when( + 'Services detailed statistics with time comparison', + { config: 'basic', archives: [archiveName] }, + () => { + let servicesDetailedStatistics: ServicesDetailedStatisticsReturn; + before(async () => { + const response = await apmApiClient.readUser({ + endpoint: `POST /internal/apm/services/detailed_statistics`, + params: { + query: { + start: moment(end).subtract(15, 'minutes').toISOString(), + end, + offset: '15m', + environment: 'ENVIRONMENT_ALL', + kuery: '', + probability: 1, + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + bucketSizeInSeconds: 60, + }, + body: { + serviceNames: JSON.stringify(serviceNames), + }, + }, + }); + + expect(response.status).to.be(200); + servicesDetailedStatistics = response.body; + }); + it('returns current period data', async () => { + expect(servicesDetailedStatistics.currentPeriod).not.to.be.empty(); + }); + it('returns previous period data', async () => { + expect(servicesDetailedStatistics.previousPeriod).not.to.be.empty(); + }); + it('returns current data for requested service names', () => { + serviceNames.forEach((serviceName) => { + expect(servicesDetailedStatistics.currentPeriod[serviceName]).not.to.be.empty(); + }); + }); + it('returns previous data for requested service names', () => { + serviceNames.forEach((serviceName) => { + expect(servicesDetailedStatistics.currentPeriod[serviceName]).not.to.be.empty(); + }); + }); + it('returns correct statistics', () => { + const currentPeriodStatistics = servicesDetailedStatistics.currentPeriod[serviceNames[0]]; + const previousPeriodStatistics = servicesDetailedStatistics.previousPeriod[serviceNames[0]]; + + 
expect(currentPeriodStatistics.latency.length).to.be.greaterThan(0); + expect(currentPeriodStatistics.throughput.length).to.be.greaterThan(0); + expect(currentPeriodStatistics.transactionErrorRate.length).to.be.greaterThan(0); + + // latency + const nonNullCurrentPeriodLantencyDataPoints = currentPeriodStatistics.latency.filter( + ({ y }) => isFiniteNumber(y) + ); + expect(nonNullCurrentPeriodLantencyDataPoints.length).to.be.greaterThan(0); + + // throughput + const nonNullCurrentPeriodThroughputDataPoints = currentPeriodStatistics.throughput.filter( + ({ y }) => isFiniteNumber(y) + ); + expect(nonNullCurrentPeriodThroughputDataPoints.length).to.be.greaterThan(0); + + // transaction erro rate + const nonNullCurrentPeriodTransactionErrorRateDataPoints = + currentPeriodStatistics.transactionErrorRate.filter(({ y }) => isFiniteNumber(y)); + expect(nonNullCurrentPeriodTransactionErrorRateDataPoints.length).to.be.greaterThan(0); + + expect(previousPeriodStatistics.latency.length).to.be.greaterThan(0); + expect(previousPeriodStatistics.throughput.length).to.be.greaterThan(0); + expect(previousPeriodStatistics.transactionErrorRate.length).to.be.greaterThan(0); + + // latency + const nonNullPreviousPeriodLantencyDataPoints = previousPeriodStatistics.latency.filter( + ({ y }) => isFiniteNumber(y) + ); + expect(nonNullPreviousPeriodLantencyDataPoints.length).to.be.greaterThan(0); + + // throughput + const nonNullPreviousPeriodThroughputDataPoints = + previousPeriodStatistics.throughput.filter(({ y }) => isFiniteNumber(y)); + expect(nonNullPreviousPeriodThroughputDataPoints.length).to.be.greaterThan(0); + + // transaction erro rate + const nonNullPreviousPeriodTransactionErrorRateDataPoints = + previousPeriodStatistics.transactionErrorRate.filter(({ y }) => isFiniteNumber(y)); + expect(nonNullPreviousPeriodTransactionErrorRateDataPoints.length).to.be.greaterThan(0); + }); + } + ); +} 
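Review bot: The `'returns previous data for requested service names'` test asserts on `servicesDetailedStatistics.currentPeriod[serviceName]`, so it duplicates the `currentPeriod` test directly above it and never checks the previous period; it should read `expect(servicesDetailedStatistics.previousPeriod[serviceName]).not.to.be.empty();`. The file's index hash matches the pre-change `services_detailed_statistics.spec.ts`, so this looks like a verbatim copy that carried the mistake over, but the copy is the right place to fix it. Separately, `catch (error: unknown) { const apiError = error as ApmApiError; ... }` silences the checker where a guard such as `if (!(error instanceof ApmApiError)) throw error;` would keep the assertion honest, assuming `ApmApiError` is a class.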
diff --git a/x-pack/test/apm_api_integration/tests/services/services_detailed_statistics.spec.ts b/x-pack/test/apm_api_integration/tests/services/services_detailed_statistics.spec.ts index 92553c9f3e076..782434a7c6aa5 100644 --- a/x-pack/test/apm_api_integration/tests/services/services_detailed_statistics.spec.ts +++ b/x-pack/test/apm_api_integration/tests/services/services_detailed_statistics.spec.ts @@ -5,14 +5,15 @@ * 2.0. */ import expect from '@kbn/expect'; -import moment from 'moment'; -import { APIReturnType } from '@kbn/apm-plugin/public/services/rest/create_call_apm_api'; -import { isFiniteNumber } from '@kbn/apm-plugin/common/utils/is_finite_number'; +import { + APIClientRequestParamsOf, + APIReturnType, +} from '@kbn/apm-plugin/public/services/rest/create_call_apm_api'; import { ApmDocumentType } from '@kbn/apm-plugin/common/document_type'; import { RollupInterval } from '@kbn/apm-plugin/common/rollup'; -import archives_metadata from '../../common/fixtures/es_archiver/archives_metadata'; +import { apm, timerange } from '@kbn/apm-synthtrace-client'; +import { uniq, map } from 'lodash'; import { FtrProviderContext } from '../../common/ftr_provider_context'; -import { ApmApiError } from '../../common/apm_api_supertest'; type ServicesDetailedStatisticsReturn = APIReturnType<'POST /internal/apm/services/detailed_statistics'>; 
@@ -22,13 +23,15 @@ export default function ApiTest({ getService }: FtrProviderContext) { const apmApiClient = getService('apmApiClient'); - const archiveName = 'apm_8.0.0'; - const metadata = archives_metadata[archiveName]; - const { start, end } = metadata; - const serviceNames = ['opbeans-java', 'opbeans-go']; + const synthtrace = getService('synthtraceEsClient'); + + const start = '2021-01-01T00:00:00.000Z'; + const end = '2021-01-01T00:59:59.999Z'; + + const serviceNames = ['my-service']; registry.when( - 'Services detailed statistics when data is not loaded', + 'Services detailed statistics when data is generated', { config: 'basic', archives: [] }, () => { it('handles the empty state', async () => { @@ -40,11 +43,11 @@ export default function ApiTest({ getService }: FtrProviderContext) { end, environment: 'ENVIRONMENT_ALL', kuery: '', - offset: '1d', probability: 1, documentType: ApmDocumentType.TransactionMetric, rollupInterval: RollupInterval.OneMinute, bucketSizeInSeconds: 60, + _inspect: true, }, body: { serviceNames: JSON.stringify(serviceNames), 
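Review bot: This hunk renames the empty-state `registry.when` block to `'Services detailed statistics when data is generated'`, which is exactly the title the hunk at `@@ -59,239 +62,126 @@` gives the block that really generates data; the first block indexes nothing (`archives: []`, no synthtrace call), so the title is misleading and the duplicate makes test reports ambiguous. Keep distinct wording for the first block, e.g. `'Services detailed statistics when data is not loaded'`. The `_inspect: true` added in `@@ -40,11 +43,11 @@` appears unused by the assertions that follow; if it was left in for debugging, drop it or say why in a comment.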
@@ -59,239 +62,126 @@ export default function ApiTest({ getService }: FtrProviderContext) { } ); + async function getStats( + overrides?: Partial< + APIClientRequestParamsOf<'POST /internal/apm/services/detailed_statistics'>['params']['query'] + > + ) { + const response = await apmApiClient.readUser({ + endpoint: `POST /internal/apm/services/detailed_statistics`, + params: { + query: { + start, + end, + environment: 'ENVIRONMENT_ALL', + kuery: '', + probability: 1, + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + bucketSizeInSeconds: 60, + ...overrides, + }, + body: { + serviceNames: JSON.stringify(serviceNames), + }, + }, + }); + + return response.body; + } + registry.when( - 'Services detailed statistics when data is loaded', - { config: 'basic', archives: [archiveName] }, + 'Services detailed statistics when data is generated', + { config: 'basic', archives: [] }, () => { let servicesDetailedStatistics: ServicesDetailedStatisticsReturn; - before(async () => { - const response = await apmApiClient.readUser({ - endpoint: `POST /internal/apm/services/detailed_statistics`, - params: { - query: { - start, - end, - environment: 'ENVIRONMENT_ALL', - kuery: '', - probability: 1, - documentType: ApmDocumentType.TransactionMetric, - rollupInterval: RollupInterval.OneMinute, - bucketSizeInSeconds: 60, - _inspect: true, - }, - body: { - serviceNames: JSON.stringify(serviceNames), - }, - }, - }); - expect(response.status).to.be(200); - servicesDetailedStatistics = response.body; - }); + const instance = apm.service('my-service', 'production', 'java').instance('instance'); - it('returns current period data', async () => { - expect(servicesDetailedStatistics.currentPeriod).not.to.be.empty(); - }); + const EXPECTED_TPM = 5; + const EXPECTED_LATENCY = 1000; + const EXPECTED_FAILURE_RATE = 0.25; - it("doesn't returns previous period data", async () => { - expect(servicesDetailedStatistics.previousPeriod).to.be.empty(); - }); + 
before(async () => { + const interval = timerange(new Date(start).getTime(), new Date(end).getTime() - 1).interval( + '1m' + ); - it('returns current data for requested service names', () => { - serviceNames.forEach((serviceName) => { - expect(servicesDetailedStatistics.currentPeriod[serviceName]).not.to.be.empty(); - }); + await synthtrace.index([ + interval.rate(3).generator((timestamp) => { + return instance + .transaction('GET /api') + .duration(EXPECTED_LATENCY) + .outcome('success') + .timestamp(timestamp); + }), + interval.rate(1).generator((timestamp) => { + return instance + .transaction('GET /api') + .duration(EXPECTED_LATENCY) + .outcome('failure') + .timestamp(timestamp); + }), + interval.rate(1).generator((timestamp) => { + return instance + .transaction('GET /api') + .duration(EXPECTED_LATENCY) + .outcome('unknown') + .timestamp(timestamp); + }), + ]); }); - it('returns correct statistics', () => { - const statistics = servicesDetailedStatistics.currentPeriod[serviceNames[0]]; - expect(statistics.latency.length).to.be.greaterThan(0); - expect(statistics.throughput.length).to.be.greaterThan(0); - expect(statistics.transactionErrorRate.length).to.be.greaterThan(0); + after(() => synthtrace.clean()); - // latency - const nonNullLantencyDataPoints = statistics.latency.filter(({ y }) => isFiniteNumber(y)); - expect(nonNullLantencyDataPoints.length).to.be.greaterThan(0); + function checkStats() { + const stats = servicesDetailedStatistics.currentPeriod['my-service']; - // throughput - const nonNullThroughputDataPoints = statistics.throughput.filter(({ y }) => - isFiniteNumber(y) - ); - expect(nonNullThroughputDataPoints.length).to.be.greaterThan(0); + expect(stats).not.empty(); - // transaction erro rate - const nonNullTransactionErrorRateDataPoints = statistics.transactionErrorRate.filter( - ({ y }) => isFiniteNumber(y) - ); - expect(nonNullTransactionErrorRateDataPoints.length).to.be.greaterThan(0); - }); + expect(uniq(map(stats.throughput, 
'y'))).eql([EXPECTED_TPM], 'tpm'); - it('returns empty when empty service names is passed', async () => { - try { - await apmApiClient.readUser({ - endpoint: `POST /internal/apm/services/detailed_statistics`, - params: { - query: { - start, - end, - environment: 'ENVIRONMENT_ALL', - kuery: '', - probability: 1, - documentType: ApmDocumentType.TransactionMetric, - rollupInterval: RollupInterval.OneMinute, - bucketSizeInSeconds: 60, - }, - body: { - serviceNames: JSON.stringify([]), - }, - }, - }); - expect().fail('Expected API call to throw an error'); - } catch (error: unknown) { - const apiError = error as ApmApiError; - expect(apiError.res.status).eql(400); + expect(uniq(map(stats.latency, 'y'))).eql([EXPECTED_LATENCY * 1000], 'latency'); - expect(apiError.res.body.message).eql('serviceNames cannot be empty'); - } - }); + expect(uniq(map(stats.transactionErrorRate, 'y'))).eql( + [EXPECTED_FAILURE_RATE], + 'errorRate' + ); + } - it('filters by environment', async () => { - const response = await apmApiClient.readUser({ - endpoint: `POST /internal/apm/services/detailed_statistics`, - params: { - query: { - start, - end, - environment: 'production', - kuery: '', - probability: 1, - documentType: ApmDocumentType.TransactionMetric, - rollupInterval: RollupInterval.OneMinute, - bucketSizeInSeconds: 60, - }, - body: { - serviceNames: JSON.stringify(serviceNames), - }, - }, + describe('and transaction metrics are used', () => { + before(async () => { + servicesDetailedStatistics = await getStats(); }); - expect(response.status).to.be(200); - expect(Object.keys(response.body.currentPeriod).length).to.be(1); - expect(response.body.currentPeriod['opbeans-java']).not.to.be.empty(); - }); - it('filters by kuery', async () => { - const response = await apmApiClient.readUser({ - endpoint: `POST /internal/apm/services/detailed_statistics`, - params: { - query: { - start, - end, - environment: 'ENVIRONMENT_ALL', - kuery: 'transaction.type : "invalid_transaction_type"', - 
probability: 1, - documentType: ApmDocumentType.TransactionMetric, - rollupInterval: RollupInterval.OneMinute, - bucketSizeInSeconds: 60, - }, - body: { - serviceNames: JSON.stringify(serviceNames), - }, - }, + + it('returns the expected statistics', () => { + checkStats(); }); - expect(response.status).to.be(200); - expect(Object.keys(response.body.currentPeriod)).to.be.empty(); }); - } - ); - registry.when( - 'Services detailed statistics with time comparison', - { config: 'basic', archives: [archiveName] }, - () => { - let servicesDetailedStatistics: ServicesDetailedStatisticsReturn; - before(async () => { - const response = await apmApiClient.readUser({ - endpoint: `POST /internal/apm/services/detailed_statistics`, - params: { - query: { - start: moment(end).subtract(15, 'minutes').toISOString(), - end, - offset: '15m', - environment: 'ENVIRONMENT_ALL', - kuery: '', - probability: 1, - documentType: ApmDocumentType.TransactionMetric, - rollupInterval: RollupInterval.OneMinute, - bucketSizeInSeconds: 60, - }, - body: { - serviceNames: JSON.stringify(serviceNames), - }, - }, + describe('and service transaction metrics are used', () => { + before(async () => { + servicesDetailedStatistics = await getStats({ + documentType: ApmDocumentType.ServiceTransactionMetric, + }); }); - expect(response.status).to.be(200); - servicesDetailedStatistics = response.body; - }); - it('returns current period data', async () => { - expect(servicesDetailedStatistics.currentPeriod).not.to.be.empty(); - }); - it('returns previous period data', async () => { - expect(servicesDetailedStatistics.previousPeriod).not.to.be.empty(); - }); - it('returns current data for requested service names', () => { - serviceNames.forEach((serviceName) => { - expect(servicesDetailedStatistics.currentPeriod[serviceName]).not.to.be.empty(); + it('returns the expected statistics', () => { + checkStats(); }); }); - it('returns previous data for requested service names', () => { - 
serviceNames.forEach((serviceName) => { - expect(servicesDetailedStatistics.currentPeriod[serviceName]).not.to.be.empty(); - }); - }); - it('returns correct statistics', () => { - const currentPeriodStatistics = servicesDetailedStatistics.currentPeriod[serviceNames[0]]; - const previousPeriodStatistics = servicesDetailedStatistics.previousPeriod[serviceNames[0]]; - - expect(currentPeriodStatistics.latency.length).to.be.greaterThan(0); - expect(currentPeriodStatistics.throughput.length).to.be.greaterThan(0); - expect(currentPeriodStatistics.transactionErrorRate.length).to.be.greaterThan(0); - - // latency - const nonNullCurrentPeriodLantencyDataPoints = currentPeriodStatistics.latency.filter( - ({ y }) => isFiniteNumber(y) - ); - expect(nonNullCurrentPeriodLantencyDataPoints.length).to.be.greaterThan(0); - - // throughput - const nonNullCurrentPeriodThroughputDataPoints = currentPeriodStatistics.throughput.filter( - ({ y }) => isFiniteNumber(y) - ); - expect(nonNullCurrentPeriodThroughputDataPoints.length).to.be.greaterThan(0); - // transaction erro rate - const nonNullCurrentPeriodTransactionErrorRateDataPoints = - currentPeriodStatistics.transactionErrorRate.filter(({ y }) => isFiniteNumber(y)); - expect(nonNullCurrentPeriodTransactionErrorRateDataPoints.length).to.be.greaterThan(0); - - expect(previousPeriodStatistics.latency.length).to.be.greaterThan(0); - expect(previousPeriodStatistics.throughput.length).to.be.greaterThan(0); - expect(previousPeriodStatistics.transactionErrorRate.length).to.be.greaterThan(0); - - // latency - const nonNullPreviousPeriodLantencyDataPoints = previousPeriodStatistics.latency.filter( - ({ y }) => isFiniteNumber(y) - ); - expect(nonNullPreviousPeriodLantencyDataPoints.length).to.be.greaterThan(0); - - // throughput - const nonNullPreviousPeriodThroughputDataPoints = - previousPeriodStatistics.throughput.filter(({ y }) => isFiniteNumber(y)); - expect(nonNullPreviousPeriodThroughputDataPoints.length).to.be.greaterThan(0); + 
describe('and rolled up data is used', () => { + before(async () => { + servicesDetailedStatistics = await getStats({ + rollupInterval: RollupInterval.TenMinutes, + bucketSizeInSeconds: 600, + }); + }); - // transaction erro rate - const nonNullPreviousPeriodTransactionErrorRateDataPoints = - previousPeriodStatistics.transactionErrorRate.filter(({ y }) => isFiniteNumber(y)); - expect(nonNullPreviousPeriodTransactionErrorRateDataPoints.length).to.be.greaterThan(0); + it('returns the expected statistics', () => { + checkStats(); + }); }); } ); diff --git a/x-pack/test/apm_api_integration/tests/services/top_services.spec.ts b/x-pack/test/apm_api_integration/tests/services/top_services.spec.ts index cbaada163857e..91534921de4d5 100644 --- a/x-pack/test/apm_api_integration/tests/services/top_services.spec.ts +++ b/x-pack/test/apm_api_integration/tests/services/top_services.spec.ts @@ -31,7 +31,7 @@ export default function ApiTest({ getService }: FtrProviderContext) { const archiveEnd = archiveRange.end; const start = '2021-10-01T00:00:00.000Z'; - const end = '2021-10-01T00:05:00.000Z'; + const end = '2021-10-01T01:00:00.000Z'; registry.when( 'APM Services Overview with a basic license when data is not generated', 
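Review bot: `checkStats` and the synthtrace `instance` both hard-code `'my-service'` while the same value already lives in `serviceNames`, so three places must be kept in sync by hand; use `serviceNames[0]` in `apm.service(serviceNames[0], 'production', 'java')` and in `servicesDetailedStatistics.currentPeriod[serviceNames[0]]`. The arithmetic behind the expected constants is implicit as well: a comment such as `// 3 success + 1 failure + 1 unknown per minute → 5 tpm; failure rate = 1 / (3 + 1), 'unknown' outcomes excluded` would document why `EXPECTED_FAILURE_RATE` is 0.25 rather than 0.2, assuming that is how the server defines the rate. `EXPECTED_LATENCY * 1000` likewise deserves a note on the unit conversion it presumably performs (synthtrace duration vs. API latency).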
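Review bot: Extending `end` from five minutes to a full hour changes how much synthetic data every test in this file indexes, and nothing on the line says why; since this same commit adds a `'when using rolled up data'` case with `RollupInterval.TenMinutes`, the likely reason is that a 5-minute window cannot hold a complete 10-minute bucket. A comment on the line, e.g. `// one full hour so that the 10m rollup buckets used below are populated`, would record that. The `ApiTest` function continues outside the hunk.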
@@ -105,6 +105,29 @@ export default function ApiTest({ getService }: FtrProviderContext) { }, }; + function checkStats() { + const multipleEnvService = response.body.items.find( + (item) => item.serviceName === 'multiple-env-service' + ); + + const totalRps = config.multiple.prod.rps + config.multiple.dev.rps; + + expect(multipleEnvService).to.eql({ + serviceName: 'multiple-env-service', + transactionType: 'request', + environments: ['production', 'development'], + agentName: 'go', + latency: + 1000 * + ((config.multiple.prod.duration * config.multiple.prod.rps + + config.multiple.dev.duration * config.multiple.dev.rps) / + totalRps), + throughput: totalRps * 60, + transactionErrorRate: + config.multiple.dev.rps / (config.multiple.prod.rps + config.multiple.dev.rps), + }); + } + before(async () => { return synthtrace.index([ transactionInterval @@ -179,26 +202,7 @@ export default function ApiTest({ getService }: FtrProviderContext) { }); it('returns the correct statistics', () => { - const multipleEnvService = response.body.items.find( - (item) => item.serviceName === 'multiple-env-service' - ); - - const totalRps = config.multiple.prod.rps + config.multiple.dev.rps; - - expect(multipleEnvService).to.eql({ - serviceName: 'multiple-env-service', - transactionType: 'request', - environments: ['production', 'development'], - agentName: 'go', - latency: - 1000 * - ((config.multiple.prod.duration * config.multiple.prod.rps + - config.multiple.dev.duration * config.multiple.dev.rps) / - totalRps), - throughput: totalRps * 60, - transactionErrorRate: - config.multiple.dev.rps / (config.multiple.prod.rps + config.multiple.dev.rps), - }); + checkStats(); }); it('returns services without transaction data', () => { 
@@ -310,6 +314,60 @@ export default function ApiTest({ getService }: FtrProviderContext) { expect(multipleEnvService?.transactionType).to.eql('rpc'); }); }); + + describe('when using service transaction metrics', () => { + before(async () => { + response = await apmApiClient.readUser({ + endpoint: 'GET /internal/apm/services', + params: { + query: { + start, + end, + environment: ENVIRONMENT_ALL.value, + kuery: '', + probability: 1, + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.OneMinute, + }, + }, + }); + }); + + it('returns services without transaction data', () => { + const serviceNames = response.body.items.map((item) => item.serviceName); + + expect(serviceNames).to.contain('metric-only-service'); + + expect(serviceNames).to.contain('error-only-service'); + }); + + it('returns the correct statistics', () => { + checkStats(); + }); + }); + + describe('when using rolled up data', () => { + before(async () => { + response = await apmApiClient.readUser({ + endpoint: 'GET /internal/apm/services', + params: { + query: { + start, + end, + environment: ENVIRONMENT_ALL.value, + kuery: '', + probability: 1, + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + }, + }, + }); + }); + + it('returns the correct statistics', () => { + checkStats(); + }); + }); } ); diff --git a/x-pack/test/apm_api_integration/tests/time_range_metadata/time_range_metadata.spec.ts b/x-pack/test/apm_api_integration/tests/time_range_metadata/time_range_metadata.spec.ts new file mode 100644 index 0000000000000..fa1230bb8dcf0 --- /dev/null +++ b/x-pack/test/apm_api_integration/tests/time_range_metadata/time_range_metadata.spec.ts 
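Review bot: The two new `before` hooks repeat a full query literal that presumably mirrors the one the enclosing block's own `before` (outside this hunk) uses to populate `response`, differing only in `documentType` / `rollupInterval`; a small helper taking overrides, like the `getStats` added to `services_detailed_statistics.spec.ts` in this same commit, would keep the requests from drifting apart. Both hooks also reassign the shared `response`, so any `it` placed after these `describe`s in the enclosing block would observe the last response rather than the default one — fine with the current layout, but worth a comment such as `// reassigns the shared response; keep these describes last in the block`.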
@@ -0,0 +1,404 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { apm, timerange } from '@kbn/apm-synthtrace-client'; +import expect from '@kbn/expect'; +import { APIClientRequestParamsOf } from '@kbn/apm-plugin/public/services/rest/create_call_apm_api'; +import { omit, sortBy } from 'lodash'; +import moment, { Moment } from 'moment'; +import { ApmDocumentType } from '@kbn/apm-plugin/common/document_type'; +import { RollupInterval } from '@kbn/apm-plugin/common/rollup'; +import { FtrProviderContext } from '../../common/ftr_provider_context'; + +export default function ApiTest({ getService }: FtrProviderContext) { + const registry = getService('registry'); + const apmApiClient = getService('apmApiClient'); + const synthtraceEsClient = getService('synthtraceEsClient'); + + const esClient = getService('es'); + + const start = moment('2022-01-01T00:00:00.000Z'); + const end = moment('2022-01-02T00:00:00.000Z').subtract(1, 'millisecond'); + + async function getTimeRangeMedata( + overrides: Partial< + Omit< + APIClientRequestParamsOf<'GET /internal/apm/time_range_metadata'>['params']['query'], + 'start' | 'end' + > + > & { start: Moment; end: Moment } + ) { + const response = await apmApiClient.readUser({ + endpoint: 'GET /internal/apm/time_range_metadata', + params: { + query: { + start: overrides.start.toISOString(), + end: overrides.end.toISOString(), + enableContinuousRollups: true, + enableServiceTransactionMetrics: true, + useSpanName: false, + kuery: '', + ...omit(overrides, 'start', 'end'), + }, + }, + }); + + return { + ...response.body, + sources: sortBy(response.body.sources, ['documentType', 'rollupInterval']), + }; + } + + registry.when('Time range metadata without data', { config: 'basic', archives: [] }, () => { + it('handles empty state', 
async () => { + const response = await getTimeRangeMedata({ + start, + end, + }); + + expect(response.isUsingServiceDestinationMetrics).to.eql(false); + expect(response.sources.filter((source) => source.hasDocs)).to.eql([ + { + documentType: ApmDocumentType.TransactionEvent, + rollupInterval: RollupInterval.None, + hasDocs: true, + }, + ]); + }); + }); + + registry.when( + 'Time range metadata when generating data', + { config: 'basic', archives: [] }, + () => { + before(() => { + const instance = apm.service('my-service', 'production', 'java').instance('instance'); + + return synthtraceEsClient.index( + timerange(moment(start).subtract(1, 'day'), end) + .interval('1m') + .rate(1) + .generator((timestamp) => { + return instance.transaction('GET /api').duration(100).timestamp(timestamp); + }) + ); + }); + + after(() => { + return synthtraceEsClient.clean(); + }); + + describe('with default settings', () => { + it('returns all available document sources', async () => { + const response = await getTimeRangeMedata({ + start, + end, + }); + + expect(response.sources).to.eql([ + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionEvent, + rollupInterval: RollupInterval.None, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + ]); + }); + }); + + describe('with 
continuous rollups disabled', () => { + it('returns only 1m intervals', async () => { + const response = await getTimeRangeMedata({ + start, + end, + enableContinuousRollups: false, + }); + + expect(response.sources).to.eql([ + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionEvent, + rollupInterval: RollupInterval.None, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + ]); + }); + }); + + describe('with service metrics disabled', () => { + it('only returns tx metrics and events as available sources', async () => { + const response = await getTimeRangeMedata({ + start, + end, + enableServiceTransactionMetrics: false, + }); + + expect(response.sources).to.eql([ + { + documentType: ApmDocumentType.TransactionEvent, + rollupInterval: RollupInterval.None, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + ]); + }); + }); + + describe('when data is available before the time range', () => { + it('marks all those sources as available', async () => { + const response = await getTimeRangeMedata({ + start: moment(start).add(12, 'hours'), + end: moment(end).add(12, 'hours'), + }); + + expect(response.sources).to.eql([ + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: 
ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionEvent, + rollupInterval: RollupInterval.None, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + ]); + }); + }); + + describe('when data is not available before the time range, but is within the time range', () => { + it('marks those sources as available', async () => { + const response = await getTimeRangeMedata({ + start: moment(start).add(6, 'hours'), + end: moment(end).add(6, 'hours'), + }); + + expect(response.sources).to.eql([ + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: ApmDocumentType.ServiceTransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionEvent, + rollupInterval: RollupInterval.None, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + ]); + }); + }); + + describe('when service metrics are only available in the current time range', () => { + before(async () => { + await esClient.deleteByQuery({ + index: 'metrics-apm*', + 
query: { + bool: { + filter: [ + { + terms: { + 'metricset.name': ['service_transaction', 'service_summary'], + }, + }, + { + range: { + '@timestamp': { + lte: start.toISOString(), + }, + }, + }, + ], + }, + }, + refresh: true, + expand_wildcards: ['open', 'hidden'], + }); + }); + + it('marks service transaction metrics as unavailable', async () => { + const response = await getTimeRangeMedata({ + start, + end, + }); + + expect( + response.sources.filter( + (source) => + source.documentType === ApmDocumentType.ServiceTransactionMetric && + source.hasDocs === false + ).length + ).to.eql(3); + + expect( + response.sources.filter( + (source) => + source.documentType === ApmDocumentType.TransactionMetric && source.hasDocs === true + ).length + ).to.eql(3); + }); + }); + + describe('after deleting a specific data set', () => { + before(async () => { + await esClient.deleteByQuery({ + index: 'metrics-apm*', + query: { + bool: { + filter: [ + { + terms: { + 'metricset.name': ['transaction'], + }, + }, + { + term: { + 'metricset.interval': '1m', + }, + }, + ], + }, + }, + refresh: true, + expand_wildcards: ['open', 'hidden'], + }); + }); + + it('marks that data source as unavailable', async () => { + const response = await getTimeRangeMedata({ + start, + end, + }); + + expect( + response.sources.filter( + (source) => source.documentType === ApmDocumentType.TransactionMetric + ) + ).to.eql([ + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.TenMinutes, + hasDocs: true, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.OneMinute, + hasDocs: false, + }, + { + documentType: ApmDocumentType.TransactionMetric, + rollupInterval: RollupInterval.SixtyMinutes, + hasDocs: true, + }, + ]); + }); + }); + + after(() => synthtraceEsClient.clean()); + } + ); +} From 0958c59f0b33a0ba913f761fc5d544fa11a8b4b1 Mon Sep 17 00:00:00 2001 
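Review bot: The `after(() => synthtraceEsClient.clean())` registered at the very end of the 'Time range metadata when generating data' callback duplicates the `after` hook registered immediately after `before` in the same callback, so the index cleanup runs twice per suite; one of the two should be removed. The helper is misspelled as `getTimeRangeMedata` and, since it is local to this file, can simply be renamed `getTimeRangeMetadata` at its definition and every call site. The two `before` hooks that call `esClient.deleteByQuery` mutate shared data without restoring it, so the later `describe` blocks only pass in this exact order; a one-line comment above each, e.g. `// destructive: later describe blocks rely on this deletion having run`, would make that dependency explicit.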
From: Nathan Reese Date: Tue, 7 Feb 2023 07:31:21 -0700 Subject: [PATCH 24/27] [Maps] fix Kibana maps should not override the sort field if not provided by the user (#150400) Fixes https://github.com/elastic/kibana/issues/150184 PR updates vector tile search request body generation to only populate `sort` property when its provided. PR also cleans up some `any` types with types from elasticsearch client. --- .../maps/common/mvt_request_body.test.ts | 44 ++++++++++++++++- .../plugins/maps/common/mvt_request_body.ts | 49 ++++++++++++------- x-pack/plugins/maps/server/mvt/mvt_routes.ts | 13 +++-- 3 files changed, 84 insertions(+), 22 deletions(-) diff --git a/x-pack/plugins/maps/common/mvt_request_body.test.ts b/x-pack/plugins/maps/common/mvt_request_body.test.ts index fd67cdeed3e8b..eef26cb526ad4 100644 --- a/x-pack/plugins/maps/common/mvt_request_body.test.ts +++ b/x-pack/plugins/maps/common/mvt_request_body.test.ts @@ -5,6 +5,7 @@ * 2.0. */ +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { decodeMvtResponseBody, encodeMvtResponseBody, @@ -23,7 +24,7 @@ describe('decodeMvtResponseBody', () => { stored_fields: ['geopoint'], runtime_mappings: { 'day of week': { - type: 'keyword', + type: 'keyword' as estypes.MappingRuntimeFieldType, script: { source: "ZonedDateTime input = doc['ISSUE_DATE'].value;\nString output = input.format(DateTimeFormatter.ofPattern('e')) + ' ' + input.format(DateTimeFormatter.ofPattern('E'));\nemit(output);", @@ -64,7 +65,7 @@ describe('decodeMvtResponseBody', () => { _source: false, runtime_mappings: { price_as_number: { - type: 'keyword', + type: 'keyword' as estypes.MappingRuntimeFieldType, script: { source: runtimeFieldScript, }, 
@@ -124,4 +125,43 @@ describe('getHitsTileRequest', () => { }); expect(path).toEqual('/my%20index/_mvt/my%20location/0/0/0'); }); + + describe('sort', () => { + test(`Should include sort`, () => { + const searchRequest = { + size: 10000, + runtime_mappings: {}, + query: {}, + sort: ['timestamp'], + }; + const { body } = getHitsTileRequest({ + encodedRequestBody: encodeMvtResponseBody(searchRequest), + geometryFieldName: 'my location', + hasLabels: true, + index: 'my index', + x: 0, + y: 0, + z: 0, + }); + expect(body).toHaveProperty('sort'); + }); + + test(`Should not include sort when sort not provided`, () => { + const searchRequest = { + size: 10000, + runtime_mappings: {}, + query: {}, + }; + const { body } = getHitsTileRequest({ + encodedRequestBody: encodeMvtResponseBody(searchRequest), + geometryFieldName: 'my location', + hasLabels: true, + index: 'my index', + x: 0, + y: 0, + z: 0, + }); + expect(body).not.toHaveProperty('sort'); + }); + }); }); diff --git a/x-pack/plugins/maps/common/mvt_request_body.ts b/x-pack/plugins/maps/common/mvt_request_body.ts index f876caefe0312..72b78786e5046 100644 --- a/x-pack/plugins/maps/common/mvt_request_body.ts +++ b/x-pack/plugins/maps/common/mvt_request_body.ts 
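Review bot: `expect(body).toHaveProperty('sort')` only checks that the key exists, while the behaviour under test is that the user's sort is forwarded unchanged; pin the value as well with `expect(body).toHaveProperty('sort', ['timestamp']);`. The negative case could likewise assert `expect(body).not.toHaveProperty('fields')`, since the production change drops the `fields: []` default in the same way and that is otherwise untested.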
@@ -6,13 +6,16 @@ */ import rison from '@kbn/rison'; +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { RENDER_AS } from './constants'; -export function decodeMvtResponseBody(encodedRequestBody: string): object { - return rison.decode(decodeURIComponent(encodedRequestBody).replace('%25', '%')) as object; +export function decodeMvtResponseBody(encodedRequestBody: string): estypes.SearchRequest['body'] { + return rison.decode( + decodeURIComponent(encodedRequestBody).replace('%25', '%') + ) as estypes.SearchRequest['body']; } -export function encodeMvtResponseBody(unencodedRequestBody: object): string { +export function encodeMvtResponseBody(unencodedRequestBody: estypes.SearchRequest['body']): string { // URL encoding replaces unsafe ASCII characters with a '%' followed by two hexadecimal digits // encodeURIComponent does not encode '%' // This causes preexisting '%' to break decoding because they are not valid URL encoding @@ -41,7 +44,10 @@ export function getAggsTileRequest({ y: number; z: number; }) { - const requestBody = decodeMvtResponseBody(encodedRequestBody) as any; + const requestBody = decodeMvtResponseBody(encodedRequestBody); + if (!requestBody) { + throw new Error('Required requestBody parameter not provided'); + } return { path: `/${encodeURIComponent(index)}/_mvt/${encodeURIComponent( geometryFieldName @@ -58,7 +64,7 @@ export function getAggsTileRequest({ fields: requestBody.fields ? requestBody.fields : [], runtime_mappings: requestBody.runtime_mappings, with_labels: hasLabels, - }, + } as estypes.SearchMvtRequest['body'], }; } 
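Review bot: The `if (!requestBody)` guard added in getAggsTileRequest rejects only falsy values, but `rison.decode` can return a string, number or array for a well-formed rison payload, and the `as estypes.SearchRequest['body']` cast in decodeMvtResponseBody lets such a value through the type checker unchanged. Because the encoded body arrives from the request query string, the guard should also reject non-objects, e.g. `if (!requestBody || typeof requestBody !== 'object' || Array.isArray(requestBody)) { throw new Error('Required requestBody parameter not provided'); }`. The identical guard is repeated in getHitsTileRequest in the next hunk; a small shared helper would keep the two checks in step.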
@@ -79,21 +85,30 @@ export function getHitsTileRequest({ y: number; z: number; }) { - const requestBody = decodeMvtResponseBody(encodedRequestBody) as any; + const requestBody = decodeMvtResponseBody(encodedRequestBody); + if (!requestBody) { + throw new Error('Required requestBody parameter not provided'); + } + const tileRequestBody = { + grid_precision: 0, // no aggs + exact_bounds: true, + extent: 4096, // full resolution, + query: requestBody.query, + runtime_mappings: requestBody.runtime_mappings, + track_total_hits: typeof requestBody.size === 'number' ? requestBody.size + 1 : false, + with_labels: hasLabels, + } as estypes.SearchMvtRequest['body']; + if (requestBody.fields) { + // @ts-expect-error SearchRequest['body'].fields and SearchMvtRequest['body'].fields types do not allign, even though they do in implemenation + tileRequestBody.fields = requestBody.fields; + } + if (requestBody.sort) { + tileRequestBody!.sort = requestBody.sort; + } return { path: `/${encodeURIComponent(index)}/_mvt/${encodeURIComponent( geometryFieldName )}/${z}/${x}/${y}`, - body: { - grid_precision: 0, // no aggs - exact_bounds: true, - extent: 4096, // full resolution, - query: requestBody.query, - fields: requestBody.fields ? requestBody.fields : [], - runtime_mappings: requestBody.runtime_mappings, - sort: requestBody.sort ? requestBody.sort : [], - track_total_hits: typeof requestBody.size === 'number' ? requestBody.size + 1 : false, - with_labels: hasLabels, - }, + body: tileRequestBody, }; } diff --git a/x-pack/plugins/maps/server/mvt/mvt_routes.ts b/x-pack/plugins/maps/server/mvt/mvt_routes.ts index 6fd7374fb69c1..96f6bafadabfd 100644 --- a/x-pack/plugins/maps/server/mvt/mvt_routes.ts +++ b/x-pack/plugins/maps/server/mvt/mvt_routes.ts 
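Review bot: `tileRequestBody!.sort = requestBody.sort;` applies a non-null assertion to a `const` object literal that can never be null, so the `!` is dead and should be dropped: `tileRequestBody.sort = requestBody.sort;`. The `@ts-expect-error` comment above the `fields` assignment has two typos ('allign', 'implemenation'), and since the directive silences any future error on that line, the comment should name precisely the mismatch it covers. The old body always sent `fields: []` when none were supplied while the new one omits `fields` entirely; that is presumably intended, mirroring the `sort` change, but the commit message mentions only `sort`.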
@@ -13,6 +13,7 @@ import { CoreStart, KibanaRequest, KibanaResponseFactory, Logger } from '@kbn/co import { IRouter } from '@kbn/core/server'; import type { DataRequestHandlerContext } from '@kbn/data-plugin/server'; import { errors } from '@elastic/elasticsearch'; +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { MVT_GETTILE_API_PATH, API_ROOT_PATH, @@ -61,7 +62,10 @@ export function initMVTRoutes({ const y = parseInt((params as any).y, 10) as number; const z = parseInt((params as any).z, 10) as number; - let tileRequest: { path: string; body: object } | undefined; + let tileRequest: { path: string; body: estypes.SearchMvtRequest['body'] } = { + path: '', + body: {}, + }; try { tileRequest = getHitsTileRequest({ encodedRequestBody: query.requestBody as string, @@ -123,7 +127,10 @@ export function initMVTRoutes({ const y = parseInt((params as any).y, 10) as number; const z = parseInt((params as any).z, 10) as number; - let tileRequest: { path: string; body: object } | undefined; + let tileRequest: { path: string; body: estypes.SearchMvtRequest['body'] } = { + path: '', + body: {}, + }; try { tileRequest = getAggsTileRequest({ encodedRequestBody: query.requestBody as string, @@ -168,7 +175,7 @@ async function getTile({ path, }: { abortController: AbortController; - body: object; + body: estypes.SearchMvtRequest['body']; context: DataRequestHandlerContext; core: CoreStart; executionContext: KibanaExecutionContext; From 1e445059d798cdfdc0496eccf48cb35b8b7559ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Fern=C3=A1ndez=20Haro?= Date: Tue, 7 Feb 2023 15:50:14 +0100 Subject: [PATCH 25/27] Unskip `saved_object_tagging` FTRs (#149962) Resolves https://github.com/elastic/kibana/issues/88639 --- .../functional/tests/visualize_integration.ts | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) 
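Review bot: Replacing `let tileRequest: { ... } | undefined` with a pre-populated `{ path: '', body: {} }` removes the compiler's definite-assignment check: if `getHitsTileRequest` throws and the `catch` block (outside this hunk) does not return, the handler continues with an empty path and an empty body. If the catch always returns a response, keeping the `| undefined` form, or building the request with a `const` inside the `try`, preserves that guarantee in the type rather than relying on a sentinel value. The same substitution is made in the `getAggsTileRequest` hunk below.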
diff --git a/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts b/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts index d7160a590185d..a7a03a58ba0cf 100644 --- a/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts +++ b/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts @@ -94,7 +94,10 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await listingTable.searchForItemWithName('tag:(tag-1)', { escape: false }); await listingTable.expectItemsCount('visualize', 2); const itemNames = await listingTable.getAllSelectableItemsNames(); - expect(itemNames).to.eql(['Visualization 1 (tag-1)', 'Visualization 3 (tag-1 + tag-3)']); + expect(itemNames.sort()).to.eql([ + 'Visualization 1 (tag-1)', + 'Visualization 3 (tag-1 + tag-3)', + ]); }); it('allows to filter by selecting a tag in the filter menu', async () => { @@ -102,7 +105,10 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await listingTable.expectItemsCount('visualize', 2); const itemNames = await listingTable.getAllSelectableItemsNames(); - expect(itemNames).to.eql(['Visualization 1 (tag-1)', 'Visualization 3 (tag-1 + tag-3)']); + expect(itemNames.sort()).to.eql([ + 'Visualization 1 (tag-1)', + 'Visualization 3 (tag-1 + tag-3)', + ]); }); it('allows to filter by multiple tags', async () => { @@ -110,7 +116,10 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await listingTable.expectItemsCount('visualize', 2); const itemNames = await listingTable.getAllSelectableItemsNames(); - expect(itemNames).to.eql(['Visualization 2 (tag-2)', 'Visualization 3 (tag-1 + tag-3)']); + expect(itemNames.sort()).to.eql([ + 'Visualization 2 (tag-2)', + 'Visualization 3 (tag-1 + tag-3)', + ]); }); }); 
@@ -181,8 +190,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { }); }); - // FLAKY: https://github.com/elastic/kibana/issues/88639 - describe.skip('editing', () => { + describe('editing', () => { before(async () => { await PageObjects.visualize.gotoVisualizationLandingPage(); await PageObjects.visualize.deleteAllVisualizations(); From 0d630d97cd39970538a1d3beeff3f484ace997a7 Mon Sep 17 00:00:00 2001 From: Dominique Clarke Date: Tue, 7 Feb 2023 09:54:02 -0500 Subject: [PATCH 26/27] [Synthetics] push pending monitors to bottom of list (#149899) ## Summary Resolves https://github.com/elastic/kibana/issues/149429 Screen Shot 2023-02-06 at 10 03 02 AM ### Testing 1. Create a monitor that will remain in pending state. Ideally, the monitors name should be first alphabetically, so you can have a valid test that the monitor is pushed to the end despite its alphabetical placement. You can ensure it will remain in pending state by doing one of the following: create a private location without attaching it to an elastic-agent or connecting to the dev synthetics service and choosing the staging location. 2. Navigate to Overview. Ensure the pending monitor is pushed to the last in the list --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../synthetics_overview_status.ts | 19 +- .../overview/overview/overview_alerts.tsx | 10 +- .../overview_errors/overview_errors.tsx | 12 +- .../use_monitors_sorted_by_status.test.tsx | 28 +++ .../hooks/use_monitors_sorted_by_status.tsx | 13 +- .../status_rule/status_rule_executor.ts | 52 +++-- .../server/queries/query_monitor_status.ts | 58 ++++- .../routes/status/current_status.test.ts | 205 +++++++++++++++++- .../server/routes/status/current_status.ts | 14 +- .../get_all_monitors.test.ts | 41 +++- .../synthetics_monitor/get_all_monitors.ts | 10 +- 11 files changed, 409 insertions(+), 53 deletions(-) 
diff --git a/x-pack/plugins/synthetics/common/runtime_types/monitor_management/synthetics_overview_status.ts b/x-pack/plugins/synthetics/common/runtime_types/monitor_management/synthetics_overview_status.ts index a519036240b50..046f030b4d712 100644 --- a/x-pack/plugins/synthetics/common/runtime_types/monitor_management/synthetics_overview_status.ts +++ b/x-pack/plugins/synthetics/common/runtime_types/monitor_management/synthetics_overview_status.ts @@ -11,12 +11,25 @@ import { PingType } from '..'; export const OverviewStatusMetaDataCodec = t.interface({ monitorQueryId: t.string, configId: t.string, + status: t.string, location: t.string, timestamp: t.string, - status: t.string, ping: PingType, }); +export const OverviewPendingStatusMetaDataCodec = t.intersection([ + t.interface({ + monitorQueryId: t.string, + configId: t.string, + status: t.string, + location: t.string, + }), + t.partial({ + timestamp: t.string, + ping: PingType, + }), +]); + export const OverviewStatusCodec = t.interface({ allMonitorsCount: t.number, disabledMonitorsCount: t.number, @@ -27,8 +40,9 @@ export const OverviewStatusCodec = t.interface({ disabledCount: t.number, upConfigs: t.record(t.string, OverviewStatusMetaDataCodec), downConfigs: t.record(t.string, OverviewStatusMetaDataCodec), + pendingConfigs: t.record(t.string, OverviewPendingStatusMetaDataCodec), + enabledMonitorQueryIds: t.array(t.string), allIds: t.array(t.string), - enabledIds: t.array(t.string), }); export const OverviewStatusStateCodec = t.intersection([ @@ -41,3 +55,4 @@ export const OverviewStatusStateCodec = t.intersection([ export type OverviewStatus = t.TypeOf; export type OverviewStatusState = t.TypeOf; export type OverviewStatusMetaData = t.TypeOf; +export type OverviewPendingStatusMetaData = t.TypeOf; 
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_alerts.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_alerts.tsx index 6592fa7bb071c..13629e2e64c54 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_alerts.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_alerts.tsx @@ -61,7 +61,10 @@ export const OverviewAlerts = () => { selectedMetricField: RECORDS_FIELD, reportDefinitions: { 'kibana.alert.rule.category': ['Synthetics monitor status'], - 'monitor.id': status?.enabledIds.length > 0 ? status?.enabledIds : ['false-id'], + 'monitor.id': + status?.enabledMonitorQueryIds.length > 0 + ? status?.enabledMonitorQueryIds + : ['false-id'], }, filters: [{ field: 'kibana.alert.status', values: ['active', 'recovered'] }], color: theme.eui.euiColorVis1, @@ -83,7 +86,10 @@ export const OverviewAlerts = () => { }, reportDefinitions: { 'kibana.alert.rule.category': ['Synthetics monitor status'], - 'monitor.id': status?.enabledIds.length > 0 ? status?.enabledIds : ['false-id'], + 'monitor.id': + status?.enabledMonitorQueryIds.length > 0 + ? status?.enabledMonitorQueryIds + : ['false-id'], }, dataType: 'alerts', selectedMetricField: RECORDS_FIELD, diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_errors/overview_errors.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_errors/overview_errors.tsx index 94d937bdec241..636da377442fa 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_errors/overview_errors.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/overview_errors/overview_errors.tsx 
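Review bot: `status?.enabledMonitorQueryIds.length > 0` compares a possibly-`undefined` value with a number; it behaves at runtime (`undefined > 0` is `false`) but is normally rejected under `strictNullChecks`, so presumably `status` is typed more loosely than the codec suggests. The expression is also duplicated verbatim in both hunks; hoisting it once, `const alertMonitorIds = status?.enabledMonitorQueryIds?.length ? status.enabledMonitorQueryIds : ['false-id'];`, and using `'monitor.id': alertMonitorIds` in both report definitions removes the duplication and the nullable comparison. The enclosing OverviewAlerts component starts before these hunks.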
@@ -40,10 +40,18 @@ export function OverviewErrors() { ) : ( - + - + diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.test.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.test.tsx index fbc5122146454..16fdc7cd5a497 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.test.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.test.tsx @@ -101,6 +101,13 @@ describe('useMonitorsSortedByStatus', () => { location: location2, isEnabled: true, }, + { + configId: 'test-monitor-4', + id: 'test-monitor-4', + name: 'Test monitor 4', + location: location1, + isEnabled: true, + }, ], }, error: null, @@ -143,6 +150,13 @@ describe('useMonitorsSortedByStatus', () => { location: location1.label, }, }, + pendingConfigs: { + [`test-monitor-4-${location1.label}`]: { + configId: 'test-monitor-4', + monitorQueryId: 'test-monitor-4', + location: location1.label, + }, + }, }, }, }} @@ -200,6 +214,13 @@ describe('useMonitorsSortedByStatus', () => { location: location1, isEnabled: false, }, + { + configId: 'test-monitor-4', + id: 'test-monitor-4', + name: 'Test monitor 4', + location: location1, + isEnabled: true, + }, ], downMonitors: { 'test-monitor-1': ['US Central'], @@ -259,6 +280,13 @@ describe('useMonitorsSortedByStatus', () => { location: location1, isEnabled: false, }, + { + configId: 'test-monitor-4', + id: 'test-monitor-4', + name: 'Test monitor 4', + location: location1, + isEnabled: true, + }, ], downMonitors: { 'test-monitor-1': ['US Central'], diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.tsx index 76c2d270a09a7..2148b7e5eeb30 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.tsx 
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_monitors_sorted_by_status.tsx @@ -31,10 +31,11 @@ export function useMonitorsSortedByStatus() { down: [], up: [], disabled: [], + pending: [], }; } - const { downConfigs } = status; + const { downConfigs, pendingConfigs } = status; const downMonitorMap: Record = {}; Object.values(downConfigs).forEach(({ location, configId }) => { if (downMonitorMap[configId]) { @@ -47,6 +48,7 @@ export function useMonitorsSortedByStatus() { const orderedDownMonitors: MonitorOverviewItem[] = []; const orderedUpMonitors: MonitorOverviewItem[] = []; const orderedDisabledMonitors: MonitorOverviewItem[] = []; + const orderedPendingMonitors: MonitorOverviewItem[] = []; monitors.forEach((monitor) => { const monitorLocation = locationNames[monitor.location.id]; @@ -57,6 +59,8 @@ export function useMonitorsSortedByStatus() { downMonitorMap[monitor.configId].includes(monitorLocation) ) { orderedDownMonitors.push(monitor); + } else if (pendingConfigs?.[`${monitor.configId}-${locationNames[monitor.location.id]}`]) { + orderedPendingMonitors.push(monitor); } else { orderedUpMonitors.push(monitor); } @@ -67,6 +71,7 @@ export function useMonitorsSortedByStatus() { down: orderedDownMonitors, up: orderedUpMonitors, disabled: orderedDisabledMonitors, + pending: orderedPendingMonitors, }; }, [monitors, locationNames, downMonitors, status]); @@ -96,7 +101,11 @@ export function useMonitorsSortedByStatus() { : [...monitorsSortedByStatus.up, ...monitorsSortedByStatus.down]; return { - monitorsSortedByStatus: [...upAndDownMonitors, ...monitorsSortedByStatus.disabled], + monitorsSortedByStatus: [ + ...upAndDownMonitors, + ...monitorsSortedByStatus.disabled, + ...monitorsSortedByStatus.pending, + ], downMonitors: downMonitors.current, }; }, [downMonitors, monitorsSortedByStatus, sortOrder, statusFilter]); 
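Review bot: The new `else if` recomputes `locationNames[monitor.location.id]` even though `monitorLocation` already holds that value two lines earlier in the same loop body; use `pendingConfigs?.[`${monitor.configId}-${monitorLocation}`]` instead. The optional chaining on `pendingConfigs?.` implies `status.pendingConfigs` can be absent, whereas `downConfigs` from the same destructuring is used unguarded; if the codec now requires `pendingConfigs`, drop the `?.`, otherwise add a comment stating which payload lacks it. The enclosing useMonitorsSortedByStatus hook and its useMemo start before the first hunk.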
diff --git a/x-pack/plugins/synthetics/server/alert_rules/status_rule/status_rule_executor.ts b/x-pack/plugins/synthetics/server/alert_rules/status_rule/status_rule_executor.ts index ba5327d200b46..1e28763c60a2b 100644 --- a/x-pack/plugins/synthetics/server/alert_rules/status_rule/status_rule_executor.ts +++ b/x-pack/plugins/synthetics/server/alert_rules/status_rule/status_rule_executor.ts @@ -93,24 +93,43 @@ export class StatusRuleExecutor { search: `attributes.${AlertConfigKey.STATUS_ENABLED}: true`, }); - const { allIds, enabledIds, listOfLocations, monitorLocationMap, projectMonitorsCount } = - await processMonitors( - this.monitors, - this.server, - this.soClient, - this.syntheticsMonitorClient - ); + const { + allIds, + enabledMonitorQueryIds, + listOfLocations, + monitorLocationMap, + projectMonitorsCount, + monitorQueryIdToConfigIdMap, + } = await processMonitors( + this.monitors, + this.server, + this.soClient, + this.syntheticsMonitorClient + ); - return { enabledIds, listOfLocations, allIds, monitorLocationMap, projectMonitorsCount }; + return { + enabledMonitorQueryIds, + listOfLocations, + allIds, + monitorLocationMap, + projectMonitorsCount, + monitorQueryIdToConfigIdMap, + }; } async getDownChecks( prevDownConfigs: OverviewStatus['downConfigs'] = {} ): Promise { - const { listOfLocations, enabledIds, allIds, monitorLocationMap, projectMonitorsCount } = - await this.getMonitors(); + const { + listOfLocations, + enabledMonitorQueryIds, + allIds, + monitorLocationMap, + projectMonitorsCount, + monitorQueryIdToConfigIdMap, + } = await this.getMonitors(); - if (enabledIds.length > 0) { + if (enabledMonitorQueryIds.length > 0) { const currentStatus = await queryMonitorStatus( this.esClient, listOfLocations, 
@@ -118,8 +137,9 @@ export class StatusRuleExecutor { to: 'now', from: this.previousStartedAt?.toISOString() ?? 'now-1m', }, - enabledIds, - monitorLocationMap + enabledMonitorQueryIds, + monitorLocationMap, + monitorQueryIdToConfigIdMap ); const downConfigs = currentStatus.downConfigs; @@ -138,18 +158,20 @@ export class StatusRuleExecutor { staleDownConfigs, projectMonitorsCount, allMonitorsCount: allIds.length, - disabledMonitorsCount: allIds.length - enabledIds.length, + disabledMonitorsCount: allIds.length - enabledMonitorQueryIds.length, + allIds, }; } const staleDownConfigs = this.markDeletedConfigs(prevDownConfigs); return { downConfigs: { ...prevDownConfigs }, upConfigs: {}, + pendingConfigs: {}, staleDownConfigs, down: 0, up: 0, pending: 0, - enabledIds, + enabledMonitorQueryIds, allMonitorsCount: allIds.length, disabledMonitorsCount: allIds.length, projectMonitorsCount, diff --git a/x-pack/plugins/synthetics/server/queries/query_monitor_status.ts b/x-pack/plugins/synthetics/server/queries/query_monitor_status.ts index 41f18f5ddd8c6..fef2eaa7be319 100644 --- a/x-pack/plugins/synthetics/server/queries/query_monitor_status.ts +++ b/x-pack/plugins/synthetics/server/queries/query_monitor_status.ts @@ -4,12 +4,16 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ - -import { intersection } from 'lodash'; +import { cloneDeep, intersection } from 'lodash'; import { SearchRequest } from '@elastic/elasticsearch/lib/api/types'; import { SUMMARY_FILTER } from '../../common/constants/client_defaults'; import { UptimeEsClient } from '../legacy_uptime/lib/lib'; -import { OverviewStatus, OverviewStatusMetaData, Ping } from '../../common/runtime_types'; +import { + OverviewStatus, + OverviewStatusMetaData, + OverviewPendingStatusMetaData, + Ping, +} from '../../common/runtime_types'; const DEFAULT_MAX_ES_BUCKET_SIZE = 10000; 
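Review bot: In the `@@ -138` hunk the return inside the `enabledMonitorQueryIds.length > 0` branch now includes `allIds`, but the fallback return at the end of getDownChecks still omits it, so the two branches of one method produce different shapes; if the declared return type requires `allIds` (the OverviewStatusCodec changed in this PR lists it), add `allIds,` to the fallback object as well. `disabledMonitorsCount: allIds.length` in that fallback is pre-existing but reads as a copy-paste error next to the `allIds.length - enabledMonitorQueryIds.length` above; a one-line comment such as `// no enabled monitors, so every monitor is counted as disabled` would settle it. getDownChecks begins in the previous hunk.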
@@ -17,17 +21,23 @@ export async function queryMonitorStatus( esClient: UptimeEsClient, listOfLocations: string[], range: { from: string | number; to: string }, - ids: string[], - monitorLocationsMap: Record + monitorQueryIds: string[], + monitorLocationsMap: Record, + monitorQueryIdToConfigIdMap: Record ): Promise< Omit< OverviewStatus, - 'disabledCount' | 'allMonitorsCount' | 'disabledMonitorsCount' | 'projectMonitorsCount' + | 'disabledCount' + | 'allMonitorsCount' + | 'disabledMonitorsCount' + | 'projectMonitorsCount' + | 'allIds' > > { const idSize = Math.trunc(DEFAULT_MAX_ES_BUCKET_SIZE / listOfLocations.length || 1); - const pageCount = Math.ceil(ids.length / idSize); + const pageCount = Math.ceil(monitorQueryIds.length / idSize); const promises: Array> = []; + const monitorsWithoutData = new Map(Object.entries(cloneDeep(monitorLocationsMap))); for (let i = 0; i < pageCount; i++) { const params: SearchRequest = { size: 0, @@ -47,7 +57,7 @@ export async function queryMonitorStatus( }, { terms: { - 'monitor.id': (ids as string[]).slice(i * idSize, i * idSize + idSize), + 'monitor.id': (monitorQueryIds as string[]).slice(i * idSize, i * idSize + idSize), }, }, ...(listOfLocations.length > 0 @@ -114,6 +124,7 @@ export async function queryMonitorStatus( let pending = 0; const upConfigs: Record = {}; const downConfigs: Record = {}; + const pendingConfigs: Record = {}; for await (const response of promises) { response.body.aggregations?.id.buckets.forEach( @@ -162,6 +173,14 @@ export async function queryMonitorStatus( status: 'up', }; } + const monitorsMissingData = monitorsWithoutData.get(monitorQueryId) || []; + monitorsWithoutData.set( + monitorQueryId, + monitorsMissingData?.filter((loc) => loc !== monLocation) + ); + if (!monitorsWithoutData.get(monitorQueryId)?.length) { + monitorsWithoutData.delete(monitorQueryId); + } } else { pending += 1; } 
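Review bot: In the `@@ -162` hunk `monitorsMissingData` is already defaulted with `|| []`, so the `?.` in `monitorsMissingData?.filter(...)` is dead; and because `filter` returns a new array and the entry is replaced via `set`, the arrays from `monitorLocationsMap` are never mutated, which makes the `cloneDeep` in `new Map(Object.entries(cloneDeep(monitorLocationsMap)))` (first hunk) unnecessary — `new Map(Object.entries(monitorLocationsMap))` suffices and the lodash import can stay as `intersection` alone. The get/set/delete sequence also reads more simply as `const remaining = (monitorsWithoutData.get(monitorQueryId) ?? []).filter((loc) => loc !== monLocation);` followed by `if (remaining.length) monitorsWithoutData.set(monitorQueryId, remaining); else monitorsWithoutData.delete(monitorQueryId);`. queryMonitorStatus continues past this hunk.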
@@ -169,5 +188,26 @@ export async function queryMonitorStatus(
 }
 );
 }
- return { up, down, pending, upConfigs, downConfigs, enabledIds: ids, allIds: ids };
+
+ // identify the remaining monitos without data, to determine pending monitors
+ for (const [queryId, locs] of monitorsWithoutData) {
+ locs.forEach((loc) => {
+ pendingConfigs[`${monitorQueryIdToConfigIdMap[queryId]}-${loc}`] = {
+ configId: `${monitorQueryIdToConfigIdMap[queryId]}`,
+ monitorQueryId: queryId,
+ status: 'unknown',
+ location: loc,
+ };
+ });
+ }
+
+ return {
+ up,
+ down,
+ pending,
+ upConfigs,
+ downConfigs,
+ pendingConfigs,
+ enabledMonitorQueryIds: monitorQueryIds,
+ };
 }
diff --git a/x-pack/plugins/synthetics/server/routes/status/current_status.test.ts b/x-pack/plugins/synthetics/server/routes/status/current_status.test.ts
index b86d611edf32f..484c556339d74 100644
--- a/x-pack/plugins/synthetics/server/routes/status/current_status.test.ts
+++ b/x-pack/plugins/synthetics/server/routes/status/current_status.test.ts
@@ -172,13 +172,16 @@ describe('current status route', () => {
 ['Europe - Germany', 'Asia/Pacific - Japan'],
 { from: 140000, to: 'now' },
 ['id1', 'id2'],
- { id1: ['Asia/Pacific - Japan'], id2: ['Europe - Germany', 'Asia/Pacific - Japan'] }
+ { id1: ['Asia/Pacific - Japan'], id2: ['Europe - Germany', 'Asia/Pacific - Japan'] },
+ {
+ id1: 'id1',
+ id2: 'id2',
+ }
 )
 ).toEqual({
 pending: 0,
 down: 1,
- enabledIds: ['id1', 'id2'],
- allIds: ['id1', 'id2'],
+ enabledMonitorQueryIds: ['id1', 'id2'],
 up: 2,
 upConfigs: {
 'id1-Asia/Pacific - Japan': {
@@ -208,6 +211,7 @@ describe('current status route', () => {
 timestamp: expect.any(String),
 },
 },
+ pendingConfigs: {},
 });
 });
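Review bot: `monitorQueryIdToConfigIdMap[queryId]` is read through a template literal twice in the pending loop, so a query id that is missing from the map silently yields the key `undefined-<location>` and `configId: 'undefined'` instead of a type error. Read it once, `const configId = monitorQueryIdToConfigIdMap[queryId];`, and make the missing case explicit (skip the entry, or fall back to `queryId`, which the current_status tests show is the config id for non-project monitors). The comment above the loop also has a typo; it should read `// identify the remaining monitors without data, to determine pending monitors`.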
@@ -333,13 +337,16 @@ describe('current status route', () => { [...concernedLocations, ...times(9997).map((n) => 'Europe - Germany' + n)], { from: 2500, to: 'now' }, ['id1', 'id2'], - { id1: [concernedLocations[0]], id2: [concernedLocations[1], concernedLocations[2]] } + { id1: [concernedLocations[0]], id2: [concernedLocations[1], concernedLocations[2]] }, + { + id1: 'id1', + id2: 'id2', + } ) ).toEqual({ pending: 0, down: 1, - enabledIds: ['id1', 'id2'], - allIds: ['id1', 'id2'], + enabledMonitorQueryIds: ['id1', 'id2'], up: 2, upConfigs: { 'id1-Asia/Pacific - Japan': { @@ -369,6 +376,7 @@ describe('current status route', () => { timestamp: expect.any(String), }, }, + pendingConfigs: {}, }); expect(esClient.search).toHaveBeenCalledTimes(2); // These assertions are to ensure that we are paginating through the IDs we use for filtering 
@@ -381,6 +389,191 @@ describe('current status route', () => { esClient.search.mock.calls[1][0].body.query.bool.filter[2].terms['monitor.id'] ).toEqual(['id2']); }); + + it('handles pending configs', async () => { + const { esClient, uptimeEsClient } = getUptimeESMockClient(); + esClient.search.mockResponseOnce( + getEsResponse([ + { + key: 'id1', + location: { + buckets: [ + { + key: 'Asia/Pacific - Japan', + status: { + hits: { + hits: [ + { + _source: { + '@timestamp': '2022-09-15T16:08:16.724Z', + monitor: { + status: 'up', + id: 'id1', + }, + summary: { + up: 1, + down: 0, + }, + config_id: 'id1', + observer: { + geo: { + name: 'Asia/Pacific - Japan', + }, + }, + }, + }, + ], + }, + }, + }, + ], + }, + }, + { + key: 'id2', + location: { + buckets: [ + { + key: 'Asia/Pacific - Japan', + status: { + hits: { + hits: [ + { + _source: { + '@timestamp': '2022-09-15T16:09:16.724Z', + monitor: { + status: 'up', + id: 'id2', + }, + summary: { + up: 1, + down: 0, + }, + config_id: 'id2', + observer: { + geo: { + name: 'Asia/Pacific - Japan', + }, + }, + }, + }, + ], + }, + }, + }, + { + key: 'Europe - Germany', + status: { + hits: { + hits: [ + { + _source: { + '@timestamp': '2022-09-15T16:19:16.724Z', + monitor: { + status: 'down', + id: 'id2', + }, + summary: { + down: 1, + up: 0, + }, + config_id: 'id2', + observer: { + geo: { + name: 'Europe - Germany', + }, + }, + }, + }, + ], + }, + }, + }, + ], + }, + }, + ]) + ); + expect( + await queryMonitorStatus( + uptimeEsClient, + ['Europe - Germany', 'Asia/Pacific - Japan'], + { from: 140000, to: 'now' }, + ['id1', 'id2', 'project-monitor-id', 'id4'], + { + id1: ['Asia/Pacific - Japan'], + id2: ['Europe - Germany', 'Asia/Pacific - Japan'], + 'project-monitor-id': ['Europe - Germany', 'Asia/Pacific - Japan'], + id4: ['Europe - Germany', 'Asia/Pacific - Japan'], + }, + { + id1: 'id1', + id2: 'id2', + 'project-monitor-id': 'id3', + id4: 'id4', + } + ) + ).toEqual({ + pending: 0, + down: 1, + enabledMonitorQueryIds: ['id1', 
'id2', 'project-monitor-id', 'id4'], + up: 2, + upConfigs: { + 'id1-Asia/Pacific - Japan': { + configId: 'id1', + monitorQueryId: 'id1', + location: 'Asia/Pacific - Japan', + status: 'up', + ping: expect.any(Object), + timestamp: expect.any(String), + }, + 'id2-Asia/Pacific - Japan': { + configId: 'id2', + monitorQueryId: 'id2', + location: 'Asia/Pacific - Japan', + status: 'up', + ping: expect.any(Object), + timestamp: expect.any(String), + }, + }, + downConfigs: { + 'id2-Europe - Germany': { + configId: 'id2', + monitorQueryId: 'id2', + location: 'Europe - Germany', + status: 'down', + ping: expect.any(Object), + timestamp: expect.any(String), + }, + }, + pendingConfigs: { + 'id3-Asia/Pacific - Japan': { + configId: 'id3', + location: 'Asia/Pacific - Japan', + monitorQueryId: 'project-monitor-id', + status: 'unknown', + }, + 'id3-Europe - Germany': { + configId: 'id3', + location: 'Europe - Germany', + monitorQueryId: 'project-monitor-id', + status: 'unknown', + }, + 'id4-Asia/Pacific - Japan': { + configId: 'id4', + location: 'Asia/Pacific - Japan', + monitorQueryId: 'id4', + status: 'unknown', + }, + 'id4-Europe - Germany': { + configId: 'id4', + location: 'Europe - Germany', + monitorQueryId: 'id4', + status: 'unknown', + }, + }, + }); + }); }); }); diff --git a/x-pack/plugins/synthetics/server/routes/status/current_status.ts b/x-pack/plugins/synthetics/server/routes/status/current_status.ts index 94e3ba8729836..a07a250cd65bf 100644 --- a/x-pack/plugins/synthetics/server/routes/status/current_status.ts +++ b/x-pack/plugins/synthetics/server/routes/status/current_status.ts 
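Review bot: The new 'handles pending configs' case expects `pending: 0` while asserting four `pendingConfigs` entries, which reads as a contradiction until one knows that `pending` appears to count Elasticsearch buckets that came back without a hit whereas `pendingConfigs` lists monitor/location pairs Elasticsearch never returned at all. A one-line comment above the `toEqual` block stating that distinction, e.g. `// pending counts ES buckets with no hits; pendingConfigs lists monitors ES never returned`, would spare the next reader a trip into queryMonitorStatus. The `'project-monitor-id' → 'id3'` mapping is the only input here that exercises the query-id/config-id split, so it is the part of the fixture worth keeping as the regression guard.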
@@ -67,20 +67,22 @@ export async function getStatus(
 ConfigKey.ENABLED,
 ConfigKey.LOCATIONS,
 ConfigKey.MONITOR_QUERY_ID,
+ ConfigKey.CONFIG_ID,
 ConfigKey.SCHEDULE,
 ConfigKey.MONITOR_SOURCE_TYPE,
 ],
 });
 const {
+ enabledMonitorQueryIds,
 allIds,
- enabledIds,
 disabledCount,
 maxPeriod,
 listOfLocations,
 monitorLocationMap,
 disabledMonitorsCount,
 projectMonitorsCount,
+ monitorQueryIdToConfigIdMap,
 } = await processMonitors(allMonitors, server, soClient, syntheticsMonitorClient);
 // Account for locations filter
@@ -90,12 +92,13 @@ export async function getStatus(
 ? intersection(listOfLocations, queryLocationsArray)
 : listOfLocations;
- const { up, down, pending, upConfigs, downConfigs } = await queryMonitorStatus(
+ const { up, down, pending, upConfigs, downConfigs, pendingConfigs } = await queryMonitorStatus(
 uptimeEsClient,
 listOfLocationAfterFilter,
 { from: maxPeriod, to: 'now' },
- enabledIds,
- monitorLocationMap
+ enabledMonitorQueryIds,
+ monitorLocationMap,
+ monitorQueryIdToConfigIdMap
 );
 return {
@@ -103,13 +106,14 @@ export async function getStatus(
 allMonitorsCount: allMonitors.length,
 disabledMonitorsCount,
 projectMonitorsCount,
- enabledIds,
+ enabledMonitorQueryIds,
 disabledCount,
 up,
 down,
 pending,
 upConfigs,
 downConfigs,
+ pendingConfigs,
 };
 }
diff --git a/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.test.ts b/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.test.ts
index cdb6e2f520fc8..33eb5bfcc0d7e 100644
--- a/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.test.ts
+++ b/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.test.ts
@@ -50,12 +50,15 @@ describe('processMonitors', () => { allIds: [ 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', '7f796001-a795-4c0b-afdb-3ce74edea775', - '5e203f47-1261-4978-a915-cc3315d90fb1', + 'test-project-id-default', ], disabledCount: 2, disabledMonitorsCount: 1, projectMonitorsCount: 1, - enabledIds: ['aa925d91-40b0-4f8f-b695-bb9b53cd4e22', '7f796001-a795-4c0b-afdb-3ce74edea775'], + enabledMonitorQueryIds: [ + 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', + '7f796001-a795-4c0b-afdb-3ce74edea775', + ], listOfLocations: ['US Central QA', 'US Central Staging', 'North America - US Central'], maxPeriod: 600000, monitorLocationMap: { @@ -66,6 +69,11 @@ describe('processMonitors', () => { ], 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22': ['US Central QA', 'US Central Staging'], }, + monitorQueryIdToConfigIdMap: { + '7f796001-a795-4c0b-afdb-3ce74edea775': '7f796001-a795-4c0b-afdb-3ce74edea775', + 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22': 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', + 'test-project-id-default': '5e203f47-1261-4978-a915-cc3315d90fb1', + }, }); }); @@ -77,12 +85,15 @@ describe('processMonitors', () => { allIds: [ 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', '7f796001-a795-4c0b-afdb-3ce74edea775', - '5e203f47-1261-4978-a915-cc3315d90fb1', + 'test-project-id-default', ], disabledCount: 2, disabledMonitorsCount: 1, projectMonitorsCount: 1, - enabledIds: ['aa925d91-40b0-4f8f-b695-bb9b53cd4e22', '7f796001-a795-4c0b-afdb-3ce74edea775'], + enabledMonitorQueryIds: [ + 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', + '7f796001-a795-4c0b-afdb-3ce74edea775', + ], listOfLocations: [ 'US Central Staging', 'us_central_qa', 
@@ -98,6 +109,11 @@ describe('processMonitors', () => { ], 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22': ['US Central Staging', 'us_central_qa'], }, + monitorQueryIdToConfigIdMap: { + '7f796001-a795-4c0b-afdb-3ce74edea775': '7f796001-a795-4c0b-afdb-3ce74edea775', + 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22': 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', + 'test-project-id-default': '5e203f47-1261-4978-a915-cc3315d90fb1', + }, }); }); @@ -147,12 +163,15 @@ describe('processMonitors', () => { allIds: [ 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', '7f796001-a795-4c0b-afdb-3ce74edea775', - '5e203f47-1261-4978-a915-cc3315d90fb1', + 'test-project-id-default', ], disabledCount: 2, disabledMonitorsCount: 1, projectMonitorsCount: 1, - enabledIds: ['aa925d91-40b0-4f8f-b695-bb9b53cd4e22', '7f796001-a795-4c0b-afdb-3ce74edea775'], + enabledMonitorQueryIds: [ + 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', + '7f796001-a795-4c0b-afdb-3ce74edea775', + ], listOfLocations: ['US Central Staging', 'US Central QA', 'North America - US Central'], maxPeriod: 600000, monitorLocationMap: { @@ -163,6 +182,11 @@ describe('processMonitors', () => { ], 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22': ['US Central Staging', 'US Central QA'], }, + monitorQueryIdToConfigIdMap: { + '7f796001-a795-4c0b-afdb-3ce74edea775': '7f796001-a795-4c0b-afdb-3ce74edea775', + 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22': 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', + 'test-project-id-default': '5e203f47-1261-4978-a915-cc3315d90fb1', + }, }); }); }); @@ -179,6 +203,7 @@ const testMonitors: any = [ { isServiceManaged: true, id: 'us_central_staging', label: 'US Central Staging' }, ], id: 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', + config_id: 'aa925d91-40b0-4f8f-b695-bb9b53cd4e22', }, references: [], migrationVersion: { 'synthetics-monitor': '8.6.0' }, 
@@ -201,6 +226,7 @@ const testMonitors: any = [
 { isServiceManaged: true, id: 'us_central_staging', label: 'US Central Staging' },
 ],
 id: '7f796001-a795-4c0b-afdb-3ce74edea775',
+ config_id: '7f796001-a795-4c0b-afdb-3ce74edea775',
 },
 references: [],
 migrationVersion: { 'synthetics-monitor': '8.6.0' },
@@ -221,7 +247,8 @@ const testMonitors: any = [
 { id: 'us_central_qa', label: 'US Central QA', isServiceManaged: true },
 { id: 'us_central_staging', label: 'US Central Staging', isServiceManaged: true },
 ],
- id: '5e203f47-1261-4978-a915-cc3315d90fb1',
+ id: 'test-project-id-default',
+ config_id: '5e203f47-1261-4978-a915-cc3315d90fb1',
 origin: 'project',
 },
 references: [],
diff --git a/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.ts b/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.ts
index 4bb52d9090906..12fe8209e1bb7 100644
--- a/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.ts
+++ b/x-pack/plugins/synthetics/server/saved_objects/synthetics_monitor/get_all_monitors.ts
@@ -73,7 +73,7 @@ export const processMonitors = async (
 * latest ping for all enabled monitors.
 */
- const enabledIds: string[] = [];
+ const enabledMonitorQueryIds: string[] = [];
 let disabledCount = 0;
 let disabledMonitorsCount = 0;
 let maxPeriod = 0;
@@ -81,6 +81,7 @@ export const processMonitors = async (
 const allIds: string[] = [];
 let listOfLocationsSet = new Set();
 const monitorLocationMap: Record = {};
+ const monitorQueryIdToConfigIdMap: Record = {};
 let allLocations: ServiceLocation[] | null = null;
@@ -105,13 +106,15 @@ export const processMonitors = async (
 projectMonitorsCount += attrs?.[ConfigKey.MONITOR_SOURCE_TYPE] === SourceType.PROJECT ? 1 : 0;
+ monitorQueryIdToConfigIdMap[attrs[ConfigKey.MONITOR_QUERY_ID]] = attrs[ConfigKey.CONFIG_ID];
+
 if (attrs[ConfigKey.ENABLED] === false) {
 disabledCount += attrs[ConfigKey.LOCATIONS].length;
 disabledMonitorsCount += 1;
 } else {
 const missingLabels = new Set();
- enabledIds.push(attrs[ConfigKey.MONITOR_QUERY_ID]);
+ enabledMonitorQueryIds.push(attrs[ConfigKey.MONITOR_QUERY_ID]);
 const monLocs = new Set([
 ...(attrs[ConfigKey.LOCATIONS]
 .filter((loc) => {
@@ -140,11 +143,12 @@ export const processMonitors = async (
 return {
 maxPeriod,
 allIds,
- enabledIds,
+ enabledMonitorQueryIds,
 disabledCount,
 monitorLocationMap,
 disabledMonitorsCount,
 projectMonitorsCount,
 listOfLocations: [...listOfLocationsSet],
+ monitorQueryIdToConfigIdMap,
 };
 };
From c967f77b0f3a3f80a4ac4103614120966022da96 Mon Sep 17 00:00:00 2001
From: Wonseop Kim
Date: Tue, 7 Feb 2023 23:58:10 +0900
Subject: [PATCH 27/27] Remove a unnecessary argument (#150268)
## Summary Function '_getFilePath' defined at line 19 takes only 1 argument, but 2 were provided. This patch removes the unnecessary argument. ### Checklist N/A Co-authored-by: Jon
---
 src/cli_plugin/install/download.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cli_plugin/install/download.js b/src/cli_plugin/install/download.js
index ab2ed9f86357b..8dc039cd6305d 100644
--- a/src/cli_plugin/install/download.js
+++ b/src/cli_plugin/install/download.js
@@ -41,7 +41,7 @@ export function _downloadSingle(settings, logger, sourceUrl) {
 _checkFilePathDeprecation(sourceUrl, logger);
 downloadPromise = downloadLocalFile(
 logger,
- _getFilePath(urlInfo.path, sourceUrl),
+ _getFilePath(urlInfo.path),
 settings.tempArchiveFile
 );
 } else if (/^https?/.test(urlInfo.protocol)) {
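Review bot: `monitorQueryIdToConfigIdMap[attrs[ConfigKey.MONITOR_QUERY_ID]] = attrs[ConfigKey.CONFIG_ID];` stores the attribute without a guard, and the fixtures in get_all_monitors.test.ts had to gain a `config_id` on every monitor, which may mean saved objects without one exist; such a monitor would reach queryMonitorStatus with an undefined config id and be keyed as `undefined-<location>` in pendingConfigs, and a second monitor sharing a query id would silently overwrite the first entry. A comment on the declaration in the `@@ -81` hunk stating which monitors populate the map (every monitor, enabled or not, since the assignment precedes the `ENABLED` check) and what a missing `CONFIG_ID` means would make the contract explicit. If a fallback is acceptable, `attrs[ConfigKey.CONFIG_ID] ?? attrs[ConfigKey.MONITOR_QUERY_ID]` matches the non-project rows in the test expectations. processMonitors starts outside this hunk.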