diff --git a/x-pack/plugins/security_solution/common/endpoint/service/authz/index.ts b/x-pack/plugins/security_solution/common/endpoint/service/authz/index.ts
index 83c1627a91825..03d14a0945184 100644
--- a/x-pack/plugins/security_solution/common/endpoint/service/authz/index.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/service/authz/index.ts
@@ -6,5 +6,3 @@
 */
 export { getEndpointAuthzInitialState, calculateEndpointAuthz } from './authz';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-export { getEndpointAuthzInitialStateMock } from './mocks';
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/creation.ts b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/creation.ts
new file mode 100644
index 0000000000000..781718652246d
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/creation.ts
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Ecs } from '../../../../common/ecs';
+
+export const demoEndgameCreationEvent: Ecs = {
+ _id: 'BcjPcG0BOpWiDweSou3g',
+ user: {
+ id: ['S-1-5-21-3573271228-3407584681-1597858646-1002'],
+ domain: ['Anvi-Acer'],
+ name: ['Arun'],
+ },
+ host: {
+ os: {
+ platform: ['windows'],
+ name: ['Windows'],
+ version: ['6.1'],
+ },
+ ip: ['10.178.85.222'],
+ name: ['HD-obe-8bf77f54'],
+ },
+ event: {
+ module: ['endgame'],
+ dataset: ['esensor'],
+ action: ['creation_event'],
+ category: ['process'],
+ type: ['process_start'],
+ kind: ['event'],
+ },
+ timestamp: '1569555712000',
+ process: {
+ hash: {
+ md5: ['62d06d7235b37895b68de56687895743'],
+ sha1: ['12563599116157778a22600d2a163d8112aed845'],
+ sha256: ['d4c97ed46046893141652e2ec0056a698f6445109949d7fcabbce331146889ee'],
+ },
+ pid: [441684],
+ ppid: [8],
+ name: ['Microsoft.Photos.exe'],
+ executable: [
+ 'C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe',
+ ],
+ args: [
+ 'C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe',
+ '-ServerName:App.AppXzst44mncqdg84v7sv6p7yznqwssy6f7f.mca',
+ ],
+ },
+ endgame: {
+ process_name: ['Microsoft.Photos.exe'],
+ pid: [441684],
+ parent_process_name: ['svchost.exe'],
+ },
+};
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/dns.ts b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/dns.ts
new file mode 100644
index 0000000000000..bd5061dd3bd6a
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/dns.ts
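Review bot: `timestamp: '1569555712000'` stores epoch milliseconds as a string, while the endpoint fixtures added by this same commit (library_load_event.ts, registry_modification_event.ts, process_execution_malware_prevention_alert.ts, netflow.ts) use ISO 8601 strings such as `'2021-02-05T21:27:23.921Z'`, so any consumer that parses `Ecs.timestamp` as an ISO date will handle the two sets of demo documents differently. The same epoch form appears in dns.ts, file_events.ts, ipv4.ts, termination.ts and user_logon.ts. If the epoch form is deliberate because it mirrors what the Endgame ingest produced, a short comment on the field would make that clear; otherwise converting to ISO keeps the demo set uniform. None of the exported fixtures carries a TSDoc; a one-liner such as `/** Demo ECS document for an Endgame creation_event (process start). */` on each export would tell readers what each document represents.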
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Ecs } from '../../../../common/ecs';
+
+export const demoEndgameDnsRequest: Ecs = {
+ _id: 'S8jPcG0BOpWiDweSou3g',
+ user: {
+ id: ['S-1-5-18'],
+ domain: ['NT AUTHORITY'],
+ name: ['SYSTEM'],
+ },
+ host: {
+ os: {
+ platform: ['windows'],
+ name: ['Windows'],
+ version: ['6.1'],
+ },
+ ip: ['10.178.85.222'],
+ name: ['HD-obe-8bf77f54'],
+ },
+ event: {
+ module: ['endgame'],
+ dataset: ['esensor'],
+ action: ['request_event'],
+ category: ['network'],
+ kind: ['event'],
+ },
+ message: [
+ 'DNS query is completed for the name %1, type %2, query options %3 with status %4 Results %5 ',
+ ],
+ timestamp: '1569555712000',
+ dns: {
+ question: {
+ name: ['update.googleapis.com'],
+ type: ['A'],
+ },
+ resolved_ip: ['10.100.197.67'],
+ },
+ network: {
+ protocol: ['dns'],
+ },
+ process: {
+ pid: [443192],
+ name: ['GoogleUpdate.exe'],
+ executable: ['C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe'],
+ },
+ winlog: {
+ event_id: [3008],
+ },
+ endgame: {
+ process_name: ['GoogleUpdate.exe'],
+ pid: [443192],
+ },
+};
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/file_events.ts b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/file_events.ts
new file mode 100644
index 0000000000000..696d51b2e11fa
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/file_events.ts
@@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Ecs } from '../../../../common/ecs';
+
+export const demoEndgameFileCreateEvent: Ecs = {
+ _id: '98jPcG0BOpWiDweSouzg',
+ user: {
+ id: ['S-1-5-21-3573271228-3407584681-1597858646-1002'],
+ domain: ['Anvi-Acer'],
+ name: ['Arun'],
+ },
+ host: {
+ os: {
+ platform: ['windows'],
+ name: ['Windows'],
+ version: ['6.1'],
+ },
+ ip: ['10.178.85.222'],
+ name: ['HD-obe-8bf77f54'],
+ },
+ event: {
+ module: ['endgame'],
+ dataset: ['esensor'],
+ action: ['file_create_event'],
+ category: ['file'],
+ kind: ['event'],
+ },
+ timestamp: '1569555712000',
+ endgame: {
+ process_name: ['chrome.exe'],
+ pid: [11620],
+ file_path: [
+ 'C:\\Users\\Arun\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\63d78c21-e593-4484-b7a9-db33cd522ddc.tmp',
+ ],
+ },
+};
+
+export const demoEndgameFileDeleteEvent: Ecs = {
+ _id: 'OMjPcG0BOpWiDweSeuW9',
+ user: {
+ id: ['S-1-5-18'],
+ domain: ['NT AUTHORITY'],
+ name: ['SYSTEM'],
+ },
+ host: {
+ os: {
+ platform: ['windows'],
+ name: ['Windows'],
+ version: ['10.0'],
+ },
+ ip: ['10.134.159.150'],
+ name: ['HD-v1s-d2118419'],
+ },
+ event: {
+ module: ['endgame'],
+ dataset: ['esensor'],
+ action: ['file_delete_event'],
+ category: ['file'],
+ kind: ['event'],
+ },
+ timestamp: '1569555704000',
+ endgame: {
+ pid: [1084],
+ file_name: ['tmp000002f6'],
+ file_path: ['C:\\Windows\\TEMP\\tmp00000404\\tmp000002f6'],
+ process_name: ['AmSvc.exe'],
+ },
+};
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/ipv4.ts b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/ipv4.ts
new file mode 100644
index 0000000000000..c7d9655acb956
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/ipv4.ts
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Ecs } from '../../../../common/ecs';
+
+export const demoEndgameIpv4ConnectionAcceptEvent: Ecs = {
+ _id: 'LsjPcG0BOpWiDweSCNfu',
+ user: {
+ id: ['S-1-5-18'],
+ domain: ['NT AUTHORITY'],
+ name: ['SYSTEM'],
+ },
+ host: {
+ os: {
+ platform: ['windows'],
+ name: ['Windows'],
+ version: ['10.0'],
+ },
+ ip: ['10.43.255.177'],
+ name: ['HD-gqf-0af7b4fe'],
+ },
+ event: {
+ module: ['endgame'],
+ dataset: ['esensor'],
+ action: ['ipv4_connection_accept_event'],
+ category: ['network'],
+ kind: ['event'],
+ },
+ timestamp: '1569555676000',
+ network: {
+ community_id: ['1:network-community_id'],
+ transport: ['tcp'],
+ },
+ process: {
+ pid: [1084],
+ name: ['AmSvc.exe'],
+ executable: ['C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe'],
+ },
+ source: {
+ ip: ['127.0.0.1'],
+ port: [49306],
+ },
+ destination: {
+ port: [49305],
+ ip: ['127.0.0.1'],
+ },
+ endgame: {
+ pid: [1084],
+ },
+};
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/termination.ts b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/termination.ts
new file mode 100644
index 0000000000000..adab55d27c697
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/termination.ts
@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Ecs } from '../../../../common/ecs';
+
+export const demoEndgameTerminationEvent: Ecs = {
+ _id: '2MjPcG0BOpWiDweSoutC',
+ user: {
+ id: ['S-1-5-21-3573271228-3407584681-1597858646-1002'],
+ domain: ['Anvi-Acer'],
+ name: ['Arun'],
+ },
+ host: {
+ os: {
+ platform: ['windows'],
+ name: ['Windows'],
+ version: ['6.1'],
+ },
+ ip: ['10.178.85.222'],
+ name: ['HD-obe-8bf77f54'],
+ },
+ event: {
+ module: ['endgame'],
+ dataset: ['esensor'],
+ action: ['termination_event'],
+ category: ['process'],
+ kind: ['event'],
+ },
+ timestamp: '1569555712000',
+ process: {
+ hash: {
+ md5: ['bd4401441a21bf1abce6404f4231db4d'],
+ sha1: ['797255e72d5ed5c058d4785950eba7abaa057653'],
+ sha256: ['87976f3430cc99bc939e0694247c0759961a49832b87218f4313d6fc0bc3a776'],
+ },
+ pid: [442384],
+ ppid: [8],
+ name: ['RuntimeBroker.exe'],
+ executable: ['C:\\Windows\\System32\\RuntimeBroker.exe'],
+ },
+ endgame: {
+ pid: [442384],
+ process_name: ['RuntimeBroker.exe'],
+ exit_code: [0],
+ },
+};
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/user_logon.ts b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/user_logon.ts
new file mode 100644
index 0000000000000..ebc3cdcf1afe6
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/endgame_ecs/user_logon.ts
@@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Ecs } from '../../../../common/ecs'; + +export const demoEndgameUserLogon: Ecs = { + _id: 'QsjPcG0BOpWiDweSeuRE', + user: { + id: ['S-1-5-18'], + domain: ['NT AUTHORITY'], + name: ['SYSTEM'], + }, + host: { + os: { + platform: ['windows'], + name: ['Windows'], + version: ['10.0'], + }, + ip: ['10.134.159.150'], + name: ['HD-v1s-d2118419'], + }, + event: { + module: ['endgame'], + dataset: ['esensor'], + action: ['user_logon'], + category: ['authentication'], + type: ['authentication_success'], + kind: ['event'], + }, + message: [ + 'An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN-Q3DOP1UKA81$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nLogon Type:\t\t\t5\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3e7\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1b0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.', + ], + timestamp: '1569555704000', + process: { + pid: [432], + name: ['C:\\Windows\\System32\\services.exe'], + executable: ['C:\\Windows\\System32\\services.exe'], + }, + winlog: { + event_id: [4624], + }, + endgame: { + target_logon_id: ['0x3e7'], + pid: [432], + process_name: ['C:\\Windows\\System32\\services.exe'], + logon_type: [5], + subject_user_name: ['WIN-Q3DOP1UKA81$'], + subject_logon_id: ['0x3e7'], + target_user_name: ['SYSTEM'], + target_domain_name: ['NT AUTHORITY'], + }, +}; diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endpoint/library_load_event.ts b/x-pack/plugins/security_solution/public/common/demo_data/endpoint/library_load_event.ts new file mode 100644 index 0000000000000..039115624ab91 --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/demo_data/endpoint/library_load_event.ts 
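Review bot: `process.name` is set to the full path `'C:\\Windows\\System32\\services.exe'`, duplicating `process.executable`, whereas the other fixtures in this commit (dns.ts, termination.ts, registry_modification_event.ts, library_load_event.ts) put the basename in `process.name` and the path in `process.executable`; code that renders or groups by process name will present this event differently from the rest of the demo set. Unless this mirrors the raw Endgame mapping, `name: ['services.exe']` keeps the fixtures consistent, and `endgame.process_name` in the same object has the same shape. The malware prevention alert fixture later in this commit also sets `process.name` to the full executable path while its `file.name` is the basename, so the same question applies there.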
@@ -0,0 +1,63 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Ecs } from '../../../../common/ecs';
+
+export const demoEndpointLibraryLoadEvent: Ecs = {
+ file: {
+ path: ['C:\\Windows\\System32\\bcrypt.dll'],
+ hash: {
+ md5: ['00439016776de367bad087d739a03797'],
+ sha1: ['2c4ba5c1482987d50a182bad915f52cd6611ee63'],
+ sha256: ['e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd'],
+ },
+ name: ['bcrypt.dll'],
+ },
+ host: {
+ os: {
+ full: ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'],
+ name: ['Windows'],
+ version: ['1809 (10.0.17763.1697)'],
+ family: ['windows'],
+ kernel: ['1809 (10.0.17763.1697)'],
+ platform: ['windows'],
+ },
+ mac: ['aa:bb:cc:dd:ee:ff'],
+ name: ['win2019-endpoint-1'],
+ architecture: ['x86_64'],
+ ip: ['10.1.2.3'],
+ id: ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'],
+ },
+ event: {
+ category: ['library'],
+ kind: ['event'],
+ created: ['2021-02-05T21:27:23.921Z'],
+ module: ['endpoint'],
+ action: ['load'],
+ type: ['start'],
+ id: ['LzzWB9jjGmCwGMvk++++Da5H'],
+ dataset: ['endpoint.events.library'],
+ },
+ process: {
+ name: ['sshd.exe'],
+ pid: [9644],
+ entity_id: [
+ 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTk2NDQtMTMyNTcwMzQwNDEuNzgyMTczODAw',
+ ],
+ executable: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'],
+ },
+ agent: {
+ type: ['endpoint'],
+ },
+ user: {
+ name: ['SYSTEM'],
+ domain: ['NT AUTHORITY'],
+ },
+ message: ['Endpoint DLL load event'],
+ timestamp: '2021-02-05T21:27:23.921Z',
+ _id: 'IAUYdHcBGrBB52F2zo8Q',
+};
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endpoint/process_execution_malware_prevention_alert.ts b/x-pack/plugins/security_solution/public/common/demo_data/endpoint/process_execution_malware_prevention_alert.ts
new file mode 100644
index 0000000000000..1a3657e867261
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/endpoint/process_execution_malware_prevention_alert.ts
@@ -0,0 +1,80 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Ecs } from '../../../../common/ecs'; + +export const demoEndpointProcessExecutionMalwarePreventionAlert: Ecs = { + process: { + hash: { + md5: ['177afc1eb0be88eb9983fb74111260c4'], + sha256: ['3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb'], + sha1: ['f573b85e9beb32121f1949217947b2adc6749e3d'], + }, + entity_id: [ + 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTY5MjAtMTMyNDg5OTk2OTAuNDgzMzA3NzAw', + ], + executable: [ + 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe', + ], + name: [ + 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe', + ], + pid: [6920], + args: [ + 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe', + ], + }, + host: { + os: { + full: ['Windows Server 2019 Datacenter 1809 (10.0.17763.1518)'], + name: ['Windows'], + version: ['1809 (10.0.17763.1518)'], + platform: ['windows'], + family: ['windows'], + kernel: ['1809 (10.0.17763.1518)'], + }, + mac: ['aa:bb:cc:dd:ee:ff'], + architecture: ['x86_64'], + ip: ['10.1.2.3'], + id: ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'], + name: ['win2019-endpoint-1'], + }, + file: { + mtime: ['2020-11-04T21:40:51.494Z'], + path: [ + 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe', + ], + owner: ['sean'], + hash: { + md5: ['177afc1eb0be88eb9983fb74111260c4'], + sha256: ['3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb'], + sha1: ['f573b85e9beb32121f1949217947b2adc6749e3d'], + }, + name: ['3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe'], + extension: ['exe'], + size: 
[1604112], + }, + event: { + category: ['malware', 'intrusion_detection', 'process'], + outcome: ['success'], + severity: [73], + code: ['malicious_file'], + action: ['execution'], + id: ['LsuMZVr+sdhvehVM++++Gp2Y'], + kind: ['alert'], + created: ['2020-11-04T21:41:30.533Z'], + module: ['endpoint'], + type: ['info', 'start', 'denied'], + dataset: ['endpoint.alerts'], + }, + agent: { + type: ['endpoint'], + }, + timestamp: '2020-11-04T21:41:30.533Z', + message: ['Malware Prevention Alert'], + _id: '0dA2lXUBn9bLIbfPkY7d', +}; diff --git a/x-pack/plugins/security_solution/public/common/demo_data/endpoint/registry_modification_event.ts b/x-pack/plugins/security_solution/public/common/demo_data/endpoint/registry_modification_event.ts new file mode 100644 index 0000000000000..2f34360b46443 --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/demo_data/endpoint/registry_modification_event.ts 
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Ecs } from '../../../../common/ecs';
+
+export const demoEndpointRegistryModificationEvent: Ecs = {
+ host: {
+ os: {
+ full: ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'],
+ name: ['Windows'],
+ version: ['1809 (10.0.17763.1697)'],
+ family: ['windows'],
+ kernel: ['1809 (10.0.17763.1697)'],
+ platform: ['windows'],
+ },
+ mac: ['aa:bb:cc:dd:ee:ff'],
+ name: ['win2019-endpoint-1'],
+ architecture: ['x86_64'],
+ ip: ['10.1.2.3'],
+ id: ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'],
+ },
+ event: {
+ category: ['registry'],
+ kind: ['event'],
+ created: ['2021-02-04T13:44:31.559Z'],
+ module: ['endpoint'],
+ action: ['modification'],
+ type: ['change'],
+ id: ['LzzWB9jjGmCwGMvk++++CbOn'],
+ dataset: ['endpoint.events.registry'],
+ },
+ process: {
+ name: ['GoogleUpdate.exe'],
+ pid: [7408],
+ entity_id: [
+ 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTc0MDgtMTMyNTY5MTk4NDguODY4NTI0ODAw',
+ ],
+ executable: ['C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe'],
+ },
+ registry: {
+ hive: ['HKLM'],
+ key: [
+ 'SOFTWARE\\WOW6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState',
+ ],
+ path: [
+ 'HKLM\\SOFTWARE\\WOW6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue',
+ ],
+ value: ['StateValue'],
+ },
+ agent: {
+ type: ['endpoint'],
+ },
+ user: {
+ name: ['SYSTEM'],
+ domain: ['NT AUTHORITY'],
+ },
+ message: ['Endpoint registry event'],
+ timestamp: '2021-02-04T13:44:31.559Z',
+ _id: '4cxLbXcBGrBB52F2uOfF',
+};
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/netflow.ts b/x-pack/plugins/security_solution/public/common/demo_data/netflow.ts
new file mode 100644
index 0000000000000..51f281a4b056b
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/netflow.ts
@@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ONE_MILLISECOND_AS_NANOSECONDS } from '../../timelines/components/formatted_duration/helpers';
+import type { Ecs } from '../../../common/ecs';
+
+/** Returns mock data for testing the Netflow component */
+export const getDemoNetflowData = (): Ecs => ({
+ destination: {
+ bytes: [40],
+ geo: {
+ city_name: ['New York'],
+ continent_name: ['North America'],
+ country_iso_code: ['US'],
+ country_name: ['United States'],
+ region_name: ['New York'],
+ },
+ ip: ['10.1.2.3'],
+ packets: [1],
+ port: [80],
+ },
+ event: {
+ action: ['network_flow'],
+ category: ['network_traffic'],
+ duration: [ONE_MILLISECOND_AS_NANOSECONDS],
+ end: ['2018-11-12T19:03:25.936Z'],
+ start: ['2018-11-12T19:03:25.836Z'],
+ },
+ _id: 'abcd',
+ network: {
+ bytes: [100],
+ community_id: ['we.live.in.a'],
+ direction: ['outgoing'],
+ packets: [3],
+ protocol: ['http'],
+ transport: ['tcp'],
+ },
+ process: {
+ name: ['rat'],
+ },
+ source: {
+ bytes: [60],
+ geo: {
+ city_name: ['Atlanta'],
+ continent_name: ['North America'],
+ country_iso_code: ['US'],
+ country_name: ['United States'],
+ region_name: ['Georgia'],
+ },
+ ip: ['192.168.1.2'],
+ packets: [2],
+ port: [9987],
+ },
+ timestamp: '2018-11-12T19:03:25.936Z',
+ tls: {
+ client_certificate: {
+ fingerprint: {
+ sha1: ['tls.client_certificate.fingerprint.sha1-value'],
+ },
+ },
+ fingerprints: {
+ ja3: {
+ hash: ['tls.fingerprints.ja3.hash-value'],
+ },
+ },
+ server_certificate: {
+ fingerprint: {
+ sha1: ['tls.server_certificate.fingerprint.sha1-value'],
+ },
+ },
+ },
+ user: {
+ name: ['first.last'],
+ },
+});
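Review bot: `getDemoNetflowData` imports `ONE_MILLISECOND_AS_NANOSECONDS` from `../../timelines/components/formatted_duration/helpers`, so a shared demo-data module now depends on a timeline UI component's helper, which is the opposite direction from the rest of the files in this commit (they import only the `Ecs` type). The first hunk of this commit removes a `@kbn/imports/no_boundary_crossing` suppression for a mock export; this import is a different kind of coupling but is worth the same scrutiny. If the helper is a plain numeric constant, inlining it with a comment (`duration: [1_000_000], // one millisecond in nanoseconds — value to be confirmed against the helper`) removes the dependency. The doc comment also says `mock data for testing` while the file lives under `demo_data` and the export is `getDemoNetflowData`; `/** Returns demo ECS data for the Netflow component */` matches the new naming.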
diff --git a/x-pack/plugins/security_solution/public/common/demo_data/timeline.ts b/x-pack/plugins/security_solution/public/common/demo_data/timeline.ts
new file mode 100644
index 0000000000000..90a4c2221d16c
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/demo_data/timeline.ts
@@ -0,0 +1,1117 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { TimelineItem } from '../../../common/search_strategy/timeline'; + +export const demoTimelineData: TimelineItem[] = [ + { + _id: '1', + data: [ + { field: '@timestamp', value: ['2018-11-05T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'event.action', value: ['Action'] }, + { field: 'host.name', value: ['apache'] }, + { field: 'source.ip', value: ['192.168.0.1'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['john.dee'] }, + ], + ecs: { + _id: '1', + timestamp: '2018-11-05T19:03:25.937Z', + host: { name: ['apache'], ip: ['192.168.0.1'] }, + event: { + id: ['1'], + action: ['Action'], + category: ['Access'], + module: ['nginx'], + severity: [3], + }, + source: { ip: ['192.168.0.1'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['1'], name: ['john.dee'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '3', + data: [ + { field: '@timestamp', value: ['2018-11-07T19:03:25.937Z'] }, + { field: 'event.severity', value: ['1'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', value: ['nginx'] }, + { field: 'source.ip', value: ['192.168.0.3'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['evan.davis'] }, + ], + ecs: { + _id: '3', + timestamp: '2018-11-07T19:03:25.937Z', + host: { name: ['nginx'], ip: ['192.168.0.1'] }, + event: { + id: ['3'], + category: ['Access'], + type: ['HTTP Request'], + module: ['nginx'], + severity: 
[1], + }, + source: { ip: ['192.168.0.3'], port: [443] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['3'], name: ['evan.davis'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '4', + data: [ + { field: '@timestamp', value: ['2018-11-08T19:03:25.937Z'] }, + { field: 'event.severity', value: ['1'] }, + { field: 'event.category', value: ['Attempted Administrator Privilege Gain'] }, + { field: 'host.name', value: ['suricata'] }, + { field: 'source.ip', value: ['192.168.0.3'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['jenny.jones'] }, + ], + ecs: { + _id: '4', + timestamp: '2018-11-08T19:03:25.937Z', + host: { name: ['suricata'], ip: ['192.168.0.1'] }, + event: { + id: ['4'], + category: ['Attempted Administrator Privilege Gain'], + type: ['Alert'], + module: ['suricata'], + severity: [1], + }, + source: { ip: ['192.168.0.3'], port: [53] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + suricata: { + eve: { + flow_id: [4], + proto: [''], + alert: { + signature: [ + 'ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)', + ], + signature_id: [4], + }, + }, + }, + user: { id: ['4'], name: ['jenny.jones'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '5', + data: [ + { field: '@timestamp', value: ['2018-11-09T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.3'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['becky.davis'] }, + ], + ecs: { + _id: '5', + timestamp: '2018-11-09T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['5'], + category: ['Access'], + 
type: ['HTTP Request'], + module: ['nginx'], + severity: [3], + }, + source: { ip: ['192.168.0.3'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['5'], name: ['becky.davis'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '6', + data: [ + { field: '@timestamp', value: ['2018-11-10T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', value: ['braden.davis'] }, + { field: 'source.ip', value: ['192.168.0.6'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + ], + ecs: { + _id: '6', + timestamp: '2018-11-10T19:03:25.937Z', + host: { name: ['braden.davis'], ip: ['192.168.0.1'] }, + event: { + id: ['6'], + category: ['Access'], + type: ['HTTP Request'], + module: ['nginx'], + severity: [3], + }, + source: { ip: ['192.168.0.6'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '8', + data: [ + { field: '@timestamp', value: ['2018-11-12T19:03:25.937Z'] }, + { field: 'event.severity', value: ['2'] }, + { field: 'event.category', value: ['Web Application Attack'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.8'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['jone.doe'] }, + ], + ecs: { + _id: '8', + timestamp: '2018-11-12T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['8'], + category: ['Web Application Attack'], + type: ['Alert'], + module: ['suricata'], + severity: [2], + }, + suricata: { + eve: { + flow_id: [8], + proto: [''], + alert: { + signature: ['ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie'], + signature_id: [8], + }, + }, + }, + source: { ip: 
['192.168.0.8'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['8'], name: ['jone.doe'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '7', + data: [ + { field: '@timestamp', value: ['2018-11-11T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.7'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['jone.doe'] }, + ], + ecs: { + _id: '7', + timestamp: '2018-11-11T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['7'], + category: ['Access'], + type: ['HTTP Request'], + module: ['apache'], + severity: [3], + }, + source: { ip: ['192.168.0.7'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['7'], name: ['jone.doe'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '9', + data: [ + { field: '@timestamp', value: ['2018-11-13T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.9'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['jone.doe'] }, + ], + ecs: { + _id: '9', + timestamp: '2018-11-13T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['9'], + category: ['Access'], + type: ['HTTP Request'], + module: ['nginx'], + severity: [3], + }, + source: { ip: ['192.168.0.9'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['9'], name: ['jone.doe'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: 
'10', + data: [ + { field: '@timestamp', value: ['2018-11-14T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.10'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['jone.doe'] }, + ], + ecs: { + _id: '10', + timestamp: '2018-11-14T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['10'], + category: ['Access'], + type: ['HTTP Request'], + module: ['nginx'], + severity: [3], + }, + source: { ip: ['192.168.0.10'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['10'], name: ['jone.doe'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '11', + data: [ + { field: '@timestamp', value: ['2018-11-15T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.11'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['jone.doe'] }, + ], + ecs: { + _id: '11', + timestamp: '2018-11-15T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['11'], + category: ['Access'], + type: ['HTTP Request'], + module: ['nginx'], + severity: [3], + }, + source: { ip: ['192.168.0.11'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['11'], name: ['jone.doe'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '12', + data: [ + { field: '@timestamp', value: ['2018-11-16T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'host.name', 
value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.12'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['jone.doe'] }, + ], + ecs: { + _id: '12', + timestamp: '2018-11-16T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['12'], + category: ['Access'], + type: ['HTTP Request'], + module: ['nginx'], + severity: [3], + }, + source: { ip: ['192.168.0.12'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['12'], name: ['jone.doe'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '2', + data: [ + { field: '@timestamp', value: ['2018-11-06T19:03:25.937Z'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Authentication'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.2'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['joe.bob'] }, + ], + ecs: { + _id: '2', + timestamp: '2018-11-06T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['2'], + category: ['Authentication'], + type: ['Authentication Success'], + module: ['authlog'], + severity: [3], + }, + source: { ip: ['192.168.0.2'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['1'], name: ['joe.bob'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '13', + data: [ + { field: '@timestamp', value: ['2018-13-12T19:03:25.937Z'] }, + { field: 'event.severity', value: ['1'] }, + { field: 'event.category', value: ['Web Application Attack'] }, + { field: 'host.name', value: ['joe.computer'] }, + { field: 'source.ip', value: ['192.168.0.8'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', 
value: ['123456'] }, + ], + ecs: { + _id: '13', + timestamp: '2018-13-12T19:03:25.937Z', + host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, + event: { + id: ['13'], + category: ['Web Application Attack'], + type: ['Alert'], + module: ['suricata'], + severity: [1], + }, + suricata: { + eve: { + flow_id: [13], + proto: [''], + alert: { + signature: ['ET WEB_SERVER Possible Attempt in HTTP Cookie'], + signature_id: [13], + }, + }, + }, + source: { ip: ['192.168.0.8'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '14', + data: [ + { field: '@timestamp', value: ['2019-03-07T05:06:51.000Z'] }, + { field: 'host.name', value: ['zeek-franfurt'] }, + { field: 'source.ip', value: ['192.168.26.101'] }, + { field: 'destination.ip', value: ['192.168.238.205'] }, + ], + ecs: { + _id: '14', + timestamp: '2019-03-07T05:06:51.000Z', + event: { + module: ['zeek'], + dataset: ['zeek.connection'], + }, + host: { + id: ['37c81253e0fc4c46839c19b981be5177'], + name: ['zeek-franfurt'], + ip: ['207.154.238.205', '10.19.0.5', 'fe80::d82b:9aff:fe0d:1e12'], + }, + source: { ip: ['185.176.26.101'], port: [44059] }, + destination: { ip: ['207.154.238.205'], port: [11568] }, + geo: { region_name: ['New York'], country_iso_code: ['US'] }, + network: { transport: ['tcp'] }, + zeek: { + session_id: ['C8DRTq362Fios6hw16'], + connection: { + local_resp: [false], + local_orig: [false], + missed_bytes: [0], + state: ['REJ'], + history: ['Sr'], + }, + }, + }, + }, + { + _id: '15', + data: [ + { field: '@timestamp', value: ['2019-03-07T00:51:28.000Z'] }, + { field: 'host.name', value: ['suricata-zeek-singapore'] }, + { field: 'source.ip', value: ['192.168.35.240'] }, + { field: 'destination.ip', value: ['192.168.67.3'] }, + ], + ecs: { + _id: '15', + timestamp: '2019-03-07T00:51:28.000Z', + event: { + module: ['zeek'], + dataset: ['zeek.dns'], + }, + host: { + id: 
['af3fddf15f1d47979ce817ba0df10c6e'], + name: ['suricata-zeek-singapore'], + ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'], + }, + source: { ip: ['206.189.35.240'], port: [57475] }, + destination: { ip: ['67.207.67.3'], port: [53] }, + geo: { region_name: ['New York'], country_iso_code: ['US'] }, + network: { transport: ['udp'] }, + zeek: { + session_id: ['CyIrMA1L1JtLqdIuol'], + dns: { + AA: [false], + RD: [false], + trans_id: [65252], + RA: [false], + TC: [false], + }, + }, + }, + }, + { + _id: '16', + data: [ + { field: '@timestamp', value: ['2019-03-05T07:00:20.000Z'] }, + { field: 'host.name', value: ['suricata-zeek-singapore'] }, + { field: 'source.ip', value: ['192.168.35.240'] }, + { field: 'destination.ip', value: ['192.168.164.26'] }, + ], + ecs: { + _id: '16', + timestamp: '2019-03-05T07:00:20.000Z', + event: { + module: ['zeek'], + dataset: ['zeek.http'], + }, + host: { + id: ['af3fddf15f1d47979ce817ba0df10c6e'], + name: ['suricata-zeek-singapore'], + ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'], + }, + source: { ip: ['206.189.35.240'], port: [36220] }, + destination: { ip: ['192.241.164.26'], port: [80] }, + geo: { region_name: ['New York'], country_iso_code: ['US'] }, + http: { + version: ['1.1'], + request: { body: { bytes: [0] } }, + response: { status_code: [302], body: { bytes: [154] } }, + }, + zeek: { + session_id: ['CZLkpC22NquQJOpkwe'], + + http: { + resp_mime_types: ['text/html'], + trans_depth: ['3'], + status_msg: ['Moved Temporarily'], + resp_fuids: ['FzeujEPP7GTHmYPsc'], + tags: [], + }, + }, + }, + }, + { + _id: '17', + data: [ + { field: '@timestamp', value: ['2019-02-28T22:36:28.000Z'] }, + { field: 'host.name', value: ['zeek-franfurt'] }, + { field: 'source.ip', value: ['192.168.77.171'] }, + ], + ecs: { + _id: '17', + timestamp: '2019-02-28T22:36:28.000Z', + event: { + module: ['zeek'], + dataset: ['zeek.notice'], + }, + host: { + id: ['37c81253e0fc4c46839c19b981be5177'], + name: 
['zeek-franfurt'], + ip: ['207.154.238.205', '10.19.0.5', 'fe80::d82b:9aff:fe0d:1e12'], + }, + source: { ip: ['8.42.77.171'] }, + zeek: { + notice: { + suppress_for: [3600], + msg: ['8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s'], + note: ['Scan::Port_Scan'], + sub: ['remote'], + dst: ['207.154.238.205'], + dropped: [false], + peer_descr: ['bro'], + }, + }, + }, + }, + { + _id: '18', + data: [ + { field: '@timestamp', value: ['2019-02-22T21:12:13.000Z'] }, + { field: 'host.name', value: ['zeek-sensor-amsterdam'] }, + { field: 'source.ip', value: ['192.168.66.184'] }, + { field: 'destination.ip', value: ['192.168.95.15'] }, + ], + ecs: { + _id: '18', + timestamp: '2019-02-22T21:12:13.000Z', + event: { + module: ['zeek'], + dataset: ['zeek.ssl'], + }, + host: { id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'], name: ['zeek-sensor-amsterdam'] }, + source: { ip: ['188.166.66.184'], port: [34514] }, + destination: { ip: ['91.189.95.15'], port: [443] }, + geo: { region_name: ['England'], country_iso_code: ['GB'] }, + zeek: { + session_id: ['CmTxzt2OVXZLkGDaRe'], + ssl: { + cipher: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'], + established: [false], + resumed: [false], + version: ['TLSv12'], + }, + }, + }, + }, + { + _id: '19', + data: [ + { field: '@timestamp', value: ['2019-03-03T04:26:38.000Z'] }, + { field: 'host.name', value: ['suricata-zeek-singapore'] }, + ], + ecs: { + _id: '19', + timestamp: '2019-03-03T04:26:38.000Z', + event: { + module: ['zeek'], + dataset: ['zeek.files'], + }, + host: { + id: ['af3fddf15f1d47979ce817ba0df10c6e'], + name: ['suricata-zeek-singapore'], + ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'], + }, + zeek: { + session_id: ['Cu0n232QMyvNtzb75j'], + files: { + session_ids: ['Cu0n232QMyvNtzb75j'], + timedout: [false], + local_orig: [false], + tx_host: ['5.101.111.50'], + source: ['HTTP'], + is_orig: [false], + overflow_bytes: [0], + sha1: ['fa5195a5dfacc9d1c68d43600f0e0262cad14dde'], + duration: [0], + 
depth: [0], + analyzers: ['MD5', 'SHA1'], + mime_type: ['text/plain'], + rx_host: ['206.189.35.240'], + total_bytes: [88722], + fuid: ['FePz1uVEVCZ3I0FQi'], + seen_bytes: [1198], + missing_bytes: [0], + md5: ['f7653f1951693021daa9e6be61226e32'], + }, + }, + }, + }, + { + _id: '20', + data: [ + { field: '@timestamp', value: ['2019-03-13T05:42:11.815Z'] }, + { field: 'event.category', value: ['audit-rule'] }, + { field: 'host.name', value: ['zeek-sanfran'] }, + { field: 'process.args', value: ['gpgconf', '--list-dirs', 'agent-socket'] }, + ], + ecs: { + _id: '20', + timestamp: '2019-03-13T05:42:11.815Z', + event: { + action: ['executed'], + module: ['auditd'], + category: ['audit-rule'], + }, + host: { + id: ['f896741c3b3b44bdb8e351a4ab6d2d7c'], + name: ['zeek-sanfran'], + ip: ['134.209.63.134', '10.46.0.5', 'fe80::a0d9:16ff:fecf:e70b'], + }, + user: { name: ['alice'] }, + process: { + pid: [5402], + name: ['gpgconf'], + ppid: [5401], + args: ['gpgconf', '--list-dirs', 'agent-socket'], + executable: ['/usr/bin/gpgconf'], + title: ['gpgconf --list-dirs agent-socket'], + working_directory: ['/'], + }, + }, + }, + { + _id: '21', + data: [ + { field: '@timestamp', value: ['2019-03-14T22:30:25.527Z'] }, + { field: 'event.category', value: ['user-login'] }, + { field: 'host.name', value: ['zeek-london'] }, + { field: 'source.ip', value: ['192.168.77.171'] }, + { field: 'user.name', value: ['root'] }, + ], + ecs: { + _id: '21', + timestamp: '2019-03-14T22:30:25.527Z', + event: { + action: ['logged-in'], + module: ['auditd'], + category: ['user-login'], + }, + auditd: { + result: ['success'], + session: ['14'], + data: { terminal: ['/dev/pts/0'], op: ['login'] }, + summary: { + actor: { primary: ['alice'], secondary: ['alice'] }, + object: { primary: ['/dev/pts/0'], secondary: ['8.42.77.171'], type: ['user-session'] }, + how: ['/usr/sbin/sshd'], + }, + }, + host: { + id: ['7c21f5ed03b04d0299569d221fe18bbc'], + name: ['zeek-london'], + ip: ['46.101.3.136', '10.16.0.5', 
'fe80::4066:42ff:fe19:b3b9'], + }, + source: { ip: ['8.42.77.171'] }, + user: { name: ['root'] }, + process: { + pid: [17471], + executable: ['/usr/sbin/sshd'], + }, + }, + }, + { + _id: '22', + data: [ + { field: '@timestamp', value: ['2019-03-13T03:35:21.614Z'] }, + { field: 'event.category', value: ['user-login'] }, + { field: 'host.name', value: ['suricata-bangalore'] }, + { field: 'user.name', value: ['root'] }, + ], + ecs: { + _id: '22', + timestamp: '2019-03-13T03:35:21.614Z', + event: { + action: ['disposed-credentials'], + module: ['auditd'], + category: ['user-login'], + }, + auditd: { + result: ['success'], + session: ['340'], + data: { acct: ['alice'], terminal: ['ssh'], op: ['PAM:setcred'] }, + summary: { + actor: { primary: ['alice'], secondary: ['alice'] }, + object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] }, + how: ['/usr/sbin/sshd'], + }, + }, + host: { + id: ['0a63559c1acf4c419d979c4b4d8b83ff'], + name: ['suricata-bangalore'], + ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'], + }, + user: { name: ['root'] }, + process: { + pid: [21202], + executable: ['/usr/sbin/sshd'], + }, + }, + }, + { + _id: '23', + data: [ + { field: '@timestamp', value: ['2019-03-13T03:35:21.614Z'] }, + { field: 'event.category', value: ['user-login'] }, + { field: 'host.name', value: ['suricata-bangalore'] }, + { field: 'user.name', value: ['root'] }, + ], + ecs: { + _id: '23', + timestamp: '2019-03-13T03:35:21.614Z', + event: { + action: ['ended-session'], + module: ['auditd'], + category: ['user-login'], + }, + auditd: { + result: ['success'], + session: ['340'], + data: { acct: ['alice'], terminal: ['ssh'], op: ['PAM:session_close'] }, + summary: { + actor: { primary: ['alice'], secondary: ['alice'] }, + object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] }, + how: ['/usr/sbin/sshd'], + }, + }, + host: { + id: ['0a63559c1acf4c419d979c4b4d8b83ff'], + name: ['suricata-bangalore'], + ip: 
['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'], + }, + user: { name: ['root'] }, + process: { + pid: [21202], + executable: ['/usr/sbin/sshd'], + }, + }, + }, + { + _id: '24', + data: [ + { field: '@timestamp', value: ['2019-03-18T23:17:01.645Z'] }, + { field: 'event.category', value: ['user-login'] }, + { field: 'host.name', value: ['zeek-london'] }, + { field: 'user.name', value: ['root'] }, + ], + ecs: { + _id: '24', + timestamp: '2019-03-18T23:17:01.645Z', + event: { + action: ['acquired-credentials'], + module: ['auditd'], + category: ['user-login'], + }, + auditd: { + result: ['success'], + session: ['unset'], + data: { acct: ['root'], terminal: ['cron'], op: ['PAM:setcred'] }, + summary: { + actor: { primary: ['unset'], secondary: ['root'] }, + object: { primary: ['cron'], type: ['user-session'] }, + how: ['/usr/sbin/cron'], + }, + }, + host: { + id: ['7c21f5ed03b04d0299569d221fe18bbc'], + name: ['zeek-london'], + ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], + }, + user: { name: ['root'] }, + process: { + pid: [9592], + executable: ['/usr/sbin/cron'], + }, + }, + }, + { + _id: '25', + data: [ + { field: '@timestamp', value: ['2019-03-19T01:17:01.336Z'] }, + { field: 'event.category', value: ['user-login'] }, + { field: 'host.name', value: ['siem-kibana'] }, + { field: 'user.name', value: ['root'] }, + ], + ecs: { + _id: '25', + timestamp: '2019-03-19T01:17:01.336Z', + event: { + action: ['started-session'], + module: ['auditd'], + category: ['user-login'], + }, + auditd: { + result: ['success'], + session: ['2908'], + data: { acct: ['root'], terminal: ['cron'], op: ['PAM:session_open'] }, + summary: { + actor: { primary: ['root'], secondary: ['root'] }, + object: { primary: ['cron'], type: ['user-session'] }, + how: ['/usr/sbin/cron'], + }, + }, + host: { id: ['aa7ca589f1b8220002f2fc61c64cfbf1'], name: ['siem-kibana'] }, + user: { name: ['root'] }, + process: { + pid: [725], + executable: ['/usr/sbin/cron'], + }, + }, + }, + { 
+ _id: '26', + data: [ + { field: '@timestamp', value: ['2019-03-13T03:34:08.890Z'] }, + { field: 'event.category', value: ['user-login'] }, + { field: 'host.name', value: ['suricata-bangalore'] }, + { field: 'user.name', value: ['alice'] }, + ], + ecs: { + _id: '26', + timestamp: '2019-03-13T03:34:08.890Z', + event: { + action: ['was-authorized'], + module: ['auditd'], + category: ['user-login'], + }, + auditd: { + result: ['success'], + session: ['338'], + data: { terminal: ['/dev/pts/0'] }, + summary: { + actor: { primary: ['root'], secondary: ['alice'] }, + object: { primary: ['/dev/pts/0'], type: ['user-session'] }, + how: ['/sbin/pam_tally2'], + }, + }, + host: { + id: ['0a63559c1acf4c419d979c4b4d8b83ff'], + name: ['suricata-bangalore'], + ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'], + }, + user: { name: ['alice'] }, + process: { + pid: [21170], + executable: ['/sbin/pam_tally2'], + }, + }, + }, + { + _id: '27', + data: [ + { field: '@timestamp', value: ['2019-03-22T19:13:11.026Z'] }, + { field: 'event.action', value: ['connected-to'] }, + { field: 'event.category', value: ['audit-rule'] }, + { field: 'host.name', value: ['zeek-london'] }, + { field: 'destination.ip', value: ['192.168.216.34'] }, + { field: 'user.name', value: ['alice'] }, + ], + ecs: { + _id: '27', + timestamp: '2019-03-22T19:13:11.026Z', + event: { + action: ['connected-to'], + module: ['auditd'], + category: ['audit-rule'], + }, + auditd: { + result: ['success'], + session: ['246'], + summary: { + actor: { primary: ['alice'], secondary: ['alice'] }, + object: { primary: ['192.168.216.34'], secondary: ['80'], type: ['socket'] }, + how: ['/usr/bin/wget'], + }, + }, + host: { + id: ['7c21f5ed03b04d0299569d221fe18bbc'], + name: ['zeek-london'], + ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], + }, + destination: { ip: ['192.168.216.34'], port: [80] }, + user: { name: ['alice'] }, + process: { + pid: [1490], + name: ['wget'], + ppid: [1476], + executable: 
['/usr/bin/wget'], + title: ['wget www.example.com'], + }, + }, + }, + { + _id: '28', + data: [ + { field: '@timestamp', value: ['2019-03-26T22:12:18.609Z'] }, + { field: 'event.action', value: ['opened-file'] }, + { field: 'event.category', value: ['audit-rule'] }, + { field: 'host.name', value: ['zeek-london'] }, + { field: 'user.name', value: ['root'] }, + ], + ecs: { + _id: '28', + timestamp: '2019-03-26T22:12:18.609Z', + event: { + action: ['opened-file'], + module: ['auditd'], + category: ['audit-rule'], + }, + auditd: { + result: ['success'], + session: ['242'], + summary: { + actor: { primary: ['unset'], secondary: ['root'] }, + object: { primary: ['/proc/15990/attr/current'], type: ['file'] }, + how: ['/lib/systemd/systemd-journald'], + }, + }, + file: { + path: ['/proc/15990/attr/current'], + device: ['00:00'], + inode: ['27672309'], + uid: ['0'], + owner: ['root'], + gid: ['0'], + group: ['root'], + mode: ['0666'], + }, + host: { + id: ['7c21f5ed03b04d0299569d221fe18bbc'], + name: ['zeek-london'], + ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], + }, + + user: { name: ['root'] }, + process: { + pid: [27244], + name: ['systemd-journal'], + ppid: [1], + executable: ['/lib/systemd/systemd-journald'], + title: ['/lib/systemd/systemd-journald'], + working_directory: ['/'], + }, + }, + }, + { + _id: '29', + data: [ + { field: '@timestamp', value: ['2019-04-08T21:18:57.000Z'] }, + { field: 'event.action', value: ['user_login'] }, + { field: 'event.category', value: null }, + { field: 'host.name', value: ['zeek-london'] }, + { field: 'user.name', value: ['Braden'] }, + ], + ecs: { + _id: '29', + event: { + action: ['user_login'], + dataset: ['login'], + kind: ['event'], + module: ['system'], + outcome: ['failure'], + }, + host: { + id: ['7c21f5ed03b04d0299569d221fe18bbc'], + name: ['zeek-london'], + ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], + }, + source: { + ip: ['128.199.212.120'], + }, + user: { + name: ['Braden'], + }, 
+ process: { + pid: [6278], + }, + }, + }, + { + _id: '30', + data: [ + { field: '@timestamp', value: ['2019-04-08T22:27:14.814Z'] }, + { field: 'event.action', value: ['process_started'] }, + { field: 'event.category', value: null }, + { field: 'host.name', value: ['zeek-london'] }, + { field: 'user.name', value: ['Evan'] }, + ], + ecs: { + _id: '30', + event: { + action: ['process_started'], + dataset: ['login'], + kind: ['event'], + module: ['system'], + outcome: ['failure'], + }, + host: { + id: ['7c21f5ed03b04d0299569d221fe18bbc'], + name: ['zeek-london'], + ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], + }, + source: { + ip: ['128.199.212.120'], + }, + user: { + name: ['Evan'], + }, + process: { + pid: [6278], + }, + }, + }, + { + _id: '31', + data: [ + { field: '@timestamp', value: ['2018-11-05T19:03:25.937Z'] }, + { field: 'message', value: ['I am a log file message'] }, + { field: 'event.severity', value: ['3'] }, + { field: 'event.category', value: ['Access'] }, + { field: 'event.action', value: ['Action'] }, + { field: 'host.name', value: ['apache'] }, + { field: 'source.ip', value: ['192.168.0.1'] }, + { field: 'destination.ip', value: ['192.168.0.3'] }, + { field: 'destination.bytes', value: ['123456'] }, + { field: 'user.name', value: ['john.dee'] }, + ], + ecs: { + _id: '1', + timestamp: '2018-11-05T19:03:25.937Z', + host: { name: ['apache'], ip: ['192.168.0.1'] }, + event: { + id: ['1'], + action: ['Action'], + category: ['Access'], + module: ['nginx'], + severity: [3], + }, + message: ['I am a log file message'], + source: { ip: ['192.168.0.1'], port: [80] }, + destination: { ip: ['192.168.0.3'], port: [6343] }, + user: { id: ['1'], name: ['john.dee'] }, + geo: { region_name: ['xx'], country_iso_code: ['xx'] }, + }, + }, + { + _id: '32', + data: [], + ecs: { + _id: 'BuBP4W0BOpWiDweSoYSg', + timestamp: '2019-10-18T23:59:15.091Z', + threat: { + enrichments: [ + { + indicator: { + provider: ['indicator_provider'], + reference: 
['https://example.com'], + }, + matched: { + atomic: ['192.168.1.1'], + field: ['source.ip'], + type: ['ip'], + }, + feed: { + name: ['feed_name'], + }, + }, + ], + }, + }, + }, +]; diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts b/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts index 28be68fb6af63..b7a9e0cd4593a 100644 --- a/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts +++ b/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts 
@@ -7,56 +7,17 @@
 import type { Ecs } from '../../../common/ecs';
-export const mockEndgameDnsRequest: Ecs = {
- _id: 'S8jPcG0BOpWiDweSou3g',
- user: {
- id: ['S-1-5-18'],
- domain: ['NT AUTHORITY'],
- name: ['SYSTEM'],
- },
- host: {
- os: {
- platform: ['windows'],
- name: ['Windows'],
- version: ['6.1'],
- },
- ip: ['10.178.85.222'],
- name: ['HD-obe-8bf77f54'],
- },
- event: {
- module: ['endgame'],
- dataset: ['esensor'],
- action: ['request_event'],
- category: ['network'],
- kind: ['event'],
- },
- message: [
- 'DNS query is completed for the name %1, type %2, query options %3 with status %4 Results %5 ',
- ],
- timestamp: '1569555712000',
- dns: {
- question: {
- name: ['update.googleapis.com'],
- type: ['A'],
- },
- resolved_ip: ['10.100.197.67'],
- },
- network: {
- protocol: ['dns'],
- },
- process: {
- pid: [443192],
- name: ['GoogleUpdate.exe'],
- executable: ['C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe'],
- },
- winlog: {
- event_id: [3008],
- },
- endgame: {
- process_name: ['GoogleUpdate.exe'],
- pid: [443192],
- },
-};
+// these "mocks" are used by browser bundles so they were moved out of the mocks and are
+// re-exported here for convenience and internal bwc
+export { demoEndgameCreationEvent as mockEndgameCreationEvent } from '../demo_data/endgame_ecs/creation';
+export { demoEndgameDnsRequest as mockEndgameDnsRequest } from '../demo_data/endgame_ecs/dns';
+export {
+ demoEndgameFileCreateEvent as mockEndgameFileCreateEvent,
+ demoEndgameFileDeleteEvent as mockEndgameFileDeleteEvent,
+} from '../demo_data/endgame_ecs/file_events';
+export { demoEndgameIpv4ConnectionAcceptEvent as mockEndgameIpv4ConnectionAcceptEvent } from '../demo_data/endgame_ecs/ipv4';
+export { demoEndgameTerminationEvent as mockEndgameTerminationEvent } from '../demo_data/endgame_ecs/termination';
+export { demoEndgameUserLogon as mockEndgameUserLogon } from '../demo_data/endgame_ecs/user_logon';
 export const mockEndpointNetworkLookupRequestedEvent: Ecs = {
host: {
@@ -173,39 +134,6 @@ export const mockEndpointNetworkLookupResultEvent: Ecs = {
 _id: 'skNzOncBPmkOXwyN9VbT',
 };
-export const mockEndgameFileCreateEvent: Ecs = {
- _id: '98jPcG0BOpWiDweSouzg',
- user: {
- id: ['S-1-5-21-3573271228-3407584681-1597858646-1002'],
- domain: ['Anvi-Acer'],
- name: ['Arun'],
- },
- host: {
- os: {
- platform: ['windows'],
- name: ['Windows'],
- version: ['6.1'],
- },
- ip: ['10.178.85.222'],
- name: ['HD-obe-8bf77f54'],
- },
- event: {
- module: ['endgame'],
- dataset: ['esensor'],
- action: ['file_create_event'],
- category: ['file'],
- kind: ['event'],
- },
- timestamp: '1569555712000',
- endgame: {
- process_name: ['chrome.exe'],
- pid: [11620],
- file_path: [
- 'C:\\Users\\Arun\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\63d78c21-e593-4484-b7a9-db33cd522ddc.tmp',
- ],
- },
-};
-
 export const mockEndpointFileCreationEvent: Ecs = {
 file: {
 path: ['C:\\Windows\\TEMP\\E38FD162-B6E6-4799-B52D-F590BACBAE94\\WimProvider.dll'],
@@ -259,38 +187,6 @@ export const mockEndpointFileCreationEvent: Ecs = {
 _id: 'eSdbOncBLJMagDUQ3YFs',
 };
-export const mockEndgameFileDeleteEvent: Ecs = {
- _id: 'OMjPcG0BOpWiDweSeuW9',
- user: {
- id: ['S-1-5-18'],
- domain: ['NT AUTHORITY'],
- name: ['SYSTEM'],
- },
- host: {
- os: {
- platform: ['windows'],
- name: ['Windows'],
- version: ['10.0'],
- },
- ip: ['10.134.159.150'],
- name: ['HD-v1s-d2118419'],
- },
- event: {
- module: ['endgame'],
- dataset: ['esensor'],
- action: ['file_delete_event'],
- category: ['file'],
- kind: ['event'],
- },
- timestamp: '1569555704000',
- endgame: {
- pid: [1084],
- file_name: ['tmp000002f6'],
- file_path: ['C:\\Windows\\TEMP\\tmp00000404\\tmp000002f6'],
- process_name: ['AmSvc.exe'],
- },
-};
-
 export const mockEndpointFileDeletionEvent: Ecs = {
 file: {
 path: ['C:\\Windows\\SoftwareDistribution\\Download\\Install\\AM_Delta_Patch_1.329.2793.0.exe'],
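Review bot: The new re-export block describes the `mock*` aliases as existing `for convenience and internal bwc`, but nothing in the code marks them as the legacy path, so new tests will keep importing the aliases and the compatibility layer has no route to retirement. A TSDoc `@deprecated` on each re-export naming the `demo*` replacement, together with a clearer comment such as `// The endgame fixtures are also consumed by browser bundles, so they live under ../demo_data/endgame_ecs;` / `// they are re-exported under their legacy mock* names for backward compatibility — new code should import the demo* names directly.`, would give the aliases a documented end of life. Since the comment implies the moved fixtures now ship in non-test bundles, the same comment should also state that this data must remain synthetic (the fixtures carry SIDs, hostnames, private IPs and file hashes) so that future additions are screened before they reach a shipped bundle. The hunk's final context line opens `mockEndpointNetworkLookupRequestedEvent`, whose body continues outside the hunk.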
@@ -1222,52 +1118,6 @@ export const mockEndpointProcessForkEvent: Ecs = {
 _id: 'KXomX3cBGrBB52F2S9XY',
 };
-export const mockEndgameIpv4ConnectionAcceptEvent: Ecs = {
- _id: 'LsjPcG0BOpWiDweSCNfu',
- user: {
- id: ['S-1-5-18'],
- domain: ['NT AUTHORITY'],
- name: ['SYSTEM'],
- },
- host: {
- os: {
- platform: ['windows'],
- name: ['Windows'],
- version: ['10.0'],
- },
- ip: ['10.43.255.177'],
- name: ['HD-gqf-0af7b4fe'],
- },
- event: {
- module: ['endgame'],
- dataset: ['esensor'],
- action: ['ipv4_connection_accept_event'],
- category: ['network'],
- kind: ['event'],
- },
- timestamp: '1569555676000',
- network: {
- community_id: ['1:network-community_id'],
- transport: ['tcp'],
- },
- process: {
- pid: [1084],
- name: ['AmSvc.exe'],
- executable: ['C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe'],
- },
- source: {
- ip: ['127.0.0.1'],
- port: [49306],
- },
- destination: {
- port: [49305],
- ip: ['127.0.0.1'],
- },
- endgame: {
- pid: [1084],
- },
-};
-
 export const mockEndgameIpv6ConnectionAcceptEvent: Ecs = {
 _id: '-8SucG0BOpWiDweS0wrq',
 user: {
@@ -1545,54 +1395,6 @@ export const mockEndpointDisconnectReceivedEvent: Ecs = { _id: 'uUN0OncBPmkOXwyNOGPV', }; -export const mockEndgameUserLogon: Ecs = { - _id: 'QsjPcG0BOpWiDweSeuRE', - user: { - id: ['S-1-5-18'], - domain: ['NT AUTHORITY'], - name: ['SYSTEM'], - }, - host: { - os: { - platform: ['windows'], - name: ['Windows'], - version: ['10.0'], - }, - ip: ['10.134.159.150'], - name: ['HD-v1s-d2118419'], - }, - event: { - module: ['endgame'], - dataset: ['esensor'], - action: ['user_logon'], - category: ['authentication'], - type: ['authentication_success'], - kind: ['event'], - }, - message: [ - 'An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN-Q3DOP1UKA81$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nLogon Type:\t\t\t5\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3e7\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1b0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.', - ], - timestamp: '1569555704000', - process: { - pid: [432], - name: ['C:\\Windows\\System32\\services.exe'], - executable: ['C:\\Windows\\System32\\services.exe'], - }, - winlog: { - event_id: [4624], - }, - endgame: { - target_logon_id: ['0x3e7'], - pid: [432], - process_name: ['C:\\Windows\\System32\\services.exe'], - logon_type: [5], - subject_user_name: ['WIN-Q3DOP1UKA81$'], - subject_logon_id: ['0x3e7'], - target_user_name: ['SYSTEM'], - target_domain_name: ['NT AUTHORITY'], - }, -}; - export const mockEndpointSecurityLogOnSuccessEvent: Ecs = { host: { os: { 
@@ -1853,55 +1655,6 @@ export const mockEndpointSecurityLogOffEvent: Ecs = {
 _id: 'ZesLQXcBPmkOXwyNdT1a',
 };
-export const mockEndgameCreationEvent: Ecs = {
- _id: 'BcjPcG0BOpWiDweSou3g',
- user: {
- id: ['S-1-5-21-3573271228-3407584681-1597858646-1002'],
- domain: ['Anvi-Acer'],
- name: ['Arun'],
- },
- host: {
- os: {
- platform: ['windows'],
- name: ['Windows'],
- version: ['6.1'],
- },
- ip: ['10.178.85.222'],
- name: ['HD-obe-8bf77f54'],
- },
- event: {
- module: ['endgame'],
- dataset: ['esensor'],
- action: ['creation_event'],
- category: ['process'],
- type: ['process_start'],
- kind: ['event'],
- },
- timestamp: '1569555712000',
- process: {
- hash: {
- md5: ['62d06d7235b37895b68de56687895743'],
- sha1: ['12563599116157778a22600d2a163d8112aed845'],
- sha256: ['d4c97ed46046893141652e2ec0056a698f6445109949d7fcabbce331146889ee'],
- },
- pid: [441684],
- ppid: [8],
- name: ['Microsoft.Photos.exe'],
- executable: [
- 'C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe',
- ],
- args: [
- 'C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe',
- '-ServerName:App.AppXzst44mncqdg84v7sv6p7yznqwssy6f7f.mca',
- ],
- },
- endgame: {
- process_name: ['Microsoft.Photos.exe'],
- pid: [441684],
- parent_process_name: ['svchost.exe'],
- },
-};
-
 export const mockEndpointProcessStartEvent: Ecs = {
 process: {
 hash: {
@@ -1954,48 +1707,6 @@ export const mockEndpointProcessStartEvent: Ecs = {
 _id: 't5KSO3cB8l64wN2iQ8V9',
 };
-export const mockEndgameTerminationEvent: Ecs = {
- _id: '2MjPcG0BOpWiDweSoutC',
- user: {
- id: ['S-1-5-21-3573271228-3407584681-1597858646-1002'],
- domain: ['Anvi-Acer'],
- name: ['Arun'],
- },
- host: {
- os: {
- platform: ['windows'],
- name: ['Windows'],
- version: ['6.1'],
- },
- ip: ['10.178.85.222'],
- name: ['HD-obe-8bf77f54'],
- },
- event: {
- module: ['endgame'],
- dataset: ['esensor'],
- action: ['termination_event'],
- category: ['process'],
- kind: ['event'],
- },
- timestamp: '1569555712000',
- process: {
- hash: {
- md5: ['bd4401441a21bf1abce6404f4231db4d'],
- sha1: ['797255e72d5ed5c058d4785950eba7abaa057653'],
- sha256: ['87976f3430cc99bc939e0694247c0759961a49832b87218f4313d6fc0bc3a776'],
- },
- pid: [442384],
- ppid: [8],
- name: ['RuntimeBroker.exe'],
- executable: ['C:\\Windows\\System32\\RuntimeBroker.exe'],
- },
- endgame: {
- pid: [442384],
- process_name: ['RuntimeBroker.exe'],
- exit_code: [0],
- },
-};
-
 export const mockEndpointProcessEndEvent: Ecs = {
 process: {
 hash: {
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts b/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
index bcc024ad057fd..3ba5aab6a6dd8 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
@@ -6,1116 +6,11 @@ */ import type { Ecs } from '../../../common/ecs'; -import type { TimelineItem } from '../../../common/search_strategy/timeline'; -export const mockTimelineData: TimelineItem[] = [ - { - _id: '1', - data: [ - { field: '@timestamp', value: ['2018-11-05T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'event.action', value: ['Action'] }, - { field: 'host.name', value: ['apache'] }, - { field: 'source.ip', value: ['192.168.0.1'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['john.dee'] }, - ], - ecs: { - _id: '1', - timestamp: '2018-11-05T19:03:25.937Z', - host: { name: ['apache'], ip: ['192.168.0.1'] }, - event: { - id: ['1'], - action: ['Action'], - category: ['Access'], - module: ['nginx'], - severity: [3], - }, - source: { ip: ['192.168.0.1'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['1'], name: ['john.dee'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '3', - data: [ - { field: '@timestamp', value: ['2018-11-07T19:03:25.937Z'] }, - { field: 'event.severity', value: ['1'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['nginx'] }, - { field: 'source.ip', value: ['192.168.0.3'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['evan.davis'] }, - ], - ecs: { - _id: '3', - timestamp: '2018-11-07T19:03:25.937Z', - host: { name: ['nginx'], ip: ['192.168.0.1'] }, - event: { - id: ['3'], - category: ['Access'], - type: ['HTTP Request'], - module: ['nginx'], - severity: [1], - }, - source: { ip: ['192.168.0.3'], port: [443] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['3'], name: ['evan.davis'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] 
}, - }, - }, - { - _id: '4', - data: [ - { field: '@timestamp', value: ['2018-11-08T19:03:25.937Z'] }, - { field: 'event.severity', value: ['1'] }, - { field: 'event.category', value: ['Attempted Administrator Privilege Gain'] }, - { field: 'host.name', value: ['suricata'] }, - { field: 'source.ip', value: ['192.168.0.3'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['jenny.jones'] }, - ], - ecs: { - _id: '4', - timestamp: '2018-11-08T19:03:25.937Z', - host: { name: ['suricata'], ip: ['192.168.0.1'] }, - event: { - id: ['4'], - category: ['Attempted Administrator Privilege Gain'], - type: ['Alert'], - module: ['suricata'], - severity: [1], - }, - source: { ip: ['192.168.0.3'], port: [53] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - suricata: { - eve: { - flow_id: [4], - proto: [''], - alert: { - signature: [ - 'ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)', - ], - signature_id: [4], - }, - }, - }, - user: { id: ['4'], name: ['jenny.jones'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '5', - data: [ - { field: '@timestamp', value: ['2018-11-09T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.3'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['becky.davis'] }, - ], - ecs: { - _id: '5', - timestamp: '2018-11-09T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['5'], - category: ['Access'], - type: ['HTTP Request'], - module: ['nginx'], - severity: [3], - }, - source: { ip: ['192.168.0.3'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['5'], name: ['becky.davis'] }, 
- geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '6', - data: [ - { field: '@timestamp', value: ['2018-11-10T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['braden.davis'] }, - { field: 'source.ip', value: ['192.168.0.6'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - ], - ecs: { - _id: '6', - timestamp: '2018-11-10T19:03:25.937Z', - host: { name: ['braden.davis'], ip: ['192.168.0.1'] }, - event: { - id: ['6'], - category: ['Access'], - type: ['HTTP Request'], - module: ['nginx'], - severity: [3], - }, - source: { ip: ['192.168.0.6'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '8', - data: [ - { field: '@timestamp', value: ['2018-11-12T19:03:25.937Z'] }, - { field: 'event.severity', value: ['2'] }, - { field: 'event.category', value: ['Web Application Attack'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.8'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['jone.doe'] }, - ], - ecs: { - _id: '8', - timestamp: '2018-11-12T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['8'], - category: ['Web Application Attack'], - type: ['Alert'], - module: ['suricata'], - severity: [2], - }, - suricata: { - eve: { - flow_id: [8], - proto: [''], - alert: { - signature: ['ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie'], - signature_id: [8], - }, - }, - }, - source: { ip: ['192.168.0.8'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['8'], name: ['jone.doe'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '7', - data: [ 
- { field: '@timestamp', value: ['2018-11-11T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.7'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['jone.doe'] }, - ], - ecs: { - _id: '7', - timestamp: '2018-11-11T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['7'], - category: ['Access'], - type: ['HTTP Request'], - module: ['apache'], - severity: [3], - }, - source: { ip: ['192.168.0.7'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['7'], name: ['jone.doe'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '9', - data: [ - { field: '@timestamp', value: ['2018-11-13T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.9'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['jone.doe'] }, - ], - ecs: { - _id: '9', - timestamp: '2018-11-13T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['9'], - category: ['Access'], - type: ['HTTP Request'], - module: ['nginx'], - severity: [3], - }, - source: { ip: ['192.168.0.9'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['9'], name: ['jone.doe'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '10', - data: [ - { field: '@timestamp', value: ['2018-11-14T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['joe.computer'] }, 
- { field: 'source.ip', value: ['192.168.0.10'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['jone.doe'] }, - ], - ecs: { - _id: '10', - timestamp: '2018-11-14T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['10'], - category: ['Access'], - type: ['HTTP Request'], - module: ['nginx'], - severity: [3], - }, - source: { ip: ['192.168.0.10'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['10'], name: ['jone.doe'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '11', - data: [ - { field: '@timestamp', value: ['2018-11-15T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.11'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['jone.doe'] }, - ], - ecs: { - _id: '11', - timestamp: '2018-11-15T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['11'], - category: ['Access'], - type: ['HTTP Request'], - module: ['nginx'], - severity: [3], - }, - source: { ip: ['192.168.0.11'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['11'], name: ['jone.doe'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '12', - data: [ - { field: '@timestamp', value: ['2018-11-16T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.12'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: 
['jone.doe'] }, - ], - ecs: { - _id: '12', - timestamp: '2018-11-16T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['12'], - category: ['Access'], - type: ['HTTP Request'], - module: ['nginx'], - severity: [3], - }, - source: { ip: ['192.168.0.12'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['12'], name: ['jone.doe'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '2', - data: [ - { field: '@timestamp', value: ['2018-11-06T19:03:25.937Z'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Authentication'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.2'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['joe.bob'] }, - ], - ecs: { - _id: '2', - timestamp: '2018-11-06T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['2'], - category: ['Authentication'], - type: ['Authentication Success'], - module: ['authlog'], - severity: [3], - }, - source: { ip: ['192.168.0.2'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['1'], name: ['joe.bob'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '13', - data: [ - { field: '@timestamp', value: ['2018-13-12T19:03:25.937Z'] }, - { field: 'event.severity', value: ['1'] }, - { field: 'event.category', value: ['Web Application Attack'] }, - { field: 'host.name', value: ['joe.computer'] }, - { field: 'source.ip', value: ['192.168.0.8'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - ], - ecs: { - _id: '13', - timestamp: '2018-13-12T19:03:25.937Z', - host: { name: ['joe.computer'], ip: ['192.168.0.1'] }, - event: { - id: ['13'], - category: ['Web Application Attack'], - 
type: ['Alert'], - module: ['suricata'], - severity: [1], - }, - suricata: { - eve: { - flow_id: [13], - proto: [''], - alert: { - signature: ['ET WEB_SERVER Possible Attempt in HTTP Cookie'], - signature_id: [13], - }, - }, - }, - source: { ip: ['192.168.0.8'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '14', - data: [ - { field: '@timestamp', value: ['2019-03-07T05:06:51.000Z'] }, - { field: 'host.name', value: ['zeek-franfurt'] }, - { field: 'source.ip', value: ['192.168.26.101'] }, - { field: 'destination.ip', value: ['192.168.238.205'] }, - ], - ecs: { - _id: '14', - timestamp: '2019-03-07T05:06:51.000Z', - event: { - module: ['zeek'], - dataset: ['zeek.connection'], - }, - host: { - id: ['37c81253e0fc4c46839c19b981be5177'], - name: ['zeek-franfurt'], - ip: ['207.154.238.205', '10.19.0.5', 'fe80::d82b:9aff:fe0d:1e12'], - }, - source: { ip: ['185.176.26.101'], port: [44059] }, - destination: { ip: ['207.154.238.205'], port: [11568] }, - geo: { region_name: ['New York'], country_iso_code: ['US'] }, - network: { transport: ['tcp'] }, - zeek: { - session_id: ['C8DRTq362Fios6hw16'], - connection: { - local_resp: [false], - local_orig: [false], - missed_bytes: [0], - state: ['REJ'], - history: ['Sr'], - }, - }, - }, - }, - { - _id: '15', - data: [ - { field: '@timestamp', value: ['2019-03-07T00:51:28.000Z'] }, - { field: 'host.name', value: ['suricata-zeek-singapore'] }, - { field: 'source.ip', value: ['192.168.35.240'] }, - { field: 'destination.ip', value: ['192.168.67.3'] }, - ], - ecs: { - _id: '15', - timestamp: '2019-03-07T00:51:28.000Z', - event: { - module: ['zeek'], - dataset: ['zeek.dns'], - }, - host: { - id: ['af3fddf15f1d47979ce817ba0df10c6e'], - name: ['suricata-zeek-singapore'], - ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'], - }, - source: { ip: ['206.189.35.240'], port: [57475] }, - destination: { ip: ['67.207.67.3'], port: [53] 
}, - geo: { region_name: ['New York'], country_iso_code: ['US'] }, - network: { transport: ['udp'] }, - zeek: { - session_id: ['CyIrMA1L1JtLqdIuol'], - dns: { - AA: [false], - RD: [false], - trans_id: [65252], - RA: [false], - TC: [false], - }, - }, - }, - }, - { - _id: '16', - data: [ - { field: '@timestamp', value: ['2019-03-05T07:00:20.000Z'] }, - { field: 'host.name', value: ['suricata-zeek-singapore'] }, - { field: 'source.ip', value: ['192.168.35.240'] }, - { field: 'destination.ip', value: ['192.168.164.26'] }, - ], - ecs: { - _id: '16', - timestamp: '2019-03-05T07:00:20.000Z', - event: { - module: ['zeek'], - dataset: ['zeek.http'], - }, - host: { - id: ['af3fddf15f1d47979ce817ba0df10c6e'], - name: ['suricata-zeek-singapore'], - ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'], - }, - source: { ip: ['206.189.35.240'], port: [36220] }, - destination: { ip: ['192.241.164.26'], port: [80] }, - geo: { region_name: ['New York'], country_iso_code: ['US'] }, - http: { - version: ['1.1'], - request: { body: { bytes: [0] } }, - response: { status_code: [302], body: { bytes: [154] } }, - }, - zeek: { - session_id: ['CZLkpC22NquQJOpkwe'], - - http: { - resp_mime_types: ['text/html'], - trans_depth: ['3'], - status_msg: ['Moved Temporarily'], - resp_fuids: ['FzeujEPP7GTHmYPsc'], - tags: [], - }, - }, - }, - }, - { - _id: '17', - data: [ - { field: '@timestamp', value: ['2019-02-28T22:36:28.000Z'] }, - { field: 'host.name', value: ['zeek-franfurt'] }, - { field: 'source.ip', value: ['192.168.77.171'] }, - ], - ecs: { - _id: '17', - timestamp: '2019-02-28T22:36:28.000Z', - event: { - module: ['zeek'], - dataset: ['zeek.notice'], - }, - host: { - id: ['37c81253e0fc4c46839c19b981be5177'], - name: ['zeek-franfurt'], - ip: ['207.154.238.205', '10.19.0.5', 'fe80::d82b:9aff:fe0d:1e12'], - }, - source: { ip: ['8.42.77.171'] }, - zeek: { - notice: { - suppress_for: [3600], - msg: ['8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s'], - 
note: ['Scan::Port_Scan'], - sub: ['remote'], - dst: ['207.154.238.205'], - dropped: [false], - peer_descr: ['bro'], - }, - }, - }, - }, - { - _id: '18', - data: [ - { field: '@timestamp', value: ['2019-02-22T21:12:13.000Z'] }, - { field: 'host.name', value: ['zeek-sensor-amsterdam'] }, - { field: 'source.ip', value: ['192.168.66.184'] }, - { field: 'destination.ip', value: ['192.168.95.15'] }, - ], - ecs: { - _id: '18', - timestamp: '2019-02-22T21:12:13.000Z', - event: { - module: ['zeek'], - dataset: ['zeek.ssl'], - }, - host: { id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'], name: ['zeek-sensor-amsterdam'] }, - source: { ip: ['188.166.66.184'], port: [34514] }, - destination: { ip: ['91.189.95.15'], port: [443] }, - geo: { region_name: ['England'], country_iso_code: ['GB'] }, - zeek: { - session_id: ['CmTxzt2OVXZLkGDaRe'], - ssl: { - cipher: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'], - established: [false], - resumed: [false], - version: ['TLSv12'], - }, - }, - }, - }, - { - _id: '19', - data: [ - { field: '@timestamp', value: ['2019-03-03T04:26:38.000Z'] }, - { field: 'host.name', value: ['suricata-zeek-singapore'] }, - ], - ecs: { - _id: '19', - timestamp: '2019-03-03T04:26:38.000Z', - event: { - module: ['zeek'], - dataset: ['zeek.files'], - }, - host: { - id: ['af3fddf15f1d47979ce817ba0df10c6e'], - name: ['suricata-zeek-singapore'], - ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'], - }, - zeek: { - session_id: ['Cu0n232QMyvNtzb75j'], - files: { - session_ids: ['Cu0n232QMyvNtzb75j'], - timedout: [false], - local_orig: [false], - tx_host: ['5.101.111.50'], - source: ['HTTP'], - is_orig: [false], - overflow_bytes: [0], - sha1: ['fa5195a5dfacc9d1c68d43600f0e0262cad14dde'], - duration: [0], - depth: [0], - analyzers: ['MD5', 'SHA1'], - mime_type: ['text/plain'], - rx_host: ['206.189.35.240'], - total_bytes: [88722], - fuid: ['FePz1uVEVCZ3I0FQi'], - seen_bytes: [1198], - missing_bytes: [0], - md5: ['f7653f1951693021daa9e6be61226e32'], - }, - }, - }, - 
}, - { - _id: '20', - data: [ - { field: '@timestamp', value: ['2019-03-13T05:42:11.815Z'] }, - { field: 'event.category', value: ['audit-rule'] }, - { field: 'host.name', value: ['zeek-sanfran'] }, - { field: 'process.args', value: ['gpgconf', '--list-dirs', 'agent-socket'] }, - ], - ecs: { - _id: '20', - timestamp: '2019-03-13T05:42:11.815Z', - event: { - action: ['executed'], - module: ['auditd'], - category: ['audit-rule'], - }, - host: { - id: ['f896741c3b3b44bdb8e351a4ab6d2d7c'], - name: ['zeek-sanfran'], - ip: ['134.209.63.134', '10.46.0.5', 'fe80::a0d9:16ff:fecf:e70b'], - }, - user: { name: ['alice'] }, - process: { - pid: [5402], - name: ['gpgconf'], - ppid: [5401], - args: ['gpgconf', '--list-dirs', 'agent-socket'], - executable: ['/usr/bin/gpgconf'], - title: ['gpgconf --list-dirs agent-socket'], - working_directory: ['/'], - }, - }, - }, - { - _id: '21', - data: [ - { field: '@timestamp', value: ['2019-03-14T22:30:25.527Z'] }, - { field: 'event.category', value: ['user-login'] }, - { field: 'host.name', value: ['zeek-london'] }, - { field: 'source.ip', value: ['192.168.77.171'] }, - { field: 'user.name', value: ['root'] }, - ], - ecs: { - _id: '21', - timestamp: '2019-03-14T22:30:25.527Z', - event: { - action: ['logged-in'], - module: ['auditd'], - category: ['user-login'], - }, - auditd: { - result: ['success'], - session: ['14'], - data: { terminal: ['/dev/pts/0'], op: ['login'] }, - summary: { - actor: { primary: ['alice'], secondary: ['alice'] }, - object: { primary: ['/dev/pts/0'], secondary: ['8.42.77.171'], type: ['user-session'] }, - how: ['/usr/sbin/sshd'], - }, - }, - host: { - id: ['7c21f5ed03b04d0299569d221fe18bbc'], - name: ['zeek-london'], - ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - }, - source: { ip: ['8.42.77.171'] }, - user: { name: ['root'] }, - process: { - pid: [17471], - executable: ['/usr/sbin/sshd'], - }, - }, - }, - { - _id: '22', - data: [ - { field: '@timestamp', value: ['2019-03-13T03:35:21.614Z'] }, - 
{ field: 'event.category', value: ['user-login'] }, - { field: 'host.name', value: ['suricata-bangalore'] }, - { field: 'user.name', value: ['root'] }, - ], - ecs: { - _id: '22', - timestamp: '2019-03-13T03:35:21.614Z', - event: { - action: ['disposed-credentials'], - module: ['auditd'], - category: ['user-login'], - }, - auditd: { - result: ['success'], - session: ['340'], - data: { acct: ['alice'], terminal: ['ssh'], op: ['PAM:setcred'] }, - summary: { - actor: { primary: ['alice'], secondary: ['alice'] }, - object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] }, - how: ['/usr/sbin/sshd'], - }, - }, - host: { - id: ['0a63559c1acf4c419d979c4b4d8b83ff'], - name: ['suricata-bangalore'], - ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'], - }, - user: { name: ['root'] }, - process: { - pid: [21202], - executable: ['/usr/sbin/sshd'], - }, - }, - }, - { - _id: '23', - data: [ - { field: '@timestamp', value: ['2019-03-13T03:35:21.614Z'] }, - { field: 'event.category', value: ['user-login'] }, - { field: 'host.name', value: ['suricata-bangalore'] }, - { field: 'user.name', value: ['root'] }, - ], - ecs: { - _id: '23', - timestamp: '2019-03-13T03:35:21.614Z', - event: { - action: ['ended-session'], - module: ['auditd'], - category: ['user-login'], - }, - auditd: { - result: ['success'], - session: ['340'], - data: { acct: ['alice'], terminal: ['ssh'], op: ['PAM:session_close'] }, - summary: { - actor: { primary: ['alice'], secondary: ['alice'] }, - object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] }, - how: ['/usr/sbin/sshd'], - }, - }, - host: { - id: ['0a63559c1acf4c419d979c4b4d8b83ff'], - name: ['suricata-bangalore'], - ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'], - }, - user: { name: ['root'] }, - process: { - pid: [21202], - executable: ['/usr/sbin/sshd'], - }, - }, - }, - { - _id: '24', - data: [ - { field: '@timestamp', value: ['2019-03-18T23:17:01.645Z'] }, - { field: 
'event.category', value: ['user-login'] }, - { field: 'host.name', value: ['zeek-london'] }, - { field: 'user.name', value: ['root'] }, - ], - ecs: { - _id: '24', - timestamp: '2019-03-18T23:17:01.645Z', - event: { - action: ['acquired-credentials'], - module: ['auditd'], - category: ['user-login'], - }, - auditd: { - result: ['success'], - session: ['unset'], - data: { acct: ['root'], terminal: ['cron'], op: ['PAM:setcred'] }, - summary: { - actor: { primary: ['unset'], secondary: ['root'] }, - object: { primary: ['cron'], type: ['user-session'] }, - how: ['/usr/sbin/cron'], - }, - }, - host: { - id: ['7c21f5ed03b04d0299569d221fe18bbc'], - name: ['zeek-london'], - ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - }, - user: { name: ['root'] }, - process: { - pid: [9592], - executable: ['/usr/sbin/cron'], - }, - }, - }, - { - _id: '25', - data: [ - { field: '@timestamp', value: ['2019-03-19T01:17:01.336Z'] }, - { field: 'event.category', value: ['user-login'] }, - { field: 'host.name', value: ['siem-kibana'] }, - { field: 'user.name', value: ['root'] }, - ], - ecs: { - _id: '25', - timestamp: '2019-03-19T01:17:01.336Z', - event: { - action: ['started-session'], - module: ['auditd'], - category: ['user-login'], - }, - auditd: { - result: ['success'], - session: ['2908'], - data: { acct: ['root'], terminal: ['cron'], op: ['PAM:session_open'] }, - summary: { - actor: { primary: ['root'], secondary: ['root'] }, - object: { primary: ['cron'], type: ['user-session'] }, - how: ['/usr/sbin/cron'], - }, - }, - host: { id: ['aa7ca589f1b8220002f2fc61c64cfbf1'], name: ['siem-kibana'] }, - user: { name: ['root'] }, - process: { - pid: [725], - executable: ['/usr/sbin/cron'], - }, - }, - }, - { - _id: '26', - data: [ - { field: '@timestamp', value: ['2019-03-13T03:34:08.890Z'] }, - { field: 'event.category', value: ['user-login'] }, - { field: 'host.name', value: ['suricata-bangalore'] }, - { field: 'user.name', value: ['alice'] }, - ], - ecs: { - _id: '26', - 
timestamp: '2019-03-13T03:34:08.890Z', - event: { - action: ['was-authorized'], - module: ['auditd'], - category: ['user-login'], - }, - auditd: { - result: ['success'], - session: ['338'], - data: { terminal: ['/dev/pts/0'] }, - summary: { - actor: { primary: ['root'], secondary: ['alice'] }, - object: { primary: ['/dev/pts/0'], type: ['user-session'] }, - how: ['/sbin/pam_tally2'], - }, - }, - host: { - id: ['0a63559c1acf4c419d979c4b4d8b83ff'], - name: ['suricata-bangalore'], - ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'], - }, - user: { name: ['alice'] }, - process: { - pid: [21170], - executable: ['/sbin/pam_tally2'], - }, - }, - }, - { - _id: '27', - data: [ - { field: '@timestamp', value: ['2019-03-22T19:13:11.026Z'] }, - { field: 'event.action', value: ['connected-to'] }, - { field: 'event.category', value: ['audit-rule'] }, - { field: 'host.name', value: ['zeek-london'] }, - { field: 'destination.ip', value: ['192.168.216.34'] }, - { field: 'user.name', value: ['alice'] }, - ], - ecs: { - _id: '27', - timestamp: '2019-03-22T19:13:11.026Z', - event: { - action: ['connected-to'], - module: ['auditd'], - category: ['audit-rule'], - }, - auditd: { - result: ['success'], - session: ['246'], - summary: { - actor: { primary: ['alice'], secondary: ['alice'] }, - object: { primary: ['192.168.216.34'], secondary: ['80'], type: ['socket'] }, - how: ['/usr/bin/wget'], - }, - }, - host: { - id: ['7c21f5ed03b04d0299569d221fe18bbc'], - name: ['zeek-london'], - ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - }, - destination: { ip: ['192.168.216.34'], port: [80] }, - user: { name: ['alice'] }, - process: { - pid: [1490], - name: ['wget'], - ppid: [1476], - executable: ['/usr/bin/wget'], - title: ['wget www.example.com'], - }, - }, - }, - { - _id: '28', - data: [ - { field: '@timestamp', value: ['2019-03-26T22:12:18.609Z'] }, - { field: 'event.action', value: ['opened-file'] }, - { field: 'event.category', value: ['audit-rule'] }, - { 
field: 'host.name', value: ['zeek-london'] }, - { field: 'user.name', value: ['root'] }, - ], - ecs: { - _id: '28', - timestamp: '2019-03-26T22:12:18.609Z', - event: { - action: ['opened-file'], - module: ['auditd'], - category: ['audit-rule'], - }, - auditd: { - result: ['success'], - session: ['242'], - summary: { - actor: { primary: ['unset'], secondary: ['root'] }, - object: { primary: ['/proc/15990/attr/current'], type: ['file'] }, - how: ['/lib/systemd/systemd-journald'], - }, - }, - file: { - path: ['/proc/15990/attr/current'], - device: ['00:00'], - inode: ['27672309'], - uid: ['0'], - owner: ['root'], - gid: ['0'], - group: ['root'], - mode: ['0666'], - }, - host: { - id: ['7c21f5ed03b04d0299569d221fe18bbc'], - name: ['zeek-london'], - ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - }, - - user: { name: ['root'] }, - process: { - pid: [27244], - name: ['systemd-journal'], - ppid: [1], - executable: ['/lib/systemd/systemd-journald'], - title: ['/lib/systemd/systemd-journald'], - working_directory: ['/'], - }, - }, - }, - { - _id: '29', - data: [ - { field: '@timestamp', value: ['2019-04-08T21:18:57.000Z'] }, - { field: 'event.action', value: ['user_login'] }, - { field: 'event.category', value: null }, - { field: 'host.name', value: ['zeek-london'] }, - { field: 'user.name', value: ['Braden'] }, - ], - ecs: { - _id: '29', - event: { - action: ['user_login'], - dataset: ['login'], - kind: ['event'], - module: ['system'], - outcome: ['failure'], - }, - host: { - id: ['7c21f5ed03b04d0299569d221fe18bbc'], - name: ['zeek-london'], - ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - }, - source: { - ip: ['128.199.212.120'], - }, - user: { - name: ['Braden'], - }, - process: { - pid: [6278], - }, - }, - }, - { - _id: '30', - data: [ - { field: '@timestamp', value: ['2019-04-08T22:27:14.814Z'] }, - { field: 'event.action', value: ['process_started'] }, - { field: 'event.category', value: null }, - { field: 'host.name', value: 
['zeek-london'] }, - { field: 'user.name', value: ['Evan'] }, - ], - ecs: { - _id: '30', - event: { - action: ['process_started'], - dataset: ['login'], - kind: ['event'], - module: ['system'], - outcome: ['failure'], - }, - host: { - id: ['7c21f5ed03b04d0299569d221fe18bbc'], - name: ['zeek-london'], - ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'], - }, - source: { - ip: ['128.199.212.120'], - }, - user: { - name: ['Evan'], - }, - process: { - pid: [6278], - }, - }, - }, - { - _id: '31', - data: [ - { field: '@timestamp', value: ['2018-11-05T19:03:25.937Z'] }, - { field: 'message', value: ['I am a log file message'] }, - { field: 'event.severity', value: ['3'] }, - { field: 'event.category', value: ['Access'] }, - { field: 'event.action', value: ['Action'] }, - { field: 'host.name', value: ['apache'] }, - { field: 'source.ip', value: ['192.168.0.1'] }, - { field: 'destination.ip', value: ['192.168.0.3'] }, - { field: 'destination.bytes', value: ['123456'] }, - { field: 'user.name', value: ['john.dee'] }, - ], - ecs: { - _id: '1', - timestamp: '2018-11-05T19:03:25.937Z', - host: { name: ['apache'], ip: ['192.168.0.1'] }, - event: { - id: ['1'], - action: ['Action'], - category: ['Access'], - module: ['nginx'], - severity: [3], - }, - message: ['I am a log file message'], - source: { ip: ['192.168.0.1'], port: [80] }, - destination: { ip: ['192.168.0.3'], port: [6343] }, - user: { id: ['1'], name: ['john.dee'] }, - geo: { region_name: ['xx'], country_iso_code: ['xx'] }, - }, - }, - { - _id: '32', - data: [], - ecs: { - _id: 'BuBP4W0BOpWiDweSoYSg', - timestamp: '2019-10-18T23:59:15.091Z', - threat: { - enrichments: [ - { - indicator: { - provider: ['indicator_provider'], - reference: ['https://example.com'], - }, - matched: { - atomic: ['192.168.1.1'], - field: ['source.ip'], - type: ['ip'], - }, - feed: { - name: ['feed_name'], - }, - }, - ], - }, - }, - }, -]; +export { demoTimelineData as mockTimelineData } from '../demo_data/timeline'; +export { 
demoEndpointRegistryModificationEvent as mockEndpointRegistryModificationEvent } from '../demo_data/endpoint/registry_modification_event';
+export { demoEndpointLibraryLoadEvent as mockEndpointLibraryLoadEvent } from '../demo_data/endpoint/library_load_event';
+export { demoEndpointProcessExecutionMalwarePreventionAlert as mockEndpointProcessExecutionMalwarePreventionAlert } from '../demo_data/endpoint/process_execution_malware_prevention_alert';
 export const mockFimFileCreatedEvent: Ecs = {
 _id: 'WuBP4W0BOpWiDweSoYSg',
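Review bot: The four `export { demoX as mockX } from '../demo_data/...'` lines keep the old names purely as aliases, but nothing tells callers which name is canonical; a TSDoc block above the first re-export such as `/** @deprecated Import the demo* fixture from '../demo_data/...' directly; these aliases only preserve the previous mock names. */` would steer new code away from the shim. If `demoTimelineData` is a verbatim move of the removed array, two oddities travel with it and are worth confirming in the new file: item `_id: '13'` carries `@timestamp` `'2018-13-12T19:03:25.937Z'` (month 13 is not a valid date), and item `_id: '31'` has `ecs._id: '1'`, so anything keying on `ecs._id` sees a duplicate of item 1. The relocated fixtures also contain what look like real public addresses (`207.154.238.205`, `8.42.77.171`, `128.199.212.120`), hostnames and a Windows SID; since `public/common/demo_data` is no longer under `mock/`, confirm it stays out of the production bundle or that those values are intentionally synthetic.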
@@ -1329,186 +224,3 @@ export const mockDnsEvent: Ecs = {
ip: ['10.9.9.9'],
},
};
-
-export const mockEndpointProcessExecutionMalwarePreventionAlert: Ecs = {
- process: {
- hash: {
- md5: ['177afc1eb0be88eb9983fb74111260c4'],
- sha256: ['3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb'],
- sha1: ['f573b85e9beb32121f1949217947b2adc6749e3d'],
- },
- entity_id: [
- 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTY5MjAtMTMyNDg5OTk2OTAuNDgzMzA3NzAw',
- ],
- executable: [
- 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe',
- ],
- name: [
- 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe',
- ],
- pid: [6920],
- args: [
- 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe',
- ],
- },
- host: {
- os: {
- full: ['Windows Server 2019 Datacenter 1809 (10.0.17763.1518)'],
- name: ['Windows'],
- version: ['1809 (10.0.17763.1518)'],
- platform: ['windows'],
- family: ['windows'],
- kernel: ['1809 (10.0.17763.1518)'],
- },
- mac: ['aa:bb:cc:dd:ee:ff'],
- architecture: ['x86_64'],
- ip: ['10.1.2.3'],
- id: ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'],
- name: ['win2019-endpoint-1'],
- },
- file: {
- mtime: ['2020-11-04T21:40:51.494Z'],
- path: [
- 'C:\\Users\\sean\\Downloads\\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe',
- ],
- owner: ['sean'],
- hash: {
- md5: ['177afc1eb0be88eb9983fb74111260c4'],
- sha256: ['3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb'],
- sha1: ['f573b85e9beb32121f1949217947b2adc6749e3d'],
- },
- name: ['3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe'],
- extension: ['exe'],
- size: [1604112],
- },
- event: {
- category: ['malware', 'intrusion_detection', 'process'],
- outcome: ['success'],
- severity: [73],
- code: ['malicious_file'],
- action: ['execution'],
- id: ['LsuMZVr+sdhvehVM++++Gp2Y'],
- kind: ['alert'],
- created: ['2020-11-04T21:41:30.533Z'],
- module: ['endpoint'],
- type: ['info', 'start', 'denied'],
- dataset: ['endpoint.alerts'],
- },
- agent: {
- type: ['endpoint'],
- },
- timestamp: '2020-11-04T21:41:30.533Z',
- message: ['Malware Prevention Alert'],
- _id: '0dA2lXUBn9bLIbfPkY7d',
-};
-
-export const mockEndpointLibraryLoadEvent: Ecs = {
- file: {
- path: ['C:\\Windows\\System32\\bcrypt.dll'],
- hash: {
- md5: ['00439016776de367bad087d739a03797'],
- sha1: ['2c4ba5c1482987d50a182bad915f52cd6611ee63'],
- sha256: ['e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd'],
- },
- name: ['bcrypt.dll'],
- },
- host: {
- os: {
- full: ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'],
- name: ['Windows'],
- version: ['1809 (10.0.17763.1697)'],
- family: ['windows'],
- kernel: ['1809 (10.0.17763.1697)'],
- platform: ['windows'],
- },
- mac: ['aa:bb:cc:dd:ee:ff'],
- name: ['win2019-endpoint-1'],
- architecture: ['x86_64'],
- ip: ['10.1.2.3'],
- id: ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'],
- },
- event: {
- category: ['library'],
- kind: ['event'],
- created: ['2021-02-05T21:27:23.921Z'],
- module: ['endpoint'],
- action: ['load'],
- type: ['start'],
- id: ['LzzWB9jjGmCwGMvk++++Da5H'],
- dataset: ['endpoint.events.library'],
- },
- process: {
- name: ['sshd.exe'],
- pid: [9644],
- entity_id: [
- 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTk2NDQtMTMyNTcwMzQwNDEuNzgyMTczODAw',
- ],
- executable: ['C:\\Program Files\\OpenSSH-Win64\\sshd.exe'],
- },
- agent: {
- type: ['endpoint'],
- },
- user: {
- name: ['SYSTEM'],
- domain: ['NT AUTHORITY'],
- },
- message: ['Endpoint DLL load event'],
- timestamp: '2021-02-05T21:27:23.921Z',
- _id: 'IAUYdHcBGrBB52F2zo8Q',
-};
-
-export const mockEndpointRegistryModificationEvent: Ecs = {
- host: {
- os: {
- full: ['Windows Server 2019 Datacenter 1809 (10.0.17763.1697)'],
- name: ['Windows'],
- version: ['1809 (10.0.17763.1697)'],
- family: ['windows'],
- kernel: ['1809 (10.0.17763.1697)'],
- platform: ['windows'],
- },
- mac: ['aa:bb:cc:dd:ee:ff'],
- name: ['win2019-endpoint-1'],
- architecture: ['x86_64'],
- ip: ['10.1.2.3'],
- id: ['d8ad572e-d224-4044-a57d-f5a84c0dfe5d'],
- },
- event: {
- category: ['registry'],
- kind: ['event'],
- created: ['2021-02-04T13:44:31.559Z'],
- module: ['endpoint'],
- action: ['modification'],
- type: ['change'],
- id: ['LzzWB9jjGmCwGMvk++++CbOn'],
- dataset: ['endpoint.events.registry'],
- },
- process: {
- name: ['GoogleUpdate.exe'],
- pid: [7408],
- entity_id: [
- 'MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTc0MDgtMTMyNTY5MTk4NDguODY4NTI0ODAw',
- ],
- executable: ['C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe'],
- },
- registry: {
- hive: ['HKLM'],
- key: [
- 'SOFTWARE\\WOW6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState',
- ],
- path: [
- 'HKLM\\SOFTWARE\\WOW6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue',
- ],
- value: ['StateValue'],
- },
- agent: {
- type: ['endpoint'],
- },
- user: {
- name: ['SYSTEM'],
- domain: ['NT AUTHORITY'],
- },
- message: ['Endpoint registry event'],
- timestamp: '2021-02-04T13:44:31.559Z',
- _id: '4cxLbXcBGrBB52F2uOfF',
-};
diff --git a/x-pack/plugins/security_solution/public/common/mock/netflow.ts b/x-pack/plugins/security_solution/public/common/mock/netflow.ts
index bc7d1c8a0dbd3..055760a2182c7 100644
--- a/x-pack/plugins/security_solution/public/common/mock/netflow.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/netflow.ts
@@ -5,75 +5,4 @@
* 2.0.
*/
-import { ONE_MILLISECOND_AS_NANOSECONDS } from '../../timelines/components/formatted_duration/helpers';
-import type { Ecs } from '../../../common/ecs';
-
-/** Returns mock data for testing the Netflow component */
-export const getMockNetflowData = (): Ecs => ({
- destination: {
- bytes: [40],
- geo: {
- city_name: ['New York'],
- continent_name: ['North America'],
- country_iso_code: ['US'],
- country_name: ['United States'],
- region_name: ['New York'],
- },
- ip: ['10.1.2.3'],
- packets: [1],
- port: [80],
- },
- event: {
- action: ['network_flow'],
- category: ['network_traffic'],
- duration: [ONE_MILLISECOND_AS_NANOSECONDS],
- end: ['2018-11-12T19:03:25.936Z'],
- start: ['2018-11-12T19:03:25.836Z'],
- },
- _id: 'abcd',
- network: {
- bytes: [100],
- community_id: ['we.live.in.a'],
- direction: ['outgoing'],
- packets: [3],
- protocol: ['http'],
- transport: ['tcp'],
- },
- process: {
- name: ['rat'],
- },
- source: {
- bytes: [60],
- geo: {
- city_name: ['Atlanta'],
- continent_name: ['North America'],
- country_iso_code: ['US'],
- country_name: ['United States'],
- region_name: ['Georgia'],
- },
- ip: ['192.168.1.2'],
- packets: [2],
- port: [9987],
- },
- timestamp: '2018-11-12T19:03:25.936Z',
- tls: {
- client_certificate: {
- fingerprint: {
- sha1: ['tls.client_certificate.fingerprint.sha1-value'],
- },
- },
- fingerprints: {
- ja3: {
- hash: ['tls.fingerprints.ja3.hash-value'],
- },
- },
- server_certificate: {
- fingerprint: {
- sha1: ['tls.server_certificate.fingerprint.sha1-value'],
- },
- },
- },
- user: {
- name: ['first.last'],
- },
-});
+export { getDemoNetflowData as getMockNetflowData } from '../demo_data/netflow';
diff --git a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/index.tsx b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/index.tsx
index c98f5616b1750..8da9e0e05d075 100644
--- a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/index.tsx
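Review bot: The re-export on the last added line of this hunk replaces a documented factory with an undocumented alias, so a reader of `common/mock/netflow.ts` no longer sees why the module still exists or that it is the test-only boundary the removed `no_boundary_crossing` disables were guarding; I would add above it `/** Backward-compatible alias for existing tests; new code should import getDemoNetflowData from '../demo_data/netflow' directly. */`. The removed body derived `event.duration` from `ONE_MILLISECOND_AS_NANOSECONDS` imported from the timelines helpers, and `getDemoNetflowData` is not in this chunk, so I cannot confirm that value and the other fixture fields are preserved for the tests that consume this alias. Since the alias keeps every existing `getMockNetflowData` importer compiling, the rename is silent; a short note at the alias is the only place that migration is recorded.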
+++ b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/index.tsx
@@ -25,6 +25,3 @@ export const EndpointsContainer = memo(() => {
});
EndpointsContainer.displayName = 'EndpointsContainer';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-export { endpointListFleetApisHttpMock } from './mocks';
-export type { EndpointListFleetApisHttpMockInterface } from './mocks';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/alerts.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/alerts.tsx
index 7183aa8e85d7e..8acf2e42e845b 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/alerts.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/alerts.tsx
@@ -7,8 +7,7 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndpointProcessExecutionMalwarePreventionAlert } from '../../../../common/mock/mock_timeline_data';
+import { demoEndpointProcessExecutionMalwarePreventionAlert } from '../../../../common/demo_data/endpoint/process_execution_malware_prevention_alert';
import { createEndpointAlertsRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
import { WAS_PREVENTED_FROM_EXECUTING_A_MALICIOUS_PROCESS } from '../../timeline/body/renderers/system/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -25,7 +24,7 @@ const AlertsExampleComponent: React.FC = () => {
return (
<>
{alertsRowRenderer.renderRow({
- data: mockEndpointProcessExecutionMalwarePreventionAlert,
+ data: demoEndpointProcessExecutionMalwarePreventionAlert,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd.tsx
index d85f0537fe720..40272e89bf789 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd.tsx
@@ -7,8 +7,7 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockTimelineData } from '../../../../common/mock/mock_timeline_data';
+import { demoTimelineData } from '../../../../common/demo_data/timeline';
import { createGenericAuditRowRenderer } from '../../timeline/body/renderers/auditd/generic_row_renderer';
import { CONNECTED_USING } from '../../timeline/body/renderers/auditd/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -22,7 +21,7 @@ const AuditdExampleComponent: React.FC = () => {
return (
<>
{auditdRowRenderer.renderRow({
- data: mockTimelineData[26].ecs,
+ data: demoTimelineData[26].ecs,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd_file.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd_file.tsx
index b55e667a6e43f..b5a5cc70e0dc0 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd_file.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/auditd_file.tsx
@@ -7,8 +7,7 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockTimelineData } from '../../../../common/mock/mock_timeline_data';
+import { demoTimelineData } from '../../../../common/demo_data/timeline';
import { createGenericFileRowRenderer } from '../../timeline/body/renderers/auditd/generic_row_renderer';
import { OPENED_FILE, USING } from '../../timeline/body/renderers/auditd/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -22,7 +21,7 @@ const AuditdFileExampleComponent: React.FC = () => {
return (
<>
{auditdFileRowRenderer.renderRow({
- data: mockTimelineData[27].ecs,
+ data: demoTimelineData[27].ecs,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/library.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/library.tsx
index c45555f9c31ac..db1727661d15d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/library.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/library.tsx
@@ -7,8 +7,7 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndpointLibraryLoadEvent } from '../../../../common/mock/mock_timeline_data';
+import { demoEndpointLibraryLoadEvent } from '../../../../common/demo_data/endpoint/library_load_event';
import { createEndpointLibraryRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
import { LOADED_LIBRARY } from '../../timeline/body/renderers/system/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -22,7 +21,7 @@ const LibraryExampleComponent: React.FC = () => {
return (
<>
{libraryRowRenderer.renderRow({
- data: mockEndpointLibraryLoadEvent,
+ data: demoEndpointLibraryLoadEvent,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/netflow.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/netflow.tsx
index 06321441a34d7..553bf4874dac0 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/netflow.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/netflow.tsx
@@ -7,15 +7,14 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { getMockNetflowData } from '../../../../common/mock/netflow';
+import { getDemoNetflowData } from '../../../../common/demo_data/netflow';
import { netflowRowRenderer } from '../../timeline/body/renderers/netflow/netflow_row_renderer';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const NetflowExampleComponent: React.FC = () => (
<>
{netflowRowRenderer.renderRow({
- data: getMockNetflowData(),
+ data: getDemoNetflowData(),
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/registry.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/registry.tsx
index f4d39a6870e80..093abf2d1aa63 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/registry.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/registry.tsx
@@ -7,8 +7,7 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndpointRegistryModificationEvent } from '../../../../common/mock/mock_timeline_data';
+import { demoEndpointRegistryModificationEvent } from '../../../../common/demo_data/endpoint/registry_modification_event';
import { createEndpointRegistryRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
import { MODIFIED_REGISTRY_KEY } from '../../timeline/body/renderers/system/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -22,7 +21,7 @@ const RegistryExampleComponent: React.FC = () => {
return (
<>
{registryRowRenderer.renderRow({
- data: mockEndpointRegistryModificationEvent,
+ data: demoEndpointRegistryModificationEvent,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/suricata.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/suricata.tsx
index 613f6c632ad0c..b385de92859e8 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/suricata.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/suricata.tsx
@@ -7,15 +7,14 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockTimelineData } from '../../../../common/mock/mock_timeline_data';
+import { demoTimelineData } from '../../../../common/demo_data/timeline';
import { suricataRowRenderer } from '../../timeline/body/renderers/suricata/suricata_row_renderer';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const SuricataExampleComponent: React.FC = () => (
<>
{suricataRowRenderer.renderRow({
- data: mockTimelineData[2].ecs,
+ data: demoTimelineData[2].ecs,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system.tsx
index 2018f46865219..bdf3e33af8426 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system.tsx
@@ -9,8 +9,7 @@ import React from 'react';
import { TERMINATED_PROCESS } from '../../timeline/body/renderers/system/translations';
import { createGenericSystemRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndgameTerminationEvent } from '../../../../common/mock/mock_endgame_ecs_data';
+import { demoEndgameTerminationEvent } from '../../../../common/demo_data/endgame_ecs/termination';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const SystemExampleComponent: React.FC = () => {
@@ -22,7 +21,7 @@ const SystemExampleComponent: React.FC = () => {
return (
<>
{systemRowRenderer.renderRow({
- data: mockEndgameTerminationEvent,
+ data: demoEndgameTerminationEvent,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_dns.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_dns.tsx
index aba609a8e5385..7f64a2faa66a7 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_dns.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_dns.tsx
@@ -8,8 +8,7 @@
import React from 'react';
import { createDnsRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndgameDnsRequest } from '../../../../common/mock/mock_endgame_ecs_data';
+import { demoEndgameDnsRequest } from '../../../../common/demo_data/endgame_ecs/dns';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const SystemDnsExampleComponent: React.FC = () => {
@@ -18,7 +17,7 @@ const SystemDnsExampleComponent: React.FC = () => {
return (
<>
{systemDnsRowRenderer.renderRow({
- data: mockEndgameDnsRequest,
+ data: demoEndgameDnsRequest,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_endgame_process.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_endgame_process.tsx
index c7c369c01ed1f..d8c3ee2964a61 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_endgame_process.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_endgame_process.tsx
@@ -8,8 +8,7 @@
import React from 'react';
import { createEndgameProcessRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndgameCreationEvent } from '../../../../common/mock/mock_endgame_ecs_data';
+import { demoEndgameCreationEvent } from '../../../../common/demo_data/endgame_ecs/creation';
import { PROCESS_STARTED } from '../../timeline/body/renderers/system/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -22,7 +21,7 @@ const SystemEndgameProcessExampleComponent: React.FC = () => {
return (
<>
{systemEndgameProcessRowRenderer.renderRow({
- data: mockEndgameCreationEvent,
+ data: demoEndgameCreationEvent,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_file.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_file.tsx
index 72903035b2e12..0e24e7228ff3f 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_file.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_file.tsx
@@ -7,8 +7,7 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndgameFileDeleteEvent } from '../../../../common/mock/mock_endgame_ecs_data';
+import { demoEndgameFileDeleteEvent } from '../../../../common/demo_data/endgame_ecs/file_events';
import { createGenericFileRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
import { DELETED_FILE } from '../../timeline/body/renderers/system/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -22,7 +21,7 @@ const SystemFileExampleComponent: React.FC = () => {
return (
<>
{systemFileRowRenderer.renderRow({
- data: mockEndgameFileDeleteEvent,
+ data: demoEndgameFileDeleteEvent,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_fim.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_fim.tsx
index 74a02902fb78a..9890b3b2f0c18 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_fim.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_fim.tsx
@@ -7,8 +7,7 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndgameFileCreateEvent } from '../../../../common/mock/mock_endgame_ecs_data';
+import { demoEndgameFileCreateEvent } from '../../../../common/demo_data/endgame_ecs/file_events';
import { createFimRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
import { CREATED_FILE } from '../../timeline/body/renderers/system/translations';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
@@ -22,7 +21,7 @@ const SystemFimExampleComponent: React.FC = () => {
return (
<>
{systemFimRowRenderer.renderRow({
- data: mockEndgameFileCreateEvent,
+ data: demoEndgameFileCreateEvent,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_security_event.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_security_event.tsx
index aecf23ff08346..d5380d34f3a0b 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_security_event.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_security_event.tsx
@@ -8,8 +8,7 @@
import React from 'react';
import { createSecurityEventRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndgameUserLogon } from '../../../../common/mock/mock_endgame_ecs_data';
+import { demoEndgameUserLogon } from '../../../../common/demo_data/endgame_ecs/user_logon';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const SystemSecurityEventExampleComponent: React.FC = () => {
@@ -20,7 +19,7 @@ const SystemSecurityEventExampleComponent: React.FC = () => {
return (
<>
{systemSecurityEventRowRenderer.renderRow({
- data: mockEndgameUserLogon,
+ data: demoEndgameUserLogon,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_socket.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_socket.tsx
index 015a571ae6f5b..5e57336e827ee 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_socket.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/system_socket.tsx
@@ -9,8 +9,7 @@ import React from 'react';
import { ACCEPTED_A_CONNECTION_VIA } from '../../timeline/body/renderers/system/translations';
import { createSocketRowRenderer } from '../../timeline/body/renderers/system/generic_row_renderer';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockEndgameIpv4ConnectionAcceptEvent } from '../../../../common/mock/mock_endgame_ecs_data';
+import { demoEndgameIpv4ConnectionAcceptEvent } from '../../../../common/demo_data/endgame_ecs/ipv4';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const SystemSocketExampleComponent: React.FC = () => {
@@ -21,7 +20,7 @@ const SystemSocketExampleComponent: React.FC = () => {
return (
<>
{systemSocketRowRenderer.renderRow({
- data: mockEndgameIpv4ConnectionAcceptEvent,
+ data: demoEndgameIpv4ConnectionAcceptEvent,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/threat_match.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/threat_match.tsx
index ba3ca74147f29..3c96fd22fc6ed 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/threat_match.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/threat_match.tsx
@@ -7,15 +7,14 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockTimelineData } from '../../../../common/mock/mock_timeline_data';
+import { demoTimelineData } from '../../../../common/demo_data/timeline';
import { threatMatchRowRenderer } from '../../timeline/body/renderers/cti/threat_match_row_renderer';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const ThreatMatchExampleComponent: React.FC = () => (
<>
{threatMatchRowRenderer.renderRow({
- data: mockTimelineData[31].ecs,
+ data: demoTimelineData[31].ecs,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/zeek.tsx b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/zeek.tsx
index ab8cab5e3d697..714faad3b815d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/zeek.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/zeek.tsx
@@ -7,15 +7,14 @@
import React from 'react';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-import { mockTimelineData } from '../../../../common/mock/mock_timeline_data';
+import { demoTimelineData } from '../../../../common/demo_data/timeline';
import { zeekRowRenderer } from '../../timeline/body/renderers/zeek/zeek_row_renderer';
import { ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID } from '../constants';
const ZeekExampleComponent: React.FC = () => (
<>
{zeekRowRenderer.renderRow({
- data: mockTimelineData[13].ecs,
+ data: demoTimelineData[13].ecs,
isDraggable: false,
timelineId: ROW_RENDERER_BROWSER_EXAMPLE_TIMELINE_ID,
})}
diff --git a/x-pack/plugins/security_solution/server/endpoint/mocks.ts b/x-pack/plugins/security_solution/server/endpoint/mocks.ts
index 01759c01df53b..8b9623b51b24c 100644
--- a/x-pack/plugins/security_solution/server/endpoint/mocks.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/mocks.ts
@@ -45,7 +45,7 @@ import { createEndpointMetadataServiceTestContextMock } from './services/metadat
import type { EndpointAuthz } from '../../common/endpoint/types/authz';
import { EndpointFleetServicesFactory } from './services/fleet';
import { createLicenseServiceMock } from '../../common/license/mocks';
-import { createFeatureUsageServiceMock } from './services/feature_usage';
+import { createFeatureUsageServiceMock } from './services/feature_usage/mocks';
/**
* Creates a mocked EndpointAppContext.
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts
index 5746e1e93f9bb..6eb04c9833e27 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts
@@ -62,7 +62,7 @@ import { EndpointHostNotFoundError } from '../../services/metadata';
import { FleetAgentGenerator } from '../../../../common/endpoint/data_generators/fleet_agent_generator';
import { createMockAgentClient, createMockPackageService } from '@kbn/fleet-plugin/server/mocks';
import type { TransformGetTransformStatsResponse } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import { getEndpointAuthzInitialStateMock } from '../../../../common/endpoint/service/authz';
+import { getEndpointAuthzInitialStateMock } from '../../../../common/endpoint/service/authz/mocks';
class IndexNotFoundException extends Error {
meta: { body: { error: { type: string } } };
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/feature_usage/index.ts b/x-pack/plugins/security_solution/server/endpoint/services/feature_usage/index.ts
index d65ea404f298d..5c880f67847ed 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/feature_usage/index.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/feature_usage/index.ts
@@ -7,7 +7,5 @@
import { FeatureUsageService } from './service';
export type { FeatureKeys } from './service';
-// eslint-disable-next-line @kbn/imports/no_boundary_crossing
-export { createFeatureUsageServiceMock, createMockPolicyData } from './mocks';
export const featureUsageService = new FeatureUsageService();
diff --git a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
index c93b8035aea8f..0c6611acb77e0 100644
--- a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
+++ b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
@@ -43,7 +43,7 @@ import { Manifest } from '../endpoint/lib/artifacts';
import type { NewPackagePolicy } from '@kbn/fleet-plugin/common/types/models';
import type { ManifestSchema } from '../../common/endpoint/schema/manifest';
import type { DeletePackagePoliciesResponse } from '@kbn/fleet-plugin/common';
-import { createMockPolicyData } from '../endpoint/services/feature_usage';
+import { createMockPolicyData } from '../endpoint/services/feature_usage/mocks';
import { ALL_ENDPOINT_ARTIFACT_LIST_IDS } from '../../common/endpoint/service/artifacts/constants';
describe('ingest_integration tests ', () => {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
index 0ac0a67a761ef..282759546197f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
@@ -32,7 +32,7 @@ import type {
SecuritySolutionRequestHandlerContext,
} from '../../../../types';
-import { getEndpointAuthzInitialStateMock } from '../../../../../common/endpoint/service/authz';
+import { getEndpointAuthzInitialStateMock } from '../../../../../common/endpoint/service/authz/mocks';
import type { EndpointAuthz } from '../../../../../common/endpoint/types/authz';
export const createMockClients = () => {