From 419b28f77300844c2387ede9e6b7a8393f18691d Mon Sep 17 00:00:00 2001
From: Uri Weisman <68195305+uri-weisman@users.noreply.github.com>
Date: Mon, 13 Apr 2026 19:33:21 +0300
Subject: [PATCH] Update entities schema to support integrations data (#262242)

(cherry picked from commit 1270467a2b81d39d05db63cf527ae7a6c7322c76)
---
 .../common/constants.ts | 1 -
 .../fetch_entity_relationships_graph.test.ts | 17 +-
 .../graph/fetch_entity_relationships_graph.ts | 60 +-
 .../domain/definitions/common_fields.ts | 109 ++-
 .../common/domain/definitions/entity.gen.ts | 59 +-
 .../domain/definitions/entity.schema.yaml | 98 ++-
 ...logs_extraction_query_builder.test.ts.snap | 201 ++++-
 ...logs_extraction_query_builder.test.ts.snap | 804 ++++++++++++++++--
 .../test/scout/api/fixtures/helpers.ts | 11 +
 .../scout/api/tests/history_snapshot.spec.ts | 27 +-
 .../scout/api/tests/logs_extraction.spec.ts | 80 ++
 .../es_archives/entity_store_v2/data.json | 106 ++-
 .../es_archives/entity_store_v2/mappings.json | 70 +-
 .../es_archives/entity_store_v2/data.json | 98 ++-
 .../es_archives/entity_store_v2/mappings.json | 70 +-
 15 files changed, 1507 insertions(+), 304 deletions(-)

diff --git a/x-pack/solutions/security/packages/kbn-cloud-security-posture/common/constants.ts b/x-pack/solutions/security/packages/kbn-cloud-security-posture/common/constants.ts
index 90b8f83b93932..6626377ca44bf 100644
--- a/x-pack/solutions/security/packages/kbn-cloud-security-posture/common/constants.ts
+++ b/x-pack/solutions/security/packages/kbn-cloud-security-posture/common/constants.ts
@@ -161,7 +161,6 @@ export const GRAPH_TARGET_ENTITY_FIELDS = [
 'service.target.entity.id',
 'entity.target.id',
 ] as const;
-
 /**
 * Raw source fields used to compute actor EUIDs in entity store v2.
 * These mirror the identity fields from Entity Store definitions.
diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.test.ts b/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.test.ts
index 06f67ee7591ce..59ab03e3f08eb 100644
--- a/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.test.ts
+++ b/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.test.ts
@@ -69,6 +69,7 @@ describe('fetchEntityRelationships', () => {
 // Verify query uses v2 index and LOOKUP JOIN
 expect(query).toContain(`FROM ${indexName}`);
 expect(query).toContain(`LOOKUP JOIN ${indexName} ON entity.id`);
+ expect(query).toContain('`entity.relationships.owns.ids`');
 });
 
 it('should return empty result when entities index is not in lookup mode', async () => {
@@ -151,11 +152,22 @@ describe('fetchEntityRelationships', () => {
 'entity.id': ['entity-1', 'entity-2', 'entity-3'],
 },
 });
- // Verify it queries for entities that have these IDs in their relationships (all fields)
+ const ids = ['entity-1', 'entity-2', 'entity-3'];
+
+ // Relationship bags: match `entity.relationships..ids`; resolution uses resolved_to path
 ENTITY_RELATIONSHIP_FIELDS.forEach((field) => {
+ if (field === 'resolution.resolved_to') {
+ expect(filterArg.bool.should).toContainEqual({
+ terms: {
+ 'entity.relationships.resolution.resolved_to': ids,
+ },
+ });
+ return;
+ }
+
 expect(filterArg.bool.should).toContainEqual({
 terms: {
- [`entity.relationships.${field}`]: ['entity-1', 'entity-2', 'entity-3'],
+ [`entity.relationships.${field}.ids`]: ids,
 },
 });
 });
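Review bot: The rewritten assertion loop at the end of the second hunk re-encodes the production branch (`if (field === 'resolution.resolved_to')` → `resolved_to`, else `.ids`), so a bug that picks the wrong path in both `buildRelationshipDslFilter` and this test still passes. Assert the concrete clauses instead, e.g. `expect(filterArg.bool.should).toEqual(expect.arrayContaining([{ terms: { 'entity.relationships.owns.ids': ids } }, { terms: { 'entity.relationships.resolution.resolved_to': ids } }]))`, and add one negative assertion such as `expect(filterArg.bool.should).not.toContainEqual({ terms: { 'entity.relationships.owns': ids } })` so a regression to the legacy flat path is caught. The enclosing `it` block starts outside the hunk.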
@@ -311,6 +323,7 @@ describe('fetchEntityRelationships', () => {
 const query = esqlCallArgs[0].query;
 
 // Verify doc data fields are generated
+ expect(query).toContain('_rel_targets_owns');
 expect(query).toContain('actorsDocData');
 expect(query).toContain('targetsDocData');
 expect(query).toContain('availableInEntityStore');
diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.ts b/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.ts
index e06e1cdaef5ec..59f03ff1dcd3d 100644
--- a/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.ts
+++ b/x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_entity_relationships_graph.ts
@@ -27,6 +27,22 @@ interface BuildRelationshipsEsqlQueryParams {
 relationshipFields: readonly string[];
 }
 
+const RESOLUTION_RELATIONSHIP_FIELD = 'resolution.resolved_to' as const;
+
+/**
+ * ECS relationship leaves store canonical target EUIDs under `entity.relationships..ids`
+ * and raw dimensions under `entity.relationships..raw_identifiers.*` (dynamic bag).
+ * Resolution still uses `entity.relationships.resolution.resolved_to`.
+ */
+const buildRelationshipTargetsEval = (field: string): string => {
+ const col = `\`_rel_targets_${field}\``;
+ if (field === RESOLUTION_RELATIONSHIP_FIELD) {
+ return `${col} = COALESCE(\`entity.relationships.resolution.resolved_to\`, [""])`;
+ }
+
+ return `${col} = COALESCE(\`entity.relationships.${field}.ids\`, [""])`;
+};
+
 /**
 * Builds ES|QL query for fetching entity relationships from the generic entities index.
 * Uses FORK to expand each relationship field and aggregates results.
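Review bot: `buildRelationshipTargetsEval` splices `field` verbatim into a backquoted ES|QL identifier (`_rel_targets_${field}`) and into the index path, and the sibling FORK branch in the next hunk also places it inside a double-quoted string literal, all without escaping; that is safe only while `relationshipFields` is the fixed `ENTITY_RELATIONSHIP_FIELDS` constant and never a request value. The `field: string` signature invites a future caller to break that, so document the invariant on the helper (`@param field one of ENTITY_RELATIONSHIP_FIELDS; interpolated unescaped into ES|QL, must never come from request input`) and either narrow the parameter type to `(typeof ENTITY_RELATIONSHIP_FIELDS)[number]` or add a guard such as `if (!/^[a-z_][a-z0-9_.]*$/.test(field)) throw new Error(\`invalid relationship field: ${field}\`);`. The comment's "(dynamic bag)" wording for `raw_identifiers` also disagrees with the closed, strict key set declared in `entity.schema.yaml` in this same patch; one of the two should change.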
@@ -38,20 +54,16 @@ const buildRelationshipsEsqlQuery = ({
 indexName,
 relationshipFields,
 }: BuildRelationshipsEsqlQueryParams): string => {
- // Build COALESCE statements for each relationship field
- const coalesceStatements = relationshipFields
- .map(
- (field) =>
- `| EVAL entity.relationships.${field} = COALESCE(entity.relationships.${field}, [""])`
- )
- .join('\n');
+ const targetsEval = relationshipFields
+ .map((field) => buildRelationshipTargetsEval(field))
+ .join(',\n ');
 
- // Build FORK branches for each relationship field
+ // Build FORK branches: expand flattened targets per relationship leaf
 const forkBranches = relationshipFields
- .map(
- (field) =>
- ` (MV_EXPAND entity.relationships.${field} | EVAL relationship = "${field}" | EVAL _target_id = entity.relationships.${field} | DROP entity.relationships.*)`
- )
+ .map((field) => {
+ const col = `\`_rel_targets_${field}\``;
+ return ` (MV_EXPAND ${col} | EVAL relationship = "${field}" | EVAL _target_id = TO_STRING(${col}) | DROP entity.relationships.*, ${col})`;
+ })
 .join('\n');
 
 // Store source entity fields before LOOKUP JOIN as they get overwritten by target entity fields
@@ -79,7 +91,8 @@ const buildRelationshipsEsqlQuery = ({
 | RENAME entity.EngineMetadata.Type = _source_engine_metadata_type`;
 
 return `FROM ${indexName}
-${coalesceStatements}
+| EVAL
+ ${targetsEval}
 | FORK
 ${forkBranches}
 | WHERE _target_id != ""
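Review bot: Each FORK branch now drops only its own `${col}` next to `entity.relationships.*`, so the other `_rel_targets_*` columns produced by the new `| EVAL` block (each holding either real IDs or the `[""]` placeholder) survive the FORK into the LOOKUP JOIN and whatever follows; the replaced code had no such leftovers because every expanded value lived under `entity.relationships.*` and was dropped wholesale. Unless a later `KEEP` prunes them (not visible here), they ride along into the result rows, and the resolution leaf's column is literally named `_rel_targets_resolution.resolved_to`, which downstream consumers may read as a nested field. Dropping the whole family in every branch, `| DROP entity.relationships.*, _rel_targets_*`, keeps the output shape identical to before — please verify ES|QL's `DROP` accepts that wildcard on an underscore-prefixed name, otherwise a single post-FORK `DROP` listing every column works. `buildRelationshipsEsqlQuery` continues between and after these two hunks.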
@@ -193,12 +206,21 @@ const buildRelationshipDslFilter = (entityIds: EntityId[]) => {
 // Extract just the IDs for the terms query
 const ids = entityIds.map((entity) => entity.id);
 
- // Build terms queries for each relationship field
- const relationshipQueries = ENTITY_RELATIONSHIP_FIELDS.map((field) => ({
- terms: {
- [`entity.relationships.${field}`]: ids,
- },
- }));
+ const relationshipQueries = ENTITY_RELATIONSHIP_FIELDS.map((field) => {
+ if (field === RESOLUTION_RELATIONSHIP_FIELD) {
+ return {
+ terms: {
+ 'entity.relationships.resolution.resolved_to': ids,
+ },
+ };
+ }
+
+ return {
+ terms: {
+ [`entity.relationships.${field}.ids`]: ids,
+ },
+ };
+ });
 
 return {
 bool: {
diff --git a/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts b/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts
index 8f9049523c8ff..63cfc28f344a2 100644
--- a/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts
+++ b/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts
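Review bot: The `field → index path` mapping in this `map` callback is a second copy of the branch already written in `buildRelationshipTargetsEval` (`RESOLUTION_RELATIONSHIP_FIELD` → `entity.relationships.resolution.resolved_to`, everything else → `entity.relationships.${field}.ids`); if a new leaf with a different layout is added, the ES|QL side and the DSL side can silently diverge and the graph will expand targets the filter never selects. Factor the path into one helper used by both and the DSL filter collapses back to the single-expression shape it had before. `buildRelationshipDslFilter` ends outside the hunk, so check its empty-`ids` behaviour (a `terms` clause with `[]` matches nothing) is still guarded there.

```typescript
/** Index path holding the target EUIDs for one relationship leaf. */
const relationshipTargetPath = (field: string): string =>
  field === RESOLUTION_RELATIONSHIP_FIELD
    ? 'entity.relationships.resolution.resolved_to'
    : `entity.relationships.${field}.ids`;

// … unchanged: buildRelationshipTargetsEval — COALESCE(`${relationshipTargetPath(field)}`, [""]) …

const relationshipQueries = ENTITY_RELATIONSHIP_FIELDS.map((field) => ({
  terms: { [relationshipTargetPath(field)]: ids },
}));
```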
@@ -9,6 +9,31 @@ import type { Condition } from '@kbn/streamlang';
 import type { EntityType, EntityField, FieldEvaluation } from './entity_schema';
 import { collectValues, newestValue, oldestValue } from './field_retention_operations';
 
+/**
+ * Dotted ECS paths collected into `entity.relationships.*.raw_identifiers.`.
+ * Keep `EntityRelationship.raw_identifiers` in `entity.schema.yaml` in sync (same paths plus
+ * `entity.id` on the schema for target hints; ingest maps canonical EUIDs via `.entity.id` → `ids`).
+ */
+export const ENTITY_RELATIONSHIP_IDENTIFIER_FIELDS = [
+ 'host.id',
+ 'user.id',
+ 'user.email',
+ 'host.name',
+ 'user.name',
+ 'service.name',
+] as const;
+
+const ENTITY_RELATIONSHIP_COLLECT_LEAVES = [
+ 'administers',
+ 'communicates_with',
+ 'depends_on',
+ 'owns_inferred',
+ 'accesses_infrequently',
+ 'accesses_frequently',
+ 'owns',
+ 'supervises',
+] as const;
+
 export const ENTITY_ID_FIELD = 'entity.id';
 export const ENTITY_SOURCE_FIELD = 'entity.source';
 // Copied from x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_definitions/entity_descriptions/common.ts
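Review bot: `administers` is introduced here as a collected relationship leaf (and in `entity.schema.yaml`), but the graph side iterates `ENTITY_RELATIONSHIP_FIELDS` from `kbn-cloud-security-posture/common/constants.ts`, and the only change this patch makes to that file is the removed blank line in the first hunk; unless that list already contains `administers`, the new relationship is indexed but never expanded by `fetchEntityRelationships` nor matched by `buildRelationshipDslFilter`. `ENTITY_RELATIONSHIP_COLLECT_LEAVES` is therefore a third hand-maintained copy of the same leaf set, alongside `EntityField.relationships` in the YAML and the graph constant, with nothing tying them together. At minimum add `// Keep in sync with ENTITY_RELATIONSHIP_FIELDS (graph package) and EntityField.relationships in entity.schema.yaml` above it; better, export it and derive the graph list from it so the sets cannot drift.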
@@ -82,6 +107,30 @@ export const getEntityFieldsDescriptions = (rootField?: EntityType) => {
 mapping: { type: 'boolean' },
 allowAPIUpdate: true,
 }),
+ newestValue({
+ source: `${prefix}.attributes.storage_class`,
+ destination: 'entity.attributes.storage_class',
+ mapping: { type: 'keyword' },
+ allowAPIUpdate: true,
+ }),
+ collectValues({
+ source: `${prefix}.attributes.permissions`,
+ destination: 'entity.attributes.permissions',
+ mapping: { type: 'keyword' },
+ allowAPIUpdate: true,
+ }),
+ collectValues({
+ source: `${prefix}.attributes.known_redirects`,
+ destination: 'entity.attributes.known_redirects',
+ mapping: { type: 'keyword' },
+ allowAPIUpdate: true,
+ }),
+ newestValue({
+ source: `${prefix}.attributes.oauth_consent_restriction`,
+ destination: 'entity.attributes.oauth_consent_restriction',
+ mapping: { type: 'keyword' },
+ allowAPIUpdate: true,
+ }),
 
 // LIFECYCLE ------------------------------------------------------------
 oldestValue({
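Review bot: `permissions` and `known_redirects` are added with `collectValues` and no `fieldHistoryLength`, so the extraction query keeps only `TOP(..., 10)` values per entity (the snapshot hunk below emits `MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.permissions), 10))`); an identity with more than ten action-level permissions has the rest silently dropped, which is a lossy view of exactly the data a privilege review depends on. The behaviors fields in this same function use `100`, so set an explicit `fieldHistoryLength: 100,` (or the real expected bound) on both and state the cap in the schema description. All four new attributes also carry `allowAPIUpdate: true`; presumably that lets API callers overwrite `permissions` independently of what source logs reported, which is worth a one-line comment if intended. `getEntityFieldsDescriptions` starts and ends outside the hunk.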
@@ -121,48 +170,24 @@ export const getEntityFieldsDescriptions = (rootField?: EntityType) => {
 }),
 
 // RELATIONSHIPS ------------------------------------------------------------
- collectValues({
- source: `${prefix}.relationships.communicates_with`,
- destination: 'entity.relationships.communicates_with',
- mapping: { type: 'keyword' },
- fieldHistoryLength: 50,
- allowAPIUpdate: true,
- }),
- collectValues({
- source: `${prefix}.relationships.depends_on`,
- destination: 'entity.relationships.depends_on',
- mapping: { type: 'keyword' },
- allowAPIUpdate: true,
- }),
- collectValues({
- source: `${prefix}.relationships.owns_inferred`,
- destination: 'entity.relationships.owns_inferred',
- mapping: { type: 'keyword' },
- }),
- collectValues({
- source: `${prefix}.relationships.accesses_infrequently`,
- destination: 'entity.relationships.accesses_infrequently',
- mapping: { type: 'keyword' },
- allowAPIUpdate: true,
- }),
- collectValues({
- source: `${prefix}.relationships.accesses_frequently`,
- destination: 'entity.relationships.accesses_frequently',
- mapping: { type: 'keyword' },
- allowAPIUpdate: true,
- }),
- collectValues({
- source: `${prefix}.relationships.owns`,
- destination: 'entity.relationships.owns',
- mapping: { type: 'keyword' },
- allowAPIUpdate: true,
- }),
- collectValues({
- source: `${prefix}.relationships.supervises`,
- destination: 'entity.relationships.supervises',
- mapping: { type: 'keyword' },
- allowAPIUpdate: true,
- }),
+ // Source logs use flat `host.entity.relationships..`; the entity index
+ // stores raw bags under `raw_identifiers` and canonical EUIDs under `ids`.
+ ...ENTITY_RELATIONSHIP_COLLECT_LEAVES.flatMap((relationship) => [
+ ...ENTITY_RELATIONSHIP_IDENTIFIER_FIELDS.map((idField) =>
+ collectValues({
+ source: `${prefix}.relationships.${relationship}.${idField}`,
+ destination: `entity.relationships.${relationship}.raw_identifiers.${idField}`,
+ mapping: { type: 'keyword' },
+ allowAPIUpdate: true,
+ })
+ ),
+ collectValues({
+ source: `${prefix}.relationships.${relationship}.entity.id`,
+ destination: `entity.relationships.${relationship}.ids`,
+ mapping: { type: 'keyword' },
+ allowAPIUpdate: true,
+ }),
+ ]),
 newestValue({
 source: `${prefix}.relationships.resolution.resolved_to`,
 destination: 'entity.relationships.resolution.resolved_to',
diff --git a/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts b/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts
index 3c7ed30aa2b9e..20ea8bf761139 100644
--- a/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts
+++ b/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts
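Review bot: The `flatMap` replacement silently changes two per-leaf settings the removed blocks carried: `communicates_with` loses its `fieldHistoryLength: 50` (the snapshot hunk below now emits `TOP(..., 10)` for `entity.relationships.communicates_with.ids`, where the old line had `50`), and `owns_inferred`, which previously had no `allowAPIUpdate`, now gets `allowAPIUpdate: true` like every other leaf — so an inferred relationship presumably becomes writable through the API. If both are intentional, say so in the comment above the `flatMap`; otherwise carry the options per leaf, e.g. make `ENTITY_RELATIONSHIP_COLLECT_LEAVES` entries like `{ name: 'communicates_with', fieldHistoryLength: 50 }` and `{ name: 'owns_inferred', allowAPIUpdate: false }` and spread them into each `collectValues` call. Note the raw-identifier bags for `communicates_with` inherit the same default cap, so a chatty host keeps only ten peer names per dimension. `getEntityFieldsDescriptions` starts and ends outside the hunk.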
@@ -16,6 +16,34 @@ import { z } from '@kbn/zod/v4'; +/** + * One relationship direction: `raw_identifiers` holds ECS-style dotted keys → keyword arrays (aligned with ENTITY_RELATIONSHIP_IDENTIFIER_FIELDS plus entity.id), and canonical target EUIDs under `ids`. + */ +export type EntityRelationship = z.infer; +export const EntityRelationship = z + .object({ + /** + * Raw identifier dimensions for graph / resolution hints. Keys match the entity store relationship identifier field set (see ENTITY_RELATIONSHIP_IDENTIFIER_FIELDS in code). + */ + raw_identifiers: z + .object({ + 'entity.id': z.array(z.string()).optional(), + 'host.id': z.array(z.string()).optional(), + 'host.name': z.array(z.string()).optional(), + 'user.email': z.array(z.string()).optional(), + 'user.id': z.array(z.string()).optional(), + 'user.name': z.array(z.string()).optional(), + 'service.name': z.array(z.string()).optional(), + }) + .strict() + .optional(), + /** + * Target entity EUIDs for this relationship; used for graph LOOKUP JOIN and DSL filters. + */ + ids: z.array(z.string()).optional(), + }) + .strict(); + export type EngineMetadata = z.infer; export const EngineMetadata = z .object({ @@ -48,6 +76,22 @@ export const EntityField = z asset: z.boolean().optional(), managed: z.boolean().optional(), mfa_enabled: z.boolean().optional(), + /** + * Storage tier or class assigned to a storage resource (e.g. hot, warm, cold, standard, archive). + */ + storage_class: z.string().optional(), + /** + * Action-level permissions granted to this entity (not roles or groups). + */ + permissions: z.array(z.string()).optional(), + /** + * Known redirect URIs or URLs (e.g. OAuth application callbacks). + */ + known_redirects: z.array(z.string()).optional(), + /** + * OAuth consent restriction (e.g. admin_only, verified_only, unrestricted). + */ + oauth_consent_restriction: z.string().optional(), }) .strict() .optional(), 
@@ -74,13 +118,14 @@ export const EntityField = z .optional(), relationships: z .object({ - communicates_with: z.array(z.string()).optional(), - depends_on: z.array(z.string()).optional(), - owns: z.array(z.string()).optional(), - accesses_frequently: z.array(z.string()).optional(), - accesses_infrequently: z.array(z.string()).optional(), - owns_inferred: z.array(z.string()).optional(), - supervises: z.array(z.string()).optional(), + administers: EntityRelationship.optional(), + communicates_with: EntityRelationship.optional(), + depends_on: EntityRelationship.optional(), + owns_inferred: EntityRelationship.optional(), + accesses_infrequently: EntityRelationship.optional(), + accesses_frequently: EntityRelationship.optional(), + owns: EntityRelationship.optional(), + supervises: EntityRelationship.optional(), resolution: z .object({ /** diff --git a/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.schema.yaml b/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.schema.yaml index 0ac7e5190cf68..d0ed67fbc8f7c 100644 --- a/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.schema.yaml +++ b/x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.schema.yaml 
@@ -8,6 +8,52 @@ info: paths: {} components: schemas: + EntityRelationship: + type: object + additionalProperties: false + description: >- + One relationship direction: a dynamic `raw_identifiers` object (ECS-style dotted keys → + string arrays, no enumerated sub-properties) and canonical target EUIDs under `ids`. + properties: + raw_identifiers: + type: object + additionalProperties: false + properties: + entity.id: + type: array + items: + type: string + host.id: + type: array + items: + type: string + host.name: + type: array + items: + type: string + user.email: + type: array + items: + type: string + user.id: + type: array + items: + type: string + user.name: + type: array + items: + type: string + service.name: + type: array + items: + type: string + ids: + type: array + items: + type: string + description: >- + Target entity EUIDs for this relationship; used for graph LOOKUP JOIN and DSL filters. + EngineMetadata: type: object additionalProperties: false @@ -52,6 +98,22 @@ components: type: boolean mfa_enabled: type: boolean + storage_class: + type: string + description: Storage tier or class assigned to a storage resource (e.g. hot, warm, cold, standard, archive). + permissions: + type: array + items: + type: string + description: Action-level permissions granted to this entity (not roles or groups). + known_redirects: + type: array + items: + type: string + description: Known redirect URIs or URLs (e.g. OAuth application callbacks). + oauth_consent_restriction: + type: string + description: OAuth consent restriction (e.g. admin_only, verified_only, unrestricted). behaviors: type: object additionalProperties: false 
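Review bot: The `EntityRelationship` description says `raw_identifiers` is a dynamic object with "no enumerated sub-properties", but the schema directly below enumerates seven keys under `properties` with `additionalProperties: false`, so any other ECS path is rejected at validation time, and the generated zod object in `entity.gen.ts` is likewise `.strict()`. One of the two is wrong: either reword the description to `a closed set of ECS dotted keys (entity.id, host.id, host.name, user.email, user.id, user.name, service.name), each a string array` or, if the bag really is meant to be open, replace the enumeration with `additionalProperties: { type: array, items: { type: string } }`. Whichever way it goes, the `ENTITY_RELATIONSHIP_IDENTIFIER_FIELDS` comment in `common_fields.ts` already asks for these two to be kept in sync, so the chosen wording should match it.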
@@ -83,34 +145,22 @@ components:
 type: object
 additionalProperties: false
 properties:
+ administers:
+ $ref: '#/components/schemas/EntityRelationship'
 communicates_with:
- type: array
- items:
- type: string
+ $ref: '#/components/schemas/EntityRelationship'
 depends_on:
- type: array
- items:
- type: string
- owns:
- type: array
- items:
- type: string
- accesses_frequently:
- type: array
- items:
- type: string
- accesses_infrequently:
- type: array
- items:
- type: string
+ $ref: '#/components/schemas/EntityRelationship'
 owns_inferred:
- type: array
- items:
- type: string
+ $ref: '#/components/schemas/EntityRelationship'
+ accesses_infrequently:
+ $ref: '#/components/schemas/EntityRelationship'
+ accesses_frequently:
+ $ref: '#/components/schemas/EntityRelationship'
+ owns:
+ $ref: '#/components/schemas/EntityRelationship'
 supervises:
- type: array
- items:
- type: string
+ $ref: '#/components/schemas/EntityRelationship'
 resolution:
 type: object
 additionalProperties: false
diff --git a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/ccs_logs_extraction_query_builder.test.ts.snap b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/ccs_logs_extraction_query_builder.test.ts.snap
index 1d0d032fb0fb2..3595a871e3710 100644
--- a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/ccs_logs_extraction_query_builder.test.ts.snap
+++ b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/ccs_logs_extraction_query_builder.test.ts.snap
@@ -86,18 +86,71 @@ FROM remote:metrics-* entity.attributes.asset = LAST(TO_BOOLEAN(host.entity.attributes.asset), @timestamp) WHERE host.entity.attributes.asset IS NOT NULL, entity.attributes.managed = LAST(TO_BOOLEAN(host.entity.attributes.managed), @timestamp) WHERE host.entity.attributes.managed IS NOT NULL, entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(host.entity.attributes.mfa_enabled), @timestamp) WHERE host.entity.attributes.mfa_enabled IS NOT NULL, + entity.attributes.storage_class = LAST(TO_STRING(host.entity.attributes.storage_class), @timestamp) WHERE host.entity.attributes.storage_class IS NOT NULL, + entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.permissions), 10)) WHERE host.entity.attributes.permissions IS NOT NULL, + entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.known_redirects), 10)) WHERE host.entity.attributes.known_redirects IS NOT NULL, + entity.attributes.oauth_consent_restriction = LAST(TO_STRING(host.entity.attributes.oauth_consent_restriction), @timestamp) WHERE host.entity.attributes.oauth_consent_restriction IS NOT NULL, entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, entity.lifecycle.last_activity = LAST(TO_DATETIME(host.entity.lifecycle.last_activity), @timestamp) WHERE host.entity.lifecycle.last_activity IS NOT NULL, entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.rule_names), 100)) WHERE host.entity.behaviors.rule_names IS NOT NULL, entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.anomaly_job_ids), 100)) WHERE host.entity.behaviors.anomaly_job_ids IS NOT NULL, - entity.relationships.communicates_with = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with), 50)) WHERE host.entity.relationships.communicates_with IS NOT NULL, - 
entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on), 10)) WHERE host.entity.relationships.depends_on IS NOT NULL, - entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred), 10)) WHERE host.entity.relationships.owns_inferred IS NOT NULL, - entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently), 10)) WHERE host.entity.relationships.accesses_infrequently IS NOT NULL, - entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently), 10)) WHERE host.entity.relationships.accesses_frequently IS NOT NULL, - entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns), 10)) WHERE host.entity.relationships.owns IS NOT NULL, - entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises), 10)) WHERE host.entity.relationships.supervises IS NOT NULL, + entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.id), 10)) WHERE host.entity.relationships.administers.host.id IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.id), 10)) WHERE host.entity.relationships.administers.user.id IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.email), 10)) WHERE host.entity.relationships.administers.user.email IS NOT NULL, + entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.name), 10)) WHERE host.entity.relationships.administers.host.name IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.name), 10)) WHERE 
host.entity.relationships.administers.user.name IS NOT NULL, + entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.service.name), 10)) WHERE host.entity.relationships.administers.service.name IS NOT NULL, + entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.entity.id), 10)) WHERE host.entity.relationships.administers.entity.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.id), 10)) WHERE host.entity.relationships.communicates_with.host.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.id), 10)) WHERE host.entity.relationships.communicates_with.user.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.email), 10)) WHERE host.entity.relationships.communicates_with.user.email IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.name), 10)) WHERE host.entity.relationships.communicates_with.host.name IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.name), 10)) WHERE host.entity.relationships.communicates_with.user.name IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.service.name), 10)) WHERE host.entity.relationships.communicates_with.service.name IS NOT NULL, + entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.entity.id), 10)) WHERE 
host.entity.relationships.communicates_with.entity.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.id), 10)) WHERE host.entity.relationships.depends_on.host.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.id), 10)) WHERE host.entity.relationships.depends_on.user.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.email), 10)) WHERE host.entity.relationships.depends_on.user.email IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.name), 10)) WHERE host.entity.relationships.depends_on.host.name IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.name), 10)) WHERE host.entity.relationships.depends_on.user.name IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.service.name), 10)) WHERE host.entity.relationships.depends_on.service.name IS NOT NULL, + entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.entity.id), 10)) WHERE host.entity.relationships.depends_on.entity.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.id), 10)) WHERE host.entity.relationships.owns_inferred.host.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.id), 10)) WHERE host.entity.relationships.owns_inferred.user.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.email = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.email), 10)) WHERE host.entity.relationships.owns_inferred.user.email IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.name), 10)) WHERE host.entity.relationships.owns_inferred.host.name IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.name), 10)) WHERE host.entity.relationships.owns_inferred.user.name IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.service.name), 10)) WHERE host.entity.relationships.owns_inferred.service.name IS NOT NULL, + entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.entity.id), 10)) WHERE host.entity.relationships.owns_inferred.entity.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.id), 10)) WHERE host.entity.relationships.accesses_infrequently.host.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.id), 10)) WHERE host.entity.relationships.accesses_infrequently.user.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.email), 10)) WHERE host.entity.relationships.accesses_infrequently.user.email IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.name), 10)) WHERE host.entity.relationships.accesses_infrequently.host.name IS NOT NULL, + 
entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.name), 10)) WHERE host.entity.relationships.accesses_infrequently.user.name IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.service.name), 10)) WHERE host.entity.relationships.accesses_infrequently.service.name IS NOT NULL, + entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.entity.id), 10)) WHERE host.entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.id), 10)) WHERE host.entity.relationships.accesses_frequently.host.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.id), 10)) WHERE host.entity.relationships.accesses_frequently.user.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.email), 10)) WHERE host.entity.relationships.accesses_frequently.user.email IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.name), 10)) WHERE host.entity.relationships.accesses_frequently.host.name IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.name), 10)) WHERE host.entity.relationships.accesses_frequently.user.name IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.service.name = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.service.name), 10)) WHERE host.entity.relationships.accesses_frequently.service.name IS NOT NULL, + entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.entity.id), 10)) WHERE host.entity.relationships.accesses_frequently.entity.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.id), 10)) WHERE host.entity.relationships.owns.host.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.id), 10)) WHERE host.entity.relationships.owns.user.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.email), 10)) WHERE host.entity.relationships.owns.user.email IS NOT NULL, + entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.name), 10)) WHERE host.entity.relationships.owns.host.name IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.name), 10)) WHERE host.entity.relationships.owns.user.name IS NOT NULL, + entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.service.name), 10)) WHERE host.entity.relationships.owns.service.name IS NOT NULL, + entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.entity.id), 10)) WHERE host.entity.relationships.owns.entity.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.id), 10)) WHERE host.entity.relationships.supervises.host.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.id = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.id), 10)) WHERE host.entity.relationships.supervises.user.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.email), 10)) WHERE host.entity.relationships.supervises.user.email IS NOT NULL, + entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.name), 10)) WHERE host.entity.relationships.supervises.host.name IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.name), 10)) WHERE host.entity.relationships.supervises.user.name IS NOT NULL, + entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.service.name), 10)) WHERE host.entity.relationships.supervises.service.name IS NOT NULL, + entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.entity.id), 10)) WHERE host.entity.relationships.supervises.entity.id IS NOT NULL, entity.relationships.resolution.resolved_to = LAST(TO_STRING(host.entity.relationships.resolution.resolved_to), @timestamp) WHERE host.entity.relationships.resolution.resolved_to IS NOT NULL, entity.relationships.resolution.risk.calculated_level = LAST(TO_STRING(host.entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_level IS NOT NULL, entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(host.entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_score IS NOT NULL, 
@@ -181,18 +234,71 @@ true, CASE((user.email IS NOT NULL AND user.email != \\"\\" AND entity.namespace entity.attributes.asset = LAST(TO_BOOLEAN(user.entity.attributes.asset), @timestamp) WHERE user.entity.attributes.asset IS NOT NULL, entity.attributes.managed = LAST(TO_BOOLEAN(user.entity.attributes.managed), @timestamp) WHERE user.entity.attributes.managed IS NOT NULL, entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(user.entity.attributes.mfa_enabled), @timestamp) WHERE user.entity.attributes.mfa_enabled IS NOT NULL, + entity.attributes.storage_class = LAST(TO_STRING(user.entity.attributes.storage_class), @timestamp) WHERE user.entity.attributes.storage_class IS NOT NULL, + entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(user.entity.attributes.permissions), 10)) WHERE user.entity.attributes.permissions IS NOT NULL, + entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(user.entity.attributes.known_redirects), 10)) WHERE user.entity.attributes.known_redirects IS NOT NULL, + entity.attributes.oauth_consent_restriction = LAST(TO_STRING(user.entity.attributes.oauth_consent_restriction), @timestamp) WHERE user.entity.attributes.oauth_consent_restriction IS NOT NULL, entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, entity.lifecycle.last_activity = LAST(TO_DATETIME(user.entity.lifecycle.last_activity), @timestamp) WHERE user.entity.lifecycle.last_activity IS NOT NULL, entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(user.entity.behaviors.rule_names), 100)) WHERE user.entity.behaviors.rule_names IS NOT NULL, entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(user.entity.behaviors.anomaly_job_ids), 100)) WHERE user.entity.behaviors.anomaly_job_ids IS NOT NULL, - entity.relationships.communicates_with = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with), 50)) WHERE 
user.entity.relationships.communicates_with IS NOT NULL, - entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on), 10)) WHERE user.entity.relationships.depends_on IS NOT NULL, - entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred), 10)) WHERE user.entity.relationships.owns_inferred IS NOT NULL, - entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently), 10)) WHERE user.entity.relationships.accesses_infrequently IS NOT NULL, - entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently), 10)) WHERE user.entity.relationships.accesses_frequently IS NOT NULL, - entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns), 10)) WHERE user.entity.relationships.owns IS NOT NULL, - entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises), 10)) WHERE user.entity.relationships.supervises IS NOT NULL, + entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.host.id), 10)) WHERE user.entity.relationships.administers.host.id IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.user.id), 10)) WHERE user.entity.relationships.administers.user.id IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.user.email), 10)) WHERE user.entity.relationships.administers.user.email IS NOT NULL, + entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.host.name), 10)) WHERE user.entity.relationships.administers.host.name IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.name = 
MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.user.name), 10)) WHERE user.entity.relationships.administers.user.name IS NOT NULL, + entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.service.name), 10)) WHERE user.entity.relationships.administers.service.name IS NOT NULL, + entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.entity.id), 10)) WHERE user.entity.relationships.administers.entity.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.host.id), 10)) WHERE user.entity.relationships.communicates_with.host.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.user.id), 10)) WHERE user.entity.relationships.communicates_with.user.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.user.email), 10)) WHERE user.entity.relationships.communicates_with.user.email IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.host.name), 10)) WHERE user.entity.relationships.communicates_with.host.name IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.user.name), 10)) WHERE user.entity.relationships.communicates_with.user.name IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.service.name), 10)) WHERE user.entity.relationships.communicates_with.service.name IS NOT NULL, + entity.relationships.communicates_with.ids = 
MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.entity.id), 10)) WHERE user.entity.relationships.communicates_with.entity.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.host.id), 10)) WHERE user.entity.relationships.depends_on.host.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.user.id), 10)) WHERE user.entity.relationships.depends_on.user.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.user.email), 10)) WHERE user.entity.relationships.depends_on.user.email IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.host.name), 10)) WHERE user.entity.relationships.depends_on.host.name IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.user.name), 10)) WHERE user.entity.relationships.depends_on.user.name IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.service.name), 10)) WHERE user.entity.relationships.depends_on.service.name IS NOT NULL, + entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.entity.id), 10)) WHERE user.entity.relationships.depends_on.entity.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.host.id), 10)) WHERE user.entity.relationships.owns_inferred.host.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.user.id), 10)) WHERE user.entity.relationships.owns_inferred.user.id IS NOT NULL, + 
entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.user.email), 10)) WHERE user.entity.relationships.owns_inferred.user.email IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.host.name), 10)) WHERE user.entity.relationships.owns_inferred.host.name IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.user.name), 10)) WHERE user.entity.relationships.owns_inferred.user.name IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.service.name), 10)) WHERE user.entity.relationships.owns_inferred.service.name IS NOT NULL, + entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.entity.id), 10)) WHERE user.entity.relationships.owns_inferred.entity.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.host.id), 10)) WHERE user.entity.relationships.accesses_infrequently.host.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.user.id), 10)) WHERE user.entity.relationships.accesses_infrequently.user.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.user.email), 10)) WHERE user.entity.relationships.accesses_infrequently.user.email IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.host.name), 10)) WHERE user.entity.relationships.accesses_infrequently.host.name IS 
NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.user.name), 10)) WHERE user.entity.relationships.accesses_infrequently.user.name IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.service.name), 10)) WHERE user.entity.relationships.accesses_infrequently.service.name IS NOT NULL, + entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.entity.id), 10)) WHERE user.entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.host.id), 10)) WHERE user.entity.relationships.accesses_frequently.host.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.user.id), 10)) WHERE user.entity.relationships.accesses_frequently.user.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.user.email), 10)) WHERE user.entity.relationships.accesses_frequently.user.email IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.host.name), 10)) WHERE user.entity.relationships.accesses_frequently.host.name IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.user.name), 10)) WHERE user.entity.relationships.accesses_frequently.user.name IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.service.name = 
MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.service.name), 10)) WHERE user.entity.relationships.accesses_frequently.service.name IS NOT NULL, + entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.entity.id), 10)) WHERE user.entity.relationships.accesses_frequently.entity.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.host.id), 10)) WHERE user.entity.relationships.owns.host.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.user.id), 10)) WHERE user.entity.relationships.owns.user.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.user.email), 10)) WHERE user.entity.relationships.owns.user.email IS NOT NULL, + entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.host.name), 10)) WHERE user.entity.relationships.owns.host.name IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.user.name), 10)) WHERE user.entity.relationships.owns.user.name IS NOT NULL, + entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.service.name), 10)) WHERE user.entity.relationships.owns.service.name IS NOT NULL, + entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.entity.id), 10)) WHERE user.entity.relationships.owns.entity.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.host.id), 10)) WHERE user.entity.relationships.supervises.host.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.id = 
MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.user.id), 10)) WHERE user.entity.relationships.supervises.user.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.user.email), 10)) WHERE user.entity.relationships.supervises.user.email IS NOT NULL, + entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.host.name), 10)) WHERE user.entity.relationships.supervises.host.name IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.user.name), 10)) WHERE user.entity.relationships.supervises.user.name IS NOT NULL, + entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.service.name), 10)) WHERE user.entity.relationships.supervises.service.name IS NOT NULL, + entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.entity.id), 10)) WHERE user.entity.relationships.supervises.entity.id IS NOT NULL, entity.relationships.resolution.resolved_to = LAST(TO_STRING(user.entity.relationships.resolution.resolved_to), @timestamp) WHERE user.entity.relationships.resolution.resolved_to IS NOT NULL, entity.relationships.resolution.risk.calculated_level = LAST(TO_STRING(user.entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE user.entity.relationships.resolution.risk.calculated_level IS NOT NULL, entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(user.entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE user.entity.relationships.resolution.risk.calculated_score IS NOT NULL, 
@@ -250,18 +356,71 @@ FROM remote_cluster:logs-* entity.attributes.asset = LAST(TO_BOOLEAN(entity.attributes.asset), @timestamp) WHERE entity.attributes.asset IS NOT NULL, entity.attributes.managed = LAST(TO_BOOLEAN(entity.attributes.managed), @timestamp) WHERE entity.attributes.managed IS NOT NULL, entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(entity.attributes.mfa_enabled), @timestamp) WHERE entity.attributes.mfa_enabled IS NOT NULL, + entity.attributes.storage_class = LAST(TO_STRING(entity.attributes.storage_class), @timestamp) WHERE entity.attributes.storage_class IS NOT NULL, + entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(entity.attributes.permissions), 10)) WHERE entity.attributes.permissions IS NOT NULL, + entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(entity.attributes.known_redirects), 10)) WHERE entity.attributes.known_redirects IS NOT NULL, + entity.attributes.oauth_consent_restriction = LAST(TO_STRING(entity.attributes.oauth_consent_restriction), @timestamp) WHERE entity.attributes.oauth_consent_restriction IS NOT NULL, entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, entity.lifecycle.last_activity = LAST(TO_DATETIME(entity.lifecycle.last_activity), @timestamp) WHERE entity.lifecycle.last_activity IS NOT NULL, entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(entity.behaviors.rule_names), 100)) WHERE entity.behaviors.rule_names IS NOT NULL, entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(entity.behaviors.anomaly_job_ids), 100)) WHERE entity.behaviors.anomaly_job_ids IS NOT NULL, - entity.relationships.communicates_with = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with), 50)) WHERE entity.relationships.communicates_with IS NOT NULL, - entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on), 10)) WHERE 
entity.relationships.depends_on IS NOT NULL, - entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred), 10)) WHERE entity.relationships.owns_inferred IS NOT NULL, - entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently), 10)) WHERE entity.relationships.accesses_infrequently IS NOT NULL, - entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently), 10)) WHERE entity.relationships.accesses_frequently IS NOT NULL, - entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns), 10)) WHERE entity.relationships.owns IS NOT NULL, - entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises), 10)) WHERE entity.relationships.supervises IS NOT NULL, + entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.host.id), 10)) WHERE entity.relationships.administers.host.id IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.user.id), 10)) WHERE entity.relationships.administers.user.id IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.user.email), 10)) WHERE entity.relationships.administers.user.email IS NOT NULL, + entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.host.name), 10)) WHERE entity.relationships.administers.host.name IS NOT NULL, + entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.user.name), 10)) WHERE entity.relationships.administers.user.name IS NOT NULL, + entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.service.name), 10)) WHERE 
entity.relationships.administers.service.name IS NOT NULL, + entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.entity.id), 10)) WHERE entity.relationships.administers.entity.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.host.id), 10)) WHERE entity.relationships.communicates_with.host.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.user.id), 10)) WHERE entity.relationships.communicates_with.user.id IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.user.email), 10)) WHERE entity.relationships.communicates_with.user.email IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.host.name), 10)) WHERE entity.relationships.communicates_with.host.name IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.user.name), 10)) WHERE entity.relationships.communicates_with.user.name IS NOT NULL, + entity.relationships.communicates_with.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.service.name), 10)) WHERE entity.relationships.communicates_with.service.name IS NOT NULL, + entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.entity.id), 10)) WHERE entity.relationships.communicates_with.entity.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.host.id), 10)) WHERE entity.relationships.depends_on.host.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.id = 
MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.user.id), 10)) WHERE entity.relationships.depends_on.user.id IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.user.email), 10)) WHERE entity.relationships.depends_on.user.email IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.host.name), 10)) WHERE entity.relationships.depends_on.host.name IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.user.name), 10)) WHERE entity.relationships.depends_on.user.name IS NOT NULL, + entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.service.name), 10)) WHERE entity.relationships.depends_on.service.name IS NOT NULL, + entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.entity.id), 10)) WHERE entity.relationships.depends_on.entity.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.host.id), 10)) WHERE entity.relationships.owns_inferred.host.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.user.id), 10)) WHERE entity.relationships.owns_inferred.user.id IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.user.email), 10)) WHERE entity.relationships.owns_inferred.user.email IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.host.name), 10)) WHERE entity.relationships.owns_inferred.host.name IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.user.name = 
MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.user.name), 10)) WHERE entity.relationships.owns_inferred.user.name IS NOT NULL, + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.service.name), 10)) WHERE entity.relationships.owns_inferred.service.name IS NOT NULL, + entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.entity.id), 10)) WHERE entity.relationships.owns_inferred.entity.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.host.id), 10)) WHERE entity.relationships.accesses_infrequently.host.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.user.id), 10)) WHERE entity.relationships.accesses_infrequently.user.id IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.user.email), 10)) WHERE entity.relationships.accesses_infrequently.user.email IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.host.name), 10)) WHERE entity.relationships.accesses_infrequently.host.name IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.user.name), 10)) WHERE entity.relationships.accesses_infrequently.user.name IS NOT NULL, + entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.service.name), 10)) WHERE entity.relationships.accesses_infrequently.service.name IS NOT NULL, + entity.relationships.accesses_infrequently.ids = 
MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.entity.id), 10)) WHERE entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.host.id), 10)) WHERE entity.relationships.accesses_frequently.host.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.user.id), 10)) WHERE entity.relationships.accesses_frequently.user.id IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.user.email), 10)) WHERE entity.relationships.accesses_frequently.user.email IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.host.name), 10)) WHERE entity.relationships.accesses_frequently.host.name IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.user.name), 10)) WHERE entity.relationships.accesses_frequently.user.name IS NOT NULL, + entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.service.name), 10)) WHERE entity.relationships.accesses_frequently.service.name IS NOT NULL, + entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.entity.id), 10)) WHERE entity.relationships.accesses_frequently.entity.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.host.id), 10)) WHERE entity.relationships.owns.host.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.user.id), 10)) WHERE 
entity.relationships.owns.user.id IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.user.email), 10)) WHERE entity.relationships.owns.user.email IS NOT NULL, + entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.host.name), 10)) WHERE entity.relationships.owns.host.name IS NOT NULL, + entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.user.name), 10)) WHERE entity.relationships.owns.user.name IS NOT NULL, + entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.service.name), 10)) WHERE entity.relationships.owns.service.name IS NOT NULL, + entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.entity.id), 10)) WHERE entity.relationships.owns.entity.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.host.id), 10)) WHERE entity.relationships.supervises.host.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.user.id), 10)) WHERE entity.relationships.supervises.user.id IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.user.email), 10)) WHERE entity.relationships.supervises.user.email IS NOT NULL, + entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.host.name), 10)) WHERE entity.relationships.supervises.host.name IS NOT NULL, + entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.user.name), 10)) WHERE entity.relationships.supervises.user.name IS NOT NULL, + entity.relationships.supervises.raw_identifiers.service.name = 
MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.service.name), 10)) WHERE entity.relationships.supervises.service.name IS NOT NULL, + entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.entity.id), 10)) WHERE entity.relationships.supervises.entity.id IS NOT NULL, entity.relationships.resolution.resolved_to = LAST(TO_STRING(entity.relationships.resolution.resolved_to), @timestamp) WHERE entity.relationships.resolution.resolved_to IS NOT NULL, entity.relationships.resolution.risk.calculated_level = LAST(TO_STRING(entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE entity.relationships.resolution.risk.calculated_level IS NOT NULL, entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE entity.relationships.resolution.risk.calculated_score IS NOT NULL, diff --git a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/logs_extraction_query_builder.test.ts.snap b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/logs_extraction_query_builder.test.ts.snap index 36144c31db8e3..a0e6398cf4338 100644 --- a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/logs_extraction_query_builder.test.ts.snap +++ b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/__snapshots__/logs_extraction_query_builder.test.ts.snap 
@@ -29,18 +29,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for generic e recent.entity.attributes.asset = LAST(TO_BOOLEAN(entity.attributes.asset), @timestamp) WHERE entity.attributes.asset IS NOT NULL, recent.entity.attributes.managed = LAST(TO_BOOLEAN(entity.attributes.managed), @timestamp) WHERE entity.attributes.managed IS NOT NULL, recent.entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(entity.attributes.mfa_enabled), @timestamp) WHERE entity.attributes.mfa_enabled IS NOT NULL, + recent.entity.attributes.storage_class = LAST(TO_STRING(entity.attributes.storage_class), @timestamp) WHERE entity.attributes.storage_class IS NOT NULL, + recent.entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(entity.attributes.permissions), 10)) WHERE entity.attributes.permissions IS NOT NULL, + recent.entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(entity.attributes.known_redirects), 10)) WHERE entity.attributes.known_redirects IS NOT NULL, + recent.entity.attributes.oauth_consent_restriction = LAST(TO_STRING(entity.attributes.oauth_consent_restriction), @timestamp) WHERE entity.attributes.oauth_consent_restriction IS NOT NULL, recent.entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_activity = LAST(TO_DATETIME(entity.lifecycle.last_activity), @timestamp) WHERE entity.lifecycle.last_activity IS NOT NULL, recent.entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(entity.behaviors.rule_names), 100)) WHERE entity.behaviors.rule_names IS NOT NULL, recent.entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(entity.behaviors.anomaly_job_ids), 100)) WHERE entity.behaviors.anomaly_job_ids IS NOT NULL, - recent.entity.relationships.communicates_with = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with), 50)) WHERE 
entity.relationships.communicates_with IS NOT NULL, - recent.entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on), 10)) WHERE entity.relationships.depends_on IS NOT NULL, - recent.entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred), 10)) WHERE entity.relationships.owns_inferred IS NOT NULL, - recent.entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently), 10)) WHERE entity.relationships.accesses_infrequently IS NOT NULL, - recent.entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently), 10)) WHERE entity.relationships.accesses_frequently IS NOT NULL, - recent.entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns), 10)) WHERE entity.relationships.owns IS NOT NULL, - recent.entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises), 10)) WHERE entity.relationships.supervises IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.host.id), 10)) WHERE entity.relationships.administers.host.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.user.id), 10)) WHERE entity.relationships.administers.user.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.user.email), 10)) WHERE entity.relationships.administers.user.email IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.host.name), 10)) WHERE entity.relationships.administers.host.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.user.name), 
10)) WHERE entity.relationships.administers.user.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.service.name), 10)) WHERE entity.relationships.administers.service.name IS NOT NULL, + recent.entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.administers.entity.id), 10)) WHERE entity.relationships.administers.entity.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.host.id), 10)) WHERE entity.relationships.communicates_with.host.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.user.id), 10)) WHERE entity.relationships.communicates_with.user.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.user.email), 10)) WHERE entity.relationships.communicates_with.user.email IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.host.name), 10)) WHERE entity.relationships.communicates_with.host.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.user.name), 10)) WHERE entity.relationships.communicates_with.user.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.service.name), 10)) WHERE entity.relationships.communicates_with.service.name IS NOT NULL, + recent.entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.communicates_with.entity.id), 10)) WHERE entity.relationships.communicates_with.entity.id 
IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.host.id), 10)) WHERE entity.relationships.depends_on.host.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.user.id), 10)) WHERE entity.relationships.depends_on.user.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.user.email), 10)) WHERE entity.relationships.depends_on.user.email IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.host.name), 10)) WHERE entity.relationships.depends_on.host.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.user.name), 10)) WHERE entity.relationships.depends_on.user.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.service.name), 10)) WHERE entity.relationships.depends_on.service.name IS NOT NULL, + recent.entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.depends_on.entity.id), 10)) WHERE entity.relationships.depends_on.entity.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.host.id), 10)) WHERE entity.relationships.owns_inferred.host.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.user.id), 10)) WHERE entity.relationships.owns_inferred.user.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.user.email), 10)) WHERE 
entity.relationships.owns_inferred.user.email IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.host.name), 10)) WHERE entity.relationships.owns_inferred.host.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.user.name), 10)) WHERE entity.relationships.owns_inferred.user.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.service.name), 10)) WHERE entity.relationships.owns_inferred.service.name IS NOT NULL, + recent.entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns_inferred.entity.id), 10)) WHERE entity.relationships.owns_inferred.entity.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.host.id), 10)) WHERE entity.relationships.accesses_infrequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.user.id), 10)) WHERE entity.relationships.accesses_infrequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.user.email), 10)) WHERE entity.relationships.accesses_infrequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.host.name), 10)) WHERE entity.relationships.accesses_infrequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.user.name), 10)) WHERE 
entity.relationships.accesses_infrequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.service.name), 10)) WHERE entity.relationships.accesses_infrequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_infrequently.entity.id), 10)) WHERE entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.host.id), 10)) WHERE entity.relationships.accesses_frequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.user.id), 10)) WHERE entity.relationships.accesses_frequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.user.email), 10)) WHERE entity.relationships.accesses_frequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.host.name), 10)) WHERE entity.relationships.accesses_frequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.user.name), 10)) WHERE entity.relationships.accesses_frequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.service.name), 10)) WHERE entity.relationships.accesses_frequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.ids = 
MV_DEDUPE(TOP(TO_STRING(entity.relationships.accesses_frequently.entity.id), 10)) WHERE entity.relationships.accesses_frequently.entity.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.host.id), 10)) WHERE entity.relationships.owns.host.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.user.id), 10)) WHERE entity.relationships.owns.user.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.user.email), 10)) WHERE entity.relationships.owns.user.email IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.host.name), 10)) WHERE entity.relationships.owns.host.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.user.name), 10)) WHERE entity.relationships.owns.user.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.service.name), 10)) WHERE entity.relationships.owns.service.name IS NOT NULL, + recent.entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.owns.entity.id), 10)) WHERE entity.relationships.owns.entity.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.host.id), 10)) WHERE entity.relationships.supervises.host.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.user.id), 10)) WHERE entity.relationships.supervises.user.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.user.email), 10)) WHERE 
entity.relationships.supervises.user.email IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.host.name), 10)) WHERE entity.relationships.supervises.host.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.user.name), 10)) WHERE entity.relationships.supervises.user.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.service.name), 10)) WHERE entity.relationships.supervises.service.name IS NOT NULL, + recent.entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(entity.relationships.supervises.entity.id), 10)) WHERE entity.relationships.supervises.entity.id IS NOT NULL, recent.entity.relationships.resolution.resolved_to = LAST(TO_STRING(entity.relationships.resolution.resolved_to), @timestamp) WHERE entity.relationships.resolution.resolved_to IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_level = LAST(TO_STRING(entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE entity.relationships.resolution.risk.calculated_level IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE entity.relationships.resolution.risk.calculated_score IS NOT NULL, 
@@ -101,18 +154,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for generic e entity.attributes.asset = COALESCE(recent.entity.attributes.asset, entity.attributes.asset), entity.attributes.managed = COALESCE(recent.entity.attributes.managed, entity.attributes.managed), entity.attributes.mfa_enabled = COALESCE(recent.entity.attributes.mfa_enabled, entity.attributes.mfa_enabled), + entity.attributes.storage_class = COALESCE(recent.entity.attributes.storage_class, entity.attributes.storage_class), + entity.attributes.permissions = MV_SLICE(MV_UNION(recent.entity.attributes.permissions, entity.attributes.permissions), 0, 9), + entity.attributes.known_redirects = MV_SLICE(MV_UNION(recent.entity.attributes.known_redirects, entity.attributes.known_redirects), 0, 9), + entity.attributes.oauth_consent_restriction = COALESCE(recent.entity.attributes.oauth_consent_restriction, entity.attributes.oauth_consent_restriction), entity.lifecycle.first_seen = COALESCE(entity.lifecycle.first_seen, recent.entity.lifecycle.first_seen), entity.lifecycle.last_seen = COALESCE(recent.entity.lifecycle.last_seen, entity.lifecycle.last_seen), entity.lifecycle.last_activity = COALESCE(recent.entity.lifecycle.last_activity, entity.lifecycle.last_activity), entity.behaviors.rule_names = MV_SLICE(MV_UNION(recent.entity.behaviors.rule_names, entity.behaviors.rule_names), 0, 99), entity.behaviors.anomaly_job_ids = MV_SLICE(MV_UNION(recent.entity.behaviors.anomaly_job_ids, entity.behaviors.anomaly_job_ids), 0, 99), - entity.relationships.communicates_with = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with, entity.relationships.communicates_with), 0, 49), - entity.relationships.depends_on = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on, entity.relationships.depends_on), 0, 9), - entity.relationships.owns_inferred = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred, entity.relationships.owns_inferred), 0, 9), - 
entity.relationships.accesses_infrequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently, entity.relationships.accesses_infrequently), 0, 9), - entity.relationships.accesses_frequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently, entity.relationships.accesses_frequently), 0, 9), - entity.relationships.owns = MV_SLICE(MV_UNION(recent.entity.relationships.owns, entity.relationships.owns), 0, 9), - entity.relationships.supervises = MV_SLICE(MV_UNION(recent.entity.relationships.supervises, entity.relationships.supervises), 0, 9), + entity.relationships.administers.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.id, entity.relationships.administers.raw_identifiers.host.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.id, entity.relationships.administers.raw_identifiers.user.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.email, entity.relationships.administers.raw_identifiers.user.email), 0, 9), + entity.relationships.administers.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.name, entity.relationships.administers.raw_identifiers.host.name), 0, 9), + entity.relationships.administers.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.name, entity.relationships.administers.raw_identifiers.user.name), 0, 9), + entity.relationships.administers.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.service.name, entity.relationships.administers.raw_identifiers.service.name), 0, 9), + entity.relationships.administers.ids = MV_SLICE(MV_UNION(recent.entity.relationships.administers.ids, 
entity.relationships.administers.ids), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.id, entity.relationships.communicates_with.raw_identifiers.host.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.id, entity.relationships.communicates_with.raw_identifiers.user.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.email, entity.relationships.communicates_with.raw_identifiers.user.email), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.name, entity.relationships.communicates_with.raw_identifiers.host.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.name, entity.relationships.communicates_with.raw_identifiers.user.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.service.name, entity.relationships.communicates_with.raw_identifiers.service.name), 0, 9), + entity.relationships.communicates_with.ids = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.ids, entity.relationships.communicates_with.ids), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.id, entity.relationships.depends_on.raw_identifiers.host.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.id, 
entity.relationships.depends_on.raw_identifiers.user.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.email, entity.relationships.depends_on.raw_identifiers.user.email), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.name, entity.relationships.depends_on.raw_identifiers.host.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.name, entity.relationships.depends_on.raw_identifiers.user.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.service.name, entity.relationships.depends_on.raw_identifiers.service.name), 0, 9), + entity.relationships.depends_on.ids = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.ids, entity.relationships.depends_on.ids), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.id, entity.relationships.owns_inferred.raw_identifiers.host.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.id, entity.relationships.owns_inferred.raw_identifiers.user.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.email, entity.relationships.owns_inferred.raw_identifiers.user.email), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.name, entity.relationships.owns_inferred.raw_identifiers.host.name), 0, 9), + 
entity.relationships.owns_inferred.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.name, entity.relationships.owns_inferred.raw_identifiers.user.name), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.service.name, entity.relationships.owns_inferred.raw_identifiers.service.name), 0, 9), + entity.relationships.owns_inferred.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.ids, entity.relationships.owns_inferred.ids), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id, entity.relationships.accesses_infrequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id, entity.relationships.accesses_infrequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email, entity.relationships.accesses_infrequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name, entity.relationships.accesses_infrequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name, entity.relationships.accesses_infrequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.service.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name, entity.relationships.accesses_infrequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_infrequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.ids, entity.relationships.accesses_infrequently.ids), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.id, entity.relationships.accesses_frequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.id, entity.relationships.accesses_frequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.email, entity.relationships.accesses_frequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.name, entity.relationships.accesses_frequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.name, entity.relationships.accesses_frequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.service.name, entity.relationships.accesses_frequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_frequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.ids, entity.relationships.accesses_frequently.ids), 0, 9), + 
entity.relationships.owns.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.id, entity.relationships.owns.raw_identifiers.host.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.id, entity.relationships.owns.raw_identifiers.user.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.email, entity.relationships.owns.raw_identifiers.user.email), 0, 9), + entity.relationships.owns.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.name, entity.relationships.owns.raw_identifiers.host.name), 0, 9), + entity.relationships.owns.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.name, entity.relationships.owns.raw_identifiers.user.name), 0, 9), + entity.relationships.owns.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.service.name, entity.relationships.owns.raw_identifiers.service.name), 0, 9), + entity.relationships.owns.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns.ids, entity.relationships.owns.ids), 0, 9), + entity.relationships.supervises.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.id, entity.relationships.supervises.raw_identifiers.host.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.id, entity.relationships.supervises.raw_identifiers.user.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.email, entity.relationships.supervises.raw_identifiers.user.email), 0, 9), + entity.relationships.supervises.raw_identifiers.host.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.name, entity.relationships.supervises.raw_identifiers.host.name), 0, 9), + entity.relationships.supervises.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.name, entity.relationships.supervises.raw_identifiers.user.name), 0, 9), + entity.relationships.supervises.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.service.name, entity.relationships.supervises.raw_identifiers.service.name), 0, 9), + entity.relationships.supervises.ids = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.ids, entity.relationships.supervises.ids), 0, 9), entity.relationships.resolution.resolved_to = COALESCE(recent.entity.relationships.resolution.resolved_to, entity.relationships.resolution.resolved_to), entity.relationships.resolution.risk.calculated_level = COALESCE(recent.entity.relationships.resolution.risk.calculated_level, entity.relationships.resolution.risk.calculated_level), entity.relationships.resolution.risk.calculated_score = COALESCE(recent.entity.relationships.resolution.risk.calculated_score, entity.relationships.resolution.risk.calculated_score), 
@@ -256,18 +362,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for host enti
 recent.entity.attributes.asset = LAST(TO_BOOLEAN(host.entity.attributes.asset), @timestamp) WHERE host.entity.attributes.asset IS NOT NULL,
 recent.entity.attributes.managed = LAST(TO_BOOLEAN(host.entity.attributes.managed), @timestamp) WHERE host.entity.attributes.managed IS NOT NULL,
 recent.entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(host.entity.attributes.mfa_enabled), @timestamp) WHERE host.entity.attributes.mfa_enabled IS NOT NULL,
+ recent.entity.attributes.storage_class = LAST(TO_STRING(host.entity.attributes.storage_class), @timestamp) WHERE host.entity.attributes.storage_class IS NOT NULL,
+ recent.entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.permissions), 10)) WHERE host.entity.attributes.permissions IS NOT NULL,
+ recent.entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.known_redirects), 10)) WHERE host.entity.attributes.known_redirects IS NOT NULL,
+ recent.entity.attributes.oauth_consent_restriction = LAST(TO_STRING(host.entity.attributes.oauth_consent_restriction), @timestamp) WHERE host.entity.attributes.oauth_consent_restriction IS NOT NULL,
 recent.entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL,
 recent.entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL,
 recent.entity.lifecycle.last_activity = LAST(TO_DATETIME(host.entity.lifecycle.last_activity), @timestamp) WHERE host.entity.lifecycle.last_activity IS NOT NULL,
 recent.entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.rule_names), 100)) WHERE host.entity.behaviors.rule_names IS NOT NULL,
 recent.entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.anomaly_job_ids), 100)) WHERE host.entity.behaviors.anomaly_job_ids IS NOT NULL,
- recent.entity.relationships.communicates_with =
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with), 50)) WHERE host.entity.relationships.communicates_with IS NOT NULL,
- recent.entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on), 10)) WHERE host.entity.relationships.depends_on IS NOT NULL,
- recent.entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred), 10)) WHERE host.entity.relationships.owns_inferred IS NOT NULL,
- recent.entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently), 10)) WHERE host.entity.relationships.accesses_infrequently IS NOT NULL,
- recent.entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently), 10)) WHERE host.entity.relationships.accesses_frequently IS NOT NULL,
- recent.entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns), 10)) WHERE host.entity.relationships.owns IS NOT NULL,
- recent.entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises), 10)) WHERE host.entity.relationships.supervises IS NOT NULL,
+ recent.entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.id), 10)) WHERE host.entity.relationships.administers.host.id IS NOT NULL,
+ recent.entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.id), 10)) WHERE host.entity.relationships.administers.user.id IS NOT NULL,
+ recent.entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.email), 10)) WHERE host.entity.relationships.administers.user.email IS NOT NULL,
+ recent.entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.name), 10)) WHERE
host.entity.relationships.administers.host.name IS NOT NULL,
+ recent.entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.name), 10)) WHERE host.entity.relationships.administers.user.name IS NOT NULL,
+ recent.entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.service.name), 10)) WHERE host.entity.relationships.administers.service.name IS NOT NULL,
+ recent.entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.entity.id), 10)) WHERE host.entity.relationships.administers.entity.id IS NOT NULL,
+ recent.entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.id), 10)) WHERE host.entity.relationships.communicates_with.host.id IS NOT NULL,
+ recent.entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.id), 10)) WHERE host.entity.relationships.communicates_with.user.id IS NOT NULL,
+ recent.entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.email), 10)) WHERE host.entity.relationships.communicates_with.user.email IS NOT NULL,
+ recent.entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.name), 10)) WHERE host.entity.relationships.communicates_with.host.name IS NOT NULL,
+ recent.entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.name), 10)) WHERE host.entity.relationships.communicates_with.user.name IS NOT NULL,
+ recent.entity.relationships.communicates_with.raw_identifiers.service.name =
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.service.name), 10)) WHERE host.entity.relationships.communicates_with.service.name IS NOT NULL,
+ recent.entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.entity.id), 10)) WHERE host.entity.relationships.communicates_with.entity.id IS NOT NULL,
+ recent.entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.id), 10)) WHERE host.entity.relationships.depends_on.host.id IS NOT NULL,
+ recent.entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.id), 10)) WHERE host.entity.relationships.depends_on.user.id IS NOT NULL,
+ recent.entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.email), 10)) WHERE host.entity.relationships.depends_on.user.email IS NOT NULL,
+ recent.entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.name), 10)) WHERE host.entity.relationships.depends_on.host.name IS NOT NULL,
+ recent.entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.name), 10)) WHERE host.entity.relationships.depends_on.user.name IS NOT NULL,
+ recent.entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.service.name), 10)) WHERE host.entity.relationships.depends_on.service.name IS NOT NULL,
+ recent.entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.entity.id), 10)) WHERE host.entity.relationships.depends_on.entity.id IS NOT NULL,
+ recent.entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.id), 10)) WHERE
host.entity.relationships.owns_inferred.host.id IS NOT NULL,
+ recent.entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.id), 10)) WHERE host.entity.relationships.owns_inferred.user.id IS NOT NULL,
+ recent.entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.email), 10)) WHERE host.entity.relationships.owns_inferred.user.email IS NOT NULL,
+ recent.entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.name), 10)) WHERE host.entity.relationships.owns_inferred.host.name IS NOT NULL,
+ recent.entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.name), 10)) WHERE host.entity.relationships.owns_inferred.user.name IS NOT NULL,
+ recent.entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.service.name), 10)) WHERE host.entity.relationships.owns_inferred.service.name IS NOT NULL,
+ recent.entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.entity.id), 10)) WHERE host.entity.relationships.owns_inferred.entity.id IS NOT NULL,
+ recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.id), 10)) WHERE host.entity.relationships.accesses_infrequently.host.id IS NOT NULL,
+ recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.id), 10)) WHERE host.entity.relationships.accesses_infrequently.user.id IS NOT NULL,
+ recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email =
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.email), 10)) WHERE host.entity.relationships.accesses_infrequently.user.email IS NOT NULL,
+ recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.name), 10)) WHERE host.entity.relationships.accesses_infrequently.host.name IS NOT NULL,
+ recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.name), 10)) WHERE host.entity.relationships.accesses_infrequently.user.name IS NOT NULL,
+ recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.service.name), 10)) WHERE host.entity.relationships.accesses_infrequently.service.name IS NOT NULL,
+ recent.entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.entity.id), 10)) WHERE host.entity.relationships.accesses_infrequently.entity.id IS NOT NULL,
+ recent.entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.id), 10)) WHERE host.entity.relationships.accesses_frequently.host.id IS NOT NULL,
+ recent.entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.id), 10)) WHERE host.entity.relationships.accesses_frequently.user.id IS NOT NULL,
+ recent.entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.email), 10)) WHERE host.entity.relationships.accesses_frequently.user.email IS NOT NULL,
+ recent.entity.relationships.accesses_frequently.raw_identifiers.host.name =
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.name), 10)) WHERE host.entity.relationships.accesses_frequently.host.name IS NOT NULL,
+ recent.entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.name), 10)) WHERE host.entity.relationships.accesses_frequently.user.name IS NOT NULL,
+ recent.entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.service.name), 10)) WHERE host.entity.relationships.accesses_frequently.service.name IS NOT NULL,
+ recent.entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.entity.id), 10)) WHERE host.entity.relationships.accesses_frequently.entity.id IS NOT NULL,
+ recent.entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.id), 10)) WHERE host.entity.relationships.owns.host.id IS NOT NULL,
+ recent.entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.id), 10)) WHERE host.entity.relationships.owns.user.id IS NOT NULL,
+ recent.entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.email), 10)) WHERE host.entity.relationships.owns.user.email IS NOT NULL,
+ recent.entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.name), 10)) WHERE host.entity.relationships.owns.host.name IS NOT NULL,
+ recent.entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.name), 10)) WHERE host.entity.relationships.owns.user.name IS NOT NULL,
+ recent.entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.service.name), 10)) WHERE
host.entity.relationships.owns.service.name IS NOT NULL,
+ recent.entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.entity.id), 10)) WHERE host.entity.relationships.owns.entity.id IS NOT NULL,
+ recent.entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.id), 10)) WHERE host.entity.relationships.supervises.host.id IS NOT NULL,
+ recent.entity.relationships.supervises.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.id), 10)) WHERE host.entity.relationships.supervises.user.id IS NOT NULL,
+ recent.entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.email), 10)) WHERE host.entity.relationships.supervises.user.email IS NOT NULL,
+ recent.entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.name), 10)) WHERE host.entity.relationships.supervises.host.name IS NOT NULL,
+ recent.entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.name), 10)) WHERE host.entity.relationships.supervises.user.name IS NOT NULL,
+ recent.entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.service.name), 10)) WHERE host.entity.relationships.supervises.service.name IS NOT NULL,
+ recent.entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.entity.id), 10)) WHERE host.entity.relationships.supervises.entity.id IS NOT NULL,
 recent.entity.relationships.resolution.resolved_to = LAST(TO_STRING(host.entity.relationships.resolution.resolved_to), @timestamp) WHERE host.entity.relationships.resolution.resolved_to IS NOT NULL,
 recent.entity.relationships.resolution.risk.calculated_level =
LAST(TO_STRING(host.entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_level IS NOT NULL,
 recent.entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(host.entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_score IS NOT NULL,
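Review bot: The communicates_with cap silently drops from 50 to 10 in this hunk: the removed line aggregated `MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with), 50))`, while the replacement `recent.entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.entity.id), 10))` and its six raw_identifiers siblings all use 10, and the merge step in the next hunk likewise goes from `MV_SLICE(..., 0, 49)` to `MV_SLICE(..., 0, 9)`. If the larger bound was deliberate for the noisiest relationship, the query builder that emits these lines has lost it and this snapshot update would have masked the regression; if a uniform 10 is intended, the builder (not in this chunk) should say so where the per-relationship limit is defined. The same pattern appears in the hunk at the `@@ -465,18 +677,71 @@` header, which is cut off at the end of this chunk. Separately, `.ids` here is filled only from `<relationship>.entity.id`; whether the collected raw_identifiers are ever resolved into `.ids` is not visible in this file, so it is worth confirming the snapshot reflects the intended resolution flow.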
@@ -345,18 +504,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for host enti
 entity.attributes.asset = COALESCE(recent.entity.attributes.asset, entity.attributes.asset),
 entity.attributes.managed = COALESCE(recent.entity.attributes.managed, entity.attributes.managed),
 entity.attributes.mfa_enabled = COALESCE(recent.entity.attributes.mfa_enabled, entity.attributes.mfa_enabled),
+ entity.attributes.storage_class = COALESCE(recent.entity.attributes.storage_class, entity.attributes.storage_class),
+ entity.attributes.permissions = MV_SLICE(MV_UNION(recent.entity.attributes.permissions, entity.attributes.permissions), 0, 9),
+ entity.attributes.known_redirects = MV_SLICE(MV_UNION(recent.entity.attributes.known_redirects, entity.attributes.known_redirects), 0, 9),
+ entity.attributes.oauth_consent_restriction = COALESCE(recent.entity.attributes.oauth_consent_restriction, entity.attributes.oauth_consent_restriction),
 entity.lifecycle.first_seen = COALESCE(entity.lifecycle.first_seen, recent.entity.lifecycle.first_seen),
 entity.lifecycle.last_seen = COALESCE(recent.entity.lifecycle.last_seen, entity.lifecycle.last_seen),
 entity.lifecycle.last_activity = COALESCE(recent.entity.lifecycle.last_activity, entity.lifecycle.last_activity),
 entity.behaviors.rule_names = MV_SLICE(MV_UNION(recent.entity.behaviors.rule_names, entity.behaviors.rule_names), 0, 99),
 entity.behaviors.anomaly_job_ids = MV_SLICE(MV_UNION(recent.entity.behaviors.anomaly_job_ids, entity.behaviors.anomaly_job_ids), 0, 99),
- entity.relationships.communicates_with = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with, entity.relationships.communicates_with), 0, 49),
- entity.relationships.depends_on = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on, entity.relationships.depends_on), 0, 9),
- entity.relationships.owns_inferred = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred, entity.relationships.owns_inferred), 0, 9),
-
entity.relationships.accesses_infrequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently, entity.relationships.accesses_infrequently), 0, 9),
- entity.relationships.accesses_frequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently, entity.relationships.accesses_frequently), 0, 9),
- entity.relationships.owns = MV_SLICE(MV_UNION(recent.entity.relationships.owns, entity.relationships.owns), 0, 9),
- entity.relationships.supervises = MV_SLICE(MV_UNION(recent.entity.relationships.supervises, entity.relationships.supervises), 0, 9),
+ entity.relationships.administers.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.id, entity.relationships.administers.raw_identifiers.host.id), 0, 9),
+ entity.relationships.administers.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.id, entity.relationships.administers.raw_identifiers.user.id), 0, 9),
+ entity.relationships.administers.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.email, entity.relationships.administers.raw_identifiers.user.email), 0, 9),
+ entity.relationships.administers.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.name, entity.relationships.administers.raw_identifiers.host.name), 0, 9),
+ entity.relationships.administers.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.name, entity.relationships.administers.raw_identifiers.user.name), 0, 9),
+ entity.relationships.administers.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.service.name, entity.relationships.administers.raw_identifiers.service.name), 0, 9),
+ entity.relationships.administers.ids = MV_SLICE(MV_UNION(recent.entity.relationships.administers.ids,
entity.relationships.administers.ids), 0, 9),
+ entity.relationships.communicates_with.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.id, entity.relationships.communicates_with.raw_identifiers.host.id), 0, 9),
+ entity.relationships.communicates_with.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.id, entity.relationships.communicates_with.raw_identifiers.user.id), 0, 9),
+ entity.relationships.communicates_with.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.email, entity.relationships.communicates_with.raw_identifiers.user.email), 0, 9),
+ entity.relationships.communicates_with.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.name, entity.relationships.communicates_with.raw_identifiers.host.name), 0, 9),
+ entity.relationships.communicates_with.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.name, entity.relationships.communicates_with.raw_identifiers.user.name), 0, 9),
+ entity.relationships.communicates_with.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.service.name, entity.relationships.communicates_with.raw_identifiers.service.name), 0, 9),
+ entity.relationships.communicates_with.ids = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.ids, entity.relationships.communicates_with.ids), 0, 9),
+ entity.relationships.depends_on.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.id, entity.relationships.depends_on.raw_identifiers.host.id), 0, 9),
+ entity.relationships.depends_on.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.id,
entity.relationships.depends_on.raw_identifiers.user.id), 0, 9),
+ entity.relationships.depends_on.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.email, entity.relationships.depends_on.raw_identifiers.user.email), 0, 9),
+ entity.relationships.depends_on.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.name, entity.relationships.depends_on.raw_identifiers.host.name), 0, 9),
+ entity.relationships.depends_on.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.name, entity.relationships.depends_on.raw_identifiers.user.name), 0, 9),
+ entity.relationships.depends_on.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.service.name, entity.relationships.depends_on.raw_identifiers.service.name), 0, 9),
+ entity.relationships.depends_on.ids = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.ids, entity.relationships.depends_on.ids), 0, 9),
+ entity.relationships.owns_inferred.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.id, entity.relationships.owns_inferred.raw_identifiers.host.id), 0, 9),
+ entity.relationships.owns_inferred.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.id, entity.relationships.owns_inferred.raw_identifiers.user.id), 0, 9),
+ entity.relationships.owns_inferred.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.email, entity.relationships.owns_inferred.raw_identifiers.user.email), 0, 9),
+ entity.relationships.owns_inferred.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.name, entity.relationships.owns_inferred.raw_identifiers.host.name), 0, 9),
+
entity.relationships.owns_inferred.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.name, entity.relationships.owns_inferred.raw_identifiers.user.name), 0, 9),
+ entity.relationships.owns_inferred.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.service.name, entity.relationships.owns_inferred.raw_identifiers.service.name), 0, 9),
+ entity.relationships.owns_inferred.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.ids, entity.relationships.owns_inferred.ids), 0, 9),
+ entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id, entity.relationships.accesses_infrequently.raw_identifiers.host.id), 0, 9),
+ entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id, entity.relationships.accesses_infrequently.raw_identifiers.user.id), 0, 9),
+ entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email, entity.relationships.accesses_infrequently.raw_identifiers.user.email), 0, 9),
+ entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name, entity.relationships.accesses_infrequently.raw_identifiers.host.name), 0, 9),
+ entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name, entity.relationships.accesses_infrequently.raw_identifiers.user.name), 0, 9),
+ entity.relationships.accesses_infrequently.raw_identifiers.service.name =
MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name, entity.relationships.accesses_infrequently.raw_identifiers.service.name), 0, 9),
+ entity.relationships.accesses_infrequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.ids, entity.relationships.accesses_infrequently.ids), 0, 9),
+ entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.id, entity.relationships.accesses_frequently.raw_identifiers.host.id), 0, 9),
+ entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.id, entity.relationships.accesses_frequently.raw_identifiers.user.id), 0, 9),
+ entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.email, entity.relationships.accesses_frequently.raw_identifiers.user.email), 0, 9),
+ entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.name, entity.relationships.accesses_frequently.raw_identifiers.host.name), 0, 9),
+ entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.name, entity.relationships.accesses_frequently.raw_identifiers.user.name), 0, 9),
+ entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.service.name, entity.relationships.accesses_frequently.raw_identifiers.service.name), 0, 9),
+ entity.relationships.accesses_frequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.ids, entity.relationships.accesses_frequently.ids), 0, 9),
+
entity.relationships.owns.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.id, entity.relationships.owns.raw_identifiers.host.id), 0, 9),
+ entity.relationships.owns.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.id, entity.relationships.owns.raw_identifiers.user.id), 0, 9),
+ entity.relationships.owns.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.email, entity.relationships.owns.raw_identifiers.user.email), 0, 9),
+ entity.relationships.owns.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.name, entity.relationships.owns.raw_identifiers.host.name), 0, 9),
+ entity.relationships.owns.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.name, entity.relationships.owns.raw_identifiers.user.name), 0, 9),
+ entity.relationships.owns.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.service.name, entity.relationships.owns.raw_identifiers.service.name), 0, 9),
+ entity.relationships.owns.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns.ids, entity.relationships.owns.ids), 0, 9),
+ entity.relationships.supervises.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.id, entity.relationships.supervises.raw_identifiers.host.id), 0, 9),
+ entity.relationships.supervises.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.id, entity.relationships.supervises.raw_identifiers.user.id), 0, 9),
+ entity.relationships.supervises.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.email, entity.relationships.supervises.raw_identifiers.user.email), 0, 9),
+ entity.relationships.supervises.raw_identifiers.host.name =
MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.name, entity.relationships.supervises.raw_identifiers.host.name), 0, 9),
+ entity.relationships.supervises.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.name, entity.relationships.supervises.raw_identifiers.user.name), 0, 9),
+ entity.relationships.supervises.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.service.name, entity.relationships.supervises.raw_identifiers.service.name), 0, 9),
+ entity.relationships.supervises.ids = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.ids, entity.relationships.supervises.ids), 0, 9),
 entity.relationships.resolution.resolved_to = COALESCE(recent.entity.relationships.resolution.resolved_to, entity.relationships.resolution.resolved_to),
 entity.relationships.resolution.risk.calculated_level = COALESCE(recent.entity.relationships.resolution.risk.calculated_level, entity.relationships.resolution.risk.calculated_level),
 entity.relationships.resolution.risk.calculated_score = COALESCE(recent.entity.relationships.resolution.risk.calculated_score, entity.relationships.resolution.risk.calculated_score),
@@ -465,18 +677,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for host with recent.entity.attributes.asset = LAST(TO_BOOLEAN(host.entity.attributes.asset), @timestamp) WHERE host.entity.attributes.asset IS NOT NULL, recent.entity.attributes.managed = LAST(TO_BOOLEAN(host.entity.attributes.managed), @timestamp) WHERE host.entity.attributes.managed IS NOT NULL, recent.entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(host.entity.attributes.mfa_enabled), @timestamp) WHERE host.entity.attributes.mfa_enabled IS NOT NULL, + recent.entity.attributes.storage_class = LAST(TO_STRING(host.entity.attributes.storage_class), @timestamp) WHERE host.entity.attributes.storage_class IS NOT NULL, + recent.entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.permissions), 10)) WHERE host.entity.attributes.permissions IS NOT NULL, + recent.entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.known_redirects), 10)) WHERE host.entity.attributes.known_redirects IS NOT NULL, + recent.entity.attributes.oauth_consent_restriction = LAST(TO_STRING(host.entity.attributes.oauth_consent_restriction), @timestamp) WHERE host.entity.attributes.oauth_consent_restriction IS NOT NULL, recent.entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_activity = LAST(TO_DATETIME(host.entity.lifecycle.last_activity), @timestamp) WHERE host.entity.lifecycle.last_activity IS NOT NULL, recent.entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.rule_names), 100)) WHERE host.entity.behaviors.rule_names IS NOT NULL, recent.entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.anomaly_job_ids), 100)) WHERE host.entity.behaviors.anomaly_job_ids IS NOT NULL, - recent.entity.relationships.communicates_with = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with), 50)) WHERE host.entity.relationships.communicates_with IS NOT NULL, - recent.entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on), 10)) WHERE host.entity.relationships.depends_on IS NOT NULL, - recent.entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred), 10)) WHERE host.entity.relationships.owns_inferred IS NOT NULL, - recent.entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently), 10)) WHERE host.entity.relationships.accesses_infrequently IS NOT NULL, - recent.entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently), 10)) WHERE host.entity.relationships.accesses_frequently IS NOT NULL, - recent.entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns), 10)) WHERE host.entity.relationships.owns IS NOT NULL, - recent.entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises), 10)) WHERE host.entity.relationships.supervises IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.id), 10)) WHERE host.entity.relationships.administers.host.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.id), 10)) WHERE host.entity.relationships.administers.user.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.email), 10)) WHERE host.entity.relationships.administers.user.email IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.name), 10)) WHERE 
host.entity.relationships.administers.host.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.name), 10)) WHERE host.entity.relationships.administers.user.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.service.name), 10)) WHERE host.entity.relationships.administers.service.name IS NOT NULL, + recent.entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.entity.id), 10)) WHERE host.entity.relationships.administers.entity.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.id), 10)) WHERE host.entity.relationships.communicates_with.host.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.id), 10)) WHERE host.entity.relationships.communicates_with.user.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.email), 10)) WHERE host.entity.relationships.communicates_with.user.email IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.name), 10)) WHERE host.entity.relationships.communicates_with.host.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.name), 10)) WHERE host.entity.relationships.communicates_with.user.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.service.name = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.service.name), 10)) WHERE host.entity.relationships.communicates_with.service.name IS NOT NULL, + recent.entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.entity.id), 10)) WHERE host.entity.relationships.communicates_with.entity.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.id), 10)) WHERE host.entity.relationships.depends_on.host.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.id), 10)) WHERE host.entity.relationships.depends_on.user.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.email), 10)) WHERE host.entity.relationships.depends_on.user.email IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.name), 10)) WHERE host.entity.relationships.depends_on.host.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.name), 10)) WHERE host.entity.relationships.depends_on.user.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.service.name), 10)) WHERE host.entity.relationships.depends_on.service.name IS NOT NULL, + recent.entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.entity.id), 10)) WHERE host.entity.relationships.depends_on.entity.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.id), 10)) WHERE 
host.entity.relationships.owns_inferred.host.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.id), 10)) WHERE host.entity.relationships.owns_inferred.user.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.email), 10)) WHERE host.entity.relationships.owns_inferred.user.email IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.name), 10)) WHERE host.entity.relationships.owns_inferred.host.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.name), 10)) WHERE host.entity.relationships.owns_inferred.user.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.service.name), 10)) WHERE host.entity.relationships.owns_inferred.service.name IS NOT NULL, + recent.entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.entity.id), 10)) WHERE host.entity.relationships.owns_inferred.entity.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.id), 10)) WHERE host.entity.relationships.accesses_infrequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.id), 10)) WHERE host.entity.relationships.accesses_infrequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.email), 10)) WHERE host.entity.relationships.accesses_infrequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.name), 10)) WHERE host.entity.relationships.accesses_infrequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.name), 10)) WHERE host.entity.relationships.accesses_infrequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.service.name), 10)) WHERE host.entity.relationships.accesses_infrequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.entity.id), 10)) WHERE host.entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.id), 10)) WHERE host.entity.relationships.accesses_frequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.id), 10)) WHERE host.entity.relationships.accesses_frequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.email), 10)) WHERE host.entity.relationships.accesses_frequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.name = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.name), 10)) WHERE host.entity.relationships.accesses_frequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.name), 10)) WHERE host.entity.relationships.accesses_frequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.service.name), 10)) WHERE host.entity.relationships.accesses_frequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.entity.id), 10)) WHERE host.entity.relationships.accesses_frequently.entity.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.id), 10)) WHERE host.entity.relationships.owns.host.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.id), 10)) WHERE host.entity.relationships.owns.user.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.email), 10)) WHERE host.entity.relationships.owns.user.email IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.name), 10)) WHERE host.entity.relationships.owns.host.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.name), 10)) WHERE host.entity.relationships.owns.user.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.service.name), 10)) WHERE 
host.entity.relationships.owns.service.name IS NOT NULL, + recent.entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.entity.id), 10)) WHERE host.entity.relationships.owns.entity.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.id), 10)) WHERE host.entity.relationships.supervises.host.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.id), 10)) WHERE host.entity.relationships.supervises.user.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.email), 10)) WHERE host.entity.relationships.supervises.user.email IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.name), 10)) WHERE host.entity.relationships.supervises.host.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.name), 10)) WHERE host.entity.relationships.supervises.user.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.service.name), 10)) WHERE host.entity.relationships.supervises.service.name IS NOT NULL, + recent.entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.entity.id), 10)) WHERE host.entity.relationships.supervises.entity.id IS NOT NULL, recent.entity.relationships.resolution.resolved_to = LAST(TO_STRING(host.entity.relationships.resolution.resolved_to), @timestamp) WHERE host.entity.relationships.resolution.resolved_to IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_level = 
LAST(TO_STRING(host.entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_level IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(host.entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_score IS NOT NULL, 
@@ -557,18 +822,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for host with entity.attributes.asset = COALESCE(recent.entity.attributes.asset, entity.attributes.asset), entity.attributes.managed = COALESCE(recent.entity.attributes.managed, entity.attributes.managed), entity.attributes.mfa_enabled = COALESCE(recent.entity.attributes.mfa_enabled, entity.attributes.mfa_enabled), + entity.attributes.storage_class = COALESCE(recent.entity.attributes.storage_class, entity.attributes.storage_class), + entity.attributes.permissions = MV_SLICE(MV_UNION(recent.entity.attributes.permissions, entity.attributes.permissions), 0, 9), + entity.attributes.known_redirects = MV_SLICE(MV_UNION(recent.entity.attributes.known_redirects, entity.attributes.known_redirects), 0, 9), + entity.attributes.oauth_consent_restriction = COALESCE(recent.entity.attributes.oauth_consent_restriction, entity.attributes.oauth_consent_restriction), entity.lifecycle.first_seen = COALESCE(entity.lifecycle.first_seen, recent.entity.lifecycle.first_seen), entity.lifecycle.last_seen = COALESCE(recent.entity.lifecycle.last_seen, entity.lifecycle.last_seen), entity.lifecycle.last_activity = COALESCE(recent.entity.lifecycle.last_activity, entity.lifecycle.last_activity), entity.behaviors.rule_names = MV_SLICE(MV_UNION(recent.entity.behaviors.rule_names, entity.behaviors.rule_names), 0, 99), entity.behaviors.anomaly_job_ids = MV_SLICE(MV_UNION(recent.entity.behaviors.anomaly_job_ids, entity.behaviors.anomaly_job_ids), 0, 99), - entity.relationships.communicates_with = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with, entity.relationships.communicates_with), 0, 49), - entity.relationships.depends_on = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on, entity.relationships.depends_on), 0, 9), - entity.relationships.owns_inferred = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred, entity.relationships.owns_inferred), 0, 9), - 
entity.relationships.accesses_infrequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently, entity.relationships.accesses_infrequently), 0, 9), - entity.relationships.accesses_frequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently, entity.relationships.accesses_frequently), 0, 9), - entity.relationships.owns = MV_SLICE(MV_UNION(recent.entity.relationships.owns, entity.relationships.owns), 0, 9), - entity.relationships.supervises = MV_SLICE(MV_UNION(recent.entity.relationships.supervises, entity.relationships.supervises), 0, 9), + entity.relationships.administers.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.id, entity.relationships.administers.raw_identifiers.host.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.id, entity.relationships.administers.raw_identifiers.user.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.email, entity.relationships.administers.raw_identifiers.user.email), 0, 9), + entity.relationships.administers.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.name, entity.relationships.administers.raw_identifiers.host.name), 0, 9), + entity.relationships.administers.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.name, entity.relationships.administers.raw_identifiers.user.name), 0, 9), + entity.relationships.administers.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.service.name, entity.relationships.administers.raw_identifiers.service.name), 0, 9), + entity.relationships.administers.ids = MV_SLICE(MV_UNION(recent.entity.relationships.administers.ids, 
entity.relationships.administers.ids), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.id, entity.relationships.communicates_with.raw_identifiers.host.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.id, entity.relationships.communicates_with.raw_identifiers.user.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.email, entity.relationships.communicates_with.raw_identifiers.user.email), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.name, entity.relationships.communicates_with.raw_identifiers.host.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.name, entity.relationships.communicates_with.raw_identifiers.user.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.service.name, entity.relationships.communicates_with.raw_identifiers.service.name), 0, 9), + entity.relationships.communicates_with.ids = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.ids, entity.relationships.communicates_with.ids), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.id, entity.relationships.depends_on.raw_identifiers.host.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.id, 
entity.relationships.depends_on.raw_identifiers.user.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.email, entity.relationships.depends_on.raw_identifiers.user.email), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.name, entity.relationships.depends_on.raw_identifiers.host.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.name, entity.relationships.depends_on.raw_identifiers.user.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.service.name, entity.relationships.depends_on.raw_identifiers.service.name), 0, 9), + entity.relationships.depends_on.ids = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.ids, entity.relationships.depends_on.ids), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.id, entity.relationships.owns_inferred.raw_identifiers.host.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.id, entity.relationships.owns_inferred.raw_identifiers.user.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.email, entity.relationships.owns_inferred.raw_identifiers.user.email), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.name, entity.relationships.owns_inferred.raw_identifiers.host.name), 0, 9), + 
entity.relationships.owns_inferred.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.name, entity.relationships.owns_inferred.raw_identifiers.user.name), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.service.name, entity.relationships.owns_inferred.raw_identifiers.service.name), 0, 9), + entity.relationships.owns_inferred.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.ids, entity.relationships.owns_inferred.ids), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id, entity.relationships.accesses_infrequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id, entity.relationships.accesses_infrequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email, entity.relationships.accesses_infrequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name, entity.relationships.accesses_infrequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name, entity.relationships.accesses_infrequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.service.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name, entity.relationships.accesses_infrequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_infrequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.ids, entity.relationships.accesses_infrequently.ids), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.id, entity.relationships.accesses_frequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.id, entity.relationships.accesses_frequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.email, entity.relationships.accesses_frequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.name, entity.relationships.accesses_frequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.name, entity.relationships.accesses_frequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.service.name, entity.relationships.accesses_frequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_frequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.ids, entity.relationships.accesses_frequently.ids), 0, 9), + 
entity.relationships.owns.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.id, entity.relationships.owns.raw_identifiers.host.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.id, entity.relationships.owns.raw_identifiers.user.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.email, entity.relationships.owns.raw_identifiers.user.email), 0, 9), + entity.relationships.owns.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.name, entity.relationships.owns.raw_identifiers.host.name), 0, 9), + entity.relationships.owns.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.name, entity.relationships.owns.raw_identifiers.user.name), 0, 9), + entity.relationships.owns.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.service.name, entity.relationships.owns.raw_identifiers.service.name), 0, 9), + entity.relationships.owns.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns.ids, entity.relationships.owns.ids), 0, 9), + entity.relationships.supervises.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.id, entity.relationships.supervises.raw_identifiers.host.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.id, entity.relationships.supervises.raw_identifiers.user.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.email, entity.relationships.supervises.raw_identifiers.user.email), 0, 9), + entity.relationships.supervises.raw_identifiers.host.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.name, entity.relationships.supervises.raw_identifiers.host.name), 0, 9), + entity.relationships.supervises.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.name, entity.relationships.supervises.raw_identifiers.user.name), 0, 9), + entity.relationships.supervises.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.service.name, entity.relationships.supervises.raw_identifiers.service.name), 0, 9), + entity.relationships.supervises.ids = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.ids, entity.relationships.supervises.ids), 0, 9), entity.relationships.resolution.resolved_to = COALESCE(recent.entity.relationships.resolution.resolved_to, entity.relationships.resolution.resolved_to), entity.relationships.resolution.risk.calculated_level = COALESCE(recent.entity.relationships.resolution.risk.calculated_level, entity.relationships.resolution.risk.calculated_level), entity.relationships.resolution.risk.calculated_score = COALESCE(recent.entity.relationships.resolution.risk.calculated_score, entity.relationships.resolution.risk.calculated_score), 
@@ -677,18 +995,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for host with recent.entity.attributes.asset = LAST(TO_BOOLEAN(host.entity.attributes.asset), @timestamp) WHERE host.entity.attributes.asset IS NOT NULL, recent.entity.attributes.managed = LAST(TO_BOOLEAN(host.entity.attributes.managed), @timestamp) WHERE host.entity.attributes.managed IS NOT NULL, recent.entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(host.entity.attributes.mfa_enabled), @timestamp) WHERE host.entity.attributes.mfa_enabled IS NOT NULL, + recent.entity.attributes.storage_class = LAST(TO_STRING(host.entity.attributes.storage_class), @timestamp) WHERE host.entity.attributes.storage_class IS NOT NULL, + recent.entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.permissions), 10)) WHERE host.entity.attributes.permissions IS NOT NULL, + recent.entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(host.entity.attributes.known_redirects), 10)) WHERE host.entity.attributes.known_redirects IS NOT NULL, + recent.entity.attributes.oauth_consent_restriction = LAST(TO_STRING(host.entity.attributes.oauth_consent_restriction), @timestamp) WHERE host.entity.attributes.oauth_consent_restriction IS NOT NULL, recent.entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_activity = LAST(TO_DATETIME(host.entity.lifecycle.last_activity), @timestamp) WHERE host.entity.lifecycle.last_activity IS NOT NULL, recent.entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.rule_names), 100)) WHERE host.entity.behaviors.rule_names IS NOT NULL, recent.entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(host.entity.behaviors.anomaly_job_ids), 100)) WHERE host.entity.behaviors.anomaly_job_ids IS NOT NULL, - recent.entity.relationships.communicates_with = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with), 50)) WHERE host.entity.relationships.communicates_with IS NOT NULL, - recent.entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on), 10)) WHERE host.entity.relationships.depends_on IS NOT NULL, - recent.entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred), 10)) WHERE host.entity.relationships.owns_inferred IS NOT NULL, - recent.entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently), 10)) WHERE host.entity.relationships.accesses_infrequently IS NOT NULL, - recent.entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently), 10)) WHERE host.entity.relationships.accesses_frequently IS NOT NULL, - recent.entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns), 10)) WHERE host.entity.relationships.owns IS NOT NULL, - recent.entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises), 10)) WHERE host.entity.relationships.supervises IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.id), 10)) WHERE host.entity.relationships.administers.host.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.id), 10)) WHERE host.entity.relationships.administers.user.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.email), 10)) WHERE host.entity.relationships.administers.user.email IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.host.name), 10)) WHERE 
host.entity.relationships.administers.host.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.user.name), 10)) WHERE host.entity.relationships.administers.user.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.service.name), 10)) WHERE host.entity.relationships.administers.service.name IS NOT NULL, + recent.entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.administers.entity.id), 10)) WHERE host.entity.relationships.administers.entity.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.id), 10)) WHERE host.entity.relationships.communicates_with.host.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.id), 10)) WHERE host.entity.relationships.communicates_with.user.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.email), 10)) WHERE host.entity.relationships.communicates_with.user.email IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.host.name), 10)) WHERE host.entity.relationships.communicates_with.host.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.user.name), 10)) WHERE host.entity.relationships.communicates_with.user.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.service.name = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.service.name), 10)) WHERE host.entity.relationships.communicates_with.service.name IS NOT NULL, + recent.entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.communicates_with.entity.id), 10)) WHERE host.entity.relationships.communicates_with.entity.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.id), 10)) WHERE host.entity.relationships.depends_on.host.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.id), 10)) WHERE host.entity.relationships.depends_on.user.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.email), 10)) WHERE host.entity.relationships.depends_on.user.email IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.host.name), 10)) WHERE host.entity.relationships.depends_on.host.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.user.name), 10)) WHERE host.entity.relationships.depends_on.user.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.service.name), 10)) WHERE host.entity.relationships.depends_on.service.name IS NOT NULL, + recent.entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.depends_on.entity.id), 10)) WHERE host.entity.relationships.depends_on.entity.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.id), 10)) WHERE 
host.entity.relationships.owns_inferred.host.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.id), 10)) WHERE host.entity.relationships.owns_inferred.user.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.email), 10)) WHERE host.entity.relationships.owns_inferred.user.email IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.host.name), 10)) WHERE host.entity.relationships.owns_inferred.host.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.user.name), 10)) WHERE host.entity.relationships.owns_inferred.user.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.service.name), 10)) WHERE host.entity.relationships.owns_inferred.service.name IS NOT NULL, + recent.entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns_inferred.entity.id), 10)) WHERE host.entity.relationships.owns_inferred.entity.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.id), 10)) WHERE host.entity.relationships.accesses_infrequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.id), 10)) WHERE host.entity.relationships.accesses_infrequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.email), 10)) WHERE host.entity.relationships.accesses_infrequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.host.name), 10)) WHERE host.entity.relationships.accesses_infrequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.user.name), 10)) WHERE host.entity.relationships.accesses_infrequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.service.name), 10)) WHERE host.entity.relationships.accesses_infrequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_infrequently.entity.id), 10)) WHERE host.entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.id), 10)) WHERE host.entity.relationships.accesses_frequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.id), 10)) WHERE host.entity.relationships.accesses_frequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.email), 10)) WHERE host.entity.relationships.accesses_frequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.name = 
MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.host.name), 10)) WHERE host.entity.relationships.accesses_frequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.user.name), 10)) WHERE host.entity.relationships.accesses_frequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.service.name), 10)) WHERE host.entity.relationships.accesses_frequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.accesses_frequently.entity.id), 10)) WHERE host.entity.relationships.accesses_frequently.entity.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.id), 10)) WHERE host.entity.relationships.owns.host.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.id), 10)) WHERE host.entity.relationships.owns.user.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.email), 10)) WHERE host.entity.relationships.owns.user.email IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.host.name), 10)) WHERE host.entity.relationships.owns.host.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.user.name), 10)) WHERE host.entity.relationships.owns.user.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.service.name), 10)) WHERE 
host.entity.relationships.owns.service.name IS NOT NULL, + recent.entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.owns.entity.id), 10)) WHERE host.entity.relationships.owns.entity.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.id), 10)) WHERE host.entity.relationships.supervises.host.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.id), 10)) WHERE host.entity.relationships.supervises.user.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.email), 10)) WHERE host.entity.relationships.supervises.user.email IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.host.name), 10)) WHERE host.entity.relationships.supervises.host.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.user.name), 10)) WHERE host.entity.relationships.supervises.user.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.service.name), 10)) WHERE host.entity.relationships.supervises.service.name IS NOT NULL, + recent.entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(host.entity.relationships.supervises.entity.id), 10)) WHERE host.entity.relationships.supervises.entity.id IS NOT NULL, recent.entity.relationships.resolution.resolved_to = LAST(TO_STRING(host.entity.relationships.resolution.resolved_to), @timestamp) WHERE host.entity.relationships.resolution.resolved_to IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_level = 
LAST(TO_STRING(host.entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_level IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(host.entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE host.entity.relationships.resolution.risk.calculated_score IS NOT NULL, 
@@ -769,18 +1140,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for host with entity.attributes.asset = COALESCE(recent.entity.attributes.asset, entity.attributes.asset), entity.attributes.managed = COALESCE(recent.entity.attributes.managed, entity.attributes.managed), entity.attributes.mfa_enabled = COALESCE(recent.entity.attributes.mfa_enabled, entity.attributes.mfa_enabled), + entity.attributes.storage_class = COALESCE(recent.entity.attributes.storage_class, entity.attributes.storage_class), + entity.attributes.permissions = MV_SLICE(MV_UNION(recent.entity.attributes.permissions, entity.attributes.permissions), 0, 9), + entity.attributes.known_redirects = MV_SLICE(MV_UNION(recent.entity.attributes.known_redirects, entity.attributes.known_redirects), 0, 9), + entity.attributes.oauth_consent_restriction = COALESCE(recent.entity.attributes.oauth_consent_restriction, entity.attributes.oauth_consent_restriction), entity.lifecycle.first_seen = COALESCE(entity.lifecycle.first_seen, recent.entity.lifecycle.first_seen), entity.lifecycle.last_seen = COALESCE(recent.entity.lifecycle.last_seen, entity.lifecycle.last_seen), entity.lifecycle.last_activity = COALESCE(recent.entity.lifecycle.last_activity, entity.lifecycle.last_activity), entity.behaviors.rule_names = MV_SLICE(MV_UNION(recent.entity.behaviors.rule_names, entity.behaviors.rule_names), 0, 99), entity.behaviors.anomaly_job_ids = MV_SLICE(MV_UNION(recent.entity.behaviors.anomaly_job_ids, entity.behaviors.anomaly_job_ids), 0, 99), - entity.relationships.communicates_with = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with, entity.relationships.communicates_with), 0, 49), - entity.relationships.depends_on = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on, entity.relationships.depends_on), 0, 9), - entity.relationships.owns_inferred = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred, entity.relationships.owns_inferred), 0, 9), - 
entity.relationships.accesses_infrequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently, entity.relationships.accesses_infrequently), 0, 9), - entity.relationships.accesses_frequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently, entity.relationships.accesses_frequently), 0, 9), - entity.relationships.owns = MV_SLICE(MV_UNION(recent.entity.relationships.owns, entity.relationships.owns), 0, 9), - entity.relationships.supervises = MV_SLICE(MV_UNION(recent.entity.relationships.supervises, entity.relationships.supervises), 0, 9), + entity.relationships.administers.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.id, entity.relationships.administers.raw_identifiers.host.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.id, entity.relationships.administers.raw_identifiers.user.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.email, entity.relationships.administers.raw_identifiers.user.email), 0, 9), + entity.relationships.administers.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.name, entity.relationships.administers.raw_identifiers.host.name), 0, 9), + entity.relationships.administers.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.name, entity.relationships.administers.raw_identifiers.user.name), 0, 9), + entity.relationships.administers.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.service.name, entity.relationships.administers.raw_identifiers.service.name), 0, 9), + entity.relationships.administers.ids = MV_SLICE(MV_UNION(recent.entity.relationships.administers.ids, 
entity.relationships.administers.ids), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.id, entity.relationships.communicates_with.raw_identifiers.host.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.id, entity.relationships.communicates_with.raw_identifiers.user.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.email, entity.relationships.communicates_with.raw_identifiers.user.email), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.name, entity.relationships.communicates_with.raw_identifiers.host.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.name, entity.relationships.communicates_with.raw_identifiers.user.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.service.name, entity.relationships.communicates_with.raw_identifiers.service.name), 0, 9), + entity.relationships.communicates_with.ids = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.ids, entity.relationships.communicates_with.ids), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.id, entity.relationships.depends_on.raw_identifiers.host.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.id, 
entity.relationships.depends_on.raw_identifiers.user.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.email, entity.relationships.depends_on.raw_identifiers.user.email), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.name, entity.relationships.depends_on.raw_identifiers.host.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.name, entity.relationships.depends_on.raw_identifiers.user.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.service.name, entity.relationships.depends_on.raw_identifiers.service.name), 0, 9), + entity.relationships.depends_on.ids = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.ids, entity.relationships.depends_on.ids), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.id, entity.relationships.owns_inferred.raw_identifiers.host.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.id, entity.relationships.owns_inferred.raw_identifiers.user.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.email, entity.relationships.owns_inferred.raw_identifiers.user.email), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.name, entity.relationships.owns_inferred.raw_identifiers.host.name), 0, 9), + 
entity.relationships.owns_inferred.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.name, entity.relationships.owns_inferred.raw_identifiers.user.name), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.service.name, entity.relationships.owns_inferred.raw_identifiers.service.name), 0, 9), + entity.relationships.owns_inferred.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.ids, entity.relationships.owns_inferred.ids), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id, entity.relationships.accesses_infrequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id, entity.relationships.accesses_infrequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email, entity.relationships.accesses_infrequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name, entity.relationships.accesses_infrequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name, entity.relationships.accesses_infrequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.service.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name, entity.relationships.accesses_infrequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_infrequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.ids, entity.relationships.accesses_infrequently.ids), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.id, entity.relationships.accesses_frequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.id, entity.relationships.accesses_frequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.email, entity.relationships.accesses_frequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.name, entity.relationships.accesses_frequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.name, entity.relationships.accesses_frequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.service.name, entity.relationships.accesses_frequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_frequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.ids, entity.relationships.accesses_frequently.ids), 0, 9), + 
entity.relationships.owns.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.id, entity.relationships.owns.raw_identifiers.host.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.id, entity.relationships.owns.raw_identifiers.user.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.email, entity.relationships.owns.raw_identifiers.user.email), 0, 9), + entity.relationships.owns.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.name, entity.relationships.owns.raw_identifiers.host.name), 0, 9), + entity.relationships.owns.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.name, entity.relationships.owns.raw_identifiers.user.name), 0, 9), + entity.relationships.owns.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.service.name, entity.relationships.owns.raw_identifiers.service.name), 0, 9), + entity.relationships.owns.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns.ids, entity.relationships.owns.ids), 0, 9), + entity.relationships.supervises.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.id, entity.relationships.supervises.raw_identifiers.host.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.id, entity.relationships.supervises.raw_identifiers.user.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.email, entity.relationships.supervises.raw_identifiers.user.email), 0, 9), + entity.relationships.supervises.raw_identifiers.host.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.name, entity.relationships.supervises.raw_identifiers.host.name), 0, 9), + entity.relationships.supervises.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.name, entity.relationships.supervises.raw_identifiers.user.name), 0, 9), + entity.relationships.supervises.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.service.name, entity.relationships.supervises.raw_identifiers.service.name), 0, 9), + entity.relationships.supervises.ids = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.ids, entity.relationships.supervises.ids), 0, 9), entity.relationships.resolution.resolved_to = COALESCE(recent.entity.relationships.resolution.resolved_to, entity.relationships.resolution.resolved_to), entity.relationships.resolution.risk.calculated_level = COALESCE(recent.entity.relationships.resolution.risk.calculated_level, entity.relationships.resolution.risk.calculated_level), entity.relationships.resolution.risk.calculated_score = COALESCE(recent.entity.relationships.resolution.risk.calculated_score, entity.relationships.resolution.risk.calculated_score), 
@@ -856,18 +1280,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for service e recent.entity.attributes.asset = LAST(TO_BOOLEAN(service.entity.attributes.asset), @timestamp) WHERE service.entity.attributes.asset IS NOT NULL, recent.entity.attributes.managed = LAST(TO_BOOLEAN(service.entity.attributes.managed), @timestamp) WHERE service.entity.attributes.managed IS NOT NULL, recent.entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(service.entity.attributes.mfa_enabled), @timestamp) WHERE service.entity.attributes.mfa_enabled IS NOT NULL, + recent.entity.attributes.storage_class = LAST(TO_STRING(service.entity.attributes.storage_class), @timestamp) WHERE service.entity.attributes.storage_class IS NOT NULL, + recent.entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(service.entity.attributes.permissions), 10)) WHERE service.entity.attributes.permissions IS NOT NULL, + recent.entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(service.entity.attributes.known_redirects), 10)) WHERE service.entity.attributes.known_redirects IS NOT NULL, + recent.entity.attributes.oauth_consent_restriction = LAST(TO_STRING(service.entity.attributes.oauth_consent_restriction), @timestamp) WHERE service.entity.attributes.oauth_consent_restriction IS NOT NULL, recent.entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_activity = LAST(TO_DATETIME(service.entity.lifecycle.last_activity), @timestamp) WHERE service.entity.lifecycle.last_activity IS NOT NULL, recent.entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(service.entity.behaviors.rule_names), 100)) WHERE service.entity.behaviors.rule_names IS NOT NULL, recent.entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(service.entity.behaviors.anomaly_job_ids), 100)) WHERE service.entity.behaviors.anomaly_job_ids 
IS NOT NULL, - recent.entity.relationships.communicates_with = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with), 50)) WHERE service.entity.relationships.communicates_with IS NOT NULL, - recent.entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on), 10)) WHERE service.entity.relationships.depends_on IS NOT NULL, - recent.entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred), 10)) WHERE service.entity.relationships.owns_inferred IS NOT NULL, - recent.entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently), 10)) WHERE service.entity.relationships.accesses_infrequently IS NOT NULL, - recent.entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently), 10)) WHERE service.entity.relationships.accesses_frequently IS NOT NULL, - recent.entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns), 10)) WHERE service.entity.relationships.owns IS NOT NULL, - recent.entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises), 10)) WHERE service.entity.relationships.supervises IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.administers.host.id), 10)) WHERE service.entity.relationships.administers.host.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.administers.user.id), 10)) WHERE service.entity.relationships.administers.user.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.administers.user.email), 10)) WHERE service.entity.relationships.administers.user.email IS NOT NULL, + 
recent.entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.administers.host.name), 10)) WHERE service.entity.relationships.administers.host.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.administers.user.name), 10)) WHERE service.entity.relationships.administers.user.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.administers.service.name), 10)) WHERE service.entity.relationships.administers.service.name IS NOT NULL, + recent.entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.administers.entity.id), 10)) WHERE service.entity.relationships.administers.entity.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with.host.id), 10)) WHERE service.entity.relationships.communicates_with.host.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with.user.id), 10)) WHERE service.entity.relationships.communicates_with.user.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with.user.email), 10)) WHERE service.entity.relationships.communicates_with.user.email IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with.host.name), 10)) WHERE service.entity.relationships.communicates_with.host.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with.user.name), 10)) WHERE 
service.entity.relationships.communicates_with.user.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with.service.name), 10)) WHERE service.entity.relationships.communicates_with.service.name IS NOT NULL, + recent.entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.communicates_with.entity.id), 10)) WHERE service.entity.relationships.communicates_with.entity.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on.host.id), 10)) WHERE service.entity.relationships.depends_on.host.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on.user.id), 10)) WHERE service.entity.relationships.depends_on.user.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on.user.email), 10)) WHERE service.entity.relationships.depends_on.user.email IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on.host.name), 10)) WHERE service.entity.relationships.depends_on.host.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on.user.name), 10)) WHERE service.entity.relationships.depends_on.user.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on.service.name), 10)) WHERE service.entity.relationships.depends_on.service.name IS NOT NULL, + recent.entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.depends_on.entity.id), 10)) WHERE 
service.entity.relationships.depends_on.entity.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred.host.id), 10)) WHERE service.entity.relationships.owns_inferred.host.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred.user.id), 10)) WHERE service.entity.relationships.owns_inferred.user.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred.user.email), 10)) WHERE service.entity.relationships.owns_inferred.user.email IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred.host.name), 10)) WHERE service.entity.relationships.owns_inferred.host.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred.user.name), 10)) WHERE service.entity.relationships.owns_inferred.user.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred.service.name), 10)) WHERE service.entity.relationships.owns_inferred.service.name IS NOT NULL, + recent.entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns_inferred.entity.id), 10)) WHERE service.entity.relationships.owns_inferred.entity.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently.host.id), 10)) WHERE service.entity.relationships.accesses_infrequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id = 
MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently.user.id), 10)) WHERE service.entity.relationships.accesses_infrequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently.user.email), 10)) WHERE service.entity.relationships.accesses_infrequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently.host.name), 10)) WHERE service.entity.relationships.accesses_infrequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently.user.name), 10)) WHERE service.entity.relationships.accesses_infrequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently.service.name), 10)) WHERE service.entity.relationships.accesses_infrequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_infrequently.entity.id), 10)) WHERE service.entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently.host.id), 10)) WHERE service.entity.relationships.accesses_frequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently.user.id), 10)) WHERE service.entity.relationships.accesses_frequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.email = 
MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently.user.email), 10)) WHERE service.entity.relationships.accesses_frequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently.host.name), 10)) WHERE service.entity.relationships.accesses_frequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently.user.name), 10)) WHERE service.entity.relationships.accesses_frequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently.service.name), 10)) WHERE service.entity.relationships.accesses_frequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.accesses_frequently.entity.id), 10)) WHERE service.entity.relationships.accesses_frequently.entity.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns.host.id), 10)) WHERE service.entity.relationships.owns.host.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns.user.id), 10)) WHERE service.entity.relationships.owns.user.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns.user.email), 10)) WHERE service.entity.relationships.owns.user.email IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns.host.name), 10)) WHERE service.entity.relationships.owns.host.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.name = 
MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns.user.name), 10)) WHERE service.entity.relationships.owns.user.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns.service.name), 10)) WHERE service.entity.relationships.owns.service.name IS NOT NULL, + recent.entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.owns.entity.id), 10)) WHERE service.entity.relationships.owns.entity.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises.host.id), 10)) WHERE service.entity.relationships.supervises.host.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises.user.id), 10)) WHERE service.entity.relationships.supervises.user.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises.user.email), 10)) WHERE service.entity.relationships.supervises.user.email IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises.host.name), 10)) WHERE service.entity.relationships.supervises.host.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises.user.name), 10)) WHERE service.entity.relationships.supervises.user.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises.service.name), 10)) WHERE service.entity.relationships.supervises.service.name IS NOT NULL, + recent.entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(service.entity.relationships.supervises.entity.id), 10)) WHERE 
service.entity.relationships.supervises.entity.id IS NOT NULL, recent.entity.relationships.resolution.resolved_to = LAST(TO_STRING(service.entity.relationships.resolution.resolved_to), @timestamp) WHERE service.entity.relationships.resolution.resolved_to IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_level = LAST(TO_STRING(service.entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE service.entity.relationships.resolution.risk.calculated_level IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(service.entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE service.entity.relationships.resolution.risk.calculated_score IS NOT NULL, 
@@ -914,18 +1391,71 @@ exports[`buildLogsExtractionEsqlQuery generates the expected query for service e entity.attributes.asset = COALESCE(recent.entity.attributes.asset, entity.attributes.asset), entity.attributes.managed = COALESCE(recent.entity.attributes.managed, entity.attributes.managed), entity.attributes.mfa_enabled = COALESCE(recent.entity.attributes.mfa_enabled, entity.attributes.mfa_enabled), + entity.attributes.storage_class = COALESCE(recent.entity.attributes.storage_class, entity.attributes.storage_class), + entity.attributes.permissions = MV_SLICE(MV_UNION(recent.entity.attributes.permissions, entity.attributes.permissions), 0, 9), + entity.attributes.known_redirects = MV_SLICE(MV_UNION(recent.entity.attributes.known_redirects, entity.attributes.known_redirects), 0, 9), + entity.attributes.oauth_consent_restriction = COALESCE(recent.entity.attributes.oauth_consent_restriction, entity.attributes.oauth_consent_restriction), entity.lifecycle.first_seen = COALESCE(entity.lifecycle.first_seen, recent.entity.lifecycle.first_seen), entity.lifecycle.last_seen = COALESCE(recent.entity.lifecycle.last_seen, entity.lifecycle.last_seen), entity.lifecycle.last_activity = COALESCE(recent.entity.lifecycle.last_activity, entity.lifecycle.last_activity), entity.behaviors.rule_names = MV_SLICE(MV_UNION(recent.entity.behaviors.rule_names, entity.behaviors.rule_names), 0, 99), entity.behaviors.anomaly_job_ids = MV_SLICE(MV_UNION(recent.entity.behaviors.anomaly_job_ids, entity.behaviors.anomaly_job_ids), 0, 99), - entity.relationships.communicates_with = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with, entity.relationships.communicates_with), 0, 49), - entity.relationships.depends_on = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on, entity.relationships.depends_on), 0, 9), - entity.relationships.owns_inferred = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred, entity.relationships.owns_inferred), 0, 9), - 
entity.relationships.accesses_infrequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently, entity.relationships.accesses_infrequently), 0, 9), - entity.relationships.accesses_frequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently, entity.relationships.accesses_frequently), 0, 9), - entity.relationships.owns = MV_SLICE(MV_UNION(recent.entity.relationships.owns, entity.relationships.owns), 0, 9), - entity.relationships.supervises = MV_SLICE(MV_UNION(recent.entity.relationships.supervises, entity.relationships.supervises), 0, 9), + entity.relationships.administers.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.id, entity.relationships.administers.raw_identifiers.host.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.id, entity.relationships.administers.raw_identifiers.user.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.email, entity.relationships.administers.raw_identifiers.user.email), 0, 9), + entity.relationships.administers.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.name, entity.relationships.administers.raw_identifiers.host.name), 0, 9), + entity.relationships.administers.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.name, entity.relationships.administers.raw_identifiers.user.name), 0, 9), + entity.relationships.administers.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.service.name, entity.relationships.administers.raw_identifiers.service.name), 0, 9), + entity.relationships.administers.ids = MV_SLICE(MV_UNION(recent.entity.relationships.administers.ids, 
entity.relationships.administers.ids), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.id, entity.relationships.communicates_with.raw_identifiers.host.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.id, entity.relationships.communicates_with.raw_identifiers.user.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.email, entity.relationships.communicates_with.raw_identifiers.user.email), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.name, entity.relationships.communicates_with.raw_identifiers.host.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.name, entity.relationships.communicates_with.raw_identifiers.user.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.service.name, entity.relationships.communicates_with.raw_identifiers.service.name), 0, 9), + entity.relationships.communicates_with.ids = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.ids, entity.relationships.communicates_with.ids), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.id, entity.relationships.depends_on.raw_identifiers.host.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.id, 
entity.relationships.depends_on.raw_identifiers.user.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.email, entity.relationships.depends_on.raw_identifiers.user.email), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.name, entity.relationships.depends_on.raw_identifiers.host.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.name, entity.relationships.depends_on.raw_identifiers.user.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.service.name, entity.relationships.depends_on.raw_identifiers.service.name), 0, 9), + entity.relationships.depends_on.ids = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.ids, entity.relationships.depends_on.ids), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.id, entity.relationships.owns_inferred.raw_identifiers.host.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.id, entity.relationships.owns_inferred.raw_identifiers.user.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.email, entity.relationships.owns_inferred.raw_identifiers.user.email), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.name, entity.relationships.owns_inferred.raw_identifiers.host.name), 0, 9), + 
entity.relationships.owns_inferred.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.name, entity.relationships.owns_inferred.raw_identifiers.user.name), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.service.name, entity.relationships.owns_inferred.raw_identifiers.service.name), 0, 9), + entity.relationships.owns_inferred.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.ids, entity.relationships.owns_inferred.ids), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id, entity.relationships.accesses_infrequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id, entity.relationships.accesses_infrequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email, entity.relationships.accesses_infrequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name, entity.relationships.accesses_infrequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name, entity.relationships.accesses_infrequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.service.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name, entity.relationships.accesses_infrequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_infrequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.ids, entity.relationships.accesses_infrequently.ids), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.id, entity.relationships.accesses_frequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.id, entity.relationships.accesses_frequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.email, entity.relationships.accesses_frequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.name, entity.relationships.accesses_frequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.name, entity.relationships.accesses_frequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.service.name, entity.relationships.accesses_frequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_frequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.ids, entity.relationships.accesses_frequently.ids), 0, 9), + 
entity.relationships.owns.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.id, entity.relationships.owns.raw_identifiers.host.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.id, entity.relationships.owns.raw_identifiers.user.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.email, entity.relationships.owns.raw_identifiers.user.email), 0, 9), + entity.relationships.owns.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.name, entity.relationships.owns.raw_identifiers.host.name), 0, 9), + entity.relationships.owns.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.name, entity.relationships.owns.raw_identifiers.user.name), 0, 9), + entity.relationships.owns.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.service.name, entity.relationships.owns.raw_identifiers.service.name), 0, 9), + entity.relationships.owns.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns.ids, entity.relationships.owns.ids), 0, 9), + entity.relationships.supervises.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.id, entity.relationships.supervises.raw_identifiers.host.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.id, entity.relationships.supervises.raw_identifiers.user.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.email, entity.relationships.supervises.raw_identifiers.user.email), 0, 9), + entity.relationships.supervises.raw_identifiers.host.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.name, entity.relationships.supervises.raw_identifiers.host.name), 0, 9), + entity.relationships.supervises.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.name, entity.relationships.supervises.raw_identifiers.user.name), 0, 9), + entity.relationships.supervises.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.service.name, entity.relationships.supervises.raw_identifiers.service.name), 0, 9), + entity.relationships.supervises.ids = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.ids, entity.relationships.supervises.ids), 0, 9), entity.relationships.resolution.resolved_to = COALESCE(recent.entity.relationships.resolution.resolved_to, entity.relationships.resolution.resolved_to), entity.relationships.resolution.risk.calculated_level = COALESCE(recent.entity.relationships.resolution.risk.calculated_level, entity.relationships.resolution.risk.calculated_level), entity.relationships.resolution.risk.calculated_score = COALESCE(recent.entity.relationships.resolution.risk.calculated_score, entity.relationships.resolution.risk.calculated_score), 
@@ -1010,18 +1540,71 @@ true, CASE((user.email IS NOT NULL AND user.email != \\"\\" AND entity.namespace recent.entity.attributes.asset = LAST(TO_BOOLEAN(user.entity.attributes.asset), @timestamp) WHERE user.entity.attributes.asset IS NOT NULL, recent.entity.attributes.managed = LAST(TO_BOOLEAN(user.entity.attributes.managed), @timestamp) WHERE user.entity.attributes.managed IS NOT NULL, recent.entity.attributes.mfa_enabled = LAST(TO_BOOLEAN(user.entity.attributes.mfa_enabled), @timestamp) WHERE user.entity.attributes.mfa_enabled IS NOT NULL, + recent.entity.attributes.storage_class = LAST(TO_STRING(user.entity.attributes.storage_class), @timestamp) WHERE user.entity.attributes.storage_class IS NOT NULL, + recent.entity.attributes.permissions = MV_DEDUPE(TOP(TO_STRING(user.entity.attributes.permissions), 10)) WHERE user.entity.attributes.permissions IS NOT NULL, + recent.entity.attributes.known_redirects = MV_DEDUPE(TOP(TO_STRING(user.entity.attributes.known_redirects), 10)) WHERE user.entity.attributes.known_redirects IS NOT NULL, + recent.entity.attributes.oauth_consent_restriction = LAST(TO_STRING(user.entity.attributes.oauth_consent_restriction), @timestamp) WHERE user.entity.attributes.oauth_consent_restriction IS NOT NULL, recent.entity.lifecycle.first_seen = FIRST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_seen = LAST(TO_DATETIME(@timestamp), @timestamp) WHERE @timestamp IS NOT NULL, recent.entity.lifecycle.last_activity = LAST(TO_DATETIME(user.entity.lifecycle.last_activity), @timestamp) WHERE user.entity.lifecycle.last_activity IS NOT NULL, recent.entity.behaviors.rule_names = MV_DEDUPE(TOP(TO_STRING(user.entity.behaviors.rule_names), 100)) WHERE user.entity.behaviors.rule_names IS NOT NULL, recent.entity.behaviors.anomaly_job_ids = MV_DEDUPE(TOP(TO_STRING(user.entity.behaviors.anomaly_job_ids), 100)) WHERE user.entity.behaviors.anomaly_job_ids IS NOT NULL, - recent.entity.relationships.communicates_with 
= MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with), 50)) WHERE user.entity.relationships.communicates_with IS NOT NULL, - recent.entity.relationships.depends_on = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on), 10)) WHERE user.entity.relationships.depends_on IS NOT NULL, - recent.entity.relationships.owns_inferred = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred), 10)) WHERE user.entity.relationships.owns_inferred IS NOT NULL, - recent.entity.relationships.accesses_infrequently = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently), 10)) WHERE user.entity.relationships.accesses_infrequently IS NOT NULL, - recent.entity.relationships.accesses_frequently = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently), 10)) WHERE user.entity.relationships.accesses_frequently IS NOT NULL, - recent.entity.relationships.owns = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns), 10)) WHERE user.entity.relationships.owns IS NOT NULL, - recent.entity.relationships.supervises = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises), 10)) WHERE user.entity.relationships.supervises IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.host.id), 10)) WHERE user.entity.relationships.administers.host.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.user.id), 10)) WHERE user.entity.relationships.administers.user.id IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.user.email), 10)) WHERE user.entity.relationships.administers.user.email IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.host.name), 10)) WHERE 
user.entity.relationships.administers.host.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.user.name), 10)) WHERE user.entity.relationships.administers.user.name IS NOT NULL, + recent.entity.relationships.administers.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.service.name), 10)) WHERE user.entity.relationships.administers.service.name IS NOT NULL, + recent.entity.relationships.administers.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.administers.entity.id), 10)) WHERE user.entity.relationships.administers.entity.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.host.id), 10)) WHERE user.entity.relationships.communicates_with.host.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.user.id), 10)) WHERE user.entity.relationships.communicates_with.user.id IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.user.email), 10)) WHERE user.entity.relationships.communicates_with.user.email IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.host.name), 10)) WHERE user.entity.relationships.communicates_with.host.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.user.name), 10)) WHERE user.entity.relationships.communicates_with.user.name IS NOT NULL, + recent.entity.relationships.communicates_with.raw_identifiers.service.name = 
MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.service.name), 10)) WHERE user.entity.relationships.communicates_with.service.name IS NOT NULL, + recent.entity.relationships.communicates_with.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.communicates_with.entity.id), 10)) WHERE user.entity.relationships.communicates_with.entity.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.host.id), 10)) WHERE user.entity.relationships.depends_on.host.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.user.id), 10)) WHERE user.entity.relationships.depends_on.user.id IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.user.email), 10)) WHERE user.entity.relationships.depends_on.user.email IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.host.name), 10)) WHERE user.entity.relationships.depends_on.host.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.user.name), 10)) WHERE user.entity.relationships.depends_on.user.name IS NOT NULL, + recent.entity.relationships.depends_on.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.service.name), 10)) WHERE user.entity.relationships.depends_on.service.name IS NOT NULL, + recent.entity.relationships.depends_on.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.depends_on.entity.id), 10)) WHERE user.entity.relationships.depends_on.entity.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.host.id), 10)) WHERE 
user.entity.relationships.owns_inferred.host.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.user.id), 10)) WHERE user.entity.relationships.owns_inferred.user.id IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.user.email), 10)) WHERE user.entity.relationships.owns_inferred.user.email IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.host.name), 10)) WHERE user.entity.relationships.owns_inferred.host.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.user.name), 10)) WHERE user.entity.relationships.owns_inferred.user.name IS NOT NULL, + recent.entity.relationships.owns_inferred.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.service.name), 10)) WHERE user.entity.relationships.owns_inferred.service.name IS NOT NULL, + recent.entity.relationships.owns_inferred.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns_inferred.entity.id), 10)) WHERE user.entity.relationships.owns_inferred.entity.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.host.id), 10)) WHERE user.entity.relationships.accesses_infrequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.user.id), 10)) WHERE user.entity.relationships.accesses_infrequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email = 
MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.user.email), 10)) WHERE user.entity.relationships.accesses_infrequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.host.name), 10)) WHERE user.entity.relationships.accesses_infrequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.user.name), 10)) WHERE user.entity.relationships.accesses_infrequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.service.name), 10)) WHERE user.entity.relationships.accesses_infrequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_infrequently.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_infrequently.entity.id), 10)) WHERE user.entity.relationships.accesses_infrequently.entity.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.host.id), 10)) WHERE user.entity.relationships.accesses_frequently.host.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.user.id), 10)) WHERE user.entity.relationships.accesses_frequently.user.id IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.user.email), 10)) WHERE user.entity.relationships.accesses_frequently.user.email IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.host.name = 
MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.host.name), 10)) WHERE user.entity.relationships.accesses_frequently.host.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.user.name), 10)) WHERE user.entity.relationships.accesses_frequently.user.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.service.name), 10)) WHERE user.entity.relationships.accesses_frequently.service.name IS NOT NULL, + recent.entity.relationships.accesses_frequently.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.accesses_frequently.entity.id), 10)) WHERE user.entity.relationships.accesses_frequently.entity.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.host.id), 10)) WHERE user.entity.relationships.owns.host.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.user.id), 10)) WHERE user.entity.relationships.owns.user.id IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.user.email), 10)) WHERE user.entity.relationships.owns.user.email IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.host.name), 10)) WHERE user.entity.relationships.owns.host.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.user.name), 10)) WHERE user.entity.relationships.owns.user.name IS NOT NULL, + recent.entity.relationships.owns.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.service.name), 10)) WHERE 
user.entity.relationships.owns.service.name IS NOT NULL, + recent.entity.relationships.owns.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.owns.entity.id), 10)) WHERE user.entity.relationships.owns.entity.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.host.id), 10)) WHERE user.entity.relationships.supervises.host.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.id = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.user.id), 10)) WHERE user.entity.relationships.supervises.user.id IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.email = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.user.email), 10)) WHERE user.entity.relationships.supervises.user.email IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.host.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.host.name), 10)) WHERE user.entity.relationships.supervises.host.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.user.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.user.name), 10)) WHERE user.entity.relationships.supervises.user.name IS NOT NULL, + recent.entity.relationships.supervises.raw_identifiers.service.name = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.service.name), 10)) WHERE user.entity.relationships.supervises.service.name IS NOT NULL, + recent.entity.relationships.supervises.ids = MV_DEDUPE(TOP(TO_STRING(user.entity.relationships.supervises.entity.id), 10)) WHERE user.entity.relationships.supervises.entity.id IS NOT NULL, recent.entity.relationships.resolution.resolved_to = LAST(TO_STRING(user.entity.relationships.resolution.resolved_to), @timestamp) WHERE user.entity.relationships.resolution.resolved_to IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_level = 
LAST(TO_STRING(user.entity.relationships.resolution.risk.calculated_level), @timestamp) WHERE user.entity.relationships.resolution.risk.calculated_level IS NOT NULL, recent.entity.relationships.resolution.risk.calculated_score = LAST(TO_DOUBLE(user.entity.relationships.resolution.risk.calculated_score), @timestamp) WHERE user.entity.relationships.resolution.risk.calculated_score IS NOT NULL, 
@@ -1081,18 +1664,71 @@ true, CASE((user.email IS NOT NULL AND user.email != \\"\\" AND entity.namespace entity.attributes.asset = COALESCE(recent.entity.attributes.asset, entity.attributes.asset), entity.attributes.managed = COALESCE(recent.entity.attributes.managed, entity.attributes.managed), entity.attributes.mfa_enabled = COALESCE(recent.entity.attributes.mfa_enabled, entity.attributes.mfa_enabled), + entity.attributes.storage_class = COALESCE(recent.entity.attributes.storage_class, entity.attributes.storage_class), + entity.attributes.permissions = MV_SLICE(MV_UNION(recent.entity.attributes.permissions, entity.attributes.permissions), 0, 9), + entity.attributes.known_redirects = MV_SLICE(MV_UNION(recent.entity.attributes.known_redirects, entity.attributes.known_redirects), 0, 9), + entity.attributes.oauth_consent_restriction = COALESCE(recent.entity.attributes.oauth_consent_restriction, entity.attributes.oauth_consent_restriction), entity.lifecycle.first_seen = COALESCE(entity.lifecycle.first_seen, recent.entity.lifecycle.first_seen), entity.lifecycle.last_seen = COALESCE(recent.entity.lifecycle.last_seen, entity.lifecycle.last_seen), entity.lifecycle.last_activity = COALESCE(recent.entity.lifecycle.last_activity, entity.lifecycle.last_activity), entity.behaviors.rule_names = MV_SLICE(MV_UNION(recent.entity.behaviors.rule_names, entity.behaviors.rule_names), 0, 99), entity.behaviors.anomaly_job_ids = MV_SLICE(MV_UNION(recent.entity.behaviors.anomaly_job_ids, entity.behaviors.anomaly_job_ids), 0, 99), - entity.relationships.communicates_with = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with, entity.relationships.communicates_with), 0, 49), - entity.relationships.depends_on = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on, entity.relationships.depends_on), 0, 9), - entity.relationships.owns_inferred = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred, entity.relationships.owns_inferred), 0, 9), - 
entity.relationships.accesses_infrequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently, entity.relationships.accesses_infrequently), 0, 9), - entity.relationships.accesses_frequently = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently, entity.relationships.accesses_frequently), 0, 9), - entity.relationships.owns = MV_SLICE(MV_UNION(recent.entity.relationships.owns, entity.relationships.owns), 0, 9), - entity.relationships.supervises = MV_SLICE(MV_UNION(recent.entity.relationships.supervises, entity.relationships.supervises), 0, 9), + entity.relationships.administers.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.id, entity.relationships.administers.raw_identifiers.host.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.id, entity.relationships.administers.raw_identifiers.user.id), 0, 9), + entity.relationships.administers.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.email, entity.relationships.administers.raw_identifiers.user.email), 0, 9), + entity.relationships.administers.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.host.name, entity.relationships.administers.raw_identifiers.host.name), 0, 9), + entity.relationships.administers.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.user.name, entity.relationships.administers.raw_identifiers.user.name), 0, 9), + entity.relationships.administers.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.administers.raw_identifiers.service.name, entity.relationships.administers.raw_identifiers.service.name), 0, 9), + entity.relationships.administers.ids = MV_SLICE(MV_UNION(recent.entity.relationships.administers.ids, 
entity.relationships.administers.ids), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.id, entity.relationships.communicates_with.raw_identifiers.host.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.id, entity.relationships.communicates_with.raw_identifiers.user.id), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.email, entity.relationships.communicates_with.raw_identifiers.user.email), 0, 9), + entity.relationships.communicates_with.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.host.name, entity.relationships.communicates_with.raw_identifiers.host.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.user.name, entity.relationships.communicates_with.raw_identifiers.user.name), 0, 9), + entity.relationships.communicates_with.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.raw_identifiers.service.name, entity.relationships.communicates_with.raw_identifiers.service.name), 0, 9), + entity.relationships.communicates_with.ids = MV_SLICE(MV_UNION(recent.entity.relationships.communicates_with.ids, entity.relationships.communicates_with.ids), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.id, entity.relationships.depends_on.raw_identifiers.host.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.id, 
entity.relationships.depends_on.raw_identifiers.user.id), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.email, entity.relationships.depends_on.raw_identifiers.user.email), 0, 9), + entity.relationships.depends_on.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.host.name, entity.relationships.depends_on.raw_identifiers.host.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.user.name, entity.relationships.depends_on.raw_identifiers.user.name), 0, 9), + entity.relationships.depends_on.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.raw_identifiers.service.name, entity.relationships.depends_on.raw_identifiers.service.name), 0, 9), + entity.relationships.depends_on.ids = MV_SLICE(MV_UNION(recent.entity.relationships.depends_on.ids, entity.relationships.depends_on.ids), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.id, entity.relationships.owns_inferred.raw_identifiers.host.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.id, entity.relationships.owns_inferred.raw_identifiers.user.id), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.email, entity.relationships.owns_inferred.raw_identifiers.user.email), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.host.name, entity.relationships.owns_inferred.raw_identifiers.host.name), 0, 9), + 
entity.relationships.owns_inferred.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.user.name, entity.relationships.owns_inferred.raw_identifiers.user.name), 0, 9), + entity.relationships.owns_inferred.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.raw_identifiers.service.name, entity.relationships.owns_inferred.raw_identifiers.service.name), 0, 9), + entity.relationships.owns_inferred.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns_inferred.ids, entity.relationships.owns_inferred.ids), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.id, entity.relationships.accesses_infrequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.id, entity.relationships.accesses_infrequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.email, entity.relationships.accesses_infrequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.host.name, entity.relationships.accesses_infrequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.user.name, entity.relationships.accesses_infrequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_infrequently.raw_identifiers.service.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.raw_identifiers.service.name, entity.relationships.accesses_infrequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_infrequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_infrequently.ids, entity.relationships.accesses_infrequently.ids), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.id, entity.relationships.accesses_frequently.raw_identifiers.host.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.id, entity.relationships.accesses_frequently.raw_identifiers.user.id), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.email, entity.relationships.accesses_frequently.raw_identifiers.user.email), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.host.name, entity.relationships.accesses_frequently.raw_identifiers.host.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.user.name, entity.relationships.accesses_frequently.raw_identifiers.user.name), 0, 9), + entity.relationships.accesses_frequently.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.raw_identifiers.service.name, entity.relationships.accesses_frequently.raw_identifiers.service.name), 0, 9), + entity.relationships.accesses_frequently.ids = MV_SLICE(MV_UNION(recent.entity.relationships.accesses_frequently.ids, entity.relationships.accesses_frequently.ids), 0, 9), + 
entity.relationships.owns.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.id, entity.relationships.owns.raw_identifiers.host.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.id, entity.relationships.owns.raw_identifiers.user.id), 0, 9), + entity.relationships.owns.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.email, entity.relationships.owns.raw_identifiers.user.email), 0, 9), + entity.relationships.owns.raw_identifiers.host.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.host.name, entity.relationships.owns.raw_identifiers.host.name), 0, 9), + entity.relationships.owns.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.user.name, entity.relationships.owns.raw_identifiers.user.name), 0, 9), + entity.relationships.owns.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.owns.raw_identifiers.service.name, entity.relationships.owns.raw_identifiers.service.name), 0, 9), + entity.relationships.owns.ids = MV_SLICE(MV_UNION(recent.entity.relationships.owns.ids, entity.relationships.owns.ids), 0, 9), + entity.relationships.supervises.raw_identifiers.host.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.id, entity.relationships.supervises.raw_identifiers.host.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.id = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.id, entity.relationships.supervises.raw_identifiers.user.id), 0, 9), + entity.relationships.supervises.raw_identifiers.user.email = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.email, entity.relationships.supervises.raw_identifiers.user.email), 0, 9), + entity.relationships.supervises.raw_identifiers.host.name = 
MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.host.name, entity.relationships.supervises.raw_identifiers.host.name), 0, 9), + entity.relationships.supervises.raw_identifiers.user.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.user.name, entity.relationships.supervises.raw_identifiers.user.name), 0, 9), + entity.relationships.supervises.raw_identifiers.service.name = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.raw_identifiers.service.name, entity.relationships.supervises.raw_identifiers.service.name), 0, 9), + entity.relationships.supervises.ids = MV_SLICE(MV_UNION(recent.entity.relationships.supervises.ids, entity.relationships.supervises.ids), 0, 9), entity.relationships.resolution.resolved_to = COALESCE(recent.entity.relationships.resolution.resolved_to, entity.relationships.resolution.resolved_to), entity.relationships.resolution.risk.calculated_level = COALESCE(recent.entity.relationships.resolution.risk.calculated_level, entity.relationships.resolution.risk.calculated_level), entity.relationships.resolution.risk.calculated_score = COALESCE(recent.entity.relationships.resolution.risk.calculated_score, entity.relationships.resolution.risk.calculated_score), diff --git a/x-pack/solutions/security/plugins/entity_store/test/scout/api/fixtures/helpers.ts b/x-pack/solutions/security/plugins/entity_store/test/scout/api/fixtures/helpers.ts index fd0a29ea2af73..be81a250e4179 100644 --- a/x-pack/solutions/security/plugins/entity_store/test/scout/api/fixtures/helpers.ts +++ b/x-pack/solutions/security/plugins/entity_store/test/scout/api/fixtures/helpers.ts 
@@ -17,6 +17,17 @@ import { UPDATES_INDEX, } from './constants'; +/** + * Normalizes values that may be stored as a single keyword or as keyword[] after + * log extraction (e.g. `entity.relationships.*` bags). + */ +export const normalizeKeywordList = (value: unknown): string[] => { + if (value == null) { + return []; + } + return Array.isArray(value) ? value.map((v) => String(v)) : [String(value)]; +}; + /** * Deletes all Entity Store data indices: latest, updates, and history snapshots. * Call in afterAll / afterEach to prevent stale data from leaking between diff --git a/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/history_snapshot.spec.ts b/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/history_snapshot.spec.ts index cffc0340ea259..d9423de487f7a 100644 --- a/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/history_snapshot.spec.ts +++ b/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/history_snapshot.spec.ts @@ -15,7 +15,11 @@ import { LATEST_ALIAS, } from '../fixtures/constants'; import { FF_ENABLE_ENTITY_STORE_V2 } from '../../../../common'; -import { clearEntityStoreIndices, forceLogExtraction } from '../fixtures/helpers'; +import { + clearEntityStoreIndices, + forceLogExtraction, + normalizeKeywordList, +} from '../fixtures/helpers'; apiTest.describe('Entity Store History Snapshot', { tag: ENTITY_STORE_TAGS }, () => { let defaultHeaders: Record; 
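Review bot: `normalizeKeywordList` coerces every element with `String(v)`, so a nested object or a number that ends up in a `entity.behaviors.*` or `entity.relationships.*` field is normalized to `[object Object]` or `"1"` and compared instead of failing the test; a helper whose purpose is to absorb the keyword-vs-keyword[] storage difference should still reject anything that is not a string, otherwise a mapping or extraction regression is hidden behind the very assertion meant to catch it. I would replace the final `return` with `const list = Array.isArray(value) ? value : [value];` / `if (!list.every((v): v is string => typeof v === 'string')) throw new TypeError(\`expected keyword or keyword[], got ${JSON.stringify(value)}\`);` / `return list;`. The doc comment could also note that the helper is for test assertions only and makes no attempt to sanitize or validate data beyond that shape check.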
@@ -100,9 +104,9 @@ apiTest.describe('Entity Store History Snapshot', { tag: ENTITY_STORE_TAGS }, ()
 const entityIdsWithBehaviors = ['host:host-123', 'host:server-01'] as const;
 const expectedBehaviorsInHistory = [
- { rule_names: ['rule-a', 'rule-b'], anomaly_job_ids: 'job-1' },
- { rule_names: 'rule-c', anomaly_job_ids: ['job-2', 'job-3'] },
- ];
+ { rule_names: ['rule-a', 'rule-b'], anomaly_job_ids: ['job-1'] },
+ { rule_names: ['rule-c'], anomaly_job_ids: ['job-2', 'job-3'] },
+ ] as const;

 const historySearchResult = await esClient.search({
 index: historyIndex,
@@ -135,7 +139,13 @@ apiTest.describe('Entity Store History Snapshot', { tag: ENTITY_STORE_TAGS }, ()
 );
 expect(historyHit).toBeDefined();
 const historyEntity = historyHit!._source!.entity as Record;
- expect(historyEntity.behaviors).toStrictEqual(expectedBehavior);
+ const historyBehaviors = historyEntity.behaviors as Record | undefined;
+ expect(normalizeKeywordList(historyBehaviors?.rule_names)).toStrictEqual(
+ expectedBehavior.rule_names
+ );
+ expect(normalizeKeywordList(historyBehaviors?.anomaly_job_ids)).toStrictEqual(
+ expectedBehavior.anomaly_job_ids
+ );

 const latestHit = latestHits.find(
 (h) => (h._source!.entity as Record)?.id === entityId
@@ -143,10 +153,9 @@ apiTest.describe('Entity Store History Snapshot', { tag: ENTITY_STORE_TAGS }, ()
 expect(latestHit).toBeDefined();
 expect(latestHit!._source!['@timestamp']).toBeDefined();
 const latestEntity = latestHit!._source!.entity as Record;
- expect(latestEntity.behaviors).toStrictEqual({
- rule_names: [],
- anomaly_job_ids: [],
- });
+ const latestBehaviors = latestEntity.behaviors as Record | undefined;
+ expect(normalizeKeywordList(latestBehaviors?.rule_names)).toStrictEqual([]);
+ expect(normalizeKeywordList(latestBehaviors?.anomaly_job_ids)).toStrictEqual([]);
 expect((latestEntity.lifecycle as Record)?.last_activity).toBeDefined();
 }
 }
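Review bot: In the last hunk (`@@ -143,10 +153,9`) the rewritten latest-entity assertions no longer require `behaviors` to exist: `normalizeKeywordList(undefined)` returns `[]`, so a latest document with no `behaviors` object at all now passes where the old `toStrictEqual({ rule_names: [], anomaly_job_ids: [] })` would have failed. If the contract is that the latest document always carries the reset `behaviors` object, add `expect(latestBehaviors).toBeDefined();` before the two normalized checks; the same weakening applies to `historyBehaviors` in the `@@ -135,7 +139,13` hunk. The enclosing loop body starts and ends outside these hunks.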
diff --git a/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/logs_extraction.spec.ts b/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/logs_extraction.spec.ts
index 44fa2f28a8849..a2a36b8569e74 100644
--- a/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/logs_extraction.spec.ts
+++ b/x-pack/solutions/security/plugins/entity_store/test/scout/api/tests/logs_extraction.spec.ts
@@ -29,6 +29,7 @@ import {
 clearEntityStoreIndices,
 forceLogExtraction,
 ingestDoc,
+ normalizeKeywordList,
 searchDocById,
 } from '../fixtures/helpers';

@@ -1083,4 +1084,83 @@ apiTest.describe('Entity Store Main logs extraction', { tag: ENTITY_STORE_TAGS }
 }
 }
 );
+
+ apiTest(
+ 'Should merge entity.relationships.* identifier from host.entity on source documents',
+ async ({ apiClient, esClient }) => {
+ const fromIso = '2026-04-10T09:00:00Z';
+ const toIso = '2026-04-10T11:00:00Z';
+ const ts = '2026-04-10T10:00:00Z';
+ const hostName = 'relationship-bag-smoke-host';
+ const entityId = `host:${hostName}`;
+
+ await ingestDoc(esClient, {
+ '@timestamp': ts,
+ host: {
+ name: hostName,
+ entity: {
+ relationships: {
+ owns: {
+ user: {
+ email: ['owner-rel-test@example.com'],
+ id: ['00u_rel_test'],
+ },
+ host: {
+ name: ['asset-rel-01'],
+ },
+ },
+ supervises: {
+ user: {
+ email: ['supervisee@example.com'],
+ name: ['supervisor_login'],
+ },
+ },
+ },
+ },
+ },
+ });
+
+ const extractionResponse = await forceLogExtraction(
+ apiClient,
+ internalHeaders,
+ 'host',
+ fromIso,
+ toIso
+ );
+ expect(extractionResponse.statusCode).toBe(200);
+ expect(extractionResponse.body).toMatchObject({
+ success: true,
+ count: 1,
+ });
+
+ const hitResponse = await searchDocById(esClient, entityId);
+ expect(hitResponse.hits.hits).toHaveLength(1);
+ const source = hitResponse.hits.hits[0]._source as Record;
+ const entity = source.entity as Record;
+ expect(entity).toBeDefined();
+
+ const relationships = entity.relationships as Record | undefined;
+ expect(relationships).toBeDefined();
+
+ const owns = relationships!.owns as Record | undefined;
+ expect(owns).toBeDefined();
+ const ownsRawIdentifiers = owns!.raw_identifiers as Record | undefined;
+ expect(ownsRawIdentifiers).toBeDefined();
+ const ownsUser = ownsRawIdentifiers!.user as Record | undefined;
+ const ownsHost = ownsRawIdentifiers!.host as Record | undefined;
+ expect(normalizeKeywordList(ownsUser?.email)).toStrictEqual(['owner-rel-test@example.com']);
+ expect(normalizeKeywordList(ownsUser?.id)).toStrictEqual(['00u_rel_test']);
+ expect(normalizeKeywordList(ownsHost?.name)).toStrictEqual(['asset-rel-01']);
+
+ const supervises = relationships!.supervises as Record | undefined;
+ expect(supervises).toBeDefined();
+ const supervisesRawIdentifiers = supervises!.raw_identifiers as
+ | Record
+ | undefined;
+ expect(supervisesRawIdentifiers).toBeDefined();
+ const supervisesUser = supervisesRawIdentifiers!.user as Record | undefined;
+ expect(normalizeKeywordList(supervisesUser?.email)).toStrictEqual(['supervisee@example.com']);
+ expect(normalizeKeywordList(supervisesUser?.name)).toStrictEqual(['supervisor_login']);
+ }
+ );
 });
diff --git a/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/data.json b/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/data.json
index 6e3c906f9cc61..7e6589d0ea1c0 100644
--- a/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/data.json
+++ b/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/data.json
@@ -513,10 +513,12 @@
 "sub_type": "AWS IAM User",
 "type": "Identity",
 "relationships": {
- "owns": [
- "host:relationships-target-host-1",
- "host:relationships-target-host-2"
- ]
+ "owns": {
+ "ids": [
+ "host:relationships-target-host-1",
+ "host:relationships-target-host-2"
+ ]
+ }
 }
 },
 "event": {
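Review bot: The new `apiTest` checks only the `raw_identifiers` side of the `owns` and `supervises` bags and never reads `owns.ids` or `supervises.ids`, so a regression that keeps the raw identifiers but drops or mis-resolves the `ids` list would pass this test. If the `ids` value for these synthetic identifiers is deterministic (empty, or a fixed EUID), one assertion per bag, e.g. `expect(normalizeKeywordList(owns!.ids)).toStrictEqual([/* expected ids, if any */]);`, pins the full shape of the bag; if it is intentionally not covered here, the test name should say "raw_identifiers" rather than "identifier". The repeated `as Record<…> | undefined` cast followed by `!` after each `toBeDefined()` is also hard to read; a small typed accessor in `fixtures/helpers.ts` that throws on a missing key would remove the non-null assertions. `internalHeaders` is referenced but declared outside the hunk.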
@@ -679,14 +681,18 @@
 "sub_type": "GCP Service Account",
 "type": "Service Account",
 "relationships": {
- "owns": [
- "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
- "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
- ],
- "communicates_with": [
- "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
- "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
- ]
+ "owns": {
+ "ids": [
+ "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
+ "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
+ ]
+ },
+ "communicates_with": {
+ "ids": [
+ "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
+ "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
+ ]
+ }
 }
 },
 "event": {
@@ -861,10 +867,12 @@
 "sub_type": "GCP Compute Instance",
 "type": "Host",
 "relationships": {
- "communicates_with": [
- "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
- "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
- ]
+ "communicates_with": {
+ "ids": [
+ "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
+ "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
+ ]
+ }
 }
 },
 "event": {
@@ -949,11 +957,13 @@
 "sub_type": "AWS IAM User",
 "type": "Identity",
 "relationships": {
- "owns": [
- "host:rel-hierarchy-host-1",
- "service:Hierarchy Service 1",
- "user:rel-hierarchy-identity-1@gcp"
- ]
+ "owns": {
+ "ids": [
+ "host:rel-hierarchy-host-1",
+ "service:Hierarchy Service 1",
+ "user:rel-hierarchy-identity-1@gcp"
+ ]
+ }
 }
 },
 "event": {
@@ -995,10 +1005,12 @@
 "sub_type": "AWS EC2 Instance",
 "type": "Host",
 "relationships": {
- "communicates_with": [
- "rel-hierarchy-storage-1",
- "rel-hierarchy-storage-2"
- ]
+ "communicates_with": {
+ "ids": [
+ "rel-hierarchy-storage-1",
+ "rel-hierarchy-storage-2"
+ ]
+ }
 }
 },
 "event": {
@@ -1041,10 +1053,12 @@
 "sub_type": "AWS Lambda Function",
 "type": "Service",
 "relationships": {
- "communicates_with": [
- "rel-hierarchy-database-1",
- "rel-hierarchy-database-2"
- ]
+ "communicates_with": {
+ "ids": [
+ "rel-hierarchy-database-1",
+ "rel-hierarchy-database-2"
+ ]
+ }
 }
 },
 "event": {
@@ -1086,16 +1100,22 @@
 "sub_type": "AWS IAM Role",
 "type": "Identity",
 "relationships": {
- "communicates_with": [
- "rel-hierarchy-network-1",
- "rel-hierarchy-network-2"
- ],
- "supervises": [
- "user:rel-hierarchy-delegate-1@gcp"
- ],
- "depends_on": [
- "user:rel-hierarchy-delegate-1@gcp"
- ]
+ "communicates_with": {
+ "ids": [
+ "rel-hierarchy-network-1",
+ "rel-hierarchy-network-2"
+ ]
+ },
+ "supervises": {
+ "ids": [
+ "user:rel-hierarchy-delegate-1@gcp"
+ ]
+ },
+ "depends_on": {
+ "ids": [
+ "user:rel-hierarchy-delegate-1@gcp"
+ ]
+ }
 }
 },
 "event": {
@@ -1392,9 +1412,11 @@
 "sub_type": "AWS Lambda Function",
 "type": "Service",
 "relationships": {
- "communicates_with": [
- "user:rel-hierarchy-identity-1@gcp"
- ]
+ "communicates_with": {
+ "ids": [
+ "user:rel-hierarchy-identity-1@gcp"
+ ]
+ }
 }
 },
 "event": {
diff --git a/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/mappings.json b/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/mappings.json
index 19e6180481db5..e3441c04cd7c8 100644
--- a/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/mappings.json
+++ b/x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store_v2/mappings.json
@@ -420,22 +420,70 @@
 "relationships": {
 "properties": {
 "accesses_frequently": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "accesses_infrequently": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "communicates_with": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "depends_on": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "owns": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "owns_inferred": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "resolution": {
 "properties": {
@@ -445,7 +493,15 @@
 }
 },
 "supervises": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 }
 }
 }
diff --git a/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/data.json b/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/data.json
index 62a4c460e7d94..ce31d6b542f11 100644
--- a/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/data.json
+++ b/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/data.json
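Review bot: `raw_identifiers` is mapped as `"type": "object", "dynamic": true` for every relationship bag (both hunks here, and again in the functional archive's `mappings.json`), so any sub-key that arrives inside a source document's `*.entity.relationships.<bag>` object becomes a new mapped field on the entities index. If this archive mirrors the real index template, that lets ingested data grow the mapping without bound towards `index.mapping.total_fields.limit`; enumerating the identifier paths the extraction actually writes (`host.name`, `user.name`, `service.name`, plus the `user.email` / `user.id` exercised by the new scout test) as `keyword` properties under `"dynamic": "strict"` would bound it. If arbitrary raw identifiers are intended, `"dynamic": false` keeps them in `_source` while leaving the mapping fixed. Whichever is deliberate, a one-line note next to the definition in the source schema (outside this chunk) would spare the next reader the guess.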
@@ -486,10 +486,12 @@
 "sub_type": "AWS IAM User",
 "type": "Identity",
 "relationships": {
- "owns": [
- "host:relationships-target-host-1",
- "host:relationships-target-host-2"
- ]
+ "owns": {
+ "ids": [
+ "host:relationships-target-host-1",
+ "host:relationships-target-host-2"
+ ]
+ }
 }
 },
 "event": {
@@ -695,15 +697,19 @@
 "sub_type": "GCP Service Account",
 "type": "Service Account",
 "relationships": {
- "owns": [
- "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
- "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1",
- "host:projects/my-gcp-project/zones/us-west1-a/instances/db-server-prod-1"
- ],
- "communicates_with": [
- "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
- "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
- ]
+ "owns": {
+ "ids": [
+ "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
+ "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1",
+ "host:projects/my-gcp-project/zones/us-west1-a/instances/db-server-prod-1"
+ ]
+ },
+ "communicates_with": {
+ "ids": [
+ "host:projects/my-gcp-project/zones/us-central1-a/instances/web-server-prod-1",
+ "host:projects/my-gcp-project/zones/us-east1-b/instances/api-gateway-prod-1"
+ ]
+ }
 }
 },
 "event": {
@@ -992,11 +998,13 @@
 "sub_type": "AWS IAM User",
 "type": "Identity",
 "relationships": {
- "owns": [
- "host:rel-hierarchy-host-1",
- "service:Hierarchy Service 1",
- "user:rel-hierarchy-identity-1@gcp"
- ]
+ "owns": {
+ "ids": [
+ "host:rel-hierarchy-host-1",
+ "service:Hierarchy Service 1",
+ "user:rel-hierarchy-identity-1@gcp"
+ ]
+ }
 }
 },
 "event": {
@@ -1038,10 +1046,12 @@
 "sub_type": "AWS EC2 Instance",
 "type": "Host",
 "relationships": {
- "communicates_with": [
- "rel-hierarchy-storage-1",
- "rel-hierarchy-storage-2"
- ]
+ "communicates_with": {
+ "ids": [
+ "rel-hierarchy-storage-1",
+ "rel-hierarchy-storage-2"
+ ]
+ }
 }
 },
 "event": {
@@ -1083,10 +1093,12 @@
 "sub_type": "AWS Lambda Function",
 "type": "Service",
 "relationships": {
- "communicates_with": [
- "rel-hierarchy-database-1",
- "rel-hierarchy-database-2"
- ]
+ "communicates_with": {
+ "ids": [
+ "rel-hierarchy-database-1",
+ "rel-hierarchy-database-2"
+ ]
+ }
 }
 },
 "event": {
@@ -1128,16 +1140,22 @@
 "sub_type": "AWS IAM Role",
 "type": "Identity",
 "relationships": {
- "communicates_with": [
- "rel-hierarchy-network-1",
- "rel-hierarchy-network-2"
- ],
- "supervises": [
- "user:rel-hierarchy-delegate-1@gcp"
- ],
- "depends_on": [
- "user:rel-hierarchy-delegate-1@gcp"
- ]
+ "communicates_with": {
+ "ids": [
+ "rel-hierarchy-network-1",
+ "rel-hierarchy-network-2"
+ ]
+ },
+ "supervises": {
+ "ids": [
+ "user:rel-hierarchy-delegate-1@gcp"
+ ]
+ },
+ "depends_on": {
+ "ids": [
+ "user:rel-hierarchy-delegate-1@gcp"
+ ]
+ }
 }
 },
 "event": {
@@ -1428,9 +1446,11 @@
 "sub_type": "AWS Lambda Function",
 "type": "Service",
 "relationships": {
- "communicates_with": [
- "user:rel-hierarchy-identity-1@gcp"
- ]
+ "communicates_with": {
+ "ids": [
+ "user:rel-hierarchy-identity-1@gcp"
+ ]
+ }
 }
 },
 "event": {
diff --git a/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/mappings.json b/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/mappings.json
index 404ad52f87249..898b588d7e4b6 100644
--- a/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/mappings.json
+++ b/x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2/mappings.json
@@ -420,22 +420,70 @@
 "relationships": {
 "properties": {
 "accesses_frequently": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "accesses_infrequently": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "communicates_with": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "depends_on": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "owns": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "owns_inferred": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 },
 "resolution": {
 "properties": {
@@ -445,7 +493,15 @@
 }
 },
 "supervises": {
- "type": "keyword"
+ "properties": {
+ "raw_identifiers": {
+ "type": "object",
+ "dynamic": true
+ },
+ "ids": {
+ "type": "keyword"
+ }
+ }
 }
 }
 }