diff --git a/x-pack/plugins/siem/public/components/field_renderers/field_renderers.test.tsx b/x-pack/plugins/siem/public/components/field_renderers/field_renderers.test.tsx
index 80ed955556652..b96953af4a043 100644
--- a/x-pack/plugins/siem/public/components/field_renderers/field_renderers.test.tsx
+++ b/x-pack/plugins/siem/public/components/field_renderers/field_renderers.test.tsx
@@ -114,9 +114,7 @@ describe('Field Renderers', () => {
};
test('it renders correctly against snapshot', () => {
const wrapper = shallow(
-
- {hostNameRenderer(mockData.complete.source!.host!, '10.10.10.10')}
-
+ {hostNameRenderer(mockData.complete.host, '10.10.10.10')}
);
expect(toJson(wrapper)).toMatchSnapshot();
@@ -124,9 +122,7 @@ describe('Field Renderers', () => {
test('it renders emptyTagValue when non-matching IP is provided', () => {
const wrapper = mount(
-
- {hostNameRenderer(mockData.complete.source!.host!, '10.10.10.11')}
-
+ {hostNameRenderer(mockData.complete.host, '10.10.10.11')}
);
expect(wrapper.text()).toEqual(getEmptyValue());
});
@@ -163,9 +159,7 @@ describe('Field Renderers', () => {
};
test('it renders correctly against snapshot', () => {
const wrapper = shallow(
-
- {hostNameRenderer(mockData.complete.source!.host!, '10.10.10.10')}
-
+ {hostNameRenderer(mockData.complete.host, '10.10.10.10')}
);
expect(toJson(wrapper)).toMatchSnapshot();
@@ -173,9 +167,7 @@ describe('Field Renderers', () => {
test('it renders emptyTagValue when non-matching IP is provided', () => {
const wrapper = mount(
-
- {hostNameRenderer(mockData.complete.source!.host!, '10.10.10.11')}
-
+ {hostNameRenderer(mockData.complete.host, '10.10.10.11')}
);
expect(wrapper.text()).toEqual(getEmptyValue());
});
diff --git a/x-pack/plugins/siem/public/components/page/network/ip_overview/index.tsx b/x-pack/plugins/siem/public/components/page/network/ip_overview/index.tsx
index b34dcfb8fdb77..ed81b0e9aa639 100644
--- a/x-pack/plugins/siem/public/components/page/network/ip_overview/index.tsx
+++ b/x-pack/plugins/siem/public/components/page/network/ip_overview/index.tsx
@@ -73,11 +73,11 @@ export const IpOverview = pure(({ ip, data, loading, flowTarget
[
{
title: i18n.HOST_ID,
- description: typeData ? hostIdRenderer(typeData.host, ip) : getEmptyTagValue(),
+ description: typeData ? hostIdRenderer(data.host, ip) : getEmptyTagValue(),
},
{
title: i18n.HOST_NAME,
- description: typeData ? hostNameRenderer(typeData.host, ip) : getEmptyTagValue(),
+ description: typeData ? hostNameRenderer(data.host, ip) : getEmptyTagValue(),
},
],
[
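Review bot: The `typeData ?` guard on both changed description lines is now stale: the host is read from `data.host`, which this commit makes independent of the flow target, so a host matched on `host.ip` is hidden whenever the source/destination overview for the selected direction is absent, and the renderers are still called with an empty host object when `typeData` exists but nothing matched. The `IpOverviewQuery` container seeds `host: {}`, so `data.host` is always an object; if `hostIdRenderer`/`hostNameRenderer` already treat a host whose `ip` does not contain the queried address as empty (the field_renderers tests for a non-matching IP suggest they do), the condition can be dropped: `description: hostIdRenderer(data.host, ip),` and `description: hostNameRenderer(data.host, ip),`. Otherwise gate on the host itself, e.g. `description: data.host.ip ? hostIdRenderer(data.host, ip) : getEmptyTagValue(),`. The enclosing `IpOverview` component starts and ends outside this hunk.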
diff --git a/x-pack/plugins/siem/public/components/page/network/ip_overview/mock.ts b/x-pack/plugins/siem/public/components/page/network/ip_overview/mock.ts
index c5a39a8732b2d..8995e58e505dc 100644
--- a/x-pack/plugins/siem/public/components/page/network/ip_overview/mock.ts
+++ b/x-pack/plugins/siem/public/components/page/network/ip_overview/mock.ts
@@ -24,19 +24,6 @@ export const mockData: Readonly> = {
region_iso_code: ['US-NY'],
region_name: ['New York'],
},
- host: {
- os: {
- kernel: ['4.14.50-v7+'],
- name: ['Raspbian GNU/Linux'],
- family: [''],
- version: ['9 (stretch)'],
- platform: ['raspbian'],
- },
- name: ['raspberrypi'],
- id: ['b19a781f683541a7a25ee345133aa399'],
- ip: ['10.10.10.10'],
- architecture: ['armv7l'],
- },
},
destination: {
firstSeen: '2019-02-07T17:19:41.648Z',
@@ -54,19 +41,19 @@ export const mockData: Readonly> = {
region_iso_code: ['US-NY'],
region_name: ['New York'],
},
- host: {
- os: {
- kernel: ['4.14.50-v7+'],
- name: ['Raspbian GNU/Linux'],
- family: [''],
- version: ['9 (stretch)'],
- platform: ['raspbian'],
- },
- name: ['raspberrypi'],
- id: ['b19a781f683541a7a25ee345133aa399'],
- ip: ['10.10.10.10'],
- architecture: ['armv7l'],
+ },
+ host: {
+ os: {
+ kernel: ['4.14.50-v7+'],
+ name: ['Raspbian GNU/Linux'],
+ family: [''],
+ version: ['9 (stretch)'],
+ platform: ['raspbian'],
},
+ name: ['raspberrypi'],
+ id: ['b19a781f683541a7a25ee345133aa399'],
+ ip: ['10.10.10.10'],
+ architecture: ['armv7l'],
},
},
};
diff --git a/x-pack/plugins/siem/public/containers/ip_overview/index.gql_query.ts b/x-pack/plugins/siem/public/containers/ip_overview/index.gql_query.ts
index a42302bea1c02..0ad415657e387 100644
--- a/x-pack/plugins/siem/public/containers/ip_overview/index.gql_query.ts
+++ b/x-pack/plugins/siem/public/containers/ip_overview/index.gql_query.ts
@@ -36,20 +36,6 @@ export const ipOverviewQuery = gql`
region_iso_code
region_name
}
- host {
- architecture
- id
- ip
- mac
- name
- os {
- family
- name
- platform
- version
- }
- type
- }
}
destination {
firstSeen
@@ -71,20 +57,20 @@ export const ipOverviewQuery = gql`
region_iso_code
region_name
}
- host {
- architecture
- id
- ip
- mac
+ }
+ host {
+ architecture
+ id
+ ip
+ mac
+ name
+ os {
+ family
name
- os {
- family
- name
- platform
- version
- }
- type
+ platform
+ version
}
+ type
}
}
}
diff --git a/x-pack/plugins/siem/public/containers/ip_overview/index.tsx b/x-pack/plugins/siem/public/containers/ip_overview/index.tsx
index cb04a5caf3bc6..fe500482fac54 100644
--- a/x-pack/plugins/siem/public/containers/ip_overview/index.tsx
+++ b/x-pack/plugins/siem/public/containers/ip_overview/index.tsx
@@ -44,7 +44,7 @@ export const IpOverviewQuery = pure(
}}
>
{({ data, loading }) => {
- const init: IpOverviewData = {};
+ const init: IpOverviewData = { host: {} };
const ipOverviewData: IpOverviewData = getOr(init, 'source.IpOverview', data);
return children({
id,
diff --git a/x-pack/plugins/siem/public/graphql/introspection.json b/x-pack/plugins/siem/public/graphql/introspection.json
index 5845dc23341b5..cd7157f7d2f60 100644
--- a/x-pack/plugins/siem/public/graphql/introspection.json
+++ b/x-pack/plugins/siem/public/graphql/introspection.json
@@ -5814,6 +5814,18 @@
"isDeprecated": false,
"deprecationReason": null
},
+ {
+ "name": "host",
+ "description": "",
+ "args": [],
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "OBJECT", "name": "HostEcsFields", "ofType": null }
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
+ },
{
"name": "server",
"description": "",
@@ -5869,18 +5881,6 @@
"isDeprecated": false,
"deprecationReason": null
},
- {
- "name": "host",
- "description": "",
- "args": [],
- "type": {
- "kind": "NON_NULL",
- "name": null,
- "ofType": { "kind": "OBJECT", "name": "HostEcsFields", "ofType": null }
- },
- "isDeprecated": false,
- "deprecationReason": null
- },
{
"name": "geo",
"description": "",
diff --git a/x-pack/plugins/siem/public/graphql/types.ts b/x-pack/plugins/siem/public/graphql/types.ts
index c6b80a51dae37..a3242a114c99a 100644
--- a/x-pack/plugins/siem/public/graphql/types.ts
+++ b/x-pack/plugins/siem/public/graphql/types.ts
@@ -904,6 +904,8 @@ export interface IpOverviewData {
destination?: Overview | null;
+ host: HostEcsFields;
+
server?: Overview | null;
source?: Overview | null;
@@ -916,8 +918,6 @@ export interface Overview {
autonomousSystem: AutonomousSystem;
- host: HostEcsFields;
-
geo: GeoEcsFields;
}
@@ -2767,6 +2767,8 @@ export namespace GetIpOverviewQuery {
source?: _Source | null;
destination?: Destination | null;
+
+ host: Host;
};
export type _Source = {
@@ -2779,8 +2781,6 @@ export namespace GetIpOverviewQuery {
autonomousSystem: AutonomousSystem;
geo: Geo;
-
- host: Host;
};
export type AutonomousSystem = {
@@ -2819,36 +2819,6 @@ export namespace GetIpOverviewQuery {
lon?: ToNumberArray | null;
};
- export type Host = {
- __typename?: 'HostEcsFields';
-
- architecture?: ToStringArray | null;
-
- id?: ToStringArray | null;
-
- ip?: ToStringArray | null;
-
- mac?: ToStringArray | null;
-
- name?: ToStringArray | null;
-
- os?: Os | null;
-
- type?: ToStringArray | null;
- };
-
- export type Os = {
- __typename?: 'OsEcsFields';
-
- family?: ToStringArray | null;
-
- name?: ToStringArray | null;
-
- platform?: ToStringArray | null;
-
- version?: ToStringArray | null;
- };
-
export type Destination = {
__typename?: 'Overview';
@@ -2859,8 +2829,6 @@ export namespace GetIpOverviewQuery {
autonomousSystem: _AutonomousSystem;
geo: _Geo;
-
- host: _Host;
};
export type _AutonomousSystem = {
@@ -2899,7 +2867,7 @@ export namespace GetIpOverviewQuery {
lon?: ToNumberArray | null;
};
- export type _Host = {
+ export type Host = {
__typename?: 'HostEcsFields';
architecture?: ToStringArray | null;
@@ -2912,12 +2880,12 @@ export namespace GetIpOverviewQuery {
name?: ToStringArray | null;
- os?: _Os | null;
+ os?: Os | null;
type?: ToStringArray | null;
};
- export type _Os = {
+ export type Os = {
__typename?: 'OsEcsFields';
family?: ToStringArray | null;
diff --git a/x-pack/plugins/siem/server/graphql/ip_details/schema.gql.ts b/x-pack/plugins/siem/server/graphql/ip_details/schema.gql.ts
index f21c5b6456506..61f36c06b5f9c 100644
--- a/x-pack/plugins/siem/server/graphql/ip_details/schema.gql.ts
+++ b/x-pack/plugins/siem/server/graphql/ip_details/schema.gql.ts
@@ -17,13 +17,13 @@ const ipOverviewSchema = gql`
firstSeen: Date
lastSeen: Date
autonomousSystem: AutonomousSystem!
- host: HostEcsFields!
geo: GeoEcsFields!
}
type IpOverviewData {
client: Overview
destination: Overview
+ host: HostEcsFields!
server: Overview
source: Overview
}
diff --git a/x-pack/plugins/siem/server/graphql/types.ts b/x-pack/plugins/siem/server/graphql/types.ts
index bc90d5bf7f89b..a007aba5e4717 100644
--- a/x-pack/plugins/siem/server/graphql/types.ts
+++ b/x-pack/plugins/siem/server/graphql/types.ts
@@ -933,6 +933,8 @@ export interface IpOverviewData {
destination?: Overview | null;
+ host: HostEcsFields;
+
server?: Overview | null;
source?: Overview | null;
@@ -945,8 +947,6 @@ export interface Overview {
autonomousSystem: AutonomousSystem;
- host: HostEcsFields;
-
geo: GeoEcsFields;
}
@@ -5300,6 +5300,8 @@ export namespace IpOverviewDataResolvers {
destination?: DestinationResolver;
+ host?: HostResolver;
+
server?: ServerResolver;
source?: SourceResolver;
@@ -5315,6 +5317,11 @@ export namespace IpOverviewDataResolvers {
Parent = IpOverviewData,
Context = SiemContext
> = Resolver;
+ export type HostResolver<
+ R = HostEcsFields,
+ Parent = IpOverviewData,
+ Context = SiemContext
+ > = Resolver;
export type ServerResolver<
R = Overview | null,
Parent = IpOverviewData,
@@ -5335,8 +5342,6 @@ export namespace OverviewResolvers {
autonomousSystem?: AutonomousSystemResolver;
- host?: HostResolver;
-
geo?: GeoResolver;
}
@@ -5355,11 +5360,6 @@ export namespace OverviewResolvers {
Parent = Overview,
Context = SiemContext
> = Resolver;
- export type HostResolver = Resolver<
- R,
- Parent,
- Context
- >;
export type GeoResolver = Resolver<
R,
Parent,
diff --git a/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.test.ts b/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.test.ts
index 65bf71e5dd13d..09eed2af8a980 100644
--- a/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.test.ts
+++ b/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.test.ts
@@ -5,11 +5,17 @@
*/
import { FlowTarget } from '../../graphql/types';
-import { formatDomainsEdges, getIpOverviewAgg, getUsersEdges } from './elasticsearch_adapter';
+import {
+ formatDomainsEdges,
+ getIpOverviewAgg,
+ getIpOverviewHostAgg,
+ getUsersEdges,
+} from './elasticsearch_adapter';
import {
formattedDestination,
formattedEmptySource,
+ formattedHost,
formattedSource,
mockDomainsResponseBuckets,
mockFormattedDestination,
@@ -30,20 +36,25 @@ describe('elasticsearch_adapter', () => {
});
test('will return a source correctly', () => {
- const destination = getIpOverviewAgg(FlowTarget.source, responseAggs.aggregations.source!);
- expect(destination).toEqual(formattedSource);
+ const source = getIpOverviewAgg(FlowTarget.source, responseAggs.aggregations.source!);
+ expect(source).toEqual(formattedSource);
+ });
+
+ test('will return a host correctly', () => {
+ const host = getIpOverviewHostAgg(responseAggs.aggregations.host);
+ expect(host).toEqual(formattedHost);
});
test('will return an empty source correctly', () => {
- const destination = getIpOverviewAgg(FlowTarget.source, {});
- expect(destination).toEqual(formattedEmptySource);
+ const source = getIpOverviewAgg(FlowTarget.source, {});
+ expect(source).toEqual(formattedEmptySource);
});
});
describe('#getDomains', () => {
test('will return a source correctly', () => {
- const destination = formatDomainsEdges(mockDomainsResponseBuckets, FlowTarget.source);
- expect(destination).toEqual(mockFormattedSource);
+ const source = formatDomainsEdges(mockDomainsResponseBuckets, FlowTarget.source);
+ expect(source).toEqual(mockFormattedSource);
});
test('will return a destination correctly', () => {
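Review bot: The new `getIpOverviewHostAgg` test covers only the populated case; the empty-aggregation path that `ElasticsearchIpOverviewAdapter.getIpOverview` takes (`getOr({}, 'aggregations.host', response)` when no document carries the queried address in `host.ip`) has no counterpart to the existing empty-source test two lines below. Add one beside it: `test('will return an empty host correctly', () => {` / `  expect(getIpOverviewHostAgg({})).toEqual({ host: {} });` / `});`. That pins the `{ host: {} }` shape the non-null `host: HostEcsFields!` schema field relies on. The `describe` block continues outside this hunk.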
diff --git a/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.ts b/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.ts
index b98b786247b6a..1c78af9118edf 100644
--- a/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.ts
+++ b/x-pack/plugins/siem/server/lib/ip_details/elasticsearch_adapter.ts
@@ -39,6 +39,7 @@ import {
IpDetailsAdapter,
IpOverviewHit,
OverviewHit,
+ OverviewHostHit,
TlsBuckets,
UsersBucketsItem,
} from './types';
@@ -62,6 +63,7 @@ export class ElasticsearchIpOverviewAdapter implements IpDetailsAdapter {
return {
...getIpOverviewAgg('source', getOr({}, 'aggregations.source', response)),
...getIpOverviewAgg('destination', getOr({}, 'aggregations.destination', response)),
+ ...getIpOverviewHostAgg(getOr({}, 'aggregations.host', response)),
};
}
@@ -184,11 +186,6 @@ export const getIpOverviewAgg = (type: string, overviewHit: OverviewHit | {}) =>
`geo.results.hits.hits[0]._source.${type}.geo`,
overviewHit
);
- const hostFields: HostEcsFields | null = getOr(
- null,
- `host.results.hits.hits[0]._source.host`,
- overviewHit
- );
return {
[type]: {
@@ -197,9 +194,6 @@ export const getIpOverviewAgg = (type: string, overviewHit: OverviewHit | {}) =>
autonomousSystem: {
...autonomousSystem,
},
- host: {
- ...hostFields,
- },
geo: {
...geoFields,
},
@@ -207,6 +201,20 @@ export const getIpOverviewAgg = (type: string, overviewHit: OverviewHit | {}) =>
};
};
+export const getIpOverviewHostAgg = (overviewHostHit: OverviewHostHit | {}) => {
+ const hostFields: HostEcsFields | null = getOr(
+ null,
+ `host.results.hits.hits[0]._source.host`,
+ overviewHostHit
+ );
+
+ return {
+ host: {
+ ...hostFields,
+ },
+ };
+};
+
const getDomainsEdges = (
response: DatabaseSearchResponse,
options: DomainsRequestOptions
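Review bot: `getIpOverviewHostAgg` is exported without documentation, and its one non-obvious property — that a missing hit becomes `{ host: {} }` by spreading `null` — is exactly what keeps the non-null `host: HostEcsFields!` schema field satisfied, so it deserves a TSDoc block such as `/** Most recent \`host\` object from the host.ip-filtered top_hits aggregation; yields \`{ host: {} }\` when nothing matched so IpOverviewData.host is never null. */`. The `HostEcsFields | null` annotation is also optimistic: `_source: ['host']` returns the raw Elasticsearch object (the server mock's `formattedHost` carries `hostname`, `containerized` and `os.kernel`, none of which exist on `HostEcsFields`), so those extra fields pass through this function and are only dropped later by GraphQL field selection — a `// NOTE: raw ES host object; fields outside HostEcsFields are filtered by the resolver` on the `getOr` line would save the next reader from trusting the type.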
diff --git a/x-pack/plugins/siem/server/lib/ip_details/mock.ts b/x-pack/plugins/siem/server/lib/ip_details/mock.ts
index a33d41d7e2484..b3429be2efbd2 100644
--- a/x-pack/plugins/siem/server/lib/ip_details/mock.ts
+++ b/x-pack/plugins/siem/server/lib/ip_details/mock.ts
@@ -52,46 +52,6 @@ export const responseAggs: IpOverviewHit = {
value: 1551388820000,
value_as_string: '2019-02-28T21:20:20.000Z',
},
- host: {
- doc_count: 882307,
- results: {
- hits: {
- total: {
- value: 882307,
- relation: 'eq',
- },
- max_score: null,
- hits: [
- {
- _index: 'packetbeat-8.0.0-2019.02.19-000001',
- _type: '_doc',
- _id: 'vX5Py2kBCQofM5eX2OEu',
- _score: null,
- _source: {
- host: {
- hostname: 'suricata-bangalore',
- os: {
- kernel: '4.15.0-45-generic',
- codename: 'bionic',
- name: 'Ubuntu',
- family: 'debian',
- version: '18.04.2 LTS (Bionic Beaver)',
- platform: 'ubuntu',
- },
- containerized: false,
- ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
- name: 'suricata-bangalore',
- id: '0a63559c1acf4c419d979c4b4d8b83ff',
- mac: ['ee:0b:1b:29:80:bd'],
- architecture: 'x86_64',
- },
- },
- sort: [1553894200003],
- },
- ],
- },
- },
- },
autonomous_system: {
doc_count: 0,
results: {
@@ -152,59 +112,62 @@ export const responseAggs: IpOverviewHit = {
value: 1551388804322,
value_as_string: '2019-02-28T21:20:04.322Z',
},
+ autonomous_system: {
+ doc_count: 0,
+ results: {
+ hits: {
+ total: {
+ value: 0,
+ relation: 'eq',
+ },
+ max_score: null,
+ hits: [],
+ },
+ },
+ },
+ },
+ host: {
+ doc_count: 1588091,
host: {
- doc_count: 1002234,
+ doc_count: 1588091,
results: {
hits: {
total: {
- value: 1002234,
+ value: 1588091,
relation: 'eq',
},
max_score: null,
hits: [
{
- _index: 'packetbeat-8.0.0-2019.02.19-000001',
+ _index: 'filebeat-8.0.0-2019.05.20-000004',
_type: '_doc',
- _id: 'vn5Py2kBCQofM5eX2OEu',
+ _id: 'NU9dD2sB9v5HJNSHMMRc',
_score: null,
_source: {
host: {
- hostname: 'suricata-bangalore',
+ hostname: 'suricata-iowa',
os: {
- kernel: '4.15.0-45-generic',
+ kernel: '4.15.0-1032-gcp',
codename: 'bionic',
name: 'Ubuntu',
family: 'debian',
version: '18.04.2 LTS (Bionic Beaver)',
platform: 'ubuntu',
},
- ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
+ ip: ['10.128.0.4', 'fe80::4001:aff:fe80:4'],
containerized: false,
- name: 'suricata-bangalore',
- id: '0a63559c1acf4c419d979c4b4d8b83ff',
- mac: ['ee:0b:1b:29:80:bd'],
+ name: 'suricata-iowa',
+ id: 'be1f3d767896212736b880e846876dcb',
+ mac: ['42:01:0a:80:00:04'],
architecture: 'x86_64',
},
},
- sort: [1553894200003],
+ sort: [1559330892000],
},
],
},
},
},
- autonomous_system: {
- doc_count: 0,
- results: {
- hits: {
- total: {
- value: 0,
- relation: 'eq',
- },
- max_score: null,
- hits: [],
- },
- },
- },
},
},
_shards: {
@@ -230,23 +193,6 @@ export const formattedDestination = {
firstSeen: '2019-02-28T21:20:20.000Z',
lastSeen: '2019-03-29T22:56:20.003Z',
autonomousSystem: {},
- host: {
- hostname: 'suricata-bangalore',
- os: {
- kernel: '4.15.0-45-generic',
- codename: 'bionic',
- name: 'Ubuntu',
- family: 'debian',
- version: '18.04.2 LTS (Bionic Beaver)',
- platform: 'ubuntu',
- },
- containerized: false,
- ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
- name: 'suricata-bangalore',
- id: '0a63559c1acf4c419d979c4b4d8b83ff',
- mac: ['ee:0b:1b:29:80:bd'],
- architecture: 'x86_64',
- },
geo: {
continent_name: 'Asia',
region_iso_code: 'IN-KA',
@@ -266,23 +212,6 @@ export const formattedSource = {
firstSeen: '2019-02-28T21:20:04.322Z',
lastSeen: '2019-03-29T22:56:20.003Z',
autonomousSystem: {},
- host: {
- hostname: 'suricata-bangalore',
- os: {
- kernel: '4.15.0-45-generic',
- codename: 'bionic',
- name: 'Ubuntu',
- family: 'debian',
- version: '18.04.2 LTS (Bionic Beaver)',
- platform: 'ubuntu',
- },
- containerized: false,
- ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
- name: 'suricata-bangalore',
- id: '0a63559c1acf4c419d979c4b4d8b83ff',
- mac: ['ee:0b:1b:29:80:bd'],
- architecture: 'x86_64',
- },
geo: {
continent_name: 'Asia',
region_iso_code: 'IN-KA',
@@ -297,12 +226,31 @@ export const formattedSource = {
},
};
+export const formattedHost = {
+ host: {
+ hostname: 'suricata-iowa',
+ os: {
+ kernel: '4.15.0-1032-gcp',
+ codename: 'bionic',
+ name: 'Ubuntu',
+ family: 'debian',
+ version: '18.04.2 LTS (Bionic Beaver)',
+ platform: 'ubuntu',
+ },
+ ip: ['10.128.0.4', 'fe80::4001:aff:fe80:4'],
+ containerized: false,
+ name: 'suricata-iowa',
+ id: 'be1f3d767896212736b880e846876dcb',
+ mac: ['42:01:0a:80:00:04'],
+ architecture: 'x86_64',
+ },
+};
+
export const formattedEmptySource = {
source: {
firstSeen: null,
lastSeen: null,
autonomousSystem: {},
- host: {},
geo: {},
},
};
diff --git a/x-pack/plugins/siem/server/lib/ip_details/query_overview.dsl.ts b/x-pack/plugins/siem/server/lib/ip_details/query_overview.dsl.ts
index 16b001f74a892..78f70c7cfbde4 100644
--- a/x-pack/plugins/siem/server/lib/ip_details/query_overview.dsl.ts
+++ b/x-pack/plugins/siem/server/lib/ip_details/query_overview.dsl.ts
@@ -45,17 +45,17 @@ const getAggs = (type: string, ip: string) => {
},
},
},
- host: {
+ geo: {
filter: {
exists: {
- field: 'host',
+ field: `${type}.geo`,
},
},
aggs: {
results: {
top_hits: {
size: 1,
- _source: ['host'],
+ _source: [`${type}.geo`],
sort: [
{
'@timestamp': 'desc',
@@ -65,17 +65,31 @@ const getAggs = (type: string, ip: string) => {
},
},
},
- geo: {
+ },
+ },
+ };
+};
+
+const getHostAggs = (ip: string) => {
+ return {
+ host: {
+ filter: {
+ term: {
+ 'host.ip': ip,
+ },
+ },
+ aggs: {
+ host: {
filter: {
exists: {
- field: `${type}.geo`,
+ field: 'host',
},
},
aggs: {
results: {
top_hits: {
size: 1,
- _source: [`${type}.geo`],
+ _source: ['host'],
sort: [
{
'@timestamp': 'desc',
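Review bot: The inner `host` sub-aggregation's `exists: { field: 'host' }` filter is redundant once the outer `term: { 'host.ip': ip }` filter applies, since any document with a matching `host.ip` necessarily has a `host` object; the extra layer also forces the adapter to read `host.results.hits.hits[0]` one level deeper than it needs to. Unless the nesting is kept deliberately to mirror the `source`/`destination` aggregation shape, placing `aggs: { results: { top_hits: … } }` directly under the `term` filter and shortening the adapter's `getOr` path to `results.hits.hits[0]._source.host` would simplify both sides. `ip` reaches Elasticsearch as a structured `term` value rather than query-string text, so there is no injection path here, but equality on `host.ip` assumes that field is mapped as type `ip` across every index in `defaultIndex`, and a malformed value surfaces as an Elasticsearch 400 — presumably the outer `bool` query (outside this hunk) already filters on the same value. `getHostAggs` closes outside this hunk.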
@@ -99,6 +113,7 @@ export const buildOverviewQuery = ({ defaultIndex, ip }: IpOverviewRequestOption
aggs: {
...getAggs('source', ip),
...getAggs('destination', ip),
+ ...getHostAggs(ip),
},
query: {
bool: {
diff --git a/x-pack/plugins/siem/server/lib/ip_details/types.ts b/x-pack/plugins/siem/server/lib/ip_details/types.ts
index 241d6ee233032..e6e5e7c1caa67 100644
--- a/x-pack/plugins/siem/server/lib/ip_details/types.ts
+++ b/x-pack/plugins/siem/server/lib/ip_details/types.ts
@@ -57,7 +57,6 @@ export interface OverviewHit {
};
doc_count: number;
geo: ResultHit