diff --git a/x-pack/legacy/plugins/siem/public/components/bytes/index.test.tsx b/x-pack/legacy/plugins/siem/public/components/bytes/index.test.tsx
new file mode 100644
index 00000000000000..a660475e7e5e6b
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/public/components/bytes/index.test.tsx
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { mount } from 'enzyme';
+import * as React from 'react';
+
+import { TestProviders } from '../../mock';
+import { PreferenceFormattedBytes } from '../formatted_bytes';
+
+import { Bytes } from '.';
+
+describe('Bytes', () => {
+ test('it renders the expected formatted bytes', () => {
+ const wrapper = mount(
+
+
+
+ );
+ expect(
+ wrapper
+ .find(PreferenceFormattedBytes)
+ .first()
+ .text()
+ ).toEqual('1.177MB');
+ });
+});
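Review bot: The only case covered is a single present value that renders as `'1.177MB'`; the component under test declares `value?: string | null`, so a second case mounting `Bytes` with `value` omitted and with `value={null}` would pin how absent input renders instead of leaving it to the sibling component. The JSX passed to `mount(...)` is not present in the extracted hunk, so the props used here could not be checked against the component's interface.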
diff --git a/x-pack/legacy/plugins/siem/public/components/bytes/index.tsx b/x-pack/legacy/plugins/siem/public/components/bytes/index.tsx
new file mode 100644
index 00000000000000..4ae8a76653633d
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/public/components/bytes/index.tsx
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import * as React from 'react';
+
+import { DefaultDraggable } from '../draggables';
+import { PreferenceFormattedBytes } from '../formatted_bytes';
+
+export const BYTES_FORMAT = 'bytes';
+
+/**
+ * Renders draggable text containing the value of a field representing a
+ * duration of time, (e.g. `event.duration`)
+ */
+export const Bytes = React.memo<{
+ contextId: string;
+ eventId: string;
+ fieldName: string;
+ value?: string | null;
+}>(({ contextId, eventId, fieldName, value }) => (
+
+
+
+));
+
+Bytes.displayName = 'Bytes';
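Review bot: The TSDoc on `Bytes` describes "a field representing a duration of time, (e.g. `event.duration`)", which does not match a component that exports `BYTES_FORMAT = 'bytes'` and delegates to `PreferenceFormattedBytes`; it reads like a comment carried over from a duration component. Suggest replacing it with `Renders draggable text containing the value of a field that holds a byte count (e.g. \`destination.bytes\`)`. The JSX returned by the memo callback (the lines between `=> (` and `));`) is missing from the extracted hunk, so the rendering path itself, including how a `null` or `undefined` `value` is handled, could not be reviewed here.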
diff --git a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap
index 59727fe3c7a4e4..d53025bd15cb17 100644
--- a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap
@@ -16,6 +16,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"example": "8a4f500f",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -30,6 +31,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "agent",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -44,6 +46,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"example": "8a4f500d",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -58,6 +61,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"example": "foo",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -76,6 +80,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -88,6 +93,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -100,6 +106,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -116,6 +123,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"example": "2016-05-23T08:05:34.853Z",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -134,6 +142,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -148,6 +157,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "client",
"description": "Bytes sent from the client to the server.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -162,6 +172,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "client",
"description": "Client domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -176,6 +187,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "client",
"description": "Country ISO code.",
"example": "CA",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -194,6 +206,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"example": "666777888999",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -208,6 +221,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "cloud",
"description": "Availability zone in which this host is running.",
"example": "us-east-1c",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -226,6 +240,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "container",
"description": "Unique container id.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -240,6 +255,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "container",
"description": "Name of the image the container was built on.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -254,6 +270,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "container",
"description": "Container image tag.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -272,6 +289,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -286,6 +304,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -300,6 +319,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "destination",
"description": "Destination domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -314,6 +334,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -328,6 +349,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "destination",
"description": "Port of the destination.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -346,6 +368,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat-*",
"filebeat-*",
@@ -365,6 +388,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -379,6 +403,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
"category": "source",
"description": "Port of the source.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
diff --git a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/draggable_wrapper.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/draggable_wrapper.test.tsx.snap
index 156af359273b8d..e64d607654dce4 100644
--- a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/draggable_wrapper.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/draggable_wrapper.test.tsx.snap
@@ -16,6 +16,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"example": "8a4f500f",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -30,6 +31,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -44,6 +46,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"example": "8a4f500d",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -58,6 +61,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"example": "foo",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -76,6 +80,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -88,6 +93,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -100,6 +106,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -116,6 +123,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"example": "2016-05-23T08:05:34.853Z",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -134,6 +142,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -148,6 +157,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Bytes sent from the client to the server.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -162,6 +172,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Client domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -176,6 +187,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Country ISO code.",
"example": "CA",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -194,6 +206,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"example": "666777888999",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -208,6 +221,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "cloud",
"description": "Availability zone in which this host is running.",
"example": "us-east-1c",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -226,6 +240,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "container",
"description": "Unique container id.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -240,6 +255,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "container",
"description": "Name of the image the container was built on.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -254,6 +270,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "container",
"description": "Container image tag.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -272,6 +289,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -286,6 +304,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -300,6 +319,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Destination domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -314,6 +334,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -328,6 +349,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Port of the destination.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -346,6 +368,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat-*",
"filebeat-*",
@@ -365,6 +388,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -379,6 +403,7 @@ exports[`DraggableWrapper rendering it renders against the snapshot 1`] = `
"category": "source",
"description": "Port of the source.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
diff --git a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/droppable_wrapper.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/droppable_wrapper.test.tsx.snap
index 170145db677402..1c9613e75a3522 100644
--- a/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/droppable_wrapper.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/drag_and_drop/__snapshots__/droppable_wrapper.test.tsx.snap
@@ -16,6 +16,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"example": "8a4f500f",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -30,6 +31,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -44,6 +46,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"example": "8a4f500d",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -58,6 +61,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"example": "foo",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -76,6 +80,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -88,6 +93,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -100,6 +106,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -116,6 +123,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"example": "2016-05-23T08:05:34.853Z",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -134,6 +142,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -148,6 +157,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Bytes sent from the client to the server.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -162,6 +172,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Client domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -176,6 +187,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "client",
"description": "Country ISO code.",
"example": "CA",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -194,6 +206,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"example": "666777888999",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -208,6 +221,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "cloud",
"description": "Availability zone in which this host is running.",
"example": "us-east-1c",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -226,6 +240,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "container",
"description": "Unique container id.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -240,6 +255,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "container",
"description": "Name of the image the container was built on.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -254,6 +270,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "container",
"description": "Container image tag.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -272,6 +289,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -286,6 +304,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -300,6 +319,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Destination domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -314,6 +334,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -328,6 +349,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "destination",
"description": "Port of the destination.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -346,6 +368,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat-*",
"filebeat-*",
@@ -365,6 +388,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -379,6 +403,7 @@ exports[`DroppableWrapper rendering it renders against the snapshot 1`] = `
"category": "source",
"description": "Port of the source.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
diff --git a/x-pack/legacy/plugins/siem/public/components/event_details/__snapshots__/event_details.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/event_details/__snapshots__/event_details.test.tsx.snap
index 1b6fe9e3a4f957..af0b6cea7dcc81 100644
--- a/x-pack/legacy/plugins/siem/public/components/event_details/__snapshots__/event_details.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/event_details/__snapshots__/event_details.test.tsx.snap
@@ -12,6 +12,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"example": "8a4f500f",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -26,6 +27,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "agent",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -40,6 +42,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"example": "8a4f500d",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -54,6 +57,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"example": "foo",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -72,6 +76,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -84,6 +89,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -96,6 +102,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -112,6 +119,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"example": "2016-05-23T08:05:34.853Z",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -130,6 +138,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -144,6 +153,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "client",
"description": "Bytes sent from the client to the server.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -158,6 +168,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "client",
"description": "Client domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -172,6 +183,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "client",
"description": "Country ISO code.",
"example": "CA",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -190,6 +202,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"example": "666777888999",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -204,6 +217,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "cloud",
"description": "Availability zone in which this host is running.",
"example": "us-east-1c",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -222,6 +236,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "container",
"description": "Unique container id.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -236,6 +251,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "container",
"description": "Name of the image the container was built on.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -250,6 +266,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "container",
"description": "Container image tag.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -268,6 +285,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -282,6 +300,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -296,6 +315,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "destination",
"description": "Destination domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -310,6 +330,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -324,6 +345,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "destination",
"description": "Port of the destination.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -342,6 +364,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat-*",
"filebeat-*",
@@ -361,6 +384,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -375,6 +399,7 @@ exports[`EventDetails rendering should match snapshot 1`] = `
"category": "source",
"description": "Port of the source.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -467,6 +492,17 @@ Can be one or multiple IPv4 or IPv6 addresses.",
"type": "ip",
"width": 180,
},
+ Object {
+ "aggregatable": true,
+ "category": "destination",
+ "columnHeaderType": "not-filtered",
+ "description": "Bytes sent from the source to the destination",
+ "example": "123",
+ "format": "bytes",
+ "id": "destination.bytes",
+ "type": "number",
+ "width": 180,
+ },
Object {
"aggregatable": true,
"category": "user",
diff --git a/x-pack/legacy/plugins/siem/public/components/event_details/columns.tsx b/x-pack/legacy/plugins/siem/public/components/event_details/columns.tsx
index d22c5e1255a647..c2675c21e1454a 100644
--- a/x-pack/legacy/plugins/siem/public/components/event_details/columns.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/event_details/columns.tsx
@@ -202,6 +202,7 @@ export const getColumns = ({
{
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a0',
searchable: true,
@@ -86,6 +87,7 @@ describe('helpers', () => {
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.ephemeral_id',
searchable: true,
@@ -96,6 +98,7 @@ describe('helpers', () => {
category: 'agent',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.hostname',
searchable: true,
@@ -125,6 +128,7 @@ describe('helpers', () => {
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a0',
searchable: true,
@@ -145,6 +149,7 @@ describe('helpers', () => {
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.ephemeral_id',
searchable: true,
@@ -155,6 +160,7 @@ describe('helpers', () => {
category: 'agent',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.hostname',
searchable: true,
@@ -205,6 +211,7 @@ describe('helpers', () => {
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.ephemeral_id',
searchable: true,
@@ -216,6 +223,7 @@ describe('helpers', () => {
description:
'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
example: '8a4f500d',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.id',
searchable: true,
@@ -231,6 +239,7 @@ describe('helpers', () => {
description:
'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
example: '666777888999',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'cloud.account.id',
searchable: true,
@@ -245,6 +254,7 @@ describe('helpers', () => {
category: 'container',
description: 'Unique container id.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'container.id',
searchable: true,
@@ -272,6 +282,7 @@ describe('helpers', () => {
category: 'agent',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.hostname',
searchable: true,
@@ -282,6 +293,7 @@ describe('helpers', () => {
category: 'client',
description: 'Client domain.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.domain',
searchable: true,
@@ -292,6 +304,7 @@ describe('helpers', () => {
category: 'client',
description: 'Country ISO code.',
example: 'CA',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.geo.country_iso_code',
searchable: true,
@@ -318,6 +331,7 @@ describe('helpers', () => {
category: 'agent',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.hostname',
searchable: true,
@@ -329,6 +343,7 @@ describe('helpers', () => {
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: '@timestamp',
searchable: true,
@@ -339,6 +354,7 @@ describe('helpers', () => {
category: 'client',
description: 'Client domain.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.domain',
searchable: true,
diff --git a/x-pack/legacy/plugins/siem/public/components/source_destination/country_flag.tsx b/x-pack/legacy/plugins/siem/public/components/source_destination/country_flag.tsx
index 704484947c4571..730d4f4e9f3382 100644
--- a/x-pack/legacy/plugins/siem/public/components/source_destination/country_flag.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/source_destination/country_flag.tsx
@@ -13,7 +13,7 @@ import { pure } from 'recompose';
* Example: `US` -> 🇺🇸
*/
export const getFlag = (countryCode: string): string | null =>
- countryCode.length === 2
+ countryCode && countryCode.length === 2
? countryCode
.toUpperCase()
.replace(/./g, c => String.fromCharCode(55356, 56741 + c.charCodeAt(0)))
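Review bot: The added guard `countryCode && countryCode.length === 2` contradicts the parameter's declared type `string`; if callers can pass `null` or `undefined` the signature should say so, otherwise the truthiness check only hides a type error. A two-character input that is not two ASCII letters still passes the check and is mapped by the `String.fromCharCode(55356, 56741 + …)` arithmetic to code points outside the regional-indicator range (or to an invalid surrogate for larger char codes). Consider `export const getFlag = (countryCode: string | null | undefined): string | null =>` with the condition `countryCode != null && /^[A-Za-z]{2}$/.test(countryCode)`, which keeps the existing non-flag result for everything else. The ternary's false branch lies outside the hunk.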
diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/__snapshots__/timeline.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/timeline/__snapshots__/timeline.test.tsx.snap
index 8747ef80944737..f2e097a10b7b6f 100644
--- a/x-pack/legacy/plugins/siem/public/components/timeline/__snapshots__/timeline.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/__snapshots__/timeline.test.tsx.snap
@@ -11,6 +11,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"example": "8a4f500f",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -25,6 +26,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -39,6 +41,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"example": "8a4f500d",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -53,6 +56,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"example": "foo",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -71,6 +75,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -83,6 +88,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -95,6 +101,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -111,6 +118,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"example": "2016-05-23T08:05:34.853Z",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -129,6 +137,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -143,6 +152,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Bytes sent from the client to the server.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -157,6 +167,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Client domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -171,6 +182,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Country ISO code.",
"example": "CA",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -189,6 +201,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"example": "666777888999",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -203,6 +216,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "cloud",
"description": "Availability zone in which this host is running.",
"example": "us-east-1c",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -221,6 +235,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "container",
"description": "Unique container id.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -235,6 +250,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "container",
"description": "Name of the image the container was built on.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -249,6 +265,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "container",
"description": "Container image tag.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -267,6 +284,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -281,6 +299,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -295,6 +314,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Destination domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -309,6 +329,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -323,6 +344,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Port of the destination.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -341,6 +363,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat-*",
"filebeat-*",
@@ -360,6 +383,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -374,6 +398,7 @@ exports[`Timeline rendering renders correctly against snapshot 1`] = `
"category": "source",
"description": "Port of the source.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -466,6 +491,17 @@ Can be one or multiple IPv4 or IPv6 addresses.",
"type": "ip",
"width": 180,
},
+ Object {
+ "aggregatable": true,
+ "category": "destination",
+ "columnHeaderType": "not-filtered",
+ "description": "Bytes sent from the source to the destination",
+ "example": "123",
+ "format": "bytes",
+ "id": "destination.bytes",
+ "type": "number",
+ "width": 180,
+ },
Object {
"aggregatable": true,
"category": "user",
diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap
index 8aa88f06d921b1..3e1c286f5fcb83 100644
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap
@@ -12,6 +12,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": "Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but \`agent.id\` does not.",
"example": "8a4f500f",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -26,6 +27,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -40,6 +42,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": "Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.",
"example": "8a4f500d",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -54,6 +57,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "agent",
"description": "Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.",
"example": "foo",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -72,6 +76,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -84,6 +89,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -96,6 +102,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "auditd",
"description": null,
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
],
@@ -112,6 +119,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "base",
"description": "Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.",
"example": "2016-05-23T08:05:34.853Z",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -130,6 +138,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -144,6 +153,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Bytes sent from the client to the server.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -158,6 +168,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Client domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -172,6 +183,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "client",
"description": "Country ISO code.",
"example": "CA",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -190,6 +202,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "cloud",
"description": "The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.",
"example": "666777888999",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -204,6 +217,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "cloud",
"description": "Availability zone in which this host is running.",
"example": "us-east-1c",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -222,6 +236,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "container",
"description": "Unique container id.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -236,6 +251,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "container",
"description": "Name of the image the container was built on.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -250,6 +266,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "container",
"description": "Container image tag.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -268,6 +285,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the \`.address\` field. Then it should be duplicated to \`.ip\` or \`.domain\`, depending on which one it is.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -282,6 +300,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Bytes sent from the destination to the source.",
"example": "184",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -296,6 +315,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Destination domain.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -310,6 +330,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -324,6 +345,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "destination",
"description": "Port of the destination.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -342,6 +364,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "event",
"description": "event.end contains the date when the event ended or when the activity was last observed.",
"example": null,
+ "format": "",
"indexes": Array [
"auditbeat-*",
"filebeat-*",
@@ -361,6 +384,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "source",
"description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
@@ -375,6 +399,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
"category": "source",
"description": "Port of the source.",
"example": "",
+ "format": "",
"indexes": Array [
"auditbeat",
"filebeat",
diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/column_header.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/column_header.tsx
index f2fc7834e9ba30..1de227a9a675b3 100644
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/column_header.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/column_headers/column_header.tsx
@@ -10,13 +10,14 @@ export type ColumnHeaderType = 'not-filtered' | 'text-filter';
/** The specification of a column header */
export interface ColumnHeader {
+ aggregatable?: boolean;
category?: string;
columnHeaderType: ColumnHeaderType;
description?: string;
example?: string;
+ format?: string;
id: ColumnId;
placeholder?: string;
type?: string;
- aggregatable?: boolean;
width: number;
}
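Review bot: `format?: string` is added to ColumnHeader without documentation, and it is a free-form string even though the only consumer in this change compares it against a single literal (`fieldFormat === BYTES_FORMAT`); a reader cannot tell what values are expected or what an empty string means. Suggest a TSDoc line above the field: `/** Field formatter name reported by the source for this column (e.g. 'bytes'); empty or absent when the field has no formatter */`. If the set of supported formats is meant to stay small, a string-literal union type would make that comparison type-checked rather than stringly-typed.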
diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/data_driven_columns/__snapshots__/index.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/timeline/body/data_driven_columns/__snapshots__/index.test.tsx.snap
index 127c1c5aeb2a88..e5e911e6616185 100644
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/data_driven_columns/__snapshots__/index.test.tsx.snap
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/data_driven_columns/__snapshots__/index.test.tsx.snap
@@ -103,6 +103,12 @@ exports[`Columns it renders the expected columns 1`] = `
"192.168.0.3",
],
},
+ Object {
+ "field": "destination.bytes",
+ "value": Array [
+ "123456",
+ ],
+ },
Object {
"field": "user.name",
"value": Array [
diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx
index 3ab89b22cde1da..d887f6fd8b9a05 100644
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx
@@ -10,6 +10,7 @@ import { pure } from 'recompose';
import { isNumber } from 'lodash/fp';
import { EuiToolTip, EuiFlexItem, EuiFlexGroup } from '@elastic/eui';
import { Duration, EVENT_DURATION_FIELD_NAME } from '../../../duration';
+import { Bytes, BYTES_FORMAT } from '../../../bytes';
import { getOrEmptyTagFromValue } from '../../../empty_value';
import { FormattedDate } from '../../../formatted_date';
@@ -19,12 +20,13 @@ import { Port, PORT_NAMES } from '../../../port';
import { DATE_FIELD_TYPE, IP_FIELD_TYPE, MESSAGE_FIELD_NAME } from './constants';
export const FormattedFieldValue = pure<{
- eventId: string;
contextId: string;
+ eventId: string;
+ fieldFormat?: string;
fieldName: string;
fieldType: string;
value: string | number | undefined | null;
-}>(({ eventId, contextId, fieldName, fieldType, value }) => {
+}>(({ eventId, contextId, fieldFormat, fieldName, fieldType, value }) => {
if (fieldType === IP_FIELD_TYPE) {
return (
);
+ } else if (fieldFormat === BYTES_FORMAT) {
+ return (
+
+ );
} else if (fieldName === MESSAGE_FIELD_NAME && value != null && value !== '') {
return (
{
{ field: 'host.name', value: ['apache'] },
{ field: 'source.ip', value: ['192.168.0.1'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['john.dee'] },
];
expect(deleted).toEqual(expected);
@@ -42,6 +43,7 @@ describe('helpers', () => {
{ field: 'host.name', value: ['apache'] },
{ field: 'source.ip', value: ['192.168.0.1'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['john.dee'] },
];
expect(deleted).toEqual(expected);
@@ -85,6 +87,7 @@ describe('helpers', () => {
{ field: 'host.name', value: ['apache'] },
{ field: 'source.ip', value: ['192.168.0.1'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: null },
];
expect(getValues('user.name', nullValue)).toBeUndefined();
@@ -99,6 +102,7 @@ describe('helpers', () => {
{ field: 'host.name', value: ['apache'] },
{ field: 'source.ip', value: ['192.168.0.1'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: undefined },
];
expect(getValues('user.name', nullValue)).toBeUndefined();
@@ -113,6 +117,7 @@ describe('helpers', () => {
{ field: 'host.name', value: ['apache'] },
{ field: 'source.ip', value: ['192.168.0.1'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name' },
];
expect(getValues('user.name', nullValue)).toBeUndefined();
diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.test.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.test.tsx
index 054597dcf01fa1..072dafb15515a8 100644
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.test.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.test.tsx
@@ -81,6 +81,21 @@ describe('plain_column_renderer', () => {
expect(wrapper.text()).toEqual('192.168.0.3');
});
+ test('should return the value of destination.bytes if destination.bytes has a valid value', () => {
+ const column = plainColumnRenderer.renderColumn({
+ columnName: 'destination.bytes',
+ eventId: _id,
+ values: getValues('destination.bytes', mockDatum),
+ field: defaultHeaders.find(h => h.id === 'destination.bytes')!,
+ });
+ const wrapper = mount(
+
+ {column}
+
+ );
+ expect(wrapper.text()).toEqual('120.563KB');
+ });
+
test('should return the value of event.action if event has a valid value', () => {
const column = plainColumnRenderer.renderColumn({
columnName: 'event.action',
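Review bot: The non-null assertion in `field: defaultHeaders.find(h => h.id === 'destination.bytes')!` means that if the fixture ever loses that header the test fails inside `renderColumn` with an unrelated TypeError instead of a clear message. Resolve the header first and fail explicitly: `const field = defaultHeaders.find(h => h.id === 'destination.bytes'); if (field == null) throw new Error('destination.bytes header missing from defaultHeaders');` and pass `field` to `renderColumn`. The expected text `'120.563KB'` also appears to bake in the formatter's default byte preference (the value presumably comes from the mock datum's 123456); a one-line comment stating the input bytes and that the default preference is assumed would make a later failure easier to diagnose.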
diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.tsx
index f7ad4c3164bb3f..e0a22b66eb511d 100644
--- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/plain_column_renderer.tsx
@@ -70,10 +70,10 @@ export const plainColumnRenderer: ColumnRenderer = {
// since ip fields may contain multiple IP addresses, return a FormattedIp here to avoid a "draggable of draggables"
return (
@@ -89,8 +89,9 @@ export const plainColumnRenderer: ColumnRenderer = {
key={`timeline-draggable-column-${columnName}-for-event-${eventId}-${field.id}--${value}`}
>
) : (
{
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
+ format: '',
id: '@timestamp',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: '@timestamp',
@@ -33,6 +34,7 @@ describe('stateful_body', () => {
columnHeaderType: 'not-filtered',
description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
+ format: '',
id: 'source.ip',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'source.ip',
@@ -47,6 +49,7 @@ describe('stateful_body', () => {
description:
'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
+ format: '',
id: 'destination.ip',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.ip',
diff --git a/x-pack/legacy/plugins/siem/public/containers/source/index.gql_query.ts b/x-pack/legacy/plugins/siem/public/containers/source/index.gql_query.ts
index d5a5ea18fb4ea1..1f9ba09167e1e9 100644
--- a/x-pack/legacy/plugins/siem/public/containers/source/index.gql_query.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/source/index.gql_query.ts
@@ -21,6 +21,7 @@ export const sourceQuery = gql`
searchable
type
aggregatable
+ format
}
}
}
diff --git a/x-pack/legacy/plugins/siem/public/containers/source/index.tsx b/x-pack/legacy/plugins/siem/public/containers/source/index.tsx
index bab4e29651cc86..18b2641a160082 100644
--- a/x-pack/legacy/plugins/siem/public/containers/source/index.tsx
+++ b/x-pack/legacy/plugins/siem/public/containers/source/index.tsx
@@ -22,11 +22,12 @@ export interface BrowserField {
category: string;
description: string | null;
example: string | number | null;
+ fields: Readonly>>;
+ format: string;
indexes: string[];
name: string;
searchable: boolean;
type: string;
- fields: Readonly>>;
}
export type BrowserFields = Readonly>>;
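Review bot: `format: string` is declared required and non-nullable on BrowserField, unlike the sibling `description: string | null` and `example: string | number | null`. The resolver is not in this chunk, so it is only inferred, but if fields without a formatter come back as `null` from the `format` selection added to `sourceQuery` the type would be a lie and any string method on it would throw, whereas the mocks in this change use `''`. Either declare it `format: string | null;` to match the neighbouring fields, or document at the field that the server normalizes a missing formatter to an empty string: `/** Server-supplied field formatter name, or '' when the field has none */`.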
diff --git a/x-pack/legacy/plugins/siem/public/containers/source/mock.ts b/x-pack/legacy/plugins/siem/public/containers/source/mock.ts
index c55145a4aac52c..e66f54ac6eb352 100644
--- a/x-pack/legacy/plugins/siem/public/containers/source/mock.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/source/mock.ts
@@ -57,6 +57,7 @@ export const mocksSource = [
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: '@timestamp',
searchable: true,
@@ -68,6 +69,7 @@ export const mocksSource = [
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.ephemeral_id',
searchable: true,
@@ -78,6 +80,7 @@ export const mocksSource = [
category: 'agent',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.hostname',
searchable: true,
@@ -89,6 +92,7 @@ export const mocksSource = [
description:
'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
example: '8a4f500d',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.id',
searchable: true,
@@ -100,6 +104,7 @@ export const mocksSource = [
description:
'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
example: 'foo',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.name',
searchable: true,
@@ -110,6 +115,7 @@ export const mocksSource = [
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a0',
searchable: true,
@@ -120,6 +126,7 @@ export const mocksSource = [
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a1',
searchable: true,
@@ -130,6 +137,7 @@ export const mocksSource = [
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a2',
searchable: true,
@@ -141,6 +149,7 @@ export const mocksSource = [
description:
'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.address',
searchable: true,
@@ -151,6 +160,7 @@ export const mocksSource = [
category: 'client',
description: 'Bytes sent from the client to the server.',
example: '184',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.bytes',
searchable: true,
@@ -161,6 +171,7 @@ export const mocksSource = [
category: 'client',
description: 'Client domain.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.domain',
searchable: true,
@@ -171,6 +182,7 @@ export const mocksSource = [
category: 'client',
description: 'Country ISO code.',
example: 'CA',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.geo.country_iso_code',
searchable: true,
@@ -182,6 +194,7 @@ export const mocksSource = [
description:
'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
example: '666777888999',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'cloud.account.id',
searchable: true,
@@ -192,6 +205,7 @@ export const mocksSource = [
category: 'cloud',
description: 'Availability zone in which this host is running.',
example: 'us-east-1c',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'cloud.availability_zone',
searchable: true,
@@ -202,6 +216,7 @@ export const mocksSource = [
category: 'container',
description: 'Unique container id.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'container.id',
searchable: true,
@@ -212,6 +227,7 @@ export const mocksSource = [
category: 'container',
description: 'Name of the image the container was built on.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'container.image.name',
searchable: true,
@@ -222,6 +238,7 @@ export const mocksSource = [
category: 'container',
description: 'Container image tag.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'container.image.tag',
searchable: true,
@@ -233,6 +250,7 @@ export const mocksSource = [
description:
'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.address',
searchable: true,
@@ -243,6 +261,7 @@ export const mocksSource = [
category: 'destination',
description: 'Bytes sent from the destination to the source.',
example: '184',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.bytes',
searchable: true,
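Review bot: `destination.bytes` is mocked here with `format: ''`, while the same ECS byte-count field is given `format: 'bytes'` in the new `defaultHeaders` mock and `client.bytes` is expected to carry `format: 'bytes'` in the beat-schema test of this change, so the two mock sources disagree about the one field this feature is about. Any client test that derives column headers or cell rendering from `mocksSource`/`mockBrowserFields` will presumably never hit the bytes-formatting path with this value; consider `format: 'bytes',` for `client.bytes` and `destination.bytes` (and `source.bytes` if present elsewhere in the mock) so the fixtures reflect the real schema.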
@@ -253,6 +272,7 @@ export const mocksSource = [
category: 'destination',
description: 'Destination domain.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.domain',
searchable: true,
@@ -265,6 +285,7 @@ export const mocksSource = [
description:
'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.ip',
searchable: true,
@@ -275,6 +296,7 @@ export const mocksSource = [
category: 'destination',
description: 'Port of the destination.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.port',
searchable: true,
@@ -286,6 +308,7 @@ export const mocksSource = [
description:
'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'source.ip',
searchable: true,
@@ -296,6 +319,7 @@ export const mocksSource = [
category: 'source',
description: 'Port of the source.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'source.port',
searchable: true,
@@ -307,6 +331,7 @@ export const mocksSource = [
description:
'event.end contains the date when the event ended or when the activity was last observed.',
example: null,
+ format: '',
indexes: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
name: 'event.end',
searchable: true,
@@ -357,6 +382,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.ephemeral_id',
searchable: true,
@@ -367,6 +393,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'agent',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.hostname',
searchable: true,
@@ -378,6 +405,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
example: '8a4f500d',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.id',
searchable: true,
@@ -389,6 +417,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
example: 'foo',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'agent.name',
searchable: true,
@@ -403,6 +432,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a0',
searchable: true,
@@ -413,6 +443,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a1',
searchable: true,
@@ -423,6 +454,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'auditd',
description: null,
example: null,
+ format: '',
indexes: ['auditbeat'],
name: 'auditd.data.a2',
searchable: true,
@@ -438,6 +470,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
example: '2016-05-23T08:05:34.853Z',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: '@timestamp',
searchable: true,
@@ -453,6 +486,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.address',
searchable: true,
@@ -463,6 +497,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'client',
description: 'Bytes sent from the client to the server.',
example: '184',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.bytes',
searchable: true,
@@ -473,6 +508,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'client',
description: 'Client domain.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.domain',
searchable: true,
@@ -483,6 +519,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'client',
description: 'Country ISO code.',
example: 'CA',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'client.geo.country_iso_code',
searchable: true,
@@ -498,6 +535,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
example: '666777888999',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'cloud.account.id',
searchable: true,
@@ -508,6 +546,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'cloud',
description: 'Availability zone in which this host is running.',
example: 'us-east-1c',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'cloud.availability_zone',
searchable: true,
@@ -522,6 +561,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'container',
description: 'Unique container id.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'container.id',
searchable: true,
@@ -532,6 +572,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'container',
description: 'Name of the image the container was built on.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'container.image.name',
searchable: true,
@@ -542,6 +583,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'container',
description: 'Container image tag.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'container.image.tag',
searchable: true,
@@ -557,6 +599,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.address',
searchable: true,
@@ -567,6 +610,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'destination',
description: 'Bytes sent from the destination to the source.',
example: '184',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.bytes',
searchable: true,
@@ -577,6 +621,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'destination',
description: 'Destination domain.',
example: null,
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.domain',
searchable: true,
@@ -588,6 +633,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.ip',
searchable: true,
@@ -598,6 +644,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'destination',
description: 'Port of the destination.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'destination.port',
searchable: true,
@@ -612,6 +659,7 @@ export const mockBrowserFields: BrowserFields = {
description:
'event.end contains the date when the event ended or when the activity was last observed.',
example: null,
+ format: '',
indexes: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
name: 'event.end',
searchable: true,
@@ -627,6 +675,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'source',
description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'source.ip',
searchable: true,
@@ -637,6 +686,7 @@ export const mockBrowserFields: BrowserFields = {
category: 'source',
description: 'Port of the source.',
example: '',
+ format: '',
indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: 'source.port',
searchable: true,
diff --git a/x-pack/legacy/plugins/siem/public/graphql/introspection.json b/x-pack/legacy/plugins/siem/public/graphql/introspection.json
index fe0187f93d2a51..a2636c2a59d0a3 100644
--- a/x-pack/legacy/plugins/siem/public/graphql/introspection.json
+++ b/x-pack/legacy/plugins/siem/public/graphql/introspection.json
@@ -2335,6 +2335,14 @@
"type": { "kind": "SCALAR", "name": "String", "ofType": null },
"isDeprecated": false,
"deprecationReason": null
+ },
+ {
+ "name": "format",
+ "description": "",
+ "args": [],
+ "type": { "kind": "SCALAR", "name": "String", "ofType": null },
+ "isDeprecated": false,
+ "deprecationReason": null
}
],
"inputFields": null,
diff --git a/x-pack/legacy/plugins/siem/public/graphql/types.ts b/x-pack/legacy/plugins/siem/public/graphql/types.ts
index 49eb6ef8fd68a5..0ce592e2674515 100644
--- a/x-pack/legacy/plugins/siem/public/graphql/types.ts
+++ b/x-pack/legacy/plugins/siem/public/graphql/types.ts
@@ -197,6 +197,8 @@ export interface IndexField {
aggregatable: boolean;
/** Description of the field */
description?: string | null;
+
+ format?: string | null;
}
export interface AuthenticationsData {
@@ -3564,6 +3566,8 @@ export namespace SourceQuery {
type: string;
aggregatable: boolean;
+
+ format?: string | null;
};
}
diff --git a/x-pack/legacy/plugins/siem/public/mock/header.ts b/x-pack/legacy/plugins/siem/public/mock/header.ts
index fd88b86c21b591..387e16ebeb3d6a 100644
--- a/x-pack/legacy/plugins/siem/public/mock/header.ts
+++ b/x-pack/legacy/plugins/siem/public/mock/header.ts
@@ -87,6 +87,17 @@ export const defaultHeaders: ColumnHeader[] = [
aggregatable: true,
width: DEFAULT_COLUMN_MIN_WIDTH,
},
+ {
+ aggregatable: true,
+ category: 'destination',
+ columnHeaderType: defaultColumnHeaderType,
+ description: 'Bytes sent from the source to the destination',
+ example: '123',
+ format: 'bytes',
+ id: 'destination.bytes',
+ type: 'number',
+ width: DEFAULT_COLUMN_MIN_WIDTH,
+ },
{
category: 'user',
columnHeaderType: defaultColumnHeaderType,
diff --git a/x-pack/legacy/plugins/siem/public/mock/mock_timeline_data.ts b/x-pack/legacy/plugins/siem/public/mock/mock_timeline_data.ts
index 60112095caa034..997e3d2704cec6 100644
--- a/x-pack/legacy/plugins/siem/public/mock/mock_timeline_data.ts
+++ b/x-pack/legacy/plugins/siem/public/mock/mock_timeline_data.ts
@@ -17,6 +17,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['apache'] },
{ field: 'source.ip', value: ['192.168.0.1'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['john.dee'] },
],
ecs: {
@@ -45,6 +46,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['nginx'] },
{ field: 'source.ip', value: ['192.168.0.3'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['evan.davis'] },
],
ecs: {
@@ -73,6 +75,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['suricata'] },
{ field: 'source.ip', value: ['192.168.0.3'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['jenny.jones'] },
],
ecs: {
@@ -113,6 +116,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.3'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['becky.davis'] },
],
ecs: {
@@ -141,6 +145,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['braden.davis'] },
{ field: 'source.ip', value: ['192.168.0.6'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
],
ecs: {
_id: '6',
@@ -167,6 +172,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.8'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['jone.doe'] },
],
ecs: {
@@ -205,6 +211,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.7'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['jone.doe'] },
],
ecs: {
@@ -233,6 +240,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.9'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['jone.doe'] },
],
ecs: {
@@ -261,6 +269,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.10'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['jone.doe'] },
],
ecs: {
@@ -289,6 +298,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.11'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['jone.doe'] },
],
ecs: {
@@ -317,6 +327,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.12'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['jone.doe'] },
],
ecs: {
@@ -345,6 +356,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.2'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['joe.bob'] },
],
ecs: {
@@ -373,6 +385,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['joe.computer'] },
{ field: 'source.ip', value: ['192.168.0.8'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
],
ecs: {
_id: '13',
@@ -1359,6 +1372,7 @@ export const mockTimelineData: TimelineItem[] = [
{ field: 'host.name', value: ['apache'] },
{ field: 'source.ip', value: ['192.168.0.1'] },
{ field: 'destination.ip', value: ['192.168.0.3'] },
+ { field: 'destination.bytes', value: ['123456'] },
{ field: 'user.name', value: ['john.dee'] },
],
ecs: {
diff --git a/x-pack/legacy/plugins/siem/server/graphql/source_status/schema.gql.ts b/x-pack/legacy/plugins/siem/server/graphql/source_status/schema.gql.ts
index 3b1b610dd41dc0..e484b60f8f3643 100644
--- a/x-pack/legacy/plugins/siem/server/graphql/source_status/schema.gql.ts
+++ b/x-pack/legacy/plugins/siem/server/graphql/source_status/schema.gql.ts
@@ -25,6 +25,7 @@ export const sourceStatusSchema = gql`
aggregatable: Boolean!
"Description of the field"
description: String
+ format: String
}
extend type SourceStatus {
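Review bot: The new `format: String` field is the only member of this type without a GraphQL description string, whereas its sibling `description` is documented with `"Description of the field"` directly above it, and the generated introspection in this change consequently carries `"description": ""` for it. Since the only value this diff shows flowing into it is `'bytes'` from the beat schema, a one-line doc such as `"Formatter hint for rendering the field's value, taken from the beat schema (e.g. bytes); null when the schema defines none"` would tell API consumers both the origin and the nullability of the value.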
diff --git a/x-pack/legacy/plugins/siem/server/graphql/types.ts b/x-pack/legacy/plugins/siem/server/graphql/types.ts
index b0c43011b2b211..b35a5c34386d0e 100644
--- a/x-pack/legacy/plugins/siem/server/graphql/types.ts
+++ b/x-pack/legacy/plugins/siem/server/graphql/types.ts
@@ -226,6 +226,8 @@ export interface IndexField {
aggregatable: boolean;
/** Description of the field */
description?: string | null;
+
+ format?: string | null;
}
export interface AuthenticationsData {
@@ -3005,6 +3007,8 @@ export namespace IndexFieldResolvers {
aggregatable?: AggregatableResolver;
/** Description of the field */
description?: DescriptionResolver;
+
+ format?: FormatResolver;
}
export type CategoryResolver = Resolver<
@@ -3047,6 +3051,11 @@ export namespace IndexFieldResolvers {
Parent = IndexField,
Context = SiemContext
> = Resolver;
+ export type FormatResolver<
+ R = string | null,
+ Parent = IndexField,
+ Context = SiemContext
+ > = Resolver;
}
export namespace AuthenticationsDataResolvers {
diff --git a/x-pack/legacy/plugins/siem/server/lib/framework/types.ts b/x-pack/legacy/plugins/siem/server/lib/framework/types.ts
index 4870a5189597e2..fcce88b2a7aa06 100644
--- a/x-pack/legacy/plugins/siem/server/lib/framework/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/framework/types.ts
@@ -118,12 +118,12 @@ export interface MappingResponse {
}
interface FrameworkIndexFieldDescriptor {
- name: string;
- type: string;
- searchable: boolean;
aggregatable: boolean;
- readFromDocValues: boolean;
esTypes: string[];
+ name: string;
+ readFromDocValues: boolean;
+ searchable: boolean;
+ type: string;
}
export interface FrameworkIndexPatternsService {
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts
index 25508500ed199e..2be7724f4097fe 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts
@@ -123,6 +123,7 @@ describe('Schema Beat', () => {
'client.bytes': {
description: 'Bytes sent from the client to the server.',
example: 184,
+ format: 'bytes',
name: 'bytes',
type: 'long',
},
@@ -303,6 +304,7 @@ describe('Schema Beat', () => {
'client.bytes': {
description: 'Bytes sent from the client to the server.',
example: 184,
+ format: 'bytes',
name: 'bytes',
type: 'long',
},
@@ -483,6 +485,7 @@ describe('Schema Beat', () => {
'client.bytes': {
description: 'Bytes sent from the client to the server.',
example: 184,
+ format: 'bytes',
name: 'bytes',
type: 'long',
},
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts
index 8c55b768e39e19..aaa171c6befd9c 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts
@@ -30,7 +30,7 @@ export const convertSchemaToAssociativeArray = (schema: Schema): OutputSchema =>
return accumulator;
}, {});
-const paramsToPick = ['description', 'example', 'name', 'type'];
+const paramsToPick = ['description', 'example', 'name', 'type', 'format'];
const onlyStringOrNumber = (fields: object) =>
Object.keys(fields).reduce((acc, item) => {
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts
index 97ca4d6f2b35df..f34519da34ee8a 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts
@@ -85,6 +85,7 @@ export interface RequiredSchemaField {
example: string | number;
name: string;
type: string;
+ format: string;
fields: Readonly>>;
}
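Review bot: `format: string` is added to `RequiredSchemaField` as a required property, but the beat-schema pick list in this same change (`paramsToPick = [..., 'format']`) only copies `format` when the schema entry has one, and the test fixtures show it only on `client.bytes`; most ECS fields presumably have no `format`, so objects typed as `RequiredSchemaField` will routinely lack it and the type lies to callers. `format?: string;` matches what the pick actually produces and what the GraphQL `format: String` (nullable) exposes. Minor: the field was appended after `type` rather than in the alphabetical order the rest of this interface and the reordered `FrameworkIndexFieldDescriptor` in this diff follow.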