"use strict";

/*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */

// Risk-score index/transform configuration: ILM policy, field mappings and
// the naming helpers used to derive per-namespace index templates, aliases
// and transform ids.

Object.defineProperty(exports, "__esModule", { value: true });
// Every export is bound to undefined up front so the module's export shape is
// fixed before any of the values below are assigned.
exports.totalFieldsLimit = exports.riskScoreFieldMap = exports.mappingComponentName = exports.ilmPolicyName = exports.ilmPolicy = exports.getTransformOptions = exports.getLatestTransformId = exports.getIndexPatternDataStream = void 0;

var _risk_engine = require("../../../common/risk_engine");

/**
 * ILM policy for the risk score index. Only a hot phase is declared: the
 * index rolls over after 30 days or once a primary shard reaches 50gb. No
 * delete phase is defined here, so this policy on its own never removes data.
 */
const ilmPolicy = {
  _meta: { managed: true },
  phases: {
    hot: {
      actions: {
        rollover: {
          max_age: '30d',
          max_primary_shard_size: '50gb',
        },
      },
    },
  },
};
exports.ilmPolicy = ilmPolicy;

/**
 * Builds one field-map entry. Every risk field is optional (`required: false`);
 * only `inputs` is an array field.
 *
 * @param {string} type - Elasticsearch field type.
 * @param {boolean} [array=false] - whether the field holds an array of values.
 * @returns {{ type: string, array: boolean, required: boolean }}
 */
const field = (type, array = false) => ({ type, array, required: false });

// Field definitions shared by every identity type (host, user). Keys are the
// suffixes that get prefixed with `<identity>.risk.` by buildIdentityRiskFields.
const commonRiskFields = {
  id_field: field('keyword'),
  id_value: field('keyword'),
  calculated_level: field('keyword'),
  calculated_score: field('float'),
  calculated_score_norm: field('float'),
  category_1_score: field('float'),
  category_1_count: field('long'),
  inputs: field('object', true),
  'inputs.id': field('keyword'),
  'inputs.index': field('keyword'),
  'inputs.category': field('keyword'),
  'inputs.description': field('keyword'),
  'inputs.risk_score': field('float'),
  'inputs.timestamp': field('date'),
  notes: field('keyword'),
};

/**
 * Prefixes every common risk field with `<identifierType>.risk.`.
 *
 * @param {string} identifierType - identity type, e.g. a RiskScoreEntity value.
 * @returns {Record<string, object>} field map keyed by the prefixed names; the
 *   value objects are the shared commonRiskFields entries, not copies.
 */
const buildIdentityRiskFields = (identifierType) => {
  const prefixed = {};
  for (const [key, spec] of Object.entries(commonRiskFields)) {
    prefixed[`${identifierType}.risk.${key}`] = spec;
  }
  return prefixed;
};

/**
 * Complete field map for the risk score index: timestamp, the host/user name
 * and risk object fields, plus the per-identity risk fields. Insertion order
 * is kept as written (host block, then user block).
 */
const riskScoreFieldMap = {
  '@timestamp': field('date'),
  'host.name': field('keyword'),
  'host.risk': field('object'),
  ...buildIdentityRiskFields(_risk_engine.RiskScoreEntity.host),
  'user.name': field('keyword'),
  'user.risk': field('object'),
  ...buildIdentityRiskFields(_risk_engine.RiskScoreEntity.user),
};
exports.riskScoreFieldMap = riskScoreFieldMap;

// Name of the ILM policy installed from `ilmPolicy`.
const ilmPolicyName = '.risk-score-ilm-policy';
exports.ilmPolicyName = ilmPolicyName;

// Name of the component template carrying `riskScoreFieldMap`.
const mappingComponentName = '.risk-score-mappings';
exports.mappingComponentName = mappingComponentName;

// Upper bound on the number of mapped fields in the risk score index.
const totalFieldsLimit = 1000;
exports.totalFieldsLimit = totalFieldsLimit;

/**
 * Derives the index template name and data stream alias for a namespace.
 * `namespace` is interpolated verbatim — nothing here validates or escapes it,
 * so callers are expected to pass an already-validated space identifier.
 *
 * @param {string} namespace - Kibana space / namespace identifier.
 * @returns {{ template: string, alias: string }}
 */
const getIndexPatternDataStream = (namespace) => {
  const base = _risk_engine.riskScoreBaseIndexName;
  const template = `.${base}.${base}-${namespace}-index-template`;
  const alias = `${base}.${base}-${namespace}`;
  return { template, alias };
};
exports.getIndexPatternDataStream = getIndexPatternDataStream;

/**
 * Transform id for the "latest" risk score transform of a namespace. As with
 * getIndexPatternDataStream, `namespace` is used unmodified.
 *
 * @param {string} namespace
 * @returns {string}
 */
const getLatestTransformId = (namespace) => `risk_score_latest_transform_${namespace}`;
exports.getLatestTransformId = getLatestTransformId;

/**
 * Options for the "latest" transform: keeps the most recent document per
 * host.name / user.name (sorted by @timestamp), runs hourly, and syncs on
 * @timestamp with a 2s delay.
 *
 * @param {{ dest: string, source: string }} indices - destination and source index names.
 * @returns {object} transform configuration body.
 */
const getTransformOptions = ({ dest, source }) => {
  const latest = {
    sort: '@timestamp',
    unique_key: ['host.name', 'user.name'],
  };
  const sync = {
    time: { delay: '2s', field: '@timestamp' },
  };
  return {
    dest: { index: dest },
    frequency: '1h',
    latest,
    source: { index: source },
    sync,
  };
};
exports.getTransformOptions = getTransformOptions;