Add entity definitions for user, service, and generic entity types (#249637)

closes #246849

Author: orouz

x-pack/solutions/security/plugins/entity_store/server/domain/definitions/generic.ts

@@ -0,0 +1,104 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { newestValue } from './field_retention_operations';
+import type { EntityDefinitionWithoutId } from './entity_schema';
+import { getCommonFieldDescriptions, getEntityFieldsDescriptions } from './common_fields';
+
+export const GENERIC_IDENTITY_FIELD = 'entity.id';
+
+export const genericEntityDefinition: EntityDefinitionWithoutId = {
+  type: 'generic',
+  name: `Security 'generic' Entity Store Definition`,
+  identityFields: [{ field: GENERIC_IDENTITY_FIELD, mapping: { type: 'keyword' } }],
+  indexPatterns: [],
+  fields: [
+    ...getEntityFieldsDescriptions(),
+
+    newestValue({ source: 'cloud.account.id' }),
+    newestValue({ source: 'cloud.account.name' }),
+    newestValue({ source: 'cloud.availability_zone' }),
+    newestValue({ source: 'cloud.instance.id' }),
+    newestValue({ source: 'cloud.instance.name' }),
+    newestValue({ source: 'cloud.machine.type' }),
+    newestValue({ source: 'cloud.project.id' }),
+    newestValue({ source: 'cloud.project.name' }),
+    newestValue({ source: 'cloud.provider' }),
+    newestValue({ source: 'cloud.region' }),
+    newestValue({ source: 'cloud.service.name' }),
+
+    newestValue({ source: 'host.architecture' }),
+    newestValue({ source: 'host.boot.id' }),
+    newestValue({ source: 'host.cpu.usage' }),
+    newestValue({ source: 'host.disk.read.bytes' }),
+    newestValue({ source: 'host.disk.write.bytes' }),
+    newestValue({ source: 'host.domain' }),
+    newestValue({ source: 'host.hostname' }),
+    newestValue({ source: 'host.id' }),
+    newestValue({ source: 'host.mac' }),
+    newestValue({ source: 'host.name' }),
+    newestValue({ source: 'host.network.egress.bytes' }),
+    newestValue({ source: 'host.network.egress.packets' }),
+    newestValue({ source: 'host.network.ingress.bytes' }),
+    newestValue({ source: 'host.network.ingress.packets' }),
+    newestValue({ source: 'host.pid_ns_ino' }),
+    newestValue({ source: 'host.type' }),
+    newestValue({ source: 'host.uptime' }),
+    newestValue({
+      source: 'host.ip',
+      mapping: {
+        type: 'ip',
+      },
+    }),
+
+    newestValue({ source: 'user.domain' }),
+    newestValue({ source: 'user.email' }),
+    newestValue({ source: 'user.roles' }),
+    newestValue({ source: 'user.hash' }),
+    newestValue({ source: 'user.id' }),
+    newestValue({
+      source: 'user.name',
+      mapping: {
+        type: 'keyword',
+        fields: {
+          text: {
+            type: 'match_only_text',
+          },
+        },
+      },
+    }),
+    newestValue({
+      source: 'user.full_name',
+      mapping: {
+        type: 'keyword',
+        fields: {
+          text: {
+            type: 'match_only_text',
+          },
+        },
+      },
+    }),
+
+    newestValue({ source: 'orchestrator.api_version' }),
+    newestValue({ source: 'orchestrator.cluster.id' }),
+    newestValue({ source: 'orchestrator.cluster.name' }),
+    newestValue({ source: 'orchestrator.cluster.url' }),
+    newestValue({ source: 'orchestrator.cluster.version' }),
+    newestValue({ source: 'orchestrator.namespace' }),
+    newestValue({ source: 'orchestrator.organization' }),
+    newestValue({ source: 'orchestrator.resource.annotation' }),
+    newestValue({ source: 'orchestrator.resource.id' }),
+    newestValue({ source: 'orchestrator.resource.ip' }),
+    newestValue({ source: 'orchestrator.resource.label' }),
+    newestValue({ source: 'orchestrator.resource.name' }),
+    newestValue({ source: 'orchestrator.resource.parent.type' }),
+    newestValue({ source: 'orchestrator.resource.type' }),
+    newestValue({ source: 'orchestrator.type' }),
+
+    ...getCommonFieldDescriptions('entity'),
+  ],
+};

x-pack/solutions/security/plugins/entity_store/server/domain/definitions/host.ts

@@ -13,7 +13,7 @@ export const HOST_IDENTITY_FIELD = 'host.name';
 
 // Mostly copied from x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_definitions/entity_descriptions/host.ts
 
-export const hostEntityDescription: EntityDefinitionWithoutId = {
+export const hostEntityDefinition: EntityDefinitionWithoutId = {
   type: 'host',
   name: `Security 'host' Entity Store Definition`,
   identityFields: [{ field: HOST_IDENTITY_FIELD, mapping: { type: 'keyword' } }],

x-pack/solutions/security/plugins/entity_store/server/domain/definitions/registry.ts

@@ -6,17 +6,20 @@
  */
 
 import assert from 'node:assert';
-import { hostEntityDescription } from './host';
+
 import type { EntityType } from './entity_schema';
 import { type EntityDefinitionWithoutId, type ManagedEntityDefinition } from './entity_schema';
 import { getEntityDefinitionId } from '../assets/latest_index';
+import { hostEntityDefinition } from './host';
+import { userEntityDefinition } from './user';
+import { serviceEntityDefinition } from './service';
+import { genericEntityDefinition } from './generic';
 
 const entitiesDescriptionRegistry = {
-  host: hostEntityDescription,
-  // TODO: add other entity descriptions
-  user: hostEntityDescription,
-  service: hostEntityDescription,
-  generic: hostEntityDescription,
+  host: hostEntityDefinition,
+  user: userEntityDefinition,
+  service: serviceEntityDefinition,
+  generic: genericEntityDefinition,
 } as const satisfies Record<EntityType, EntityDefinitionWithoutId>;
 
 interface EntityDefinitionParams {

x-pack/solutions/security/plugins/entity_store/server/domain/definitions/service.ts

@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getCommonFieldDescriptions, getEntityFieldsDescriptions } from './common_fields';
+import type { EntityDefinitionWithoutId } from './entity_schema';
+import { collectValues as collect, newestValue } from './field_retention_operations';
+
+export const SERVICE_IDENTITY_FIELD = 'service.name';
+
+export const serviceEntityDefinition: EntityDefinitionWithoutId = {
+  type: 'service',
+  name: `Security 'service' Entity Store Definition`,
+  identityFields: [{ field: SERVICE_IDENTITY_FIELD, mapping: { type: 'keyword' } }],
+  indexPatterns: [],
+  fields: [
+    collect({ source: 'service.address' }),
+    collect({ source: 'service.environment' }),
+    collect({ source: 'service.ephemeral_id' }),
+    collect({ source: 'service.id' }),
+    collect({ source: 'service.node.name' }),
+    collect({ source: 'service.node.roles' }),
+    collect({ source: 'service.node.role' }),
+    newestValue({ source: 'service.state' }),
+    collect({ source: 'service.type' }),
+    newestValue({ source: 'service.version' }),
+    ...getCommonFieldDescriptions('service'),
+    ...getEntityFieldsDescriptions('service'),
+
+    collect({
+      source: `service.entity.relationships.Communicates_with`,
+      destination: 'entity.relationships.Communicates_with',
+      mapping: { type: 'keyword' },
+      allowAPIUpdate: true,
+    }),
+    collect({
+      source: `service.entity.relationships.Depends_on`,
+      destination: 'entity.relationships.Depends_on',
+      mapping: { type: 'keyword' },
+      allowAPIUpdate: true,
+    }),
+    collect({
+      source: `service.entity.relationships.Dependent_of`,
+      destination: 'entity.relationships.Dependent_of',
+      mapping: { type: 'keyword' },
+      allowAPIUpdate: true,
+    }),
+  ],
+};

x-pack/solutions/security/plugins/entity_store/server/domain/definitions/user.ts

@@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getCommonFieldDescriptions, getEntityFieldsDescriptions } from './common_fields';
+import type { EntityDefinitionWithoutId } from './entity_schema';
+import { collectValues as collect } from './field_retention_operations';
+
+export const USER_IDENTITY_FIELD = 'user.name';
+
+export const userEntityDefinition: EntityDefinitionWithoutId = {
+  type: 'user',
+  name: `Security 'user' Entity Store Definition`,
+  identityFields: [
+    {
+      field: USER_IDENTITY_FIELD,
+      mapping: {
+        type: 'keyword',
+        fields: { text: { type: 'match_only_text' } },
+      },
+    },
+  ],
+  indexPatterns: [],
+  fields: [
+    collect({ source: 'user.domain' }),
+    collect({ source: 'user.email' }),
+    collect({
+      source: 'user.full_name',
+      mapping: {
+        type: 'keyword',
+        fields: {
+          text: {
+            type: 'match_only_text',
+          },
+        },
+      },
+    }),
+    collect({ source: 'user.hash' }),
+    collect({ source: 'user.id' }),
+    collect({ source: 'user.roles' }),
+    ...getCommonFieldDescriptions('user'),
+    ...getEntityFieldsDescriptions('user'),
+
+    collect({
+      source: `user.entity.relationships.Accesses_frequently`,
+      destination: 'entity.relationships.Accesses_frequently',
+      mapping: { type: 'keyword' },
+      allowAPIUpdate: true,
+    }),
+    collect({
+      source: `user.entity.relationships.Owns`,
+      destination: 'entity.relationships.Owns',
+      mapping: { type: 'keyword' },
+      allowAPIUpdate: true,
+    }),
+
+    collect({
+      source: `user.entity.relationships.Supervises`,
+      destination: 'entity.relationships.Supervises',
+      mapping: { type: 'keyword' },
+      allowAPIUpdate: true,
+    }),
+    collect({
+      source: `user.entity.relationships.Supervised_by`,
+      destination: 'entity.relationships.Supervised_by',
+      mapping: { type: 'keyword' },
+      allowAPIUpdate: true,
+    }),
+  ],
+};