Security entity store host os fields (#197326)

## Summary Adds the `host.os.name` and `host.os.type` ECS fields to Security's entity store definition. These fields, much like other `host.*` fields, are collected up to a maximum number of 10 distinct values. --------- Co-authored-by: Elastic Machine <[email protected]>
elastic · Oct 24, 2024 · a1a5db9 · a1a5db9
1 parent db0a898
commit a1a5db9
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/...n/server/lib/entity_analytics/entity_store/united_entity_definitions/entity_types/host.ts b/...n/server/lib/entity_analytics/entity_store/united_entity_definitions/entity_types/host.ts
@@ -18,6 +18,8 @@ export const getHostUnitedDefinition: UnitedDefinitionBuilder = (fieldHistoryLen
       collect({ field: 'host.domain' }),
       collect({ field: 'host.hostname' }),
       collect({ field: 'host.id' }),
+      collect({ field: 'host.os.name' }),
+      collect({ field: 'host.os.type' }),
       collect({
         field: 'host.ip',
         mapping: {

diff --git a/...lib/entity_analytics/entity_store/united_entity_definitions/get_united_definition.test.ts b/...lib/entity_analytics/entity_store/united_entity_definitions/get_united_definition.test.ts
@@ -59,6 +59,12 @@ describe('getUnitedEntityDefinition', () => {
             "host.name": Object {
               "type": "keyword",
             },
+            "host.os.name": Object {
+              "type": "keyword",
+            },
+            "host.os.type": Object {
+              "type": "keyword",
+            },
             "host.risk.calculated_level": Object {
               "type": "keyword",
             },
@@ -95,6 +101,16 @@ describe('getUnitedEntityDefinition', () => {
               "maxLength": 10,
               "operation": "collect_values",
             },
+            Object {
+              "field": "host.os.name",
+              "maxLength": 10,
+              "operation": "collect_values",
+            },
+            Object {
+              "field": "host.os.type",
+              "maxLength": 10,
+              "operation": "collect_values",
+            },
             Object {
               "field": "host.ip",
               "maxLength": 10,
@@ -184,6 +200,22 @@ describe('getUnitedEntityDefinition', () => {
               "destination": "host.id",
               "source": "host.id",
             },
+            Object {
+              "aggregation": Object {
+                "limit": 10,
+                "type": "terms",
+              },
+              "destination": "host.os.name",
+              "source": "host.os.name",
+            },
+            Object {
+              "aggregation": Object {
+                "limit": 10,
+                "type": "terms",
+              },
+              "destination": "host.os.type",
+              "source": "host.os.type",
+            },
             Object {
               "aggregation": Object {
                 "limit": 10,