peteharverson
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts‎
Lines changed: 20 additions & 18 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts‎
Lines changed: 20 additions & 18 deletions
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts‎
Lines changed: 310 additions & 0 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts‎
Lines changed: 310 additions & 0 deletions
@@ -8,6 +8,8 @@
 import type { EntityType, EntityField } from './entity_schema';
 import { oldestValue, newestValue } from './field_retention_operations';
 
+export const ENTITY_ID_FIELD = 'entity.id';
+
 // Copied from x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_definitions/entity_descriptions/common.ts
 
 export const getCommonFieldDescriptions = (
@@ -53,57 +55,57 @@ export const getEntityFieldsDescriptions = (rootField?: EntityType) => {
     newestValue({ source: `${prefix}.url`, destination: 'entity.url' }),
 
     newestValue({
-      source: `${prefix}.attributes.Privileged`,
-      destination: 'entity.attributes.Privileged',
+      source: `${prefix}.attributes.privileged`,
+      destination: 'entity.attributes.privileged',
       mapping: { type: 'boolean' },
       allowAPIUpdate: true,
     }),
     newestValue({
-      source: `${prefix}.attributes.Asset`,
-      destination: 'entity.attributes.Asset',
+      source: `${prefix}.attributes.asset`,
+      destination: 'entity.attributes.asset',
       mapping: { type: 'boolean' },
       allowAPIUpdate: true,
     }),
     newestValue({
-      source: `${prefix}.attributes.Managed`,
-      destination: 'entity.attributes.Managed',
+      source: `${prefix}.attributes.managed`,
+      destination: 'entity.attributes.managed',
       mapping: { type: 'boolean' },
       allowAPIUpdate: true,
     }),
     newestValue({
-      source: `${prefix}.attributes.Mfa_enabled`,
-      destination: 'entity.attributes.Mfa_enabled',
+      source: `${prefix}.attributes.mfa_enabled`,
+      destination: 'entity.attributes.mfa_enabled',
       mapping: { type: 'boolean' },
       allowAPIUpdate: true,
     }),
 
     /* Lifecycle fields should not allow update via the API */
     newestValue({
-      source: `${prefix}.lifecycle.First_seen`,
-      destination: 'entity.lifecycle.First_seen',
+      source: `${prefix}.lifecycle.first_seen`,
+      destination: 'entity.lifecycle.first_seen',
       mapping: { type: 'date' },
     }),
     newestValue({
-      source: `${prefix}.lifecycle.Last_activity`,
-      destination: 'entity.lifecycle.Last_activity',
+      source: `${prefix}.lifecycle.last_activity`,
+      destination: 'entity.lifecycle.last_activity',
       mapping: { type: 'date' },
     }),
 
     newestValue({
-      source: `${prefix}.behaviors.Brute_force_victim`,
-      destination: 'entity.behaviors.Brute_force_victim',
+      source: `${prefix}.behaviors.brute_force_victim`,
+      destination: 'entity.behaviors.brute_force_victim',
       mapping: { type: 'boolean' },
       allowAPIUpdate: true,
     }),
     newestValue({
-      source: `${prefix}.behaviors.New_country_login`,
-      destination: 'entity.behaviors.New_country_login',
+      source: `${prefix}.behaviors.new_country_login`,
+      destination: 'entity.behaviors.new_country_login',
       mapping: { type: 'boolean' },
       allowAPIUpdate: true,
     }),
     newestValue({
-      source: `${prefix}.behaviors.Used_usb_device`,
-      destination: 'entity.behaviors.Used_usb_device',
+      source: `${prefix}.behaviors.used_usb_device`,
+      destination: 'entity.behaviors.used_usb_device',
       mapping: { type: 'boolean' },
       allowAPIUpdate: true,
     }),
 
@@ -0,0 +1,310 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Common Entities Schemas
+ *   version: 1
+ */
+
+import { z } from '@kbn/zod';
+
+export type EngineMetadata = z.infer<typeof EngineMetadata>;
+export const EngineMetadata = z
+  .object({
+    Type: z.string(),
+  })
+  .strict();
+
+export type EntityRiskLevels = z.infer<typeof EntityRiskLevels>;
+export const EntityRiskLevels = z.enum(['Unknown', 'Low', 'Moderate', 'High', 'Critical']);
+export type EntityRiskLevelsEnum = typeof EntityRiskLevels.enum;
+export const EntityRiskLevelsEnum = EntityRiskLevels.enum;
+
+export type EntityField = z.infer<typeof EntityField>;
+export const EntityField = z
+  .object({
+    id: z.string(),
+    name: z.string().optional(),
+    type: z.string().optional(),
+    sub_type: z.string().optional(),
+    source: z.string().optional(),
+    EngineMetadata: EngineMetadata.optional(),
+    attributes: z
+      .object({
+        privileged: z.boolean().optional(),
+        asset: z.boolean().optional(),
+        managed: z.boolean().optional(),
+        mfa_enabled: z.boolean().optional(),
+      })
+      .strict()
+      .optional(),
+    behaviors: z
+      .object({
+        brute_force_victim: z.boolean().optional(),
+        new_country_login: z.boolean().optional(),
+        used_usb_device: z.boolean().optional(),
+      })
+      .strict()
+      .optional(),
+    lifecycle: z
+      .object({
+        first_seen: z.string().datetime().optional(),
+        last_activity: z.string().datetime().optional(),
+      })
+      .strict()
+      .optional(),
+    relationships: z
+      .object({
+        communicates_with: z.array(z.string()).optional(),
+        depends_on: z.array(z.string()).optional(),
+        dependent_of: z.array(z.string()).optional(),
+        owns: z.array(z.string()).optional(),
+        owned_by: z.array(z.string()).optional(),
+        accesses_frequently: z.array(z.string()).optional(),
+        accessed_frequently_by: z.array(z.string()).optional(),
+        supervises: z.array(z.string()).optional(),
+        supervised_by: z.array(z.string()).optional(),
+      })
+      .strict()
+      .optional(),
+    risk: z
+      .object({
+        /**
+         * Lexical description of the entity's risk.
+         */
+        calculated_level: EntityRiskLevels.optional(),
+        /**
+         * The raw numeric value of the given entity's risk score.
+         */
+        calculated_score: z.number().optional(),
+        /**
+         * The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
+         */
+        calculated_score_norm: z.number().min(0).max(100).optional(),
+      })
+      .strict()
+      .optional(),
+  })
+  .strict();
+
+/**
+ * The criticality level of the asset.
+ */
+export type AssetCriticalityLevel = z.infer<typeof AssetCriticalityLevel>;
+export const AssetCriticalityLevel = z.enum([
+  'low_impact',
+  'medium_impact',
+  'high_impact',
+  'extreme_impact',
+]);
+export type AssetCriticalityLevelEnum = typeof AssetCriticalityLevel.enum;
+export const AssetCriticalityLevelEnum = AssetCriticalityLevel.enum;
+
+export type Asset = z.infer<typeof Asset>;
+export const Asset = z
+  .object({
+    id: z.string().optional(),
+    name: z.string().optional(),
+    owner: z.string().optional(),
+    serial_number: z.string().optional(),
+    model: z.string().optional(),
+    vendor: z.string().optional(),
+    environment: z.string().optional(),
+    criticality: AssetCriticalityLevel.optional(),
+    business_unit: z.string().optional(),
+  })
+  .strict();
+
+/**
+ * A generic representation of a document contributing to a Risk Score.
+ */
+export type RiskScoreInput = z.infer<typeof RiskScoreInput>;
+export const RiskScoreInput = z.object({
+  /**
+   * The unique identifier (`_id`) of the original source document
+   */
+  id: z.string(),
+  /**
+   * The unique index (`_index`) of the original source document
+   */
+  index: z.string(),
+  /**
+   * The risk category of the risk input document.
+   */
+  category: z.string(),
+  /**
+   * A human-readable description of the risk input document.
+   */
+  description: z.string(),
+  /**
+   * The weighted risk score of the risk input document.
+   */
+  risk_score: z.number().min(0).max(100).optional(),
+  /**
+   * The @timestamp of the risk input document.
+   */
+  timestamp: z.string().optional(),
+  contribution_score: z.number().optional(),
+});
+
+export type EntityRiskScoreRecord = z.infer<typeof EntityRiskScoreRecord>;
+export const EntityRiskScoreRecord = z.object({
+  /**
+   * The time at which the risk score was calculated.
+   */
+  '@timestamp': z.string().datetime(),
+  /**
+   * The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.
+   */
+  id_field: z.string(),
+  /**
+   * The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.
+   */
+  id_value: z.string(),
+  /**
+   * Lexical description of the entity's risk.
+   */
+  calculated_level: EntityRiskLevels,
+  /**
+   * The raw numeric value of the given entity's risk score.
+   */
+  calculated_score: z.number(),
+  /**
+   * The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
+   */
+  calculated_score_norm: z.number().min(0).max(100),
+  /**
+   * The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts.
+   */
+  category_1_score: z.number(),
+  /**
+   * The number of risk input documents that contributed to the Category 1 score (`category_1_score`).
+   */
+  category_1_count: z.number().int(),
+  /**
+   * A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
+   */
+  inputs: z.array(RiskScoreInput),
+  category_2_score: z.number().optional(),
+  category_2_count: z.number().int().optional(),
+  notes: z.array(z.string()),
+  criticality_modifier: z.number().optional(),
+  criticality_level: AssetCriticalityLevel.optional(),
+  /**
+   * A list of modifiers that were applied to the risk score calculation.
+   */
+  modifiers: z
+    .array(
+      z.object({
+        type: z.string(),
+        subtype: z.string().optional(),
+        modifier_value: z.number().optional(),
+        contribution: z.number(),
+        metadata: z.object({}).catchall(z.unknown()).optional(),
+      })
+    )
+    .optional(),
+});
+
+export type UserEntity = z.infer<typeof UserEntity>;
+export const UserEntity = z
+  .object({
+    '@timestamp': z.string().datetime().optional(),
+    entity: EntityField,
+    user: z
+      .object({
+        full_name: z.array(z.string()).optional(),
+        domain: z.array(z.string()).optional(),
+        roles: z.array(z.string()).optional(),
+        name: z.string(),
+        id: z.array(z.string()).optional(),
+        email: z.array(z.string()).optional(),
+        hash: z.array(z.string()).optional(),
+        risk: EntityRiskScoreRecord.optional(),
+      })
+      .strict()
+      .optional(),
+    asset: Asset.optional(),
+    event: z
+      .object({
+        ingested: z.string().datetime().optional(),
+      })
+      .strict()
+      .optional(),
+  })
+  .strict();
+
+export type HostEntity = z.infer<typeof HostEntity>;
+export const HostEntity = z
+  .object({
+    '@timestamp': z.string().datetime().optional(),
+    entity: EntityField,
+    host: z
+      .object({
+        hostname: z.array(z.string()).optional(),
+        domain: z.array(z.string()).optional(),
+        ip: z.array(z.string()).optional(),
+        name: z.string(),
+        id: z.array(z.string()).optional(),
+        type: z.array(z.string()).optional(),
+        mac: z.array(z.string()).optional(),
+        architecture: z.array(z.string()).optional(),
+        risk: EntityRiskScoreRecord.optional(),
+        entity: EntityField.optional(),
+      })
+      .strict()
+      .optional(),
+    asset: Asset.optional(),
+    event: z
+      .object({
+        ingested: z.string().datetime().optional(),
+      })
+      .strict()
+      .optional(),
+  })
+  .strict();
+
+export type ServiceEntity = z.infer<typeof ServiceEntity>;
+export const ServiceEntity = z
+  .object({
+    '@timestamp': z.string().datetime().optional(),
+    entity: EntityField,
+    service: z
+      .object({
+        name: z.string(),
+        risk: EntityRiskScoreRecord.optional(),
+        entity: EntityField.optional(),
+      })
+      .strict()
+      .optional(),
+    asset: Asset.optional(),
+    event: z
+      .object({
+        ingested: z.string().datetime().optional(),
+      })
+      .strict()
+      .optional(),
+  })
+  .strict();
+
+export type GenericEntity = z.infer<typeof GenericEntity>;
+export const GenericEntity = z
+  .object({
+    '@timestamp': z.string().datetime().optional(),
+    entity: EntityField,
+    asset: Asset.optional(),
+  })
+  .strict();
+
+export const EntityInternal = z.union([UserEntity, HostEntity, ServiceEntity, GenericEntity]);
+
+export type Entity = z.infer<typeof EntityInternal>;
+export const Entity = EntityInternal as z.ZodType<Entity>;