[Security Solution][Resolver] Allow a configurable entity_id field

x-pack/plugins/security_solution/common/endpoint/schema/resolver.ts

@@ -23,6 +23,77 @@ export const validateTree = {
   }),
 };
 
+// {
+//   id: ["host.id", "process.pid"]
+//   parent: ["host.id", "process.parent.pid"]
+// }
+
+// {
+//   id_definition: [
+//     {
+//       entity_id_field: "name",
+//       parent_id_field: "name_parent",
+//     },
+//     {
+//       entity_id_field: "age",
+//       parent_id_field: "age_parent",
+//     }
+//   ],
+//   id: [
+//     {
+//       "name": "Jon",
+//       "age": "50",
+//     },
+//     {
+//       "name": "Mike",
+//       "age": "~30",
+//     }
+//   ],
+//   levels: 10,
+//   limit: 50,
+// }
+
+// toID(): string
+
+/**
+ * Used to validate GET requests for a complete resolver tree.
+ */
+export const validateTree2 = {
+  body: schema.object({
+    // optional
+    // if the ancestry field below is specified ignore these fields
+    levels: schema.maybe(
+      schema.object({
+        ancestors: schema.number({ min: 0, max: 1000 }),
+        descendants: schema.number({ min: 0, max: 1000 }),
+      })
+    ),
+    // levels supersedes limit if it is defined
+    descendants: schema.number({ defaultValue: 1000, min: 0, max: 10000 }),
+    ancestors: schema.number({ defaultValue: 1000, min: 0, max: 10000 }),
+    timerange: schema.object({
+      start: schema.string(),
+      end: schema.string(),
+    }),
+    schema: schema.object({
+      // the ancestry field is optional
+      ancestry: schema.maybe(schema.string()),
+      // TODO set a limit on the array size
+      edges: schema.arrayOf(
+        schema.object({
+          id: schema.string(),
+          parentID: schema.string(),
+        }),
+        { minSize: 1 }
+      ),
+    }),
+    // TODO would be great if we could enforce that the keys are the same as those defined in the userFieldsDef.relationship
+    // somehow
+    nodes: schema.arrayOf(schema.mapOf(schema.string(), schema.any()), { minSize: 1 }),
+    indexPatterns: schema.arrayOf(schema.string(), { minSize: 1 }),
+  }),
+};
+
 /**
  * Used to validate POST requests for `/resolver/events` api.
  */

x-pack/plugins/security_solution/server/endpoint/routes/resolver.ts

@@ -13,17 +13,28 @@ import {
   validateAncestry,
   validateAlerts,
   validateEntities,
+  validateTree2,
 } from '../../../common/endpoint/schema/resolver';
 import { handleChildren } from './resolver/children';
 import { handleAncestry } from './resolver/ancestry';
 import { handleTree } from './resolver/tree';
+import { handleTree as handleTree2 } from './resolver/new_tree/tree_route';
 import { handleAlerts } from './resolver/alerts';
 import { handleEntities } from './resolver/entity';
 import { handleEvents } from './resolver/events';
 
 export function registerResolverRoutes(router: IRouter, endpointAppContext: EndpointAppContext) {
   const log = endpointAppContext.logFactory.get('resolver');
 
+  router.post(
+    {
+      path: '/api/endpoint/resolver/tree',
+      validate: validateTree2,
+      options: { authRequired: true },
+    },
+    handleTree2(log)
+  );
+
   router.post(
     {
       path: '/api/endpoint/resolver/events',

x-pack/plugins/security_solution/server/endpoint/routes/resolver/new_tree/queries/descendants.ts

@@ -0,0 +1,147 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { SearchResponse } from 'elasticsearch';
+import { ApiResponse } from '@elastic/elasticsearch';
+import { IScopedClusterClient } from 'src/core/server';
+import { JsonObject, JsonValue } from '../../../../../../../../../src/plugins/kibana_utils/common';
+import { UniqueID } from './unique_id';
+
+interface Timerange {
+  start: string;
+  end: string;
+}
+
+type Nodes = Array<Map<string, string>>;
+
+interface DescendantsParams {
+  uniqueID: UniqueID;
+  indexPatterns: string | string[];
+  timerange: Timerange;
+  size: number;
+}
+
+/**
+ * Builds a query for retrieving descendants of a node.
+ */
+export class DescendantsQuery {
+  private readonly uniqueID: UniqueID;
+  private readonly indexPatterns: string | string[];
+  private readonly timerange: Timerange;
+  private readonly size: number;
+  constructor({ uniqueID, indexPatterns, timerange, size }: DescendantsParams) {
+    this.uniqueID = uniqueID;
+    this.indexPatterns = indexPatterns;
+    this.timerange = timerange;
+    this.size = size;
+  }
+
+  private query(shouldClauses: JsonValue[]): JsonObject {
+    return {
+      // TODO look into switching this to doc_values
+      _source: this.uniqueID.sourceFilter,
+      size: 0,
+      query: {
+        bool: {
+          filter: [
+            {
+              range: {
+                '@timestamp': {
+                  gte: this.timerange.start,
+                  lte: this.timerange.end,
+                  // TODO this is what the search_strategy uses, need to double check
+                  format: 'strict_date_optional_time',
+                },
+              },
+            },
+            {
+              bool: {
+                should: shouldClauses,
+              },
+            },
+            ...this.uniqueID.buildConstraints(),
+            {
+              term: { 'event.category': 'process' },
+            },
+            {
+              term: { 'event.kind': 'event' },
+            },
+          ],
+        },
+      },
+      aggs: this.uniqueID.buildAggregations(this.size),
+    };
+  }
+
+  private queryWithAncestryArray(nodes: Nodes): JsonObject {
+    return {
+      // TODO look into switching this to doc_values
+      _source: this.uniqueID.sourceFilter,
+      size: 0,
+      query: {
+        bool: {
+          filter: [
+            {
+              range: {
+                '@timestamp': {
+                  gte: this.timerange.start,
+                  lte: this.timerange.end,
+                  // TODO this is what the search_strategy uses, need to double check
+                  format: 'strict_date_optional_time',
+                },
+              },
+            },
+            ...this.uniqueID.buildDescendantsAncestryQueryFilters(nodes),
+            ...this.uniqueID.buildConstraints(),
+            {
+              term: { 'event.category': 'process' },
+            },
+            {
+              term: { 'event.kind': 'event' },
+            },
+          ],
+        },
+      },
+      aggs: this.uniqueID.buildAncestryAggregations(this.size),
+    };
+  }
+
+  private async searchChunked(client: IScopedClusterClient, nodes: Nodes): Promise<unknown> {
+    const filters = this.uniqueID.buildDescendantsQueryFilters(nodes);
+    const searches = [];
+    // this is the max number of bool clauses an elasticsearch query can contain is 1024 so let's
+    // make sure we're less than that
+    const chunkSize = 1000;
+    for (let i = 0; i < filters.length; i += chunkSize) {
+      const chunkedFilters = filters.slice(i, i + chunkSize);
+      searches.push(
+        client.asCurrentUser.search<SearchResponse<unknown>>({
+          body: this.query(chunkedFilters),
+          index: this.indexPatterns,
+        })
+      );
+    }
+    const results: Array<ApiResponse<SearchResponse<unknown>>> = await Promise.all(searches);
+    return results.reduce((allResults: unknown[], resultChunk) => {
+      allResults.push(...this.uniqueID.getNodesFromAggs(resultChunk));
+      return allResults;
+    }, []);
+  }
+
+  private async searchWithAncestryArray(
+    client: IScopedClusterClient,
+    nodes: Nodes
+  ): Promise<unknown> {}
+
+  /**
+   * TODO get rid of the unknowns
+   */
+  async search(client: IScopedClusterClient, nodes: Nodes): Promise<unknown> {
+    if (this.uniqueID.idSchema.ancestry) {
+      return this.searchWithAncestryArray(client, nodes);
+    }
+    return this.searchChunked(client, nodes);
+  }
+}