-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Resolver] Allow a configurable entity_id field #81679
Merged
jonathan-buttner
merged 40 commits into
elastic:master
from
jonathan-buttner:resolver-multi-fields
Nov 24, 2020
Merged
Changes from 7 commits
Commits
Show all changes
40 commits
Select commit
Hold shift + click to select a range
58c6ada
Trying to flesh out new tree route
jonathan-buttner 3139b65
Working on the descendants query
jonathan-buttner b561c3d
Almost working descendants
jonathan-buttner 8506512
Possible solution for aggs
jonathan-buttner cf548c6
Working aggregations extraction
jonathan-buttner da4af52
Working on the ancestry array for descendants
jonathan-buttner a9c87d0
Making changes to the unique id for ancestr
jonathan-buttner 023f119
Implementing ancestry funcitonality
jonathan-buttner dd04e44
Deleting the multiple edges
jonathan-buttner 109c09f
Fleshing out the descendants loop for levels
jonathan-buttner 43423a0
Writing tests for ancestors and descendants
jonathan-buttner 0d45d15
Fixing type errors and writing more tests
jonathan-buttner 7e2ac9e
Renaming validation variable and deprecating old tree routes
jonathan-buttner c05c795
Renaming tree integration test file
jonathan-buttner 893eb46
Merge branch 'master' of github.com:elastic/kibana into resolver-mult…
jonathan-buttner cf2d772
Adding some integration tests
jonathan-buttner 1663428
Fixing ancestry to handle multiple nodes in the request and writing m…
jonathan-buttner dd4e0dd
Adding more tests
jonathan-buttner a4d3ba3
Merge branch 'master' of github.com:elastic/kibana into resolver-mult…
jonathan-buttner 837e164
Renaming new tree to handler file
jonathan-buttner bf113ac
Renaming new tree directory
jonathan-buttner 34cf33e
Adding more unit tests
jonathan-buttner 63dadd3
Using doc value fields and working on types
jonathan-buttner ea5d217
Adding comments and more tests
jonathan-buttner 549b920
Fixing timestamp test issue
jonathan-buttner 76f8644
Adding more comments
jonathan-buttner b4fd18e
Merge branch 'master' of github.com:elastic/kibana into resolver-mult…
jonathan-buttner 400331c
Fixing timestamp test issue take 2
jonathan-buttner e8ec0a0
Merge branch 'master' of github.com:elastic/kibana into resolver-mult…
jonathan-buttner 619088c
Adding id, parent, and name fields to the top level response
jonathan-buttner 0660d81
Merge branch 'master' into resolver-multi-fields
kibanamachine e13bf88
Merge branch 'master' into resolver-multi-fields
kibanamachine d62acac
Merge branch 'master' of github.com:elastic/kibana into resolver-mult…
jonathan-buttner 7da1579
Merge branch 'resolver-multi-fields' of github.com:jonathan-buttner/k…
jonathan-buttner 9e9abf6
Fixing generator start and end time generation
jonathan-buttner aaad8c4
Adding more comments
jonathan-buttner 1610a48
Revert "Fixing generator start and end time generation"
jonathan-buttner 0694636
Adding test for time
jonathan-buttner a6aa4b1
Merge branch 'master' into resolver-multi-fields
kibanamachine d182ca3
Merge branch 'master' into resolver-multi-fields
kibanamachine File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
147 changes: 147 additions & 0 deletions
147
...plugins/security_solution/server/endpoint/routes/resolver/new_tree/queries/descendants.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,147 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
import { SearchResponse } from 'elasticsearch'; | ||
import { ApiResponse } from '@elastic/elasticsearch'; | ||
import { IScopedClusterClient } from 'src/core/server'; | ||
import { JsonObject, JsonValue } from '../../../../../../../../../src/plugins/kibana_utils/common'; | ||
import { UniqueID } from './unique_id'; | ||
|
||
interface Timerange { | ||
start: string; | ||
end: string; | ||
} | ||
|
||
type Nodes = Array<Map<string, string>>; | ||
|
||
interface DescendantsParams { | ||
uniqueID: UniqueID; | ||
indexPatterns: string | string[]; | ||
timerange: Timerange; | ||
size: number; | ||
} | ||
|
||
/** | ||
* Builds a query for retrieving descendants of a node. | ||
*/ | ||
export class DescendantsQuery { | ||
private readonly uniqueID: UniqueID; | ||
private readonly indexPatterns: string | string[]; | ||
private readonly timerange: Timerange; | ||
private readonly size: number; | ||
constructor({ uniqueID, indexPatterns, timerange, size }: DescendantsParams) { | ||
this.uniqueID = uniqueID; | ||
this.indexPatterns = indexPatterns; | ||
this.timerange = timerange; | ||
this.size = size; | ||
} | ||
|
||
private query(shouldClauses: JsonValue[]): JsonObject { | ||
return { | ||
// TODO look into switching this to doc_values | ||
_source: this.uniqueID.sourceFilter, | ||
size: 0, | ||
query: { | ||
bool: { | ||
filter: [ | ||
{ | ||
range: { | ||
'@timestamp': { | ||
gte: this.timerange.start, | ||
lte: this.timerange.end, | ||
// TODO this is what the search_strategy uses, need to double check | ||
format: 'strict_date_optional_time', | ||
}, | ||
}, | ||
}, | ||
{ | ||
bool: { | ||
should: shouldClauses, | ||
}, | ||
}, | ||
...this.uniqueID.buildConstraints(), | ||
{ | ||
term: { 'event.category': 'process' }, | ||
}, | ||
{ | ||
term: { 'event.kind': 'event' }, | ||
}, | ||
], | ||
}, | ||
}, | ||
aggs: this.uniqueID.buildAggregations(this.size), | ||
}; | ||
} | ||
|
||
private queryWithAncestryArray(nodes: Nodes): JsonObject { | ||
return { | ||
// TODO look into switching this to doc_values | ||
_source: this.uniqueID.sourceFilter, | ||
size: 0, | ||
query: { | ||
bool: { | ||
filter: [ | ||
{ | ||
range: { | ||
'@timestamp': { | ||
gte: this.timerange.start, | ||
lte: this.timerange.end, | ||
// TODO this is what the search_strategy uses, need to double check | ||
format: 'strict_date_optional_time', | ||
}, | ||
}, | ||
}, | ||
...this.uniqueID.buildDescendantsAncestryQueryFilters(nodes), | ||
...this.uniqueID.buildConstraints(), | ||
{ | ||
term: { 'event.category': 'process' }, | ||
}, | ||
{ | ||
term: { 'event.kind': 'event' }, | ||
}, | ||
], | ||
}, | ||
}, | ||
aggs: this.uniqueID.buildAncestryAggregations(this.size), | ||
}; | ||
} | ||
|
||
private async searchChunked(client: IScopedClusterClient, nodes: Nodes): Promise<unknown> { | ||
const filters = this.uniqueID.buildDescendantsQueryFilters(nodes); | ||
const searches = []; | ||
// this is the max number of bool clauses an elasticsearch query can contain is 1024 so let's | ||
// make sure we're less than that | ||
const chunkSize = 1000; | ||
for (let i = 0; i < filters.length; i += chunkSize) { | ||
const chunkedFilters = filters.slice(i, i + chunkSize); | ||
searches.push( | ||
client.asCurrentUser.search<SearchResponse<unknown>>({ | ||
body: this.query(chunkedFilters), | ||
index: this.indexPatterns, | ||
}) | ||
); | ||
} | ||
const results: Array<ApiResponse<SearchResponse<unknown>>> = await Promise.all(searches); | ||
return results.reduce((allResults: unknown[], resultChunk) => { | ||
allResults.push(...this.uniqueID.getNodesFromAggs(resultChunk)); | ||
return allResults; | ||
}, []); | ||
} | ||
|
||
private async searchWithAncestryArray( | ||
client: IScopedClusterClient, | ||
nodes: Nodes | ||
): Promise<unknown> {} | ||
|
||
/** | ||
* TODO get rid of the unknowns | ||
*/ | ||
async search(client: IScopedClusterClient, nodes: Nodes): Promise<unknown> { | ||
if (this.uniqueID.idSchema.ancestry) { | ||
return this.searchWithAncestryArray(client, nodes); | ||
} | ||
return this.searchChunked(client, nodes); | ||
} | ||
} |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once we transition the front end over to this api we'll be able to remove all the deprecated routes and their code.