From 8d8db9c601add28d856138a97dca3cb0a00f5008 Mon Sep 17 00:00:00 2001
From: Patryk Kopycinski
Date: Thu, 5 Nov 2020 21:50:48 +0100
Subject: [PATCH] [Security Solution] Fix DNS Network table query
---
.../components/paginated_table/helpers.ts | 5 ++-
.../network/containers/network_dns/index.tsx | 4 +-
.../factory/network/dns/index.ts | 5 +--
.../network/dns/query.dns_network.dsl.ts | 39 ++++++++++++-------
.../apis/security_solution/network_dns.ts | 5 +--
5 files changed, 33 insertions(+), 25 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/common/components/paginated_table/helpers.ts b/x-pack/plugins/security_solution/public/common/components/paginated_table/helpers.ts
index 8fde81adc922a7..9685a260d2a1ac 100644
--- a/x-pack/plugins/security_solution/public/common/components/paginated_table/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/paginated_table/helpers.ts
@@ -8,13 +8,14 @@ import { PaginationInputPaginated } from '../../../graphql/types';
 export const generateTablePaginationOptions = (
 activePage: number,
- limit: number
+ limit: number,
+ isBucketSort?: boolean
 ): PaginationInputPaginated => {
 const cursorStart = activePage * limit;
 return {
 activePage,
 cursorStart,
 fakePossibleCount: 4 <= activePage && activePage > 0 ? limit * (activePage + 2) : limit * 5,
- querySize: limit + cursorStart,
+ querySize: isBucketSort ? limit : limit + cursorStart,
 };
 };
diff --git a/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx b/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx
index 92a8f8c49dfc62..7c46f4bcbc3098 100644
--- a/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx
+++ b/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx
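Review bot: The new `isBucketSort` flag changes what `querySize` means — a single page size instead of the cumulative `limit + cursorStart` window — and nothing in `generateTablePaginationOptions` records that, so a consumer that still treats `querySize` as a window will be off by `cursorStart`. A TSDoc block above the function should spell out the two modes, e.g. `@param isBucketSort - when true the server pages itself (from/size in a bucket_sort) and querySize is the page size; when false querySize is the window from offset 0 through the requested page`. As a point of style, the positional boolean reads poorly at the call sites (`generateTablePaginationOptions(activePage, limit, true)` in network_dns/index.tsx); an options object or a named constant would make the intent visible where it is used. The whole function is inside this hunk.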
@@ -80,7 +80,7 @@ export const useNetworkDns = ({
 factoryQueryType: NetworkQueries.dns,
 filterQuery: createFilter(filterQuery),
 isPtrIncluded,
- pagination: generateTablePaginationOptions(activePage, limit),
+ pagination: generateTablePaginationOptions(activePage, limit, true),
 sort,
 timerange: {
 interval: '12h',
@@ -196,7 +196,7 @@ export const useNetworkDns = ({
 isPtrIncluded,
 factoryQueryType: NetworkQueries.dns,
 filterQuery: createFilter(filterQuery),
- pagination: generateTablePaginationOptions(activePage, limit),
+ pagination: generateTablePaginationOptions(activePage, limit, true),
 sort,
 timerange: {
 interval: '12h',
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
index ca7743126df4c1..758731b6745448 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
@@ -33,11 +33,10 @@ export const networkDns: SecuritySolutionFactory = {
 options: NetworkDnsRequestOptions,
 response: IEsSearchResponse
 ): Promise => {
- const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination;
+ const { activePage, fakePossibleCount } = options.pagination;
 const totalCount = getOr(0, 'aggregations.dns_count.value', response.rawResponse);
- const networkDnsEdges: NetworkDnsEdges[] = getDnsEdges(response);
+ const edges: NetworkDnsEdges[] = getDnsEdges(response);
 const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount;
- const edges = networkDnsEdges.splice(cursorStart, querySize - cursorStart);
 const inspect = {
 dsl: [inspectStringifyObject(buildDnsQuery(options))],
 };
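Review bot: In the dns/index.ts hunk the server-side `splice` is dropped and `edges` is now whatever `getDnsEdges(response)` returns, but nothing in the parse function says why `cursorStart` and `querySize` are no longer read here, so the next maintainer may reintroduce the slice. A one-line comment above `const edges` would close that gap: `// paging (from/size) is applied by the bucket_sort in buildDnsQuery, so the response already holds the requested page`. The explicit `NetworkDnsEdges[]` annotation on `edges` is redundant if `getDnsEdges` has a typed return, as the old `networkDnsEdges` line suggests. The enclosing `parse` function continues past the end of the hunk.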
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
index 85b9051189bfe9..8fd81d5d14157a 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
@@ -15,25 +15,30 @@ import {
 } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
+const HUGE_QUERY_SIZE = 1000000;
+
 type QueryOrder =
- | { _count: Direction }
- | { _key: Direction }
- | { unique_domains: Direction }
- | { dns_bytes_in: Direction }
- | { dns_bytes_out: Direction };
+ | { _count: { order: Direction } }
+ | { _key: { order: Direction } }
+ | { unique_domains: { order: Direction } }
+ | { dns_bytes_in: { order: Direction } }
+ | { dns_bytes_out: { order: Direction } };
 const getQueryOrder = (sort: SortField): QueryOrder => {
 switch (sort.field) {
 case NetworkDnsFields.queryCount:
- return { _count: sort.direction };
+ return {
+ _count: {
+ order: sort.direction,
+ },
+ };
 case NetworkDnsFields.dnsName:
- return { _key: sort.direction };
+ return { _key: { order: sort.direction } };
 case NetworkDnsFields.uniqueDomains:
- return { unique_domains: sort.direction };
+ return { unique_domains: { order: sort.direction } };
 case NetworkDnsFields.dnsBytesIn:
- return { dns_bytes_in: sort.direction };
+ return { dns_bytes_in: { order: sort.direction } };
 case NetworkDnsFields.dnsBytesOut:
- return { dns_bytes_out: sort.direction };
 }
 assertUnreachable(sort.field);
 };
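Review bot: As far as this hunk shows, `case NetworkDnsFields.dnsBytesOut:` no longer returns anything — the old `return { dns_bytes_out: sort.direction };` is removed with no `+` replacement, and the hunk counts (-25/+30) together with the file's 39-line diffstat are consistent with that, so it does not look like an extraction artefact. A request sorted by bytes out would then fall out of the switch into `assertUnreachable(sort.field)`, which throws on a valid field (or, if `SortField` is parameterized with `NetworkDnsFields`, fails to type-check because `sort.field` is not `never` there). The fix is the one line the sibling cases already have: `return { dns_bytes_out: { order: sort.direction } };`. The `QueryOrder` union already declares that member, so only the case body is missing.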
@@ -67,7 +72,7 @@ export const buildDnsQuery = ({
 filterQuery,
 isPtrIncluded,
 sort,
- pagination: { querySize },
+ pagination: { cursorStart, querySize },
 stackByField = 'dns.question.registered_domain',
 timerange: { from, to },
 }: NetworkDnsRequestOptions) => {
@@ -95,12 +100,16 @@ export const buildDnsQuery = ({
 dns_name_query_count: {
 terms: {
 field: stackByField,
- size: querySize,
- order: {
- ...getQueryOrder(sort),
- },
+ size: HUGE_QUERY_SIZE,
 },
 aggs: {
+ bucket_sort: {
+ bucket_sort: {
+ sort: [getQueryOrder(sort), { _key: { order: 'asc' } }],
+ from: cursorStart,
+ size: querySize,
+ },
+ },
 unique_domains: {
 cardinality: {
 field: 'dns.question.name',
diff --git a/x-pack/test/api_integration/apis/security_solution/network_dns.ts b/x-pack/test/api_integration/apis/security_solution/network_dns.ts
index 966b8184965d14..9b7a39a2797730 100644
--- a/x-pack/test/api_integration/apis/security_solution/network_dns.ts
+++ b/x-pack/test/api_integration/apis/security_solution/network_dns.ts
@@ -18,8 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
 const esArchiver = getService('esArchiver');
 const supertest = getService('supertest');
- // Failing: See https://github.com/elastic/kibana/issues/82207
- describe.skip('Network DNS', () => {
+ describe('Network DNS', () => {
 describe('With packetbeat', () => {
 before(() => esArchiver.load('packetbeat/dns'));
 after(() => esArchiver.unload('packetbeat/dns'));
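Review bot: In the second query.dns_network.dsl.ts hunk the terms aggregation now asks for `size: HUGE_QUERY_SIZE` (one million buckets) on every request, whatever page is wanted, because the ordering moved from the terms `order` into the inner `bucket_sort`; Elasticsearch has to build every bucket of `stackByField` before the bucket_sort trims to `querySize`, and `stackByField` is taken from the request rather than fixed. On a high-cardinality field that is a heavy, user-triggerable aggregation, and it can exceed the cluster's `search.max_buckets` limit, which rejects the search rather than truncating it — a resource-consumption and availability concern worth a bound closer to what the table can ever page through. The reason for the move should be recorded on the constant, presumably that ordering a terms agg by a sub-aggregation is approximate across shards while bucket_sort sorts the reduced buckets exactly: `// terms order on a sub-agg is per-shard approximate; collect all buckets and let bucket_sort page the exact global order`. `buildDnsQuery` starts and ends outside both of its hunks; the first hunk (destructuring `cursorStart`) needs nothing.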
@@ -59,7 +58,7 @@ export default function ({ getService }: FtrProviderContext) {
 expect(networkDns.edges.length).to.be(10);
 expect(networkDns.totalCount).to.be(44);
 expect(networkDns.edges.map((i: NetworkDnsEdges) => i.node.dnsName).join(',')).to.be(
- 'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,crowbird.com,d1oxlq5h9kq8q5.cloudfront.net'
+ 'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,d1oxlq5h9kq8q5.cloudfront.net,d3epxf4t8a32oh.cloudfront.net'
 );
 expect(networkDns.pageInfo.fakeTotalCount).to.equal(30);
 });
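Review bot: The expected first page changes membership (`crowbird.com` drops out, `d3epxf4t8a32oh.cloudfront.net` comes in) with no note of why, so a future failure here cannot be told apart from a regression in the query. Presumably the difference comes from the exact global `bucket_sort` with the `_key asc` tie-break replacing the per-shard approximate terms order; a comment above the assertion saying so, e.g. `// first page under exact bucket_sort ordering (_key asc tie-break); differs from the former approximate terms order`, would make the fixture change reviewable. The sort field the request uses is set outside this hunk, so naming it in that comment would also help.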