resolver simulator and click through tests #73310
Merged
d784a03
resolver simulator and click through tests
d63bca7
cleanup
1d180ea
comments and code org
56aa8f2
comments
3691bf0
moving files
c34148b
moving files
562e672
comments and refactoring
22cc9ee
fix custom matcher type
4f1d990
rename side effect simulator
544c076
type issues
4349552
comments
ec6f28a
fix comments
6a86e70
use weak map for content rects in side effect simulator
9458e3c
dunno what i did there
4bd17ed
cleanup
a72c164
comments. file name
0a7d1bd
comments
7916e1d
comments
c99fd73
oops
38cd660
comment fixed
a6f18fa
more comments
73047b6
spelling
bcd96e2
spelling again
036891d
WIP
acfa50a
Revert "WIP"
02c68f9
change things:
12ef066
fix types
6f29db4
fix?
2ca8d4b
Merge branch 'master' into resolver-simulator
elasticmachine 9602cc5
fixup
6f79a42
Merge branch 'resolver-simulator' of github.com:oatkiller/kibana into…
dd1453b
Merge branch 'master' into resolver-simulator
elasticmachine
70 changes: 70 additions & 0 deletions
x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts
@@ -0,0 +1,70 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { KibanaReactContextValue } from '../../../../../../src/plugins/kibana_react/public'; | ||
import { StartServices } from '../../types'; | ||
import { DataAccessLayer } from '../types'; | ||
import { | ||
ResolverRelatedEvents, | ||
ResolverTree, | ||
ResolverEntityIndex, | ||
} from '../../../common/endpoint/types'; | ||
import { DEFAULT_INDEX_KEY as defaultIndexKey } from '../../../common/constants'; | ||
|
||
/** | ||
* The data access layer for resolver. All communication with the Kibana server is done through this object. This object is provided to Resolver. In tests, a mock data access layer can be used instead. | ||
*/ | ||
export function dataAccessLayerFactory( | ||
context: KibanaReactContextValue<StartServices> | ||
): DataAccessLayer { | ||
const dataAccessLayer: DataAccessLayer = { | ||
/** | ||
* Used to get non-process related events for a node. | ||
*/ | ||
async relatedEvents(entityID: string): Promise<ResolverRelatedEvents> { | ||
return context.services.http.get(`/api/endpoint/resolver/${entityID}/events`, { | ||
query: { events: 100 }, | ||
}); | ||
}, | ||
/** | ||
* Used to get descendant and ancestor process events for a node. | ||
*/ | ||
async resolverTree(entityID: string, signal: AbortSignal): Promise<ResolverTree> { | ||
return context.services.http.get(`/api/endpoint/resolver/${entityID}`, { | ||
signal, | ||
}); | ||
}, | ||
|
||
/** | ||
* Used to get the default index pattern from the SIEM application. | ||
*/ | ||
indexPatterns(): string[] { | ||
return context.services.uiSettings.get(defaultIndexKey); | ||
}, | ||
|
||
/** | ||
* Used to get the entity_id for an _id. | ||
*/ | ||
async entities({ | ||
_id, | ||
indices, | ||
signal, | ||
}: { | ||
_id: string; | ||
indices: string[]; | ||
signal: AbortSignal; | ||
}): Promise<ResolverEntityIndex> { | ||
return context.services.http.get('/api/endpoint/resolver/entity', { | ||
signal, | ||
query: { | ||
_id, | ||
indices, | ||
}, | ||
}); | ||
}, | ||
}; | ||
return dataAccessLayer; | ||
} |
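Review bot: `relatedEvents` and `resolverTree` interpolate `entityID` straight into the request path (`/api/endpoint/resolver/${entityID}/events` and `/api/endpoint/resolver/${entityID}`), so an entity ID containing `/`, `?` or `#` would change which route the request reaches; wrap it as `encodeURIComponent(entityID)` in both places. Two smaller points in the same object: `relatedEvents` accepts no `AbortSignal` while `resolverTree` and `entities` do, so a caller that unmounts cannot cancel that request, and the page size in `query: { events: 100 }` is a bare literal that would read better as a named constant alongside `defaultIndexKey`.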
96 changes: 96 additions & 0 deletions
...ns/security_solution/public/resolver/data_access_layer/mocks/one_ancestor_two_children.ts
@@ -0,0 +1,96 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { | ||
ResolverRelatedEvents, | ||
ResolverTree, | ||
ResolverEntityIndex, | ||
} from '../../../../common/endpoint/types'; | ||
import { mockEndpointEvent } from '../../store/mocks/endpoint_event'; | ||
import { mockTreeWithNoAncestorsAnd2Children } from '../../store/mocks/resolver_tree'; | ||
import { DataAccessLayer } from '../../types'; | ||
|
||
interface Metadata { | ||
/** | ||
* The `_id` of the document being analyzed. | ||
*/ | ||
databaseDocumentID: string; | ||
/** | ||
* A record of entityIDs to be used in tests assertions. | ||
*/ | ||
entityIDs: { | ||
/** | ||
* The entityID of the node related to the document being analyzed. | ||
*/ | ||
origin: 'origin'; | ||
/** | ||
* The entityID of the first child of the origin. | ||
*/ | ||
firstChild: 'firstChild'; | ||
/** | ||
* The entityID of the second child of the origin. | ||
*/ | ||
secondChild: 'secondChild'; | ||
}; | ||
} | ||
|
||
/** | ||
* A simple mock dataAccessLayer possible that returns a tree with 0 ancestors and 2 direct children. 1 related event is returned. The parameter to `entities` is ignored. | ||
*/ | ||
export function oneAncestorTwoChildren(): { dataAccessLayer: DataAccessLayer; metadata: Metadata } { | ||
const metadata: Metadata = { | ||
databaseDocumentID: '_id', | ||
entityIDs: { origin: 'origin', firstChild: 'firstChild', secondChild: 'secondChild' }, | ||
}; | ||
return { | ||
metadata, | ||
dataAccessLayer: { | ||
/** | ||
* Fetch related events for an entity ID | ||
*/ | ||
relatedEvents(entityID: string): Promise<ResolverRelatedEvents> { | ||
return Promise.resolve({ | ||
entityID, | ||
events: [ | ||
mockEndpointEvent({ | ||
entityID, | ||
name: 'event', | ||
timestamp: 0, | ||
}), | ||
], | ||
nextEvent: null, | ||
}); | ||
}, | ||
|
||
/** | ||
* Fetch a ResolverTree for a entityID | ||
*/ | ||
resolverTree(): Promise<ResolverTree> { | ||
return Promise.resolve( | ||
mockTreeWithNoAncestorsAnd2Children({ | ||
originID: metadata.entityIDs.origin, | ||
firstChildID: metadata.entityIDs.firstChild, | ||
secondChildID: metadata.entityIDs.secondChild, | ||
}) | ||
); | ||
}, | ||
|
||
/** | ||
* Get an array of index patterns that contain events. | ||
*/ | ||
indexPatterns(): string[] { | ||
return ['index pattern']; | ||
}, | ||
|
||
/** | ||
* Get entities matching a document. | ||
*/ | ||
entities(): Promise<ResolverEntityIndex> { | ||
return Promise.resolve([{ entity_id: metadata.entityIDs.origin }]); | ||
}, | ||
}, | ||
}; | ||
} |
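Review bot: the exported name `oneAncestorTwoChildren` contradicts both its doc comment ("returns a tree with 0 ancestors and 2 direct children") and the helper it delegates to, `mockTreeWithNoAncestorsAnd2Children`; rename it (for example to `noAncestorsTwoChildren`) before tests start encoding the wrong expectation in their names. The same doc comment reads "A simple mock dataAccessLayer possible that returns"; drop the stray "possible". It also documents that the argument to `entities` is ignored, but `resolverTree()` likewise drops the `signal` that the real `DataAccessLayer` accepts, which is worth stating in its comment so a test that expects cancellation is not surprised.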
@james-elastic Seems like these values are wrong (and won't work in the UI) in 7.9. Not 100%, but we should look into it.
The change you're proposing is correct. The data that is sent by the endpoint looks like this:
Endpoint process event
The fields that are defined in the mapping are `user.id`, `user.name`, and `user.domain`: https://github.com/elastic/endpoint-package/blob/master/schemas/v1/process/process.yaml#L1260
@oatkiller @jonathan-buttner Should pull this (and the other user fix) out into its own PR to get it in the BC today?