Update endpoint event and alert types (#69292)
* start redoing types

* finish redoing types

* fix bad test

* rework tests

* fix more types

* fix test

* Fix endpoints test and render error

* add deletePolicyStream to alerts api tests

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Paul Tavares <paul.tavares@elastic.co>
3 people authored Jun 18, 2020
1 parent f4b0d5c commit 4a26f56
Showing 20 changed files with 456 additions and 300 deletions.
Expand Up @@ -47,7 +47,7 @@ describe('data generator', () => {
const metadata = generator.generateHostMetadata(timestamp);
expect(metadata['@timestamp']).toEqual(timestamp);
expect(metadata.event.created).toEqual(timestamp);
expect(metadata.endpoint).not.toBeNull();
expect(metadata.Endpoint).not.toBeNull();
expect(metadata.agent).not.toBeNull();
expect(metadata.host).not.toBeNull();
});
Expand All @@ -57,18 +57,18 @@ describe('data generator', () => {
const hostPolicyResponse = generator.generatePolicyResponse(timestamp);
expect(hostPolicyResponse['@timestamp']).toEqual(timestamp);
expect(hostPolicyResponse.event.created).toEqual(timestamp);
expect(hostPolicyResponse.endpoint).not.toBeNull();
expect(hostPolicyResponse.Endpoint).not.toBeNull();
expect(hostPolicyResponse.agent).not.toBeNull();
expect(hostPolicyResponse.host).not.toBeNull();
expect(hostPolicyResponse.endpoint.policy.applied).not.toBeNull();
expect(hostPolicyResponse.Endpoint.policy.applied).not.toBeNull();
});

it('creates alert event documents', () => {
const timestamp = new Date().getTime();
const alert = generator.generateAlert(timestamp);
expect(alert['@timestamp']).toEqual(timestamp);
expect(alert.event.action).not.toBeNull();
expect(alert.endpoint).not.toBeNull();
expect(alert.Endpoint).not.toBeNull();
expect(alert.agent).not.toBeNull();
expect(alert.host).not.toBeNull();
expect(alert.process.entity_id).not.toBeNull();
Expand Down Expand Up @@ -364,7 +364,9 @@ describe('data generator', () => {
it('creates full resolver tree', () => {
const alertAncestors = 3;
const generations = 2;
const events = [...generator.fullResolverTreeGenerator(alertAncestors, generations)];
const events = [
...generator.fullResolverTreeGenerator({ ancestors: alertAncestors, generations }),
];
const rootNode = buildResolverTree(events);
const visitedEvents = countResolverEvents(rootNode, alertAncestors + generations);
expect(visitedEvents).toEqual(events.length);
189 changes: 90 additions & 99 deletions x-pack/plugins/security_solution/common/endpoint/generate_data.ts
Expand Up @@ -10,7 +10,7 @@ import {
EndpointEvent,
Host,
HostMetadata,
HostOS,
OSFields,
HostPolicyResponse,
HostPolicyResponseActionStatus,
PolicyData,
Expand All @@ -28,38 +28,46 @@ interface EventOptions {
processName?: string;
}

const Windows: HostOS[] = [
const Windows: OSFields[] = [
{
name: 'windows 10.0',
full: 'Windows 10',
version: '10.0',
variant: 'Windows Pro',
Ext: {
variant: 'Windows Pro',
},
},
{
name: 'windows 10.0',
full: 'Windows Server 2016',
version: '10.0',
variant: 'Windows Server',
Ext: {
variant: 'Windows Server',
},
},
{
name: 'windows 6.2',
full: 'Windows Server 2012',
version: '6.2',
variant: 'Windows Server',
Ext: {
variant: 'Windows Server',
},
},
{
name: 'windows 6.3',
full: 'Windows Server 2012R2',
version: '6.3',
variant: 'Windows Server Release 2',
Ext: {
variant: 'Windows Server Release 2',
},
},
];

const Linux: HostOS[] = [];
const Linux: OSFields[] = [];

const Mac: HostOS[] = [];
const Mac: OSFields[] = [];

const OS: HostOS[] = [...Windows, ...Mac, ...Linux];
const OS: OSFields[] = [...Windows, ...Mac, ...Linux];

const APPLIED_POLICIES: Array<{
name: string;
Expand Down Expand Up @@ -186,7 +194,7 @@ interface HostInfo {
type: string;
};
host: Host;
endpoint: {
Endpoint: {
policy: {
applied: {
id: string;
Expand Down Expand Up @@ -283,8 +291,8 @@ export class EndpointDocGenerator {
* Creates new random policy id for the host to simulate new policy application
*/
public updatePolicyId() {
this.commonInfo.endpoint.policy.applied.id = this.randomChoice(APPLIED_POLICIES).id;
this.commonInfo.endpoint.policy.applied.status = this.randomChoice([
this.commonInfo.Endpoint.policy.applied = this.randomChoice(APPLIED_POLICIES);
this.commonInfo.Endpoint.policy.applied.status = this.randomChoice([
HostPolicyResponseActionStatus.success,
HostPolicyResponseActionStatus.failure,
HostPolicyResponseActionStatus.warning,
Expand All @@ -310,7 +318,7 @@ export class EndpointDocGenerator {
mac: this.randomArray(3, () => this.randomMac()),
os: this.randomChoice(OS),
},
endpoint: {
Endpoint: {
policy: {
applied: this.randomChoice(APPLIED_POLICIES),
},
Expand Down Expand Up @@ -371,77 +379,88 @@ export class EndpointDocGenerator {
sha1: 'fake file sha1',
sha256: 'fake file sha256',
},
code_signature: {
trusted: false,
subject_name: 'bad signer',
},
malware_classification: {
identifier: 'endpointpe',
score: 1,
threshold: 0.66,
version: '3.0.33',
Ext: {
code_signature: [
{
trusted: false,
subject_name: 'bad signer',
},
],
malware_classification: {
identifier: 'endpointpe',
score: 1,
threshold: 0.66,
version: '3.0.33',
},
temp_file_path: 'C:/temp/fake_malware.exe',
},
temp_file_path: 'C:/temp/fake_malware.exe',
},
process: {
pid: 2,
name: 'malware writer',
start: ts,
uptime: 0,
user: 'SYSTEM',
entity_id: entityID,
executable: 'C:/malware.exe',
parent: parentEntityID ? { entity_id: parentEntityID, pid: 1 } : undefined,
token: {
domain: 'NT AUTHORITY',
integrity_level: 16384,
integrity_level_name: 'system',
privileges: [
{
description: 'Replace a process level token',
enabled: false,
name: 'SeAssignPrimaryTokenPrivilege',
},
],
sid: 'S-1-5-18',
type: 'tokenPrimary',
user: 'SYSTEM',
},
code_signature: {
trusted: false,
subject_name: 'bad signer',
},
hash: {
md5: 'fake md5',
sha1: 'fake sha1',
sha256: 'fake sha256',
},
Ext: {
code_signature: [
{
trusted: false,
subject_name: 'bad signer',
},
],
user: 'SYSTEM',
token: {
domain: 'NT AUTHORITY',
integrity_level: 16384,
integrity_level_name: 'system',
privileges: [
{
description: 'Replace a process level token',
enabled: false,
name: 'SeAssignPrimaryTokenPrivilege',
},
],
sid: 'S-1-5-18',
type: 'tokenPrimary',
user: 'SYSTEM',
},
},
},
dll: [
{
pe: {
architecture: 'x64',
imphash: 'c30d230b81c734e82e86e2e2fe01cd01',
},
code_signature: {
subject_name: 'Cybereason Inc',
trusted: true,
},
compile_time: 1534424710,

hash: {
md5: '1f2d082566b0fc5f2c238a5180db7451',
sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d',
sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2',
},
malware_classification: {
identifier: 'Whitelisted',
score: 0,
threshold: 0,
version: '3.0.0',
},
mapped_address: 5362483200,
mapped_size: 0,

path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe',
Ext: {
compile_time: 1534424710,
mapped_address: 5362483200,
mapped_size: 0,
malware_classification: {
identifier: 'Whitelisted',
score: 0,
threshold: 0,
version: '3.0.0',
},
},
},
],
};
Expand Down Expand Up @@ -561,28 +580,9 @@ export class EndpointDocGenerator {
* @param percentTerminated - percent of nodes which will have process termination events
* @param alwaysGenMaxChildrenPerNode - flag to always return the max children per node instead of it being a random number of children
*/
public *alertsGenerator(
numAlerts: number,
alertAncestors?: number,
childGenerations?: number,
maxChildrenPerNode?: number,
relatedEventsPerNode?: number,
relatedAlertsPerNode?: number,
percentNodesWithRelated?: number,
percentTerminated?: number,
alwaysGenMaxChildrenPerNode?: boolean
) {
public *alertsGenerator(numAlerts: number, options: TreeOptions = {}) {
for (let i = 0; i < numAlerts; i++) {
yield* this.fullResolverTreeGenerator(
alertAncestors,
childGenerations,
maxChildrenPerNode,
relatedEventsPerNode,
relatedAlertsPerNode,
percentNodesWithRelated,
percentTerminated,
alwaysGenMaxChildrenPerNode
);
yield* this.fullResolverTreeGenerator(options);
}
}

Expand All @@ -600,35 +600,26 @@ export class EndpointDocGenerator {
* @param percentTerminated - percent of nodes which will have process termination events
* @param alwaysGenMaxChildrenPerNode - flag to always return the max children per node instead of it being a random number of children
*/
public *fullResolverTreeGenerator(
alertAncestors?: number,
childGenerations?: number,
maxChildrenPerNode?: number,
relatedEventsPerNode?: RelatedEventInfo[] | number,
relatedAlertsPerNode?: number,
percentNodesWithRelated?: number,
percentTerminated?: number,
alwaysGenMaxChildrenPerNode?: boolean
) {
public *fullResolverTreeGenerator(options: TreeOptions = {}) {
const ancestry = this.createAlertEventAncestry(
alertAncestors,
relatedEventsPerNode,
percentNodesWithRelated,
percentTerminated
options.ancestors,
options.relatedEvents,
options.percentWithRelated,
options.percentTerminated
);
for (let i = 0; i < ancestry.length; i++) {
yield ancestry[i];
}
// ancestry will always have at least 2 elements, and the last element will be the alert
yield* this.descendantsTreeGenerator(
ancestry[ancestry.length - 1],
childGenerations,
maxChildrenPerNode,
relatedEventsPerNode,
relatedAlertsPerNode,
percentNodesWithRelated,
percentTerminated,
alwaysGenMaxChildrenPerNode
options.generations,
options.children,
options.relatedEvents,
options.relatedAlerts,
options.percentWithRelated,
options.percentTerminated,
options.alwaysGenMaxChildrenPerNode
);
}

Expand Down Expand Up @@ -940,7 +931,7 @@ export class EndpointDocGenerator {
host: {
id: this.commonInfo.host.id,
},
endpoint: {
Endpoint: {
policy: {
applied: {
actions: [
Expand Down Expand Up @@ -1045,7 +1036,7 @@ export class EndpointDocGenerator {
status: HostPolicyResponseActionStatus.success,
},
],
id: this.commonInfo.endpoint.policy.applied.id,
id: this.commonInfo.Endpoint.policy.applied.id,
response: {
configurations: {
events: {
Expand Down Expand Up @@ -1086,9 +1077,9 @@ export class EndpointDocGenerator {
],
},
},
status: this.commonInfo.endpoint.policy.applied.status,
status: this.commonInfo.Endpoint.policy.applied.status,
version: policyVersion,
name: this.commonInfo.endpoint.policy.applied.name,
name: this.commonInfo.Endpoint.policy.applied.name,
},
},
},
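Review bot: In updatePolicyId, `this.commonInfo.Endpoint.policy.applied = this.randomChoice(APPLIED_POLICIES);` stores a reference to the module-level APPLIED_POLICIES entry, so the `.status` assignment on the next line writes into that shared constant (assuming randomChoice returns the element rather than a copy), and any later pick of the same entry — including the commonInfo initialiser `applied: this.randomChoice(APPLIED_POLICIES)` in the host-metadata hunk — then sees the mutated status. Copy the entry before mutating it: `this.commonInfo.Endpoint.policy.applied = { ...this.randomChoice(APPLIED_POLICIES) };`. The same alias appears to predate this commit via that commonInfo initialiser, so the copy belongs in both places. Separately, the JSDoc above `alertsGenerator` and `fullResolverTreeGenerator` still carries `@param` tags for the removed positional parameters (`percentTerminated`, `alwaysGenMaxChildrenPerNode`, …) and should instead document the single options argument, e.g. `@param options - tree shape settings, see TreeOptions`. updatePolicyId's body continues past its hunk.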
