-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Create new events api #78326
Conversation
await esArchiver.unload('endpoint/resolver/api_feature'); | ||
}); | ||
describe('event routes', () => { | ||
describe('related events route', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These changes look worse than they are. This block was wrapped in the above describe
block and intended.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
*indented
expect(body.events).be.empty(); | ||
expect(body.entityID).to.eql(entityID); | ||
expect(body.nextEvent).to.eql(null); | ||
describe('endpoint events', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above, wrapped in the outer describe block and indented.
.expect(200); | ||
expect(body.entityID).to.eql(entityID); | ||
expect(body.nextEvent).to.eql(null); | ||
describe('kql events route', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are all new. Once the frontend is switched over to use this route the above tests will be removed.
@@ -0,0 +1,89 @@ | |||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file was really a move: event.ts -> related_events.ts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The files moved to their related_events.ts
counterparts are essentially deprecated
right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's correct. I wanted the events.ts
file to have the new implementation since that name seemed most appropriate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sweet, good to know. Thanks. We can probably @deprecated
these files
@@ -4,86 +4,59 @@ | |||
* you may not use this file except in compliance with the Elastic License. | |||
*/ | |||
import { SearchResponse } from 'elasticsearch'; | |||
import { IScopedClusterClient } from 'kibana/server'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really a new file for the new /resolver/events
route. It does not use the base class like the other queries that are tied to a particular entity_id.
): RequestHandler< | ||
TypeOf<typeof validateEvents.params>, | ||
unknown, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No params are used for the new events route.
@@ -0,0 +1,41 @@ | |||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file was a move from resolver/events -> resolver/related_events
.set('kbn-xsrf', 'xxx') | ||
.send({ | ||
filter: `event.id:"${tree.origin.relatedEvents[0]?.event?.id}"`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Get a specific event using the event.id
field.
{ | ||
term: { 'agent.id': endpointID }, | ||
}, | ||
...kqlQuery, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we prefer that this new /events
route filters out event.category:process
like the previous route or includes them by default and leaves it up to the passed in kql filter to do it?
In the current state, to find non-process events for a specific entity_id we'd pass something like this: process.entity_id:"1234" and not event.category:"process"
as the filter
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer this. Better to surface everything and let the filtering logic be decided on the front end
Pinging @elastic/endpoint-data-visibility-team (Team:Endpoint Data Visibility) |
|
||
export function registerResolverRoutes(router: IRouter, endpointAppContext: EndpointAppContext) { | ||
const log = endpointAppContext.logFactory.get('resolver'); | ||
|
||
// this route will be removed in favor of the one below |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can just tag all these as @deprecated
. Easier to do a find all and remove later on
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah good call 👍
@@ -276,6 +276,14 @@ export interface SafeResolverRelatedEvents { | |||
nextEvent: string | null; | |||
} | |||
|
|||
/** | |||
* Response structure for the events route. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When nextEvent
is null it means there are no more events, right? Maybe should add that to comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I'll add it 👍
import { EndpointAppContext } from '../../types'; | ||
import { EventsQuery } from './queries/events'; | ||
import { createEvents } from './utils/node'; | ||
import { PaginationBuilder } from './utils/pagination'; | ||
|
||
export function handleEvents( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❔ Just noticed this needs a doc comment
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]distributable file count
History
To update your PR or re-run it, just comment with: |
* Creating new events route * Trying to get github to recognize the indent change * Using paginated name for events api return type * Updating comment * Updating comment * Adding deprecated comments * Adding more comments Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* Creating new events route * Trying to get github to recognize the indent change * Using paginated name for events api return type * Updating comment * Updating comment * Adding deprecated comments * Adding more comments Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This PR creates a new
/resolver/events
api that is not tied to anentity_id
. Instead it can take a filter as a kql string to filter the results from ES. This will allow a request to retrieve events for a specificentity_id
,event.id
, or any other kql filter.Once the frontend is switched over to use this route the older
resolver/{id}/events
route will be removed.