[Security Solution] Create new events api #78326
Conversation
jonathan-buttner
added
v8.0.0
release_note:skip
| await esArchiver.unload('endpoint/resolver/api_feature'); | ||
| }); | ||
| describe('event routes', () => { | ||
| describe('related events route', () => { |
There was a problem hiding this comment.
These changes look worse than they are. This block was wrapped in the above describe block and intended.
| expect(body.events).be.empty(); | ||
| expect(body.entityID).to.eql(entityID); | ||
| expect(body.nextEvent).to.eql(null); | ||
| describe('endpoint events', () => { |
There was a problem hiding this comment.
Same as above, wrapped in the outer describe block and indented.
| .expect(200); | ||
| expect(body.entityID).to.eql(entityID); | ||
| expect(body.nextEvent).to.eql(null); | ||
| describe('kql events route', () => { |
There was a problem hiding this comment.
These are all new. Once the frontend is switched over to use this route the above tests will be removed.
| @@ -0,0 +1,89 @@ | |||
| /* | |||
There was a problem hiding this comment.
This file was really a move: event.ts -> related_events.ts
There was a problem hiding this comment.
The files moved to their related_events.ts counterparts are essentially deprecated right?
There was a problem hiding this comment.
That's correct. I wanted the events.ts file to have the new implementation since that name seemed most appropriate.
There was a problem hiding this comment.
Sweet, good to know. Thanks. We can probably @deprecated these files
| @@ -4,86 +4,59 @@ | |||
| * you may not use this file except in compliance with the Elastic License. | |||
| */ | |||
| import { SearchResponse } from 'elasticsearch'; | |||
| import { IScopedClusterClient } from 'kibana/server'; | |||
There was a problem hiding this comment.
This is really a new file for the new /resolver/events route. It does not use the base class like the other queries that are tied to a particular entity_id.
| ): RequestHandler< | ||
| TypeOf<typeof validateEvents.params>, | ||
| unknown, |
There was a problem hiding this comment.
No params are used for the new events route.
| @@ -0,0 +1,41 @@ | |||
| /* | |||
There was a problem hiding this comment.
This file was a move from resolver/events -> resolver/related_events
jonathan-buttner
requested review from
kqualters-elastic,
oatkiller,
michaelolo24 and
bkimmel
| .set('kbn-xsrf', 'xxx') | ||
| .send({ | ||
| filter: `event.id:"${tree.origin.relatedEvents[0]?.event?.id}"`, |
There was a problem hiding this comment.
Get a specific event using the event.id field.
| { | ||
| term: { 'agent.id': endpointID }, | ||
| }, | ||
| ...kqlQuery, |
There was a problem hiding this comment.
Do we prefer that this new /events route filters out event.category:process like the previous route or includes them by default and leaves it up to the passed in kql filter to do it?
In the current state, to find non-process events for a specific entity_id we'd pass something like this: process.entity_id:"1234" and not event.category:"process" as the filter
There was a problem hiding this comment.
I prefer this. Better to surface everything and let the filtering logic be decided on the front end
|
Pinging @elastic/endpoint-data-visibility-team (Team:Endpoint Data Visibility) |
|
|
||
| export function registerResolverRoutes(router: IRouter, endpointAppContext: EndpointAppContext) { | ||
| const log = endpointAppContext.logFactory.get('resolver'); | ||
|
|
||
| // this route will be removed in favor of the one below |
There was a problem hiding this comment.
We can just tag all these as @deprecated. Easier to do a find all and remove later on
There was a problem hiding this comment.
Yeah good call 👍
| @@ -276,6 +276,14 @@ export interface SafeResolverRelatedEvents { | |||
| nextEvent: string | null; | |||
| } | |||
|
|
|||
| /** | |||
| * Response structure for the events route. | |||
There was a problem hiding this comment.
When nextEvent is null it means there are no more events, right? Maybe should add that to comment.
There was a problem hiding this comment.
Yeah I'll add it 👍
| import { EndpointAppContext } from '../../types'; | ||
| import { EventsQuery } from './queries/events'; | ||
| import { createEvents } from './utils/node'; | ||
| import { PaginationBuilder } from './utils/pagination'; | ||
|
|
||
| export function handleEvents( |
There was a problem hiding this comment.
❔ Just noticed this needs a doc comment
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]distributable file count
History
To update your PR or re-run it, just comment with: |
* Creating new events route * Trying to get github to recognize the indent change * Using paginated name for events api return type * Updating comment * Updating comment * Adding deprecated comments * Adding more comments Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* Creating new events route * Trying to get github to recognize the indent change * Using paginated name for events api return type * Updating comment * Updating comment * Adding deprecated comments * Adding more comments Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This PR creates a new
/resolver/eventsapi that is not tied to anentity_id. Instead it can take a filter as a kql string to filter the results from ES. This will allow a request to retrieve events for a specificentity_id,event.id, or any other kql filter.Once the frontend is switched over to use this route the older
resolver/{id}/eventsroute will be removed.