elastic · kqualters-elastic · Mar 18, 2020 · Mar 2, 2020 · Mar 2, 2020 · Mar 3, 2020
diff --git a/x-pack/plugins/endpoint/common/types.ts b/x-pack/plugins/endpoint/common/types.ts
@@ -31,9 +31,9 @@ export enum Direction {
 
 export class EndpointAppConstants {
   static BASE_API_URL = '/api/endpoint';
-  static ALERT_INDEX_NAME = 'my-index';
   static ENDPOINT_INDEX_NAME = 'endpoint-agent*';
-  static EVENT_INDEX_NAME = 'endpoint-events-*';
+  static ALERT_INDEX_NAME = 'events-endpoint-1';
+  static EVENT_INDEX_NAME = 'events-endpoint-*';
   static DEFAULT_TOTAL_HITS = 10000;
   /**
    * Legacy events are stored in indices with endgame-* prefix
@@ -315,23 +315,34 @@ export interface EndpointEvent {
     category: string;
     type: string;
     id: string;
+    kind: string;
   };
   endpoint: {
     process: {
       entity_id: string;
-      parent: {
+      parent?: {
         entity_id: string;
       };
+      name: string;
     };
   };
   agent: {
     id: string;
     type: string;
   };
+  process: {
+    name: string;
+  };
 }
 
 export type ResolverEvent = EndpointEvent | LegacyEndpointEvent;
 
+export function isLegacyEvent(
+  event: EndpointEvent | LegacyEndpointEvent
+): event is LegacyEndpointEvent {
+  return (event as LegacyEndpointEvent).endgame !== undefined;
+}
+
 /**
  * The PageId type is used for the payload when firing userNavigatedToPage actions
  */

diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/details/overview/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/details/overview/index.tsx
@@ -4,91 +4,95 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import React, { memo, useMemo } from 'react';
+import styled from 'styled-components';
 import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n/react';
 import { EuiSpacer, EuiTitle, EuiText, EuiHealth, EuiTabbedContent } from '@elastic/eui';
 import { useAlertListSelector } from '../../hooks/use_alerts_selector';
 import * as selectors from '../../../../store/alerts/selectors';
+import { ResolverEvent } from '../../../../../../../common/types';
 import { MetadataPanel } from './metadata_panel';
 import { FormattedDate } from '../../formatted_date';
 import { AlertDetailResolver } from '../../resolver';
 
-export const AlertDetailsOverview = memo(() => {
-  const alertDetailsData = useAlertListSelector(selectors.selectedAlertDetailsData);
-  if (alertDetailsData === undefined) {
-    return null;
-  }
-  const selectedAlertIsLegacyEndpointEvent = useAlertListSelector(
-    selectors.selectedAlertIsLegacyEndpointEvent
-  );
+export const AlertDetailsOverview = styled(
+  memo(({ className }: { className?: string }) => {
+    const alertDetailsData = useAlertListSelector(selectors.selectedAlertDetailsData);
+    if (alertDetailsData === undefined) {
+      return null;
+    }
 
-  const tabs = useMemo(() => {
-    return [
-      {
-        id: 'overviewMetadata',
-        name: i18n.translate(
-          'xpack.endpoint.application.endpoint.alertDetails.overview.tabs.overview',
-          {
-            defaultMessage: 'Overview',
-          }
-        ),
-        content: (
-          <>
-            <EuiSpacer />
-            <MetadataPanel />
-          </>
-        ),
-      },
-      {
-        id: 'overviewResolver',
-        name: i18n.translate(
-          'xpack.endpoint.application.endpoint.alertDetails.overview.tabs.resolver',
-          {
-            defaultMessage: 'Resolver',
-          }
-        ),
-        content: (
-          <>
-            <EuiSpacer />
-            {selectedAlertIsLegacyEndpointEvent && <AlertDetailResolver />}
-          </>
-        ),
-      },
-    ];
-  }, [selectedAlertIsLegacyEndpointEvent]);
+    const tabs = useMemo(() => {
+      return [
+        {
+          id: 'overviewMetadata',
+          name: i18n.translate(
+            'xpack.endpoint.application.endpoint.alertDetails.overview.tabs.overview',
+            {
+              defaultMessage: 'Overview',
+            }
+          ),
+          content: (
+            <>
+              <EuiSpacer />
+              <MetadataPanel />
+            </>
+          ),
+        },
+        {
+          id: 'overviewResolver',
+          name: i18n.translate(
+            'xpack.endpoint.application.endpoint.alertDetails.overview.tabs.resolver',
+            {
+              defaultMessage: 'Resolver',
+            }
+          ),
+          content: (
+            <>
+              <EuiSpacer />
+              <AlertDetailResolver selectedEvent={(alertDetailsData as unknown) as ResolverEvent} />
+            </>
+          ),
+        },
+      ];
+    }, [alertDetailsData]);
 
-  return (
-    <>
-      <section className="details-overview-summary">
-        <EuiTitle size="s">
-          <h3>
-            <FormattedMessage
-              id="xpack.endpoint.application.endpoint.alertDetails.overview.title"
-              defaultMessage="Detected Malicious File"
-            />
-          </h3>
-        </EuiTitle>
-        <EuiSpacer />
-        <EuiText>
-          <p>
-            <FormattedMessage
-              id="xpack.endpoint.application.endpoint.alertDetails.overview.summary"
-              defaultMessage="MalwareScore detected the opening of a document on {hostname} on {date}"
-              values={{
-                hostname: alertDetailsData.host.hostname,
-                date: <FormattedDate timestamp={alertDetailsData['@timestamp']} />,
-              }}
-            />
-          </p>
-        </EuiText>
-        <EuiSpacer />
-        <EuiText>
-          Endpoint Status: <EuiHealth color="success">Online</EuiHealth>
-        </EuiText>
-        <EuiText>Alert Status: Open</EuiText>
-        <EuiSpacer />
-      </section>
-      <EuiTabbedContent tabs={tabs} initialSelectedTab={tabs[0]} />
-    </>
-  );
-});
+    return (
+      <>
+        <section className="details-overview-summary">
+          <EuiTitle size="s">
+            <h3>
+              <FormattedMessage
+                id="xpack.endpoint.application.endpoint.alertDetails.overview.title"
+                defaultMessage="Detected Malicious File"
+              />
+            </h3>
+          </EuiTitle>
+          <EuiSpacer />
+          <EuiText>
+            <p>
+              <FormattedMessage
+                id="xpack.endpoint.application.endpoint.alertDetails.overview.summary"
+                defaultMessage="MalwareScore detected the opening of a document on {hostname} on {date}"
+                values={{
+                  hostname: alertDetailsData.host.hostname,
+                  date: <FormattedDate timestamp={alertDetailsData['@timestamp']} />,
+                }}
+              />
+            </p>
+          </EuiText>
+          <EuiSpacer />
+          <EuiText>
+            Endpoint Status: <EuiHealth color="success">Online</EuiHealth>
+          </EuiText>
+          <EuiText>Alert Status: Open</EuiText>
+          <EuiSpacer />
+        </section>
+        <EuiTabbedContent tabs={tabs} initialSelectedTab={tabs[0]} className={className} />
+      </>
+    );
+  })
+)`
+  height: 100%;
+  width: 100%;
+`;
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/resolver.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/resolver.tsx
@@ -10,12 +10,12 @@ import { Provider } from 'react-redux';
 import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public';
 import { Resolver } from '../../../../embeddables/resolver/view';
 import { EndpointPluginServices } from '../../../../plugin';
-import { LegacyEndpointEvent } from '../../../../../common/types';
+import { ResolverEvent } from '../../../../../common/types';
 import { storeFactory } from '../../../../embeddables/resolver/store';
 
 export const AlertDetailResolver = styled(
   React.memo(
-    ({ className, selectedEvent }: { className?: string; selectedEvent?: LegacyEndpointEvent }) => {
+    ({ className, selectedEvent }: { className?: string; selectedEvent?: ResolverEvent }) => {
       const context = useKibana<EndpointPluginServices>();
       const { store } = storeFactory(context);
 
@@ -33,4 +33,6 @@ export const AlertDetailResolver = styled(
   width: 100%;
   display: flex;
   flex-grow: 1;
+  // ugly demo hack until can play nice with eui
+  min-height: 1000px;
 `;
diff --git a/x-pack/plugins/endpoint/public/embeddables/resolver/models/indexed_process_tree.ts b/x-pack/plugins/endpoint/public/embeddables/resolver/models/indexed_process_tree.ts
@@ -6,15 +6,15 @@
 
 import { uniquePidForProcess, uniqueParentPidForProcess } from './process_event';
 import { IndexedProcessTree } from '../types';
-import { LegacyEndpointEvent } from '../../../../common/types';
+import { ResolverEvent } from '../../../../common/types';
 import { levelOrder as baseLevelOrder } from '../lib/tree_sequencers';
 
 /**
  * Create a new IndexedProcessTree from an array of ProcessEvents
  */
-export function factory(processes: LegacyEndpointEvent[]): IndexedProcessTree {
-  const idToChildren = new Map<number | undefined, LegacyEndpointEvent[]>();
-  const idToValue = new Map<number, LegacyEndpointEvent>();
+export function factory(processes: ResolverEvent[]): IndexedProcessTree {
+  const idToChildren = new Map<string | undefined, ResolverEvent[]>();
+  const idToValue = new Map<string, ResolverEvent>();
 
   for (const process of processes) {
     idToValue.set(uniquePidForProcess(process), process);
@@ -36,10 +36,7 @@ export function factory(processes: LegacyEndpointEvent[]): IndexedProcessTree {
 /**
  * Returns an array with any children `ProcessEvent`s of the passed in `process`
  */
-export function children(
-  tree: IndexedProcessTree,
-  process: LegacyEndpointEvent
-): LegacyEndpointEvent[] {
+export function children(tree: IndexedProcessTree, process: ResolverEvent): ResolverEvent[] {
   const id = uniquePidForProcess(process);
   const processChildren = tree.idToChildren.get(id);
   return processChildren === undefined ? [] : processChildren;
@@ -50,8 +47,8 @@ export function children(
  */
 export function parent(
   tree: IndexedProcessTree,
-  childProcess: LegacyEndpointEvent
-): LegacyEndpointEvent | undefined {
+  childProcess: ResolverEvent
+): ResolverEvent | undefined {
   const uniqueParentPid = uniqueParentPidForProcess(childProcess);
   if (uniqueParentPid === undefined) {
     return undefined;
@@ -74,7 +71,7 @@ export function root(tree: IndexedProcessTree) {
   if (size(tree) === 0) {
     return null;
   }
-  let current: LegacyEndpointEvent = tree.idToProcess.values().next().value;
+  let current: ResolverEvent = tree.idToProcess.values().next().value;
   while (parent(tree, current) !== undefined) {
     current = parent(tree, current)!;
   }

diff --git a/x-pack/plugins/endpoint/public/embeddables/resolver/models/process_event.ts b/x-pack/plugins/endpoint/public/embeddables/resolver/models/process_event.ts
@@ -4,50 +4,77 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { LegacyEndpointEvent } from '../../../../common/types';
+import { isLegacyEvent, ResolverEvent } from '../../../../common/types';
 
 /**
  * Returns true if the process's eventType is either 'processCreated' or 'processRan'.
  * Resolver will only render 'graphable' process events.
  */
-export function isGraphableProcess(passedEvent: LegacyEndpointEvent) {
+export function isGraphableProcess(passedEvent: ResolverEvent) {
   return eventType(passedEvent) === 'processCreated' || eventType(passedEvent) === 'processRan';
 }
 
 /**
  * Returns a custom event type for a process event based on the event's metadata.
  */
-export function eventType(passedEvent: LegacyEndpointEvent) {
-  const {
-    endgame: { event_type_full: type, event_subtype_full: subType },
-  } = passedEvent;
+export function eventType(passedEvent: ResolverEvent) {
+  if (isLegacyEvent(passedEvent)) {
+    const {
+      endgame: { event_type_full: type, event_subtype_full: subType },
+    } = passedEvent;
 
-  if (type === 'process_event') {
-    if (subType === 'creation_event' || subType === 'fork_event' || subType === 'exec_event') {
-      return 'processCreated';
-    } else if (subType === 'already_running') {
-      return 'processRan';
-    } else if (subType === 'termination_event') {
-      return 'processTerminated';
-    } else {
-      return 'unknownProcessEvent';
+    if (type === 'process_event') {
+      if (subType === 'creation_event' || subType === 'fork_event' || subType === 'exec_event') {
+        return 'processCreated';
+      } else if (subType === 'already_running') {
+        return 'processRan';
+      } else if (subType === 'termination_event') {
+        return 'processTerminated';
+      } else {
+        return 'unknownProcessEvent';
+      }
+    } else if (type === 'alert_event') {
+      return 'processCausedAlert';
+    }
+    return 'unknownEvent';
+  } else {
+    const {
+      event: { type, category, kind },
+    } = passedEvent;
+    if (category === 'process') {
+      if (type === 'start' || type === 'change') {
+        return 'processCreated';
+      } else if (type === 'info') {
+        return 'processRan';
+      } else if (type === 'end') {
+        return 'processTerminated';
+      } else {
+        return 'unknownProcessEvent';
+      }
+    } else if (kind === 'alert') {
+      return 'processCausedAlert';
     }
-  } else if (type === 'alert_event') {
-    return 'processCausedAlert';
   }
-  return 'unknownEvent';
 }
 
 /**
  * Returns the process event's pid
  */
-export function uniquePidForProcess(event: LegacyEndpointEvent) {
-  return event.endgame.unique_pid;
+export function uniquePidForProcess(event: ResolverEvent) {
+  if (isLegacyEvent(event)) {
+    return String(event.endgame.unique_pid);
+  } else {
+    return event.endpoint.process.entity_id;
+  }
 }
 
 /**
  * Returns the process event's parent pid
  */
-export function uniqueParentPidForProcess(event: LegacyEndpointEvent) {
-  return event.endgame.unique_ppid;
+export function uniqueParentPidForProcess(event: ResolverEvent) {
+  if (isLegacyEvent(event)) {
+    return String(event.endgame.unique_ppid);
+  } else {
+    return event.endpoint.process.parent?.entity_id;
+  }
 }