From 609a849baa255cff6311e8b1a4c210c190b54982 Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <jonathan.buttner@elastic.co>
Date: Mon, 23 Nov 2020 10:16:28 -0500
Subject: [PATCH 1/5] Refactoring entity route to return schema

---
 .../common/endpoint/types/index.ts            |   6 +-
 .../server/endpoint/routes/resolver/entity.ts | 136 +++++++++++-------
 .../apis/resolver/entity.ts                   |   8 +-
 3 files changed, 98 insertions(+), 52 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/endpoint/types/index.ts b/x-pack/plugins/security_solution/common/endpoint/types/index.ts
index e7d060b463aba..72388858c1691 100644
--- a/x-pack/plugins/security_solution/common/endpoint/types/index.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/types/index.ts
@@ -823,7 +823,11 @@ export interface SafeLegacyEndpointEvent {
 /**
  * The response body for the resolver '/entity' index API
  */
-export type ResolverEntityIndex = Array<{ entity_id: string }>;
+export type ResolverEntityIndex = Array<{
+  name: string;
+  schema: { id: string; parent: string; ancestry?: string };
+  id: string;
+}>;
 
 /**
  * Takes a @kbn/config-schema 'schema' type and returns a type that represents valid inputs.
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
index 510bb6c545558..2d90137785236 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
@@ -3,11 +3,62 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { RequestHandler } from 'kibana/server';
+import _ from 'lodash';
+import { RequestHandler, SearchResponse } from 'kibana/server';
 import { TypeOf } from '@kbn/config-schema';
+import { ApiResponse } from '@elastic/elasticsearch';
 import { validateEntities } from '../../../../common/endpoint/schema/resolver';
 import { ResolverEntityIndex } from '../../../../common/endpoint/types';
 
+interface SupportedSchema {
+  name: string;
+  constraint: { field: string; value: string };
+  schema: {
+    id: string;
+    parent: string;
+    ancestry?: string;
+  };
+}
+
+/**
+ * This structure defines the preset supported schemas for a resolver graph. We'll probably want convert this
+ * implementation to something similar to how row renderers is implemented.
+ */
+const supportedSchemas: SupportedSchema[] = [
+  {
+    name: 'endpoint',
+    constraint: {
+      field: 'agent.type',
+      value: 'endpoint',
+    },
+    schema: {
+      id: 'process.entity_id',
+      parent: 'process.parent.entity_id',
+      ancestry: 'process.Ext.ancestry',
+    },
+  },
+  {
+    name: 'winlogbeat',
+    constraint: {
+      field: 'agent.type',
+      value: 'winlogbeat',
+    },
+    schema: {
+      id: 'process.entity_id',
+      parent: 'process.parent.entity_id',
+    },
+  },
+];
+
+function getFieldAsString(doc: unknown, field: string): string | undefined {
+  const value = _.get(doc, field);
+  if (value === undefined) {
+    return undefined;
+  }
+
+  return String(value);
+}
+
 /**
  * This is used to get an 'entity_id' which is an internal-to-Resolver concept, from an `_id`, which
  * is the artificial ID generated by ES for each document.
@@ -18,61 +69,46 @@ export function handleEntities(): RequestHandler<unknown, TypeOf<typeof validate
       query: { _id, indices },
     } = request;
 
-    /**
-     * A safe type for the response based on the semantics of the query.
-     * We specify _source, asking for `process.entity_id` and we only
-     * accept documents that have it.
-     * Also, we only request 1 document.
-     */
-    interface ExpectedQueryResponse {
-      hits: {
-        hits:
-          | []
-          | [
+    const queryResponse: ApiResponse<
+      SearchResponse<unknown>
+    > = await context.core.elasticsearch.client.asCurrentUser.search({
+      ignore_unavailable: true,
+      index: indices,
+      body: {
+        // only return 1 match at most
+        size: 1,
+        query: {
+          bool: {
+            filter: [
               {
-                _source: {
-                  process?: {
-                    entity_id?: string;
-                  };
-                };
-              }
-            ];
-      };
-    }
-
-    const queryResponse: ExpectedQueryResponse = await context.core.elasticsearch.legacy.client.callAsCurrentUser(
-      'search',
-      {
-        ignoreUnavailable: true,
-        index: indices,
-        body: {
-          // only return process.entity_id
-          _source: 'process.entity_id',
-          // only return 1 match at most
-          size: 1,
-          query: {
-            bool: {
-              filter: [
-                {
-                  // only return documents with the matching _id
-                  ids: {
-                    values: _id,
-                  },
+                // only return documents with the matching _id
+                ids: {
+                  values: _id,
                 },
-              ],
-            },
+              },
+            ],
           },
         },
-      }
-    );
+      },
+    });
 
     const responseBody: ResolverEntityIndex = [];
-    for (const hit of queryResponse.hits.hits) {
-      // check that the field is defined and that is not an empty string
-      if (hit._source.process?.entity_id) {
-        responseBody.push({
-          entity_id: hit._source.process.entity_id,
-        });
+    for (const hit of queryResponse.body.hits.hits) {
+      for (const supportedSchema of supportedSchemas) {
+        const fieldValue = getFieldAsString(hit._source, supportedSchema.constraint.field);
+        const id = getFieldAsString(hit._source, supportedSchema.schema.id);
+        // check that the constraint and id fields are defined and that the id field is not an empty string
+        if (
+          fieldValue?.toLowerCase() === supportedSchema.constraint.value.toLowerCase() &&
+          id !== undefined &&
+          id !== ''
+        ) {
+          responseBody.push({
+            name: supportedSchema.name,
+            schema: supportedSchema.schema,
+            id,
+          });
+        }
       }
     }
     return response.ok({ body: responseBody });
diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts
index 7fbba4e04798d..1edde8230f8ac 100644
--- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts
+++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts
@@ -29,8 +29,14 @@ export default function ({ getService }: FtrProviderContext) {
       );
       expect(body).eql([
         {
+          name: 'endpoint',
+          schema: {
+            id: 'process.entity_id',
+            parent: 'process.parent.entity_id',
+            ancestry: 'process.Ext.ancestry',
+          },
           // this value is from the es archive
-          entity_id:
+          id:
             'MTIwNWY1NWQtODRkYS00MzkxLWIyNWQtYTNkNGJmNDBmY2E1LTc1NTItMTMyNDM1NDY1MTQuNjI0MjgxMDA=',
         },
       ]);

From 463dccd306962574f42c88027eae4327c1c00684 Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <jonathan.buttner@elastic.co>
Date: Mon, 23 Nov 2020 10:33:16 -0500
Subject: [PATCH 2/5] Refactoring frontend middleware to pick off id field from
 entity route

---
 .../mocks/no_ancestors_two_children.ts               | 12 +++++++++++-
 ...ors_two_children_in_index_called_awesome_index.ts | 12 +++++++++++-
 ...ldren_with_related_events_and_cursor_on_origin.ts | 12 +++++++++++-
 ...ors_two_children_with_related_events_on_origin.ts | 12 +++++++++++-
 .../mocks/one_node_with_paginated_related_events.ts  | 12 +++++++++++-
 .../store/middleware/resolver_tree_fetcher.ts        |  2 +-
 6 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
index 09625e5726b1d..6db37df0cba87 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
@@ -99,7 +99,17 @@ export function noAncestorsTwoChildren(): { dataAccessLayer: DataAccessLayer; me
        * Get entities matching a document.
        */
       entities(): Promise<ResolverEntityIndex> {
-        return Promise.resolve([{ entity_id: metadata.entityIDs.origin }]);
+        return Promise.resolve([
+          {
+            name: 'endpoint',
+            schema: {
+              id: 'process.entity_id',
+              parent: 'process.parent.entity_id',
+              ancestry: 'process.Ext.ancestry',
+            },
+            id: metadata.entityIDs.origin,
+          },
+        ]);
       },
     },
   };
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
index 3bbe4bcf51060..e641d753b5294 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
@@ -115,7 +115,17 @@ export function noAncestorsTwoChildenInIndexCalledAwesomeIndex(): {
       entities({ indices }): Promise<ResolverEntityIndex> {
         // Only return values if the `indices` array contains exactly `'awesome_index'`
         if (indices.length === 1 && indices[0] === 'awesome_index') {
-          return Promise.resolve([{ entity_id: metadata.entityIDs.origin }]);
+          return Promise.resolve([
+            {
+              name: 'endpoint',
+              schema: {
+                id: 'process.entity_id',
+                parent: 'process.parent.entity_id',
+                ancestry: 'process.Ext.ancestry',
+              },
+              id: metadata.entityIDs.origin,
+            },
+          ]);
         }
         return Promise.resolve([]);
       },
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts
index 7682165ac5e94..313dff190f05a 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts
@@ -140,7 +140,17 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOriginWithOneAfterCurso
        * Get entities matching a document.
        */
       async entities(): Promise<ResolverEntityIndex> {
-        return [{ entity_id: metadata.entityIDs.origin }];
+        return [
+          {
+            name: 'endpoint',
+            schema: {
+              id: 'process.entity_id',
+              parent: 'process.parent.entity_id',
+              ancestry: 'process.Ext.ancestry',
+            },
+            id: metadata.entityIDs.origin,
+          },
+        ];
       },
     },
   };
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
index 837d824db8748..591236759d15e 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
@@ -112,7 +112,17 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOrigin(): {
        * Get entities matching a document.
        */
       async entities(): Promise<ResolverEntityIndex> {
-        return [{ entity_id: metadata.entityIDs.origin }];
+        return [
+          {
+            name: 'endpoint',
+            schema: {
+              id: 'process.entity_id',
+              parent: 'process.parent.entity_id',
+              ancestry: 'process.Ext.ancestry',
+            },
+            id: metadata.entityIDs.origin,
+          },
+        ];
       },
     },
   };
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts
index 01477ff16868e..b967454b2eac3 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts
@@ -103,7 +103,17 @@ export function oneNodeWithPaginatedEvents(): {
        * Get entities matching a document.
        */
       async entities(): Promise<ResolverEntityIndex> {
-        return [{ entity_id: metadata.entityIDs.origin }];
+        return [
+          {
+            name: 'endpoint',
+            schema: {
+              id: 'process.entity_id',
+              parent: 'process.parent.entity_id',
+              ancestry: 'process.Ext.ancestry',
+            },
+            id: metadata.entityIDs.origin,
+          },
+        ];
       },
     },
   };
diff --git a/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts b/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts
index ef4ca2380ebf4..aecdd6b92a463 100644
--- a/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts
+++ b/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts
@@ -56,7 +56,7 @@ export function ResolverTreeFetcher(
           });
           return;
         }
-        const entityIDToFetch = matchingEntities[0].entity_id;
+        const entityIDToFetch = matchingEntities[0].id;
         result = await dataAccessLayer.resolverTree(
           entityIDToFetch,
           lastRequestAbortController.signal

From 898389628281c7030850bc4d5ff7c35697c9b699 Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <jonathan.buttner@elastic.co>
Date: Tue, 24 Nov 2020 12:55:40 -0500
Subject: [PATCH 3/5] Refactoring schema and adding name and comments

---
 .../common/endpoint/types/index.ts            | 35 ++++++++++++++++++-
 .../server/endpoint/routes/resolver/entity.ts | 21 +++++++----
 .../resolver/tree/queries/descendants.ts      |  8 ++---
 .../routes/resolver/tree/queries/lifecycle.ts |  8 ++---
 .../routes/resolver/tree/queries/stats.ts     |  8 ++---
 .../routes/resolver/tree/utils/fetch.test.ts  |  9 +++--
 .../routes/resolver/tree/utils/fetch.ts       | 25 +++++++------
 .../routes/resolver/tree/utils/index.ts       | 27 ++------------
 .../apis/resolver/entity.ts                   |  1 +
 .../apis/resolver/tree.ts                     | 12 ++++---
 10 files changed, 93 insertions(+), 61 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/endpoint/types/index.ts b/x-pack/plugins/security_solution/common/endpoint/types/index.ts
index 39f3ac99ac2bc..d6be83d7cbbe3 100644
--- a/x-pack/plugins/security_solution/common/endpoint/types/index.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/types/index.ts
@@ -870,12 +870,45 @@ export interface SafeLegacyEndpointEvent {
   }>;
 }
 
+/**
+ * The fields to use to identify nodes within a resolver tree.
+ */
+export interface ResolverSchema {
+  /**
+   * the ancestry field should be set to a field that contains an order array representing
+   * the ancestors of a node.
+   */
+  ancestry?: string;
+  /**
+   * id represents the field to use as the unique ID for a node.
+   */
+  id: string;
+  /**
+   * field to use for the name of the node
+   */
+  name?: string;
+  /**
+   * parent represents the field that is the edge between two nodes.
+   */
+  parent: string;
+}
+
 /**
  * The response body for the resolver '/entity' index API
  */
 export type ResolverEntityIndex = Array<{
+  /**
+   * A name for the schema that is being used (e.g. endpoint, winlogbeat, etc)
+   */
   name: string;
-  schema: { id: string; parent: string; ancestry?: string };
+  /**
+   * The schema to pass to the /tree api and other backend requests, based on the contents of the document found using
+   * the _id
+   */
+  schema: ResolverSchema;
+  /**
+   * Unique ID value for the requested document using the `_id` field passed to the /entity route
+   */
   id: string;
 }>;
 
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
index 2d90137785236..c731692e6fb89 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
@@ -8,16 +8,23 @@ import { RequestHandler, SearchResponse } from 'kibana/server';
 import { TypeOf } from '@kbn/config-schema';
 import { ApiResponse } from '@elastic/elasticsearch';
 import { validateEntities } from '../../../../common/endpoint/schema/resolver';
-import { ResolverEntityIndex } from '../../../../common/endpoint/types';
+import { ResolverEntityIndex, ResolverSchema } from '../../../../common/endpoint/types';
 
 interface SupportedSchema {
+  /**
+   * A name for the schema being used
+   */
   name: string;
+
+  /**
+   * A constraint to search for in the documented returned by Elasticsearch
+   */
   constraint: { field: string; value: string };
-  schema: {
-    id: string;
-    parent: string;
-    ancestry?: string;
-  };
+
+  /**
+   * Schema to return to the frontend so that it can be passed in to call to the /tree API
+   */
+  schema: ResolverSchema;
 }
 
 /**
@@ -35,6 +42,7 @@ const supportedSchemas: SupportedSchema[] = [
       id: 'process.entity_id',
       parent: 'process.parent.entity_id',
       ancestry: 'process.Ext.ancestry',
+      name: 'process.name',
     },
   },
   {
@@ -46,6 +54,7 @@ const supportedSchemas: SupportedSchema[] = [
     schema: {
       id: 'process.entity_id',
       parent: 'process.parent.entity_id',
+      name: 'process.name',
     },
   },
 ];
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts
index 405429cc24191..3baf3a8667529 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts
@@ -6,12 +6,12 @@
 import { SearchResponse } from 'elasticsearch';
 import { ApiResponse } from '@elastic/elasticsearch';
 import { IScopedClusterClient } from 'src/core/server';
-import { FieldsObject } from '../../../../../../common/endpoint/types';
+import { FieldsObject, ResolverSchema } from '../../../../../../common/endpoint/types';
 import { JsonObject, JsonValue } from '../../../../../../../../../src/plugins/kibana_utils/common';
-import { NodeID, Schema, Timerange, docValueFields } from '../utils/index';
+import { NodeID, Timerange, docValueFields } from '../utils/index';
 
 interface DescendantsParams {
-  schema: Schema;
+  schema: ResolverSchema;
   indexPatterns: string | string[];
   timerange: Timerange;
 }
@@ -20,7 +20,7 @@ interface DescendantsParams {
  * Builds a query for retrieving descendants of a node.
  */
 export class DescendantsQuery {
-  private readonly schema: Schema;
+  private readonly schema: ResolverSchema;
   private readonly indexPatterns: string | string[];
   private readonly timerange: Timerange;
   private readonly docValueFields: JsonValue[];
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/lifecycle.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/lifecycle.ts
index 606a4538ba88c..5253806be66ba 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/lifecycle.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/lifecycle.ts
@@ -6,12 +6,12 @@
 import { SearchResponse } from 'elasticsearch';
 import { ApiResponse } from '@elastic/elasticsearch';
 import { IScopedClusterClient } from 'src/core/server';
-import { FieldsObject } from '../../../../../../common/endpoint/types';
+import { FieldsObject, ResolverSchema } from '../../../../../../common/endpoint/types';
 import { JsonObject, JsonValue } from '../../../../../../../../../src/plugins/kibana_utils/common';
-import { NodeID, Schema, Timerange, docValueFields } from '../utils/index';
+import { NodeID, Timerange, docValueFields } from '../utils/index';
 
 interface LifecycleParams {
-  schema: Schema;
+  schema: ResolverSchema;
   indexPatterns: string | string[];
   timerange: Timerange;
 }
@@ -20,7 +20,7 @@ interface LifecycleParams {
  * Builds a query for retrieving descendants of a node.
  */
 export class LifecycleQuery {
-  private readonly schema: Schema;
+  private readonly schema: ResolverSchema;
   private readonly indexPatterns: string | string[];
   private readonly timerange: Timerange;
   private readonly docValueFields: JsonValue[];
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts
index 33dcdce8987f5..117cc3647dd0e 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts
@@ -7,8 +7,8 @@ import { SearchResponse } from 'elasticsearch';
 import { ApiResponse } from '@elastic/elasticsearch';
 import { IScopedClusterClient } from 'src/core/server';
 import { JsonObject } from '../../../../../../../../../src/plugins/kibana_utils/common';
-import { EventStats } from '../../../../../../common/endpoint/types';
-import { NodeID, Schema, Timerange } from '../utils/index';
+import { EventStats, ResolverSchema } from '../../../../../../common/endpoint/types';
+import { NodeID, Timerange } from '../utils/index';
 
 interface AggBucket {
   key: string;
@@ -26,7 +26,7 @@ interface CategoriesAgg extends AggBucket {
 }
 
 interface StatsParams {
-  schema: Schema;
+  schema: ResolverSchema;
   indexPatterns: string | string[];
   timerange: Timerange;
 }
@@ -35,7 +35,7 @@ interface StatsParams {
  * Builds a query for retrieving descendants of a node.
  */
 export class StatsQuery {
-  private readonly schema: Schema;
+  private readonly schema: ResolverSchema;
   private readonly indexPatterns: string | string[];
   private readonly timerange: Timerange;
   constructor({ schema, indexPatterns, timerange }: StatsParams) {
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.test.ts
index 8105f1125d01d..d5e0af9dea239 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.test.ts
@@ -18,14 +18,17 @@ import { DescendantsQuery } from '../queries/descendants';
 import { StatsQuery } from '../queries/stats';
 import { IScopedClusterClient } from 'src/core/server';
 import { elasticsearchServiceMock } from 'src/core/server/mocks';
-import { FieldsObject, ResolverNode } from '../../../../../../common/endpoint/types';
-import { Schema } from './index';
+import {
+  FieldsObject,
+  ResolverNode,
+  ResolverSchema,
+} from '../../../../../../common/endpoint/types';
 
 jest.mock('../queries/descendants');
 jest.mock('../queries/lifecycle');
 jest.mock('../queries/stats');
 
-function formatResponse(results: FieldsObject[], schema: Schema): ResolverNode[] {
+function formatResponse(results: FieldsObject[], schema: ResolverSchema): ResolverNode[] {
   return results.map((node) => {
     return {
       id: getIDField(node, schema) ?? '',
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.ts
index eaecad6c47970..356357082d6ee 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.ts
@@ -8,9 +8,14 @@ import {
   firstNonNullValue,
   values,
 } from '../../../../../../common/endpoint/models/ecs_safety_helpers';
-import { ECSField, ResolverNode, FieldsObject } from '../../../../../../common/endpoint/types';
+import {
+  ECSField,
+  ResolverNode,
+  FieldsObject,
+  ResolverSchema,
+} from '../../../../../../common/endpoint/types';
 import { DescendantsQuery } from '../queries/descendants';
-import { Schema, NodeID } from './index';
+import { NodeID } from './index';
 import { LifecycleQuery } from '../queries/lifecycle';
 import { StatsQuery } from '../queries/stats';
 
@@ -26,7 +31,7 @@ export interface TreeOptions {
     from: string;
     to: string;
   };
-  schema: Schema;
+  schema: ResolverSchema;
   nodes: NodeID[];
   indexPatterns: string[];
 }
@@ -98,7 +103,7 @@ export class Fetcher {
 
   private static getNextAncestorsToFind(
     results: FieldsObject[],
-    schema: Schema,
+    schema: ResolverSchema,
     levelsLeft: number
   ): NodeID[] {
     const nodesByID = results.reduce((accMap: Map<NodeID, FieldsObject>, result: FieldsObject) => {
@@ -216,7 +221,7 @@ export class Fetcher {
 export function getLeafNodes(
   results: FieldsObject[],
   nodes: Array<string | number>,
-  schema: Schema
+  schema: ResolverSchema
 ): NodeID[] {
   let largestAncestryArray = 0;
   const nodesToQueryNext: Map<number, Set<NodeID>> = new Map();
@@ -269,7 +274,7 @@ export function getLeafNodes(
  * @param obj the doc value fields retrieved from a document returned by Elasticsearch
  * @param schema the schema used for identifying connections between documents
  */
-export function getIDField(obj: FieldsObject, schema: Schema): NodeID | undefined {
+export function getIDField(obj: FieldsObject, schema: ResolverSchema): NodeID | undefined {
   const id: ECSField<NodeID> = obj[schema.id];
   return firstNonNullValue(id);
 }
@@ -281,7 +286,7 @@ export function getIDField(obj: FieldsObject, schema: Schema): NodeID | undefine
  * @param obj the doc value fields retrieved from a document returned by Elasticsearch
  * @param schema the schema used for identifying connections between documents
  */
-export function getNameField(obj: FieldsObject, schema: Schema): string | undefined {
+export function getNameField(obj: FieldsObject, schema: ResolverSchema): string | undefined {
   if (!schema.name) {
     return undefined;
   }
@@ -297,12 +302,12 @@ export function getNameField(obj: FieldsObject, schema: Schema): string | undefi
  * @param obj the doc value fields retrieved from a document returned by Elasticsearch
  * @param schema the schema used for identifying connections between documents
  */
-export function getParentField(obj: FieldsObject, schema: Schema): NodeID | undefined {
+export function getParentField(obj: FieldsObject, schema: ResolverSchema): NodeID | undefined {
   const parent: ECSField<NodeID> = obj[schema.parent];
   return firstNonNullValue(parent);
 }
 
-function getAncestryField(obj: FieldsObject, schema: Schema): NodeID[] | undefined {
+function getAncestryField(obj: FieldsObject, schema: ResolverSchema): NodeID[] | undefined {
   if (!schema.ancestry) {
     return undefined;
   }
@@ -324,7 +329,7 @@ function getAncestryField(obj: FieldsObject, schema: Schema): NodeID[] | undefin
  * @param obj the doc value fields retrieved from a document returned by Elasticsearch
  * @param schema the schema used for identifying connections between documents
  */
-export function getAncestryAsArray(obj: FieldsObject, schema: Schema): NodeID[] {
+export function getAncestryAsArray(obj: FieldsObject, schema: ResolverSchema): NodeID[] {
   const ancestry = getAncestryField(obj, schema);
   if (!ancestry || ancestry.length <= 0) {
     const parentField = getParentField(obj, schema);
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/index.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/index.ts
index 21a49e268310b..be08b4390a69c 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/index.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/index.ts
@@ -4,6 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { ResolverSchema } from '../../../../../../common/endpoint/types';
+
 /**
  * Represents a time range filter
  */
@@ -17,29 +19,6 @@ export interface Timerange {
  */
 export type NodeID = string | number;
 
-/**
- * The fields to use to identify nodes within a resolver tree.
- */
-export interface Schema {
-  /**
-   * the ancestry field should be set to a field that contains an order array representing
-   * the ancestors of a node.
-   */
-  ancestry?: string;
-  /**
-   * id represents the field to use as the unique ID for a node.
-   */
-  id: string;
-  /**
-   * field to use for the name of the node
-   */
-  name?: string;
-  /**
-   * parent represents the field that is the edge between two nodes.
-   */
-  parent: string;
-}
-
 /**
  * Returns the doc value fields filter to use in queries to limit the number of fields returned in the
  * query response.
@@ -49,7 +28,7 @@ export interface Schema {
  * @param schema is the node schema information describing how relationships are formed between nodes
  *  in the resolver graph.
  */
-export function docValueFields(schema: Schema): Array<{ field: string }> {
+export function docValueFields(schema: ResolverSchema): Array<{ field: string }> {
   const filter = [{ field: '@timestamp' }, { field: schema.id }, { field: schema.parent }];
   if (schema.ancestry) {
     filter.push({ field: schema.ancestry });
diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts
index 1edde8230f8ac..2607b934e7df2 100644
--- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts
+++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity.ts
@@ -34,6 +34,7 @@ export default function ({ getService }: FtrProviderContext) {
             id: 'process.entity_id',
             parent: 'process.parent.entity_id',
             ancestry: 'process.Ext.ancestry',
+            name: 'process.name',
           },
           // this value is from the es archive
           id:
diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts
index 646a666629ac9..7a1210c6b762f 100644
--- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts
+++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts
@@ -5,8 +5,10 @@
  */
 import expect from '@kbn/expect';
 import { getNameField } from '../../../../plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch';
-import { Schema } from '../../../../plugins/security_solution/server/endpoint/routes/resolver/tree/utils';
-import { ResolverNode } from '../../../../plugins/security_solution/common/endpoint/types';
+import {
+  ResolverNode,
+  ResolverSchema,
+} from '../../../../plugins/security_solution/common/endpoint/types';
 import {
   parentEntityIDSafeVersion,
   timestampSafeVersion,
@@ -44,18 +46,18 @@ export default function ({ getService }: FtrProviderContext) {
     ancestryArraySize: 2,
   };
 
-  const schemaWithAncestry: Schema = {
+  const schemaWithAncestry: ResolverSchema = {
     ancestry: 'process.Ext.ancestry',
     id: 'process.entity_id',
     parent: 'process.parent.entity_id',
   };
 
-  const schemaWithoutAncestry: Schema = {
+  const schemaWithoutAncestry: ResolverSchema = {
     id: 'process.entity_id',
     parent: 'process.parent.entity_id',
   };
 
-  const schemaWithName: Schema = {
+  const schemaWithName: ResolverSchema = {
     id: 'process.entity_id',
     parent: 'process.parent.entity_id',
     name: 'process.name',

From 162a659df400d2a28c7215b8407bcd4bbfdfa91e Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <jonathan.buttner@elastic.co>
Date: Tue, 24 Nov 2020 13:06:48 -0500
Subject: [PATCH 4/5] Adding name to schema mocks

---
 .../data_access_layer/mocks/no_ancestors_two_children.ts         | 1 +
 .../no_ancestors_two_children_in_index_called_awesome_index.ts   | 1 +
 ...tors_two_children_with_related_events_and_cursor_on_origin.ts | 1 +
 .../no_ancestors_two_children_with_related_events_on_origin.ts   | 1 +
 .../mocks/one_node_with_paginated_related_events.ts              | 1 +
 5 files changed, 5 insertions(+)

diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
index 6db37df0cba87..472fdc79d1f02 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
@@ -106,6 +106,7 @@ export function noAncestorsTwoChildren(): { dataAccessLayer: DataAccessLayer; me
               id: 'process.entity_id',
               parent: 'process.parent.entity_id',
               ancestry: 'process.Ext.ancestry',
+              name: 'process.name',
             },
             id: metadata.entityIDs.origin,
           },
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
index e641d753b5294..b085738d3fd2e 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
@@ -122,6 +122,7 @@ export function noAncestorsTwoChildenInIndexCalledAwesomeIndex(): {
                 id: 'process.entity_id',
                 parent: 'process.parent.entity_id',
                 ancestry: 'process.Ext.ancestry',
+                name: 'process.name',
               },
               id: metadata.entityIDs.origin,
             },
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts
index 313dff190f05a..43704db358d7e 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_and_cursor_on_origin.ts
@@ -147,6 +147,7 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOriginWithOneAfterCurso
               id: 'process.entity_id',
               parent: 'process.parent.entity_id',
               ancestry: 'process.Ext.ancestry',
+              name: 'process.name',
             },
             id: metadata.entityIDs.origin,
           },
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
index 591236759d15e..c4d538d2eed94 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
@@ -119,6 +119,7 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOrigin(): {
               id: 'process.entity_id',
               parent: 'process.parent.entity_id',
               ancestry: 'process.Ext.ancestry',
+              name: 'process.name',
             },
             id: metadata.entityIDs.origin,
           },
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts
index b967454b2eac3..7849776ed1378 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts
@@ -110,6 +110,7 @@ export function oneNodeWithPaginatedEvents(): {
               id: 'process.entity_id',
               parent: 'process.parent.entity_id',
               ancestry: 'process.Ext.ancestry',
+              name: 'process.name',
             },
             id: metadata.entityIDs.origin,
           },

From c4157a3ac65ffe8db007c7fb4e4d7984710a53eb Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <jonathan.buttner@elastic.co>
Date: Tue, 24 Nov 2020 13:39:52 -0500
Subject: [PATCH 5/5] Fixing type issue

---
 .../apis/resolver/common.ts                   | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts
index b4e98d7d4b95e..3cc833c6a2475 100644
--- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts
+++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts
@@ -6,16 +6,14 @@
 import _ from 'lodash';
 import expect from '@kbn/expect';
 import { firstNonNullValue } from '../../../../plugins/security_solution/common/endpoint/models/ecs_safety_helpers';
-import {
-  NodeID,
-  Schema,
-} from '../../../../plugins/security_solution/server/endpoint/routes/resolver/tree/utils';
+import { NodeID } from '../../../../plugins/security_solution/server/endpoint/routes/resolver/tree/utils';
 import {
   SafeResolverChildNode,
   SafeResolverLifecycleNode,
   SafeResolverEvent,
   ResolverNodeStats,
   ResolverNode,
+  ResolverSchema,
 } from '../../../../plugins/security_solution/common/endpoint/types';
 import {
   parentEntityIDSafeVersion,
@@ -41,7 +39,7 @@ const createLevels = ({
   descendantsByParent: Map<NodeID, Map<NodeID, ResolverNode>>;
   levels: Array<Map<NodeID, ResolverNode>>;
   currentNodes: Map<NodeID, ResolverNode> | undefined;
-  schema: Schema;
+  schema: ResolverSchema;
 }): Array<Map<NodeID, ResolverNode>> => {
   if (!currentNodes || currentNodes.size === 0) {
     return levels;
@@ -98,7 +96,7 @@ export interface APIResponse {
  * @param node a resolver node
  * @param schema the schema that was used to retrieve this resolver node
  */
-export const getID = (node: ResolverNode | undefined, schema: Schema): NodeID => {
+export const getID = (node: ResolverNode | undefined, schema: ResolverSchema): NodeID => {
   const id = firstNonNullValue(node?.data[schema.id]);
   if (!id) {
     throw new Error(`Unable to find id ${schema.id} in node: ${JSON.stringify(node)}`);
@@ -106,7 +104,10 @@ export const getID = (node: ResolverNode | undefined, schema: Schema): NodeID =>
   return id;
 };
 
-const getParentInternal = (node: ResolverNode | undefined, schema: Schema): NodeID | undefined => {
+const getParentInternal = (
+  node: ResolverNode | undefined,
+  schema: ResolverSchema
+): NodeID | undefined => {
   if (node) {
     return firstNonNullValue(node?.data[schema.parent]);
   }
@@ -119,7 +120,7 @@ const getParentInternal = (node: ResolverNode | undefined, schema: Schema): Node
  * @param node a resolver node
  * @param schema the schema that was used to retrieve this resolver node
  */
-export const getParent = (node: ResolverNode | undefined, schema: Schema): NodeID => {
+export const getParent = (node: ResolverNode | undefined, schema: ResolverSchema): NodeID => {
   const parent = getParentInternal(node, schema);
   if (!parent) {
     throw new Error(`Unable to find parent ${schema.parent} in node: ${JSON.stringify(node)}`);
@@ -138,7 +139,7 @@ export const getParent = (node: ResolverNode | undefined, schema: Schema): NodeI
 const createTreeFromResponse = (
   treeExpectations: TreeExpectation[],
   nodes: ResolverNode[],
-  schema: Schema
+  schema: ResolverSchema
 ) => {
   const nodesByID = new Map<NodeID, ResolverNode>();
   const nodesByParent = new Map<NodeID, Map<NodeID, ResolverNode>>();
@@ -206,7 +207,7 @@ const verifyAncestry = ({
   genTree,
 }: {
   responseTrees: APIResponse;
-  schema: Schema;
+  schema: ResolverSchema;
   genTree: Tree;
 }) => {
   const allGenNodes = new Map<string, TreeNode>([
@@ -277,7 +278,7 @@ const verifyChildren = ({
   genTree,
 }: {
   responseTrees: APIResponse;
-  schema: Schema;
+  schema: ResolverSchema;
   genTree: Tree;
 }) => {
   const allGenNodes = new Map<string, TreeNode>([
@@ -358,7 +359,7 @@ export const verifyTree = ({
 }: {
   expectations: TreeExpectation[];
   response: ResolverNode[];
-  schema: Schema;
+  schema: ResolverSchema;
   genTree: Tree;
   relatedEventsCategories?: RelatedEventInfo[];
 }) => {