From 12a09b8aba83efe2f78aadd0113159abb323f129 Mon Sep 17 00:00:00 2001
From: Konrad Szwarc
Date: Wed, 15 Nov 2023 15:47:47 +0100
Subject: [PATCH] [EDR Workflows] Limit Live Query look back (#171207)
closes https://github.com/elastic/kibana/issues/169666
Add additional filtering of action results by specifying time range.
---
 .../search_strategy/osquery/actions/index.ts | 1 +
 .../search_strategy/osquery/results/index.ts | 1 +
 .../action_results/action_results_summary.tsx | 5 +++-
 .../action_results/use_action_results.ts | 3 +++
 .../public/live_queries/form/index.tsx | 2 ++
 .../osquery/public/results/results_table.tsx | 2 ++
 .../osquery/public/results/use_all_results.ts | 3 +++
 .../public/routes/saved_queries/edit/tabs.tsx | 1 +
 .../results/query.action_results.dsl.ts | 26 ++++++++++++++-----
 .../factory/results/query.all_results.dsl.ts | 21 ++++++++++++---
 .../server/search_strategy/osquery/index.ts | 1 +
 11 files changed, 54 insertions(+), 12 deletions(-)
diff --git a/x-pack/plugins/osquery/common/search_strategy/osquery/actions/index.ts b/x-pack/plugins/osquery/common/search_strategy/osquery/actions/index.ts
index 283ae46269422..7fd4ea5d31b2c 100644
--- a/x-pack/plugins/osquery/common/search_strategy/osquery/actions/index.ts
+++ b/x-pack/plugins/osquery/common/search_strategy/osquery/actions/index.ts
@@ -82,4 +82,5 @@ export interface ActionResultsStrategyResponse
 export interface ActionResultsRequestOptions extends RequestOptionsPaginated {
 actionId: string;
+ startDate?: string;
 }
diff --git a/x-pack/plugins/osquery/common/search_strategy/osquery/results/index.ts b/x-pack/plugins/osquery/common/search_strategy/osquery/results/index.ts
index d7777e389dde8..c55577fb27354 100644
--- a/x-pack/plugins/osquery/common/search_strategy/osquery/results/index.ts
+++ b/x-pack/plugins/osquery/common/search_strategy/osquery/results/index.ts
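Review bot: The new `startDate?: string` on ActionResultsRequestOptions says nothing about the format it expects or what it does, yet the value is later parsed with `moment()` and becomes the lower bound of a fixed 30-minute window in query.action_results.dsl.ts. A one-line TSDoc on the field would keep callers from passing a locale-formatted or epoch string: `/** ISO 8601 timestamp; when set, results are limited to the 30 minutes following it. */`. The same field added to ResultsRequestOptions in common/search_strategy/osquery/results/index.ts needs the same comment.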
@@ -21,5 +21,6 @@ export interface ResultsStrategyResponse extends IEsSearchResponse {
 export interface ResultsRequestOptions extends Omit {
 actionId: string;
 agentId?: string;
+ startDate?: string;
 sort: SortField[];
 }
diff --git a/x-pack/plugins/osquery/public/action_results/action_results_summary.tsx b/x-pack/plugins/osquery/public/action_results/action_results_summary.tsx
index 9bdd9bc5a4528..6b9581249a075 100644
--- a/x-pack/plugins/osquery/public/action_results/action_results_summary.tsx
+++ b/x-pack/plugins/osquery/public/action_results/action_results_summary.tsx
@@ -16,6 +16,7 @@ import { useActionResultsPrivileges } from './use_action_privileges';
 interface ActionResultsSummaryProps {
 actionId: string;
+ startDate?: string;
 expirationDate?: string;
 agentIds?: string[];
 error?: string;
@@ -32,6 +33,7 @@ const ActionResultsSummaryComponent: React.FC = ({
 expirationDate,
 agentIds,
 error,
+ startDate,
 }) => {
 const [pageIndex] = useState(0);
 const [pageSize] = useState(50);
@@ -46,6 +48,7 @@ const ActionResultsSummaryComponent: React.FC = ({
 data: { aggregations, edges },
 } = useActionResults({
 actionId,
+ startDate,
 activePage: pageIndex,
 agentIds,
 limit: pageSize,
@@ -158,7 +161,7 @@ const ActionResultsSummaryComponent: React.FC = ({
 setIsLive(() => {
 if (!agentIds?.length || expired || error) return false;
- return !!(aggregations.totalResponded !== agentIds?.length);
+ return aggregations.totalResponded !== agentIds?.length;
 });
 }, [agentIds?.length, aggregations.totalResponded, error, expired]);
diff --git a/x-pack/plugins/osquery/public/action_results/use_action_results.ts b/x-pack/plugins/osquery/public/action_results/use_action_results.ts
index ef7dbad151d20..8c20e4ed1c602 100644
--- a/x-pack/plugins/osquery/public/action_results/use_action_results.ts
+++ b/x-pack/plugins/osquery/public/action_results/use_action_results.ts
@@ -34,6 +34,7 @@ export interface ResultsArgs {
 export interface UseActionResults {
 actionId: string;
 activePage: number;
+ startDate?: string;
 agentIds?: string[];
 direction: Direction;
 limit: number;
@@ -51,6 +52,7 @@ export const useActionResults = ({
 limit,
 sortField,
 kuery,
+ startDate,
 skip = false,
 isLive = false,
 }: UseActionResults) => {
@@ -64,6 +66,7 @@ export const useActionResults = ({
 data.search.search(
 {
 actionId,
+ startDate,
 factoryQueryType: OsqueryQueries.actionResults,
 kuery,
 pagination: generateTablePaginationOptions(activePage, limit),
diff --git a/x-pack/plugins/osquery/public/live_queries/form/index.tsx b/x-pack/plugins/osquery/public/live_queries/form/index.tsx
index 9f4f225868a03..287c8b25b45b1 100644
--- a/x-pack/plugins/osquery/public/live_queries/form/index.tsx
+++ b/x-pack/plugins/osquery/public/live_queries/form/index.tsx
@@ -222,6 +222,7 @@ const LiveQueryFormComponent: React.FC = ({
 singleQueryDetails?.action_id ? ( = ({
 singleQueryDetails?.action_id,
 singleQueryDetails?.expiration,
 singleQueryDetails?.agents,
+ liveQueryDetails,
 serializedData.ecs_mapping,
 liveQueryActionId,
 ]
diff --git a/x-pack/plugins/osquery/public/results/results_table.tsx b/x-pack/plugins/osquery/public/results/results_table.tsx
index c74ca9d607dc1..48a3e7f355a18 100644
--- a/x-pack/plugins/osquery/public/results/results_table.tsx
+++ b/x-pack/plugins/osquery/public/results/results_table.tsx
@@ -92,6 +92,7 @@ const ResultsTableComponent: React.FC = ({
 data: { aggregations },
 } = useActionResults({
 actionId,
+ startDate,
 activePage: 0,
 agentIds,
 limit: 0,
@@ -140,6 +141,7 @@ const ResultsTableComponent: React.FC = ({
 const { data: allResultsData, isLoading } = useAllResults({
 actionId,
+ startDate,
 activePage: pagination.pageIndex,
 limit: pagination.pageSize,
 isLive,
diff --git a/x-pack/plugins/osquery/public/results/use_all_results.ts b/x-pack/plugins/osquery/public/results/use_all_results.ts
index 09f18cfd2d17c..8dca0d1ba4a87 100644
--- a/x-pack/plugins/osquery/public/results/use_all_results.ts
+++ b/x-pack/plugins/osquery/public/results/use_all_results.ts
@@ -33,6 +33,7 @@ export interface ResultsArgs {
 interface UseAllResults {
 actionId: string;
 activePage: number;
+ startDate?: string;
 limit: number;
 sort: Array<{ field: string; direction: Direction }>;
 kuery?: string;
@@ -43,6 +44,7 @@ interface UseAllResults {
 export const useAllResults = ({
 actionId,
 activePage,
+ startDate,
 limit,
 sort,
 kuery,
@@ -59,6 +61,7 @@ export const useAllResults = ({
 data.search.search(
 {
 actionId,
+ startDate,
 factoryQueryType: OsqueryQueries.results,
 kuery,
 pagination: generateTablePaginationOptions(activePage, limit),
diff --git a/x-pack/plugins/osquery/public/routes/saved_queries/edit/tabs.tsx b/x-pack/plugins/osquery/public/routes/saved_queries/edit/tabs.tsx
index e73dc404370cb..c55bebcd9056b 100644
--- a/x-pack/plugins/osquery/public/routes/saved_queries/edit/tabs.tsx
+++ b/x-pack/plugins/osquery/public/routes/saved_queries/edit/tabs.tsx
@@ -63,6 +63,7 @@ const ResultTabsComponent: React.FC = ({
 'data-test-subj': 'osquery-status-tab',
 content: ( {
- const actionIdQuery = `action_id: ${actionId}`;
- let filter = actionIdQuery;
+ let filter = `action_id: ${actionId}`;
 if (!isEmpty(kuery)) {
 filter = filter + ` AND ${kuery}`;
 }
- const filterQuery = getQueryFilter({ filter });
+ const timeRangeFilter =
+ startDate && !isEmpty(startDate)
+ ? [
+ {
+ range: {
+ started_at: {
+ gte: startDate,
+ lte: moment(startDate).clone().add(30, 'minutes').toISOString(),
+ },
+ },
+ },
+ ]
+ : [];
- const dslQuery = {
+ const filterQuery = [...timeRangeFilter, getQueryFilter({ filter })];
+
+ return {
 allow_no_indices: true,
 index: componentTemplateExists
 ? `${ACTION_RESPONSES_INDEX}-default*`
@@ -84,6 +98,4 @@ export const buildActionResultsQuery = ({
 ],
 },
 };
-
- return dslQuery;
 };
diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts
index 2c8d408672275..8a4bc5d110d14 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts
@@ -7,6 +7,7 @@ import type { ISearchRequestParams } from '@kbn/data-plugin/common';
 import { isEmpty } from 'lodash';
+import moment from 'moment/moment';
 import { getQueryFilter } from '../../../../utils/build_query';
 import { OSQUERY_INTEGRATION_NAME } from '../../../../../common';
 import type { ResultsRequestOptions } from '../../../../../common/search_strategy';
@@ -16,6 +17,7 @@ export const buildResultsQuery = ({
 agentId,
 kuery,
 sort,
+ startDate,
 pagination: { activePage, querySize },
 }: ResultsRequestOptions): ISearchRequestParams => {
 const actionIdQuery = `action_id: ${actionId}`;
@@ -25,9 +27,22 @@ export const buildResultsQuery = ({
 filter = filter + ` AND ${kuery}`;
 }
- const filterQuery = getQueryFilter({ filter });
+ const timeRangeFilter =
+ startDate && !isEmpty(startDate)
+ ? [
+ {
+ range: {
+ '@timestamp': {
+ gte: startDate,
+ lte: moment(startDate).clone().add(30, 'minutes').toISOString(),
+ },
+ },
+ },
+ ]
+ : [];
+ const filterQuery = [...timeRangeFilter, getQueryFilter({ filter })];
- const dslQuery = {
+ return {
 allow_no_indices: true,
 index: `logs-${OSQUERY_INTEGRATION_NAME}.result*`,
 ignore_unavailable: true,
@@ -58,6 +73,4 @@ export const buildResultsQuery = ({
 })) ?? [],
 },
 };
-
- return dslQuery;
 };
diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
index af14d84fa3637..898f53b17c552 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
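Review bot: In the `@@ -25,9 +27,22 @@` hunk of buildResultsQuery, `startDate` is used as a range bound without ever being checked as a date, although it comes straight from the client request (server/search_strategy/osquery/index.ts copies `request.startDate` through untouched) and the only guard is the empty-string test. For a value moment cannot parse, `moment(startDate)` is an invalid instance and its `toISOString()` returns `null` (moment 2.20+), so the filter becomes `{ gte: '<unparsable>', lte: null }` and the search fails at Elasticsearch instead of at the boundary; a non-ISO string also triggers moment's fall-back-to-`Date` deprecation path. Parse strictly and build the window only from a valid instant, as in the fence below, and consider rejecting the request instead of silently dropping the filter if the caller must always be bounded. Separately, `startDate &&` already excludes `''` so `!isEmpty(startDate)` is redundant, and `.clone()` on a freshly created `moment(startDate)` is a no-op. The same construction and the same hard-coded 30-minute window are repeated in buildActionResultsQuery in query.action_results.dsl.ts (on the `started_at` field); pulling the window into one shared constant keeps the two in step, and note that buildResultsQuery continues past the end of this hunk.
```typescript
  // … unchanged: kuery handling …
  // Strict ISO 8601 parse: an unparsable client value must not reach the DSL.
  const windowStart = startDate ? moment(startDate, moment.ISO_8601, true) : undefined;
  const timeRangeFilter = windowStart?.isValid()
    ? [
        {
          range: {
            '@timestamp': {
              gte: windowStart.toISOString(),
              lte: windowStart.add(30, 'minutes').toISOString(),
            },
          },
        },
      ]
    : [];
  const filterQuery = [...timeRangeFilter, getQueryFilter({ filter })];
  // … unchanged: returned search request …
```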
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
@@ -45,6 +45,7 @@ export const osquerySearchStrategyProvider = (
 ...('pagination' in request ? { pagination: request.pagination } : {}),
 ...('sort' in request ? { sort: request.sort } : {}),
 ...('actionId' in request ? { actionId: request.actionId } : {}),
+ ...('startDate' in request ? { startDate: request.startDate } : {}),
 ...('agentId' in request ? { agentId: request.agentId } : {}),
 } as StrategyRequestType;