[Security Solution][Analyzer] Make all analyzer apis have time range …

…as optional (elastic#142536)
kibanamachine · Oct 4, 2022 · 890bf74 · 890bf74
1 parent f5f60b6
commit 890bf74
Show file tree

Hide file tree

Showing 15 changed files with 98 additions and 121 deletions.
diff --git a/x-pack/plugins/security_solution/common/endpoint/schema/resolver.ts b/x-pack/plugins/security_solution/common/endpoint/schema/resolver.ts
@@ -58,10 +58,12 @@ export const validateEvents = {
     afterEvent: schema.maybe(schema.string()),
   }),
   body: schema.object({
-    timeRange: schema.object({
-      from: schema.string(),
-      to: schema.string(),
-    }),
+    timeRange: schema.maybe(
+      schema.object({
+        from: schema.string(),
+        to: schema.string(),
+      })
+    ),
     indexPatterns: schema.arrayOf(schema.string()),
     filter: schema.maybe(schema.string()),
     entityType: schema.maybe(schema.string()),

diff --git a/x-pack/plugins/security_solution/cypress/e2e/detection_alerts/resolver.cy.ts b/x-pack/plugins/security_solution/cypress/e2e/detection_alerts/resolver.cy.ts
@@ -28,12 +28,12 @@ describe('Analyze events view for alerts', () => {
     waitForAlertsToPopulate();
   });
 
-  it('should render analyzer when button is clicked', () => {
+  it('should render when button is clicked', () => {
     openAnalyzerForFirstAlertInTimeline();
     cy.get(ANALYZER_NODE).first().should('be.visible');
   });
 
-  it(`should render an analyzer view and display
+  it(`should display
    a toast indicating the date range of found events when a time range has 0 events in it`, () => {
     const dateContainingZeroEvents = 'Jul 27, 2022 @ 00:00:00.000';
     setStartDate(dateContainingZeroEvents);

diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts
@@ -17,6 +17,17 @@ import type {
   ResolverSchema,
 } from '../../../common/endpoint/types';
 
+function getRangeFilter(timeRange: TimeRange | undefined) {
+  return timeRange
+    ? {
+        timeRange: {
+          from: timeRange.from,
+          to: timeRange.to,
+        },
+      }
+    : [];
+}
+
 /**
  * The data access layer for resolver. All communication with the Kibana server is done through this object. This object is provided to Resolver. In tests, a mock data access layer can be used instead.
  */
@@ -34,7 +45,7 @@ export function dataAccessLayerFactory(
       indexPatterns,
     }: {
       entityID: string;
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
     }): Promise<ResolverRelatedEvents> {
       const response: ResolverPaginatedEvents = await context.services.http.post(
@@ -43,10 +54,7 @@ export function dataAccessLayerFactory(
           query: {},
           body: JSON.stringify({
             indexPatterns,
-            timeRange: {
-              from: timeRange.from,
-              to: timeRange.to,
-            },
+            ...getRangeFilter(timeRange),
             filter: JSON.stringify({
               bool: {
                 filter: [
@@ -76,16 +84,13 @@ export function dataAccessLayerFactory(
       entityID: string;
       category: string;
       after?: string;
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
     }): Promise<ResolverPaginatedEvents> {
       const commonFields = {
         query: { afterEvent: after, limit: 25 },
         body: {
-          timeRange: {
-            from: timeRange.from,
-            to: timeRange.to,
-          },
+          ...getRangeFilter(timeRange),
           indexPatterns,
         },
       };
@@ -127,30 +132,28 @@ export function dataAccessLayerFactory(
       limit,
     }: {
       ids: string[];
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
       limit: number;
     }): Promise<SafeResolverEvent[]> {
-      const response: ResolverPaginatedEvents = await context.services.http.post(
-        '/api/endpoint/resolver/events',
-        {
-          query: { limit },
-          body: JSON.stringify({
-            timeRange: {
-              from: timeRange.from,
-              to: timeRange.to,
+      const query = {
+        query: { limit },
+        body: JSON.stringify({
+          indexPatterns,
+          ...getRangeFilter(timeRange),
+          filter: JSON.stringify({
+            bool: {
+              filter: [
+                { terms: { 'process.entity_id': ids } },
+                { term: { 'event.category': 'process' } },
+              ],
             },
-            indexPatterns,
-            filter: JSON.stringify({
-              bool: {
-                filter: [
-                  { terms: { 'process.entity_id': ids } },
-                  { term: { 'event.category': 'process' } },
-                ],
-              },
-            }),
           }),
-        }
+        }),
+      };
+      const response: ResolverPaginatedEvents = await context.services.http.post(
+        '/api/endpoint/resolver/events',
+        query
       );
       return response.events;
     },
@@ -172,7 +175,7 @@ export function dataAccessLayerFactory(
       eventTimestamp: string;
       eventID?: string | number;
       winlogRecordID: string;
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
     }): Promise<SafeResolverEvent | null> {
       /** @description - eventID isn't provided by winlog. This can be removed once runtime fields are available */
@@ -200,10 +203,7 @@ export function dataAccessLayerFactory(
             query: { limit: 1 },
             body: JSON.stringify({
               indexPatterns,
-              timeRange: {
-                from: timeRange.from,
-                to: timeRange.to,
-              },
+              ...getRangeFilter(timeRange),
               filter: JSON.stringify(filter),
             }),
           }
@@ -217,10 +217,7 @@ export function dataAccessLayerFactory(
             query: { limit: 1 },
             body: JSON.stringify({
               indexPatterns,
-              timeRange: {
-                from: timeRange.from,
-                to: timeRange.to,
-              },
+              ...getRangeFilter(timeRange),
               entityType: 'alertDetail',
               eventID,
             }),
@@ -250,7 +247,7 @@ export function dataAccessLayerFactory(
     }: {
       dataId: string;
       schema: ResolverSchema;
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indices: string[];
       ancestors: number;
       descendants: number;

diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/generator_tree.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/generator_tree.ts
@@ -63,7 +63,7 @@ export function generateTreeWithDAL(
       indexPatterns,
     }: {
       entityID: string;
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
     }): Promise<ResolverRelatedEvents> {
       const node = allNodes.get(entityID);
@@ -88,7 +88,7 @@ export function generateTreeWithDAL(
       entityID: string;
       category: string;
       after?: string;
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
     }): Promise<{ events: SafeResolverEvent[]; nextEvent: string | null }> {
       const node = allNodes.get(entityID);
@@ -119,7 +119,7 @@ export function generateTreeWithDAL(
       eventCategory: string[];
       eventTimestamp: string;
       eventID?: string | number;
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
     }): Promise<SafeResolverEvent | null> {
       return null;
@@ -135,7 +135,7 @@ export function generateTreeWithDAL(
       limit,
     }: {
       ids: string[];
-      timeRange: TimeRange;
+      timeRange?: TimeRange;
       indexPatterns: string[];
       limit: number;
     }): Promise<SafeResolverEvent[]> {

diff --git a/...ns/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts b/...ns/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
@@ -59,7 +59,7 @@ export function noAncestorsTwoChildren(): { dataAccessLayer: DataAccessLayer; me
         indexPatterns,
       }: {
         entityID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<ResolverRelatedEvents> {
         return Promise.resolve({
@@ -83,7 +83,7 @@ export function noAncestorsTwoChildren(): { dataAccessLayer: DataAccessLayer; me
         entityID: string;
         category: string;
         after?: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<{
         events: SafeResolverEvent[];
@@ -110,7 +110,7 @@ export function noAncestorsTwoChildren(): { dataAccessLayer: DataAccessLayer; me
         eventTimestamp: string;
         eventID?: string | number;
         winlogRecordID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<SafeResolverEvent | null> {
         return null;

diff --git a/...solver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts b/...solver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
@@ -64,7 +64,7 @@ export function noAncestorsTwoChildenInIndexCalledAwesomeIndex(): {
         indexPatterns,
       }: {
         entityID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<ResolverRelatedEvents> {
         return Promise.resolve({
@@ -90,7 +90,7 @@ export function noAncestorsTwoChildenInIndexCalledAwesomeIndex(): {
         entityID: string;
         category: string;
         after?: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<{
         events: SafeResolverEvent[];
@@ -121,7 +121,7 @@ export function noAncestorsTwoChildenInIndexCalledAwesomeIndex(): {
         eventTimestamp: string;
         eventID?: string | number;
         winlogRecordID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<SafeResolverEvent | null> {
         return mockEndpointEvent({

diff --git a/...solver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts b/...solver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
@@ -67,7 +67,7 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOrigin(): {
         indexPatterns,
       }: {
         entityID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<ResolverRelatedEvents> {
         /**
@@ -97,7 +97,7 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOrigin(): {
         entityID: string;
         category: string;
         after?: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<{ events: SafeResolverEvent[]; nextEvent: string | null }> {
         const events =
@@ -129,7 +129,7 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOrigin(): {
         eventTimestamp: string;
         eventID?: string | number;
         winlogRecordID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<SafeResolverEvent | null> {
         return relatedEvents.events.find((event) => eventModel.eventID(event) === eventID) ?? null;

diff --git a/...olution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts b/...olution/public/resolver/data_access_layer/mocks/one_node_with_paginated_related_events.ts
@@ -58,7 +58,7 @@ export function oneNodeWithPaginatedEvents(): {
         indexPatterns,
       }: {
         entityID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<ResolverRelatedEvents> {
         /**
@@ -86,7 +86,7 @@ export function oneNodeWithPaginatedEvents(): {
         entityID: string;
         category: string;
         after?: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<{ events: SafeResolverEvent[]; nextEvent: string | null }> {
         let events: SafeResolverEvent[] = [];
@@ -121,7 +121,7 @@ export function oneNodeWithPaginatedEvents(): {
         eventTimestamp: string;
         eventID?: string | number;
         winlogRecordID: string;
-        timeRange: TimeRange;
+        timeRange?: TimeRange;
         indexPatterns: string[];
       }): Promise<SafeResolverEvent | null> {
         return mockTree.events.find((event) => eventModel.eventID(event) === eventID) ?? null;

diff --git a/...ugins/security_solution/public/resolver/store/middleware/current_related_event_fetcher.ts b/...ugins/security_solution/public/resolver/store/middleware/current_related_event_fetcher.ts
@@ -48,8 +48,9 @@ export function CurrentRelatedEventFetcher(
       api.dispatch({
         type: 'appRequestedCurrentRelatedEventData',
       });
-      const timeRangeFilters = selectors.timeRangeFilters(state);
-
+      const detectedBounds = selectors.detectedBounds(state);
+      const timeRangeFilters =
+        detectedBounds !== undefined ? undefined : selectors.timeRangeFilters(state);
       let result: SafeResolverEvent | null = null;
       try {
         result = await dataAccessLayer.event({

diff --git a/x-pack/plugins/security_solution/public/resolver/store/middleware/node_data_fetcher.ts b/x-pack/plugins/security_solution/public/resolver/store/middleware/node_data_fetcher.ts
@@ -60,7 +60,9 @@ export function NodeDataFetcher(
 
     let results: SafeResolverEvent[] | undefined;
     try {
-      const timeRangeFilters = selectors.timeRangeFilters(state);
+      const detectedBounds = selectors.detectedBounds(state);
+      const timeRangeFilters =
+        detectedBounds !== undefined ? undefined : selectors.timeRangeFilters(state);
       results = await dataAccessLayer.nodeData({
         ids: Array.from(newIDsToRequest),
         timeRange: timeRangeFilters,

diff --git a/x-pack/plugins/security_solution/public/resolver/store/middleware/related_events_fetcher.ts b/x-pack/plugins/security_solution/public/resolver/store/middleware/related_events_fetcher.ts
@@ -30,7 +30,9 @@ export function RelatedEventsFetcher(
     const indices = selectors.eventIndices(state);
 
     const oldParams = last;
-    const timeRangeFilters = selectors.timeRangeFilters(state);
+    const detectedBounds = selectors.detectedBounds(state);
+    const timeRangeFilters =
+      detectedBounds !== undefined ? undefined : selectors.timeRangeFilters(state);
     // Update this each time before fetching data (or even if we don't fetch data) so that subsequent actions that call this (concurrently) will have up to date info.
     last = newParams;
 

diff --git a/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts b/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts
@@ -93,9 +93,9 @@ export function ResolverTreeFetcher(
             descendants: descendantsRequestAmount(),
           });
           if (unboundedTree.length > 0) {
-            const timestamps = unboundedTree.map((event) =>
-              firstNonNullValue(event.data['@timestamp'])
-            );
+            const timestamps = unboundedTree
+              .map((event) => firstNonNullValue(event.data['@timestamp']))
+              .sort();
             const oldestTimestamp = timestamps[0];
             const newestTimestamp = timestamps.slice(-1);
             api.dispatch({