Skip to content

Commit

Permalink
Revert "[8.x] [Cloud Security] Bug fix - show origin event's wit…
Browse files Browse the repository at this point in the history
…h primar…"

This reverts commit bed0eaa.
  • Loading branch information
kfirpeled authored Dec 17, 2024
1 parent bed0eaa commit b7197e3
Show file tree
Hide file tree
Showing 18 changed files with 145 additions and 483 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,7 @@ export const graphRequestSchema = schema.object({
nodesLimit: schema.maybe(schema.number()),
showUnknownTarget: schema.maybe(schema.boolean()),
query: schema.object({
originEventIds: schema.arrayOf(
schema.object({ id: schema.string(), isAlert: schema.boolean() })
),
eventIds: schema.arrayOf(schema.string()),
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -126,46 +126,21 @@ const useGraphPopovers = (
};

interface GraphInvestigationProps {
/**
* The initial state to use for the graph investigation view.
*/
initialState: {
/**
* The data view to use for the graph investigation view.
*/
dataView: DataView;

/**
* The origin events for the graph investigation view.
*/
originEventIds: Array<{
/**
* The ID of the origin event.
*/
id: string;

/**
* A flag indicating whether the origin event is an alert or not.
*/
isAlert: boolean;
}>;

/**
* The initial timerange for the graph investigation view.
*/
timeRange: TimeRange;
};
dataView: DataView;
eventIds: string[];
timestamp: string | null;
}

/**
* Graph investigation view allows the user to expand nodes and view related entities.
*/
export const GraphInvestigation: React.FC<GraphInvestigationProps> = memo(
({
initialState: { dataView, originEventIds, timeRange: initialTimeRange },
}: GraphInvestigationProps) => {
({ dataView, eventIds, timestamp = new Date().toISOString() }: GraphInvestigationProps) => {
const [searchFilters, setSearchFilters] = useState<Filter[]>(() => []);
const [timeRange, setTimeRange] = useState<TimeRange>(initialTimeRange);
const [timeRange, setTimeRange] = useState<TimeRange>({
from: `${timestamp}||-30m`,
to: `${timestamp}||+30m`,
});

const {
services: { uiSettings },
Expand All @@ -178,7 +153,7 @@ export const GraphInvestigation: React.FC<GraphInvestigationProps> = memo(
[...searchFilters],
getEsQueryConfig(uiSettings as Parameters<typeof getEsQueryConfig>[0])
),
[dataView, searchFilters, uiSettings]
[searchFilters, dataView, uiSettings]
);

const { nodeExpandPopover, openPopoverCallback } = useGraphPopovers(
Expand All @@ -191,7 +166,7 @@ export const GraphInvestigation: React.FC<GraphInvestigationProps> = memo(
const { data, refresh, isFetching } = useFetchGraphData({
req: {
query: {
originEventIds,
eventIds,
esQuery: query,
start: timeRange.from,
end: timeRange.to,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ describe('useFetchGraphData', () => {
return useFetchGraphData({
req: {
query: {
originEventIds: [],
eventIds: [],
start: '2021-09-01T00:00:00.000Z',
end: '2021-09-01T23:59:59.999Z',
},
Expand All @@ -52,7 +52,7 @@ describe('useFetchGraphData', () => {
return useFetchGraphData({
req: {
query: {
originEventIds: [],
eventIds: [],
start: '2021-09-01T00:00:00.000Z',
end: '2021-09-01T23:59:59.999Z',
},
Expand All @@ -75,7 +75,7 @@ describe('useFetchGraphData', () => {
return useFetchGraphData({
req: {
query: {
originEventIds: [],
eventIds: [],
start: '2021-09-01T00:00:00.000Z',
end: '2021-09-01T23:59:59.999Z',
},
Expand All @@ -98,7 +98,7 @@ describe('useFetchGraphData', () => {
return useFetchGraphData({
req: {
query: {
originEventIds: [],
eventIds: [],
start: '2021-09-01T00:00:00.000Z',
end: '2021-09-01T23:59:59.999Z',
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -81,13 +81,13 @@ export const useFetchGraphData = ({
options,
}: UseFetchGraphDataParams): UseFetchGraphDataResult => {
const queryClient = useQueryClient();
const { esQuery, originEventIds, start, end } = req.query;
const { esQuery, eventIds, start, end } = req.query;
const {
services: { http },
} = useKibana();
const QUERY_KEY = useMemo(
() => ['useFetchGraphData', originEventIds, start, end, esQuery],
[end, esQuery, originEventIds, start]
() => ['useFetchGraphData', eventIds, start, end, esQuery],
[end, esQuery, eventIds, start]
);

const { isLoading, isError, data, isFetching } = useQuery<GraphResponse>(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ export const defineGraphRoute = (router: CspRouter) =>
const cspContext = await context.csp;

const { nodesLimit, showUnknownTarget = false } = request.body;
const { originEventIds, start, end, esQuery } = request.body.query as GraphRequest['query'];
const { eventIds, start, end, esQuery } = request.body.query as GraphRequest['query'];
const spaceId = (await cspContext.spaces?.spacesService?.getActiveSpace(request))?.id;

try {
Expand All @@ -53,7 +53,7 @@ export const defineGraphRoute = (router: CspRouter) =>
esClient: cspContext.esClient,
},
query: {
originEventIds,
eventIds,
spaceId,
start,
end,
Expand Down
53 changes: 16 additions & 37 deletions x-pack/plugins/cloud_security_posture/server/routes/graph/v1.ts
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,7 @@ interface GraphEdge {
action: string;
targetIds: string[] | string;
eventOutcome: string;
isOrigin: boolean;
isOriginAlert: boolean;
isAlert: boolean;
}

interface LabelEdges {
Expand All @@ -47,15 +46,10 @@ interface GraphContextServices {
esClient: IScopedClusterClient;
}

interface OriginEventId {
id: string;
isAlert: boolean;
}

interface GetGraphParams {
services: GraphContextServices;
query: {
originEventIds: OriginEventId[];
eventIds: string[];
spaceId?: string;
start: string | number;
end: string | number;
Expand All @@ -67,21 +61,19 @@ interface GetGraphParams {

export const getGraph = async ({
services: { esClient, logger },
query: { originEventIds, spaceId = 'default', start, end, esQuery },
query: { eventIds, spaceId = 'default', start, end, esQuery },
showUnknownTarget,
nodesLimit,
}: GetGraphParams): Promise<Pick<GraphResponse, 'nodes' | 'edges' | 'messages'>> => {
logger.trace(
`Fetching graph for [originEventIds: ${originEventIds.join(', ')}] in [spaceId: ${spaceId}]`
);
logger.trace(`Fetching graph for [eventIds: ${eventIds.join(', ')}] in [spaceId: ${spaceId}]`);

const results = await fetchGraph({
esClient,
showUnknownTarget,
logger,
start,
end,
originEventIds,
eventIds,
esQuery,
});

Expand Down Expand Up @@ -140,29 +132,23 @@ const fetchGraph = async ({
logger,
start,
end,
originEventIds,
eventIds,
showUnknownTarget,
esQuery,
}: {
esClient: IScopedClusterClient;
logger: Logger;
start: string | number;
end: string | number;
originEventIds: OriginEventId[];
eventIds: string[];
showUnknownTarget: boolean;
esQuery?: EsQuery;
}): Promise<EsqlToRecords<GraphEdge>> => {
const originAlertIds = originEventIds.filter((originEventId) => originEventId.isAlert);
const query = `from logs-*
| WHERE event.action IS NOT NULL AND actor.entity.id IS NOT NULL
| EVAL isOrigin = ${
originEventIds.length > 0
? `event.id in (${originEventIds.map((_id, idx) => `?og_id${idx}`).join(', ')})`
: 'false'
}
| EVAL isOriginAlert = isOrigin AND ${
originAlertIds.length > 0
? `event.id in (${originAlertIds.map((_id, idx) => `?og_alrt_id${idx}`).join(', ')})`
| EVAL isAlert = ${
eventIds.length > 0
? `event.id in (${eventIds.map((_id, idx) => `?al_id${idx}`).join(', ')})`
: 'false'
}
| STATS badge = COUNT(*),
Expand All @@ -173,26 +159,19 @@ const fetchGraph = async ({
action = event.action,
targetIds = target.entity.id,
eventOutcome = event.outcome,
isOrigin,
isOriginAlert
isAlert
| LIMIT 1000
| SORT isOrigin DESC`;
| SORT isAlert DESC`;

logger.trace(`Executing query [${query}]`);

const eventIds = originEventIds.map((originEventId) => originEventId.id);
return await esClient.asCurrentUser.helpers
.esql({
columnar: false,
filter: buildDslFilter(eventIds, showUnknownTarget, start, end, esQuery),
query,
// @ts-ignore - types are not up to date
params: [
...originEventIds.map((originEventId, idx) => ({ [`og_id${idx}`]: originEventId.id })),
...originEventIds
.filter((originEventId) => originEventId.isAlert)
.map((originEventId, idx) => ({ [`og_alrt_id${idx}`]: originEventId.id })),
],
params: [...eventIds.map((id, idx) => ({ [`al_id${idx}`]: id }))],
})
.toRecords<GraphEdge>();
};
Expand Down Expand Up @@ -259,7 +238,7 @@ const createNodes = (records: GraphEdge[], context: Omit<ParseContext, 'edgesMap
break;
}

const { ips, hosts, users, actorIds, action, targetIds, isOriginAlert, eventOutcome } = record;
const { ips, hosts, users, actorIds, action, targetIds, isAlert, eventOutcome } = record;
const actorIdsArray = castArray(actorIds);
const targetIdsArray = castArray(targetIds);
const unknownTargets: string[] = [];
Expand All @@ -278,7 +257,7 @@ const createNodes = (records: GraphEdge[], context: Omit<ParseContext, 'edgesMap
nodesMap[id] = {
id,
label: unknownTargets.includes(id) ? 'Unknown' : undefined,
color: isOriginAlert ? 'danger' : 'primary',
color: isAlert ? 'danger' : 'primary',
...determineEntityNodeShape(
id,
castArray(ips ?? []),
Expand All @@ -301,7 +280,7 @@ const createNodes = (records: GraphEdge[], context: Omit<ParseContext, 'edgesMap
const labelNode: LabelNodeDataModel = {
id: edgeId + `label(${action})outcome(${eventOutcome})`,
label: action,
color: isOriginAlert ? 'danger' : eventOutcome === 'failed' ? 'warning' : 'primary',
color: isAlert ? 'danger' : eventOutcome === 'failed' ? 'warning' : 'primary',
shape: 'label',
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,20 +29,12 @@ export const GraphVisualization: React.FC = memo(() => {
const dataView = useGetScopedSourcererDataView({
sourcererScope: SourcererScopeName.default,
});
const { getFieldsData, dataAsNestedObject, dataFormattedForFieldBrowser } =
useDocumentDetailsContext();
const {
eventIds,
timestamp = new Date().toISOString(),
isAlert,
} = useGraphPreview({
const { getFieldsData, dataAsNestedObject } = useDocumentDetailsContext();
const { eventIds, timestamp } = useGraphPreview({
getFieldsData,
ecsData: dataAsNestedObject,
dataFormattedForFieldBrowser,
});

const originEventIds = eventIds.map((id) => ({ id, isAlert }));

return (
<div
data-test-subj={GRAPH_VISUALIZATION_TEST_ID}
Expand All @@ -54,16 +46,7 @@ export const GraphVisualization: React.FC = memo(() => {
>
{dataView && (
<React.Suspense fallback={<EuiLoadingSpinner />}>
<GraphInvestigationLazy
initialState={{
dataView,
originEventIds,
timeRange: {
from: `${timestamp}||-30m`,
to: `${timestamp}||+30m`,
},
}}
/>
<GraphInvestigationLazy dataView={dataView} eventIds={eventIds} timestamp={timestamp} />
</React.Suspense>
)}
</div>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -88,8 +88,7 @@ const graphVisualizationButton: EuiButtonGroupOptionProps = {
* Visualize view displayed in the document details expandable flyout left section
*/
export const VisualizeTab = memo(() => {
const { scopeId, getFieldsData, dataAsNestedObject, dataFormattedForFieldBrowser } =
useDocumentDetailsContext();
const { scopeId, getFieldsData, dataAsNestedObject } = useDocumentDetailsContext();
const { openPreviewPanel } = useExpandableFlyoutApi();
const panels = useExpandableFlyoutState();
const [activeVisualizationId, setActiveVisualizationId] = useState(
Expand Down Expand Up @@ -124,7 +123,6 @@ export const VisualizeTab = memo(() => {
const { hasGraphRepresentation } = useGraphPreview({
getFieldsData,
ecsData: dataAsNestedObject,
dataFormattedForFieldBrowser,
});

const isGraphFeatureEnabled = useIsExperimentalFeatureEnabled(
Expand Down
Loading

0 comments on commit b7197e3

Please sign in to comment.