[Security Solution] Fix DNS Network table query (#82778)
This commit is contained in:
parent
8ff92f2b40
commit
915f718c6e
6 changed files with 60 additions and 29 deletions
|
@ -8,13 +8,14 @@ import { PaginationInputPaginated } from '../../../graphql/types';
|
|||
|
||||
export const generateTablePaginationOptions = (
|
||||
activePage: number,
|
||||
limit: number
|
||||
limit: number,
|
||||
isBucketSort?: boolean
|
||||
): PaginationInputPaginated => {
|
||||
const cursorStart = activePage * limit;
|
||||
return {
|
||||
activePage,
|
||||
cursorStart,
|
||||
fakePossibleCount: 4 <= activePage && activePage > 0 ? limit * (activePage + 2) : limit * 5,
|
||||
querySize: limit + cursorStart,
|
||||
querySize: isBucketSort ? limit : limit + cursorStart,
|
||||
};
|
||||
};
|
||||
|
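Review bot: The new `isBucketSort` flag silently changes what `querySize` means — the page size when set, the page end offset (`limit + cursorStart`) otherwise — and neither the signature nor a comment says so, while a positional boolean also reads as a magic value at call sites. I would add a TSDoc block above the function stating that with isBucketSort the caller pages server-side (from: cursorStart, size: limit) so querySize is only the page size, and that cursorStart is still returned for that purpose. On the unchanged `fakePossibleCount` line, `4 <= activePage && activePage > 0` keeps a redundant second test, since `4 <= activePage` already implies `activePage > 0`; `4 <= activePage ? limit * (activePage + 2) : limit * 5` is the same expression.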
|
|
@ -77,7 +77,7 @@ export const useNetworkDns = ({
|
|||
factoryQueryType: NetworkQueries.dns,
|
||||
filterQuery: createFilter(filterQuery),
|
||||
isPtrIncluded,
|
||||
pagination: generateTablePaginationOptions(activePage, limit),
|
||||
pagination: generateTablePaginationOptions(activePage, limit, true),
|
||||
sort,
|
||||
timerange: {
|
||||
interval: '12h',
|
||||
|
@ -193,7 +193,7 @@ export const useNetworkDns = ({
|
|||
isPtrIncluded,
|
||||
factoryQueryType: NetworkQueries.dns,
|
||||
filterQuery: createFilter(filterQuery),
|
||||
pagination: generateTablePaginationOptions(activePage, limit),
|
||||
pagination: generateTablePaginationOptions(activePage, limit, true),
|
||||
sort,
|
||||
timerange: {
|
||||
interval: '12h',
|
||||
|
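Review bot: Both hunks pass a bare `true` as the new third argument to `generateTablePaginationOptions`, which tells a reader nothing about which mode is being selected, and the second call site repeats the first. A trailing comment on each line, `pagination: generateTablePaginationOptions(activePage, limit, true), // bucket_sort pages server-side`, or one named constant at the top of the hook reused at both sites, would make the intent visible. useNetworkDns starts and ends outside both hunks.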
|
|
@ -146,10 +146,23 @@ export const formattedSearchStrategyResponse = {
|
|||
dns_name_query_count: {
|
||||
terms: {
|
||||
field: 'dns.question.registered_domain',
|
||||
size: 10,
|
||||
order: { unique_domains: 'desc' },
|
||||
size: 1000000,
|
||||
},
|
||||
aggs: {
|
||||
bucket_sort: {
|
||||
bucket_sort: {
|
||||
sort: [
|
||||
{
|
||||
unique_domains: {
|
||||
order: 'desc',
|
||||
},
|
||||
},
|
||||
{ _key: { order: 'asc' } },
|
||||
],
|
||||
from: 0,
|
||||
size: 10,
|
||||
},
|
||||
},
|
||||
unique_domains: { cardinality: { field: 'dns.question.name' } },
|
||||
dns_bytes_in: { sum: { field: 'source.bytes' } },
|
||||
dns_bytes_out: { sum: { field: 'destination.bytes' } },
|
||||
|
@ -204,10 +217,23 @@ export const expectedDsl = {
|
|||
dns_name_query_count: {
|
||||
terms: {
|
||||
field: 'dns.question.registered_domain',
|
||||
size: 10,
|
||||
order: { unique_domains: 'desc' },
|
||||
size: 1000000,
|
||||
},
|
||||
aggs: {
|
||||
bucket_sort: {
|
||||
bucket_sort: {
|
||||
sort: [
|
||||
{
|
||||
unique_domains: {
|
||||
order: 'desc',
|
||||
},
|
||||
},
|
||||
{ _key: { order: 'asc' } },
|
||||
],
|
||||
from: 0,
|
||||
size: 10,
|
||||
},
|
||||
},
|
||||
unique_domains: { cardinality: { field: 'dns.question.name' } },
|
||||
dns_bytes_in: { sum: { field: 'source.bytes' } },
|
||||
dns_bytes_out: { sum: { field: 'destination.bytes' } },
|
||||
|
|
|
@ -33,11 +33,10 @@ export const networkDns: SecuritySolutionFactory<NetworkQueries.dns> = {
|
|||
options: NetworkDnsRequestOptions,
|
||||
response: IEsSearchResponse<unknown>
|
||||
): Promise<NetworkDnsStrategyResponse> => {
|
||||
const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination;
|
||||
const { activePage, fakePossibleCount } = options.pagination;
|
||||
const totalCount = getOr(0, 'aggregations.dns_count.value', response.rawResponse);
|
||||
const networkDnsEdges: NetworkDnsEdges[] = getDnsEdges(response);
|
||||
const edges: NetworkDnsEdges[] = getDnsEdges(response);
|
||||
const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount;
|
||||
const edges = networkDnsEdges.splice(cursorStart, querySize - cursorStart);
|
||||
const inspect = {
|
||||
dsl: [inspectStringifyObject(buildDnsQuery(options))],
|
||||
};
|
||||
|
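Review bot: `edges` is now exactly what `getDnsEdges(response)` returns, with the client-side `splice(cursorStart, querySize - cursorStart)` gone, so this function is only correct when the response came from a query built with the bucket_sort paging; nothing on the line records that dependency. A comment such as `// already paged server-side by bucket_sort in buildDnsQuery; do not slice again` on the `edges` line would keep the next maintainer from re-adding the splice. On the unchanged line below, `Math.min(fakePossibleCount, totalCount)` reads more directly than the ternary. The arrow function's body continues outside the hunk.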
|
|
@ -15,25 +15,27 @@ import {
|
|||
} from '../../../../../../common/search_strategy';
|
||||
import { createQueryFilterClauses } from '../../../../../utils/build_query';
|
||||
|
||||
const HUGE_QUERY_SIZE = 1000000;
|
||||
|
||||
type QueryOrder =
|
||||
| { _count: Direction }
|
||||
| { _key: Direction }
|
||||
| { unique_domains: Direction }
|
||||
| { dns_bytes_in: Direction }
|
||||
| { dns_bytes_out: Direction };
|
||||
| { _count: { order: Direction } }
|
||||
| { _key: { order: Direction } }
|
||||
| { unique_domains: { order: Direction } }
|
||||
| { dns_bytes_in: { order: Direction } }
|
||||
| { dns_bytes_out: { order: Direction } };
|
||||
|
||||
const getQueryOrder = (sort: SortField<NetworkDnsFields>): QueryOrder => {
|
||||
switch (sort.field) {
|
||||
case NetworkDnsFields.queryCount:
|
||||
return { _count: sort.direction };
|
||||
return { _count: { order: sort.direction } };
|
||||
case NetworkDnsFields.dnsName:
|
||||
return { _key: sort.direction };
|
||||
return { _key: { order: sort.direction } };
|
||||
case NetworkDnsFields.uniqueDomains:
|
||||
return { unique_domains: sort.direction };
|
||||
return { unique_domains: { order: sort.direction } };
|
||||
case NetworkDnsFields.dnsBytesIn:
|
||||
return { dns_bytes_in: sort.direction };
|
||||
return { dns_bytes_in: { order: sort.direction } };
|
||||
case NetworkDnsFields.dnsBytesOut:
|
||||
return { dns_bytes_out: sort.direction };
|
||||
return { dns_bytes_out: { order: sort.direction } };
|
||||
}
|
||||
assertUnreachable(sort.field);
|
||||
};
|
||||
|
@ -67,7 +69,7 @@ export const buildDnsQuery = ({
|
|||
filterQuery,
|
||||
isPtrIncluded,
|
||||
sort,
|
||||
pagination: { querySize },
|
||||
pagination: { cursorStart, querySize },
|
||||
stackByField = 'dns.question.registered_domain',
|
||||
timerange: { from, to },
|
||||
}: NetworkDnsRequestOptions) => {
|
||||
|
@ -95,12 +97,16 @@ export const buildDnsQuery = ({
|
|||
dns_name_query_count: {
|
||||
terms: {
|
||||
field: stackByField,
|
||||
size: querySize,
|
||||
order: {
|
||||
...getQueryOrder(sort),
|
||||
},
|
||||
size: HUGE_QUERY_SIZE,
|
||||
},
|
||||
aggs: {
|
||||
bucket_sort: {
|
||||
bucket_sort: {
|
||||
sort: [getQueryOrder(sort), { _key: { order: 'asc' } }],
|
||||
from: cursorStart,
|
||||
size: querySize,
|
||||
},
|
||||
},
|
||||
unique_domains: {
|
||||
cardinality: {
|
||||
field: 'dns.question.name',
|
||||
|
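Review bot: `size: HUGE_QUERY_SIZE` on the `dns_name_query_count` terms aggregation asks Elasticsearch to materialise up to a million buckets, each carrying the cardinality and two sum sub-aggregations, before `bucket_sort` trims them to one page; the number of buckets a request may build is bounded by the cluster's `search.max_buckets` setting, so a high-cardinality `stackByField` can fail the request or cost substantial memory rather than page cleanly, and the constant should carry a comment saying why it is that large, e.g. `// Terms agg must return the full candidate set so bucket_sort can page it; bounded by ES search.max_buckets`. `from: cursorStart` and `size: querySize` now flow straight from request pagination into the query, so if the request layer does not already enforce non-negative integers a bad value reaches Elasticsearch here (not verifiable from this hunk). The rendering has lost the add/remove markers, so it is unclear whether the `order: { ...getQueryOrder(sort) }` lines in the terms block survive; if they do, the new `{ field: { order } }` shape returned by getQueryOrder is spread into a terms `order` that previously took `{ field: direction }`, and the fixture lines `order: { unique_domains: 'desc' }` in the test file would no longer match the built DSL — worth confirming against the unit test. buildDnsQuery starts in the earlier hunk and its body continues outside this one.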
|
|
@ -18,8 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
|
|||
const esArchiver = getService('esArchiver');
|
||||
const supertest = getService('supertest');
|
||||
|
||||
// Failing: See https://github.com/elastic/kibana/issues/82207
|
||||
describe.skip('Network DNS', () => {
|
||||
describe('Network DNS', () => {
|
||||
describe('With packetbeat', () => {
|
||||
before(() => esArchiver.load('packetbeat/dns'));
|
||||
after(() => esArchiver.unload('packetbeat/dns'));
|
||||
|
@ -59,7 +58,7 @@ export default function ({ getService }: FtrProviderContext) {
|
|||
expect(networkDns.edges.length).to.be(10);
|
||||
expect(networkDns.totalCount).to.be(44);
|
||||
expect(networkDns.edges.map((i: NetworkDnsEdges) => i.node.dnsName).join(',')).to.be(
|
||||
'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,crowbird.com,d1oxlq5h9kq8q5.cloudfront.net'
|
||||
'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,d1oxlq5h9kq8q5.cloudfront.net,d3epxf4t8a32oh.cloudfront.net'
|
||||
);
|
||||
expect(networkDns.pageInfo.fakeTotalCount).to.equal(30);
|
||||
});
|
||||
|
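Review bot: The un-skipped test only exercises the first page — `edges.length` of 10 and the first ten names — while the change this commit makes is to page server-side via `from: cursorStart`, so the new code path for any page other than the first has no coverage here. A second assertion requesting activePage 1 and checking that its names follow the last name of page 0 under the same sort would pin the behaviour the commit is fixing; the expected-name string changed (`crowbird.com` dropped, `d3epxf4t8a32oh.cloudfront.net` added), which is consistent with the sort now being applied across the full bucket set rather than a truncated one, though that is inferred from the hunk. The describe block continues outside the hunk.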
|