[8.6] [Session View] fix session table to include event.actions fork, exec, end (#142922)

* fix session table to include event.actions fork, exec, end * change literals property to constants * add casting to avoid type widening
2025-04-24 17:59:23 -04:00 · 2022-10-12 20:56:26 -04:00 · 2022-10-12 20:56:26 -04:00 · e1363b6714
commit e1363b6714
parent 4f3558a89c
3 changed files with 32 additions and 4 deletions
--- a/x-pack/plugins/security_solution/public/common/components/sessions_viewer/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/sessions_viewer/index.tsx
@ -7,6 +7,8 @@

 import React, { useMemo } from 'react';
 import type { Filter } from '@kbn/es-query';
+import { EVENT_ACTION } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
+import { ENTRY_SESSION_ENTITY_ID_PROPERTY, EventAction } from '@kbn/session-view-plugin/public';
 import type { SessionsComponentsProps } from './types';
 import type { ESBoolQuery } from '../../../../common/typed_json';
 import { StatefulEventsViewer } from '../events_viewer';
@ -18,7 +20,6 @@ import { SourcererScopeName } from '../../store/sourcerer/model';
 import { getDefaultControlColumn } from '../../../timelines/components/timeline/body/control_columns';
 import { useLicense } from '../../hooks/use_license';
 import { TimelineId } from '../../../../common/types/timeline';
-
 export const TEST_ID = 'security_solution:sessions_viewer:sessions_view';

 export const defaultSessionsFilter: Required<Pick<Filter, 'meta' | 'query'>> = {
@ -26,8 +27,22 @@ export const defaultSessionsFilter: Required<Pick<Filter, 'meta' | 'query'>> = {
    bool: {
      filter: [
        {
-          exists: {
-            field: 'process.entry_leader.entity_id', // to exclude any records which have no entry_leader.entity_id
+          bool: {
+            // show sessions table results by filtering events where event.action is fork, exec, or end
+            should: [
+              { term: { [EVENT_ACTION]: EventAction.exec } },
+              { term: { [EVENT_ACTION]: EventAction.fork } },
+              { term: { [EVENT_ACTION]: EventAction.end } },
+            ],
+          },
+        },
+        {
+          bool: {
+            filter: {
+              exists: {
+                field: ENTRY_SESSION_ENTITY_ID_PROPERTY, // to exclude any records which have no entry_leader.entity_id
+              },
+            },
          },
        },
      ],
@ -36,7 +51,7 @@ export const defaultSessionsFilter: Required<Pick<Filter, 'meta' | 'query'>> = {
  meta: {
    alias: null,
    disabled: false,
-    key: 'process.entry_leader.entity_id',
+    key: ENTRY_SESSION_ENTITY_ID_PROPERTY,
    negate: false,
    params: {},
    type: 'string',
--- a/x-pack/plugins/session_view/common/index.ts
+++ b/x-pack/plugins/session_view/common/index.ts
@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ENTRY_SESSION_ENTITY_ID_PROPERTY } from './constants';
+import { EventAction } from './types/process_tree';
+export { ENTRY_SESSION_ENTITY_ID_PROPERTY, EventAction };
--- a/x-pack/plugins/session_view/public/index.ts
+++ b/x-pack/plugins/session_view/public/index.ts
@ -5,9 +5,12 @@
 * 2.0.
 */

+import { ENTRY_SESSION_ENTITY_ID_PROPERTY } from '../common/constants';
+import { EventAction } from '../common/types/process_tree';
 import { SessionViewPlugin } from './plugin';

 export type { SessionViewStart } from './types';
+export { ENTRY_SESSION_ENTITY_ID_PROPERTY, EventAction };

 export function plugin() {
  return new SessionViewPlugin();