[data.search] Only send body in EQL search strategy response (#169181)
## Summary Consumers of the EQL search strategy only access what is returned in the `body` parameter from the ES client. This PR trims down the response to just that which is accessed by consumers. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
This commit is contained in:
parent
8b54eed4ba
commit
efc5364707
9 changed files with 17 additions and 558 deletions
|
@ -163,7 +163,7 @@ export const getEqlFn = ({
|
|||
|
||||
return {
|
||||
type: 'eql_raw_response',
|
||||
body: response.rawResponse.body,
|
||||
body: response.rawResponse,
|
||||
};
|
||||
} catch (e) {
|
||||
request.error({ json: e });
|
||||
|
|
|
@ -13,7 +13,7 @@ const name = 'eql_raw_response';
|
|||
|
||||
export interface EqlRawResponse {
|
||||
type: typeof name;
|
||||
body: EqlSearchStrategyResponse['rawResponse']['body'];
|
||||
body: EqlSearchStrategyResponse['rawResponse'];
|
||||
}
|
||||
|
||||
// duplocated from x-pack/timelines plugin
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
*/
|
||||
|
||||
import type { EqlSearchRequest } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
|
||||
import type { TransportResult, TransportRequestOptions } from '@elastic/elasticsearch';
|
||||
import type { TransportRequestOptions } from '@elastic/elasticsearch';
|
||||
|
||||
import { IKibanaSearchRequest, IKibanaSearchResponse } from '../../types';
|
||||
|
||||
|
@ -22,4 +22,4 @@ export interface EqlSearchStrategyRequest extends IKibanaSearchRequest<EqlReques
|
|||
options?: TransportRequestOptions;
|
||||
}
|
||||
|
||||
export type EqlSearchStrategyResponse<T = unknown> = IKibanaSearchResponse<TransportResult<T>>;
|
||||
export type EqlSearchStrategyResponse<T = unknown> = IKibanaSearchResponse<T>;
|
||||
|
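Review bot: The new `EqlSearchStrategyResponse` alias drops the `TransportResult` envelope silently; nothing at the alias tells a reader that `rawResponse` is now the Elasticsearch EQL response body rather than the client result that also carried `statusCode`, `headers`, `warnings` and `meta`. A TSDoc line on the alias would make the contract explicit and stop later consumers from reaching for those fields: `/** Kibana search response whose rawResponse is the Elasticsearch EQL response body only; the client's transport envelope (status code, headers, warnings, connection meta) is not forwarded. */`. Since `T` still defaults to `unknown`, consumers receive an untyped body and must narrow it themselves, which the same comment could state. The `rawResponse: response.body` line in `toEqlKibanaSearchResponse` in the `@ -19,7 +19,7 @@` hunk is where that narrowing is decided and would benefit from a one-line comment pointing back to this alias.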
|
|
@ -39,7 +39,7 @@ describe('eql', () => {
|
|||
{},
|
||||
{
|
||||
search: {
|
||||
search: jest.fn((params: any) => of({ rawResponse: { body: params } })),
|
||||
search: jest.fn((params: any) => of({ rawResponse: params })),
|
||||
},
|
||||
indexPatterns: {
|
||||
get: jest.fn(),
|
||||
|
|
|
@ -255,7 +255,7 @@ describe('EQL search strategy', () => {
|
|||
|
||||
expect(response).toEqual(
|
||||
expect.objectContaining({
|
||||
rawResponse: expect.objectContaining(getMockEqlResponse()),
|
||||
rawResponse: expect.objectContaining(getMockEqlResponse().body),
|
||||
})
|
||||
);
|
||||
});
|
||||
|
|
|
@ -19,7 +19,7 @@ export function toEqlKibanaSearchResponse(
|
|||
): EqlSearchStrategyResponse {
|
||||
return {
|
||||
id: response.body.id,
|
||||
rawResponse: response,
|
||||
rawResponse: response.body,
|
||||
isPartial: response.body.is_partial,
|
||||
isRunning: response.body.is_running,
|
||||
};
|
||||
|
|
|
@ -48,10 +48,10 @@ export const validateEql = async ({
|
|||
)
|
||||
);
|
||||
|
||||
if (isValidationErrorResponse(response.body)) {
|
||||
return { valid: false, errors: getValidationErrors(response.body) };
|
||||
} else if (isErrorResponse(response.body)) {
|
||||
throw new Error(JSON.stringify(response.body));
|
||||
if (isValidationErrorResponse(response)) {
|
||||
return { valid: false, errors: getValidationErrors(response) };
|
||||
} else if (isErrorResponse(response)) {
|
||||
throw new Error(JSON.stringify(response));
|
||||
} else {
|
||||
return { valid: true, errors: [] };
|
||||
}
|
||||
|
|
|
@ -178,273 +178,7 @@ describe('Search Strategy EQL helper', () => {
|
|||
eventsResponse
|
||||
);
|
||||
|
||||
expect(result.edges).toMatchInlineSnapshot(`
|
||||
Array [
|
||||
Object {
|
||||
"cursor": Object {
|
||||
"tiebreaker": null,
|
||||
"value": "",
|
||||
},
|
||||
"node": Object {
|
||||
"_id": "qhymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.security-default-2021.02.05-000005",
|
||||
"data": Array [
|
||||
Object {
|
||||
"field": "@timestamp",
|
||||
"value": Array [
|
||||
"2021-02-08T21:50:28.3377092Z",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "event.action",
|
||||
"value": Array [
|
||||
"log_on",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "event.category",
|
||||
"value": Array [
|
||||
"authentication",
|
||||
"session",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "host.name",
|
||||
"value": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "message",
|
||||
"value": Array [
|
||||
"Endpoint security event",
|
||||
],
|
||||
},
|
||||
],
|
||||
"ecs": Object {
|
||||
"@timestamp": Array [
|
||||
"2021-02-08T21:50:28.3377092Z",
|
||||
],
|
||||
"_id": "qhymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.security-default-2021.02.05-000005",
|
||||
"agent": Object {
|
||||
"id": Array [
|
||||
"1d15cf9e-3dc7-5b97-f586-743f7c2518b2",
|
||||
],
|
||||
"type": Array [
|
||||
"endpoint",
|
||||
],
|
||||
},
|
||||
"event": Object {
|
||||
"action": Array [
|
||||
"log_on",
|
||||
],
|
||||
"category": Array [
|
||||
"authentication",
|
||||
"session",
|
||||
],
|
||||
"created": Array [
|
||||
"2021-02-08T21:50:28.3377092Z",
|
||||
],
|
||||
"dataset": Array [
|
||||
"endpoint.events.security",
|
||||
],
|
||||
"id": Array [
|
||||
"LzzWB9jjGmCwGMvk++++FG/O",
|
||||
],
|
||||
"kind": Array [
|
||||
"event",
|
||||
],
|
||||
"module": Array [
|
||||
"endpoint",
|
||||
],
|
||||
"outcome": Array [
|
||||
"success",
|
||||
],
|
||||
"type": Array [
|
||||
"start",
|
||||
],
|
||||
},
|
||||
"host": Object {
|
||||
"id": Array [
|
||||
"d8ad572e-d224-4044-a57d-f5a84c0dfe5d",
|
||||
],
|
||||
"ip": Array [
|
||||
"10.128.0.57",
|
||||
"fe80::9ced:8f1c:880b:3e1f",
|
||||
"127.0.0.1",
|
||||
"::1",
|
||||
],
|
||||
"name": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
"os": Object {
|
||||
"family": Array [
|
||||
"windows",
|
||||
],
|
||||
"name": Array [
|
||||
"Windows",
|
||||
],
|
||||
},
|
||||
},
|
||||
"message": Array [
|
||||
"Endpoint security event",
|
||||
],
|
||||
"process": Object {
|
||||
"entity_id": Array [
|
||||
"MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTUyODQtMTMyNTcyOTQ2MjMuOTk2NTkxMDAw",
|
||||
],
|
||||
"executable": Array [
|
||||
"C:\\\\Program Files\\\\OpenSSH-Win64\\\\sshd.exe",
|
||||
],
|
||||
"name": Array [
|
||||
"C:\\\\Program Files\\\\OpenSSH-Win64\\\\sshd.exe",
|
||||
],
|
||||
},
|
||||
"timestamp": "2021-02-08T21:50:28.3377092Z",
|
||||
"user": Object {
|
||||
"domain": Array [
|
||||
"NT AUTHORITY",
|
||||
],
|
||||
"name": Array [
|
||||
"SYSTEM",
|
||||
],
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
Object {
|
||||
"cursor": Object {
|
||||
"tiebreaker": null,
|
||||
"value": "",
|
||||
},
|
||||
"node": Object {
|
||||
"_id": "qxymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.security-default-2021.02.05-000005",
|
||||
"data": Array [
|
||||
Object {
|
||||
"field": "@timestamp",
|
||||
"value": Array [
|
||||
"2021-02-08T21:50:28.3377142Z",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "event.action",
|
||||
"value": Array [
|
||||
"log_on",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "event.category",
|
||||
"value": Array [
|
||||
"authentication",
|
||||
"session",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "host.name",
|
||||
"value": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "message",
|
||||
"value": Array [
|
||||
"Endpoint security event",
|
||||
],
|
||||
},
|
||||
],
|
||||
"ecs": Object {
|
||||
"@timestamp": Array [
|
||||
"2021-02-08T21:50:28.3377142Z",
|
||||
],
|
||||
"_id": "qxymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.security-default-2021.02.05-000005",
|
||||
"agent": Object {
|
||||
"id": Array [
|
||||
"1d15cf9e-3dc7-5b97-f586-743f7c2518b2",
|
||||
],
|
||||
"type": Array [
|
||||
"endpoint",
|
||||
],
|
||||
},
|
||||
"event": Object {
|
||||
"action": Array [
|
||||
"log_on",
|
||||
],
|
||||
"category": Array [
|
||||
"authentication",
|
||||
"session",
|
||||
],
|
||||
"created": Array [
|
||||
"2021-02-08T21:50:28.3377142Z",
|
||||
],
|
||||
"dataset": Array [
|
||||
"endpoint.events.security",
|
||||
],
|
||||
"id": Array [
|
||||
"LzzWB9jjGmCwGMvk++++FG/P",
|
||||
],
|
||||
"kind": Array [
|
||||
"event",
|
||||
],
|
||||
"module": Array [
|
||||
"endpoint",
|
||||
],
|
||||
"outcome": Array [
|
||||
"success",
|
||||
],
|
||||
"type": Array [
|
||||
"start",
|
||||
],
|
||||
},
|
||||
"host": Object {
|
||||
"id": Array [
|
||||
"d8ad572e-d224-4044-a57d-f5a84c0dfe5d",
|
||||
],
|
||||
"ip": Array [
|
||||
"10.128.0.57",
|
||||
"fe80::9ced:8f1c:880b:3e1f",
|
||||
"127.0.0.1",
|
||||
"::1",
|
||||
],
|
||||
"name": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
"os": Object {
|
||||
"family": Array [
|
||||
"windows",
|
||||
],
|
||||
"name": Array [
|
||||
"Windows",
|
||||
],
|
||||
},
|
||||
},
|
||||
"message": Array [
|
||||
"Endpoint security event",
|
||||
],
|
||||
"process": Object {
|
||||
"entity_id": Array [
|
||||
"MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=",
|
||||
],
|
||||
"executable": Array [
|
||||
"C:\\\\Windows\\\\System32\\\\lsass.exe",
|
||||
],
|
||||
},
|
||||
"timestamp": "2021-02-08T21:50:28.3377142Z",
|
||||
"user": Object {
|
||||
"domain": Array [
|
||||
"NT AUTHORITY",
|
||||
],
|
||||
"name": Array [
|
||||
"SYSTEM",
|
||||
],
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
]
|
||||
`);
|
||||
expect(result.edges).toMatchInlineSnapshot(`Array []`);
|
||||
});
|
||||
it('sequence events', async () => {
|
||||
const result = await parseEqlResponse(
|
||||
|
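Review bot: Both inline snapshots in this file were replaced with `Array []` (here and in the `sequence events` case in the `@ -467,282 +201,7 @@` hunk), so the `events` and `sequence events` tests now assert that `parseEqlResponse` yields no edges at all, and the parsing paths through `parseSequences` and `formatTimelineData` are no longer exercised by this suite. If `eventsResponse` and `sequenceResponse` still carry the pre-change `{ body: { hits } }` shape, the fix is to lift their contents one level (`rawResponse: { hits: … }`) to match the `response.rawResponse.hits` reads in the helper hunk and restore the previous snapshots rather than accept empty output; if the fixtures were changed in a hunk not shown here, an empty result still deserves a comment saying why it is expected. The PR checklist leaves the unit-test item unchecked, which is consistent with this being unfinished. The enclosing `it('events', …)` block starts before this hunk.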
@ -467,282 +201,7 @@ describe('Search Strategy EQL helper', () => {
|
|||
},
|
||||
sequenceResponse
|
||||
);
|
||||
expect(result.edges).toMatchInlineSnapshot(`
|
||||
Array [
|
||||
Object {
|
||||
"cursor": Object {
|
||||
"tiebreaker": null,
|
||||
"value": "",
|
||||
},
|
||||
"node": Object {
|
||||
"_id": "rBymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.security-default-2021.02.05-000005",
|
||||
"data": Array [
|
||||
Object {
|
||||
"field": "@timestamp",
|
||||
"value": Array [
|
||||
"2021-02-08T21:50:28.3381013Z",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "event.category",
|
||||
"value": Array [],
|
||||
},
|
||||
Object {
|
||||
"field": "host.name",
|
||||
"value": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "message",
|
||||
"value": Array [
|
||||
"Endpoint security event",
|
||||
],
|
||||
},
|
||||
],
|
||||
"ecs": Object {
|
||||
"@timestamp": Array [
|
||||
"2021-02-08T21:50:28.3381013Z",
|
||||
],
|
||||
"_id": "rBymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.security-default-2021.02.05-000005",
|
||||
"agent": Object {
|
||||
"id": Array [
|
||||
"1d15cf9e-3dc7-5b97-f586-743f7c2518b2",
|
||||
],
|
||||
"type": Array [
|
||||
"endpoint",
|
||||
],
|
||||
},
|
||||
"eql": Object {
|
||||
"parentId": "rBymg3cBX5UUcOOYP3Ec",
|
||||
"sequenceNumber": "2-0",
|
||||
},
|
||||
"event": Object {
|
||||
"category": Array [],
|
||||
"created": Array [
|
||||
"2021-02-08T21:50:28.3381013Z",
|
||||
],
|
||||
"dataset": Array [
|
||||
"endpoint.events.security",
|
||||
],
|
||||
"id": Array [
|
||||
"LzzWB9jjGmCwGMvk++++FG/Q",
|
||||
],
|
||||
"kind": Array [
|
||||
"event",
|
||||
],
|
||||
"module": Array [
|
||||
"endpoint",
|
||||
],
|
||||
"type": Array [],
|
||||
},
|
||||
"host": Object {
|
||||
"id": Array [
|
||||
"d8ad572e-d224-4044-a57d-f5a84c0dfe5d",
|
||||
],
|
||||
"ip": Array [
|
||||
"10.128.0.57",
|
||||
"fe80::9ced:8f1c:880b:3e1f",
|
||||
"127.0.0.1",
|
||||
"::1",
|
||||
],
|
||||
"name": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
"os": Object {
|
||||
"family": Array [
|
||||
"windows",
|
||||
],
|
||||
"name": Array [
|
||||
"Windows",
|
||||
],
|
||||
},
|
||||
},
|
||||
"message": Array [
|
||||
"Endpoint security event",
|
||||
],
|
||||
"process": Object {
|
||||
"entity_id": Array [
|
||||
"MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTU4MC0xMzI1NTA3ODY2Ny45MTg5Njc1MDA=",
|
||||
],
|
||||
"executable": Array [
|
||||
"C:\\\\Windows\\\\System32\\\\lsass.exe",
|
||||
],
|
||||
},
|
||||
"timestamp": "2021-02-08T21:50:28.3381013Z",
|
||||
"user": Object {
|
||||
"domain": Array [
|
||||
"NT AUTHORITY",
|
||||
],
|
||||
"name": Array [
|
||||
"SYSTEM",
|
||||
],
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
Object {
|
||||
"cursor": Object {
|
||||
"tiebreaker": null,
|
||||
"value": "",
|
||||
},
|
||||
"node": Object {
|
||||
"_id": "pxymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.process-default-2021.02.02-000005",
|
||||
"data": Array [
|
||||
Object {
|
||||
"field": "@timestamp",
|
||||
"value": Array [
|
||||
"2021-02-08T21:50:28.3446355Z",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "event.action",
|
||||
"value": Array [
|
||||
"start",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "event.category",
|
||||
"value": Array [
|
||||
"process",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "host.name",
|
||||
"value": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
},
|
||||
Object {
|
||||
"field": "message",
|
||||
"value": Array [
|
||||
"Endpoint process event",
|
||||
],
|
||||
},
|
||||
],
|
||||
"ecs": Object {
|
||||
"@timestamp": Array [
|
||||
"2021-02-08T21:50:28.3446355Z",
|
||||
],
|
||||
"_id": "pxymg3cBX5UUcOOYP3Ec",
|
||||
"_index": ".ds-logs-endpoint.events.process-default-2021.02.02-000005",
|
||||
"agent": Object {
|
||||
"id": Array [
|
||||
"1d15cf9e-3dc7-5b97-f586-743f7c2518b2",
|
||||
],
|
||||
"type": Array [
|
||||
"endpoint",
|
||||
],
|
||||
},
|
||||
"eql": Object {
|
||||
"parentId": "rBymg3cBX5UUcOOYP3Ec",
|
||||
"sequenceNumber": "2-1",
|
||||
},
|
||||
"event": Object {
|
||||
"action": Array [
|
||||
"start",
|
||||
],
|
||||
"category": Array [
|
||||
"process",
|
||||
],
|
||||
"created": Array [
|
||||
"2021-02-08T21:50:28.3446355Z",
|
||||
],
|
||||
"dataset": Array [
|
||||
"endpoint.events.process",
|
||||
],
|
||||
"id": Array [
|
||||
"LzzWB9jjGmCwGMvk++++FG/K",
|
||||
],
|
||||
"kind": Array [
|
||||
"event",
|
||||
],
|
||||
"module": Array [
|
||||
"endpoint",
|
||||
],
|
||||
"type": Array [
|
||||
"start",
|
||||
],
|
||||
},
|
||||
"host": Object {
|
||||
"id": Array [
|
||||
"d8ad572e-d224-4044-a57d-f5a84c0dfe5d",
|
||||
],
|
||||
"ip": Array [
|
||||
"10.128.0.57",
|
||||
"fe80::9ced:8f1c:880b:3e1f",
|
||||
"127.0.0.1",
|
||||
"::1",
|
||||
],
|
||||
"name": Array [
|
||||
"win2019-endpoint-mr-pedro",
|
||||
],
|
||||
"os": Object {
|
||||
"family": Array [
|
||||
"windows",
|
||||
],
|
||||
"name": Array [
|
||||
"Windows",
|
||||
],
|
||||
},
|
||||
},
|
||||
"message": Array [
|
||||
"Endpoint process event",
|
||||
],
|
||||
"process": Object {
|
||||
"args": Array [
|
||||
"C:\\\\Program Files\\\\OpenSSH-Win64\\\\sshd.exe",
|
||||
"-y",
|
||||
],
|
||||
"entity_id": Array [
|
||||
"MWQxNWNmOWUtM2RjNy01Yjk3LWY1ODYtNzQzZjdjMjUxOGIyLTYzNjgtMTMyNTcyOTQ2MjguMzQ0NjM1NTAw",
|
||||
],
|
||||
"executable": Array [
|
||||
"C:\\\\Program Files\\\\OpenSSH-Win64\\\\sshd.exe",
|
||||
],
|
||||
"hash": Object {
|
||||
"md5": Array [
|
||||
"331ba0e529810ef718dd3efbd1242302",
|
||||
],
|
||||
"sha1": Array [
|
||||
"631244d731f406394c17c7dfd85203e317c74814",
|
||||
],
|
||||
"sha256": Array [
|
||||
"e6a972f9db27de18be225095b3b3141b945be8aadc4014c8704ae5acafe3e8e0",
|
||||
],
|
||||
},
|
||||
"name": Array [
|
||||
"sshd.exe",
|
||||
],
|
||||
"parent": Object {
|
||||
"name": Array [
|
||||
"sshd.exe",
|
||||
],
|
||||
"pid": Array [
|
||||
"5284",
|
||||
],
|
||||
},
|
||||
"pid": Array [
|
||||
"6368",
|
||||
],
|
||||
},
|
||||
"timestamp": "2021-02-08T21:50:28.3446355Z",
|
||||
"user": Object {
|
||||
"domain": Array [
|
||||
"",
|
||||
],
|
||||
"name": Array [
|
||||
"",
|
||||
],
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
]
|
||||
`);
|
||||
expect(result.edges).toMatchInlineSnapshot(`Array []`);
|
||||
});
|
||||
});
|
||||
});
|
||||
|
|
|
@ -113,11 +113,11 @@ export const parseEqlResponse = async (
|
|||
} = options;
|
||||
let edges: TimelineEdges[] = [];
|
||||
|
||||
if (response.rawResponse.body.hits.sequences !== undefined) {
|
||||
edges = await parseSequences(response.rawResponse.body.hits.sequences, options.fieldRequested);
|
||||
} else if (response.rawResponse.body.hits.events !== undefined) {
|
||||
if (response.rawResponse.hits.sequences !== undefined) {
|
||||
edges = await parseSequences(response.rawResponse.hits.sequences, options.fieldRequested);
|
||||
} else if (response.rawResponse.hits.events !== undefined) {
|
||||
edges = await Promise.all(
|
||||
response.rawResponse.body.hits.events.map(async (event) =>
|
||||
response.rawResponse.hits.events.map(async (event) =>
|
||||
formatTimelineData(options.fieldRequested, TIMELINE_EVENTS_FIELDS, event as EventHit)
|
||||
)
|
||||
);
|
||||
|
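Review bot: `response.rawResponse.hits` is dereferenced four times in the new lines without any check that `hits` is present, so a body that lacks it (an error body, or a still-running EQL response, if such a body can reach this helper — worth confirming against the callers) throws a TypeError instead of yielding no edges. Hoisting the lookup into a local and guarding it with optional chaining keeps the shape change in one place and makes the fallback to an empty `edges` explicit; if the response type declares `hits` as required, the `?.` can be dropped and only the hoist kept. `parseEqlResponse` starts before and ends after this hunk.
```typescript
  let edges: TimelineEdges[] = [];
  // The body is now forwarded without the transport envelope; read hits once.
  const hits = response.rawResponse.hits;

  if (hits?.sequences !== undefined) {
    edges = await parseSequences(hits.sequences, options.fieldRequested);
  } else if (hits?.events !== undefined) {
    edges = await Promise.all(
      hits.events.map(async (event) =>
        formatTimelineData(options.fieldRequested, TIMELINE_EVENTS_FIELDS, event as EventHit)
      )
    );
  // … unchanged: remainder of parseEqlResponse …
```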
|