## Summary
This PR adds logs-cloud_defend.process as a source to load process
events in SessionView. _(note: I have plans to optimize sessionview so
it only pulls from the index that the session leader came from)._
The cloud-defend service (WIP) implements a technique to reduce process
event volume by squishing the three lifecycle **event.action**s (fork,
exec, end) into a single event. SessionView has been updated to handle
these new merged events.
Much of the information across a fork, exec and end event does not
change, so given a short window, the cloud-defend service buffers the
events, and merges the values from event.action and event.type into an
array of the values from each event.
In most cases an SSH session leader process (e.g. bash) will have two
events. One event containing `event.action: ['fork', 'exec']` (2
merged events), and one final event with `event.action: 'end'` when the
user exits the session.
The nice thing about the above is that in the majority of situations
processes are short-lived, and so most events should contain all three
actions `[fork, exec, end]`. In our tests, this has provided roughly a 50%
savings in process event volume. It should also be noted that any rules
using event.action or event.type should be unaffected by this change, as
the query languages don't care if it's comparing a single value, or an
array of values.
A minor change has also been made in the process analyzer feature to
handle the merging of event.type,
e.g. `event.type = ['start', 'end']`.
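The buffering and merging described above, as an added illustration that is not the cloud-defend service's own code: events for one `process.entity_id` arriving within a short window are collapsed into one document whose `event.action` / `event.type` become arrays, and a `matches` helper shows why a rule comparing `event.action` to a single value keeps working against either shape. The window length, the sample events and the field names other than `event.action` / `event.type` are assumptions constructed for the example.

```python
from typing import Dict, List

# Constructed sample input: raw lifecycle events for two processes as they would arrive
# before merging. Timestamps are arbitrary integer ticks.
RAW_EVENTS = [
    {"@timestamp": 1000, "process.entity_id": "p1", "process.name": "bash", "event.action": "fork", "event.type": "start"},
    {"@timestamp": 1001, "process.entity_id": "p1", "process.name": "bash", "event.action": "exec", "event.type": "start"},
    {"@timestamp": 1002, "process.entity_id": "p2", "process.name": "ls",   "event.action": "fork", "event.type": "start"},
    {"@timestamp": 1003, "process.entity_id": "p2", "process.name": "ls",   "event.action": "exec", "event.type": "start"},
    {"@timestamp": 1004, "process.entity_id": "p2", "process.name": "ls",   "event.action": "end",  "event.type": "end"},
    {"@timestamp": 9000, "process.entity_id": "p1", "process.name": "bash", "event.action": "end",  "event.type": "end"},
]

WINDOW = 10  # hypothetical buffering window, in the same ticks as @timestamp


def _dedupe(values: List[str]) -> List[str]:
    """Keep first occurrence of each value, preserving order (fork+exec -> one 'start')."""
    return list(dict.fromkeys(values))


def merge_lifecycle_events(events: List[dict], window: int = WINDOW) -> List[dict]:
    """Buffer events per process; events that fall within `window` of the first buffered
    event for that process are merged into one document. A single value stays a scalar,
    several values become an array, mirroring the merged documents SessionView now reads."""
    buffers: Dict[str, List[dict]] = {}
    merged: List[dict] = []

    def flush(pid: str) -> None:
        buf = buffers.pop(pid)
        doc = dict(buf[-1])                      # latest event has the most complete fields
        doc["@timestamp"] = buf[0]["@timestamp"]  # keep the time the lifecycle began
        actions = [e["event.action"] for e in buf]
        types = _dedupe([e["event.type"] for e in buf])
        doc["event.action"] = actions[0] if len(actions) == 1 else actions
        doc["event.type"] = types[0] if len(types) == 1 else types
        merged.append(doc)

    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        pid = ev["process.entity_id"]
        buf = buffers.get(pid)
        # Window expired: emit what we have before starting a new buffer for this process.
        if buf and ev["@timestamp"] - buf[0]["@timestamp"] > window:
            flush(pid)
        buffers.setdefault(pid, []).append(ev)
        # 'end' is terminal for a process, so there is nothing more to wait for.
        if ev["event.action"] == "end":
            flush(pid)

    for pid in list(buffers):  # emit any still-open buffers (long-running processes)
        flush(pid)
    return merged


def matches(doc: dict, field: str, value: str) -> bool:
    """Match the way a query language does for a keyword field: a scalar equal to `value`
    or an array containing `value` both match, so rules on event.action are unaffected."""
    v = doc.get(field)
    return value in v if isinstance(v, list) else v == value


if __name__ == "__main__":
    docs = merge_lifecycle_events(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} raw events -> {len(docs)} merged documents")
    for d in docs:
        print(d["process.name"], d["event.action"], d["event.type"])
```

Running the sample yields three documents from six raw events: the short-lived `ls` collapses to `['fork', 'exec', 'end']` / `['start', 'end']`, while the long-running `bash` session leader produces `['fork', 'exec']` and a separate scalar `'end'`, the two-event shape the summary describes. Detection logic should treat `event.action` as multi-valued when it reads documents programmatically, since the query-language equivalence does not automatically carry over to code that does `doc["event.action"] == "exec"`.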
cc @kqualters-elastic if you know of any other places I need to update.
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
* Fetch output events in process_events_route and show output button accordingly
* Add unit tests for rendering output button
* Update process event route fetch process with output
* tty output POC
output poc stuff
oh baby, tty output search working nice.
output poc work
primitive playback mechanism added, xterm render callback improved. infinite pagination working
minor css tweaks
* stash restore
* stash restore
* refactor
* code shuffle/refactor
* cleanup/refactor
* component renamed
* search improved
* new route to get total bytes of io added. it will hide tty player button if no output, so removes the need for a feature flag
* some jest test coverage added
* basic jest test coverage added to tty_player
* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'
* removed search addon. I've committed a modified version of it
* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'
* tweaks to mock data
* tests added for tty_search_bar
* translations added for aria labels in session_view component
* mocking of window.matchMedia moved to beforeAll
* lint fix
* fixed build error
* event action name updated. lint fixes
* fix for ftr tests
* addresses Jack's comments
Co-authored-by: mitodrummer <karlgodard@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
* aggregate and count routes added for kubernetes_security plugins.
includes FTR e2e tests. some e2e tests also created for session view plugin.
* naming fixes
Co-authored-by: mitodrummer <karlgodard@elastic.co>