Merge/restyle nodes table

x-pack/plugins/security_solution/common/endpoint/generate_data.ts

@@ -26,6 +26,9 @@ interface EventOptions {
   eventType?: string;
   eventCategory?: string | string[];
   processName?: string;
+  pid?: number;
+  parentPid?: number;
+  extensions?: object;
 }
 
 const Windows: HostOS[] = [
@@ -446,12 +449,36 @@ export class EndpointDocGenerator {
    * @param options - Allows event field values to be specified
    */
   public generateEvent(options: EventOptions = {}): EndpointEvent {
+    const processName = options.processName ? options.processName : randomProcessName();
+    const detailRecordForEventType =
+      options.extensions ||
+      ((eventCategory) => {
+        if (eventCategory === 'registry') {
+          return { registry: { key: `HKLM/Windows/Software/${this.randomString(5)}` } };
+        }
+        if (eventCategory === 'network') {
+          return {
+            network: {
+              direction: this.randomChoice(['inbound', 'outbound']),
+              forwarded_ip: `${this.randomIP()}`,
+            },
+          };
+        }
+        if (eventCategory === 'file') {
+          return { file: { path: 'C:\\My Documents\\business\\January\\processName' } };
+        }
+        if (eventCategory === 'dns') {
+          return { dns: { question: { name: `${this.randomIP()}` } } };
+        }
+        return {};
+      })(options.eventCategory);
     return {
       '@timestamp': options.timestamp ? options.timestamp : new Date().getTime(),
       agent: { ...this.commonInfo.agent, type: 'endpoint' },
       ecs: {
         version: '1.4.0',
       },
+      ...detailRecordForEventType,
       event: {
         category: options.eventCategory ? options.eventCategory : 'process',
         kind: 'event',
@@ -460,9 +487,26 @@ export class EndpointDocGenerator {
       },
       host: this.commonInfo.host,
       process: {
+        pid: options.pid ? options.pid : this.randomN(5000),
+        executable: `C:\\${processName}`,
+        args: `"C:\\${processName}" \\${this.randomString(3)}`,
+        code_signature: {
+          status: 'trusted',
+          subject_name: 'Microsoft',
+        },
+        hash: { md5: this.seededUUIDv4() },
         entity_id: options.entityID ? options.entityID : this.randomString(10),
-        parent: options.parentEntityID ? { entity_id: options.parentEntityID } : undefined,
-        name: options.processName ? options.processName : randomProcessName(),
+        parent: options.parentEntityID
+          ? {
+              entity_id: options.parentEntityID,
+              pid: options.parentPid ? options.parentPid : this.randomN(5000),
+            }
+          : undefined,
+        name: processName,
+      },
+      user: {
+        domain: this.randomString(10),
+        name: this.randomString(10),
       },
     };
   }
@@ -633,7 +677,7 @@ export class EndpointDocGenerator {
   ): Event[] {
     const events = [];
     const startDate = new Date().getTime();
-    const root = this.generateEvent({ timestamp: startDate + 1000 });
+    const root = this.generateEvent({ timestamp: startDate + 1000, pid: this.randomN(5000) });
     events.push(root);
     let ancestor = root;
     let timestamp = root['@timestamp'] + 1000;
@@ -668,6 +712,8 @@ export class EndpointDocGenerator {
       ancestor = this.generateEvent({
         timestamp,
         parentEntityID: ancestor.process.entity_id,
+        parentPid: ancestor.process.pid,
+        pid: this.randomN(5000),
       });
       events.push(ancestor);
       timestamp = timestamp + 1000;
@@ -1072,7 +1118,7 @@ export class EndpointDocGenerator {
     return [...this.randomNGenerator(255, 6)].map((x) => x.toString(16)).join('-');
   }
 
-  private randomIP(): string {
+  public randomIP(): string {
     return [10, ...this.randomNGenerator(255, 3)].map((x) => x.toString()).join('.');
   }
 

x-pack/plugins/security_solution/common/endpoint/models/event.ts

@@ -52,3 +52,123 @@ export function parentEntityId(event: ResolverEvent): string | undefined {
   }
   return event.process.parent?.entity_id;
 }
+
+/**
+ * @param event The event to get the category for
+ */
+export function eventCategory(event: ResolverEvent): string {
+  // Returning "Process" as a catch-all here because it seems pretty general
+  let eventCategoryToReturn: string = 'Process';
+  if (isLegacyEvent(event)) {
+    const legacyFullType = event.endgame.event_type_full;
+    if (legacyFullType) {
+      return legacyFullType;
+    }
+  } else {
+    const eventCategories = event.event.category;
+    const category =
+      typeof eventCategories === 'string' ? eventCategories : eventCategories[0] || '';
+
+    if (category) {
+      eventCategoryToReturn = category;
+    }
+  }
+  return eventCategoryToReturn;
+}
+
+/**
+ * ECS event type will be things like 'creation', 'deletion', 'access', etc.
+ * see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
+ * @param event The ResolverEvent to get the ecs type for
+ */
+export function ecsEventType(event: ResolverEvent): string {
+  if (isLegacyEvent(event)) {
+    return event.endgame.event_subtype_full || '';
+  }
+  return typeof event.event.type === 'string' ? event.event.type : event.event.type.join('/');
+}
+
+/**
+ * #Descriptive Names For Related Events:
+ *
+ * The following section provides facilities for deriving **Descriptive Names** for ECS-compliant event data.
+ * There are drawbacks to trying to do this: It *will* require ongoing maintenance. It presents temptations to overarticulate.
+ * On balance, however, it seems that the benefit of giving the user some form of information they can recognize & scan outweighs the drawbacks.
+ */
+
+/**
+ * A type that annotates the basic requirements for giving the event a `descriptive name`
+ */
+type detailRecord<T> = T extends 'registry'
+  ? { path: unknown; key: unknown }
+  : T extends 'dns'
+  ? { question: { name: unknown } }
+  : T extends 'network'
+  ? { direction: unknown; forwarded_ip: unknown }
+  : T extends 'file'
+  ? { path: unknown }
+  : unknown;
+type ecsRecordWithType<T extends string> = Record<T, detailRecord<T>>;
+
+/**
+ * Verify that the `ecsCategory` exists as a key on the event record. i.e. if ecsCategory is `registry`, the event is shaped like {registry: object}
+ *
+ * @param event
+ * @param ecsCategory
+ */
+export function isRecordNamable<T extends string>(
+  event: object,
+  ecsCategory: T
+): event is ecsRecordWithType<T> {
+  // The goal here is to reach in and grab a better name for the event (if one exists) without being too obtrusive/assertive about ECS
+  return typeof (event as ecsRecordWithType<T>)[ecsCategory] === 'object';
+}
+
+/**
+ * Based on the ECS category of the event, attempt to provide a more descriptive name
+ * (e.g. the `event.registry.key` for `registry` or the `dns.question.name` for `dns`, etc.).
+ * see: https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html
+ * @param event The ResolverEvent to get the descriptive name for
+ * @returns { descriptiveName } An attempt at providing a readable name to the user
+ */
+export function descriptiveName(event: ResolverEvent): string {
+  if (isLegacyEvent(event)) {
+    return eventName(event);
+  }
+  // For the purposes of providing a descriptive name, we're taking the first entry in the `event.type`
+  const ecsCategory = eventCategory(event);
+
+  /**
+   * This list of attempts can be expanded/adjusted as the underlying model changes over time:
+   */
+
+  // Stable, per ECS 1.5: https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-category.html
+  if (ecsCategory === 'network' && isRecordNamable(event, ecsCategory)) {
+    if (event?.network?.forwarded_ip) {
+      return `${event?.network?.direction ? `${event?.network?.direction} ` : ''}${
+        event.network.forwarded_ip
+      }`;
+    }
+  }
+  if (ecsCategory === 'file' && isRecordNamable(event, ecsCategory)) {
+    if (event?.file?.path) {
+      return `${event.file.path}`;
+    }
+  }
+
+  // Extended categories (per ECS 1.5):
+  if (ecsCategory === 'registry' && isRecordNamable(event, ecsCategory)) {
+    const pathOrKey = event?.registry?.path || event?.registry?.key;
+    if (pathOrKey) {
+      return `${pathOrKey}`;
+    }
+  }
+  if (ecsCategory === 'dns' && isRecordNamable(event, ecsCategory)) {
+    if (event?.dns?.question?.name) {
+      return `${event.dns.question.name}`;
+    }
+  }
+
+  // Fall back on entityId if we can't fish a more descriptive name out.
+  return entityId(event);
+}

x-pack/plugins/security_solution/common/endpoint/types.ts

@@ -433,11 +433,26 @@ export interface EndpointEvent {
   process: {
     entity_id: string;
     name: string;
+    executable: string;
+    args: string;
+    code_signature: {
+      status: string;
+      subject_name: string;
+    };
+    pid: number;
+    hash: {
+      md5: string;
+    };
     parent?: {
       entity_id: string;
       name?: string;
+      pid: number;
     };
   };
+  user: {
+    domain: string;
+    name: string;
+  };
 }
 
 export type ResolverEvent = EndpointEvent | LegacyEndpointEvent;

x-pack/plugins/security_solution/public/endpoint_alerts/store/middleware.ts

@@ -13,14 +13,34 @@ import {
 import { AlertConstants } from '../../../common/endpoint_alerts/alert_constants';
 import { ImmutableMiddlewareFactory } from '../../common/store';
 import { cloneHttpFetchQuery } from '../../common/utils/clone_http_fetch_query';
+
 import {
   isOnAlertPage,
   apiQueryParams,
-  hasSelectedAlert,
   uiQueryParams,
+  hasSelectedAlert,
   isAlertPageTabChange,
 } from './selectors';
 
+let lastSelectedAlert: string | null = null;
+/**
+ * @returns <boolean> true once per change of `selectedAlert` in query params.
+ *
+ * As opposed to `hasSelectedAlert` which always returns true if the alert is present
+ * query params, which can cause unnecessary requests and re-renders in some cases.
+ */
+const selectedAlertHasChanged = (params: ReturnType<typeof uiQueryParams>): boolean => {
+  const { selected_alert: selectedAlert } = params;
+  if (typeof selectedAlert !== 'string') {
+    return false;
+  }
+  if (selectedAlert === lastSelectedAlert) {
+    return false;
+  }
+  lastSelectedAlert = selectedAlert;
+  return true;
+};
+
 export const alertMiddlewareFactory: ImmutableMiddlewareFactory<AlertListState> = (
   coreStart,
   depsStart
@@ -53,7 +73,7 @@ export const alertMiddlewareFactory: ImmutableMiddlewareFactory<AlertListState>
       });
       api.dispatch({ type: 'serverReturnedAlertsData', payload: listResponse });
 
-      if (hasSelectedAlert(state)) {
+      if (hasSelectedAlert(state) && selectedAlertHasChanged(uiQueryParams(state))) {
         const uiParams = uiQueryParams(state);
         const detailsResponse: AlertDetails = await coreStart.http.get(
           `/api/endpoint/alerts/${uiParams.selected_alert}`

x-pack/plugins/security_solution/public/resolver/models/process_event.ts

@@ -78,6 +78,17 @@ export function uniquePidForProcess(passedEvent: ResolverEvent): string {
   }
 }
 
+/**
+ * Returns the pid for the process on the host
+ */
+export function processPid(passedEvent: ResolverEvent): string {
+  if (event.isLegacyEvent(passedEvent)) {
+    return String(passedEvent.endgame.unique_pid);
+  } else {
+    return String(passedEvent.process.pid);
+  }
+}
+
 /**
  * Returns the process event's parent pid
  */
@@ -88,3 +99,62 @@ export function uniqueParentPidForProcess(passedEvent: ResolverEvent): string |
     return passedEvent.process.parent?.entity_id;
   }
 }
+
+/**
+ * Returns the process event's parent pid
+ */
+export function processParentPid(passedEvent: ResolverEvent): string | undefined {
+  if (event.isLegacyEvent(passedEvent)) {
+    return String(passedEvent.endgame.unique_ppid);
+  } else {
+    const ppid = passedEvent.process.parent?.pid;
+    return ppid ? String(ppid) : undefined;
+  }
+}
+
+/**
+ * Returns the process event's path on its host
+ */
+export function processPath(passedEvent: ResolverEvent): string | undefined {
+  if (event.isLegacyEvent(passedEvent)) {
+    return passedEvent.endgame.process_path;
+  } else {
+    return passedEvent.process.executable;
+  }
+}
+
+/**
+ * Returns the username for the account that ran the process
+ */
+export function userInfoForProcess(
+  passedEvent: ResolverEvent
+): { user?: string; domain?: string } | undefined {
+  return passedEvent.user;
+}
+
+/**
+ * Returns the MD5 hash for the `passedEvent` param, or undefined if it can't be located
+ * @param {ResolverEvent} passedEvent The `ResolverEvent` to get the MD5 value for
+ * @returns {string | undefined} The MD5 string for the event
+ */
+export function md5HashForProcess(passedEvent: ResolverEvent): string | undefined {
+  if (event.isLegacyEvent(passedEvent)) {
+    // There is not currently a key for this on Legacy event types
+    return undefined;
+  }
+  return passedEvent?.process?.hash?.md5;
+}
+
+/**
+ * Returns the command line path and arguments used to run the `passedEvent` if any
+ *
+ * @param {ResolverEvent} passedEvent The `ResolverEvent` to get the arguemnts value for
+ * @returns {string | undefined} The arguments (including the path) used to run the process
+ */
+export function argsForProcess(passedEvent: ResolverEvent): string | undefined {
+  if (event.isLegacyEvent(passedEvent)) {
+    // There is not currently a key for this on Legacy event types
+    return undefined;
+  }
+  return passedEvent?.process?.args;
+}