Adding siem index and guarding process ancestry

elastic · Jul 13, 2020 · 8bfcb5f · 8bfcb5f
1 parent 1b1962f
commit 8bfcb5f
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 13 deletions.
diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
@@ -823,7 +823,7 @@ export class EndpointDocGenerator {
         timestamp,
         parentEntityID: ancestor.process.entity_id,
         // add the parent to the ancestry array
-        ancestry: [ancestor.process.entity_id, ...(ancestor.process.Ext.ancestry ?? [])],
+        ancestry: [ancestor.process.entity_id, ...(ancestor.process.Ext?.ancestry ?? [])],
         ancestryArrayLimit: opts.ancestryArraySize,
         parentPid: ancestor.process.pid,
         pid: this.randomN(5000),
@@ -840,7 +840,7 @@ export class EndpointDocGenerator {
             parentEntityID: ancestor.process.parent?.entity_id,
             eventCategory: 'process',
             eventType: 'end',
-            ancestry: ancestor.process.Ext.ancestry,
+            ancestry: ancestor.process.Ext?.ancestry,
             ancestryArrayLimit: opts.ancestryArraySize,
           })
         );
@@ -864,7 +864,7 @@ export class EndpointDocGenerator {
         timestamp,
         ancestor.process.entity_id,
         ancestor.process.parent?.entity_id,
-        ancestor.process.Ext.ancestry
+        ancestor.process.Ext?.ancestry
       )
     );
     return events;
@@ -914,7 +914,7 @@ export class EndpointDocGenerator {
         parentEntityID: currentState.event.process.entity_id,
         ancestry: [
           currentState.event.process.entity_id,
-          ...(currentState.event.process.Ext.ancestry ?? []),
+          ...(currentState.event.process.Ext?.ancestry ?? []),
         ],
         ancestryArrayLimit: opts.ancestryArraySize,
       });
@@ -938,7 +938,7 @@ export class EndpointDocGenerator {
           parentEntityID: child.process.parent?.entity_id,
           eventCategory: 'process',
           eventType: 'end',
-          ancestry: child.process.Ext.ancestry,
+          ancestry: child.process.Ext?.ancestry,
           ancestryArrayLimit: opts.ancestryArraySize,
         });
       }
@@ -984,7 +984,7 @@ export class EndpointDocGenerator {
           parentEntityID: node.process.parent?.entity_id,
           eventCategory: eventInfo.category,
           eventType: eventInfo.creationType,
-          ancestry: node.process.Ext.ancestry,
+          ancestry: node.process.Ext?.ancestry,
         });
       }
     }
@@ -1007,7 +1007,7 @@ export class EndpointDocGenerator {
         ts,
         node.process.entity_id,
         node.process.parent?.entity_id,
-        node.process.Ext.ancestry
+        node.process.Ext?.ancestry
       );
     }
   }

diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.ts
@@ -57,7 +57,9 @@ export function ancestryArray(event: ResolverEvent): string[] | undefined {
   if (isLegacyEvent(event)) {
     return undefined;
   }
-  return event.process.Ext.ancestry;
+  // this is to guard against the endpoint accidentally not sending the ancestry array
+  // otherwise the request will fail when really we should just try using the parent entity id
+  return event.process.Ext?.ancestry;
 }
 
 export function getAncestryAsArray(event: ResolverEvent | undefined): string[] {

diff --git a/x-pack/plugins/security_solution/common/endpoint/types.ts b/x-pack/plugins/security_solution/common/endpoint/types.ts
@@ -334,13 +334,13 @@ export interface AlertEvent {
     start: number;
     thread?: ThreadFields[];
     uptime: number;
-    Ext: {
+    Ext?: {
       /*
        * The array has a special format. The entity_ids towards the beginning of the array are closer ancestors and the
        * values towards the end of the array are more distant ancestors (grandparents). Therefore
        * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id
        */
-      ancestry: string[];
+      ancestry?: string[];
       code_signature: Array<{
         subject_name: string;
         trusted: boolean;
@@ -539,8 +539,8 @@ export interface EndpointEvent {
      * values towards the end of the array are more distant ancestors (grandparents). Therefore
      * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id
      */
-    Ext: {
-      ancestry: string[];
+    Ext?: {
+      ancestry?: string[];
     };
   };
   user?: {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
@@ -18,6 +18,11 @@ export function handleEntities(): RequestHandler<unknown, TypeOf<typeof validate
       query: { _id, indices },
     } = request;
 
+    const siemClient = context.securitySolution!.getAppClient();
+    const queryIndices = indices;
+    // if the alert was promoted by a rule it will exist in the signals index so search there too
+    queryIndices.push(siemClient.getSignalsIndex());
+
     /**
      * A safe type for the response based on the semantics of the query.
      * We specify _source, asking for `process.entity_id` and we only
@@ -43,7 +48,8 @@ export function handleEntities(): RequestHandler<unknown, TypeOf<typeof validate
     const queryResponse: ExpectedQueryResponse = await context.core.elasticsearch.legacy.client.callAsCurrentUser(
       'search',
       {
-        index: indices,
+        ignoreUnavailable: true,
+        index: queryIndices,
         body: {
           // only return process.entity_id
           _source: 'process.entity_id',