From ebf2b9877164d675ed9874d605f8c45a0bd7b3ee Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
Date: Tue, 14 Jul 2020 11:27:45 -0400
Subject: [PATCH] [SecuritySolution][Resolver] Adding siem index and guarding process ancestry (#71570) (#71638)

* Adding siem index and guarding process ancestry
* Fixing type errors
---
 .../common/endpoint/generate_data.test.ts | 16 ++++++++--------
 .../common/endpoint/generate_data.ts | 14 +++++++-------
 .../common/endpoint/models/event.ts | 4 +++-
 .../security_solution/common/endpoint/types.ts | 8 ++++----
 .../server/endpoint/routes/resolver/entity.ts | 8 +++++++-
 5 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts
index f64462f71a87b..fcea86be4ae9e 100644
--- a/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts
@@ -120,7 +120,7 @@ describe('data generator', () => {
 it('creates all events with an empty ancestry array', () => {
 for (const event of tree.allEvents) {
- expect(event.process.Ext.ancestry.length).toEqual(0);
+ expect(event.process.Ext!.ancestry!.length).toEqual(0);
 }
 });
 });
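Review bot: The added non-null assertions `Ext!.ancestry!` on the expect line make a generator regression that drops `Ext` or `ancestry` surface as a TypeError thrown while evaluating the expression, not as a failed expectation with a readable message. Asserting through the optional chain keeps the diagnostic intact: `expect(event.process.Ext?.ancestry).toHaveLength(0);`. The same pattern is repeated throughout the `@@ -188` hunk in `verifyAncestry` and the `has ancestry array defined` test; there a single `expect(event.process.Ext?.ancestry).toBeDefined();` at the top of `verifyAncestry` would justify the later `!` uses, and the origin check can read `expect(tree.origin.lifecycle[0].process.Ext?.ancestry).toHaveLength(ANCESTRY_LIMIT);`.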
@@ -188,24 +188,24 @@ describe('data generator', () => {
 };
 const verifyAncestry = (event: Event, genTree: Tree) => {
- if (event.process.Ext.ancestry!.length > 0) {
- expect(event.process.parent?.entity_id).toBe(event.process.Ext.ancestry![0]);
+ if (event.process.Ext!.ancestry!.length > 0) {
+ expect(event.process.parent?.entity_id).toBe(event.process.Ext!.ancestry![0]);
 }
- for (let i = 0; i < event.process.Ext.ancestry!.length; i++) {
- const ancestor = event.process.Ext.ancestry![i];
+ for (let i = 0; i < event.process.Ext!.ancestry!.length; i++) {
+ const ancestor = event.process.Ext!.ancestry![i];
 const parent = genTree.children.get(ancestor) || genTree.ancestry.get(ancestor);
 expect(ancestor).toBe(parent?.lifecycle[0].process.entity_id);
 // the next ancestor should be the grandparent
- if (i + 1 < event.process.Ext.ancestry!.length) {
- const grandparent = event.process.Ext.ancestry![i + 1];
+ if (i + 1 < event.process.Ext!.ancestry!.length) {
+ const grandparent = event.process.Ext!.ancestry![i + 1];
 expect(grandparent).toBe(parent?.lifecycle[0].process.parent?.entity_id);
 }
 }
 };
 it('has ancestry array defined', () => {
- expect(tree.origin.lifecycle[0].process.Ext.ancestry!.length).toBe(ANCESTRY_LIMIT);
+ expect(tree.origin.lifecycle[0].process.Ext!.ancestry!.length).toBe(ANCESTRY_LIMIT);
 for (const event of tree.allEvents) {
 verifyAncestry(event, tree);
 }
diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
index 339e5554ccb12..66e786cb02e63 100644
--- a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
@@ -823,7 +823,7 @@ export class EndpointDocGenerator {
 timestamp,
 parentEntityID: ancestor.process.entity_id,
 // add the parent to the ancestry array
- ancestry: [ancestor.process.entity_id, ...(ancestor.process.Ext.ancestry ?? [])],
+ ancestry: [ancestor.process.entity_id, ...(ancestor.process.Ext?.ancestry ?? [])],
 ancestryArrayLimit: opts.ancestryArraySize,
 parentPid: ancestor.process.pid,
 pid: this.randomN(5000),
@@ -840,7 +840,7 @@ export class EndpointDocGenerator {
 parentEntityID: ancestor.process.parent?.entity_id,
 eventCategory: 'process',
 eventType: 'end',
- ancestry: ancestor.process.Ext.ancestry,
+ ancestry: ancestor.process.Ext?.ancestry,
 ancestryArrayLimit: opts.ancestryArraySize,
 })
 );
@@ -864,7 +864,7 @@ export class EndpointDocGenerator {
 timestamp,
 ancestor.process.entity_id,
 ancestor.process.parent?.entity_id,
- ancestor.process.Ext.ancestry
+ ancestor.process.Ext?.ancestry
 )
 );
 return events;
@@ -914,7 +914,7 @@ export class EndpointDocGenerator {
 parentEntityID: currentState.event.process.entity_id,
 ancestry: [
 currentState.event.process.entity_id,
- ...(currentState.event.process.Ext.ancestry ?? []),
+ ...(currentState.event.process.Ext?.ancestry ?? []),
 ],
 ancestryArrayLimit: opts.ancestryArraySize,
 });
@@ -938,7 +938,7 @@ export class EndpointDocGenerator {
 parentEntityID: child.process.parent?.entity_id,
 eventCategory: 'process',
 eventType: 'end',
- ancestry: child.process.Ext.ancestry,
+ ancestry: child.process.Ext?.ancestry,
 ancestryArrayLimit: opts.ancestryArraySize,
 });
 }
@@ -984,7 +984,7 @@ export class EndpointDocGenerator {
 parentEntityID: node.process.parent?.entity_id,
 eventCategory: eventInfo.category,
 eventType: eventInfo.creationType,
- ancestry: node.process.Ext.ancestry,
+ ancestry: node.process.Ext?.ancestry,
 });
 }
 }
@@ -1007,7 +1007,7 @@ export class EndpointDocGenerator {
 ts,
 node.process.entity_id,
 node.process.parent?.entity_id,
- node.process.Ext.ancestry
+ node.process.Ext?.ancestry
 );
 }
 }
diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.ts
index 9b4550f52ff22..f8a6807196557 100644
--- a/x-pack/plugins/security_solution/common/endpoint/models/event.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/models/event.ts
@@ -57,7 +57,9 @@ export function ancestryArray(event: ResolverEvent): string[] | undefined {
 if (isLegacyEvent(event)) {
 return undefined;
 }
- return event.process.Ext.ancestry;
+ // this is to guard against the endpoint accidentally not sending the ancestry array
+ // otherwise the request will fail when really we should just try using the parent entity id
+ return event.process.Ext?.ancestry;
 }
 export function getAncestryAsArray(event: ResolverEvent | undefined): string[] {
diff --git a/x-pack/plugins/security_solution/common/endpoint/types.ts b/x-pack/plugins/security_solution/common/endpoint/types.ts
index b75d4b2190fe8..b477207b1c5a3 100644
--- a/x-pack/plugins/security_solution/common/endpoint/types.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/types.ts
@@ -334,13 +334,13 @@ export interface AlertEvent {
 start: number;
 thread?: ThreadFields[];
 uptime: number;
- Ext: {
+ Ext?: {
 /*
 * The array has a special format. The entity_ids towards the beginning of the array are closer ancestors and the
 * values towards the end of the array are more distant ancestors (grandparents). Therefore
 * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id
 */
- ancestry: string[];
+ ancestry?: string[];
 code_signature: Array<{
 subject_name: string;
 trusted: boolean;
@@ -539,8 +539,8 @@ export interface EndpointEvent {
 * values towards the end of the array are more distant ancestors (grandparents). Therefore
 * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id
 */
- Ext: {
- ancestry: string[];
+ Ext?: {
+ ancestry?: string[];
 };
 };
 user?: {
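Review bot: The new `Ext?.ancestry` return in `ancestryArray` only handles the field being absent; the value is still taken from the indexed endpoint document and returned as `string[]` on the strength of the type alone, so a document whose `ancestry` is present but not an array (or carries non-string entries) would pass straight into `getAncestryAsArray` unchecked. A runtime shape check makes the parent-entity-id fallback described in the new comment apply to malformed data as well as missing data: `const ancestry = event.process.Ext?.ancestry;` followed by `return Array.isArray(ancestry) ? ancestry : undefined;`. Whether callers further downstream rely on every element being a string is not visible here; `getAncestryAsArray`'s body lies outside the hunk.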
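Review bot: The comment block above `ancestry?: string[];` in the `@@ -334` hunk of types.ts still documents only the ordering of the array and says nothing about the newly optional `Ext` and `ancestry`, so a reader of `AlertEvent` gets no hint that the fields may be missing or what to do when they are. One added line in that comment would carry the contract the commit relies on, e.g. `* Ext and ancestry may be absent when the endpoint did not send them; consumers should fall back to process.parent.entity_id.`. The `EndpointEvent` hunk at `@@ -539` changes the same two fields under the same comment text and needs the same note.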
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
index 69b3780ec1683..ae91201646103 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity.ts
@@ -18,6 +18,11 @@ export function handleEntities(): RequestHandler