[SECURITY] Introduce kibana nav

x-pack/plugins/security_solution/common/constants.ts

@@ -34,6 +34,14 @@ export const DEFAULT_INTERVAL_VALUE = 300000; // ms
 export const DEFAULT_TIMEPICKER_QUICK_RANGES = 'timepicker:quickRanges';
 export const NO_ALERT_INDEX = 'no-alert-index-049FC71A-4C2C-446F-9901-37XMC5024C51';
 
+export const APP_OVERVIEW_PATH = `${APP_PATH}/overview`;
+export const APP_ALERTS_PATH = `${APP_PATH}/alerts`;
+export const APP_HOSTS_PATH = `${APP_PATH}/hosts`;
+export const APP_NETWORK_PATH = `${APP_PATH}/network`;
+export const APP_TIMELINES_PATH = `${APP_PATH}/timelines`;
+export const APP_CASES_PATH = `${APP_PATH}/cases`;
+export const APP_MANAGEMENT_PATH = `${APP_PATH}/management`;
+
 /** The comma-delimited list of Elasticsearch indices from which the SIEM app collects events */
 export const DEFAULT_INDEX_PATTERN = [
  'apm-*-transaction*',

x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts

@@ -10,6 +10,7 @@ import {
  TreeNode,
  RelatedEventCategory,
  ECSCategory,
+ ANCESTRY_LIMIT,
 } from './generate_data';
 
 interface Node {
@@ -113,6 +114,7 @@ describe('data generator', () => {
  relatedEvents: 0,
  relatedAlerts: 0,
  });
+ tree.ancestry.delete(tree.origin.id);
  });
 
  it('creates an alert for the origin node but no other nodes', () => {
@@ -159,6 +161,30 @@ describe('data generator', () => {
  return (inRelated || inRelatedAlerts || inLifecycle) && event.process.entity_id === node.id;
  };
 
+ const verifyAncestry = (event: Event, genTree: Tree) => {
+ if (event.process.Ext.ancestry.length > 0) {
+ expect(event.process.parent?.entity_id).toBe(event.process.Ext.ancestry[0]);
+ }
+ for (let i = 0; i < event.process.Ext.ancestry.length; i++) {
+ const ancestor = event.process.Ext.ancestry[i];
+ const parent = genTree.children.get(ancestor) || genTree.ancestry.get(ancestor);
+ expect(ancestor).toBe(parent?.lifecycle[0].process.entity_id);
+
+ // the next ancestor should be the grandparent
+ if (i + 1 < event.process.Ext.ancestry.length) {
+ const grandparent = event.process.Ext.ancestry[i + 1];
+ expect(grandparent).toBe(parent?.lifecycle[0].process.parent?.entity_id);
+ }
+ }
+ };
+
+ it('has ancestry array defined', () => {
+ expect(tree.origin.lifecycle[0].process.Ext.ancestry.length).toBe(ANCESTRY_LIMIT);
+ for (const event of tree.allEvents) {
+ verifyAncestry(event, tree);
+ }
+ });
+
  it('has the right related events for each node', () => {
  const checkRelatedEvents = (node: TreeNode) => {
  expect(node.relatedEvents.length).toEqual(4);
@@ -185,8 +211,6 @@ describe('data generator', () => {
  for (const node of tree.children.values()) {
  checkRelatedEvents(node);
  }
-
- checkRelatedEvents(tree.origin);
  });
 
  it('has the right number of related alerts for each node', () => {
@@ -202,7 +226,8 @@ describe('data generator', () => {
  });
 
  it('has the right number of ancestors', () => {
- expect(tree.ancestry.size).toEqual(ancestors);
+ // +1 for the origin node
+ expect(tree.ancestry.size).toEqual(ancestors + 1);
  });
 
  it('has the right number of total children', () => {
@@ -239,10 +264,7 @@ describe('data generator', () => {
  const children = tree.children.get(event.process.entity_id);
  if (children) {
  expect(eventInNode(event, children)).toBeTruthy();
- return;
  }
-
- expect(eventInNode(event, tree.origin)).toBeTruthy();
  });
  });
 
@@ -260,8 +282,6 @@ describe('data generator', () => {
  total += nodeEventCount(node);
  }
 
- total += nodeEventCount(tree.origin);
-
  expect(tree.allEvents.length).toEqual(total);
  });
  });

x-pack/plugins/security_solution/common/endpoint/generate_data.ts

@@ -18,6 +18,16 @@ import {
 import { factory as policyFactory } from './models/policy_config';
 
 export type Event = AlertEvent | EndpointEvent;
+/**
+ * This value indicates the limit for the size of the ancestry array. The endpoint currently saves up to 20 values
+ * in its messages. To simulate a limit on the array size I'm using 2 here so that we can't rely on there being a large
+ * number like 20. The ancestry array contains entity_ids for the ancestors of a particular process.
+ *
+ * The array has a special format. The entity_ids towards the beginning of the array are closer ancestors and the
+ * values towards the end of the array are more distant ancestors (grandparents). Therefore
+ * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id
+ */
+export const ANCESTRY_LIMIT: number = 2;
 
 interface EventOptions {
  timestamp?: number;
@@ -26,6 +36,7 @@ interface EventOptions {
  eventType?: string;
  eventCategory?: string | string[];
  processName?: string;
+ ancestry?: string[];
  pid?: number;
  parentPid?: number;
  extensions?: object;
@@ -352,7 +363,8 @@ export class EndpointDocGenerator {
  public generateAlert(
  ts = new Date().getTime(),
  entityID = this.randomString(10),
- parentEntityID?: string
+ parentEntityID?: string,
+ ancestryArray: string[] = []
  ): AlertEvent {
  return {
  ...this.commonInfo,
@@ -412,6 +424,9 @@ export class EndpointDocGenerator {
  sha256: 'fake sha256',
  },
  Ext: {
+ // simulate a finite ancestry array size, the endpoint limits the ancestry array to 20 entries we'll use
+ // 2 so that the backend can handle that case
+ ancestry: ancestryArray.slice(0, ANCESTRY_LIMIT),
  code_signature: [
  {
  trusted: false,
@@ -532,6 +547,9 @@ export class EndpointDocGenerator {
  }
  : undefined,
  name: processName,
+ // simulate a finite ancestry array size, the endpoint limits the ancestry array to 20 entries we'll use
+ // 2 so that the backend can handle that case
+ Ext: { ancestry: options.ancestry?.slice(0, ANCESTRY_LIMIT) || [] },
  },
  user: {
  domain: this.randomString(10),
@@ -589,9 +607,6 @@ export class EndpointDocGenerator {
  throw Error(`could not find origin while building tree: ${alert.process.entity_id}`);
  }
 
- // remove the origin node from the ancestry array
- ancestryNodes.delete(alert.process.entity_id);
-
  const children = Array.from(
  this.descendantsTreeGenerator(
  alert,
@@ -652,6 +667,7 @@ export class EndpointDocGenerator {
  const ancestry = this.createAlertEventAncestry(
  options.ancestors,
  options.relatedEvents,
+ options.relatedAlerts,
  options.percentWithRelated,
  options.percentTerminated
  );
@@ -715,7 +731,7 @@ export class EndpointDocGenerator {
  }
  };
 
- // generate related alerts for rootW
+ // generate related alerts for root
  const processDuration: number = 6 * 3600;
  if (this.randomN(100) < pctWithRelated) {
  addRelatedEvents(ancestor, processDuration, events);
@@ -740,6 +756,8 @@ export class EndpointDocGenerator {
  ancestor = this.generateEvent({
  timestamp,
  parentEntityID: ancestor.process.entity_id,
+ // add the parent to the ancestry array
+ ancestry: [ancestor.process.entity_id, ...ancestor.process.Ext.ancestry],
  parentPid: ancestor.process.pid,
  pid: this.randomN(5000),
  });
@@ -755,6 +773,7 @@ export class EndpointDocGenerator {
  parentEntityID: ancestor.process.parent?.entity_id,
  eventCategory: 'process',
  eventType: 'end',
+ ancestry: ancestor.process.Ext.ancestry,
  })
  );
  }
@@ -773,7 +792,12 @@ export class EndpointDocGenerator {
  }
  }
  events.push(
- this.generateAlert(timestamp, ancestor.process.entity_id, ancestor.process.parent?.entity_id)
+ this.generateAlert(
+ timestamp,
+ ancestor.process.entity_id,
+ ancestor.process.parent?.entity_id,
+ ancestor.process.Ext.ancestry
+ )
  );
  return events;
  }
@@ -828,6 +852,10 @@ export class EndpointDocGenerator {
  const child = this.generateEvent({
  timestamp,
  parentEntityID: currentState.event.process.entity_id,
+ ancestry: [
+ currentState.event.process.entity_id,
+ ...currentState.event.process.Ext.ancestry,
+ ],
  });
 
  maxChildren = this.randomN(maxChildrenPerNode + 1);
@@ -849,6 +877,7 @@ export class EndpointDocGenerator {
  parentEntityID: child.process.parent?.entity_id,
  eventCategory: 'process',
  eventType: 'end',
+ ancestry: child.process.Ext.ancestry,
  });
  }
  if (this.randomN(100) < percentNodesWithRelated) {
@@ -893,6 +922,7 @@ export class EndpointDocGenerator {
  parentEntityID: node.process.parent?.entity_id,
  eventCategory: eventInfo.category,
  eventType: eventInfo.creationType,
+ ancestry: node.process.Ext.ancestry,
  });
  }
  }
@@ -911,7 +941,12 @@ export class EndpointDocGenerator {
  ) {
  for (let i = 0; i < relatedAlerts; i++) {
  const ts = node['@timestamp'] + this.randomN(alertCreationTime) * 1000;
- yield this.generateAlert(ts, node.process.entity_id, node.process.parent?.entity_id);
+ yield this.generateAlert(
+ ts,
+ node.process.entity_id,
+ node.process.parent?.entity_id,
+ node.process.Ext.ancestry
+ );
  }
  }
 

x-pack/plugins/security_solution/common/endpoint/models/event.ts

@@ -53,6 +53,13 @@ export function parentEntityId(event: ResolverEvent): string | undefined {
  return event.process.parent?.entity_id;
 }
 
+export function ancestryArray(event: ResolverEvent): string[] | undefined {
+ if (isLegacyEvent(event)) {
+ return undefined;
+ }
+ return event.process.Ext.ancestry;
+}
+
 /**
  * @param event The event to get the category for
  */

x-pack/plugins/security_solution/common/endpoint/types.ts

@@ -300,6 +300,12 @@ export interface AlertEvent {
  thread?: ThreadFields[];
  uptime: number;
  Ext: {
+ /*
+ * The array has a special format. The entity_ids towards the beginning of the array are closer ancestors and the
+ * values towards the end of the array are more distant ancestors (grandparents). Therefore
+ * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id
+ */
+ ancestry: string[];
  code_signature: Array<{
  subject_name: string;
  trusted: boolean;
@@ -469,6 +475,14 @@ export interface EndpointEvent {
  name?: string;
  pid?: number;
  };
+ /*
+ * The array has a special format. The entity_ids towards the beginning of the array are closer ancestors and the
+ * values towards the end of the array are more distant ancestors (grandparents). Therefore
+ * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id
+ */
+ Ext: {
+ ancestry: string[];
+ };
  };
  user?: {
  domain?: string;

x-pack/plugins/security_solution/cypress/integration/detections.spec.ts

@@ -28,13 +28,13 @@ import {
 import { esArchiverLoad } from '../tasks/es_archiver';
 import { loginAndWaitForPage } from '../tasks/login';
 
-import { DETECTIONS } from '../urls/navigation';
+import { ALERTS_URL } from '../urls/navigation';
 
 describe('Detections', () => {
  context('Closing alerts', () => {
  beforeEach(() => {
  esArchiverLoad('alerts');
- loginAndWaitForPage(DETECTIONS);
+ loginAndWaitForPage(ALERTS_URL);
  });
 
  it('Closes and opens alerts', () => {
@@ -161,7 +161,7 @@ describe('Detections', () => {
  context('Opening alerts', () => {
  beforeEach(() => {
  esArchiverLoad('closed_alerts');
- loginAndWaitForPage(DETECTIONS);
+ loginAndWaitForPage(ALERTS_URL);
  });
 
  it('Open one alert when more than one closed alerts are selected', () => {
@@ -207,7 +207,7 @@ describe('Detections', () => {
  context('Marking alerts as in-progress', () => {
  beforeEach(() => {
  esArchiverLoad('alerts');
- loginAndWaitForPage(DETECTIONS);
+ loginAndWaitForPage(ALERTS_URL);
  });
 
  it('Mark one alert in progress when more than one open alerts are selected', () => {

x-pack/plugins/security_solution/cypress/integration/detections_timeline.spec.ts

@@ -15,12 +15,12 @@ import {
 import { esArchiverLoad, esArchiverUnload } from '../tasks/es_archiver';
 import { loginAndWaitForPage } from '../tasks/login';
 
-import { DETECTIONS } from '../urls/navigation';
+import { ALERTS_URL } from '../urls/navigation';
 
 describe('Detections timeline', () => {
  beforeEach(() => {
  esArchiverLoad('timeline_alerts');
- loginAndWaitForPage(DETECTIONS);
+ loginAndWaitForPage(ALERTS_URL);
  });
 
  afterEach(() => {