[Security_Solution][Bug] Handle non-ecs categories in events (#71714)

bkimmel · web-flow · commit 654d4da90460 · 2020-07-14T18:51:59.000-04:00
* Make resolver related event categories permissive
diff --git a/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts b/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts
@@ -166,6 +166,15 @@ describe('Resolver Data Middleware', () => {
 
         expect(selectedEventsForFirstChildNode).toBe(firstChildNodeInTree.relatedEvents);
       });
+      it('should return related events for the category equal to the number of events of that type provided', () => {
+        const relatedEventsByCategory = selectors.relatedEventsByCategory(store.getState());
+        const relatedEventsForOvercountedCategory = relatedEventsByCategory(
+          firstChildNodeInTree.id
+        )(categoryToOverCount);
+        expect(relatedEventsForOvercountedCategory.length).toBe(
+          eventStatsForFirstChildNode.byCategory[categoryToOverCount] - 1
+        );
+      });
       it('should indicate the limit has been exceeded because the number of related events received for the category is less than what the stats count said it would be', () => {
         const selectedRelatedInfo = selectors.relatedEventInfoByEntityId(store.getState());
         const shouldShowLimit = selectedRelatedInfo(firstChildNodeInTree.id)
diff --git a/x-pack/plugins/security_solution/public/resolver/store/data/selectors.ts b/x-pack/plugins/security_solution/public/resolver/store/data/selectors.ts
@@ -130,6 +130,38 @@ export function relatedEventsByEntityId(data: DataState): Map<string, ResolverRe
   return data.relatedEvents;
 }
 
+/**
+ * Returns a function that returns a function (when supplied with an entity id for a node)
+ * that returns related events for a node that match an event.category (when supplied with the category)
+ */
+export const relatedEventsByCategory = createSelector(
+  relatedEventsByEntityId,
+  function provideGettersByCategory(
+    /* eslint-disable no-shadow */
+    relatedEventsByEntityId
+    /* eslint-enable no-shadow */
+  ) {
+    return defaultMemoize((entityId: string) => {
+      return defaultMemoize((ecsCategory: string) => {
+        const relatedById = relatedEventsByEntityId.get(entityId);
+        // With no related events, we can't return related by category
+        if (!relatedById) {
+          return [];
+        }
+        return relatedById.events.reduce(
+          (eventsByCategory: ResolverEvent[], candidate: ResolverEvent) => {
+            if ([candidate && allEventCategories(candidate)].flat().includes(ecsCategory)) {
+              eventsByCategory.push(candidate);
+            }
+            return eventsByCategory;
+          },
+          []
+        );
+      });
+    });
+  }
+);
+
 /**
  * returns a map of entity_ids to booleans indicating if it is waiting on related event
  * A value of `undefined` can be interpreted as `not yet requested`
diff --git a/x-pack/plugins/security_solution/public/resolver/store/selectors.ts b/x-pack/plugins/security_solution/public/resolver/store/selectors.ts
@@ -100,6 +100,15 @@ export const relatedEventsByEntityId = composeSelectors(
   dataSelectors.relatedEventsByEntityId
 );
 
+/**
+ * Returns a function that returns a function (when supplied with an entity id for a node)
+ * that returns related events for a node that match an event.category (when supplied with the category)
+ */
+export const relatedEventsByCategory = composeSelectors(
+  dataStateSelector,
+  dataSelectors.relatedEventsByCategory
+);
+
 /**
  * Entity ids to booleans for waiting status
  */
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panel.tsx b/x-pack/plugins/security_solution/public/resolver/view/panel.tsx
@@ -7,7 +7,6 @@
 import React, { memo, useMemo, useContext, useLayoutEffect, useState } from 'react';
 import { useSelector } from 'react-redux';
 import { EuiPanel } from '@elastic/eui';
-import { displayNameRecord } from './process_event_dot';
 import * as selectors from '../store/selectors';
 import { useResolverDispatch } from './use_resolver_dispatch';
 import * as event from '../../../common/endpoint/models/event';
@@ -144,7 +143,7 @@ const PanelContent = memo(function PanelContent() {
        * | relateds list 1 type   | entity_id of process       | valid related event type |
        */
 
-      if (crumbEvent in displayNameRecord && uiSelectedEvent) {
+      if (crumbEvent && crumbEvent.length && uiSelectedEvent) {
         return 'processEventListNarrowedByType';
       }
     }
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/panel_content_related_list.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/panel_content_related_list.tsx
@@ -164,9 +164,6 @@ export const ProcessEventListNarrowedByType = memo(function ProcessEventListNarr
   const relatedsReadyMap = useSelector(selectors.relatedEventsReady);
   const relatedsReady = relatedsReadyMap.get(processEntityId);
 
-  const relatedEventsForThisProcess = useSelector(selectors.relatedEventsByEntityId).get(
-    processEntityId
-  );
   const dispatch = useResolverDispatch();
 
   useEffect(() => {
@@ -189,39 +186,30 @@ export const ProcessEventListNarrowedByType = memo(function ProcessEventListNarr
     ];
   }, [pushToQueryParams, eventsString]);
 
-  const relatedEventsToDisplay = useMemo(() => {
-    return relatedEventsForThisProcess?.events || [];
-  }, [relatedEventsForThisProcess?.events]);
+  const relatedByCategory = useSelector(selectors.relatedEventsByCategory);
 
   /**
    * A list entry will be displayed for each of these
    */
   const matchingEventEntries: MatchingEventEntry[] = useMemo(() => {
-    const relateds = relatedEventsToDisplay
-      .reduce((a: ResolverEvent[], candidate) => {
-        if (event.primaryEventCategory(candidate) === eventType) {
-          a.push(candidate);
-        }
-        return a;
-      }, [])
-      .map((resolverEvent) => {
-        const eventTime = event.eventTimestamp(resolverEvent);
-        const formattedDate = typeof eventTime === 'undefined' ? '' : formatDate(eventTime);
-        const entityId = event.eventId(resolverEvent);
+    const relateds = relatedByCategory(processEntityId)(eventType).map((resolverEvent) => {
+      const eventTime = event.eventTimestamp(resolverEvent);
+      const formattedDate = typeof eventTime === 'undefined' ? '' : formatDate(eventTime);
+      const entityId = event.eventId(resolverEvent);
 
-        return {
-          formattedDate,
-          eventCategory: `${eventType}`,
-          eventType: `${event.ecsEventType(resolverEvent)}`,
-          name: event.descriptiveName(resolverEvent),
-          entityId,
-          setQueryParams: () => {
-            pushToQueryParams({ crumbId: entityId, crumbEvent: processEntityId });
-          },
-        };
-      });
+      return {
+        formattedDate,
+        eventCategory: `${eventType}`,
+        eventType: `${event.ecsEventType(resolverEvent)}`,
+        name: event.descriptiveName(resolverEvent),
+        entityId,
+        setQueryParams: () => {
+          pushToQueryParams({ crumbId: entityId, crumbEvent: processEntityId });
+        },
+      };
+    });
     return relateds;
-  }, [relatedEventsToDisplay, eventType, processEntityId, pushToQueryParams]);
+  }, [relatedByCategory, eventType, processEntityId, pushToQueryParams]);
 
   const crumbs = useMemo(() => {
     return [
diff --git a/x-pack/plugins/security_solution/public/resolver/view/process_event_dot.tsx b/x-pack/plugins/security_solution/public/resolver/view/process_event_dot.tsx
@@ -8,7 +8,6 @@
 
 import React, { useCallback, useMemo } from 'react';
 import styled from 'styled-components';
-import { i18n } from '@kbn/i18n';
 import { htmlIdGenerator, EuiButton, EuiI18nNumber, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import { useSelector } from 'react-redux';
 import { NodeSubMenu, subMenuAssets } from './submenu';
@@ -21,172 +20,6 @@ import * as eventModel from '../../../common/endpoint/models/event';
 import * as selectors from '../store/selectors';
 import { useResolverQueryParams } from './use_resolver_query_params';
 
-/**
- * A record of all known event types (in schema format) to translations
- */
-export const displayNameRecord = {
-  application: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.applicationEventTypeDisplayName',
-    {
-      defaultMessage: 'Application',
-    }
-  ),
-  apm: i18n.translate('xpack.securitySolution.endpoint.resolver.apmEventTypeDisplayName', {
-    defaultMessage: 'APM',
-  }),
-  audit: i18n.translate('xpack.securitySolution.endpoint.resolver.auditEventTypeDisplayName', {
-    defaultMessage: 'Audit',
-  }),
-  authentication: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.authenticationEventTypeDisplayName',
-    {
-      defaultMessage: 'Authentication',
-    }
-  ),
-  certificate: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.certificateEventTypeDisplayName',
-    {
-      defaultMessage: 'Certificate',
-    }
-  ),
-  cloud: i18n.translate('xpack.securitySolution.endpoint.resolver.cloudEventTypeDisplayName', {
-    defaultMessage: 'Cloud',
-  }),
-  database: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.databaseEventTypeDisplayName',
-    {
-      defaultMessage: 'Database',
-    }
-  ),
-  driver: i18n.translate('xpack.securitySolution.endpoint.resolver.driverEventTypeDisplayName', {
-    defaultMessage: 'Driver',
-  }),
-  email: i18n.translate('xpack.securitySolution.endpoint.resolver.emailEventTypeDisplayName', {
-    defaultMessage: 'Email',
-  }),
-  file: i18n.translate('xpack.securitySolution.endpoint.resolver.fileEventTypeDisplayName', {
-    defaultMessage: 'File',
-  }),
-  host: i18n.translate('xpack.securitySolution.endpoint.resolver.hostEventTypeDisplayName', {
-    defaultMessage: 'Host',
-  }),
-  iam: i18n.translate('xpack.securitySolution.endpoint.resolver.iamEventTypeDisplayName', {
-    defaultMessage: 'IAM',
-  }),
-  iam_group: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.iam_groupEventTypeDisplayName',
-    {
-      defaultMessage: 'IAM Group',
-    }
-  ),
-  intrusion_detection: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.intrusion_detectionEventTypeDisplayName',
-    {
-      defaultMessage: 'Intrusion Detection',
-    }
-  ),
-  malware: i18n.translate('xpack.securitySolution.endpoint.resolver.malwareEventTypeDisplayName', {
-    defaultMessage: 'Malware',
-  }),
-  network_flow: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.network_flowEventTypeDisplayName',
-    {
-      defaultMessage: 'Network Flow',
-    }
-  ),
-  network: i18n.translate('xpack.securitySolution.endpoint.resolver.networkEventTypeDisplayName', {
-    defaultMessage: 'Network',
-  }),
-  package: i18n.translate('xpack.securitySolution.endpoint.resolver.packageEventTypeDisplayName', {
-    defaultMessage: 'Package',
-  }),
-  process: i18n.translate('xpack.securitySolution.endpoint.resolver.processEventTypeDisplayName', {
-    defaultMessage: 'Process',
-  }),
-  registry: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.registryEventTypeDisplayName',
-    {
-      defaultMessage: 'Registry',
-    }
-  ),
-  session: i18n.translate('xpack.securitySolution.endpoint.resolver.sessionEventTypeDisplayName', {
-    defaultMessage: 'Session',
-  }),
-  service: i18n.translate('xpack.securitySolution.endpoint.resolver.serviceEventTypeDisplayName', {
-    defaultMessage: 'Service',
-  }),
-  socket: i18n.translate('xpack.securitySolution.endpoint.resolver.socketEventTypeDisplayName', {
-    defaultMessage: 'Socket',
-  }),
-  vulnerability: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.vulnerabilityEventTypeDisplayName',
-    {
-      defaultMessage: 'Vulnerability',
-    }
-  ),
-  web: i18n.translate('xpack.securitySolution.endpoint.resolver.webEventTypeDisplayName', {
-    defaultMessage: 'Web',
-  }),
-  alert: i18n.translate('xpack.securitySolution.endpoint.resolver.alertEventTypeDisplayName', {
-    defaultMessage: 'Alert',
-  }),
-  security: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.securityEventTypeDisplayName',
-    {
-      defaultMessage: 'Security',
-    }
-  ),
-  dns: i18n.translate('xpack.securitySolution.endpoint.resolver.dnsEventTypeDisplayName', {
-    defaultMessage: 'DNS',
-  }),
-  clr: i18n.translate('xpack.securitySolution.endpoint.resolver.clrEventTypeDisplayName', {
-    defaultMessage: 'CLR',
-  }),
-  image_load: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.image_loadEventTypeDisplayName',
-    {
-      defaultMessage: 'Image Load',
-    }
-  ),
-  powershell: i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.powershellEventTypeDisplayName',
-    {
-      defaultMessage: 'Powershell',
-    }
-  ),
-  wmi: i18n.translate('xpack.securitySolution.endpoint.resolver.wmiEventTypeDisplayName', {
-    defaultMessage: 'WMI',
-  }),
-  api: i18n.translate('xpack.securitySolution.endpoint.resolver.apiEventTypeDisplayName', {
-    defaultMessage: 'API',
-  }),
-  user: i18n.translate('xpack.securitySolution.endpoint.resolver.userEventTypeDisplayName', {
-    defaultMessage: 'User',
-  }),
-} as const;
-
-const unknownEventTypeMessage = i18n.translate(
-  'xpack.securitySolution.endpoint.resolver.userEventTypeDisplayUnknown',
-  {
-    defaultMessage: 'Unknown',
-  }
-);
-
-type EventDisplayName = typeof displayNameRecord[keyof typeof displayNameRecord] &
-  typeof unknownEventTypeMessage;
-
-/**
- * Take a `schemaName` and return a translation.
- */
-const schemaNameTranslation: (
-  schemaName: string
-) => EventDisplayName = function nameInSchemaToDisplayName(schemaName) {
-  if (schemaName in displayNameRecord) {
-    return displayNameRecord[schemaName as keyof typeof displayNameRecord];
-  }
-  return unknownEventTypeMessage;
-};
-
 interface StyledActionsContainer {
   readonly color: string;
   readonly fontSize: number;
@@ -437,7 +270,7 @@ const UnstyledProcessEventDot = React.memo(
       )) {
         relatedStatsList.push({
           prefix: <EuiI18nNumber value={total || 0} />,
-          optionTitle: schemaNameTranslation(category),
+          optionTitle: category,
           action: () => {
             dispatch({
               type: 'userSelectedRelatedEventCategory',
