[Security Solution] Refactor MatrixHistogram to use Search Strategy (#76603) (#76856)

Author: patrykkopycinski

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/index.ts

@@ -4,11 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export * from './authentications';
 export * from './all';
+export * from './authentications';
 export * from './common';
-export * from './overview';
 export * from './first_last_seen';
+export * from './overview';
 export * from './uncommon_processes';
 
 export enum HostsQueries {

x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts

@@ -30,6 +30,11 @@ import {
   NetworkTopNFlowStrategyResponse,
   NetworkTopNFlowRequestOptions,
 } from './network';
+import {
+  MatrixHistogramQuery,
+  MatrixHistogramRequestOptions,
+  MatrixHistogramStrategyResponse,
+} from './matrix_histogram';
 import {
   DocValueFields,
   TimerangeInput,
@@ -39,9 +44,10 @@ import {
 } from '../common';
 
 export * from './hosts';
+export * from './matrix_histogram';
 export * from './network';
 
-export type FactoryQueryTypes = HostsQueries | NetworkQueries;
+export type FactoryQueryTypes = HostsQueries | NetworkQueries | typeof MatrixHistogramQuery;
 
 export interface RequestBasicOptions extends IEsSearchRequest {
   timerange: TimerangeInput;
@@ -81,6 +87,8 @@ export type StrategyResponseType<T extends FactoryQueryTypes> = T extends HostsQ
   ? NetworkTopCountriesStrategyResponse
   : T extends NetworkQueries.topNFlow
   ? NetworkTopNFlowStrategyResponse
+  : T extends typeof MatrixHistogramQuery
+  ? MatrixHistogramStrategyResponse
   : never;
 
 export type StrategyRequestType<T extends FactoryQueryTypes> = T extends HostsQueries.hosts
@@ -101,4 +109,6 @@ export type StrategyRequestType<T extends FactoryQueryTypes> = T extends HostsQu
   ? NetworkTopCountriesRequestOptions
   : T extends NetworkQueries.topNFlow
   ? NetworkTopNFlowRequestOptions
+  : T extends typeof MatrixHistogramQuery
+  ? MatrixHistogramRequestOptions
   : never;

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/alerts/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { HistogramBucket } from '../common';
+
+export interface AlertsGroupData {
+  key: string;
+  doc_count: number;
+  alerts: {
+    buckets: HistogramBucket[];
+  };
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/anomalies/index.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SearchHit } from '../../../common';
+
+interface AnomaliesOverTimeHistogramData {
+  key_as_string: string;
+  key: number;
+  doc_count: number;
+}
+
+export interface AnomaliesActionGroupData {
+  key: number;
+  anomalies: {
+    bucket: AnomaliesOverTimeHistogramData[];
+  };
+  doc_count: number;
+}
+
+export interface AnomalySource {
+  [field: string]: any; // eslint-disable-line @typescript-eslint/no-explicit-any
+}
+
+export interface AnomalyHit extends SearchHit {
+  sort: string[];
+  _source: AnomalySource;
+  aggregations: {
+    [agg: string]: any; // eslint-disable-line @typescript-eslint/no-explicit-any
+  };
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/authentications/index.ts

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface AuthenticationsOverTimeHistogramData {
+  key_as_string: string;
+  key: number;
+  doc_count: number;
+}
+
+export interface AuthenticationsActionGroupData {
+  key: number;
+  events: {
+    bucket: AuthenticationsOverTimeHistogramData[];
+  };
+  doc_count: number;
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/common/index.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface HistogramBucket {
+  key: number;
+  doc_count: number;
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/dns/index.ts

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface DnsHistogramSubBucket {
+  key: string;
+  doc_count: number;
+  orderAgg: {
+    value: number;
+  };
+}
+interface DnsHistogramBucket {
+  doc_count_error_upper_bound: number;
+  sum_other_doc_count: number;
+  buckets: DnsHistogramSubBucket[];
+}
+
+export interface DnsHistogramGroupData {
+  key: number;
+  doc_count: number;
+  key_as_string: string;
+  histogram: DnsHistogramBucket;
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/events/index.ts

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SearchHit } from '../../../common';
+
+interface EventsMatrixHistogramData {
+  key_as_string: string;
+  key: number;
+  doc_count: number;
+}
+
+export interface EventSource {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  [field: string]: any;
+}
+
+export interface EventsActionGroupData {
+  key: number;
+  events: {
+    bucket: EventsMatrixHistogramData[];
+  };
+  doc_count: number;
+}
+
+export interface EventHit extends SearchHit {
+  sort: string[];
+  _source: EventSource;
+  aggregations: {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    [agg: string]: any;
+  };
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/index.ts

@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../src/plugins/data/common';
+import { AuthenticationHit } from '../hosts';
+import { Inspect, Maybe, TimerangeInput } from '../../common';
+import { RequestBasicOptions } from '../';
+import { AlertsGroupData } from './alerts';
+import { AnomaliesActionGroupData, AnomalyHit } from './anomalies';
+import { DnsHistogramGroupData } from './dns';
+import { AuthenticationsActionGroupData } from './authentications';
+import { EventsActionGroupData, EventHit } from './events';
+
+export * from './alerts';
+export * from './anomalies';
+export * from './authentications';
+export * from './common';
+export * from './dns';
+export * from './events';
+
+export const MatrixHistogramQuery = 'matrixHistogram';
+
+export enum MatrixHistogramType {
+  authentications = 'authentications',
+  anomalies = 'anomalies',
+  events = 'events',
+  alerts = 'alerts',
+  dns = 'dns',
+}
+
+export interface MatrixHistogramRequestOptions extends RequestBasicOptions {
+  timerange: TimerangeInput;
+  histogramType: MatrixHistogramType;
+  stackByField: string;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface MatrixHistogramStrategyResponse extends IEsSearchResponse {
+  inspect?: Maybe<Inspect>;
+  matrixHistogramData: MatrixHistogramData[];
+  totalCount: number;
+}
+
+export interface MatrixHistogramData {
+  x?: Maybe<number>;
+  y?: Maybe<number>;
+  g?: Maybe<string>;
+}
+
+export interface MatrixHistogramBucket {
+  key: number;
+  doc_count: number;
+}
+
+export interface MatrixHistogramSchema<T> {
+  buildDsl: (options: MatrixHistogramRequestOptions) => {};
+  aggName: string;
+  parseKey: string;
+  parser?: <T>(data: MatrixHistogramParseData<T>, keyBucket: string) => MatrixHistogramData[];
+}
+
+export type MatrixHistogramParseData<T> = T extends MatrixHistogramType.alerts
+  ? AlertsGroupData[]
+  : T extends MatrixHistogramType.anomalies
+  ? AnomaliesActionGroupData[]
+  : T extends MatrixHistogramType.dns
+  ? DnsHistogramGroupData[]
+  : T extends MatrixHistogramType.authentications
+  ? AuthenticationsActionGroupData[]
+  : T extends MatrixHistogramType.events
+  ? EventsActionGroupData[]
+  : never;
+
+export type MatrixHistogramHit<T> = T extends MatrixHistogramType.alerts
+  ? EventHit
+  : T extends MatrixHistogramType.anomalies
+  ? AnomalyHit
+  : T extends MatrixHistogramType.dns
+  ? EventHit
+  : T extends MatrixHistogramType.authentications
+  ? AuthenticationHit
+  : T extends MatrixHistogramType.events
+  ? EventHit
+  : never;
+
+export type MatrixHistogramDataConfig = Record<
+  MatrixHistogramType,
+  MatrixHistogramSchema<MatrixHistogramType>
+>;

x-pack/plugins/security_solution/public/common/components/alerts_viewer/histogram_configs.ts

@@ -6,7 +6,7 @@
 
 import * as i18n from './translations';
 import { MatrixHistogramOption, MatrixHistogramConfigs } from '../matrix_histogram/types';
-import { HistogramType } from '../../../graphql/types';
+import { MatrixHistogramType } from '../../../../common/search_strategy/security_solution/matrix_histogram';
 
 export const alertsStackByOptions: MatrixHistogramOption[] = [
   {
@@ -25,7 +25,7 @@ export const histogramConfigs: MatrixHistogramConfigs = {
   defaultStackByOption:
     alertsStackByOptions.find((o) => o.text === DEFAULT_STACK_BY) ?? alertsStackByOptions[1],
   errorMessage: i18n.ERROR_FETCHING_ALERTS_DATA,
-  histogramType: HistogramType.alerts,
+  histogramType: MatrixHistogramType.alerts,
   stackByOptions: alertsStackByOptions,
   subtitle: undefined,
   title: i18n.ALERTS_GRAPH_TITLE,