Display node 75% view submenus

x-pack/plugins/endpoint/common/models/event.ts

@@ -4,7 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { i18n } from '@kbn/i18n';
 import { LegacyEndpointEvent, ResolverEvent } from '../types';
+import { EventCategory } from '../../public/embeddables/resolver/types';
 
 export function isLegacyEvent(event: ResolverEvent): event is LegacyEndpointEvent {
   return (event as LegacyEndpointEvent).endgame !== undefined;
@@ -46,3 +48,107 @@ export function parentEntityId(event: ResolverEvent): string | undefined {
   }
   return event.process.parent?.entity_id;
 }
+
+export function eventCategoryDisplayName(event: ResolverEvent): EventCategory {
+  const eventTypeToNameMap = new Map<string, EventCategory>([
+    [
+      'process',
+      i18n.translate('xpack.endpoint.resolver.Process', {
+        defaultMessage: 'Process',
+      }) as EventCategory,
+    ],
+    [
+      'alert',
+      i18n.translate('xpack.endpoint.resolver.Alert', {
+        defaultMessage: 'Alert',
+      }) as EventCategory,
+    ],
+    [
+      'security',
+      i18n.translate('xpack.endpoint.resolver.Security', {
+        defaultMessage: 'Security',
+      }) as EventCategory,
+    ],
+    [
+      'file',
+      i18n.translate('xpack.endpoint.resolver.File', {
+        defaultMessage: 'File',
+      }) as EventCategory,
+    ],
+    [
+      'network',
+      i18n.translate('xpack.endpoint.resolver.Network', {
+        defaultMessage: 'Network',
+      }) as EventCategory,
+    ],
+    [
+      'registry',
+      i18n.translate('xpack.endpoint.resolver.Registry', {
+        defaultMessage: 'Registry',
+      }) as EventCategory,
+    ],
+    [
+      'dns',
+      i18n.translate('xpack.endpoint.resolver.DNS', {
+        defaultMessage: 'DNS',
+      }) as EventCategory,
+    ],
+    [
+      'clr',
+      i18n.translate('xpack.endpoint.resolver.CLR', {
+        defaultMessage: 'CLR',
+      }) as EventCategory,
+    ],
+    [
+      'image_load',
+      i18n.translate('xpack.endpoint.resolver.ImageLoad', {
+        defaultMessage: 'Image Load',
+      }) as EventCategory,
+    ],
+    [
+      'powershell',
+      i18n.translate('xpack.endpoint.resolver.Powershell', {
+        defaultMessage: 'Powershell',
+      }) as EventCategory,
+    ],
+    [
+      'wmi',
+      i18n.translate('xpack.endpoint.resolver.WMI', {
+        defaultMessage: 'WMI',
+      }) as EventCategory,
+    ],
+    [
+      'api',
+      i18n.translate('xpack.endpoint.resolver.API', {
+        defaultMessage: 'API',
+      }) as EventCategory,
+    ],
+    [
+      'user',
+      i18n.translate('xpack.endpoint.resolver.User', {
+        defaultMessage: 'User',
+      }) as EventCategory,
+    ],
+  ]);
+
+  // Returning "Process" as a catch-all here because it seems pretty general
+  let eventCategoryToReturn: EventCategory = 'Process';
+  if (isLegacyEvent(event)) {
+    const legacyFullType = event.endgame.event_type_full;
+    if (legacyFullType) {
+      const mappedLegacyCategory = eventTypeToNameMap.get(legacyFullType);
+      if (mappedLegacyCategory) {
+        eventCategoryToReturn = mappedLegacyCategory;
+      }
+    }
+  } else {
+    const eventCategories = event.event.category;
+    const eventCategory =
+      typeof eventCategories === 'string' ? eventCategories : eventCategories[0] || '';
+    const mappedCategoryValue = eventTypeToNameMap.get(eventCategory);
+    if (mappedCategoryValue) {
+      eventCategoryToReturn = mappedCategoryValue;
+    }
+  }
+  return eventCategoryToReturn;
+}

x-pack/plugins/endpoint/public/embeddables/resolver/store/actions.ts

@@ -44,6 +44,15 @@ interface AppRequestedResolverData {
   readonly type: 'appRequestedResolverData';
 }
 
+/**
+ * The action dispatched when the app requests related event data for one or more
+ * subjects (whose ids should be included as an array @ `payload`)
+ */
+interface UserRequestedRelatedEventData {
+  readonly type: 'userRequestedRelatedEventData';
+  readonly payload: ResolverEvent;
+}
+
 /**
  * When the user switches the "active descendant" of the Resolver.
  * The "active descendant" (from the point of view of the parent element)
@@ -77,11 +86,27 @@ interface UserSelectedResolverNode {
   };
 }
 
+interface UserSelectedRelatedEventCategory {
+  readonly type: 'userSelectedRelatedEventCategory';
+  readonly payload: {
+    subject: ResolverEvent;
+    category: string;
+  };
+}
+
+interface UserSelectedRelatedAlerts {
+  readonly type: 'userSelectedRelatedAlerts';
+  readonly payload: ResolverEvent;
+}
+
 export type ResolverAction =
   | CameraAction
   | DataAction
   | UserBroughtProcessIntoView
   | UserChangedSelectedEvent
   | AppRequestedResolverData
   | UserFocusedOnResolverNode
-  | UserSelectedResolverNode;
+  | UserSelectedResolverNode
+  | UserRequestedRelatedEventData
+  | UserSelectedRelatedEventCategory
+  | UserSelectedRelatedAlerts;

x-pack/plugins/endpoint/public/embeddables/resolver/store/data/action.ts

@@ -5,6 +5,7 @@
  */
 
 import { ResolverEvent } from '../../../../../common/types';
+import { RelatedEventDataEntry } from '../../types';
 
 interface ServerReturnedResolverData {
   readonly type: 'serverReturnedResolverData';
@@ -15,4 +16,24 @@ interface ServerFailedToReturnResolverData {
   readonly type: 'serverFailedToReturnResolverData';
 }
 
-export type DataAction = ServerReturnedResolverData | ServerFailedToReturnResolverData;
+/**
+ * Will occur when a request for related event data is fulfilled by the API.
+ */
+interface ServerReturnedRelatedEventData {
+  readonly type: 'serverReturnedRelatedEventData';
+  readonly payload: Map<ResolverEvent, RelatedEventDataEntry>;
+}
+
+/**
+ * Will occur when a request for related event data is unsuccessful.
+ */
+interface ServerFailedToReturnRelatedEventData {
+  readonly type: 'serverFailedToReturnRelatedEventData';
+  readonly payload: [ResolverEvent, Error];
+}
+
+export type DataAction =
+  | ServerReturnedResolverData
+  | ServerFailedToReturnResolverData
+  | ServerReturnedRelatedEventData
+  | ServerFailedToReturnRelatedEventData;

x-pack/plugins/endpoint/public/embeddables/resolver/store/data/reducer.ts

@@ -5,13 +5,19 @@
  */
 
 import { Reducer } from 'redux';
-import { DataState, ResolverAction } from '../../types';
+import {
+  DataState,
+  ResolverAction,
+  resultsEnrichedWithRelatedEventInfo,
+  waitingForRelatedEventData,
+} from '../../types';
 
 function initialState(): DataState {
   return {
     results: [],
     isLoading: false,
     hasError: false,
+    [resultsEnrichedWithRelatedEventInfo]: new Map(),
   };
 }
 
@@ -23,6 +29,35 @@ export const dataReducer: Reducer<DataState, ResolverAction> = (state = initialS
       isLoading: false,
       hasError: false,
     };
+  } else if (action.type === 'userRequestedRelatedEventData') {
+    const resolverEvent = action.payload;
+    const statsMap = state[resultsEnrichedWithRelatedEventInfo];
+    if (statsMap) {
+      const currentStatsMap = new Map(statsMap);
+      /**
+       * Set the waiting indicator for this event to indicate that related event results are pending.
+       * It will be replaced by the actual results from the API when they are returned.
+       */
+      currentStatsMap.set(resolverEvent, waitingForRelatedEventData);
+      return { ...state, [resultsEnrichedWithRelatedEventInfo]: currentStatsMap };
+    }
+    return state;
+  } else if (action.type === 'serverFailedToReturnRelatedEventData') {
+    const statsMap = state[resultsEnrichedWithRelatedEventInfo];
+    if (statsMap) {
+      const currentStatsMap = new Map(statsMap);
+      const [resolverEvent, apiError] = action.payload;
+      currentStatsMap.set(resolverEvent, apiError);
+      return { ...state, [resultsEnrichedWithRelatedEventInfo]: currentStatsMap };
+    }
+    return state;
+  } else if (action.type === 'serverReturnedRelatedEventData') {
+    const statsMap = state[resultsEnrichedWithRelatedEventInfo];
+    if (statsMap && typeof statsMap?.set === 'function') {
+      const relatedDataEntries = new Map([...statsMap, ...action.payload]);
+      return { ...state, [resultsEnrichedWithRelatedEventInfo]: relatedDataEntries };
+    }
+    return state;
   } else if (action.type === 'appRequestedResolverData') {
     return {
       ...state,

x-pack/plugins/endpoint/public/embeddables/resolver/store/data/selectors.ts

@@ -14,6 +14,10 @@ import {
   ProcessWithWidthMetadata,
   Matrix3,
   AdjacentProcessMap,
+  RelatedEventData,
+  resultsEnrichedWithRelatedEventInfo,
+  RelatedEventType,
+  RelatedEventDataEntryWithStats,
 } from '../../types';
 import { ResolverEvent } from '../../../../../common/types';
 import { Vector2 } from '../../types';
@@ -405,6 +409,79 @@ export const indexedProcessTree = createSelector(graphableProcesses, function in
   return indexedProcessTreeFactory(graphableProcesses);
 });
 
+/**
+ * Process events that will be graphed.
+ */
+export const relatedEventResults = createSelector(
+  (data: DataState) => data,
+  function(data) {
+    return data[resultsEnrichedWithRelatedEventInfo];
+  }
+);
+
+export const relatedEventStats = createSelector(relatedEventResults, function getRelatedEvents(
+  /* eslint-disable no-shadow */
+  relatedEventResults
+  /* eslint-enable no-shadow */
+) {
+  /* eslint-disable no-shadow */
+  const relatedEventStats: RelatedEventData = new Map();
+  /* eslint-enable no-shadow */
+  if (!relatedEventResults) {
+    return relatedEventStats;
+  }
+
+  for (const updatedEvent of relatedEventResults.keys()) {
+    const newStatsEntry = relatedEventResults.get(updatedEvent);
+    if (typeof newStatsEntry === 'object') {
+      // compile stats
+      if (newStatsEntry instanceof Error) {
+        relatedEventStats.set(updatedEvent, newStatsEntry);
+        continue;
+      }
+      const statsForEntry = newStatsEntry?.relatedEvents.reduce(
+        (
+          compiledStats: Partial<Record<RelatedEventType, number>>,
+          relatedEvent: { relatedEventType: RelatedEventType }
+        ) => {
+          compiledStats[relatedEvent.relatedEventType] =
+            (compiledStats[relatedEvent.relatedEventType] || 0) + 1;
+          return compiledStats;
+        },
+        {}
+      );
+
+      const newRelatedEventStats: RelatedEventDataEntryWithStats = Object.assign(newStatsEntry, {
+        stats: statsForEntry,
+      });
+      relatedEventStats.set(updatedEvent, newRelatedEventStats);
+    }
+  }
+  return relatedEventStats;
+});
+
+export const relatedEvents = createSelector(
+  graphableProcesses,
+  relatedEventStats,
+  function getRelatedEvents(
+    /* eslint-disable no-shadow */
+    graphableProcesses,
+    relatedEventStats
+    /* eslint-enable no-shadow */
+  ) {
+    const eventsRelatedByProcess: RelatedEventData = new Map();
+    /* eslint-disable no-shadow */
+    return graphableProcesses.reduce((relatedEvents, graphableProcess) => {
+      /* eslint-enable no-shadow */
+      const relatedEventDataEntry = relatedEventStats?.get(graphableProcess);
+      if (relatedEventDataEntry) {
+        relatedEvents.set(graphableProcess, relatedEventDataEntry);
+      }
+      return relatedEvents;
+    }, eventsRelatedByProcess);
+  }
+);
+
 export const processAdjacencies = createSelector(
   indexedProcessTree,
   graphableProcesses,