[Security Solution][Resolver] Handle disabled process collection #73592
Conversation
jonathan-buttner
added
v8.0.0
release_note:skip
jonathan-buttner
requested review from
oatkiller,
bkimmel,
andrew-goldstein,
michaelolo24,
james-elastic and
kqualters-elastic
|
Pinging @elastic/endpoint-data-visibility-team (Team:Endpoint Data Visibility) |
|
Pinging @elastic/endpoint-app-team (Feature:Endpoint) |
| }); | ||
|
|
||
| it('returns false if process.entity_id is an empty array', () => { | ||
| const data: Ecs = { _id: '1', agent: { type: ['endpoint'] } }; |
There was a problem hiding this comment.
fyi, this is missing the empty array
There was a problem hiding this comment.
Ah thanks. I actually check that case below. Must be an accidental copy paste. I'll remove it.
| }); | ||
|
|
||
| it('excludes events that have an empty entity_id field', async () => { | ||
| // first lets get the _id of the document using the parent.process.entity_id |
There was a problem hiding this comment.
nothing to block over, but can't you set _id when you insert a document?
There was a problem hiding this comment.
Yeah good point. I'm using a helper function that inserts an array of documents so it's doing a bulk request. Later we can refactor it so it specifies the _id of the document so we don't have to do the search.
| before(async () => { | ||
| // construct a tree with an origin and two direct children. One child will not have an entity_id. That child | ||
| // should not be returned by the backend. | ||
| origin = generator.generateEvent({ entityID: 'a' }); |
There was a problem hiding this comment.
we should add tests of this kind to the UI too eventually
| ancestor2 = generator.generateEvent({ | ||
| entityID: '2', | ||
| }); | ||
| ancestor1 = generator.generateEvent({ |
There was a problem hiding this comment.
having trouble following what ancestor1 is for. but i'm tired. maybe you can explain it to me next week :)
There was a problem hiding this comment.
Yeah it was more of a sanity check. The origin node in that test has its process.parent.entity_id set to ancestor1's process.entity_id, but the backend should be using the ancestry array to determine the ancestors if it exists. So since ancestor1 was not returned in the request we can be assured that the backend is properly using the ancestry array.
| origin = generator.generateEvent({ | ||
| entityID: 'a', | ||
| parentEntityID: ancestor1.process.entity_id, | ||
| ancestry: ['', ancestor2.process.entity_id], |
There was a problem hiding this comment.
you could just make the first one here ancestorNoEntityID.process.entity_id too. Took me a sec to figure that's what was being referenced. Nothing to restart CI over though
There was a problem hiding this comment.
Yeah good point. I added that late. I wanted to make sure that the backend wouldn't return the event even if ES actually did have a document with entity_id as an empty string
…ed-process-collection-v2
|
@elasticmachine merge upstream |
💚 Build SucceededBuild metricsasync chunks size
History
To update your PR or re-run it, just comment with: |
…stic#73592) * Handling entity ids of empty string * Tests for entity id being empty * More comments * entity test * Renaming interface * Removing unneeded test Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
…stic#73592) * Handling entity ids of empty string * Tests for entity id being empty * More comments * entity test * Renaming interface * Removing unneeded test Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
) (#73619) * Handling entity ids of empty string * Tests for entity id being empty * More comments * entity test * Renaming interface * Removing unneeded test Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
#73592) (#73620) * [Security Solution][Resolver] Handle disabled process collection (#73592) * Handling entity ids of empty string * Tests for entity id being empty * More comments * entity test * Renaming interface * Removing unneeded test Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> * Fixing type error Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* master: (126 commits) [ML] Disabling ML if license feature is disabled (elastic#73187) [ML] Fixing old _xpack style es endpoint paths (elastic#73667) [DOCS] [Lens] 7.9 docs refresh (elastic#72301) [ML] DF Analytics results: ensure `View` link is only enabled when job has successfully completed (elastic#73539) Set timeRange to default to trigger the error message (elastic#73629) [ML] Functional tests - stabilize DFA navigation and index pattern handling (elastic#73660) [ILM] Add links to "Snapshot and Restore" from ILM "wait for snapshot policy" (elastic#72473) [kbn-storybook] Update Storybook to 5.3.19 (elastic#73320) [Metrics UI] Fix hasData call to ensure it has data not just indices (elastic#72969) [Uptime] Use `service.name` to link from Uptime -> APM where available (elastic#73618) allow others to update `URL.revokeObjectURL` property if needed (elastic#73639) regen docs (elastic#73650) [Visualize] Fix inspector download filename issue when saving in-place (elastic#72605) [Data] Query Input String manager (elastic#72093) [Security Solutions] Add tooltips (elastic#73436) Do not render descriptionless actions within an EuiCard (elastic#73611) [Security Solution][Detections] Value Lists Modal supports multiple exports (elastic#73532) [Security Solution][Resolver] Handle disabled process collection (elastic#73592) [Security_Solution][Bug] Fix user name/domain to ECS structure (elastic#73530) [Security Solution][Exceptions] - Update rule.exceptions_list to include exception list list_id (elastic#73349) ...
This PR allows resolver to gracefully handle events sent by the endpoint that do not have
process.entity_iddefined or it is set to an empty string.Notable changes:
process.entity_idexists on the document and it is not an empty stringentity_id is an empty string
entity_id exists and is not an empty string
