From e253fed7e89ba9c8e8f1b7a7436da7ee64bca108 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Thu, 18 Jun 2020 13:36:30 -0400 Subject: [PATCH] Fixing endgame queries --- .../common/endpoint/models/event.ts | 4 ++-- .../endpoint/routes/resolver/utils/fetch.ts | 18 ++++++++++++++++-- .../api_integration/apis/endpoint/resolver.ts | 1 + 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.ts index 0d6293ad1eb00..fdaef41dbf118 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/event.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/event.ts @@ -53,9 +53,9 @@ export function parentEntityId(event: ResolverEvent): string | undefined { return event.process.parent?.entity_id; } -export function ancestryArray(event: ResolverEvent): string[] { +export function ancestryArray(event: ResolverEvent): string[] | undefined { if (isLegacyEvent(event)) { - return []; + return undefined; } return event.process.Ext.ancestry; } diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts index fce8e4d934382..8d7c3d7b73158 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts @@ -63,7 +63,7 @@ export class Fetcher { await this.doAncestors( // limit the ancestors we're looking for to the number of levels // the array could be up to length 20 but that could change - ancestryArray(originNode.lifecycle[0]).slice(0, limit), + Fetcher.getAncestryAsArray(originNode.lifecycle[0]).slice(0, limit), limit, ancestryInfo ); @@ -149,6 +149,20 @@ export class Fetcher { return createLifecycle(entityID, results); } + private static getAncestryAsArray(event: ResolverEvent): string[] { + const ancestors = ancestryArray(event); + if (ancestors) { + return ancestors; + } + + const parentID = parentEntityId(event); + if (parentID) { + return [parentID]; + } + + return []; + } + private async doAncestors( ancestors: string[], levels: number, @@ -188,7 +202,7 @@ export class Fetcher { const levelsLeft = levels - ancestryNodes.size; // the results come back in ascending order on timestamp so the first entry in the // results should be the further ancestor (most distant grandparent) - const next = ancestryArray(results[0]).slice(0, levelsLeft); + const next = Fetcher.getAncestryAsArray(results[0]).slice(0, levelsLeft); // the ancestry array currently only holds up to 20 values but we can't rely on that so keep recursing await this.doAncestors(next, levelsLeft, ancestorInfo); } diff --git a/x-pack/test/api_integration/apis/endpoint/resolver.ts b/x-pack/test/api_integration/apis/endpoint/resolver.ts index b702914fc16c5..c9356de07f711 100644 --- a/x-pack/test/api_integration/apis/endpoint/resolver.ts +++ b/x-pack/test/api_integration/apis/endpoint/resolver.ts @@ -424,6 +424,7 @@ export default function resolverAPIIntegrationTests({ getService }: FtrProviderC ) .expect(200); expect(body.ancestors[0].lifecycle.length).to.eql(2); + expect(body.ancestors.length).to.eql(2); expect(body.nextAncestor).to.eql(null); });