Added 2 new functions to DAL, adjusted old one to use new API

elastic · Sep 24, 2020 · 25fb54a · 25fb54a
1 parent 67c0ac7
commit 25fb54a
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 2 deletions.
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts
@@ -11,6 +11,8 @@ import {
   ResolverRelatedEvents,
   ResolverTree,
   ResolverEntityIndex,
+  ResolverPaginatedEvents,
+  SafeResolverEvent,
 } from '../../../common/endpoint/types';
 
 /**
@@ -22,12 +24,54 @@ export function dataAccessLayerFactory(
   const dataAccessLayer: DataAccessLayer = {
     /**
      * Used to get non-process related events for a node.
+     * @deprecated use the new API (eventsWithEntityIDAndCategory & event) instead
      */
     async relatedEvents(entityID: string): Promise<ResolverRelatedEvents> {
-      return context.services.http.post(`/api/endpoint/resolver/${entityID}/events`, {
-        query: { events: 100 },
+      const response: ResolverPaginatedEvents = await context.services.http.post(
+        '/api/endpoint/resolver/events',
+        {
+          query: {},
+          body: JSON.stringify({
+            filter: `process.entity_id:"${entityID}" and not event.category:"process"`,
+          }),
+        }
+      );
+
+      return { ...response, entityID };
+    },
+
+    /**
+     * Return events that have `process.entity_id` that includes `entityID` and that have
+     * a `event.category` that includes `category`.
+     */
+    async eventsWithEntityIDAndCategory(
+      entityID: string,
+      category: string,
+      after?: string
+    ): Promise<ResolverPaginatedEvents> {
+      return context.services.http.post('/api/endpoint/resolver/events', {
+        query: { afterEvent: after },
+        body: JSON.stringify({
+          filter: `process.entity_id:"${entityID}" and event.category:"${category}"`,
+        }),
       });
     },
+
+    /**
+     * Return up to one event that has an `event.id` that includes `eventID`.
+     */
+    async event(eventID: string): Promise<SafeResolverEvent | null> {
+      const response: ResolverPaginatedEvents = await context.services.http.post(
+        '/api/endpoint/resolver/events',
+        {
+          query: {},
+          body: JSON.stringify({ filter: `event.id:"${eventID}"` }),
+        }
+      );
+      const [oneEvent] = response.events;
+      return oneEvent ?? null;
+    },
+
     /**
      * Used to get descendant and ancestor process events for a node.
      */

diff --git a/x-pack/plugins/security_solution/public/resolver/types.ts b/x-pack/plugins/security_solution/public/resolver/types.ts
@@ -16,6 +16,7 @@ import {
   ResolverTree,
   ResolverEntityIndex,
   SafeResolverEvent,
+  ResolverPaginatedEvents,
 } from '../../common/endpoint/types';
 
 /**
@@ -503,6 +504,21 @@ export interface DataAccessLayer {
    */
   relatedEvents: (entityID: string) => Promise<ResolverRelatedEvents>;
 
+  /**
+   * Return events that have `process.entity_id` that includes `entityID` and that have
+   * a `event.category` that includes `category`.
+   */
+  eventsWithEntityIDAndCategory: (
+    entityID: string,
+    category: string,
+    after?: string
+  ) => Promise<ResolverPaginatedEvents>;
+
+  /**
+   * Return up to one event that has an `event.id` that includes `eventID`.
+   */
+  event: (eventID: string) => Promise<SafeResolverEvent | null>;
+
   /**
    * Fetch a ResolverTree for a entityID
    */