Merge branch 'master' into one-click-alert

elastic · Aug 26, 2020 · a0000d0 · a0000d0
2 parents dd3915b + b9c8201
commit a0000d0
Show file tree

Hide file tree

Showing 41 changed files with 1,559 additions and 518 deletions.
diff --git a/docs/developer/best-practices/index.asciidoc b/docs/developer/best-practices/index.asciidoc
@@ -48,7 +48,7 @@ guidelines]
 * Write all new code on
 {kib-repo}blob/{branch}/src/core/README.md[the
 platform], and following
-{kib-repo}blob/{branch}/src/core/CONVENTIONS.md[conventions]
+{kib-repo}blob/{branch}/src/core/CONVENTIONS.md[conventions].
 * _Always_ use the `SavedObjectClient` for reading and writing Saved
 Objects.
 * Add `README`s to all your plugins and services.

diff --git a/docs/developer/best-practices/stability.asciidoc b/docs/developer/best-practices/stability.asciidoc
@@ -52,15 +52,15 @@ storeinSessions?)
 [discrete]
 === Browser coverage
 
-Refer to the list of browsers and OS {kib} supports
+Refer to the list of browsers and OS {kib} supports:
 https://www.elastic.co/support/matrix
 
 Does the feature work efficiently on the list of supported browsers? 
 
 [discrete]
-=== Upgrade Scenarios - Migration scenarios- 
+=== Upgrade and Migration scenarios
 
-Does the feature affect old
-indices, saved objects ? - Has the feature been tested with {kib}
-aliases - Read/Write privileges of the indices before and after the
+* Does the feature affect old indices or saved objects?
+* Has the feature been tested with {kib} aliases?
+* Read/Write privileges of the indices before and after the
 upgrade?
diff --git a/docs/developer/getting-started/building-kibana.asciidoc b/docs/developer/getting-started/building-kibana.asciidoc
@@ -1,7 +1,7 @@
 [[building-kibana]]
 == Building a {kib} distributable
 
-The following commands will build a {kib} production distributable.
+The following command will build a {kib} production distributable:
 
 [source,bash]
 ----
@@ -36,4 +36,4 @@ To specify a package to build you can add `rpm` or `deb` as an argument.
 yarn build --rpm
 ----
 
-Distributable packages can be found in `target/` after the build completes.
+Distributable packages can be found in `target/` after the build completes.
diff --git a/docs/developer/getting-started/index.asciidoc b/docs/developer/getting-started/index.asciidoc
@@ -49,7 +49,7 @@ ____
 
 (You can also run `yarn kbn` to see the other available commands. For
 more info about this tool, see
-{kib-repo}tree/{branch}/packages/kbn-pm[{kib-repo}tree/{branch}packages/kbn-pm].)
+{kib-repo}tree/{branch}/packages/kbn-pm[{kib-repo}tree/{branch}/packages/kbn-pm].)
 
 When switching branches which use different versions of npm packages you
 may need to run:
@@ -137,4 +137,4 @@ include::debugging.asciidoc[leveloffset=+1]
 
 include::building-kibana.asciidoc[leveloffset=+1]
 
-include::development-plugin-resources.asciidoc[leveloffset=+1]
+include::development-plugin-resources.asciidoc[leveloffset=+1]
diff --git a/docs/developer/getting-started/running-kibana-advanced.asciidoc b/docs/developer/getting-started/running-kibana-advanced.asciidoc
@@ -73,8 +73,8 @@ settings].
 [discrete]
 === Potential Optimization Pitfalls
 
-* Webpack is trying to include a file in the bundle that I deleted and
-is now complaining about it is missing
+* Webpack is trying to include a file in the bundle that was deleted and
+is now complaining about it being missing
 * A module id that used to resolve to a single file now resolves to a
 directory, but webpack isn’t adapting
 * (if you discover other scenarios, please send a PR!)
@@ -84,4 +84,4 @@ directory, but webpack isn’t adapting
 
 {kib} includes self-signed certificates that can be used for
 development purposes in the browser and for communicating with
-{es}: `yarn start --ssl` & `yarn es snapshot --ssl`.
+{es}: `yarn start --ssl` & `yarn es snapshot --ssl`.
diff --git a/x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.ts b/x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.ts
@@ -198,12 +198,15 @@ export class EncryptedSavedObjectsService {
     if (typeDefinition === undefined) {
       return attributes;
     }
+    let encryptionAAD: string | undefined;
 
-    const encryptionAAD = this.getAAD(typeDefinition, descriptor, attributes);
     const encryptedAttributes: Record<string, string> = {};
     for (const attributeName of typeDefinition.attributesToEncrypt) {
       const attributeValue = attributes[attributeName];
       if (attributeValue != null) {
+        if (!encryptionAAD) {
+          encryptionAAD = this.getAAD(typeDefinition, descriptor, attributes);
+        }
         try {
           encryptedAttributes[attributeName] = (yield [attributeValue, encryptionAAD])!;
         } catch (err) {
@@ -376,8 +379,7 @@ export class EncryptedSavedObjectsService {
     if (typeDefinition === undefined) {
       return attributes;
     }
-
-    const encryptionAAD = this.getAAD(typeDefinition, descriptor, attributes);
+    let encryptionAAD: string | undefined;
     const decryptedAttributes: Record<string, EncryptOutput> = {};
     for (const attributeName of typeDefinition.attributesToEncrypt) {
       const attributeValue = attributes[attributeName];
@@ -393,7 +395,9 @@ export class EncryptedSavedObjectsService {
           )}`
         );
       }
-
+      if (!encryptionAAD) {
+        encryptionAAD = this.getAAD(typeDefinition, descriptor, attributes);
+      }
       try {
         decryptedAttributes[attributeName] = (yield [attributeValue, encryptionAAD])!;
       } catch (err) {

diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts
@@ -169,6 +169,7 @@ describe('data generator', () => {
     const childrenPerNode = 3;
     const generations = 3;
     const relatedAlerts = 4;
+
     beforeEach(() => {
       tree = generator.generateTree({
         alwaysGenMaxChildrenPerNode: true,
@@ -182,6 +183,7 @@ describe('data generator', () => {
           { category: RelatedEventCategory.File, count: 2 },
           { category: RelatedEventCategory.Network, count: 1 },
         ],
+        relatedEventsOrdered: true,
         relatedAlerts,
         ancestryArraySize: ANCESTRY_LIMIT,
       });
@@ -212,6 +214,14 @@ describe('data generator', () => {
       }
     };
 
+    it('creates related events in ascending order', () => {
+      // the order should not change since it should already be in ascending order
+      const relatedEventsAsc = _.cloneDeep(tree.origin.relatedEvents).sort(
+        (event1, event2) => event1['@timestamp'] - event2['@timestamp']
+      );
+      expect(tree.origin.relatedEvents).toStrictEqual(relatedEventsAsc);
+    });
+
     it('has ancestry array defined', () => {
       expect(tree.origin.lifecycle[0].process.Ext!.ancestry!.length).toBe(ANCESTRY_LIMIT);
       for (const event of tree.allEvents) {

diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
@@ -302,6 +302,12 @@ export interface TreeOptions {
   generations?: number;
   children?: number;
   relatedEvents?: RelatedEventInfo[] | number;
+  /**
+   * If true then the related events will be created with timestamps that preserve the
+   * generation order, meaning the first event will always have a timestamp number less
+   * than the next related event
+   */
+  relatedEventsOrdered?: boolean;
   relatedAlerts?: number;
   percentWithRelated?: number;
   percentTerminated?: number;
@@ -322,6 +328,7 @@ export function getTreeOptionsWithDef(options?: TreeOptions): TreeOptionDefaults
     generations: options?.generations ?? 2,
     children: options?.children ?? 2,
     relatedEvents: options?.relatedEvents ?? 5,
+    relatedEventsOrdered: options?.relatedEventsOrdered ?? false,
     relatedAlerts: options?.relatedAlerts ?? 3,
     percentWithRelated: options?.percentWithRelated ?? 30,
     percentTerminated: options?.percentTerminated ?? 100,
@@ -809,7 +816,8 @@ export class EndpointDocGenerator {
       for (const relatedEvent of this.relatedEventsGenerator(
         node,
         opts.relatedEvents,
-        secBeforeEvent
+        secBeforeEvent,
+        opts.relatedEventsOrdered
       )) {
         eventList.push(relatedEvent);
       }
@@ -877,6 +885,8 @@ export class EndpointDocGenerator {
         addRelatedAlerts(ancestor, numAlertsPerNode, processDuration, events);
       }
     }
+    timestamp = timestamp + 1000;
+
     events.push(
       this.generateAlert(
         timestamp,
@@ -961,7 +971,12 @@ export class EndpointDocGenerator {
         });
       }
       if (this.randomN(100) < opts.percentWithRelated) {
-        yield* this.relatedEventsGenerator(child, opts.relatedEvents, processDuration);
+        yield* this.relatedEventsGenerator(
+          child,
+          opts.relatedEvents,
+          processDuration,
+          opts.relatedEventsOrdered
+        );
         yield* this.relatedAlertsGenerator(child, opts.relatedAlerts, processDuration);
       }
     }
@@ -973,13 +988,17 @@ export class EndpointDocGenerator {
    * @param relatedEvents - can be an array of RelatedEventInfo objects describing the related events that should be generated for each process node
    *  or a number which defines the number of related events and will default to random categories
    * @param processDuration - maximum number of seconds after process event that related event timestamp can be
+   * @param ordered - if true the events will have an increasing timestamp, otherwise their timestamp will be random but
+   *  guaranteed to be greater than or equal to the originating event
    */
   public *relatedEventsGenerator(
     node: Event,
     relatedEvents: RelatedEventInfo[] | number = 10,
-    processDuration: number = 6 * 3600
+    processDuration: number = 6 * 3600,
+    ordered: boolean = false
   ) {
     let relatedEventsInfo: RelatedEventInfo[];
+    let ts = node['@timestamp'] + 1;
     if (typeof relatedEvents === 'number') {
       relatedEventsInfo = [{ category: RelatedEventCategory.Random, count: relatedEvents }];
     } else {
@@ -995,7 +1014,12 @@ export class EndpointDocGenerator {
           eventInfo = OTHER_EVENT_CATEGORIES[event.category];
         }
 
-        const ts = node['@timestamp'] + this.randomN(processDuration) * 1000;
+        if (ordered) {
+          ts += this.randomN(processDuration) * 1000;
+        } else {
+          ts = node['@timestamp'] + this.randomN(processDuration) * 1000;
+        }
+
         yield this.generateEvent({
           timestamp: ts,
           entityID: node.process.entity_id,

diff --git a/x-pack/plugins/security_solution/common/endpoint/schema/resolver.ts b/x-pack/plugins/security_solution/common/endpoint/schema/resolver.ts
@@ -33,6 +33,11 @@ export const validateEvents = {
     afterEvent: schema.maybe(schema.string()),
     legacyEndpointID: schema.maybe(schema.string({ minLength: 1 })),
   }),
+  body: schema.nullable(
+    schema.object({
+      filter: schema.maybe(schema.string()),
+    })
+  ),
 };
 
 /**
@@ -45,6 +50,11 @@ export const validateAlerts = {
     afterAlert: schema.maybe(schema.string()),
     legacyEndpointID: schema.maybe(schema.string({ minLength: 1 })),
   }),
+  body: schema.nullable(
+    schema.object({
+      filter: schema.maybe(schema.string()),
+    })
+  ),
 };
 
 /**