[Security Solution] Refactor Timeline Events to use Search Strategy (#…

…77205) (#77657)

Co-authored-by: Elastic Machine <[email protected]>

x-pack/plugins/security_solution/common/ecs/agent/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface AgentEcs {
+  type?: string[];
+}

x-pack/plugins/security_solution/common/ecs/endgame/index.ts

@@ -5,29 +5,17 @@
  */
 
 export interface EndgameEcs {
-  exit_code?: number;
-
-  file_name?: string;
-
-  file_path?: string;
-
-  logon_type?: number;
-
-  parent_process_name?: string;
-
-  pid?: number;
-
-  process_name?: string;
-
-  subject_domain_name?: string;
-
-  subject_logon_id?: string;
-
-  subject_user_name?: string;
-
-  target_domain_name?: string;
-
-  target_logon_id?: string;
-
-  target_user_name?: string;
+  exit_code?: number[];
+  file_name?: string[];
+  file_path?: string[];
+  logon_type?: number[];
+  parent_process_name?: string[];
+  pid?: number[];
+  process_name?: string[];
+  subject_domain_name?: string[];
+  subject_logon_id?: string[];
+  subject_user_name?: string[];
+  target_domain_name?: string[];
+  target_logon_id?: string[];
+  target_user_name?: string[];
 }

x-pack/plugins/security_solution/common/ecs/index.ts

@@ -4,11 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { AgentEcs } from './agent';
 import { AuditdEcs } from './auditd';
 import { DestinationEcs } from './destination';
 import { DnsEcs } from './dns';
 import { EndgameEcs } from './endgame';
 import { EventEcs } from './event';
+import { FileEcs } from './file';
 import { GeoEcs } from './geo';
 import { HostEcs } from './host';
 import { NetworkEcs } from './network';
@@ -28,6 +30,7 @@ import { SystemEcs } from './system';
 export interface Ecs {
   _id: string;
   _index?: string;
+  agent?: AgentEcs;
   auditd?: AuditdEcs;
   destination?: DestinationEcs;
   dns?: DnsEcs;
@@ -49,6 +52,6 @@ export interface Ecs {
   user?: UserEcs;
   winlog?: WinlogEcs;
   process?: ProcessEcs;
-  file?: File;
+  file?: FileEcs;
   system?: SystemEcs;
 }

x-pack/plugins/security_solution/common/ecs/process/index.ts

@@ -5,35 +5,25 @@
  */
 
 export interface ProcessEcs {
+  entity_id?: string[];
   hash?: ProcessHashData;
-
   pid?: number[];
-
   name?: string[];
-
   ppid?: number[];
-
   args?: string[];
-
   executable?: string[];
-
   title?: string[];
-
   thread?: Thread;
-
   working_directory?: string[];
 }
 
 export interface ProcessHashData {
   md5?: string[];
-
   sha1?: string[];
-
   sha256?: string[];
 }
 
 export interface Thread {
   id?: number[];
-
   start?: string[];
 }

x-pack/plugins/security_solution/common/ecs/rule/index.ts

@@ -6,64 +6,38 @@
 
 export interface RuleEcs {
   id?: string[];
-
   rule_id?: string[];
-
   false_positives: string[];
-
   saved_id?: string[];
-
   timeline_id?: string[];
-
   timeline_title?: string[];
-
   max_signals?: number[];
-
   risk_score?: string[];
-
   output_index?: string[];
-
   description?: string[];
-
   from?: string[];
-
   immutable?: boolean[];
-
   index?: string[];
-
   interval?: string[];
-
   language?: string[];
-
   query?: string[];
-
   references?: string[];
-
   severity?: string[];
-
   tags?: string[];
-
   threat?: unknown;
-
+  threshold?: {
+    field: string;
+    value: number;
+  };
   type?: string[];
-
   size?: string[];
-
   to?: string[];
-
   enabled?: boolean[];
-
   filters?: unknown;
-
   created_at?: string[];
-
   updated_at?: string[];
-
   created_by?: string[];
-
   updated_by?: string[];
-
   version?: string[];
-
   note?: string[];
 }

x-pack/plugins/security_solution/common/ecs/signal/index.ts

@@ -8,6 +8,6 @@ import { RuleEcs } from '../rule';
 
 export interface SignalEcs {
   rule?: RuleEcs;
-
   original_time?: string[];
+  status?: string[];
 }

x-pack/plugins/security_solution/common/search_strategy/common/index.ts

@@ -113,3 +113,13 @@ export interface GenericBuckets {
 }
 
 export type StringOrNumber = string | number;
+
+export interface TimerangeFilter {
+  range: {
+    [timestamp: string]: {
+      gte: string;
+      lte: string;
+      format: string;
+    };
+  };
+}

x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts

@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Ecs } from '../../../../ecs';
+import { CursorType, Inspect, Maybe } from '../../../common';
+import { TimelineRequestOptionsPaginated } from '../..';
+
+export interface TimelineEdges {
+  node: TimelineItem;
+  cursor: CursorType;
+}
+
+export interface TimelineItem {
+  _id: string;
+  _index?: Maybe<string>;
+  data: TimelineNonEcsData[];
+  ecs: Ecs;
+}
+
+export interface TimelineNonEcsData {
+  field: string;
+  value?: Maybe<string[]>;
+}
+
+export interface TimelineEventsAllStrategyResponse extends IEsSearchResponse {
+  edges: TimelineEdges[];
+  totalCount: number;
+  pageInfo: {
+    activePage: number;
+    totalPages: number;
+  };
+  inspect?: Maybe<Inspect>;
+}
+
+export interface TimelineEventsAllRequestOptions extends TimelineRequestOptionsPaginated {
+  fields: string[];
+  fieldRequested: string[];
+}

x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Ecs } from '../../../../ecs';
+import { CursorType, Maybe } from '../../../common';
+
+export interface TimelineEdges {
+  node: TimelineItem;
+  cursor: CursorType;
+}
+
+export interface TimelineItem {
+  _id: string;
+  _index?: Maybe<string>;
+  data: TimelineNonEcsData[];
+  ecs: Ecs;
+}
+
+export interface TimelineNonEcsData {
+  field: string;
+  value?: Maybe<string[] | string>;
+}

x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts → x-pack/plugins/security_solution/common/search_strategy/timeline/events/details/index.ts

@@ -4,25 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { IEsSearchResponse } from '../../../../../../../src/plugins/data/common';
-import { Inspect, Maybe } from '../../common';
-import { TimelineRequestOptionsPaginated } from '..';
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Inspect, Maybe } from '../../../common';
+import { TimelineRequestOptionsPaginated } from '../..';
 
-export interface DetailItem {
+export interface TimelineEventsDetailsItem {
   field: string;
   values?: Maybe<string[]>;
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   originalValue?: Maybe<any>;
 }
 
-export interface TimelineDetailsStrategyResponse extends IEsSearchResponse {
-  data?: Maybe<DetailItem[]>;
+export interface TimelineEventsDetailsStrategyResponse extends IEsSearchResponse {
+  data?: Maybe<TimelineEventsDetailsItem[]>;
   inspect?: Maybe<Inspect>;
 }
 
-export interface TimelineDetailsRequestOptions extends Partial<TimelineRequestOptionsPaginated> {
+export interface TimelineEventsDetailsRequestOptions
+  extends Partial<TimelineRequestOptionsPaginated> {
   defaultIndex: string[];
-  executeQuery: boolean;
   indexName: string;
   eventId: string;
 }

x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export * from './all';
+export * from './details';
+export * from './last_event_time';
+
+export enum TimelineEventsQueries {
+  all = 'eventsAll',
+  details = 'eventsDetails',
+  lastEventTime = 'eventsLastEventTime',
+}

x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Inspect, Maybe } from '../../../common';
+import { TimelineRequestBasicOptions } from '../..';
+
+export enum LastEventIndexKey {
+  hostDetails = 'hostDetails',
+  hosts = 'hosts',
+  ipDetails = 'ipDetails',
+  network = 'network',
+}
+
+export interface LastTimeDetails {
+  hostName?: Maybe<string>;
+  ip?: Maybe<string>;
+}
+
+export interface TimelineEventsLastEventTimeStrategyResponse extends IEsSearchResponse {
+  lastSeen: Maybe<string>;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface TimelineEventsLastEventTimeRequestOptions
+  extends Omit<TimelineRequestBasicOptions, 'filterQuery' | 'timerange'> {
+  indexKey: LastEventIndexKey;
+  details: LastTimeDetails;
+}