[Security Solution] Refactor Host uncommon processes to use Search St…

…rategy (#76539)

* add search strategy of uncommon processes

* fixup

* fix host.name

* remove comment

* review

* revert path for libs

* fix path

* revert

* remove additional lines

* remove comment

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/authentications/index.ts

@@ -19,14 +19,14 @@ import {
 } from '../../../common';
 import { RequestOptionsPaginated } from '../../';
 
-export interface AuthenticationsStrategyResponse extends IEsSearchResponse {
+export interface HostAuthenticationsStrategyResponse extends IEsSearchResponse {
   edges: AuthenticationsEdges[];
   totalCount: number;
   pageInfo: PageInfoPaginated;
   inspect?: Maybe<Inspect>;
 }
 
-export interface AuthenticationsRequestOptions extends RequestOptionsPaginated {
+export interface HostAuthenticationsRequestOptions extends RequestOptionsPaginated {
   defaultIndex: string[];
 }
 

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts

@@ -6,7 +6,7 @@
 
 import { CloudEcs } from '../../../../ecs/cloud';
 import { HostEcs, OsEcs } from '../../../../ecs/host';
-import { Maybe, SearchHit, TotalValue } from '../../../common';
+import { Hit, Hits, Maybe, SearchHit, StringOrNumber, TotalValue } from '../../../common';
 
 export enum HostPolicyResponseActionStatus {
   success = 'success',
@@ -98,3 +98,15 @@ export interface HostAggEsData extends SearchHit {
   sort: string[];
   aggregations: HostAggEsItem;
 }
+
+export interface HostHit extends Hit {
+  _source: {
+    '@timestamp'?: string;
+    host: HostEcs;
+  };
+  cursor?: string;
+  firstSeen?: string;
+  sort?: StringOrNumber[];
+}
+
+export type HostHits = Hits<number, HostHit>;

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/index.ts

@@ -9,10 +9,12 @@ export * from './all';
 export * from './common';
 export * from './overview';
 export * from './first_last_seen';
+export * from './uncommon_processes';
 
 export enum HostsQueries {
   authentications = 'authentications',
   firstLastSeen = 'firstLastSeen',
   hosts = 'hosts',
   hostOverview = 'hostOverview',
+  uncommonProcesses = 'uncommonProcesses',
 }

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/uncommon_processes/index.ts

@@ -0,0 +1,86 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+
+import { HostEcs } from '../../../../ecs/host';
+import { UserEcs } from '../../../../ecs/user';
+import {
+  RequestOptionsPaginated,
+  SortField,
+  CursorType,
+  Inspect,
+  Maybe,
+  PageInfoPaginated,
+  Hit,
+  TotalHit,
+  StringOrNumber,
+  Hits,
+} from '../../..';
+
+export interface HostUncommonProcessesRequestOptions extends RequestOptionsPaginated {
+  sort: SortField;
+  defaultIndex: string[];
+}
+
+export interface HostUncommonProcessesStrategyResponse extends IEsSearchResponse {
+  edges: UncommonProcessesEdges[];
+  totalCount: number;
+  pageInfo: PageInfoPaginated;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface UncommonProcessesEdges {
+  node: UncommonProcessItem;
+  cursor: CursorType;
+}
+
+export interface UncommonProcessItem {
+  _id: string;
+  instances: number;
+  process: ProcessEcsFields;
+  hosts: HostEcs[];
+  user?: Maybe<UserEcs>;
+}
+
+export interface ProcessEcsFields {
+  hash?: Maybe<ProcessHashData>;
+  pid?: Maybe<number[]>;
+  name?: Maybe<string[]>;
+  ppid?: Maybe<number[]>;
+  args?: Maybe<string[]>;
+  entity_id?: Maybe<string[]>;
+  executable?: Maybe<string[]>;
+  title?: Maybe<string[]>;
+  thread?: Maybe<Thread>;
+  working_directory?: Maybe<string[]>;
+}
+
+export interface ProcessHashData {
+  md5?: Maybe<string[]>;
+  sha1?: Maybe<string[]>;
+  sha256?: Maybe<string[]>;
+}
+
+export interface Thread {
+  id?: Maybe<number[]>;
+  start?: Maybe<string[]>;
+}
+
+export interface UncommonProcessHit extends Hit {
+  total: TotalHit;
+  host: Array<{
+    id: string[] | undefined;
+    name: string[] | undefined;
+  }>;
+  _source: {
+    '@timestamp': string;
+    process: ProcessEcsFields;
+  };
+  cursor: string;
+  sort: StringOrNumber[];
+}
+
+export type ProcessHits = Hits<TotalHit, UncommonProcessHit>;

x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts

@@ -8,17 +8,17 @@ import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
 import { ESQuery } from '../../typed_json';
 import {
   HostOverviewStrategyResponse,
+  HostAuthenticationsRequestOptions,
+  HostAuthenticationsStrategyResponse,
   HostOverviewRequestOptions,
   HostFirstLastSeenStrategyResponse,
   HostFirstLastSeenRequestOptions,
   HostsQueries,
   HostsRequestOptions,
   HostsStrategyResponse,
+  HostUncommonProcessesStrategyResponse,
+  HostUncommonProcessesRequestOptions,
 } from './hosts';
-import {
-  AuthenticationsRequestOptions,
-  AuthenticationsStrategyResponse,
-} from './hosts/authentications';
 import {
   NetworkQueries,
   NetworkTlsStrategyResponse,
@@ -66,9 +66,11 @@ export type StrategyResponseType<T extends FactoryQueryTypes> = T extends HostsQ
   : T extends HostsQueries.hostOverview
   ? HostOverviewStrategyResponse
   : T extends HostsQueries.authentications
-  ? AuthenticationsStrategyResponse
+  ? HostAuthenticationsStrategyResponse
   : T extends HostsQueries.firstLastSeen
   ? HostFirstLastSeenStrategyResponse
+  : T extends HostsQueries.uncommonProcesses
+  ? HostUncommonProcessesStrategyResponse
   : T extends NetworkQueries.tls
   ? NetworkTlsStrategyResponse
   : T extends NetworkQueries.http
@@ -82,9 +84,11 @@ export type StrategyRequestType<T extends FactoryQueryTypes> = T extends HostsQu
   : T extends HostsQueries.hostOverview
   ? HostOverviewRequestOptions
   : T extends HostsQueries.authentications
-  ? AuthenticationsRequestOptions
+  ? HostAuthenticationsRequestOptions
   : T extends HostsQueries.firstLastSeen
   ? HostFirstLastSeenRequestOptions
+  : T extends HostsQueries.uncommonProcesses
+  ? HostUncommonProcessesRequestOptions
   : T extends NetworkQueries.tls
   ? NetworkTlsRequestOptions
   : T extends NetworkQueries.http

x-pack/plugins/security_solution/public/hosts/components/authentications_table/mock.ts

@@ -4,9 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import { SearchResponse } from 'elasticsearch';
-import { AuthenticationsStrategyResponse } from '../../../../common/search_strategy/security_solution/hosts/authentications';
+import { HostAuthenticationsStrategyResponse } from '../../../../common/search_strategy/security_solution/hosts/authentications';
 
-export const mockData: { Authentications: AuthenticationsStrategyResponse } = {
+export const mockData: { Authentications: HostAuthenticationsStrategyResponse } = {
   Authentications: {
     rawResponse: {
       aggregations: {

x-pack/plugins/security_solution/public/hosts/containers/authentications/index.tsx

@@ -12,15 +12,14 @@ import deepEqual from 'fast-deep-equal';
 import { AbortError } from '../../../../../../../src/plugins/data/common';
 
 import { DEFAULT_INDEX_KEY } from '../../../../common/constants';
+import { HostsQueries } from '../../../../common/search_strategy/security_solution';
 import {
-  Direction,
-  DocValueFields,
-  HostPolicyResponseActionStatus,
-  HostsQueries,
-  PageInfoPaginated,
-  AuthenticationsRequestOptions,
-  AuthenticationsStrategyResponse,
+  HostAuthenticationsRequestOptions,
+  HostAuthenticationsStrategyResponse,
   AuthenticationsEdges,
+  PageInfoPaginated,
+  DocValueFields,
+  SortField,
 } from '../../../../common/search_strategy';
 import { ESTermQuery } from '../../../../common/typed_json';
 
@@ -75,7 +74,7 @@ export const useAuthentications = ({
   const defaultIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
   const [loading, setLoading] = useState(false);
   const [authenticationsRequest, setAuthenticationsRequest] = useState<
-    AuthenticationsRequestOptions
+    HostAuthenticationsRequestOptions
   >({
     defaultIndex,
     docValueFields: docValueFields ?? [],
@@ -87,10 +86,7 @@ export const useAuthentications = ({
       from: startDate,
       to: endDate,
     },
-    sort: {
-      direction: Direction.desc,
-      field: HostPolicyResponseActionStatus.success,
-    },
+    sort: {} as SortField,
   });
 
   const wrappedLoadMore = useCallback(
@@ -125,14 +121,14 @@ export const useAuthentications = ({
   });
 
   const authenticationsSearch = useCallback(
-    (request: AuthenticationsRequestOptions) => {
+    (request: HostAuthenticationsRequestOptions) => {
       let didCancel = false;
       const asyncSearch = async () => {
         abortCtrl.current = new AbortController();
         setLoading(true);
 
         const searchSubscription$ = data.search
-          .search<AuthenticationsRequestOptions, AuthenticationsStrategyResponse>(request, {
+          .search<HostAuthenticationsRequestOptions, HostAuthenticationsStrategyResponse>(request, {
             strategy: 'securitySolutionSearchStrategy',
             abortSignal: abortCtrl.current.signal,
           })