Skip to content

Commit

Permalink
[Security Solution] Fix DNS Network table query (elastic#82778)
Browse files Browse the repository at this point in the history
  • Loading branch information
patrykkopycinski authored Nov 10, 2020
1 parent 8ff92f2 commit 915f718
Show file tree
Hide file tree
Showing 6 changed files with 60 additions and 29 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,14 @@ import { PaginationInputPaginated } from '../../../graphql/types';

export const generateTablePaginationOptions = (
activePage: number,
limit: number
limit: number,
isBucketSort?: boolean
): PaginationInputPaginated => {
const cursorStart = activePage * limit;
return {
activePage,
cursorStart,
fakePossibleCount: 4 <= activePage && activePage > 0 ? limit * (activePage + 2) : limit * 5,
querySize: limit + cursorStart,
querySize: isBucketSort ? limit : limit + cursorStart,
};
};
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ export const useNetworkDns = ({
factoryQueryType: NetworkQueries.dns,
filterQuery: createFilter(filterQuery),
isPtrIncluded,
pagination: generateTablePaginationOptions(activePage, limit),
pagination: generateTablePaginationOptions(activePage, limit, true),
sort,
timerange: {
interval: '12h',
Expand Down Expand Up @@ -193,7 +193,7 @@ export const useNetworkDns = ({
isPtrIncluded,
factoryQueryType: NetworkQueries.dns,
filterQuery: createFilter(filterQuery),
pagination: generateTablePaginationOptions(activePage, limit),
pagination: generateTablePaginationOptions(activePage, limit, true),
sort,
timerange: {
interval: '12h',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -146,10 +146,23 @@ export const formattedSearchStrategyResponse = {
dns_name_query_count: {
terms: {
field: 'dns.question.registered_domain',
size: 10,
order: { unique_domains: 'desc' },
size: 1000000,
},
aggs: {
bucket_sort: {
bucket_sort: {
sort: [
{
unique_domains: {
order: 'desc',
},
},
{ _key: { order: 'asc' } },
],
from: 0,
size: 10,
},
},
unique_domains: { cardinality: { field: 'dns.question.name' } },
dns_bytes_in: { sum: { field: 'source.bytes' } },
dns_bytes_out: { sum: { field: 'destination.bytes' } },
Expand Down Expand Up @@ -204,10 +217,23 @@ export const expectedDsl = {
dns_name_query_count: {
terms: {
field: 'dns.question.registered_domain',
size: 10,
order: { unique_domains: 'desc' },
size: 1000000,
},
aggs: {
bucket_sort: {
bucket_sort: {
sort: [
{
unique_domains: {
order: 'desc',
},
},
{ _key: { order: 'asc' } },
],
from: 0,
size: 10,
},
},
unique_domains: { cardinality: { field: 'dns.question.name' } },
dns_bytes_in: { sum: { field: 'source.bytes' } },
dns_bytes_out: { sum: { field: 'destination.bytes' } },
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,10 @@ export const networkDns: SecuritySolutionFactory<NetworkQueries.dns> = {
options: NetworkDnsRequestOptions,
response: IEsSearchResponse<unknown>
): Promise<NetworkDnsStrategyResponse> => {
const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination;
const { activePage, fakePossibleCount } = options.pagination;
const totalCount = getOr(0, 'aggregations.dns_count.value', response.rawResponse);
const networkDnsEdges: NetworkDnsEdges[] = getDnsEdges(response);
const edges: NetworkDnsEdges[] = getDnsEdges(response);
const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount;
const edges = networkDnsEdges.splice(cursorStart, querySize - cursorStart);
const inspect = {
dsl: [inspectStringifyObject(buildDnsQuery(options))],
};
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,27 @@ import {
} from '../../../../../../common/search_strategy';
import { createQueryFilterClauses } from '../../../../../utils/build_query';

const HUGE_QUERY_SIZE = 1000000;

type QueryOrder =
| { _count: Direction }
| { _key: Direction }
| { unique_domains: Direction }
| { dns_bytes_in: Direction }
| { dns_bytes_out: Direction };
| { _count: { order: Direction } }
| { _key: { order: Direction } }
| { unique_domains: { order: Direction } }
| { dns_bytes_in: { order: Direction } }
| { dns_bytes_out: { order: Direction } };

const getQueryOrder = (sort: SortField<NetworkDnsFields>): QueryOrder => {
switch (sort.field) {
case NetworkDnsFields.queryCount:
return { _count: sort.direction };
return { _count: { order: sort.direction } };
case NetworkDnsFields.dnsName:
return { _key: sort.direction };
return { _key: { order: sort.direction } };
case NetworkDnsFields.uniqueDomains:
return { unique_domains: sort.direction };
return { unique_domains: { order: sort.direction } };
case NetworkDnsFields.dnsBytesIn:
return { dns_bytes_in: sort.direction };
return { dns_bytes_in: { order: sort.direction } };
case NetworkDnsFields.dnsBytesOut:
return { dns_bytes_out: sort.direction };
return { dns_bytes_out: { order: sort.direction } };
}
assertUnreachable(sort.field);
};
Expand Down Expand Up @@ -67,7 +69,7 @@ export const buildDnsQuery = ({
filterQuery,
isPtrIncluded,
sort,
pagination: { querySize },
pagination: { cursorStart, querySize },
stackByField = 'dns.question.registered_domain',
timerange: { from, to },
}: NetworkDnsRequestOptions) => {
Expand Down Expand Up @@ -95,12 +97,16 @@ export const buildDnsQuery = ({
dns_name_query_count: {
terms: {
field: stackByField,
size: querySize,
order: {
...getQueryOrder(sort),
},
size: HUGE_QUERY_SIZE,
},
aggs: {
bucket_sort: {
bucket_sort: {
sort: [getQueryOrder(sort), { _key: { order: 'asc' } }],
from: cursorStart,
size: querySize,
},
},
unique_domains: {
cardinality: {
field: 'dns.question.name',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');

// Failing: See https://github.com/elastic/kibana/issues/82207
describe.skip('Network DNS', () => {
describe('Network DNS', () => {
describe('With packetbeat', () => {
before(() => esArchiver.load('packetbeat/dns'));
after(() => esArchiver.unload('packetbeat/dns'));
Expand Down Expand Up @@ -59,7 +58,7 @@ export default function ({ getService }: FtrProviderContext) {
expect(networkDns.edges.length).to.be(10);
expect(networkDns.totalCount).to.be(44);
expect(networkDns.edges.map((i: NetworkDnsEdges) => i.node.dnsName).join(',')).to.be(
'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,crowbird.com,d1oxlq5h9kq8q5.cloudfront.net'
'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,d1oxlq5h9kq8q5.cloudfront.net,d3epxf4t8a32oh.cloudfront.net'
);
expect(networkDns.pageInfo.fakeTotalCount).to.equal(30);
});
Expand Down

0 comments on commit 915f718

Please sign in to comment.