From 8935d79bdad42f42b433294136c466811eae480c Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Wed, 24 Jun 2020 13:31:39 -0500
Subject: [PATCH] [Security][Network] Exclude glob-only (*) Index Pattern from map layers (#69736) (#69824)

* Exclude glob-only (*) index pattern from map layers

This pattern is a special case that our map should ignore, as including it causes all indexes to be queried.

* Ignore CCS glob pattern in our embedded map

Users may have this pattern for cross-cluster search, and it should similarly be excluded when matching Security indexes.
---
 .../components/embeddables/__mocks__/mock.ts | 9 +++++++++
 .../embeddables/embedded_map_helpers.test.tsx | 13 +++++++++++--
 .../components/embeddables/embedded_map_helpers.tsx | 13 ++++++++++---
 3 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/__mocks__/mock.ts b/x-pack/plugins/security_solution/public/network/components/embeddables/__mocks__/mock.ts
index bc1de567b60ae..6f8c3e1123854 100644
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/__mocks__/mock.ts
+++ b/x-pack/plugins/security_solution/public/network/components/embeddables/__mocks__/mock.ts
@@ -475,3 +475,12 @@ export const mockGlobIndexPattern: IndexPatternSavedObject = {
 title: '*',
 },
 };
+
+export const mockCCSGlobIndexPattern: IndexPatternSavedObject = {
+ id: '*:*',
+ type: 'index-pattern',
+ _version: 'abc',
+ attributes: {
+ title: '*:*',
+ },
+};
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.test.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.test.tsx
index d42ac919e9af0..50170f4f6ae9e 100644
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.test.tsx
@@ -14,6 +14,7 @@ import {
 mockAuditbeatIndexPattern,
 mockFilebeatIndexPattern,
 mockGlobIndexPattern,
+ mockCCSGlobIndexPattern,
 } from './__mocks__/mock';

 const mockEmbeddable = embeddablePluginMock.createStartContract();
@@ -106,12 +107,20 @@ describe('embedded_map_helpers', () => {
 ]);
 });

- test('finds glob-only index patterns ', () => {
+ test('excludes glob-only index patterns', () => {
 const matchingIndexPatterns = findMatchingIndexPatterns({
 kibanaIndexPatterns: [mockGlobIndexPattern, mockFilebeatIndexPattern],
 siemDefaultIndices,
 });
- expect(matchingIndexPatterns).toEqual([mockGlobIndexPattern, mockFilebeatIndexPattern]);
+ expect(matchingIndexPatterns).toEqual([mockFilebeatIndexPattern]);
+ });
+
+ test('excludes glob-only CCS index patterns', () => {
+ const matchingIndexPatterns = findMatchingIndexPatterns({
+ kibanaIndexPatterns: [mockCCSGlobIndexPattern, mockFilebeatIndexPattern],
+ siemDefaultIndices,
+ });
+ expect(matchingIndexPatterns).toEqual([mockFilebeatIndexPattern]);
 });
 });
 });
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.tsx
index e50dcd7a8c8d8..b0f8e2cc02403 100644
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map_helpers.tsx
@@ -128,6 +128,9 @@ export const createEmbeddable = async (
 return embeddableObject;
 };

+// These patterns are overly greedy and must be excluded when matching against Security indexes.
+const ignoredIndexPatterns = ['*', '*:*'];
+
 /**
 * Returns kibanaIndexPatterns that wildcard match at least one of siemDefaultIndices
 *
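Review bot: The JSDoc that begins in the last lines of the `@@ -128,6 +128,9 @@` hunk still says the function returns every Kibana index pattern that wildcard-matches a Security index, and it is not updated to say that titles in `ignoredIndexPatterns` are now dropped first. I would add a line to that doc block such as `* Titles listed in ignoredIndexPatterns ('*' and the cross-cluster '*:*') are never returned, because they would make the map query every index.` The comment on the constant could state the same reason instead of "overly greedy", so the next maintainer knows what the denylist protects against before editing it. The doc block continues outside the hunk.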
@@ -142,9 +145,13 @@ export const findMatchingIndexPatterns = ({
 siemDefaultIndices: string[];
 }): IndexPatternSavedObject[] => {
 try {
- return kibanaIndexPatterns.filter((kip) =>
- siemDefaultIndices.some((sdi) => minimatch(sdi, kip.attributes.title))
- );
+ return kibanaIndexPatterns.filter((kip) => {
+ const pattern = kip.attributes.title;
+ return (
+ !ignoredIndexPatterns.includes(pattern) &&
+ siemDefaultIndices.some((sdi) => minimatch(sdi, pattern))
+ );
+ });
 } catch {
 return [];
 }
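Review bot: The exclusion in the new filter callback is an exact string comparison, so only the two titles `*` and `*:*` are dropped; any other saved title that is equally broad still reaches `minimatch` and can put an all-index layer on the map. Titles such as `**` or `*-*` look like they would pass (inferred from the visible call, not verified against the real `siemDefaultIndices` values), and index-pattern titles are user-defined. Consider rejecting wildcard-only titles by shape instead of by list membership, for instance `const isGlobOnly = /^[*:]+$/.test(pattern);` used in place of `ignoredIndexPatterns.includes(pattern)`, and add a test for at least one near-variant, since the tests in embedded_map_helpers.test.tsx cover only the two exact strings. The function's closing lines fall outside the hunk.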