[Security Solution] Fix DNS Network table query

patrykkopycinski · patrykkopycinski · commit 8d8db9c601ad · 2020-11-05T21:50:48.000+01:00
diff --git a/x-pack/plugins/security_solution/public/common/components/paginated_table/helpers.ts b/x-pack/plugins/security_solution/public/common/components/paginated_table/helpers.ts
@@ -8,13 +8,14 @@ import { PaginationInputPaginated } from '../../../graphql/types';
 
 export const generateTablePaginationOptions = (
   activePage: number,
-  limit: number
+  limit: number,
+  isBucketSort?: boolean
 ): PaginationInputPaginated => {
   const cursorStart = activePage * limit;
   return {
     activePage,
     cursorStart,
     fakePossibleCount: 4 <= activePage && activePage > 0 ? limit * (activePage + 2) : limit * 5,
-    querySize: limit + cursorStart,
+    querySize: isBucketSort ? limit : limit + cursorStart,
   };
 };
diff --git a/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx b/x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx
@@ -80,7 +80,7 @@ export const useNetworkDns = ({
           factoryQueryType: NetworkQueries.dns,
           filterQuery: createFilter(filterQuery),
           isPtrIncluded,
-          pagination: generateTablePaginationOptions(activePage, limit),
+          pagination: generateTablePaginationOptions(activePage, limit, true),
           sort,
           timerange: {
             interval: '12h',
@@ -196,7 +196,7 @@ export const useNetworkDns = ({
         isPtrIncluded,
         factoryQueryType: NetworkQueries.dns,
         filterQuery: createFilter(filterQuery),
-        pagination: generateTablePaginationOptions(activePage, limit),
+        pagination: generateTablePaginationOptions(activePage, limit, true),
         sort,
         timerange: {
           interval: '12h',
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
@@ -33,11 +33,10 @@ export const networkDns: SecuritySolutionFactory<NetworkQueries.dns> = {
     options: NetworkDnsRequestOptions,
     response: IEsSearchResponse<unknown>
   ): Promise<NetworkDnsStrategyResponse> => {
-    const { activePage, cursorStart, fakePossibleCount, querySize } = options.pagination;
+    const { activePage, fakePossibleCount } = options.pagination;
     const totalCount = getOr(0, 'aggregations.dns_count.value', response.rawResponse);
-    const networkDnsEdges: NetworkDnsEdges[] = getDnsEdges(response);
+    const edges: NetworkDnsEdges[] = getDnsEdges(response);
     const fakeTotalCount = fakePossibleCount <= totalCount ? fakePossibleCount : totalCount;
-    const edges = networkDnsEdges.splice(cursorStart, querySize - cursorStart);
     const inspect = {
       dsl: [inspectStringifyObject(buildDnsQuery(options))],
     };
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
@@ -15,25 +15,30 @@ import {
 } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
 
+const HUGE_QUERY_SIZE = 1000000;
+
 type QueryOrder =
-  | { _count: Direction }
-  | { _key: Direction }
-  | { unique_domains: Direction }
-  | { dns_bytes_in: Direction }
-  | { dns_bytes_out: Direction };
+  | { _count: { order: Direction } }
+  | { _key: { order: Direction } }
+  | { unique_domains: { order: Direction } }
+  | { dns_bytes_in: { order: Direction } }
+  | { dns_bytes_out: { order: Direction } };
 
 const getQueryOrder = (sort: SortField<NetworkDnsFields>): QueryOrder => {
   switch (sort.field) {
     case NetworkDnsFields.queryCount:
-      return { _count: sort.direction };
+      return {
+        _count: {
+          order: sort.direction,
+        },
+      };
     case NetworkDnsFields.dnsName:
-      return { _key: sort.direction };
+      return { _key: { order: sort.direction } };
     case NetworkDnsFields.uniqueDomains:
-      return { unique_domains: sort.direction };
+      return { unique_domains: { order: sort.direction } };
     case NetworkDnsFields.dnsBytesIn:
-      return { dns_bytes_in: sort.direction };
+      return { dns_bytes_in: { order: sort.direction } };
     case NetworkDnsFields.dnsBytesOut:
-      return { dns_bytes_out: sort.direction };
   }
   assertUnreachable(sort.field);
 };
@@ -67,7 +72,7 @@ export const buildDnsQuery = ({
   filterQuery,
   isPtrIncluded,
   sort,
-  pagination: { querySize },
+  pagination: { cursorStart, querySize },
   stackByField = 'dns.question.registered_domain',
   timerange: { from, to },
 }: NetworkDnsRequestOptions) => {
@@ -95,12 +100,16 @@ export const buildDnsQuery = ({
         dns_name_query_count: {
           terms: {
             field: stackByField,
-            size: querySize,
-            order: {
-              ...getQueryOrder(sort),
-            },
+            size: HUGE_QUERY_SIZE,
           },
           aggs: {
+            bucket_sort: {
+              bucket_sort: {
+                sort: [getQueryOrder(sort), { _key: { order: 'asc' } }],
+                from: cursorStart,
+                size: querySize,
+              },
+            },
             unique_domains: {
               cardinality: {
                 field: 'dns.question.name',
diff --git a/x-pack/test/api_integration/apis/security_solution/network_dns.ts b/x-pack/test/api_integration/apis/security_solution/network_dns.ts
@@ -18,8 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const supertest = getService('supertest');
 
-  // Failing: See https://github.com/elastic/kibana/issues/82207
-  describe.skip('Network DNS', () => {
+  describe('Network DNS', () => {
     describe('With packetbeat', () => {
       before(() => esArchiver.load('packetbeat/dns'));
       after(() => esArchiver.unload('packetbeat/dns'));
@@ -59,7 +58,7 @@ export default function ({ getService }: FtrProviderContext) {
         expect(networkDns.edges.length).to.be(10);
         expect(networkDns.totalCount).to.be(44);
         expect(networkDns.edges.map((i: NetworkDnsEdges) => i.node.dnsName).join(',')).to.be(
-          'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,crowbird.com,d1oxlq5h9kq8q5.cloudfront.net'
+          'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,d1oxlq5h9kq8q5.cloudfront.net,d3epxf4t8a32oh.cloudfront.net'
         );
         expect(networkDns.pageInfo.fakeTotalCount).to.equal(30);
       });
