[8.x] [Cloud Security] Added filter support to graph API (#199048)#199702
Merged
kibanamachine merged 2 commits intoelastic:8.xfrom Nov 13, 2024
Merged
[8.x] [Cloud Security] Added filter support to graph API (#199048)#199702kibanamachine merged 2 commits intoelastic:8.xfrom
kibanamachine merged 2 commits intoelastic:8.xfrom
Conversation
## Summary
Enhances the graph API to support filtering by bool query.
Graph API is an internal API that hasn't been released yet to ESS, and
is not available yet on serverless (behind a feature-flag in
kibana.config) due to the above I don't consider it a breaking change.
Previous API request body:
```js
query: schema.object({
actorIds: schema.arrayOf(schema.string()),
eventIds: schema.arrayOf(schema.string()),
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
```
New API request body:
```js
nodesLimit: schema.maybe(schema.number()), // Maximum number of nodes in the graph (currently the graph doesn't handle very well graph with over 100 nodes)
showUnknownTarget: schema.maybe(schema.boolean()), // Whether or not to return events that miss target.entity.id
query: schema.object({
eventIds: schema.arrayOf(schema.string()), // Event ids that triggered the alert, would be marked in red
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
esQuery: schema.maybe( // elasticsearch's dsl bool query
schema.object({
bool: schema.object({
filter: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
should: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must_not: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
}),
})
```
New field to the graph API response (pseudo):
```js
messages?: ApiMessageCode[]
enum ApiMessageCode {
ReachedNodesLimit = 'REACHED_NODES_LIMIT',
}
```
### How to test
Toggle feature flag in kibana.dev.yml
```yaml
xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']
```
To test through the UI you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
1. Go to the alerts page
2. Change the query time range to show alerts from the 13th of October
2024 (**IMPORTANT**)
3. Open the alerts flyout
5. Scroll to see the graph visualization : D
To test **only** the API you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_api/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
And through dev tools:
```
POST kbn:/internal/cloud_security_posture/graph?apiVersion=1
{
"query": {
"eventIds": [],
"start": "now-1y/y",
"end": "now/d",
"esQuery": {
"bool": {
"filter": [
{
"match_phrase": {
"actor.entity.id": "admin@example.com"
}
}
]
}
}
}
}
```
### Related PRs
- elastic#196034
- elastic#195307
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 160e626)
1 task
Contributor
💔 Build Failed
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Historycc @kfirpeled |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.x:Questions ?
Please refer to the Backport tool documentation