[8.x] [Cloud Security] Added filter support to graph API (#199048) #199702

kibanamachine · 2024-11-11T19:52:20Z

Backport

This will backport the following commits from main to 8.x:

[Cloud Security] Added filter support to graph API (#199048)

Questions ?

Please refer to the Backport tool documentation

## Summary Enhances the graph API to support filtering by bool query. Graph API is an internal API that hasn't been released yet to ESS, and is not available yet on serverless (behind a feature-flag in kibana.config) due to the above I don't consider it a breaking change. Previous API request body: ```js query: schema.object({ actorIds: schema.arrayOf(schema.string()), eventIds: schema.arrayOf(schema.string()), // TODO: use zod for range validation instead of config schema start: schema.oneOf([schema.number(), schema.string()]), end: schema.oneOf([schema.number(), schema.string()]), ``` New API request body: ```js nodesLimit: schema.maybe(schema.number()), // Maximum number of nodes in the graph (currently the graph doesn't handle very well graph with over 100 nodes) showUnknownTarget: schema.maybe(schema.boolean()), // Whether or not to return events that miss target.entity.id query: schema.object({ eventIds: schema.arrayOf(schema.string()), // Event ids that triggered the alert, would be marked in red // TODO: use zod for range validation instead of config schema start: schema.oneOf([schema.number(), schema.string()]), end: schema.oneOf([schema.number(), schema.string()]), esQuery: schema.maybe( // elasticsearch's dsl bool query schema.object({ bool: schema.object({ filter: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))), must: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))), should: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))), must_not: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))), }), }) ``` New field to the graph API response (pseudo): ```js messages?: ApiMessageCode[] enum ApiMessageCode { ReachedNodesLimit = 'REACHED_NODES_LIMIT', } ``` ### How to test Toggle feature flag in kibana.dev.yml ```yaml xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled'] ``` To test through the UI you can use the mocked data ```bash node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 ``` 1. Go to the alerts page 2. Change the query time range to show alerts from the 13th of October 2024 (**IMPORTANT**) 3. Open the alerts flyout 5. Scroll to see the graph visualization : D To test **only** the API you can use the mocked data ```bash node scripts/es_archiver load x-pack/test/cloud_security_posture_api/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 ``` And through dev tools: ``` POST kbn:/internal/cloud_security_posture/graph?apiVersion=1 { "query": { "eventIds": [], "start": "now-1y/y", "end": "now/d", "esQuery": { "bool": { "filter": [ { "match_phrase": { "actor.entity.id": "[email protected]" } } ] } } } } ``` ### Related PRs - elastic#196034 - elastic#195307 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> (cherry picked from commit 160e626)

elasticmachine · 2024-11-11T21:25:31Z

💔 Build Failed

Buildkite Build
Commit: 9cd525b

Failed CI Steps

Test Failures

[job] [logs] FTR Configs #28 / EPM Endpoints Installs a package using stream-based approach security_detection_engine package should install security-rule assets from the package
[job] [logs] FTR Configs #28 / EPM Endpoints Installs a package using stream-based approach security_detection_engine package should install security-rule assets from the package
[job] [logs] FTR Configs #28 / EPM Endpoints Installs a package using stream-based approach security_detection_engine package should install security-rule assets from the package
[job] [logs] Jest Tests #4 / StepDefineRule related integrations submits a selected related integration

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
`securitySolution`	13.4MB	13.4MB	+356.0B

History

cc @kfirpeled

kibanamachine assigned kfirpeled Nov 11, 2024

kibanamachine added the backport label Nov 11, 2024

kibanamachine enabled auto-merge (squash) November 11, 2024 19:52

kibanamachine mentioned this pull request Nov 11, 2024

[Cloud Security] Added filter support to graph API #199048

Merged

1 task

github-actions bot approved these changes Nov 11, 2024

View reviewed changes

Merge branch '8.x' into backport/8.x/pr-199048

60a9c7f

kibanamachine merged commit 7a39e33 into elastic:8.x Nov 13, 2024
34 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[8.x] [Cloud Security] Added filter support to graph API (#199048) #199702

[8.x] [Cloud Security] Added filter support to graph API (#199048) #199702

kibanamachine commented Nov 11, 2024

elasticmachine commented Nov 11, 2024 •

edited

Loading

[8.x] [Cloud Security] Added filter support to graph API (#199048) #199702

[8.x] [Cloud Security] Added filter support to graph API (#199048) #199702

Conversation

kibanamachine commented Nov 11, 2024

Backport

Questions ?

elasticmachine commented Nov 11, 2024 • edited Loading

💔 Build Failed

Failed CI Steps

Test Failures

Metrics [docs]

Async chunks

History

elasticmachine commented Nov 11, 2024 •

edited

Loading