Refactor esql generation and helpers

Author: machadoum

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/privileged_user_monitoring/components/privileged_user_activity/esql_source_query.ts

@@ -21,16 +21,14 @@ import {
   buildAuthenticationsColumns,
 } from './columns';
 import { getLensAttributes } from './get_lens_attributes';
-import {
-  getAccountSwitchesEsqlSource,
-  getAuthenticationsEsqlSource,
-  getGrantedRightsEsqlSource,
-} from './esql_source_query';
 import {
   ACCOUNT_SWITCH_STACK_BY,
   AUTHENTICATIONS_STACK_BY,
   GRANTED_RIGHTS_STACK_BY,
 } from './constants';
+import { getAuthenticationsEsqlSource } from '../../queries/authentications_esql_query';
+import { getAccountSwitchesEsqlSource } from '../../queries/account_switches_esql_query';
+import { getGrantedRightsEsqlSource } from '../../queries/granted_rights_esql_query';
 
 const toggleOptionsConfig = {
   [VisualizationToggleOptions.GRANTED_RIGHTS]: {
@@ -87,11 +85,17 @@ export const usePrivilegedUserActivityParams = (
     [selectedToggleOption, openRightPanel]
   );
 
+  const hasLoadedDependencies = useMemo(
+    () => Boolean(spaceId && indexPattern && fields),
+    [spaceId, indexPattern, fields]
+  );
+
   return {
     getLensAttributes,
     generateVisualizationQuery,
     generateTableQuery,
     columns,
+    hasLoadedDependencies,
   };
 };
 

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/privileged_user_monitoring/components/privileged_user_activity/hooks.tsx

@@ -7,6 +7,7 @@
 
 import {
   EuiButtonGroup,
+  EuiCallOut,
   EuiFlexGroup,
   EuiFlexItem,
   EuiPanel,
@@ -47,10 +48,14 @@ export const UserActivityPrivilegedUsersPanel: React.FC<{
     VisualizationToggleOptions.GRANTED_RIGHTS
   );
 
-  const { getLensAttributes, columns, generateVisualizationQuery, generateTableQuery } =
-    usePrivilegedUserActivityParams(selectedToggleOption, sourcererDataView);
+  const {
+    getLensAttributes,
+    columns,
+    generateVisualizationQuery,
+    generateTableQuery,
+    hasLoadedDependencies,
+  } = usePrivilegedUserActivityParams(selectedToggleOption, sourcererDataView);
   const stackByOptions = useStackByOptions(selectedToggleOption);
-
   const setSelectedChartOptionCallback = useCallback(
     (event: React.ChangeEvent<HTMLSelectElement>) => {
       setSelectedStackByOption(
@@ -118,7 +123,7 @@ export const UserActivityPrivilegedUsersPanel: React.FC<{
             </EuiFlexItem>
           </EuiFlexGroup>
           <EuiSpacer size="m" />
-          {generateVisualizationQuery && generateTableQuery && (
+          {generateVisualizationQuery && generateTableQuery ? (
             <EsqlDashboardPanel<TableItemType>
               title={TITLE}
               stackByField={selectedStackByOption.value}
@@ -130,6 +135,25 @@ export const UserActivityPrivilegedUsersPanel: React.FC<{
               pageSize={PAGE_SIZE}
               showInspectTable={true}
             />
+          ) : (
+            // If dependencies are loaded but the query generation functions are not available, show an error message
+            hasLoadedDependencies && (
+              <EuiCallOut
+                title={
+                  <FormattedMessage
+                    id="xpack.securitySolution.entityAnalytics.privilegedUserMonitoring.userActivity.missingMappings.errorTitle"
+                    defaultMessage="There was a problem rendering the visualization"
+                  />
+                }
+                color="warning"
+                iconType="error"
+              >
+                <FormattedMessage
+                  id="xpack.securitySolution.entityAnalytics.privilegedUserMonitoring.userActivity.missingMappings.errorMessage"
+                  defaultMessage="The required fields are not present in the data view."
+                />
+              </EuiCallOut>
+            )
           )}
         </>
       )}

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/privileged_user_monitoring/components/privileged_user_activity/index.tsx

@@ -19,7 +19,7 @@ import type { RiskLevelsTableItem, RiskLevelsPrivilegedUsersQueryResult } from '
 import { RiskScoreLevel } from '../../../severity/common';
 import type { RiskSeverity } from '../../../../../../common/search_strategy';
 import { esqlResponseToRecords } from '../../../../../common/utils/esql';
-import { getRiskLevelsPrivilegedUsersQueryBody } from './esql_query';
+import { getRiskLevelsPrivilegedUsersQueryBody } from '../../queries/risk_level_esql_query';
 
 export const useRiskLevelsPrivilegedUserQuery = ({
   skip,

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/privileged_user_monitoring/components/risk_level_panel/hooks.tsx

@@ -23,14 +23,16 @@ import { HeaderSection } from '../../../../../common/components/header_section';
 import { InspectButtonContainer } from '../../../../../common/components/inspect';
 import { SEVERITY_UI_SORT_ORDER } from '../../../../common';
 import { useRiskScoreFillColor } from '../../../risk_score_donut_chart/use_risk_score_fill_color';
-import { DONUT_CHART_HEIGHT, RISK_LEVELS_PRIVILEGED_USERS_QUERY_ID } from './esql_query';
+import { RISK_LEVELS_PRIVILEGED_USERS_QUERY_ID } from '../../queries/risk_level_esql_query';
 import { useRiskLevelsPrivilegedUserQuery, useRiskLevelsTableColumns } from './hooks';
 
 const TITLE = i18n.translate(
   'xpack.securitySolution.entityAnalytics.privilegedUserMonitoring.riskLevels.title',
   { defaultMessage: 'Risk levels of privileged users' }
 );
 
+export const DONUT_CHART_HEIGHT = 160;
+
 export const RiskLevelsPrivilegedUsersPanel: React.FC<{ spaceId: string }> = ({ spaceId }) => {
   const fillColor = useRiskScoreFillColor();
   const { toggleStatus, setToggleStatus } = useQueryToggle(RISK_LEVELS_PRIVILEGED_USERS_QUERY_ID);

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/privileged_user_monitoring/components/risk_level_panel/index.tsx

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { DataViewFieldMap } from '@kbn/data-views-plugin/common';
+import { getPrivilegedMonitorUsersJoin } from './helpers';
+
+export const getAccountSwitchesEsqlSource = (
+  namespace: string,
+  indexPattern: string,
+  fields: DataViewFieldMap
+) => {
+  return `FROM ${indexPattern} METADATA _id, _index
+    ${getPrivilegedMonitorUsersJoin(namespace)}
+    | WHERE process.command_line.caseless RLIKE "(su|sudo su|sudo -i|sudo -s|ssh [^@]+@[^\s]+)"
+    | RENAME process.command_line.caseless AS command_process, process.group_leader.user.name AS target_user, process.parent.real_group.name AS group_name, process.real_user.name as privileged_user, host.ip AS host_ip
+    | KEEP @timestamp, privileged_user, host_ip, target_user, group_name, command_process, _id, _index`;
+};

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/privileged_user_monitoring/helpers.ts

@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { DataViewFieldMap } from '@kbn/data-views-plugin/common';
+import { getPrivilegedMonitorUsersJoin, removeInvalidForkBranchesFromESQL } from './helpers';
+
+// TODO Verify if we can improve the type field logic https://github.com/elastic/security-team/issues/12713
+export const getAuthenticationsEsqlSource = (
+  namespace: string,
+  indexPattern: string,
+  fields: DataViewFieldMap
+) =>
+  removeInvalidForkBranchesFromESQL(
+    fields,
+    `FROM ${indexPattern} METADATA _id, _index
+  ${getPrivilegedMonitorUsersJoin(namespace)}
+  | WHERE user.name IS NOT NULL
+  | FORK
+      (
+          WHERE event.dataset	== "okta.system"
+        | EVAL event_combined = COALESCE(event.action, okta.event_type, event.category)
+        | WHERE to_lower(event_combined) RLIKE ".*?(authn|authentication|sso|mfa|token.grant|authorize.code|session.start|unauth_app_access_attempt|evaluate_sign_on|verify_push).*?"
+        | EVAL result = okta.outcome.result
+        | EVAL destination = okta.target.display_name
+        | EVAL source = event.module
+        | EVAL host_ip = source.ip
+        | EVAL url = okta.debug_context.debug_data.url
+        | EVAL type = CASE(
+          STARTS_WITH(url, "/api/v1/authn"), "Direct",
+       STARTS_WITH(url, "/oauth2/v1/authorize") OR STARTS_WITH(url, "/oauth2/v1/token") OR
+           LOCATE(url, "/sso/saml") > 0, "Federated",
+        null)
+      )
+      (
+          WHERE event.dataset	!= "okta.system" AND event.category == "authentication"
+        | EVAL result = event.outcome
+        | EVAL source = host.os.name
+        | EVAL type = "Direct"
+        | EVAL destination = host.name
+        | EVAL host_ip = host.ip
+      )
+  | RENAME user.name as privileged_user
+| KEEP @timestamp, privileged_user, source, host_ip, result, destination, _id, _index, event.outcome, type`
+  );