diff --git a/x-pack/plugins/osquery/common/api/live_query/find_live_query_route.ts b/x-pack/plugins/osquery/common/api/live_query/find_live_query_route.ts
index 110466a706457..be0787b85fd87 100644
--- a/x-pack/plugins/osquery/common/api/live_query/find_live_query_route.ts
+++ b/x-pack/plugins/osquery/common/api/live_query/find_live_query_route.ts
@@ -9,7 +9,7 @@ import * as t from 'io-ts';
 import { toNumberRt } from '@kbn/io-ts-utils';
 export const findLiveQueryRequestQuerySchema = t.type({
- filterQuery: t.union([t.string, t.undefined]),
+ kuery: t.union([t.string, t.undefined]),
 page: t.union([toNumberRt, t.undefined]),
 pageSize: t.union([toNumberRt, t.undefined]),
 sort: t.union([t.string, t.undefined]),
diff --git a/x-pack/plugins/osquery/common/api/live_query/get_live_query_results_route.ts b/x-pack/plugins/osquery/common/api/live_query/get_live_query_results_route.ts
index 553e3eae10cd8..ce09004ddb58f 100644
--- a/x-pack/plugins/osquery/common/api/live_query/get_live_query_results_route.ts
+++ b/x-pack/plugins/osquery/common/api/live_query/get_live_query_results_route.ts
@@ -9,7 +9,7 @@ import * as t from 'io-ts';
 import { toNumberRt } from '@kbn/io-ts-utils';
 export const getLiveQueryResultsRequestQuerySchema = t.type({
- filterQuery: t.union([t.string, t.undefined]),
+ kuery: t.union([t.string, t.undefined]),
 page: t.union([toNumberRt, t.undefined]),
 pageSize: t.union([toNumberRt, t.undefined]),
 sort: t.union([t.string, t.undefined]),
diff --git a/x-pack/plugins/osquery/common/search_strategy/osquery/index.ts b/x-pack/plugins/osquery/common/search_strategy/osquery/index.ts
index b8985297b3062..53508c17208b2 100644
--- a/x-pack/plugins/osquery/common/search_strategy/osquery/index.ts
+++ b/x-pack/plugins/osquery/common/search_strategy/osquery/index.ts
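Review bot: `kuery: t.union([t.string, t.undefined])` in both request schemas accepts any string, so a syntactically invalid KQL expression passes route validation and is only rejected later, when `buildEsQuery` parses it inside the search strategy, with whatever status that path produces; whether the routes map `KQLSyntaxError` to a 400 is not visible here. Validating at the boundary keeps a client error from surfacing as a server error and documents that this field is KQL rather than free text: define `const kqlString = t.refinement(t.string, (s) => { try { fromKueryExpression(s); return true; } catch { return false; } }, 'KqlString');` using `fromKueryExpression` from `@kbn/es-query`, and use `kuery: t.union([kqlString, t.undefined])` in both schemas. A maximum length on the same refinement would also bound the parser work a single request can trigger.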
@@ -5,9 +5,7 @@
 * 2.0.
 */
-import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import type { IEsSearchRequest } from '@kbn/data-plugin/common';
-import type { ESQuery } from '../../typed_json';
 import type {
 ActionsStrategyResponse,
 ActionsRequestOptions,
@@ -19,7 +17,7 @@ import type {
 import type { AgentsStrategyResponse, AgentsRequestOptions } from './agents';
 import type { ResultsStrategyResponse, ResultsRequestOptions } from './results';
-import type { DocValueFields, SortField, PaginationInputPaginated } from '../common';
+import type { SortField, PaginationInputPaginated } from '../common';
 export * from './actions';
 export * from './agents';
@@ -36,9 +34,7 @@ export enum OsqueryQueries {
 export type FactoryQueryTypes = OsqueryQueries;
 export interface RequestBasicOptions extends IEsSearchRequest {
- filterQuery: ESQuery | string | undefined;
- aggregations?: Record;
- docValueFields?: DocValueFields[];
+ kuery?: string;
 factoryQueryType?: FactoryQueryTypes;
 componentTemplateExists?: boolean;
 }
diff --git a/x-pack/plugins/osquery/common/utils/build_query/filters.ts b/x-pack/plugins/osquery/common/utils/build_query/filters.ts
index 0d82a581e27d9..3ae72c25edf82 100644
--- a/x-pack/plugins/osquery/common/utils/build_query/filters.ts
+++ b/x-pack/plugins/osquery/common/utils/build_query/filters.ts
@@ -5,15 +5,7 @@
 * 2.0.
 */
-import { isEmpty, isString } from 'lodash/fp';
 import type { PaginationInputPaginated, Inspect } from '../../search_strategy';
-import type { ESQuery } from '../../typed_json';
-
-export const createQueryFilterClauses = (filterQuery: ESQuery | string | undefined) =>
- !isEmpty(filterQuery) ? [isString(filterQuery) ? JSON.parse(filterQuery) : filterQuery] : [];
-
-export const createFilter = (filterQuery: ESQuery | string | undefined) =>
- isString(filterQuery) ? filterQuery : JSON.stringify(filterQuery);
 export type InspectResponse = Inspect & { response: string[] };
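Review bot: `kuery?: string` on `RequestBasicOptions` carries none of the contract the server-side builders in this change now depend on: it is a KQL expression, it is concatenated onto each builder's own scoping predicate and compiled with `buildEsQuery`, and any value a caller interpolates into it has to be escaped. Since this interface is the one type every client hook and route hands to the search strategy, I would put that on the field: `/** Optional KQL expression. Compiled server-side with buildEsQuery and AND-ed with the factory's own scope clause (action_id, active, ...); interpolated values must be escaped (escapeKuery / escapeQuotes from @kbn/es-query). */`. Dropping `aggregations` and `docValueFields`, and with them the `JSON.parse` of client-supplied DSL in `createQueryFilterClauses`, is the substantive hardening here and reads correctly.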
diff --git a/x-pack/plugins/osquery/cypress/e2e/all/cases.cy.ts b/x-pack/plugins/osquery/cypress/e2e/all/cases.cy.ts
index 93fa941da4727..178ff1e243c49 100644
--- a/x-pack/plugins/osquery/cypress/e2e/all/cases.cy.ts
+++ b/x-pack/plugins/osquery/cypress/e2e/all/cases.cy.ts
@@ -22,6 +22,7 @@ describe('Add to Cases', () => {
 loadLiveQuery({
 agent_all: true,
 query: "SELECT * FROM os_version where name='Ubuntu';",
+ kuery: '',
 }).then((liveQuery) => {
 liveQueryId = liveQuery.action_id;
 liveQueryQuery = liveQuery.queries[0].query;
diff --git a/x-pack/plugins/osquery/cypress/tasks/api_fixtures.ts b/x-pack/plugins/osquery/cypress/tasks/api_fixtures.ts
index 4246c55afd912..1dd5a5c802fcc 100644
--- a/x-pack/plugins/osquery/cypress/tasks/api_fixtures.ts
+++ b/x-pack/plugins/osquery/cypress/tasks/api_fixtures.ts
@@ -122,6 +122,7 @@ export const loadLiveQuery = (
 payload = {
 agent_all: true,
 query: 'select * from uptime;',
+ kuery: '',
 }
 ) =>
 request<{
diff --git a/x-pack/plugins/osquery/public/action_results/use_action_results.ts b/x-pack/plugins/osquery/public/action_results/use_action_results.ts
index f950b4f1907c3..ef7dbad151d20 100644
--- a/x-pack/plugins/osquery/public/action_results/use_action_results.ts
+++ b/x-pack/plugins/osquery/public/action_results/use_action_results.ts
@@ -11,11 +11,7 @@ import { useQuery } from '@tanstack/react-query';
 import { i18n } from '@kbn/i18n';
 import { lastValueFrom } from 'rxjs';
 import type { InspectResponse } from '../common/helpers';
-import {
- createFilter,
- getInspectResponse,
- generateTablePaginationOptions,
-} from '../common/helpers';
+import { getInspectResponse, generateTablePaginationOptions } from '../common/helpers';
 import { useKibana } from '../common/lib/kibana';
 import type {
 ResultEdges,
@@ -24,7 +20,6 @@ import type {
 Direction,
 } from '../../common/search_strategy';
 import { OsqueryQueries } from '../../common/search_strategy';
-import type { ESTermQuery } from '../../common/typed_json';
 import { queryClient } from '../query_client';
 import { useErrorToast } from '../common/hooks/use_error_toast';
@@ -43,7 +38,7 @@ export interface UseActionResults {
 direction: Direction;
 limit: number;
 sortField: string;
- filterQuery?: ESTermQuery | string;
+ kuery?: string;
 skip?: boolean;
 isLive?: boolean;
 }
@@ -55,7 +50,7 @@ export const useActionResults = ({
 direction,
 limit,
 sortField,
- filterQuery,
+ kuery,
 skip = false,
 isLive = false,
 }: UseActionResults) => {
@@ -70,7 +65,7 @@ export const useActionResults = ({
 {
 actionId,
 factoryQueryType: OsqueryQueries.actionResults,
- filterQuery: createFilter(filterQuery),
+ kuery,
 pagination: generateTablePaginationOptions(activePage, limit),
 sort: {
 direction,
diff --git a/x-pack/plugins/osquery/public/actions/actions_table.tsx b/x-pack/plugins/osquery/public/actions/actions_table.tsx
index ef256d73946e3..cd5e1a685d33b 100644
--- a/x-pack/plugins/osquery/public/actions/actions_table.tsx
+++ b/x-pack/plugins/osquery/public/actions/actions_table.tsx
@@ -62,11 +62,7 @@ const ActionsTableComponent = () => {
 const { data: actionsData } = useAllLiveQueries({
 activePage: pageIndex,
 limit: pageSize,
- filterQuery: {
- exists: {
- field: 'user_id',
- },
- },
+ kuery: 'user_id: *',
 });
 const onTableChange = useCallback(({ page = {} }) => {
diff --git a/x-pack/plugins/osquery/public/actions/use_all_live_queries.ts b/x-pack/plugins/osquery/public/actions/use_all_live_queries.ts
index ec124b552b2aa..cb118d01bc867 100644
--- a/x-pack/plugins/osquery/public/actions/use_all_live_queries.ts
+++ b/x-pack/plugins/osquery/public/actions/use_all_live_queries.ts
@@ -9,10 +9,8 @@ import { useQuery } from '@tanstack/react-query';
 import { i18n } from '@kbn/i18n';
 import { API_VERSIONS } from '../../common/constants';
-import { createFilter } from '../common/helpers';
 import { useKibana } from '../common/lib/kibana';
 import type { ActionEdges, ActionsStrategyResponse } from '../../common/search_strategy';
-import type { ESTermQuery, ESExistsQuery } from '../../common/typed_json';
 import { useErrorToast } from '../common/hooks/use_error_toast';
 import { Direction } from '../../common/search_strategy';
@@ -22,7 +20,7 @@ export interface UseAllLiveQueriesConfig {
 direction?: Direction;
 limit?: number;
 sortField?: string;
- filterQuery?: ESTermQuery | ESExistsQuery | string;
+ kuery?: string;
 skip?: boolean;
 alertId?: string;
 }
@@ -35,7 +33,7 @@ export const useAllLiveQueries = ({
 direction = Direction.desc,
 limit = 100,
 sortField = '@timestamp',
- filterQuery,
+ kuery,
 skip = false,
 alertId,
 }: UseAllLiveQueriesConfig) => {
@@ -53,7 +51,7 @@ export const useAllLiveQueries = ({
 {
 version: API_VERSIONS.public.v1,
 query: {
- filterQuery: createFilter(filterQuery),
+ kuery,
 page: activePage,
 pageSize: limit,
 sort: sortField,
diff --git a/x-pack/plugins/osquery/public/actions/use_live_query_details.ts b/x-pack/plugins/osquery/public/actions/use_live_query_details.ts
index bea2a0bc6b6fb..4437662625b1b 100644
--- a/x-pack/plugins/osquery/public/actions/use_live_query_details.ts
+++ b/x-pack/plugins/osquery/public/actions/use_live_query_details.ts
@@ -12,13 +12,12 @@ import { filter } from 'lodash';
 import type { ECSMapping } from '@kbn/osquery-io-ts-types';
 import { API_VERSIONS } from '../../common/constants';
 import { useKibana } from '../common/lib/kibana';
-import type { ESTermQuery } from '../../common/typed_json';
 import { useErrorToast } from '../common/hooks/use_error_toast';
 interface UseLiveQueryDetails {
 actionId?: string;
 isLive?: boolean;
- filterQuery?: ESTermQuery | string;
+ kuery?: string;
 skip?: boolean;
 queryIds?: string[];
 }
@@ -54,7 +53,7 @@ export interface LiveQueryDetailsItem {
 export const useLiveQueryDetails = ({
 actionId,
- filterQuery,
+ kuery,
 isLive = false,
 skip = false,
 queryIds, // enable finding out specific queries only, eg. in cases
@@ -63,7 +62,7 @@ export const useLiveQueryDetails = ({
 const setErrorToast = useErrorToast();
 return useQuery<{ data: LiveQueryDetailsItem }, Error, LiveQueryDetailsItem>(
- ['liveQueries', { actionId, filterQuery, queryIds }],
+ ['liveQueries', { actionId, kuery, queryIds }],
 () => http.get(`/api/osquery/live_queries/${actionId}`, { version: API_VERSIONS.public.v1 }),
 {
 enabled: !skip && !!actionId,
diff --git a/x-pack/plugins/osquery/public/agents/use_agent_groups.ts b/x-pack/plugins/osquery/public/agents/use_agent_groups.ts
index 156b439dcc18d..c7b72b489bbec 100644
--- a/x-pack/plugins/osquery/public/agents/use_agent_groups.ts
+++ b/x-pack/plugins/osquery/public/agents/use_agent_groups.ts
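Review bot: `kuery` is accepted by `useLiveQueryDetails` and placed in the react-query cache key on the `['liveQueries', { actionId, kuery, queryIds }]` line, but the request on the next line is `http.get(\`/api/osquery/live_queries/${actionId}\`, { version: API_VERSIONS.public.v1 })` with no `query`, so the value never reaches the server and only fragments the cache. Either forward it (`{ version: API_VERSIONS.public.v1, query: { kuery } }` — only if the details route accepts one; the details-route hunk in this same change drops its filter entirely) or remove `kuery` from `UseLiveQueryDetails` so callers do not assume it filters. The same was true of `filterQuery` before the rename, so this is a pre-existing gap the rename preserves rather than introduces.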
@@ -35,30 +35,13 @@ export const useAgentGroups = () => {
 >(
 ['agentGroups'],
 async () => {
+ const policiesQuery = osqueryPolicies?.reduce((acc, policy) => `${acc} OR ${policy}`);
+
 const responseData = await lastValueFrom(
 data.search.search(
 {
- filterQuery: { terms: { policy_id: osqueryPolicies } },
+ kuery: `policy_id: ( ${policiesQuery} )`,
 factoryQueryType: OsqueryQueries.agents,
- aggregations: {
- platforms: {
- terms: {
- field: 'local_metadata.os.platform',
- },
- aggs: {
- policies: {
- terms: {
- field: 'policy_id',
- },
- },
- },
- },
- policies: {
- terms: {
- field: 'policy_id',
- },
- },
- },
 pagination: generateTablePaginationOptions(0, 9000),
 sort: {
 direction: 'asc',
diff --git a/x-pack/plugins/osquery/public/common/helpers.test.ts b/x-pack/plugins/osquery/public/common/helpers.test.ts
deleted file mode 100644
index 968023d726b3b..0000000000000
--- a/x-pack/plugins/osquery/public/common/helpers.test.ts
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type { ESQuery } from '../../common/typed_json';
-
-import { createFilter } from './helpers';
-
-describe('Helpers', () => {
- describe('#createFilter', () => {
- test('if it is a string it returns untouched', () => {
- const filter = createFilter('even invalid strings return the same');
- expect(filter).toBe('even invalid strings return the same');
- });
-
- test('if it is an ESQuery object it will be returned as a string', () => {
- const query: ESQuery = { term: { 'host.id': 'host-value' } };
- const filter = createFilter(query);
- expect(filter).toBe(JSON.stringify(query));
- });
-
- test('if it is undefined, then undefined is returned', () => {
- const filter = createFilter(undefined);
- expect(filter).toBe(undefined);
- });
- });
-});
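Review bot: `osqueryPolicies?.reduce((acc, policy) => \`${acc} OR ${policy}\`)` is called without an initial value, so an empty policy list throws `TypeError: Reduce of empty array with no initial value` inside the query function, and an undefined list produces the literal expression `policy_id: ( undefined )`; policy ids are also interpolated unquoted, so any id containing a KQL metacharacter breaks or alters the expression. Build the list with quoting and a join instead: `const policiesQuery = (osqueryPolicies ?? []).map((policy) => \`"${escapeQuotes(policy)}"\`).join(' OR ');` and pass `kuery: policiesQuery ? \`policy_id: (${policiesQuery})\` : undefined` (`escapeQuotes` is exported by `@kbn/es-query`). Note that an undefined `kuery` means "no policy restriction" in `buildAgentsQuery`, which is wider than the previous `terms` on an empty array; if the hook should return nothing when there are no policies, keep the query disabled in that case rather than sending it. The enclosing `useQuery` call starts and ends outside this hunk.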
diff --git a/x-pack/plugins/osquery/public/common/helpers.ts b/x-pack/plugins/osquery/public/common/helpers.ts
index 7697e1d59d5ce..db882c867326f 100644
--- a/x-pack/plugins/osquery/public/common/helpers.ts
+++ b/x-pack/plugins/osquery/public/common/helpers.ts
@@ -5,8 +5,6 @@
 * 2.0.
 */
-import { isString } from 'lodash/fp';
-
 import type {
 PaginationInputPaginated,
 FactoryQueryTypes,
@@ -14,11 +12,6 @@ import type {
 Inspect,
 } from '../../common/search_strategy';
-import type { ESQuery } from '../../common/typed_json';
-
-export const createFilter = (filterQuery: ESQuery | string | undefined) =>
- isString(filterQuery) ? filterQuery : JSON.stringify(filterQuery);
-
 export type InspectResponse = Inspect & { response: string[] };
 export const generateTablePaginationOptions = (
diff --git a/x-pack/plugins/osquery/public/common/index.ts b/x-pack/plugins/osquery/public/common/index.ts
deleted file mode 100644
index 377d7af6d8164..0000000000000
--- a/x-pack/plugins/osquery/public/common/index.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export { createFilter } from './helpers';
diff --git a/x-pack/plugins/osquery/public/results/use_all_results.ts b/x-pack/plugins/osquery/public/results/use_all_results.ts
index ee545a2eaf9e9..09f18cfd2d17c 100644
--- a/x-pack/plugins/osquery/public/results/use_all_results.ts
+++ b/x-pack/plugins/osquery/public/results/use_all_results.ts
@@ -10,11 +10,7 @@ import { useQuery } from '@tanstack/react-query';
 import { i18n } from '@kbn/i18n';
 import { lastValueFrom } from 'rxjs';
 import type { InspectResponse } from '../common/helpers';
-import {
- createFilter,
- generateTablePaginationOptions,
- getInspectResponse,
-} from '../common/helpers';
+import { generateTablePaginationOptions, getInspectResponse } from '../common/helpers';
 import { useKibana } from '../common/lib/kibana';
 import type {
 ResultEdges,
@@ -23,7 +19,6 @@ import type {
 Direction,
 } from '../../common/search_strategy';
 import { OsqueryQueries } from '../../common/search_strategy';
-import type { ESTermQuery } from '../../common/typed_json';
 import { useErrorToast } from '../common/hooks/use_error_toast';
@@ -40,7 +35,7 @@ interface UseAllResults {
 activePage: number;
 limit: number;
 sort: Array<{ field: string; direction: Direction }>;
- filterQuery?: ESTermQuery | string;
+ kuery?: string;
 skip?: boolean;
 isLive?: boolean;
 }
@@ -50,7 +45,7 @@ export const useAllResults = ({
 activePage,
 limit,
 sort,
- filterQuery,
+ kuery,
 skip = false,
 isLive = false,
 }: UseAllResults) => {
@@ -65,7 +60,7 @@ export const useAllResults = ({
 {
 actionId,
 factoryQueryType: OsqueryQueries.results,
- filterQuery: createFilter(filterQuery),
+ kuery,
 pagination: generateTablePaginationOptions(activePage, limit),
 sort,
 },
diff --git a/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts b/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts
index 2e12d1cd967b1..2258843b73227 100644
--- a/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts
@@ -21,8 +21,8 @@ import type { Direction, } from '../../../common/search_strategy'; import { OsqueryQueries } from '../../../common/search_strategy'; -import { createFilter, generateTablePaginationOptions } from '../../../common/utils/build_query'; import { findLiveQueryRequestQuerySchema } from '../../../common/api'; +import { generateTablePaginationOptions } from '../../../common/utils/build_query'; export const findLiveQueryRoute = (router: IRouter) => { router.versioned @@ -52,7 +52,7 @@ export const findLiveQueryRoute = (router: IRouter) = search.search( { factoryQueryType: OsqueryQueries.actions, - filterQuery: createFilter(request.query.filterQuery), + kuery: request.query.kuery, pagination: generateTablePaginationOptions( request.query.page ?? 0, request.query.pageSize ?? 100 diff --git a/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts b/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts index a6b6b06dcaca4..2b32a3269b693 100644 --- a/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts +++ b/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts @@ -61,7 +61,6 @@ export const getLiveQueryDetailsRoute = (router: IRouter( { actionId: request.params.id, - filterQuery: {}, factoryQueryType: OsqueryQueries.actionDetails, }, { abortSignal, strategy: 'osquerySearchStrategy' } diff --git a/x-pack/plugins/osquery/server/routes/live_query/get_live_query_results_route.ts b/x-pack/plugins/osquery/server/routes/live_query/get_live_query_results_route.ts index bd924e9c93b34..a1154b3b8c0d2 100644 --- a/x-pack/plugins/osquery/server/routes/live_query/get_live_query_results_route.ts +++ b/x-pack/plugins/osquery/server/routes/live_query/get_live_query_results_route.ts 
@@ -22,7 +22,7 @@ import type { ActionDetailsStrategyResponse, } from '../../../common/search_strategy'; import { OsqueryQueries } from '../../../common/search_strategy'; -import { createFilter, generateTablePaginationOptions } from '../../../common/utils/build_query'; +import { generateTablePaginationOptions } from '../../../common/utils/build_query'; import { getActionResponses } from './utils'; import { getLiveQueryResultsRequestParamsSchema, @@ -61,7 +61,7 @@ export const getLiveQueryResultsRoute = (router: IRouter( { actionId: request.params.id, - filterQuery: createFilter(request.query.filterQuery), + kuery: request.query.kuery, factoryQueryType: OsqueryQueries.actionDetails, }, { abortSignal, strategy: 'osquerySearchStrategy' } @@ -83,7 +83,7 @@ export const getLiveQueryResultsRoute = (router: IRouter { - const filter = [...createQueryFilterClauses(filterQuery)]; + const { + bool: { filter }, + } = getQueryFilter({ filter: kuery }); const dslQuery = { allow_no_indices: true, diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/query.action_details.dsl.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/query.action_details.dsl.ts index da5f0d216c686..3a5fe3db37b7b 100644 --- a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/query.action_details.dsl.ts +++ b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/query.action_details.dsl.ts 
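Review bot: in `buildActionsQuery` the request's `kuery` goes straight into `getQueryFilter({ filter: kuery })` with no `isEmpty` guard, unlike every other builder in this change, while `findLiveQueryRoute` forwards `request.query.kuery`, which its schema allows to be undefined. Unless `buildEsQuery` tolerates `query: undefined` — the cypress fixtures in this same change having to add `kuery: ''` suggests it does not — a find request that omits `kuery` fails in this builder. `getQueryFilter({ filter: kuery ?? '' })` closes it and keeps the empty-expression behaviour (`buildEsQuery` yields an empty `filter` array for an empty string). The hunk header for this file was lost in extraction and the body of `buildActionsQuery` continues outside the hunk, so I cannot see whether `filter` is used anywhere else in it.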
@@ -7,30 +7,30 @@
 import type { ISearchRequestParams } from '@kbn/data-plugin/common';
 import { AGENT_ACTIONS_INDEX } from '@kbn/fleet-plugin/common';
+import { isEmpty } from 'lodash';
+import { getQueryFilter } from '../../../../../utils/build_query';
 import { ACTIONS_INDEX } from '../../../../../../common/constants';
 import type { ActionDetailsRequestOptions } from '../../../../../../common/search_strategy';
-import { createQueryFilterClauses } from '../../../../../../common/utils/build_query';
 export const buildActionDetailsQuery = ({
 actionId,
- filterQuery,
+ kuery,
 componentTemplateExists,
 }: ActionDetailsRequestOptions): ISearchRequestParams => {
- const filter = [
- ...createQueryFilterClauses(filterQuery),
- {
- match_phrase: {
- action_id: actionId,
- },
- },
- ];
+ const actionIdQuery = `action_id: ${actionId}`;
+ let filter = actionIdQuery;
+ if (!isEmpty(kuery)) {
+ filter = filter + ` AND ${kuery}`;
+ }
+
+ const filterQuery = getQueryFilter({ filter });
 const dslQuery = {
 allow_no_indices: true,
 index: componentTemplateExists ? `${ACTIONS_INDEX}*` : AGENT_ACTIONS_INDEX,
 ignore_unavailable: true,
 body: {
- query: { bool: { filter } },
+ query: { bool: { filter: filterQuery } },
 size: 1,
 fields: ['*'],
 },
diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts
index 366342e954fad..47901f47b6593 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts
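Review bot: `const actionIdQuery = \`action_id: ${actionId}\`` interpolates the id into KQL unquoted and unescaped, and `filter = filter + \` AND ${kuery}\`` appends the client-supplied expression at the same precedence level, so a `kuery` of `foo OR action_id: *` parses as `(action_id: X AND foo) OR action_id: *` and escapes the action scope that the previous separate `match_phrase` clause enforced unconditionally. Quote and escape the id and parenthesize both operands: `let filter = \`action_id: "${escapeQuotes(actionId)}"\`;` and, inside the `isEmpty` check, `filter = \`(${filter}) AND (${kuery})\`;` (`escapeQuotes` is exported by `@kbn/es-query`). `actionId` here comes from `request.params.id` in the results route, so it is request-controlled as well.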
@@ -7,25 +7,25 @@
 import type { ISearchRequestParams } from '@kbn/data-plugin/common';
 import { AGENT_ACTIONS_RESULTS_INDEX } from '@kbn/fleet-plugin/common';
+import { isEmpty } from 'lodash';
 import { ACTION_RESPONSES_INDEX } from '../../../../../../common/constants';
 import type { ActionResultsRequestOptions } from '../../../../../../common/search_strategy';
-import { createQueryFilterClauses } from '../../../../../../common/utils/build_query';
+import { getQueryFilter } from '../../../../../utils/build_query';
 export const buildActionResultsQuery = ({
 actionId,
- filterQuery,
+ kuery,
 // pagination: { activePage, querySize },
 sort,
 componentTemplateExists,
 }: ActionResultsRequestOptions): ISearchRequestParams => {
- const filter = [
- ...createQueryFilterClauses(filterQuery),
- {
- match_phrase: {
- action_id: actionId,
- },
- },
- ];
+ const actionIdQuery = `action_id: ${actionId}`;
+ let filter = actionIdQuery;
+ if (!isEmpty(kuery)) {
+ filter = filter + ` AND ${kuery}`;
+ }
+
+ const filterQuery = getQueryFilter({ filter });
 const dslQuery = {
 allow_no_indices: true,
@@ -70,7 +70,7 @@ export const buildActionResultsQuery = ({
 },
 },
 },
- query: { bool: { filter } },
+ query: { bool: { filter: filterQuery } },
 // from: activePage * querySize,
 size: 10000, // querySize,
 track_total_hits: true,
diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/agents/query.all_agents.dsl.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/agents/query.all_agents.dsl.ts
index 908c0cbdd32bf..20a5f07c5d11d 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/agents/query.all_agents.dsl.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/agents/query.all_agents.dsl.ts
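Review bot: `buildActionResultsQuery` composes its scope the same way as the details builder — unquoted `action_id: ${actionId}` followed by a flat ` AND ${kuery}` — and here the consequence is larger because the query runs with `size: 10000` and `track_total_hits: true` over the action-responses index, so a `kuery` that `OR`s past the action id (`x OR action_id: *`) pages back responses for every action the caller's index privileges cover, which the old `match_phrase` clause prevented. Change the two lines to `let filter = \`action_id: "${escapeQuotes(actionId)}"\`;` and `filter = \`(${filter}) AND (${kuery})\`;` with `escapeQuotes` from `@kbn/es-query`. Putting the two clauses into a shared helper with the details builder would keep them from drifting apart again.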
@@ -7,19 +7,22 @@
 import type { ISearchRequestParams } from '@kbn/data-plugin/common';
 import { AGENTS_INDEX } from '@kbn/fleet-plugin/common';
+import { isEmpty } from 'lodash';
+import { getQueryFilter } from '../../../../utils/build_query';
 import type { AgentsRequestOptions } from '../../../../../common/search_strategy';
-import { createQueryFilterClauses } from '../../../../../common/utils/build_query';
 export const buildAgentsQuery = ({
- filterQuery,
+ kuery,
 pagination: { cursorStart, querySize },
 sort,
- aggregations,
 }: AgentsRequestOptions): ISearchRequestParams => {
- const filter = [
- { term: { active: { value: 'true' } } },
- ...createQueryFilterClauses(filterQuery),
- ];
+ const activeQuery = `active: true`;
+ let filter = activeQuery;
+ if (!isEmpty(kuery)) {
+ filter = activeQuery + ` AND ${kuery}`;
+ }
+
+ const filterQuery = getQueryFilter({ filter });
 const dslQuery = {
 allow_no_indices: true,
@@ -28,10 +31,28 @@ export const buildAgentsQuery = ({
 body: {
 query: {
 bool: {
- filter,
+ filter: filterQuery,
+ },
+ },
+ aggs: {
+ platforms: {
+ terms: {
+ field: 'local_metadata.os.platform',
+ },
+ aggs: {
+ policies: {
+ terms: {
+ field: 'policy_id',
+ },
+ },
+ },
+ },
+ policies: {
+ terms: {
+ field: 'policy_id',
+ },
 },
 },
- aggs: aggregations,
 track_total_hits: true,
 sort: [
 {
diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts
index 8a33b4b5a8371..2c8d408672275 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/results/query.all_results.dsl.ts
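Review bot: `filter = activeQuery + \` AND ${kuery}\`` lets the caller's KQL undo the `active: true` restriction, because KQL `OR` binds looser than `AND`: a `kuery` of `policy_id: x OR active: false` becomes `(active: true AND policy_id: x) OR active: false` and returns inactive agents, whereas the old `{ term: { active: ... } }` was an independent bool filter clause that no user input could widen. Parenthesize both sides: `filter = \`(${activeQuery}) AND (${kuery})\`;`. Moving the `platforms`/`policies` aggregations from the request into this builder is the right direction — the agent aggregation shape is no longer client-controlled — and deserves a one-line comment above `aggs:` saying so, e.g. `// aggregations are fixed server-side; they are not accepted from the request`.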
@@ -6,34 +6,26 @@
 */
 import type { ISearchRequestParams } from '@kbn/data-plugin/common';
+import { isEmpty } from 'lodash';
+import { getQueryFilter } from '../../../../utils/build_query';
 import { OSQUERY_INTEGRATION_NAME } from '../../../../../common';
 import type { ResultsRequestOptions } from '../../../../../common/search_strategy';
-import { createQueryFilterClauses } from '../../../../../common/utils/build_query';
 export const buildResultsQuery = ({
 actionId,
 agentId,
- filterQuery,
+ kuery,
 sort,
 pagination: { activePage, querySize },
 }: ResultsRequestOptions): ISearchRequestParams => {
- const filter = [
- ...createQueryFilterClauses(filterQuery),
- {
- match_phrase: {
- action_id: actionId,
- },
- },
- ...(agentId
- ? [
- {
- match_phrase: {
- 'agent.id': agentId,
- },
- },
- ]
- : []),
- ];
+ const actionIdQuery = `action_id: ${actionId}`;
+ const agentQuery = agentId ? ` AND agent.id: ${agentId}` : '';
+ let filter = actionIdQuery + agentQuery;
+ if (!isEmpty(kuery)) {
+ filter = filter + ` AND ${kuery}`;
+ }
+
+ const filterQuery = getQueryFilter({ filter });
 const dslQuery = {
 allow_no_indices: true,
@@ -53,7 +45,7 @@ export const buildResultsQuery = ({
 },
 },
 },
- query: { bool: { filter } },
+ query: { bool: { filter: filterQuery } },
 from: activePage * querySize,
 size: querySize,
 track_total_hits: true,
diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
index bf7220026f59b..af14d84fa3637 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
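Review bot: `buildResultsQuery` now interpolates two request-controlled values, `actionId` and `agentId`, into KQL unquoted, and appends `kuery` with a bare ` AND `, so an agent id containing a space, colon or parenthesis breaks the expression and a `kuery` containing `OR` widens the result set beyond the action/agent the route scoped it to; the replaced `match_phrase` clauses had neither problem. I would build the clauses as a list, quote and escape the two ids with `escapeQuotes` from `@kbn/es-query`, wrap the caller's expression in parentheses, and join with ` AND `, as below. The same treatment belongs in the action-details and action-results builders of this change.
```typescript
}: ResultsRequestOptions): ISearchRequestParams => {
  // Each clause is parenthesized so a caller-supplied kuery cannot OR its way past
  // the action/agent scope; ids are quoted and escaped, not spliced in raw.
  const clauses = [`action_id: "${escapeQuotes(actionId)}"`];
  if (agentId) {
    clauses.push(`agent.id: "${escapeQuotes(agentId)}"`);
  }
  if (!isEmpty(kuery)) {
    clauses.push(`(${kuery})`);
  }

  const filterQuery = getQueryFilter({ filter: clauses.join(' AND ') });
  // … unchanged: dslQuery …
```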
@@ -41,13 +41,12 @@ export const osquerySearchStrategyProvider = (
 mergeMap((exists) => {
 const strictRequest = {
 factoryQueryType: request.factoryQueryType,
- filterQuery: request.filterQuery,
- ...('aggregations' in request ? { aggregations: request.aggregations } : {}),
+ kuery: request.kuery,
 ...('pagination' in request ? { pagination: request.pagination } : {}),
 ...('sort' in request ? { sort: request.sort } : {}),
 ...('actionId' in request ? { actionId: request.actionId } : {}),
 ...('agentId' in request ? { agentId: request.agentId } : {}),
- };
+ } as StrategyRequestType;
 const dsl = queryFactory.buildDsl({
 ...strictRequest,
diff --git a/x-pack/plugins/osquery/server/utils/build_query.ts b/x-pack/plugins/osquery/server/utils/build_query.ts
new file mode 100644
index 0000000000000..c085790febdec
--- /dev/null
+++ b/x-pack/plugins/osquery/server/utils/build_query.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Query } from '@kbn/es-query';
+import { buildEsQuery } from '@kbn/es-query';
+
+export const getQueryFilter = ({ filter }: { filter: string }) => {
+ const kqlQuery: Query = {
+ language: 'kuery',
+ query: filter,
+ };
+
+ return buildEsQuery(undefined, kqlQuery, []);
+};
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/osquery_tab.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/osquery_tab.tsx
index 4edc6b7ae08de..289561c0bc4aa 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/osquery_tab.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/osquery_tab.tsx
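Review bot: `getQueryFilter` is the one place every builder now funnels request-controlled KQL through, and it documents none of its sharp edges: `buildEsQuery` throws (a `KQLSyntaxError`, as I read it) on an expression it cannot parse, it is called with no data view so it cannot check field names against a mapping, and the value returned is a whole `{ bool: { must, filter, should, must_not } }` object that the builders then nest under their own `bool.filter`. A TSDoc block should state that callers must expect an exception and translate it to a client error, that any value spliced into `filter` must be escaped with `escapeKuery`/`escapeQuotes`, and that an empty string yields an empty filter. In the strategy hunk, `} as StrategyRequestType` is an assertion that hides whatever shape mismatch made the spread-built object fail to type-check; if a declared `const strictRequest: StrategyRequestType = { ... }` does not compile, that is worth understanding rather than asserting past, since the narrowed object is what reaches `buildDsl`.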
@@ -61,7 +61,7 @@ export const useOsqueryTab = ({
 const { OsqueryResults, fetchAllLiveQueries } = osquery;
 const { data: actionsData } = fetchAllLiveQueries({
- filterQuery: { term: { alert_ids: alertId } },
+ kuery: `alert_ids: ( ${alertId} )`,
 alertId,
 skip: shouldEarlyReturn,
 });
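Review bot: `kuery: \`alert_ids: ( ${alertId} )\`` splices the alert id into a KQL expression with no quoting, so the server-side parse depends on the id containing no KQL metacharacters, and the parenthesized-list form is odd for a single value. Write it as a quoted, escaped term: `kuery: \`alert_ids: "${escapeQuotes(alertId)}"\`` with `escapeQuotes` from `@kbn/es-query`, which this plugin already depends on. Alert ids are normally opaque identifiers, so this is about not relying on that assumption rather than a visible failure; the `useOsqueryTab` body continues outside the hunk.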