[Entity Analytics] Update entity maintainers to use new relationship schema (ids object)

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/maintainers/accesses/postprocess_records.test.ts

@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { postprocessEsqlResults } from './postprocess_records';
+
+const COLUMNS = [
+  { name: 'actorUserId', type: 'keyword' },
+  { name: 'accesses_frequently', type: 'keyword' },
+  { name: 'accesses_infrequently', type: 'keyword' },
+];
+
+describe('postprocessEsqlResults', () => {
+  it('returns an empty array when values is empty', () => {
+    expect(postprocessEsqlResults(COLUMNS, [])).toEqual([]);
+  });
+
+  it('sets entityId to null when actorUserId is null', () => {
+    const [record] = postprocessEsqlResults(COLUMNS, [[null, null, null]]);
+    expect(record.entityId).toBeNull();
+  });
+
+  it('prefixes actorUserId with "user:" to form entityId', () => {
+    const [record] = postprocessEsqlResults(COLUMNS, [['alice@corp', null, null]]);
+    expect(record.entityId).toBe('user:alice@corp');
+  });
+
+  it('wraps null accesses_frequently in { ids: [] }', () => {
+    const [record] = postprocessEsqlResults(COLUMNS, [['alice@corp', null, null]]);
+    expect(record.accesses_frequently).toEqual({ ids: [] });
+  });
+
+  it('wraps null accesses_infrequently in { ids: [] }', () => {
+    const [record] = postprocessEsqlResults(COLUMNS, [['alice@corp', null, null]]);
+    expect(record.accesses_infrequently).toEqual({ ids: [] });
+  });
+
+  it('wraps a single string accesses_frequently value in { ids: [value] }', () => {
+    const [record] = postprocessEsqlResults(COLUMNS, [
+      ['alice@corp', 'host:prod-db-01@corp', null],
+    ]);
+    expect(record.accesses_frequently).toEqual({ ids: ['host:prod-db-01@corp'] });
+  });
+
+  it('wraps an array accesses_frequently value in { ids: [...] }', () => {
+    const [record] = postprocessEsqlResults(COLUMNS, [
+      ['alice@corp', ['host:prod-db-01@corp', 'host:prod-db-02@corp'], null],
+    ]);
+    expect(record.accesses_frequently).toEqual({
+      ids: ['host:prod-db-01@corp', 'host:prod-db-02@corp'],
+    });
+  });
+
+  it('wraps accesses_infrequently independently from accesses_frequently', () => {
+    const [record] = postprocessEsqlResults(COLUMNS, [
+      ['alice@corp', ['host:prod-db-01@corp'], ['host:legacy-01@corp']],
+    ]);
+    expect(record.accesses_frequently).toEqual({ ids: ['host:prod-db-01@corp'] });
+    expect(record.accesses_infrequently).toEqual({ ids: ['host:legacy-01@corp'] });
+  });
+
+  it('processes multiple rows independently', () => {
+    const results = postprocessEsqlResults(COLUMNS, [
+      ['alice@corp', ['host:a@corp'], null],
+      ['bob@corp', null, ['host:b@corp']],
+    ]);
+    expect(results).toHaveLength(2);
+    expect(results[0].entityId).toBe('user:alice@corp');
+    expect(results[0].accesses_frequently).toEqual({ ids: ['host:a@corp'] });
+    expect(results[0].accesses_infrequently).toEqual({ ids: [] });
+    expect(results[1].entityId).toBe('user:bob@corp');
+    expect(results[1].accesses_frequently).toEqual({ ids: [] });
+    expect(results[1].accesses_infrequently).toEqual({ ids: ['host:b@corp'] });
+  });
+});

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/maintainers/accesses/postprocess_records.ts

@@ -31,8 +31,8 @@ export function postprocessEsqlResults(
     return {
       // update entity method is using `user:<user_euid>` format
       entityId: record.actorUserId != null ? `user:${record.actorUserId}` : null,
-      accesses_frequently: toStringArray(record.accesses_frequently),
-      accesses_infrequently: toStringArray(record.accesses_infrequently),
+      accesses_frequently: { ids: toStringArray(record.accesses_frequently) },
+      accesses_infrequently: { ids: toStringArray(record.accesses_infrequently) },
     };
   });
 }

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/maintainers/accesses/run_maintainer.test.ts

@@ -221,15 +221,15 @@ describe('runMaintainer', () => {
       const page1Records: ProcessedEntityRecord[] = [
         {
           entityId: 'user-0',
-          accesses_frequently: ['host-a'],
-          accesses_infrequently: [],
+          accesses_frequently: { ids: ['host-a'] },
+          accesses_infrequently: { ids: [] },
         },
       ];
       const page2Records: ProcessedEntityRecord[] = [
         {
           entityId: 'user-last',
-          accesses_frequently: [],
-          accesses_infrequently: ['host-b'],
+          accesses_frequently: { ids: [] },
+          accesses_infrequently: { ids: ['host-b'] },
         },
       ];
 
@@ -303,15 +303,15 @@ describe('runMaintainer', () => {
       const records1: ProcessedEntityRecord[] = [
         {
           entityId: 'user-a',
-          accesses_frequently: ['host-1'],
-          accesses_infrequently: [],
+          accesses_frequently: { ids: ['host-1'] },
+          accesses_infrequently: { ids: [] },
         },
       ];
       const records2: ProcessedEntityRecord[] = [
         {
           entityId: 'user-b',
-          accesses_frequently: [],
-          accesses_infrequently: ['host-2'],
+          accesses_frequently: { ids: [] },
+          accesses_infrequently: { ids: ['host-2'] },
         },
       ];
 
@@ -429,8 +429,8 @@ describe('runMaintainer', () => {
       const records: ProcessedEntityRecord[] = [
         {
           entityId: 'user-1',
-          accesses_frequently: [],
-          accesses_infrequently: ['host-a'],
+          accesses_frequently: { ids: [] },
+          accesses_infrequently: { ids: ['host-a'] },
         },
       ];
       esClient.esql.query.mockResolvedValueOnce(createEsqlResponse() as never);
@@ -564,7 +564,11 @@ describe('runMaintainer', () => {
     it('skips bulk update when aborted after collecting records', async () => {
       const abortCtrl = new AbortController();
       const records: ProcessedEntityRecord[] = [
-        { entityId: 'user-1', accesses_frequently: ['host-a'], accesses_infrequently: [] },
+        {
+          entityId: 'user-1',
+          accesses_frequently: { ids: ['host-a'] },
+          accesses_infrequently: { ids: [] },
+        },
       ];
 
       esClient.search.mockResolvedValueOnce(createAggResponse([createBucket('user-1')]));

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/maintainers/accesses/run_maintainer.ts

@@ -163,10 +163,12 @@ export async function runMaintainer({
 
         for (const record of records) {
           const freq =
-            record.accesses_frequently.length > 0 ? record.accesses_frequently.join(', ') : 'none';
+            record.accesses_frequently.ids.length > 0
+              ? record.accesses_frequently.ids.join(', ')
+              : 'none';
           const infreq =
-            record.accesses_infrequently.length > 0
-              ? record.accesses_infrequently.join(', ')
+            record.accesses_infrequently.ids.length > 0
+              ? record.accesses_infrequently.ids.join(', ')
               : 'none';
           logger.info(
             `[${integration.id}] Entity ${record.entityId}: frequently=[${freq}], infrequently=[${infreq}]`

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/maintainers/accesses/types.ts

@@ -16,6 +16,6 @@ export interface CompositeBucket {
 
 export interface ProcessedEntityRecord {
   entityId: string | null;
-  accesses_frequently: string[];
-  accesses_infrequently: string[];
+  accesses_frequently: { ids: string[] };
+  accesses_infrequently: { ids: string[] };
 }