[Endpoint] Add generator function that creates multiple alerts #67713

Merged
merged 2 commits into from
Jun 3, 2020
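--- a/x-pack/plugins/siem/common/endpoint/generate_data.ts
+++ b/x-pack/plugins/siem/common/endpoint/generate_data.ts
@@ -445,6 +445,41 @@ export class EndpointDocGenerator {
 };
 }
 
+/**
+* Wrapper generator for fullResolverTreeGenerator to make it easier to quickly stream
+* many resolver trees to Elasticsearch.
+* @param numAlerts - number of alerts to generate
+* @param alertAncestors - number of ancestor generations to create relative to the alert
+* @param childGenerations - number of child generations to create relative to the alert
+* @param maxChildrenPerNode - maximum number of children for any given node in the tree
+* @param relatedEventsPerNode - number of related events (file, registry, etc) to create for each process event in the tree
+* @param percentNodesWithRelated - percent of nodes which should have related events
+* @param percentTerminated - percent of nodes which will have process termination events
+* @param alwaysGenMaxChildrenPerNode - flag to always return the max children per node instead of it being a random number of children
+*/
+public *alertsGenerator(
+numAlerts: number,
+alertAncestors?: number,
+childGenerations?: number,
+maxChildrenPerNode?: number,
+relatedEventsPerNode?: number,
+percentNodesWithRelated?: number,
+percentTerminated?: number,
+alwaysGenMaxChildrenPerNode?: boolean
+) {
+for (let i = 0; i < numAlerts; i++) {
+yield* this.fullResolverTreeGenerator(
+alertAncestors,
+childGenerations,
+maxChildrenPerNode,
+relatedEventsPerNode,
+percentNodesWithRelated,
+percentTerminated,
+alwaysGenMaxChildrenPerNode
+);
+}
+}
+
 /**
 * Generator function that creates the full set of events needed to render resolver.
 * The number of nodes grows exponentially with the number of generations and children per node.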
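Review bot: `alertsGenerator` is a public method with no declared return type, so its yielded element type is whatever the compiler infers from `yield*` over `fullResolverTreeGenerator`; that method's signature is outside the hunk, so the inferred type cannot be confirmed here, and an explicit `Generator<...>` annotation mirroring whatever `fullResolverTreeGenerator` declares would make the contract visible to callers such as the resolver script. The docstring also leaves `numAlerts` easy to misread: it counts resolver trees, not emitted events, and each tree yields many events (the note on `fullResolverTreeGenerator` says node count grows exponentially with generations and children), so a line such as `* Note: numAlerts is the number of trees yielded; the total event count is numAlerts times the (exponential) size of each tree.` would help callers size their runs. A fractional `numAlerts` runs ceil(numAlerts) iterations and a negative one runs none, silently; if the value comes from CLI parsing, a guard like `if (!Number.isInteger(numAlerts) || numAlerts < 0) throw new Error('numAlerts must be a non-negative integer');` at the top of the method, or a docstring sentence stating the behaviour, is worth adding.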
56 changes: 29 additions & 27 deletions x-pack/plugins/siem/scripts/endpoint/resolver_generator.ts
Expand Up @@ -221,6 +221,7 @@ async function main() {
console.log(`No seed supplied, using random seed: ${seed}`);
}
const random = seedrandom(seed);
const startTime = new Date().getTime();
for (let i = 0; i < argv.numHosts; i++) {
const generator = new EndpointDocGenerator(random);
const timeBetweenDocs = 6 * 3600 * 1000; // 6 hours between metadata documents
Expand All @@ -241,36 +242,37 @@ async function main() {
});
}

for (let j = 0; j < argv.alertsPerHost; j++) {
const resolverDocGenerator = generator.fullResolverTreeGenerator(
argv.ancestors,
argv.generations,
argv.children,
argv.relatedEvents,
argv.percentWithRelated,
argv.percentTerminated,
argv.maxChildrenPerNode
);
let result = resolverDocGenerator.next();
while (!result.done) {
let k = 0;
const resolverDocs: Event[] = [];
while (k < 1000 && !result.done) {
resolverDocs.push(result.value);
result = resolverDocGenerator.next();
k++;
}
const body = resolverDocs.reduce(
// eslint-disable-next-line @typescript-eslint/no-explicit-any
(array: Array<Record<string, any>>, doc) => (
array.push({ index: { _index: argv.eventIndex } }, doc), array
),
[]
);
await client.bulk({ body });
const alertGenerator = generator.alertsGenerator(
argv.alertsPerHost,
argv.ancestors,
argv.generations,
argv.children,
argv.relatedEvents,
argv.percentWithRelated,
argv.percentTerminated,
argv.maxChildrenPerNode
);
let result = alertGenerator.next();
while (!result.done) {
let k = 0;
const resolverDocs: Event[] = [];
while (k < 1000 && !result.done) {
resolverDocs.push(result.value);
result = alertGenerator.next();
k++;
}
const body = resolverDocs.reduce(
// eslint-disable-next-line @typescript-eslint/no-explicit-any
(array: Array<Record<string, any>>, doc) => (
array.push({ index: { _index: argv.eventIndex } }, doc), array
),
[]
);
await client.bulk({ body });
}
}
// eslint-disable-next-line no-console
console.log(`Creating and indexing documents took: ${new Date().getTime() - startTime}ms`);
}

// eslint-disable-next-line @typescript-eslint/no-explicit-any
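Review bot: The `await client.bulk({ body })` at the end of the new batching loop discards the response, and a bulk request can succeed at the HTTP level while individual items fail (mapping conflicts, index not writable), so a run can print the final "Creating and indexing documents took" timing while having indexed fewer documents than it generated. Assuming this is the `@elastic/elasticsearch` client, checking the per-request error flag would surface that: `const { body: bulkResponse } = await client.bulk({ body }); if (bulkResponse.errors) throw new Error('bulk indexing reported item errors');`. Separately, the argument positions in the `alertsGenerator` call are easy to misread against the parameter list in generate_data.ts: `argv.children` feeds `maxChildrenPerNode` and `argv.maxChildrenPerNode` feeds the boolean `alwaysGenMaxChildrenPerNode`; this mapping was already present in the replaced `fullResolverTreeGenerator` call, but a comment on the call such as `// argv.children is the per-node max; argv.maxChildrenPerNode is the always-use-max flag` (the argv definition is outside the hunk, so this is inferred from the two visible signatures) would reduce the risk of a future swap. `main()` begins outside this hunk.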