condense painless further

elastic · May 14, 2024 · 5690955 · 5690955
1 parent c99a6c3
commit 5690955
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 44 deletions.
diff --git a/...plugins/security_solution/server/lib/entity_analytics/risk_score/calculate_risk_scores.ts b/...plugins/security_solution/server/lib/entity_analytics/risk_score/calculate_risk_scores.ts
@@ -39,11 +39,7 @@ import type {
   CalculateScoresResponse,
   RiskScoreBucket,
 } from '../types';
-import {
-  RISK_SCORING_INPUTS_COUNT_MAX,
-  RISK_SCORING_SUM_MAX,
-  RISK_SCORING_SUM_VALUE,
-} from './constants';
+import { RISK_SCORING_SUM_MAX, RISK_SCORING_SUM_VALUE } from './constants';
 import { getPainlessScripts, type PainlessScripts } from './painless';
 
 const formatForResponse = ({
@@ -152,10 +148,9 @@ const buildIdentifierTypeAggregation = ({
               map_script: scriptedMetricPainless.map,
               combine_script: scriptedMetricPainless.combine,
               params: {
-                max_risk_inputs_per_identity: RISK_SCORING_INPUTS_COUNT_MAX,
                 p: RISK_SCORING_SUM_VALUE,
                 risk_cap: RISK_SCORING_SUM_MAX,
-                global_identifier_type_weight: globalIdentifierTypeWeight,
+                global_identifier_type_weight: globalIdentifierTypeWeight || 1,
               },
               reduce_script: scriptedMetricPainless.reduce,
             },

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/constants.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/constants.ts
@@ -16,11 +16,6 @@ export const RISK_SCORING_SUM_VALUE = 1.5;
  */
 export const RISK_SCORING_SUM_MAX = 261.2;
 
-/**
- * The risk scoring algorithm can only process a finite number of risk inputs per identity; this value represents the maximum number of inputs that will be processed.
- */
-export const RISK_SCORING_INPUTS_COUNT_MAX = 999999;
-
 /**
  * This value represents the maximum possible risk score after normalization.
  */

diff --git a/...curity_solution/server/lib/entity_analytics/risk_score/painless/risk_scoring_map.painless b/...curity_solution/server/lib/entity_analytics/risk_score/painless/risk_scoring_map.painless
@@ -1,10 +1,8 @@
 Map fields = new HashMap();
-String category = doc['event.kind'].value;
-double score = doc['kibana.alert.risk_score'].value;
+fields.put('id', doc['kibana.alert.uuid'].value);
+fields.put('index', doc['_index'].value);
 fields.put('time', doc['@timestamp'].value);
 fields.put('rule_name', doc['kibana.alert.rule.name'].value);
-fields.put('category', category);
-fields.put('index', doc['_index'].value);
-fields.put('id', doc['kibana.alert.uuid'].value);
-fields.put('score', score);
+fields.put('category', doc['event.kind'].value);
+fields.put('score', doc['kibana.alert.risk_score'].value);
 state.inputs.add(fields);      
diff --git a/...ity_solution/server/lib/entity_analytics/risk_score/painless/risk_scoring_reduce.painless b/...ity_solution/server/lib/entity_analytics/risk_score/painless/risk_scoring_reduce.painless
@@ -1,45 +1,33 @@
 Map results = new HashMap();
+results['notes'] = [];
+results['category_1_score'] = 0.0;
+results['category_1_count'] = 0;
+results['risk_inputs'] = [];
+results['score'] = 0;
+
 List inputs = [];
 for (state in states) {
   inputs.addAll(state.inputs)
 }
 Collections.sort(inputs, (a, b) -> b.get('score').compareTo(a.get('score')));
 
-double num_inputs_to_score = Math.min(inputs.length, params.max_risk_inputs_per_identity);
-results['notes'] = [];
-if (num_inputs_to_score == params.max_risk_inputs_per_identity) {
-  results['notes'].add('Number of risk inputs (' + inputs.length + ') exceeded the maximum allowed (' + params.max_risk_inputs_per_identity + ').');
-}
-
-results['category_1_score'] = 0.0;
-results['category_1_count'] = 0;
-
-double total_score = 0;
-double current_score = 0;
-List risk_inputs = [];
-for (int i = 0; i < num_inputs_to_score; i++) {
-  current_score = inputs[i].score / Math.pow(i + 1, params.p);
+for (int i = 0; i < inputs.length; i++) {
+  double current_score = inputs[i].score / Math.pow(i + 1, params.p);
 
   if (i < 10) {
     inputs[i]["contribution"] = 100 * current_score / params.risk_cap;
-    risk_inputs.add(inputs[i]);
+    results['risk_inputs'].add(inputs[i]);
   }
 
   if (inputs[i].category == 'signal') {
-    results['category_1_score'] += current_score; results['category_1_count'] += 1;
+    results['category_1_score'] += current_score;
+    results['category_1_count'] += 1;
   }
 
-  total_score += current_score;
+  results['score'] += current_score;
 }
 
-if (params.containsKey('global_identifier_type_weight') && params.global_identifier_type_weight != null) {
-  total_score *= params.global_identifier_type_weight;
-}
-
-double score_norm = 100 * total_score / params.risk_cap;
-results['score'] = total_score;
-results['normalized_score'] = score_norm;
-results['risk_inputs'] = risk_inputs;
+results['score'] *= params.global_identifier_type_weight;
+results['normalized_score'] = 100 * results['score'] / params.risk_cap;
 
 return results;
-