From f081e72f09475a74c586e299d5754fdb361a858e Mon Sep 17 00:00:00 2001
From: Brent Kimmel
Date: Thu, 30 Apr 2020 14:42:08 -0400
Subject: [PATCH] add related event generation to ancestor nodes

---
 .../plugins/endpoint/common/generate_data.ts | 34 +++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/endpoint/common/generate_data.ts b/x-pack/plugins/endpoint/common/generate_data.ts
index e40fc3e386bc89..9742725c9e1ca2 100644
--- a/x-pack/plugins/endpoint/common/generate_data.ts
+++ b/x-pack/plugins/endpoint/common/generate_data.ts
@@ -331,7 +331,11 @@ export class EndpointDocGenerator {
     percentNodesWithRelated?: number,
     percentChildrenTerminated?: number
   ) {
-    const ancestry = this.createAlertEventAncestry(alertAncestors);
+    const ancestry = this.createAlertEventAncestry(
+      alertAncestors,
+      relatedEventsPerNode,
+      percentNodesWithRelated
+    );
     for (let i = 0; i < ancestry.length; i++) {
       yield ancestry[i];
     }
@@ -350,18 +354,44 @@ export class EndpointDocGenerator {
    * Creates an alert event and associated process ancestry. The alert event will always be the last event in the return array.
    * @param alertAncestors - number of ancestor generations to create
    */
-  public createAlertEventAncestry(alertAncestors = 3): Event[] {
+  public createAlertEventAncestry(
+    alertAncestors = 3,
+    relatedEventsPerNode = 5,
+    pctWithRelated = 30
+  ): Event[] {
     const events = [];
     const startDate = new Date().getTime();
     const root = this.generateEvent({ timestamp: startDate + 1000 });
     events.push(root);
     let ancestor = root;
+    // generate related alerts for root
+    const processDuration: number = 6 * 3600;
+    if (this.randomN(100) < pctWithRelated) {
+      for (const relatedEvent of this.relatedEventsGenerator(
+        ancestor,
+        relatedEventsPerNode,
+        processDuration
+      )) {
+        events.push(relatedEvent);
+      }
+    }
     for (let i = 0; i < alertAncestors; i++) {
       ancestor = this.generateEvent({
         timestamp: startDate + 1000 * (i + 1),
         parentEntityID: ancestor.process.entity_id,
       });
       events.push(ancestor);
+
+      // generate related alerts for ancestor
+      if (this.randomN(100) < pctWithRelated) {
+        for (const relatedEvent of this.relatedEventsGenerator(
+          ancestor,
+          relatedEventsPerNode,
+          processDuration
+        )) {
+          events.push(relatedEvent);
+        }
+      }
     }
     events.push(
       this.generateAlert(
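Review bot: The TSDoc above the new signature still documents only `alertAncestors`; the two new parameters need their own lines, e.g. `* @param relatedEventsPerNode - number of related events generated for each node that is selected` and `* @param pctWithRelated - percentage (0-100) of nodes that receive related events`. The related-event block is duplicated verbatim for the root and for each ancestor with only the node differing, so a small private helper removes the duplication and keeps `processDuration` (whose unit the hunk does not state — `6 * 3600` reads as seconds, worth a comment) in one place. The callee names the percentage `pctWithRelated` while the caller in the earlier hunk passes `percentNodesWithRelated`; using one name for both makes the generator easier to follow. createAlertEventAncestry's body continues past the end of the hunk.
```typescript
  /** Appends related events for `node` to `events` when the percentage roll succeeds. */
  private pushRelatedEvents(
    events: Event[],
    node: Event,
    relatedEventsPerNode: number,
    pctWithRelated: number,
    processDuration: number
  ): void {
    if (this.randomN(100) < pctWithRelated) {
      for (const relatedEvent of this.relatedEventsGenerator(node, relatedEventsPerNode, processDuration)) {
        events.push(relatedEvent);
      }
    }
  }

  // … unchanged: createAlertEventAncestry signature, events/startDate/root setup …
    const processDuration = 6 * 3600; // TODO confirm unit expected by relatedEventsGenerator
    this.pushRelatedEvents(events, root, relatedEventsPerNode, pctWithRelated, processDuration);
    for (let i = 0; i < alertAncestors; i++) {
      // … unchanged: generateEvent call and events.push(ancestor) …
      this.pushRelatedEvents(events, ancestor, relatedEventsPerNode, pctWithRelated, processDuration);
    }
```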