Skip to content

Commit

Permalink
Fixed query to work with different source timestamps
Browse files Browse the repository at this point in the history
  • Loading branch information
@FrankHassanabad
FrankHassanabad committed Jun 3, 2021
1 parent 60f6d4a commit b8c57f5
Show file tree
Hide file tree
Showing 12 changed files with 248 additions and 248 deletions.
8 changes: 4 additions & 4 deletions x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ export const sampleDocWithSortId = (
export const sampleDocNoSortId = (
someUuid: string = sampleIdGuid,
ip?: string
): SignalSourceHit => ({
): SignalSourceHit & { _source: Required<SignalSourceHit>['_source'] } => ({
_index: 'myFakeSignalIndex',
_type: 'doc',
_score: 100,
Expand Down Expand Up @@ -225,12 +225,12 @@ export const sampleWrappedSignalHit = (): WrappedSignalHit => {
};
};

export const sampleDocWithAncestors = (): SignalSearchResponse => {
export const sampleDocWithAncestors = (): SignalSearchResponse & {
hits: { hits: Array<ReturnType<typeof sampleDocNoSortId>> };
} => {
const sampleDoc = sampleDocNoSortId();
delete sampleDoc.sort;
// @ts-expect-error @elastic/elasticsearch _source is optional
delete sampleDoc._source.source;
// @ts-expect-error @elastic/elasticsearch _source is optional
sampleDoc._source.signal = {
parent: {
id: 'd5e8eb51-a6a0-456d-8a15-4b79bfec3d71',
Expand Down
61 changes: 24 additions & 37 deletions x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ import { SignalHit, SignalSourceHit } from './types';
import { SIGNALS_TEMPLATE_VERSION } from '../routes/index/get_signals_template';
import { getQueryRuleParams, getThresholdRuleParams } from '../schemas/rule_schemas.mock';

type SignalHitOptionalTimestamp = Omit<SignalHit, '@timestamp'> & {
'@timestamp'?: SignalHit['@timestamp'];
};

describe('buildBulkBody', () => {
beforeEach(() => {
jest.clearAllMocks();
Expand All @@ -32,11 +36,9 @@ describe('buildBulkBody', () => {
test('bulk body builds well-defined body', () => {
const ruleSO = sampleRuleSO(getQueryRuleParams());
const doc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
delete doc._source.source;
const fakeSignalSourceHit = buildBulkBody(ruleSO, doc);
const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody(ruleSO, doc);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete fakeSignalSourceHit['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> & { someKey: 'someValue' } = {
someKey: 'someValue',
Expand Down Expand Up @@ -69,7 +71,7 @@ describe('buildBulkBody', () => {
depth: 0,
},
],
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
status: 'open',
rule: expectedRule(),
depth: 1,
Expand All @@ -81,9 +83,8 @@ describe('buildBulkBody', () => {
test('bulk body builds well-defined body with threshold results', () => {
const ruleSO = sampleRuleSO(getThresholdRuleParams());
const baseDoc = sampleDocNoSortId();
const doc: SignalSourceHit = {
const doc: SignalSourceHit & { _source: Required<SignalSourceHit>['_source'] } = {
...baseDoc,
// @ts-expect-error @elastic/elasticsearch _source is optional
_source: {
...baseDoc._source,
threshold_result: {
Expand All @@ -96,11 +97,9 @@ describe('buildBulkBody', () => {
},
},
};
// @ts-expect-error @elastic/elasticsearch _source is optional
delete doc._source.source;
const fakeSignalSourceHit = buildBulkBody(ruleSO, doc);
const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody(ruleSO, doc);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete fakeSignalSourceHit['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> & { someKey: 'someValue' } = {
someKey: 'someValue',
Expand Down Expand Up @@ -133,7 +132,7 @@ describe('buildBulkBody', () => {
depth: 0,
},
],
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
status: 'open',
rule: {
...expectedRule(),
Expand Down Expand Up @@ -167,18 +166,15 @@ describe('buildBulkBody', () => {
test('bulk body builds original_event if it exists on the event to begin with', () => {
const ruleSO = sampleRuleSO(getQueryRuleParams());
const doc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
delete doc._source.source;
// @ts-expect-error @elastic/elasticsearch _source is optional
doc._source.event = {
action: 'socket_opened',
module: 'system',
dataset: 'socket',
kind: 'event',
};
const fakeSignalSourceHit = buildBulkBody(ruleSO, doc);
const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody(ruleSO, doc);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete fakeSignalSourceHit['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> & { someKey: 'someValue' } = {
someKey: 'someValue',
Expand Down Expand Up @@ -220,7 +216,7 @@ describe('buildBulkBody', () => {
depth: 0,
},
],
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
status: 'open',
rule: expectedRule(),
depth: 1,
Expand All @@ -232,17 +228,14 @@ describe('buildBulkBody', () => {
test('bulk body builds original_event if it exists on the event to begin with but no kind information', () => {
const ruleSO = sampleRuleSO(getQueryRuleParams());
const doc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
delete doc._source.source;
// @ts-expect-error @elastic/elasticsearch _source is optional
doc._source.event = {
action: 'socket_opened',
module: 'system',
dataset: 'socket',
};
const fakeSignalSourceHit = buildBulkBody(ruleSO, doc);
const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody(ruleSO, doc);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete fakeSignalSourceHit['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> & { someKey: 'someValue' } = {
someKey: 'someValue',
Expand Down Expand Up @@ -283,7 +276,7 @@ describe('buildBulkBody', () => {
depth: 0,
},
],
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
status: 'open',
rule: expectedRule(),
depth: 1,
Expand All @@ -295,15 +288,12 @@ describe('buildBulkBody', () => {
test('bulk body builds original_event if it exists on the event to begin with with only kind information', () => {
const ruleSO = sampleRuleSO(getQueryRuleParams());
const doc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
delete doc._source.source;
// @ts-expect-error @elastic/elasticsearch _source is optional
doc._source.event = {
kind: 'event',
};
const fakeSignalSourceHit = buildBulkBody(ruleSO, doc);
const fakeSignalSourceHit: SignalHitOptionalTimestamp = buildBulkBody(ruleSO, doc);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete fakeSignalSourceHit['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> & { someKey: 'someValue' } = {
someKey: 'someValue',
Expand Down Expand Up @@ -339,7 +329,7 @@ describe('buildBulkBody', () => {
depth: 0,
},
],
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
status: 'open',
rule: expectedRule(),
depth: 1,
Expand All @@ -351,7 +341,6 @@ describe('buildBulkBody', () => {
test('bulk body builds "original_signal" if it exists already as a numeric', () => {
const ruleSO = sampleRuleSO(getQueryRuleParams());
const sampleDoc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
delete sampleDoc._source.source;
const doc = ({
...sampleDoc,
Expand Down Expand Up @@ -393,7 +382,7 @@ describe('buildBulkBody', () => {
depth: 0,
},
],
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
status: 'open',
rule: expectedRule(),
depth: 1,
Expand All @@ -405,7 +394,6 @@ describe('buildBulkBody', () => {
test('bulk body builds "original_signal" if it exists already as an object', () => {
const ruleSO = sampleRuleSO(getQueryRuleParams());
const sampleDoc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
delete sampleDoc._source.source;
const doc = ({
...sampleDoc,
Expand Down Expand Up @@ -447,7 +435,7 @@ describe('buildBulkBody', () => {
depth: 0,
},
],
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
status: 'open',
rule: expectedRule(),
depth: 1,
Expand All @@ -466,9 +454,8 @@ describe('buildSignalFromSequence', () => {
block2._source.new_key = 'new_key_value';
const blocks = [block1, block2];
const ruleSO = sampleRuleSO(getQueryRuleParams());
const signal = buildSignalFromSequence(blocks, ruleSO);
const signal: SignalHitOptionalTimestamp = buildSignalFromSequence(blocks, ruleSO);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete signal['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> & { new_key: string } = {
new_key: 'new_key_value',
Expand Down Expand Up @@ -552,9 +539,8 @@ describe('buildSignalFromSequence', () => {
block2._source['@timestamp'] = '2021-05-20T22:28:46+0000';
block2._source.someKey = 'someOtherValue';
const ruleSO = sampleRuleSO(getQueryRuleParams());
const signal = buildSignalFromSequence([block1, block2], ruleSO);
const signal: SignalHitOptionalTimestamp = buildSignalFromSequence([block1, block2], ruleSO);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete signal['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> = {
event: {
Expand Down Expand Up @@ -635,12 +621,13 @@ describe('buildSignalFromSequence', () => {
describe('buildSignalFromEvent', () => {
test('builds a basic signal from a single event', () => {
const ancestor = sampleDocWithAncestors().hits.hits[0];
// @ts-expect-error @elastic/elasticsearch _source is optional
delete ancestor._source.source;
const ruleSO = sampleRuleSO(getQueryRuleParams());
const signal = buildSignalFromEvent(ancestor, ruleSO, true);
const signal: Omit<SignalHit, '@timestamp'> & {
'@timestamp'?: SignalHit['@timestamp'];
} = buildSignalFromEvent(ancestor, ruleSO, true);

// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete signal['@timestamp'];
const expected: Omit<SignalHit, '@timestamp'> & { someKey: 'someValue' } = {
someKey: 'someValue',
Expand All @@ -651,7 +638,7 @@ describe('buildSignalFromEvent', () => {
_meta: {
version: SIGNALS_TEMPLATE_VERSION,
},
original_time: '2020-04-20T21:27:45+0000',
original_time: '2020-04-20T21:27:45.000Z',
parent: {
id: sampleIdGuid,
rule: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
Expand Down
3 changes: 0 additions & 3 deletions ...ins/security_solution/server/lib/detection_engine/signals/build_event_type_signal.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ describe('buildEventTypeSignal', () => {

test('it returns the event appended of kind signal if it does not exist', () => {
const doc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
delete doc._source.event;
const eventType = buildEventTypeSignal(doc);
const expected: object = { kind: 'signal' };
Expand All @@ -25,7 +24,6 @@ describe('buildEventTypeSignal', () => {

test('it returns the event appended of kind signal if it is an empty object', () => {
const doc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
doc._source.event = {};
const eventType = buildEventTypeSignal(doc);
const expected: object = { kind: 'signal' };
Expand All @@ -34,7 +32,6 @@ describe('buildEventTypeSignal', () => {

test('it returns the event with kind signal and other properties if they exist', () => {
const doc = sampleDocNoSortId();
// @ts-expect-error @elastic/elasticsearch _source is optional
doc._source.event = {
action: 'socket_opened',
module: 'system',
Expand Down
Loading

0 comments on commit b8c57f5

Please sign in to comment.