elastic · dplumlee · Apr 26, 2023 · Mar 30, 2023 · Apr 13, 2023 · Apr 22, 2023
@@ -124,6 +124,8 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
 
                 if (filteredAlerts.length === 0) {
                   return { createdAlerts: [], errors: {}, alertsWereTruncated: false };
+                } else if (maxAlerts === 0) {
+                  return { createdAlerts: [], errors: {}, alertsWereTruncated: true };
                 }
 
                 let enrichedAlerts = filteredAlerts;

@@ -5,9 +5,9 @@
  * 2.0.
  */
 
-import chunk from 'lodash/fp/chunk';
 import type { OpenPointInTimeResponse } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 
+import { uniq, chunk } from 'lodash/fp';
 import { getThreatList, getThreatListCount } from './get_threat_list';
 import type {
   CreateThreatSignalsOptions,
@@ -27,6 +27,7 @@ import { getAllowedFieldsForTermQuery } from './get_allowed_fields_for_terms_que
 import { getEventCount, getEventList } from './get_event_count';
 import { getMappingFilters } from './get_mapping_filters';
 import { THREAT_PIT_KEEP_ALIVE } from '../../../../../../common/cti/constants';
+import { getMaxSignalsWarning } from '../../utils/utils';
 
 export const createThreatSignals = async ({
   alertId,
@@ -107,11 +108,6 @@ export const createThreatSignals = async ({
 
   ruleExecutionLogger.debug(`Total event count: ${eventCount}`);
 
-  // if (eventCount === 0) {
-  //   ruleExecutionLogger.debug('Indicator matching rule has completed');
-  //   return results;
-  // }
-
   let threatPitId: OpenPointInTimeResponse['id'] = (
     await services.scopedClusterClient.asCurrentUser.openPointInTime({
       index: threatIndex,
@@ -171,6 +167,11 @@ export const createThreatSignals = async ({
         `all successes are ${results.success}`
       );
       if (results.createdSignalsCount >= params.maxSignals) {
+        if (results.warningMessages.includes(getMaxSignalsWarning())) {
+          results.warningMessages = uniq(results.warningMessages);
+        } else {
+          results.warningMessages.push(getMaxSignalsWarning());
+        }
-        if (results.warningMessages.includes(getMaxSignalsWarning())) {
-          results.warningMessages = uniq(results.warningMessages);
-        } else {
-          results.warningMessages.push(getMaxSignalsWarning());
-        }
+        if (results.warningMessages.includes(getMaxSignalsWarning())) {
+          results.warningMessages = uniq(results.warningMessages);
+        } else if (documentCount > 0) {
+          results.warningMessages.push(getMaxSignalsWarning());
+        }
-        if (results.warningMessages.includes(getMaxSignalsWarning())) {
-          results.warningMessages = uniq(results.warningMessages);
-        } else {
-          results.warningMessages.push(getMaxSignalsWarning());
-        }
+        if (results.warningMessages.includes(getMaxSignalsWarning())) {
+          results.warningMessages = uniq(results.warningMessages);
+        } else if (documentCount > 0) {
+          results.warningMessages.push(getMaxSignalsWarning());
+        }
         ruleExecutionLogger.debug(
           `Indicator match has reached its max signals count ${params.maxSignals}. Additional documents not checked are ${documentCount}`
         );

@@ -20,6 +20,7 @@ export const findMlSignals = async ({
   anomalyThreshold,
   from,
   to,
+  maxSignals,
   exceptionFilter,
 }: {
   ml: MlPluginSetup;
@@ -29,6 +30,7 @@ export const findMlSignals = async ({
   anomalyThreshold: number;
   from: string;
   to: string;
+  maxSignals: number;
   exceptionFilter: Filter | undefined;
 }): Promise<AnomalyResults> => {
   const { mlAnomalySearch } = ml.mlSystemProvider(request, savedObjectsClient);
@@ -37,6 +39,7 @@ export const findMlSignals = async ({
     threshold: anomalyThreshold,
     earliestMs: dateMath.parse(from)?.valueOf() ?? 0,
     latestMs: dateMath.parse(to)?.valueOf() ?? 0,
+    maxRecords: maxSignals,
     exceptionFilter,
   };
   return getAnomalies(params, mlAnomalySearch);

@@ -24,6 +24,7 @@ import {
   addToSearchAfterReturn,
   createErrorsFromShard,
   createSearchAfterReturnType,
+  getMaxSignalsWarning,
   mergeReturns,
 } from '../utils/utils';
 import type { SetupPlugins } from '../../../../plugin';
@@ -102,9 +103,14 @@ export const mlExecutor = async ({
       anomalyThreshold: ruleParams.anomalyThreshold,
       from: tuple.from.toISOString(),
       to: tuple.to.toISOString(),
+      maxSignals: tuple.maxSignals,
       exceptionFilter,
     });
 
+    if (anomalyResults.hits.total && anomalyResults.hits.total > tuple.maxSignals) {
+      result.warningMessages.push(getMaxSignalsWarning());
+    }
+
     const [filteredAnomalyHits, _] = await filterEventsAgainstList({
       listClient,
       ruleExecutionLogger,

@@ -38,6 +38,7 @@ import {
 import {
   addToSearchAfterReturn,
   createSearchAfterReturnType,
+  getMaxSignalsWarning,
   getUnprocessedExceptionsWarnings,
 } from '../utils/utils';
 import { createEnrichEventsFunction } from '../utils/enrichments';
@@ -153,7 +154,7 @@ export const createNewTermsAlertType = (
       // it's possible for the array to be truncated but alert documents could fail to be created for other reasons,
       // in which case createdSignalsCount would still be less than maxSignals. Since valid alerts were truncated from
       // the array in that case, we stop and report the errors.
-      while (result.createdSignalsCount < params.maxSignals) {
+      while (result.createdSignalsCount <= params.maxSignals) {
         // PHASE 1: Fetch a page of terms using a composite aggregation. This will collect a page from
         // all of the terms seen over the last rule interval. In the next phase we'll determine which
         // ones are new.
@@ -311,6 +312,10 @@ export const createNewTermsAlertType = (
             })
           );
 
+          if (bulkCreateResult.alertsWereTruncated) {
+            result.warningMessages.push(getMaxSignalsWarning());
+          }
+
           addToSearchAfterReturn({ current: result, next: bulkCreateResult });
 
           if (bulkCreateResult.alertsWereTruncated) {

@@ -26,7 +26,7 @@ export const buildGroupByFieldAggregation = ({
           },
         },
       })),
-      size: maxSignals,
+      size: maxSignals + 1, // Add extra bucket to check if there's more data after max signals
     },
     aggs: {
       topHits: {

@@ -19,7 +19,11 @@ import type {
   SearchAfterAndBulkCreateReturnType,
   SignalSource,
 } from '../../types';
-import { addToSearchAfterReturn, getUnprocessedExceptionsWarnings } from '../../utils/utils';
+import {
+  addToSearchAfterReturn,
+  getMaxSignalsWarning,
+  getUnprocessedExceptionsWarnings,
+} from '../../utils/utils';
 import type { SuppressionBuckets } from './wrap_suppressed_alerts';
 import { wrapSuppressedAlerts } from './wrap_suppressed_alerts';
 import { buildGroupByFieldAggregation } from './build_group_by_field_aggregation';
@@ -206,6 +210,10 @@ export const groupAndBulkCreate = async ({
         return toReturn;
       }
 
+      if (buckets.length > tuple.maxSignals) {
+        toReturn.warningMessages.push(getMaxSignalsWarning());
+      }
+
       const suppressionBuckets: SuppressionBuckets[] = buckets.map((bucket) => ({
         event: bucket.topHits.hits.hits[0],
         count: bucket.doc_count,

@@ -30,6 +30,7 @@ import type {
 } from './types';
 import { shouldFilterByCardinality } from './utils';
 import type { IRuleExecutionLogForExecutors } from '../../rule_monitoring';
+import { getMaxSignalsWarning } from '../utils/utils';
 
 interface FindThresholdSignalsParams {
   from: string;
@@ -70,6 +71,7 @@ export const findThresholdSignals = async ({
   buckets: ThresholdBucket[];
   searchDurations: string[];
   searchErrors: string[];
+  warnings: string[];
 }> => {
   // Leaf aggregations used below
   let sortKeys;
@@ -78,6 +80,7 @@ export const findThresholdSignals = async ({
     searchDurations: [],
     searchErrors: [],
   };
+  const warnings: string[] = [];
 
   const includeCardinalityFilter = shouldFilterByCardinality(threshold);
 
@@ -166,8 +169,13 @@ export const findThresholdSignals = async ({
     }
   }
 
+  if (buckets.length >= maxSignals) {
+    warnings.push(getMaxSignalsWarning());
+  }
+
   return {
     buckets: buckets.slice(0, maxSignals),
     ...searchAfterResults,
+    warnings,
   };
 };
@@ -128,7 +128,7 @@ export const thresholdExecutor = async ({
     });
 
     // Look for new events over threshold
-    const { buckets, searchErrors, searchDurations } = await findThresholdSignals({
+    const { buckets, searchErrors, searchDurations, warnings } = await findThresholdSignals({
       inputIndexPattern: inputIndex,
       from: tuple.from.toISOString(),
       to: tuple.to.toISOString(),
@@ -164,6 +164,7 @@ export const thresholdExecutor = async ({
 
     result.errors.push(...previousSearchErrors);
     result.errors.push(...searchErrors);
+    result.warningMessages.push(...warnings);
     result.searchAfterTimes = searchDurations;
 
     const createdAlerts = createResult.createdItems.map((alert) => {

@@ -19,6 +19,7 @@ import {
   mergeSearchResults,
   getSafeSortIds,
   addToSearchAfterReturn,
+  getMaxSignalsWarning,
 } from './utils';
 import type { SearchAfterAndBulkCreateParams, SearchAfterAndBulkCreateReturnType } from '../types';
 import { withSecuritySpan } from '../../../../utils/with_security_span';
@@ -60,7 +61,7 @@ export const searchAfterAndBulkCreate = async ({
       });
     }
 
-    while (toReturn.createdSignalsCount < tuple.maxSignals) {
+    while (toReturn.createdSignalsCount <= tuple.maxSignals) {
       try {
         let mergedSearchResults = createSearchResultReturnType();
         ruleExecutionLogger.debug(`sortIds: ${sortIds}`);
@@ -136,23 +137,23 @@ export const searchAfterAndBulkCreate = async ({
         // skip the call to bulk create and proceed to the next search_after,
         // if there is a sort id to continue the search_after with.
         if (includedEvents.length !== 0) {
-          // make sure we are not going to create more signals than maxSignals allows
-          const limitedEvents = includedEvents.slice(
-            0,
-            tuple.maxSignals - toReturn.createdSignalsCount
-          );
-          const enrichedEvents = await enrichment(limitedEvents);
+          const enrichedEvents = await enrichment(includedEvents);
           const wrappedDocs = wrapHits(enrichedEvents, buildReasonMessage);
 
           const bulkCreateResult = await bulkCreate(
             wrappedDocs,
-            undefined,
+            tuple.maxSignals - toReturn.createdSignalsCount,
             createEnrichEventsFunction({
               services,
               logger: ruleExecutionLogger,
             })
           );
 
+          if (bulkCreateResult.alertsWereTruncated) {
+            toReturn.warningMessages.push(getMaxSignalsWarning());
+            break;
+          }
+
           addToSearchAfterReturn({ current: toReturn, next: bulkCreateResult });
 
           ruleExecutionLogger.debug(`created ${bulkCreateResult.createdItemsCount} signals`);

@@ -953,3 +953,7 @@ export const getUnprocessedExceptionsWarnings = (
     )}`;
   }
 };
+
+export const getMaxSignalsWarning = (): string => {
+  return `The max alerts circut breaker was hit but there might still be alerts this rule is missing`;
+};
@@ -33,7 +33,10 @@ export const createSecuritySolutionAlerts = async (
   supertest: SuperTest.SuperTest<SuperTest.Test>,
   log: ToolingLog
 ): Promise<estypes.SearchResponse<DetectionAlert & RiskEnrichmentFields>> => {
-  const rule = getRuleForSignalTesting(['auditbeat-*']);
+  const rule = {
+    ...getRuleForSignalTesting(['auditbeat-*']),
+    query: 'process.executable: "/usr/bin/sudo"',
+  };
   const { id } = await createRule(supertest, log, rule);
   await waitForRuleSuccess({ supertest, log, id });
   await waitForSignalsToBePresent(supertest, log, 1, [id]);

diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/open_close_signals.ts b/x-pack/test/detection_engine_api_integration/basic/tests/open_close_signals.ts
@@ -55,7 +55,10 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       it('should be able to execute and get 10 signals', async () => {
-        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const rule = {
+          ...getRuleForSignalTesting(['auditbeat-*']),
+          query: 'process.executable: "/usr/bin/sudo"',
+        };
         const { id } = await createRule(supertest, log, rule);
         await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);
@@ -64,7 +67,10 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       it('should be have set the signals in an open state initially', async () => {
-        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const rule = {
+          ...getRuleForSignalTesting(['auditbeat-*']),
+          query: 'process.executable: "/usr/bin/sudo"',
+        };
         const { id } = await createRule(supertest, log, rule);
         await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);
@@ -76,7 +82,10 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       it('should be able to get a count of 10 closed signals when closing 10', async () => {
-        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const rule = {
+          ...getRuleForSignalTesting(['auditbeat-*']),
+          query: 'process.executable: "/usr/bin/sudo"',
+        };
         const { id } = await createRule(supertest, log, rule);
         await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);
@@ -102,7 +111,10 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       it('should be able close 10 signals immediately and they all should be closed', async () => {
-        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const rule = {
+          ...getRuleForSignalTesting(['auditbeat-*']),
+          query: 'process.executable: "/usr/bin/sudo"',
+        };
         const { id } = await createRule(supertest, log, rule);
         await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);

diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts
@@ -58,7 +58,10 @@ export default ({ getService }: FtrProviderContext) => {
       ];
       indexTestCases.forEach((index) => {
         it(`for KQL rule with index param: ${index}`, async () => {
-          const rule = getRuleForSignalTesting(index);
+          const rule = {
+            ...getRuleForSignalTesting(index),
+            query: 'process.executable: "/usr/bin/sudo"',
+          };
           await createUserAndRole(getService, ROLES.detections_admin);
           const { id } = await createRuleWithAuth(supertestWithoutAuth, rule, {
             user: ROLES.detections_admin,

diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/create_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/create_rules.ts
@@ -123,11 +123,14 @@ export default ({ getService }: FtrProviderContext) => {
          this pops up again elsewhere.
         */
         it('should create a single rule with a rule_id and validate it ran successfully', async () => {
-          const simpleRule = getRuleForSignalTesting(['auditbeat-*']);
+          const rule = {
+            ...getRuleForSignalTesting(['auditbeat-*']),
+            query: 'process.executable: "/usr/bin/sudo"',
+          };
           const { body } = await supertest
             .post(DETECTION_ENGINE_RULES_URL)
             .set('kbn-xsrf', 'true')
-            .send(simpleRule)
+            .send(rule)
             .expect(200);
 
           await waitForRuleSuccess({ supertest, log, id: body.id });
@@ -161,11 +164,14 @@ export default ({ getService }: FtrProviderContext) => {
         });
 
         it('should create a single rule with a rule_id and an index pattern that does not match anything and an index pattern that does and the rule should be successful', async () => {
-          const simpleRule = getRuleForSignalTesting(['does-not-exist-*', 'auditbeat-*']);
+          const rule = {
+            ...getRuleForSignalTesting(['does-not-exist-*', 'auditbeat-*']),
+            query: 'process.executable: "/usr/bin/sudo"',
+          };
           const { body } = await supertest
             .post(DETECTION_ENGINE_RULES_URL)
             .set('kbn-xsrf', 'true')
-            .send(simpleRule)
+            .send(rule)
             .expect(200);
 
           await waitForRuleSuccess({ supertest, log, id: body.id });