[Security Solution] Adds max signals warning to UI propagated rule warnings #154112
Merged
Changes from 10 commits
Commits
21 commits
ec6d4ce adds max signal warning (dplumlee)
605332f makes more inclusive (dplumlee)
dbee6f9 updates from convo (dplumlee)
af1072e updates message (dplumlee)
4d86c88 ups max signal count for testing (dplumlee)
5f00da8 revert (dplumlee)
2ba57a7 updates tests (dplumlee)
74308d2 updates remaining tests (dplumlee)
1f94e84 Merge remote-tracking branch 'upstream/main' into max-signals-warning (dplumlee)
16f2576 fixes tests (dplumlee)
8d9b9eb adds new tests (dplumlee)
399e3ee Merge remote-tracking branch 'upstream/main' into max-signals-warning (dplumlee)
6facf8b adds comment (dplumlee)
345ea57 removes old code (dplumlee)
bff4179 changes eql (dplumlee)
0116cd0 address comments (dplumlee)
c27a998 Merge remote-tracking branch 'upstream/main' into max-signals-warning (dplumlee)
7680334 changes message (dplumlee)
282094f fixes flaky test (dplumlee)
72674ba Merge branch 'main' into max-signals-warning (kibanamachine)
4fbc128 Merge branch 'main' into max-signals-warning (kibanamachine)
@@ -5,9 +5,9 @@ | |||||||||||||||||||||
* 2.0. | ||||||||||||||||||||||
*/ | ||||||||||||||||||||||
|
||||||||||||||||||||||
import chunk from 'lodash/fp/chunk'; | ||||||||||||||||||||||
import type { OpenPointInTimeResponse } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; | ||||||||||||||||||||||
|
||||||||||||||||||||||
import { uniq, chunk } from 'lodash/fp'; | ||||||||||||||||||||||
import { getThreatList, getThreatListCount } from './get_threat_list'; | ||||||||||||||||||||||
import type { | ||||||||||||||||||||||
CreateThreatSignalsOptions, | ||||||||||||||||||||||
|
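Review bot: the new `import { uniq, chunk } from 'lodash/fp';` replaces `import chunk from 'lodash/fp/chunk';`, which switches this file from per-method lodash paths to the barrel import; that is fine if the barrel form is the convention in this directory, otherwise `import uniq from 'lodash/fp/uniq';` next to the existing chunk line keeps the style intact. The new line also lands below the `@elastic/elasticsearch` type import, separated by a blank line, instead of in the third-party import group at the top of the block.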
@@ -27,6 +27,7 @@ import { getAllowedFieldsForTermQuery } from './get_allowed_fields_for_terms_que | |||||||||||||||||||||
import { getEventCount, getEventList } from './get_event_count'; | ||||||||||||||||||||||
import { getMappingFilters } from './get_mapping_filters'; | ||||||||||||||||||||||
import { THREAT_PIT_KEEP_ALIVE } from '../../../../../../common/cti/constants'; | ||||||||||||||||||||||
import { getMaxSignalsWarning } from '../../utils/utils'; | ||||||||||||||||||||||
|
||||||||||||||||||||||
export const createThreatSignals = async ({ | ||||||||||||||||||||||
alertId, | ||||||||||||||||||||||
|
@@ -107,11 +108,6 @@ export const createThreatSignals = async ({ | |||||||||||||||||||||
|
||||||||||||||||||||||
ruleExecutionLogger.debug(`Total event count: ${eventCount}`); | ||||||||||||||||||||||
|
||||||||||||||||||||||
// if (eventCount === 0) { | ||||||||||||||||||||||
// ruleExecutionLogger.debug('Indicator matching rule has completed'); | ||||||||||||||||||||||
// return results; | ||||||||||||||||||||||
// } | ||||||||||||||||||||||
|
||||||||||||||||||||||
|
||||||||||||||||||||||
let threatPitId: OpenPointInTimeResponse['id'] = ( | ||||||||||||||||||||||
await services.scopedClusterClient.asCurrentUser.openPointInTime({ | ||||||||||||||||||||||
index: threatIndex, | ||||||||||||||||||||||
|
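Review bot: deleting the commented-out `if (eventCount === 0)` early return is the right call for dead code, but with it gone there is no visible short circuit for an empty event set before `openPointInTime` is called on `threatIndex`. Confirm that the loop further down exits promptly when `eventCount` is 0 (the debug line just above already logs the count), so a point in time held for `THREAT_PIT_KEEP_ALIVE` is not opened for nothing; otherwise a live version of that check belongs here rather than a commented-out one.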
@@ -171,6 +167,11 @@ export const createThreatSignals = async ({ | |||||||||||||||||||||
`all successes are ${results.success}` | ||||||||||||||||||||||
); | ||||||||||||||||||||||
if (results.createdSignalsCount >= params.maxSignals) { | ||||||||||||||||||||||
if (results.warningMessages.includes(getMaxSignalsWarning())) { | ||||||||||||||||||||||
results.warningMessages = uniq(results.warningMessages); | ||||||||||||||||||||||
} else { | ||||||||||||||||||||||
results.warningMessages.push(getMaxSignalsWarning()); | ||||||||||||||||||||||
} | ||||||||||||||||||||||
|
||||||||||||||||||||||
ruleExecutionLogger.debug( | ||||||||||||||||||||||
`Indicator match has reached its max signals count ${params.maxSignals}. Additional documents not checked are ${documentCount}` | ||||||||||||||||||||||
); | ||||||||||||||||||||||
|
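Review bot: the includes/uniq/push branching in the added block is harder to read than it needs to be and calls `getMaxSignalsWarning()` three times; the goal is simply to have the warning present once, so `const maxSignalsWarning = getMaxSignalsWarning();` followed by `if (!results.warningMessages.includes(maxSignalsWarning)) { results.warningMessages.push(maxSignalsWarning); }` does the same without the `uniq` pass, which in the current form also dedupes every other entry in `warningMessages` as a side effect. A short comment on why the warning can already be present when this branch runs would help the next reader.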
2 changes (1 addition & 1 deletion): ...types/query/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap
Short circuiting here if maxAlerts is passed in as zero. We're using this function's deduping ability to check that: if max signals was hit, are any remaining alerts actual alerts or are they duplicates? If there are remaining alerts in filteredAlerts at this point, we can assume they are actual alerts and don't need any additional function logic.