Fix bug with incorrect calculation of threshold signal dupes when no …

…threshold field present
elastic · Dec 16, 2020 · 04b1432 · 04b1432
1 parent 6e94e3b
commit 04b1432
Showing 1 changed file with 22 additions and 18 deletions.
diff --git a/...ins/security_solution/server/lib/detection_engine/signals/threshold_get_bucket_filters.ts b/...ins/security_solution/server/lib/detection_engine/signals/threshold_get_bucket_filters.ts
@@ -4,6 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { isEmpty } from 'lodash';
+
 import { Filter } from 'src/plugins/data/common';
 import { ESFilter } from '../../../../../../typings/elasticsearch';
 
@@ -54,27 +56,29 @@ export const getThresholdBucketFilters = async ({
 
   const filters = searchResult.aggregations.threshold.buckets.reduce(
     (acc: ESFilter[], bucket: ThresholdQueryBucket): ESFilter[] => {
-      return [
-        ...acc,
-        {
-          bool: {
-            filter: [
-              {
-                term: {
-                  [bucketByField || 'signal.rule.rule_id']: bucket.key,
-                },
-              },
-              {
-                range: {
-                  [timestampOverride ?? '@timestamp']: {
-                    lte: bucket.lastSignalTimestamp.value_as_string,
-                  },
+      const filter = {
+        bool: {
+          filter: [
+            {
+              range: {
+                [timestampOverride ?? '@timestamp']: {
+                  lte: bucket.lastSignalTimestamp.value_as_string,
                 },
               },
-            ],
+            },
+          ],
+        },
+      } as ESFilter;
+
+      if (!isEmpty(bucketByField)) {
+        (filter.bool.filter as ESFilter[]).push({
+          term: {
+            [bucketByField]: bucket.key,
           },
-        } as ESFilter,
-      ];
+        });
+      }
+
+      return [...acc, filter];
     },
     [] as ESFilter[]
   );