Fix EQL search request filter when built with exceptions (#79753)
marshallmain authored Oct 6, 2020
1 parent 0db0a16 commit 7f5b824
Showing 2 changed files with 84 additions and 56 deletions.
Expand Up @@ -1105,11 +1105,17 @@ describe('get_filter', () => {
size: 100,
query: 'process where true',
filter: {
range: {
'@timestamp': {
gte: 'now-5m',
lte: 'now',
},
bool: {
filter: [
{
range: {
'@timestamp': {
gte: 'now-5m',
lte: 'now',
},
},
},
],
},
},
},
Expand All @@ -1135,11 +1141,17 @@ describe('get_filter', () => {
size: 100,
query: 'process where true',
filter: {
range: {
'event.ingested': {
gte: 'now-5m',
lte: 'now',
},
bool: {
filter: [
{
range: {
'event.ingested': {
gte: 'now-5m',
lte: 'now',
},
},
},
],
},
},
},
Expand All @@ -1164,44 +1176,52 @@ describe('get_filter', () => {
size: 100,
query: 'process where true',
filter: {
range: {
'@timestamp': {
gte: 'now-5m',
lte: 'now',
},
},
bool: {
must_not: {
bool: {
should: [
{
filter: [
{
range: {
'@timestamp': {
gte: 'now-5m',
lte: 'now',
},
},
},
{
bool: {
must_not: {
bool: {
filter: [
should: [
{
nested: {
path: 'some.parentField',
query: {
bool: {
minimum_should_match: 1,
should: [
{
match_phrase: {
'some.parentField.nested.field': 'some value',
bool: {
filter: [
{
nested: {
path: 'some.parentField',
query: {
bool: {
minimum_should_match: 1,
should: [
{
match_phrase: {
'some.parentField.nested.field': 'some value',
},
},
],
},
},
],
score_mode: 'none',
},
},
},
score_mode: 'none',
},
},
{
bool: {
minimum_should_match: 1,
should: [
{
match_phrase: {
'some.not.nested.field': 'some value',
bool: {
minimum_should_match: 1,
should: [
{
match_phrase: {
'some.not.nested.field': 'some value',
},
},
],
},
},
],
Expand All @@ -1210,9 +1230,9 @@ describe('get_filter', () => {
],
},
},
],
},
},
},
],
},
},
},
Expand Down
Expand Up @@ -110,27 +110,35 @@ export const buildEqlSearchRequest = (
exceptionFilter = buildExceptionFilter(exceptionQueries, indexPattern, config, true, 1024);
}
const indexString = index.join();
const requestFilter: unknown[] = [
{
range: {
[timestamp]: {
gte: from,
lte: to,
},
},
},
];
if (exceptionFilter !== undefined) {
requestFilter.push({
bool: {
must_not: {
bool: exceptionFilter?.query.bool,
},
},
});
}
const baseRequest = {
method: 'POST',
path: `/${indexString}/_eql/search?allow_no_indices=true`,
body: {
size,
query,
filter: {
range: {
[timestamp]: {
gte: from,
lte: to,
},
bool: {
filter: requestFilter,
},
bool:
exceptionFilter !== undefined
? {
must_not: {
bool: exceptionFilter?.query.bool,
},
}
: undefined,
},
},
};
Expand Down
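Review bot: The optional chain in `bool: exceptionFilter?.query.bool` inside the `if (exceptionFilter !== undefined)` branch is redundant, since the guard has already narrowed `exceptionFilter`; plain `bool: exceptionFilter.query.bool` keeps the narrowing honest and would not silently yield `undefined` if the guard were ever loosened. The `const requestFilter: unknown[]` annotation also discards the shape of the filter clauses, so a mistyped clause key (for example in the `range` object) would no longer be caught at compile time; a narrower element type, if this module already has one for query clauses, would be preferable. A short comment above the `requestFilter.push`, e.g. `// Exception entries are negated so that events they match are excluded from the EQL search`, would explain why the exception query is wrapped in `must_not` rather than added as a plain filter. buildEqlSearchRequest's signature and the rest of its body lie outside the hunk.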
