diff --git a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts
index 0224caafb41a8..d6352d2e6aa15 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts
@@ -1105,11 +1105,17 @@ describe('get_filter', () => {
 size: 100,
 query: 'process where true',
 filter: {
- range: {
- '@timestamp': {
- gte: 'now-5m',
- lte: 'now',
- },
+ bool: {
+ filter: [
+ {
+ range: {
+ '@timestamp': {
+ gte: 'now-5m',
+ lte: 'now',
+ },
+ },
+ },
+ ],
 },
 },
 },
@@ -1135,11 +1141,17 @@ describe('get_filter', () => {
 size: 100,
 query: 'process where true',
 filter: {
- range: {
- 'event.ingested': {
- gte: 'now-5m',
- lte: 'now',
- },
+ bool: {
+ filter: [
+ {
+ range: {
+ 'event.ingested': {
+ gte: 'now-5m',
+ lte: 'now',
+ },
+ },
+ },
+ ],
 },
 },
 },
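Review bot: The expected `filter` literal in this hunk is the same nested `bool.filter[range]` structure that the next hunk repeats for `event.ingested`, differing only by the field name, so the two expectations will drift apart the next time the request shape changes. A small helper in the test file would keep them in step, e.g. `const expectedRange = (field: string) => ({ bool: { filter: [{ range: { [field]: { gte: 'now-5m', lte: 'now' } } }] } });` and then `filter: expectedRange('@timestamp')` here. The enclosing test case starts and ends outside the hunk.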
@@ -1164,44 +1176,52 @@ describe('get_filter', () => { size: 100, query: 'process where true', filter: { - range: { - '@timestamp': { - gte: 'now-5m', - lte: 'now', - }, - }, bool: { - must_not: { - bool: { - should: [ - { + filter: [ + { + range: { + '@timestamp': { + gte: 'now-5m', + lte: 'now', + }, + }, + }, + { + bool: { + must_not: { bool: { - filter: [ + should: [ { - nested: { - path: 'some.parentField', - query: { - bool: { - minimum_should_match: 1, - should: [ - { - match_phrase: { - 'some.parentField.nested.field': 'some value', + bool: { + filter: [ + { + nested: { + path: 'some.parentField', + query: { + bool: { + minimum_should_match: 1, + should: [ + { + match_phrase: { + 'some.parentField.nested.field': 'some value', + }, + }, + ], }, }, - ], + score_mode: 'none', + }, }, - }, - score_mode: 'none', - }, - }, - { - bool: { - minimum_should_match: 1, - should: [ { - match_phrase: { - 'some.not.nested.field': 'some value', + bool: { + minimum_should_match: 1, + should: [ + { + match_phrase: { + 'some.not.nested.field': 'some value', + }, + }, + ], }, }, ], @@ -1210,9 +1230,9 @@ describe('get_filter', () => { ], }, }, - ], + }, }, - }, + ], }, }, }, diff --git a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts index 05c706164ab44..1a4852e450275 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts 
@@ -110,6 +110,25 @@ export const buildEqlSearchRequest = (
 exceptionFilter = buildExceptionFilter(exceptionQueries, indexPattern, config, true, 1024);
 }
 const indexString = index.join();
+ const requestFilter: unknown[] = [
+ {
+ range: {
+ [timestamp]: {
+ gte: from,
+ lte: to,
+ },
+ },
+ },
+ ];
+ if (exceptionFilter !== undefined) {
+ requestFilter.push({
+ bool: {
+ must_not: {
+ bool: exceptionFilter?.query.bool,
+ },
+ },
+ });
+ }
 const baseRequest = {
 method: 'POST',
 path: `/${indexString}/_eql/search?allow_no_indices=true`,
@@ -117,20 +136,9 @@ export const buildEqlSearchRequest = (
 size,
 query,
 filter: {
- range: {
- [timestamp]: {
- gte: from,
- lte: to,
+ bool: {
+ filter: requestFilter,
 },
- bool:
- exceptionFilter !== undefined
- ? {
- must_not: {
- bool: exceptionFilter?.query.bool,
- }
- }
- : undefined,
 },
 },
 };
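Review bot: The optional chain in `bool: exceptionFilter?.query.bool` is redundant inside the `if (exceptionFilter !== undefined)` guard this hunk adds, and it papers over the case that still matters: if `query` or `query.bool` can be absent on the value `buildExceptionFilter` returns (its type is outside the hunk, so this is unverified), the pushed clause serialises as `must_not: {}`, which Elasticsearch is likely to reject as a malformed query instead of silently applying no exception, so the rule would fail rather than run without its exceptions. I would write `bool: exceptionFilter.query.bool` and, if that field is optional in the type, make the guard `if (exceptionFilter?.query?.bool !== undefined)` so the exception clause is only pushed when it is well-formed. `requestFilter` is declared as `unknown[]`, which checks nothing about what is pushed; the query-container type the file already uses for `exceptionFilter.query`, if one is imported, would be a better element type. A why-comment on the array would also help the next reader, e.g. `// The EQL search 'filter' takes a single query-DSL object, so the time range and the exception must_not are combined under bool.filter instead of as sibling keys.` buildEqlSearchRequest starts before the hunk.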