Skip to content

Commit

Permalink
[Security Solution][Exceptions] Allows bulk close on exception to clo…
Browse files Browse the repository at this point in the history
…se acknowledged alerts (#110147) (#110330)

Co-authored-by: Davis Plumlee <[email protected]>
  • Loading branch information
kibanamachine and dplumlee authored Aug 26, 2021
1 parent cfd9f19 commit b828702
Show file tree
Hide file tree
Showing 4 changed files with 100 additions and 9 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,8 @@ describe('useAddOrUpdateException', () => {
let addExceptionListItem: jest.SpyInstance<Promise<ExceptionListItemSchema>>;
let updateExceptionListItem: jest.SpyInstance<Promise<ExceptionListItemSchema>>;
let getQueryFilter: jest.SpyInstance<ReturnType<typeof getQueryFilterHelper.getQueryFilter>>;
let buildAlertStatusFilter: jest.SpyInstance<
ReturnType<typeof buildFilterHelpers.buildAlertStatusFilter>
let buildAlertStatusesFilter: jest.SpyInstance<
ReturnType<typeof buildFilterHelpers.buildAlertStatusesFilter>
>;
let buildAlertsRuleIdFilter: jest.SpyInstance<
ReturnType<typeof buildFilterHelpers.buildAlertsRuleIdFilter>
Expand Down Expand Up @@ -128,7 +128,7 @@ describe('useAddOrUpdateException', () => {

getQueryFilter = jest.spyOn(getQueryFilterHelper, 'getQueryFilter');

buildAlertStatusFilter = jest.spyOn(buildFilterHelpers, 'buildAlertStatusFilter');
buildAlertStatusesFilter = jest.spyOn(buildFilterHelpers, 'buildAlertStatusesFilter');

buildAlertsRuleIdFilter = jest.spyOn(buildFilterHelpers, 'buildAlertsRuleIdFilter');

Expand Down Expand Up @@ -328,8 +328,12 @@ describe('useAddOrUpdateException', () => {
addOrUpdateItems(...addOrUpdateItemsArgs);
}
await waitForNextUpdate();
expect(buildAlertStatusFilter).toHaveBeenCalledTimes(1);
expect(buildAlertStatusFilter.mock.calls[0][0]).toEqual('open');
expect(buildAlertStatusesFilter).toHaveBeenCalledTimes(1);
expect(buildAlertStatusesFilter.mock.calls[0][0]).toEqual([
'open',
'acknowledged',
'in-progress',
]);
});
});
it('should update the status of only alerts generated by the provided rule', async () => {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ import { HttpStart } from '../../../../../../../src/core/public';
import { updateAlertStatus } from '../../../detections/containers/detection_engine/alerts/api';
import { getUpdateAlertsQuery } from '../../../detections/components/alerts_table/actions';
import {
buildAlertStatusFilter,
buildAlertsRuleIdFilter,
buildAlertStatusFilterRuleRegistry,
buildAlertStatusesFilter,
buildAlertStatusesFilterRuleRegistry,
} from '../../../detections/components/alerts_table/default_config';
import { getQueryFilter } from '../../../../common/detection_engine/get_query_filter';
import { Index } from '../../../../common/detection_engine/schemas/common/schemas';
Expand Down Expand Up @@ -133,8 +133,8 @@ export const useAddOrUpdateException = ({
if (bulkCloseIndex != null) {
// TODO: Once we are past experimental phase this code should be removed
const alertStatusFilter = ruleRegistryEnabled
? buildAlertStatusFilterRuleRegistry('open')
: buildAlertStatusFilter('open');
? buildAlertStatusesFilterRuleRegistry(['open', 'acknowledged', 'in-progress'])
: buildAlertStatusesFilter(['open', 'acknowledged', 'in-progress']);

const filter = getQueryFilter(
'',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import { ExistsFilter, Filter } from '@kbn/es-query';
import {
buildAlertsRuleIdFilter,
buildAlertStatusesFilter,
buildAlertStatusFilter,
buildThreatMatchFilter,
} from './default_config';
Expand Down Expand Up @@ -124,6 +125,42 @@ describe('alerts default_config', () => {
});
});

describe('buildAlertStatusesFilter', () => {
test('builds filter containing all statuses passed into function', () => {
const filters = buildAlertStatusesFilter(['open', 'acknowledged', 'in-progress']);
const expected = {
meta: {
alias: null,
disabled: false,
negate: false,
},
query: {
bool: {
should: [
{
term: {
'signal.status': 'open',
},
},
{
term: {
'signal.status': 'acknowledged',
},
},
{
term: {
'signal.status': 'in-progress',
},
},
],
},
},
};
expect(filters).toHaveLength(1);
expect(filters[0]).toEqual(expected);
});
});

// TODO: move these tests to ../timelines/components/timeline/body/events/event_column_view.tsx
// describe.skip('getAlertActions', () => {
// let setEventsLoading: ({ eventIds, isLoading }: SetEventsLoadingProps) => void;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,32 @@ export const buildAlertStatusFilter = (status: Status): Filter[] => {
];
};

/**
* For backwards compatability issues, if `acknowledged` is a status prop, `in-progress` will likely have to be too
*/
export const buildAlertStatusesFilter = (statuses: Status[]): Filter[] => {
const combinedQuery = {
bool: {
should: statuses.map((status) => ({
term: {
'signal.status': status,
},
})),
},
};

return [
{
meta: {
alias: null,
negate: false,
disabled: false,
},
query: combinedQuery,
},
];
};

export const buildAlertsRuleIdFilter = (ruleId: string | null): Filter[] =>
ruleId
? [
Expand Down Expand Up @@ -204,6 +230,30 @@ export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] =>
];
};

// TODO: Once we are past experimental phase this code should be removed
export const buildAlertStatusesFilterRuleRegistry = (statuses: Status[]): Filter[] => {
const combinedQuery = {
bool: {
should: statuses.map((status) => ({
term: {
[ALERT_STATUS]: status,
},
})),
},
};

return [
{
meta: {
alias: null,
negate: false,
disabled: false,
},
query: combinedQuery,
},
];
};

export const buildShowBuildingBlockFilterRuleRegistry = (
showBuildingBlockAlerts: boolean
): Filter[] =>
Expand Down

0 comments on commit b828702

Please sign in to comment.