Move indicator path defaulting outside of helper functions

This happens closer to where we pass data from the rule to our helpers, and will prevent errors/bugs due to defaulting logic down the road. It makes tests a little more verbose, but that's okay.
elastic · Feb 12, 2021 · c33dc3a · c33dc3a
1 parent 6b2d1d7
commit c33dc3a
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 15 deletions.
diff --git a/...n/server/lib/detection_engine/signals/threat_mapping/enrich_signal_threat_matches.test.ts b/...n/server/lib/detection_engine/signals/threat_mapping/enrich_signal_threat_matches.test.ts
@@ -93,6 +93,7 @@ describe('buildMatchedIndicator', () => {
     const indicators = buildMatchedIndicator({
       queries: [],
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(indicators).toEqual([]);
@@ -102,6 +103,7 @@ describe('buildMatchedIndicator', () => {
     const [indicator] = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(get(indicator, 'matched.atomic')).toEqual('domain_1');
@@ -111,6 +113,7 @@ describe('buildMatchedIndicator', () => {
     const [indicator] = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(get(indicator, 'matched.field')).toEqual('event.field');
@@ -120,6 +123,7 @@ describe('buildMatchedIndicator', () => {
     const [indicator] = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(get(indicator, 'matched.type')).toEqual('type_1');
@@ -148,6 +152,7 @@ describe('buildMatchedIndicator', () => {
     const indicators = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(indicators).toHaveLength(queries.length);
@@ -157,6 +162,7 @@ describe('buildMatchedIndicator', () => {
     const indicators = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(indicators).toEqual([
@@ -192,9 +198,9 @@ describe('buildMatchedIndicator', () => {
     ];
 
     const indicators = buildMatchedIndicator({
-      indicatorPath: 'custom.indicator.path',
       queries,
       threats,
+      indicatorPath: 'custom.indicator.path',
     });
 
     expect(indicators).toEqual([
@@ -221,6 +227,7 @@ describe('buildMatchedIndicator', () => {
     const indicators = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(indicators).toEqual([
@@ -245,6 +252,7 @@ describe('buildMatchedIndicator', () => {
     const indicators = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(indicators).toEqual([
@@ -276,6 +284,7 @@ describe('buildMatchedIndicator', () => {
     const indicators = buildMatchedIndicator({
       queries,
       threats,
+      indicatorPath: 'threat.indicator',
     });
 
     expect(indicators).toEqual([
@@ -307,6 +316,7 @@ describe('buildMatchedIndicator', () => {
       buildMatchedIndicator({
         queries,
         threats,
+        indicatorPath: 'threat.indicator',
       })
     ).toThrowError('Expected indicator field to be an object, but found: not an object');
   });
@@ -327,6 +337,7 @@ describe('buildMatchedIndicator', () => {
       buildMatchedIndicator({
         queries,
         threats,
+        indicatorPath: 'threat.indicator',
       })
     ).toThrowError('Expected indicator field to be an object, but found: not an object');
   });
@@ -352,7 +363,11 @@ describe('enrichSignalThreatMatches', () => {
 
   it('performs no enrichment if there are no signals', async () => {
     const signals = getSignalsResponseMock([]);
-    const enrichedSignals = await enrichSignalThreatMatches(signals, getMatchedThreats);
+    const enrichedSignals = await enrichSignalThreatMatches(
+      signals,
+      getMatchedThreats,
+      'threat.indicator'
+    );
 
     expect(enrichedSignals.hits.hits).toEqual([]);
   });
@@ -363,7 +378,11 @@ describe('enrichSignalThreatMatches', () => {
       matched_queries: [matchedQuery],
     });
     const signals = getSignalsResponseMock([signalHit]);
-    const enrichedSignals = await enrichSignalThreatMatches(signals, getMatchedThreats);
+    const enrichedSignals = await enrichSignalThreatMatches(
+      signals,
+      getMatchedThreats,
+      'threat.indicator'
+    );
     const [enrichedHit] = enrichedSignals.hits.hits;
     const indicators = get(enrichedHit._source, 'threat.indicator');
 
@@ -384,7 +403,11 @@ describe('enrichSignalThreatMatches', () => {
       matched_queries: [matchedQuery],
     });
     const signals = getSignalsResponseMock([signalHit]);
-    const enrichedSignals = await enrichSignalThreatMatches(signals, getMatchedThreats);
+    const enrichedSignals = await enrichSignalThreatMatches(
+      signals,
+      getMatchedThreats,
+      'threat.indicator'
+    );
     const [enrichedHit] = enrichedSignals.hits.hits;
     const indicators = get(enrichedHit._source, 'threat.indicator');
 
@@ -401,7 +424,11 @@ describe('enrichSignalThreatMatches', () => {
       matched_queries: [matchedQuery],
     });
     const signals = getSignalsResponseMock([signalHit]);
-    const enrichedSignals = await enrichSignalThreatMatches(signals, getMatchedThreats);
+    const enrichedSignals = await enrichSignalThreatMatches(
+      signals,
+      getMatchedThreats,
+      'threat.indicator'
+    );
     const [enrichedHit] = enrichedSignals.hits.hits;
     const indicators = get(enrichedHit._source, 'threat.indicator');
 
@@ -422,9 +449,9 @@ describe('enrichSignalThreatMatches', () => {
       matched_queries: [matchedQuery],
     });
     const signals = getSignalsResponseMock([signalHit]);
-    await expect(() => enrichSignalThreatMatches(signals, getMatchedThreats)).rejects.toThrowError(
-      'Expected threat field to be an object, but found: whoops'
-    );
+    await expect(() =>
+      enrichSignalThreatMatches(signals, getMatchedThreats, 'threat.indicator')
+    ).rejects.toThrowError('Expected threat field to be an object, but found: whoops');
   });
 
   it('enriches from a configured indicator path, if specified', async () => {
@@ -499,7 +526,11 @@ describe('enrichSignalThreatMatches', () => {
       ],
     });
     const signals = getSignalsResponseMock([signalHit, otherSignalHit]);
-    const enrichedSignals = await enrichSignalThreatMatches(signals, getMatchedThreats);
+    const enrichedSignals = await enrichSignalThreatMatches(
+      signals,
+      getMatchedThreats,
+      'threat.indicator'
+    );
     expect(enrichedSignals.hits.total).toEqual(expect.objectContaining({ value: 1 }));
     expect(enrichedSignals.hits.hits).toHaveLength(1);
 

diff --git a/...lution/server/lib/detection_engine/signals/threat_mapping/enrich_signal_threat_matches.ts b/...lution/server/lib/detection_engine/signals/threat_mapping/enrich_signal_threat_matches.ts
@@ -16,7 +16,6 @@ import type {
 } from './types';
 import { extractNamedQueries } from './utils';
 
-const DEFAULT_INDICATOR_PATH = 'threat.indicator';
 const getSignalId = (signal: SignalSourceHit): string => signal._id;
 
 export const groupAndMergeSignalMatches = (signalHits: SignalSourceHit[]): SignalSourceHit[] => {
@@ -43,11 +42,11 @@ export const groupAndMergeSignalMatches = (signalHits: SignalSourceHit[]): Signa
 export const buildMatchedIndicator = ({
   queries,
   threats,
-  indicatorPath = DEFAULT_INDICATOR_PATH,
+  indicatorPath,
 }: {
   queries: ThreatMatchNamedQuery[];
   threats: ThreatListItem[];
-  indicatorPath?: string;
+  indicatorPath: string;
 }): ThreatIndicator[] =>
   queries.map((query) => {
     const matchedThreat = threats.find((threat) => threat._id === query.id);
@@ -68,7 +67,7 @@ export const buildMatchedIndicator = ({
 export const enrichSignalThreatMatches = async (
   signals: SignalSearchResponse,
   getMatchedThreats: GetMatchedThreats,
-  indicatorPath?: string
+  indicatorPath: string
 ): Promise<SignalSearchResponse> => {
   const signalHits = signals.hits.hits;
   if (signalHits.length === 0) {
@@ -79,10 +78,9 @@ export const enrichSignalThreatMatches = async (
   const signalMatches = uniqueHits.map((signalHit) => extractNamedQueries(signalHit));
   const matchedThreatIds = [...new Set(signalMatches.flat().map(({ id }) => id))];
   const matchedThreats = await getMatchedThreats(matchedThreatIds);
-  const defaultedIndicatorPath = indicatorPath ? indicatorPath : DEFAULT_INDICATOR_PATH;
   const matchedIndicators = signalMatches.map((queries) =>
     buildMatchedIndicator({
-      indicatorPath: defaultedIndicatorPath,
+      indicatorPath,
       queries,
       threats: matchedThreats,
     })

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/types.ts
@@ -216,6 +216,7 @@ export interface BuildThreatEnrichmentOptions {
   services: AlertServices<AlertInstanceState, AlertInstanceContext, 'default'>;
   threatFilters: PartialFilter[];
   threatIndex: ThreatIndex;
+  threatIndicatorPath: ThreatIndicatorPathOrUndefined;
   threatLanguage: ThreatLanguageOrUndefined;
   threatQuery: ThreatQuery;
 }