
[Rule Registry][Security Solution] AlertWithPersistence return only alerts that were actually indexed #120439

Merged
merged 2 commits into from
Dec 7, 2021

Conversation

marshallmain
Contributor

@marshallmain marshallmain commented Dec 4, 2021

Currently the rule data client returns undefined if any errors are encountered in the bulk indexing request. This can hide the fact that some of the bulk index operations actually succeeded and created or updated alerts. This PR updates the bulk method so it still returns the response to the caller if errors are encountered and the caller can handle the errors appropriately.

In the Persistence Rule Type, appropriate handling of errors means checking which of the bulk operations succeeded and returning those as createdAlerts. These createdAlerts are made available in the actions context later on, so it's important that any created alerts are returned, but also that alerts which were submitted in the bulk request but were not actually created are not returned.
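As an added illustration of the filtering described above (this is example code, not Kibana's own), the function below keeps only the alerts whose corresponding Elasticsearch bulk item reported success. The `Alert`, `BulkResponse` types, function names and the sample response are constructed for the example; the response shape follows the Elasticsearch Bulk API, where `items` is in submission order and each item is keyed by its operation.

```typescript
// Subset of the Elasticsearch bulk response relevant here (constructed types).
interface BulkItemResult {
  _id?: string;
  status: number;
  error?: { type: string; reason: string };
}
interface BulkResponse {
  errors: boolean;
  items: Array<Partial<Record<"create" | "index", BulkItemResult>>>;
}
interface Alert {
  _id: string;
  _source: Record<string, unknown>;
}

// Return only the alerts whose bulk item succeeded (2xx, no error object).
// The bulk API answers one item per submitted document, in the same order,
// so items[i] describes the outcome of alerts[i]; a partial failure
// (response.errors === true) therefore no longer hides the successes.
export function alertsActuallyIndexed(alerts: Alert[], response: BulkResponse): Alert[] {
  if (response.items.length !== alerts.length) {
    throw new Error("bulk response item count does not match submitted alerts");
  }
  return alerts.filter((_, i) => {
    const item = response.items[i];
    const result = item.create ?? item.index;
    return (
      result !== undefined &&
      result.error === undefined &&
      result.status >= 200 &&
      result.status < 300
    );
  });
}

// Constructed sample: three alerts submitted, the second rejected with a
// version conflict. Only the first and third were indexed.
export function demo(): string[] {
  const alerts: Alert[] = [
    { _id: "a1", _source: { "kibana.alert.rule.name": "rule-x" } },
    { _id: "a2", _source: { "kibana.alert.rule.name": "rule-x" } },
    { _id: "a3", _source: { "kibana.alert.rule.name": "rule-x" } },
  ];
  const response: BulkResponse = {
    errors: true,
    items: [
      { create: { _id: "a1", status: 201 } },
      { create: { _id: "a2", status: 409, error: { type: "version_conflict_engine_exception", reason: "constructed sample" } } },
      { create: { _id: "a3", status: 201 } },
    ],
  };
  return alertsActuallyIndexed(alerts, response).map((a) => a._id);
}
```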

@marshallmain marshallmain added auto-backport Deprecated - use backport:version if exact versions are needed release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Alerts Security Detection Alerts Area Team v8.0.0 v8.1.0 labels Dec 4, 2021
@marshallmain marshallmain marked this pull request as ready for review December 6, 2021 16:19
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@marshallmain
Contributor Author

@elasticmachine merge upstream

@marshallmain marshallmain requested review from a team December 6, 2021 16:21
@kibana-ci
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Contributor

@madirey madirey left a comment


🚀

@kibanamachine
Contributor

💚 Backport successful

Status Branch Result
8.0

This backport PR will be merged automatically after passing CI.

5 participants