elastic · rylnd · Aug 24, 2023 · Aug 3, 2023 · Aug 3, 2023 · Aug 3, 2023
@@ -2956,8 +2956,34 @@
   "risk-engine-configuration": {
     "dynamic": false,
     "properties": {
+      "dataViewId": {
+        "type": "keyword"
+      },
       "enabled": {
         "type": "boolean"
+      },
+      "filter": {
+        "dynamic": false,
+        "properties": {}
+      },
+      "identifierType": {
+        "type": "keyword"
+      },
+      "interval": {
+        "type": "keyword"
+      },
+      "pageSize": {
+        "type": "integer"
+      },
+      "range": {
+        "properties": {
+          "start": {
+            "type": "keyword"
+          },
+          "end": {
+            "type": "keyword"
+          }
+        }
       }
     }
   },

@@ -126,7 +126,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "osquery-pack-asset": "b14101d3172c4b60eb5404696881ce5275c84152",
         "osquery-saved-query": "44f1161e165defe3f9b6ad643c68c542a765fcdb",
         "query": "21cbbaa09abb679078145ce90087b1e88b7eae95",
-        "risk-engine-configuration": "1b8b175e29ea5311408125c92c6247f502b2d79d",
+        "risk-engine-configuration": "b105d4a3c6adce40708d729d12e5ef3c8fbd9508",
         "rules-settings": "892a2918ebaeba809a612b8d97cec0b07c800b5f",
         "sample-data-telemetry": "37441b12f5b0159c2d6d5138a494c9f440e950b5",
         "search": "8d5184dd5b986d57250b6ffd9ae48a1925e4c7a3",

diff --git a/x-pack/plugins/security_solution/common/risk_engine/index.ts b/x-pack/plugins/security_solution/common/risk_engine/index.ts
@@ -8,6 +8,7 @@
 export * from './after_keys';
 export * from './risk_weights';
 export * from './identifier_types';
+export * from './range';
 export * from './types';
 export * from './indices';
 export * from './constants';
diff --git a/x-pack/plugins/security_solution/common/risk_engine/range.ts b/x-pack/plugins/security_solution/common/risk_engine/range.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+export const rangeSchema = t.type({
+  start: t.string,
+  end: t.string,
+});
+export type RangeSchema = t.TypeOf<typeof rangeSchema>;
+export type Range = RangeSchema;
diff --git a/x-pack/plugins/security_solution/common/risk_engine/risk_score_preview/request_schema.ts b/x-pack/plugins/security_solution/common/risk_engine/risk_score_preview/request_schema.ts
@@ -9,6 +9,7 @@ import * as t from 'io-ts';
 import { DataViewId } from '../../api/detection_engine/model/rule_schema';
 import { afterKeysSchema } from '../after_keys';
 import { identifierTypeSchema } from '../identifier_types';
+import { rangeSchema } from '../range';
 import { riskWeightsSchema } from '../risk_weights/schema';
 
 export const riskScorePreviewRequestSchema = t.exact(
@@ -22,10 +23,7 @@ export const riskScorePreviewRequestSchema = t.exact(
       filter: t.unknown,
       page_size: t.number,
       identifier_type: identifierTypeSchema,
-      range: t.type({
-        start: t.string,
-        end: t.string,
-      }),
+      range: rangeSchema,
       weights: riskWeightsSchema,
     }),
   ])

diff --git a/...plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts b/...plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
@@ -34,7 +34,7 @@ import type {
 
 import { getEndpointAuthzInitialStateMock } from '../../../../../common/endpoint/service/authz/mocks';
 import type { EndpointAuthz } from '../../../../../common/endpoint/types/authz';
-import { riskEngineDataClientMock } from '../../../risk_engine/__mocks__/risk_engine_data_client_mock';
+import { riskEngineDataClientMock } from '../../../risk_engine/risk_engine_data_client.mock';
 
 export const createMockClients = () => {
   const core = coreMock.createRequestHandlerContext();

diff --git a/x-pack/plugins/security_solution/server/lib/risk_engine/calculate_risk_scores.test.ts b/x-pack/plugins/security_solution/server/lib/risk_engine/calculate_risk_scores.test.ts
@@ -48,6 +48,34 @@ describe('calculateRiskScores()', () => {
       );
     });
 
+    it('drops an empty object filter if specified by the caller', async () => {
+      params.filter = {};
+      await calculateRiskScores(params);
+      expect(esClient.search).toHaveBeenCalledWith(
+        expect.objectContaining({
+          query: {
+            bool: {
+              filter: expect.not.arrayContaining([{}]),
+            },
+          },
+        })
+      );
+    });
+
+    it('drops an empty array filter if specified by the caller', async () => {
+      params.filter = [];
+      await calculateRiskScores(params);
+      expect(esClient.search).toHaveBeenCalledWith(
+        expect.objectContaining({
+          query: {
+            bool: {
+              filter: expect.not.arrayContaining([[]]),
+            },
+          },
+        })
+      );
+    });
+
     describe('identifierType', () => {
       it('creates aggs for both host and user by default', async () => {
         await calculateRiskScores(params);

diff --git a/x-pack/plugins/security_solution/server/lib/risk_engine/calculate_risk_scores.ts b/x-pack/plugins/security_solution/server/lib/risk_engine/calculate_risk_scores.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { isEmpty } from 'lodash';
 import type {
   AggregationsAggregationContainer,
   QueryDslQueryContainer,
@@ -213,7 +214,7 @@ export const calculateRiskScores = async ({
     const now = new Date().toISOString();
 
     const filter = [{ exists: { field: ALERT_RISK_SCORE } }, filterFromRange(range)];
-    if (userFilter) {
+    if (!isEmpty(userFilter)) {
       filter.push(userFilter as QueryDslQueryContainer);
     }
     const identifierTypes: IdentifierType[] = identifierType ? [identifierType] : ['host', 'user'];

diff --git a/x-pack/plugins/security_solution/server/lib/risk_engine/get_risk_inputs_index.ts b/x-pack/plugins/security_solution/server/lib/risk_engine/get_risk_inputs_index.ts
@@ -9,7 +9,7 @@ import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/types'
 import type { Logger, SavedObjectsClientContract } from '@kbn/core/server';
 import type { DataViewAttributes } from '@kbn/data-views-plugin/common';
 
-interface RiskInputsIndexResponse {
+export interface RiskInputsIndexResponse {
   index: string;
   runtimeMappings: MappingRuntimeFields;
 }

diff --git a/x-pack/plugins/security_solution/server/lib/risk_engine/helpers.test.ts b/x-pack/plugins/security_solution/server/lib/risk_engine/helpers.test.ts
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { isRiskScoreCalculationComplete } from './helpers';
+
+describe('isRiskScoreCalculationComplete', () => {
+  it('is true if both after_keys.host and after_keys.user are empty', () => {
+    const result = {
+      after_keys: {
+        host: {},
+        user: {},
+      },
+    };
+    // @ts-expect-error using a minimal result object for testing
+    expect(isRiskScoreCalculationComplete(result)).toEqual(true);
+  });
+
+  it('is true if after_keys is an empty object', () => {
+    const result = {
+      after_keys: {},
+    };
+    // @ts-expect-error using a minimal result object for testing
+    expect(isRiskScoreCalculationComplete(result)).toEqual(true);
+  });
+
+  it('is false if the host key has a key/value', () => {
+    const result = {
+      after_keys: {
+        host: {
+          key: 'value',
+        },
+      },
+    };
+    // @ts-expect-error using a minimal result object for testing
+    expect(isRiskScoreCalculationComplete(result)).toEqual(false);
+  });
+
+  it('is false if the user key has a key/value', () => {
+    const result = {
+      after_keys: {
+        user: {
+          key: 'value',
+        },
+      },
+    };
+    // @ts-expect-error using a minimal result object for testing
+    expect(isRiskScoreCalculationComplete(result)).toEqual(false);
+  });
+});
diff --git a/x-pack/plugins/security_solution/server/lib/risk_engine/helpers.ts b/x-pack/plugins/security_solution/server/lib/risk_engine/helpers.ts
@@ -6,6 +6,7 @@
  */
 
 import type { AfterKey, AfterKeys, IdentifierType } from '../../../common/risk_engine';
+import type { CalculateAndPersistScoresResponse } from './types';
 
 export const getFieldForIdentifierAgg = (identifierType: IdentifierType): string =>
   identifierType === 'host' ? 'host.name' : 'user.name';
@@ -17,3 +18,9 @@ export const getAfterKeyForIdentifierType = ({
   afterKeys: AfterKeys;
   identifierType: IdentifierType;
 }): AfterKey | undefined => afterKeys[identifierType];
+
+export const isRiskScoreCalculationComplete = (
+  result: CalculateAndPersistScoresResponse
+): boolean =>
+  Object.keys(result.after_keys.host ?? {}).length === 0 &&
+  Object.keys(result.after_keys.user ?? {}).length === 0;
diff --git a/...__mocks__/risk_engine_data_client_mock.ts → ...sk_engine/risk_engine_data_client.mock.ts b/...__mocks__/risk_engine_data_client_mock.ts → ...sk_engine/risk_engine_data_client.mock.ts
@@ -5,13 +5,19 @@
  * 2.0.
  */
 
-import type { RiskEngineDataClient } from '../risk_engine_data_client';
+import type { RiskEngineDataClient } from './risk_engine_data_client';
 
 const createRiskEngineDataClientMock = () =>
   ({
+    disableLegacyRiskEngine: jest.fn(),
+    disableRiskEngine: jest.fn(),
+    enableRiskEngine: jest.fn(),
+    getConfiguration: jest.fn(),
+    getRiskInputsIndex: jest.fn(),
+    getStatus: jest.fn(),
     getWriter: jest.fn(),
-    initializeResources: jest.fn(),
     init: jest.fn(),
+    initializeResources: jest.fn(),
   } as unknown as jest.Mocked<RiskEngineDataClient>);
 
 export const riskEngineDataClientMock = { create: createRiskEngineDataClientMock };