From 815ce3d324e5a0645afeacf366ff5ee171e25d7a Mon Sep 17 00:00:00 2001
From: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
Date: Mon, 26 Oct 2020 20:46:32 -0400
Subject: [PATCH] [SECURITY SOLUTIONS] Bugs overview page + investigate eql in
 timeline (#81550)

* fix overview query to be connected to sourcerer

* investigate eql in timeline

* keep timeline indices

* trusting what is coming from timeline saved object for index pattern at initialization

* fix type + initialize old timeline to sourcerer

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../public/common/containers/source/index.tsx | 14 ++--
 .../containers/sourcerer/index.test.tsx       | 26 ++++++-
 .../common/containers/sourcerer/index.tsx     | 17 ++++-
 .../public/common/store/sourcerer/actions.ts  |  6 ++
 .../public/common/store/sourcerer/reducer.ts  | 27 +++++++
 .../common/store/sourcerer/selectors.ts       | 13 +++-
 .../components/alerts_table/actions.test.tsx  | 76 ++++++++++++++++++-
 .../components/alerts_table/actions.tsx       | 39 +++++-----
 .../public/overview/pages/overview.tsx        |  2 +-
 .../components/open_timeline/helpers.ts       |  2 +-
 10 files changed, 184 insertions(+), 38 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/common/containers/source/index.tsx b/x-pack/plugins/security_solution/public/common/containers/source/index.tsx
index c36e2de61fcbf..2cc1c75015e07 100644
--- a/x-pack/plugins/security_solution/public/common/containers/source/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/containers/source/index.tsx
@@ -194,15 +194,14 @@ export const useIndexFields = (sourcererScopeName: SourcererScopeName) => {
   const { data, notifications } = useKibana().services;
   const abortCtrl = useRef(new AbortController());
   const dispatch = useDispatch();
-  const previousIndexesName = useRef<string[]>([]);
-
   const indexNamesSelectedSelector = useMemo(
     () => sourcererSelectors.getIndexNamesSelectedSelector(),
     []
   );
-  const indexNames = useShallowEqualSelector<string[]>((state) =>
-    indexNamesSelectedSelector(state, sourcererScopeName)
-  );
+  const { indexNames, previousIndexNames } = useShallowEqualSelector<{
+    indexNames: string[];
+    previousIndexNames: string;
+  }>((state) => indexNamesSelectedSelector(state, sourcererScopeName));
 
   const setLoading = useCallback(
     (loading: boolean) => {
@@ -230,7 +229,6 @@ export const useIndexFields = (sourcererScopeName: SourcererScopeName) => {
               if (!response.isPartial && !response.isRunning) {
                 if (!didCancel) {
                   const stringifyIndices = response.indicesExist.sort().join();
-                  previousIndexesName.current = response.indicesExist;
                   dispatch(
                     sourcererActions.setSource({
                       id: sourcererScopeName,
@@ -279,8 +277,8 @@ export const useIndexFields = (sourcererScopeName: SourcererScopeName) => {
   );
 
   useEffect(() => {
-    if (!isEmpty(indexNames) && !isEqual(previousIndexesName.current, indexNames)) {
+    if (!isEmpty(indexNames) && previousIndexNames !== indexNames.sort().join()) {
       indexFieldsSearch(indexNames);
     }
-  }, [indexNames, indexFieldsSearch, previousIndexesName]);
+  }, [indexNames, indexFieldsSearch, previousIndexNames]);
 };
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx
index 673db7af2b5e6..cd7f6cd496391 100644
--- a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx
@@ -12,7 +12,7 @@ import { Provider } from 'react-redux';
 
 import { useInitSourcerer } from '.';
 import { mockPatterns, mockSource } from './mocks';
-// import { SourcererScopeName } from '../../store/sourcerer/model';
+import { SourcererScopeName } from '../../store/sourcerer/model';
 import { RouteSpyState } from '../../utils/route/types';
 import { SecurityPageName } from '../../../../common/constants';
 import { createStore, State } from '../../store';
@@ -85,7 +85,29 @@ describe('Sourcerer Hooks', () => {
     jest.clearAllMocks();
     jest.restoreAllMocks();
   });
-  const state: State = mockGlobalState;
+  const state: State = {
+    ...mockGlobalState,
+    sourcerer: {
+      ...mockGlobalState.sourcerer,
+      sourcererScopes: {
+        ...mockGlobalState.sourcerer.sourcererScopes,
+        [SourcererScopeName.default]: {
+          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+          indexPattern: {
+            fields: [],
+            title: '',
+          },
+        },
+        [SourcererScopeName.timeline]: {
+          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+          indexPattern: {
+            fields: [],
+            title: '',
+          },
+        },
+      },
+    },
+  };
   const { storage } = createSecuritySolutionStorageMock();
   let store = createStore(
     state,
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
index b02a09625ccf3..d9f2abeb3832e 100644
--- a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
@@ -16,6 +16,9 @@ import { ManageScope, SourcererScopeName } from '../../store/sourcerer/model';
 import { useIndexFields } from '../source';
 import { State } from '../../store';
 import { useUserInfo } from '../../../detections/components/user_info';
+import { timelineSelectors } from '../../../timelines/store/timeline';
+import { TimelineId } from '../../../../common/types/timeline';
+import { TimelineModel } from '../../../timelines/store/timeline/model';
 
 export const useInitSourcerer = (
   scopeId: SourcererScopeName.default | SourcererScopeName.detections = SourcererScopeName.default
@@ -29,6 +32,12 @@ export const useInitSourcerer = (
   );
   const ConfigIndexPatterns = useSelector(getConfigIndexPatternsSelector, isEqual);
 
+  const getTimelineSelector = useMemo(() => timelineSelectors.getTimelineByIdSelector(), []);
+  const activeTimeline = useSelector<State, TimelineModel>(
+    (state) => getTimelineSelector(state, TimelineId.active),
+    isEqual
+  );
+
   useIndexFields(scopeId);
   useIndexFields(SourcererScopeName.timeline);
 
@@ -40,7 +49,11 @@ export const useInitSourcerer = (
 
   // Related to timeline
   useEffect(() => {
-    if (!loadingSignalIndex && signalIndexName != null) {
+    if (
+      !loadingSignalIndex &&
+      signalIndexName != null &&
+      (activeTimeline == null || (activeTimeline != null && activeTimeline.savedObjectId == null))
+    ) {
       dispatch(
         sourcererActions.setSelectedIndexPatterns({
           id: SourcererScopeName.timeline,
@@ -48,7 +61,7 @@ export const useInitSourcerer = (
         })
       );
     }
-  }, [ConfigIndexPatterns, dispatch, loadingSignalIndex, signalIndexName]);
+  }, [activeTimeline, ConfigIndexPatterns, dispatch, loadingSignalIndex, signalIndexName]);
 
   // Related to the detection page
   useEffect(() => {
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts
index 0b40586798f09..8e92d7559f1d6 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts
@@ -34,3 +34,9 @@ export const setSelectedIndexPatterns = actionCreator<{
   selectedPatterns: string[];
   eventType?: TimelineEventsType;
 }>('SET_SELECTED_INDEX_PATTERNS');
+
+export const initTimelineIndexPatterns = actionCreator<{
+  id: SourcererScopeName;
+  selectedPatterns: string[];
+  eventType?: TimelineEventsType;
+}>('INIT_TIMELINE_INDEX_PATTERNS');
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts
index 221244aaf9200..3414b1cffbbcc 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts
@@ -15,6 +15,7 @@ import {
   setSelectedIndexPatterns,
   setSignalIndexName,
   setSource,
+  initTimelineIndexPatterns,
 } from './actions';
 import { initialSourcererState, SourcererModel, SourcererScopeName } from './model';
 
@@ -76,6 +77,32 @@ export const sourcererReducer = reducerWithInitialState(initialSourcererState)
       },
     };
   })
+  .case(initTimelineIndexPatterns, (state, { id, selectedPatterns, eventType }) => {
+    let defaultIndexPatterns = state.configIndexPatterns;
+    if (isEmpty(selectedPatterns)) {
+      if (eventType === 'all' && !isEmpty(state.signalIndexName)) {
+        defaultIndexPatterns = [...state.configIndexPatterns, state.signalIndexName ?? ''];
+      } else if (eventType === 'raw') {
+        defaultIndexPatterns = state.configIndexPatterns;
+      } else if (
+        !isEmpty(state.signalIndexName) &&
+        (eventType === 'signal' || eventType === 'alert')
+      ) {
+        defaultIndexPatterns = [state.signalIndexName ?? ''];
+      }
+    }
+    return {
+      ...state,
+      sourcererScopes: {
+        ...state.sourcererScopes,
+        [id]: {
+          ...state.sourcererScopes[id],
+          selectedPatterns: isEmpty(selectedPatterns) ? defaultIndexPatterns : selectedPatterns,
+        },
+      },
+    };
+  })
+
   .case(setSource, (state, { id, payload }) => {
     const { ...sourcererScopes } = payload;
     return {
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
index f0859a0fb9b66..e7bd6234cb207 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
@@ -41,13 +41,18 @@ export const getIndexNamesSelectedSelector = () => {
   const getScopesSelector = scopesSelector();
   const getConfigIndexPatternsSelector = configIndexPatternsSelector();
 
-  const mapStateToProps = (state: State, scopeId: SourcererScopeName): string[] => {
+  const mapStateToProps = (
+    state: State,
+    scopeId: SourcererScopeName
+  ): { indexNames: string[]; previousIndexNames: string } => {
     const scope = getScopesSelector(state)[scopeId];
     const configIndexPatterns = getConfigIndexPatternsSelector(state);
-
-    return scope.selectedPatterns.length === 0 ? configIndexPatterns : scope.selectedPatterns;
+    return {
+      indexNames:
+        scope.selectedPatterns.length === 0 ? configIndexPatterns : scope.selectedPatterns,
+      previousIndexNames: scope.indexPattern.title,
+    };
   };
-
   return mapStateToProps;
 };
 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
index 47da1e93cf004..17356d61e52e1 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
@@ -45,7 +45,9 @@ describe('alert actions', () => {
     searchStrategyClient = {
       aggs: {} as ISearchStart['aggs'],
       showError: jest.fn(),
-      search: jest.fn().mockResolvedValue({ data: mockTimelineDetails }),
+      search: jest
+        .fn()
+        .mockImplementation(() => ({ toPromise: () => ({ data: mockTimelineDetails }) })),
       searchSource: {} as ISearchStart['searchSource'],
     };
 
@@ -397,6 +399,78 @@ describe('alert actions', () => {
         expect(createTimeline).toHaveBeenCalledWith(defaultTimelineProps);
       });
     });
+
+    describe('Eql', () => {
+      test(' with signal.group.id', async () => {
+        const ecsDataMock: Ecs = {
+          ...mockEcsDataWithAlert,
+          signal: {
+            rule: {
+              ...mockEcsDataWithAlert.signal?.rule!,
+              type: ['eql'],
+              timeline_id: [''],
+            },
+            group: {
+              id: ['my-group-id'],
+            },
+          },
+        };
+
+        await sendAlertToTimelineAction({
+          createTimeline,
+          ecsData: ecsDataMock,
+          nonEcsData: [],
+          updateTimelineIsLoading,
+          searchStrategyClient,
+        });
+
+        expect(updateTimelineIsLoading).not.toHaveBeenCalled();
+        expect(createTimeline).toHaveBeenCalledTimes(1);
+        expect(createTimeline).toHaveBeenCalledWith({
+          ...defaultTimelineProps,
+          timeline: {
+            ...defaultTimelineProps.timeline,
+            dataProviders: [
+              {
+                and: [],
+                enabled: true,
+                excluded: false,
+                id:
+                  'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-alert-id-my-group-id',
+                kqlQuery: '',
+                name: '1',
+                queryMatch: { field: 'signal.group.id', operator: ':', value: 'my-group-id' },
+              },
+            ],
+          },
+        });
+      });
+
+      test(' with NO  signal.group.id', async () => {
+        const ecsDataMock: Ecs = {
+          ...mockEcsDataWithAlert,
+          signal: {
+            rule: {
+              ...mockEcsDataWithAlert.signal?.rule!,
+              type: ['eql'],
+              timeline_id: [''],
+            },
+          },
+        };
+
+        await sendAlertToTimelineAction({
+          createTimeline,
+          ecsData: ecsDataMock,
+          nonEcsData: [],
+          updateTimelineIsLoading,
+          searchStrategyClient,
+        });
+
+        expect(updateTimelineIsLoading).not.toHaveBeenCalled();
+        expect(createTimeline).toHaveBeenCalledTimes(1);
+        expect(createTimeline).toHaveBeenCalledWith(defaultTimelineProps);
+      });
+    });
   });
 
   describe('determineToAndFrom', () => {
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
index 043a5afc4480d..e3defaea2ec67 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
@@ -150,8 +150,10 @@ export const getThresholdAggregationDataProvider = (
   ];
 };
 
-export const isEqlRule = (ecsData: Ecs) =>
-  ecsData.signal?.rule?.type?.length && ecsData.signal?.rule?.type[0] === 'eql';
+export const isEqlRuleWithGroupId = (ecsData: Ecs) =>
+  ecsData.signal?.rule?.type?.length &&
+  ecsData.signal?.rule?.type[0] === 'eql' &&
+  ecsData.signal?.group?.id?.length;
 
 export const isThresholdRule = (ecsData: Ecs) =>
   ecsData.signal?.rule?.type?.length && ecsData.signal?.rule?.type[0] === 'threshold';
@@ -181,24 +183,23 @@ export const sendAlertToTimelineAction = async ({
             timelineType: TimelineType.template,
           },
         }),
-        searchStrategyClient.search<
-          TimelineEventsDetailsRequestOptions,
-          TimelineEventsDetailsStrategyResponse
-        >(
-          {
-            defaultIndex: [],
-            docValueFields: [],
-            indexName: ecsData._index ?? '',
-            eventId: ecsData._id,
-            factoryQueryType: TimelineEventsQueries.details,
-          },
-          {
-            strategy: 'securitySolutionTimelineSearchStrategy',
-          }
-        ),
+        searchStrategyClient
+          .search<TimelineEventsDetailsRequestOptions, TimelineEventsDetailsStrategyResponse>(
+            {
+              defaultIndex: [],
+              docValueFields: [],
+              indexName: ecsData._index ?? '',
+              eventId: ecsData._id,
+              factoryQueryType: TimelineEventsQueries.details,
+            },
+            {
+              strategy: 'securitySolutionTimelineSearchStrategy',
+            }
+          )
+          .toPromise(),
       ]);
       const resultingTimeline: TimelineResult = getOr({}, 'data.getOneTimeline', responseTimeline);
-      const eventData: TimelineEventsDetailsItem[] = getOr([], 'data', eventDataResp);
+      const eventData: TimelineEventsDetailsItem[] = eventDataResp.data ?? [];
       if (!isEmpty(resultingTimeline)) {
         const timelineTemplate: TimelineResult = omitTypenameInTimeline(resultingTimeline);
         const { timeline, notes } = formatTimelineResultToModel(
@@ -327,7 +328,7 @@ export const sendAlertToTimelineAction = async ({
         },
       },
     ];
-    if (isEqlRule(ecsData)) {
+    if (isEqlRuleWithGroupId(ecsData)) {
       const signalGroupId = ecsData.signal?.group?.id?.length
         ? ecsData.signal?.group?.id[0]
         : 'unknown-signal-group-id';
diff --git a/x-pack/plugins/security_solution/public/overview/pages/overview.tsx b/x-pack/plugins/security_solution/public/overview/pages/overview.tsx
index 5a3b4ec384686..a292ec3e1a119 100644
--- a/x-pack/plugins/security_solution/public/overview/pages/overview.tsx
+++ b/x-pack/plugins/security_solution/public/overview/pages/overview.tsx
@@ -131,7 +131,7 @@ const OverviewComponent: React.FC<PropsFromRedux> = ({
                     <EventCounts
                       filters={filters}
                       from={from}
-                      indexNames={[]}
+                      indexNames={selectedPatterns}
                       indexPattern={indexPattern}
                       query={query}
                       setQuery={setQuery}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts
index c89740f667b29..4c3be81a4992a 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts
@@ -378,7 +378,7 @@ export const dispatchUpdateTimeline = (dispatch: Dispatch): DispatchUpdateTimeli
   ruleNote,
 }: UpdateTimeline): (() => void) => () => {
   dispatch(
-    sourcererActions.setSelectedIndexPatterns({
+    sourcererActions.initTimelineIndexPatterns({
       id: SourcererScopeName.timeline,
       selectedPatterns: timeline.indexNames,
       eventType: timeline.eventType,