From 073bd66a8612f3f453aedbe0b8e0f29afb9766bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patryk=20Kopyci=C5=84ski?= <patryk.kopycinski@elastic.co>
Date: Wed, 22 Jul 2020 02:18:28 +0200
Subject: [PATCH] [Detections] Add validation for Threshold value field
 (#72611)

---
 .../rules/step_define_rule/schema.tsx         | 14 ++++++++
 .../bulk_create_threshold_signals.test.ts     | 35 +++++++++++++++++++
 .../signals/bulk_create_threshold_signals.ts  |  2 +-
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
index 67d795ccf90f0..333b28bf27bbf 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
@@ -202,6 +202,20 @@ export const schema: FormSchema = {
           defaultMessage: 'Threshold',
         }
       ),
+      validations: [
+        {
+          validator: fieldValidators.numberGreaterThanField({
+            than: 1,
+            message: i18n.translate(
+              'xpack.securitySolution.detectionEngine.validations.thresholdValueFieldData.numberGreaterThanOrEqualOneErrorMessage',
+              {
+                defaultMessage: 'Value must be greater than or equal one.',
+              }
+            ),
+            allowEquality: true,
+          }),
+        },
+      ],
     },
   },
 };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts
index 744e2b0c06efe..d97dc4ba2cbd2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts
@@ -193,4 +193,39 @@ describe('getThresholdSignalQueryFields', () => {
       'event.dataset': 'traefik.access',
     });
   });
+
+  it('should return proper object for exists filters', () => {
+    const filters = {
+      bool: {
+        should: [
+          {
+            bool: {
+              should: [
+                {
+                  exists: {
+                    field: 'process.name',
+                  },
+                },
+              ],
+              minimum_should_match: 1,
+            },
+          },
+          {
+            bool: {
+              should: [
+                {
+                  exists: {
+                    field: 'event.type',
+                  },
+                },
+              ],
+              minimum_should_match: 1,
+            },
+          },
+        ],
+        minimum_should_match: 1,
+      },
+    };
+    expect(getThresholdSignalQueryFields(filters)).toEqual({});
+  });
 });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts
index ef9fbe485b92f..e2f3d16bd6d03 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts
@@ -83,7 +83,7 @@ export const getThresholdSignalQueryFields = (filter: unknown) => {
         return { ...acc, ...item.match_phrase };
       }
 
-      if (item.bool.should && (item.bool.should[0].match || item.bool.should[0].match_phrase)) {
+      if (item.bool?.should && (item.bool.should[0].match || item.bool.should[0].match_phrase)) {
         return { ...acc, ...(item.bool.should[0].match || item.bool.should[0].match_phrase) };
       }