
[Security Solution] [Detections] Revert "[Security Solution] [Detecti…
…ons] Fixes bug for determining when we hit max signals after filtering with lists (#71768)" (#71956) (#71983)

This reverts commit 56de45d.

Co-authored-by: Elastic Machine <[email protected]>
dhurley14 and elasticmachine authored Jul 16, 2020
1 parent f298c56 commit 2515eb6
Showing 2 changed files with 5 additions and 12 deletions.
Expand Up @@ -32,6 +32,7 @@ export const filterEventsAgainstList = async ({
buildRuleMessage,
}: FilterEventsAgainstList): Promise<SignalSearchResponse> => {
try {
logger.debug(buildRuleMessage(`exceptionsList: ${JSON.stringify(exceptionsList, null, 2)}`));
if (exceptionsList == null || exceptionsList.length === 0) {
logger.debug(buildRuleMessage('about to return original search result'));
return eventSearchResult;
Expand Up @@ -91,7 +91,7 @@ export const searchAfterAndBulkCreate = async ({
};

let sortId; // tells us where to start our next search_after query
let signalsCreatedCount = 0;
let searchResultSize = 0;

/*
The purpose of `maxResults` is to ensure we do not perform
Expand Down Expand Up @@ -127,8 +127,8 @@ export const searchAfterAndBulkCreate = async ({
toReturn.success = false;
return toReturn;
}
signalsCreatedCount = 0;
while (signalsCreatedCount < tuple.maxSignals) {
searchResultSize = 0;
while (searchResultSize < tuple.maxSignals) {
try {
logger.debug(buildRuleMessage(`sortIds: ${sortId}`));
const {
Expand Down Expand Up @@ -167,6 +167,7 @@ export const searchAfterAndBulkCreate = async ({
searchResult.hits.hits[searchResult.hits.hits.length - 1]?._source['@timestamp']
)
: null;
searchResultSize += searchResult.hits.hits.length;

// filter out the search results that match with the values found in the list.
// the resulting set are valid signals that are not on the allowlist.
Expand All @@ -186,14 +187,6 @@ export const searchAfterAndBulkCreate = async ({
break;
}

// make sure we are not going to create more signals than maxSignals allows
if (signalsCreatedCount + filteredEvents.hits.hits.length > tuple.maxSignals) {
filteredEvents.hits.hits = filteredEvents.hits.hits.slice(
0,
tuple.maxSignals - signalsCreatedCount
);
}

const {
bulkCreateDuration: bulkDuration,
createdItemsCount: createdCount,
Expand All @@ -218,7 +211,6 @@ export const searchAfterAndBulkCreate = async ({
});
logger.debug(buildRuleMessage(`created ${createdCount} signals`));
toReturn.createdSignalsCount += createdCount;
signalsCreatedCount += createdCount;
if (bulkDuration) {
toReturn.bulkCreateTimes.push(bulkDuration);
}
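Review bot: With `searchResultSize += searchResult.hits.hits.length;` back in the third hunk, the loop guard `while (searchResultSize < tuple.maxSignals)` in the second hunk counts raw hits before the exception-list filter (the comment right below the increment says filtering happens afterwards), so events the list removes still consume the maxSignals budget and the rule can stop before creating the intended number of signals. If that is the accepted trade-off of this revert, a comment at the increment such as `// counts pre-filter hits; events removed by the exception list still count toward maxSignals` would stop the next reader from treating it as an oversight. The removed slice that capped `filteredEvents.hits.hits` to the remaining budget is also gone, so a page whose filtered hits exceed the remainder appears to reach bulk create uncapped (inferred; the bulk-create call continues outside the hunk). searchAfterAndBulkCreate starts and ends outside these hunks.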
