

[Security Solution][Detections] Enable writing rule execution events …
…to Event Log by default (#115394)

* Enable writing rule execution events to Event Log by default

* Update event log provider name according to the RFC

* Fix SavedObjectClient find method arguments

Co-authored-by: Dmitry Shevchenko <[email protected]>
banderror and xcrzx authored Oct 19, 2021
1 parent 1d46541 commit 30ce299
Showing 5 changed files with 15 additions and 7 deletions.
Expand Up @@ -8,19 +8,23 @@
import { getBuildingBlockRule } from '../../objects/rule';
import { OVERVIEW_ALERTS_HISTOGRAM } from '../../screens/overview';
import { OVERVIEW } from '../../screens/security_header';
import { waitForAlertsIndexToBeCreated, waitForAlertsPanelToBeLoaded } from '../../tasks/alerts';
import { goToRuleDetails } from '../../tasks/alerts_detection_rules';
import { createCustomRuleActivated } from '../../tasks/api_calls/rules';
import { cleanKibana } from '../../tasks/common';
import { waitForAlertsToPopulate, waitForTheRuleToBeExecuted } from '../../tasks/create_new_rule';
import { loginAndWaitForPage } from '../../tasks/login';
import { loginAndWaitForPage, loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
import { navigateFromHeaderTo } from '../../tasks/security_header';
import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';
import { ALERTS_URL, DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';

const EXPECTED_NUMBER_OF_ALERTS = 16;

describe('Alerts generated by building block rules', () => {
beforeEach(() => {
cleanKibana();
loginAndWaitForPageWithoutDateRange(ALERTS_URL);
waitForAlertsPanelToBeLoaded();
waitForAlertsIndexToBeCreated();
});

it('Alerts should be visible on the Rule Detail page and not visible on the Overview page', () => {
2 changes: 1 addition & 1 deletion x-pack/plugins/security_solution/server/config.ts
Expand Up @@ -112,7 +112,7 @@ export const configSchema = schema.object({
schema.literal(UnderlyingLogClient.eventLog),
schema.literal(UnderlyingLogClient.savedObjects),
],
{ defaultValue: UnderlyingLogClient.savedObjects }
{ defaultValue: UnderlyingLogClient.eventLog }
),
}),

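Review bot: Flipping `defaultValue` to `UnderlyingLogClient.eventLog` changes where rule execution status is stored for every deployment that does not set this option explicitly, and nothing in this commit migrates or reads statuses previously recorded through the saved-objects client, so execution history may appear to reset on upgrade unless that is handled elsewhere. `UnderlyingLogClient.savedObjects` stays a valid literal in the schema, so it is now effectively an opt-out. A short comment on the default, e.g. `// Event Log is the default since #115394; savedObjects remains available as an opt-out.`, would make that intent visible to whoever next touches the schema. The `configSchema` object continues outside the hunk.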
Expand Up @@ -5,7 +5,7 @@
* 2.0.
*/

export const RULE_EXECUTION_LOG_PROVIDER = 'rule-execution.security';
export const RULE_EXECUTION_LOG_PROVIDER = 'securitySolution.ruleExecution';

export const ALERT_SAVED_OBJECT_TYPE = 'alert';

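Review bot: Changing the value of `RULE_EXECUTION_LOG_PROVIDER` from `'rule-execution.security'` to `'securitySolution.ruleExecution'` means any execution events already written to the event log under the old provider name will no longer be matched by queries built from this constant, and the commit does not address that. If the event-log client was only opt-in before (its config default is flipped in this same commit), leaving those events behind may be acceptable, but the decision should be recorded next to the constant. Suggested comment: `// Provider name per the rule execution log RFC. Events written under the earlier name 'rule-execution.security' are intentionally not queried.`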
Expand Up @@ -21,7 +21,7 @@ import { IRuleStatusSOAttributes } from '../../rules/types';

export interface RuleStatusSavedObjectsClient {
find: (
options?: Omit<SavedObjectsFindOptions, 'type'>
options: Omit<SavedObjectsFindOptions, 'type'> & { ruleId: string }
) => Promise<Array<SavedObjectsFindResult<IRuleStatusSOAttributes>>>;
findBulk: (ids: string[], statusesPerId: number) => Promise<FindBulkResponse>;
create: (
Expand All @@ -47,9 +47,14 @@ export const ruleStatusSavedObjectsClientFactory = (
savedObjectsClient: SavedObjectsClientContract
): RuleStatusSavedObjectsClient => ({
find: async (options) => {
const references = {
id: options.ruleId,
type: 'alert',
};
const result = await savedObjectsClient.find<IRuleStatusSOAttributes>({
...options,
type: legacyRuleStatusSavedObjectType,
hasReference: references,
});
return result.saved_objects;
},
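Review bot: In `find`, spreading `...options` forwards the new `ruleId` property into `savedObjectsClient.find` together with the real find options, because a spread is not subject to excess-property checks; destructure it out first with `const { ruleId, ...findOptions } = options;`, then `...findOptions,` and `hasReference: { id: ruleId, type: 'alert' },`, dropping the separate `references` object. The literal `'alert'` duplicates the exported `ALERT_SAVED_OBJECT_TYPE` constant touched in this same commit, which would be the better choice here if it is importable from this file. A `hasReference` supplied by a caller is silently overridden, which looks intended now that the interface makes `ruleId` the only way to scope the query, but worth a one-line comment. Replacing the previous `search`/`searchFields` form (see the `SavedObjectsAdapter` change in this commit) with an exact reference filter appears to be an improvement, since the rule id is no longer fed into a free-text search. The `ruleStatusSavedObjectsClientFactory` object continues past the hunk.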
Expand Up @@ -53,8 +53,7 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient {
perPage: logsCount,
sortField: 'statusDate',
sortOrder: 'desc',
search: ruleId,
searchFields: ['references.id'],
ruleId,
});
}

