From 6ef3d2dd6617d74840b0673a1a021ad99a193d4d Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 22 Feb 2022 15:22:53 -0700
Subject: [PATCH 01/11] Attach the internal signal_id to the endpoint alert to join with insights
---
 .../signals/search_after_bulk_create.ts | 8 +++++-
 .../signals/send_telemetry_events.test.ts | 4 +--
 .../signals/send_telemetry_events.ts | 27 ++++++++++++++++---
 .../server/lib/telemetry/types.ts | 1 +
 4 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
index f8270c53b07a..99230627cb6b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
@@ -176,7 +176,13 @@ export const searchAfterAndBulkCreate = async ({
 buildRuleMessage(`enrichedEvents.hits.hits: ${enrichedEvents.hits.hits.length}`)
 );
- sendAlertTelemetryEvents(logger, eventsTelemetry, enrichedEvents, buildRuleMessage);
+ sendAlertTelemetryEvents(
+ logger,
+ eventsTelemetry,
+ enrichedEvents,
+ createdItems,
+ buildRuleMessage
+ );
 }
 if (!hasSortId) {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
index 991378983e1b..ab814e089d2c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
@@ -63,8 +63,8 @@ describe('sendAlertTelemetry', () => {
 ],
 },
 };
-
- const sources = selectEvents(filteredEvents);
+ const joinMap = new Map();
+ const sources = selectEvents(filteredEvents, joinMap);
 expect(sources).toStrictEqual([
 {
 '@timestamp': 'x',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
index 5904f943183c..d106e351ac30 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
@@ -11,15 +11,29 @@ import { BuildRuleMessage } from './rule_messages';
 import { SignalSearchResponse, SignalSource } from './types';
 import { Logger } from '../../../../../../../src/core/server';
-export interface SearchResultWithSource {
+interface SearchResultWithEventId {
+ _source: {
+ event: {
+ id: string;
+ };
+ };
+}
+
+interface SearchResultSource {
 _source: SignalSource;
 }
-export function selectEvents(filteredEvents: SignalSearchResponse): TelemetryEvent[] {
+type SearchResultWithSource = SearchResultSource & SearchResultWithEventId;
+
+export function selectEvents(
+ filteredEvents: SignalSearchResponse,
+ signalIdMap: Map
+): TelemetryEvent[] {
 // @ts-expect-error @elastic/elasticsearch _source is optional
 const sources: TelemetryEvent[] = filteredEvents.hits.hits.map(function (
 obj: SearchResultWithSource
 ): TelemetryEvent {
+ obj._source.signal_id = signalIdMap.get(obj._source.event.id);
 return obj._source;
 });
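Review bot: The added `obj._source.signal_id = signalIdMap.get(obj._source.event.id);` writes into the `_source` object that lives inside `filteredEvents.hits.hits`, so the search response the caller still holds is mutated as a side effect of building telemetry; the same in-place write survives as `obj.signal_id = ...` in `enrichEndpointAlertsSignalID` (patch 06) and as the unconditional `obj.signal_id = undefined;` of patch 07. Returning a copy, e.g. `return { ...obj._source, signal_id: signalIdMap.get(obj._source.event.id) };`, keeps the enrichment on the telemetry objects only. `SearchResultWithEventId` also declares `event.id` as required, while patch 07's own test adds a document (`key3: 'no-event-id'`) with no `event` field, so the lookup here can throw on real data until the guard patch 06 introduces.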
@@ -31,13 +45,20 @@ export function sendAlertTelemetryEvents(
 logger: Logger,
 eventsTelemetry: ITelemetryEventsSender | undefined,
 filteredEvents: SignalSearchResponse,
+ createdEvents: SignalSource[],
 buildRuleMessage: BuildRuleMessage
 ) {
 if (eventsTelemetry === undefined) {
 return;
 }
+ // Create map of ancenstor_id -> alert_id
+ let signalIdMap = new Map();
+ createdEvents.map(function (obj: SignalSource) {
+ signalIdMap = signalIdMap.set(String(obj['kibana.alert.original_event.id']), String(obj._id));
+ return null;
+ });
- const sources = selectEvents(filteredEvents);
+ const sources = selectEvents(filteredEvents, signalIdMap);
 try {
 eventsTelemetry.queueTelemetryEvents(sources);
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
index 35b701552b6b..8fd296c51bd1 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
@@ -45,6 +45,7 @@ export interface ESLicense {
 export interface TelemetryEvent {
 [key: string]: SearchTypes;
 '@timestamp'?: string;
+ signal_id?: string;
 data_stream?: {
 [key: string]: SearchTypes;
 dataset?: string;
From 50d8fcb390dba0864769a5a865477f65f345c4e8 Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 22 Feb 2022 17:08:56 -0700
Subject: [PATCH 02/11] Ensure we forward signal_id field properly
---
 x-pack/plugins/security_solution/server/lib/telemetry/filters.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
index 452717f1efb4..d99136b3c42f 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
@@ -44,6 +44,7 @@ const allowlistProcessFields: AllowlistFields = {
 // Allow list for event-related fields, which can also be nested under events[]
 const allowlistBaseEventFields: AllowlistFields = {
+ signal_id: true,
 dll: {
 name: true,
 path: true,
From 123fb64504a39b057ed85baa9e26eb3f822a04b7 Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 22 Feb 2022 17:17:46 -0700
Subject: [PATCH 03/11] Don't think we need to explicitly define the field in the top-level since it satisfies the key:string
---
 x-pack/plugins/security_solution/server/lib/telemetry/types.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
index 8fd296c51bd1..35b701552b6b 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
@@ -45,7 +45,6 @@ export interface ESLicense {
 export interface TelemetryEvent {
 [key: string]: SearchTypes;
 '@timestamp'?: string;
- signal_id?: string;
 data_stream?: {
 [key: string]: SearchTypes;
 dataset?: string;
From 920e59aaf3f168b388ab92a9227b54402bcf5e7d Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 22 Feb 2022 18:51:47 -0700
Subject: [PATCH 04/11] Updated unit test to check for signal id enrichment
---
 .../signals/send_telemetry_events.test.ts | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
index ab814e089d2c..7c2821a1eb1d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
@@ -33,6 +33,9 @@ describe('sendAlertTelemetry', () => {
 data_stream: {
 dataset: 'endpoint.events',
 },
+ event: {
+ id: 'foo',
+ },
 },
 },
 {
@@ -47,6 +50,9 @@ describe('sendAlertTelemetry', () => {
 dataset: 'endpoint.alerts',
 other: 'x',
 },
+ event: {
+ id: 'bar',
+ },
 },
 },
 {
@@ -58,12 +64,19 @@ describe('sendAlertTelemetry', () => {
 '@timestamp': 'x',
 key3: 'hello',
 data_stream: {},
+ event: {
+ id: 'baz',
+ },
 },
 },
 ],
 },
 };
- const joinMap = new Map();
+ const joinMap = new Map([
+ ['foo', '1234'],
+ ['bar', 'abcd'],
+ ['baz', '4567'],
+ ]);
 const sources = selectEvents(filteredEvents, joinMap);
 expect(sources).toStrictEqual([
 {
@@ -73,6 +86,10 @@ describe('sendAlertTelemetry', () => {
 dataset: 'endpoint.alerts',
 other: 'x',
 },
+ event: {
+ id: 'bar',
+ },
+ signal_id: 'abcd',
 },
 ]);
 });
From 9785958c1d52a4e1aa6ad56e1937ca60a1b78340 Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 1 Mar 2022 08:10:55 -0700
Subject: [PATCH 05/11] Addressed some comments about alert_id enrichment
---
 .../signals/send_telemetry_events.ts | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
index d106e351ac30..5b712d51c451 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
@@ -23,6 +23,9 @@ interface SearchResultSource {
 _source: SignalSource;
 }
+type CreatedSignalId = string;
+type AlertId = string;
+
 type SearchResultWithSource = SearchResultSource & SearchResultWithEventId;
 export function selectEvents(
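Review bot: The new aliases `CreatedSignalId` and `AlertId` read as two names for the same thing, while the map they are meant to describe is keyed by the original event id (`kibana.alert.original_event.id`, per the reducer in the next hunk) with the created alert's `_id` as the value, so the key alias is misleading about which side is which. Naming them by role, `type OriginalEventId = string;` and `type CreatedAlertId = string;`, with a one-line comment `// original_event.id -> _id of the alert the rule created from it` above them, would match the "ancenstor_id -> alert_id" comment in `sendAlertTelemetryEvents`. The generic arguments on the `Map` parameters appear to have been stripped in this rendering of the patch, so I cannot confirm where the aliases are applied.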
@@ -52,11 +55,15 @@ export function sendAlertTelemetryEvents(
 return;
 }
 // Create map of ancenstor_id -> alert_id
- let signalIdMap = new Map();
- createdEvents.map(function (obj: SignalSource) {
- signalIdMap = signalIdMap.set(String(obj['kibana.alert.original_event.id']), String(obj._id));
- return null;
- });
+ const signalIdMap = createdEvents.reduce((signalMap, obj) => {
+ const ancestorId = String(obj['kibana.alert.original_event.id']);
+ const alertId = String(obj._id);
+ if (ancestorId !== null && ancestorId !== undefined) {
+ const newsignalMap = signalIdMap.set(ancestorId, alertId);
+ }
+
+ return newsignalMap;
+ }, new Map());
 const sources = selectEvents(filteredEvents, signalIdMap);
From 1a95e050e87db5479cd93d783cfdc43cc9dd0c0a Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 1 Mar 2022 10:07:04 -0700
Subject: [PATCH 06/11] Refactored send_telemetry_events to be more performant and idiomatic
---
 .../signals/send_telemetry_events.ts | 49 ++++++++++---------
 .../server/lib/telemetry/types.ts | 3 ++
 2 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
index 5b712d51c451..d8b90fcb626f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
@@ -11,14 +11,6 @@ import { BuildRuleMessage } from './rule_messages';
 import { SignalSearchResponse, SignalSource } from './types';
 import { Logger } from '../../../../../../../src/core/server';
-interface SearchResultWithEventId {
- _source: {
- event: {
- id: string;
- };
- };
-}
-
 interface SearchResultSource {
 _source: SignalSource;
 }
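Review bot: Inside the reducer, `signalIdMap.set(ancestorId, alertId)` refers to the `const` that this very `reduce` call is initialising rather than to the accumulator `signalMap`, so the first element evaluated throws a ReferenceError (the temporal dead zone), and `newsignalMap` is block-scoped to the `if`, so `return newsignalMap` does not compile. Patch 06 repairs the scoping and patch 11 sidesteps the TDZ by pre-declaring `let signalIdMap = new Map()`, but neither uses the accumulator; the reducer should read `signalMap.set(ancestorId, alertId);` followed by `return signalMap;`, with the initial value written as `new Map<CreatedSignalId, AlertId>()` so the map is typed, which also removes the need for the `no-param-reassign` disable added in patch 06. The enclosing function starts outside the hunk.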
@@ -26,17 +18,11 @@ interface SearchResultSource {
 type CreatedSignalId = string;
 type AlertId = string;
-type SearchResultWithSource = SearchResultSource & SearchResultWithEventId;
-
-export function selectEvents(
- filteredEvents: SignalSearchResponse,
- signalIdMap: Map
-): TelemetryEvent[] {
+export function selectEvents(filteredEvents: SignalSearchResponse): TelemetryEvent[] {
 // @ts-expect-error @elastic/elasticsearch _source is optional
 const sources: TelemetryEvent[] = filteredEvents.hits.hits.map(function (
- obj: SearchResultWithSource
+ obj: SearchResultSource
 ): TelemetryEvent {
- obj._source.signal_id = signalIdMap.get(obj._source.event.id);
 return obj._source;
 });
@@ -44,6 +30,18 @@ export function selectEvents(
 return sources.filter((obj: TelemetryEvent) => obj.data_stream?.dataset === 'endpoint.alerts');
 }
+export function enrichEndpointAlertsSignalID(
+ events: TelemetryEvent[],
+ signalIdMap: Map
+): TelemetryEvent[] {
+ return events.map(function (obj: TelemetryEvent): TelemetryEvent {
+ if (obj?.event?.id !== undefined) {
+ obj.signal_id = signalIdMap.get(obj.event.id);
+ }
+ return obj;
+ });
+}
+
 export function sendAlertTelemetryEvents(
 logger: Logger,
 eventsTelemetry: ITelemetryEventsSender | undefined,
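Review bot: `enrichEndpointAlertsSignalID` is a new export with no doc comment, and neither its name nor its `map` shape tells a caller that it writes `signal_id` onto the objects it is given and returns those same objects. A TSDoc of the form `/** Attaches signal_id (the _id of the alert the rule created from an endpoint alert) by looking up event.id in signalIdMap; events with no event.id or no match are returned as-is. Mutates the input objects. */` would make that contract visible. The optional chain on `obj?.event?.id` is unnecessary on `obj`, which the `map` callback types as `TelemetryEvent`; `obj.event?.id` reads the same.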
@@ -55,21 +53,24 @@ export function sendAlertTelemetryEvents(
 return;
 }
 // Create map of ancenstor_id -> alert_id
+ /* eslint-disable no-param-reassign */
 const signalIdMap = createdEvents.reduce((signalMap, obj) => {
 const ancestorId = String(obj['kibana.alert.original_event.id']);
 const alertId = String(obj._id);
 if (ancestorId !== null && ancestorId !== undefined) {
- const newsignalMap = signalIdMap.set(ancestorId, alertId);
+ signalMap = signalIdMap.set(ancestorId, alertId);
 }
- return newsignalMap;
+ return signalMap;
 }, new Map());
- const sources = selectEvents(filteredEvents, signalIdMap);
-
- try {
- eventsTelemetry.queueTelemetryEvents(sources);
- } catch (exc) {
- logger.error(buildRuleMessage(`[-] queing telemetry events failed ${exc}`));
+ const selectedEvents = selectEvents(filteredEvents);
+ if (selectedEvents.length > 0) {
+ const alertsWithSignalIds = enrichEndpointAlertsSignalID(selectedEvents, signalIdMap);
+ try {
+ eventsTelemetry.queueTelemetryEvents(alertsWithSignalIds);
+ } catch (exc) {
+ logger.error(buildRuleMessage(`[-] queing telemetry events failed ${exc}`));
+ }
 }
 }
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
index 35b701552b6b..ef2283d2697c 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
@@ -58,6 +58,9 @@ export interface TelemetryEvent {
 };
 };
 license?: ESLicense;
+ event?: {
+ id?: string;
+ };
 }
 // EP Policy Response
From 72c6a2365d37b81a7882262e53e54bbfe9759f8d Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 1 Mar 2022 16:26:27 -0700
Subject: [PATCH 07/11] Added test cases with a non-matching enrichment or non-existing enrichment
---
 .../signals/send_telemetry_events.test.ts | 57 ++++++++++++++++++-
 .../signals/send_telemetry_events.ts | 24 ++++----
 2 files changed, 68 insertions(+), 13 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
index 7c2821a1eb1d..36bb90936620 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.test.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { selectEvents } from './send_telemetry_events';
+import { selectEvents, enrichEndpointAlertsSignalID } from './send_telemetry_events';
 describe('sendAlertTelemetry', () => {
 it('selectEvents', () => {
@@ -69,6 +69,37 @@ describe('sendAlertTelemetry', () => {
 },
 },
 },
+ {
+ _index: 'y',
+ _type: 'y',
+ _id: 'y',
+ _score: 0,
+ _source: {
+ '@timestamp': 'y',
+ key3: 'hello',
+ data_stream: {
+ dataset: 'endpoint.alerts',
+ other: 'y',
+ },
+ event: {
+ id: 'not-in-map',
+ },
+ },
+ },
+ {
+ _index: 'z',
+ _type: 'z',
+ _id: 'z',
+ _score: 0,
+ _source: {
+ '@timestamp': 'z',
+ key3: 'no-event-id',
+ data_stream: {
+ dataset: 'endpoint.alerts',
+ other: 'z',
+ },
+ },
+ },
 ],
 },
 };
@@ -77,7 +108,8 @@ describe('sendAlertTelemetry', () => {
 ['bar', 'abcd'],
 ['baz', '4567'],
 ]);
- const sources = selectEvents(filteredEvents, joinMap);
+ const subsetEvents = selectEvents(filteredEvents);
+ const sources = enrichEndpointAlertsSignalID(subsetEvents, joinMap);
 expect(sources).toStrictEqual([
 {
 '@timestamp': 'x',
@@ -91,6 +123,27 @@ describe('sendAlertTelemetry', () => {
 },
 signal_id: 'abcd',
 },
+ {
+ '@timestamp': 'y',
+ key3: 'hello',
+ data_stream: {
+ dataset: 'endpoint.alerts',
+ other: 'y',
+ },
+ event: {
+ id: 'not-in-map',
+ },
+ signal_id: undefined,
+ },
+ {
+ '@timestamp': 'z',
+ key3: 'no-event-id',
+ data_stream: {
+ dataset: 'endpoint.alerts',
+ other: 'z',
+ },
+ signal_id: undefined,
+ },
 ]);
 });
 });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
index d8b90fcb626f..0a6448a26ce4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
@@ -35,6 +35,7 @@ export function enrichEndpointAlertsSignalID(
 signalIdMap: Map
 ): TelemetryEvent[] {
 return events.map(function (obj: TelemetryEvent): TelemetryEvent {
+ obj.signal_id = undefined;
 if (obj?.event?.id !== undefined) {
 obj.signal_id = signalIdMap.get(obj.event.id);
 }
@@ -52,20 +53,21 @@ export function sendAlertTelemetryEvents(
 if (eventsTelemetry === undefined) {
 return;
 }
- // Create map of ancenstor_id -> alert_id
- /* eslint-disable no-param-reassign */
- const signalIdMap = createdEvents.reduce((signalMap, obj) => {
- const ancestorId = String(obj['kibana.alert.original_event.id']);
- const alertId = String(obj._id);
- if (ancestorId !== null && ancestorId !== undefined) {
- signalMap = signalIdMap.set(ancestorId, alertId);
- }
-
- return signalMap;
- }, new Map());
 const selectedEvents = selectEvents(filteredEvents);
 if (selectedEvents.length > 0) {
+ // Create map of ancenstor_id -> alert_id
+ /* eslint-disable no-param-reassign */
+ const signalIdMap = createdEvents.reduce((signalMap, obj) => {
+ const ancestorId = String(obj['kibana.alert.original_event.id']);
+ const alertId = String(obj._id);
+ if (ancestorId !== null && ancestorId !== undefined) {
+ signalMap = signalIdMap.set(ancestorId, alertId);
+ }
+
+ return signalMap;
+ }, new Map());
+
 const alertsWithSignalIds = enrichEndpointAlertsSignalID(selectedEvents, signalIdMap);
 try {
 eventsTelemetry.queueTelemetryEvents(alertsWithSignalIds);
From 9c59f24d8d558797f85806f3db1050783b9c9895 Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 1 Mar 2022 18:08:00 -0700
Subject: [PATCH 08/11] Broke some tests that don't assume QueueTelemetryEvents are endpoint.alerts
---
 .../signals/send_telemetry_events.ts | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
index 0a6448a26ce4..609cdbd07376 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
@@ -54,7 +54,7 @@ export function sendAlertTelemetryEvents(
 return;
 }
- const selectedEvents = selectEvents(filteredEvents);
+ let selectedEvents = selectEvents(filteredEvents);
 if (selectedEvents.length > 0) {
 // Create map of ancenstor_id -> alert_id
 /* eslint-disable no-param-reassign */
@@ -68,11 +68,11 @@ export function sendAlertTelemetryEvents(
 return signalMap;
 }, new Map());
- const alertsWithSignalIds = enrichEndpointAlertsSignalID(selectedEvents, signalIdMap);
- try {
- eventsTelemetry.queueTelemetryEvents(alertsWithSignalIds);
- } catch (exc) {
- logger.error(buildRuleMessage(`[-] queing telemetry events failed ${exc}`));
- }
+ selectedEvents = enrichEndpointAlertsSignalID(selectedEvents, signalIdMap);
+ }
+ try {
+ eventsTelemetry.queueTelemetryEvents(selectedEvents);
+ } catch (exc) {
+ logger.error(buildRuleMessage(`[-] queing telemetry events failed ${exc}`));
 }
 }
From 717930b2dacfcff21f653c5c3dd3bbb23db7eb61 Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 1 Mar 2022 19:31:04 -0700
Subject: [PATCH 09/11] my types were still off
---
 .../security_solution/server/lib/telemetry/sender.test.ts | 2 ++
 x-pack/plugins/security_solution/server/lib/telemetry/types.ts | 1 +
 2 files changed, 3 insertions(+)
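Review bot: With the `try` moved out of the `if`, `queueTelemetryEvents` is now invoked with an empty array whenever no `endpoint.alerts` documents were selected, and the commit message says tests depend on that call happening; an expectation like that belongs in the code, e.g. `// Always queue, even an empty batch: callers and tests expect queueTelemetryEvents to be called` above the `try`. The `/* eslint-disable no-param-reassign */` that now sits inside the `if` has no matching `eslint-enable`, so it disables the rule for the rest of the file rather than for the reducer alone; `// eslint-disable-next-line no-param-reassign` on the assignment line, or using the accumulator without reassigning it, keeps the exemption local. The enclosing function starts outside the hunk.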
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
index 70852aa3093c..d055f3843d47 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -35,6 +35,7 @@ describe('TelemetryEventsSender', () => {
 {
 event: {
 kind: 'alert',
+ id: 'test',
 },
 dns: {
 question: {
@@ -108,6 +109,7 @@ describe('TelemetryEventsSender', () => {
 {
 event: {
 kind: 'alert',
+ id: 'test',
 },
 dns: {
 question: {
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
index ef2283d2697c..35b531ae6941 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/types.ts
@@ -60,6 +60,7 @@ export interface TelemetryEvent {
 license?: ESLicense;
 event?: {
 id?: string;
+ kind?: string;
 };
 }
From f1b6f036787b42b359db1178f015d88df771aab1 Mon Sep 17 00:00:00 2001
From: Chris
Date: Wed, 2 Mar 2022 10:25:47 -0700
Subject: [PATCH 10/11] Addressed comments to use more idiomatic 'toString' function
---
 .../lib/detection_engine/signals/send_telemetry_events.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
index 609cdbd07376..6560dcd3180b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
@@ -59,9 +59,9 @@ export function sendAlertTelemetryEvents(
 // Create map of ancenstor_id -> alert_id
 /* eslint-disable no-param-reassign */
 const signalIdMap = createdEvents.reduce((signalMap, obj) => {
- const ancestorId = String(obj['kibana.alert.original_event.id']);
- const alertId = String(obj._id);
- if (ancestorId !== null && ancestorId !== undefined) {
+ const ancestorId = obj['kibana.alert.original_event.id']?.toString();
+ const alertId = obj._id?.toString();
+ if (ancestorId !== null && ancestorId !== undefined && alertId !== undefined) {
 signalMap = signalIdMap.set(ancestorId, alertId);
 }
From b223ddde8886e973da0d0ba84c86bf0d71ff1027 Mon Sep 17 00:00:00 2001
From: Chris
Date: Wed, 2 Mar 2022 12:03:16 -0700
Subject: [PATCH 11/11] Fixed 'Cannot access signalIdMap before initialization name' in reduce by instatiating map prior to reduce
---
 .../lib/detection_engine/signals/send_telemetry_events.ts | 3 ++-
 .../plugins/security_solution/server/lib/telemetry/filters.ts | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
index 6560dcd3180b..fc3aed36939c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
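Review bot: The `ancestorId !== null` test on the new `if` line is dead: `?.toString()` yields `string | undefined`, never `null`, so `if (ancestorId !== undefined && alertId !== undefined) {` says everything the guard checks. `toString()` also silently stringifies non-string values (an array becomes a comma-joined string, an object `[object Object]`), so if `SearchTypes` admits such shapes for `kibana.alert.original_event.id` — I cannot tell from the hunk — a `typeof value === 'string'` check would be stricter than either this or the `String()` it replaces, and a malformed key would be dropped rather than joined. The enclosing function starts outside the hunk.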
@@ -57,8 +57,9 @@ export function sendAlertTelemetryEvents(
 let selectedEvents = selectEvents(filteredEvents);
 if (selectedEvents.length > 0) {
 // Create map of ancenstor_id -> alert_id
+ let signalIdMap = new Map();
 /* eslint-disable no-param-reassign */
- const signalIdMap = createdEvents.reduce((signalMap, obj) => {
+ signalIdMap = createdEvents.reduce((signalMap, obj) => {
 const ancestorId = obj['kibana.alert.original_event.id']?.toString();
 const alertId = obj._id?.toString();
 if (ancestorId !== null && ancestorId !== undefined && alertId !== undefined) {
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
index d99136b3c42f..bd41bc454e87 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
@@ -44,7 +44,6 @@ const allowlistProcessFields: AllowlistFields = {
 // Allow list for event-related fields, which can also be nested under events[]
 const allowlistBaseEventFields: AllowlistFields = {
- signal_id: true,
 dll: {
 name: true,
 path: true,
@@ -109,6 +108,7 @@ const allowlistBaseEventFields: AllowlistFields = {
 export const allowlistEventFields: AllowlistFields = {
 _id: true,
 '@timestamp': true,
+ signal_id: true,
 agent: true,
 Endpoint: true,
 /* eslint-disable @typescript-eslint/naming-convention */
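Review bot: `signal_id: true` enters `allowlistEventFields` with nothing saying what the field is or where it is set, and since this allowlist decides which alert fields are shipped in telemetry, someone auditing it later cannot tell that it is an internal document id produced by this series rather than an endpoint-supplied field. A trailing comment such as `signal_id: true, // _id of the detection alert the rule created from this endpoint alert; set in send_telemetry_events.ts` records that provenance next to the entry. Removing it from `allowlistBaseEventFields` in the previous hunk also means the field is no longer forwarded when nested under `events[]`, per that list's own comment; if that is deliberate, the same comment is the place to say so.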