[Security Solution][Detection Engine] fixes ES|QL rule type case, when alerts get truncated #170034
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…n alerts get truncated
vitaliidm
added
Team:Detections and Resp
|
Flaky test runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/3775 |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
vitaliidm
added
the
release_note:skip
vitaliidm
commented
Oct 27, 2023
| it('should generate alerts when docs overlap execution intervals and alerts number reached max_signals in one of the executions', async () => { | ||
| // as per https://github.com/elastic/kibana/pull/170034, test is failing on CI and flaky locally | ||
| // skipping it for now for further investigation | ||
| it.skip('should generate alerts when docs overlap execution intervals and alerts number reached max_signals in one of the executions', async () => { |
There was a problem hiding this comment.
I had to skip this test, as it's flaky locally and failing on CI.
Will be investigated and fixed later
There was a problem hiding this comment.
Issue to unskip it: https://github.com/elastic/security-team/issues/7928
e40pud
approved these changes
Oct 27, 2023
💚 Build Succeeded
Metrics [docs]
To update your PR or re-run it, just comment with: cc @vitaliidm |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 27, 2023
…n alerts get truncated (elastic#170034) ## Summary Missing `break` statement can cause additional requests in ES|QL rule queries, in the next statement ```ts if (bulkCreateResult.alertsWereTruncated) { result.warningMessages.push(getMaxSignalsWarning()); } ``` where we check if alerts were truncated to display warning. If alerts were truncated, no need to do another paging request, we can safely break loop execution, since we reached max number of possible alerts ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) (cherry picked from commit 46ca1f0)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 30, 2023
…se, when alerts get truncated (#170034) (#170050) # Backport This will backport the following commits from `main` to `8.11`: - [[Security Solution][Detection Engine] fixes ES|QL rule type case, when alerts get truncated (#170034)](#170034) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Vitalii Dmyterko","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-10-27T15:47:15Z","message":"[Security Solution][Detection Engine] fixes ES|QL rule type case, when alerts get truncated (#170034)\n\n## Summary\r\n\r\nMissing `break` statement can cause additional requests in ES|QL rule\r\nqueries, in the next statement\r\n\r\n```ts\r\n if (bulkCreateResult.alertsWereTruncated) {\r\n result.warningMessages.push(getMaxSignalsWarning());\r\n }\r\n```\r\nwhere we check if alerts were truncated to display warning.\r\n\r\nIf alerts were truncated, no need to do another paging request, we can\r\nsafely break loop execution, since we reached max number of possible\r\nalerts\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] If a plugin configuration key changed, check if it needs to be\r\nallowlisted in the cloud and added to the [docker\r\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)","sha":"46ca1f08b7965a88819c6bad7350301d347f4e44","branchLabelMapping":{"^v8.12.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Detections and Resp","Team: SecuritySolution","backport:prev-minor","Team:Detection Engine","v8.11.0","v8.12.0"],"number":170034,"url":"https://github.com/elastic/kibana/pull/170034","mergeCommit":{"message":"[Security Solution][Detection Engine] fixes ES|QL rule type case, when alerts get truncated (#170034)\n\n## Summary\r\n\r\nMissing `break` statement can cause additional requests in ES|QL rule\r\nqueries, in the next statement\r\n\r\n```ts\r\n if (bulkCreateResult.alertsWereTruncated) {\r\n result.warningMessages.push(getMaxSignalsWarning());\r\n }\r\n```\r\nwhere we check if alerts were truncated to display warning.\r\n\r\nIf alerts were truncated, no need to do another paging request, we can\r\nsafely break loop execution, since we reached max number of possible\r\nalerts\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] If a plugin configuration key changed, check if it needs to be\r\nallowlisted in the cloud and added to the [docker\r\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)","sha":"46ca1f08b7965a88819c6bad7350301d347f4e44"}},"sourceBranch":"main","suggestedTargetBranches":["8.11"],"targetPullRequestStates":[{"branch":"8.11","label":"v8.11.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.12.0","labelRegex":"^v8.12.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/170034","number":170034,"mergeCommit":{"message":"[Security Solution][Detection Engine] fixes ES|QL rule type case, when alerts get truncated (#170034)\n\n## Summary\r\n\r\nMissing `break` statement can cause additional requests in ES|QL rule\r\nqueries, in the next statement\r\n\r\n```ts\r\n if (bulkCreateResult.alertsWereTruncated) {\r\n result.warningMessages.push(getMaxSignalsWarning());\r\n }\r\n```\r\nwhere we check if alerts were truncated to display warning.\r\n\r\nIf alerts were truncated, no need to do another paging request, we can\r\nsafely break loop execution, since we reached max number of possible\r\nalerts\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] If a plugin configuration key changed, check if it needs to be\r\nallowlisted in the cloud and added to the [docker\r\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)","sha":"46ca1f08b7965a88819c6bad7350301d347f4e44"}}]}] BACKPORT--> Co-authored-by: Vitalii Dmyterko <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Missing
breakstatement can cause additional requests in ES|QL rule queries, in the next statementwhere we check if alerts were truncated to display warning.
If alerts were truncated, no need to do another paging request, we can safely break loop execution, since we reached max number of possible alerts
Checklist
Delete any items that are not applicable to this PR.