From 08522efde74cb24874386aaaca847d04bb4ddf68 Mon Sep 17 00:00:00 2001 From: Devin Hurley Date: Wed, 23 Sep 2020 16:38:39 -0400 Subject: [PATCH 1/2] adds missing buildRuleMessage to debug logs to display rule id, name, etc. in logs --- .../signals/bulk_create_ml_signals.ts | 7 +- .../signals/bulk_create_threshold_signals.ts | 6 +- .../signals/find_threshold_signals.ts | 4 + .../signals/search_after_bulk_create.ts | 2 + .../signals/signal_rule_alert_type.ts | 89 ++++++++++--------- .../signals/single_bulk_create.test.ts | 13 +++ .../signals/single_bulk_create.ts | 23 +++-- .../signals/single_search_after.test.ts | 12 +++ .../signals/single_search_after.ts | 5 +- 9 files changed, 107 insertions(+), 54 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts index 80839545951d5..244a1604a2023 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts @@ -14,6 +14,7 @@ import { RuleAlertAction } from '../../../../common/detection_engine/types'; import { RuleTypeParams, RefreshTypes } from '../types'; import { singleBulkCreate, SingleBulkCreateResponse } from './single_bulk_create'; import { AnomalyResults, Anomaly } from '../../machine_learning'; +import { BuildRuleMessage } from './rule_messages'; interface BulkCreateMlSignalsParams { actions: RuleAlertAction[]; @@ -81,10 +82,10 @@ const transformAnomalyResultsToEcs = (results: AnomalyResults): SearchResponse => { const anomalyResults = params.someResult; const ecsResults = transformAnomalyResultsToEcs(anomalyResults); - - return singleBulkCreate({ ...params, filteredEvents: ecsResults }); + return singleBulkCreate({ ...params, filteredEvents: ecsResults, buildRuleMessage }); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts index bdcddbf2ed21b..580a3f9f20671 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts @@ -15,6 +15,7 @@ import { RuleAlertAction } from '../../../../common/detection_engine/types'; import { RuleTypeParams, RefreshTypes } from '../types'; import { singleBulkCreate, SingleBulkCreateResponse } from './single_bulk_create'; import { SignalSearchResponse } from './types'; +import { BuildRuleMessage } from './rule_messages'; // used to generate constant Threshold Signals ID when run with the same params const NAMESPACE_ID = '0684ec03-7201-4ee0-8ee0-3a3f6b2479b2'; @@ -184,7 +185,8 @@ export const transformThresholdResultsToEcs = ( }; export const bulkCreateThresholdSignals = async ( - params: BulkCreateThresholdSignalsParams + params: BulkCreateThresholdSignalsParams, + buildRuleMessage: BuildRuleMessage ): Promise => { const thresholdResults = params.someResult; const ecsResults = transformThresholdResultsToEcs( @@ -196,5 +198,5 @@ export const bulkCreateThresholdSignals = async ( params.ruleParams.ruleId ); - return singleBulkCreate({ ...params, filteredEvents: ecsResults }); + return singleBulkCreate({ ...params, filteredEvents: ecsResults, buildRuleMessage }); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_threshold_signals.ts index 604b452174045..2822568049960 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_threshold_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_threshold_signals.ts @@ -12,6 +12,7 @@ import { singleSearchAfter } from './single_search_after'; import { AlertServices } from '../../../../../alerts/server'; import { Logger } from '../../../../../../../src/core/server'; import { SignalSearchResponse } from './types'; +import { BuildRuleMessage } from './rule_messages'; interface FindThresholdSignalsParams { from: string; @@ -21,6 +22,7 @@ interface FindThresholdSignalsParams { logger: Logger; filter: unknown; threshold: Threshold; + buildRuleMessage: BuildRuleMessage; } export const findThresholdSignals = async ({ @@ -31,6 +33,7 @@ export const findThresholdSignals = async ({ logger, filter, threshold, + buildRuleMessage, }: FindThresholdSignalsParams): Promise<{ searchResult: SignalSearchResponse; searchDuration: string; @@ -59,5 +62,6 @@ export const findThresholdSignals = async ({ logger, filter, pageSize: 0, + buildRuleMessage, }); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts index d369a91335347..2df180582a0ac 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts @@ -80,6 +80,7 @@ export const searchAfterAndBulkCreate = async ({ // perform search_after with optionally undefined sortId const { searchResult, searchDuration, searchErrors } = await singleSearchAfter({ + buildRuleMessage, searchAfterSortId: sortId, index: inputIndexPattern, from: tuple.from.toISOString(), @@ -153,6 +154,7 @@ export const searchAfterAndBulkCreate = async ({ success: bulkSuccess, errors: bulkErrors, } = await singleBulkCreate({ + buildRuleMessage, filteredEvents, ruleParams, services, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts index f7b56f42755ab..0f41af073fd04 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts @@ -239,25 +239,28 @@ export const signalRulesAlertType = ({ errors, bulkCreateDuration, createdItemsCount, - } = await bulkCreateMlSignals({ - actions, - throttle, - someResult: anomalyResults, - ruleParams: params, - services, - logger, - id: alertId, - signalsIndex: outputIndex, - name, - createdBy, - createdAt, - updatedBy, - updatedAt, - interval, - enabled, - refresh, - tags, - }); + } = await bulkCreateMlSignals( + { + actions, + throttle, + someResult: anomalyResults, + ruleParams: params, + services, + logger, + id: alertId, + signalsIndex: outputIndex, + name, + createdBy, + createdAt, + updatedBy, + updatedAt, + interval, + enabled, + refresh, + tags, + }, + buildRuleMessage + ); // The legacy ES client does not define failures when it can be present on the structure, hence why I have the & { failures: [] } const shardFailures = (anomalyResults._shards as typeof anomalyResults._shards & { failures: [] }).failures ?? @@ -295,6 +298,7 @@ export const signalRulesAlertType = ({ logger, filter: esFilter, threshold, + buildRuleMessage, }); const { @@ -302,28 +306,31 @@ export const signalRulesAlertType = ({ bulkCreateDuration, createdItemsCount, errors, - } = await bulkCreateThresholdSignals({ - actions, - throttle, - someResult: thresholdResults, - ruleParams: params, - filter: esFilter, - services, - logger, - id: alertId, - inputIndexPattern: inputIndex, - signalsIndex: outputIndex, - startedAt, - name, - createdBy, - createdAt, - updatedBy, - updatedAt, - interval, - enabled, - refresh, - tags, - }); + } = await bulkCreateThresholdSignals( + { + actions, + throttle, + someResult: thresholdResults, + ruleParams: params, + filter: esFilter, + services, + logger, + id: alertId, + inputIndexPattern: inputIndex, + signalsIndex: outputIndex, + startedAt, + name, + createdBy, + createdAt, + updatedBy, + updatedAt, + interval, + enabled, + refresh, + tags, + }, + buildRuleMessage + ); result = mergeReturns([ result, createSearchAfterReturnTypeFromResponse({ searchResult: thresholdResults }), diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.test.ts index 374b967d1e77f..b7cc13fd13a01 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.test.ts @@ -19,7 +19,14 @@ import { import { DEFAULT_SIGNALS_INDEX } from '../../../../common/constants'; import { singleBulkCreate, filterDuplicateRules } from './single_bulk_create'; import { alertsMock, AlertServicesMock } from '../../../../../alerts/server/mocks'; +import { buildRuleMessageFactory } from './rule_messages'; +const buildRuleMessage = buildRuleMessageFactory({ + id: 'fake id', + ruleId: 'fake rule id', + index: 'fakeindex', + name: 'fake name', +}); describe('singleBulkCreate', () => { const mockService: AlertServicesMock = alertsMock.createAlertServices(); @@ -158,6 +165,7 @@ describe('singleBulkCreate', () => { refresh: false, tags: ['some fake tag 1', 'some fake tag 2'], throttle: 'no_actions', + buildRuleMessage, }); expect(success).toEqual(true); expect(createdItemsCount).toEqual(0); @@ -192,6 +200,7 @@ describe('singleBulkCreate', () => { refresh: false, tags: ['some fake tag 1', 'some fake tag 2'], throttle: 'no_actions', + buildRuleMessage, }); expect(success).toEqual(true); expect(createdItemsCount).toEqual(0); @@ -218,6 +227,7 @@ describe('singleBulkCreate', () => { refresh: false, tags: ['some fake tag 1', 'some fake tag 2'], throttle: 'no_actions', + buildRuleMessage, }); expect(success).toEqual(true); expect(createdItemsCount).toEqual(0); @@ -245,6 +255,7 @@ describe('singleBulkCreate', () => { refresh: false, tags: ['some fake tag 1', 'some fake tag 2'], throttle: 'no_actions', + buildRuleMessage, }); expect(mockLogger.error).not.toHaveBeenCalled(); @@ -274,6 +285,7 @@ describe('singleBulkCreate', () => { refresh: false, tags: ['some fake tag 1', 'some fake tag 2'], throttle: 'no_actions', + buildRuleMessage, }); expect(mockLogger.error).toHaveBeenCalled(); expect(errors).toEqual(['[4]: internal server error']); @@ -339,6 +351,7 @@ describe('singleBulkCreate', () => { refresh: false, tags: ['some fake tag 1', 'some fake tag 2'], throttle: 'no_actions', + buildRuleMessage, }); expect(success).toEqual(true); expect(createdItemsCount).toEqual(1); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts index e3c3c940b3225..759890cc9d074 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts @@ -12,6 +12,7 @@ import { RuleAlertAction } from '../../../../common/detection_engine/types'; import { RuleTypeParams, RefreshTypes } from '../types'; import { generateId, makeFloatString, errorAggregator } from './utils'; import { buildBulkBody } from './build_bulk_body'; +import { BuildRuleMessage } from './rule_messages'; import { Logger } from '../../../../../../../src/core/server'; interface SingleBulkCreateParams { @@ -32,6 +33,7 @@ interface SingleBulkCreateParams { tags: string[]; throttle: string; refresh: RefreshTypes; + buildRuleMessage: BuildRuleMessage; } /** @@ -85,6 +87,7 @@ export interface BulkInsertSignalsResponse { // Bulk Index documents. export const singleBulkCreate = async ({ + buildRuleMessage, filteredEvents, ruleParams, services, @@ -104,9 +107,9 @@ export const singleBulkCreate = async ({ throttle, }: SingleBulkCreateParams): Promise => { filteredEvents.hits.hits = filterDuplicateRules(id, filteredEvents); - logger.debug(`about to bulk create ${filteredEvents.hits.hits.length} events`); + logger.debug(buildRuleMessage(`about to bulk create ${filteredEvents.hits.hits.length} events`)); if (filteredEvents.hits.hits.length === 0) { - logger.debug(`all events were duplicates`); + logger.debug(buildRuleMessage(`all events were duplicates`)); return { success: true, createdItemsCount: 0, errors: [] }; } // index documents after creating an ID based on the @@ -153,21 +156,27 @@ export const singleBulkCreate = async ({ body: bulkBody, }); const end = performance.now(); - logger.debug(`individual bulk process time took: ${makeFloatString(end - start)} milliseconds`); - logger.debug(`took property says bulk took: ${response.took} milliseconds`); + logger.debug( + buildRuleMessage( + `individual bulk process time took: ${makeFloatString(end - start)} milliseconds` + ) + ); + logger.debug(buildRuleMessage(`took property says bulk took: ${response.took} milliseconds`)); const createdItemsCount = countBy(response.items, 'create.status')['201'] ?? 0; const duplicateSignalsCount = countBy(response.items, 'create.status')['409']; const errorCountByMessage = errorAggregator(response, [409]); - logger.debug(`bulk created ${createdItemsCount} signals`); + logger.debug(buildRuleMessage(`bulk created ${createdItemsCount} signals`)); if (duplicateSignalsCount > 0) { - logger.debug(`ignored ${duplicateSignalsCount} duplicate signals`); + logger.debug(buildRuleMessage(`ignored ${duplicateSignalsCount} duplicate signals`)); } if (!isEmpty(errorCountByMessage)) { logger.error( - `[-] bulkResponse had errors with responses of: ${JSON.stringify(errorCountByMessage)}` + buildRuleMessage( + `[-] bulkResponse had errors with responses of: ${JSON.stringify(errorCountByMessage)}` + ) ); return { errors: Object.keys(errorCountByMessage), diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.test.ts index da81911f07ad9..7b7c40f0c4355 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.test.ts @@ -12,7 +12,14 @@ import { import { singleSearchAfter } from './single_search_after'; import { alertsMock, AlertServicesMock } from '../../../../../alerts/server/mocks'; import { ShardError } from '../../types'; +import { buildRuleMessageFactory } from './rule_messages'; +const buildRuleMessage = buildRuleMessageFactory({ + id: 'fake id', + ruleId: 'fake rule id', + index: 'fakeindex', + name: 'fake name', +}); describe('singleSearchAfter', () => { const mockService: AlertServicesMock = alertsMock.createAlertServices(); @@ -32,6 +39,7 @@ describe('singleSearchAfter', () => { pageSize: 1, filter: undefined, timestampOverride: undefined, + buildRuleMessage, }); expect(searchResult).toEqual(sampleDocSearchResultsNoSortId()); }); @@ -47,6 +55,7 @@ describe('singleSearchAfter', () => { pageSize: 1, filter: undefined, timestampOverride: undefined, + buildRuleMessage, }); expect(searchErrors).toEqual([]); }); @@ -94,6 +103,7 @@ describe('singleSearchAfter', () => { pageSize: 1, filter: undefined, timestampOverride: undefined, + buildRuleMessage, }); expect(searchErrors).toEqual(['reason: some reason, type: some type, caused by: some reason']); }); @@ -110,6 +120,7 @@ describe('singleSearchAfter', () => { pageSize: 1, filter: undefined, timestampOverride: undefined, + buildRuleMessage, }); expect(searchResult).toEqual(sampleDocSearchResultsWithSortId()); }); @@ -129,6 +140,7 @@ describe('singleSearchAfter', () => { pageSize: 1, filter: undefined, timestampOverride: undefined, + buildRuleMessage, }) ).rejects.toThrow('Fake Error'); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts index f758adb21611c..3b89a2d79c0d0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts @@ -8,6 +8,7 @@ import { performance } from 'perf_hooks'; import { AlertServices } from '../../../../../alerts/server'; import { Logger } from '../../../../../../../src/core/server'; import { SignalSearchResponse } from './types'; +import { BuildRuleMessage } from './rule_messages'; import { buildEventsSearchQuery } from './build_events_query'; import { createErrorsFromShard, makeFloatString } from './utils'; import { TimestampOverrideOrUndefined } from '../../../../common/detection_engine/schemas/common/schemas'; @@ -23,6 +24,7 @@ interface SingleSearchAfterParams { pageSize: number; filter: unknown; timestampOverride: TimestampOverrideOrUndefined; + buildRuleMessage: BuildRuleMessage; } // utilize search_after for paging results into bulk. @@ -37,6 +39,7 @@ export const singleSearchAfter = async ({ logger, pageSize, timestampOverride, + buildRuleMessage, }: SingleSearchAfterParams): Promise<{ searchResult: SignalSearchResponse; searchDuration: string; @@ -69,7 +72,7 @@ export const singleSearchAfter = async ({ searchErrors, }; } catch (exc) { - logger.error(`[-] nextSearchAfter threw an error ${exc}`); + logger.error(buildRuleMessage(`[-] nextSearchAfter threw an error ${exc}`)); throw exc; } }; From b114812e9facaf580783bc2606b58251968b23e7 Mon Sep 17 00:00:00 2001 From: Devin Hurley Date: Mon, 28 Sep 2020 09:47:14 -0400 Subject: [PATCH 2/2] add buildRuleMessage fn to params --- .../signals/bulk_create_ml_signals.ts | 5 +- .../signals/bulk_create_threshold_signals.ts | 5 +- .../signals/signal_rule_alert_type.ts | 90 +++++++++---------- 3 files changed, 49 insertions(+), 51 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts index 244a1604a2023..5c2dfa62e5951 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts @@ -34,6 +34,7 @@ interface BulkCreateMlSignalsParams { refresh: RefreshTypes; tags: string[]; throttle: string; + buildRuleMessage: BuildRuleMessage; } interface EcsAnomaly extends Anomaly { @@ -82,10 +83,10 @@ const transformAnomalyResultsToEcs = (results: AnomalyResults): SearchResponse => { const anomalyResults = params.someResult; const ecsResults = transformAnomalyResultsToEcs(anomalyResults); + const buildRuleMessage = params.buildRuleMessage; return singleBulkCreate({ ...params, filteredEvents: ecsResults, buildRuleMessage }); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts index 580a3f9f20671..9eee04030a909 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts @@ -41,6 +41,7 @@ interface BulkCreateThresholdSignalsParams { tags: string[]; throttle: string; startedAt: Date; + buildRuleMessage: BuildRuleMessage; } interface FilterObject { @@ -185,8 +186,7 @@ export const transformThresholdResultsToEcs = ( }; export const bulkCreateThresholdSignals = async ( - params: BulkCreateThresholdSignalsParams, - buildRuleMessage: BuildRuleMessage + params: BulkCreateThresholdSignalsParams ): Promise => { const thresholdResults = params.someResult; const ecsResults = transformThresholdResultsToEcs( @@ -197,6 +197,7 @@ export const bulkCreateThresholdSignals = async ( params.ruleParams.threshold!, params.ruleParams.ruleId ); + const buildRuleMessage = params.buildRuleMessage; return singleBulkCreate({ ...params, filteredEvents: ecsResults, buildRuleMessage }); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts index 0f41af073fd04..a3b37270e50b1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts @@ -239,28 +239,26 @@ export const signalRulesAlertType = ({ errors, bulkCreateDuration, createdItemsCount, - } = await bulkCreateMlSignals( - { - actions, - throttle, - someResult: anomalyResults, - ruleParams: params, - services, - logger, - id: alertId, - signalsIndex: outputIndex, - name, - createdBy, - createdAt, - updatedBy, - updatedAt, - interval, - enabled, - refresh, - tags, - }, - buildRuleMessage - ); + } = await bulkCreateMlSignals({ + actions, + throttle, + someResult: anomalyResults, + ruleParams: params, + services, + logger, + id: alertId, + signalsIndex: outputIndex, + name, + createdBy, + createdAt, + updatedBy, + updatedAt, + interval, + enabled, + refresh, + tags, + buildRuleMessage, + }); // The legacy ES client does not define failures when it can be present on the structure, hence why I have the & { failures: [] } const shardFailures = (anomalyResults._shards as typeof anomalyResults._shards & { failures: [] }).failures ?? @@ -306,31 +304,29 @@ export const signalRulesAlertType = ({ bulkCreateDuration, createdItemsCount, errors, - } = await bulkCreateThresholdSignals( - { - actions, - throttle, - someResult: thresholdResults, - ruleParams: params, - filter: esFilter, - services, - logger, - id: alertId, - inputIndexPattern: inputIndex, - signalsIndex: outputIndex, - startedAt, - name, - createdBy, - createdAt, - updatedBy, - updatedAt, - interval, - enabled, - refresh, - tags, - }, - buildRuleMessage - ); + } = await bulkCreateThresholdSignals({ + actions, + throttle, + someResult: thresholdResults, + ruleParams: params, + filter: esFilter, + services, + logger, + id: alertId, + inputIndexPattern: inputIndex, + signalsIndex: outputIndex, + startedAt, + name, + createdBy, + createdAt, + updatedBy, + updatedAt, + interval, + enabled, + refresh, + tags, + buildRuleMessage, + }); result = mergeReturns([ result, createSearchAfterReturnTypeFromResponse({ searchResult: thresholdResults }),