Skip to content

Commit

Permalink
[Security Solution][Detections] Fix a bug in siem-detection-engine-ru…
Browse files Browse the repository at this point in the history
…le-status Saved Object migration to SO references (elastic#115355) (elastic#115486)

**Ticket:** elastic#107068
**Follow-up after:** elastic#114585

## Summary

The existing migration function `legacyMigrateRuleAlertIdSOReferences` that migrates `alertId` fields to SO references array did not include all the other attributes of a `siem-detection-engine-rule-status` doc being migrated to the resulting doc.

This PR includes a fix and an integration test for that.

## Run the test

To run the test, in one terminal execute:

```
cd ${KIBANA_HOME} && node scripts/functional_tests_server --config x-pack/test/detection_engine_api_integration/security_and_spaces/config.ts
```

In another terminal execute:

```
cd ${KIBANA_HOME} && node scripts/functional_test_runner --config x-pack/test/detection_engine_api_integration/security_and_spaces/config.ts --include=x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts
```

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Georgii Gorbachev <[email protected]>
  • Loading branch information
kibanamachine and banderror authored Oct 19, 2021
1 parent 51e773f commit 361ba92
Show file tree
Hide file tree
Showing 2 changed files with 52 additions and 36 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,34 +18,19 @@ import { IRuleSavedAttributesSavedObjectAttributes } from '../types';
import { legacyGetRuleReference } from './legacy_utils';

export const truncateMessageFields: SavedObjectMigrationFn<Record<string, unknown>> = (doc) => {
const { lastFailureMessage, lastSuccessMessage, ...restAttributes } = doc.attributes;
const { lastFailureMessage, lastSuccessMessage, ...otherAttributes } = doc.attributes;

return {
...doc,
attributes: {
...otherAttributes,
lastFailureMessage: truncateMessage(lastFailureMessage),
lastSuccessMessage: truncateMessage(lastSuccessMessage),
...restAttributes,
},
references: doc.references ?? [],
};
};

/**
* This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and
* additional fields on the Alerting Framework Rule SO.
*
* @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x)
*/
export const legacyRuleStatusSavedObjectMigration = {
'7.15.2': truncateMessageFields,
'7.16.0': (
doc: SavedObjectUnsanitizedDoc<IRuleSavedAttributesSavedObjectAttributes>
): SavedObjectSanitizedDoc<IRuleSavedAttributesSavedObjectAttributes> => {
return legacyMigrateRuleAlertIdSOReferences(doc);
},
};

/**
* This migrates alertId within legacy `siem-detection-engine-rule-status` to saved object references on an upgrade.
* We only migrate alertId if we find these conditions:
Expand All @@ -62,29 +47,24 @@ export const legacyRuleStatusSavedObjectMigration = {
export const legacyMigrateRuleAlertIdSOReferences = (
doc: SavedObjectUnsanitizedDoc<IRuleSavedAttributesSavedObjectAttributes>
): SavedObjectSanitizedDoc<IRuleSavedAttributesSavedObjectAttributes> => {
const { references } = doc;

// Isolate alertId from the doc
const { alertId, ...attributesWithoutAlertId } = doc.attributes;
const existingReferences = references ?? [];
const { alertId, ...otherAttributes } = doc.attributes;
const existingReferences = doc.references ?? [];

// early return if alertId is not a string as expected
if (!isString(alertId)) {
// early return if alertId is not a string as expected
return { ...doc, references: existingReferences };
} else {
const alertReferences = legacyMigrateAlertId({
alertId,
existingReferences,
});

return {
...doc,
attributes: {
...attributesWithoutAlertId.attributes,
},
references: [...existingReferences, ...alertReferences],
};
}

const alertReferences = legacyMigrateAlertId({
alertId,
existingReferences,
});

return {
...doc,
attributes: otherAttributes,
references: [...existingReferences, ...alertReferences],
};
};

/**
Expand Down Expand Up @@ -113,3 +93,14 @@ export const legacyMigrateAlertId = ({
return [legacyGetRuleReference(alertId)];
}
};

/**
* This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and
* additional fields on the Alerting Framework Rule SO.
*
* @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x)
*/
export const legacyRuleStatusSavedObjectMigration = {
'7.15.2': truncateMessageFields,
'7.16.0': legacyMigrateRuleAlertIdSOReferences,
};
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
*/

import expect from '@kbn/expect';
import { IRuleStatusSOAttributes } from '../../../../plugins/security_solution/server/lib/detection_engine/rules/types';
import { FtrProviderContext } from '../../common/ftr_provider_context';

// eslint-disable-next-line import/no-default-export
Expand Down Expand Up @@ -113,6 +114,30 @@ export default ({ getService }: FtrProviderContext): void => {
undefined
);
});

it('migrates legacy siem-detection-engine-rule-status and retains other attributes as the same attributes as before', async () => {
const response = await es.get<{
'siem-detection-engine-rule-status': IRuleStatusSOAttributes;
}>({
index: '.kibana',
id: 'siem-detection-engine-rule-status:d62d2980-27c4-11ec-92b0-f7b47106bb35',
});
expect(response.statusCode).to.eql(200);

expect(response.body._source?.['siem-detection-engine-rule-status']).to.eql({
statusDate: '2021-10-11T20:51:26.622Z',
status: 'succeeded',
lastFailureAt: '2021-10-11T18:10:08.982Z',
lastSuccessAt: '2021-10-11T20:51:26.622Z',
lastFailureMessage:
'4 days (323690920ms) were not queried between this rule execution and the last execution, so signals may have been missed. Consider increasing your look behind time or adding more Kibana instances. name: "Threshy" id: "fb1046a0-0452-11ec-9b15-d13d79d162f3" rule id: "b789c80f-f6d8-41f1-8b4f-b4a23342cde2" signals index: ".siem-signals-spong-default"',
lastSuccessMessage: 'succeeded',
gap: '4 days',
bulkCreateTimeDurations: ['34.49'],
searchAfterTimeDurations: ['62.58'],
lastLookBackDate: null,
});
});
});
});
};

0 comments on commit 361ba92

Please sign in to comment.