From 568ea87d8a182f73a79811dc3f5771416f343a0e Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 21 Nov 2024 22:59:12 +0100 Subject: [PATCH] map properly EQL options to eql_query in upgrade perform API endpoint --- .../diffable_rule_fields_mappings.ts | 44 ++++++++++++------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts index 8a796b5db1e28..e828f5f34e9dc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { get } from 'lodash'; +import { get, has } from 'lodash'; import type { RuleSchedule, DataSourceIndexPatterns, @@ -48,9 +48,13 @@ export const mapDiffableRuleFieldValueToRuleSchemaFormat = ( return transformedValue.value; } + if (!has(diffableField, diffableRuleSubfieldName)) { + return diffableField; + } + // From the ThreeWayDiff, get the specific field that maps to the diffable rule field // Otherwise, the diffableField itself already matches the rule field, so retrieve that value. - const mappedField = get(diffableField, diffableRuleSubfieldName, diffableField); + const mappedField = get(diffableField, diffableRuleSubfieldName); return mappedField; }; 
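Review bot: The new `has` guard only changes the outcome when the subfield key is present with an `undefined` value; when the key is simply absent from an object-valued `diffableField` (an `eql_query` without an optional `tiebreaker_field`, say), `has` is false and the whole object is still returned as the rule field's value, exactly as the old `get(..., diffableField)` default did. If callers can pass diffable objects that omit optional keys, the decision would have to come from whether the rule field maps onto a sub-object at all rather than from key presence; otherwise state the assumption above the guard, e.g. `// Assumes object-valued diffable fields carry every subfield key, possibly set to undefined`. The diffstat lists only this file, so a unit test pinning the absent-key and undefined-key cases for the EQL options would make the intended behaviour checkable. `mapDiffableRuleFieldValueToRuleSchemaFormat` starts before this hunk.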
@@ -81,9 +85,27 @@ export function mapRuleFieldToDiffableRuleField({ ruleType, fieldName, }: MapRuleFieldToDiffableRuleFieldParams): keyof AllFieldsDiff { + // Handle query, filters and language fields based on rule type + if (fieldName === 'query' || fieldName === 'language' || fieldName === 'filters') { + switch (ruleType) { + case 'query': + case 'saved_query': + return 'kql_query' as const; + case 'eql': + return 'eql_query'; + case 'esql': + return 'esql_query'; + default: + return 'kql_query'; + } + } + const diffableRuleFieldMap: Record = { building_block_type: 'building_block', saved_id: 'kql_query', + event_category_override: 'eql_query', + tiebreaker_field: 'eql_query', + timestamp_field: 'eql_query', threat_query: 'threat_query', threat_language: 'threat_query', threat_filters: 'threat_query', @@ -99,21 +121,6 @@ export function mapRuleFieldToDiffableRuleField({ timestamp_override_fallback_disabled: 'timestamp_override', }; - // Handle query, filters and language fields based on rule type - if (fieldName === 'query' || fieldName === 'language' || fieldName === 'filters') { - switch (ruleType) { - case 'query': - case 'saved_query': - return 'kql_query' as const; - case 'eql': - return 'eql_query'; - case 'esql': - return 'esql_query'; - default: - return 'kql_query'; - } - } - return diffableRuleFieldMap[fieldName] || fieldName; } @@ -138,6 +145,9 @@ export function mapRuleFieldToDiffableRuleSubfield(fieldName: string): string { index: 'index_patterns', data_view_id: 'data_view_id', saved_id: 'saved_query_id', + event_category_override: 'event_category_override', + tiebreaker_field: 'tiebreaker_field', + timestamp_field: 'timestamp_field', building_block_type: 'type', rule_name_override: 'field_name', timestamp_override: 'field_name',
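Review bot: The three `eql_query` entries join a `diffableRuleFieldMap` literal that is rebuilt on every call of `mapRuleFieldToDiffableRuleField`; nothing in it depends on the arguments, so it can be hoisted to a module-level `const` beside the function. Within the moved switch, `return 'kql_query' as const;` sits next to bare `return 'eql_query';` — the assertion is redundant under the declared `keyof AllFieldsDiff` return type and can be dropped for consistency. The `default: return 'kql_query'` branch also catches rule types that may carry no query field at all; a one-line comment naming which rule types are expected to reach it would help the next reader. The function body continues past the hunk.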
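Review bot: The three new identity entries (`event_category_override`, `tiebreaker_field`, `timestamp_field`) in `mapRuleFieldToDiffableRuleSubfield` map each name to itself; if this function falls back to `fieldName` for unmapped keys the way `mapRuleFieldToDiffableRuleField` does with `|| fieldName`, they are redundant, and if it does not, the reason they are needed is not visible here. Either drop them or add a comment above them such as `// EQL options keep their own names under eql_query; listed explicitly so every eql_query subfield is mapped`. The end of the function, including any fallback, is outside this hunk.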