[Security Solution][RAC] Adds OR bool for acknowledged status filter (#…

…109348)
elastic · Aug 20, 2021 · acc8465 · acc8465
1 parent 0ebe3c6
commit acc8465
Show file tree

Hide file tree

Showing 2 changed files with 142 additions and 35 deletions.
diff --git a/...ugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/...ugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
@@ -6,7 +6,11 @@
  */
 
 import { ExistsFilter, Filter } from '@kbn/es-query';
-import { buildAlertsRuleIdFilter, buildThreatMatchFilter } from './default_config';
+import {
+  buildAlertsRuleIdFilter,
+  buildAlertStatusFilter,
+  buildThreatMatchFilter,
+} from './default_config';
 
 jest.mock('./actions');
 
@@ -61,6 +65,65 @@ describe('alerts default_config', () => {
     });
   });
 
+  describe('buildAlertStatusFilter', () => {
+    test('when status is acknowledged, filter will build for both `in-progress` and `acknowledged`', () => {
+      const filters = buildAlertStatusFilter('acknowledged');
+      const expected = {
+        meta: {
+          alias: null,
+          disabled: false,
+          key: 'signal.status',
+          negate: false,
+          params: {
+            query: 'acknowledged',
+          },
+          type: 'phrase',
+        },
+        query: {
+          bool: {
+            should: [
+              {
+                term: {
+                  'signal.status': 'acknowledged',
+                },
+              },
+              {
+                term: {
+                  'signal.status': 'in-progress',
+                },
+              },
+            ],
+          },
+        },
+      };
+      expect(filters).toHaveLength(1);
+      expect(filters[0]).toEqual(expected);
+    });
+
+    test('when status is `open` or `closed`, filter will build for solely that status', () => {
+      const filters = buildAlertStatusFilter('open');
+      const expected = {
+        meta: {
+          alias: null,
+          disabled: false,
+          key: 'signal.status',
+          negate: false,
+          params: {
+            query: 'open',
+          },
+          type: 'phrase',
+        },
+        query: {
+          term: {
+            'signal.status': 'open',
+          },
+        },
+      };
+      expect(filters).toHaveLength(1);
+      expect(filters[0]).toEqual(expected);
+    });
+  });
+
   // TODO: move these tests to ../timelines/components/timeline/body/events/event_column_view.tsx
   // describe.skip('getAlertActions', () => {
   //   let setEventsLoading: ({ eventIds, isLoading }: SetEventsLoadingProps) => void;

diff --git a/...ck/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/...ck/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -26,25 +26,47 @@ import { SubsetTimelineModel } from '../../../timelines/store/timeline/model';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
 import { columns } from '../../configurations/security_solution_detections/columns';
 
-export const buildAlertStatusFilter = (status: Status): Filter[] => [
-  {
-    meta: {
-      alias: null,
-      negate: false,
-      disabled: false,
-      type: 'phrase',
-      key: 'signal.status',
-      params: {
-        query: status,
-      },
-    },
-    query: {
-      term: {
-        'signal.status': status,
+export const buildAlertStatusFilter = (status: Status): Filter[] => {
+  const combinedQuery =
+    status === 'acknowledged'
+      ? {
+          bool: {
+            should: [
+              {
+                term: {
+                  'signal.status': status,
+                },
+              },
+              {
+                term: {
+                  'signal.status': 'in-progress',
+                },
+              },
+            ],
+          },
+        }
+      : {
+          term: {
+            'signal.status': status,
+          },
+        };
+
+  return [
+    {
+      meta: {
+        alias: null,
+        negate: false,
+        disabled: false,
+        type: 'phrase',
+        key: 'signal.status',
+        params: {
+          query: status,
+        },
       },
+      query: combinedQuery,
     },
-  },
-];
+  ];
+};
 
 export const buildAlertsRuleIdFilter = (ruleId: string | null): Filter[] =>
   ruleId
@@ -139,25 +161,47 @@ export const requiredFieldsForActions = [
 ];
 
 // TODO: Once we are past experimental phase this code should be removed
-export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] => [
-  {
-    meta: {
-      alias: null,
-      negate: false,
-      disabled: false,
-      type: 'phrase',
-      key: ALERT_STATUS,
-      params: {
-        query: status,
-      },
-    },
-    query: {
-      term: {
-        [ALERT_STATUS]: status,
+export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] => {
+  const combinedQuery =
+    status === 'acknowledged'
+      ? {
+          bool: {
+            should: [
+              {
+                term: {
+                  [ALERT_STATUS]: status,
+                },
+              },
+              {
+                term: {
+                  [ALERT_STATUS]: 'in-progress',
+                },
+              },
+            ],
+          },
+        }
+      : {
+          term: {
+            [ALERT_STATUS]: status,
+          },
+        };
+
+  return [
+    {
+      meta: {
+        alias: null,
+        negate: false,
+        disabled: false,
+        type: 'phrase',
+        key: ALERT_STATUS,
+        params: {
+          query: status,
+        },
       },
+      query: combinedQuery,
     },
-  },
-];
+  ];
+};
 
 export const buildShowBuildingBlockFilterRuleRegistry = (
   showBuildingBlockAlerts: boolean