From acc8465c19848d832b300c17d00d78f860738ef5 Mon Sep 17 00:00:00 2001 From: Davis Plumlee <56367316+dplumlee@users.noreply.github.com> Date: Fri, 20 Aug 2021 17:30:10 -0400 Subject: [PATCH] [Security Solution][RAC] Adds OR bool for acknowledged status filter (#109348) --- .../alerts_table/default_config.test.tsx | 65 +++++++++- .../alerts_table/default_config.tsx | 112 ++++++++++++------ 2 files changed, 142 insertions(+), 35 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx index c5a04e3a626df..1ef57a3499922 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx @@ -6,7 +6,11 @@ */ import { ExistsFilter, Filter } from '@kbn/es-query'; -import { buildAlertsRuleIdFilter, buildThreatMatchFilter } from './default_config'; +import { + buildAlertsRuleIdFilter, + buildAlertStatusFilter, + buildThreatMatchFilter, +} from './default_config'; jest.mock('./actions'); 
@@ -61,6 +65,65 @@ describe('alerts default_config', () => { }); }); + describe('buildAlertStatusFilter', () => { + test('when status is acknowledged, filter will build for both `in-progress` and `acknowledged`', () => { + const filters = buildAlertStatusFilter('acknowledged'); + const expected = { + meta: { + alias: null, + disabled: false, + key: 'signal.status', + negate: false, + params: { + query: 'acknowledged', + }, + type: 'phrase', + }, + query: { + bool: { + should: [ + { + term: { + 'signal.status': 'acknowledged', + }, + }, + { + term: { + 'signal.status': 'in-progress', + }, + }, + ], + }, + }, + }; + expect(filters).toHaveLength(1); + expect(filters[0]).toEqual(expected); + }); + + test('when status is `open` or `closed`, filter will build for solely that status', () => { + const filters = buildAlertStatusFilter('open'); + const expected = { + meta: { + alias: null, + disabled: false, + key: 'signal.status', + negate: false, + params: { + query: 'open', + }, + type: 'phrase', + }, + query: { + term: { + 'signal.status': 'open', + }, + }, + }; + expect(filters).toHaveLength(1); + expect(filters[0]).toEqual(expected); + }); + }); + // TODO: move these tests to ../timelines/components/timeline/body/events/event_column_view.tsx // describe.skip('getAlertActions', () => { // let setEventsLoading: ({ eventIds, isLoading }: SetEventsLoadingProps) => void; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index 75bd41037934b..1c58c339cb5b2 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx 
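Review bot: The second test is titled "when status is `open` or `closed`" but only calls `buildAlertStatusFilter('open')`, so the `closed` path is never exercised; a `test.each(['open', 'closed'])` over the same expectation, with the status substituted into `params.query` and the `term`, covers both without a second copy. The same patch makes the identical change to `buildAlertStatusFilterRuleRegistry` in `default_config.tsx`, which gets no test here; a parallel case keyed on `ALERT_STATUS` would catch the two implementations drifting apart. It may also be worth asserting explicitly that passing `'in-progress'` itself yields a single `term` filter, since that is the one status value the new branch treats asymmetrically.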
@@ -26,25 +26,47 @@ import { SubsetTimelineModel } from '../../../timelines/store/timeline/model'; import { timelineDefaults } from '../../../timelines/store/timeline/defaults'; import { columns } from '../../configurations/security_solution_detections/columns'; -export const buildAlertStatusFilter = (status: Status): Filter[] => [ - { - meta: { - alias: null, - negate: false, - disabled: false, - type: 'phrase', - key: 'signal.status', - params: { - query: status, - }, - }, - query: { - term: { - 'signal.status': status, +export const buildAlertStatusFilter = (status: Status): Filter[] => { + const combinedQuery = + status === 'acknowledged' + ? { + bool: { + should: [ + { + term: { + 'signal.status': status, + }, + }, + { + term: { + 'signal.status': 'in-progress', + }, + }, + ], + }, + } + : { + term: { + 'signal.status': status, + }, + }; + + return [ + { + meta: { + alias: null, + negate: false, + disabled: false, + type: 'phrase', + key: 'signal.status', + params: { + query: status, + }, }, + query: combinedQuery, }, - }, -]; + ]; +}; export const buildAlertsRuleIdFilter = (ruleId: string | null): Filter[] => ruleId 
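Review bot: The `acknowledged` branch relies on Elasticsearch's default `minimum_should_match` for a `bool` that carries only `should` clauses; that default is 1 only while the same `bool` has no `must`/`filter` sibling, so any later change that merges a clause into this object would silently make it match every status. Stating the intent explicitly, `minimum_should_match: 1,` beside the `should` array, keeps the "acknowledged OR in-progress" semantics robust. Separately, `meta` still describes the filter as a single `type: 'phrase'` on `'acknowledged'` while the query now matches two values; if these filters are surfaced as editable pills, re-saving one from the UI would presumably rebuild it as a plain phrase filter and drop `in-progress`, whereas `type: 'phrases'` with `params: ['acknowledged', 'in-progress']` would keep `meta` and `query` in agreement. A one-line comment on the ternary saying why `in-progress` is folded into `acknowledged` (it looks like the earlier name for the same state, to be confirmed) would spare the next reader a trip through the history.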
@@ -139,25 +161,47 @@ export const requiredFieldsForActions = [ ]; // TODO: Once we are past experimental phase this code should be removed -export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] => [ - { - meta: { - alias: null, - negate: false, - disabled: false, - type: 'phrase', - key: ALERT_STATUS, - params: { - query: status, - }, - }, - query: { - term: { - [ALERT_STATUS]: status, +export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] => { + const combinedQuery = + status === 'acknowledged' + ? { + bool: { + should: [ + { + term: { + [ALERT_STATUS]: status, + }, + }, + { + term: { + [ALERT_STATUS]: 'in-progress', + }, + }, + ], + }, + } + : { + term: { + [ALERT_STATUS]: status, + }, + }; + + return [ + { + meta: { + alias: null, + negate: false, + disabled: false, + type: 'phrase', + key: ALERT_STATUS, + params: { + query: status, + }, }, + query: combinedQuery, }, - }, -]; + ]; +}; export const buildShowBuildingBlockFilterRuleRegistry = ( showBuildingBlockAlerts: boolean
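Review bot: `buildAlertStatusFilterRuleRegistry` is now a line-for-line copy of `buildAlertStatusFilter` earlier in this file with `'signal.status'` swapped for `ALERT_STATUS`, including a second hard-coded `'in-progress'` literal, so the next status alias has to be added in two places and a fix to one branch can miss the other. A small module-private helper that builds the query for a given field name lets both exported functions keep their signatures while the OR logic lives once; the `TODO` above says this copy is temporary, which is one more reason not to let it diverge. The sketch below shows the helper and the reduced body; the `meta` object is unchanged from the hunk.

```typescript
// Query clause for a status value. 'acknowledged' also matches 'in-progress',
// which appears to be the earlier name for the same state (confirm before relying on it).
const buildStatusQuery = (field: string, status: Status) =>
  status === 'acknowledged'
    ? {
        bool: {
          should: [{ term: { [field]: status } }, { term: { [field]: 'in-progress' } }],
        },
      }
    : { term: { [field]: status } };

export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] => [
  {
    // … unchanged: meta block (alias/negate/disabled/type/key/params) …
    query: buildStatusQuery(ALERT_STATUS, status),
  },
];
```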