[Security Solution] [Sourcerer] Adds missing alerts index filtration …

…from sourcerer that was removed during refactoring (#170484) ## Summary Fixes: elastic/security-team#7859 Thanks to @XavierM and @kqualters-elastic for spending time debugging this with me. When we added the [server-side fetching](#163448) of index patterns we missed the functionality that was filtering out the alerts index from the default sourcerer scope. Without this filtering, the logic for rendering the matched indices was not correctly refreshing when adding data the first time. The result was the alerts index would be set as a part of the filtered index patterns once a source event data index was present (`logs-*`, `auditbeat-*` etc..) and the redux store action to set the latest matched indices was not called because the `useDataView` hook would incorrectly believe the sourcerer data view no longer needed to be initialized. Steps to reproduce: 1. Start local ES and kibana 2. Navigate to Security Solution -> Overview page 3. Welcome / landing page should be visible 4. Start auditbeat (or generate any event data that would be part of the security solution default data view index patterns) 5. Navigate to Discover, wait for data to load 6. Navigate back to Security Solution -> Overview page 7. Data should be visible, Data View (sourcerer) in the header should display the correct index pattern for which data exists. Alerts index should not be included.
elastic · Nov 3, 2023 · d3c50cd · d3c50cd
1 parent 3249c1a
commit d3c50cd
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 11 deletions.
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.ts
@@ -12,6 +12,23 @@ import type { SelectedDataViewPayload } from './actions';
 import type { sourcererModel } from '../model';
 import { ensurePatternFormat, sortWithExcludesAtEnd } from '../../../../common/utils/sourcerer';
 
+const getPatternListFromScope = (
+  scope: SourcererScopeName,
+  patternList: string[],
+  signalIndexName: string | null
+) => {
+  // when our SIEM data view is set, here are the defaults
+  switch (scope) {
+    case SourcererScopeName.default:
+      return sortWithExcludesAtEnd(patternList.filter((index) => index !== signalIndexName));
+    case SourcererScopeName.detections:
+      // set to signalIndexName whether or not it exists yet in the patternList
+      return signalIndexName != null ? [signalIndexName] : [];
+    case SourcererScopeName.timeline:
+      return sortWithExcludesAtEnd(patternList);
+  }
+};
+
 export const getScopePatternListSelection = (
   theDataView: SourcererDataView | undefined,
   sourcererScope: SourcererScopeName,
@@ -24,16 +41,8 @@ export const getScopePatternListSelection = (
   if (!isDefaultDataView) {
     return sortWithExcludesAtEnd(patternList);
   }
-  // when our SIEM data view is set, here are the defaults
-  switch (sourcererScope) {
-    case SourcererScopeName.default:
-      return sortWithExcludesAtEnd(patternList.filter((index) => index !== signalIndexName));
-    case SourcererScopeName.detections:
-      // set to signalIndexName whether or not it exists yet in the patternList
-      return signalIndexName != null ? [signalIndexName] : [];
-    case SourcererScopeName.timeline:
-      return sortWithExcludesAtEnd(patternList);
-  }
+
+  return getPatternListFromScope(sourcererScope, patternList, signalIndexName);
 };
 
 export const validateSelectedPatterns = (
@@ -55,7 +64,7 @@ export const validateSelectedPatterns = (
       (pattern) => !dedupeAllDefaultPatterns.includes(pattern)
     );
   }
-  const selectedPatterns =
+  let selectedPatterns =
     // shouldValidateSelectedPatterns is false when upgrading from
     // legacy pre-8.0 timeline index patterns to data view.
     shouldValidateSelectedPatterns &&
@@ -75,6 +84,8 @@ export const validateSelectedPatterns = (
         // but removed from the security data view
         // or its a legacy pre-8.0 timeline
         dedupePatterns;
+  const signalIndexName = state.signalIndexName;
+  selectedPatterns = getPatternListFromScope(id, selectedPatterns, signalIndexName);
 
   return {
     [id]: {

diff --git a/x-pack/plugins/security_solution/public/common/store/store.ts b/x-pack/plugins/security_solution/public/common/store/store.ts
@@ -272,6 +272,10 @@ export const createStore = (
     actionsBlacklist: ['USER_MOVED_POINTER', 'USER_SET_RASTER_SIZE'],
     actionSanitizer: actionSanitizer as EnhancerOptions['actionSanitizer'],
     stateSanitizer: stateSanitizer as EnhancerOptions['stateSanitizer'],
+    // uncomment the following to enable redux action tracing
+    // https://github.com/zalmoxisus/redux-devtools-extension/commit/64717bb9b3534ff616d9db56c2be680627c7b09d#diff-182cb140f8a0fd8bc37bbdcdad07bbadb9aebeb2d1b8ed026acd6132f2c88ce8R10
+    // trace: true,
+    // traceLimit: 100,
   };
 
   const composeEnhancers = composeWithDevTools(enhancerOptions);