[RAM] Add support for aggregating over any params to RulesClient #159602

Open
banderror opened this issue Jun 13, 2023 · 4 comments
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Rule Management Security Solution Detection Rule Management area response-ops-mx-backlog ResponseOps MX backlog Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. technical debt Improvement of the software architecture and operational architecture

Comments

banderror commented Jun 13, 2023

Summary

The RulesClient.aggregate() method should allow solutions to aggregate over any fields inside the params object.

This is needed for various functionality in Security Solution, such as:

Details

Currently, this support is "added" by adding alert.attributes.params.* to ALLOW_FIELDS, but it doesn't work:

The support for the * pattern should be added to the validateFields function:

const validateFields = (container: AggregationsAggregationContainer) => {
  Object.entries(container).forEach(([aggType, aggContainer]) => {
    // Found field, check field against blocklist.
    // Note: this is an exact-match lookup, so a wildcard entry such as
    // alert.attributes.params.* never matches a concrete field name.
    if (AGG_TYPES_TO_VERIFY.includes(aggType) && !ALLOW_FIELDS.includes(aggContainer)) {
      throw Boom.badRequest(`Invalid aggregation term: ${aggContainer}`);
    }
    // Did not find anything, keep recursing if possible
    if (typeof aggContainer === 'object' && aggContainer !== null && !Array.isArray(aggContainer)) {
      validateFields(aggContainer);
    }
  });
};
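The following is an added example, not Kibana's code and not from the issue author: a wildcard-aware version of the validateFields allowlist check quoted above. ALLOW_FIELDS is an allowlist that keeps aggregations off saved-object attributes that were never meant to be queried through RulesClient.aggregate(), so a "prefix.*" entry must stay anchored to that prefix rather than widening the list. The allowlist entries, the AGG_TYPES_TO_VERIFY contents, the helper names and the sample aggregation are all hypothetical and constructed for this example. Unlike the snippet in the issue, it also descends into array-valued entries and reports a non-string value under a verified key instead of recursing into it.

```typescript
// Added example (not Kibana's code): wildcard-aware allowlist check for
// aggregation field references. All names and lists below are hypothetical.

type AggregationContainer = Record<string, unknown>;

// Hypothetical allowlist. Plain entries must match exactly; an entry ending
// in ".*" allows any field nested under that prefix.
const ALLOW_FIELDS: readonly string[] = [
  'alert.attributes.executionStatus.status',
  'alert.attributes.tags',
  'alert.attributes.enabled',
  'alert.attributes.params.*',
];

// Hypothetical: keys inside an aggregation whose value names a saved-object field.
const AGG_TYPES_TO_VERIFY: readonly string[] = ['field'];

// Match one concrete field name against one allowlist entry. The wildcard keeps
// its dot separator, so "alert.attributes.params.*" admits
// "alert.attributes.params.immutable" but neither the bare prefix
// "alert.attributes.params" nor a sibling such as "alert.attributes.paramsBackup.x".
function matchesAllowedField(field: string, allowed: string): boolean {
  if (allowed.slice(-2) !== '.*') {
    return field === allowed;
  }
  const prefix = allowed.slice(0, -1); // e.g. "alert.attributes.params."
  // Refuse degenerate entries such as ".*" that would allow everything.
  return prefix.length > 1 && field.length > prefix.length && field.slice(0, prefix.length) === prefix;
}

function isAllowedField(field: string, allowFields: readonly string[] = ALLOW_FIELDS): boolean {
  return allowFields.some((allowed) => matchesAllowedField(field, allowed));
}

function isPlainObject(value: unknown): value is AggregationContainer {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Walk the aggregation and return the first field reference that is not on the
// allowlist, or null when every reference is allowed. Array-valued entries
// (for example the sources of a composite aggregation) are walked as well, and
// a non-string value under a verified key is reported rather than recursed into.
function findDisallowedField(
  container: AggregationContainer,
  allowFields: readonly string[] = ALLOW_FIELDS
): string | null {
  for (const key of Object.keys(container)) {
    const value = container[key];
    if (AGG_TYPES_TO_VERIFY.indexOf(key) !== -1) {
      if (typeof value !== 'string' || !isAllowedField(value, allowFields)) {
        return typeof value === 'string' ? value : JSON.stringify(value);
      }
      continue;
    }
    const children: unknown[] = Array.isArray(value) ? value : [value];
    for (const child of children) {
      if (isPlainObject(child)) {
        const offending = findDisallowedField(child, allowFields);
        if (offending !== null) {
          return offending;
        }
      }
    }
  }
  return null;
}

// Throwing wrapper with the same contract as the original validateFields.
function validateFields(container: AggregationContainer, allowFields: readonly string[] = ALLOW_FIELDS): void {
  const offending = findDisallowedField(container, allowFields);
  if (offending !== null) {
    throw new Error(`Invalid aggregation term: ${offending}`);
  }
}

// Constructed sample: the kind of request a solution would pass to RulesClient.aggregate().
const SAMPLE_AGGS: AggregationContainer = {
  by_param: { terms: { field: 'alert.attributes.params.immutable' } },
  by_status: { terms: { field: 'alert.attributes.executionStatus.status' } },
};

validateFields(SAMPLE_AGGS); // passes: both field references are on the allowlist
```

The separator check is the part worth keeping whichever matcher is used: a plain startsWith on "alert.attributes.params" would also admit any attribute whose name merely begins with that string.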

@banderror banderror added technical debt Improvement of the software architecture and operational architecture Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Management Security Solution Detection Rule Management area Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Team:Detection Rule Management Security Detection Rule Management Team labels Jun 13, 2023
@elasticmachine: Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine: Pinging @elastic/response-ops (Team:ResponseOps)

@elasticmachine: Pinging @elastic/security-solution (Team: SecuritySolution)

XavierM commented Jun 14, 2023

We talked about it and we will change the logic to allow alert.attributes.params.* for 8.10

@XavierM XavierM moved this from Todo to Up for grabs in AppEx: ResponseOps - Rules & Alerts Management Jul 12, 2023
@Zacqary Zacqary moved this from Up for grabs to Awaiting Triage in AppEx: ResponseOps - Rules & Alerts Management Feb 6, 2024
@XavierM XavierM moved this from Awaiting Triage to Needs Discussion in AppEx: ResponseOps - Rules & Alerts Management Feb 7, 2024
@cnasikas cnasikas added the response-ops-mx-backlog ResponseOps MX backlog label Oct 29, 2024
Projects
No open projects
Status: Needs Discussion
Development

No branches or pull requests

4 participants