Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Detections] Enable writing rule execution events to Event Log by default #115394

Merged
merged 3 commits into from
Oct 19, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -8,19 +8,23 @@
import { getBuildingBlockRule } from '../../objects/rule';
import { OVERVIEW_ALERTS_HISTOGRAM } from '../../screens/overview';
import { OVERVIEW } from '../../screens/security_header';
import { waitForAlertsIndexToBeCreated, waitForAlertsPanelToBeLoaded } from '../../tasks/alerts';
import { goToRuleDetails } from '../../tasks/alerts_detection_rules';
import { createCustomRuleActivated } from '../../tasks/api_calls/rules';
import { cleanKibana } from '../../tasks/common';
import { waitForAlertsToPopulate, waitForTheRuleToBeExecuted } from '../../tasks/create_new_rule';
import { loginAndWaitForPage } from '../../tasks/login';
import { loginAndWaitForPage, loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
import { navigateFromHeaderTo } from '../../tasks/security_header';
import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';
import { ALERTS_URL, DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';

const EXPECTED_NUMBER_OF_ALERTS = 16;

describe('Alerts generated by building block rules', () => {
beforeEach(() => {
cleanKibana();
loginAndWaitForPageWithoutDateRange(ALERTS_URL);
waitForAlertsPanelToBeLoaded();
waitForAlertsIndexToBeCreated();
});

it('Alerts should be visible on the Rule Detail page and not visible on the Overview page', () => {
Expand Down
2 changes: 1 addition & 1 deletion x-pack/plugins/security_solution/server/config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ export const configSchema = schema.object({
schema.literal(UnderlyingLogClient.eventLog),
schema.literal(UnderlyingLogClient.savedObjects),
],
{ defaultValue: UnderlyingLogClient.savedObjects }
{ defaultValue: UnderlyingLogClient.eventLog }
),
}),

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
* 2.0.
*/

export const RULE_EXECUTION_LOG_PROVIDER = 'rule-execution.security';
export const RULE_EXECUTION_LOG_PROVIDER = 'securitySolution.ruleExecution';

export const ALERT_SAVED_OBJECT_TYPE = 'alert';

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ import { IRuleStatusSOAttributes } from '../../rules/types';

export interface RuleStatusSavedObjectsClient {
find: (
options?: Omit<SavedObjectsFindOptions, 'type'>
options: Omit<SavedObjectsFindOptions, 'type'> & { ruleId: string }
) => Promise<Array<SavedObjectsFindResult<IRuleStatusSOAttributes>>>;
findBulk: (ids: string[], statusesPerId: number) => Promise<FindBulkResponse>;
create: (
Expand All @@ -47,9 +47,14 @@ export const ruleStatusSavedObjectsClientFactory = (
savedObjectsClient: SavedObjectsClientContract
): RuleStatusSavedObjectsClient => ({
find: async (options) => {
const references = {
id: options.ruleId,
type: 'alert',
};
const result = await savedObjectsClient.find<IRuleStatusSOAttributes>({
...options,
type: legacyRuleStatusSavedObjectType,
hasReference: references,
});
return result.saved_objects;
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,7 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient {
perPage: logsCount,
sortField: 'statusDate',
sortOrder: 'desc',
search: ruleId,
searchFields: ['references.id'],
ruleId,
});
}

Expand Down