From 6589cd3cf1bbde25623f08c01cebef827d34e7ea Mon Sep 17 00:00:00 2001 From: Khristinin Nikita Date: Tue, 13 Aug 2024 12:36:54 +0200 Subject: [PATCH] Revert override alert timestamp (#189724) ## Revert override alert timestamp Previously we added override of alert timestamp for manual rule runs. Later was decided, that timestamp for manual rule run should behave the same as regular alert and represent time when alert generated. --------- Co-authored-by: Elastic Machine --- .../create_persistence_rule_type_wrapper.ts | 10 ++-------- .../server/utils/persistence_types.ts | 3 +-- .../create_security_rule_type_wrapper.ts | 6 ++---- .../factories/bulk_create_factory.ts | 6 ++---- .../tests/alerting/backfill/task_runner.ts | 18 +++++++++--------- .../machine_learning_alert_suppression.ts | 3 --- 6 files changed, 16 insertions(+), 30 deletions(-) diff --git a/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts b/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts index 58ec5ea0818d1..c3c0f5c2480cb 100644 --- a/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts +++ b/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts @@ -249,13 +249,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper ...options, services: { ...options.services, - alertWithPersistence: async ( - alerts, - refresh, - maxAlerts = undefined, - enrichAlerts, - currentTimeOverride - ) => { + alertWithPersistence: async (alerts, refresh, maxAlerts = undefined, enrichAlerts) => { const numAlerts = alerts.length; logger.debug(`Found ${numAlerts} alerts.`); @@ -307,7 +301,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper alerts: enrichedAlerts, options, kibanaVersion: ruleDataClient.kibanaVersion, - currentTimeOverride, + currentTimeOverride: undefined, }); const response = await ruleDataClientWriter.bulk({ 
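Review bot: The `currentTimeOverride: undefined` added in the second hunk keeps the override option alive in the alert-building helper even though this wrapper no longer has any value to hand it, so the override branch inside that helper (defined outside the hunk) becomes unreachable from here and cannot be confirmed as still exercised by anything. If no other producer of a timestamp override remains, the option should be removed from the helper's signature rather than pinned to `undefined`; if it is kept on purpose, a one-line comment should say so, e.g. `// never overridden here: persisted alerts always carry their real generation time`. From an audit standpoint the revert itself is sound — a backfill can no longer stamp an alert's `@timestamp` with a scheduled past `run_at`, so the field stays a trustworthy record of when the detection actually fired. The `alertWithPersistence` body in the first hunk continues past the hunk boundary.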
diff --git a/x-pack/plugins/rule_registry/server/utils/persistence_types.ts b/x-pack/plugins/rule_registry/server/utils/persistence_types.ts
index 1ff6a6e62d743..328e5185a2b80 100644
--- a/x-pack/plugins/rule_registry/server/utils/persistence_types.ts
+++ b/x-pack/plugins/rule_registry/server/utils/persistence_types.ts
@@ -38,8 +38,7 @@ export type PersistenceAlertService = (
 _id: string;
 _source: T;
 }>
- >,
- currentTimeOverride?: Date
+ >
 ) => Promise>;
 export type SuppressedAlertService = (
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
index e45f2babe94f7..d0d4e32637d90 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
@@ -132,7 +132,6 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
 params,
 previousStartedAt,
 startedAt,
- startedAtOverridden,
 services,
 spaceId,
 state,
@@ -366,13 +365,12 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
 lists: params.exceptionsList,
 });
- const alertTimestampOverride = isPreview || startedAtOverridden ? startedAt : undefined;
+ const alertTimestampOverride = isPreview ? startedAt : undefined;
 const bulkCreate = bulkCreateFactory(
 alertWithPersistence,
 refresh,
 ruleExecutionLogger,
- experimentalFeatures,
- alertTimestampOverride
+ experimentalFeatures
 );
 const legacySignalFields: string[] = Object.keys(aadFieldConversion);
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.ts
index add98067223aa..822d0314375d4 100644
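Review bot: In the `@@ -366` hunk, `alertTimestampOverride` is still computed from `isPreview` but is no longer passed to `bulkCreateFactory`, so alerts persisted through `bulkCreate` will carry their real generation time even in a preview run; presumably the variable is still consumed by the hit-wrapping helpers further down the executor (not visible here), otherwise it is now a dead local and the `isPreview` ternary should be removed with it. The surviving line should record the decision this revert encodes so the next reader does not re-add a backfill override, e.g. `// Only rule previews pin alert timestamps to startedAt; manual (backfill) runs keep the real generation time, see #189724`. Consumers that used `@timestamp` or `kibana.alert.start` to place backfilled alerts inside the detection window now need `kibana.alert.original_time` for that, which is worth calling out in the PR description since it changes what an analyst sees on a timeline. The enclosing executor function starts and ends outside this hunk.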
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.ts
@@ -35,8 +35,7 @@ export const bulkCreateFactory =
 alertWithPersistence: PersistenceAlertService,
 refreshForBulkCreate: RefreshTypes,
 ruleExecutionLogger: IRuleExecutionLogForExecutors,
- experimentalFeatures?: ExperimentalFeatures,
- currentTimeOverride?: Date
+ experimentalFeatures?: ExperimentalFeatures
 ) =>
 async (
 wrappedDocs: Array>,
@@ -87,8 +86,7 @@ export const bulkCreateFactory =
 })),
 refreshForBulkCreate,
 maxAlerts,
- enrichAlertsWrapper,
- currentTimeOverride
+ enrichAlertsWrapper
 );
 const end = performance.now();
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/task_runner.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/task_runner.ts
index f513866cd5ee5..354678cee71d4 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/task_runner.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/task_runner.ts
@@ -309,9 +309,9 @@ export default function createBackfillTaskRunnerTests({ getService }: FtrProvide
 // check timestamps in alert docs
 for (const alert of alertDocsBackfill1) {
 const source = alert._source!;
- expect(source[ALERT_START]).to.eql(scheduleResult[0].schedule[0].run_at);
- expect(source[ALERT_LAST_DETECTED]).to.eql(scheduleResult[0].schedule[0].run_at);
- expect(source[TIMESTAMP]).to.eql(scheduleResult[0].schedule[0].run_at);
+ expect(source[ALERT_START]).to.match(timestampPattern);
+ expect(source[ALERT_LAST_DETECTED]).to.match(timestampPattern);
+ expect(source[TIMESTAMP]).not.to.eql(scheduleResult[0].schedule[0].run_at);
 expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).to.match(timestampPattern);
 expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).not.to.eql(
 scheduleResult[0].schedule[0].run_at
@@ -331,9 +331,9 @@ export default function createBackfillTaskRunnerTests({ getService }: FtrProvide
 // check timestamps in alert docs
 for (const alert of alertDocsBackfill2) {
 const source = alert._source!;
- expect(source[ALERT_START]).to.eql(scheduleResult[0].schedule[1].run_at);
- expect(source[ALERT_LAST_DETECTED]).to.eql(scheduleResult[0].schedule[1].run_at);
- expect(source[TIMESTAMP]).to.eql(scheduleResult[0].schedule[1].run_at);
+ expect(source[ALERT_START]).to.match(timestampPattern);
+ expect(source[ALERT_LAST_DETECTED]).to.match(timestampPattern);
+ expect(source[TIMESTAMP]).not.to.eql(scheduleResult[0].schedule[1].run_at);
 expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).to.match(timestampPattern);
 expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).not.to.eql(
 scheduleResult[0].schedule[1].run_at
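Review bot: The replacement assertions in both hunks are much weaker than the ones they drop: `to.match(timestampPattern)` only checks the string shape, and `not.to.eql(run_at)` passes for any value whatsoever, including a timestamp copied from the wrong schedule entry or left over from an earlier run. Because a backfill is scheduled for a window that has already elapsed, the property the revert actually wants — the alert carries its generation time, not the scheduled `run_at` — can be pinned with an ordering check, e.g. `expect(new Date(source[TIMESTAMP]).getTime()).to.be.greaterThan(new Date(scheduleResult[0].schedule[0].run_at).getTime());` and the same for `ALERT_START` and `ALERT_LAST_DETECTED`, provided the expect flavour in use exposes `greaterThan`/`above`. For a freshly created alert `ALERT_START` and `ALERT_LAST_DETECTED` are presumably set together, so asserting they are equal would also recover some of the lost precision. The surrounding `it(...)` block starts before and continues after these hunks.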
@@ -351,9 +351,9 @@ export default function createBackfillTaskRunnerTests({ getService }: FtrProvide
 // check timestamps in alert docs
 for (const alert of alertDocsBackfill3) {
 const source = alert._source!;
- expect(source[ALERT_START]).to.eql(scheduleResult[0].schedule[2].run_at);
- expect(source[ALERT_LAST_DETECTED]).to.eql(scheduleResult[0].schedule[2].run_at);
- expect(source[TIMESTAMP]).to.eql(scheduleResult[0].schedule[2].run_at);
+ expect(source[ALERT_START]).to.match(timestampPattern);
+ expect(source[ALERT_LAST_DETECTED]).to.match(timestampPattern);
+ expect(source[TIMESTAMP]).not.to.eql(scheduleResult[0].schedule[2].run_at);
 expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).to.match(timestampPattern);
 expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).not.to.eql(
 scheduleResult[0].schedule[2].run_at
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts
index 7f0327c3a644e..39a7138451f34 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts
@@ -617,7 +617,6 @@ export default ({ getService }: FtrProviderContext) => {
 expect.objectContaining({
 'user.name': ['irrelevant'],
 [TIMESTAMP]: timestamp,
- [ALERT_START]: timestamp,
 })
 );
@@ -635,7 +634,6 @@ export default ({ getService }: FtrProviderContext) => {
 expect.objectContaining({
 'user.name': ['irrelevant'],
 [TIMESTAMP]: timestamp,
- [ALERT_START]: timestamp,
 })
 );
 expect(previewAlerts[1]._source).toEqual(
@@ -657,7 +655,6 @@ export default ({ getService }: FtrProviderContext) => {
 },
 ],
 [TIMESTAMP]: timestamp,
- [ALERT_START]: timestamp,
 [ALERT_ORIGINAL_TIME]: timestamp,
 [ALERT_SUPPRESSION_START]: timestamp,
 [ALERT_SUPPRESSION_END]: timestamp,