[Security Solution] Additional look-back time is not working correctly under preview results for advanced query preview (#137517) (#138017)

* [Security Solution] Alerts are not displayed in rule preview graph for custom rule (#137422) * Review feedback * Fix CI * Remove timeframe shifting * Review feedback Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit e36870bdfd) Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
2025-04-24 09:48:58 -04:00 · 2022-08-03 14:21:44 -04:00 · 2022-08-03 14:21:44 -04:00 · 4922f5da53
commit 4922f5da53
parent 01287cbccc
3 changed files with 15 additions and 13 deletions
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_preview_rule.ts
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_preview_rule.ts
@ -78,13 +78,15 @@ export const usePreviewRule = ({
      1000;

    const { unit: intervalUnit, value: intervalValue } = getTimeTypeValue(advancedOptions.interval);
-    const { unit: lookbackUnit, value: lookbackValue } = getTimeTypeValue(advancedOptions.lookback);
-    const duration = moment.duration(intervalValue, intervalUnit as 's' | 'm' | 'h');
-    duration.add(lookbackValue, lookbackUnit as 's' | 'm' | 'h');
+    const duration = moment.duration(intervalValue, intervalUnit);
    const ruleIntervalDuration = duration.asMilliseconds();

    invocationCount = Math.max(Math.ceil(timeframeDuration / ruleIntervalDuration), 1);
    interval = advancedOptions.interval;
+
+    const { unit: lookbackUnit, value: lookbackValue } = getTimeTypeValue(advancedOptions.lookback);
+    duration.add(lookbackValue, lookbackUnit);
+
    from = `now-${duration.asSeconds()}s`;
  }
  const showInvocationCountWarning = invocationCount > REASONABLE_INVOCATION_COUNT;
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.test.ts
@ -50,10 +50,10 @@ describe('helpers', () => {
      expect(result).toEqual({ unit: 'm', value: 0 });
    });

-    test('returns timeObj with unit set to empty string if no expected time type found', () => {
+    test('returns timeObj with unit set to default unit value of "ms" if no expected time type found', () => {
      const result = getTimeTypeValue('5l');

-      expect(result).toEqual({ unit: '', value: 5 });
+      expect(result).toEqual({ unit: 'ms', value: 5 });
    });

    test('returns timeObj with unit of s and value 5 when time is 5s ', () => {
@ -80,10 +80,10 @@ describe('helpers', () => {
      expect(result).toEqual({ unit: 'm', value: 5 });
    });

-    test('returns timeObj with value of 0 and unit of "" if random string passed in', () => {
+    test('returns timeObj with value of 0 and unit of "ms" if random string passed in', () => {
      const result = getTimeTypeValue('random');

-      expect(result).toEqual({ unit: '', value: 0 });
+      expect(result).toEqual({ unit: 'ms', value: 0 });
    });
  });

--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts
@ -50,9 +50,9 @@ import { stepActionsDefaultValue } from '../../../../components/rules/step_rule_
 import type { FieldValueThreshold } from '../../../../components/rules/threshold_input';
 import type { EqlOptionsSelected } from '../../../../../../common/search_strategy';

-export const getTimeTypeValue = (time: string): { unit: string; value: number } => {
-  const timeObj = {
-    unit: '',
+export const getTimeTypeValue = (time: string): { unit: Unit; value: number } => {
+  const timeObj: { unit: Unit; value: number } = {
+    unit: 'ms',
    value: 0,
  };
  const filterTimeVal = time.match(/\d+/g);
@ -65,7 +65,7 @@ export const getTimeTypeValue = (time: string): { unit: string; value: number }
    filterTimeType != null &&
    ['s', 'm', 'h'].includes(filterTimeType[0])
  ) {
-    timeObj.unit = filterTimeType[0];
+    timeObj.unit = filterTimeType[0] as Unit;
  }
  return timeObj;
 };
@ -461,8 +461,8 @@ export const formatScheduleStepData = (scheduleData: ScheduleStepRule): Schedule
      formatScheduleData.interval
    );
    const { unit: fromUnit, value: fromValue } = getTimeTypeValue(formatScheduleData.from);
-    const duration = moment.duration(intervalValue, intervalUnit as 's' | 'm' | 'h');
-    duration.add(fromValue, fromUnit as 's' | 'm' | 'h');
+    const duration = moment.duration(intervalValue, intervalUnit);
+    duration.add(fromValue, fromUnit);
    formatScheduleData.from = `now-${duration.asSeconds()}s`;
    formatScheduleData.to = 'now';
  }