Allows empty string for query when filters are set or ommiting them all together (#51398) (#51415)

Fixes a bug to allow an empty query string when filters are set or to omit the query on the post call if you have a set of filters defined. ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
2025-04-24 17:59:23 -04:00 · 2019-11-22 12:24:16 -07:00 · 2019-11-22 12:24:16 -07:00 · 4c14ca66ae
commit 4c14ca66ae
parent 084ded7e33
4 changed files with 189 additions and 1 deletions
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
@ -984,6 +984,82 @@ describe('schemas', () => {
        }).error
      ).toBeTruthy();
    });
+
+    test('You can have an empty query string when filters are present', () => {
+      expect(
+        createSignalsSchema.validate<
+          Partial<Omit<SignalAlertParamsRest, 'meta'> & { meta: string }>
+        >({
+          rule_id: 'rule-1',
+          output_index: '.siem-signals',
+          risk_score: 50,
+          description: 'some description',
+          from: 'now-5m',
+          to: 'now',
+          immutable: true,
+          index: ['index-1'],
+          name: 'some-name',
+          severity: 'severity',
+          interval: '5m',
+          type: 'query',
+          references: ['index-1'],
+          query: '',
+          language: 'kuery',
+          filters: [],
+          max_signals: 1,
+        }).error
+      ).toBeFalsy();
+    });
+
+    test('You can omit the query string when filters are present', () => {
+      expect(
+        createSignalsSchema.validate<
+          Partial<Omit<SignalAlertParamsRest, 'meta'> & { meta: string }>
+        >({
+          rule_id: 'rule-1',
+          output_index: '.siem-signals',
+          risk_score: 50,
+          description: 'some description',
+          from: 'now-5m',
+          to: 'now',
+          immutable: true,
+          index: ['index-1'],
+          name: 'some-name',
+          severity: 'severity',
+          interval: '5m',
+          type: 'query',
+          references: ['index-1'],
+          language: 'kuery',
+          filters: [],
+          max_signals: 1,
+        }).error
+      ).toBeFalsy();
+    });
+
+    test('query string defaults to empty string when present with filters', () => {
+      expect(
+        createSignalsSchema.validate<
+          Partial<Omit<SignalAlertParamsRest, 'meta'> & { meta: string }>
+        >({
+          rule_id: 'rule-1',
+          output_index: '.siem-signals',
+          risk_score: 50,
+          description: 'some description',
+          from: 'now-5m',
+          to: 'now',
+          immutable: true,
+          index: ['index-1'],
+          name: 'some-name',
+          severity: 'severity',
+          interval: '5m',
+          type: 'query',
+          references: ['index-1'],
+          language: 'kuery',
+          filters: [],
+          max_signals: 1,
+        }).value.query
+      ).toEqual('');
+    });
  });

  describe('update signals schema', () => {
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts
@ -72,7 +72,14 @@ export const createSignalsSchema = Joi.object({
  interval: interval.default('5m'),
  query: Joi.when('type', {
    is: 'query',
-    then: query.required(),
+    then: Joi.when('filters', {
+      is: Joi.exist(),
+      then: query
+        .optional()
+        .allow('')
+        .default(''),
+      otherwise: Joi.required(),
+    }),
    otherwise: Joi.when('type', {
      is: 'saved_query',
      then: query.optional(),
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/filter_with_empty_query.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/filter_with_empty_query.json
@ -0,0 +1,53 @@
+{
+  "rule_id": "filters-with-empty-query",
+  "risk_score": 7,
+  "description": "Detecting root and admin users",
+  "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*"],
+  "interval": "5m",
+  "name": "Detect Root/Admin Users",
+  "severity": "high",
+  "type": "query",
+  "from": "now-24h",
+  "to": "now",
+  "output_index": ".siem-signals",
+  "language": "lucene",
+  "query": "",
+  "filters": [
+    {
+      "$state": {
+        "store": "appState"
+      },
+      "meta": {
+        "alias": "custom label here",
+        "disabled": false,
+        "key": "host.name",
+        "negate": false,
+        "params": {
+          "query": "siem-windows"
+        },
+        "type": "phrase"
+      },
+      "query": {
+        "match_phrase": {
+          "host.name": "siem-windows"
+        }
+      }
+    },
+    {
+      "exists": {
+        "field": "host.hostname"
+      },
+      "meta": {
+        "type": "exists",
+        "disabled": false,
+        "negate": false,
+        "alias": "has a hostname",
+        "key": "host.hostname",
+        "value": "exists"
+      },
+      "$state": {
+        "store": "appState"
+      }
+    }
+  ]
+}
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/filter_without_query.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/filter_without_query.json
@ -0,0 +1,52 @@
+{
+  "rule_id": "filters-without-query",
+  "risk_score": 7,
+  "description": "Detecting root and admin users",
+  "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*"],
+  "interval": "5m",
+  "name": "Detect Root/Admin Users",
+  "severity": "high",
+  "type": "query",
+  "from": "now-24h",
+  "to": "now",
+  "output_index": ".siem-signals",
+  "language": "lucene",
+  "filters": [
+    {
+      "$state": {
+        "store": "appState"
+      },
+      "meta": {
+        "alias": "custom label here",
+        "disabled": false,
+        "key": "host.name",
+        "negate": false,
+        "params": {
+          "query": "siem-windows"
+        },
+        "type": "phrase"
+      },
+      "query": {
+        "match_phrase": {
+          "host.name": "siem-windows"
+        }
+      }
+    },
+    {
+      "exists": {
+        "field": "host.hostname"
+      },
+      "meta": {
+        "type": "exists",
+        "disabled": false,
+        "negate": false,
+        "alias": "has a hostname",
+        "key": "host.hostname",
+        "value": "exists"
+      },
+      "$state": {
+        "store": "appState"
+      }
+    }
+  ]
+}