[Security Solution][Alerts] Pass filters from threshold alerts to timeline (#129405) (#129520)

* No need to deserialize filters anymore * Fix bug with missing meta field in filters (cherry picked from commit ec06440a2f) Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
2025-04-23 17:28:26 -04:00 · 2022-04-05 16:52:10 -04:00 · 2022-04-05 16:52:10 -04:00 · 6f9838da9a
commit 6f9838da9a
parent 20fee3a81f
3 changed files with 52 additions and 14 deletions
--- a/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts_aad.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts_aad.ts
@ -48,7 +48,20 @@ export const mockAADEcsDataWithAlert: Ecs = {
        enabled: [true],
        false_positives: ['test-1'],
        parameters: {
-          filters: [],
+          filters: [
+            {
+              meta: {
+                key: 'host.name',
+                negate: false,
+                params: '"{"query":"placeholder"}"',
+                type: 'phrase',
+              },
+              query: { match_phrase: { 'host.name': 'placeholder' } },
+            },
+            {
+              query: { match_all: {} },
+            },
+          ],
          language: ['kuery'],
          query: ['user.id:1'],
        },
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
@ -547,7 +547,7 @@ describe('alert actions', () => {
        });
      });

-      test('Exceptions are included', async () => {
+      test('Exceptions and filters are included', async () => {
        mockGetExceptions.mockResolvedValue([getExceptionListItemSchemaMock()]);
        await sendAlertToTimelineAction({
          createTimeline,
@ -584,6 +584,21 @@ describe('alert actions', () => {
            },
            description: '_id: 1',
            filters: [
+              {
+                meta: {
+                  key: 'host.name',
+                  negate: false,
+                  params: '"{"query":"placeholder"}"',
+                  type: 'phrase',
+                },
+                query: { match_phrase: { 'host.name': 'placeholder' } },
+              },
+              {
+                // https://github.com/elastic/kibana/issues/126574 - if the provided filter has no `meta` field
+                // we expect an empty object to be inserted before calling `createTimeline`
+                meta: {},
+                query: { match_all: {} },
+              },
              {
                meta: {
                  alias: 'Exceptions',
@ -701,6 +716,21 @@ describe('alert actions', () => {
          ...defaultTimelineProps,
          timeline: {
            ...defaultTimelineProps.timeline,
+            filters: [
+              {
+                meta: {
+                  key: 'host.name',
+                  negate: false,
+                  params: '"{"query":"placeholder"}"',
+                  type: 'phrase',
+                },
+                query: { match_phrase: { 'host.name': 'placeholder' } },
+              },
+              {
+                meta: {},
+                query: { match_all: {} },
+              },
+            ],
            dataProviders: [
              {
                and: [],
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
@ -158,16 +158,6 @@ export const determineToAndFrom = ({ ecs }: { ecs: Ecs[] | Ecs }) => {
  return { to, from };
 };

-const getFiltersFromRule = (filters: string[]): Filter[] =>
-  filters.reduce((acc, filterString) => {
-    try {
-      const objFilter: Filter = JSON.parse(filterString);
-      return [...acc, objFilter];
-    } catch (e) {
-      return acc;
-    }
-  }, [] as Filter[]);
-
 const calculateFromTimeFallback = (thresholdData: Ecs, originalTime: moment.Moment) => {
  // relative time that the rule's time range starts at (e.g. now-1h)

@ -425,7 +415,12 @@ const createThresholdTimeline = async (

    const alertDoc = formattedAlertData[0];
    const params = getField(alertDoc, ALERT_RULE_PARAMETERS);
-    const filters = getFiltersFromRule(params.filters ?? alertDoc.signal?.rule?.filters) ?? [];
+    const filters: Filter[] = params.filters ?? alertDoc.signal?.rule?.filters;
+    // https://github.com/elastic/kibana/issues/126574 - if the provided filter has no `meta` field
+    // we expect an empty object to be inserted before calling `createTimeline`
+    const augmentedFilters = filters.map((filter) => {
+      return filter.meta != null ? filter : { ...filter, meta: {} };
+    });
    const language = params.language ?? alertDoc.signal?.rule?.language ?? 'kuery';
    const query = params.query ?? alertDoc.signal?.rule?.query ?? '';
    const indexNames = params.index ?? alertDoc.signal?.rule?.index ?? [];
@ -439,7 +434,7 @@ const createThresholdTimeline = async (
        chunkSize: 10000,
        alias: 'Exceptions',
      }) ?? [];
-    const allFilters = (templateValues.filters ?? filters).concat(exceptionsFilter);
+    const allFilters = (templateValues.filters ?? augmentedFilters).concat(exceptionsFilter);

    return createTimeline({
      from: thresholdFrom,