[Security Solution] Adjust the on-read normalization for the actions and throttle rule fields (#154924)

**Addresses:** https://github.com/elastic/kibana/issues/147736

## Summary

This PR removes the `muteAll`-based normalization of the `throttle` field from Security Solution's `transformFromAlertThrottle` helper function, which is used as part of the functionality that upgrades the rule-level `throttle` to an action-level one.


### Checklist

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Maxim Palenov 2023-05-05 12:04:22 +02:00 committed by GitHub
parent f2a268cc29
commit 9e9232b0b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 109 additions and 61 deletions


@ -83,75 +83,127 @@ describe('Rule actions normalization', () => {
});
describe('transformFromAlertThrottle', () => {
test('muteAll returns "NOTIFICATION_THROTTLE_NO_ACTIONS" even with notifyWhen set and actions has an array element', () => {
test('returns first action throttle if rule.notifyWhen is not set', () => {
expect(
transformFromAlertThrottle({
actions: [
{
group: 'group',
id: 'id-123',
actionTypeId: 'id-456',
params: {},
frequency: {
notifyWhen: 'onThrottleInterval',
throttle: '1d',
},
},
{
group: 'group',
id: 'id-123',
actionTypeId: 'id-456',
params: {},
frequency: {
notifyWhen: 'onThrottleInterval',
throttle: '2d',
},
},
],
} as RuleAlertType)
).toBe('1d');
});
test('returns "NOTIFICATION_THROTTLE_RULE" if rule.notifyWhen and first action notifyWhen are not set', () => {
expect(
transformFromAlertThrottle({
actions: [
{
group: 'group',
id: 'id-123',
actionTypeId: 'id-456',
params: {},
frequency: {
throttle: '1d',
},
},
{
group: 'group',
id: 'id-123',
actionTypeId: 'id-456',
params: {},
frequency: {
notifyWhen: 'onThrottleInterval',
throttle: '2d',
},
},
],
} as RuleAlertType)
).toBe(NOTIFICATION_THROTTLE_RULE);
});
test('returns "NOTIFICATION_THROTTLE_RULE" if rule.notifyWhen is not set and there are no actions', () => {
expect(
transformFromAlertThrottle({
actions: [],
} as unknown as RuleAlertType)
).toBe(NOTIFICATION_THROTTLE_RULE);
});
test('returns "NOTIFICATION_THROTTLE_RULE" if rule.notifyWhen is "onActiveAlert"', () => {
expect(
transformFromAlertThrottle({
notifyWhen: 'onActiveAlert',
actions: [],
} as unknown as RuleAlertType)
).toBe(NOTIFICATION_THROTTLE_RULE);
});
test('returns rule.throttle value if rule.notifyWhen is "onThrottleInterval"', () => {
expect(
transformFromAlertThrottle({
notifyWhen: 'onThrottleInterval',
throttle: '1d',
actions: [],
} as unknown as RuleAlertType)
).toBe('1d');
});
test('returns undefined if rule.notifyWhen is "onThrottleInterval" and rule.throttle is not set', () => {
expect(
transformFromAlertThrottle({
notifyWhen: 'onThrottleInterval',
actions: [],
} as unknown as RuleAlertType)
).toBeUndefined();
});
test('returns first action throttle if rule.notifyWhen is not set even if muteAll is set to true', () => {
expect(
transformFromAlertThrottle({
muteAll: true,
notifyWhen: 'onActiveAlert',
actions: [
{
group: 'group',
id: 'id-123',
actionTypeId: 'id-456',
params: {},
frequency: {
notifyWhen: 'onThrottleInterval',
throttle: '1d',
},
},
],
} as RuleAlertType)
).toEqual(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
test('returns "NOTIFICATION_THROTTLE_NO_ACTIONS" if actions is an empty array and we do not have a throttle', () => {
expect(
transformFromAlertThrottle({
muteAll: false,
notifyWhen: 'onActiveAlert',
actions: [],
} as unknown as RuleAlertType)
).toEqual(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
test('returns "NOTIFICATION_THROTTLE_NO_ACTIONS" if actions is an empty array and we have a throttle', () => {
expect(
transformFromAlertThrottle({
muteAll: false,
notifyWhen: 'onThrottleInterval',
actions: [],
throttle: '1d',
} as unknown as RuleAlertType)
).toEqual(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
test('it returns "NOTIFICATION_THROTTLE_RULE" if "notifyWhen" is set, muteAll is false and we have an actions array', () => {
expect(
transformFromAlertThrottle({
muteAll: false,
notifyWhen: 'onActiveAlert',
actions: [
{
group: 'group',
id: 'id-123',
actionTypeId: 'id-456',
params: {},
frequency: {
notifyWhen: 'onThrottleInterval',
throttle: '2d',
},
},
],
} as RuleAlertType)
).toEqual(NOTIFICATION_THROTTLE_RULE);
});
test('it returns "NOTIFICATION_THROTTLE_RULE" if "notifyWhen" and "throttle" are not set, but we have an actions array', () => {
expect(
transformFromAlertThrottle({
muteAll: false,
actions: [
{
group: 'group',
id: 'id-123',
actionTypeId: 'id-456',
params: {},
},
],
} as RuleAlertType)
).toEqual(NOTIFICATION_THROTTLE_RULE);
).toBe('1d');
});
});
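Review bot: The only case that sets `muteAll: true` is the test titled 'returns first action throttle if rule.notifyWhen is not set even if muteAll is set to true', so the 'onActiveAlert' and 'onThrottleInterval' branches of `transformFromAlertThrottle` are never exercised with a muted rule. Since the purpose of the change is that `muteAll` no longer influences the normalized value, I would add muted variants of those two cases, for example `transformFromAlertThrottle({ muteAll: true, notifyWhen: 'onThrottleInterval', throttle: '1d', actions: [] } as unknown as RuleAlertType)` expecting `'1d'`. Without them, a later refactor could reintroduce a `muteAll` check on those branches without failing this suite. The page has lost its +/- markers, so the `notifyWhen: 'onActiveAlert'` line inside the muted test is presumably a removed line; if it is still on the new side, the test title and its input disagree.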


@ -84,26 +84,22 @@ export const transformToAlertThrottle = (throttle: string | null | undefined): s
/**
* Given a throttle from an "alerting" Saved Object (SO) this will transform it into a "security_solution"
* throttle type. If given the "legacyRuleActions" but we detect that the rule for an unknown reason has actions
* on it to which should not be typical but possible due to the split nature of the API's, this will prefer the
* usage of the non-legacy version. Eventually the "legacyRuleActions" should be removed.
* @param throttle The throttle from a "alerting" Saved Object (SO)
* throttle type.
* @param throttle The throttle from an "alerting" Saved Object (SO)
* @returns The "security_solution" throttle
*/
export const transformFromAlertThrottle = (rule: RuleAlertType): string => {
if (rule.muteAll || rule.actions.length === 0) {
return NOTIFICATION_THROTTLE_NO_ACTIONS;
} else if (rule.notifyWhen == null) {
export const transformFromAlertThrottle = (rule: RuleAlertType): string | undefined => {
if (rule.notifyWhen == null) {
return transformFromFirstActionThrottle(rule);
} else if (rule.notifyWhen === 'onActiveAlert') {
return NOTIFICATION_THROTTLE_RULE;
}
return rule.throttle ?? NOTIFICATION_THROTTLE_NO_ACTIONS;
return rule.throttle ?? undefined;
};
function transformFromFirstActionThrottle(rule: RuleAlertType) {
const frequency = rule.actions[0].frequency ?? null;
const frequency = rule.actions[0]?.frequency ?? null;
if (!frequency || frequency.notifyWhen !== 'onThrottleInterval' || frequency.throttle == null)
return NOTIFICATION_THROTTLE_RULE;
return frequency.throttle;