[Security Solution][Alerts] Threshold alert history state is not always pruned correctly (#129821) (#136538)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-23 01:13:23 -04:00 · 2022-07-25 18:31:16 +02:00 · 2022-07-25 18:31:16 +02:00 · b6b53d152c
commit b6b53d152c
parent 170fa429ae
1 changed files with 62 additions and 0 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts
@ -16,6 +16,7 @@ import { getEntryListMock } from '@kbn/lists-plugin/common/schemas/types/entry_l
 import { getThresholdRuleParams, getCompleteRuleMock } from '../../schemas/rule_schemas.mock';
 import { buildRuleMessageFactory } from '../rule_messages';
 import { sampleEmptyAggsSearchResults } from '../__mocks__/es_results';
+import { getThresholdTermsHash } from '../utils';
 import { allowedExperimentalValues } from '../../../../../common/experimental_features';
 import type { ThresholdRuleParams } from '../../schemas/rule_schemas';
 import { createRuleDataClientMock } from '@kbn/rule-registry-plugin/server/rule_data_client/rule_data_client.mock';
@ -84,5 +85,66 @@ describe('threshold_executor', () => {
      });
      expect(response.warningMessages.length).toEqual(1);
    });
+
+    it('should clean up any signal history that has fallen outside the window when state is initialized', async () => {
+      const ruleDataClientMock = createRuleDataClientMock();
+      const terms1 = [
+        {
+          field: 'host.name',
+          value: 'elastic-pc-1',
+        },
+      ];
+      const signalHistoryRecord1 = {
+        terms: terms1,
+        lastSignalTimestamp: tuple.from.valueOf() - 60 * 1000,
+      };
+      const terms2 = [
+        {
+          field: 'host.name',
+          value: 'elastic-pc-2',
+        },
+      ];
+      const signalHistoryRecord2 = {
+        terms: terms2,
+        lastSignalTimestamp: tuple.from.valueOf() + 60 * 1000,
+      };
+      const state = {
+        initialized: true,
+        signalHistory: {
+          [`${getThresholdTermsHash(terms1)}`]: signalHistoryRecord1,
+          [`${getThresholdTermsHash(terms2)}`]: signalHistoryRecord2,
+        },
+      };
+      const response = await thresholdExecutor({
+        completeRule: thresholdCompleteRule,
+        tuple,
+        exceptionItems: [],
+        experimentalFeatures: allowedExperimentalValues,
+        services: alertServices,
+        state,
+        version,
+        logger,
+        buildRuleMessage,
+        startedAt: new Date(),
+        bulkCreate: jest.fn().mockImplementation((hits) => ({
+          errors: [],
+          success: true,
+          bulkCreateDuration: '0',
+          createdItemsCount: 0,
+          createdItems: [],
+        })),
+        wrapHits: jest.fn(),
+        ruleDataReader: ruleDataClientMock.getReader({ namespace: 'default' }),
+        runtimeMappings: {},
+        inputIndex: ['auditbeat-*'],
+        primaryTimestamp: TIMESTAMP,
+      });
+      expect(response.state).toEqual({
+        initialized: true,
+        signalHistory: {
+          [`${getThresholdTermsHash(terms2)}`]: signalHistoryRecord2,
+        },
+      });
+    });
  });
 });