[Security Solution] Fix Coverage Overview API activity filter (#163785)

**Relates to:** https://github.com/elastic/kibana/issues/158246 ## Summary If activity filter contains both allowed values `enabled` and `disabled` simultaneously Coverage Overview endpoint returns the response filtered by the first value only. This PR fixes wrong behavior os if `enabled` and `disabled` values are set simultaneously the response contains combined results for both `enabled` and `disabled` activity filter values. For example a request like below ```sh curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"activity": ["enabled","disabled"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose ``` would produce the same response as the following request ```sh curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose ``` ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
2025-04-24 09:48:58 -04:00 · 2023-08-14 22:11:53 +02:00 · 2023-08-14 22:11:53 +02:00 · c610d03787
commit c610d03787
parent 26a9739bee
2 changed files with 53 additions and 5 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/handle_coverage_overview_request.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/handle_coverage_overview_request.ts
@ -33,16 +33,19 @@ export async function handleCoverageOverviewRequest({
  params: { filter },
  deps: { rulesClient },
 }: HandleCoverageOverviewRequestArgs): Promise<CoverageOverviewResponse> {
+  const activitySet = new Set(filter?.activity);
  const kqlFilter = filter
    ? convertRulesFilterToKQL({
        filter: filter.search_term,
        showCustomRules: filter.source?.includes(CoverageOverviewRuleSource.Custom) ?? false,
        showElasticRules: filter.source?.includes(CoverageOverviewRuleSource.Prebuilt) ?? false,
-        enabled: filter.activity?.includes(CoverageOverviewRuleActivity.Disabled)
-          ? false
-          : filter.activity?.includes(CoverageOverviewRuleActivity.Enabled)
-          ? true
-          : undefined,
+        enabled:
+          (activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
+            activitySet.has(CoverageOverviewRuleActivity.Disabled)) ||
+          (!activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
+            !activitySet.has(CoverageOverviewRuleActivity.Disabled))
+            ? undefined
+            : activitySet.has(CoverageOverviewRuleActivity.Enabled),
      })
    : undefined;

--- a/x-pack/test/detection_engine_api_integration/basic/tests/coverage_overview.ts
+++ b/x-pack/test/detection_engine_api_integration/basic/tests/coverage_overview.ts
@ -341,6 +341,51 @@ export default ({ getService }: FtrProviderContext): void => {
            },
          });
        });
+
+        it('returns response filtered by enabled and disabled rules equal to response if enabled and disabled are not set', async () => {
+          const expectedRule1 = await createRule(supertest, log, {
+            ...getSimpleRule('rule-1'),
+            name: 'Disabled rule',
+            threat: generateThreatArray(1),
+          });
+          const expectedRule2 = await createRule(supertest, log, {
+            ...getSimpleRule('rule-2', true),
+            name: 'Enabled rule',
+            threat: generateThreatArray(2),
+          });
+
+          const { body } = await supertest
+            .post(RULE_MANAGEMENT_COVERAGE_OVERVIEW_URL)
+            .set('kbn-xsrf', 'true')
+            .send({
+              filter: {
+                activity: ['enabled', 'disabled'],
+              },
+            })
+            .expect(200);
+
+          expect(body).to.eql({
+            coverage: {
+              T001: [expectedRule1.id],
+              TA001: [expectedRule1.id],
+              'T001.001': [expectedRule1.id],
+              T002: [expectedRule2.id],
+              TA002: [expectedRule2.id],
+              'T002.002': [expectedRule2.id],
+            },
+            unmapped_rule_ids: [],
+            rules_data: {
+              [expectedRule1.id]: {
+                activity: 'disabled',
+                name: 'Disabled rule',
+              },
+              [expectedRule2.id]: {
+                activity: 'enabled',
+                name: 'Enabled rule',
+              },
+            },
+          });
+        });
      });

      describe('source', () => {