From f9eff8f729fc82725e28b76f9cac659dfbc0cb4a Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Tue, 3 Dec 2024 16:32:07 -0500 Subject: [PATCH 1/4] fixes bug --- .../diffable_rule_fields_mappings.test.ts | 15 +++++++++++++++ .../diffable_rule_fields_mappings.ts | 7 ++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts new file mode 100644 index 0000000000000..95495ebea0d9d --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { transformDiffableFieldValues } from './diffable_rule_fields_mappings'; + +describe('transformDiffableFieldValues', () => { + it('transforms rule_schedule into "from" value', () => { + const result = transformDiffableFieldValues('from', { interval: '5m', lookback: '4m' }); + expect(result).toEqual({ type: 'TRANSFORMED_FIELD', value: 'now-540s' }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts index 7caa0469eebeb..cdf85863291e5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts @@ -5,6 +5,7 @@ * 2.0. */ import { get, has } from 'lodash'; +import moment from 'moment'; import type { RuleSchedule, DataSourceIndexPatterns, @@ -15,6 +16,7 @@ import type { } from '../../../../../../common/api/detection_engine'; import { type AllFieldsDiff } from '../../../../../../common/api/detection_engine'; import type { PrebuiltRuleAsset } from '../../model/rule_assets/prebuilt_rule_asset'; +import { parseInterval } from '../../../rule_types/utils/utils'; /** * Retrieves and transforms the value for a specific field from a DiffableRule group. @@ -201,7 +203,10 @@ export const transformDiffableFieldValues = ( diffableFieldValue: RuleSchedule | InlineKqlQuery | unknown ): TransformValuesReturnType => { if (fieldName === 'from' && isRuleSchedule(diffableFieldValue)) { - return { type: 'TRANSFORMED_FIELD', value: `now-${diffableFieldValue.lookback}` }; + const interval = parseInterval(diffableFieldValue.interval) ?? moment.duration(0); + const parsedFrom = parseInterval(diffableFieldValue.lookback) ?? moment.duration(0); + const from = parsedFrom.asSeconds() + interval.asSeconds(); + return { type: 'TRANSFORMED_FIELD', value: `now-${from}s` }; } else if (fieldName === 'to') { return { type: 'TRANSFORMED_FIELD', value: `now` }; } else if (fieldName === 'saved_id' && isInlineQuery(diffableFieldValue)) { From 8684935469bbdeea3e7bf81765f218d6f8e519fe Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Wed, 4 Dec 2024 10:45:55 -0500 Subject: [PATCH 2/4] abstracts reused code --- .../diffable_rule_fields_mappings.ts | 10 +++++----- .../logic/bulk_actions/rule_params_modifier.ts | 11 +++++------ .../lib/detection_engine/rule_types/utils/utils.ts | 13 +++++++++++++ 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts index cdf85863291e5..2d2a0748ed501 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts @@ -5,7 +5,6 @@ * 2.0. */ import { get, has } from 'lodash'; -import moment from 'moment'; import type { RuleSchedule, DataSourceIndexPatterns, @@ -16,7 +15,7 @@ import type { } from '../../../../../../common/api/detection_engine'; import { type AllFieldsDiff } from '../../../../../../common/api/detection_engine'; import type { PrebuiltRuleAsset } from '../../model/rule_assets/prebuilt_rule_asset'; -import { parseInterval } from '../../../rule_types/utils/utils'; +import { calculateFromValueWithRuleScheduleFields } from '../../../rule_types/utils/utils'; /** * Retrieves and transforms the value for a specific field from a DiffableRule group. @@ -203,9 +202,10 @@ export const transformDiffableFieldValues = ( diffableFieldValue: RuleSchedule | InlineKqlQuery | unknown ): TransformValuesReturnType => { if (fieldName === 'from' && isRuleSchedule(diffableFieldValue)) { - const interval = parseInterval(diffableFieldValue.interval) ?? moment.duration(0); - const parsedFrom = parseInterval(diffableFieldValue.lookback) ?? moment.duration(0); - const from = parsedFrom.asSeconds() + interval.asSeconds(); + const from = calculateFromValueWithRuleScheduleFields( + diffableFieldValue.interval, + diffableFieldValue.lookback + ); return { type: 'TRANSFORMED_FIELD', value: `now-${from}s` }; } else if (fieldName === 'to') { return { type: 'TRANSFORMED_FIELD', value: `now` }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts index 1d633817c7b53..f198498c38d70 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts @@ -5,8 +5,6 @@ * 2.0. */ -import moment from 'moment'; -import { parseInterval } from '@kbn/data-plugin/common/search/aggs/utils/date_interval_utils'; import type { RuleParamsModifierResult } from '@kbn/alerting-plugin/server/rules_client/methods/bulk_edit'; import type { ExperimentalFeatures } from '../../../../../../common'; import type { InvestigationFieldsCombined, RuleAlertType } from '../../../rule_schema'; @@ -17,6 +15,7 @@ import type { } from '../../../../../../common/api/detection_engine/rule_management'; import { BulkActionEditTypeEnum } from '../../../../../../common/api/detection_engine/rule_management'; import { invariant } from '../../../../../../common/utils/invariant'; +import { calculateFromValueWithRuleScheduleFields } from '../../../rule_types/utils/utils'; export const addItemsToArray = (arr: T[], items: T[]): T[] => Array.from(new Set([...arr, ...items])); @@ -256,10 +255,10 @@ const applyBulkActionEditToRuleParams = ( } // update look-back period in from and meta.from fields case BulkActionEditTypeEnum.set_schedule: { - const interval = parseInterval(action.value.interval) ?? moment.duration(0); - const parsedFrom = parseInterval(action.value.lookback) ?? moment.duration(0); - - const from = parsedFrom.asSeconds() + interval.asSeconds(); + const from = calculateFromValueWithRuleScheduleFields( + action.value.interval, + action.value.lookback + ); ruleParams = { ...ruleParams, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts index bf0899978f2b2..16c49e9e72d7c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts @@ -544,6 +544,19 @@ export const getCatchupTuples = ({ return catchupTuples; }; +/** + * Takes the rule schedule fields `interval` and `lookback` and uses them to calculate the `from` value for a rule + * + * @param interval moment.Duration representing the interval on which the rule runs + * @param lookback moment.Moment representing the rule's additional lookback + * @returns moment.Moment representing the rule's 'from' property + */ +export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => { + const parsedInterval = parseInterval(interval) ?? moment.duration(0); + const parsedFrom = parseInterval(lookback) ?? moment.duration(0); + return parsedFrom.asSeconds() + parsedInterval.asSeconds(); +}; + /** * Given errors from a search query this will return an array of strings derived from the errors. * @param errors The errors to derive the strings from From 1f5945807c7d7efe752520bfb836e7bbe545a3d1 Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Thu, 5 Dec 2024 12:11:22 -0500 Subject: [PATCH 3/4] addresses comments --- .../diffable_rule_fields_mappings.ts | 9 +++------ .../logic/bulk_actions/rule_params_modifier.ts | 9 +++------ .../detection_engine/rule_types/utils/utils.test.ts | 13 +++++++++++++ .../lib/detection_engine/rule_types/utils/utils.ts | 11 ++++++----- 4 files changed, 25 insertions(+), 17 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts index 2d2a0748ed501..d7e359b0daa25 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts @@ -15,7 +15,7 @@ import type { } from '../../../../../../common/api/detection_engine'; import { type AllFieldsDiff } from '../../../../../../common/api/detection_engine'; import type { PrebuiltRuleAsset } from '../../model/rule_assets/prebuilt_rule_asset'; -import { calculateFromValueWithRuleScheduleFields } from '../../../rule_types/utils/utils'; +import { calculateFromValue } from '../../../rule_types/utils/utils'; /** * Retrieves and transforms the value for a specific field from a DiffableRule group. @@ -202,11 +202,8 @@ export const transformDiffableFieldValues = ( diffableFieldValue: RuleSchedule | InlineKqlQuery | unknown ): TransformValuesReturnType => { if (fieldName === 'from' && isRuleSchedule(diffableFieldValue)) { - const from = calculateFromValueWithRuleScheduleFields( - diffableFieldValue.interval, - diffableFieldValue.lookback - ); - return { type: 'TRANSFORMED_FIELD', value: `now-${from}s` }; + const from = calculateFromValue(diffableFieldValue.interval, diffableFieldValue.lookback); + return { type: 'TRANSFORMED_FIELD', value: from }; } else if (fieldName === 'to') { return { type: 'TRANSFORMED_FIELD', value: `now` }; } else if (fieldName === 'saved_id' && isInlineQuery(diffableFieldValue)) { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts index f198498c38d70..756fbd3998d69 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts @@ -15,7 +15,7 @@ import type { } from '../../../../../../common/api/detection_engine/rule_management'; import { BulkActionEditTypeEnum } from '../../../../../../common/api/detection_engine/rule_management'; import { invariant } from '../../../../../../common/utils/invariant'; -import { calculateFromValueWithRuleScheduleFields } from '../../../rule_types/utils/utils'; +import { calculateFromValue } from '../../../rule_types/utils/utils'; export const addItemsToArray = (arr: T[], items: T[]): T[] => Array.from(new Set([...arr, ...items])); @@ -255,10 +255,7 @@ const applyBulkActionEditToRuleParams = ( } // update look-back period in from and meta.from fields case BulkActionEditTypeEnum.set_schedule: { - const from = calculateFromValueWithRuleScheduleFields( - action.value.interval, - action.value.lookback - ); + const from = calculateFromValue(action.value.interval, action.value.lookback); ruleParams = { ...ruleParams, @@ -266,7 +263,7 @@ const applyBulkActionEditToRuleParams = ( ...ruleParams.meta, from: action.value.lookback, }, - from: `now-${from}s`, + from, }; break; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts index 0a625ed5f245b..f95845151136f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts @@ -48,6 +48,7 @@ import { addToSearchAfterReturn, getUnprocessedExceptionsWarnings, getDisabledActionsWarningText, + calculateFromValue, } from './utils'; import type { BulkResponseErrorAggregation, SearchAfterAndBulkCreateReturnType } from '../types'; import { @@ -586,6 +587,18 @@ describe('utils', () => { }); }); + describe('calculateFromValue', () => { + test('should return formatted `from` value from rule schedule fields', () => { + const from = calculateFromValue('5m', '4m'); + expect(from).toEqual('now-540s'); + }); + + test('should return formatted `from` value from rule schedule fields with no lookback', () => { + const from = calculateFromValue('5m', '0m'); + expect(from).toEqual('now-300s'); + }); + }); + describe('getMaxCatchupRatio', () => { test('should return 0 if gap is 0', () => { const catchup = getNumCatchupIntervals({ diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts index 16c49e9e72d7c..729ec55fe69ca 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts @@ -547,14 +547,15 @@ export const getCatchupTuples = ({ /** * Takes the rule schedule fields `interval` and `lookback` and uses them to calculate the `from` value for a rule * - * @param interval moment.Duration representing the interval on which the rule runs - * @param lookback moment.Moment representing the rule's additional lookback - * @returns moment.Moment representing the rule's 'from' property + * @param interval string representing the interval on which the rule runs + * @param lookback string representing the rule's additional lookback + * @returns string representing the rule's 'from' property */ -export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => { +export const calculateFromValue = (interval: string, lookback: string) => { const parsedInterval = parseInterval(interval) ?? moment.duration(0); const parsedFrom = parseInterval(lookback) ?? moment.duration(0); - return parsedFrom.asSeconds() + parsedInterval.asSeconds(); + const duration = parsedFrom.asSeconds() + parsedInterval.asSeconds(); + return `now-${duration}s`; }; /** From 1c6e505b7c72424ab0c96b555c43f6acd23fcc76 Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Mon, 9 Dec 2024 12:02:13 -0500 Subject: [PATCH 4/4] adds one more test --- .../lib/detection_engine/rule_types/utils/utils.test.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts index f95845151136f..3430d2ae903ef 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts @@ -597,6 +597,11 @@ describe('utils', () => { const from = calculateFromValue('5m', '0m'); expect(from).toEqual('now-300s'); }); + + test('should return formatted `from` value from rule schedule fields with invalid moment fields', () => { + const from = calculateFromValue('5', '5'); + expect(from).toEqual('now-0s'); + }); }); describe('getMaxCatchupRatio', () => {