[Security Solution] Migrates siem-detection-engine-rule-status alertId to saved object references array

src/core/server/saved_objects/service/lib/aggregations/aggs_types/bucket_aggs.ts

@@ -16,6 +16,7 @@ import { sortOrderSchema } from './common_schemas';
  * - filter
  * - histogram
  * - nested
+ * - reverse_nested
  * - terms
  *
  * Not implemented:
@@ -37,7 +38,6 @@ import { sortOrderSchema } from './common_schemas';
  * - parent
  * - range
  * - rare_terms
- * - reverse_nested
  * - sampler
  * - significant_terms
  * - significant_text
@@ -76,6 +76,9 @@ export const bucketAggsSchemas: Record<string, ObjectType> = {
   nested: s.object({
     path: s.string(),
   }),
+  reverse_nested: s.object({
+    path: s.maybe(s.string()),
+  }),
   terms: s.object({
     field: s.maybe(s.string()),
     collect_mode: s.maybe(s.string()),

x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts

@@ -479,7 +479,6 @@ export const getRuleExecutionStatuses = (): Array<
     type: 'my-type',
     id: 'e0b86950-4e9f-11ea-bdbd-07b56aa159b3',
     attributes: {
-      alertId: '04128c15-0d1b-4716-a4c5-46997ac7f3bc',
       statusDate: '2020-02-18T15:26:49.783Z',
       status: RuleExecutionStatus.succeeded,
       lastFailureAt: undefined,
@@ -492,15 +491,20 @@ export const getRuleExecutionStatuses = (): Array<
       bulkCreateTimeDurations: ['800.43'],
     },
     score: 1,
-    references: [],
+    references: [
+      {
+        id: '04128c15-0d1b-4716-a4c5-46997ac7f3bc',
+        type: 'alert',
+        name: 'alert_0',
+      },
+    ],
     updated_at: '2020-02-18T15:26:51.333Z',
     version: 'WzQ2LDFd',
   },
   {
     type: 'my-type',
     id: '91246bd0-5261-11ea-9650-33b954270f67',
     attributes: {
-      alertId: '1ea5a820-4da1-4e82-92a1-2b43a7bece08',
       statusDate: '2020-02-18T15:15:58.806Z',
       status: RuleExecutionStatus.failed,
       lastFailureAt: '2020-02-18T15:15:58.806Z',
@@ -514,7 +518,13 @@ export const getRuleExecutionStatuses = (): Array<
       bulkCreateTimeDurations: ['800.43'],
     },
     score: 1,
-    references: [],
+    references: [
+      {
+        id: '1ea5a820-4da1-4e82-92a1-2b43a7bece08',
+        type: 'alert',
+        name: 'alert_0',
+      },
+    ],
     updated_at: '2020-02-18T15:15:58.860Z',
     version: 'WzMyLDFd',
   },
@@ -523,7 +533,6 @@ export const getRuleExecutionStatuses = (): Array<
 export const getFindBulkResultStatus = (): FindBulkExecutionLogResponse => ({
   '04128c15-0d1b-4716-a4c5-46997ac7f3bd': [
     {
-      alertId: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
       statusDate: '2020-02-18T15:26:49.783Z',
       status: RuleExecutionStatus.succeeded,
       lastFailureAt: undefined,
@@ -538,7 +547,6 @@ export const getFindBulkResultStatus = (): FindBulkExecutionLogResponse => ({
   ],
   '1ea5a820-4da1-4e82-92a1-2b43a7bece08': [
     {
-      alertId: '1ea5a820-4da1-4e82-92a1-2b43a7bece08',
       statusDate: '2020-02-18T15:15:58.806Z',
       status: RuleExecutionStatus.failed,
       lastFailureAt: '2020-02-18T15:15:58.806Z',

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts

@@ -31,7 +31,7 @@ import { updatePrepackagedRules } from '../../rules/update_prepacked_rules';
 import { getRulesToInstall } from '../../rules/get_rules_to_install';
 import { getRulesToUpdate } from '../../rules/get_rules_to_update';
 import { getExistingPrepackagedRules } from '../../rules/get_existing_prepackaged_rules';
-import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset_saved_objects_client';
+import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset/rule_asset_saved_objects_client';
 
 import { buildSiemResponse } from '../utils';
 import { RulesClient } from '../../../../../../alerting/server';

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_prepackaged_rules_status_route.ts

@@ -20,7 +20,7 @@ import { getRulesToUpdate } from '../../rules/get_rules_to_update';
 import { findRules } from '../../rules/find_rules';
 import { getLatestPrepackagedRules } from '../../rules/get_prepackaged_rules';
 import { getExistingPrepackagedRules } from '../../rules/get_existing_prepackaged_rules';
-import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset_saved_objects_client';
+import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset/rule_asset_saved_objects_client';
 import { buildFrameworkRequest } from '../../../timeline/utils/common';
 import { ConfigType } from '../../../../config';
 import { SetupPlugins } from '../../../../plugin';

x-pack/plugins/security_solution/server/lib/detection_engine/routes/utils.test.ts

@@ -142,7 +142,7 @@ describe.each([
       statusTwo.attributes.status = RuleExecutionStatus.failed;
       const currentStatus = exampleRuleStatus();
       const foundRules = [currentStatus.attributes, statusOne.attributes, statusTwo.attributes];
-      const res = mergeStatuses(currentStatus.attributes.alertId, foundRules, {
+      const res = mergeStatuses(currentStatus.references[0].id, foundRules, {
         'myfakealertid-8cfac': {
           current_status: {
             alert_id: 'myfakealertid-8cfac',

x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log_adapter/event_log_adapter.ts

@@ -42,7 +42,7 @@ export class EventLogAdapter implements IRuleExecutionLogClient {
   }
 
   public async update(args: UpdateExecutionLogArgs) {
-    const { attributes, spaceId, ruleName, ruleType } = args;
+    const { attributes, spaceId, ruleId, ruleName, ruleType } = args;
 
     await this.savedObjectsAdapter.update(args);
 
@@ -51,7 +51,7 @@ export class EventLogAdapter implements IRuleExecutionLogClient {
       this.eventLogClient.logStatusChange({
         ruleName,
         ruleType,
-        ruleId: attributes.alertId,
+        ruleId,
         newStatus: attributes.status,
         spaceId,
       });

x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/rule_status_saved_objects_client.ts

@@ -5,27 +5,33 @@
  * 2.0.
  */
 
-import { get } from 'lodash';
 import {
-  SavedObjectsClientContract,
   SavedObject,
-  SavedObjectsUpdateResponse,
+  SavedObjectsClientContract,
+  SavedObjectsCreateOptions,
   SavedObjectsFindOptions,
+  SavedObjectsFindOptionsReference,
   SavedObjectsFindResult,
-} from '../../../../../../../../src/core/server';
-import { ruleStatusSavedObjectType } from '../../rules/saved_object_mappings';
+  SavedObjectsUpdateResponse,
+} from 'kibana/server';
+import { get } from 'lodash';
+// eslint-disable-next-line no-restricted-imports
+import { legacyRuleStatusSavedObjectType } from '../../rules/legacy_rule_status/legacy_rule_status_saved_object_mappings';
 import { IRuleStatusSOAttributes } from '../../rules/types';
-import { buildChunkedOrFilter } from '../../signals/utils';
 
 export interface RuleStatusSavedObjectsClient {
   find: (
     options?: Omit<SavedObjectsFindOptions, 'type'>
   ) => Promise<Array<SavedObjectsFindResult<IRuleStatusSOAttributes>>>;
   findBulk: (ids: string[], statusesPerId: number) => Promise<FindBulkResponse>;
-  create: (attributes: IRuleStatusSOAttributes) => Promise<SavedObject<IRuleStatusSOAttributes>>;
+  create: (
+    attributes: IRuleStatusSOAttributes,
+    options?: SavedObjectsCreateOptions
+  ) => Promise<SavedObject<IRuleStatusSOAttributes>>;
   update: (
     id: string,
-    attributes: Partial<IRuleStatusSOAttributes>
+    attributes: Partial<IRuleStatusSOAttributes>,
+    options?: SavedObjectsCreateOptions
   ) => Promise<SavedObjectsUpdateResponse<IRuleStatusSOAttributes>>;
   delete: (id: string) => Promise<{}>;
 }
@@ -35,63 +41,80 @@ export interface FindBulkResponse {
 }
 
 /**
- * @pdeprecated Use RuleExecutionLogClient instead
+ * @deprecated Use RuleExecutionLogClient instead
  */
 export const ruleStatusSavedObjectsClientFactory = (
   savedObjectsClient: SavedObjectsClientContract
 ): RuleStatusSavedObjectsClient => ({
   find: async (options) => {
     const result = await savedObjectsClient.find<IRuleStatusSOAttributes>({
       ...options,
-      type: ruleStatusSavedObjectType,
+      type: legacyRuleStatusSavedObjectType,
     });
     return result.saved_objects;
   },
   findBulk: async (ids, statusesPerId) => {
     if (ids.length === 0) {
       return {};
     }
-    const filter = buildChunkedOrFilter(`${ruleStatusSavedObjectType}.attributes.alertId`, ids);
+    const references = ids.map<SavedObjectsFindOptionsReference>((alertId) => ({
+      id: alertId,
+      type: 'alert',
+    }));
     const order: 'desc' = 'desc';
     const aggs = {
-      alertIds: {
-        terms: {
-          field: `${ruleStatusSavedObjectType}.attributes.alertId`,
-          size: ids.length,
+      references: {
+        nested: {
+          path: `${legacyRuleStatusSavedObjectType}.references`,
         },
         aggs: {
-          most_recent_statuses: {
-            top_hits: {
-              sort: [
-                {
-                  [`${ruleStatusSavedObjectType}.statusDate`]: {
-                    order,
+          alertIds: {
+            terms: {
+              field: `${legacyRuleStatusSavedObjectType}.references.id`,
+              size: ids.length,
+            },
+            aggs: {
+              rule_status: {
+                reverse_nested: {},
+                aggs: {
+                  most_recent_statuses: {
+                    top_hits: {
+                      sort: [
+                        {
+                          [`${legacyRuleStatusSavedObjectType}.statusDate`]: {
+                            order,
+                          },
+                        },
+                      ],
+                      size: statusesPerId,
+                    },
                   },
                 },
-              ],
-              size: statusesPerId,
+              },
             },
           },
         },
       },
     };
     const results = await savedObjectsClient.find({
-      filter,
+      hasReference: references,
       aggs,
-      type: ruleStatusSavedObjectType,
+      type: legacyRuleStatusSavedObjectType,
       perPage: 0,
     });
-    const buckets = get(results, 'aggregations.alertIds.buckets');
+    const buckets = get(results, 'aggregations.references.alertIds.buckets');
     return buckets.reduce((acc: Record<string, unknown>, bucket: unknown) => {
       const key = get(bucket, 'key');
-      const hits = get(bucket, 'most_recent_statuses.hits.hits');
+      const hits = get(bucket, 'rule_status.most_recent_statuses.hits.hits');
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const statuses = hits.map((hit: any) => hit._source['siem-detection-engine-rule-status']);
-      acc[key] = statuses;
+      acc[key] = hits.map((hit: any) => hit._source[legacyRuleStatusSavedObjectType]);
       return acc;
     }, {});
   },
-  create: (attributes) => savedObjectsClient.create(ruleStatusSavedObjectType, attributes),
-  update: (id, attributes) => savedObjectsClient.update(ruleStatusSavedObjectType, id, attributes),
-  delete: (id) => savedObjectsClient.delete(ruleStatusSavedObjectType, id),
+  create: (attributes, options) => {
+    return savedObjectsClient.create(legacyRuleStatusSavedObjectType, attributes, options);
+  },
+  update: (id, attributes, options) =>
+    savedObjectsClient.update(legacyRuleStatusSavedObjectType, id, attributes, options),
+  delete: (id) => savedObjectsClient.delete(legacyRuleStatusSavedObjectType, id),
 });