From 2bcf458dd4884b63d5f42cccf0dc3286e8a8abb8 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 22 Feb 2022 17:03:33 -0700 Subject: [PATCH 01/24] Adds Rule Execution Log table --- .../schemas/common/rule_monitoring.ts | 45 ++++++ .../get_rule_execution_events_request.ts | 8 + .../get_rule_execution_events_response.ts | 13 +- .../detection_engine/rules/__mocks__/api.ts | 38 ++++- .../detection_engine/rules/api.test.ts | 21 ++- .../containers/detection_engine/rules/api.ts | 16 +- .../detection_engine/rules/translations.ts | 7 + .../rules/use_rule_execution_events.test.tsx | 53 +++++-- .../rules/use_rule_execution_events.tsx | 22 ++- .../execution_log_columns.tsx | 109 +++++++++++++ .../execution_log_search_bar.tsx | 86 +++++++++++ .../execution_log_table.tsx | 146 ++++++++++++++++++ .../rules/details/failure_history.tsx | 80 ---------- .../detection_engine/rules/details/index.tsx | 12 +- .../rules/details/translations.ts | 84 ++++++++-- .../routes/__mocks__/request_responses.ts | 62 ++++++++ .../get_rule_execution_events_route.test.ts | 15 +- .../rules/get_rule_execution_events_route.ts | 28 ++-- .../rule_execution_log/__mocks__/index.ts | 1 + .../client_for_routes/client.ts | 34 +++- .../client_for_routes/client_interface.ts | 23 +++ .../event_log/event_log_reader.ts | 115 ++++++++++++++ 22 files changed, 871 insertions(+), 147 deletions(-) create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx delete mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/failure_history.tsx diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts index 6fd792c44ae96..7f693fe3abaae 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts @@ -106,3 +106,48 @@ export const ruleExecutionEvent = t.type({ }); export type RuleExecutionEvent = t.TypeOf; + +// ------------------------------------------------------------------------------------------------- +// Aggregate Rule execution events + +const metrics = t.type({ + total_alerts_created: t.number, + total_alerts_detected: t.number, + total_indexing_duration_ms: t.number, + total_search_duration_ms: t.number, +}); + +const execution = t.type({ + metrics, + status: t.string, +}); + +const rule = t.type({ + execution, +}); + +const alert = t.type({ + rule, +}); + +const event = t.type({ + duration: t.number, +}); + +const task = t.type({ + schedule_delay: t.number, +}); + +const kibana = t.type({ + task, + alert, +}); + +export const aggregateRuleExecutionEvent = t.type({ + kibana, + event, + message: t.string, + '@timestamp': IsoDateString, +}); + +export type AggregateRuleExecutionEvent = t.TypeOf; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts index 5e0e63ae7330d..3620075c80cde 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts @@ -13,6 +13,14 @@ export const GetRuleExecutionEventsRequestParams = t.exact( }) ); +export const GetRuleExecutionEventsQueryParams = t.exact( + t.type({ + start: t.string, + end: t.string, + filters: t.union([t.string, t.undefined]), + }) +); + export type GetRuleExecutionEventsRequestParams = t.TypeOf< typeof GetRuleExecutionEventsRequestParams >; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts index 9a732a46cbaba..571f78cf38aef 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts @@ -6,7 +6,7 @@ */ import * as t from 'io-ts'; -import { ruleExecutionEvent } from '../common'; +import { aggregateRuleExecutionEvent, ruleExecutionEvent } from '../common'; export const GetRuleExecutionEventsResponse = t.exact( t.type({ @@ -15,3 +15,14 @@ export const GetRuleExecutionEventsResponse = t.exact( ); export type GetRuleExecutionEventsResponse = t.TypeOf; + +export const GetAggregateRuleExecutionEventsResponse = t.exact( + t.type({ + events: t.array(aggregateRuleExecutionEvent), + maxEvents: t.number, + }) +); + +export type GetAggregateRuleExecutionEventsResponse = t.TypeOf< + typeof GetAggregateRuleExecutionEventsResponse +>; diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts index 0922c4b3b78b7..c771e47354e8b 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts @@ -5,9 +5,8 @@ * 2.0. */ -import { RuleExecutionStatus } from '../../../../../../common/detection_engine/schemas/common'; import { - GetRuleExecutionEventsResponse, + GetAggregateRuleExecutionEventsResponse, RulesSchema, } from '../../../../../../common/detection_engine/schemas/response'; @@ -62,19 +61,46 @@ export const fetchRules = async (_: FetchRulesProps): Promise => { +}): Promise => { return Promise.resolve({ events: [ { - date: '2021-12-29T10:42:59.996Z', - status: RuleExecutionStatus.succeeded, - message: 'Rule executed successfully', + kibana: { + task: { + schedule_delay: 13980000000, + }, + alert: { + rule: { + execution: { + metrics: { + total_alerts_created: 0, + total_alerts_detected: 0, + total_indexing_duration_ms: 0, + total_search_duration_ms: 9, + }, + status: 'succeeded', + }, + }, + }, + }, + event: { + duration: 2065000000, + }, + message: 'succeeded', + '@timestamp': '2022-02-01T05:51:27.143Z', }, ], + maxEvents: 1, }); }; diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts index 004d1c3b7693c..e3d8119315ca6 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts @@ -678,19 +678,36 @@ describe('Detections Rules API', () => { }); test('calls API with correct parameters', async () => { - await fetchRuleExecutionEvents({ ruleId: '42', signal: abortCtrl.signal }); + await fetchRuleExecutionEvents({ + ruleId: '42', + start: 'now-30', + end: 'now', + filters: '', + signal: abortCtrl.signal, + }); expect(fetchMock).toHaveBeenCalledWith( '/internal/detection_engine/rules/42/execution/events', { method: 'GET', + query: { + end: 'now', + filters: '', + start: 'now-30', + }, signal: abortCtrl.signal, } ); }); test('returns API response as is', async () => { - const response = await fetchRuleExecutionEvents({ ruleId: '42', signal: abortCtrl.signal }); + const response = await fetchRuleExecutionEvents({ + ruleId: '42', + start: 'now-30', + end: 'now', + filters: '', + signal: abortCtrl.signal, + }); expect(response).toEqual(responseMock); }); }); diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts index 427cf28ef8f2f..f6bfca33fc1de 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts @@ -24,7 +24,7 @@ import { } from '../../../../../common/detection_engine/schemas/request'; import { RulesSchema, - GetRuleExecutionEventsResponse, + GetAggregateRuleExecutionEventsResponse, } from '../../../../../common/detection_engine/schemas/response'; import { @@ -374,20 +374,30 @@ export const exportRules = async ({ * Fetch rule execution events (e.g. status changes) from Event Log. * * @param ruleId string Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`) + * @param start string Start daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now-30`) + * @param end string End daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now/w`) + * @param filters string Filters to apply to the search in querystring format (e.g. `event.duration > 1000 OR kibana.alert.rule.execution.metrics.total_alerts_detected > 100`) * @param signal AbortSignal Optional signal for cancelling the request * * @throws An error if response is not OK */ export const fetchRuleExecutionEvents = async ({ ruleId, + start, + end, + filters, signal, }: { ruleId: string; + start: string; + end: string; + filters?: string; signal?: AbortSignal; -}): Promise => { +}): Promise => { const url = detectionEngineRuleExecutionEventsUrl(ruleId); - return KibanaServices.get().http.fetch(url, { + return KibanaServices.get().http.fetch(url, { method: 'GET', + query: { start, end, filters }, signal, }); }; diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/translations.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/translations.ts index 86107a4019b0a..5d2bac9e8b501 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/translations.ts @@ -14,6 +14,13 @@ export const RULE_AND_TIMELINE_FETCH_FAILURE = i18n.translate( } ); +export const RULE_EXECUTION_FETCH_FAILURE = i18n.translate( + 'xpack.securitySolution.containers.detectionEngine.ruleExecutionLogFailureDescription', + { + defaultMessage: 'Failed to fetch Rule Execution Events', + } +); + export const RULE_ADD_FAILURE = i18n.translate( 'xpack.securitySolution.containers.detectionEngine.addRuleFailDescription', { diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx index 4a98110153830..2a478446203b5 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx @@ -12,7 +12,6 @@ import React from 'react'; import { QueryClient, QueryClientProvider } from 'react-query'; import { renderHook, cleanup } from '@testing-library/react-hooks'; -import { RuleExecutionStatus } from '../../../../../common/detection_engine/schemas/common'; import { useRuleExecutionEvents } from './use_rule_execution_events'; import * as api from './api'; @@ -45,9 +44,18 @@ describe('useRuleExecutionEvents', () => { }; const render = () => - renderHook(() => useRuleExecutionEvents(SOME_RULE_ID), { - wrapper: createReactQueryWrapper(), - }); + renderHook( + () => + useRuleExecutionEvents({ + ruleId: SOME_RULE_ID, + start: 'now-30', + end: 'now', + filters: '', + }), + { + wrapper: createReactQueryWrapper(), + } + ); it('calls the API via fetchRuleExecutionEvents', async () => { const fetchRuleExecutionEvents = jest.spyOn(api, 'fetchRuleExecutionEvents'); @@ -77,13 +85,36 @@ describe('useRuleExecutionEvents', () => { expect(result.current.isLoading).toEqual(false); expect(result.current.isSuccess).toEqual(true); expect(result.current.isError).toEqual(false); - expect(result.current.data).toEqual([ - { - date: '2021-12-29T10:42:59.996Z', - status: RuleExecutionStatus.succeeded, - message: 'Rule executed successfully', - }, - ]); + expect(result.current.data).toEqual({ + events: [ + { + kibana: { + task: { + schedule_delay: 13980000000, + }, + alert: { + rule: { + execution: { + metrics: { + total_alerts_created: 0, + total_alerts_detected: 0, + total_indexing_duration_ms: 0, + total_search_duration_ms: 9, + }, + status: 'succeeded', + }, + }, + }, + }, + event: { + duration: 2065000000, + }, + message: 'succeeded', + '@timestamp': '2022-02-01T05:51:27.143Z', + }, + ], + maxEvents: 1, + }); }); it('handles exceptions from the API', async () => { diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx index 58f4c524dc362..6c019916071f1 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx @@ -6,18 +6,30 @@ */ import { useQuery } from 'react-query'; +import { GetAggregateRuleExecutionEventsResponse } from '../../../../../common/detection_engine/schemas/response'; import { useAppToasts } from '../../../../common/hooks/use_app_toasts'; import { fetchRuleExecutionEvents } from './api'; import * as i18n from './translations'; -export const useRuleExecutionEvents = (ruleId: string) => { +interface UseRuleExecutionEventsArgs { + ruleId: string; + start: string; + end: string; + filters?: string; +} + +export const useRuleExecutionEvents = ({ + ruleId, + start, + end, + filters, +}: UseRuleExecutionEventsArgs) => { const { addError } = useAppToasts(); - return useQuery( - ['ruleExecutionEvents', ruleId], + return useQuery( + ['ruleExecutionEvents', ruleId, start, end, filters], async ({ signal }) => { - const response = await fetchRuleExecutionEvents({ ruleId, signal }); - return response.events; + return fetchRuleExecutionEvents({ ruleId, start, end, filters, signal }); }, { onError: (e) => { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx new file mode 100644 index 0000000000000..278f006322115 --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx @@ -0,0 +1,109 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiBasicTableColumn, EuiHealth } from '@elastic/eui'; + +import React from 'react'; +import { + AggregateRuleExecutionEvent, + RuleExecutionStatus, +} from '../../../../../../../common/detection_engine/schemas/common'; +import { + getEmptyTagValue, + getEmptyValue, + getOrEmptyTagFromValue, +} from '../../../../../../common/components/empty_value'; +import { FormattedDate } from '../../../../../../common/components/formatted_date'; +import { getStatusColor } from '../../../../../components/rules/rule_execution_status/utils'; + +import * as i18n from '../translations'; + +const ONE_SECOND_AS_NANOSECONDS = 1000000000; + +export const EXECUTION_LOG_COLUMNS: Array> = [ + { + name: i18n.COLUMN_STATUS, + field: 'kibana.alert.rule.execution.status', + render: (value: RuleExecutionStatus, data) => + value ? {value} : getEmptyTagValue(), + sortable: true, + truncateText: false, + width: '10%', + }, + { + field: '@timestamp', + name: i18n.COLUMN_TIMESTAMP, + render: (value: string) => , + sortable: true, + truncateText: false, + width: '15%', + }, + { + field: 'message', + name: i18n.COLUMN_MESSAGE, + render: (value: string) => <>{value}, + sortable: true, + truncateText: false, + width: '35%', + }, + { + field: 'event.duration', + name: i18n.COLUMN_DURATION, + render: (value: number) => <>{value ? value / ONE_SECOND_AS_NANOSECONDS : getEmptyValue()}, + sortable: true, + truncateText: false, + width: '5%', + }, + { + field: 'kibana.alert.rule.execution.metrics.total_alerts_created', + name: i18n.COLUMN_TOTAL_ALERTS_CREATED, + render: (value: number) => getOrEmptyTagFromValue(value), + sortable: true, + truncateText: false, + width: '5%', + }, + { + field: 'kibana.alert.rule.execution.metrics.total_alerts_detected', + name: i18n.COLUMN_TOTAL_ALERTS_DETECTED, + render: (value: number) => getOrEmptyTagFromValue(value), + sortable: true, + truncateText: false, + width: '5%', + }, + { + field: 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', + name: i18n.COLUMN_GAP_DURATION, + render: (value: number) => getOrEmptyTagFromValue(value), + sortable: true, + truncateText: false, + width: '6%', + }, + { + field: 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', + name: i18n.COLUMN_INDEX_DURATION, + render: (value: number) => getOrEmptyTagFromValue(value), + sortable: true, + truncateText: false, + width: '7%', + }, + { + field: 'kibana.alert.rule.execution.metrics.total_search_duration_ms', + name: i18n.COLUMN_SEARCH_DURATION, + render: (value: number) => getOrEmptyTagFromValue(value), + sortable: true, + truncateText: false, + width: '8%', + }, + { + field: 'kibana.task.schedule_delay', + name: 'Scheduling Delay (s)', + render: (value: number) => <>{value ? value / ONE_SECOND_AS_NANOSECONDS : getEmptyValue()}, + sortable: true, + truncateText: false, + width: '8%', + }, +]; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx new file mode 100644 index 0000000000000..4422aa6d39a6d --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx @@ -0,0 +1,86 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { EuiHealth, EuiSearchBar, EuiSearchBarProps, SearchFilterConfig } from '@elastic/eui'; +import { RuleExecutionStatus } from '../../../../../../../common/detection_engine/schemas/common'; +import { getStatusColor } from '../../../../../components/rules/rule_execution_status/utils'; + +import * as i18n from '../translations'; + +interface ExecutionLogTableSearchProps { + onSearch: (args: Parameters>[0]) => void; +} + +export const EXECUTION_LOG_SEARCH_SCHEMA = { + strict: true, + fields: { + 'kibana.alert.rule.execution.status': { + type: 'string', + }, + '@timestamp': { + type: 'string', + }, + 'event.duration': { + type: 'number', + }, + message: { + type: 'string', + }, + 'kibana.alert.rule.execution.metrics.total_alerts_created': { + type: 'number', + }, + 'kibana.alert.rule.execution.metrics.total_alerts_detected': { + type: 'number', + }, + 'kibana.alert.rule.execution.metrics.execution_gap_duration_s': { + type: 'number', + }, + 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms': { + type: 'number', + }, + 'kibana.alert.rule.execution.metrics.total_search_duration_ms': { + type: 'number', + }, + }, +}; + +const statuses = (Object.keys(RuleExecutionStatus) as Array).map( + (key) => key +); + +const filters: SearchFilterConfig[] = [ + { + type: 'field_value_selection', + field: 'kibana.alert.rule.execution.status', + name: 'Status', + multiSelect: 'or', + options: statuses.map((status) => ({ + value: status, + view: {status}, + })), + }, +]; + +export const ExecutionLogSearchBar = React.memo(({ onSearch }) => { + return ( + + ); +}); + +ExecutionLogSearchBar.displayName = 'ExecutionLogSearchBar'; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx new file mode 100644 index 0000000000000..26d198596806d --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -0,0 +1,146 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { DurationRange } from '@elastic/eui/src/components/date_picker/types'; +import React, { useCallback, useState } from 'react'; +import { + EuiTextColor, + EuiFlexGroup, + EuiFlexItem, + EuiSearchBarProps, + EuiSuperDatePicker, + OnTimeChangeProps, + OnRefreshProps, + OnRefreshChangeProps, + EuiInMemoryTable, + EuiSpacer, +} from '@elastic/eui'; + +import { + UtilityBar, + UtilityBarGroup, + UtilityBarSection, + UtilityBarText, +} from '../../../../../../common/components/utility_bar'; +import { useRuleExecutionEvents } from '../../../../../containers/detection_engine/rules'; +import * as i18n from '../translations'; +import { EXECUTION_LOG_COLUMNS } from './execution_log_columns'; +import { ExecutionLogSearchBar } from './execution_log_search_bar'; + +interface ExecutionLogTableProps { + ruleId: string; +} + +// TODO: Hoist to package and share with server in events_reader +const MAX_EXECUTION_EVENTS_DISPLAYED = 500; + +const ExecutionLogTableComponent: React.FC = ({ ruleId }) => { + const [recentlyUsedRanges, setRecentlyUsedRanges] = useState([]); + const [refreshInterval, setRefreshInterval] = useState(1000); + const [isPaused, setIsPaused] = useState(true); + const [start, setStart] = useState('now-30m'); + const [end, setEnd] = useState('now'); + const [filters, setFilters] = useState(''); + + const { + data: events, + isFetching, + refetch, + } = useRuleExecutionEvents({ ruleId, start, end, filters }); + const items = events?.events ?? []; + const maxEvents = events?.maxEvents ?? 0; + + const onTimeChangeCallback = useCallback( + (props: OnTimeChangeProps) => { + const recentlyUsedRange = recentlyUsedRanges.filter((range) => { + const isDuplicate = range.start === props.start && range.end === props.end; + return !isDuplicate; + }); + recentlyUsedRange.unshift({ start: props.start, end: props.end }); + setStart(props.start); + setEnd(props.end); + setRecentlyUsedRanges( + recentlyUsedRange.length > 10 ? recentlyUsedRange.slice(0, 9) : recentlyUsedRange + ); + }, + [recentlyUsedRanges] + ); + + const onRefreshChangeCallback = useCallback((props: OnRefreshChangeProps) => { + setIsPaused(props.isPaused); + setRefreshInterval(props.refreshInterval); + }, []); + + const onRefreshCallback = useCallback( + (props: OnRefreshProps) => { + refetch(); + }, + [refetch] + ); + + const onSearchCallback = useCallback( + ({ queryText }: Parameters>[0]) => { + setFilters(queryText); + }, + [] + ); + + return ( + <> + + + + + +
+ +
+ + + + + + + + {i18n.SHOWING_EXECUTIONS(items.length)} + + + {maxEvents > MAX_EXECUTION_EVENTS_DISPLAYED && ( + + + + {i18n.RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED(maxEvents)} + + + + )} + + + + + ); +}; + +export const ExecutionLogTable = React.memo(ExecutionLogTableComponent); +ExecutionLogTable.displayName = 'ExecutionLogTable'; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/failure_history.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/failure_history.tsx deleted file mode 100644 index 05665d7c6b3c2..0000000000000 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/failure_history.tsx +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { - EuiBasicTable, - EuiPanel, - EuiLoadingContent, - EuiHealth, - EuiBasicTableColumn, -} from '@elastic/eui'; - -import { RuleExecutionEvent } from '../../../../../../common/detection_engine/schemas/common'; -import { useRuleExecutionEvents } from '../../../../containers/detection_engine/rules'; -import { HeaderSection } from '../../../../../common/components/header_section'; -import * as i18n from './translations'; -import { FormattedDate } from '../../../../../common/components/formatted_date'; - -const columns: Array> = [ - { - name: i18n.COLUMN_STATUS_TYPE, - render: () => {i18n.TYPE_FAILED}, - truncateText: false, - width: '16%', - }, - { - field: 'date', - name: i18n.COLUMN_FAILED_AT, - render: (value: string) => , - sortable: false, - truncateText: false, - width: '24%', - }, - { - field: 'message', - name: i18n.COLUMN_FAILED_MSG, - render: (value: string) => <>{value}, - sortable: false, - truncateText: false, - width: '60%', - }, -]; - -interface FailureHistoryProps { - ruleId: string; -} - -const FailureHistoryComponent: React.FC = ({ ruleId }) => { - const events = useRuleExecutionEvents(ruleId); - const loading = events.isLoading; - const items = events.data ?? []; - - if (loading) { - return ( - - - - - ); - } - - return ( - - - - - ); -}; - -export const FailureHistory = React.memo(FailureHistoryComponent); -FailureHistory.displayName = 'FailureHistory'; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx index c3f3131e65519..8a0a6502933a1 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx @@ -104,10 +104,10 @@ import { RuleStatusFailedCallOut, ruleStatusI18n, } from '../../../../components/rules/rule_execution_status'; -import { FailureHistory } from './failure_history'; import * as detectionI18n from '../../translations'; import * as ruleI18n from '../translations'; +import { ExecutionLogTable } from './execution_log_table/execution_log_table'; import * as i18n from './translations'; import { NeedAdminForUpdateRulesCallOut } from '../../../../components/callouts/need_admin_for_update_callout'; import { MissingPrivilegesCallOut } from '../../../../components/callouts/missing_privileges_callout'; @@ -133,7 +133,7 @@ const StyledFullHeightContainer = styled.div` enum RuleDetailTabs { alerts = 'alerts', - failures = 'failures', + executionLogs = 'executionLogs', exceptions = 'exceptions', } @@ -151,10 +151,10 @@ const ruleDetailTabs = [ dataTestSubj: 'exceptionsTab', }, { - id: RuleDetailTabs.failures, - name: i18n.FAILURE_HISTORY_TAB, + id: RuleDetailTabs.executionLogs, + name: i18n.RULE_EXECUTION_LOGS, disabled: false, - dataTestSubj: 'failureHistoryTab', + dataTestSubj: 'executionLogsTab', }, ]; @@ -804,7 +804,7 @@ const RuleDetailsPageComponent: React.FC = ({ onRuleChange={refreshRule} /> )} - {ruleDetailTab === RuleDetailTabs.failures && } + {ruleDetailTab === RuleDetailTabs.executionLogs && } diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts index 32745f39d27a8..4ff534abd1cb9 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts @@ -42,38 +42,92 @@ export const UNKNOWN = i18n.translate( } ); -export const FAILURE_HISTORY_TAB = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.failureHistoryTab', +export const RULE_EXECUTION_LOGS = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLogsTab', { - defaultMessage: 'Failure History', + defaultMessage: 'Rule execution logs ', } ); -export const LAST_FIVE_ERRORS = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.lastFiveErrorsTitle', +export const SHOWING_EXECUTIONS = (totalItems: number) => + i18n.translate('xpack.securitySolution.ruleExecutionLog.totalExecutionsLabel', { + values: { totalItems }, + defaultMessage: + 'Showing {totalItems} {totalItems, plural, =1 {rule execution} other {rule executions}}', + }); + +export const RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED = (totalItems: number) => + i18n.translate('xpack.securitySolution.ruleExecutionLog.searchLimitExceededLabel', { + values: { totalItems }, + defaultMessage: + "More than {totalItems} rule executions match filters provided. Showing first 500 by most recent '@timestamp'. Constrain filters further to view additional execution events", + }); + +export const RULE_EXECUTION_LOG_SEARCH_PLACEHOLDER = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchPlaceholder', + { + defaultMessage: 'event.duration > 100 OR kibana.alert.rule.execution.metrics.total_hits > 100', + } +); + +export const COLUMN_STATUS = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.statusColumn', + { + defaultMessage: 'Status', + } +); + +export const COLUMN_TIMESTAMP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.timestampColumn', + { + defaultMessage: 'Timestamp', + } +); + +export const COLUMN_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.durationColumn', + { + defaultMessage: 'Duration (s)', + } +); + +export const COLUMN_MESSAGE = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.messageColumn', { - defaultMessage: 'Last five errors', + defaultMessage: 'Message', } ); -export const COLUMN_STATUS_TYPE = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.statusTypeColumn', +export const COLUMN_TOTAL_ALERTS_CREATED = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.totalAlertsCreatedColumn', + { + defaultMessage: 'Total Alerts Created', + } +); +export const COLUMN_TOTAL_ALERTS_DETECTED = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.totalAlertsDetectedColumn', + { + defaultMessage: 'Total Alerts Detected', + } +); +export const COLUMN_GAP_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.gapDurationColumn', { - defaultMessage: 'Type', + defaultMessage: 'Gap Duration (s)', } ); -export const COLUMN_FAILED_AT = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.statusFailedAtColumn', +export const COLUMN_INDEX_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.indexDurationColumn', { - defaultMessage: 'Failed at', + defaultMessage: 'Index Duration (ms)', } ); -export const COLUMN_FAILED_MSG = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.statusFailedMsgColumn', +export const COLUMN_SEARCH_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumn', { - defaultMessage: 'Failed message', + defaultMessage: 'Search Duration (ms)', } ); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts index 9118df4fc413f..f2793ebbdb5f9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -25,6 +25,7 @@ import { DETECTION_ENGINE_RULES_BULK_ACTION, DETECTION_ENGINE_RULE_EXECUTION_EVENTS_URL, } from '../../../../../common/constants'; +import { GetAggregateRuleExecutionEventsResponse } from '../../../../../common/detection_engine/schemas/response'; import { RuleAlertType, HapiReadableStream } from '../../rules/types'; import { requestMock } from './request'; import { QuerySignalsSchemaDecoded } from '../../../../../common/detection_engine/schemas/request/query_signals_index_schema'; @@ -242,6 +243,11 @@ export const getRuleExecutionEventsRequest = () => params: { ruleId: '04128c15-0d1b-4716-a4c5-46997ac7f3bd', }, + query: { + start: 'now-30', + end: 'now', + filters: '', + }, }); export const getImportRulesRequest = (hapiStream?: HapiReadableStream) => @@ -552,6 +558,62 @@ export const getLastFailures = (): RuleExecutionEvent[] => [ }, ]; +export const getAggregateExecutionEvents = (): GetAggregateRuleExecutionEventsResponse => ({ + events: [ + { + kibana: { + task: { + schedule_delay: 890000000, + }, + alert: { + rule: { + execution: { + metrics: { + total_alerts_created: 0, + total_alerts_detected: 0, + total_indexing_duration_ms: 0, + total_search_duration_ms: 5, + }, + status: 'succeeded', + }, + }, + }, + }, + event: { + duration: 2035000000, + }, + message: 'succeeded', + '@timestamp': '2022-02-01T05:56:27.813Z', + }, + { + kibana: { + task: { + schedule_delay: 13980000000, + }, + alert: { + rule: { + execution: { + metrics: { + total_alerts_created: 0, + total_alerts_detected: 0, + total_indexing_duration_ms: 0, + total_search_duration_ms: 9, + }, + status: 'succeeded', + }, + }, + }, + }, + event: { + duration: 2065000000, + }, + message: 'succeeded', + '@timestamp': '2022-02-01T05:51:27.143Z', + }, + ], + maxEvents: 2, +}); + export const getBasicEmptySearchResponse = (): estypes.SearchResponse => ({ took: 1, timed_out: false, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts index 97cba0f3b4f34..b41c7e6537fcf 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts @@ -6,7 +6,10 @@ */ import { serverMock, requestContextMock } from '../__mocks__'; -import { getRuleExecutionEventsRequest, getLastFailures } from '../__mocks__/request_responses'; +import { + getRuleExecutionEventsRequest, + getAggregateExecutionEvents, +} from '../__mocks__/request_responses'; import { getRuleExecutionEventsRoute } from './get_rule_execution_events_route'; describe('getRuleExecutionEventsRoute', () => { @@ -22,21 +25,19 @@ describe('getRuleExecutionEventsRoute', () => { describe('when it finds events in rule execution log', () => { it('returns 200 response with the events', async () => { - const lastFailures = getLastFailures(); - clients.ruleExecutionLog.getLastFailures.mockResolvedValue(lastFailures); + const executionEvents = getAggregateExecutionEvents(); + clients.ruleExecutionLog.getAggregateExecutionEvents.mockResolvedValue(executionEvents); const response = await server.inject(getRuleExecutionEventsRequest(), context); expect(response.status).toEqual(200); - expect(response.body).toEqual({ - events: lastFailures, - }); + expect(response.body).toEqual(executionEvents); }); }); describe('when rule execution log client throws an error', () => { it('returns 500 response with it', async () => { - clients.ruleExecutionLog.getLastFailures.mockRejectedValue(new Error('Boom!')); + clients.ruleExecutionLog.getAggregateExecutionEvents.mockRejectedValue(new Error('Boom!')); const response = await server.inject(getRuleExecutionEventsRequest(), context); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts index 4a3e0aef8b2c7..bbf1581214c17 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts @@ -6,20 +6,20 @@ */ import { transformError } from '@kbn/securitysolution-es-utils'; +import { GetAggregateRuleExecutionEventsResponse } from '../../../../../common/detection_engine/schemas/response'; import { buildRouteValidation } from '../../../../utils/build_validation/route_validation'; import { buildSiemResponse } from '../utils'; import type { SecuritySolutionPluginRouter } from '../../../../types'; import { DETECTION_ENGINE_RULE_EXECUTION_EVENTS_URL } from '../../../../../common/constants'; -import { GetRuleExecutionEventsRequestParams } from '../../../../../common/detection_engine/schemas/request/get_rule_execution_events_request'; -import { GetRuleExecutionEventsResponse } from '../../../../../common/detection_engine/schemas/response/get_rule_execution_events_response'; +import { + GetRuleExecutionEventsQueryParams, + GetRuleExecutionEventsRequestParams, +} from '../../../../../common/detection_engine/schemas/request/get_rule_execution_events_request'; /** - * Returns execution events of a given rule (e.g. status changes) from Event Log. - * Accepts rule's saved object ID (`rule.id`). - * - * NOTE: This endpoint is under construction. It will be extended and finalized. - * https://github.com/elastic/kibana/issues/119598 + * Returns execution events of a given rule (aggregated by executionId) from Event Log. + * Accepts rule's saved object ID (`rule.id`), `start`, `end` and `filters` query params. */ export const getRuleExecutionEventsRoute = (router: SecuritySolutionPluginRouter) => { router.get( @@ -27,6 +27,7 @@ export const getRuleExecutionEventsRoute = (router: SecuritySolutionPluginRouter path: DETECTION_ENGINE_RULE_EXECUTION_EVENTS_URL, validate: { params: buildRouteValidation(GetRuleExecutionEventsRequestParams), + query: buildRouteValidation(GetRuleExecutionEventsQueryParams), }, options: { tags: ['access:securitySolution'], @@ -34,14 +35,21 @@ export const getRuleExecutionEventsRoute = (router: SecuritySolutionPluginRouter }, async (context, request, response) => { const { ruleId } = request.params; + const { start, end, filters = '' } = request.query; const siemResponse = buildSiemResponse(response); try { const executionLog = context.securitySolution.getRuleExecutionLog(); - const executionEvents = await executionLog.getLastFailures(ruleId); + const { events, maxEvents } = await executionLog.getAggregateExecutionEvents({ + ruleId, + start, + end, + filters, + }); - const responseBody: GetRuleExecutionEventsResponse = { - events: executionEvents, + const responseBody: GetAggregateRuleExecutionEventsResponse = { + events, + maxEvents, }; return response.ok({ body: responseBody }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/__mocks__/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/__mocks__/index.ts index dbad1e95cb7d6..04516f22734db 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/__mocks__/index.ts @@ -13,6 +13,7 @@ import { const ruleExecutionLogForRoutesMock = { create: (): jest.Mocked => ({ + getAggregateExecutionEvents: jest.fn(), getExecutionSummariesBulk: jest.fn(), getExecutionSummary: jest.fn(), clearExecutionSummary: jest.fn(), diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts index a4c528d941ba4..095f71939a9d3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts @@ -7,6 +7,7 @@ import { chunk, mapValues } from 'lodash'; import { Logger } from 'src/core/server'; +import { GetAggregateRuleExecutionEventsResponse } from '../../../../../common/detection_engine/schemas/response'; import { initPromisePool } from '../../../../utils/promise_pool'; import { withSecuritySpan } from '../../../../utils/with_security_span'; @@ -14,7 +15,7 @@ import { RuleExecutionStatus } from '../../../../../common/detection_engine/sche import { IEventLogReader } from '../event_log/event_log_reader'; import { IRuleExecutionSavedObjectsClient } from '../execution_saved_object/saved_objects_client'; -import { IRuleExecutionLogForRoutes } from './client_interface'; +import { GetAggregateExecutionEventsArgs, IRuleExecutionLogForRoutes } from './client_interface'; import { ExtMeta } from '../utils/console_logging'; import { truncateList } from '../utils/normalization'; @@ -28,6 +29,37 @@ export const createClientForRoutes = ( logger: Logger ): IRuleExecutionLogForRoutes => { return { + getAggregateExecutionEvents({ + ruleId, + start, + end, + filters, + }: GetAggregateExecutionEventsArgs): Promise { + return withSecuritySpan( + 'IRuleExecutionLogForRoutes.getAggregateExecutionEvents', + async () => { + try { + return await eventLog.getAggregateExecutionEvents({ + ruleId, + start, + end, + filters, + }); + } catch (e) { + const logMessage = + 'Error getting last aggregation of execution failures from event log'; + const logAttributes = `rule id: "${ruleId}"`; + const logReason = e instanceof Error ? e.message : String(e); + const logMeta: ExtMeta = { + rule: { id: ruleId }, + }; + + logger.error(`${logMessage}; ${logAttributes}; ${logReason}`, logMeta); + throw e; + } + } + ); + }, /** * Get the current rule execution summary for each of the given rule IDs. * This method splits work into chunks so not to overwhelm Elasticsearch diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts index 14f99762ed6ef..c1dd29913f424 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts @@ -9,6 +9,14 @@ import { RuleExecutionEvent, RuleExecutionSummary, } from '../../../../../common/detection_engine/schemas/common'; +import { GetAggregateRuleExecutionEventsResponse } from '../../../../../common/detection_engine/schemas/response'; + +export interface GetAggregateExecutionEventsArgs { + ruleId: string; + start: string; + end: string; + filters: string; +} /** * Used from route handlers to fetch and manage various information about the rule execution: @@ -16,6 +24,21 @@ import { * - execution events such as recent failures and status changes */ export interface IRuleExecutionLogForRoutes { + /** + * Fetches list of execution events aggregated by executionId, combining data from both alerting + * and security-solution event-log documents + * @param ruleId Saved object id of the rule (`rule.id`). + * @param start start of daterange to filter to + * @param end end of daterange to filter to + * @param filters array of field-based filters, e.g. kibana.alert.rule.execution.status:* + */ + getAggregateExecutionEvents({ + ruleId, + start, + end, + filters, + }: GetAggregateExecutionEventsArgs): Promise; + /** * Fetches a list of current execution summaries of multiple rules. * @param ruleIds A list of saved object ids of multiple rules (`rule.id`). diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index a3c2421edc85a..9cad342967292 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -5,12 +5,16 @@ * 2.0. */ +import dateMath from '@elastic/datemath'; +import { get, set } from 'lodash'; import { IEventLogClient } from '../../../../../../event_log/server'; import { + AggregateRuleExecutionEvent, RuleExecutionEvent, RuleExecutionStatus, } from '../../../../../common/detection_engine/schemas/common'; +import { GetAggregateRuleExecutionEventsResponse } from '../../../../../common/detection_engine/schemas/response'; import { invariant } from '../../../../../common/utils/invariant'; import { withSecuritySpan } from '../../../../utils/with_security_span'; import { @@ -20,17 +24,128 @@ import { } from './constants'; export interface IEventLogReader { + getAggregateExecutionEvents( + args: GetAggregateExecutionEventsArgs + ): Promise; + getLastStatusChanges(args: GetLastStatusChangesArgs): Promise; } +export interface GetAggregateExecutionEventsArgs { + ruleId: string; + start: string; + end: string; + filters: string; +} + export interface GetLastStatusChangesArgs { ruleId: string; count: number; includeStatuses?: RuleExecutionStatus[]; } +// TODO: Hoist to package and share with UI in execution_log_table +const MAX_EXECUTION_EVENTS_DISPLAYED = 500; + export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader => { return { + async getAggregateExecutionEvents( + args: GetAggregateExecutionEventsArgs + ): Promise { + const { ruleId, start, end, filters } = args; + const soType = RULE_SAVED_OBJECT_TYPE; + const soIds = [ruleId]; + const startDate = dateMath.parse(start); + const endDate = dateMath.parse(end, { roundUp: true }); + + invariant(startDate?.isValid(), `Required "start" field is not valid: ${start}`); + invariant(endDate?.isValid(), `Required "end" field is not valid: ${end}`); + + // Fetch total unique executions per daterange to get max execution events + const { total: uniqueExecutionEventsResults = 0 } = await eventLog.findEventsBySavedObjectIds( + soType, + soIds, + { + start: startDate?.utc().toISOString(), + end: endDate?.utc().toISOString(), + page: 1, + per_page: 0, + sort_field: '@timestamp', + sort_order: 'desc', + filter: `event.action:execute-start`, + } + ); + + // Fetch all events to aggregate into individual execution events for each unique executionId + const findResult = await eventLog.findEventsBySavedObjectIds(soType, soIds, { + start: startDate?.utc().toISOString(), + end: endDate?.utc().toISOString(), + page: 1, + per_page: 10000, // TODO: Possibly constrain to 5x MAX_EXECUTION_EVENTS_DISPLAYED (i.e. max events per execution) + sort_field: '@timestamp', + sort_order: 'desc', + filter: filters, + }); + + const executeStartFields = ['@timestamp']; + const executeFields = ['kibana.task.schedule_delay', 'event.duration']; + const metricsFields = [ + 'kibana.alert.rule.execution.metrics.total_alerts_created', + 'kibana.alert.rule.execution.metrics.total_alerts_detected', + 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', + 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', + 'kibana.alert.rule.execution.metrics.total_search_duration_ms', + ]; + + // TODO: Rework to ensure all fields are included from necessary event types + // Maybe use `objectArrayIntersection` from EQL sequence building? + const aggregatedResults: Record = {}; + findResult.data.forEach((event) => { + const uuid: string = get(event, 'kibana.alert.rule.execution.uuid'); + const eventAction: string = get(event, 'event.action'); + const status = get(event, 'kibana.alert.rule.execution.status'); + if (aggregatedResults[uuid] == null) { + aggregatedResults[uuid] = {}; + } + + // Merge different event types into a single execution event. + // @timestamp comes from initial `execute-start` event from platform + // Remaining fields filled in from platform `execute` and security `metric`/`status-change` events + if (eventAction === 'execute-start') { + executeStartFields.forEach((field) => { + set(aggregatedResults[uuid], field, get(event, field)); + }); + } else if (eventAction === 'execute') { + executeFields.forEach((field) => { + set(aggregatedResults[uuid], field, get(event, field)); + }); + } else if (eventAction === 'execution-metrics') { + metricsFields.forEach((field) => { + set(aggregatedResults[uuid], field, get(event, field)); + }); + } else if (eventAction === 'status-change' && status !== 'running') { + if (status != null) { + set(aggregatedResults[uuid], 'kibana.alert.rule.execution.status', status); + } + const message = get(event, 'message'); + if (message != null) { + // TODO: Append messages? + set(aggregatedResults[uuid], 'message', message); + } + } + }); + + const aggEvents = Object.values(aggregatedResults); + // Constrain length as not supporting pagination through in-memory aggregations in MVP + if (aggEvents.length > MAX_EXECUTION_EVENTS_DISPLAYED) { + aggEvents.length = MAX_EXECUTION_EVENTS_DISPLAYED; + } + + return { + events: aggEvents as AggregateRuleExecutionEvent[], + maxEvents: uniqueExecutionEventsResults, + }; + }, async getLastStatusChanges(args) { const soType = RULE_SAVED_OBJECT_TYPE; const soIds = [args.ruleId]; From c7f91ae1cc1fc76fa8c47bb5aa12e4234eb430f4 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 22 Feb 2022 17:07:44 -0700 Subject: [PATCH 02/24] Removes total alerts created and detected metrics --- .../schemas/common/rule_monitoring.ts | 2 -- .../detection_engine/rules/__mocks__/api.ts | 2 -- .../containers/detection_engine/rules/api.ts | 2 +- .../rules/use_rule_execution_events.test.tsx | 2 -- .../execution_log_columns.tsx | 16 ---------------- .../execution_log_search_bar.tsx | 6 ------ .../rules/details/translations.ts | 13 ------------- .../routes/__mocks__/request_responses.ts | 4 ---- .../event_log/event_log_reader.ts | 2 -- 9 files changed, 1 insertion(+), 48 deletions(-) diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts index 7f693fe3abaae..bf1e771606130 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts @@ -111,8 +111,6 @@ export type RuleExecutionEvent = t.TypeOf; // Aggregate Rule execution events const metrics = t.type({ - total_alerts_created: t.number, - total_alerts_detected: t.number, total_indexing_duration_ms: t.number, total_search_duration_ms: t.number, }); diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts index c771e47354e8b..2e4556be71cad 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts @@ -83,8 +83,6 @@ export const fetchRuleExecutionEvents = async ({ rule: { execution: { metrics: { - total_alerts_created: 0, - total_alerts_detected: 0, total_indexing_duration_ms: 0, total_search_duration_ms: 9, }, diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts index f6bfca33fc1de..584cdc858770b 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts @@ -376,7 +376,7 @@ export const exportRules = async ({ * @param ruleId string Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`) * @param start string Start daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now-30`) * @param end string End daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now/w`) - * @param filters string Filters to apply to the search in querystring format (e.g. `event.duration > 1000 OR kibana.alert.rule.execution.metrics.total_alerts_detected > 100`) + * @param filters string Filters to apply to the search in querystring format (e.g. `event.duration > 1000 OR kibana.alert.rule.execution.metrics.execution_gap_duration_s > 100`) * @param signal AbortSignal Optional signal for cancelling the request * * @throws An error if response is not OK diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx index 2a478446203b5..44a8661ffb77f 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx @@ -96,8 +96,6 @@ describe('useRuleExecutionEvents', () => { rule: { execution: { metrics: { - total_alerts_created: 0, - total_alerts_detected: 0, total_indexing_duration_ms: 0, total_search_duration_ms: 9, }, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx index 278f006322115..f4ae0532e183c 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx @@ -58,22 +58,6 @@ export const EXECUTION_LOG_COLUMNS: Array getOrEmptyTagFromValue(value), - sortable: true, - truncateText: false, - width: '5%', - }, - { - field: 'kibana.alert.rule.execution.metrics.total_alerts_detected', - name: i18n.COLUMN_TOTAL_ALERTS_DETECTED, - render: (value: number) => getOrEmptyTagFromValue(value), - sortable: true, - truncateText: false, - width: '5%', - }, { field: 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', name: i18n.COLUMN_GAP_DURATION, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx index 4422aa6d39a6d..be042f9bca97d 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx @@ -31,12 +31,6 @@ export const EXECUTION_LOG_SEARCH_SCHEMA = { message: { type: 'string', }, - 'kibana.alert.rule.execution.metrics.total_alerts_created': { - type: 'number', - }, - 'kibana.alert.rule.execution.metrics.total_alerts_detected': { - type: 'number', - }, 'kibana.alert.rule.execution.metrics.execution_gap_duration_s': { type: 'number', }, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts index 4ff534abd1cb9..7fd22648b2ab5 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts @@ -97,19 +97,6 @@ export const COLUMN_MESSAGE = i18n.translate( defaultMessage: 'Message', } ); - -export const COLUMN_TOTAL_ALERTS_CREATED = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.totalAlertsCreatedColumn', - { - defaultMessage: 'Total Alerts Created', - } -); -export const COLUMN_TOTAL_ALERTS_DETECTED = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.totalAlertsDetectedColumn', - { - defaultMessage: 'Total Alerts Detected', - } -); export const COLUMN_GAP_DURATION = i18n.translate( 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.gapDurationColumn', { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts index f2793ebbdb5f9..de3653c9bc9cd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -569,8 +569,6 @@ export const getAggregateExecutionEvents = (): GetAggregateRuleExecutionEventsRe rule: { execution: { metrics: { - total_alerts_created: 0, - total_alerts_detected: 0, total_indexing_duration_ms: 0, total_search_duration_ms: 5, }, @@ -594,8 +592,6 @@ export const getAggregateExecutionEvents = (): GetAggregateRuleExecutionEventsRe rule: { execution: { metrics: { - total_alerts_created: 0, - total_alerts_detected: 0, total_indexing_duration_ms: 0, total_search_duration_ms: 9, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index 9cad342967292..3f64cc729b0fa 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -90,8 +90,6 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader const executeStartFields = ['@timestamp']; const executeFields = ['kibana.task.schedule_delay', 'event.duration']; const metricsFields = [ - 'kibana.alert.rule.execution.metrics.total_alerts_created', - 'kibana.alert.rule.execution.metrics.total_alerts_detected', 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', 'kibana.alert.rule.execution.metrics.total_search_duration_ms', From 8699e4d9f26c6f047873acb556bc0e098f5e5118 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 22 Feb 2022 17:53:35 -0700 Subject: [PATCH 03/24] i18n fix --- x-pack/plugins/translations/translations/ja-JP.json | 5 ----- x-pack/plugins/translations/translations/zh-CN.json | 5 ----- 2 files changed, 10 deletions(-) diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 437980e71b488..554fbd18dadf3 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -23574,15 +23574,10 @@ "xpack.securitySolution.detectionEngine.ruleDetails.deletedRule": "削除されたルール", "xpack.securitySolution.detectionEngine.ruleDetails.exceptionsTab": "例外", "xpack.securitySolution.detectionEngine.ruleDetails.experimentalDescription": "テクニカルプレビュー", - "xpack.securitySolution.detectionEngine.ruleDetails.failureHistoryTab": "エラー履歴", - "xpack.securitySolution.detectionEngine.ruleDetails.lastFiveErrorsTitle": "最後の5件のエラー", "xpack.securitySolution.detectionEngine.ruleDetails.pageTitle": "ルール詳細", "xpack.securitySolution.detectionEngine.ruleDetails.ruleCreationDescription": "作成者: {by} 日付: {date}", "xpack.securitySolution.detectionEngine.ruleDetails.ruleUpdateDescription": "更新者:{by} 日付:{date}", - "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedAtColumn": "失敗", "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedDescription": "失敗", - "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedMsgColumn": "失敗メッセージ", - "xpack.securitySolution.detectionEngine.ruleDetails.statusTypeColumn": "型", "xpack.securitySolution.detectionEngine.ruleDetails.unknownDescription": "不明", "xpack.securitySolution.detectionEngine.rules.aboutRuleTitle": "ルールについて", "xpack.securitySolution.detectionEngine.rules.addNewRuleTitle": "新規ルールを作成", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index bfe694b73bc5a..499d5ec89a0b9 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -23945,15 +23945,10 @@ "xpack.securitySolution.detectionEngine.ruleDetails.deletedRule": "已删除规则", "xpack.securitySolution.detectionEngine.ruleDetails.exceptionsTab": "例外", "xpack.securitySolution.detectionEngine.ruleDetails.experimentalDescription": "技术预览", - "xpack.securitySolution.detectionEngine.ruleDetails.failureHistoryTab": "失败历史记录", - "xpack.securitySolution.detectionEngine.ruleDetails.lastFiveErrorsTitle": "上五个错误", "xpack.securitySolution.detectionEngine.ruleDetails.pageTitle": "规则详情", "xpack.securitySolution.detectionEngine.ruleDetails.ruleCreationDescription": "由 {by} 于 {date}创建", "xpack.securitySolution.detectionEngine.ruleDetails.ruleUpdateDescription": "由 {by} 于 {date}更新", - "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedAtColumn": "失败于", "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedDescription": "失败", - "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedMsgColumn": "失败消息", - "xpack.securitySolution.detectionEngine.ruleDetails.statusTypeColumn": "类型", "xpack.securitySolution.detectionEngine.ruleDetails.unknownDescription": "未知", "xpack.securitySolution.detectionEngine.rules.aboutRuleTitle": "关于规则", "xpack.securitySolution.detectionEngine.rules.addNewRuleTitle": "创建新规则", From 373ba43f3cd744b052293d7ce9bfbaa5aad7f496 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Thu, 10 Mar 2022 17:18:35 -0700 Subject: [PATCH 04/24] Sort type fix --- .../rule_execution_log/event_log/event_log_reader.ts | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index 462b234fc9695..377113876ac4b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -70,8 +70,7 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader end: endDate?.utc().toISOString(), page: 1, per_page: 0, - sort_field: '@timestamp', - sort_order: 'desc', + sort: [{ sort_field: '@timestamp', sort_order: 'desc' }], filter: `event.action:execute-start`, } ); @@ -82,8 +81,7 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader end: endDate?.utc().toISOString(), page: 1, per_page: 10000, // TODO: Possibly constrain to 5x MAX_EXECUTION_EVENTS_DISPLAYED (i.e. max events per execution) - sort_field: '@timestamp', - sort_order: 'desc', + sort: [{ sort_field: '@timestamp', sort_order: 'desc' }], filter: filters, }); From f0074d78fb13640259bd207dc8a0c37e926e5d95 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Thu, 10 Mar 2022 18:15:23 -0700 Subject: [PATCH 05/24] Adds FR translations --- x-pack/plugins/translations/translations/fr-FR.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json index 110a8da6bd171..4827735aedfce 100644 --- a/x-pack/plugins/translations/translations/fr-FR.json +++ b/x-pack/plugins/translations/translations/fr-FR.json @@ -20842,15 +20842,10 @@ "xpack.securitySolution.detectionEngine.ruleDetails.deletedRule": "Règle supprimée", "xpack.securitySolution.detectionEngine.ruleDetails.exceptionsTab": "Exceptions", "xpack.securitySolution.detectionEngine.ruleDetails.experimentalDescription": "Expérimental", - "xpack.securitySolution.detectionEngine.ruleDetails.failureHistoryTab": "Historique des échecs", - "xpack.securitySolution.detectionEngine.ruleDetails.lastFiveErrorsTitle": "Cinq dernières erreurs", "xpack.securitySolution.detectionEngine.ruleDetails.pageTitle": "Détails de la règle", "xpack.securitySolution.detectionEngine.ruleDetails.ruleCreationDescription": "Créé par : {by} le {date}", "xpack.securitySolution.detectionEngine.ruleDetails.ruleUpdateDescription": "Mis à jour par : {by} le {date}", - "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedAtColumn": "Échoué à", "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedDescription": "Échoué", - "xpack.securitySolution.detectionEngine.ruleDetails.statusFailedMsgColumn": "Message échoué", - "xpack.securitySolution.detectionEngine.ruleDetails.statusTypeColumn": "Type", "xpack.securitySolution.detectionEngine.ruleDetails.unknownDescription": "Inconnu", "xpack.securitySolution.detectionEngine.rules.aboutRuleTitle": "À propos de la règle", "xpack.securitySolution.detectionEngine.rules.addNewRuleTitle": "Créer une nouvelle règle", From 0ad3bb24004d175e7e3d44494f0a8eb4b510db86 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Sun, 13 Mar 2022 22:27:43 -0600 Subject: [PATCH 06/24] Reworks to use event-log aggregations --- .../src/configuration_constants.ts | 12 + .../kbn-securitysolution-rules/src/index.ts | 1 + .../security_solution/common/constants.ts | 3 + .../schemas/common/rule_monitoring.ts | 53 ++- .../get_rule_execution_events_request.ts | 3 +- .../get_rule_execution_events_response.ts | 2 +- .../detection_engine/rules/__mocks__/api.ts | 44 +-- .../detection_engine/rules/api.test.ts | 9 +- .../containers/detection_engine/rules/api.ts | 16 +- .../rules/use_rule_execution_events.test.tsx | 3 +- .../rules/use_rule_execution_events.tsx | 10 +- .../rules/all/use_columns.tsx | 2 +- .../execution_log_columns.tsx | 149 +++++--- .../execution_log_search_bar.tsx | 186 ++++++---- .../execution_log_table.tsx | 193 +++++++++-- .../rule_duration_format.tsx | 59 ++++ .../execution_log_table/translations.ts | 189 ++++++++++ .../detection_engine/rules/details/index.tsx | 14 +- .../rules/details/translations.ts | 69 ---- .../detection_engine/rules/translations.ts | 7 + .../routes/__mocks__/request_responses.ts | 87 ++--- .../rules/get_rule_execution_events_route.ts | 9 +- .../client_for_routes/client.ts | 6 +- .../client_for_routes/client_interface.ts | 9 +- .../event_log/event_log_reader.ts | 127 +++---- .../get_execution_event_aggregation/index.ts | 323 ++++++++++++++++++ .../get_execution_event_aggregation/types.ts | 61 ++++ 27 files changed, 1235 insertions(+), 411 deletions(-) create mode 100644 packages/kbn-securitysolution-rules/src/configuration_constants.ts create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/types.ts diff --git a/packages/kbn-securitysolution-rules/src/configuration_constants.ts b/packages/kbn-securitysolution-rules/src/configuration_constants.ts new file mode 100644 index 0000000000000..115c6996739db --- /dev/null +++ b/packages/kbn-securitysolution-rules/src/configuration_constants.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Max number of execution events to aggregate in memory for the Rule Execution Log + */ +export const MAX_EXECUTION_EVENTS_DISPLAYED = 1000 as const; diff --git a/packages/kbn-securitysolution-rules/src/index.ts b/packages/kbn-securitysolution-rules/src/index.ts index 1d59b9842c90d..45d35ea80b39c 100644 --- a/packages/kbn-securitysolution-rules/src/index.ts +++ b/packages/kbn-securitysolution-rules/src/index.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +export * from './configuration_constants'; export * from './rule_type_constants'; export * from './rule_type_mappings'; export * from './utils'; diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts index fa5481ca7f778..8a9fefa6ac15d 100644 --- a/x-pack/plugins/security_solution/common/constants.ts +++ b/x-pack/plugins/security_solution/common/constants.ts @@ -427,3 +427,6 @@ export const RULES_TABLE_PAGE_SIZE_OPTIONS = [5, 10, 20, 50, RULES_TABLE_MAX_PAG export const RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY = 'securitySolution.rulesManagementPage.newFeaturesTour.v8.1'; + +export const RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY = + 'securitySolution.ruleDetails.ruleExecutionLog.showMetrics.v8.2'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts index bf1e771606130..19369ca32f415 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts @@ -110,42 +110,27 @@ export type RuleExecutionEvent = t.TypeOf; // ------------------------------------------------------------------------------------------------- // Aggregate Rule execution events -const metrics = t.type({ - total_indexing_duration_ms: t.number, - total_search_duration_ms: t.number, -}); - -const execution = t.type({ - metrics, - status: t.string, -}); - -const rule = t.type({ - execution, -}); - -const alert = t.type({ - rule, -}); - -const event = t.type({ - duration: t.number, -}); - -const task = t.type({ - schedule_delay: t.number, -}); - -const kibana = t.type({ - task, - alert, -}); - export const aggregateRuleExecutionEvent = t.type({ - kibana, - event, + execution_uuid: t.string, + timestamp: IsoDateString, + duration_ms: t.number, + status: t.string, message: t.string, - '@timestamp': IsoDateString, + num_active_alerts: t.number, + num_new_alerts: t.number, + num_recovered_alerts: t.number, + num_triggered_actions: t.number, + num_succeeded_actions: t.number, + num_errored_actions: t.number, + total_search_duration_ms: t.number, + es_search_duration_ms: t.number, + schedule_delay_ms: t.number, + timed_out: t.boolean, + indexing_duration_ms: t.number, + search_duration_ms: t.number, + gap_duration_ms: t.number, + security_status: t.string, + security_message: t.string, }); export type AggregateRuleExecutionEvent = t.TypeOf; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts index 3620075c80cde..a1eabddb00917 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts @@ -17,7 +17,8 @@ export const GetRuleExecutionEventsQueryParams = t.exact( t.type({ start: t.string, end: t.string, - filters: t.union([t.string, t.undefined]), + queryText: t.union([t.string, t.undefined]), + statusFilters: t.union([t.string, t.undefined]), }) ); diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts index 571f78cf38aef..dd1a8dd9d00ec 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts @@ -19,7 +19,7 @@ export type GetRuleExecutionEventsResponse = t.TypeOf { ruleId: '42', start: 'now-30', end: 'now', - filters: '', + queryText: '', + statusFilters: '', signal: abortCtrl.signal, }); @@ -692,7 +693,8 @@ describe('Detections Rules API', () => { method: 'GET', query: { end: 'now', - filters: '', + queryText: '', + statusFilters: '', start: 'now-30', }, signal: abortCtrl.signal, @@ -705,7 +707,8 @@ describe('Detections Rules API', () => { ruleId: '42', start: 'now-30', end: 'now', - filters: '', + queryText: '', + statusFilters: '', signal: abortCtrl.signal, }); expect(response).toEqual(responseMock); diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts index 584cdc858770b..444ee1b686062 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts @@ -376,7 +376,8 @@ export const exportRules = async ({ * @param ruleId string Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`) * @param start string Start daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now-30`) * @param end string End daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now/w`) - * @param filters string Filters to apply to the search in querystring format (e.g. `event.duration > 1000 OR kibana.alert.rule.execution.metrics.execution_gap_duration_s > 100`) + * @param queryText search string in querystring format (e.g. `event.duration > 1000 OR kibana.alert.rule.execution.metrics.execution_gap_duration_s > 100`) + * @param statusFilters comma separated string of `statusFilters` (e.g. `succeeded,failed,partial failure`) * @param signal AbortSignal Optional signal for cancelling the request * * @throws An error if response is not OK @@ -385,19 +386,26 @@ export const fetchRuleExecutionEvents = async ({ ruleId, start, end, - filters, + queryText, + statusFilters, signal, }: { ruleId: string; start: string; end: string; - filters?: string; + queryText?: string; + statusFilters?: string; signal?: AbortSignal; }): Promise => { const url = detectionEngineRuleExecutionEventsUrl(ruleId); return KibanaServices.get().http.fetch(url, { method: 'GET', - query: { start, end, filters }, + query: { + start, + end, + queryText: queryText?.trim(), + statusFilters: statusFilters?.trim(), + }, signal, }); }; diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx index 44a8661ffb77f..85bdbf19bdb8a 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx @@ -50,7 +50,8 @@ describe('useRuleExecutionEvents', () => { ruleId: SOME_RULE_ID, start: 'now-30', end: 'now', - filters: '', + queryText: '', + statusFilters: '', }), { wrapper: createReactQueryWrapper(), diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx index 6c019916071f1..45fa68962479d 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx @@ -15,21 +15,23 @@ interface UseRuleExecutionEventsArgs { ruleId: string; start: string; end: string; - filters?: string; + queryText?: string; + statusFilters?: string; } export const useRuleExecutionEvents = ({ ruleId, start, end, - filters, + queryText, + statusFilters, }: UseRuleExecutionEventsArgs) => { const { addError } = useAppToasts(); return useQuery( - ['ruleExecutionEvents', ruleId, start, end, filters], + ['ruleExecutionEvents', ruleId, start, end, queryText, statusFilters], async ({ signal }) => { - return fetchRuleExecutionEvents({ ruleId, start, end, filters, signal }); + return fetchRuleExecutionEvents({ ruleId, start, end, queryText, statusFilters, signal }); }, { onError: (e) => { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/use_columns.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/use_columns.tsx index 3788203008238..9565fb269d207 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/use_columns.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/use_columns.tsx @@ -346,7 +346,7 @@ export const useMonitoringColumns = ({ hasPermissions }: ColumnsProps): TableCol href={`${docLinks.links.siem.troubleshootGaps}`} target="_blank" > - {'see documentation'} + {i18n.COLUMN_GAP_TOOLTIP_SEE_DOCUMENTATION} ), }} diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx index f4ae0532e183c..68f6fe885bdc0 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx @@ -5,29 +5,32 @@ * 2.0. */ -import { EuiBasicTableColumn, EuiHealth } from '@elastic/eui'; - +import { EuiBasicTableColumn, EuiHealth, EuiLink, EuiText } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { DocLinksStart } from 'kibana/public'; import React from 'react'; import { AggregateRuleExecutionEvent, RuleExecutionStatus, } from '../../../../../../../common/detection_engine/schemas/common'; -import { - getEmptyTagValue, - getEmptyValue, - getOrEmptyTagFromValue, -} from '../../../../../../common/components/empty_value'; +import { getEmptyTagValue, getEmptyValue } from '../../../../../../common/components/empty_value'; import { FormattedDate } from '../../../../../../common/components/formatted_date'; import { getStatusColor } from '../../../../../components/rules/rule_execution_status/utils'; +import { PopoverTooltip } from '../../all/popover_tooltip'; +import { TableHeaderTooltipCell } from '../../all/table_header_tooltip_cell'; -import * as i18n from '../translations'; - -const ONE_SECOND_AS_NANOSECONDS = 1000000000; +import * as i18n from './translations'; +import { RuleDurationFormat } from './rule_duration_format'; export const EXECUTION_LOG_COLUMNS: Array> = [ { - name: i18n.COLUMN_STATUS, - field: 'kibana.alert.rule.execution.status', + name: ( + + ), + field: 'security_status', render: (value: RuleExecutionStatus, data) => value ? {value} : getEmptyTagValue(), sortable: true, @@ -35,59 +38,129 @@ export const EXECUTION_LOG_COLUMNS: Array + ), render: (value: string) => , sortable: true, truncateText: false, width: '15%', }, { - field: 'message', - name: i18n.COLUMN_MESSAGE, - render: (value: string) => <>{value}, + field: 'duration_ms', + name: ( + + ), + render: (value: number) => ( + <>{value ? : getEmptyValue()} + ), sortable: true, truncateText: false, - width: '35%', + width: '10%', }, { - field: 'event.duration', - name: i18n.COLUMN_DURATION, - render: (value: number) => <>{value ? value / ONE_SECOND_AS_NANOSECONDS : getEmptyValue()}, + field: 'security_message', + name: ( + + ), + render: (value: string) => <>{value}, sortable: true, truncateText: false, - width: '5%', + width: '35%', }, +]; + +export const GET_EXECUTION_LOG_METRICS_COLUMNS = ( + docLinks: DocLinksStart +): Array> => [ { - field: 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', - name: i18n.COLUMN_GAP_DURATION, - render: (value: number) => getOrEmptyTagFromValue(value), + field: 'gap_duration_ms', + name: ( + + + +

+ + {i18n.COLUMN_GAP_TOOLTIP_SEE_DOCUMENTATION} + + ), + }} + /> +

+ + + + } + /> + ), + render: (value: number) => ( + <>{value ? : getEmptyValue()} + ), sortable: true, truncateText: false, - width: '6%', + width: '10%', }, { - field: 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', - name: i18n.COLUMN_INDEX_DURATION, - render: (value: number) => getOrEmptyTagFromValue(value), + field: 'indexing_duration_ms', + name: ( + + ), + render: (value: number) => ( + <>{value ? : getEmptyValue()} + ), sortable: true, truncateText: false, - width: '7%', + width: '10%', }, { - field: 'kibana.alert.rule.execution.metrics.total_search_duration_ms', - name: i18n.COLUMN_SEARCH_DURATION, - render: (value: number) => getOrEmptyTagFromValue(value), + field: 'search_duration_ms', + name: ( + + ), + render: (value: number) => ( + <>{value ? : getEmptyValue()} + ), sortable: true, truncateText: false, - width: '8%', + width: '10%', }, { - field: 'kibana.task.schedule_delay', - name: 'Scheduling Delay (s)', - render: (value: number) => <>{value ? value / ONE_SECOND_AS_NANOSECONDS : getEmptyValue()}, + field: 'schedule_delay_ms', + name: ( + + ), + render: (value: number) => ( + <>{value ? : getEmptyValue()} + ), sortable: true, truncateText: false, - width: '8%', + width: '10%', }, ]; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx index be042f9bca97d..ada0fa4b8c2e5 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx @@ -5,76 +5,140 @@ * 2.0. */ -import React from 'react'; -import { EuiHealth, EuiSearchBar, EuiSearchBarProps, SearchFilterConfig } from '@elastic/eui'; +import React, { useCallback, useEffect, useMemo, useState } from 'react'; +import { capitalize, replace } from 'lodash'; +import { + EuiHealth, + EuiFieldSearch, + EuiFlexGroup, + EuiFlexItem, + EuiPopover, + EuiFilterGroup, + EuiFilterButton, + EuiFilterSelectItem, +} from '@elastic/eui'; import { RuleExecutionStatus } from '../../../../../../../common/detection_engine/schemas/common'; import { getStatusColor } from '../../../../../components/rules/rule_execution_status/utils'; +import * as i18n from './translations'; -import * as i18n from '../translations'; +export const EXECUTION_LOG_SCHEMA_MAPPING = { + status: 'kibana.alert.rule.execution.status', + timestamp: '@timestamp', + duration: 'event.duration', + message: 'message', + gapDuration: 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', + indexingDuration: 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', + searchDuration: 'kibana.alert.rule.execution.metrics.total_search_duration_ms', + totalActions: 'kibana.alert.rule.execution.metrics.number_of_triggered_actions', + schedulingDelay: 'kibana.task.schedule_delay', +}; + +export const replaceQueryTextAliases = (queryText: string): string => { + return Object.entries(EXECUTION_LOG_SCHEMA_MAPPING).reduce( + (updatedQuery, [key, value]) => { + return replace(updatedQuery, key, value); + }, + queryText + ); +}; + +const statuses = [ + RuleExecutionStatus.succeeded, + RuleExecutionStatus.failed, + RuleExecutionStatus['partial failure'], +]; + +const statusFilters = statuses.map((status) => ({ + label: {capitalize(status)}, + selected: false, +})); interface ExecutionLogTableSearchProps { - onSearch: (args: Parameters>[0]) => void; + onSearch: (queryText: string) => void; + onStatusFilterChange: (statusFilters: string[]) => void; } -export const EXECUTION_LOG_SEARCH_SCHEMA = { - strict: true, - fields: { - 'kibana.alert.rule.execution.status': { - type: 'string', - }, - '@timestamp': { - type: 'string', - }, - 'event.duration': { - type: 'number', - }, - message: { - type: 'string', - }, - 'kibana.alert.rule.execution.metrics.execution_gap_duration_s': { - type: 'number', - }, - 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms': { - type: 'number', - }, - 'kibana.alert.rule.execution.metrics.total_search_duration_ms': { - type: 'number', - }, - }, -}; +export const ExecutionLogSearchBar = React.memo( + ({ onSearch, onStatusFilterChange }) => { + const [isPopoverOpen, setIsPopoverOpen] = useState(false); + const [selectedFilters, setSelectedFilters] = useState([]); -const statuses = (Object.keys(RuleExecutionStatus) as Array).map( - (key) => key -); + const onSearchCallback = useCallback( + (queryText: string) => { + onSearch(replaceQueryTextAliases(queryText)); + }, + [onSearch] + ); -const filters: SearchFilterConfig[] = [ - { - type: 'field_value_selection', - field: 'kibana.alert.rule.execution.status', - name: 'Status', - multiSelect: 'or', - options: statuses.map((status) => ({ - value: status, - view: {status}, - })), - }, -]; + const onStatusFilterChangeCallback = useCallback( + (filter: RuleExecutionStatus) => { + setSelectedFilters( + selectedFilters.includes(filter) + ? selectedFilters.filter((f) => f !== filter) + : [...selectedFilters, filter] + ); + }, + [selectedFilters] + ); -export const ExecutionLogSearchBar = React.memo(({ onSearch }) => { - return ( - - ); -}); + const filtersComponent = useMemo(() => { + return statuses.map((filter, index) => ( + onStatusFilterChangeCallback(filter)} + title={filter} + > + {capitalize(filter)} + + )); + }, [onStatusFilterChangeCallback, selectedFilters]); + + useEffect(() => { + onStatusFilterChange(selectedFilters); + }, [onStatusFilterChange, selectedFilters]); + + return ( + + + + + + + setIsPopoverOpen(!isPopoverOpen)} + numFilters={statusFilters.length} + isSelected={isPopoverOpen} + hasActiveFilters={selectedFilters.length > 0} + numActiveFilters={selectedFilters.length} + > + {i18n.COLUMN_STATUS} + + } + isOpen={isPopoverOpen} + closePopover={() => setIsPopoverOpen(false)} + panelPaddingSize="none" + repositionOnScroll + > + {filtersComponent} + + + + + ); + } +); ExecutionLogSearchBar.displayName = 'ExecutionLogSearchBar'; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx index 26d198596806d..b4bae2ce52203 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -6,19 +6,25 @@ */ import { DurationRange } from '@elastic/eui/src/components/date_picker/types'; -import React, { useCallback, useState } from 'react'; +import { get } from 'lodash'; +import styled from 'styled-components'; +import React, { useCallback, useMemo, useState } from 'react'; import { EuiTextColor, EuiFlexGroup, EuiFlexItem, - EuiSearchBarProps, EuiSuperDatePicker, OnTimeChangeProps, OnRefreshProps, OnRefreshChangeProps, EuiInMemoryTable, EuiSpacer, + EuiSwitch, + EuiToolTip, } from '@elastic/eui'; +import { buildFilter, FILTERS } from '@kbn/es-query'; +import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; +import { RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY } from '../../../../../../../common/constants'; import { UtilityBar, @@ -26,33 +32,60 @@ import { UtilityBarSection, UtilityBarText, } from '../../../../../../common/components/utility_bar'; +import { useSourcererDataView } from '../../../../../../common/containers/sourcerer'; +import { useAppToasts } from '../../../../../../common/hooks/use_app_toasts'; +import { useKibana } from '../../../../../../common/lib/kibana'; +import { SourcererScopeName } from '../../../../../../common/store/sourcerer/model'; import { useRuleExecutionEvents } from '../../../../../containers/detection_engine/rules'; -import * as i18n from '../translations'; -import { EXECUTION_LOG_COLUMNS } from './execution_log_columns'; +import * as i18n from './translations'; +import { EXECUTION_LOG_COLUMNS, GET_EXECUTION_LOG_METRICS_COLUMNS } from './execution_log_columns'; import { ExecutionLogSearchBar } from './execution_log_search_bar'; +const EXECUTION_UUID_FIELD_NAME = 'kibana.alert.rule.execution.uuid'; + +const UtilitySwitch = styled(EuiSwitch)` + margin-left: 17px; +`; + interface ExecutionLogTableProps { ruleId: string; + selectAlertsTab: () => void; } -// TODO: Hoist to package and share with server in events_reader -const MAX_EXECUTION_EVENTS_DISPLAYED = 500; - -const ExecutionLogTableComponent: React.FC = ({ ruleId }) => { +const ExecutionLogTableComponent: React.FC = ({ + ruleId, + selectAlertsTab, +}) => { + const { + docLinks, + data: { + query: { filterManager }, + }, + storage, + timelines, + } = useKibana().services; const [recentlyUsedRanges, setRecentlyUsedRanges] = useState([]); const [refreshInterval, setRefreshInterval] = useState(1000); const [isPaused, setIsPaused] = useState(true); - const [start, setStart] = useState('now-30m'); + const [start, setStart] = useState('now-24h'); const [end, setEnd] = useState('now'); - const [filters, setFilters] = useState(''); + const [queryText, setQueryText] = useState(''); + const [statusFilters, setStatusFilters] = useState(''); + const { indexPattern } = useSourcererDataView(SourcererScopeName.detections); + const { addError } = useAppToasts(); + const [showMetricColumns, setShowMetricColumns] = useState( + storage.get(RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY) ?? false + ); const { data: events, + dataUpdatedAt, isFetching, + isLoading, refetch, - } = useRuleExecutionEvents({ ruleId, start, end, filters }); + } = useRuleExecutionEvents({ ruleId, start, end, queryText, statusFilters }); const items = events?.events ?? []; - const maxEvents = events?.maxEvents ?? 0; + const maxEvents = events?.total ?? 0; const onTimeChangeCallback = useCallback( (props: OnTimeChangeProps) => { @@ -82,34 +115,104 @@ const ExecutionLogTableComponent: React.FC = ({ ruleId } [refetch] ); - const onSearchCallback = useCallback( - ({ queryText }: Parameters>[0]) => { - setFilters(queryText); + const onSearchCallback = useCallback((updatedQueryText: string) => { + setQueryText(updatedQueryText); + }, []); + + const onStatusFilterChangeCallback = useCallback((updatedStatusFilters: string[]) => { + setStatusFilters(updatedStatusFilters.sort().join(',')); + }, []); + + const onFilterByExecutionIdCallback = useCallback( + (executionId: string) => { + const field = indexPattern.fields.find((f) => f.name === EXECUTION_UUID_FIELD_NAME); + if (field != null) { + const filter = buildFilter( + indexPattern, + field, + FILTERS.PHRASE, + false, + false, + executionId, + null + ); + filterManager.addFilters(filter); + selectAlertsTab(); + } else { + addError(i18n.ACTIONS_FIELD_NOT_FOUND_ERROR, { + title: i18n.ACTIONS_FIELD_NOT_FOUND_ERROR_TITLE, + }); + } }, - [] + [addError, filterManager, indexPattern, selectAlertsTab] + ); + + const actions = useMemo( + () => [ + { + field: EXECUTION_UUID_FIELD_NAME, + name: i18n.COLUMN_ACTIONS, + width: '5%', + actions: [ + { + name: 'Edit', + isPrimary: true, + field: '', + description: i18n.COLUMN_ACTIONS_TOOLTIP, + icon: 'filter', + type: 'icon', + onClick: (value: object) => { + const executionId = get(value, EXECUTION_UUID_FIELD_NAME); + if (executionId) { + onFilterByExecutionIdCallback(executionId); + } + }, + 'data-test-subj': 'action-filter-by-execution-id', + }, + ], + }, + ], + [onFilterByExecutionIdCallback] + ); + + const executionLogColumns = useMemo( + () => + showMetricColumns + ? [...EXECUTION_LOG_COLUMNS, ...GET_EXECUTION_LOG_METRICS_COLUMNS(docLinks), ...actions] + : [...EXECUTION_LOG_COLUMNS, ...actions], + [actions, docLinks, showMetricColumns] + ); + + const onShowMetricColumnsCallback = useCallback( + (showMetrics: boolean) => { + storage.set(RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY, showMetrics); + setShowMetricColumns(showMetrics); + }, + [storage] ); return ( <> - - + + - -
- -
+ + @@ -130,12 +233,32 @@ const ExecutionLogTableComponent: React.FC = ({ ruleId } )} + + + {timelines.getLastUpdated({ + showUpdating: isLoading || isFetching, + updatedAt: dataUpdatedAt, + })} + + + onShowMetricColumnsCallback(e.target.checked)} + /> + + diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx new file mode 100644 index 0000000000000..3aeb7b822dbcd --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx @@ -0,0 +1,59 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import numeral from '@elastic/numeral'; +import moment from 'moment'; +import React, { useMemo } from 'react'; +import { EuiToolTip } from '@elastic/eui'; + +interface Props { + duration: number; + allowZero?: boolean; +} + +export function getFormattedDuration(value: number) { + if (!value) { + return '00:00'; + } + const duration = moment.duration(value); + const minutes = Math.floor(duration.asMinutes()).toString().padStart(2, '0'); + const seconds = duration.seconds().toString().padStart(2, '0'); + const ms = duration.milliseconds().toString().padStart(3, '0'); + return `${minutes}:${seconds}:${ms}`; +} + +export function getFormattedMilliseconds(value: number) { + const formatted = numeral(value).format('0,0'); + return `${formatted} ms`; +} + +const RuleDurationFormatComponent = (props: Props) => { + const { duration, allowZero = true } = props; + + const formattedDuration = useMemo(() => { + if (allowZero || typeof duration === 'number') { + return getFormattedDuration(duration); + } + return 'N/A'; + }, [duration, allowZero]); + + const formattedTooltip = useMemo(() => { + if (allowZero || typeof duration === 'number') { + return getFormattedMilliseconds(duration); + } + return 'N/A'; + }, [duration, allowZero]); + + return ( + + {formattedDuration} + + ); +}; + +export const RuleDurationFormat = React.memo(RuleDurationFormatComponent); +RuleDurationFormat.displayName = 'RuleDurationFormat'; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts new file mode 100644 index 0000000000000..5336f9092c6cc --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts @@ -0,0 +1,189 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; + +export const SHOWING_EXECUTIONS = (totalItems: number) => + i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.totalExecutionsLabel', + { + values: { totalItems }, + defaultMessage: + 'Showing {totalItems} {totalItems, plural, =1 {rule execution} other {rule executions}}', + } + ); + +export const RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED = (totalItems: number) => + i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchLimitExceededLabel', + { + values: { totalItems }, + defaultMessage: + "More than {totalItems} rule executions match filters provided. Showing first 500 by most recent '@timestamp'. Constrain filters further to view additional execution events", + } + ); + +export const RULE_EXECUTION_LOG_SEARCH_PLACEHOLDER = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchPlaceholder', + { + defaultMessage: 'duration > 100 and gapDuration > 10', + } +); + +export const RULE_EXECUTION_LOG_SHOW_METRIC_COLUMNS_SWITCH = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.showMetricColumnsSwitchTitle', + { + defaultMessage: 'Show metrics columns', + } +); + +export const SHOW_METRIC_COLUMNS_SWITCH_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.showMetricColumnsSwitchTooltip', + { + defaultMessage: 'Enable to show additional metrics columns.', + } +); + +export const COLUMN_STATUS = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.statusColumn', + { + defaultMessage: 'Status', + } +); + +export const COLUMN_STATUS_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.statusColumnTooltip', + { + defaultMessage: 'Overall status of execution', + } +); + +export const COLUMN_TIMESTAMP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.timestampColumn', + { + defaultMessage: 'Timestamp', + } +); + +export const COLUMN_TIMESTAMP_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.timestampColumnTooltip', + { + defaultMessage: 'Datetime rule execution initiated', + } +); + +export const COLUMN_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.durationColumn', + { + defaultMessage: 'Duration', + } +); + +export const COLUMN_DURATION_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.durationColumnTooltip', + { + defaultMessage: 'The length of time it took for the rule to run (mm:ss:SSS)', + } +); + +export const COLUMN_MESSAGE = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.messageColumn', + { + defaultMessage: 'Message', + } +); + +export const COLUMN_MESSAGE_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.messageColumnTooltip', + { + defaultMessage: 'Relevant message from execution outcome', + } +); + +export const COLUMN_GAP_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.gapDurationColumn', + { + defaultMessage: 'Gap Duration', + } +); + +export const COLUMN_GAP_TOOLTIP_SEE_DOCUMENTATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.gapTooltipSeeDocsDescription', + { + defaultMessage: 'see documentation', + } +); + +export const COLUMN_INDEX_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.indexDurationColumn', + { + defaultMessage: 'Index Duration', + } +); + +export const COLUMN_INDEX_DURATION_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.indexDurationColumnTooltip', + { + defaultMessage: 'The length of time it took to index detected alerts (mm:ss:SSS)', + } +); + +export const COLUMN_SEARCH_DURATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumn', + { + defaultMessage: 'Search Duration', + } +); + +export const COLUMN_SEARCH_DURATION_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumnTooltip', + { + defaultMessage: 'The length of time it took to search for alerts (mm:ss:SSS)', + } +); + +export const COLUMN_SCHEDULING_DELAY = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumn', + { + defaultMessage: 'Scheduling Delay', + } +); + +export const COLUMN_SCHEDULING_DELAY_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumnTooltip', + { + defaultMessage: 'The length of time from rule scheduled till rule executed (mm:ss:SSS)', + } +); + +export const COLUMN_ACTIONS = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.actionsColumn', + { + defaultMessage: 'Actions', + } +); + +export const COLUMN_ACTIONS_TOOLTIP = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.actionsColumnTooltip', + { + defaultMessage: 'Filter alerts by rule execution ID', + } +); + +export const ACTIONS_FIELD_NOT_FOUND_ERROR_TITLE = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.actionFieldNotFoundErrorTitle', + { + defaultMessage: 'Unable to filter alerts', + } +); + +export const ACTIONS_FIELD_NOT_FOUND_ERROR = i18n.translate( + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.actionFieldNotFoundErrorDescription', + { + defaultMessage: "Cannot find field 'kibana.alert.rule.execution.uuid' in alerts index.", + } +); diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx index 7dc939ebbe7a6..d3a6594faf038 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx @@ -316,7 +316,7 @@ const RuleDetailsPageComponent: React.FC = ({ setRuleDetailTab(RuleDetailTabs.exceptions); } else { setTabs(ruleDetailTabs); - setRuleDetailTab(RuleDetailTabs.alerts); + setRuleDetailTab(RuleDetailTabs.executionLogs); } }, [hasIndexRead]); @@ -429,7 +429,7 @@ const RuleDetailsPageComponent: React.FC = ({ setRuleDetailTab(tab.id)} isSelected={tab.id === ruleDetailTab} - disabled={tab.disabled} + disabled={tab.disabled || (tab.id === RuleDetailTabs.executionLogs && !isExistingRule)} key={tab.id} data-test-subj={tab.dataTestSubj} > @@ -438,7 +438,7 @@ const RuleDetailsPageComponent: React.FC = ({ ))} ), - [ruleDetailTab, setRuleDetailTab, pageTabs] + [isExistingRule, ruleDetailTab, setRuleDetailTab, pageTabs] ); const ruleIndices = useMemo(() => rule?.index ?? DEFAULT_INDEX_PATTERN, [rule?.index]); @@ -603,6 +603,10 @@ const RuleDetailsPageComponent: React.FC = ({ [containerElement, onSkipFocusBeforeEventsTable, onSkipFocusAfterEventsTable] ); + const selectAlertsTabCallback = useCallback(() => { + setRuleDetailTab(RuleDetailTabs.alerts); + }, []); + if ( redirectToDetections( isSignalIndexExists, @@ -804,7 +808,9 @@ const RuleDetailsPageComponent: React.FC = ({ onRuleChange={refreshRule} /> )} - {ruleDetailTab === RuleDetailTabs.executionLogs && } + {ruleDetailTab === RuleDetailTabs.executionLogs && ( + + )} diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts index 5167e667c550e..595396e0fd28a 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts @@ -49,75 +49,6 @@ export const RULE_EXECUTION_LOGS = i18n.translate( } ); -export const SHOWING_EXECUTIONS = (totalItems: number) => - i18n.translate('xpack.securitySolution.ruleExecutionLog.totalExecutionsLabel', { - values: { totalItems }, - defaultMessage: - 'Showing {totalItems} {totalItems, plural, =1 {rule execution} other {rule executions}}', - }); - -export const RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED = (totalItems: number) => - i18n.translate('xpack.securitySolution.ruleExecutionLog.searchLimitExceededLabel', { - values: { totalItems }, - defaultMessage: - "More than {totalItems} rule executions match filters provided. Showing first 500 by most recent '@timestamp'. Constrain filters further to view additional execution events", - }); - -export const RULE_EXECUTION_LOG_SEARCH_PLACEHOLDER = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchPlaceholder', - { - defaultMessage: 'event.duration > 100 OR kibana.alert.rule.execution.metrics.total_hits > 100', - } -); - -export const COLUMN_STATUS = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.statusColumn', - { - defaultMessage: 'Status', - } -); - -export const COLUMN_TIMESTAMP = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.timestampColumn', - { - defaultMessage: 'Timestamp', - } -); - -export const COLUMN_DURATION = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.durationColumn', - { - defaultMessage: 'Duration (s)', - } -); - -export const COLUMN_MESSAGE = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.messageColumn', - { - defaultMessage: 'Message', - } -); -export const COLUMN_GAP_DURATION = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.gapDurationColumn', - { - defaultMessage: 'Gap Duration (s)', - } -); - -export const COLUMN_INDEX_DURATION = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.indexDurationColumn', - { - defaultMessage: 'Index Duration (ms)', - } -); - -export const COLUMN_SEARCH_DURATION = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumn', - { - defaultMessage: 'Search Duration (ms)', - } -); - export const TYPE_FAILED = i18n.translate( 'xpack.securitySolution.detectionEngine.ruleDetails.statusFailedDescription', { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/translations.ts index b1cc2e4f0388c..67e988de8f2f1 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/translations.ts @@ -722,6 +722,13 @@ export const COLUMN_GAP = i18n.translate( } ); +export const COLUMN_GAP_TOOLTIP_SEE_DOCUMENTATION = i18n.translate( + 'xpack.securitySolution.detectionEngine.rules.allRules.columns.gapTooltipSeeDocsDescription', + { + defaultMessage: 'see documentation', + } +); + export const RULES_TAB = i18n.translate( 'xpack.securitySolution.detectionEngine.rules.allRules.tabs.rules', { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts index de3653c9bc9cd..13aacbdffd12d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -561,53 +561,54 @@ export const getLastFailures = (): RuleExecutionEvent[] => [ export const getAggregateExecutionEvents = (): GetAggregateRuleExecutionEventsResponse => ({ events: [ { - kibana: { - task: { - schedule_delay: 890000000, - }, - alert: { - rule: { - execution: { - metrics: { - total_indexing_duration_ms: 0, - total_search_duration_ms: 5, - }, - status: 'succeeded', - }, - }, - }, - }, - event: { - duration: 2035000000, - }, - message: 'succeeded', - '@timestamp': '2022-02-01T05:56:27.813Z', + execution_uuid: '34bab6e0-89b6-4d10-9cbb-cda76d362db6', + timestamp: '2022-03-11T22:04:05.931Z', + duration_ms: 1975, + status: 'success', + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 0, + num_succeeded_actions: 0, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 538, + schedule_delay_ms: 2091, + timed_out: false, + indexing_duration_ms: 7, + search_duration_ms: 551, + gap_duration_ms: 0, + security_status: 'succeeded', + security_message: 'succeeded', }, { - kibana: { - task: { - schedule_delay: 13980000000, - }, - alert: { - rule: { - execution: { - metrics: { - total_indexing_duration_ms: 0, - total_search_duration_ms: 9, - }, - status: 'succeeded', - }, - }, - }, - }, - event: { - duration: 2065000000, - }, - message: 'succeeded', - '@timestamp': '2022-02-01T05:51:27.143Z', + execution_uuid: '254d8400-9dc7-43c5-ad4b-227273d1a44b', + timestamp: '2022-03-11T22:02:41.923Z', + duration_ms: 11916, + status: 'success', + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 1, + num_succeeded_actions: 1, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 1406, + schedule_delay_ms: 1583, + timed_out: false, + indexing_duration_ms: 0, + search_duration_ms: 0, + gap_duration_ms: 0, + security_status: 'partial failure', + security_message: + 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [broken-index] name: "This Rule Makes Alerts, Actions, AND Moar!" id: "f78f3550-a186-11ec-89a1-0bce95157aba" rule id: "b64b4540-d035-4826-a1e7-f505bf4b9653" execution id: "254d8400-9dc7-43c5-ad4b-227273d1a44b" space ID: "default"', }, ], - maxEvents: 2, + total: 2, }); export const getBasicEmptySearchResponse = (): estypes.SearchResponse => ({ diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts index bbf1581214c17..3696496034d07 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts @@ -35,21 +35,22 @@ export const getRuleExecutionEventsRoute = (router: SecuritySolutionPluginRouter }, async (context, request, response) => { const { ruleId } = request.params; - const { start, end, filters = '' } = request.query; + const { start, end, queryText = '', statusFilters = '' } = request.query; const siemResponse = buildSiemResponse(response); try { const executionLog = context.securitySolution.getRuleExecutionLog(); - const { events, maxEvents } = await executionLog.getAggregateExecutionEvents({ + const { events, total } = await executionLog.getAggregateExecutionEvents({ ruleId, start, end, - filters, + queryText, + statusFilters: statusFilters.length ? statusFilters.split(',') : [], }); const responseBody: GetAggregateRuleExecutionEventsResponse = { events, - maxEvents, + total, }; return response.ok({ body: responseBody }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts index 095f71939a9d3..c4a71db2d3e32 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts @@ -33,7 +33,8 @@ export const createClientForRoutes = ( ruleId, start, end, - filters, + queryText, + statusFilters, }: GetAggregateExecutionEventsArgs): Promise { return withSecuritySpan( 'IRuleExecutionLogForRoutes.getAggregateExecutionEvents', @@ -43,7 +44,8 @@ export const createClientForRoutes = ( ruleId, start, end, - filters, + queryText, + statusFilters, }); } catch (e) { const logMessage = diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts index c1dd29913f424..96bf802439ab4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts @@ -15,7 +15,8 @@ export interface GetAggregateExecutionEventsArgs { ruleId: string; start: string; end: string; - filters: string; + queryText: string; + statusFilters: string[]; } /** @@ -30,13 +31,15 @@ export interface IRuleExecutionLogForRoutes { * @param ruleId Saved object id of the rule (`rule.id`). * @param start start of daterange to filter to * @param end end of daterange to filter to - * @param filters array of field-based filters, e.g. kibana.alert.rule.execution.status:* + * @param queryText string of field-based filters, e.g. kibana.alert.rule.execution.status:* + * @param statusFilters array of status filters, e.g. ['succeeded', 'going to run'] */ getAggregateExecutionEvents({ ruleId, start, end, - filters, + queryText, + statusFilters, }: GetAggregateExecutionEventsArgs): Promise; /** diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index 377113876ac4b..200ecda30358a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -6,11 +6,10 @@ */ import dateMath from '@elastic/datemath'; -import { get, set } from 'lodash'; +import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; import { IEventLogClient } from '../../../../../../event_log/server'; import { - AggregateRuleExecutionEvent, RuleExecutionEvent, RuleExecutionStatus, } from '../../../../../common/detection_engine/schemas/common'; @@ -22,6 +21,11 @@ import { RULE_EXECUTION_LOG_PROVIDER, RuleExecutionLogAction, } from './constants'; +import { + formatExecutionEventResponse, + getExecutionEventAggregation, +} from './get_execution_event_aggregation'; +import { ExecutionUuidAggResult } from './get_execution_event_aggregation/types'; export interface IEventLogReader { getAggregateExecutionEvents( @@ -35,7 +39,8 @@ export interface GetAggregateExecutionEventsArgs { ruleId: string; start: string; end: string; - filters: string; + queryText: string; + statusFilters: string[]; } export interface GetLastStatusChangesArgs { @@ -44,15 +49,12 @@ export interface GetLastStatusChangesArgs { includeStatuses?: RuleExecutionStatus[]; } -// TODO: Hoist to package and share with UI in execution_log_table -const MAX_EXECUTION_EVENTS_DISPLAYED = 500; - export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader => { return { async getAggregateExecutionEvents( args: GetAggregateExecutionEventsArgs ): Promise { - const { ruleId, start, end, filters } = args; + const { ruleId, start, end, queryText, statusFilters } = args; const soType = RULE_SAVED_OBJECT_TYPE; const soIds = [ruleId]; const startDate = dateMath.parse(start); @@ -61,86 +63,49 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader invariant(startDate?.isValid(), `Required "start" field is not valid: ${start}`); invariant(endDate?.isValid(), `Required "end" field is not valid: ${end}`); - // Fetch total unique executions per daterange to get max execution events - const { total: uniqueExecutionEventsResults = 0 } = await eventLog.findEventsBySavedObjectIds( - soType, - soIds, - { + const filterString = statusFilters.length + ? `kibana.alert.rule.execution.status:(${statusFilters.join(' OR ')})` + : ''; + const filter = queryText.length ? `${queryText} AND ${filterString}` : filterString; + + let idsFilter = ''; + if (filter.length) { + // TODO: Current workaround to support root level filters without missing fields in the aggregate event + // TODO: See: https://github.com/elastic/kibana/pull/127339/files#r825240516 + const filteredResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { start: startDate?.utc().toISOString(), end: endDate?.utc().toISOString(), - page: 1, - per_page: 0, - sort: [{ sort_field: '@timestamp', sort_order: 'desc' }], - filter: `event.action:execute-start`, - } - ); + filter, + aggs: { + filteredExecutionUUIDs: { + terms: { + field: 'kibana.alert.rule.execution.uuid', + size: MAX_EXECUTION_EVENTS_DISPLAYED, + }, + }, + }, + }); + const filteredExecutionUUIDs = filteredResults.aggregations + ?.filteredExecutionUUIDs as ExecutionUuidAggResult; + const filteredIds = filteredExecutionUUIDs?.buckets?.map((b) => b.key) ?? []; + idsFilter = filteredIds.length + ? `kibana.alert.rule.execution.uuid:(${filteredIds.join(' OR ')})` + : ''; + } - // Fetch all events to aggregate into individual execution events for each unique executionId - const findResult = await eventLog.findEventsBySavedObjectIds(soType, soIds, { - start: startDate?.utc().toISOString(), + const results = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { + start: startDate?.utc().toISOString(), // TODO: Is there a way to get typescript to know startDate isn't null based on the above invariant? end: endDate?.utc().toISOString(), - page: 1, - per_page: 10000, // TODO: Possibly constrain to 5x MAX_EXECUTION_EVENTS_DISPLAYED (i.e. max events per execution) - sort: [{ sort_field: '@timestamp', sort_order: 'desc' }], - filter: filters, - }); - - const executeStartFields = ['@timestamp']; - const executeFields = ['kibana.task.schedule_delay', 'event.duration']; - const metricsFields = [ - 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', - 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', - 'kibana.alert.rule.execution.metrics.total_search_duration_ms', - ]; - - // TODO: Rework to ensure all fields are included from necessary event types - // Maybe use `objectArrayIntersection` from EQL sequence building? - const aggregatedResults: Record = {}; - findResult.data.forEach((event) => { - const uuid: string = get(event, 'kibana.alert.rule.execution.uuid'); - const eventAction: string = get(event, 'event.action'); - const status = get(event, 'kibana.alert.rule.execution.status'); - if (aggregatedResults[uuid] == null) { - aggregatedResults[uuid] = {}; - } - - // Merge different event types into a single execution event. - // @timestamp comes from initial `execute-start` event from platform - // Remaining fields filled in from platform `execute` and security `metric`/`status-change` events - if (eventAction === 'execute-start') { - executeStartFields.forEach((field) => { - set(aggregatedResults[uuid], field, get(event, field)); - }); - } else if (eventAction === 'execute') { - executeFields.forEach((field) => { - set(aggregatedResults[uuid], field, get(event, field)); - }); - } else if (eventAction === 'execution-metrics') { - metricsFields.forEach((field) => { - set(aggregatedResults[uuid], field, get(event, field)); - }); - } else if (eventAction === 'status-change' && status !== 'running') { - if (status != null) { - set(aggregatedResults[uuid], 'kibana.alert.rule.execution.status', status); - } - const message = get(event, 'message'); - if (message != null) { - // TODO: Append messages? - set(aggregatedResults[uuid], 'message', message); - } - } + filter: idsFilter, + aggs: getExecutionEventAggregation({ + maxExecutions: MAX_EXECUTION_EVENTS_DISPLAYED, + page: 1, + perPage: 10, + sort: [{ timestamp: { order: 'desc' } }], + }), }); - const aggEvents = Object.values(aggregatedResults); - // Constrain length as not supporting pagination through in-memory aggregations in MVP - if (aggEvents.length > MAX_EXECUTION_EVENTS_DISPLAYED) { - aggEvents.length = MAX_EXECUTION_EVENTS_DISPLAYED; - } - - return { - events: aggEvents as AggregateRuleExecutionEvent[], - maxEvents: uniqueExecutionEventsResults, - }; + return formatExecutionEventResponse(results); }, async getLastStatusChanges(args) { const soType = RULE_SAVED_OBJECT_TYPE; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts new file mode 100644 index 0000000000000..dbb4786234c75 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts @@ -0,0 +1,323 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { get } from 'lodash'; +import { AggregateEventsBySavedObjectResult } from '../../../../../../../event_log/server'; +import { AggregateRuleExecutionEvent } from '../../../../../../common/detection_engine/schemas/common'; +import { GetAggregateRuleExecutionEventsResponse } from '../../../../../../common/detection_engine/schemas/response'; +import { + ExecutionEventAggregationOptions, + ExecutionUuidAggResult, + ExecutionUuidAggBucket, +} from './types'; + +// Base ECS fields +const ACTION_FIELD = 'event.action'; +const DURATION_FIELD = 'event.duration'; +const MESSAGE_FIELD = 'message'; +const PROVIDER_FIELD = 'event.provider'; +const OUTCOME_FIELD = 'event.outcome'; +const START_FIELD = 'event.start'; +const TIMESTAMP_FIELD = '@timestamp'; +// Platform fields +const SCHEDULE_DELAY_FIELD = 'kibana.task.schedule_delay'; +const ES_SEARCH_DURATION_FIELD = 'kibana.alert.rule.execution.metrics.es_search_duration_ms'; +const TOTAL_ACTIONS_TRIGGERED_FIELD = + 'kibana.alert.rule.execution.metrics.number_of_triggered_actions'; +const EXECUTION_UUID_FIELD = 'kibana.alert.rule.execution.uuid'; +// TODO: To be added in https://github.com/elastic/kibana/pull/126210 +// const TOTAL_ALERTS_CREATED: 'kibana.alert.rule.execution.metrics.total_alerts_created', +// const TOTAL_ALERTS_DETECTED: 'kibana.alert.rule.execution.metrics.total_alerts_detected', +// Security fields +const GAP_DURATION_FIELD = 'kibana.alert.rule.execution.metrics.execution_gap_duration_s'; +const INDEXING_DURATION_FIELD = 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms'; +const SEARCH_DURATION_FIELD = 'kibana.alert.rule.execution.metrics.total_search_duration_ms'; +const STATUS_FIELD = 'kibana.alert.rule.execution.status'; + +const ONE_MILLISECOND_AS_NANOSECONDS = 1_000_000; + +const SORT_FIELD_TO_AGG_MAPPING: Record = { + status: 'ruleExecution>status', + timestamp: 'ruleExecution>executeStartTime', + execution_duration: 'ruleExecution>executionDuration', + total_indexing_duration: 'securityMetrics>indexingDuration', + total_search_duration: 'securityMetrics>totalSearchDuration', + gap_duration: 'securityMetrics>gapDuration', + schedule_delay: 'ruleExecution>scheduleDelay', + num_triggered_actions: 'ruleExecution>numTriggeredActions', + // TODO: To be added in https://github.com/elastic/kibana/pull/126210 + // total_alerts_created: 'ruleExecution>totalAlertsDetected', + // total_alerts_detected: 'ruleExecution>totalAlertsCreated', +}; + +/** + * Returns `aggs` to be supplied to aggregateEventsBySavedObjectIds + * @param maxExecutions upper bounds of execution events to return (to narrow below max terms agg limit) + * @param page current page to retrieve + * @param perPage number of execution events to display per page + * @param sort field to sort on + */ +export const getExecutionEventAggregation = ({ + maxExecutions, + page, + perPage, + sort, +}: ExecutionEventAggregationOptions): Record => { + return { + // Total unique executions for given root filters + totalExecutions: { + cardinality: { + field: EXECUTION_UUID_FIELD, + }, + }, + executionUuid: { + // Bucket by execution UUID + terms: { + field: EXECUTION_UUID_FIELD, + size: maxExecutions, + order: formatSortForTermsSort(sort), + }, + aggs: { + // Bucket sort for paging + executionUuidSorted: { + bucket_sort: { + sort: formatSortForBucketSort(sort), + from: (page - 1) * perPage, + size: perPage, + }, + }, + // Filter by action execute doc to retrieve action outcomes (successful/failed) + actionExecution: { + filter: getProviderAndActionFilter('actions', 'execute'), + aggs: { + actionOutcomes: { + terms: { + field: OUTCOME_FIELD, + size: 2, + }, + }, + }, + }, + // Filter by alerting execute doc to retrieve platform metrics + ruleExecution: { + filter: getProviderAndActionFilter('alerting', 'execute'), + aggs: { + executeStartTime: { + min: { + field: START_FIELD, + }, + }, + scheduleDelay: { + max: { + field: SCHEDULE_DELAY_FIELD, + }, + }, + esSearchDuration: { + max: { + field: ES_SEARCH_DURATION_FIELD, + }, + }, + numTriggeredActions: { + max: { + field: TOTAL_ACTIONS_TRIGGERED_FIELD, + }, + }, + executionDuration: { + max: { + field: DURATION_FIELD, + }, + }, + outcomeAndMessage: { + top_hits: { + size: 1, + _source: { + includes: [OUTCOME_FIELD, MESSAGE_FIELD], + }, + }, + }, + }, + }, + // Filter by securitySolution status-change doc to retrieve security metrics + securityMetrics: { + filter: getProviderAndActionFilter('securitySolution.ruleExecution', 'execution-metrics'), + aggs: { + gapDuration: { + min: { + field: GAP_DURATION_FIELD, + missing: 0, // Necessary for sorting since field isn't written if no gap + }, + }, + indexDuration: { + min: { + field: INDEXING_DURATION_FIELD, + }, + }, + searchDuration: { + min: { + field: SEARCH_DURATION_FIELD, + }, + }, + }, + }, + // Filter by securitySolution ruleExecution doc to retrieve status and message + securityStatus: { + filter: getProviderAndActionFilter('securitySolution.ruleExecution', 'status-change'), + aggs: { + status: { + top_hits: { + sort: { + [TIMESTAMP_FIELD]: { + order: 'desc', + }, + }, + size: 1, + _source: { + includes: STATUS_FIELD, + }, + }, + }, + message: { + top_hits: { + size: 1, + sort: { + [TIMESTAMP_FIELD]: { + order: 'desc', + }, + }, + _source: { + includes: MESSAGE_FIELD, + }, + }, + }, + }, + }, + // If there was a timeout, this filter will return non-zero doc count + timeoutMessage: { + filter: getProviderAndActionFilter('alerting', 'execute-timeout'), + }, + }, + }, + }; +}; + +/** + * Returns bool filter for matching a specific provider AND action combination + * @param provider provider to match + * @param action action to match + */ +const getProviderAndActionFilter = (provider: string, action: string) => { + return { + bool: { + must: [ + { + match: { + [ACTION_FIELD]: action, + }, + }, + { + match: { + [PROVIDER_FIELD]: provider, + }, + }, + ], + }, + }; +}; + +/** + * Formats aggregate execution event from bucket response + * @param bucket + */ +export const formatAggExecutionEventFromBucket = ( + bucket: ExecutionUuidAggBucket +): AggregateRuleExecutionEvent => { + const durationUs = bucket?.ruleExecution?.executionDuration?.value ?? 0; + const scheduleDelayUs = bucket?.ruleExecution?.scheduleDelay?.value ?? 0; + const timedOut = (bucket?.timeoutMessage?.doc_count ?? 0) > 0; + + const actionOutcomes = bucket?.actionExecution?.actionOutcomes?.buckets ?? []; + const actionExecutionSuccess = actionOutcomes.find((b) => b?.key === 'success')?.doc_count ?? 0; + const actionExecutionError = actionOutcomes.find((b) => b?.key === 'failure')?.doc_count ?? 0; + + return { + execution_uuid: bucket?.key ?? '', + timestamp: bucket?.ruleExecution?.executeStartTime.value_as_string ?? '', + duration_ms: durationUs / ONE_MILLISECOND_AS_NANOSECONDS, + status: bucket?.ruleExecution?.outcomeAndMessage?.hits?.hits[0]?._source?.event?.outcome, + message: bucket?.ruleExecution?.outcomeAndMessage?.hits?.hits[0]?._source?.message, + num_active_alerts: bucket?.alertCounts?.buckets?.activeAlerts?.doc_count ?? 0, + num_new_alerts: bucket?.alertCounts?.buckets?.newAlerts?.doc_count ?? 0, + num_recovered_alerts: bucket?.alertCounts?.buckets?.recoveredAlerts?.doc_count ?? 0, + num_triggered_actions: bucket?.ruleExecution?.numTriggeredActions?.value ?? 0, + num_succeeded_actions: actionExecutionSuccess, + num_errored_actions: actionExecutionError, + total_search_duration_ms: bucket?.ruleExecution?.totalSearchDuration?.value ?? 0, + es_search_duration_ms: bucket?.ruleExecution?.esSearchDuration?.value ?? 0, + schedule_delay_ms: scheduleDelayUs / ONE_MILLISECOND_AS_NANOSECONDS, + timed_out: timedOut, + // security fields + indexing_duration_ms: bucket?.securityMetrics?.indexDuration?.value ?? 0, + search_duration_ms: bucket?.securityMetrics?.searchDuration?.value ?? 0, + gap_duration_ms: bucket?.securityMetrics?.gapDuration?.value ?? 0, + security_status: + bucket?.securityStatus?.status?.hits?.hits[0]?._source?.kibana?.alert?.rule?.execution + ?.status, + security_message: bucket?.securityStatus?.message?.hits?.hits[0]?._source?.message, + }; +}; + +/** + * Formats getAggregateExecutionEvents response from Elasticsearch response + * @param results Elasticsearch response + */ +export const formatExecutionEventResponse = ( + results: AggregateEventsBySavedObjectResult +): GetAggregateRuleExecutionEventsResponse => { + const { aggregations } = results; + + if (!aggregations) { + return { + total: 0, + events: [], + }; + } + + const total = (aggregations.totalExecutions as estypes.AggregationsCardinalityAggregate).value; + const buckets = (aggregations.executionUuid as ExecutionUuidAggResult).buckets; + + return { + total, + events: buckets.map((b: ExecutionUuidAggBucket) => formatAggExecutionEventFromBucket(b)), + }; +}; + +/** + * Formats sort field into bucket_sort agg format + * @param sort + */ +export const formatSortForBucketSort = (sort: estypes.Sort) => { + return (sort as estypes.SortCombinations[]).map((s) => + Object.keys(s).reduce( + (acc, curr) => ({ ...acc, [SORT_FIELD_TO_AGG_MAPPING[curr]]: get(s, curr) }), + {} + ) + ); +}; + +/** + * Formats sort field into terms agg format + * @param sort + */ +export const formatSortForTermsSort = (sort: estypes.Sort) => { + return (sort as estypes.SortCombinations[]).map((s) => + Object.keys(s).reduce( + (acc, curr) => ({ ...acc, [SORT_FIELD_TO_AGG_MAPPING[curr]]: get(s, `${curr}.order`) }), + {} + ) + ); +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/types.ts new file mode 100644 index 0000000000000..bfe5f7d4e631b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/types.ts @@ -0,0 +1,61 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; + +type AlertCounts = estypes.AggregationsMultiBucketAggregateBase & { + buckets: { + activeAlerts: estypes.AggregationsSingleBucketAggregateBase; + newAlerts: estypes.AggregationsSingleBucketAggregateBase; + recoveredAlerts: estypes.AggregationsSingleBucketAggregateBase; + }; +}; + +type ActionExecution = estypes.AggregationsTermsAggregateBase<{ + key: string; + doc_count: number; +}> & { + buckets: Array<{ key: string; doc_count: number }>; +}; + +export type ExecutionUuidAggBucket = estypes.AggregationsStringTermsBucketKeys & { + timeoutMessage: estypes.AggregationsMultiBucketBase; + ruleExecution: { + executeStartTime: estypes.AggregationsMinAggregate; + executionDuration: estypes.AggregationsMaxAggregate; + scheduleDelay: estypes.AggregationsMaxAggregate; + esSearchDuration: estypes.AggregationsMaxAggregate; + totalSearchDuration: estypes.AggregationsMaxAggregate; + numTriggeredActions: estypes.AggregationsMaxAggregate; + outcomeAndMessage: estypes.AggregationsTopHitsAggregate; + }; + alertCounts: AlertCounts; + actionExecution: { + actionOutcomes: ActionExecution; + }; + securityStatus: { + message: estypes.AggregationsTopHitsAggregate; + status: estypes.AggregationsTopHitsAggregate; + }; + securityMetrics: { + searchDuration: estypes.AggregationsMinAggregate; + indexDuration: estypes.AggregationsMinAggregate; + gapDuration: estypes.AggregationsMinAggregate; + }; +}; + +export type ExecutionUuidAggResult = + estypes.AggregationsAggregateBase & { + buckets: TBucket[]; + }; + +export interface ExecutionEventAggregationOptions { + maxExecutions: number; + page: number; + perPage: number; + sort: estypes.Sort; +} From de5e2e4cacd83e1c412e6ac6bbcd24dd5af21bcc Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Sun, 13 Mar 2022 22:37:49 -0600 Subject: [PATCH 07/24] Resolving duplicate i18n keys --- .../rules/details/execution_log_table/translations.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts index 5336f9092c6cc..24d1d3fad300b 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts @@ -147,14 +147,14 @@ export const COLUMN_SEARCH_DURATION_TOOLTIP = i18n.translate( ); export const COLUMN_SCHEDULING_DELAY = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumn', + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.schedulingDelayColumn', { defaultMessage: 'Scheduling Delay', } ); export const COLUMN_SCHEDULING_DELAY_TOOLTIP = i18n.translate( - 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumnTooltip', + 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.schedulingDelayColumnTooltip', { defaultMessage: 'The length of time from rule scheduled till rule executed (mm:ss:SSS)', } From 49e7431b371ae1feb0b2df6216044ddf5bd1c87b Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Mon, 14 Mar 2022 11:52:55 -0600 Subject: [PATCH 08/24] Fixing existing tests --- .../rules/use_rule_execution_events.test.tsx | 44 +++++++++---------- .../detection_engine/rules/details/index.tsx | 2 +- .../routes/__mocks__/request_responses.ts | 3 +- 3 files changed, 25 insertions(+), 24 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx index 85bdbf19bdb8a..2a4efb7f69491 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx @@ -89,30 +89,30 @@ describe('useRuleExecutionEvents', () => { expect(result.current.data).toEqual({ events: [ { - kibana: { - task: { - schedule_delay: 13980000000, - }, - alert: { - rule: { - execution: { - metrics: { - total_indexing_duration_ms: 0, - total_search_duration_ms: 9, - }, - status: 'succeeded', - }, - }, - }, - }, - event: { - duration: 2065000000, - }, - message: 'succeeded', - '@timestamp': '2022-02-01T05:51:27.143Z', + duration_ms: 3866, + es_search_duration_ms: 1236, + execution_uuid: '88d15095-7937-462c-8f21-9763e1387cad', + gap_duration_ms: 0, + indexing_duration_ms: 95, + message: + "rule executed: siem.queryRule:fb1fc150-a292-11ec-a2cf-c1b28b0392b0: 'Lots of Execution Events'", + num_active_alerts: 0, + num_errored_actions: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_succeeded_actions: 1, + num_triggered_actions: 1, + schedule_delay_ms: -127535, + search_duration_ms: 1255, + security_message: 'succeeded', + security_status: 'succeeded', + status: 'success', + timed_out: false, + timestamp: '2022-03-13T06:04:05.838Z', + total_search_duration_ms: 0, }, ], - maxEvents: 1, + total: 1, }); }); diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx index d3a6594faf038..82c7d4f3181f1 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx @@ -316,7 +316,7 @@ const RuleDetailsPageComponent: React.FC = ({ setRuleDetailTab(RuleDetailTabs.exceptions); } else { setTabs(ruleDetailTabs); - setRuleDetailTab(RuleDetailTabs.executionLogs); + setRuleDetailTab(RuleDetailTabs.alerts); } }, [hasIndexRead]); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts index 13aacbdffd12d..7822206c4d676 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -246,7 +246,8 @@ export const getRuleExecutionEventsRequest = () => query: { start: 'now-30', end: 'now', - filters: '', + queryText: '', + statusFilters: '', }, }); From 5c5c81c844810248fbbf7d0d770109b9b02629c4 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Mon, 14 Mar 2022 23:16:44 -0600 Subject: [PATCH 09/24] Move to EuiBasictable and support pagination & sorting through API --- ...ts => get_rule_execution_events_schema.ts} | 10 ++- .../containers/detection_engine/rules/api.ts | 26 ++++-- .../rules/use_rule_execution_events.tsx | 34 ++++++- .../execution_log_columns.tsx | 4 +- .../execution_log_search_bar.tsx | 2 +- .../execution_log_table.tsx | 83 +++++++++++++---- .../rules/get_rule_execution_events_route.ts | 17 +++- .../client_for_routes/client.ts | 8 ++ .../client_for_routes/client_interface.ts | 12 +++ .../event_log/event_log_reader.ts | 90 +++++++++++++++---- .../get_execution_event_aggregation/index.ts | 17 ++-- 11 files changed, 248 insertions(+), 55 deletions(-) rename x-pack/plugins/security_solution/common/detection_engine/schemas/request/{get_rule_execution_events_request.ts => get_rule_execution_events_schema.ts} (68%) diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts similarity index 68% rename from x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts rename to x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts index a1eabddb00917..328e3268aeb84 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts @@ -7,6 +7,8 @@ import * as t from 'io-ts'; +import { sort_field, sort_order } from '../common'; + export const GetRuleExecutionEventsRequestParams = t.exact( t.type({ ruleId: t.string, @@ -17,8 +19,12 @@ export const GetRuleExecutionEventsQueryParams = t.exact( t.type({ start: t.string, end: t.string, - queryText: t.union([t.string, t.undefined]), - statusFilters: t.union([t.string, t.undefined]), + query_text: t.union([t.string, t.undefined]), + status_filters: t.union([t.string, t.undefined]), + per_page: t.union([t.string, t.undefined]), + page: t.union([t.string, t.undefined]), + sort_field, + sort_order, }) ); diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts index 444ee1b686062..6824b0358623e 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts @@ -373,11 +373,15 @@ export const exportRules = async ({ /** * Fetch rule execution events (e.g. status changes) from Event Log. * - * @param ruleId string Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`) - * @param start string Start daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now-30`) - * @param end string End daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now/w`) + * @param ruleId Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`) + * @param start Start daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now-30`) + * @param end End daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now/w`) * @param queryText search string in querystring format (e.g. `event.duration > 1000 OR kibana.alert.rule.execution.metrics.execution_gap_duration_s > 100`) * @param statusFilters comma separated string of `statusFilters` (e.g. `succeeded,failed,partial failure`) + * @param page current page to fetch + * @param perPage number of results to fetch per page + * @param sortField field to sort by + * @param sortOrder what order to sort by (e.g. `asc` or `desc`) * @param signal AbortSignal Optional signal for cancelling the request * * @throws An error if response is not OK @@ -388,6 +392,10 @@ export const fetchRuleExecutionEvents = async ({ end, queryText, statusFilters, + page, + perPage, + sortField, + sortOrder, signal, }: { ruleId: string; @@ -395,6 +403,10 @@ export const fetchRuleExecutionEvents = async ({ end: string; queryText?: string; statusFilters?: string; + page?: number; + perPage?: number; + sortField?: string; + sortOrder?: string; signal?: AbortSignal; }): Promise => { const url = detectionEngineRuleExecutionEventsUrl(ruleId); @@ -403,8 +415,12 @@ export const fetchRuleExecutionEvents = async ({ query: { start, end, - queryText: queryText?.trim(), - statusFilters: statusFilters?.trim(), + query_text: queryText?.trim(), + status_filters: statusFilters?.trim(), + page, + per_page: perPage, + sort_field: sortField, + sort_order: sortOrder, }, signal, }); diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx index 45fa68962479d..33b965cab979f 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.tsx @@ -17,6 +17,10 @@ interface UseRuleExecutionEventsArgs { end: string; queryText?: string; statusFilters?: string; + page?: number; + perPage?: number; + sortField?: string; + sortOrder?: string; } export const useRuleExecutionEvents = ({ @@ -25,13 +29,39 @@ export const useRuleExecutionEvents = ({ end, queryText, statusFilters, + page, + perPage, + sortField, + sortOrder, }: UseRuleExecutionEventsArgs) => { const { addError } = useAppToasts(); return useQuery( - ['ruleExecutionEvents', ruleId, start, end, queryText, statusFilters], + [ + 'ruleExecutionEvents', + ruleId, + start, + end, + queryText, + statusFilters, + page, + perPage, + sortField, + sortOrder, + ], async ({ signal }) => { - return fetchRuleExecutionEvents({ ruleId, start, end, queryText, statusFilters, signal }); + return fetchRuleExecutionEvents({ + ruleId, + start, + end, + queryText, + statusFilters, + page, + perPage, + sortField, + sortOrder, + signal, + }); }, { onError: (e) => { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx index 68f6fe885bdc0..a8ccc66a54f47 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx @@ -33,7 +33,7 @@ export const EXECUTION_LOG_COLUMNS: Array value ? {value} : getEmptyTagValue(), - sortable: true, + sortable: false, truncateText: false, width: '10%', }, @@ -74,7 +74,7 @@ export const EXECUTION_LOG_COLUMNS: Array ), render: (value: string) => <>{value}, - sortable: true, + sortable: false, truncateText: false, width: '35%', }, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx index ada0fa4b8c2e5..170172cb95dc5 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx @@ -27,7 +27,7 @@ export const EXECUTION_LOG_SCHEMA_MAPPING = { duration: 'event.duration', message: 'message', gapDuration: 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', - indexingDuration: 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', + indexDuration: 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', searchDuration: 'kibana.alert.rule.execution.metrics.total_search_duration_ms', totalActions: 'kibana.alert.rule.execution.metrics.number_of_triggered_actions', schedulingDelay: 'kibana.task.schedule_delay', diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx index b4bae2ce52203..de79a6c33c0f1 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -17,10 +17,10 @@ import { OnTimeChangeProps, OnRefreshProps, OnRefreshChangeProps, - EuiInMemoryTable, EuiSpacer, EuiSwitch, EuiToolTip, + EuiBasicTable, } from '@elastic/eui'; import { buildFilter, FILTERS } from '@kbn/es-query'; import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; @@ -64,29 +64,61 @@ const ExecutionLogTableComponent: React.FC = ({ storage, timelines, } = useKibana().services; + // Datepicker state const [recentlyUsedRanges, setRecentlyUsedRanges] = useState([]); const [refreshInterval, setRefreshInterval] = useState(1000); const [isPaused, setIsPaused] = useState(true); const [start, setStart] = useState('now-24h'); const [end, setEnd] = useState('now'); + + // Searchbar/Filter/Settings state const [queryText, setQueryText] = useState(''); const [statusFilters, setStatusFilters] = useState(''); - const { indexPattern } = useSourcererDataView(SourcererScopeName.detections); - const { addError } = useAppToasts(); const [showMetricColumns, setShowMetricColumns] = useState( storage.get(RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY) ?? false ); + // Pagination state + const [pageIndex, setPageIndex] = useState(0); + const [pageSize, setPageSize] = useState(5); + const [sortField, setSortField] = useState('timestamp'); + const [sortDirection, setSortDirection] = useState('desc'); + // Index for `add filter` action and toasts for errors + const { indexPattern } = useSourcererDataView(SourcererScopeName.detections); + const { addError } = useAppToasts(); + + // Table data state const { data: events, dataUpdatedAt, isFetching, isLoading, refetch, - } = useRuleExecutionEvents({ ruleId, start, end, queryText, statusFilters }); + } = useRuleExecutionEvents({ + ruleId, + start, + end, + queryText, + statusFilters, + page: pageIndex, + perPage: pageSize, + sortField, + sortOrder: sortDirection, + }); const items = events?.events ?? []; const maxEvents = events?.total ?? 0; + // Callbacks + const onTableChangeCallback = useCallback(({ page = {}, sort = {} }) => { + const { index, size } = page; + const { field, direction } = sort; + + setPageIndex(index); + setPageSize(size); + setSortField(field); + setSortDirection(direction); + }, []); + const onTimeChangeCallback = useCallback( (props: OnTimeChangeProps) => { const recentlyUsedRange = recentlyUsedRanges.filter((range) => { @@ -147,6 +179,33 @@ const ExecutionLogTableComponent: React.FC = ({ [addError, filterManager, indexPattern, selectAlertsTab] ); + const onShowMetricColumnsCallback = useCallback( + (showMetrics: boolean) => { + storage.set(RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY, showMetrics); + setShowMetricColumns(showMetrics); + }, + [storage] + ); + + // Memoized state + const pagination = useMemo(() => { + return { + pageIndex, + pageSize, + totalItemCount: maxEvents, + pageSizeOptions: [5, 10, 25, 50], + }; + }, [maxEvents, pageIndex, pageSize]); + + const sorting = useMemo(() => { + return { + sort: { + field: sortField, + direction: sortDirection, + }, + }; + }, [sortDirection, sortField]); + const actions = useMemo( () => [ { @@ -183,14 +242,6 @@ const ExecutionLogTableComponent: React.FC = ({ [actions, docLinks, showMetricColumns] ); - const onShowMetricColumnsCallback = useCallback( - (showMetrics: boolean) => { - storage.set(RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY, showMetrics); - setShowMetricColumns(showMetrics); - }, - [storage] - ); - return ( <> @@ -254,12 +305,14 @@ const ExecutionLogTableComponent: React.FC = ({ - ); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts index 3696496034d07..0379c669eee24 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts @@ -15,7 +15,7 @@ import { DETECTION_ENGINE_RULE_EXECUTION_EVENTS_URL } from '../../../../../commo import { GetRuleExecutionEventsQueryParams, GetRuleExecutionEventsRequestParams, -} from '../../../../../common/detection_engine/schemas/request/get_rule_execution_events_request'; +} from '../../../../../common/detection_engine/schemas/request/get_rule_execution_events_schema'; /** * Returns execution events of a given rule (aggregated by executionId) from Event Log. @@ -35,7 +35,16 @@ export const getRuleExecutionEventsRoute = (router: SecuritySolutionPluginRouter }, async (context, request, response) => { const { ruleId } = request.params; - const { start, end, queryText = '', statusFilters = '' } = request.query; + const { + start, + end, + query_text: queryText = '', + status_filters: statusFilters = '', + page, + per_page: perPage, + sort_field: sortField = '@timestamp', + sort_order: sortOrder = 'desc', + } = request.query; const siemResponse = buildSiemResponse(response); try { @@ -46,6 +55,10 @@ export const getRuleExecutionEventsRoute = (router: SecuritySolutionPluginRouter end, queryText, statusFilters: statusFilters.length ? statusFilters.split(',') : [], + page: page != null ? parseInt(page, 10) : 0, + perPage: perPage != null ? parseInt(perPage, 10) : 10, + sortField, + sortOrder, }); const responseBody: GetAggregateRuleExecutionEventsResponse = { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts index c4a71db2d3e32..1ee23da39fe74 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client.ts @@ -35,6 +35,10 @@ export const createClientForRoutes = ( end, queryText, statusFilters, + page, + perPage, + sortField, + sortOrder, }: GetAggregateExecutionEventsArgs): Promise { return withSecuritySpan( 'IRuleExecutionLogForRoutes.getAggregateExecutionEvents', @@ -46,6 +50,10 @@ export const createClientForRoutes = ( end, queryText, statusFilters, + page, + perPage, + sortField, + sortOrder, }); } catch (e) { const logMessage = diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts index 96bf802439ab4..541eaa827097d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/client_for_routes/client_interface.ts @@ -17,6 +17,10 @@ export interface GetAggregateExecutionEventsArgs { end: string; queryText: string; statusFilters: string[]; + page: number; + perPage: number; + sortField: string; + sortOrder: string; } /** @@ -33,6 +37,10 @@ export interface IRuleExecutionLogForRoutes { * @param end end of daterange to filter to * @param queryText string of field-based filters, e.g. kibana.alert.rule.execution.status:* * @param statusFilters array of status filters, e.g. ['succeeded', 'going to run'] + * @param page current page to fetch + * @param perPage number of results to fetch per page + * @param sortField field to sort by + * @param sortOrder what order to sort by (e.g. `asc` or `desc`) */ getAggregateExecutionEvents({ ruleId, @@ -40,6 +48,10 @@ export interface IRuleExecutionLogForRoutes { end, queryText, statusFilters, + page, + perPage, + sortField, + sortOrder, }: GetAggregateExecutionEventsArgs): Promise; /** diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index 200ecda30358a..e5002bff17a6a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -6,6 +6,7 @@ */ import dateMath from '@elastic/datemath'; +import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; import { IEventLogClient } from '../../../../../../event_log/server'; @@ -41,6 +42,10 @@ export interface GetAggregateExecutionEventsArgs { end: string; queryText: string; statusFilters: string[]; + page: number; + perPage: number; + sortField: string; + sortOrder: string; } export interface GetLastStatusChangesArgs { @@ -54,7 +59,8 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader async getAggregateExecutionEvents( args: GetAggregateExecutionEventsArgs ): Promise { - const { ruleId, start, end, queryText, statusFilters } = args; + const { ruleId, start, end, queryText, statusFilters, page, perPage, sortField, sortOrder } = + args; const soType = RULE_SAVED_OBJECT_TYPE; const soIds = [ruleId]; const startDate = dateMath.parse(start); @@ -62,20 +68,49 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader invariant(startDate?.isValid(), `Required "start" field is not valid: ${start}`); invariant(endDate?.isValid(), `Required "end" field is not valid: ${end}`); + // TODO: validate remaining params + + // Current workaround to support root level filters without missing fields in the aggregate event + // or including events from statuses that aren't selected + // TODO: See: https://github.com/elastic/kibana/pull/127339/files#r825240516 + // First fetch execution uuid's by status filter if provided + let statusIds: string[] = []; + if (statusFilters.length) { + const statusResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { + start: startDate?.utc().toISOString(), + end: endDate?.utc().toISOString(), + filter: `kibana.alert.rule.execution.status:(${statusFilters.join(' OR ')})`, + aggs: { + filteredExecutionUUIDs: { + terms: { + field: 'kibana.alert.rule.execution.uuid', + size: MAX_EXECUTION_EVENTS_DISPLAYED, + }, + }, + }, + }); + const filteredExecutionUUIDs = statusResults.aggregations + ?.filteredExecutionUUIDs as ExecutionUuidAggResult; + statusIds = filteredExecutionUUIDs?.buckets?.map((b) => b.key) ?? []; + // Early return if no results based on status filter + if (statusIds.length === 0) { + return { + total: 0, + events: [], + }; + } + } - const filterString = statusFilters.length - ? `kibana.alert.rule.execution.status:(${statusFilters.join(' OR ')})` - : ''; - const filter = queryText.length ? `${queryText} AND ${filterString}` : filterString; - - let idsFilter = ''; - if (filter.length) { - // TODO: Current workaround to support root level filters without missing fields in the aggregate event - // TODO: See: https://github.com/elastic/kibana/pull/127339/files#r825240516 + // Now fetch execution uuid's with user provided filter and constraining to statusId's + let filterIds: string[] = []; + if (queryText.length) { + const queryTextFilter = statusFilters.length + ? `${queryText} AND kibana.alert.rule.execution.uuid:(${statusIds.join(' OR ')})` + : queryText; const filteredResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { start: startDate?.utc().toISOString(), end: endDate?.utc().toISOString(), - filter, + filter: queryTextFilter, aggs: { filteredExecutionUUIDs: { terms: { @@ -87,21 +122,40 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader }); const filteredExecutionUUIDs = filteredResults.aggregations ?.filteredExecutionUUIDs as ExecutionUuidAggResult; - const filteredIds = filteredExecutionUUIDs?.buckets?.map((b) => b.key) ?? []; - idsFilter = filteredIds.length - ? `kibana.alert.rule.execution.uuid:(${filteredIds.join(' OR ')})` - : ''; + filterIds = filteredExecutionUUIDs?.buckets?.map((b) => b.key) ?? []; + // Early return if no results based on queryText filter + if (filterIds.length === 0) { + return { + total: 0, + events: [], + }; + } + } + + // + const statusAndFilterIds = Array.from(new Set([...statusIds, ...filterIds])); + // Early return if no results based on both status and queryText filter + if ((statusFilters.length || queryText.length) && statusAndFilterIds.length === 0) { + return { + total: 0, + events: [], + }; } + // Finally, query for aggregate events, and pass any ID's as filters as determined from the above status/queryText results + const idsFilter = statusAndFilterIds.length + ? `kibana.alert.rule.execution.uuid:(${statusAndFilterIds.join(' OR ')})` + : ''; + const results = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { start: startDate?.utc().toISOString(), // TODO: Is there a way to get typescript to know startDate isn't null based on the above invariant? end: endDate?.utc().toISOString(), filter: idsFilter, aggs: getExecutionEventAggregation({ maxExecutions: MAX_EXECUTION_EVENTS_DISPLAYED, - page: 1, - perPage: 10, - sort: [{ timestamp: { order: 'desc' } }], + page, + perPage, + sort: [{ [sortField]: { order: sortOrder } }] as estypes.Sort, }), }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts index dbb4786234c75..93fb1ca2ae8fe 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts @@ -44,15 +44,16 @@ const ONE_MILLISECOND_AS_NANOSECONDS = 1_000_000; const SORT_FIELD_TO_AGG_MAPPING: Record = { status: 'ruleExecution>status', timestamp: 'ruleExecution>executeStartTime', - execution_duration: 'ruleExecution>executionDuration', - total_indexing_duration: 'securityMetrics>indexingDuration', - total_search_duration: 'securityMetrics>totalSearchDuration', - gap_duration: 'securityMetrics>gapDuration', - schedule_delay: 'ruleExecution>scheduleDelay', + duration_ms: 'ruleExecution>executionDuration', + indexing_duration_ms: 'securityMetrics>indexDuration', + search_duration_ms: 'securityMetrics>searchDuration', + gap_duration_ms: 'securityMetrics>gapDuration', + schedule_delay_ms: 'ruleExecution>scheduleDelay', num_triggered_actions: 'ruleExecution>numTriggeredActions', + security_status: 'securityStatus>status', // TODO: To be added in https://github.com/elastic/kibana/pull/126210 - // total_alerts_created: 'ruleExecution>totalAlertsDetected', - // total_alerts_detected: 'ruleExecution>totalAlertsCreated', + // total_alerts_created: 'securityMetrics>totalAlertsDetected', + // total_alerts_detected: 'securityMetrics>totalAlertsCreated', }; /** @@ -87,7 +88,7 @@ export const getExecutionEventAggregation = ({ executionUuidSorted: { bucket_sort: { sort: formatSortForBucketSort(sort), - from: (page - 1) * perPage, + from: page * perPage, size: perPage, }, }, From a6df26ee1a0087fb54705270078092feb29f9956 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 15 Mar 2022 09:40:07 -0600 Subject: [PATCH 10/24] Fixing tests --- .../schemas/request/get_rule_execution_events_schema.ts | 6 +++--- .../detection_engine/routes/__mocks__/request_responses.ts | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts index 328e3268aeb84..798e9abb5adec 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts @@ -7,7 +7,7 @@ import * as t from 'io-ts'; -import { sort_field, sort_order } from '../common'; +import { sortFieldOrUndefined, sortOrderOrUndefined } from '../common'; export const GetRuleExecutionEventsRequestParams = t.exact( t.type({ @@ -23,8 +23,8 @@ export const GetRuleExecutionEventsQueryParams = t.exact( status_filters: t.union([t.string, t.undefined]), per_page: t.union([t.string, t.undefined]), page: t.union([t.string, t.undefined]), - sort_field, - sort_order, + sort_field: sortFieldOrUndefined, + sort_order: sortOrderOrUndefined, }) ); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts index 7822206c4d676..0c9418657a4eb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -246,8 +246,8 @@ export const getRuleExecutionEventsRequest = () => query: { start: 'now-30', end: 'now', - queryText: '', - statusFilters: '', + query_text: '', + status_filters: '', }, }); From c9a6088bd54912e4a37a354baf20c8d122d8b4cb Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 15 Mar 2022 12:00:35 -0600 Subject: [PATCH 11/24] More test updates --- .../detections/containers/detection_engine/rules/api.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts index d92e078c73d93..c608826db9b0d 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts @@ -693,8 +693,8 @@ describe('Detections Rules API', () => { method: 'GET', query: { end: 'now', - queryText: '', - statusFilters: '', + query_text: '', + status_filters: '', start: 'now-30', }, signal: abortCtrl.signal, From 53edd9a67e4781e1d457fa3d359bd69d5ef883b7 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 15 Mar 2022 23:35:33 -0600 Subject: [PATCH 12/24] Adding API integration and backend tests --- .../containers/detection_engine/rules/api.ts | 7 +- .../execution_log_table.tsx | 7 +- .../get_rule_execution_events_route.test.ts | 1 + .../rules/get_rule_execution_events_route.ts | 2 +- .../event_log/event_log_reader.ts | 25 +- .../index.test.ts | 1320 +++++++++++++++++ .../get_execution_event_aggregation/index.ts | 36 +- .../tests/get_rule_execution_events.ts | 197 +++ .../security_and_spaces/tests/index.ts | 1 + 9 files changed, 1569 insertions(+), 27 deletions(-) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts create mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts index 6824b0358623e..b314d272cd57b 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts @@ -6,6 +6,7 @@ */ import { camelCase } from 'lodash'; +import dateMath from '@elastic/datemath'; import { HttpStart } from 'src/core/public'; import { @@ -410,11 +411,13 @@ export const fetchRuleExecutionEvents = async ({ signal?: AbortSignal; }): Promise => { const url = detectionEngineRuleExecutionEventsUrl(ruleId); + const startDate = dateMath.parse(start); + const endDate = dateMath.parse(end, { roundUp: true }); return KibanaServices.get().http.fetch(url, { method: 'GET', query: { - start, - end, + start: startDate?.utc().toISOString(), + end: endDate?.utc().toISOString(), query_text: queryText?.trim(), status_filters: statusFilters?.trim(), page, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx index de79a6c33c0f1..3e0683db80cc2 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -5,6 +5,7 @@ * 2.0. */ +import { SortOrder } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { DurationRange } from '@elastic/eui/src/components/date_picker/types'; import { get } from 'lodash'; import styled from 'styled-components'; @@ -25,6 +26,7 @@ import { import { buildFilter, FILTERS } from '@kbn/es-query'; import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; import { RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY } from '../../../../../../../common/constants'; +import { AggregateRuleExecutionEvent } from '../../../../../../../common/detection_engine/schemas/common'; import { UtilityBar, @@ -81,8 +83,8 @@ const ExecutionLogTableComponent: React.FC = ({ // Pagination state const [pageIndex, setPageIndex] = useState(0); const [pageSize, setPageSize] = useState(5); - const [sortField, setSortField] = useState('timestamp'); - const [sortDirection, setSortDirection] = useState('desc'); + const [sortField, setSortField] = useState('timestamp'); + const [sortDirection, setSortDirection] = useState('desc'); // Index for `add filter` action and toasts for errors const { indexPattern } = useSourcererDataView(SourcererScopeName.detections); const { addError } = useAppToasts(); @@ -310,7 +312,6 @@ const ExecutionLogTableComponent: React.FC = ({ items={items} loading={isFetching} pagination={pagination} - // @ts-ignore-next-line //TODO: Resole sorting type sorting={sorting} onChange={onTableChangeCallback} /> diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts index b41c7e6537fcf..335fefa1ba125 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts @@ -24,6 +24,7 @@ describe('getRuleExecutionEventsRoute', () => { }); describe('when it finds events in rule execution log', () => { + // TODO: Increase integrity of test coverage, including default params, boundaries, etc it('returns 200 response with the events', async () => { const executionEvents = getAggregateExecutionEvents(); clients.ruleExecutionLog.getAggregateExecutionEvents.mockResolvedValue(executionEvents); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts index 0379c669eee24..d74f1df329730 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.ts @@ -42,7 +42,7 @@ export const getRuleExecutionEventsRoute = (router: SecuritySolutionPluginRouter status_filters: statusFilters = '', page, per_page: perPage, - sort_field: sortField = '@timestamp', + sort_field: sortField = 'timestamp', sort_order: sortOrder = 'desc', } = request.query; const siemResponse = buildSiemResponse(response); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index e5002bff17a6a..125811aa5549d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -5,7 +5,6 @@ * 2.0. */ -import dateMath from '@elastic/datemath'; import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; import { IEventLogClient } from '../../../../../../event_log/server'; @@ -63,12 +62,6 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader args; const soType = RULE_SAVED_OBJECT_TYPE; const soIds = [ruleId]; - const startDate = dateMath.parse(start); - const endDate = dateMath.parse(end, { roundUp: true }); - - invariant(startDate?.isValid(), `Required "start" field is not valid: ${start}`); - invariant(endDate?.isValid(), `Required "end" field is not valid: ${end}`); - // TODO: validate remaining params // Current workaround to support root level filters without missing fields in the aggregate event // or including events from statuses that aren't selected @@ -77,14 +70,15 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader let statusIds: string[] = []; if (statusFilters.length) { const statusResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { - start: startDate?.utc().toISOString(), - end: endDate?.utc().toISOString(), + start, + end, filter: `kibana.alert.rule.execution.status:(${statusFilters.join(' OR ')})`, aggs: { filteredExecutionUUIDs: { terms: { field: 'kibana.alert.rule.execution.uuid', size: MAX_EXECUTION_EVENTS_DISPLAYED, + order: { '@timestamp': 'desc' }, }, }, }, @@ -108,14 +102,15 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader ? `${queryText} AND kibana.alert.rule.execution.uuid:(${statusIds.join(' OR ')})` : queryText; const filteredResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { - start: startDate?.utc().toISOString(), - end: endDate?.utc().toISOString(), + start, + end, filter: queryTextFilter, aggs: { filteredExecutionUUIDs: { terms: { field: 'kibana.alert.rule.execution.uuid', size: MAX_EXECUTION_EVENTS_DISPLAYED, + order: { '@timestamp': 'desc' }, }, }, }, @@ -132,9 +127,8 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader } } - // - const statusAndFilterIds = Array.from(new Set([...statusIds, ...filterIds])); // Early return if no results based on both status and queryText filter + const statusAndFilterIds = Array.from(new Set([...statusIds, ...filterIds])); if ((statusFilters.length || queryText.length) && statusAndFilterIds.length === 0) { return { total: 0, @@ -146,10 +140,9 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader const idsFilter = statusAndFilterIds.length ? `kibana.alert.rule.execution.uuid:(${statusAndFilterIds.join(' OR ')})` : ''; - const results = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { - start: startDate?.utc().toISOString(), // TODO: Is there a way to get typescript to know startDate isn't null based on the above invariant? - end: endDate?.utc().toISOString(), + start, + end, filter: idsFilter, aggs: getExecutionEventAggregation({ maxExecutions: MAX_EXECUTION_EVENTS_DISPLAYED, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts new file mode 100644 index 0000000000000..0b1b951795845 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts @@ -0,0 +1,1320 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; + +import { + formatExecutionEventResponse, + formatSortForBucketSort, + formatSortForTermsSort, + getExecutionEventAggregation, + getProviderAndActionFilter, +} from './index'; + +describe('getExecutionEventAggregation', () => { + test('should throw error when given bad maxExecutions field', () => { + expect(() => { + getExecutionEventAggregation({ + maxExecutions: 1001, + page: 1, + perPage: 10, + sort: [{ timestamp: { order: 'asc' } }], + }); + }).toThrowErrorMatchingInlineSnapshot( + `"Invalid maxExecutions requested \\"1001\\" - must be less than ${MAX_EXECUTION_EVENTS_DISPLAYED}"` + ); + }); + + test('should throw error when given bad page field', () => { + expect(() => { + getExecutionEventAggregation({ + maxExecutions: 5, + page: -1, + perPage: 10, + sort: [{ timestamp: { order: 'asc' } }], + }); + }).toThrowErrorMatchingInlineSnapshot(`"Invalid page field \\"-1\\" - must be greater than 0"`); + }); + + test('should throw error when given bad perPage field', () => { + expect(() => { + getExecutionEventAggregation({ + maxExecutions: 5, + page: 1, + perPage: 0, + sort: [{ timestamp: { order: 'asc' } }], + }); + }).toThrowErrorMatchingInlineSnapshot( + `"Invalid perPage field \\"0\\" - must be greater than 0"` + ); + }); + + test('should throw error when given bad sort field', () => { + expect(() => { + getExecutionEventAggregation({ + maxExecutions: 5, + page: 1, + perPage: 10, + sort: [{ notsortable: { order: 'asc' } }], + }); + }).toThrowErrorMatchingInlineSnapshot( + `"Invalid sort field \\"notsortable\\" - must be one of [timestamp,duration_ms,indexing_duration_ms,search_duration_ms,gap_duration_ms,schedule_delay_ms,num_triggered_actions]"` + ); + }); + + test('should throw error when given one bad sort field', () => { + expect(() => { + getExecutionEventAggregation({ + maxExecutions: 5, + page: 1, + perPage: 10, + sort: [{ notsortable: { order: 'asc' } }, { timestamp: { order: 'asc' } }], + }); + }).toThrowErrorMatchingInlineSnapshot( + `"Invalid sort field \\"notsortable\\" - must be one of [timestamp,duration_ms,indexing_duration_ms,search_duration_ms,gap_duration_ms,schedule_delay_ms,num_triggered_actions]"` + ); + }); + + test('should correctly generate aggregation', () => { + expect( + getExecutionEventAggregation({ + maxExecutions: 5, + page: 2, + perPage: 10, + sort: [{ timestamp: { order: 'asc' } }, { duration_ms: { order: 'desc' } }], + }) + ).toEqual({ + totalExecutions: { + cardinality: { + field: 'kibana.alert.rule.execution.uuid', + }, + }, + executionUuid: { + terms: { + field: 'kibana.alert.rule.execution.uuid', + size: 5, + order: [ + { + 'ruleExecution>executeStartTime': 'asc', + }, + { + 'ruleExecution>executionDuration': 'desc', + }, + ], + }, + aggs: { + executionUuidSorted: { + bucket_sort: { + sort: [ + { + 'ruleExecution>executeStartTime': { + order: 'asc', + }, + }, + { + 'ruleExecution>executionDuration': { + order: 'desc', + }, + }, + ], + from: 20, + size: 10, + }, + }, + actionExecution: { + filter: { + bool: { + must: [ + { + match: { + 'event.action': 'execute', + }, + }, + { + match: { + 'event.provider': 'actions', + }, + }, + ], + }, + }, + aggs: { + actionOutcomes: { + terms: { + field: 'event.outcome', + size: 2, + }, + }, + }, + }, + ruleExecution: { + filter: { + bool: { + must: [ + { + match: { + 'event.action': 'execute', + }, + }, + { + match: { + 'event.provider': 'alerting', + }, + }, + ], + }, + }, + aggs: { + executeStartTime: { + min: { + field: 'event.start', + }, + }, + scheduleDelay: { + max: { + field: 'kibana.task.schedule_delay', + }, + }, + esSearchDuration: { + max: { + field: 'kibana.alert.rule.execution.metrics.es_search_duration_ms', + }, + }, + numTriggeredActions: { + max: { + field: 'kibana.alert.rule.execution.metrics.number_of_triggered_actions', + }, + }, + executionDuration: { + max: { + field: 'event.duration', + }, + }, + outcomeAndMessage: { + top_hits: { + size: 1, + _source: { + includes: ['event.outcome', 'message'], + }, + }, + }, + }, + }, + securityMetrics: { + filter: { + bool: { + must: [ + { + match: { + 'event.action': 'execution-metrics', + }, + }, + { + match: { + 'event.provider': 'securitySolution.ruleExecution', + }, + }, + ], + }, + }, + aggs: { + gapDuration: { + min: { + field: 'kibana.alert.rule.execution.metrics.execution_gap_duration_s', + missing: 0, + }, + }, + indexDuration: { + min: { + field: 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms', + }, + }, + searchDuration: { + min: { + field: 'kibana.alert.rule.execution.metrics.total_search_duration_ms', + }, + }, + }, + }, + securityStatus: { + filter: { + bool: { + must: [ + { + match: { + 'event.action': 'status-change', + }, + }, + { + match: { + 'event.provider': 'securitySolution.ruleExecution', + }, + }, + ], + }, + }, + aggs: { + status: { + top_hits: { + sort: { + '@timestamp': { + order: 'desc', + }, + }, + size: 1, + _source: { + includes: 'kibana.alert.rule.execution.status', + }, + }, + }, + message: { + top_hits: { + size: 1, + sort: { + '@timestamp': { + order: 'desc', + }, + }, + _source: { + includes: 'message', + }, + }, + }, + }, + }, + timeoutMessage: { + filter: { + bool: { + must: [ + { + match: { + 'event.action': 'execute-timeout', + }, + }, + { + match: { + 'event.provider': 'alerting', + }, + }, + ], + }, + }, + }, + }, + }, + }); + }); +}); + +describe('getProviderAndActionFilter', () => { + test('should correctly format array of sort combinations for bucket sorting', () => { + expect(getProviderAndActionFilter('securitySolution.ruleExecution', 'status-change')).toEqual({ + bool: { + must: [ + { match: { 'event.action': 'status-change' } }, + { match: { 'event.provider': 'securitySolution.ruleExecution' } }, + ], + }, + }); + }); +}); + +describe('formatSortForBucketSort', () => { + test('should correctly format array of sort combinations for bucket sorting', () => { + expect( + formatSortForBucketSort([{ timestamp: { order: 'desc' } }, { duration_ms: { order: 'asc' } }]) + ).toEqual([ + { 'ruleExecution>executeStartTime': { order: 'desc' } }, + { 'ruleExecution>executionDuration': { order: 'asc' } }, + ]); + }); +}); + +describe('formatSortForTermsSort', () => { + test('should correctly format array of sort combinations for bucket sorting', () => { + expect( + formatSortForTermsSort([{ timestamp: { order: 'desc' } }, { duration_ms: { order: 'asc' } }]) + ).toEqual([ + { 'ruleExecution>executeStartTime': 'desc' }, + { 'ruleExecution>executionDuration': 'asc' }, + ]); + }); +}); + +describe('formatExecutionEventResponse', () => { + test('should return empty results if aggregations are undefined', () => { + expect(formatExecutionEventResponse({ aggregations: undefined })).toEqual({ + total: 0, + events: [], + }); + }); + test('should format results correctly', () => { + const results = { + aggregations: { + executionUuid: { + meta: {}, + doc_count_error_upper_bound: -1, + sum_other_doc_count: 1184, + buckets: [ + { + key: '01e458c9-d01a-4359-94f9-1ed256c6488e', + doc_count: 6, + timeoutMessage: { + meta: {}, + doc_count: 0, + }, + securityMetrics: { + meta: {}, + doc_count: 1, + searchDuration: { + value: 480.0, + }, + indexDuration: { + value: 7.0, + }, + gapDuration: { + value: 0.0, + }, + }, + ruleExecution: { + meta: {}, + doc_count: 1, + numTriggeredActions: { + value: 0.0, + }, + scheduleDelay: { + value: 3.147e9, + }, + outcomeAndMessage: { + hits: { + total: { + value: 1, + relation: 'eq', + }, + max_score: 1.0, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'Ca-qiX8Brb7RSEAgSLXB', + _score: 1.0, + _source: { + event: { + outcome: 'success', + }, + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + }, + }, + ], + }, + }, + esSearchDuration: { + value: 464.0, + }, + executionDuration: { + value: 1.775e9, + }, + executeStartTime: { + value: 1.647282110867e12, + value_as_string: '2022-03-14T18:21:50.867Z', + }, + }, + actionExecution: { + meta: {}, + doc_count: 0, + actionOutcomes: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [], + }, + }, + securityStatus: { + meta: {}, + doc_count: 2, + message: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'B6-qiX8Brb7RSEAgSLXB', + _score: null, + _source: { + message: 'succeeded', + }, + sort: [1647282112198], + }, + ], + }, + }, + status: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'B6-qiX8Brb7RSEAgSLXB', + _score: null, + _source: { + kibana: { + alert: { + rule: { + execution: { + status: 'succeeded', + }, + }, + }, + }, + }, + sort: [1647282112198], + }, + ], + }, + }, + }, + }, + { + key: '02b7c7a4-ae1a-4da5-b134-c2fb96eb0e04', + doc_count: 5, + timeoutMessage: { + meta: {}, + doc_count: 0, + }, + securityMetrics: { + meta: {}, + doc_count: 1, + searchDuration: { + value: 9.0, + }, + indexDuration: { + value: 0.0, + }, + gapDuration: { + value: 0.0, + }, + }, + ruleExecution: { + meta: {}, + doc_count: 1, + numTriggeredActions: { + value: 0.0, + }, + scheduleDelay: { + value: 9.96e8, + }, + outcomeAndMessage: { + hits: { + total: { + value: 1, + relation: 'eq', + }, + max_score: 1.0, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'pK84iX8Brb7RSEAg3a-L', + _score: 1.0, + _source: { + event: { + outcome: 'success', + }, + message: + "rule executed: siem.queryRule:7457b121-a3a8-11ec-a0f0-cbd1c2ae6ee8: 'Endpoint Security'", + }, + }, + ], + }, + }, + esSearchDuration: { + value: 5.0, + }, + executionDuration: { + value: 1.922e9, + }, + executeStartTime: { + value: 1.647274677664e12, + value_as_string: '2022-03-14T16:17:57.664Z', + }, + }, + actionExecution: { + meta: {}, + doc_count: 0, + actionOutcomes: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [], + }, + }, + securityStatus: { + meta: {}, + doc_count: 2, + message: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'o684iX8Brb7RSEAg2a-j', + _score: null, + _source: { + message: 'succeeded', + }, + sort: [1647274678629], + }, + ], + }, + }, + status: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'o684iX8Brb7RSEAg2a-j', + _score: null, + _source: { + kibana: { + alert: { + rule: { + execution: { + status: 'succeeded', + }, + }, + }, + }, + }, + sort: [1647274678629], + }, + ], + }, + }, + }, + }, + ], + }, + totalExecutions: { + value: 768, + }, + }, + }; + expect(formatExecutionEventResponse(results)).toEqual({ + total: 768, + events: [ + { + execution_uuid: '01e458c9-d01a-4359-94f9-1ed256c6488e', + timestamp: '2022-03-14T18:21:50.867Z', + duration_ms: 1775, + status: 'success', + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 0, + num_succeeded_actions: 0, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 464, + schedule_delay_ms: 3147, + timed_out: false, + indexing_duration_ms: 7, + search_duration_ms: 480, + gap_duration_ms: 0, + security_status: 'succeeded', + security_message: 'succeeded', + }, + { + execution_uuid: '02b7c7a4-ae1a-4da5-b134-c2fb96eb0e04', + timestamp: '2022-03-14T16:17:57.664Z', + duration_ms: 1922, + status: 'success', + message: + "rule executed: siem.queryRule:7457b121-a3a8-11ec-a0f0-cbd1c2ae6ee8: 'Endpoint Security'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 0, + num_succeeded_actions: 0, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 5, + schedule_delay_ms: 996, + timed_out: false, + indexing_duration_ms: 0, + search_duration_ms: 9, + gap_duration_ms: 0, + security_status: 'succeeded', + security_message: 'succeeded', + }, + ], + }); + }); + + test('should format results correctly when execution timeouts occur', () => { + const results = { + aggregations: { + executionUuid: { + meta: {}, + doc_count_error_upper_bound: -1, + sum_other_doc_count: 1184, + buckets: [ + { + key: '01e458c9-d01a-4359-94f9-1ed256c6488e', + doc_count: 6, + timeoutMessage: { + meta: {}, + doc_count: 1, + }, + securityMetrics: { + meta: {}, + doc_count: 1, + searchDuration: { + value: 480.0, + }, + indexDuration: { + value: 7.0, + }, + gapDuration: { + value: 0.0, + }, + }, + ruleExecution: { + meta: {}, + doc_count: 1, + numTriggeredActions: { + value: 0.0, + }, + scheduleDelay: { + value: 3.147e9, + }, + outcomeAndMessage: { + hits: { + total: { + value: 1, + relation: 'eq', + }, + max_score: 1.0, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'Ca-qiX8Brb7RSEAgSLXB', + _score: 1.0, + _source: { + event: { + outcome: 'success', + }, + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + }, + }, + ], + }, + }, + esSearchDuration: { + value: 464.0, + }, + executionDuration: { + value: 1.775e9, + }, + executeStartTime: { + value: 1.647282110867e12, + value_as_string: '2022-03-14T18:21:50.867Z', + }, + }, + actionExecution: { + meta: {}, + doc_count: 0, + actionOutcomes: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [], + }, + }, + securityStatus: { + meta: {}, + doc_count: 2, + message: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'B6-qiX8Brb7RSEAgSLXB', + _score: null, + _source: { + message: 'succeeded', + }, + sort: [1647282112198], + }, + ], + }, + }, + status: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'B6-qiX8Brb7RSEAgSLXB', + _score: null, + _source: { + kibana: { + alert: { + rule: { + execution: { + status: 'succeeded', + }, + }, + }, + }, + }, + sort: [1647282112198], + }, + ], + }, + }, + }, + }, + { + key: '02b7c7a4-ae1a-4da5-b134-c2fb96eb0e04', + doc_count: 5, + timeoutMessage: { + meta: {}, + doc_count: 0, + }, + securityMetrics: { + meta: {}, + doc_count: 1, + searchDuration: { + value: 9.0, + }, + indexDuration: { + value: 0.0, + }, + gapDuration: { + value: 0.0, + }, + }, + ruleExecution: { + meta: {}, + doc_count: 1, + numTriggeredActions: { + value: 0.0, + }, + scheduleDelay: { + value: 9.96e8, + }, + outcomeAndMessage: { + hits: { + total: { + value: 1, + relation: 'eq', + }, + max_score: 1.0, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'pK84iX8Brb7RSEAg3a-L', + _score: 1.0, + _source: { + event: { + outcome: 'success', + }, + message: + "rule executed: siem.queryRule:7457b121-a3a8-11ec-a0f0-cbd1c2ae6ee8: 'Endpoint Security'", + }, + }, + ], + }, + }, + esSearchDuration: { + value: 5.0, + }, + executionDuration: { + value: 1.922e9, + }, + executeStartTime: { + value: 1.647274677664e12, + value_as_string: '2022-03-14T16:17:57.664Z', + }, + }, + actionExecution: { + meta: {}, + doc_count: 0, + actionOutcomes: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [], + }, + }, + securityStatus: { + meta: {}, + doc_count: 2, + message: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'o684iX8Brb7RSEAg2a-j', + _score: null, + _source: { + message: 'succeeded', + }, + sort: [1647274678629], + }, + ], + }, + }, + status: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'o684iX8Brb7RSEAg2a-j', + _score: null, + _source: { + kibana: { + alert: { + rule: { + execution: { + status: 'succeeded', + }, + }, + }, + }, + }, + sort: [1647274678629], + }, + ], + }, + }, + }, + }, + ], + }, + totalExecutions: { + value: 768, + }, + }, + }; + expect(formatExecutionEventResponse(results)).toEqual({ + total: 768, + events: [ + { + execution_uuid: '01e458c9-d01a-4359-94f9-1ed256c6488e', + timestamp: '2022-03-14T18:21:50.867Z', + duration_ms: 1775, + status: 'success', + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 0, + num_succeeded_actions: 0, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 464, + schedule_delay_ms: 3147, + timed_out: true, + indexing_duration_ms: 7, + search_duration_ms: 480, + gap_duration_ms: 0, + security_status: 'succeeded', + security_message: 'succeeded', + }, + { + execution_uuid: '02b7c7a4-ae1a-4da5-b134-c2fb96eb0e04', + timestamp: '2022-03-14T16:17:57.664Z', + duration_ms: 1922, + status: 'success', + message: + "rule executed: siem.queryRule:7457b121-a3a8-11ec-a0f0-cbd1c2ae6ee8: 'Endpoint Security'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 0, + num_succeeded_actions: 0, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 5, + schedule_delay_ms: 996, + timed_out: false, + indexing_duration_ms: 0, + search_duration_ms: 9, + gap_duration_ms: 0, + security_status: 'succeeded', + security_message: 'succeeded', + }, + ], + }); + }); + + test('should format results correctly when action errors occur', () => { + const results = { + aggregations: { + executionUuid: { + meta: {}, + doc_count_error_upper_bound: -1, + sum_other_doc_count: 1184, + buckets: [ + { + key: '01e458c9-d01a-4359-94f9-1ed256c6488e', + doc_count: 6, + timeoutMessage: { + meta: {}, + doc_count: 1, + }, + securityMetrics: { + meta: {}, + doc_count: 1, + searchDuration: { + value: 480.0, + }, + indexDuration: { + value: 7.0, + }, + gapDuration: { + value: 0.0, + }, + }, + ruleExecution: { + meta: {}, + doc_count: 1, + numTriggeredActions: { + value: 0.0, + }, + scheduleDelay: { + value: 3.147e9, + }, + outcomeAndMessage: { + hits: { + total: { + value: 1, + relation: 'eq', + }, + max_score: 1.0, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'Ca-qiX8Brb7RSEAgSLXB', + _score: 1.0, + _source: { + event: { + outcome: 'success', + }, + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + }, + }, + ], + }, + }, + esSearchDuration: { + value: 464.0, + }, + executionDuration: { + value: 1.775e9, + }, + executeStartTime: { + value: 1.647282110867e12, + value_as_string: '2022-03-14T18:21:50.867Z', + }, + }, + actionExecution: { + meta: {}, + doc_count: 5, + actionOutcomes: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [ + { + key: 'success', + doc_count: 5, + }, + ], + }, + }, + securityStatus: { + meta: {}, + doc_count: 2, + message: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'B6-qiX8Brb7RSEAgSLXB', + _score: null, + _source: { + message: 'succeeded', + }, + sort: [1647282112198], + }, + ], + }, + }, + status: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'B6-qiX8Brb7RSEAgSLXB', + _score: null, + _source: { + kibana: { + alert: { + rule: { + execution: { + status: 'succeeded', + }, + }, + }, + }, + }, + sort: [1647282112198], + }, + ], + }, + }, + }, + }, + { + key: '02b7c7a4-ae1a-4da5-b134-c2fb96eb0e04', + doc_count: 5, + timeoutMessage: { + meta: {}, + doc_count: 0, + }, + securityMetrics: { + meta: {}, + doc_count: 1, + searchDuration: { + value: 9.0, + }, + indexDuration: { + value: 0.0, + }, + gapDuration: { + value: 0.0, + }, + }, + ruleExecution: { + meta: {}, + doc_count: 1, + numTriggeredActions: { + value: 0.0, + }, + scheduleDelay: { + value: 9.96e8, + }, + outcomeAndMessage: { + hits: { + total: { + value: 1, + relation: 'eq', + }, + max_score: 1.0, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'pK84iX8Brb7RSEAg3a-L', + _score: 1.0, + _source: { + event: { + outcome: 'success', + }, + message: + "rule executed: siem.queryRule:7457b121-a3a8-11ec-a0f0-cbd1c2ae6ee8: 'Endpoint Security'", + }, + }, + ], + }, + }, + esSearchDuration: { + value: 5.0, + }, + executionDuration: { + value: 1.922e9, + }, + executeStartTime: { + value: 1.647274677664e12, + value_as_string: '2022-03-14T16:17:57.664Z', + }, + }, + actionExecution: { + meta: {}, + doc_count: 0, + actionOutcomes: { + doc_count_error_upper_bound: 0, + sum_other_doc_count: 0, + buckets: [], + }, + }, + securityStatus: { + meta: {}, + doc_count: 2, + message: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'o684iX8Brb7RSEAg2a-j', + _score: null, + _source: { + message: 'succeeded', + }, + sort: [1647274678629], + }, + ], + }, + }, + status: { + hits: { + total: { + value: 2, + relation: 'eq', + }, + max_score: null, + hits: [ + { + _index: '.kibana-event-log-8.2.0-000001', + _id: 'o684iX8Brb7RSEAg2a-j', + _score: null, + _source: { + kibana: { + alert: { + rule: { + execution: { + status: 'succeeded', + }, + }, + }, + }, + }, + sort: [1647274678629], + }, + ], + }, + }, + }, + }, + ], + }, + totalExecutions: { + value: 768, + }, + }, + }; + expect(formatExecutionEventResponse(results)).toEqual({ + total: 768, + events: [ + { + execution_uuid: '01e458c9-d01a-4359-94f9-1ed256c6488e', + timestamp: '2022-03-14T18:21:50.867Z', + duration_ms: 1775, + status: 'success', + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 0, + num_succeeded_actions: 5, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 464, + schedule_delay_ms: 3147, + timed_out: true, + indexing_duration_ms: 7, + search_duration_ms: 480, + gap_duration_ms: 0, + security_status: 'succeeded', + security_message: 'succeeded', + }, + { + execution_uuid: '02b7c7a4-ae1a-4da5-b134-c2fb96eb0e04', + timestamp: '2022-03-14T16:17:57.664Z', + duration_ms: 1922, + status: 'success', + message: + "rule executed: siem.queryRule:7457b121-a3a8-11ec-a0f0-cbd1c2ae6ee8: 'Endpoint Security'", + num_active_alerts: 0, + num_new_alerts: 0, + num_recovered_alerts: 0, + num_triggered_actions: 0, + num_succeeded_actions: 0, + num_errored_actions: 0, + total_search_duration_ms: 0, + es_search_duration_ms: 5, + schedule_delay_ms: 996, + timed_out: false, + indexing_duration_ms: 0, + search_duration_ms: 9, + gap_duration_ms: 0, + security_status: 'succeeded', + security_message: 'succeeded', + }, + ], + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts index 93fb1ca2ae8fe..724c97aaa4221 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts @@ -6,7 +6,9 @@ */ import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { get } from 'lodash'; +import { BadRequestError } from '@kbn/securitysolution-es-utils'; +import { flatMap, get } from 'lodash'; +import { MAX_EXECUTION_EVENTS_DISPLAYED } from '@kbn/securitysolution-rules'; import { AggregateEventsBySavedObjectResult } from '../../../../../../../event_log/server'; import { AggregateRuleExecutionEvent } from '../../../../../../common/detection_engine/schemas/common'; import { GetAggregateRuleExecutionEventsResponse } from '../../../../../../common/detection_engine/schemas/response'; @@ -42,7 +44,6 @@ const STATUS_FIELD = 'kibana.alert.rule.execution.status'; const ONE_MILLISECOND_AS_NANOSECONDS = 1_000_000; const SORT_FIELD_TO_AGG_MAPPING: Record = { - status: 'ruleExecution>status', timestamp: 'ruleExecution>executeStartTime', duration_ms: 'ruleExecution>executionDuration', indexing_duration_ms: 'securityMetrics>indexDuration', @@ -50,7 +51,6 @@ const SORT_FIELD_TO_AGG_MAPPING: Record = { gap_duration_ms: 'securityMetrics>gapDuration', schedule_delay_ms: 'ruleExecution>scheduleDelay', num_triggered_actions: 'ruleExecution>numTriggeredActions', - security_status: 'securityStatus>status', // TODO: To be added in https://github.com/elastic/kibana/pull/126210 // total_alerts_created: 'securityMetrics>totalAlertsDetected', // total_alerts_detected: 'securityMetrics>totalAlertsCreated', @@ -59,7 +59,7 @@ const SORT_FIELD_TO_AGG_MAPPING: Record = { /** * Returns `aggs` to be supplied to aggregateEventsBySavedObjectIds * @param maxExecutions upper bounds of execution events to return (to narrow below max terms agg limit) - * @param page current page to retrieve + * @param page current page to retrieve, starting at 0 * @param perPage number of execution events to display per page * @param sort field to sort on */ @@ -69,6 +69,32 @@ export const getExecutionEventAggregation = ({ perPage, sort, }: ExecutionEventAggregationOptions): Record => { + // Last stop validation for any other consumers so there's a friendly message instead of failed ES Query + if (maxExecutions > MAX_EXECUTION_EVENTS_DISPLAYED) { + throw new BadRequestError( + `Invalid maxExecutions requested "${maxExecutions}" - must be less than ${MAX_EXECUTION_EVENTS_DISPLAYED}` + ); + } + + if (page < 0) { + throw new BadRequestError(`Invalid page field "${page}" - must be greater than 0`); + } + + if (perPage <= 0) { + throw new BadRequestError(`Invalid perPage field "${perPage}" - must be greater than 0`); + } + + const sortFields = flatMap(sort as estypes.SortCombinations[], (s) => Object.keys(s)); + for (const field of sortFields) { + if (!Object.keys(SORT_FIELD_TO_AGG_MAPPING).includes(field)) { + throw new BadRequestError( + `Invalid sort field "${field}" - must be one of [${Object.keys( + SORT_FIELD_TO_AGG_MAPPING + ).join(',')}]` + ); + } + } + return { // Total unique executions for given root filters totalExecutions: { @@ -211,7 +237,7 @@ export const getExecutionEventAggregation = ({ * @param provider provider to match * @param action action to match */ -const getProviderAndActionFilter = (provider: string, action: string) => { +export const getProviderAndActionFilter = (provider: string, action: string) => { return { bool: { must: [ diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts new file mode 100644 index 0000000000000..6d8fcbc2f5b29 --- /dev/null +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts @@ -0,0 +1,197 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import dateMath from '@elastic/datemath'; +import expect from '@kbn/expect'; +import { detectionEngineRuleExecutionEventsUrl } from '../../../../plugins/security_solution/common/constants'; + +import { RuleExecutionStatus } from '../../../../plugins/security_solution/common/detection_engine/schemas/common'; +import { FtrProviderContext } from '../../common/ftr_provider_context'; +import { + createRule, + createSignalsIndex, + deleteAllAlerts, + deleteSignalsIndex, + getRuleForSignalTesting, + waitForRuleSuccessOrStatus, + waitForSignalsToBePresent, +} from '../../utils'; + +// eslint-disable-next-line import/no-default-export +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + const es = getService('es'); + const log = getService('log'); + + describe('Get Rule Execution Log Events', () => { + before(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alias'); + await createSignalsIndex(supertest, log); + }); + + after(async () => { + await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/alias'); + await deleteSignalsIndex(supertest, log); + }); + + beforeEach(async () => { + await deleteAllAlerts(supertest, log); + }); + + afterEach(async () => { + await deleteAllAlerts(supertest, log); + }); + + it('should return an error if rule does not exist', async () => { + const start = dateMath.parse('now-24h')?.utc().toISOString(); + const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + const response = await supertest + .get(detectionEngineRuleExecutionEventsUrl('1')) + .set('kbn-xsrf', 'true') + .query({ start, end }); + + expect(response.status).to.eql(404); + expect(response.text).to.eql( + '{"message":"Saved object [alert/1] not found","status_code":404}' + ); + }); + + it('should return execution events for a rule that has executed successfully', async () => { + const rule = getRuleForSignalTesting(['auditbeat-*']); + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccessOrStatus(supertest, log, id); + await waitForSignalsToBePresent(supertest, log, 1, [id]); + + const start = dateMath.parse('now-24h')?.utc().toISOString(); + const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + const response = await supertest + .get(detectionEngineRuleExecutionEventsUrl(id)) + .set('kbn-xsrf', 'true') + .query({ start, end }); + + expect(response.status).to.eql(200); + expect(response.body.total).to.eql(1); + expect(response.body.events[0].duration_ms).to.greaterThan(0); + expect(response.body.events[0].search_duration_ms).to.greaterThan(0); + expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + expect(response.body.events[0].indexing_duration_ms).to.greaterThan(0); + expect(response.body.events[0].gap_duration_ms).to.eql(0); + expect(response.body.events[0].security_status).to.eql('succeeded'); + expect(response.body.events[0].security_message).to.eql('succeeded'); + }); + + it('should return execution events for a rule that has executed in a warning state', async () => { + const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus['partial failure']); + await waitForSignalsToBePresent(supertest, log, 1, [id]); + + const start = dateMath.parse('now-24h')?.utc().toISOString(); + const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + const response = await supertest + .get(detectionEngineRuleExecutionEventsUrl(id)) + .set('kbn-xsrf', 'true') + .query({ start, end }); + + expect(response.status).to.eql(200); + expect(response.body.total).to.eql(1); + expect(response.body.events[0].duration_ms).to.greaterThan(0); + expect(response.body.events[0].search_duration_ms).to.eql(0); + expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + expect(response.body.events[0].indexing_duration_ms).to.eql(0); + expect(response.body.events[0].gap_duration_ms).to.eql(0); + expect(response.body.events[0].security_status).to.eql('partial failure'); + expect(response.body.events[0].security_message).to.include( + 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' + ); + }); + + // TODO: Determine how to fake a failure with gap + // it('should return execution events for a rule that has executed in a failure state with a gap', async () => { + // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); + // const { id } = await createRule(supertest, log, rule); + // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus.failed); + // await waitForSignalsToBePresent(supertest, log, 1, [id]); + // + // const start = dateMath.parse('now-24h')?.utc().toISOString(); + // const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + // const response = await supertest + // .get(detectionEngineRuleExecutionEventsUrl(id)) + // .set('kbn-xsrf', 'true') + // .query({ start, end }); + // + // expect(response.status).to.eql(200); + // expect(response.body.total).to.eql(1); + // expect(response.body.events[0].duration_ms).to.greaterThan(0); + // expect(response.body.events[0].search_duration_ms).to.eql(0); + // expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + // expect(response.body.events[0].indexing_duration_ms).to.eql(0); + // expect(response.body.events[0].gap_duration_ms).to.eql(0); + // expect(response.body.events[0].security_status).to.eql('failed'); + // expect(response.body.events[0].security_message).to.include( + // 'were not queried between this rule execution and the last execution, so signals may have been missed. ' + // ); + // }); + + // TODO: Determine how to fake a failure with gap + // it('should return execution events when providing a basic filter', async () => { + // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); + // const { id } = await createRule(supertest, log, rule); + // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus.failed); + // await waitForSignalsToBePresent(supertest, log, 1, [id]); + // + // const start = dateMath.parse('now-24h')?.utc().toISOString(); + // const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + // const response = await supertest + // .get(detectionEngineRuleExecutionEventsUrl(id)) + // .set('kbn-xsrf', 'true') + // .query({ start, end }); + // + // expect(response.status).to.eql(200); + // expect(response.body.total).to.eql(1); + // expect(response.body.events[0].duration_ms).to.greaterThan(0); + // expect(response.body.events[0].search_duration_ms).to.eql(0); + // expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + // expect(response.body.events[0].indexing_duration_ms).to.eql(0); + // expect(response.body.events[0].gap_duration_ms).to.eql(0); + // expect(response.body.events[0].security_status).to.eql('failed'); + // expect(response.body.events[0].security_message).to.include( + // 'were not queried between this rule execution and the last execution, so signals may have been missed. ' + // ); + // }); + + // TODO: Determine how to fake a failure with gap + // it('should return execution events when providing a complex filter references fields from multiple sub-agg documents', async () => { + // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); + // const { id } = await createRule(supertest, log, rule); + // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus.failed); + // await waitForSignalsToBePresent(supertest, log, 1, [id]); + // + // const start = dateMath.parse('now-24h')?.utc().toISOString(); + // const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + // const response = await supertest + // .get(detectionEngineRuleExecutionEventsUrl(id)) + // .set('kbn-xsrf', 'true') + // .query({ start, end }); + // + // expect(response.status).to.eql(200); + // expect(response.body.total).to.eql(1); + // expect(response.body.events[0].duration_ms).to.greaterThan(0); + // expect(response.body.events[0].search_duration_ms).to.eql(0); + // expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + // expect(response.body.events[0].indexing_duration_ms).to.eql(0); + // expect(response.body.events[0].gap_duration_ms).to.eql(0); + // expect(response.body.events[0].security_status).to.eql('failed'); + // expect(response.body.events[0].security_message).to.include( + // 'were not queried between this rule execution and the last execution, so signals may have been missed. ' + // ); + // }); + }); +}; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts index a9bda19638041..dbe24c77b57ae 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts @@ -32,6 +32,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./find_rules')); loadTestFile(require.resolve('./generating_signals')); loadTestFile(require.resolve('./get_prepackaged_rules_status')); + loadTestFile(require.resolve('./get_rule_execution_events')); loadTestFile(require.resolve('./import_rules')); loadTestFile(require.resolve('./import_export_rules')); loadTestFile(require.resolve('./read_rules')); From a1cc08202db5268f60d0434514e8d1ee2cd7d2d4 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Wed, 16 Mar 2022 01:05:54 -0600 Subject: [PATCH 13/24] Adding remaining test stubs --- .../execution_log_search_bar.test.tsx.snap | 90 ++++++++ .../execution_log_table.test.tsx.snap | 217 ++++++++++++++++++ .../rule_duration_format.test.tsx.snap | 17 ++ .../execution_log_search_bar.test.tsx | 24 ++ .../execution_log_table.test.tsx | 104 +++++++++ .../rule_duration_format.test.tsx | 21 ++ .../get_rule_execution_events_route.test.ts | 3 +- .../tests/get_rule_execution_events.ts | 11 +- 8 files changed, 481 insertions(+), 6 deletions(-) create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx create mode 100644 x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.test.tsx diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap new file mode 100644 index 0000000000000..89518eca72f04 --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap @@ -0,0 +1,90 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`ExecutionLogSearchBar snapshots renders correctly against snapshot 1`] = ` + + + + + + + + Status + + } + closePopover={[Function]} + display="inlineBlock" + hasArrow={true} + isOpen={false} + ownFocus={true} + panelPaddingSize="none" + repositionOnScroll={true} + > + + + Succeeded + + + + + Failed + + + + + Partial failure + + + + + + +`; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap new file mode 100644 index 0000000000000..37ceaf2d3179b --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap @@ -0,0 +1,217 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` + + + + + + + + + + + + + + + Showing 0 rule executions + + + + + + + + + + + , + "render": [Function], + "sortable": false, + "truncateText": false, + "width": "10%", + }, + Object { + "field": "timestamp", + "name": , + "render": [Function], + "sortable": true, + "truncateText": false, + "width": "15%", + }, + Object { + "field": "duration_ms", + "name": , + "render": [Function], + "sortable": true, + "truncateText": false, + "width": "10%", + }, + Object { + "field": "security_message", + "name": , + "render": [Function], + "sortable": false, + "truncateText": false, + "width": "35%", + }, + Object { + "actions": Array [ + Object { + "data-test-subj": "action-filter-by-execution-id", + "description": "Filter alerts by rule execution ID", + "field": "", + "icon": "filter", + "isPrimary": true, + "name": "Edit", + "onClick": [Function], + "type": "icon", + }, + ], + "field": "kibana.alert.rule.execution.uuid", + "name": "Actions", + "width": "5%", + }, + ] + } + items={Array []} + noItemsMessage={ + + } + onChange={[Function]} + pagination={ + Object { + "pageIndex": 0, + "pageSize": 5, + "pageSizeOptions": Array [ + 5, + 10, + 25, + 50, + ], + "totalItemCount": 0, + } + } + responsive={true} + sorting={ + Object { + "sort": Object { + "direction": "desc", + "field": "timestamp", + }, + } + } + tableLayout="fixed" + /> + +`; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap new file mode 100644 index 0000000000000..aa5b37ea3083f --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap @@ -0,0 +1,17 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`RuleDurationFormat snapshots renders correctly against snapshot 1`] = ` + + + 00:00 + + +`; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx new file mode 100644 index 0000000000000..d81b26d02d833 --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx @@ -0,0 +1,24 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { shallow } from 'enzyme'; +import React from 'react'; +import { ExecutionLogSearchBar } from './execution_log_search_bar'; +import { noop } from 'lodash/fp'; + +// TODO: Replace snapshot test with base test cases + +describe('ExecutionLogSearchBar', () => { + describe('snapshots', () => { + test('renders correctly against snapshot', () => { + const wrapper = shallow( + + ); + expect(wrapper).toMatchSnapshot(); + }); + }); +}); diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx new file mode 100644 index 0000000000000..3ed1b49908b3c --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx @@ -0,0 +1,104 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { shallow } from 'enzyme'; +import { noop } from 'lodash/fp'; +import React from 'react'; +import { useDraggableKeyboardWrapper as mockUseDraggableKeyboardWrapper } from '../../../../../../../../timelines/public/components'; + +import { useSourcererDataView } from '../../../../../../common/containers/sourcerer'; +import { ExecutionLogTable } from './execution_log_table'; + +jest.mock('../../../../../containers/detection_engine/rules', () => { + const original = jest.requireActual('../../../../../containers/detection_engine/rules'); + return { + ...original, + useRuleExecutionEvents: jest.fn().mockReturnValue({ + loading: true, + setQuery: () => undefined, + data: null, + response: '', + request: '', + refetch: null, + }), + }; +}); + +jest.mock('../../../../../../common/containers/sourcerer'); + +jest.mock('../../../../../../common/hooks/use_app_toasts', () => { + const original = jest.requireActual('../../../../../../common/hooks/use_app_toasts'); + + return { + ...original, + useAppToasts: () => ({ + addSuccess: jest.fn(), + addError: jest.fn(), + }), + }; +}); + +jest.mock('react-redux', () => { + const original = jest.requireActual('react-redux'); + return { + ...original, + useDispatch: () => jest.fn(), + useSelector: () => jest.fn(), + }; +}); + +jest.mock('../../../../../../common/lib/kibana', () => { + const original = jest.requireActual('../../../../../../common/lib/kibana'); + + return { + ...original, + useUiSetting$: jest.fn().mockReturnValue([]), + useKibana: () => ({ + services: { + data: { + query: { + filterManager: jest.fn().mockReturnValue({}), + }, + }, + docLinks: { + links: { + siem: { + troubleshootGaps: 'link', + }, + }, + }, + storage: { + get: jest.fn(), + set: jest.fn(), + }, + timelines: { + getLastUpdated: jest.fn(), + getFieldBrowser: jest.fn(), + }, + }, + }), + }; +}); + +const mockUseSourcererDataView = useSourcererDataView as jest.Mock; +mockUseSourcererDataView.mockReturnValue({ + missingPatterns: {}, + selectedPatterns: {}, + scopeSelectedPatterns: {}, + loading: false, +}); + +// TODO: Replace snapshot test with base test cases + +describe('ExecutionLogTable', () => { + describe('snapshots', () => { + test('renders correctly against snapshot', () => { + const wrapper = shallow(); + expect(wrapper).toMatchSnapshot(); + }); + }); +}); diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.test.tsx new file mode 100644 index 0000000000000..44f765f934ae8 --- /dev/null +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.test.tsx @@ -0,0 +1,21 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { shallow } from 'enzyme'; +import React from 'react'; +import { RuleDurationFormat } from './rule_duration_format'; + +// TODO: Replace snapshot test with base test cases + +describe('RuleDurationFormat', () => { + describe('snapshots', () => { + test('renders correctly against snapshot', () => { + const wrapper = shallow(); + expect(wrapper).toMatchSnapshot(); + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts index 335fefa1ba125..b24789d77a9bb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_rule_execution_events_route.test.ts @@ -12,6 +12,8 @@ import { } from '../__mocks__/request_responses'; import { getRuleExecutionEventsRoute } from './get_rule_execution_events_route'; +// TODO: Add additional tests for param validation + describe('getRuleExecutionEventsRoute', () => { let server: ReturnType; let { clients, context } = requestContextMock.createTools(); @@ -24,7 +26,6 @@ describe('getRuleExecutionEventsRoute', () => { }); describe('when it finds events in rule execution log', () => { - // TODO: Increase integrity of test coverage, including default params, boundaries, etc it('returns 200 response with the events', async () => { const executionEvents = getAggregateExecutionEvents(); clients.ruleExecutionLog.getAggregateExecutionEvents.mockResolvedValue(executionEvents); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts index 6d8fcbc2f5b29..1dfcf9ab94e7b 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts @@ -25,7 +25,6 @@ import { export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); - const es = getService('es'); const log = getService('log'); describe('Get Rule Execution Log Events', () => { @@ -108,8 +107,12 @@ export default ({ getService }: FtrProviderContext) => { expect(response.body.events[0].indexing_duration_ms).to.eql(0); expect(response.body.events[0].gap_duration_ms).to.eql(0); expect(response.body.events[0].security_status).to.eql('partial failure'); - expect(response.body.events[0].security_message).to.include( - 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' + expect( + response.body.events[0].security_message + .startsWith( + 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' + ) + .to.be(true) ); }); @@ -140,7 +143,6 @@ export default ({ getService }: FtrProviderContext) => { // ); // }); - // TODO: Determine how to fake a failure with gap // it('should return execution events when providing a basic filter', async () => { // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); // const { id } = await createRule(supertest, log, rule); @@ -167,7 +169,6 @@ export default ({ getService }: FtrProviderContext) => { // ); // }); - // TODO: Determine how to fake a failure with gap // it('should return execution events when providing a complex filter references fields from multiple sub-agg documents', async () => { // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); // const { id } = await createRule(supertest, log, rule); From 6511b3b4a0ff558ba8859b94771d092b7bb54297 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Wed, 16 Mar 2022 01:20:22 -0600 Subject: [PATCH 14/24] Fixing more tests --- .../detection_engine/rules/api.test.ts | 12 ++-- .../tests/get_rule_execution_events.ts | 59 ++++++++++--------- 2 files changed, 38 insertions(+), 33 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts index c608826db9b0d..396d22a46520f 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts @@ -680,8 +680,8 @@ describe('Detections Rules API', () => { test('calls API with correct parameters', async () => { await fetchRuleExecutionEvents({ ruleId: '42', - start: 'now-30', - end: 'now', + start: '2001-01-01T17:00:00.000Z', + end: '2001-01-02T17:00:00.000Z', queryText: '', statusFilters: '', signal: abortCtrl.signal, @@ -692,10 +692,14 @@ describe('Detections Rules API', () => { { method: 'GET', query: { - end: 'now', + end: '2001-01-02T17:00:00.000Z', + page: undefined, + per_page: undefined, query_text: '', + sort_field: undefined, + sort_order: undefined, + start: '2001-01-01T17:00:00.000Z', status_filters: '', - start: 'now-30', }, signal: abortCtrl.signal, } diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts index 1dfcf9ab94e7b..ad3379f9bc115 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts @@ -86,35 +86,36 @@ export default ({ getService }: FtrProviderContext) => { expect(response.body.events[0].security_message).to.eql('succeeded'); }); - it('should return execution events for a rule that has executed in a warning state', async () => { - const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); - const { id } = await createRule(supertest, log, rule); - await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus['partial failure']); - await waitForSignalsToBePresent(supertest, log, 1, [id]); - - const start = dateMath.parse('now-24h')?.utc().toISOString(); - const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); - const response = await supertest - .get(detectionEngineRuleExecutionEventsUrl(id)) - .set('kbn-xsrf', 'true') - .query({ start, end }); - - expect(response.status).to.eql(200); - expect(response.body.total).to.eql(1); - expect(response.body.events[0].duration_ms).to.greaterThan(0); - expect(response.body.events[0].search_duration_ms).to.eql(0); - expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); - expect(response.body.events[0].indexing_duration_ms).to.eql(0); - expect(response.body.events[0].gap_duration_ms).to.eql(0); - expect(response.body.events[0].security_status).to.eql('partial failure'); - expect( - response.body.events[0].security_message - .startsWith( - 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' - ) - .to.be(true) - ); - }); + // TODO: Perform cleanup between tests otherwise subsequent tests (like this one) will fail + // it('should return execution events for a rule that has executed in a warning state', async () => { + // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); + // const { id } = await createRule(supertest, log, rule); + // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus['partial failure']); + // await waitForSignalsToBePresent(supertest, log, 1, [id]); + // + // const start = dateMath.parse('now-24h')?.utc().toISOString(); + // const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + // const response = await supertest + // .get(detectionEngineRuleExecutionEventsUrl(id)) + // .set('kbn-xsrf', 'true') + // .query({ start, end }); + // + // expect(response.status).to.eql(200); + // expect(response.body.total).to.eql(1); + // expect(response.body.events[0].duration_ms).to.greaterThan(0); + // expect(response.body.events[0].search_duration_ms).to.eql(0); + // expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + // expect(response.body.events[0].indexing_duration_ms).to.eql(0); + // expect(response.body.events[0].gap_duration_ms).to.eql(0); + // expect(response.body.events[0].security_status).to.eql('partial failure'); + // expect( + // response.body.events[0].security_message + // .startsWith( + // 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' + // ) + // .to.be(true) + // ); + // }); // TODO: Determine how to fake a failure with gap // it('should return execution events for a rule that has executed in a failure state with a gap', async () => { From defb92717d753c71ca62033dfaa16365ab9d4d80 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Wed, 16 Mar 2022 01:43:16 -0600 Subject: [PATCH 15/24] Removing broken sort and fixing showing count on table --- .../rules/details/execution_log_table/execution_log_table.tsx | 2 +- .../rule_execution_log/event_log/event_log_reader.ts | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx index 3e0683db80cc2..0b9468225f251 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -273,7 +273,7 @@ const ExecutionLogTableComponent: React.FC = ({ - {i18n.SHOWING_EXECUTIONS(items.length)} + {i18n.SHOWING_EXECUTIONS(maxEvents)} {maxEvents > MAX_EXECUTION_EVENTS_DISPLAYED && ( diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index 125811aa5549d..e2a7f3aeb27e6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -78,7 +78,6 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader terms: { field: 'kibana.alert.rule.execution.uuid', size: MAX_EXECUTION_EVENTS_DISPLAYED, - order: { '@timestamp': 'desc' }, }, }, }, @@ -110,7 +109,6 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader terms: { field: 'kibana.alert.rule.execution.uuid', size: MAX_EXECUTION_EVENTS_DISPLAYED, - order: { '@timestamp': 'desc' }, }, }, }, From bf2940fc673ea1eb0b756735ce0b344123623f62 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Wed, 16 Mar 2022 10:00:09 -0600 Subject: [PATCH 16/24] Removing unused import --- .../details/execution_log_table/execution_log_table.test.tsx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx index 3ed1b49908b3c..8a3bb8621f7ae 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.test.tsx @@ -5,10 +5,9 @@ * 2.0. */ +import React from 'react'; import { shallow } from 'enzyme'; import { noop } from 'lodash/fp'; -import React from 'react'; -import { useDraggableKeyboardWrapper as mockUseDraggableKeyboardWrapper } from '../../../../../../../../timelines/public/components'; import { useSourcererDataView } from '../../../../../../common/containers/sourcerer'; import { ExecutionLogTable } from './execution_log_table'; From 702ad4f7e552ac176366ad5cdc352fdefb0635e1 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Wed, 16 Mar 2022 11:10:48 -0600 Subject: [PATCH 17/24] Removing another unused import typechecker missed --- .../security_and_spaces/tests/get_rule_execution_events.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts index ad3379f9bc115..d2f852616081f 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts @@ -9,7 +9,6 @@ import dateMath from '@elastic/datemath'; import expect from '@kbn/expect'; import { detectionEngineRuleExecutionEventsUrl } from '../../../../plugins/security_solution/common/constants'; -import { RuleExecutionStatus } from '../../../../plugins/security_solution/common/detection_engine/schemas/common'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { createRule, From f9ca0ea3c31e461e088eba6c3584f3fa32fbc05c Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Fri, 18 Mar 2022 00:21:48 -0600 Subject: [PATCH 18/24] Hides SearchBar, ui & bugfixes, and expanding API integration tests --- .../rules/all/popover_tooltip.tsx | 7 +- .../execution_log_search_bar.tsx | 21 +- .../execution_log_table.tsx | 5 +- .../rule_duration_format.tsx | 17 +- .../event_log/event_log_reader.ts | 52 +- .../get_execution_event_aggregation/index.ts | 1 + .../tests/get_rule_execution_events.ts | 149 +++-- .../tests/template_data/execution_events.ts | 630 ++++++++++++++++++ .../detection_engine_api_integration/utils.ts | 119 ++++ 9 files changed, 869 insertions(+), 132 deletions(-) create mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/tests/template_data/execution_events.ts diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx index 22bad4fffade9..89d89bbd95ed0 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx @@ -30,7 +30,12 @@ const PopoverTooltipComponent = ({ columnName, children }: PopoverTooltipProps) button={ setIsPopoverOpen(!isPopoverOpen)} + // TODO: Proper type here? `MouseEventHandler` satisfies onClick but doesn't have stopPropagation() + // TODO: and `MouseEvent` has stopPropagation() but doesn't satisfy onClick? + onClick={(event: { stopPropagation: () => void }) => { + setIsPopoverOpen(!isPopoverOpen); + event.stopPropagation(); + }} size="xs" color="primary" iconType="questionInCircle" diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx index 170172cb95dc5..2c0b18828dcbc 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.tsx @@ -54,12 +54,13 @@ const statusFilters = statuses.map((status) => ({ })); interface ExecutionLogTableSearchProps { + onlyShowFilters: true; onSearch: (queryText: string) => void; onStatusFilterChange: (statusFilters: string[]) => void; } export const ExecutionLogSearchBar = React.memo( - ({ onSearch, onStatusFilterChange }) => { + ({ onlyShowFilters, onSearch, onStatusFilterChange }) => { const [isPopoverOpen, setIsPopoverOpen] = useState(false); const [selectedFilters, setSelectedFilters] = useState([]); @@ -101,14 +102,16 @@ export const ExecutionLogSearchBar = React.memo( return ( - + {!onlyShowFilters && ( + + )} diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx index 0b9468225f251..008092e4eacc1 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -247,13 +247,14 @@ const ExecutionLogTableComponent: React.FC = ({ return ( <> - + - + { const { duration, allowZero = true } = props; const formattedDuration = useMemo(() => { - if (allowZero || typeof duration === 'number') { + // Durations can be buggy and return negative + if (allowZero && duration >= 0) { return getFormattedDuration(duration); } return 'N/A'; }, [duration, allowZero]); - const formattedTooltip = useMemo(() => { - if (allowZero || typeof duration === 'number') { - return getFormattedMilliseconds(duration); - } - return 'N/A'; - }, [duration, allowZero]); - - return ( - - {formattedDuration} - - ); + return {formattedDuration}; }; export const RuleDurationFormat = React.memo(RuleDurationFormatComponent); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index e2a7f3aeb27e6..667284baec82a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -58,8 +58,7 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader async getAggregateExecutionEvents( args: GetAggregateExecutionEventsArgs ): Promise { - const { ruleId, start, end, queryText, statusFilters, page, perPage, sortField, sortOrder } = - args; + const { ruleId, start, end, statusFilters, page, perPage, sortField, sortOrder } = args; const soType = RULE_SAVED_OBJECT_TYPE; const soIds = [ruleId]; @@ -68,7 +67,8 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader // TODO: See: https://github.com/elastic/kibana/pull/127339/files#r825240516 // First fetch execution uuid's by status filter if provided let statusIds: string[] = []; - if (statusFilters.length) { + // If 0 or 3 statuses are selected we can search for all statuses and don't need this pre-filter by ID + if (statusFilters.length > 0 && statusFilters.length < 3) { const statusResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { start, end, @@ -94,49 +94,9 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader } } - // Now fetch execution uuid's with user provided filter and constraining to statusId's - let filterIds: string[] = []; - if (queryText.length) { - const queryTextFilter = statusFilters.length - ? `${queryText} AND kibana.alert.rule.execution.uuid:(${statusIds.join(' OR ')})` - : queryText; - const filteredResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { - start, - end, - filter: queryTextFilter, - aggs: { - filteredExecutionUUIDs: { - terms: { - field: 'kibana.alert.rule.execution.uuid', - size: MAX_EXECUTION_EVENTS_DISPLAYED, - }, - }, - }, - }); - const filteredExecutionUUIDs = filteredResults.aggregations - ?.filteredExecutionUUIDs as ExecutionUuidAggResult; - filterIds = filteredExecutionUUIDs?.buckets?.map((b) => b.key) ?? []; - // Early return if no results based on queryText filter - if (filterIds.length === 0) { - return { - total: 0, - events: [], - }; - } - } - - // Early return if no results based on both status and queryText filter - const statusAndFilterIds = Array.from(new Set([...statusIds, ...filterIds])); - if ((statusFilters.length || queryText.length) && statusAndFilterIds.length === 0) { - return { - total: 0, - events: [], - }; - } - - // Finally, query for aggregate events, and pass any ID's as filters as determined from the above status/queryText results - const idsFilter = statusAndFilterIds.length - ? `kibana.alert.rule.execution.uuid:(${statusAndFilterIds.join(' OR ')})` + // Now query for aggregate events, and pass any ID's as filters as determined from the above status/queryText results + const idsFilter = statusIds.length + ? `kibana.alert.rule.execution.uuid:(${statusIds.join(' OR ')})` : ''; const results = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { start, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts index 724c97aaa4221..a66a2cccd538a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts @@ -116,6 +116,7 @@ export const getExecutionEventAggregation = ({ sort: formatSortForBucketSort(sort), from: page * perPage, size: perPage, + gap_policy: 'insert_zeros', }, }, // Filter by action execute doc to retrieve action outcomes (successful/failed) diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts index d2f852616081f..555c16e206ab8 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts @@ -7,23 +7,31 @@ import dateMath from '@elastic/datemath'; import expect from '@kbn/expect'; +import moment from 'moment'; +import { set } from '@elastic/safer-lodash-set'; +import uuid from 'uuid'; import { detectionEngineRuleExecutionEventsUrl } from '../../../../plugins/security_solution/common/constants'; +import { RuleExecutionStatus } from '../../../../plugins/security_solution/common/detection_engine/schemas/common'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { createRule, createSignalsIndex, deleteAllAlerts, + deleteAllEventLogExecutionEvents, deleteSignalsIndex, getRuleForSignalTesting, + indexEventLogExecutionEvents, + waitForEventLogExecuteComplete, waitForRuleSuccessOrStatus, - waitForSignalsToBePresent, } from '../../utils'; +import { failedGapExecution } from './template_data/execution_events'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); + const es = getService('es'); const log = getService('log'); describe('Get Rule Execution Log Events', () => { @@ -41,10 +49,12 @@ export default ({ getService }: FtrProviderContext) => { beforeEach(async () => { await deleteAllAlerts(supertest, log); + await deleteAllEventLogExecutionEvents(es, log); }); afterEach(async () => { await deleteAllAlerts(supertest, log); + await deleteAllEventLogExecutionEvents(es, log); }); it('should return an error if rule does not exist', async () => { @@ -65,7 +75,7 @@ export default ({ getService }: FtrProviderContext) => { const rule = getRuleForSignalTesting(['auditbeat-*']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccessOrStatus(supertest, log, id); - await waitForSignalsToBePresent(supertest, log, 1, [id]); + await waitForEventLogExecuteComplete(es, log, id); const start = dateMath.parse('now-24h')?.utc().toISOString(); const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); @@ -85,65 +95,84 @@ export default ({ getService }: FtrProviderContext) => { expect(response.body.events[0].security_message).to.eql('succeeded'); }); - // TODO: Perform cleanup between tests otherwise subsequent tests (like this one) will fail - // it('should return execution events for a rule that has executed in a warning state', async () => { - // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); - // const { id } = await createRule(supertest, log, rule); - // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus['partial failure']); - // await waitForSignalsToBePresent(supertest, log, 1, [id]); - // - // const start = dateMath.parse('now-24h')?.utc().toISOString(); - // const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); - // const response = await supertest - // .get(detectionEngineRuleExecutionEventsUrl(id)) - // .set('kbn-xsrf', 'true') - // .query({ start, end }); - // - // expect(response.status).to.eql(200); - // expect(response.body.total).to.eql(1); - // expect(response.body.events[0].duration_ms).to.greaterThan(0); - // expect(response.body.events[0].search_duration_ms).to.eql(0); - // expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); - // expect(response.body.events[0].indexing_duration_ms).to.eql(0); - // expect(response.body.events[0].gap_duration_ms).to.eql(0); - // expect(response.body.events[0].security_status).to.eql('partial failure'); - // expect( - // response.body.events[0].security_message - // .startsWith( - // 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' - // ) - // .to.be(true) - // ); - // }); + it('should return execution events for a rule that has executed in a warning state', async () => { + const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus['partial failure']); + await waitForEventLogExecuteComplete(es, log, id); - // TODO: Determine how to fake a failure with gap - // it('should return execution events for a rule that has executed in a failure state with a gap', async () => { - // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); - // const { id } = await createRule(supertest, log, rule); - // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus.failed); - // await waitForSignalsToBePresent(supertest, log, 1, [id]); - // - // const start = dateMath.parse('now-24h')?.utc().toISOString(); - // const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); - // const response = await supertest - // .get(detectionEngineRuleExecutionEventsUrl(id)) - // .set('kbn-xsrf', 'true') - // .query({ start, end }); - // - // expect(response.status).to.eql(200); - // expect(response.body.total).to.eql(1); - // expect(response.body.events[0].duration_ms).to.greaterThan(0); - // expect(response.body.events[0].search_duration_ms).to.eql(0); - // expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); - // expect(response.body.events[0].indexing_duration_ms).to.eql(0); - // expect(response.body.events[0].gap_duration_ms).to.eql(0); - // expect(response.body.events[0].security_status).to.eql('failed'); - // expect(response.body.events[0].security_message).to.include( - // 'were not queried between this rule execution and the last execution, so signals may have been missed. ' - // ); - // }); + const start = dateMath.parse('now-24h')?.utc().toISOString(); + const end = dateMath.parse('now', { roundUp: true })?.utc().toISOString(); + const response = await supertest + .get(detectionEngineRuleExecutionEventsUrl(id)) + .set('kbn-xsrf', 'true') + .query({ start, end }); + + expect(response.status).to.eql(200); + expect(response.body.total).to.eql(1); + expect(response.body.events[0].duration_ms).to.greaterThan(0); + expect(response.body.events[0].search_duration_ms).to.eql(0); + expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + expect(response.body.events[0].indexing_duration_ms).to.eql(0); + expect(response.body.events[0].gap_duration_ms).to.eql(0); + expect(response.body.events[0].security_status).to.eql('partial failure'); + expect( + response.body.events[0].security_message.startsWith( + 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' + ) + ).to.eql(true); + }); + + // TODO: Debug indexing + it.skip('should return execution events for a rule that has executed in a failure state with a gap', async () => { + const rule = getRuleForSignalTesting(['auditbeat-*'], uuid.v4(), false); + const { id } = await createRule(supertest, log, rule); + + const start = dateMath.parse('now')?.utc().toISOString(); + const end = dateMath.parse('now+24h', { roundUp: true })?.utc().toISOString(); + + // Create 5 timestamps a minute apart to use in the templated data + const dateTimes = [...Array(5).keys()].map((i) => + moment(start) + .add(i + 1, 'm') + .toDate() + .toISOString() + ); + + const events = failedGapExecution.map((e, i) => { + set(e, '@timestamp', dateTimes[i]); + set(e, 'event.start', dateTimes[i]); + set(e, 'event.end', dateTimes[i]); + set(e, 'rule.id', id); + return e; + }); + + await indexEventLogExecutionEvents(es, log, events); + await waitForEventLogExecuteComplete(es, log, id); + + const response = await supertest + .get(detectionEngineRuleExecutionEventsUrl(id)) + .set('kbn-xsrf', 'true') + .query({ start, end }); + + // console.log(JSON.stringify(response)); + + expect(response.status).to.eql(200); + expect(response.body.total).to.eql(1); + expect(response.body.events[0].duration_ms).to.eql(4236); + expect(response.body.events[0].search_duration_ms).to.eql(0); + expect(response.body.events[0].schedule_delay_ms).to.greaterThan(0); + expect(response.body.events[0].indexing_duration_ms).to.eql(0); + expect(response.body.events[0].gap_duration_ms).to.greaterThan(0); + expect(response.body.events[0].security_status).to.eql('failed'); + expect( + response.body.events[0].security_message.startsWith( + 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [no-name-index]' + ) + ).to.eql(true); + }); - // it('should return execution events when providing a basic filter', async () => { + // it('should return execution events when providing a status filter', async () => { // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); // const { id } = await createRule(supertest, log, rule); // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus.failed); @@ -169,7 +198,7 @@ export default ({ getService }: FtrProviderContext) => { // ); // }); - // it('should return execution events when providing a complex filter references fields from multiple sub-agg documents', async () => { + // it('should return execution events when providing a status filter and sortField', async () => { // const rule = getRuleForSignalTesting(['auditbeat-*', 'no-name-index']); // const { id } = await createRule(supertest, log, rule); // await waitForRuleSuccessOrStatus(supertest, log, id, RuleExecutionStatus.failed); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/template_data/execution_events.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/template_data/execution_events.ts new file mode 100644 index 0000000000000..c4767bbcc5632 --- /dev/null +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/template_data/execution_events.ts @@ -0,0 +1,630 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const successfulExecution = [ + { + '@timestamp': '2022-03-17T22:59:31.360Z', + event: { + provider: 'alerting', + action: 'execute', + kind: 'alert', + category: ['siem'], + start: '2022-03-17T22:59:28.100Z', + outcome: 'success', + end: '2022-03-17T22:59:31.283Z', + duration: 3183000000, + }, + kibana: { + alert: { + rule: { + execution: { + uuid: '7e62d859-aeaa-4e3d-8b9c-b3b737356383', + metrics: { + number_of_triggered_actions: 0, + number_of_searches: 2, + es_search_duration_ms: 1, + total_search_duration_ms: 15, + }, + }, + }, + }, + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + type_id: 'siem.queryRule', + }, + ], + task: { + scheduled: '2022-03-17T22:59:25.051Z', + schedule_delay: 3049000000, + }, + alerting: { + status: 'ok', + }, + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + license: 'basic', + category: 'siem.queryRule', + ruleset: 'siem', + name: 'Lots of Execution Events', + }, + message: + "rule executed: siem.queryRule:fb1fc150-a292-11ec-a2cf-c1b28b0392b0: 'Lots of Execution Events'", + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T22:59:30.296Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'metric', + action: 'execution-metrics', + sequence: 1, + }, + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + name: 'Lots of Execution Events', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + metrics: { + total_search_duration_ms: 12, + total_indexing_duration_ms: 0, + }, + uuid: '7e62d859-aeaa-4e3d-8b9c-b3b737356383', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T22:59:30.296Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'event', + action: 'status-change', + sequence: 2, + }, + message: 'succeeded', + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + name: 'Lots of Execution Events', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + status: 'succeeded', + status_order: 0, + uuid: '7e62d859-aeaa-4e3d-8b9c-b3b737356383', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T22:59:28.134Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'event', + action: 'status-change', + sequence: 0, + }, + message: '', + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + name: 'Lots of Execution Events', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + status: 'running', + status_order: 15, + uuid: '7e62d859-aeaa-4e3d-8b9c-b3b737356383', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T22:59:28.100Z', + event: { + provider: 'alerting', + action: 'execute-start', + kind: 'alert', + category: ['siem'], + start: '2022-03-17T22:59:28.100Z', + }, + kibana: { + alert: { + rule: { + execution: { + uuid: '7e62d859-aeaa-4e3d-8b9c-b3b737356383', + }, + }, + }, + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + type_id: 'siem.queryRule', + }, + ], + task: { + scheduled: '2022-03-17T22:59:25.051Z', + schedule_delay: 3049000000, + }, + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + license: 'basic', + category: 'siem.queryRule', + ruleset: 'siem', + }, + message: 'rule execution start: "fb1fc150-a292-11ec-a2cf-c1b28b0392b0"', + ecs: { + version: '1.8.0', + }, + }, +]; + +export const failedGapExecution = [ + { + '@timestamp': '2022-03-17T12:36:16.413Z', + event: { + provider: 'alerting', + action: 'execute', + kind: 'alert', + category: ['siem'], + start: '2022-03-17T12:36:14.868Z', + outcome: 'success', + end: '2022-03-17T12:36:16.413Z', + duration: 1545000000, + }, + kibana: { + alert: { + rule: { + execution: { + uuid: '38fa2d4a-94d3-4ea3-80d6-d1284eb98357', + metrics: { + number_of_triggered_actions: 0, + number_of_searches: 6, + es_search_duration_ms: 2, + total_search_duration_ms: 15, + }, + }, + }, + }, + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + type_id: 'siem.queryRule', + }, + ], + task: { + scheduled: '2022-03-17T12:27:10.060Z', + schedule_delay: 544808000000, + }, + alerting: { + status: 'ok', + }, + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + license: 'basic', + category: 'siem.queryRule', + ruleset: 'siem', + name: 'Lots of Execution Events', + }, + message: + "rule executed: siem.queryRule:fb1fc150-a292-11ec-a2cf-c1b28b0392b0: 'Lots of Execution Events'", + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T12:36:15.382Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'metric', + action: 'execution-metrics', + sequence: 1, + }, + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + name: 'Lots of Execution Events', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + metrics: { + execution_gap_duration_s: 245, + }, + uuid: '38fa2d4a-94d3-4ea3-80d6-d1284eb98357', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T12:36:15.382Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'event', + action: 'status-change', + sequence: 2, + }, + message: + '4 minutes (244689ms) were not queried between this rule execution and the last execution, so signals may have been missed. Consider increasing your look behind time or adding more Kibana instances. name: "Lots of Execution Events" id: "fb1fc150-a292-11ec-a2cf-c1b28b0392b0" rule id: "7c44befd-f611-4994-b116-9861df75d0cb" execution id: "38fa2d4a-94d3-4ea3-80d6-d1284eb98357" space ID: "default"', + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + name: 'Lots of Execution Events', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + status: 'failed', + status_order: 30, + uuid: '38fa2d4a-94d3-4ea3-80d6-d1284eb98357', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T12:36:14.888Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'event', + action: 'status-change', + sequence: 0, + }, + message: '', + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + name: 'Lots of Execution Events', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + status: 'running', + status_order: 15, + uuid: '38fa2d4a-94d3-4ea3-80d6-d1284eb98357', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-17T12:36:14.868Z', + event: { + provider: 'alerting', + action: 'execute-start', + kind: 'alert', + category: ['siem'], + start: '2022-03-17T12:36:14.868Z', + }, + kibana: { + alert: { + rule: { + execution: { + uuid: '38fa2d4a-94d3-4ea3-80d6-d1284eb98357', + }, + }, + }, + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + type_id: 'siem.queryRule', + }, + ], + task: { + scheduled: '2022-03-17T12:27:10.060Z', + schedule_delay: 544808000000, + }, + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + rule: { + id: 'fb1fc150-a292-11ec-a2cf-c1b28b0392b0', + license: 'basic', + category: 'siem.queryRule', + ruleset: 'siem', + }, + message: 'rule execution start: "fb1fc150-a292-11ec-a2cf-c1b28b0392b0"', + ecs: { + version: '1.8.0', + }, + }, +]; + +export const partialWarningExecution = [ + { + '@timestamp': '2022-03-16T23:28:36.012Z', + event: { + provider: 'alerting', + action: 'execute', + kind: 'alert', + category: ['siem'], + start: '2022-03-16T23:28:34.365Z', + outcome: 'success', + end: '2022-03-16T23:28:36.012Z', + duration: 1647000000, + }, + kibana: { + alert: { + rule: { + execution: { + uuid: 'ce37a09d-9359-4756-abbf-e319dd6b1336', + metrics: { + number_of_triggered_actions: 0, + number_of_searches: 2, + es_search_duration_ms: 0, + total_search_duration_ms: 3, + }, + }, + }, + }, + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + type_id: 'siem.queryRule', + }, + ], + task: { + scheduled: '2022-03-16T23:28:31.233Z', + schedule_delay: 3132000000, + }, + alerting: { + status: 'ok', + }, + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + rule: { + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + license: 'basic', + category: 'siem.queryRule', + ruleset: 'siem', + name: 'This Rule Makes Alerts, Actions, AND Moar!', + }, + message: + "rule executed: siem.queryRule:f78f3550-a186-11ec-89a1-0bce95157aba: 'This Rule Makes Alerts, Actions, AND Moar!'", + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-16T23:28:34.998Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'event', + action: 'status-change', + sequence: 1, + }, + message: + 'Check privileges failed to execute ResponseError: index_not_found_exception: [index_not_found_exception] Reason: no such index [frank] name: "This Rule Makes Alerts, Actions, AND Moar!" id: "f78f3550-a186-11ec-89a1-0bce95157aba" rule id: "b64b4540-d035-4826-a1e7-f505bf4b9653" execution id: "ce37a09d-9359-4756-abbf-e319dd6b1336" space ID: "default"', + rule: { + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + name: 'This Rule Makes Alerts, Actions, AND Moar!', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + status: 'partial failure', + status_order: 20, + uuid: 'ce37a09d-9359-4756-abbf-e319dd6b1336', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-16T23:28:34.386Z', + event: { + provider: 'securitySolution.ruleExecution', + kind: 'event', + action: 'status-change', + sequence: 0, + }, + message: '', + rule: { + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + name: 'This Rule Makes Alerts, Actions, AND Moar!', + category: 'siem.queryRule', + }, + kibana: { + alert: { + rule: { + execution: { + status: 'running', + status_order: 15, + uuid: 'ce37a09d-9359-4756-abbf-e319dd6b1336', + }, + }, + }, + space_ids: ['default'], + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + }, + ], + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + ecs: { + version: '1.8.0', + }, + }, + { + '@timestamp': '2022-03-16T23:28:34.365Z', + event: { + provider: 'alerting', + action: 'execute-start', + kind: 'alert', + category: ['siem'], + start: '2022-03-16T23:28:34.365Z', + }, + kibana: { + alert: { + rule: { + execution: { + uuid: 'ce37a09d-9359-4756-abbf-e319dd6b1336', + }, + }, + }, + saved_objects: [ + { + rel: 'primary', + type: 'alert', + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + type_id: 'siem.queryRule', + }, + ], + task: { + scheduled: '2022-03-16T23:28:31.233Z', + schedule_delay: 3132000000, + }, + server_uuid: '5b2de169-2785-441b-ae8c-186a1936b17d', + version: '8.2.0', + }, + rule: { + id: 'f78f3550-a186-11ec-89a1-0bce95157aba', + license: 'basic', + category: 'siem.queryRule', + ruleset: 'siem', + }, + message: 'rule execution start: "f78f3550-a186-11ec-89a1-0bce95157aba"', + ecs: { + version: '1.8.0', + }, + }, +]; diff --git a/x-pack/test/detection_engine_api_integration/utils.ts b/x-pack/test/detection_engine_api_integration/utils.ts index 545bd20fc777b..594f380199dd6 100644 --- a/x-pack/test/detection_engine_api_integration/utils.ts +++ b/x-pack/test/detection_engine_api_integration/utils.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { SearchTotalHits } from '@elastic/elasticsearch/lib/api/types'; import { KbnClient } from '@kbn/test'; import { ALERT_RULE_RULE_ID, ALERT_RULE_UUID } from '@kbn/rule-data-utils'; @@ -1466,6 +1467,124 @@ export const waitForSignalsToBePresent = async ( ); }; +/** + * Waits for the event-log execution completed doc count to be greater than the + * supplied number before continuing with a default of at least one execution + * @param es The ES client + * @param log + * @param ruleId The id of rule to check execution logs for + * @param totalExecutions The number of executions to wait for, default is 1 + */ +export const waitForEventLogExecuteComplete = async ( + es: Client, + log: ToolingLog, + ruleId: string, + totalExecutions = 1 +): Promise => { + await waitFor( + async () => { + const executionCount = await getEventLogExecuteCompleteById(es, log, ruleId); + return executionCount >= totalExecutions; + }, + 'waitForEventLogExecuteComplete', + log + ); +}; + +/** + * Given a single rule id this will return the number of event-log execution + * completed docs + * @param es The ES client + * @param log + * @param ruleId Rule id + */ +export const getEventLogExecuteCompleteById = async ( + es: Client, + log: ToolingLog, + ruleId: string +): Promise => { + const response = await es.search({ + index: '.kibana-event-log*', + track_total_hits: true, + size: 0, + query: { + bool: { + must: [], + filter: [ + { + match_phrase: { + 'event.provider': 'alerting', + }, + }, + { + match_phrase: { + 'event.action': 'execute', + }, + }, + { + match_phrase: { + 'rule.id': ruleId, + }, + }, + ], + should: [], + must_not: [], + }, + }, + }); + + return (response?.hits?.total as SearchTotalHits)?.value ?? 0; +}; + +/** + * Indexes provided execution events into .kibana-event-log-* + * @param es The ElasticSearch handle + * @param log The tooling logger + * @param events + */ +export const indexEventLogExecutionEvents = async ( + es: Client, + log: ToolingLog, + events: object[] +): Promise => { + const operations = events.flatMap((doc: object) => [ + { index: { _index: '.kibana-event-log-*' } }, + doc, + ]); + + await es.bulk({ refresh: true, operations }); + + return; +}; + +/** + * Remove all .kibana-event-log-* documents with an execution.uuid + * This will retry 20 times before giving up and hopefully still not interfere with other tests + * @param es The ElasticSearch handle + * @param log The tooling logger + */ +export const deleteAllEventLogExecutionEvents = async ( + es: Client, + log: ToolingLog +): Promise => { + return countDownES( + async () => { + return es.deleteByQuery( + { + index: '.kibana-event-log-*', + q: '_exists_:kibana.alert.rule.execution.uuid', + wait_for_completion: true, + refresh: true, + body: {}, + }, + { meta: true } + ); + }, + 'deleteAllEventLogExecutionEvents', + log + ); +}; + /** * Returns all signals both closed and opened by ruleId * @param supertest Deps From 8b57322fbbf50237ef442b68705e858ef80c9b6d Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Fri, 18 Mar 2022 09:19:59 -0600 Subject: [PATCH 19/24] Increases integrity of test outputs --- .../execution_log_search_bar.test.tsx.snap | 14 +------------- .../rule_duration_format.test.tsx.snap | 16 ++++------------ .../execution_log_search_bar.test.tsx | 2 +- .../index.test.ts | 1 + 4 files changed, 7 insertions(+), 26 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap index 89518eca72f04..a4e8e2cf6e9bd 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_search_bar.test.tsx.snap @@ -6,19 +6,7 @@ exports[`ExecutionLogSearchBar snapshots renders correctly against snapshot 1`] > - - + /> diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap index aa5b37ea3083f..0605ad35a9218 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap @@ -1,17 +1,9 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`RuleDurationFormat snapshots renders correctly against snapshot 1`] = ` - - - 00:00 - - + 00:00 + `; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx index d81b26d02d833..cfa5322769940 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_search_bar.test.tsx @@ -16,7 +16,7 @@ describe('ExecutionLogSearchBar', () => { describe('snapshots', () => { test('renders correctly against snapshot', () => { const wrapper = shallow( - + ); expect(wrapper).toMatchSnapshot(); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts index 0b1b951795845..d90d262688e86 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts @@ -130,6 +130,7 @@ describe('getExecutionEventAggregation', () => { ], from: 20, size: 10, + gap_policy: 'insert_zeros', }, }, actionExecution: { From c4bfb274b71a603717a3b2960ad4e52281be93b9 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Fri, 18 Mar 2022 11:13:30 -0600 Subject: [PATCH 20/24] Bugfixes around table counts and fixing snapshot --- .../execution_log_table.test.tsx.snap | 13 +++++++------ .../execution_log_table/execution_log_columns.tsx | 7 ++++++- .../execution_log_table/execution_log_table.tsx | 14 +++++++++++--- .../details/execution_log_table/translations.ts | 6 +++--- .../event_log/event_log_reader.ts | 1 + 5 files changed, 28 insertions(+), 13 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap index 37ceaf2d3179b..a45f8c9a61bb2 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap @@ -6,19 +6,20 @@ exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` gutterSize="s" > - value ? {value} : getEmptyTagValue(), + value ? ( + {capitalize(value)} + ) : ( + getEmptyTagValue() + ), sortable: false, truncateText: false, width: '10%', diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx index 008092e4eacc1..51f84eeb338bd 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -194,7 +194,8 @@ const ExecutionLogTableComponent: React.FC = ({ return { pageIndex, pageSize, - totalItemCount: maxEvents, + totalItemCount: + maxEvents > MAX_EXECUTION_EVENTS_DISPLAYED ? MAX_EXECUTION_EVENTS_DISPLAYED : maxEvents, pageSizeOptions: [5, 10, 25, 50], }; }, [maxEvents, pageIndex, pageSize]); @@ -274,14 +275,21 @@ const ExecutionLogTableComponent: React.FC = ({ - {i18n.SHOWING_EXECUTIONS(maxEvents)} + {i18n.SHOWING_EXECUTIONS( + maxEvents > MAX_EXECUTION_EVENTS_DISPLAYED + ? MAX_EXECUTION_EVENTS_DISPLAYED + : maxEvents + )} {maxEvents > MAX_EXECUTION_EVENTS_DISPLAYED && ( - {i18n.RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED(maxEvents)} + {i18n.RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED( + maxEvents, + MAX_EXECUTION_EVENTS_DISPLAYED + )} diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts index 24d1d3fad300b..0c2af8b564503 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts @@ -17,13 +17,13 @@ export const SHOWING_EXECUTIONS = (totalItems: number) => } ); -export const RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED = (totalItems: number) => +export const RULE_EXECUTION_LOG_SEARCH_LIMIT_EXCEEDED = (totalItems: number, maxItems: number) => i18n.translate( 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchLimitExceededLabel', { - values: { totalItems }, + values: { totalItems, maxItems }, defaultMessage: - "More than {totalItems} rule executions match filters provided. Showing first 500 by most recent '@timestamp'. Constrain filters further to view additional execution events", + "More than {totalItems} rule executions match filters provided. Showing first {maxItems} by most recent '@timestamp'. Constrain filters further to view additional execution events", } ); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts index 667284baec82a..765defb803756 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts @@ -69,6 +69,7 @@ export const createEventLogReader = (eventLog: IEventLogClient): IEventLogReader let statusIds: string[] = []; // If 0 or 3 statuses are selected we can search for all statuses and don't need this pre-filter by ID if (statusFilters.length > 0 && statusFilters.length < 3) { + // TODO: Add cardinality agg and pass as maxEvents in response const statusResults = await eventLog.aggregateEventsBySavedObjectIds(soType, soIds, { start, end, From 3f8891bc4b3a3646b7298b6a58068831c5b85806 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Sun, 20 Mar 2022 21:33:29 -0600 Subject: [PATCH 21/24] Copy fixes --- .../execution_log_table.tsx | 19 +++++--------- .../execution_log_table/translations.ts | 25 +++++++------------ 2 files changed, 15 insertions(+), 29 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx index 51f84eeb338bd..212ac9ec5b94f 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_table.tsx @@ -20,7 +20,6 @@ import { OnRefreshChangeProps, EuiSpacer, EuiSwitch, - EuiToolTip, EuiBasicTable, } from '@elastic/eui'; import { buildFilter, FILTERS } from '@kbn/es-query'; @@ -302,18 +301,12 @@ const ExecutionLogTableComponent: React.FC = ({ updatedAt: dataUpdatedAt, })} - - onShowMetricColumnsCallback(e.target.checked)} - /> - + onShowMetricColumnsCallback(e.target.checked)} + /> Date: Mon, 21 Mar 2022 07:57:24 -0600 Subject: [PATCH 22/24] Updated snapshot --- .../execution_log_table.test.tsx.snap | 30 +++++++------------ 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap index a45f8c9a61bb2..b878c2557dcd0 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap @@ -100,20 +100,12 @@ exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` - - - + , "render": [Function], "sortable": false, @@ -134,7 +126,7 @@ exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` "field": "timestamp", "name": , "render": [Function], "sortable": true, @@ -145,7 +137,7 @@ exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` "field": "duration_ms", "name": , "render": [Function], "sortable": true, @@ -156,7 +148,7 @@ exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` "field": "security_message", "name": , "render": [Function], "sortable": false, @@ -167,7 +159,7 @@ exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` "actions": Array [ Object { "data-test-subj": "action-filter-by-execution-id", - "description": "Filter alerts by rule execution ID", + "description": "Filter alerts by rule execution ID.", "field": "", "icon": "filter", "isPrimary": true, From 1e8dbfbf39ea20429431154c82b072cf942f9738 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Mon, 21 Mar 2022 18:19:42 -0600 Subject: [PATCH 23/24] Fixing duration display and adding format for hours --- .../execution_log_table.test.tsx.snap | 2 +- .../execution_log_table/execution_log_columns.tsx | 6 +++--- .../execution_log_table/rule_duration_format.tsx | 15 +++++++++++---- .../details/execution_log_table/translations.ts | 8 ++++---- 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap index b878c2557dcd0..fdec953b833e6 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/execution_log_table.test.tsx.snap @@ -137,7 +137,7 @@ exports[`ExecutionLogTable snapshots renders correctly against snapshot 1`] = ` "field": "duration_ms", "name": , "render": [Function], "sortable": true, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx index f0abadb720039..5242b6dbe0313 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx @@ -96,10 +96,10 @@ export const GET_EXECUTION_LOG_METRICS_COLUMNS = ( customTooltip={
- +

), render: (value: number) => ( - <>{value ? : getEmptyValue()} + <>{value ? : getEmptyValue()} ), sortable: true, truncateText: false, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx index 760b1cb795db7..c40bffffc60a7 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx @@ -11,6 +11,7 @@ import React, { useMemo } from 'react'; interface Props { duration: number; + isMillis?: boolean; allowZero?: boolean; } @@ -19,10 +20,11 @@ export function getFormattedDuration(value: number) { return '00:00'; } const duration = moment.duration(value); + const hours = Math.floor(duration.asHours()).toString().padStart(2, '0'); const minutes = Math.floor(duration.asMinutes()).toString().padStart(2, '0'); const seconds = duration.seconds().toString().padStart(2, '0'); const ms = duration.milliseconds().toString().padStart(3, '0'); - return `${minutes}:${seconds}:${ms}`; + return `${hours}:${minutes}:${seconds}:${ms}`; } export function getFormattedMilliseconds(value: number) { @@ -30,16 +32,21 @@ export function getFormattedMilliseconds(value: number) { return `${formatted} ms`; } +/** + * Formats duration as (hh:mm:ss:SSS) + * @param props duration default as nanos, set isMillis:true to pass in ms + * @constructor + */ const RuleDurationFormatComponent = (props: Props) => { - const { duration, allowZero = true } = props; + const { duration, isMillis = false, allowZero = true } = props; const formattedDuration = useMemo(() => { // Durations can be buggy and return negative if (allowZero && duration >= 0) { - return getFormattedDuration(duration); + return getFormattedDuration(isMillis ? duration * 1000 : duration); } return 'N/A'; - }, [duration, allowZero]); + }, [allowZero, duration, isMillis]); return {formattedDuration}; }; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts index 1513efc46be57..97ae8e42ebb61 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/translations.ts @@ -79,7 +79,7 @@ export const COLUMN_DURATION = i18n.translate( export const COLUMN_DURATION_TOOLTIP = i18n.translate( 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.durationColumnTooltip', { - defaultMessage: 'The length of time it took for the rule to run (mm:ss:SSS).', + defaultMessage: 'The length of time it took for the rule to run (hh:mm:ss:SSS).', } ); @@ -121,7 +121,7 @@ export const COLUMN_INDEX_DURATION = i18n.translate( export const COLUMN_INDEX_DURATION_TOOLTIP = i18n.translate( 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.indexDurationColumnTooltip', { - defaultMessage: 'The length of time it took to index detected alerts (mm:ss:SSS).', + defaultMessage: 'The length of time it took to index detected alerts (hh:mm:ss:SSS).', } ); @@ -135,7 +135,7 @@ export const COLUMN_SEARCH_DURATION = i18n.translate( export const COLUMN_SEARCH_DURATION_TOOLTIP = i18n.translate( 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.searchDurationColumnTooltip', { - defaultMessage: 'The length of time it took to search for alerts (mm:ss:SSS).', + defaultMessage: 'The length of time it took to search for alerts (hh:mm:ss:SSS).', } ); @@ -149,7 +149,7 @@ export const COLUMN_SCHEDULING_DELAY = i18n.translate( export const COLUMN_SCHEDULING_DELAY_TOOLTIP = i18n.translate( 'xpack.securitySolution.detectionEngine.ruleDetails.ruleExecutionLog.schedulingDelayColumnTooltip', { - defaultMessage: 'The length of time from rule scheduled till rule executed (mm:ss:SSS).', + defaultMessage: 'The length of time from rule scheduled till rule executed (hh:mm:ss:SSS).', } ); From ca6e3f4ca3e4c1986f855cb765897c5b9ed9b008 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 22 Mar 2022 23:07:43 -0600 Subject: [PATCH 24/24] Type fixes and fallback duration fix --- .../pages/detection_engine/rules/all/popover_tooltip.tsx | 4 +--- .../__snapshots__/rule_duration_format.test.tsx.snap | 2 +- .../details/execution_log_table/rule_duration_format.tsx | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx index 89d89bbd95ed0..564f73c379c63 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/popover_tooltip.tsx @@ -30,9 +30,7 @@ const PopoverTooltipComponent = ({ columnName, children }: PopoverTooltipProps) button={ ` satisfies onClick but doesn't have stopPropagation() - // TODO: and `MouseEvent` has stopPropagation() but doesn't satisfy onClick? - onClick={(event: { stopPropagation: () => void }) => { + onClick={(event: React.MouseEvent) => { setIsPopoverOpen(!isPopoverOpen); event.stopPropagation(); }} diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap index 0605ad35a9218..ddb59cf52a890 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/__snapshots__/rule_duration_format.test.tsx.snap @@ -4,6 +4,6 @@ exports[`RuleDurationFormat snapshots renders correctly against snapshot 1`] = ` - 00:00 + 00:00:00:000 `; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx index c40bffffc60a7..cdbc19ce16c3b 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/rule_duration_format.tsx @@ -17,7 +17,7 @@ interface Props { export function getFormattedDuration(value: number) { if (!value) { - return '00:00'; + return '00:00:00:000'; } const duration = moment.duration(value); const hours = Math.floor(duration.asHours()).toString().padStart(2, '0');