

[Security Solution] Ensure alerts are scheduled when rule times out (#…
…128276)

* Schedule notifications when rule times out

* Test notifications on rule timeout (revert this)

* Revert "Test notifications on rule timeout (revert this)"

This reverts commit 0c49fc4.

* Remove comment

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
madirey and kibanamachine authored Mar 25, 2022
1 parent 48324db commit 1837a7f
Showing 1 changed file with 43 additions and 57 deletions.
Expand Up @@ -50,6 +50,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
const persistenceRuleType = createPersistenceRuleTypeWrapper({ ruleDataClient, logger });
return persistenceRuleType({
...type,
cancelAlertsOnRuleTimeout: false,
useSavedObjectReferences: {
extractReferences: (params) => extractReferences({ logger, params }),
injectReferences: (params, savedObjectReferences) =>
Expand Down Expand Up @@ -304,51 +305,52 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
});
}

if (result.success) {
const createdSignalsCount = result.createdSignals.length;

if (actions.length) {
const fromInMs = parseScheduleDates(`now-${interval}`)?.format('x');
const toInMs = parseScheduleDates('now')?.format('x');
const resultsLink = getNotificationResultsLink({
from: fromInMs,
to: toInMs,
const createdSignalsCount = result.createdSignals.length;

if (actions.length) {
const fromInMs = parseScheduleDates(`now-${interval}`)?.format('x');
const toInMs = parseScheduleDates('now')?.format('x');
const resultsLink = getNotificationResultsLink({
from: fromInMs,
to: toInMs,
id: alertId,
kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined)
?.kibana_siem_app_url,
});

logger.debug(
buildRuleMessage(`Found ${createdSignalsCount} signals for notification.`)
);

if (completeRule.ruleConfig.throttle != null) {
// NOTE: Since this is throttled we have to call it even on an error condition, otherwise it will "reset" the throttle and fire early
await scheduleThrottledNotificationActions({
alertInstance: services.alertFactory.create(alertId),
throttle: completeRule.ruleConfig.throttle ?? '',
startedAt,
id: alertId,
kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined)
?.kibana_siem_app_url,
outputIndex: ruleDataClient.indexNameWithNamespace(spaceId),
ruleId,
esClient: services.scopedClusterClient.asCurrentUser,
notificationRuleParams,
signals: result.createdSignals,
logger,
});
} else if (createdSignalsCount) {
const alertInstance = services.alertFactory.create(alertId);
scheduleNotificationActions({
alertInstance,
signalsCount: createdSignalsCount,
signals: result.createdSignals,
resultsLink,
ruleParams: notificationRuleParams,
});

logger.debug(
buildRuleMessage(`Found ${createdSignalsCount} signals for notification.`)
);

if (completeRule.ruleConfig.throttle != null) {
await scheduleThrottledNotificationActions({
alertInstance: services.alertFactory.create(alertId),
throttle: completeRule.ruleConfig.throttle ?? '',
startedAt,
id: alertId,
kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined)
?.kibana_siem_app_url,
outputIndex: ruleDataClient.indexNameWithNamespace(spaceId),
ruleId,
esClient: services.scopedClusterClient.asCurrentUser,
notificationRuleParams,
signals: result.createdSignals,
logger,
});
} else if (createdSignalsCount) {
const alertInstance = services.alertFactory.create(alertId);
scheduleNotificationActions({
alertInstance,
signalsCount: createdSignalsCount,
signals: result.createdSignals,
resultsLink,
ruleParams: notificationRuleParams,
});
}
}
}

if (result.success) {
logger.debug(buildRuleMessage('[+] Signal Rule execution completed.'));
logger.debug(
buildRuleMessage(
Expand Down Expand Up @@ -392,23 +394,6 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
indexingDurations: result.bulkCreateTimes,
},
});
// NOTE: Since this is throttled we have to call it even on an error condition, otherwise it will "reset" the throttle and fire early
if (completeRule.ruleConfig.throttle != null) {
await scheduleThrottledNotificationActions({
alertInstance: services.alertFactory.create(alertId),
throttle: completeRule.ruleConfig.throttle ?? '',
startedAt,
id: completeRule.alertId,
kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined)
?.kibana_siem_app_url,
outputIndex: ruleDataClient.indexNameWithNamespace(spaceId),
ruleId,
esClient: services.scopedClusterClient.asCurrentUser,
notificationRuleParams,
signals: result.createdSignals,
logger,
});
}
}
} catch (error) {
const errorMessage = error.message ?? '(no error message given)';
Expand All @@ -426,8 +411,9 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
indexingDurations: result.bulkCreateTimes,
},
});

// NOTE: Since this is throttled we have to call it even on an error condition, otherwise it will "reset" the throttle and fire early
if (completeRule.ruleConfig.throttle != null) {
if (actions.length && completeRule.ruleConfig.throttle != null) {
await scheduleThrottledNotificationActions({
alertInstance: services.alertFactory.create(alertId),
throttle: completeRule.ruleConfig.throttle ?? '',
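Review bot: The notification block that now begins at `const createdSignalsCount = result.createdSignals.length;` in the second hunk runs whether or not `result.success` is set, but nothing in the code records that this is deliberate, so a later reader is likely to move it back under the `if (result.success)` branch that now only logs. I would add directly above that line: `// Scheduled outside the success check on purpose: with cancelAlertsOnRuleTimeout set to false above, signals created before a timeout or partial failure must still reach their actions.` Because the signal set is incomplete on such runs and the notification itself does not say so, it is also worth carrying the status into the existing debug line, e.g. `buildRuleMessage(\`Found ${createdSignalsCount} signals for notification (success: ${result.success}).\`)`, so an operator can tell from the logs that an action fired from an incomplete execution. The `actions.length &&` guard added to the catch path in the last hunk matches the `if (actions.length)` guard of the try path, which looks right. The enclosing executor starts and ends outside these hunks.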

