[7.7] [SIEM][Detections] Allow synchronous rule actions to be updated…

… via PATCH (#67914) (#68684) * [SIEM][Detections] Allow synchronous rule actions to be updated via PATCH (#67914) * Update synchronous actions in patchRules This method was typed to accept actions, but it was not doing anything with them. This was mainly a "bug by omission" so I'm simply adding unit tests for regression purposes. * Allow synchronous actions to be patched either individually or in bulk Now that patchRules uses this field, we simply need to pass it. Co-authored-by: Garrett Spong <spong@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/siem/server/lib/detection_engine/routes/rules/patch_rules_bulk_route.ts # x-pack/plugins/siem/server/lib/detection_engine/routes/rules/patch_rules_route.ts # x-pack/plugins/siem/server/lib/detection_engine/rules/patch_rules.test.ts # x-pack/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts * Update tests for backport This API changed since 7.7, so we can't just backport our uses of it (e.g. the tests).
elastic · Jun 9, 2020 · 94504d4 · 94504d4
1 parent 359697b
commit 94504d4
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 1 deletion.
diff --git a/...ck/legacy/plugins/siem/server/lib/detection_engine/routes/rules/patch_rules_bulk_route.ts b/...ck/legacy/plugins/siem/server/lib/detection_engine/routes/rules/patch_rules_bulk_route.ts
@@ -120,6 +120,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
               version,
               anomalyThreshold,
               machineLearningJobId,
+              actions,
             });
             if (rule != null && rule.enabled != null && rule.name != null) {
               const ruleActions = await updateRulesNotifications({

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/patch_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/patch_rules_route.ts
@@ -116,6 +116,7 @@ export const patchRulesRoute = (router: IRouter) => {
           version,
           anomalyThreshold,
           machineLearningJobId,
+          actions,
         });
         if (rule != null && rule.enabled != null && rule.name != null) {
           const ruleActions = await updateRulesNotifications({

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.test.ts
@@ -97,4 +97,86 @@ describe('patchRules', () => {
       })
     );
   });
+
+  describe('regression tests', () => {
+    it("updates the rule's actions if provided", async () => {
+      const existingRule = getResult();
+      alertsClient.get.mockResolvedValue(existingRule);
+
+      const action = {
+        action_type_id: '.slack',
+        id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
+        params: {
+          message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
+        },
+        group: 'default',
+      };
+
+      await patchRules({
+        alertsClient,
+        actionsClient,
+        savedObjectsClient,
+        actions: [action],
+        id: existingRule.id,
+      });
+
+      expect(alertsClient.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({
+            actions: [
+              {
+                actionTypeId: '.slack',
+                id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
+                params: {
+                  message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
+                },
+                group: 'default',
+              },
+            ],
+          }),
+        })
+      );
+    });
+
+    it('does not update actions if none are specified', async () => {
+      const existingRule = {
+        ...getResult(),
+        actions: [
+          {
+            actionTypeId: '.slack',
+            id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
+            params: {
+              message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
+            },
+            group: 'default',
+          },
+        ],
+      };
+      alertsClient.get.mockResolvedValue(existingRule);
+
+      await patchRules({
+        alertsClient,
+        actionsClient,
+        savedObjectsClient,
+        id: existingRule.id,
+      });
+
+      expect(alertsClient.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({
+            actions: [
+              {
+                actionTypeId: '.slack',
+                id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
+                params: {
+                  message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
+                },
+                group: 'default',
+              },
+            ],
+          }),
+        })
+      );
+    });
+  });
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts
@@ -6,6 +6,7 @@
 
 import { defaults } from 'lodash/fp';
 import { PartialAlert } from '../../../../../../../plugins/alerting/server';
+import { transformRuleToAlertAction } from '../../../../common/detection_engine/transform_actions';
 import { readRules } from './read_rules';
 import { PatchRuleParams, IRuleSavedAttributesSavedObjectAttributes } from './types';
 import { addTags } from './add_tags';
@@ -47,6 +48,7 @@ export const patchRules = async ({
   lists,
   anomalyThreshold,
   machineLearningJobId,
+  actions,
 }: PatchRuleParams): Promise<PartialAlert | null> => {
   const rule = await readRules({ alertsClient, ruleId, id });
   if (rule == null) {
@@ -125,7 +127,7 @@ export const patchRules = async ({
       schedule: {
         interval: calculateInterval(interval, rule.schedule.interval),
       },
-      actions: rule.actions,
+      actions: actions?.map(transformRuleToAlertAction) ?? rule.actions,
       params: nextParams,
     },
   });