Skip to content

Commit

Permalink
[SIEM][Detections] Allow synchronous rule actions to be updated via P…
Browse files Browse the repository at this point in the history
…ATCH (#67914) (#67990)

* Update synchronous actions in patchRules

This method was typed to accept actions, but it was not doing anything
with them. This was mainly a "bug by omission" so I'm simply adding
unit tests for regression purposes.

* Allow synchronous actions to be patched either individually or in bulk

Now that patchRules uses this field, we simply need to pass it.

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
# Conflicts:
#	x-pack/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts
  • Loading branch information
rylnd authored Jun 2, 2020
1 parent 173845d commit bc04493
Show file tree
Hide file tree
Showing 4 changed files with 83 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ export const patchRulesBulkRoute = (router: IRouter, ml: SetupPlugins['ml']) =>
version,
anomalyThreshold,
machineLearningJobId,
actions,
});
if (rule != null && rule.enabled != null && rule.name != null) {
const ruleActions = await updateRulesNotifications({
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,7 @@ export const patchRulesRoute = (router: IRouter, ml: SetupPlugins['ml']) => {
version,
anomalyThreshold,
machineLearningJobId,
actions,
});
if (rule != null && rule.enabled != null && rule.name != null) {
const ruleActions = await updateRulesNotifications({
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -91,4 +91,82 @@ describe('patchRules', () => {
})
);
});

describe('regression tests', () => {
it("updates the rule's actions if provided", async () => {
const existingRule = getResult();

const action = {
action_type_id: '.slack',
id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
params: {
message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
},
group: 'default',
};

await patchRules({
alertsClient,
savedObjectsClient,
actions: [action],
rule: existingRule,
});

expect(alertsClient.update).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
actions: [
{
actionTypeId: '.slack',
id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
params: {
message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
},
group: 'default',
},
],
}),
})
);
});

it('does not update actions if none are specified', async () => {
const existingRule = {
...getResult(),
actions: [
{
actionTypeId: '.slack',
id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
params: {
message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
},
group: 'default',
},
],
};

await patchRules({
alertsClient,
savedObjectsClient,
rule: existingRule,
});

expect(alertsClient.update).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
actions: [
{
actionTypeId: '.slack',
id: '2933e581-d81c-4fe3-88fe-c57c6b8a5bfd',
params: {
message: 'Rule {{context.rule.name}} generated {{state.signals_count}} signals',
},
group: 'default',
},
],
}),
})
);
});
});
});
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@

import { defaults } from 'lodash/fp';
import { PartialAlert } from '../../../../../alerting/server';
import { transformRuleToAlertAction } from '../../../../common/detection_engine/transform_actions';
import { PatchRuleParams } from './types';
import { addTags } from './add_tags';
import { calculateVersion, calculateName, calculateInterval } from './utils';
Expand Down Expand Up @@ -44,6 +45,7 @@ export const patchRules = async ({
exceptions_list,
anomalyThreshold,
machineLearningJobId,
actions,
}: PatchRuleParams): Promise<PartialAlert | null> => {
if (rule == null) {
return null;
Expand Down Expand Up @@ -121,7 +123,7 @@ export const patchRules = async ({
schedule: {
interval: calculateInterval(interval, rule.schedule.interval),
},
actions: rule.actions,
actions: actions?.map(transformRuleToAlertAction) ?? rule.actions,
params: nextParams,
},
});
Expand Down

0 comments on commit bc04493

Please sign in to comment.