fixing merge with master conflicts

elastic · Aug 3, 2021 · 774c3ca · 774c3ca
1 parent 6fca0da
commit 774c3ca
Show file tree

Hide file tree

Showing 12 changed files with 76 additions and 30 deletions.
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -38,10 +38,13 @@ import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 // TODO: Fix typings https://github.com/elastic/kibana/issues/101776
 type NonNullableProps<Obj extends {}, Props extends keyof Obj> = Omit<Obj, Props> &
   { [K in Props]-?: NonNullable<Obj[K]> };
-type AlertType = NonNullableProps<ParsedTechnicalFields, 'rule.id' | 'kibana.alert.owner'>;
+type AlertType = NonNullableProps<
+  ParsedTechnicalFields,
+  typeof RULE_ID | typeof ALERT_OWNER | typeof SPACE_IDS
+>;
 
 const isValidAlert = (source?: ParsedTechnicalFields): source is AlertType => {
-  return source?.[RULE_ID] != null && source?.[ALERT_OWNER] != null;
+  return source?.[RULE_ID] != null && source?.[ALERT_OWNER] != null && source?.[SPACE_IDS] != null;
 };
 export interface ConstructorOptions {
   logger: Logger;
@@ -205,11 +208,11 @@ export class AlertsClient {
           if (
             item._source != null &&
             item._source[RULE_ID] != null &&
-            item._source[OWNER] != null
+            item._source[ALERT_OWNER] != null
           ) {
             return this.authorization.ensureAuthorized({
               ruleTypeId: item._source[RULE_ID],
-              consumer: item._source[OWNER],
+              consumer: item._source[ALERT_OWNER],
               operation,
               entity: AlertingAuthorizationEntity.Alert,
             });
@@ -251,7 +254,7 @@ export class AlertsClient {
         AlertingAuthorizationEntity.Alert,
         {
           type: AlertingAuthorizationFilterType.ESDSL,
-          fieldNames: { consumer: OWNER, ruleTypeId: RULE_ID },
+          fieldNames: { consumer: ALERT_OWNER, ruleTypeId: RULE_ID },
         },
         operation
       );

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
@@ -77,10 +77,9 @@ describe('get()', () => {
     const result = await alertsClient.get({ id: '1', index: '.alerts-observability-apm' });
     expect(result).toMatchInlineSnapshot(`
       Object {
-        "_version": "WzM2MiwyXQ==",
-        "${ALERT_OWNER}": "apm",
-        "${ALERT_STATUS}": "open",
-        "${SPACE_IDS}": Array [
+        "kibana.alert.owner": "apm",
+        "kibana.alert.status": "open",
+        "kibana.space_ids": Array [
           "test_default_space_id",
         ],
         "message": "hello world 1",
@@ -254,10 +253,9 @@ describe('get()', () => {
 
       expect(result).toMatchInlineSnapshot(`
         Object {
-          "_version": "WzM2MiwyXQ==",
-          "${ALERT_OWNER}": "apm",
-          "${ALERT_STATUS}": "open",
-          "${SPACE_IDS}": Array [
+          "kibana.alert.owner": "apm",
+          "kibana.alert.status": "open",
+          "kibana.space_ids": Array [
             "test_default_space_id",
           ],
           "message": "hello world 1",

diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
@@ -12,6 +12,7 @@ import {
   ALERT_STATUS,
   CONSUMERS,
   ECS_VERSION,
+  SPACE_IDS,
   RULE_ID,
   TIMESTAMP,
   VERSION,
@@ -33,6 +34,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
   [ALERT_OWNER]: 'apm',
   [ALERT_STATUS]: 'open',
   [ALERT_RULE_RISK_SCORE]: 20,
+  [SPACE_IDS]: ['fake-space-id'],
   [ALERT_RULE_SEVERITY]: 'warning',
 });
 

diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts
@@ -24,7 +24,8 @@ import {
   EVENT_ACTION,
   EVENT_KIND,
   RULE_ID,
-  OWNER,
+  ALERT_OWNER,
+  SPACE_IDS,
 } from '../../common/technical_rule_data_field_names';
 import { createRuleDataClientMock } from '../rule_data_client/create_rule_data_client_mock';
 import { createLifecycleExecutor } from './create_lifecycle_executor';
@@ -130,15 +131,15 @@ describe('createLifecycleExecutor', () => {
           {
             fields: {
               [ALERT_ID]: 'TEST_ALERT_0',
-              [OWNER]: 'CONSUMER',
+              [ALERT_OWNER]: 'CONSUMER',
               [RULE_ID]: 'RULE_TYPE_ID',
               labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc
             },
           },
           {
             fields: {
               [ALERT_ID]: 'TEST_ALERT_1',
-              [OWNER]: 'CONSUMER',
+              [ALERT_OWNER]: 'CONSUMER',
               [RULE_ID]: 'RULE_TYPE_ID',
               labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc
             },
@@ -228,17 +229,19 @@ describe('createLifecycleExecutor', () => {
             fields: {
               '@timestamp': '',
               [ALERT_ID]: 'TEST_ALERT_0',
-              [OWNER]: 'CONSUMER',
+              [ALERT_OWNER]: 'CONSUMER',
               [RULE_ID]: 'RULE_TYPE_ID',
+              [SPACE_IDS]: ['fake-space-id'],
               labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must show up in the written doc
             },
           },
           {
             fields: {
               '@timestamp': '',
               [ALERT_ID]: 'TEST_ALERT_1',
-              [OWNER]: 'CONSUMER',
+              [ALERT_OWNER]: 'CONSUMER',
               [RULE_ID]: 'RULE_TYPE_ID',
+              [SPACE_IDS]: ['fake-space-id'],
               labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc
             },
           },

diff --git a/.../detection_engine/rule_execution_log/rule_registry_log_client/rule_execution_field_map.ts b/.../detection_engine/rule_execution_log/rule_registry_log_client/rule_execution_field_map.ts
@@ -18,6 +18,9 @@ import {
  * @deprecated ruleExecutionFieldMap is kept here only as a reference. It will be superseded with EventLog implementation
  */
 export const ruleExecutionFieldMap = {
+  // [ALERT_OWNER]: { type: 'keyword', required: true },
+  // [SPACE_IDS]: { type: 'keyword', array: true, required: true },
+  // [RULE_ID]: { type: 'keyword', required: true },
   [MESSAGE]: { type: 'keyword' },
   [EVENT_SEQUENCE]: { type: 'long' },
   [EVENT_END]: { type: 'date' },

diff --git a/.../detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts b/.../detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts
@@ -6,7 +6,14 @@
  */
 
 import { estypes } from '@elastic/elasticsearch';
-import { EVENT_ACTION, EVENT_KIND, RULE_ID, SPACE_IDS, TIMESTAMP } from '@kbn/rule-data-utils';
+import {
+  EVENT_ACTION,
+  EVENT_KIND,
+  RULE_ID,
+  SPACE_IDS,
+  TIMESTAMP,
+  ALERT_OWNER,
+} from '@kbn/rule-data-utils';
 import { once } from 'lodash/fp';
 import moment from 'moment';
 import { RuleDataClient, RuleDataPluginService } from '../../../../../../rule_registry/server';
@@ -201,6 +208,14 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
     );
   }
 
+  // { [x: string]: string | string[] | ExecutionMetricValue<T>;
+  //   [x: number]: string;
+  //   "kibana.space_ids": string[];
+  //   "event.action": T;
+  //   "event.kind": string;
+  //   "rule.id": string;
+  //   "@timestamp": string; }
+
   public async logExecutionMetric<T extends ExecutionMetric>({
     ruleId,
     namespace,
@@ -216,6 +231,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
         [getMetricField(metric)]: value,
         [RULE_ID]: ruleId,
         [TIMESTAMP]: new Date().toISOString(),
+        [ALERT_OWNER]: 'siem',
       },
       namespace
     );
@@ -239,6 +255,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
         [RULE_STATUS_SEVERITY]: statusSeverityDict[newStatus],
         [RULE_STATUS]: newStatus,
         [TIMESTAMP]: new Date().toISOString(),
+        [ALERT_OWNER]: 'siem',
       },
       namespace
     );

diff --git a/...rity_solution/server/lib/detection_engine/rule_types/create_security_rule_type_factory.ts b/...rity_solution/server/lib/detection_engine/rule_types/create_security_rule_type_factory.ts
@@ -189,6 +189,7 @@ export const createSecurityRuleTypeFactory: CreateSecurityRuleTypeFactory = ({
         );
 
         const wrapHits = wrapHitsFactory({
+          spaceId,
           ruleSO,
           mergeStrategy,
         });

diff --git a/...s/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts b/...s/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
@@ -5,7 +5,14 @@
  * 2.0.
  */
 
-import { ALERT_STATUS, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
+import {
+  ALERT_STATUS,
+  ALERT_WORKFLOW_STATUS,
+  TIMESTAMP,
+  RULE_ID,
+  ALERT_OWNER,
+  SPACE_IDS,
+} from '@kbn/rule-data-utils';
 import { SearchTypes } from '../../../../../../common/detection_engine/types';
 import { RulesSchema } from '../../../../../../common/detection_engine/schemas/response/rules_schema';
 import { isEventTypeSignal } from '../../../signals/build_event_type_signal';
@@ -85,7 +92,11 @@ export const removeClashes = (doc: BaseSignalHit): BaseSignalHit => {
  * @param docs The parent signals/events of the new signal to be built.
  * @param rule The rule that is generating the new signal.
  */
-export const buildAlert = (doc: SignalSourceHit, rule: RulesSchema) => {
+export const buildAlert = (
+  spaceId: string | null | undefined,
+  doc: SignalSourceHit,
+  rule: RulesSchema
+) => {
   const removedClashes = removeClashes(doc);
   const parent = buildParent(removedClashes);
   const ancestors = buildAncestors(removedClashes);
@@ -96,6 +107,10 @@ export const buildAlert = (doc: SignalSourceHit, rule: RulesSchema) => {
   const signalRule = signal?.rule;
 
   return {
+    [TIMESTAMP]: new Date().toISOString(),
+    [RULE_ID]: rule.id,
+    [ALERT_OWNER]: 'siem',
+    [SPACE_IDS]: [spaceId],
     'kibana.alert.ancestors': ancestors as object[],
     [ALERT_STATUS]: 'open',
     [ALERT_WORKFLOW_STATUS]: 'open',

diff --git a/...curity_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts b/...curity_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
@@ -24,17 +24,19 @@ import { filterSource } from './filter_source';
  * @returns The body that can be added to a bulk call for inserting the signal.
  */
 export const buildBulkBody = (
+  spaceId: string | null | undefined,
   ruleSO: SavedObject<AlertAttributes>,
   doc: SignalSourceHit,
   mergeStrategy: ConfigType['alertMergeStrategy']
 ): RACAlert => {
   const mergedDoc = getMergeStrategy(mergeStrategy)({ doc });
   const rule = buildRuleWithOverrides(ruleSO, mergedDoc._source ?? {});
   const filteredSource = filterSource(mergedDoc);
-  return {
+  const toReturn = {
     ...filteredSource,
-    ...buildAlert(mergedDoc, rule),
+    ...buildAlert(spaceId, mergedDoc, rule),
     ...additionalAlertFields(mergedDoc),
-    '@timestamp': new Date().toISOString(),
   };
+  // TODO: fix this type issue introduced here: https://github.com/elastic/kibana/pull/105096
+  return (toReturn as unknown) as RACAlert;
 };
diff --git a/...s/security_solution/server/lib/detection_engine/rule_types/factories/wrap_hits_factory.ts b/...s/security_solution/server/lib/detection_engine/rule_types/factories/wrap_hits_factory.ts
@@ -13,9 +13,11 @@ import type { ConfigType } from '../../../../config';
 import { WrappedRACAlert } from '../types';
 
 export const wrapHitsFactory = ({
+  spaceId,
   ruleSO,
   mergeStrategy,
 }: {
+  spaceId: string | null | undefined;
   ruleSO: SearchAfterAndBulkCreateParams['ruleSO'];
   mergeStrategy: ConfigType['alertMergeStrategy'];
 }): WrapHits => (events) => {
@@ -28,7 +30,7 @@ export const wrapHitsFactory = ({
         String(doc._version),
         ruleSO.attributes.params.ruleId ?? ''
       ),
-      _source: buildBulkBody(ruleSO, doc as SignalSourceHit, mergeStrategy),
+      _source: buildBulkBody(spaceId, ruleSO, doc as SignalSourceHit, mergeStrategy),
     },
   ]);
 

diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
@@ -92,8 +92,8 @@
       "@timestamp": "2020-12-16T15:16:18.570Z",
       "rule.id": "siem.signals",
       "message": "hello world security",
-      "kibana.rac.alert.owner": "siem",
-      "kibana.rac.alert.status": "open",
+      "kibana.alert.owner": "siem",
+      "kibana.alert.status": "open",
       "kibana.space_ids": ["space1"]
     }
   }
@@ -108,8 +108,8 @@
       "@timestamp": "2020-12-16T15:16:18.570Z",
       "rule.id": "siem.signals",
       "message": "hello world security",
-      "kibana.rac.alert.owner": "siem",
-      "kibana.rac.alert.status": "open",
+      "kibana.alert.owner": "siem",
+      "kibana.alert.status": "open",
       "kibana.space_ids": ["space2"]
     }
   }

diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
@@ -126,7 +126,7 @@ export default ({ getService }: FtrProviderContext) => {
             .set('kbn-xsrf', 'true')
             .send({
               status: 'closed',
-              query: 'kibana.rac.alert.status: open',
+              query: 'kibana.alert.status: open',
               index,
             });
           expect(updated.statusCode).to.eql(200);
-Original file line number
+Diff line change
@@ Expand Up @@
             );
             const wrapHits = wrapHitsFactory({
+              spaceId,
               ruleSO,
               mergeStrategy,
             });
@@ Expand Down @@