Use template timeline filters/query/data providers for threshold alerts

elastic · Jan 25, 2022 · 12c42d3 · 12c42d3
1 parent 84dd174
commit 12c42d3
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 22 deletions.
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
@@ -15,6 +15,7 @@ import {
   mockEcsDataWithAlert,
   mockTimelineDetails,
   mockTimelineResult,
+  mockAADEcsDataWithAlert,
 } from '../../../common/mock/';
 import { CreateTimeline, UpdateTimelineLoading } from './types';
 import { Ecs } from '../../../../common/ecs';
@@ -437,14 +438,53 @@ describe('alert actions', () => {
     });
 
     test('it uses original_time and threshold_result.from for threshold alerts', async () => {
-      const ecsDataMock = getThresholdDetectionAlertAADMock();
+      const ecsDataMockWithNoTemplateTimeline = getThresholdDetectionAlertAADMock({
+        ...mockAADEcsDataWithAlert,
+        kibana: {
+          alert: {
+            ...mockAADEcsDataWithAlert.kibana?.alert,
+            rule: {
+              ...mockAADEcsDataWithAlert.kibana?.alert?.rule,
+              parameters: {
+                ...mockAADEcsDataWithAlert.kibana?.alert?.rule?.parameters,
+                threshold: {
+                  field: ['destination.ip'],
+                  value: 1,
+                },
+              },
+              name: ['mock threshold rule'],
+              saved_id: [],
+              type: ['threshold'],
+              uuid: ['c5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'],
+              timeline_id: undefined,
+              timeline_title: undefined,
+            },
+            threshold_result: {
+              count: 99,
+              from: '2021-01-10T21:11:45.839Z',
+              cardinality: [
+                {
+                  field: 'source.ip',
+                  value: 1,
+                },
+              ],
+              terms: [
+                {
+                  field: 'destination.ip',
+                  value: 1,
+                },
+              ],
+            },
+          },
+        },
+      });
 
       const expectedFrom = '2021-01-10T21:11:45.839Z';
       const expectedTo = '2021-01-10T21:12:45.839Z';
 
       await sendAlertToTimelineAction({
         createTimeline,
-        ecsData: ecsDataMock,
+        ecsData: ecsDataMockWithNoTemplateTimeline,
         updateTimelineIsLoading,
         searchStrategyClient,
       });

diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
@@ -387,10 +387,10 @@ const buildEqlDataProviderOrFilter = (
 const createThresholdTimeline = (
   ecsData: Ecs,
   createTimeline: ({ from, timeline, to }: CreateTimelineProps) => void,
-  noteContent: string
+  noteContent: string,
+  templateValues: { filters?: Filter[]; query?: string; dataProviders?: DataProvider[] }
 ) => {
   const { thresholdFrom, thresholdTo, dataProviders } = getThresholdAggregationData(ecsData);
-
   const params = getField(ecsData, ALERT_RULE_PARAMETERS);
   const filters = getFiltersFromRule(params.filters ?? ecsData.signal?.rule?.filters) ?? [];
   const language = params.language ?? ecsData.signal?.rule?.language ?? 'kuery';
@@ -403,8 +403,8 @@ const createThresholdTimeline = (
     timeline: {
       ...timelineDefaults,
       description: `_id: ${ecsData._id}`,
-      filters,
-      dataProviders,
+      filters: templateValues.filters ?? filters,
+      dataProviders: templateValues.dataProviders ?? dataProviders,
       id: TimelineId.active,
       indexNames,
       dateRange: {
@@ -416,9 +416,9 @@ const createThresholdTimeline = (
         filterQuery: {
           kuery: {
             kind: language,
-            expression: query,
+            expression: templateValues.query ?? query,
           },
-          serializedQuery: query,
+          serializedQuery: templateValues.query ?? query,
         },
       },
     },
@@ -479,22 +479,25 @@ export const sendAlertToTimelineAction = async ({
           true,
           timelineTemplate.timelineType ?? TimelineType.default
         );
-
+        const query = replaceTemplateFieldFromQuery(
+          timeline.kqlQuery?.filterQuery?.kuery?.expression ?? '',
+          eventData,
+          timeline.timelineType
+        );
+        const filters = replaceTemplateFieldFromMatchFilters(timeline.filters ?? [], eventData);
+        const dataProviders = replaceTemplateFieldFromDataProviders(
+          timeline.dataProviders ?? [],
+          eventData,
+          timeline.timelineType
+        );
         // threshold with template
         if (isThresholdRule(ecsData)) {
-          createThresholdTimeline(ecsData, createTimeline, noteContent);
+          createThresholdTimeline(ecsData, createTimeline, noteContent, {
+            filters,
+            query,
+            dataProviders,
+          });
         } else {
-          const query = replaceTemplateFieldFromQuery(
-            timeline.kqlQuery?.filterQuery?.kuery?.expression ?? '',
-            eventData,
-            timeline.timelineType
-          );
-          const filters = replaceTemplateFieldFromMatchFilters(timeline.filters ?? [], eventData);
-          const dataProviders = replaceTemplateFieldFromDataProviders(
-            timeline.dataProviders ?? [],
-            eventData,
-            timeline.timelineType
-          );
           return createTimeline({
             from,
             timeline: {
@@ -547,7 +550,7 @@ export const sendAlertToTimelineAction = async ({
       });
     }
   } else if (isThresholdRule(ecsData)) {
-    createThresholdTimeline(ecsData, createTimeline, noteContent);
+    createThresholdTimeline(ecsData, createTimeline, noteContent, {});
   } else {
     let { dataProviders, filters } = buildTimelineDataProviderOrFilter(alertIds ?? [], ecsData._id);
     if (isEqlRuleWithGroupId(ecsData)) {