[Security Solution] Open alerts with an associated template in the te…

…mplate view (#123333) (#123689) * Open alerts with a template, with a template * Add default values back instead of template derived ones * Use data providers over filters always, set timeline description to alert id * Remove prepopulated description from non threshold alerts * Open any event in timeline, use correct timestamp * Remove unneeded @timestamp, make sure alertsEcsData is not empty array * Add basic getField tests * Explicity check if alertGroupId is an array instead of using length * Always use a valid date for time range * Only use filter if more than 1 alert is present * Possibly controversial change to calculate threshold time range with a template, fix test that should never have passed * Create threshold timeline in separate function * Use better type for createTimeline passed to createThresholdTimeline * Invert negation as suggested in pr comment * Use template timeline filters/query/data providers for threshold alerts Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit cef886f) Co-authored-by: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
elastic · Jan 25, 2022 · 2325ed6 · 2325ed6
1 parent 1b46b68
commit 2325ed6
Show file tree

Hide file tree

Showing 5 changed files with 263 additions and 126 deletions.
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
@@ -15,6 +15,7 @@ import {
   mockEcsDataWithAlert,
   mockTimelineDetails,
   mockTimelineResult,
+  mockAADEcsDataWithAlert,
 } from '../../../common/mock/';
 import { CreateTimeline, UpdateTimelineLoading } from './types';
 import { Ecs } from '../../../../common/ecs';
@@ -268,6 +269,9 @@ describe('alert actions', () => {
           updateTimelineIsLoading,
           searchStrategyClient,
         });
+        const defaultTimelinePropsWithoutNote = { ...defaultTimelineProps };
+
+        delete defaultTimelinePropsWithoutNote.ruleNote;
 
         expect(updateTimelineIsLoading).toHaveBeenCalledWith({
           id: TimelineId.active,
@@ -278,7 +282,17 @@ describe('alert actions', () => {
           isLoading: false,
         });
         expect(createTimeline).toHaveBeenCalledTimes(1);
-        expect(createTimeline).toHaveBeenCalledWith(defaultTimelineProps);
+        expect(createTimeline).toHaveBeenCalledWith({
+          ...defaultTimelinePropsWithoutNote,
+          timeline: {
+            ...defaultTimelinePropsWithoutNote.timeline,
+            dataProviders: [],
+            kqlQuery: {
+              filterQuery: null,
+            },
+            resolveTimelineConfig: undefined,
+          },
+        });
       });
     });
 
@@ -289,8 +303,7 @@ describe('alert actions', () => {
           signal: {
             rule: {
               ...mockEcsDataWithAlert.signal?.rule,
-              // @ts-expect-error
-              timeline_id: null,
+              timeline_id: [''],
             },
           },
         };
@@ -362,6 +375,7 @@ describe('alert actions', () => {
           ...defaultTimelineProps,
           timeline: {
             ...defaultTimelineProps.timeline,
+            resolveTimelineConfig: undefined,
             dataProviders: [
               {
                 and: [],
@@ -424,14 +438,53 @@ describe('alert actions', () => {
     });
 
     test('it uses original_time and threshold_result.from for threshold alerts', async () => {
-      const ecsDataMock = getThresholdDetectionAlertAADMock();
+      const ecsDataMockWithNoTemplateTimeline = getThresholdDetectionAlertAADMock({
+        ...mockAADEcsDataWithAlert,
+        kibana: {
+          alert: {
+            ...mockAADEcsDataWithAlert.kibana?.alert,
+            rule: {
+              ...mockAADEcsDataWithAlert.kibana?.alert?.rule,
+              parameters: {
+                ...mockAADEcsDataWithAlert.kibana?.alert?.rule?.parameters,
+                threshold: {
+                  field: ['destination.ip'],
+                  value: 1,
+                },
+              },
+              name: ['mock threshold rule'],
+              saved_id: [],
+              type: ['threshold'],
+              uuid: ['c5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'],
+              timeline_id: undefined,
+              timeline_title: undefined,
+            },
+            threshold_result: {
+              count: 99,
+              from: '2021-01-10T21:11:45.839Z',
+              cardinality: [
+                {
+                  field: 'source.ip',
+                  value: 1,
+                },
+              ],
+              terms: [
+                {
+                  field: 'destination.ip',
+                  value: 1,
+                },
+              ],
+            },
+          },
+        },
+      });
 
       const expectedFrom = '2021-01-10T21:11:45.839Z';
       const expectedTo = '2021-01-10T21:12:45.839Z';
 
       await sendAlertToTimelineAction({
         createTimeline,
-        ecsData: ecsDataMock,
+        ecsData: ecsDataMockWithNoTemplateTimeline,
         updateTimelineIsLoading,
         searchStrategyClient,
       });