Skip to content

Commit

Permalink
[7.11] [Security Solution] [Detections] Updates warning message when …
Browse files Browse the repository at this point in the history
…no indices match provided index patterns (#93094) (#93227)

* [Security Solution] [Detections] Updates warning message when no indices match provided index patterns (#93094)

* updates warning messages and modifies warning message when endpoint security rule is missing index pattern

* fix integration test text
# Conflicts:
#	x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_rules.ts

* fix ftr test
  • Loading branch information
dhurley14 authored Mar 2, 2021
1 parent 7b9b093 commit 44bc123
Show file tree
Hide file tree
Showing 4 changed files with 67 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,7 @@ export const signalRulesAlertType = ({
hasTimestampFields(
wroteStatus,
hasTimestampOverride ? (timestampOverride as string) : '@timestamp',
name,
timestampFieldCaps,
inputIndices,
ruleStatusService,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -843,6 +843,7 @@ describe('utils', () => {
const res = await hasTimestampFields(
false,
timestampField,
'myfakerulename',
// eslint-disable-next-line @typescript-eslint/no-explicit-any
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
['myfa*'],
Expand Down Expand Up @@ -883,6 +884,7 @@ describe('utils', () => {
const res = await hasTimestampFields(
false,
timestampField,
'myfakerulename',
// eslint-disable-next-line @typescript-eslint/no-explicit-any
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
['myfa*'],
Expand All @@ -895,6 +897,60 @@ describe('utils', () => {
);
expect(res).toBeTruthy();
});

test('returns true when missing logs-endpoint.alerts-* index and rule name is Endpoint Security', async () => {
const timestampField = '@timestamp';
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
body: {
indices: [],
fields: {},
},
};
mockLogger.error.mockClear();
const res = await hasTimestampFields(
false,
timestampField,
'Endpoint Security',
// eslint-disable-next-line @typescript-eslint/no-explicit-any
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
['logs-endpoint.alerts-*'],
ruleStatusServiceMock,
mockLogger,
buildRuleMessage
);
expect(mockLogger.error).toHaveBeenCalledWith(
'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
);
expect(res).toBeTruthy();
});

test('returns true when missing logs-endpoint.alerts-* index and rule name is NOT Endpoint Security', async () => {
const timestampField = '@timestamp';
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
body: {
indices: [],
fields: {},
},
};
mockLogger.error.mockClear();
const res = await hasTimestampFields(
false,
timestampField,
'NOT Endpoint Security',
// eslint-disable-next-line @typescript-eslint/no-explicit-any
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
['logs-endpoint.alerts-*'],
ruleStatusServiceMock,
mockLogger,
buildRuleMessage
);
expect(mockLogger.error).toHaveBeenCalledWith(
'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
);
expect(res).toBeTruthy();
});
});

describe('wrapBuildingBlocks', () => {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ export const hasReadIndexPrivileges = async (
export const hasTimestampFields = async (
wroteStatus: boolean,
timestampField: string,
ruleName: string,
// any is derived from here
// node_modules/@elastic/elasticsearch/api/kibana.d.ts
// eslint-disable-next-line @typescript-eslint/no-explicit-any
Expand All @@ -110,11 +111,15 @@ export const hasTimestampFields = async (
buildRuleMessage: BuildRuleMessage
): Promise<boolean> => {
if (!wroteStatus && isEmpty(timestampFieldCapsResponse.body.indices)) {
const errorString = `The following index patterns did not match any indices: ${JSON.stringify(
const errorString = `This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ${JSON.stringify(
inputIndices
)}`;
logger.error(buildRuleMessage(errorString));
await ruleStatusService.warning(errorString);
)} was found. This warning will continue to appear until a matching index is created or this rule is de-activated. ${
ruleName === 'Endpoint Security'
? 'If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.'
: ''
}`;
logger.error(buildRuleMessage(errorString.trimEnd()));
await ruleStatusService.warning(errorString.trimEnd());
return true;
} else if (
!wroteStatus &&
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ export default ({ getService }: FtrProviderContext) => {

expect(statusBody[body.id].current_status.status).to.eql('warning');
expect(statusBody[body.id].current_status.last_success_message).to.eql(
'The following index patterns did not match any indices: ["does-not-exist-*"]'
'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["does-not-exist-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated.'
);
});

Expand Down

0 comments on commit 44bc123

Please sign in to comment.