Test fixes

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/wrap_hits_factory.ts

@@ -39,7 +39,7 @@ export const wrapHitsFactory = ({
       },
     ]);
 
-    return filterDuplicateSignals(ruleSO.id, wrappedDocs);
+    return filterDuplicateSignals(ruleSO.id, wrappedDocs, true);
   } catch (error) {
     logger.error(error);
     return [];

x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_duplicate_signals.test.ts

@@ -38,11 +38,11 @@ const mockSignals = [
 describe('filterDuplicateSignals', () => {
   describe('detection engine implementation', () => {
     it('filters duplicate signals', () => {
-      expect(filterDuplicateSignals(mockRuleId1, mockSignals).length).toEqual(1);
+      expect(filterDuplicateSignals(mockRuleId1, mockSignals, false).length).toEqual(1);
     });
 
     it('does not filter non-duplicate signals', () => {
-      expect(filterDuplicateSignals(mockRuleId3, mockSignals).length).toEqual(2);
+      expect(filterDuplicateSignals(mockRuleId3, mockSignals, false).length).toEqual(2);
     });
   });
 });

x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_duplicate_signals.ts

@@ -7,21 +7,22 @@
 
 import { WrappedRACAlert } from '../rule_types/types';
 import { Ancestor, SimpleHit, WrappedSignalHit } from './types';
-import { isWrappedRACAlert, isWrappedSignalHit } from './utils';
 
-export const filterDuplicateSignals = (ruleId: string, signals: SimpleHit[]) => {
-  if (isWrappedSignalHit(signals[0])) {
+export const filterDuplicateSignals = (
+  ruleId: string,
+  signals: SimpleHit[],
+  isRuleRegistryEnabled: boolean
+) => {
+  if (!isRuleRegistryEnabled) {
     return (signals as WrappedSignalHit[]).filter(
       (doc) => !doc._source.signal?.ancestors.some((ancestor) => ancestor.rule === ruleId)
     );
-  } else if (isWrappedRACAlert(signals[0])) {
+  } else {
     return (signals as WrappedRACAlert[]).filter(
       (doc) =>
         !(doc._source['kibana.alert.ancestors'] as Ancestor[]).some(
           (ancestor) => ancestor.rule === ruleId
         )
     );
-  } else {
-    return signals;
   }
 };

x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts

@@ -8,15 +8,17 @@ import { createHash } from 'crypto';
 import { chunk, get, isEmpty, partition } from 'lodash';
 import moment from 'moment';
 import uuidv5 from 'uuid/v5';
+
 import dateMath from '@elastic/datemath';
 import type { estypes } from '@elastic/elasticsearch';
 import { ApiResponse, Context } from '@elastic/elasticsearch/lib/Transport';
-
+import { ALERT_ID } from '@kbn/rule-data-utils';
 import type { ListArray, ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
 import { MAX_EXCEPTION_LIST_SIZE } from '@kbn/securitysolution-list-constants';
 import { hasLargeValueList } from '@kbn/securitysolution-list-utils';
 import { parseScheduleDates } from '@kbn/securitysolution-io-ts-utils';
 import { ElasticsearchClient } from '@kbn/securitysolution-es-utils';
+
 import {
   TimestampOverrideOrUndefined,
   Privilege,
@@ -938,11 +940,11 @@ export const isWrappedEventHit = (event: SimpleHit): event is WrappedEventHit =>
 };
 
 export const isWrappedSignalHit = (event: SimpleHit): event is WrappedSignalHit => {
-  return (event as WrappedSignalHit)._source.signal != null;
+  return (event as WrappedSignalHit)?._source?.signal != null;
 };
 
 export const isWrappedRACAlert = (event: SimpleHit): event is WrappedRACAlert => {
-  return (event as WrappedRACAlert)._source['kibana.rac.alert.id'] != null;
+  return (event as WrappedRACAlert)?._source?.[ALERT_ID] != null;
 };
 
 export const getField = <T extends SearchTypes>(event: SimpleHit, field: string): T | undefined => {

x-pack/plugins/security_solution/server/lib/detection_engine/signals/wrap_hits_factory.ts

@@ -38,5 +38,5 @@ export const wrapHitsFactory = ({
     },
   ]);
 
-  return filterDuplicateSignals(ruleSO.id, wrappedDocs);
+  return filterDuplicateSignals(ruleSO.id, wrappedDocs, false);
 };