-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Detection Engine] Bubbles up more error messages from ES queries to the UI #78004
[Security Solution][Detection Engine] Bubbles up more error messages from ES queries to the UI #78004
Conversation
Pinging @elastic/siem (Team:SIEM) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Accumulating these failures will help us out a lot going forward with users debugging issues and bringing some "self - service" to the detection engine. Also, thanks for cleaning up the code with those merge functions!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Desk tested and saw these lovely new errors!
I had a suggestion for a minor refactor that might clean things up and obviate some of the test permutations, but feel free to take it or leave it!
success: boolean; | ||
searchAfterTimes: string[]; | ||
bulkCreateTimes: string[]; | ||
lastLookBackDate: Date | null | undefined; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the semantic distinction between null and undefined for this value? Looking at the implementation of createSearchAfterReturnType
it seems like it'll never be undefined
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a bit weird. It sometimes can be undefined if it has never been set before. I think we used null
as setting it for another type of value. But yeah, it can be either of those three states.
logger.debug(buildRuleMessage(`created ${createdCount} signals`)); | ||
toReturn.createdSignalsCount += createdCount; | ||
toReturn = mergeSearchAfterAndBulkCreate({ | ||
prev: toReturn, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: the prev
and next
arguments are a little odd to me, I would expect this kind of function to instead operate on a uniform array, e.g. (A[]) => A
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh that's interesting. An ordered array. That's a good idea. I can try to add that and see if it makes sense and then commit it if it does.
const searchReturn = createSearchAfterReturnType({ | ||
success: searchResult._shards.failed === 0, | ||
lastLookBackDate: | ||
searchResult.hits.hits.length > 0 | ||
? new Date(searchResult.hits.hits[searchResult.hits.hits.length - 1]?._source['@timestamp']) | ||
: undefined, | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const searchReturn = createSearchAfterReturnType({ | |
success: searchResult._shards.failed === 0, | |
lastLookBackDate: | |
searchResult.hits.hits.length > 0 | |
? new Date(searchResult.hits.hits[searchResult.hits.hits.length - 1]?._source['@timestamp']) | |
: undefined, | |
}); | |
const searchReturn = createSearchAfterReturnTypeFromResponse(searchResult); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ha! Thank you. Pure 🥇 gold here. Appreciate the eyes. Will fix.
? new Date(searchResult.hits.hits[searchResult.hits.hits.length - 1]?._source['@timestamp']) | ||
: undefined, | ||
}); | ||
const partialMerge = mergeSearchAfterAndBulkCreate({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a suggestion to normalize these merging functions, but I realize it might cause a bunch of churn so feel free to ignore it. The basic idea is to decompose into the following functions:
- function to merge two
SearchAfterAndBulkCreateReturnType
s into one (e.g.(a: A, b: A) => A
) - function to reduce n
SearchAfterAndBulkCreateReturnType
s via the above function, usingcreateSearchAfterReturnType()
as the starting value
That would eliminate the need for these prev/next parameters and the partialMerge stuff. Again, just a suggestion, take it or leave it!
toReturn = mergeSearchAfterReturnTypeFromResponse({ | ||
searchResult, | ||
searchDuration, | ||
}: { searchResult: SignalSearchResponse; searchDuration: string } = await singleSearchAfter( | ||
{ | ||
searchAfterSortId: sortId, | ||
index: inputIndexPattern, | ||
from: tuple.from.toISOString(), | ||
to: tuple.to.toISOString(), | ||
services, | ||
logger, | ||
filter, | ||
pageSize: tuple.maxSignals < pageSize ? Math.ceil(tuple.maxSignals) : pageSize, // maximum number of docs to receive per search result. | ||
timestampOverride: ruleParams.timestampOverride, | ||
} | ||
); | ||
toReturn.searchAfterTimes.push(searchDuration); | ||
prev: toReturn, | ||
next: createSearchAfterReturnType({ | ||
searchAfterTimes: [searchDuration], | ||
errors: searchErrors, | ||
}), | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With those suggested changes this could be:
toReturn = mergeReturns([
toReturn,
createSearchAfterReturnFromResponse(searchResult),
createSearchAfterReturnType(),
]);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think with the changes where I was able to utilize an N array of items for the merge which respect the order I was able to do this:
toReturn = mergeReturns([
toReturn,
createSearchAfterReturnTypeFromResponse({ searchResult }),
createSearchAfterReturnType({
searchAfterTimes: [searchDuration],
errors: searchErrors,
}),
]);
And then remove that specific function. So I think this is all cleaning up nicely. I will update and make sure all the unit tests work and then re-do the ad-hoc tests again and push this all up.
Really really appreciate the thoughts you give to the API's in these places. Really makes things a lot better.
💚 Build SucceededBuild metrics
History
To update your PR or re-run it, just comment with: |
…from ES queries to the UI (elastic#78004) ## Summary Fixes: elastic#77254 Bubbles up error messages from ES queries that have _shards.failures in them. For example if you have errors in your exceptions list you will need to see them bubbled up. Steps to reproduce: Go to a detections rule and add an invalid value within the exceptions such as this one below: <img width="1523" alt="Screen Shot 2020-09-21 at 7 52 59 AM" src="https://user-images.githubusercontent.com/1151048/93817197-d1a53780-fc15-11ea-8cf2-4dd7fd5a3c13.png"> Notice that rsa.internal.level value is not a numeric but a text string. You should now see this error message where before you could not: <img width="1503" alt="Screen Shot 2020-09-21 at 7 52 44 AM" src="https://user-images.githubusercontent.com/1151048/93817231-e1bd1700-fc15-11ea-9038-99668233191a.png"> ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
* master: (31 commits) skip tests for old pacakge (elastic#78194) [Ingest Pipelines] Add url generator for ingest pipelines app (elastic#77872) [Lens] Rename "telemetry" to "stats" (elastic#78125) [CSM] Url search (elastic#77516) [Drilldowns] Config to disable URL Drilldown (elastic#77887) [Lens] Combined histogram/range aggregation for numbers (elastic#76121) Remove legacy plugins support (elastic#77599) 'Auto' interval must be correctly calculated for natural numbers (elastic#77995) [CSM] fix ingest data retry order messed up (elastic#78163) Add response status helpers (elastic#78006) Bump react-beautiful-dnd (elastic#78028) [Security Solution][Detection Engine] Bubbles up more error messages from ES queries to the UI (elastic#78004) Index pattern - refactor constructor (elastic#77791) Add `xpack.security.sameSiteCookies` to docker allow list (elastic#78192) Remove [key: string]: any; from IIndexPattern (elastic#77968) Remove requirement for manage_index_templates privilege for Index Management (elastic#77377) [Ingest Manager] Agent bulk actions UI (elastic#77690) [Metrics UI] Add inventory view timeline (elastic#77804) Reporting/Docs: Updates for setting to enable CSV Download (elastic#78101) Update to latest rum-react (elastic#78193) ...
…from ES queries to the UI (#78004) (#78244) ## Summary Fixes: #77254 Bubbles up error messages from ES queries that have _shards.failures in them. For example if you have errors in your exceptions list you will need to see them bubbled up. Steps to reproduce: Go to a detections rule and add an invalid value within the exceptions such as this one below: <img width="1523" alt="Screen Shot 2020-09-21 at 7 52 59 AM" src="https://user-images.githubusercontent.com/1151048/93817197-d1a53780-fc15-11ea-8cf2-4dd7fd5a3c13.png"> Notice that rsa.internal.level value is not a numeric but a text string. You should now see this error message where before you could not: <img width="1503" alt="Screen Shot 2020-09-21 at 7 52 44 AM" src="https://user-images.githubusercontent.com/1151048/93817231-e1bd1700-fc15-11ea-9038-99668233191a.png"> ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
Fixes: #77254
Bubbles up error messages from ES queries that have _shards.failures in them. For example if you have errors in your exceptions list you will need to see them bubbled up.
Steps to reproduce:
Go to a detections rule and add an invalid value within the exceptions such as this one below:
Notice that rsa.internal.level value is not a numeric but a text string. You should now see this error message where before you could not:
Checklist