
Commit b3241b0

committed
updates warning messages and modifies warning message when endpoint security rule is missing index pattern
1 parent 4b42574 commit b3241b0

3 files changed

Lines changed: 66 additions & 4 deletions


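--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -214,6 +214,7 @@ export const signalRulesAlertType = ({
 hasTimestampFields(
 wroteStatus,
 hasTimestampOverride ? (timestampOverride as string) : '@timestamp',
+name,
 timestampFieldCaps,
 inputIndices,
 ruleStatusService,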

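--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
@@ -814,6 +814,7 @@ describe('utils', () => {
 const res = await hasTimestampFields(
 false,
 timestampField,
+'myfakerulename',
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
 ['myfa*'],
@@ -854,6 +855,7 @@ describe('utils', () => {
 const res = await hasTimestampFields(
 false,
 timestampField,
+'myfakerulename',
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
 ['myfa*'],
@@ -866,6 +868,60 @@ describe('utils', () => {
 );
 expect(res).toBeTruthy();
 });
+
+test('returns true when missing logs-endpoint.alerts-* index and rule name is Endpoint Security', async () => {
+const timestampField = '@timestamp';
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
+body: {
+indices: [],
+fields: {},
+},
+};
+mockLogger.error.mockClear();
+const res = await hasTimestampFields(
+false,
+timestampField,
+'Endpoint Security',
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
+['logs-endpoint.alerts-*'],
+ruleStatusServiceMock,
+mockLogger,
+buildRuleMessage
+);
+expect(mockLogger.error).toHaveBeenCalledWith(
+'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
+);
+expect(res).toBeTruthy();
+});
+
+test('returns true when missing logs-endpoint.alerts-* index and rule name is NOT Endpoint Security', async () => {
+const timestampField = '@timestamp';
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
+body: {
+indices: [],
+fields: {},
+},
+};
+mockLogger.error.mockClear();
+const res = await hasTimestampFields(
+false,
+timestampField,
+'NOT Endpoint Security',
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
+['logs-endpoint.alerts-*'],
+ruleStatusServiceMock,
+mockLogger,
+buildRuleMessage
+);
+expect(mockLogger.error).toHaveBeenCalledWith(
+'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
+);
+expect(res).toBeTruthy();
+});
 });
 
 describe('wrapBuildingBlocks', () => {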
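Review bot: The two new tests assert only the logger output; the text written through `ruleStatusService.warning`, which is the status a user sees on the rule, is never checked even though utils.ts trims and passes it as a separate call. Adding `expect(ruleStatusServiceMock.warning).toHaveBeenCalledWith(/* the same message without the trailing name/id/rule id/signals index suffix */)` to each new test would pin both outputs; this assumes `ruleStatusServiceMock.warning` is a jest mock function, which the hunk does not show. The logged string in the two tests differs only by the Fleet sentence, and the `name: ... signals index: ...` tail presumably comes from buildRuleMessage, so a shared constant for the common body text would keep the assertions from drifting apart.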

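--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
@@ -105,6 +105,7 @@ export const hasReadIndexPrivileges = async (
 export const hasTimestampFields = async (
 wroteStatus: boolean,
 timestampField: string,
+ruleName: string,
 // any is derived from here
 // node_modules/@elastic/elasticsearch/api/kibana.d.ts
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -115,11 +116,15 @@ export const hasTimestampFields = async (
 buildRuleMessage: BuildRuleMessage
 ): Promise<boolean> => {
 if (!wroteStatus && isEmpty(timestampFieldCapsResponse.body.indices)) {
-const errorString = `The following index patterns did not match any indices: ${JSON.stringify(
+const errorString = `This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ${JSON.stringify(
 inputIndices
-)}`;
-logger.error(buildRuleMessage(errorString));
-await ruleStatusService.warning(errorString);
+)} was found. This warning will continue to appear until a matching index is created or this rule is de-activated. ${
+ruleName === 'Endpoint Security'
+? 'If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.'
+: ''
+}`;
+logger.error(buildRuleMessage(errorString.trimEnd()));
+await ruleStatusService.warning(errorString.trimEnd());
 return true;
 } else if (
 !wroteStatus &&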
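Review bot: The Fleet hint is keyed on `ruleName === 'Endpoint Security'`, and the caller in signal_rule_alert_type.ts passes the rule's `name`, a user-editable display name; a renamed prebuilt rule silently loses the hint and any custom rule given that name gains it, so a stable identifier (the prebuilt rule's rule_id or its immutable flag, if available to the caller) would be a more reliable key. At minimum the comparison should carry a comment recording the assumption, e.g. `// Matched by display name; only the prebuilt Endpoint Security rule is expected to carry this name`. `errorString.trimEnd()` is computed twice on the two following lines because the empty branch of the template leaves a trailing space; compute it once with `const warning = errorString.trimEnd();` and pass `warning` to both `buildRuleMessage` and `ruleStatusService.warning`. The body of hasTimestampFields continues past the end of the hunk.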
