
Commit b7151f9

[Security Solution] [Detections] Log message enhancements (#78429)
* adds the missing buildRuleMessage wrapper to debug logs so that the rule id, name, etc. are displayed in log lines * adds the buildRuleMessage fn to params Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts # x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts # x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.test.ts
1 parent 7e12fc7 commit b7151f9

9 files changed

Lines changed: 55 additions & 8 deletions

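--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_ml_signals.ts
@@ -14,6 +14,7 @@ import { RuleAlertAction } from '../../../../common/detection_engine/types';
 import { RuleTypeParams, RefreshTypes } from '../types';
 import { singleBulkCreate, SingleBulkCreateResponse } from './single_bulk_create';
 import { AnomalyResults, Anomaly } from '../../machine_learning';
+import { BuildRuleMessage } from './rule_messages';
 
 interface BulkCreateMlSignalsParams {
   actions: RuleAlertAction[];
@@ -33,6 +34,7 @@ interface BulkCreateMlSignalsParams {
   refresh: RefreshTypes;
   tags: string[];
   throttle: string;
+  buildRuleMessage: BuildRuleMessage;
 }
 
 interface EcsAnomaly extends Anomaly {
@@ -85,6 +87,6 @@ export const bulkCreateMlSignals = async (
 ): Promise<SingleBulkCreateResponse> => {
   const anomalyResults = params.someResult;
   const ecsResults = transformAnomalyResultsToEcs(anomalyResults);
-
-  return singleBulkCreate({ ...params, filteredEvents: ecsResults });
+  const buildRuleMessage = params.buildRuleMessage;
+  return singleBulkCreate({ ...params, filteredEvents: ecsResults, buildRuleMessage });
 };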
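Review bot: The two lines added at the end of the last hunk are redundant: `...params` already spreads `buildRuleMessage` into the `singleBulkCreate` call now that it is a required member of `BulkCreateMlSignalsParams`, so copying it into a local and listing it again after `filteredEvents` changes nothing at runtime. The removed one-liner `return singleBulkCreate({ ...params, filteredEvents: ecsResults });` type-checks against the new `SingleBulkCreateParams` as soon as the interface field exists, and keeps the body to the one transform it performs. If the goal is to make the dependency visible to readers, a comment on the new interface field does that better, e.g. `// prefixes every log line with the rule's id/name; supplied by the rule executor`. The signature of `bulkCreateMlSignals` starts above this hunk.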

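--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts
@@ -15,6 +15,7 @@ import { RuleAlertAction } from '../../../../common/detection_engine/types';
 import { RuleTypeParams, RefreshTypes } from '../types';
 import { singleBulkCreate, SingleBulkCreateResponse } from './single_bulk_create';
 import { SignalSearchResponse } from './types';
+import { BuildRuleMessage } from './rule_messages';
 
 // used to generate constant Threshold Signals ID when run with the same params
 const NAMESPACE_ID = '0684ec03-7201-4ee0-8ee0-3a3f6b2479b2';
@@ -40,6 +41,7 @@ interface BulkCreateThresholdSignalsParams {
   tags: string[];
   throttle: string;
   startedAt: Date;
+  buildRuleMessage: BuildRuleMessage;
 }
 
 interface FilterObject {
@@ -194,6 +196,7 @@ export const bulkCreateThresholdSignals = async (
     params.ruleParams.threshold!,
     params.ruleParams.ruleId
   );
+  const buildRuleMessage = params.buildRuleMessage;
 
-  return singleBulkCreate({ ...params, filteredEvents: ecsResults });
+  return singleBulkCreate({ ...params, filteredEvents: ecsResults, buildRuleMessage });
 };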
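Review bot: `const buildRuleMessage = params.buildRuleMessage;` before the return is dead weight: the `...params` spread in the `singleBulkCreate` call already carries `buildRuleMessage`, so naming it again after `filteredEvents` only restates what the spread provides. Leaving the original `return singleBulkCreate({ ...params, filteredEvents: ecsResults });` in place would reduce this file's change to the interface field alone, which is easier to audit when someone later asks where the rule context enters the threshold path. The function signature and the lines that compute `ecsResults` are above this hunk, so I cannot see whether `params` is narrowed anywhere that would make the explicit copy necessary; the copy is unnecessary as far as the visible code goes.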

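--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_threshold_signals.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_threshold_signals.ts
@@ -12,6 +12,7 @@ import { singleSearchAfter } from './single_search_after';
 import { AlertServices } from '../../../../../alerts/server';
 import { Logger } from '../../../../../../../src/core/server';
 import { SignalSearchResponse } from './types';
+import { BuildRuleMessage } from './rule_messages';
 
 interface FindThresholdSignalsParams {
   from: string;
@@ -21,6 +22,7 @@ interface FindThresholdSignalsParams {
   logger: Logger;
   filter: unknown;
   threshold: Threshold;
+  buildRuleMessage: BuildRuleMessage;
 }
 
 export const findThresholdSignals = async ({
@@ -31,6 +33,7 @@ export const findThresholdSignals = async ({
   logger,
   filter,
   threshold,
+  buildRuleMessage,
 }: FindThresholdSignalsParams): Promise<{
   searchResult: SignalSearchResponse;
   searchDuration: string;
@@ -58,5 +61,6 @@ export const findThresholdSignals = async ({
     logger,
     filter,
     pageSize: 0,
+    buildRuleMessage,
   });
 };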

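--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
@@ -126,6 +126,7 @@ export const searchAfterAndBulkCreate = async ({
           searchDuration,
         }: { searchResult: SignalSearchResponse; searchDuration: string } = await singleSearchAfter(
           {
+            buildRuleMessage,
             searchAfterSortId: sortId,
             index: inputIndexPattern,
             from: tuple.from.toISOString(),
@@ -205,6 +206,7 @@ export const searchAfterAndBulkCreate = async ({
           bulkCreateDuration: bulkDuration,
           createdItemsCount: createdCount,
         } = await singleBulkCreate({
+          buildRuleMessage,
           filteredEvents,
           ruleParams,
           services,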

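--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -240,6 +240,7 @@ export const signalRulesAlertType = ({
             enabled,
             refresh,
             tags,
+            buildRuleMessage,
           });
           result.success = success;
           result.createdSignalsCount = createdItemsCount;
@@ -267,6 +268,7 @@ export const signalRulesAlertType = ({
             logger,
             filter: esFilter,
             threshold,
+            buildRuleMessage,
           });
 
           const {
@@ -294,6 +296,7 @@ export const signalRulesAlertType = ({
             enabled,
             refresh,
             tags,
+            buildRuleMessage,
           });
           result.success = success;
           result.createdSignalsCount = createdItemsCount;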

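--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.test.ts
@@ -19,7 +19,14 @@ import {
 import { DEFAULT_SIGNALS_INDEX } from '../../../../common/constants';
 import { singleBulkCreate, filterDuplicateRules } from './single_bulk_create';
 import { alertsMock, AlertServicesMock } from '../../../../../alerts/server/mocks';
+import { buildRuleMessageFactory } from './rule_messages';
 
+const buildRuleMessage = buildRuleMessageFactory({
+  id: 'fake id',
+  ruleId: 'fake rule id',
+  index: 'fakeindex',
+  name: 'fake name',
+});
 describe('singleBulkCreate', () => {
   const mockService: AlertServicesMock = alertsMock.createAlertServices();
 
@@ -158,6 +165,7 @@ describe('singleBulkCreate', () => {
       refresh: false,
       tags: ['some fake tag 1', 'some fake tag 2'],
       throttle: 'no_actions',
+      buildRuleMessage,
     });
     expect(success).toEqual(true);
     expect(createdItemsCount).toEqual(0);
@@ -192,6 +200,7 @@ describe('singleBulkCreate', () => {
       refresh: false,
       tags: ['some fake tag 1', 'some fake tag 2'],
       throttle: 'no_actions',
+      buildRuleMessage,
     });
     expect(success).toEqual(true);
     expect(createdItemsCount).toEqual(0);
@@ -218,6 +227,7 @@ describe('singleBulkCreate', () => {
       refresh: false,
       tags: ['some fake tag 1', 'some fake tag 2'],
       throttle: 'no_actions',
+      buildRuleMessage,
     });
     expect(success).toEqual(true);
     expect(createdItemsCount).toEqual(0);
@@ -245,6 +255,7 @@ describe('singleBulkCreate', () => {
       refresh: false,
       tags: ['some fake tag 1', 'some fake tag 2'],
       throttle: 'no_actions',
+      buildRuleMessage,
     });
 
     expect(mockLogger.error).not.toHaveBeenCalled();
@@ -274,6 +285,7 @@ describe('singleBulkCreate', () => {
       refresh: false,
       tags: ['some fake tag 1', 'some fake tag 2'],
       throttle: 'no_actions',
+      buildRuleMessage,
     });
 
     expect(mockLogger.error).toHaveBeenCalled();
@@ -369,6 +381,7 @@ describe('singleBulkCreate', () => {
       refresh: false,
       tags: ['some fake tag 1', 'some fake tag 2'],
       throttle: 'no_actions',
+      buildRuleMessage,
     });
     expect(success).toEqual(true);
     expect(createdItemsCount).toEqual(1);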

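--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts
@@ -12,6 +12,7 @@ import { RuleAlertAction } from '../../../../common/detection_engine/types';
 import { RuleTypeParams, RefreshTypes } from '../types';
 import { generateId, makeFloatString, errorAggregator } from './utils';
 import { buildBulkBody } from './build_bulk_body';
+import { BuildRuleMessage } from './rule_messages';
 import { Logger } from '../../../../../../../src/core/server';
 
 interface SingleBulkCreateParams {
@@ -32,6 +33,7 @@ interface SingleBulkCreateParams {
   tags: string[];
   throttle: string;
   refresh: RefreshTypes;
+  buildRuleMessage: BuildRuleMessage;
 }
 
 /**
@@ -64,6 +66,7 @@ export interface SingleBulkCreateResponse {
 
 // Bulk Index documents.
 export const singleBulkCreate = async ({
+  buildRuleMessage,
   filteredEvents,
   ruleParams,
   services,
@@ -83,9 +86,9 @@ export const singleBulkCreate = async ({
   throttle,
 }: SingleBulkCreateParams): Promise<SingleBulkCreateResponse> => {
   filteredEvents.hits.hits = filterDuplicateRules(id, filteredEvents);
-  logger.debug(`about to bulk create ${filteredEvents.hits.hits.length} events`);
+  logger.debug(buildRuleMessage(`about to bulk create ${filteredEvents.hits.hits.length} events`));
   if (filteredEvents.hits.hits.length === 0) {
-    logger.debug(`all events were duplicates`);
+    logger.debug(buildRuleMessage(`all events were duplicates`));
     return { success: true, createdItemsCount: 0 };
   }
   // index documents after creating an ID based on the
@@ -132,8 +135,12 @@ export const singleBulkCreate = async ({
     body: bulkBody,
   });
   const end = performance.now();
-  logger.debug(`individual bulk process time took: ${makeFloatString(end - start)} milliseconds`);
-  logger.debug(`took property says bulk took: ${response.took} milliseconds`);
+  logger.debug(
+    buildRuleMessage(
+      `individual bulk process time took: ${makeFloatString(end - start)} milliseconds`
+    )
+  );
+  logger.debug(buildRuleMessage(`took property says bulk took: ${response.took} milliseconds`));
 
   if (response.errors) {
     const duplicateSignalsCount = countBy(response.items, 'create.status')['409'];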

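--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.test.ts
@@ -11,7 +11,14 @@ import {
 } from './__mocks__/es_results';
 import { singleSearchAfter } from './single_search_after';
 import { alertsMock, AlertServicesMock } from '../../../../../alerts/server/mocks';
+import { buildRuleMessageFactory } from './rule_messages';
 
+const buildRuleMessage = buildRuleMessageFactory({
+  id: 'fake id',
+  ruleId: 'fake rule id',
+  index: 'fakeindex',
+  name: 'fake name',
+});
 describe('singleSearchAfter', () => {
   const mockService: AlertServicesMock = alertsMock.createAlertServices();
 
@@ -32,6 +39,7 @@ describe('singleSearchAfter', () => {
       pageSize: 1,
       filter: undefined,
       timestampOverride: undefined,
+      buildRuleMessage,
     });
     expect(searchResult).toEqual(sampleDocSearchResultsNoSortId);
   });
@@ -48,6 +56,7 @@ describe('singleSearchAfter', () => {
       pageSize: 1,
       filter: undefined,
       timestampOverride: undefined,
+      buildRuleMessage,
     });
     expect(searchResult).toEqual(sampleDocSearchResultsWithSortId);
   });
@@ -67,6 +76,7 @@ describe('singleSearchAfter', () => {
       pageSize: 1,
       filter: undefined,
       timestampOverride: undefined,
+      buildRuleMessage,
       })
     ).rejects.toThrow('Fake Error');
   });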

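--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts
@@ -8,6 +8,7 @@ import { performance } from 'perf_hooks';
 import { AlertServices } from '../../../../../alerts/server';
 import { Logger } from '../../../../../../../src/core/server';
 import { SignalSearchResponse } from './types';
+import { BuildRuleMessage } from './rule_messages';
 import { buildEventsSearchQuery } from './build_events_query';
 import { makeFloatString } from './utils';
 import { TimestampOverrideOrUndefined } from '../../../../common/detection_engine/schemas/common/schemas';
@@ -23,6 +24,7 @@ interface SingleSearchAfterParams {
   pageSize: number;
   filter: unknown;
   timestampOverride: TimestampOverrideOrUndefined;
+  buildRuleMessage: BuildRuleMessage;
 }
 
 // utilize search_after for paging results into bulk.
@@ -37,6 +39,7 @@ export const singleSearchAfter = async ({
   logger,
   pageSize,
   timestampOverride,
+  buildRuleMessage,
 }: SingleSearchAfterParams): Promise<{
   searchResult: SignalSearchResponse;
   searchDuration: string;
@@ -61,7 +64,7 @@ export const singleSearchAfter = async ({
     const end = performance.now();
     return { searchResult: nextSearchAfterResult, searchDuration: makeFloatString(end - start) };
   } catch (exc) {
-    logger.error(`[-] nextSearchAfter threw an error ${exc}`);
+    logger.error(buildRuleMessage(`[-] nextSearchAfter threw an error ${exc}`));
     throw exc;
   }
 };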
