Exclude closed alerts from risk scoring

rylnd · rylnd · commit be1d8440e7ff · 2023-09-28T11:28:31.000-05:00
I don't believe that we have any tests that explicitly include closed
alerts; I'll look to add these in the near future.
diff --git a/x-pack/plugins/security_solution/server/lib/risk_engine/calculate_risk_scores.ts b/x-pack/plugins/security_solution/server/lib/risk_engine/calculate_risk_scores.ts
@@ -14,6 +14,7 @@ import type { ElasticsearchClient, Logger } from '@kbn/core/server';
 import {
   ALERT_RISK_SCORE,
   ALERT_RULE_NAME,
+  ALERT_WORKFLOW_STATUS,
   EVENT_KIND,
 } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
 import type {
@@ -213,7 +214,11 @@ export const calculateRiskScores = async ({
   withSecuritySpan('calculateRiskScores', async () => {
     const now = new Date().toISOString();
 
-    const filter = [{ exists: { field: ALERT_RISK_SCORE } }, filterFromRange(range)];
+    const filter = [
+      filterFromRange(range),
+      { bool: { must_not: { term: { [ALERT_WORKFLOW_STATUS]: 'closed' } } } },
+      { exists: { field: ALERT_RISK_SCORE } },
+    ];
     if (!isEmpty(userFilter)) {
       filter.push(userFilter as QueryDslQueryContainer);
     }
