Add mapping version check before executing EQL rules (#79553)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
parent
e4fc48cd5f
commit
0db0a16ead
|
@ -8,6 +8,7 @@ import signalsMapping from './signals_mapping.json';
|
||||||
import ecsMapping from './ecs_mapping.json';
|
import ecsMapping from './ecs_mapping.json';
|
||||||
|
|
||||||
export const getSignalsTemplate = (index: string) => {
|
export const getSignalsTemplate = (index: string) => {
|
||||||
|
const version = 2;
|
||||||
const template = {
|
const template = {
|
||||||
settings: {
|
settings: {
|
||||||
index: {
|
index: {
|
||||||
|
@ -29,8 +30,11 @@ export const getSignalsTemplate = (index: string) => {
|
||||||
...ecsMapping.mappings.properties,
|
...ecsMapping.mappings.properties,
|
||||||
signal: signalsMapping.mappings.properties.signal,
|
signal: signalsMapping.mappings.properties.signal,
|
||||||
},
|
},
|
||||||
|
_meta: {
|
||||||
|
version,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
version: 1,
|
version,
|
||||||
};
|
};
|
||||||
return template;
|
return template;
|
||||||
};
|
};
|
||||||
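Review bot: `const version = 2;` carries no comment saying what the number gates, yet the rule executor in this commit compares the installed template's `version` against its own literal `MIN_EQL_RULE_TEMPLATE_VERSION = 2`, so the two values live as independent constants in separate files and can drift the next time the mapping changes. Consider exporting it, `export const SIGNALS_TEMPLATE_VERSION = 2;`, and importing that where the minimum is checked, or at minimum annotate it with `// Bump whenever the signals mapping changes; rules that depend on newer fields refuse to run against an older template.` The same value is also written to `mappings._meta.version`, which nothing in this commit reads back (the executor reads the template-level `version`), so a one-line comment on the `_meta` block saying what it is for — presumably per-index inspection once the template has been applied — would help the next maintainer.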
|
|
|
@ -8,6 +8,7 @@
|
||||||
|
|
||||||
import { Logger, KibanaRequest } from 'src/core/server';
|
import { Logger, KibanaRequest } from 'src/core/server';
|
||||||
|
|
||||||
|
import { get } from 'lodash';
|
||||||
import {
|
import {
|
||||||
SIGNALS_ID,
|
SIGNALS_ID,
|
||||||
DEFAULT_SEARCH_AFTER_PAGE_SIZE,
|
DEFAULT_SEARCH_AFTER_PAGE_SIZE,
|
||||||
|
@ -116,6 +117,18 @@ export const signalRulesAlertType = ({
|
||||||
type,
|
type,
|
||||||
exceptionsList,
|
exceptionsList,
|
||||||
} = params;
|
} = params;
|
||||||
|
const outputIndexTemplateMapping: unknown = await services.callCluster(
|
||||||
|
'indices.getTemplate',
|
||||||
|
{ name: outputIndex }
|
||||||
|
);
|
||||||
|
const signalMappingVersion: number | undefined = get(outputIndexTemplateMapping, [
|
||||||
|
outputIndex,
|
||||||
|
'version',
|
||||||
|
]);
|
||||||
|
if (signalMappingVersion !== undefined && typeof signalMappingVersion !== 'number') {
|
||||||
|
throw new Error('Found non-numeric value for "version" in output index template');
|
||||||
|
}
|
||||||
|
|
||||||
const searchAfterSize = Math.min(maxSignals, DEFAULT_SEARCH_AFTER_PAGE_SIZE);
|
const searchAfterSize = Math.min(maxSignals, DEFAULT_SEARCH_AFTER_PAGE_SIZE);
|
||||||
let hasError: boolean = false;
|
let hasError: boolean = false;
|
||||||
let result = createSearchAfterReturnType();
|
let result = createSearchAfterReturnType();
|
||||||
|
@ -436,7 +449,16 @@ export const signalRulesAlertType = ({
|
||||||
});
|
});
|
||||||
} else if (isEqlRule(type)) {
|
} else if (isEqlRule(type)) {
|
||||||
if (query === undefined) {
|
if (query === undefined) {
|
||||||
throw new Error('eql query rule must have a query defined');
|
throw new Error('EQL query rule must have a query defined');
|
||||||
|
}
|
||||||
|
const MIN_EQL_RULE_TEMPLATE_VERSION = 2;
|
||||||
|
if (
|
||||||
|
signalMappingVersion === undefined ||
|
||||||
|
signalMappingVersion < MIN_EQL_RULE_TEMPLATE_VERSION
|
||||||
|
) {
|
||||||
|
throw new Error(
|
||||||
|
`EQL based rules require an update to version ${MIN_EQL_RULE_TEMPLATE_VERSION} of the detection alerts index mapping`
|
||||||
|
);
|
||||||
}
|
}
|
||||||
const inputIndex = await getInputIndex(services, version, index);
|
const inputIndex = await getInputIndex(services, version, index);
|
||||||
const request = buildEqlSearchRequest(
|
const request = buildEqlSearchRequest(
|
||||||
|
|
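Review bot: The `indices.getTemplate` call added right after `} = params;` runs on every execution of every rule type, but its result is only consumed in the `isEqlRule(type)` branch at the bottom of this section, so every non-EQL rule now pays an extra cluster round-trip and, if the call rejects (a missing template, presumably) or the template's `version` is non-numeric, the `Found non-numeric value` guard and the rejection abort query/threshold/ML rules that never needed the check. Guard the fetch by rule type, `const outputIndexTemplateMapping: unknown = isEqlRule(type)` / `? await services.callCluster('indices.getTemplate', { name: outputIndex })` / `: undefined;`, so `signalMappingVersion` is `undefined` for the other types and the existing EQL-branch check is the only place that fails. The `MIN_EQL_RULE_TEMPLATE_VERSION` literal also duplicates the template's own `version = 2` from the other file in this commit; importing a shared constant would keep them from drifting. `signalRulesAlertType` starts before and ends after the hunks shown here.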