[Security Solution] [Detections] Updates warning message when no indices match provided index patterns (#93094)

* updates warning messages and modifies warning message when endpoint security rule is missing index pattern * fix integration test text
2021-03-02 09:10:59 -05:00 · 2021-03-02 09:10:59 -05:00 · 1bdf0022ee
commit 1bdf0022ee
parent ca25e5162c
4 changed files with 67 additions and 5 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@ -215,6 +215,7 @@ export const signalRulesAlertType = ({
                  hasTimestampFields(
                    wroteStatus,
                    hasTimestampOverride ? (timestampOverride as string) : '@timestamp',
+                    name,
                    timestampFieldCaps,
                    inputIndices,
                    ruleStatusService,
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
@ -814,6 +814,7 @@ describe('utils', () => {
      const res = await hasTimestampFields(
        false,
        timestampField,
+        'myfakerulename',
        // eslint-disable-next-line @typescript-eslint/no-explicit-any
        timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
        ['myfa*'],
@ -854,6 +855,7 @@ describe('utils', () => {
      const res = await hasTimestampFields(
        false,
        timestampField,
+        'myfakerulename',
        // eslint-disable-next-line @typescript-eslint/no-explicit-any
        timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
        ['myfa*'],
@ -866,6 +868,60 @@ describe('utils', () => {
      );
      expect(res).toBeTruthy();
    });
+
+    test('returns true when missing logs-endpoint.alerts-* index and rule name is Endpoint Security', async () => {
+      const timestampField = '@timestamp';
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
+        body: {
+          indices: [],
+          fields: {},
+        },
+      };
+      mockLogger.error.mockClear();
+      const res = await hasTimestampFields(
+        false,
+        timestampField,
+        'Endpoint Security',
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
+        ['logs-endpoint.alerts-*'],
+        ruleStatusServiceMock,
+        mockLogger,
+        buildRuleMessage
+      );
+      expect(mockLogger.error).toHaveBeenCalledWith(
+        'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
+      );
+      expect(res).toBeTruthy();
+    });
+
+    test('returns true when missing logs-endpoint.alerts-* index and rule name is NOT Endpoint Security', async () => {
+      const timestampField = '@timestamp';
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
+        body: {
+          indices: [],
+          fields: {},
+        },
+      };
+      mockLogger.error.mockClear();
+      const res = await hasTimestampFields(
+        false,
+        timestampField,
+        'NOT Endpoint Security',
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
+        ['logs-endpoint.alerts-*'],
+        ruleStatusServiceMock,
+        mockLogger,
+        buildRuleMessage
+      );
+      expect(mockLogger.error).toHaveBeenCalledWith(
+        'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
+      );
+      expect(res).toBeTruthy();
+    });
  });

  describe('wrapBuildingBlocks', () => {
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
@ -105,6 +105,7 @@ export const hasReadIndexPrivileges = async (
 export const hasTimestampFields = async (
  wroteStatus: boolean,
  timestampField: string,
+  ruleName: string,
  // any is derived from here
  // node_modules/@elastic/elasticsearch/api/kibana.d.ts
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
@ -115,11 +116,15 @@ export const hasTimestampFields = async (
  buildRuleMessage: BuildRuleMessage
 ): Promise<boolean> => {
  if (!wroteStatus && isEmpty(timestampFieldCapsResponse.body.indices)) {
-    const errorString = `The following index patterns did not match any indices: ${JSON.stringify(
+    const errorString = `This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ${JSON.stringify(
      inputIndices
-    )}`;
-    logger.error(buildRuleMessage(errorString));
-    await ruleStatusService.warning(errorString);
+    )} was found. This warning will continue to appear until a matching index is created or this rule is de-activated. ${
+      ruleName === 'Endpoint Security'
+        ? 'If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.'
+        : ''
+    }`;
+    logger.error(buildRuleMessage(errorString.trimEnd()));
+    await ruleStatusService.warning(errorString.trimEnd());
    return true;
  } else if (
    !wroteStatus &&
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_rules.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_rules.ts
@ -138,7 +138,7 @@ export default ({ getService }: FtrProviderContext) => {

          expect(statusBody[body.id].current_status.status).to.eql('warning');
          expect(statusBody[body.id].current_status.last_success_message).to.eql(
-            'The following index patterns did not match any indices: ["does-not-exist-*"]'
+            'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["does-not-exist-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated.'
          );
        });