[Security Solution] [Detections] Updates warning message when no indices match provided index patterns (#93094)
* updates warning messages and modifies the warning message shown when the Endpoint Security rule is missing its index pattern * fixes integration test text
This commit is contained in:
parent
ca25e5162c
commit
1bdf0022ee
4 changed files with 67 additions and 5 deletions
|
@ -215,6 +215,7 @@ export const signalRulesAlertType = ({
|
|||
hasTimestampFields(
|
||||
wroteStatus,
|
||||
hasTimestampOverride ? (timestampOverride as string) : '@timestamp',
|
||||
name,
|
||||
timestampFieldCaps,
|
||||
inputIndices,
|
||||
ruleStatusService,
|
||||
|
|
|
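Review bot: `name` is inserted as the third of nine positional arguments, immediately after the other string argument (the resolved timestamp field), so accidentally swapping the two compiles cleanly and only shows up at runtime as a wrong warning message. Since the parameter list is growing again in this commit, an options object (`{ wroteStatus, timestampField, ruleName, timestampFieldCaps, inputIndices, ruleStatusService, logger, buildRuleMessage }`) for `hasTimestampFields` would make the call site self-describing; this is a style point, not a defect. The enclosing `signalRulesAlertType` executor starts and ends outside the hunk.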
@ -814,6 +814,7 @@ describe('utils', () => {
|
|||
const res = await hasTimestampFields(
|
||||
false,
|
||||
timestampField,
|
||||
'myfakerulename',
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
|
||||
['myfa*'],
|
||||
|
@ -854,6 +855,7 @@ describe('utils', () => {
|
|||
const res = await hasTimestampFields(
|
||||
false,
|
||||
timestampField,
|
||||
'myfakerulename',
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
|
||||
['myfa*'],
|
||||
|
@ -866,6 +868,60 @@ describe('utils', () => {
|
|||
);
|
||||
expect(res).toBeTruthy();
|
||||
});
|
||||
|
||||
test('returns true when missing logs-endpoint.alerts-* index and rule name is Endpoint Security', async () => {
|
||||
const timestampField = '@timestamp';
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
|
||||
body: {
|
||||
indices: [],
|
||||
fields: {},
|
||||
},
|
||||
};
|
||||
mockLogger.error.mockClear();
|
||||
const res = await hasTimestampFields(
|
||||
false,
|
||||
timestampField,
|
||||
'Endpoint Security',
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
|
||||
['logs-endpoint.alerts-*'],
|
||||
ruleStatusServiceMock,
|
||||
mockLogger,
|
||||
buildRuleMessage
|
||||
);
|
||||
expect(mockLogger.error).toHaveBeenCalledWith(
|
||||
'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
|
||||
);
|
||||
expect(res).toBeTruthy();
|
||||
});
|
||||
|
||||
test('returns true when missing logs-endpoint.alerts-* index and rule name is NOT Endpoint Security', async () => {
|
||||
const timestampField = '@timestamp';
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
const timestampFieldCapsResponse: Partial<ApiResponse<Record<string, any>, Context>> = {
|
||||
body: {
|
||||
indices: [],
|
||||
fields: {},
|
||||
},
|
||||
};
|
||||
mockLogger.error.mockClear();
|
||||
const res = await hasTimestampFields(
|
||||
false,
|
||||
timestampField,
|
||||
'NOT Endpoint Security',
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
|
||||
['logs-endpoint.alerts-*'],
|
||||
ruleStatusServiceMock,
|
||||
mockLogger,
|
||||
buildRuleMessage
|
||||
);
|
||||
expect(mockLogger.error).toHaveBeenCalledWith(
|
||||
'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. name: "fake name" id: "fake id" rule id: "fake rule id" signals index: "fakeindex"'
|
||||
);
|
||||
expect(res).toBeTruthy();
|
||||
});
|
||||
});
|
||||
|
||||
describe('wrapBuildingBlocks', () => {
|
||||
|
|
|
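Review bot: The two new tests assert only what reached `mockLogger.error`, not what was written through `ruleStatusServiceMock.warning`, even though the status message is what the integration test on this page reads back as `last_success_message`; add for the second test `expect(ruleStatusServiceMock.warning).toHaveBeenCalledWith('This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated.');` and the corresponding string with the Fleet sentence for the first, which also pins that the status text has no trailing space. The two tests differ only in the rule name and the expected message, so a `test.each([...])` table would keep them from drifting apart. The test titles say "returns true" but the behaviour under test is the message content; naming them after the hint being present or absent would read better.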
@ -105,6 +105,7 @@ export const hasReadIndexPrivileges = async (
|
|||
export const hasTimestampFields = async (
|
||||
wroteStatus: boolean,
|
||||
timestampField: string,
|
||||
ruleName: string,
|
||||
// any is derived from here
|
||||
// node_modules/@elastic/elasticsearch/api/kibana.d.ts
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
|
@ -115,11 +116,15 @@ export const hasTimestampFields = async (
|
|||
buildRuleMessage: BuildRuleMessage
|
||||
): Promise<boolean> => {
|
||||
if (!wroteStatus && isEmpty(timestampFieldCapsResponse.body.indices)) {
|
||||
const errorString = `The following index patterns did not match any indices: ${JSON.stringify(
|
||||
const errorString = `This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ${JSON.stringify(
|
||||
inputIndices
|
||||
)}`;
|
||||
logger.error(buildRuleMessage(errorString));
|
||||
await ruleStatusService.warning(errorString);
|
||||
)} was found. This warning will continue to appear until a matching index is created or this rule is de-activated. ${
|
||||
ruleName === 'Endpoint Security'
|
||||
? 'If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.'
|
||||
: ''
|
||||
}`;
|
||||
logger.error(buildRuleMessage(errorString.trimEnd()));
|
||||
await ruleStatusService.warning(errorString.trimEnd());
|
||||
return true;
|
||||
} else if (
|
||||
!wroteStatus &&
|
||||
|
|
|
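Review bot: The Fleet hint is keyed on the rule's display name (`ruleName === 'Endpoint Security'` in the template literal), which is user-editable, so renaming the prebuilt rule silently drops the hint and any custom rule given that name picks it up; a stabler discriminator (the prebuilt rule's id, or whether `inputIndices` contains the endpoint alerts pattern the tests use) seems preferable, though which is available here is not visible in the hunk. The `.trimEnd()` on both the `logger.error` and `ruleStatusService.warning` lines exists only because the empty branch of the ternary leaves a trailing space after "de-activated."; moving the leading space into the hint itself removes the need to trim twice and the risk of the two outputs diverging. The rest of the function (the remaining `else if` branches) continues outside the hunk.
```typescript
  if (!wroteStatus && isEmpty(timestampFieldCapsResponse.body.indices)) {
    // Leading space lives in the hint so the message needs no trimming when the hint is absent.
    const fleetHint =
      ruleName === 'Endpoint Security'
        ? ' If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.'
        : '';
    const errorString = `This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ${JSON.stringify(
      inputIndices
    )} was found. This warning will continue to appear until a matching index is created or this rule is de-activated.${fleetHint}`;
    logger.error(buildRuleMessage(errorString));
    await ruleStatusService.warning(errorString);
    return true;
    // … unchanged: remaining else-if branches …
```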
@ -138,7 +138,7 @@ export default ({ getService }: FtrProviderContext) => {
|
|||
|
||||
expect(statusBody[body.id].current_status.status).to.eql('warning');
|
||||
expect(statusBody[body.id].current_status.last_success_message).to.eql(
|
||||
'The following index patterns did not match any indices: ["does-not-exist-*"]'
|
||||
'This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["does-not-exist-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated.'
|
||||
);
|
||||
});
|
||||
|
||||
|
|