From 6a33a78f31ca4ef3a39cf573f4f74a739b7cbdfb Mon Sep 17 00:00:00 2001
From: Yara Tercero
Date: Thu, 2 Jul 2020 17:04:48 -0400
Subject: [PATCH] fix 400 error on initial signals search (#70618)

### Summary
On initial render of the SIEM pages, a 400 error was showing for POST http://localhost:5601/api/detection_engine/signals/search. This PR is a temporary fix for this bug. This initial call is being used to populate the Last alert text that shows at the top of a number of the pages. The reason the size was 0 is because we weren't interested in the signals themselves, just the timestamp of the last alert. Teamed up with @XavierM and it seems to us that the issue is the server side validation. It may be Hapi misreading the 0 as false or our updated validation not accepting size 0.
---
 .../public/alerts/components/alerts_info/query.dsl.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/public/alerts/components/alerts_info/query.dsl.ts b/x-pack/plugins/security_solution/public/alerts/components/alerts_info/query.dsl.ts
index a3972fd35bf2..4b57c7dc20d9 100644
--- a/x-pack/plugins/security_solution/public/alerts/components/alerts_info/query.dsl.ts
+++ b/x-pack/plugins/security_solution/public/alerts/components/alerts_info/query.dsl.ts
@@ -10,6 +10,7 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
 bool: { should: [{ match: { 'signal.status': 'open' } }], minimum_should_match: 1 },
 },
 ];
+
 return {
 aggs: {
 lastSeen: { max: { field: '@timestamp' } },
@@ -30,7 +31,7 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
 : queryFilter,
 },
 },
-size: 0,
+size: 1,
 track_total_hits: true,
 };
 };
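Review bot: The `size: 1` workaround in the second hunk has no comment, so the next reader has no way to tell it is deliberate and may restore `size: 0`, bringing the 400 back. I would add `// TODO: restore size: 0 once the signals search route validation accepts it; only the lastSeen aggregation is read` directly above that line. The description places the real defect in server-side validation, so any other caller of this route that sends `size: 0` presumably still fails; that fix, with a test for the zero case, belongs on the server. The request now also returns one full signal document to the browser that this caller does not appear to use. If the route's schema allows restricting `_source`, doing so would keep the response to what the "Last alert" text needs. `buildLastAlertsQuery` starts above the first hunk, so the filter construction was not reviewed.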