[Security Solution][Threshold Rules] Fixes for 7.11 (#88120)
* Use OR for threshold timeline query (not AND) * Speed up aggregatable fields filter with mutation
This commit is contained in:
Madison Caldwell
GitHub
parent
a98052bc72
commit
af02f3d83f
|
|
@ -272,6 +272,7 @@ export const sendAlertToTimelineAction = async ({
|
|||
notes: null,
|
||||
timeline: {
|
||||
...timelineDefaults,
|
||||
kqlMode: 'search',
|
||||
filters: getFiltersFromRule(ecsData.signal?.rule?.filters as string[]),
|
||||
dataProviders: [
|
||||
{
|
||||
|
|
|
|||
|
|
@ -173,15 +173,14 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
|
|||
return {
|
||||
...groupAcc,
|
||||
[groupName]: {
|
||||
fields: Object.entries(groupValue.fields ?? {}).reduce<Partial<BrowserField>>(
|
||||
(fieldAcc, [fieldName, fieldValue]) => {
|
||||
if (fieldValue.aggregatable === true) {
|
||||
return { ...fieldAcc, [fieldName]: fieldValue };
|
||||
}
|
||||
return fieldAcc;
|
||||
},
|
||||
{}
|
||||
),
|
||||
fields: Object.entries(groupValue.fields ?? {}).reduce<
|
||||
Record<string, Partial<BrowserField>>
|
||||
>((fieldAcc, [fieldName, fieldValue]) => {
|
||||
if (fieldValue.aggregatable === true) {
|
||||
fieldAcc[fieldName] = fieldValue;
|
||||
}
|
||||
return fieldAcc;
|
||||
}, {}),
|
||||
} as Partial<BrowserField>,
|
||||
};
|
||||
},
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ export interface TimelineModel {
|
|||
deletedEventIds: string[];
|
||||
/** A summary of the events and notes in this timeline */
|
||||
description: string;
|
||||
/** Typoe of event you want to see in this timeline */
|
||||
/** Type of event you want to see in this timeline */
|
||||
eventType?: TimelineEventsType;
|
||||
/** A map of events in this timeline to the chronologically ordered notes (in this timeline) associated with the event */
|
||||
eventIdToNoteIds: Record<string, string[]>;
|
||||
|
|
|
|||
Loading…
Reference in a new issue