[Detections] Add validation for Threshold value field (#72611) (#72776)

spong · patrykkopycinski · web-flow · commit 1ba3dbcfcf1c · 2020-07-21T22:44:52.000-06:00
Co-authored-by: Patryk Kopyciński &lt;patryk.kopycinski@elastic.co&gt;
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
@@ -202,6 +202,20 @@ export const schema: FormSchema = {
           defaultMessage: 'Threshold',
         }
       ),
+      validations: [
+        {
+          validator: fieldValidators.numberGreaterThanField({
+            than: 1,
+            message: i18n.translate(
+              'xpack.securitySolution.detectionEngine.validations.thresholdValueFieldData.numberGreaterThanOrEqualOneErrorMessage',
+              {
+                defaultMessage: 'Value must be greater than or equal one.',
+              }
+            ),
+            allowEquality: true,
+          }),
+        },
+      ],
     },
   },
 };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts
@@ -193,4 +193,39 @@ describe('getThresholdSignalQueryFields', () => {
       'event.dataset': 'traefik.access',
     });
   });
+
+  it('should return proper object for exists filters', () => {
+    const filters = {
+      bool: {
+        should: [
+          {
+            bool: {
+              should: [
+                {
+                  exists: {
+                    field: 'process.name',
+                  },
+                },
+              ],
+              minimum_should_match: 1,
+            },
+          },
+          {
+            bool: {
+              should: [
+                {
+                  exists: {
+                    field: 'event.type',
+                  },
+                },
+              ],
+              minimum_should_match: 1,
+            },
+          },
+        ],
+        minimum_should_match: 1,
+      },
+    };
+    expect(getThresholdSignalQueryFields(filters)).toEqual({});
+  });
 });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts
@@ -83,7 +83,7 @@ export const getThresholdSignalQueryFields = (filter: unknown) => {
         return { ...acc, ...item.match_phrase };
       }
 
-      if (item.bool.should && (item.bool.should[0].match || item.bool.should[0].match_phrase)) {
+      if (item.bool?.should && (item.bool.should[0].match || item.bool.should[0].match_phrase)) {
         return { ...acc, ...(item.bool.should[0].match || item.bool.should[0].match_phrase) };
       }
 

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ export const getThresholdSignalQueryFields = (filter: unknown) => {`
`83`	`83`	`return { ...acc, ...item.match_phrase };`
`84`	`84`	`}`
`85`	`85`
`86`		`- if (item.bool.should && (item.bool.should[0].match \|\| item.bool.should[0].match_phrase)) {`
	`86`	`+ if (item.bool?.should && (item.bool.should[0].match \|\| item.bool.should[0].match_phrase)) {`
`87`	`87`	`return { ...acc, ...(item.bool.should[0].match \|\| item.bool.should[0].match_phrase) };`
`88`	`88`	`}`
`89`	`89`