From 86db5ee351fd04c51d9c725758960d0a7525f0e7 Mon Sep 17 00:00:00 2001
From: Marshall Main <55718608+marshallmain@users.noreply.github.com>
Date: Mon, 22 Jan 2024 13:22:07 -0800
Subject: [PATCH] [Security Solution] Use current user instead of internal user when querying for threshold rule history (#174723)
## Summary
Follow up to https://github.com/elastic/kibana/pull/174216
(cherry picked from commit f87a34838659fed1bd22f21f9de0bc1162ae917b)
---
 .../create_security_rule_type_wrapper.ts | 2 +-
 .../threshold/create_threshold_alert_type.ts | 4 ++--
 .../threshold/get_threshold_signal_history.ts | 17 +++++++++++++----
 .../rule_types/threshold/threshold.test.ts | 4 ++--
 .../rule_types/threshold/threshold.ts | 10 ++++++----
 .../lib/detection_engine/rule_types/types.ts | 3 +--
 6 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
index 371f9601a8465..b36d22e505d27 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
@@ -412,7 +412,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
 wrapHits,
 wrapSequences,
 listClient,
- ruleDataReader: ruleDataClient.getReader({ namespace: options.spaceId }),
+ ruleDataClient,
 mergeStrategy,
 primaryTimestamp,
 secondaryTimestamp,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts
index 40eec8e10a808..459f3da501e2d 100644
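Review bot: The executor is handed the full `ruleDataClient` here where it previously received a reader bound to `options.spaceId`, yet the only member the new history lookup uses is `indexNameWithNamespace`; the same widening appears in `RunOpts` in types.ts, the `thresholdExecutor` parameter type in threshold.ts and `GetThresholdSignalHistoryParams` in get_threshold_signal_history.ts. Declaring those fields as `ruleDataClient: Pick<IRuleDataClient, 'indexNameWithNamespace'>;` would keep the executor from holding a handle that, as far as I recall the rule-registry interface, also hands out readers and writers, and would record the intended use at the type level. The body of `createSecurityRuleTypeWrapper` continues outside the hunk.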
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts
@@ -62,7 +62,7 @@ export const createThresholdAlertType = (
 completeRule,
 tuple,
 wrapHits,
- ruleDataReader,
+ ruleDataClient,
 inputIndex,
 runtimeMappings,
 primaryTimestamp,
@@ -88,7 +88,7 @@ export const createThresholdAlertType = (
 state,
 bulkCreate,
 wrapHits,
- ruleDataReader,
+ ruleDataClient,
 inputIndex,
 runtimeMappings,
 primaryTimestamp,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/get_threshold_signal_history.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/get_threshold_signal_history.ts
index 157300796a8ee..018d63c345e3a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/get_threshold_signal_history.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/get_threshold_signal_history.ts
@@ -6,8 +6,9 @@
 */
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import type { IRuleDataReader } from '@kbn/rule-registry-plugin/server';
+import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import { ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+import type { ElasticsearchClient } from '@kbn/core/server';
 import type { ThresholdSignalHistory } from './types';
 import { buildThresholdSignalHistory } from './build_signal_history';
 import { createErrorsFromShard } from '../utils/utils';
@@ -17,7 +18,9 @@ interface GetThresholdSignalHistoryParams {
 to: string;
 frameworkRuleId: string;
 bucketByFields: string[];
- ruleDataReader: IRuleDataReader;
+ spaceId: string;
+ ruleDataClient: IRuleDataClient;
+ esClient: ElasticsearchClient;
 }
 export const getThresholdSignalHistory = async ({
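Review bot: The new `esClient` and `spaceId` fields on `GetThresholdSignalHistoryParams` say nothing about which client the caller must pass, even though the point of this change is that the history search runs as the current user rather than the internal one. A short comment on each would stop a later caller from passing an internal-user client: `/** Client scoped to the rule's user; the history search runs under that user's privileges rather than the internal user's. */` above `esClient`, and `/** Space whose alert index is searched, resolved through ruleDataClient.indexNameWithNamespace. */` above `spaceId`. The two hunks in create_threshold_alert_type.ts above only pass the renamed field through and need nothing.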
@@ -25,7 +28,9 @@ export const getThresholdSignalHistory = async ({
 to,
 frameworkRuleId,
 bucketByFields,
- ruleDataReader,
+ spaceId,
+ ruleDataClient,
+ esClient,
 }: GetThresholdSignalHistoryParams): Promise<{
 signalHistory: ThresholdSignalHistory;
 searchErrors: string[];
@@ -37,7 +42,11 @@ export const getThresholdSignalHistory = async ({
 bucketByFields,
 });
- const response = await ruleDataReader.search(request);
+ const indexPattern = ruleDataClient?.indexNameWithNamespace(spaceId);
+ const response = await esClient.search({
+ ...request,
+ index: indexPattern,
+ });
 return {
 signalHistory: buildThresholdSignalHistory({ alerts: response.hits.hits }),
 searchErrors: createErrorsFromShard({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts
index 4cd366722a279..342776d0fcc1a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts
@@ -99,7 +99,7 @@ describe('threshold_executor', () => {
 createdItems: [],
 })),
 wrapHits: jest.fn(),
- ruleDataReader: ruleDataClientMock.getReader({ namespace: 'default' }),
+ ruleDataClient: ruleDataClientMock,
 runtimeMappings: {},
 inputIndex: ['auditbeat-*'],
 primaryTimestamp: TIMESTAMP,
@@ -164,7 +164,7 @@ describe('threshold_executor', () => {
 createdItems: [],
 })),
 wrapHits: jest.fn(),
- ruleDataReader: ruleDataClientMock.getReader({ namespace: 'default' }),
+ ruleDataClient: ruleDataClientMock,
 runtimeMappings: {},
 inputIndex: ['auditbeat-*'],
 primaryTimestamp: TIMESTAMP,
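Review bot: `ruleDataClient?.indexNameWithNamespace(spaceId)` uses optional chaining on a field that the earlier hunk declares as a required `IRuleDataClient`, so the `?.` is either dead or masking a real bug: if the client were ever nullish, `indexPattern` would be `undefined` and `esClient.search({ ...request, index: undefined })` would, as I understand the client, issue an unscoped `_search` across every index the user can read instead of failing, which is the wrong failure mode for a lookup meant to stay inside one space's alert index. Drop the `?.` so a missing client fails loudly: `const indexPattern = ruleDataClient.indexNameWithNamespace(spaceId);`. Putting `index` after `...request` means it wins over any `index` the request builder may set, which looks intended. `getThresholdSignalHistory` continues outside the hunk.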
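Review bot: Neither of the two test hunks in threshold.test.ts (this one and `@@ -164,7`) asserts that the history lookup now goes through `services.scopedClusterClient.asCurrentUser` against the namespaced index; swapping the mock alone would also pass if the executor still searched through the rule data client. An assertion such as `expect(searchMock).toHaveBeenCalledWith(expect.objectContaining({ index: ruleDataClientMock.indexNameWithNamespace('default') }))`, with `searchMock` standing for however the scoped client's `search` is mocked in this file, would pin what the commit title promises. The rest of each test case lies outside the hunk, so this may already be covered there.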
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts
index 70c554231a0e1..72e6311ebdb90 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts
@@ -17,7 +17,7 @@ import type {
 AlertInstanceState,
 RuleExecutorServices,
 } from '@kbn/alerting-plugin/server';
-import type { IRuleDataReader } from '@kbn/rule-registry-plugin/server';
+import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import type { Filter, DataViewFieldBase } from '@kbn/es-query';
 import type { CompleteRule, ThresholdRuleParams } from '../../rule_schema';
 import { getFilter } from '../utils/get_filter';
@@ -59,7 +59,7 @@ export const thresholdExecutor = async ({
 state,
 bulkCreate,
 wrapHits,
- ruleDataReader,
+ ruleDataClient,
 primaryTimestamp,
 secondaryTimestamp,
 aggregatableTimestampField,
@@ -81,7 +81,7 @@ export const thresholdExecutor = async ({
 state: ThresholdAlertState;
 bulkCreate: BulkCreate;
 wrapHits: WrapHits;
- ruleDataReader: IRuleDataReader;
+ ruleDataClient: IRuleDataClient;
 primaryTimestamp: string;
 secondaryTimestamp?: string;
 aggregatableTimestampField: string;
@@ -112,7 +112,9 @@ export const thresholdExecutor = async ({
 to: tuple.to.toISOString(),
 frameworkRuleId: completeRule.alertId,
 bucketByFields: ruleParams.threshold.field,
- ruleDataReader,
+ spaceId,
+ ruleDataClient,
+ esClient: services.scopedClusterClient.asCurrentUser,
 });
 const validSignalHistory = getSignalHistory(state, signalHistory, tuple);
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
index 8e91f48038845..4c5aa555ed212 100644
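Review bot: `esClient: services.scopedClusterClient.asCurrentUser` is the one line that carries the commit's intent, yet nothing in the code says why the current user is chosen over the internal user, so a later reader could "simplify" it back to the internal client. A why-comment on that line would protect it: `// Search prior threshold alerts as the rule's user, not the internal user, so the history read is bound by that user's index privileges.` The other three hunks in this file (import, destructuring, parameter type) are the rename only. `thresholdExecutor` continues outside the hunk.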
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
@@ -26,7 +26,6 @@ import type { ListClient } from '@kbn/lists-plugin/server';
 import type {
 PersistenceServices,
 IRuleDataClient,
- IRuleDataReader,
 SuppressedAlertService,
 } from '@kbn/rule-registry-plugin/server';
 import type { EcsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map';
@@ -86,7 +85,7 @@ export interface RunOpts {
 bulkCreate: BulkCreate;
 wrapHits: WrapHits;
 wrapSequences: WrapSequences;
- ruleDataReader: IRuleDataReader;
+ ruleDataClient: IRuleDataClient;
 inputIndex: string[];
 runtimeMappings: estypes.MappingRuntimeFields | undefined;
 mergeStrategy: ConfigType['alertMergeStrategy'];