From 04b143248b47a3fcc05526c2efed7307ff5d2291 Mon Sep 17 00:00:00 2001
From: Madison Caldwell
Date: Wed, 16 Dec 2020 21:21:30 +0000
Subject: [PATCH] Fix bug with incorrect calculation of threshold signal dupes when no threshold field present
---
.../signals/threshold_get_bucket_filters.ts | 40 ++++++++++---------
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold_get_bucket_filters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold_get_bucket_filters.ts
index 9eff26995ad6e..bf060da1e76b8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold_get_bucket_filters.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold_get_bucket_filters.ts
@@ -4,6 +4,8 @@
* you may not use this file except in compliance with the Elastic License.
*/
+import { isEmpty } from 'lodash';
+
import { Filter } from 'src/plugins/data/common';
import { ESFilter } from '../../../../../../typings/elasticsearch';
@@ -54,27 +56,29 @@ export const getThresholdBucketFilters = async ({
const filters = searchResult.aggregations.threshold.buckets.reduce(
(acc: ESFilter[], bucket: ThresholdQueryBucket): ESFilter[] => {
- return [
- ...acc,
- {
- bool: {
- filter: [
- {
- term: {
- [bucketByField || 'signal.rule.rule_id']: bucket.key,
- },
- },
- {
- range: {
- [timestampOverride ?? '@timestamp']: {
- lte: bucket.lastSignalTimestamp.value_as_string,
+ const filter = {
+ bool: {
+ filter: [
+ {
+ range: {
+ [timestampOverride ?? '@timestamp']: {
+ lte: bucket.lastSignalTimestamp.value_as_string,
},
},
- ],
+ },
+ ],
+ },
+ } as ESFilter;
+
+ if (!isEmpty(bucketByField)) {
+ (filter.bool.filter as ESFilter[]).push({
+ term: {
+ [bucketByField]: bucket.key,
},
- } as ESFilter,
- ];
+ });
+ }
+
+ return [...acc, filter];
},
[] as ESFilter[]
);
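Review bot: The conditional `term` clause is added through two type assertions (`as ESFilter` on the literal, then `as ESFilter[]` on `filter.bool.filter`) and a `push` into the object just built; collecting the clauses in a typed array first and constructing the filter once lets the compiler check the shape without either cast, and the reduce callback reads top-down. The `!isEmpty(bucketByField)` branch is the actual fix and deserves a why-comment, e.g. `// No threshold field: one bucket covers every event, so the timestamp bound alone identifies the duplicates` — hedged, since the aggregation that produces the buckets is outside this hunk. Note also that lodash `isEmpty` is not a type guard, so the computed key `[bucketByField]` only compiles if the parameter is already typed as a plain `string`; if it is `string | undefined`, the removed `||` fallback was also doing the narrowing and a local `const field = bucketByField as string` or a `typeof bucketByField === 'string'` check would be needed. getThresholdBucketFilters begins before this hunk; if `ESFilter` does not accept a `bool.filter` array directly, keep a single `as ESFilter` on the final object.

```typescript
    (acc: ESFilter[], bucket: ThresholdQueryBucket): ESFilter[] => {
      // Always bound by the last signal already emitted for this bucket.
      const clauses: ESFilter[] = [
        {
          range: {
            [timestampOverride ?? '@timestamp']: {
              lte: bucket.lastSignalTimestamp.value_as_string,
            },
          },
        },
      ];

      // No threshold field: one bucket covers every event, so the
      // timestamp bound alone identifies the duplicates (no term clause).
      if (!isEmpty(bucketByField)) {
        clauses.push({ term: { [bucketByField]: bucket.key } });
      }

      return [...acc, { bool: { filter: clauses } }];
    },
    // … unchanged: reduce seed and closing …
```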