remove allow_no_indices param, adds a check if response has empty ind…

…ices property then write error status with index patterns provided to rule
elastic · Feb 1, 2021 · 14ef150 · 14ef150
1 parent 52f5403
commit 14ef150
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 15 deletions.
diff --git a/...k/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/...k/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -9,7 +9,7 @@
 import { Logger, KibanaRequest } from 'src/core/server';
 import isEmpty from 'lodash/isEmpty';
 import { chain, tryCatch } from 'fp-ts/lib/TaskEither';
-import { flow, pipe } from 'fp-ts/lib/function';
+import { flow } from 'fp-ts/lib/function';
 
 import { toError, toPromise } from '../../../../common/fp_utils';
 
@@ -188,22 +188,14 @@ export const signalRulesAlertType = ({
       try {
         if (!isEmpty(index)) {
           const hasTimestampOverride = timestampOverride != null && !isEmpty(timestampOverride);
+          const inputIndices = await getInputIndex(services, version, index);
           const [privileges, timestampFieldCaps] = await Promise.all([
-            pipe(
-              { services, version, index },
-              ({ services: svc, version: ver, index: idx }) =>
-                pipe(
-                  tryCatch(() => getInputIndex(svc, ver, idx), toError),
-                  chain((indices) => tryCatch(() => checkPrivileges(svc, indices), toError))
-                ),
-              toPromise
-            ),
+            checkPrivileges(services, inputIndices),
             services.scopedClusterClient.fieldCaps({
               index,
               fields: hasTimestampOverride
                 ? ['@timestamp', timestampOverride as string]
                 : ['@timestamp'],
-              allow_no_indices: false,
               include_unmapped: true,
             }),
           ]);
@@ -222,6 +214,7 @@ export const signalRulesAlertType = ({
                     wroteStatus,
                     hasTimestampOverride ? (timestampOverride as string) : '@timestamp',
                     timestampFieldCaps,
+                    inputIndices,
                     ruleStatusService,
                     logger,
                     buildRuleMessage

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
@@ -843,6 +843,7 @@ describe('utils', () => {
         timestampField,
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
+        ['myfa*'],
         ruleStatusServiceMock,
         mockLogger,
         buildRuleMessage
@@ -881,6 +882,7 @@ describe('utils', () => {
         timestampField,
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         timestampFieldCapsResponse as ApiResponse<Record<string, any>>,
+        ['myfa*'],
         ruleStatusServiceMock,
         mockLogger,
         buildRuleMessage

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
@@ -100,18 +100,48 @@ export const hasReadIndexPrivileges = async (
   return false;
 };
 
+const getFieldCapFailingIndices = (
+  inputIndices: string[], // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  timestampFieldCapsResponse: ApiResponse<Record<string, any>, Context>,
+  timestampField: string
+) => {
+  if (
+    isEmpty(timestampFieldCapsResponse.body.fields) &&
+    isEmpty(timestampFieldCapsResponse.body.indices)
+  ) {
+    return inputIndices;
+  } else if (
+    isEmpty(timestampFieldCapsResponse.body.fields) &&
+    !isEmpty(timestampFieldCapsResponse.body.indices)
+  ) {
+    return timestampFieldCapsResponse.body.indices;
+  } else {
+    return timestampFieldCapsResponse.body.fields[timestampField].unmapped.indices;
+  }
+};
+
 export const hasTimestampFields = async (
   wroteStatus: boolean,
   timestampField: string,
   // any is derived from here
   // node_modules/@elastic/elasticsearch/api/kibana.d.ts
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   timestampFieldCapsResponse: ApiResponse<Record<string, any>, Context>,
+  inputIndices: string[],
   ruleStatusService: RuleStatusService,
   logger: Logger,
   buildRuleMessage: BuildRuleMessage
 ): Promise<boolean> => {
-  if (
+  if (!wroteStatus && isEmpty(timestampFieldCapsResponse.body.indices)) {
+    const errorString = `The following indices are missing the ${
+      timestampField === '@timestamp'
+        ? 'timestamp field "@timestamp"'
+        : `timestamp override field "${timestampField}"`
+    }: ${JSON.stringify(inputIndices)}`;
+    logger.error(buildRuleMessage(errorString));
+    await ruleStatusService.error(errorString);
+    return true;
+  } else if (
     !wroteStatus &&
     (isEmpty(timestampFieldCapsResponse.body.fields) ||
       timestampFieldCapsResponse.body.fields[timestampField] == null ||
@@ -124,9 +154,7 @@ export const hasTimestampFields = async (
         ? 'timestamp field "@timestamp"'
         : `timestamp override field "${timestampField}"`
     }: ${JSON.stringify(
-      isEmpty(timestampFieldCapsResponse.body.fields)
-        ? timestampFieldCapsResponse.body.indices
-        : timestampFieldCapsResponse.body.fields[timestampField].unmapped.indices
+      getFieldCapFailingIndices(inputIndices, timestampFieldCapsResponse, timestampField)
     )}`;
     logger.error(buildRuleMessage(errorString));
     await ruleStatusService.partialFailure(errorString);