[Security Solution] [CTI] Fixes bug that caused Threshold and Indicat…

…or Match rules to ignore custom rule filters if a saved query was used in the rule definition. (#109253) * Ignore saved_id for Threat match and threshold rules Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
elastic · Sep 2, 2021 · b0a0dc2 · b0a0dc2
1 parent e8191ed
commit b0a0dc2
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 3 deletions.
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.test.ts
@@ -137,6 +137,52 @@ describe('get_filter', () => {
       });
     });
 
+    test('returns the query persisted to the threat_match rule, despite saved_id being specified', async () => {
+      const filter = await getFilter({
+        type: 'threat_match',
+        filters: undefined,
+        language: 'kuery',
+        query: 'host.name: siem',
+        savedId: 'some-id',
+        services: servicesMock,
+        index: ['auditbeat-*'],
+        lists: [],
+      });
+      expect(filter).toEqual({
+        bool: {
+          filter: [
+            { bool: { minimum_should_match: 1, should: [{ match: { 'host.name': 'siem' } }] } },
+          ],
+          must: [],
+          must_not: [],
+          should: [],
+        },
+      });
+    });
+
+    test('returns the query persisted to the threshold rule, despite saved_id being specified', async () => {
+      const filter = await getFilter({
+        type: 'threat_match',
+        filters: undefined,
+        language: 'kuery',
+        query: 'host.name: siem',
+        savedId: 'some-id',
+        services: servicesMock,
+        index: ['auditbeat-*'],
+        lists: [],
+      });
+      expect(filter).toEqual({
+        bool: {
+          filter: [
+            { bool: { minimum_should_match: 1, should: [{ match: { 'host.name': 'siem' } }] } },
+          ],
+          must: [],
+          must_not: [],
+          should: [],
+        },
+      });
+    });
+
     test('throws on saved query if saved_id is undefined', async () => {
       await expect(
         getFilter({

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts
@@ -94,9 +94,7 @@ export const getFilter = async ({
 
   switch (type) {
     case 'threat_match':
-    case 'threshold': {
-      return savedId != null ? savedQueryFilter() : queryFilter();
-    }
+    case 'threshold':
     case 'query': {
       return queryFilter();
     }