-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Detections] Write failing status when executionStatus is in error #79311
Conversation
Pinging @elastic/siem (Team:SIEM) |
482fd74
to
348263c
Compare
...lugins/security_solution/server/lib/detection_engine/routes/__mocks__/rule_status_service.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_route.ts
Outdated
Show resolved
Hide resolved
...lugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_status_route.ts
Outdated
Show resolved
Hide resolved
...lugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_status_route.ts
Outdated
Show resolved
Hide resolved
...ns/security_solution/server/lib/detection_engine/signals/rule_status_saved_objects_client.ts
Outdated
Show resolved
Hide resolved
348263c
to
ab6ee8a
Compare
…object inside find rules status route, updates find rules route to display error if executionStatus is in error, but not be in charge of writing the status. That job belongs to the find rules status route.
…les_status_route and adds a test for general error checking
…ter to append rule ids to the end of query, removes object.keys()
…the executionStatus property and merge that result with our stored failures
…cessary references to mock in tests
9c66410
to
8624cdb
Compare
convertToSnakeCase<IRuleStatusAttributes>(errorItem.attributes) | ||
), | ||
}, | ||
} as RuleStatusResponse; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Don't think you need the as cast, it will validate fine without it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a few nits but just one issue with unhandled promise rejections. Note: I did not exercise the functionality here, this was simply code review. However, I've got this on my list and will be testing during feature freeze.
@@ -46,6 +48,33 @@ describe('find_statuses', () => { | |||
status_code: 500, | |||
}); | |||
}); | |||
|
|||
test('returns success if rule status client writes an error status', async () => { | |||
// 0. task manager tried to run the rule but couldn't, so the alerting framework |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
zero-indexed comments, I like it
test('returns success if rule status client writes an error status', async () => { | ||
// 0. task manager tried to run the rule but couldn't, so the alerting framework | ||
// wrote an error to the executionStatus. | ||
const failingExecutionRule = getResult(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: better to call out the mutation of failingExecutionRule
as part of its assignment:
const failingExecutionRule = { ...getResult(), ...overrides };
to prevent it from being overlooked
ruleActions, | ||
ruleStatuses.saved_objects[0] | ||
); | ||
const currentStatus = ruleStatuses.saved_objects[0]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const currentStatus = ruleStatuses.saved_objects[0]; | |
const [currentStatus] = ruleStatuses.saved_objects; |
id: string, | ||
failures: Array<SavedObjectsFindResult<IRuleStatusAttributes>>, | ||
acc: RuleStatusResponse | ||
) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: explicit return type here. This might also remove the need for the as RuleStatusResponse
below
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
edit: still need the as
below, but I think the issue that it's resolving is correct (convertToSnakeCase
is too fuzzy).
}, | ||
...accum, | ||
}; | ||
}, {} as Record<string, SanitizedAlert>) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: you can also pass this as a type argument to reduce
}; | ||
|
||
export const getFailingRules = (ids: string[], alertsClient: AlertsClient) => | ||
Promise.all( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to handle the potential rejections/errors thrown by the alertsClient, here. Might be easier to convert to a try/catch/await.
|
||
export type RuleStatusServiceMock = jest.Mocked<RuleStatusService>; | ||
|
||
export const ruleStatusServiceFactoryMock = async ({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this file is used anymore? If not, you want to delete it? You can keep it if you think these mocks will be useful for someone else though. Just pointing it out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a pre-emptive approval if we aren't around and FF is today.
Tested it a lot and it is looking pretty good, some comments about code from others below feel free to address them as you have time or do follow ups.
Otherwise, so so much goodness here with the refactoring and ❤️ how we can get these API key errors and others bubbled up now with this PR. Appreciate it.
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
…tatus is in error (#79311) (#79812) * Write failing status when executionStatus is in error * adds unit test for error handling if rule status service throws an error * adds success test for when executionStatus is failed * moves logic for writing executionStatus failure to rule status saved object inside find rules status route, updates find rules route to display error if executionStatus is in error, but not be in charge of writing the status. That job belongs to the find rules status route. * test if we are writing an error status when calls are made to find_rules_status_route and adds a test for general error checking * adds JSDocs description for rules status route, updates findRules filter to append rule ids to the end of query, removes object.keys() * don't write an error to our rule status in the route, only read from the executionStatus property and merge that result with our stored failures * fixes tests * move mock rule status service out of __mocks__ folder and remove unnecessary references to mock in tests * fix type error * updates json.gzip for cypress * PR feedback * fix timing issue with integration tests * removes unzipped data.json
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
We can now set an error status when an exception occurs outside of our rule executor. For example, when an alert fails to decrypt or some other issue occurs in task manager where the rule executor function fails to execute, we can query the
executionStatus
property on the rule set by #75553With this addition, we can now alert users when their rules are failing due to errors thrown outside of our code like so:
Checklist
Delete any items that are not applicable to this PR.
For maintainers