[Security Solution] [Detections] Write failing status when executionStatus is in error #79311
Conversation
dhurley14
added
release_note:enhancement
review
Team:SIEM
v7.10.0
v8.0.0
Feature:Detection Rules
|
Pinging @elastic/siem (Team:SIEM) |
dhurley14
force-pushed
the
exception-status-rules-2
branch
from
482fd74
to
348263c
Compare
...lugins/security_solution/server/lib/detection_engine/routes/__mocks__/rule_status_service.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_route.ts
Outdated
Show resolved
Hide resolved
...lugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_status_route.ts
Outdated
Show resolved
Hide resolved
...lugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_status_route.ts
Outdated
Show resolved
Hide resolved
...ns/security_solution/server/lib/detection_engine/signals/rule_status_saved_objects_client.ts
Outdated
Show resolved
Hide resolved
dhurley14
force-pushed
the
exception-status-rules-2
branch
from
348263c
to
ab6ee8a
Compare
…object inside find rules status route, updates find rules route to display error if executionStatus is in error, but not be in charge of writing the status. That job belongs to the find rules status route.
…les_status_route and adds a test for general error checking
…ter to append rule ids to the end of query, removes object.keys()
…the executionStatus property and merge that result with our stored failures
…cessary references to mock in tests
dhurley14
force-pushed
the
exception-status-rules-2
branch
from
9c66410
to
8624cdb
Compare
| convertToSnakeCase<IRuleStatusAttributes>(errorItem.attributes) | ||
| ), | ||
| }, | ||
| } as RuleStatusResponse; |
There was a problem hiding this comment.
nit: Don't think you need the as cast, it will validate fine without it.
| @@ -46,6 +48,33 @@ describe('find_statuses', () => { | |||
| status_code: 500, | |||
| }); | |||
| }); | |||
|
|
|||
| test('returns success if rule status client writes an error status', async () => { | |||
| // 0. task manager tried to run the rule but couldn't, so the alerting framework | |||
There was a problem hiding this comment.
zero-indexed comments, I like it
| test('returns success if rule status client writes an error status', async () => { | ||
| // 0. task manager tried to run the rule but couldn't, so the alerting framework | ||
| // wrote an error to the executionStatus. | ||
| const failingExecutionRule = getResult(); |
There was a problem hiding this comment.
nit: better to call out the mutation of failingExecutionRule as part of its assignment:
const failingExecutionRule = { ...getResult(), ...overrides };to prevent it from being overlooked
| ruleActions, | ||
| ruleStatuses.saved_objects[0] | ||
| ); | ||
| const currentStatus = ruleStatuses.saved_objects[0]; |
There was a problem hiding this comment.
| const currentStatus = ruleStatuses.saved_objects[0]; | |
| const [currentStatus] = ruleStatuses.saved_objects; |
| id: string, | ||
| failures: Array<SavedObjectsFindResult<IRuleStatusAttributes>>, | ||
| acc: RuleStatusResponse | ||
| ) => { |
There was a problem hiding this comment.
Nit: explicit return type here. This might also remove the need for the as RuleStatusResponse below
There was a problem hiding this comment.
edit: still need the as below, but I think the issue that it's resolving is correct (convertToSnakeCase is too fuzzy).
| }, | ||
| ...accum, | ||
| }; | ||
| }, {} as Record<string, SanitizedAlert>) |
There was a problem hiding this comment.
nit: you can also pass this as a type argument to reduce
| }; | ||
|
|
||
| export const getFailingRules = (ids: string[], alertsClient: AlertsClient) => | ||
| Promise.all( |
There was a problem hiding this comment.
I think we need to handle the potential rejections/errors thrown by the alertsClient, here. Might be easier to convert to a try/catch/await.
|
|
||
| export type RuleStatusServiceMock = jest.Mocked<RuleStatusService>; | ||
|
|
||
| export const ruleStatusServiceFactoryMock = async ({ |
There was a problem hiding this comment.
I don't think this file is used anymore? If not, you want to delete it? You can keep it if you think these mocks will be useful for someone else though. Just pointing it out.
There was a problem hiding this comment.
This is a pre-emptive approval if we aren't around and FF is today.
Tested it a lot and it is looking pretty good, some comments about code from others below feel free to address them as you have time or do follow ups.
Otherwise, so so much goodness here with the refactoring and ❤️ how we can get these API key errors and others bubbled up now with this PR. Appreciate it.
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
…tatus is in error (#79311) (#79812) * Write failing status when executionStatus is in error * adds unit test for error handling if rule status service throws an error * adds success test for when executionStatus is failed * moves logic for writing executionStatus failure to rule status saved object inside find rules status route, updates find rules route to display error if executionStatus is in error, but not be in charge of writing the status. That job belongs to the find rules status route. * test if we are writing an error status when calls are made to find_rules_status_route and adds a test for general error checking * adds JSDocs description for rules status route, updates findRules filter to append rule ids to the end of query, removes object.keys() * don't write an error to our rule status in the route, only read from the executionStatus property and merge that result with our stored failures * fixes tests * move mock rule status service out of __mocks__ folder and remove unnecessary references to mock in tests * fix type error * updates json.gzip for cypress * PR feedback * fix timing issue with integration tests * removes unzipped data.json
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
We can now set an error status when an exception occurs outside of our rule executor. For example, when an alert fails to decrypt or some other issue occurs in task manager where the rule executor function fails to execute, we can query the
executionStatusproperty on the rule set by #75553With this addition, we can now alert users when their rules are failing due to errors thrown outside of our code like so:
Checklist
Delete any items that are not applicable to this PR.
For maintainers