

[Security Solution] [Detections] Fixes bug for determining when we hi…
…t max signals after filtering with lists (#71768)

update signal counter with filtered results, not with direct search results.
dhurley14 authored Jul 15, 2020
1 parent a885f8a commit 56de45d
Showing 2 changed files with 12 additions and 5 deletions.
Expand Up @@ -31,7 +31,6 @@ export const filterEventsAgainstList = async ({
buildRuleMessage,
}: FilterEventsAgainstList): Promise<SignalSearchResponse> => {
try {
logger.debug(buildRuleMessage(`exceptionsList: ${JSON.stringify(exceptionsList, null, 2)}`));
if (exceptionsList == null || exceptionsList.length === 0) {
logger.debug(buildRuleMessage('about to return original search result'));
return eventSearchResult;
Expand Up @@ -91,7 +91,7 @@ export const searchAfterAndBulkCreate = async ({
};

let sortId; // tells us where to start our next search_after query
let searchResultSize = 0;
let signalsCreatedCount = 0;

/*
The purpose of `maxResults` is to ensure we do not perform
Expand Down Expand Up @@ -127,8 +127,8 @@ export const searchAfterAndBulkCreate = async ({
toReturn.success = false;
return toReturn;
}
searchResultSize = 0;
while (searchResultSize < tuple.maxSignals) {
signalsCreatedCount = 0;
while (signalsCreatedCount < tuple.maxSignals) {
try {
logger.debug(buildRuleMessage(`sortIds: ${sortId}`));
const {
Expand Down Expand Up @@ -167,7 +167,6 @@ export const searchAfterAndBulkCreate = async ({
searchResult.hits.hits[searchResult.hits.hits.length - 1]?._source['@timestamp']
)
: null;
searchResultSize += searchResult.hits.hits.length;

// filter out the search results that match with the values found in the list.
// the resulting set are valid signals that are not on the allowlist.
Expand All @@ -187,6 +186,14 @@ export const searchAfterAndBulkCreate = async ({
break;
}

// make sure we are not going to create more signals than maxSignals allows
if (signalsCreatedCount + filteredEvents.hits.hits.length > tuple.maxSignals) {
filteredEvents.hits.hits = filteredEvents.hits.hits.slice(
0,
tuple.maxSignals - signalsCreatedCount
);
}

const {
bulkCreateDuration: bulkDuration,
createdItemsCount: createdCount,
Expand All @@ -211,6 +218,7 @@ export const searchAfterAndBulkCreate = async ({
});
logger.debug(buildRuleMessage(`created ${createdCount} signals`));
toReturn.createdSignalsCount += createdCount;
signalsCreatedCount += createdCount;
if (bulkDuration) {
toReturn.bulkCreateTimes.push(bulkDuration);
}
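Review bot: The rewritten loop guard `while (signalsCreatedCount < tuple.maxSignals)` removes the only cap on total search work: the old `searchResultSize` counter bounded the loop by hits fetched, whereas the new counter only advances on hits that survive the exception-list filter and are actually bulk-created, so a rule whose list filters out most events will keep paging with search_after until the index is exhausted, and termination on an empty page depends on the `break` whose condition sits outside the hunk. Consider keeping a secondary bound alongside the new counter, e.g. `let pagesSearched = 0;` at the declaration and, at the top of the loop body, `if (++pagesSearched > MAX_SEARCH_PAGES) { logger.debug(buildRuleMessage('page limit reached before maxSignals')); break; }` (MAX_SEARCH_PAGES is a constructed placeholder for whatever limit the rule config exposes), so that a large exception list cannot turn one rule run into an unbounded scan. Separately, `signalsCreatedCount += createdCount` appears to track the same quantity as `toReturn.createdSignalsCount += createdCount` on the line above; if `toReturn.createdSignalsCount` starts at 0 in this function (its initialization is outside the hunk), the loop could test that field directly and the duplicate counter could be dropped. The enclosing function searchAfterAndBulkCreate starts and ends outside the hunks.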
