updated logic per feedback
yctercero committed Jul 14, 2020
1 parent e48737a commit c3dc4ec
Showing 4 changed files with 29 additions and 28 deletions.
Expand Up @@ -382,7 +382,7 @@ describe('build_exceptions_query', () => {
lists: payload,
exclude,
});
const expectedQuery = 'not (b:("value-1" or "value-2") and not c:"value-3")';
const expectedQuery = 'not (b:("value-1" or "value-2") or not c:"value-3")';

expect(query).toEqual(expectedQuery);
});
Expand All @@ -403,7 +403,7 @@ describe('build_exceptions_query', () => {
lists,
exclude,
});
const expectedQuery = 'not (b:("value-1" or "value-2") and parent:{ nestedField:"value-3" })';
const expectedQuery = 'not (b:("value-1" or "value-2") or parent:{ nestedField:"value-3" })';

expect(query).toEqual(expectedQuery);
});
Expand All @@ -426,7 +426,7 @@ describe('build_exceptions_query', () => {
exclude,
});
const expectedQuery =
'not (b:("value-1" or "value-2") and parent:{ nestedField:"value-3" } and d:*)';
'not (b:("value-1" or "value-2") or parent:{ nestedField:"value-3" } or d:*)';
expect(query).toEqual(expectedQuery);
});

Expand All @@ -448,7 +448,7 @@ describe('build_exceptions_query', () => {
exclude,
});
const expectedQuery =
'NOT (b:("value-1" OR "value-2") AND parent:{ nestedField:"value-3" } AND NOT _exists_e)';
'NOT (b:("value-1" OR "value-2") OR parent:{ nestedField:"value-3" } OR NOT _exists_e)';
expect(query).toEqual(expectedQuery);
});

Expand All @@ -467,7 +467,7 @@ describe('build_exceptions_query', () => {
lists: payload,
exclude,
});
const expectedQuery = 'b:("value-1" or "value-2") and not c:"value-3"';
const expectedQuery = 'b:("value-1" or "value-2") or not c:"value-3"';

expect(query).toEqual(expectedQuery);
});
Expand All @@ -488,7 +488,7 @@ describe('build_exceptions_query', () => {
lists,
exclude,
});
const expectedQuery = 'b:("value-1" or "value-2") and parent:{ nestedField:"value-3" }';
const expectedQuery = 'b:("value-1" or "value-2") or parent:{ nestedField:"value-3" }';

expect(query).toEqual(expectedQuery);
});
Expand All @@ -511,7 +511,7 @@ describe('build_exceptions_query', () => {
exclude,
});
const expectedQuery =
'b:("value-1" or "value-2") and parent:{ nestedField:"value-3" } and d:*';
'b:("value-1" or "value-2") or parent:{ nestedField:"value-3" } or d:*';
expect(query).toEqual(expectedQuery);
});

Expand All @@ -533,7 +533,7 @@ describe('build_exceptions_query', () => {
exclude,
});
const expectedQuery =
'b:("value-1" OR "value-2") AND parent:{ nestedField:"value-3" } AND NOT _exists_e';
'b:("value-1" OR "value-2") OR parent:{ nestedField:"value-3" } OR NOT _exists_e';
expect(query).toEqual(expectedQuery);
});
});
Expand Down Expand Up @@ -577,7 +577,7 @@ describe('build_exceptions_query', () => {
lists,
exclude,
});
const expectedQuery = 'not (not b:* and parent:{ c:"value-1" })';
const expectedQuery = 'not (not b:* or parent:{ c:"value-1" })';

expect(query).toEqual(expectedQuery);
});
Expand All @@ -600,7 +600,7 @@ describe('build_exceptions_query', () => {
lists,
exclude,
});
const expectedQuery = 'not (b:* and parent:{ c:"value-1" and d:"value-2" } and e:*)';
const expectedQuery = 'not (b:* or parent:{ c:"value-1" and d:"value-2" } or e:*)';

expect(query).toEqual(expectedQuery);
});
Expand Down Expand Up @@ -647,7 +647,7 @@ describe('build_exceptions_query', () => {
lists,
exclude,
});
const expectedQuery = 'not (not b:"value" and parent:{ c:"valueC" })';
const expectedQuery = 'not (not b:"value" or parent:{ c:"valueC" })';

expect(query).toEqual(expectedQuery);
});
Expand All @@ -671,7 +671,7 @@ describe('build_exceptions_query', () => {
exclude,
});
const expectedQuery =
'not (b:"value" and parent:{ c:"valueC" and d:"valueD" } and e:"valueE")';
'not (b:"value" or parent:{ c:"valueC" and d:"valueD" } or e:"valueE")';

expect(query).toEqual(expectedQuery);
});
Expand Down Expand Up @@ -716,7 +716,7 @@ describe('build_exceptions_query', () => {
lists,
exclude,
});
const expectedQuery = 'not (not b:("value-1" or "value-2") and parent:{ c:"valueC" })';
const expectedQuery = 'not (not b:("value-1" or "value-2") or parent:{ c:"valueC" })';

expect(query).toEqual(expectedQuery);
});
Expand All @@ -731,7 +731,7 @@ describe('build_exceptions_query', () => {
lists,
exclude,
});
const expectedQuery = 'not (b:("value-1" or "value-2") and c:("value-1" or "value-2"))';
const expectedQuery = 'not (b:("value-1" or "value-2") or c:("value-1" or "value-2"))';

expect(query).toEqual(expectedQuery);
});
Expand Down Expand Up @@ -788,7 +788,7 @@ describe('build_exceptions_query', () => {
lists: [payload, payload2],
});
const expectedQuery =
'not (some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value")';
'not (some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value")';

expect(query).toEqual([{ query: expectedQuery, language: 'kuery' }]);
});
Expand All @@ -813,9 +813,9 @@ describe('build_exceptions_query', () => {
lists: [payload, payload2],
});
const expectedQuery =
'not (some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value")';
'not (some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value")';
const expectedQuery2 =
'not (b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2"))';
'not (b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2"))';

expect(query).toEqual([
{ query: expectedQuery, language: 'kuery' },
Expand Down Expand Up @@ -843,9 +843,9 @@ describe('build_exceptions_query', () => {
lists: [payload, payload2],
});
const expectedQuery =
'not (some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value")';
'not (some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value")';
const expectedQuery2 =
'not (b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2"))';
'not (b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2"))';

expect(query).toEqual([
{ language: 'kuery', query: expectedQuery },
Expand Down Expand Up @@ -911,9 +911,9 @@ describe('build_exceptions_query', () => {
exclude,
});
const expectedQuery =
'some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value"';
'some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value"';
const expectedQuery2 =
'b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2")';
'b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2")';

expect(query).toEqual([
{ query: expectedQuery, language: 'kuery' },
Expand Down Expand Up @@ -944,7 +944,7 @@ describe('build_exceptions_query', () => {
});
const expectedQuery = 'b:("value-1" OR "value-2")';
const expectedQuery2 =
'b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2")';
'b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2")';

expect(query).toEqual([
{ language: 'lucene', query: expectedQuery },
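Review bot: Every updated expectation in this spec now joins the entries of a single exception item with `or`, so under `exclude` the emitted `not (A or B)` is equivalent to `not A and not B` and an event is excluded as soon as any one entry matches. If the intended semantics is that all entries of one exception item must match before the event is excluded (AND within an item, OR across items), these expectations lock in a broader exclusion than intended and would widen detection blind spots; the commit title "updated logic per feedback" does not say which reading is meant. The same change appears in the `buildExceptionItemEntries` hunk and in the `should` / `minimum_should_match: 1` blocks of the `get_filter` spec, so whichever semantics is intended should be stated once where the tests can be read against it. A one-line comment at the top of the affected describe block, e.g. `// entries within one exception item are OR'ed; an excluded item is negated as a whole`, would let the next reader tell deliberate from accidental.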
Expand Up @@ -155,16 +155,16 @@ export const buildExceptionItemEntries = ({
language: Language;
exclude: boolean;
}): string => {
const and = getLanguageBooleanOperator({ language, value: 'and' });
const or = getLanguageBooleanOperator({ language, value: 'or' });
const not = getLanguageBooleanOperator({ language, value: 'not' });
const exceptionItem = lists
.filter(({ type }) => type !== 'list')
.reduce<string[]>((accum, listItem) => {
const exceptionSegment = evaluateValues({ item: listItem, language });
return [...accum, exceptionSegment];
}, []);
const exceptionQuery = exceptionItem.join(` ${and} `);
return !exclude ? `${exceptionQuery}` : `${not} (${exceptionItem.join(` ${and} `)})`;
const exceptionQuery = exceptionItem.join(` ${or} `);
return !exclude ? `${exceptionQuery}` : `${not} (${exceptionQuery})`;
};

export const buildQueryExceptions = ({
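Review bot: If every entry is dropped by the `type !== 'list'` filter (or `lists` is empty), `exceptionItem` is `[]`, `exceptionQuery` is `''`, and the `exclude` branch returns `${not} ()`, which is almost certainly not a parseable KQL or Lucene clause; the rewritten return line only dedupes the join and does not guard this case. An early return such as `if (exceptionItem.length === 0) return '';` before the join would keep a malformed negation out of the generated query, assuming the caller treats an empty string as "no exception clause" — worth confirming against `buildQueryExceptions`, whose body is outside this hunk. The template literal `` `${exceptionQuery}` `` in the non-exclude branch is redundant since `exceptionQuery` is already a string; `return exclude ? `${not} (${exceptionQuery})` : exceptionQuery;` reads more directly. The function's signature and parameter list begin above this hunk.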
Expand Up @@ -367,7 +367,8 @@ describe('get_filter', () => {
bool: {
must_not: {
bool: {
filter: [
minimum_should_match: 1,
should: [
{
nested: {
path: 'some.parentField',
Expand Down Expand Up @@ -455,7 +456,8 @@ describe('get_filter', () => {
{ bool: { minimum_should_match: 1, should: [{ match: { 'host.name': 'linux' } }] } },
{
bool: {
filter: [
minimum_should_match: 1,
should: [
{
nested: {
path: 'some.parentField',
Expand Up @@ -9,7 +9,6 @@ import sinon from 'sinon';

import { alertsMock, AlertServicesMock } from '../../../../../alerts/server/mocks';
import { listMock } from '../../../../../lists/server/mocks';
import { EntriesArray } from '../../../../common/shared_imports';
import { buildRuleMessageFactory } from './rule_messages';
import { ExceptionListClient } from '../../../../../lists/server';
import { getListArrayMock } from '../../../../common/detection_engine/schemas/types/lists.mock';