From c3dc4ec53c663ec9f00d390e41f51216d143f0ad Mon Sep 17 00:00:00 2001
From: Yara Tercero
Date: Tue, 14 Jul 2020 19:07:00 -0400
Subject: [PATCH] updated logic per feedback
---
 .../build_exceptions_query.test.ts | 44 +++++++++----------
 .../build_exceptions_query.ts | 6 +--
 .../detection_engine/get_query_filter.test.ts | 6 ++-
 .../detection_engine/signals/utils.test.ts | 1 -
 4 files changed, 29 insertions(+), 28 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts b/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts
index 160c5f5e94a7800..973d3f638555abb 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts
@@ -382,7 +382,7 @@ describe('build_exceptions_query', () => {
 lists: payload,
 exclude,
 });
- const expectedQuery = 'not (b:("value-1" or "value-2") and not c:"value-3")';
+ const expectedQuery = 'not (b:("value-1" or "value-2") or not c:"value-3")';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -403,7 +403,7 @@ describe('build_exceptions_query', () => {
 lists,
 exclude,
 });
- const expectedQuery = 'not (b:("value-1" or "value-2") and parent:{ nestedField:"value-3" })';
+ const expectedQuery = 'not (b:("value-1" or "value-2") or parent:{ nestedField:"value-3" })';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -426,7 +426,7 @@ describe('build_exceptions_query', () => {
 exclude,
 });
 const expectedQuery =
- 'not (b:("value-1" or "value-2") and parent:{ nestedField:"value-3" } and d:*)';
+ 'not (b:("value-1" or "value-2") or parent:{ nestedField:"value-3" } or d:*)';
 expect(query).toEqual(expectedQuery);
 });
 
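Review bot: The new expectation `'not (b:("value-1" or "value-2") or not c:"value-3")'` makes the negated entry sufficient on its own, so once `exclude` is applied every event whose `c` is anything other than `"value-3"` is removed from the rule's results regardless of `b`; if the entries of one item are meant to narrow each other, this is the case to confirm against the intended exception semantics before the expectations are changed wholesale. A short comment on this test stating the intended semantics, e.g. `// entries within one item are OR'd: any single matching entry excepts the event`, would make the expectation self-explaining. The same shape recurs in the @@ -467 hunk, and the `it(...)` wrapper starts outside the hunk.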
@@ -448,7 +448,7 @@ describe('build_exceptions_query', () => {
 exclude,
 });
 const expectedQuery =
- 'NOT (b:("value-1" OR "value-2") AND parent:{ nestedField:"value-3" } AND NOT _exists_e)';
+ 'NOT (b:("value-1" OR "value-2") OR parent:{ nestedField:"value-3" } OR NOT _exists_e)';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -467,7 +467,7 @@ describe('build_exceptions_query', () => {
 lists: payload,
 exclude,
 });
- const expectedQuery = 'b:("value-1" or "value-2") and not c:"value-3"';
+ const expectedQuery = 'b:("value-1" or "value-2") or not c:"value-3"';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -488,7 +488,7 @@ describe('build_exceptions_query', () => {
 lists,
 exclude,
 });
- const expectedQuery = 'b:("value-1" or "value-2") and parent:{ nestedField:"value-3" }';
+ const expectedQuery = 'b:("value-1" or "value-2") or parent:{ nestedField:"value-3" }';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -511,7 +511,7 @@ describe('build_exceptions_query', () => {
 exclude,
 });
 const expectedQuery =
- 'b:("value-1" or "value-2") and parent:{ nestedField:"value-3" } and d:*';
+ 'b:("value-1" or "value-2") or parent:{ nestedField:"value-3" } or d:*';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -533,7 +533,7 @@ describe('build_exceptions_query', () => {
 exclude,
 });
 const expectedQuery =
- 'b:("value-1" OR "value-2") AND parent:{ nestedField:"value-3" } AND NOT _exists_e';
+ 'b:("value-1" OR "value-2") OR parent:{ nestedField:"value-3" } OR NOT _exists_e';
 expect(query).toEqual(expectedQuery);
 });
 });
@@ -577,7 +577,7 @@ describe('build_exceptions_query', () => {
 lists,
 exclude,
 });
- const expectedQuery = 'not (not b:* and parent:{ c:"value-1" })';
+ const expectedQuery = 'not (not b:* or parent:{ c:"value-1" })';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -600,7 +600,7 @@ describe('build_exceptions_query', () => {
 lists,
 exclude,
 });
- const expectedQuery = 'not (b:* and parent:{ c:"value-1" and d:"value-2" } and e:*)';
+ const expectedQuery = 'not (b:* or parent:{ c:"value-1" and d:"value-2" } or e:*)';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -647,7 +647,7 @@ describe('build_exceptions_query', () => {
 lists,
 exclude,
 });
- const expectedQuery = 'not (not b:"value" and parent:{ c:"valueC" })';
+ const expectedQuery = 'not (not b:"value" or parent:{ c:"valueC" })';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -671,7 +671,7 @@ describe('build_exceptions_query', () => {
 exclude,
 });
 const expectedQuery =
- 'not (b:"value" and parent:{ c:"valueC" and d:"valueD" } and e:"valueE")';
+ 'not (b:"value" or parent:{ c:"valueC" and d:"valueD" } or e:"valueE")';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -716,7 +716,7 @@ describe('build_exceptions_query', () => {
 lists,
 exclude,
 });
- const expectedQuery = 'not (not b:("value-1" or "value-2") and parent:{ c:"valueC" })';
+ const expectedQuery = 'not (not b:("value-1" or "value-2") or parent:{ c:"valueC" })';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -731,7 +731,7 @@ describe('build_exceptions_query', () => {
 lists,
 exclude,
 });
- const expectedQuery = 'not (b:("value-1" or "value-2") and c:("value-1" or "value-2"))';
+ const expectedQuery = 'not (b:("value-1" or "value-2") or c:("value-1" or "value-2"))';
 expect(query).toEqual(expectedQuery);
 });
 
@@ -788,7 +788,7 @@ describe('build_exceptions_query', () => {
 lists: [payload, payload2],
 });
 const expectedQuery =
- 'not (some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value")';
+ 'not (some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value")';
 expect(query).toEqual([{ query: expectedQuery, language: 'kuery' }]);
 });
 
@@ -813,9 +813,9 @@ describe('build_exceptions_query', () => {
 lists: [payload, payload2],
 });
 const expectedQuery =
- 'not (some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value")';
+ 'not (some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value")';
 const expectedQuery2 =
- 'not (b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2"))';
+ 'not (b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2"))';
 expect(query).toEqual([
 { query: expectedQuery, language: 'kuery' },
@@ -843,9 +843,9 @@ describe('build_exceptions_query', () => {
 lists: [payload, payload2],
 });
 const expectedQuery =
- 'not (some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value")';
+ 'not (some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value")';
 const expectedQuery2 =
- 'not (b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2"))';
+ 'not (b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2"))';
 expect(query).toEqual([
 { language: 'kuery', query: expectedQuery },
@@ -911,9 +911,9 @@ describe('build_exceptions_query', () => {
 exclude,
 });
 const expectedQuery =
- 'some.parentField:{ nested.field:"some value" } and some.not.nested.field:"some value"';
+ 'some.parentField:{ nested.field:"some value" } or some.not.nested.field:"some value"';
 const expectedQuery2 =
- 'b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2")';
+ 'b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2")';
 expect(query).toEqual([
 { query: expectedQuery, language: 'kuery' },
@@ -944,7 +944,7 @@ describe('build_exceptions_query', () => {
 });
 const expectedQuery = 'b:("value-1" OR "value-2")';
 const expectedQuery2 =
- 'b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and e:("value-1" or "value-2")';
+ 'b:("value-1" or "value-2") or parent:{ c:"valueC" and d:"valueD" } or e:("value-1" or "value-2")';
 expect(query).toEqual([
 { language: 'lucene', query: expectedQuery },
diff --git a/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.ts b/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.ts
index 981652729f652b2..fa3b30e08faba66 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.ts
@@ -155,7 +155,7 @@ export const buildExceptionItemEntries = ({
 language: Language;
 exclude: boolean;
 }): string => {
- const and = getLanguageBooleanOperator({ language, value: 'and' });
+ const or = getLanguageBooleanOperator({ language, value: 'or' });
 const not = getLanguageBooleanOperator({ language, value: 'not' });
 const exceptionItem = lists
 .filter(({ type }) => type !== 'list')
@@ -163,8 +163,8 @@ export const buildExceptionItemEntries = ({
 const exceptionSegment = evaluateValues({ item: listItem, language });
 return [...accum, exceptionSegment];
 }, []);
- const exceptionQuery = exceptionItem.join(` ${and} `);
- return !exclude ? `${exceptionQuery}` : `${not} (${exceptionItem.join(` ${and} `)})`;
+ const exceptionQuery = exceptionItem.join(` ${or} `);
+ return !exclude ? `${exceptionQuery}` : `${not} (${exceptionQuery})`;
 };
 
 export const buildQueryExceptions = ({
diff --git a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts
index a8eb4e7bbb15bba..657f759dec057d2 100644
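Review bot: Switching the join operator from `and` to `or` (declared here, applied in the @@ -163 hunk's `exceptionItem.join`) means one matching entry is now enough for an item to except an event, so each exception item reaches further than it did before; neither the commit message nor the function states which semantics is intended, so a reader of this code cannot tell whether the widening is deliberate. A JSDoc line on the function would settle it, e.g. `/** Builds the query fragment for one exception item: entries are joined with OR, so an event matching any single entry is excepted; with exclude=true the whole fragment is negated. */`. The function's signature begins outside the hunk.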
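Review bot: When every entry has been filtered out (all entries of `type === 'list'`), `exceptionItem` is empty, `exceptionQuery` is `''`, and the `exclude` branch of the new `return` line yields `${not} ()`, which is not a valid clause in either query language, while the non-exclude branch hands back an empty string the caller may join blindly; a guard before the join, `if (exceptionItem.length === 0) return '';`, keeps a dangling `not ()` out of the emitted query (how the caller treats `''` is outside this hunk and worth checking). The non-exclude branch also wraps `exceptionQuery` in a template literal for no effect; returning `exceptionQuery` directly and testing `exclude` rather than `!exclude` reads more plainly. The function starts outside the hunk.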
--- a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.test.ts
@@ -367,7 +367,8 @@ describe('get_filter', () => {
 bool: {
 must_not: {
 bool: {
- filter: [
+ minimum_should_match: 1,
+ should: [
 {
 nested: {
 path: 'some.parentField',
@@ -455,7 +456,8 @@ describe('get_filter', () => {
 { bool: { minimum_should_match: 1, should: [{ match: { 'host.name': 'linux' } }] } },
 {
 bool: {
- filter: [
+ minimum_should_match: 1,
+ should: [
 {
 nested: {
 path: 'some.parentField',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
index 779d54070fd211a..fa1635324e0f262 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
@@ -9,7 +9,6 @@ import sinon from 'sinon';
 import { alertsMock, AlertServicesMock } from '../../../../../alerts/server/mocks';
 import { listMock } from '../../../../../lists/server/mocks';
-import { EntriesArray } from '../../../../common/shared_imports';
 import { buildRuleMessageFactory } from './rule_messages';
 import { ExceptionListClient } from '../../../../../lists/server';
 import { getListArrayMock } from '../../../../common/detection_engine/schemas/types/lists.mock';