[Security Solution][Case][Bug] Only update alert status in its specific index #92530
Conversation
jonathan-buttner
added
v8.0.0
release_note:skip
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
@elasticmachine merge upstream |
| ids: ['alert-id-1'], | ||
| status: CaseStatuses.closed, | ||
| indices: new Set<string>(['.siem-signals']), | ||
| alerts: [{ id: 'alert-id-1', index: '.siem-signals', status: CaseStatuses.closed }], |
There was a problem hiding this comment.
So each alert will only have one index? Just curious if index should still be a Set()
| // create an array of requests that indicate the id, index, and status to update an alert | ||
| const alertsToUpdate = totalAlerts.saved_objects.reduce( | ||
| (acc: UpdateAlertRequest[], alertComment) => { | ||
| if (isCommentRequestTypeAlertOrGenAlert(alertComment.attributes)) { |
There was a problem hiding this comment.
Not necessary for this PR, but just thinking it may be better to have functions that only care about one status, i.e. isCommentRequestType(attributes) || isGenAlert(attributes). I just imagine other forms of alerts in the near or far future appearing and this becoming more unwieldy.
| @@ -219,8 +219,8 @@ export class CaseClientHandler implements CaseClient { | |||
| } catch (error) { | |||
| throw createCaseError({ | |||
| message: `Failed to get alerts using client ids: ${JSON.stringify( | |||
| args.ids | |||
| )} \nindices: ${JSON.stringify([...args.indices])}: ${error}`, | |||
| args.alertsInfo | |||
There was a problem hiding this comment.
is it (saw your client/types file). Also, forgot to change the "ids" to "alerts" right before the stringify in this changealerts or alertsInfo...Looking at your other change in this file on line 172 (should they be the same or different?)
There was a problem hiding this comment.
Oh thank you. Yeah alertsInfo vs alerts is kind of confusing. They're slightly different structures but I didn't know how to name them haha. Any ideas?
| * id existing in an index at each position in the array. This is not ideal. Ideally an alert comment request would | ||
| * accept an array of objects like this: Array<{id: string; index: string; ruleName: string ruleID: string}> instead. | ||
| * | ||
| * To reformat the alert comment request requires a migration and a breaking API change. |
There was a problem hiding this comment.
Can you create an issue for this when you have time, so we can discuss it there? It sounds like it's worth making the change for more stability. And the changed API seems much easier to potentially work with
There was a problem hiding this comment.
Yeah good idea. I'll create the issue 👍
There was a problem hiding this comment.
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
…ic index (elastic#92530) * Writing failing test for duplicate ids * Test is correctly failing prior to bug fix * Working jest tests * Adding more jest tests * Fixing jest tests * Adding await and gzip * Fixing type errors * Updating log message Co-authored-by: Kibana Machine <[email protected]>
…ic index (elastic#92530) * Writing failing test for duplicate ids * Test is correctly failing prior to bug fix * Working jest tests * Adding more jest tests * Fixing jest tests * Adding await and gzip * Fixing type errors * Updating log message Co-authored-by: Kibana Machine <[email protected]>
…ic index (#92530) (#93484) * Writing failing test for duplicate ids * Test is correctly failing prior to bug fix * Working jest tests * Adding more jest tests * Fixing jest tests * Adding await and gzip * Fixing type errors * Updating log message Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
…ic index (#92530) (#93509) * Writing failing test for duplicate ids * Test is correctly failing prior to bug fix * Working jest tests * Adding more jest tests * Fixing jest tests * Adding await and gzip * Fixing type errors * Updating log message Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
ghost
mentioned this pull request
This PR fixes a bug where updating the status of an alert could change multiple alerts if they have the same
_idin separate indices. To fix this we'll update and retrieve alerts using the Elasticsearch bulk and mget APIs. The alert information is currently stored in two arrays (alertIds and index) within the saved object. Before we interact with the Elasticsearch APIs we'll transform them into an array of objects so we tie each alert ID to a specific index. This avoids accidentally updating an alert with a specific_idacross multiple indices at the same time.Issue: #91936