/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type {
Logger,
SavedObjectsCreatePointInTimeFinderOptions,
SavedObjectsClientContract,
SavedObjectsFindResult,
} from 'kibana/server';
import {
SIGNALS_ID,
EQL_RULE_TYPE_ID,
INDICATOR_RULE_TYPE_ID,
ML_RULE_TYPE_ID,
QUERY_RULE_TYPE_ID,
THRESHOLD_RULE_TYPE_ID,
SAVED_QUERY_RULE_TYPE_ID,
} from '@kbn/securitysolution-rules';
import type { RuleSearchResult } from '../types';
/**
 * Inputs for {@link getDetectionRules}.
 */
export interface GetDetectionRulesOptions {
  /** Upper bound on the number of rules returned; results beyond it are dropped. */
  maxSize: number;
  /** Page size handed to the point-in-time (PIT) finder. */
  maxPerPage: number;
  /** Receives debug output, including the serialized PIT query. */
  logger: Logger;
  /** Client used to create (and later close) the point-in-time finder. */
  savedObjectsClient: SavedObjectsClientContract;
}
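/**
 * Collects detection rule saved objects across every Kibana space, capped at
 * `maxSize` results, using a point-in-time (PIT) finder so that paging stays
 * consistent while rules are being created or deleted.
 *
 * The KQL filter is assembled only from the rule type id constants imported at
 * the top of this file, never from caller-supplied strings, so no escaping of
 * the filter value is required.
 *
 * @param maxSize - Hard upper bound on the number of rules returned.
 * @param maxPerPage - Page size for each PIT search.
 * @param logger - Logger used for debug output (the query and the result size).
 * @param savedObjectsClient - Client used to open and close the PIT finder.
 * @returns The rule saved objects found, at most `maxSize` of them.
 */
export const getDetectionRules = async ({
  maxSize,
  maxPerPage,
  logger,
  savedObjectsClient,
}: GetDetectionRulesOptions): Promise<Array<SavedObjectsFindResult<RuleSearchResult>>> => {
  const filterAttribute = 'alert.attributes.alertTypeId';
  const ruleTypeIds = [
    SIGNALS_ID,
    EQL_RULE_TYPE_ID,
    ML_RULE_TYPE_ID,
    QUERY_RULE_TYPE_ID,
    SAVED_QUERY_RULE_TYPE_ID,
    THRESHOLD_RULE_TYPE_ID,
    INDICATOR_RULE_TYPE_ID,
  ];
  const filter = ruleTypeIds.map((id) => `${filterAttribute}: ${id}`).join(' OR ');
  const query: SavedObjectsCreatePointInTimeFinderOptions = {
    type: 'alert',
    perPage: maxPerPage,
    // '*' deliberately spans every space: this is a cross-space inventory of rules.
    namespaces: ['*'],
    filter,
  };
  // Fixed: the original message had a stray `',` after "query:".
  logger.debug(`Getting detection rules with point in time (PIT) query: ${JSON.stringify(query)}`);

  const finder = savedObjectsClient.createPointInTimeFinder<RuleSearchResult>(query);
  const responses: Array<SavedObjectsFindResult<RuleSearchResult>> = [];
  try {
    for await (const response of finder.find()) {
      const remaining = maxSize - responses.length;
      if (remaining <= 0) {
        // Cap already reached: stop paging instead of fetching pages we would discard.
        break;
      }
      // Append in place rather than re-spreading the accumulator on every page (O(n^2)).
      for (const savedObject of response.saved_objects.slice(0, remaining)) {
        responses.push(savedObject);
      }
    }
  } finally {
    try {
      // Always release the PIT, even when paging threw, so the server-side
      // context is not leaked. Awaiting also covers a rejected promise from
      // close(), which a synchronous try/catch alone would not catch.
      await finder.close();
    } catch (exception) {
      // Pre-caution in case the finder throws on close; seen within e2e test
      // containers but not under normal operational conditions, so we do not
      // let it blow up the response.
    }
  }
  // Fixed: the original log said "cases" although this function returns detection rules.
  logger.debug(`Returning detection rules response of length: "${responses.length}"`);
  return responses;
};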