-
Notifications
You must be signed in to change notification settings - Fork 8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Better threshold rule error checking #131088
Conversation
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
@elasticmachine merge upstream |
@@ -96,29 +96,39 @@ export const validateTimelineTitle = (rule: AddPrepackagedRulesSchema): string[] | |||
}; | |||
|
|||
export const validateThreshold = (rule: AddPrepackagedRulesSchema): string[] => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just curious, if there is a way to extract validateThreshold
check in a separate function which we could reuse in all five cases (add, create, import, patch and update)? They look same to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@e40pud Yes, that is probably a good idea!
@@ -96,29 +96,39 @@ export const validateTimelineTitle = (rule: AddPrepackagedRulesSchema): string[] | |||
}; | |||
|
|||
export const validateThreshold = (rule: AddPrepackagedRulesSchema): string[] => { | |||
const errors: string[] = []; | |||
if (isThresholdRule(rule.type)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see that we use both isThresholdRule(rule.type)
and rule.type === 'threshold'
. Are those different?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@e40pud Yeah, those could use some refactoring. They're essentially equivalent for now, but their usages have been inconsistent.
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
Summary
Threshold rule configuration allows the selection of a cardinality constraint for any field. But when the cardinality field is also a field that we're aggregating on, the cardinality is guaranteed to be 1 for each bucket. This adds 2 unnecessary aggregations to the query in this case (essentially no-ops) which negatively impact performance with no benefit.
This PR adds a check to ensure the above situation never happens. It also adds some additional server-side validation for cases that we were previously only checking in the UI.
Fixes #113587
Checklist
Delete any items that are not applicable to this PR.
Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.
When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:
For maintainers