Skip to content

Commit

Permalink
[Security Solution] Fix Coverage Overview API activity filter (#163785)
Browse files Browse the repository at this point in the history 
**Relates to:** #158246

## Summary

If activity filter contains both allowed values `enabled` and `disabled` simultaneously Coverage Overview endpoint returns the response filtered by the first value only.

This PR fixes wrong behavior os if `enabled` and `disabled` values are set simultaneously the response contains combined results for both `enabled` and `disabled` activity filter values.

For example a request like below

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"activity": ["enabled","disabled"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

would produce the same response as the following request

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
  • Loading branch information
@maximpn @bryce-b
maximpn authored and bryce-b committed Aug 22, 2023
1 parent a625206 commit 629a796
Show file tree
Hide file tree
Showing 2 changed files with 53 additions and 5 deletions.
13 changes: 8 additions & 5 deletions ...on_engine/rule_management/api/rules/coverage_overview/handle_coverage_overview_request.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,19 @@ export async function handleCoverageOverviewRequest({
params: { filter },
deps: { rulesClient },
}: HandleCoverageOverviewRequestArgs): Promise<CoverageOverviewResponse> {
const activitySet = new Set(filter?.activity);
const kqlFilter = filter
? convertRulesFilterToKQL({
filter: filter.search_term,
showCustomRules: filter.source?.includes(CoverageOverviewRuleSource.Custom) ?? false,
showElasticRules: filter.source?.includes(CoverageOverviewRuleSource.Prebuilt) ?? false,
enabled: filter.activity?.includes(CoverageOverviewRuleActivity.Disabled)
? false
: filter.activity?.includes(CoverageOverviewRuleActivity.Enabled)
? true
: undefined,
enabled:
(activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
activitySet.has(CoverageOverviewRuleActivity.Disabled)) ||
(!activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
!activitySet.has(CoverageOverviewRuleActivity.Disabled))
? undefined
: activitySet.has(CoverageOverviewRuleActivity.Enabled),
})
: undefined;

Expand Down
45 changes: 45 additions & 0 deletions x-pack/test/detection_engine_api_integration/basic/tests/coverage_overview.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -341,6 +341,51 @@ export default ({ getService }: FtrProviderContext): void => {
},
});
});

it('returns response filtered by enabled and disabled rules equal to response if enabled and disabled are not set', async () => {
const expectedRule1 = await createRule(supertest, log, {
...getSimpleRule('rule-1'),
name: 'Disabled rule',
threat: generateThreatArray(1),
});
const expectedRule2 = await createRule(supertest, log, {
...getSimpleRule('rule-2', true),
name: 'Enabled rule',
threat: generateThreatArray(2),
});

const { body } = await supertest
.post(RULE_MANAGEMENT_COVERAGE_OVERVIEW_URL)
.set('kbn-xsrf', 'true')
.send({
filter: {
activity: ['enabled', 'disabled'],
},
})
.expect(200);

expect(body).to.eql({
coverage: {
T001: [expectedRule1.id],
TA001: [expectedRule1.id],
'T001.001': [expectedRule1.id],
T002: [expectedRule2.id],
TA002: [expectedRule2.id],
'T002.002': [expectedRule2.id],
},
unmapped_rule_ids: [],
rules_data: {
[expectedRule1.id]: {
activity: 'disabled',
name: 'Disabled rule',
},
[expectedRule2.id]: {
activity: 'enabled',
name: 'Enabled rule',
},
},
});
});
});

describe('source', () => {
Expand Down

0 comments on commit 629a796

Please sign in to comment.