wip

Author: dhurley14

x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts

@@ -31,7 +31,7 @@ export const filterEventsAgainstList = async ({
   buildRuleMessage,
 }: FilterEventsAgainstList): Promise<SignalSearchResponse> => {
   try {
-    logger.debug(buildRuleMessage(`exceptionsList: ${JSON.stringify(exceptionsList, null, 2)}`));
+    // logger.debug(buildRuleMessage(`exceptionsList: ${JSON.stringify(exceptionsList, null, 2)}`));
     if (exceptionsList == null || exceptionsList.length === 0) {
       logger.debug(buildRuleMessage('about to return original search result'));
       return eventSearchResult;

x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts

@@ -166,7 +166,6 @@ export const searchAfterAndBulkCreate = async ({
                 searchResult.hits.hits[searchResult.hits.hits.length - 1]?._source['@timestamp']
               )
             : null;
-        searchResultSize += searchResult.hits.hits.length;
 
         // filter out the search results that match with the values found in the list.
         // the resulting set are valid signals that are not on the allowlist.
@@ -180,12 +179,24 @@ export const searchAfterAndBulkCreate = async ({
                 buildRuleMessage,
               })
             : searchResult;
+        // searchResultSize += filteredEvents.hits.hits.length;
         if (filteredEvents.hits.total === 0 || filteredEvents.hits.hits.length === 0) {
           // everything in the events were allowed, so no need to generate signals
           toReturn.success = true;
           break;
         }
 
+        // make sure we are not going to create more signals than maxSignals allows
+        if (
+          searchResultSize != null &&
+          searchResultSize + filteredEvents.hits.hits.length > tuple.maxSignals
+        ) {
+          filteredEvents.hits.hits = filteredEvents.hits.hits.slice(
+            0,
+            tuple.maxSignals - searchResultSize
+          );
+        }
+
         const {
           bulkCreateDuration: bulkDuration,
           createdItemsCount: createdCount,
@@ -207,9 +218,11 @@ export const searchAfterAndBulkCreate = async ({
           refresh,
           tags,
           throttle,
+          searchResultSize,
         });
         logger.debug(buildRuleMessage(`created ${createdCount} signals`));
         toReturn.createdSignalsCount += createdCount;
+        searchResultSize += createdCount;
         if (bulkDuration) {
           toReturn.bulkCreateTimes.push(bulkDuration);
         }
@@ -230,6 +243,11 @@ export const searchAfterAndBulkCreate = async ({
             ? filteredEvents.hits.hits[0].sort[0]
             : undefined;
         }
+        logger.debug(
+          `is searchResultSize (${searchResultSize}) > maxSignals (${tuple.maxSignals})?: ${
+            searchResultSize > tuple.maxSignals
+          }`
+        );
       } catch (exc) {
         logger.error(buildRuleMessage(`[-] search_after and bulk threw an error ${exc}`));
         toReturn.success = false;