Revert "Remove saved_query logic for getFilters"

This reverts commit 567afc3.

Author: nkhristinin

x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/query.ts

@@ -66,6 +66,8 @@ export const queryExecutor = async ({
     filters: ruleParams.filters,
     language: ruleParams.language,
     query: ruleParams.query,
+    savedId: ruleParams.savedId,
+    services,
     index: inputIndex,
     lists: exceptionItems,
   });

x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts

@@ -103,6 +103,8 @@ export const thresholdExecutor = async ({
     filters: ruleParams.filters ? ruleParams.filters.concat(bucketFilters) : bucketFilters,
     language: ruleParams.language,
     query: ruleParams.query,
+    savedId: ruleParams.savedId,
+    services,
     index: inputIndex,
     lists: exceptionItems,
   });

x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.test.ts

@@ -41,6 +41,8 @@ describe('get_filter', () => {
         filters: undefined,
         language: 'kuery',
         query: 'host.name: siem',
+        savedId: undefined,
+        services: servicesMock,
         index: ['auditbeat-*'],
         lists: [],
       });
@@ -74,6 +76,8 @@ describe('get_filter', () => {
           filters: undefined,
           language: undefined,
           query: 'host.name: siem',
+          savedId: undefined,
+          services: servicesMock,
           index: ['auditbeat-*'],
           lists: [],
         })
@@ -87,6 +91,8 @@ describe('get_filter', () => {
           filters: undefined,
           language: 'kuery',
           query: undefined,
+          savedId: undefined,
+          services: servicesMock,
           index: ['auditbeat-*'],
           lists: [],
         })
@@ -100,19 +106,76 @@ describe('get_filter', () => {
           filters: undefined,
           language: 'kuery',
           query: 'host.name: siem',
+          savedId: undefined,
+          services: servicesMock,
           index: undefined,
           lists: [],
         })
       ).rejects.toThrow('query, filters, and index parameter should be defined');
     });
 
+    test('returns a saved query if given a type of query', async () => {
+      const filter = await getFilter({
+        type: 'saved_query',
+        filters: undefined,
+        language: undefined,
+        query: undefined,
+        savedId: 'some-id',
+        services: servicesMock,
+        index: ['auditbeat-*'],
+        lists: [],
+      });
+      expect(filter).toEqual({
+        bool: {
+          filter: [
+            { bool: { minimum_should_match: 1, should: [{ match: { 'host.name': 'linux' } }] } },
+          ],
+          must: [],
+          must_not: [],
+          should: [],
+        },
+      });
+    });
+
+    test('throws on saved query if saved_id is undefined', async () => {
+      await expect(
+        getFilter({
+          type: 'saved_query',
+          filters: undefined,
+          language: undefined,
+          query: undefined,
+          savedId: undefined,
+          services: servicesMock,
+          index: ['auditbeat-*'],
+          lists: [],
+        })
+      ).rejects.toThrow('savedId parameter should be defined');
+    });
+
+    test('throws on saved query if index is undefined', async () => {
+      await expect(
+        getFilter({
+          type: 'saved_query',
+          filters: undefined,
+          language: undefined,
+          query: undefined,
+          savedId: 'some-id',
+          services: servicesMock,
+          index: undefined,
+          lists: [],
+        })
+      ).rejects.toThrow('savedId parameter should be defined');
+    });
+
     test('throws on machine learning query', async () => {
       await expect(
         getFilter({
           type: 'machine_learning',
           filters: undefined,
           language: undefined,
           query: undefined,
+          savedId: 'some-id',
+          services: servicesMock,
           index: undefined,
           lists: [],
         })
@@ -125,6 +188,8 @@ describe('get_filter', () => {
         filters: undefined,
         language: 'kuery',
         query: 'host.name: siem',
+        savedId: undefined,
+        services: servicesMock,
         index: ['auditbeat-*'],
         lists: [getExceptionListItemSchemaMock()],
       });

x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts

@@ -12,23 +12,43 @@ import { assertUnreachable } from '../../../../common/utility_types';
 import { getQueryFilter } from '../../../../common/detection_engine/get_query_filter';
 import {
   QueryOrUndefined,
+  SavedIdOrUndefined,
   IndexOrUndefined,
 } from '../../../../common/detection_engine/schemas/common/schemas';
+import {
+  AlertInstanceContext,
+  AlertInstanceState,
+  AlertServices,
+} from '../../../../../alerting/server';
+import { PartialFilter } from '../types';
 import { QueryFilter } from './types';
 
 interface GetFilterArgs {
   type: Type;
   filters: unknown | undefined;
   language: LanguageOrUndefined;
   query: QueryOrUndefined;
+  savedId: SavedIdOrUndefined;
+  services: AlertServices<AlertInstanceState, AlertInstanceContext, 'default'>;
   index: IndexOrUndefined;
   lists: ExceptionListItemSchema[];
 }
 
+interface QueryAttributes {
+  // NOTE: doesn't match Query interface
+  query: {
+    query: string;
+    language: Language;
+  };
+  filters: PartialFilter[];
+}
+
 export const getFilter = async ({
   filters,
   index,
   language,
+  savedId,
+  services,
   type,
   query,
   lists,
@@ -41,13 +61,48 @@ export const getFilter = async ({
     }
   };
 
+  const savedQueryFilter = async () => {
+    if (savedId != null && index != null) {
+      try {
+        // try to get the saved object first
+        const savedObject = await services.savedObjectsClient.get<QueryAttributes>(
+          'query',
+          savedId
+        );
+        return getQueryFilter(
+          savedObject.attributes.query.query,
+          savedObject.attributes.query.language,
+          savedObject.attributes.filters,
+          index,
+          lists
+        );
+      } catch (err) {
+        // saved object does not exist, so try and fall back if the user pushed
+        // any additional language, query, filters, etc...
+        if (query != null && language != null && index != null) {
+          return getQueryFilter(query, language, filters || [], index, lists);
+        } else {
+          // user did not give any additional fall back mechanism for generating a rule
+          // rethrow error for activity monitoring
+          throw err;
+        }
+      }
+    } else {
+      throw new BadRequestError('savedId parameter should be defined');
+    }
+  };
+
   switch (type) {
     case 'threat_match':
-    case 'threshold':
-    case 'query':
-    case 'saved_query': {
+    case 'threshold': {
+      return savedId != null ? savedQueryFilter() : queryFilter();
+    }
+    case 'query': {
       return queryFilter();
     }
+    case 'saved_query': {
+      return savedQueryFilter();
+    }
     case 'machine_learning': {
       throw new BadRequestError(
         'Unsupported Rule of type "machine_learning" supplied to getFilter'

x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/create_threat_signal.ts

@@ -58,6 +58,8 @@ export const createThreatSignal = async ({
       filters: [...filters, threatFilter],
       language,
       query,
+      savedId,
+      services,
       index: inputIndex,
       lists: exceptionItems,
     });