
Commit 8dd7631

authored
[7.9] [Security Solution] [Detections] Revert "[Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists (#71768)" (#71956) (#71984)
This reverts commit 56de45d.
1 parent 7697566 commit 8dd7631


2 files changed

+5
-12
lines changed


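--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts
@@ -31,6 +31,7 @@ export const filterEventsAgainstList = async ({
 buildRuleMessage,
 }: FilterEventsAgainstList): Promise<SignalSearchResponse> => {
 try {
+logger.debug(buildRuleMessage(`exceptionsList: ${JSON.stringify(exceptionsList, null, 2)}`));
 if (exceptionsList == null || exceptionsList.length === 0) {
 logger.debug(buildRuleMessage('about to return original search result'));
 return eventSearchResult;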
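Review bot: The reinstated debug line at new line 34 serializes the entire `exceptionsList` with `JSON.stringify(..., null, 2)` on every call; the template string is evaluated eagerly, so the full serialization cost is paid even when debug output is disabled, and every value held in the exception items is written verbatim into the log. Logging only the size keeps the diagnostic while avoiding both, e.g. `logger.debug(buildRuleMessage(`exceptionsList: ${exceptionsList?.length ?? 0} item(s)`));`, with the full dump behind a debug-enabled check if the logger exposes one. Whether exception items carry values that should stay out of logs cannot be told from this hunk. The body of `filterEventsAgainstList` continues outside the hunk.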

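--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
@@ -91,7 +91,7 @@ export const searchAfterAndBulkCreate = async ({
 };
 
 let sortId; // tells us where to start our next search_after query
-let signalsCreatedCount = 0;
+let searchResultSize = 0;
 
 /*
 The purpose of `maxResults` is to ensure we do not perform
@@ -127,8 +127,8 @@ export const searchAfterAndBulkCreate = async ({
 toReturn.success = false;
 return toReturn;
 }
-signalsCreatedCount = 0;
-while (signalsCreatedCount < tuple.maxSignals) {
+searchResultSize = 0;
+while (searchResultSize < tuple.maxSignals) {
 try {
 logger.debug(buildRuleMessage(`sortIds: ${sortId}`));
 const {
@@ -167,6 +167,7 @@ export const searchAfterAndBulkCreate = async ({
 searchResult.hits.hits[searchResult.hits.hits.length - 1]?._source['@timestamp']
 )
 : null;
+searchResultSize += searchResult.hits.hits.length;
 
 // filter out the search results that match with the values found in the list.
 // the resulting set are valid signals that are not on the allowlist.
@@ -186,14 +187,6 @@ export const searchAfterAndBulkCreate = async ({
 break;
 }
 
-// make sure we are not going to create more signals than maxSignals allows
-if (signalsCreatedCount + filteredEvents.hits.hits.length > tuple.maxSignals) {
-filteredEvents.hits.hits = filteredEvents.hits.hits.slice(
-0,
-tuple.maxSignals - signalsCreatedCount
-);
-}
-
 const {
 bulkCreateDuration: bulkDuration,
 createdItemsCount: createdCount,
@@ -218,7 +211,6 @@ export const searchAfterAndBulkCreate = async ({
 });
 logger.debug(buildRuleMessage(`created ${createdCount} signals`));
 toReturn.createdSignalsCount += createdCount;
-signalsCreatedCount += createdCount;
 if (bulkDuration) {
 toReturn.bulkCreateTimes.push(bulkDuration);
 }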
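Review bot: With the per-page cap at old lines 189-196 removed and the loop now bounded by `searchResultSize` (new lines 131 and 170), nothing visible in this section limits `toReturn.createdSignalsCount` to `tuple.maxSignals`: the loop condition is only checked between pages, so a page fetched while `searchResultSize < tuple.maxSignals` is bulk-created in full. In the other direction, `searchResultSize` counts hits before the list filter runs, so the loop can exit having created fewer than `tuple.maxSignals` signals when many hits are filtered out — the behaviour #71768 had addressed. If this is the intended interim state of the revert, a comment at new line 94 such as `// counts hits fetched per page, not signals created; see the revert of #71768` would save the next reader from re-deriving it. The enclosing `while` loop and `searchAfterAndBulkCreate` itself start and end outside these hunks, so a cap may be enforced elsewhere.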
