update tests

Author: michaelolo24

x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts

@@ -160,6 +160,20 @@ describe('reason_formatter', () => {
         );
       });
     });
+    describe('when rule and mergedDoc are provided without any fields of interest', () => {
+      it('should return the full reason message', () => {
+        const updatedMergedDoc = {
+          fields: {
+            'event.category': ['test'],
+            'user.name': ['test-user'],
+            '@timestamp': '2021-08-11T02:28:59.101Z',
+          },
+        };
+        expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+          `"test event by test-user created medium alert my-rule."`
+        );
+      });
+    });
     describe('when only rule is provided', () => {
       it('should return the reason message without host name or user name', () => {
         expect(buildReasonMessageUtil({ rule })).toMatchInlineSnapshot(`""`);

x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts

@@ -56,15 +56,19 @@ export const buildReasonMessageUtil = ({ rule, mergedDoc }: BuildReasonMessageUt
 
   const fieldPresenceTracker = { hasFieldOfInterest: false };
 
-  const getFieldTemplateValue = (field: string | string[] | undefined | null): string => {
-    if (!field || !field.length || (field.length === 1 && field[0] === '-')) return 'null';
-    if (!fieldPresenceTracker.hasFieldOfInterest) fieldPresenceTracker.hasFieldOfInterest = true;
+  const getFieldTemplateValue = (
+    field: string | string[] | undefined | null,
+    isFieldOfInterest?: boolean
+  ): string | null => {
+    if (!field || !field.length || (field.length === 1 && field[0] === '-')) return null;
+    if (isFieldOfInterest && !fieldPresenceTracker.hasFieldOfInterest)
+      fieldPresenceTracker.hasFieldOfInterest = true;
     return Array.isArray(field) ? field.join(', ') : field;
   };
 
   return i18n.translate('xpack.securitySolution.detectionEngine.signals.alertReasonDescription', {
     defaultMessage: `{eventCategory, select, null {} other {{eventCategory}{whitespace}}}event\
-{hasFieldOfInterest, select, null {} other {{whitespace}with}}\
+{hasFieldOfInterest, select, false {} other {{whitespace}with}}\
 {processName, select, null {} other {{whitespace}process {processName},} }\
 {processParentName, select, null {} other {{whitespace}parent process {processParentName},} }\
 {fileName, select, null {} other {{whitespace}file {fileName},} }\
@@ -76,15 +80,15 @@ created {alertSeverity} alert {alertName}.`,
     values: {
       alertName: rule.name,
       alertSeverity: rule.severity,
-      destinationAddress: getFieldTemplateValue(destinationAddress),
-      destinationPort: getFieldTemplateValue(destinationPort),
+      destinationAddress: getFieldTemplateValue(destinationAddress, true),
+      destinationPort: getFieldTemplateValue(destinationPort, true),
       eventCategory: getFieldTemplateValue(eventCategory),
-      fileName: getFieldTemplateValue(fileName),
+      fileName: getFieldTemplateValue(fileName, true),
       hostName: getFieldTemplateValue(hostName),
-      processName: getFieldTemplateValue(processName),
-      processParentName: getFieldTemplateValue(processParentName),
-      sourceAddress: getFieldTemplateValue(sourceAddress),
-      sourcePort: getFieldTemplateValue(sourcePort),
+      processName: getFieldTemplateValue(processName, true),
+      processParentName: getFieldTemplateValue(processParentName, true),
+      sourceAddress: getFieldTemplateValue(sourceAddress, true),
+      sourcePort: getFieldTemplateValue(sourcePort, true),
       userName: getFieldTemplateValue(userName),
       hasFieldOfInterest: fieldPresenceTracker.hasFieldOfInterest, // Tracking if we have any fields to show the 'with' word
       whitespace: ' ', // there isn't support for the unicode /u0020 for whitespace, and leading spaces are deleted, so to prevent double-whitespace explicitly passing the space in.