add retrieve results to security solution search strategy

elastic · Jan 21, 2025 · 1d9a361 · 1d9a361
1 parent fac6ed8
commit 1d9a361
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/...on/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts b/...on/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts
@@ -10,6 +10,7 @@ import {
   buildEventEnrichmentRawResponseMock,
 } from '../../../../../../common/search_strategy/security_solution/cti/index.mock';
 import { parseEventEnrichmentResponse } from './response';
+import type { IEsSearchResponse } from '@kbn/search-types';
 
 describe('parseEventEnrichmentResponse', () => {
   it('includes an accurate inspect response', async () => {
@@ -101,4 +102,16 @@ describe('parseEventEnrichmentResponse', () => {
       }),
     ]);
   });
+
+  it('returns an empty array when no hits', async () => {
+    const options = buildEventEnrichmentRequestOptionsMock();
+    const response = {
+      rawResponse: {
+        hits: {},
+      },
+    } as IEsSearchResponse;
+    const parsedResponse = await parseEventEnrichmentResponse(options, response);
+
+    expect(parsedResponse.enrichments).toEqual([]);
+  });
 });
diff --git a/...olution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.ts b/...olution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.ts
@@ -6,6 +6,8 @@
  */
 
 import type { IEsSearchResponse } from '@kbn/search-types';
+import { getOr } from 'lodash/fp';
+import type { SearchHit } from '@elastic/elasticsearch/lib/api/types';
 import type { EventEnrichmentRequestOptions } from '../../../../../../common/api/search_strategy';
 import { inspectStringifyObject } from '../../../../../utils/build_query';
 import { buildIndicatorEnrichments, getTotalCount } from './helpers';
@@ -19,7 +21,8 @@ export const parseEventEnrichmentResponse = async (
     dsl: [inspectStringifyObject(buildEventEnrichmentQuery(options))],
   };
   const totalCount = getTotalCount(response.rawResponse.hits.total);
-  const enrichments = buildIndicatorEnrichments(response.rawResponse.hits.hits);
+  const hits: SearchHit[] = getOr([], 'rawResponse.hits.hits', response);
+  const enrichments = buildIndicatorEnrichments(hits);
 
   return {
     ...response,

diff --git a/...ions/security/plugins/security_solution/server/search_strategy/security_solution/index.ts b/...ions/security/plugins/security_solution/server/search_strategy/security_solution/index.ts
@@ -29,6 +29,8 @@ export const securitySolutionSearchStrategyProvider = (
     search: (request, options, deps) => {
       const parsedRequest = searchStrategyRequestSchema.parse(request);
       const queryFactory = securitySolutionFactory[parsedRequest.factoryQueryType];
+      // NOTE: without this parameter, .hits.hits can be empty
+      options.retrieveResults = true;
       const dsl = queryFactory.buildDsl(parsedRequest);
 
       return es.search({ ...request, params: dsl }, options, deps).pipe(