From 1d9a36139c079f90be8d7257c34db29efe6b5efb Mon Sep 17 00:00:00 2001
From: Angela Chuang
Date: Tue, 21 Jan 2025 17:37:08 +0800
Subject: [PATCH] add retrieve results to security solution search strategy

---
 .../factory/cti/event_enrichment/response.test.ts | 13 +++++++++++++
 .../factory/cti/event_enrichment/response.ts | 5 ++++-
 .../search_strategy/security_solution/index.ts | 2 ++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts b/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts
index adddb12aa16e6..2591a48f22853 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts
@@ -10,6 +10,7 @@ import {
 buildEventEnrichmentRawResponseMock,
 } from '../../../../../../common/search_strategy/security_solution/cti/index.mock';
 import { parseEventEnrichmentResponse } from './response';
+import type { IEsSearchResponse } from '@kbn/search-types';
 describe('parseEventEnrichmentResponse', () => {
 it('includes an accurate inspect response', async () => {
@@ -101,4 +102,16 @@ describe('parseEventEnrichmentResponse', () => {
 }),
 ]);
 });
+
+ it('returns an empty array when no hits', async () => {
+ const options = buildEventEnrichmentRequestOptionsMock();
+ const response = {
+ rawResponse: {
+ hits: {},
+ },
+ } as IEsSearchResponse;
+ const parsedResponse = await parseEventEnrichmentResponse(options, response);
+
+ expect(parsedResponse.enrichments).toEqual([]);
+ });
 });
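Review bot: The new test in response.test.ts asserts only `enrichments`, so the rest of the empty-hits contract is unpinned: the fixture has no `hits.total`, and what `totalCount` comes back as depends on `getTotalCount`, which is not visible in this patch. Adding an assertion such as `expect(parsedResponse.totalCount).toEqual(0);` (with whatever value the helper is meant to return for a missing total) would fix that part of the contract. The `as IEsSearchResponse` cast is what lets the partial fixture compile, so a short comment like `// deliberately partial: mimics a response that carries no hits array` would tell the next reader the gaps are intentional.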
diff --git a/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.ts b/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.ts
index ebbff68d18cab..7be7694df8037 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.ts
@@ -6,6 +6,8 @@
 */
 import type { IEsSearchResponse } from '@kbn/search-types';
+import { getOr } from 'lodash/fp';
+import type { SearchHit } from '@elastic/elasticsearch/lib/api/types';
 import type { EventEnrichmentRequestOptions } from '../../../../../../common/api/search_strategy';
 import { inspectStringifyObject } from '../../../../../utils/build_query';
 import { buildIndicatorEnrichments, getTotalCount } from './helpers';
@@ -19,7 +21,8 @@ export const parseEventEnrichmentResponse = async (
 dsl: [inspectStringifyObject(buildEventEnrichmentQuery(options))],
 };
 const totalCount = getTotalCount(response.rawResponse.hits.total);
- const enrichments = buildIndicatorEnrichments(response.rawResponse.hits.hits);
+ const hits: SearchHit[] = getOr([], 'rawResponse.hits.hits', response);
+ const enrichments = buildIndicatorEnrichments(hits);
 return {
 ...response,
diff --git a/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/index.ts b/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/index.ts
index 00393e2e6187e..5c8c4444dd761 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/index.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/search_strategy/security_solution/index.ts
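Review bot: In the second hunk of response.ts the `getOr` guard covers only `hits.hits`; the unchanged line just above it, `getTotalCount(response.rawResponse.hits.total)`, still dereferences `rawResponse.hits` directly, so a response with no `hits` object throws before the new default is ever reached. `const hits = response.rawResponse.hits?.hits ?? [];` would keep the element type without the `SearchHit[]` annotation over a string-path lookup and would also default on `null`, which `getOr` passes through. Separately, the fallback makes "results were not returned" look identical to "no indicator matched" for whoever reads the enrichment list; a comment here saying `// empty when the search has not returned results yet; totalCount may still be non-zero` would at least record that. The function body continues outside the hunk, so how `totalCount` and `enrichments` are consumed together cannot be confirmed from here.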
@@ -29,6 +29,8 @@ export const securitySolutionSearchStrategyProvider = (
 search: (request, options, deps) => {
 const parsedRequest = searchStrategyRequestSchema.parse(request);
 const queryFactory = securitySolutionFactory[parsedRequest.factoryQueryType];
+ // NOTE: without this parameter, .hits.hits can be empty
+ options.retrieveResults = true;
 const dsl = queryFactory.buildDsl(parsedRequest);
 return es.search({ ...request, params: dsl }, options, deps).pipe(
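Review bot: `options.retrieveResults = true;` writes to the `options` object the caller passed in, so the flag stays set on that object after `search` returns, and it is applied unconditionally to every `factoryQueryType` rather than only to the query that needed it. Passing a copy avoids the side effect on the caller: `return es.search({ ...request, params: dsl }, { ...options, retrieveResults: true }, deps).pipe(`. The comment would also be more useful if it said when `.hits.hits` comes back empty (presumably while an async search is still being polled, which is worth confirming), so a later reader knows what removing the flag would break. The `search` body continues past the end of the hunk.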