From 6e80d9fe09e82c59853a18146dcc96b684bbd22c Mon Sep 17 00:00:00 2001
From: "Devin W. Hurley" <devin.hurley@elastic.co>
Date: Tue, 1 Dec 2020 10:15:51 -0500
Subject: [PATCH] [Security Solution] [Detections] Create a 'partial failure'
 status for rules (#84293)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../schemas/common/schemas.ts                 |  7 ++++-
 .../components/rules/rule_status/helpers.ts   |  2 +-
 .../detection_engine/rules/types.ts           | 11 +++++++-
 .../detection_engine/rules/details/index.tsx  | 27 ++++++++++++++-----
 .../details/status_failed_callout.test.tsx    |  7 +++++
 .../rules/details/status_failed_callout.tsx   |  8 ++++--
 .../rules/details/translations.ts             |  7 +++++
 .../signals/rule_status_service.mock.ts       |  2 ++
 .../signals/rule_status_service.test.ts       | 15 +++++++++++
 .../signals/rule_status_service.ts            | 20 ++++++++++++++
 10 files changed, 95 insertions(+), 11 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
index 82b803c62a9406..ff76a0fcb5593f 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
@@ -320,7 +320,12 @@ export type SeverityMappingOrUndefined = t.TypeOf<typeof severityMappingOrUndefi
 export const status = t.keyof({ open: null, closed: null, 'in-progress': null });
 export type Status = t.TypeOf<typeof status>;
 
-export const job_status = t.keyof({ succeeded: null, failed: null, 'going to run': null });
+export const job_status = t.keyof({
+  succeeded: null,
+  failed: null,
+  'going to run': null,
+  'partial failure': null,
+});
 export type JobStatus = t.TypeOf<typeof job_status>;
 
 export const conflicts = t.keyof({ abort: null, proceed: null });
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/rule_status/helpers.ts b/x-pack/plugins/security_solution/public/detections/components/rules/rule_status/helpers.ts
index e99894afeb63c4..e6482577f89edc 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/rule_status/helpers.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/rule_status/helpers.ts
@@ -13,6 +13,6 @@ export const getStatusColor = (status: RuleStatusType | string | null) =>
     ? 'success'
     : status === 'failed'
     ? 'danger'
-    : status === 'executing' || status === 'going to run'
+    : status === 'executing' || status === 'going to run' || status === 'partial failure'
     ? 'warning'
     : 'subdued';
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/types.ts
index e9c89130736c05..d7908a6780ebb2 100644
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/types.ts
@@ -70,6 +70,13 @@ const MetaRule = t.intersection([
   }),
 ]);
 
+const StatusTypes = t.union([
+  t.literal('succeeded'),
+  t.literal('failed'),
+  t.literal('going to run'),
+  t.literal('partial failure'),
+]);
+
 export const RuleSchema = t.intersection([
   t.type({
     author,
@@ -108,13 +115,15 @@ export const RuleSchema = t.intersection([
     license,
     last_failure_at: t.string,
     last_failure_message: t.string,
+    last_success_message: t.string,
+    last_success_at: t.string,
     meta: MetaRule,
     machine_learning_job_id: t.string,
     output_index: t.string,
     query: t.string,
     rule_name_override,
     saved_id: t.string,
-    status: t.string,
+    status: StatusTypes,
     status_date: t.string,
     threshold,
     threat_query,
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx
index ba676835d60f11..4866824f882cfc 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx
@@ -275,18 +275,33 @@ export const RuleDetailsPageComponent: FC<PropsFromRedux> = ({
     ),
     [ruleDetailTabs, ruleDetailTab, setRuleDetailTab]
   );
-  const ruleError = useMemo(
-    () =>
+  const ruleError = useMemo(() => {
+    if (
       rule?.status === 'failed' &&
       ruleDetailTab === RuleDetailTabs.alerts &&
-      rule?.last_failure_at != null ? (
+      rule?.last_failure_at != null
+    ) {
+      return (
         <RuleStatusFailedCallOut
           message={rule?.last_failure_message ?? ''}
           date={rule?.last_failure_at}
         />
-      ) : null,
-    [rule, ruleDetailTab]
-  );
+      );
+    } else if (
+      rule?.status === 'partial failure' &&
+      ruleDetailTab === RuleDetailTabs.alerts &&
+      rule?.last_success_at != null
+    ) {
+      return (
+        <RuleStatusFailedCallOut
+          message={rule?.last_success_message ?? ''}
+          date={rule?.last_success_at}
+          color="warning"
+        />
+      );
+    }
+    return null;
+  }, [rule, ruleDetailTab]);
 
   const updateDateRangeCallback = useCallback<UpdateDateRange>(
     ({ x }) => {
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.test.tsx
index 3394b0fc8c5c05..c7436234020635 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.test.tsx
@@ -13,6 +13,13 @@ describe('RuleStatusFailedCallOut', () => {
   it('renders correctly', () => {
     const wrapper = shallow(<RuleStatusFailedCallOut date="date" message="message" />);
 
+    expect(wrapper.find('EuiCallOut')).toHaveLength(1);
+  });
+  it('renders correctly with optional params', () => {
+    const wrapper = shallow(
+      <RuleStatusFailedCallOut date="date" message="message" color="warning" />
+    );
+
     expect(wrapper.find('EuiCallOut')).toHaveLength(1);
   });
 });
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.tsx
index 5b5b96ace8670c..121ff6b8686c34 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/status_failed_callout.tsx
@@ -13,22 +13,26 @@ import * as i18n from './translations';
 interface RuleStatusFailedCallOutComponentProps {
   date: string;
   message: string;
+  color?: 'danger' | 'primary' | 'success' | 'warning';
 }
 
 const RuleStatusFailedCallOutComponent: React.FC<RuleStatusFailedCallOutComponentProps> = ({
   date,
   message,
+  color,
 }) => (
   <EuiCallOut
     title={
       <EuiFlexGroup gutterSize="xs" alignItems="center" justifyContent="flexStart">
-        <EuiFlexItem grow={false}>{i18n.ERROR_CALLOUT_TITLE}</EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          {color === 'warning' ? i18n.PARTIAL_FAILURE_CALLOUT_TITLE : i18n.ERROR_CALLOUT_TITLE}
+        </EuiFlexItem>
         <EuiFlexItem grow={true}>
           <FormattedDate value={date} fieldName="last_failure_at" />
         </EuiFlexItem>
       </EuiFlexGroup>
     }
-    color="danger"
+    color={color ? color : 'danger'}
     iconType="alert"
   >
     <p>{message}</p>
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts
index 94dfdc3e9daa02..5fbe0a5b786713 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/translations.ts
@@ -48,6 +48,13 @@ export const ERROR_CALLOUT_TITLE = i18n.translate(
   }
 );
 
+export const PARTIAL_FAILURE_CALLOUT_TITLE = i18n.translate(
+  'xpack.securitySolution.detectionEngine.ruleDetails.partialErrorCalloutTitle',
+  {
+    defaultMessage: 'Partial rule failure at',
+  }
+);
+
 export const FAILURE_HISTORY_TAB = i18n.translate(
   'xpack.securitySolution.detectionEngine.ruleDetails.failureHistoryTab',
   {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.mock.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.mock.ts
index 1d6a8227ebc13e..f7b1790e127d94 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.mock.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.mock.ts
@@ -22,6 +22,8 @@ export const ruleStatusServiceFactoryMock = async ({
 
     success: jest.fn(),
 
+    partialFailure: jest.fn(),
+
     error: jest.fn(),
   };
 };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.test.ts
index cde6a506c657d2..449ecd11257d74 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.test.ts
@@ -53,6 +53,21 @@ describe('buildRuleStatusAttributes', () => {
     expect(result.statusDate).toEqual(result.lastSuccessAt);
   });
 
+  it('returns partial failure fields if "partial failure"', () => {
+    const result = buildRuleStatusAttributes(
+      'partial failure',
+      'some indices missing timestamp override field'
+    );
+    expect(result).toEqual({
+      status: 'partial failure',
+      statusDate: expectIsoDateString,
+      lastSuccessAt: expectIsoDateString,
+      lastSuccessMessage: 'some indices missing timestamp override field',
+    });
+
+    expect(result.statusDate).toEqual(result.lastSuccessAt);
+  });
+
   it('returns failure fields if "failed"', () => {
     const result = buildRuleStatusAttributes('failed', 'failure message');
     expect(result).toEqual({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.ts
index 433ad4e2affea4..debc329bf40d77 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.ts
@@ -23,6 +23,7 @@ interface Attributes {
 export interface RuleStatusService {
   goingToRun: () => Promise<void>;
   success: (message: string, attributes?: Attributes) => Promise<void>;
+  partialFailure: (message: string, attributes?: Attributes) => Promise<void>;
   error: (message: string, attributes?: Attributes) => Promise<void>;
 }
 
@@ -46,6 +47,13 @@ export const buildRuleStatusAttributes: (
         lastSuccessMessage: message,
       };
     }
+    case 'partial failure': {
+      return {
+        ...baseAttributes,
+        lastSuccessAt: now,
+        lastSuccessMessage: message,
+      };
+    }
     case 'failed': {
       return {
         ...baseAttributes,
@@ -93,6 +101,18 @@ export const ruleStatusServiceFactory = async ({
       });
     },
 
+    partialFailure: async (message, attributes) => {
+      const [currentStatus] = await getOrCreateRuleStatuses({
+        alertId,
+        ruleStatusClient,
+      });
+
+      await ruleStatusClient.update(currentStatus.id, {
+        ...currentStatus.attributes,
+        ...buildRuleStatusAttributes('partial failure', message, attributes),
+      });
+    },
+
     error: async (message, attributes) => {
       const ruleStatuses = await getOrCreateRuleStatuses({
         alertId,