[8.8] [Security Solution][Alerts] resolves alerts suppression review feedback (#155839) (#157192)

# Backport This will backport the following commits from `main` to `8.8`: - [[Security Solution][Alerts] resolves alerts suppression review feedback (#155839)](https://github.com/elastic/kibana/pull/155839)  ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport)  Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com> Co-authored-by: Pedro Jaramillo <pedro.jaramillo@elastic.co>
2025-04-24 01:38:56 -04:00 · 2023-05-09 22:56:34 -04:00 · 2023-05-09 22:56:34 -04:00 · 951802a7a9
commit 951802a7a9
parent e8e87a7629
10 changed files with 135 additions and 73 deletions
--- a/packages/kbn-doc-links/src/get_doc_links.ts
+++ b/packages/kbn-doc-links/src/get_doc_links.ts
@ -380,6 +380,7 @@ export const getDocLinks = ({ kibanaBranch }: GetDocLinkOptions): DocLinks => {
      networkMap: `${SECURITY_SOLUTION_DOCS}conf-map-ui.html`,
      troubleshootGaps: `${SECURITY_SOLUTION_DOCS}alerts-ui-monitor.html#troubleshoot-gaps`,
      ruleApiOverview: `${SECURITY_SOLUTION_DOCS}rule-api-overview.html`,
+      configureAlertSuppression: `${SECURITY_SOLUTION_DOCS}alert-suppression.html#_configure_alert_suppression`,
    },
    securitySolution: {
      trustedApps: `${SECURITY_SOLUTION_DOCS}trusted-apps-ov.html`,
--- a/packages/kbn-doc-links/src/types.ts
+++ b/packages/kbn-doc-links/src/types.ts
@ -283,6 +283,7 @@ export interface DocLinks {
    readonly networkMap: string;
    readonly troubleshootGaps: string;
    readonly ruleApiOverview: string;
+    readonly configureAlertSuppression: string;
  };
  readonly securitySolution: {
    readonly trustedApps: string;
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/translations.ts
@ -151,13 +151,13 @@ export const ALERT_SUPPRESSION_PER_RULE_EXECUTION = i18n.translate(
 export const ALERT_SUPPRESSION_SUPPRESS_ON_MISSING_FIELDS = i18n.translate(
  'xpack.securitySolution.detectionEngine.ruleDescription.alertSuppressionSuppressOnMissingFieldsDescription',
  {
-    defaultMessage: 'Suppress on missing field value',
+    defaultMessage: 'Suppress and group alerts for events with missing fields',
  }
 );

 export const ALERT_SUPPRESSION_DO_NOT_SUPPRESS_ON_MISSING_FIELDS = i18n.translate(
  'xpack.securitySolution.detectionEngine.ruleDescription.alertSuppressionDoNotSuppressOnMissingFieldsDescription',
  {
-    defaultMessage: 'Do not suppress',
+    defaultMessage: 'Do not suppress alerts for events with missing fields',
  }
 );
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
@ -7,7 +7,6 @@

 import type { EuiButtonGroupOptionProps } from '@elastic/eui';
 import {
-  EuiAccordion,
  EuiButtonEmpty,
  EuiFlexGroup,
  EuiFlexItem,
@ -58,6 +57,7 @@ import { PickTimeline } from '../pick_timeline';
 import { StepContentWrapper } from '../step_content_wrapper';
 import { NextStep } from '../next_step';
 import { ThresholdInput } from '../threshold_input';
+import { SuppressionInfoIcon } from '../suppression_info_icon';
 import {
  Field,
  Form,
@ -129,6 +129,10 @@ const RuleTypeEuiFormRow = styled(EuiFormRow).attrs<{ $isVisible: boolean }>(({
  },
 }))<{ $isVisible: boolean }>``;

+const IntendedRuleTypeEuiFormRow = styled(RuleTypeEuiFormRow)`
+  ${({ theme }) => `padding-left: ${theme.eui.euiSizeXL};`}
+`;
+
 const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
  addPadding = false,
  defaultValues: initialState,
@ -899,68 +903,63 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
            </>
          )}

-          <EuiSpacer size="l" />
-          <EuiAccordion
-            data-test-subj="alertSuppressionAccordion"
-            id="alertSuppressionAccordion"
-            buttonContent={i18n.ALERT_SUPPRESSION_ACCORDION_BUTTON}
+          <RuleTypeEuiFormRow
+            $isVisible={isQueryRule(ruleType)}
+            data-test-subj="alertSuppressionInput"
          >
-            <EuiSpacer size="l" />
+            <UseField
+              path="groupByFields"
+              component={GroupByFields}
+              componentProps={{
+                browserFields: termsAggregationFields,
+                isDisabled:
+                  !license.isAtLeast(minimumLicenseForSuppression) &&
+                  initialState.groupByFields.length === 0,
+              }}
+            />
+          </RuleTypeEuiFormRow>

-            <RuleTypeEuiFormRow
-              $isVisible={isQueryRule(ruleType)}
-              data-test-subj="alertSuppressionInput"
+          <IntendedRuleTypeEuiFormRow
+            $isVisible={isQueryRule(ruleType)}
+            data-test-subj="alertSuppressionDuration"
+          >
+            <UseMultiFields
+              fields={{
+                groupByRadioSelection: {
+                  path: 'groupByRadioSelection',
+                },
+                groupByDurationValue: {
+                  path: 'groupByDuration.value',
+                },
+                groupByDurationUnit: {
+                  path: 'groupByDuration.unit',
+                },
+              }}
            >
-              <UseField
-                path="groupByFields"
-                component={GroupByFields}
-                componentProps={{
-                  browserFields: termsAggregationFields,
-                  isDisabled:
-                    !license.isAtLeast(minimumLicenseForSuppression) &&
-                    initialState.groupByFields.length === 0,
-                }}
-              />
-            </RuleTypeEuiFormRow>
+              {GroupByChildren}
+            </UseMultiFields>
+          </IntendedRuleTypeEuiFormRow>

-            <RuleTypeEuiFormRow
-              $isVisible={isQueryRule(ruleType)}
-              data-test-subj="alertSuppressionDuration"
+          <IntendedRuleTypeEuiFormRow
+            $isVisible={isQueryRule(ruleType)}
+            data-test-subj="alertSuppressionMissingFields"
+            label={
+              <span>
+                {i18n.ALERT_SUPPRESSION_MISSING_FIELDS_FORM_ROW_LABEL} <SuppressionInfoIcon />
+              </span>
+            }
+            fullWidth
+          >
+            <UseMultiFields
+              fields={{
+                suppressionMissingFields: {
+                  path: 'suppressionMissingFields',
+                },
+              }}
            >
-              <UseMultiFields
-                fields={{
-                  groupByRadioSelection: {
-                    path: 'groupByRadioSelection',
-                  },
-                  groupByDurationValue: {
-                    path: 'groupByDuration.value',
-                  },
-                  groupByDurationUnit: {
-                    path: 'groupByDuration.unit',
-                  },
-                }}
-              >
-                {GroupByChildren}
-              </UseMultiFields>
-            </RuleTypeEuiFormRow>
-
-            <RuleTypeEuiFormRow
-              $isVisible={isQueryRule(ruleType)}
-              data-test-subj="alertSuppressionMissingFields"
-              label={i18n.ALERT_SUPPRESSION_MISSING_FIELDS_FORM_ROW_LABEL}
-            >
-              <UseMultiFields
-                fields={{
-                  suppressionMissingFields: {
-                    path: 'suppressionMissingFields',
-                  },
-                }}
-              >
-                {AlertsSuppressionMissingFields}
-              </UseMultiFields>
-            </RuleTypeEuiFormRow>
-          </EuiAccordion>
-          <EuiSpacer size="l" />
+              {AlertsSuppressionMissingFields}
+            </UseMultiFields>
+          </IntendedRuleTypeEuiFormRow>

          <RuleTypeEuiFormRow $isVisible={isMlRule(ruleType)} fullWidth>
            <>
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
@ -626,7 +626,7 @@ export const schema: FormSchema<DefineStepRule> = {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.suppressionMissingFieldsLabel',
      {
-        defaultMessage: 'If “Suppress by” field does not exist',
+        defaultMessage: 'If a suppression field is missing',
      }
    ),
  },
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
@ -150,30 +150,23 @@ export const RULE_PREVIEW_TITLE = i18n.translate(
  }
 );

-export const ALERT_SUPPRESSION_ACCORDION_BUTTON = i18n.translate(
-  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.alertSuppressionAccordionButtonLabel',
-  {
-    defaultMessage: 'Suppression Configuration',
-  }
-);
-
 export const ALERT_SUPPRESSION_MISSING_FIELDS_FORM_ROW_LABEL = i18n.translate(
  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.alertSuppressionMissingFieldsLabel',
  {
-    defaultMessage: 'If “Suppress by” field does not exist',
+    defaultMessage: 'If a suppression field is missing',
  }
 );

 export const ALERT_SUPPRESSION_MISSING_FIELDS_SUPPRESS_OPTION = i18n.translate(
  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.alertSuppressionMissingFieldsSuppressLabel',
  {
-    defaultMessage: 'Suppress on missing field value',
+    defaultMessage: 'Suppress and group alerts for events with missing fields',
  }
 );

 export const ALERT_SUPPRESSION_MISSING_FIELDS_DO_NOT_SUPPRESS_OPTION = i18n.translate(
  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.alertSuppressionMissingFieldsDoNotSuppressLabel',
  {
-    defaultMessage: 'Do not suppress',
+    defaultMessage: 'Do not suppress alerts for events with missing fields',
  }
 );
--- a/x-pack/plugins/security_solution/public/detections/components/rules/suppression_info_icon/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/suppression_info_icon/index.tsx
@ -0,0 +1,66 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { useState } from 'react';
+import { EuiLink, EuiPopover, EuiText, EuiButtonIcon } from '@elastic/eui';
+import { FormattedMessage } from '@kbn/i18n-react';
+
+import { useKibana } from '../../../../common/lib/kibana';
+
+const POPOVER_WIDTH = 320;
+
+/**
+ * Icon and popover that gives hint to users how suppression for missing fields work
+ */
+const SuppressionInfoIconComponent = () => {
+  const [isPopoverOpen, setIsPopoverOpen] = useState(false);
+  const { docLinks } = useKibana().services;
+
+  const onButtonClick = () => setIsPopoverOpen(!isPopoverOpen);
+  const closePopover = () => setIsPopoverOpen(false);
+
+  const button = (
+    <EuiButtonIcon
+      iconType="questionInCircle"
+      onClick={onButtonClick}
+      aria-label="Open help popover"
+    />
+  );
+
+  return (
+    <EuiPopover button={button} isOpen={isPopoverOpen} closePopover={closePopover}>
+      <EuiText style={{ width: POPOVER_WIDTH }} size="s">
+        <FormattedMessage
+          id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.alertSuppressionMissingFieldsTooltipContent"
+          defaultMessage="Choose how to handle events with missing {suppressBy} fields. Either group events with missing fields together, or create a separate alert for each event. {learnMoreLink}"
+          values={{
+            suppressBy: (
+              <strong>
+                <FormattedMessage
+                  id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.alertSuppressionMissingFieldsTooltipSuppressByDescription"
+                  defaultMessage="Suppress alerts by"
+                />
+              </strong>
+            ),
+            learnMoreLink: (
+              <EuiLink href={docLinks.links.siem.configureAlertSuppression} target="_blank">
+                <FormattedMessage
+                  id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.alertSuppressionMissingFieldsTooltipLink"
+                  defaultMessage="Learn more"
+                />
+              </EuiLink>
+            ),
+          }}
+        />
+      </EuiText>
+    </EuiPopover>
+  );
+};
+
+export const SuppressionInfoIcon = React.memo(SuppressionInfoIconComponent);
+
+SuppressionInfoIcon.displayName = 'SuppressionInfoIcon';
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/utils.ts
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/utils.ts
@ -20,6 +20,7 @@ import { DEFAULT_THREAT_MATCH_QUERY, RULES_PATH } from '../../../../../common/co
 import type { AboutStepRule, DefineStepRule, RuleStepsOrder, ScheduleStepRule } from './types';
 import { DataSourceType, GroupByOptions, RuleStep } from './types';
 import type { GetSecuritySolutionUrl } from '../../../../common/components/link_to';
+import { DEFAULT_SUPPRESSION_MISSING_FIELDS_STRATEGY } from '../../../../../common/detection_engine/rule_schema';
 import {
  RuleDetailTabs,
  RULE_DETAILS_TAB_NAME,
@ -154,6 +155,7 @@ export const stepDefineDefaultValue: DefineStepRule = {
    value: 5,
    unit: 'm',
  },
+  suppressionMissingFields: DEFAULT_SUPPRESSION_MISSING_FIELDS_STRATEGY,
 };

 export const stepAboutDefaultValue: AboutStepRule = {
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/alert_suppression/bulk_create_unsuppressed_alerts.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/alert_suppression/bulk_create_unsuppressed_alerts.ts
@ -40,7 +40,7 @@ export const bulkCreateUnsuppressedAlerts: BulkCreateUnsuppressedAlerts = async
 }) => {
  const bulkCreatedResult = await searchAfterAndBulkCreate({
    tuple: { ...runOpts.tuple, maxSignals: size },
-    exceptionsList: runOpts.unprocessedExceptions,
+    exceptionsList: [],
    services,
    listClient: runOpts.listClient,
    ruleExecutionLogger: runOpts.ruleExecutionLogger,
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/query.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/query.ts
@ -1911,7 +1911,7 @@ export default ({ getService }: FtrProviderContext) => {
            const firstDoc = { id, '@timestamp': timestamp, agent: { name: 'agent-1' } };
            const secondDoc = { id, '@timestamp': laterTimestamp, agent: { name: 'agent-1' } };
            const thirdDoc = { id, '@timestamp': laterTimestamp, agent: { name: 'agent-2' } };
-            const missingFieldDoc1 = { id, '@timestamp': laterTimestamp };
+            const missingFieldDoc1 = { id, '@timestamp': timestamp };
            const missingFieldDoc2 = { id, '@timestamp': laterTimestamp };

            await indexListOfDocuments([