[Security Solution][Exceptions] - Exception Modal Part I

[peluja1012]

Summary

This PR adds modals for Adding and Editing exception items. These modals will be used in various pages in the app to enable the user to add Exceptions to their rules.

• When an endpoint exception is added, the modal is pre-populated with exception items most common to the Endpoint use case
• When adding an exception item, the items are enriched with comments before they're sent to the server. Endpoint exceptions are also enriched with an operating system _tag.
• When a user edits an item, they can edit the item entries but also have the option to add new items. Handling of deletion of an item while editing will be address in an upcoming PR
• The modals have checkboxes for "Closing the alert" and for "Bulk close alerts matching exception attributes". When editing or adding exceptions from the exceptions viewer, users will only able to bulk close alerts given that there is no "alert" context.
• When creating an exception for the first time, a new exception list will be created and a new reference to this list will be added to the corresponding rule.

Coming in Part II

• Handle case when user deletes an item in the Edit Modal.
• Implement bulk close. Currently the checkbox doesn't trigger a bulk close action on the server.
• Filter out fields not included in the list of Endpoint "exceptionable" fields when the user tries to add an Endpoint Exception
• Allow the user to add Exceptions from the Timeline
• Disable "Add Endpoint Exception" option for non-Endpoint alerts
• Add tests for helper functions
• Add tests for react components if necessary
• Look into using lists plugin hooks like the persistExceptionItem hook

Usage Examples

Alerts page

Rule Details External Alerts tab

Rule Details Exceptions tab

Adding an exception from the exceptions viewer

Adding an exception from an alert event

Editing an exception

Exception comments

Testing

To turn on lists plugin - in kibana.dev.yml

# Enable lists feature
xpack.lists.enabled: true
xpack.lists.listIndex: '.lists-yara'
xpack.lists.listItemIndex: '.items-yara'

• Navigate to the Alerts page or Rule Details page and select Add Exception or Add Endpoint Exception from the options in the alerts Timeline
• In the Rule Details page, click on the Exceptions tab, then select Add to endpoint list or Add to detection list from the options in the Exception Viewer header.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser
• This was checked for cross-browser compatibility, including a check against IE11

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[yctercero]

I'm not sure we need to export these as they are all available in useApi

[yctercero]

You can use != here to check for both null and undefined

[yctercero]

Could onAddExceptionCancel and onAddExceptionConfirm be combined into one function like onCloseAddExceptionModal?

[peluja1012]

Will look into this in the follow up PR

[yctercero]

Same here as before, using != null will catch both undefined and null

[yctercero]

You should just be able to use the usePersistExceptionItem hook from the lists plugin. It determines when to use the post vs put within it. Maybe you can update that existing hook to accept a list of items instead of just 1?

[peluja1012]

Will look into this in the follow up PR. This hook will eventually need to handle bulk close as well as current alert close also.

[yctercero]

Working to get that PR in! :) Hope to have it cleaned up EOD.

[yctercero]

Is there a case where there wouldn't be a username accessible here? If there isn't one does that mean they don't have certain access rights and would we at that point not let them add an exception at all?

[yctercero]

I might be explicit here like ruleExceptionLists: ExceptionListSchema[] | undefined; Because we're using it as a tell for whether the user is creating a new list vs. editing right?

[yctercero]

Mentioned it above, but I think you can just use the existing persist_exception_item.ts hook in the lists plugin.

[yctercero]

I might move some of these functions out into a helpers.ts file so you can unit test them easily.

[peluja1012]

We'll look into moving the entire enrichExceptionItems function to the helpers file in the follow up PR.

[yctercero]

I think I might avoid passing this in, since the ExceptionBuilder manages its own state, it just takes an initial list of exception list items to start with. Might be easier to discuss this one offline to see if I missed something.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[peluja1012]

We'll need to handle conflict errors in Part || if the exception list already exists due to stale rule references or race conditions.

[peluja1012]

In Part II, we'll create a constant and share it with the endpoint exceptions artifact builder code.

[yctercero]

I don't think you need to pass a list_id here. It will be generated by the server.

[yctercero]

Nit: I might add the typing here like - const [addExceptionModalState, setAddExceptionModalState] = useState<AddExceptionOnClick>(addExceptionModalInitialState);

[yctercero]

Nit: Can we make this an enum for the different modal types?

[yctercero]

Here I would use the != null to catch null and undefined.

[yctercero]

Do you need the onSuccess or can that be inferred from the return value?

[peluja1012]

Don't need it. Removed.

[yctercero]

I think one pattern I've noticed is that we try to avoid using lets and casting. I think here it could be something like:

      const newExceptonListReference = {
        id: newExceptionList.id,
        namespace_type: newExceptionList.namespace_type,
      };
      const newExceptionListReferences: ListArray = [...(ruleResponse.exceptions_list ?? []), newExceptionListReference];

[peluja1012]

Good call. Updated.

[yctercero]

Is this functionally the same as getOperatingSystems?

[peluja1012]

I think so. @dplumlee is going to look into dropping the additional formatting from getOperatingSystems in the next PR.

[yctercero]

In kibana/x-pack/plugins/lists/common/schemas/request/create_exception_list_item_schema.ts it looks like _tags gets defaulted to an empty array on creation, so we should be good to remove the ?? [].

[yctercero]

I think you can use the helper export const isListType = (item: BuilderEntry): item is EmptyListEntry => item.type === OperatorTypeEnum.LIST; here?

[peluja1012]

To be addressed in follow up PR

[yctercero]

Could you return an empty array here and then you don't have to do checks like the following and the return type is just string[]: getMappedNonEcsValue({ data: alertData, fieldName: 'file.hash.sha1' }) ?? []

[peluja1012]

To be addressed in follow up PR

[yctercero]

Played around with the modal together while debugging a separate issue. Excited to see it all come together! LGTM - thanks for creating a ticket with the list of things to follow up on so they don't slip through the cracks. Some things I would make sure to follow up on is using != null, that'll help avoid missing catching an undefined or null if we try to explicitly check for each separately. Also, following up on the need for list_id on creation of exception lists. Thanks so much!

[yctercero]

I think the title needs to be in i18n?

[peluja1012]

Good catch. Done.

[yctercero]

Nit: I think we can get rid of the ? here? Comments defaults to an empty array, so it should appear. Or maybe make it explicit Comments[] | undefined if in a not yet created exception item it's not yet defined?

[peluja1012]

My thinking was that this prop would be optional because we use this commend in the Add Modal also where there are no pre-existing comments.

[yctercero]

I don't think this needs to be casted here. The schema checks should validate that it's either endpoint | detection.

[peluja1012]

yup, done.

[yctercero]

I think I missed this in my PR, but here we can update to use the enum from the lists plugin.

[peluja1012]

This is actually why I was having problems with listType in the modal. I'll update the builder to use the enum.

[yctercero]

Same as comment above, I think I missed updating the prop to be ExceptionListTypeEnum (from lists plugin). That should remove any need to cast.

[peluja1012]

done

[yctercero]

I missed this in my PR. I would update to use ExceptionListTypeEnum from lists common schema.

[yctercero]

I think we can use the getListMock from x-pack/plugins/security_solution/common/detection_engine/schemas/types/lists.mock.ts

[peluja1012]

Good call. Done.

[yctercero]

I don't think you need to pass a list_id here. It will be generated by the server.

[yctercero]

Since the response gets validated, we shouldn't need to do any casting.

[peluja1012]

Yup, this is not needed. It's leftover from when the types weren't finalized yet.

[yctercero]

I might check with @FrankHassanabad , but almost certain that we shouldn't create a list_id in the client. We should let the server create it and then reference it here using the response from the creation.

[peluja1012]

We need to think about the right behavior is here when there is no exception list present. We can iterate on it.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: f03a20f

Build metrics

@kbn/optimizer bundle module count

id	value	diff	baseline
securitySolution	810	+1	809

History

• 💛 Build #59567 was flaky 1fd2a48
• 💔 Build #59545 failed 052a80e
• 💔 Build #59074 failed 169cd10
• 💔 Build #59029 failed 08a2f68
• 💔 Build #58748 failed 931bc45

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)