[Security Solution][Exceptions] - Exception Modal Part I

x-pack/plugins/lists/public/index.tsx

@@ -13,6 +13,12 @@ export { useFindLists } from './lists/hooks/use_find_lists';
 export { useImportList } from './lists/hooks/use_import_list';
 export { useDeleteList } from './lists/hooks/use_delete_list';
 export { useExportList } from './lists/hooks/use_export_list';
+export {
+  addExceptionListItem,
+  updateExceptionListItem,
+  fetchExceptionListById,
+  addExceptionList,
+} from './exceptions/api';
 export {
   ExceptionList,
   ExceptionIdentifiers,

x-pack/plugins/security_solution/public/alerts/components/alerts_table/default_config.tsx

@@ -37,6 +37,8 @@ import {
   UpdateTimelineLoading,
 } from './types';
 import { Ecs } from '../../../graphql/types';
+import { AddExceptionOnClick } from '../../../common/components/exceptions/add_exception_modal';
+import { getMappedNonEcsValue } from '../../../common/components/exceptions/helpers';
 
 export const buildAlertStatusFilter = (status: Status): Filter[] => [
   {
@@ -172,6 +174,13 @@ export const requiredFieldsForActions = [
   'signal.rule.query',
   'signal.rule.to',
   'signal.rule.id',
+
+  // Endpoint exception fields
+  'file.path',
+  'file.Ext.code_signature.subject_name',
+  'file.Ext.code_signature.trusted',
+  'file.hash.sha1',
+  'host.os.family',
 ];
 
 interface AlertActionArgs {
@@ -188,6 +197,12 @@ interface AlertActionArgs {
   status: Status;
   timelineId: string;
   updateTimelineIsLoading: UpdateTimelineLoading;
+  openAddExceptionModal: ({
+    exceptionListType,
+    alertData,
+    ruleName,
+    ruleId,
+  }: AddExceptionOnClick) => void;
 }
 
 export const getAlertActions = ({
@@ -204,6 +219,7 @@ export const getAlertActions = ({
   status,
   timelineId,
   updateTimelineIsLoading,
+  openAddExceptionModal,
 }: AlertActionArgs): TimelineRowAction[] => {
   const openAlertActionComponent: TimelineRowAction = {
     ariaLabel: 'Open alert',
@@ -289,5 +305,52 @@ export const getAlertActions = ({
     ...(FILTER_OPEN !== status ? [openAlertActionComponent] : []),
     ...(FILTER_CLOSED !== status ? [closeAlertActionComponent] : []),
     ...(FILTER_IN_PROGRESS !== status ? [inProgressAlertActionComponent] : []),
+    // TODO: disable this option if the alert is not an Endpoint alert
+    {
+      onClick: ({ ecsData, data }: TimelineRowActionOnClick) => {
+        const ruleNameValue = getMappedNonEcsValue({ data, fieldName: 'signal.rule.name' });
+        const ruleId = getMappedNonEcsValue({ data, fieldName: 'signal.rule.id' });
+        if (ruleId !== undefined && ruleId.length > 0) {
+          openAddExceptionModal({
+            ruleName: ruleNameValue ? ruleNameValue[0] : '',
+            ruleId: ruleId[0],
+            exceptionListType: 'endpoint',
+            alertData: {
+              ecsData,
+              nonEcsData: data,
+            },
+          });
+        }
+      },
+      id: 'addEndpointException',
+      isActionDisabled: () => !canUserCRUD || !hasIndexWrite,
+      dataTestSubj: 'add-endpoint-exception-menu-item',
+      ariaLabel: 'Add Endpoint Exception',
+      content: <EuiText size="m">{i18n.ACTION_ADD_ENDPOINT_EXCEPTION}</EuiText>,
+      displayType: 'contextMenu',
+    },
+    {
+      onClick: ({ ecsData, data }: TimelineRowActionOnClick) => {
+        const ruleNameValue = getMappedNonEcsValue({ data, fieldName: 'signal.rule.name' });
+        const ruleId = getMappedNonEcsValue({ data, fieldName: 'signal.rule.id' });
+        if (ruleId !== undefined && ruleId.length > 0) {
+          openAddExceptionModal({
+            ruleName: ruleNameValue ? ruleNameValue[0] : '',
+            ruleId: ruleId[0],
+            exceptionListType: 'detection',
+            alertData: {
+              ecsData,
+              nonEcsData: data,
+            },
+          });
+        }
+      },
+      id: 'addException',
+      isActionDisabled: () => !canUserCRUD || !hasIndexWrite,
+      dataTestSubj: 'add-exception-menu-item',
+      ariaLabel: 'Add Exception',
+      content: <EuiText size="m">{i18n.ACTION_ADD_EXCEPTION}</EuiText>,
+      displayType: 'contextMenu',
+    },
   ];
 };

x-pack/plugins/security_solution/public/alerts/components/alerts_table/index.tsx

@@ -50,6 +50,10 @@ import {
 } from '../../../common/components/toasters';
 import { Ecs } from '../../../graphql/types';
 import { getInvestigateInResolverAction } from '../../../timelines/components/timeline/body/helpers';
+import {
+  AddExceptionModal,
+  AddExceptionOnClick,
+} from '../../../common/components/exceptions/add_exception_modal';
 
 interface OwnProps {
   timelineId: TimelineIdLiteral;
@@ -64,6 +68,13 @@ interface OwnProps {
 
 type AlertsTableComponentProps = OwnProps & PropsFromRedux;
 
+const addExceptionModalInitialState: AddExceptionOnClick = {
+  ruleName: '',
+  ruleId: '',
+  exceptionListType: 'detection',
+  alertData: undefined,
+};
+
 export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
   timelineId,
   canUserCRUD,
@@ -92,6 +103,10 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
 
   const [showClearSelectionAction, setShowClearSelectionAction] = useState(false);
   const [filterGroup, setFilterGroup] = useState<Status>(FILTER_OPEN);
+  const [shouldShowAddExceptionModal, setShouldShowAddExceptionModal] = useState(false);
+  const [addExceptionModalState, setAddExceptionModalState] = useState<AddExceptionOnClick>(
+    addExceptionModalInitialState
+  );
   const [{ browserFields, indexPatterns }] = useFetchIndexPatterns(
     signalsIndex !== '' ? [signalsIndex] : []
   );
@@ -192,6 +207,21 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
     [dispatchToaster]
   );
 
+  const openAddExceptionModalCallback = useCallback(
+    ({ ruleName, ruleId, exceptionListType, alertData }: AddExceptionOnClick) => {
+      if (alertData !== null && alertData !== undefined) {
+        setShouldShowAddExceptionModal(true);
+        setAddExceptionModalState({
+          ruleName,
+          ruleId,
+          exceptionListType,
+          alertData,
+        });
+      }
+    },
+    [setShouldShowAddExceptionModal, setAddExceptionModalState]
+  );
+
   // Catches state change isSelectAllChecked->false upon user selection change to reset utility bar
   useEffect(() => {
     if (!isSelectAllChecked) {
@@ -306,6 +336,7 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
         status: filterGroup,
         timelineId,
         updateTimelineIsLoading,
+        openAddExceptionModal: openAddExceptionModalCallback,
       }),
     [
       apolloClient,
@@ -320,6 +351,7 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
       updateTimelineIsLoading,
       onAlertStatusUpdateSuccess,
       onAlertStatusUpdateFailure,
+      openAddExceptionModalCallback,
     ]
   );
   const defaultIndices = useMemo(() => [signalsIndex], [signalsIndex]);
@@ -360,6 +392,19 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
     [onFilterGroupChangedCallback]
   );
 
+  const closeAddExceptionModal = useCallback(() => {
+    setShouldShowAddExceptionModal(false);
+    setAddExceptionModalState(addExceptionModalInitialState);
+  }, [setShouldShowAddExceptionModal, setAddExceptionModalState]);
+
+  const onAddExceptionCancel = useCallback(() => {
+    closeAddExceptionModal();
+  }, [closeAddExceptionModal]);
+
+  const onAddExceptionConfirm = useCallback(() => {
+    closeAddExceptionModal();
+  }, [closeAddExceptionModal]);
+
   if (loading || isEmpty(signalsIndex)) {
     return (
       <EuiPanel>
@@ -370,16 +415,28 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
   }
 
   return (
-    <StatefulEventsViewer
-      defaultIndices={defaultIndices}
-      pageFilters={defaultFiltersMemo}
-      defaultModel={alertsDefaultModel}
-      end={to}
-      headerFilterGroup={headerFilterGroup}
-      id={timelineId}
-      start={from}
-      utilityBar={utilityBarCallback}
-    />
+    <>
+      <StatefulEventsViewer
+        defaultIndices={defaultIndices}
+        pageFilters={defaultFiltersMemo}
+        defaultModel={alertsDefaultModel}
+        end={to}
+        headerFilterGroup={headerFilterGroup}
+        id={timelineId}
+        start={from}
+        utilityBar={utilityBarCallback}
+      />
+      {shouldShowAddExceptionModal === true && addExceptionModalState.alertData !== null && (
+        <AddExceptionModal
+          ruleName={addExceptionModalState.ruleName}
+          ruleId={addExceptionModalState.ruleId}
+          exceptionListType={addExceptionModalState.exceptionListType}
+          alertData={addExceptionModalState.alertData}
+          onCancel={onAddExceptionCancel}
+          onConfirm={onAddExceptionConfirm}
+        />
+      )}
+    </>
   );
 };
 

x-pack/plugins/security_solution/public/alerts/components/alerts_table/translations.ts

@@ -122,6 +122,20 @@ export const ACTION_INVESTIGATE_IN_TIMELINE = i18n.translate(
   }
 );
 
+export const ACTION_ADD_EXCEPTION = i18n.translate(
+  'xpack.securitySolution.detectionEngine.alerts.actions.addException',
+  {
+    defaultMessage: 'Add exception',
+  }
+);
+
+export const ACTION_ADD_ENDPOINT_EXCEPTION = i18n.translate(
+  'xpack.securitySolution.detectionEngine.alerts.actions.addEndpointException',
+  {
+    defaultMessage: 'Add Endpoint exception',
+  }
+);
+
 export const CLOSED_ALERT_SUCCESS_TOAST = (totalAlerts: number) =>
   i18n.translate('xpack.securitySolution.detectionEngine.alerts.closedAlertSuccessToastMessage', {
     values: { totalAlerts },

x-pack/plugins/security_solution/public/alerts/containers/detection_engine/rules/__mocks__/api.ts

@@ -6,6 +6,7 @@
 
 import {
   AddRulesProps,
+  PatchRuleProps,
   NewRule,
   PrePackagedRulesStatusResponse,
   BasicFetchProps,
@@ -20,6 +21,9 @@ import { ruleMock, savedRuleMock, rulesMock } from '../mock';
 export const addRule = async ({ rule, signal }: AddRulesProps): Promise<NewRule> =>
   Promise.resolve(ruleMock);
 
+export const patchRule = async ({ ruleProperties, signal }: PatchRuleProps): Promise<NewRule> =>
+  Promise.resolve(ruleMock);
+
 export const getPrePackagedRulesStatus = async ({
   signal,
 }: {

x-pack/plugins/security_solution/public/alerts/containers/detection_engine/rules/api.ts

@@ -28,6 +28,7 @@ import {
   ImportDataResponse,
   PrePackagedRulesStatusResponse,
   BulkRuleResponse,
+  PatchRuleProps,
 } from './types';
 import { KibanaServices } from '../../../../common/lib/kibana';
 import * as i18n from '../../../pages/detection_engine/rules/translations';
@@ -47,6 +48,21 @@ export const addRule = async ({ rule, signal }: AddRulesProps): Promise<NewRule>
     signal,
   });
 
+/**
+ * Patch provided Rule
+ *
+ * @param ruleProperties to patch
+ * @param signal to cancel request
+ *
+ * @throws An error if response is not OK
+ */
+export const patchRule = async ({ ruleProperties, signal }: PatchRuleProps): Promise<NewRule> =>
+  KibanaServices.get().http.fetch<NewRule>(DETECTION_ENGINE_RULES_URL, {
+    method: 'PATCH',
+    body: JSON.stringify(ruleProperties),
+    signal,
+  });
+
 /**
  * Fetches all rules from the Detection Engine API
  *

x-pack/plugins/security_solution/public/alerts/containers/detection_engine/rules/types.ts

@@ -22,6 +22,7 @@ import {
   listArray,
   listArrayOrUndefined,
 } from '../../../../../common/detection_engine/schemas/types';
+import { PatchRulesSchema } from '../../../../../common/detection_engine/schemas/request/patch_rules_schema';
 
 /**
  * Params is an "record", since it is a type of AlertActionParams which is action templates.
@@ -80,6 +81,11 @@ export interface AddRulesProps {
   signal: AbortSignal;
 }
 
+export interface PatchRuleProps {
+  ruleProperties: PatchRulesSchema;
+  signal: AbortSignal;
+}
+
 const MetaRule = t.intersection([
   t.type({
     from: t.string,

x-pack/plugins/security_solution/public/alerts/pages/detection_engine/rules/details/index.tsx

@@ -439,6 +439,7 @@ export const RuleDetailsPageComponent: FC<PropsFromRedux> = ({
             {ruleDetailTab === RuleDetailTabs.exceptions && (
               <ExceptionsViewer
                 ruleId={ruleId ?? ''}
+                ruleName={rule?.name ?? ''}
                 availableListTypes={exceptionLists.allowedExceptionListTypes}
                 commentsAccordionId={'ruleDetailsTabExceptions'}
                 exceptionListsMeta={exceptionLists.lists}