From 1fcc754525b426a76088d3a9ab24dde0b4e4fe05 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Mon, 8 May 2023 12:53:50 -0400
Subject: [PATCH] [8.8] [Security Solution] Actions with conditional logic
 cannot be added through bulk actions (#156866) (#156905) (#156976)

# Backport

This will backport the following commits from `main` to `8.8`:
- [[Security Solution] Actions with conditional logic cannot be added
through bulk actions (#156866)
(#156905)](https://github.com/elastic/kibana/pull/156905)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"ievgen.sorokopud@elastic.co"},"sourceCommit":{"committedDate":"2023-05-08T12:01:18Z","message":"[Security
Solution] Actions with conditional logic cannot be added through bulk
actions (#156866) (#156905)\n\n## Summary\r\n\r\nOriginal ticket:
https://github.com/elastic/kibana/issues/156866\r\n\r\nThese changes fix
the issue with the conditional actions in bulk\r\nediting. We did not
add action filter attributes to the bulk editing\r\nscheme.\r\n\r\nMore
details
here\r\nhttps://github.com/elastic/kibana/issues/156866#issuecomment-1536469202","sha":"9f69d2dafd2ad7d53525f2f55967b7128644516a","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Detection
Rules","Team:Detection
Alerts","backport:prev-minor","ci:cloud-deploy","v8.9.0"],"number":156905,"url":"https://github.com/elastic/kibana/pull/156905","mergeCommit":{"message":"[Security
Solution] Actions with conditional logic cannot be added through bulk
actions (#156866) (#156905)\n\n## Summary\r\n\r\nOriginal ticket:
https://github.com/elastic/kibana/issues/156866\r\n\r\nThese changes fix
the issue with the conditional actions in bulk\r\nediting. We did not
add action filter attributes to the bulk editing\r\nscheme.\r\n\r\nMore
details
here\r\nhttps://github.com/elastic/kibana/issues/156866#issuecomment-1536469202","sha":"9f69d2dafd2ad7d53525f2f55967b7128644516a"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/156905","number":156905,"mergeCommit":{"message":"[Security
Solution] Actions with conditional logic cannot be added through bulk
actions (#156866) (#156905)\n\n## Summary\r\n\r\nOriginal ticket:
https://github.com/elastic/kibana/issues/156866\r\n\r\nThese changes fix
the issue with the conditional actions in bulk\r\nediting. We did not
add action filter attributes to the bulk editing\r\nscheme.\r\n\r\nMore
details
here\r\nhttps://github.com/elastic/kibana/issues/156866#issuecomment-1536469202","sha":"9f69d2dafd2ad7d53525f2f55967b7128644516a"}}]}]
BACKPORT-->

Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
---
 .../api/rules/bulk_actions/request_schema.ts  |  6 ++-
 .../transform_actions.test.ts                 | 40 +++++++++++++++++++
 .../detection_engine/transform_actions.ts     | 30 ++++++++++++++
 .../bulk_actions/forms/rule_actions_form.tsx  |  3 +-
 .../action_to_rules_client_operation.ts       |  9 ++++-
 5 files changed, 83 insertions(+), 5 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_management/api/rules/bulk_actions/request_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_management/api/rules/bulk_actions/request_schema.ts
index e0a392885bad9..118c886e94042 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/rule_management/api/rules/bulk_actions/request_schema.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_management/api/rules/bulk_actions/request_schema.ts
@@ -9,6 +9,7 @@ import * as t from 'io-ts';
 
 import { NonEmptyArray, TimeDuration } from '@kbn/securitysolution-io-ts-types';
 import {
+  RuleActionAlertsFilter,
   RuleActionFrequency,
   RuleActionGroup,
   RuleActionId,
@@ -95,8 +96,8 @@ const BulkActionEditPayloadTimeline = t.type({
  * per rulesClient.bulkEdit rules actions operation contract (x-pack/plugins/alerting/server/rules_client/rules_client.ts)
  * normalized rule action object is expected (NormalizedAlertAction) as value for the edit operation
  */
-type NormalizedRuleAction = t.TypeOf<typeof NormalizedRuleAction>;
-const NormalizedRuleAction = t.exact(
+export type NormalizedRuleAction = t.TypeOf<typeof NormalizedRuleAction>;
+export const NormalizedRuleAction = t.exact(
   t.intersection([
     t.type({
       group: RuleActionGroup,
@@ -104,6 +105,7 @@ const NormalizedRuleAction = t.exact(
       params: RuleActionParams,
     }),
     t.partial({ frequency: RuleActionFrequency }),
+    t.partial({ alerts_filter: RuleActionAlertsFilter }),
   ])
 );
 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/transform_actions.test.ts b/x-pack/plugins/security_solution/common/detection_engine/transform_actions.test.ts
index 309dccbf5804a..df8a56e999a06 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/transform_actions.test.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/transform_actions.test.ts
@@ -8,11 +8,15 @@
 import {
   transformRuleToAlertAction,
   transformAlertToRuleAction,
+  transformNormalizedRuleToAlertAction,
+  transformAlertToNormalizedRuleAction,
   transformRuleToAlertResponseAction,
   transformAlertToRuleResponseAction,
 } from './transform_actions';
 import type { ResponseAction, RuleResponseAction } from './rule_response_actions/schemas';
 import { RESPONSE_ACTION_TYPES } from './rule_response_actions/schemas';
+import type { NormalizedRuleAction } from './rule_management/api/rules/bulk_actions/request_schema';
+import type { RuleAction } from '@kbn/alerting-plugin/common';
 
 describe('transform_actions', () => {
   test('it should transform RuleAlertAction[] to RuleAction[]', () => {
@@ -48,6 +52,42 @@ describe('transform_actions', () => {
       uuid: '111',
     });
   });
+  test('it should transform NormalizedRuleAction[] to NormalizedAlertAction[]', () => {
+    const ruleAction: NormalizedRuleAction = {
+      id: 'id',
+      group: 'group',
+      params: {},
+      frequency: { summary: true, throttle: null, notifyWhen: 'onActiveAlert' },
+      alerts_filter: { query: { kql: '*', filters: [] } },
+    };
+    const alertAction = transformNormalizedRuleToAlertAction(ruleAction);
+    expect(alertAction).toEqual({
+      id: ruleAction.id,
+      group: ruleAction.group,
+      params: ruleAction.params,
+      frequency: ruleAction.frequency,
+      alertsFilter: ruleAction.alerts_filter,
+    });
+  });
+  test('it should transform RuleAction[] to NormalizedRuleAction[]', () => {
+    const alertAction: RuleAction = {
+      id: 'id',
+      group: 'group',
+      actionTypeId: 'actionTypeId',
+      params: {},
+      uuid: '111',
+      frequency: { summary: true, throttle: null, notifyWhen: 'onActiveAlert' },
+      alertsFilter: { query: { kql: '*', filters: [] } },
+    };
+    const ruleAction = transformAlertToNormalizedRuleAction(alertAction);
+    expect(ruleAction).toEqual({
+      id: alertAction.id,
+      group: alertAction.group,
+      params: alertAction.params,
+      frequency: alertAction.frequency,
+      alerts_filter: alertAction.alertsFilter,
+    });
+  });
   test('it should transform ResponseAction[] to RuleResponseAction[]', () => {
     const ruleAction: ResponseAction = {
       action_type_id: RESPONSE_ACTION_TYPES.OSQUERY,
diff --git a/x-pack/plugins/security_solution/common/detection_engine/transform_actions.ts b/x-pack/plugins/security_solution/common/detection_engine/transform_actions.ts
index 3808837dc0df2..b17b4d5276c19 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/transform_actions.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/transform_actions.ts
@@ -6,6 +6,8 @@
  */
 
 import type { RuleAction } from '@kbn/alerting-plugin/common';
+import type { NormalizedAlertAction } from '@kbn/alerting-plugin/server/rules_client';
+import type { NormalizedRuleAction } from './rule_management/api/rules/bulk_actions/request_schema';
 import type { ResponseAction, RuleResponseAction } from './rule_response_actions/schemas';
 import { RESPONSE_ACTION_TYPES } from './rule_response_actions/schemas';
 import type { RuleAlertAction } from './types';
@@ -46,6 +48,34 @@ export const transformAlertToRuleAction = ({
   ...(frequency && { frequency }),
 });
 
+export const transformNormalizedRuleToAlertAction = ({
+  group,
+  id,
+  params,
+  frequency,
+  alerts_filter: alertsFilter,
+}: NormalizedRuleAction): NormalizedAlertAction => ({
+  group,
+  id,
+  params,
+  ...(alertsFilter && { alertsFilter }),
+  ...(frequency && { frequency }),
+});
+
+export const transformAlertToNormalizedRuleAction = ({
+  group,
+  id,
+  params,
+  frequency,
+  alertsFilter,
+}: RuleAction): NormalizedRuleAction => ({
+  group,
+  id,
+  params,
+  ...(alertsFilter && { alerts_filter: alertsFilter }),
+  ...(frequency && { frequency }),
+});
+
 export const transformRuleToAlertResponseAction = ({
   action_type_id: actionTypeId,
   params,
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/rule_actions_form.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/rule_actions_form.tsx
index 903ff44dfba3f..358549d9dd55a 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/rule_actions_form.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/rule_actions_form.tsx
@@ -13,6 +13,7 @@ import type {
   ActionTypeRegistryContract,
 } from '@kbn/triggers-actions-ui-plugin/public';
 
+import { transformAlertToNormalizedRuleAction } from '../../../../../../../common/detection_engine/transform_actions';
 import type { FormSchema } from '../../../../../../shared_imports';
 import {
   useForm,
@@ -104,7 +105,7 @@ const RuleActionsFormComponent = ({ rulesCount, onClose, onConfirm }: RuleAction
     onConfirm({
       type: editAction,
       value: {
-        actions: actions.map(({ actionTypeId, ...action }) => action),
+        actions: actions.map(transformAlertToNormalizedRuleAction),
       },
     });
   }, [form, onConfirm]);
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/action_to_rules_client_operation.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/action_to_rules_client_operation.ts
index 29d285432dfdc..b463567838a38 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/action_to_rules_client_operation.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/action_to_rules_client_operation.ts
@@ -6,6 +6,7 @@
  */
 
 import type { BulkEditOperation } from '@kbn/alerting-plugin/server';
+import { transformNormalizedRuleToAlertAction } from '../../../../../../common/detection_engine/transform_actions';
 
 import type { BulkActionEditForRuleAttributes } from '../../../../../../common/detection_engine/rule_management/api/rules/bulk_actions/request_schema';
 import { BulkActionEditType } from '../../../../../../common/detection_engine/rule_management/api/rules/bulk_actions/request_schema';
@@ -55,7 +56,9 @@ export const bulkEditActionToRulesClientOperation = (
         {
           field: 'actions',
           operation: 'add',
-          value: transformToActionFrequency(action.value.actions, action.value.throttle),
+          value: transformToActionFrequency(action.value.actions, action.value.throttle).map(
+            transformNormalizedRuleToAlertAction
+          ),
         },
       ];
 
@@ -64,7 +67,9 @@ export const bulkEditActionToRulesClientOperation = (
         {
           field: 'actions',
           operation: 'set',
-          value: transformToActionFrequency(action.value.actions, action.value.throttle),
+          value: transformToActionFrequency(action.value.actions, action.value.throttle).map(
+            transformNormalizedRuleToAlertAction
+          ),
         },
       ];