[Security Solution][Detection Alerts] Alert tagging

packages/kbn-securitysolution-ecs/src/index.ts

@@ -122,6 +122,7 @@ export interface EcsSecurityExtension {
   suricata?: SuricataEcs;
   system?: SystemEcs;
   timestamp?: string;
+  tags?: string[];
   winlog?: WinlogEcs;
   zeek?: ZeekEcs;
 }

src/plugins/kibana_usage_collection/server/collectors/management/schema.ts

@@ -18,6 +18,10 @@ export const stackManagementSchema: MakeSchemaFrom<UsageStats> = {
     type: 'keyword',
     _meta: { description: 'Default value of the setting was changed.' },
   },
+  'securitySolution:alertTags': {
+    type: 'keyword',
+    _meta: { description: 'Default value of the setting was changed.' },
+  },
   'securitySolution:newsFeedUrl': {
     type: 'keyword',
     _meta: { description: 'Default value of the setting was changed.' },

src/plugins/kibana_usage_collection/server/collectors/management/types.ts

@@ -12,6 +12,7 @@ export interface UsageStats {
    */
   'securitySolution:defaultIndex': string;
   'securitySolution:defaultThreatIndex': string;
+  'securitySolution:alertTags': string;
   'securitySolution:newsFeedUrl': string;
   'xpackReporting:customPdfLogo': string;
   'notifications:banner': string;

src/plugins/telemetry/schema/oss_plugins.json

@@ -8683,6 +8683,12 @@
             "description": "Non-default value of setting."
           }
         },
+        "securitySolution:alertTags": {
+          "type": "keyword",
+          "_meta": {
+            "description": "Default value of the setting was changed."
+          }
+        },
         "search:includeFrozen": {
           "type": "boolean",
           "_meta": {

x-pack/plugins/security_solution/common/constants.ts

@@ -6,6 +6,7 @@
  */
 
 import { RuleNotifyWhen } from '@kbn/alerting-plugin/common';
+import * as i18n from './translations';
 
 /**
  * as const
@@ -359,6 +360,7 @@ export const DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL =
   `${DETECTION_ENGINE_SIGNALS_URL}/migration_status` as const;
 export const DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL =
   `${DETECTION_ENGINE_SIGNALS_URL}/finalize_migration` as const;
+export const DETECTION_ENGINE_ALERT_TAGS_URL = `${DETECTION_ENGINE_SIGNALS_URL}/tags` as const;
 
 export const ALERTS_AS_DATA_URL = '/internal/rac/alerts' as const;
 export const ALERTS_AS_DATA_FIND_URL = `${ALERTS_AS_DATA_URL}/find` as const;
@@ -535,3 +537,10 @@ export const ALERTS_TABLE_REGISTRY_CONFIG_IDS = {
   RULE_DETAILS: `${APP_ID}-rule-details`,
   CASE: `${APP_ID}-case`,
 } as const;
+
+export const DEFAULT_ALERT_TAGS_KEY = 'securitySolution:alertTags' as const;
+export const DEFAULT_ALERT_TAGS_VALUE = [
+  i18n.DUPLICATE,
+  i18n.FALSE_POSITIVE,
+  i18n.FURTHER_INVESTIGATION_REQUIRED,
+] as const;

x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts

@@ -45,6 +45,8 @@ export type SignalIds = t.TypeOf<typeof signal_ids>;
 // TODO: Can this be more strict or is this is the set of all Elastic Queries?
 export const signal_status_query = t.object;
 
+export const alert_tag_query = t.object; // TODO: i agree with the above TODO
+
 export const fields = t.array(t.string);
 export type Fields = t.TypeOf<typeof fields>;
 export const fieldsOrUndefined = t.union([fields, t.undefined]);
@@ -125,3 +127,10 @@ export const privilege = t.type({
 });
 
 export type Privilege = t.TypeOf<typeof privilege>;
+
+export const alert_tags = t.type({
+  tags_to_add: t.array(t.string),
+  tags_to_remove: t.array(t.string),
+});
+
+export type AlertTags = t.TypeOf<typeof alert_tags>;

x-pack/plugins/security_solution/common/detection_engine/schemas/request/set_alert_tags_schema.ts

@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+import { alert_tag_query, alert_tags } from '../common/schemas';
+
+export const setAlertTagsSchema = t.intersection([
+  t.type({
+    tags: alert_tags,
+  }),
+  t.partial({
+    query: alert_tag_query,
+  }),
+]);
+
+export type SetAlertTagsSchema = t.TypeOf<typeof setAlertTagsSchema>;
+export type SetAlertTagsSchemaDecoded = SetAlertTagsSchema;

x-pack/plugins/security_solution/common/translations.ts

@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const DUPLICATE = i18n.translate('xpack.securitySolution.defaultAlertTags.duplicate', {
+  defaultMessage: 'Duplicate',
+});
+
+export const FALSE_POSITIVE = i18n.translate(
+  'xpack.securitySolution.defaultAlertTags.falsePositive',
+  {
+    defaultMessage: 'False Positive',
+  }
+);
+
+export const FURTHER_INVESTIGATION_REQUIRED = i18n.translate(
+  'xpack.securitySolution.defaultAlertTags.furtherInvestigationRequired',
+  {
+    defaultMessage: 'Further investigation required',
+  }
+);

x-pack/plugins/security_solution/public/common/components/event_details/overview/status_popover_button.tsx

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { EuiContextMenuPanel, EuiPopover, EuiPopoverTitle } from '@elastic/eui';
+import { EuiContextMenu, EuiPopover, EuiPopoverTitle } from '@elastic/eui';
 import React, { useCallback, useMemo, useState } from 'react';
 
 import { useAlertsActions } from '../../../../detections/components/alerts_table/timeline_actions/use_alerts_actions';
@@ -56,6 +56,8 @@ export const StatusPopoverButton = React.memo<StatusPopoverButtonProps>(
       refetch: refetchGlobalQuery,
     });
 
+    const panels = useMemo(() => [{ id: 0, items: actionItems }], [actionItems]);
+
     // statusPopoverVisible includes the logic for the visibility of the popover in
     // case actionItems is an empty array ( ex, when user has read access ).
     const statusPopoverVisible = useMemo(() => actionItems.length > 0, [actionItems]);
@@ -94,9 +96,10 @@ export const StatusPopoverButton = React.memo<StatusPopoverButtonProps>(
         data-test-subj="alertStatus"
       >
         <EuiPopoverTitle paddingSize="m">{CHANGE_ALERT_STATUS}</EuiPopoverTitle>
-        <EuiContextMenuPanel
+        <EuiContextMenu
+          panels={panels}
+          initialPanelId={0}
           data-test-subj="event-details-alertStatusPopover"
-          items={actionItems}
         />
       </EuiPopover>
     );

x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/alert_bulk_tags.tsx

@@ -0,0 +1,170 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { EuiSelectableOption } from '@elastic/eui';
+import { EuiPopoverTitle, EuiSelectable, EuiButton } from '@elastic/eui';
+import type { TimelineItem } from '@kbn/timelines-plugin/common';
+import React, { memo, useCallback, useMemo, useState } from 'react';
+import { TAGS } from '@kbn/rule-data-utils';
+import type { EuiSelectableOnChangeEvent } from '@elastic/eui/src/components/selectable/selectable';
+import { getUpdateAlertsQuery } from '../../../../detections/components/alerts_table/actions';
+import { DEFAULT_ALERT_TAGS_KEY } from '../../../../../common/constants';
+import { useUiSetting$ } from '../../../lib/kibana';
+import { useSetAlertTags } from './use_set_alert_tags';
+import { useAppToasts } from '../../../hooks/use_app_toasts';
+import * as i18n from './translations';
+import { createInitialTagsState } from './helpers';
+
+interface BulkAlertTagsPanelComponentProps {
+  alertItems: TimelineItem[];
+  refetchQuery?: () => void;
+  setIsLoading: (isLoading: boolean) => void;
+  refresh?: () => void;
+  clearSelection?: () => void;
+  closePopoverMenu: () => void;
+}
+const BulkAlertTagsPanelComponent: React.FC<BulkAlertTagsPanelComponentProps> = ({
+  alertItems,
+  refresh,
+  refetchQuery,
+  setIsLoading,
+  clearSelection,
+  closePopoverMenu,
+}) => {
+  const [defaultAlertTagOptions] = useUiSetting$<string[]>(DEFAULT_ALERT_TAGS_KEY);
+  const { addSuccess, addError, addWarning } = useAppToasts();
+
+  const { setAlertTags } = useSetAlertTags();
+  const existingTags = useMemo(
+    () => alertItems.map((item) => item.data.find((data) => data.field === TAGS)?.value ?? []),
+    [alertItems]
+  );
+  const initalTagsState = useMemo(
+    () => createInitialTagsState(existingTags, defaultAlertTagOptions),
+    [existingTags, defaultAlertTagOptions]
+  );
+
+  const tagsToAdd: Record<string, boolean> = useMemo(() => ({}), []);
+  const tagsToRemove: Record<string, boolean> = useMemo(() => ({}), []);
+
+  const onUpdateSuccess = useCallback(
+    (updated: number, conflicts: number) => {
+      if (conflicts > 0) {
+        addWarning({
+          title: i18n.UPDATE_ALERT_TAGS_FAILED(conflicts),
+          text: i18n.UPDATE_ALERT_TAGS_FAILED_DETAILED(updated, conflicts),
+        });
+      } else {
+        addSuccess(i18n.UPDATE_ALERT_TAGS_SUCCESS_TOAST(updated));
+      }
+    },
+    [addSuccess, addWarning]
+  );
+
+  const onUpdateFailure = useCallback(
+    (error: Error) => {
+      addError(error.message, { title: i18n.UPDATE_ALERT_TAGS_FAILURE });
+    },
+    [addError]
+  );
+
+  const [selectableAlertTags, setSelectableAlertTags] =
+    useState<EuiSelectableOption[]>(initalTagsState);
+
+  const onTagsUpdate = useCallback(async () => {
+    closePopoverMenu();
+    const ids = alertItems.map((item) => item._id);
+    const query: Record<string, unknown> = getUpdateAlertsQuery(ids).query;
+    const tagsToAddArray = Object.keys(tagsToAdd);
+    const tagsToRemoveArray = Object.keys(tagsToRemove);
+    try {
+      setIsLoading(true);
+
+      const response = await setAlertTags({
+        tags: { tags_to_add: tagsToAddArray, tags_to_remove: tagsToRemoveArray },
+        query,
+      });
+
+      setIsLoading(false);
+      if (refetchQuery) refetchQuery();
+      if (refresh) refresh();
+      if (clearSelection) clearSelection();
+
+      if (response.version_conflicts && ids.length === 1) {
+        throw new Error(i18n.BULK_ACTION_FAILED_SINGLE_ALERT);
+      }
+
+      onUpdateSuccess(response.updated ?? 0, response.version_conflicts ?? 0);
+    } catch (err) {
+      onUpdateFailure(err);
+    }
+  }, [
+    closePopoverMenu,
+    alertItems,
+    tagsToAdd,
+    tagsToRemove,
+    setIsLoading,
+    setAlertTags,
+    refetchQuery,
+    refresh,
+    clearSelection,
+    onUpdateSuccess,
+    onUpdateFailure,
+  ]);
+
+  const handleTagsOnChange = (
+    newOptions: EuiSelectableOption[],
+    event: EuiSelectableOnChangeEvent,
+    changedOption: EuiSelectableOption
+  ) => {
+    if (changedOption.checked === 'off') {
+      // Don't allow intermediate state when selecting, only from initial state
+      newOptions[newOptions.findIndex((option) => option.label === changedOption.label)] = {
+        ...changedOption,
+        checked: undefined,
+      };
+      tagsToRemove[changedOption.label] = true;
+      delete tagsToAdd[changedOption.label];
+    } else if (changedOption.checked === 'on') {
+      tagsToAdd[changedOption.label] = true;
+      delete tagsToRemove[changedOption.label];
+    } else if (!changedOption.checked) {
+      tagsToRemove[changedOption.label] = true;
+      delete tagsToAdd[changedOption.label];
+    }
+    setSelectableAlertTags(newOptions);
+  };
+
+  return (
+    <>
+      <EuiSelectable
+        allowExclusions
+        searchable
+        searchProps={{
+          placeholder: i18n.ALERT_TAGS_MENU_SEARCH_PLACEHOLDER,
+        }}
+        aria-label={i18n.ALERT_TAGS_MENU_SEARCH_PLACEHOLDER}
+        options={selectableAlertTags}
+        onChange={handleTagsOnChange}
+        emptyMessage={i18n.ALERT_TAGS_MENU_EMPTY}
+        noMatchesMessage={i18n.ALERT_TAGS_MENU_SEARCH_NO_TAGS_FOUND}
+      >
+        {(list, search) => (
+          <div>
+            <EuiPopoverTitle>{search}</EuiPopoverTitle>
+            {list}
+          </div>
+        )}
+      </EuiSelectable>
+      <EuiButton fullWidth size="s" onClick={onTagsUpdate}>
+        {i18n.ALERT_TAGS_UPDATE_BUTTON_MESSAGE}
+      </EuiButton>
+    </>
+  );
+};
+
+export const BulkAlertTagsPanel = memo(BulkAlertTagsPanelComponent);

x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/helpers.test.ts

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createInitialTagsState } from './helpers';
+
+const defaultTags = ['test 1', 'test 2', 'test 3'];
+
+describe('createInitialTagsState', () => {
+  it('should return default tags if no existing tags are provided ', () => {
+    const initialState = createInitialTagsState([], defaultTags);
+    expect(initialState).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "checked": undefined,
+          "label": "test 1",
+        },
+        Object {
+          "checked": undefined,
+          "label": "test 2",
+        },
+        Object {
+          "checked": undefined,
+          "label": "test 3",
+        },
+      ]
+    `);
+  });
+});

x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/helpers.ts

@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { EuiSelectableOption } from '@elastic/eui';
+import { intersection, union } from 'lodash';
+
+export const createInitialTagsState = (existingTags: string[][], defaultTags: string[]) => {
+  const existingTagsIntersection = intersection(...existingTags);
+  const existingTagsUnion = union(...existingTags);
+  const allTagsUnion = union(existingTagsUnion, defaultTags);
+  return allTagsUnion
+    .map((tag): EuiSelectableOption => {
+      return {
+        label: tag,
+        checked: existingTagsIntersection.includes(tag)
+          ? 'on'
+          : existingTagsUnion.includes(tag)
+          ? 'off'
+          : undefined,
+      };
+    })
+    .sort((a, b) => (a.checked ? a.checked < b.checked : true));
+};