[Security Solution][Detection Alerts] Alert tagging

packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts

@@ -33,6 +33,7 @@ import {
   ALERT_URL,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -173,6 +174,11 @@ export const alertFieldMap = {
     array: false,
     required: false,
   },
+  [ALERT_WORKFLOW_TAGS]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
   [SPACE_IDS]: {
     type: 'keyword',
     array: true,

packages/kbn-rule-data-utils/src/default_alerts_as_data.ts

@@ -67,6 +67,9 @@ const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
 // kibana.alert.workflow_status - open/closed status of alert
 const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
 
+// kibana.alert.workflow_tags - user workflow alert tags
+const ALERT_WORKFLOW_TAGS = `${ALERT_NAMESPACE}.workflow_tags` as const;
+
 // kibana.alert.rule.category - rule type name for rule that generated this alert
 const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
 
@@ -133,6 +136,7 @@ const fields = {
   ALERT_URL,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -171,6 +175,7 @@ export {
   ALERT_URL,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -33,6 +33,7 @@ import {
   ALERT_TIME_RANGE,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -169,6 +170,7 @@ const fields = {
   ALERT_UUID,
   ALERT_WORKFLOW_REASON,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   ALERT_WORKFLOW_USER,
   ALERT_RULE_UUID,
   ALERT_RULE_CATEGORY,

packages/kbn-securitysolution-ecs/src/index.ts

@@ -111,6 +111,7 @@ export interface EcsSecurityExtension {
   // Not representative of the parsed types that are camel cased.
   'kibana.alert.rule.parameters'?: { index: string[]; data_view_id?: string };
   'kibana.alert.workflow_status'?: 'open' | 'acknowledged' | 'in-progress' | 'closed';
+  'kibana.alert.workflow_tags'?: string[];
   // eslint-disable-next-line @typescript-eslint/naming-convention
   Memory_protection?: MemoryProtection;
   Ransomware?: Ransomware;
@@ -122,6 +123,7 @@ export interface EcsSecurityExtension {
   suricata?: SuricataEcs;
   system?: SystemEcs;
   timestamp?: string;
+  tags?: string[];
   winlog?: WinlogEcs;
   zeek?: ZeekEcs;
 }

src/plugins/kibana_usage_collection/server/collectors/management/schema.ts

@@ -18,6 +18,10 @@ export const stackManagementSchema: MakeSchemaFrom<UsageStats> = {
     type: 'keyword',
     _meta: { description: 'Default value of the setting was changed.' },
   },
+  'securitySolution:alertTags': {
+    type: 'keyword',
+    _meta: { description: 'Default value of the setting was changed.' },
+  },
   'securitySolution:newsFeedUrl': {
     type: 'keyword',
     _meta: { description: 'Default value of the setting was changed.' },

src/plugins/kibana_usage_collection/server/collectors/management/types.ts

@@ -12,6 +12,7 @@ export interface UsageStats {
    */
   'securitySolution:defaultIndex': string;
   'securitySolution:defaultThreatIndex': string;
+  'securitySolution:alertTags': string;
   'securitySolution:newsFeedUrl': string;
   'xpackReporting:customPdfLogo': string;
   'notifications:banner': string;

src/plugins/telemetry/schema/oss_plugins.json

@@ -8945,6 +8945,12 @@
             "description": "Non-default value of setting."
           }
         },
+        "securitySolution:alertTags": {
+          "type": "keyword",
+          "_meta": {
+            "description": "Default value of the setting was changed."
+          }
+        },
         "search:includeFrozen": {
           "type": "boolean",
           "_meta": {

x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts

@@ -296,6 +296,11 @@ it('matches snapshot', () => {
         "required": false,
         "type": "keyword",
       },
+      "kibana.alert.workflow_tags": Object {
+        "array": true,
+        "required": false,
+        "type": "keyword",
+      },
       "kibana.alert.workflow_user": Object {
         "array": false,
         "required": false,

x-pack/plugins/security_solution/common/constants.ts

@@ -6,6 +6,7 @@
  */
 
 import { RuleNotifyWhen } from '@kbn/alerting-plugin/common';
+import * as i18n from './translations';
 
 /**
  * as const
@@ -361,6 +362,7 @@ export const DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL =
   `${DETECTION_ENGINE_SIGNALS_URL}/migration_status` as const;
 export const DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL =
   `${DETECTION_ENGINE_SIGNALS_URL}/finalize_migration` as const;
+export const DETECTION_ENGINE_ALERT_TAGS_URL = `${DETECTION_ENGINE_SIGNALS_URL}/tags` as const;
 
 export const ALERTS_AS_DATA_URL = '/internal/rac/alerts' as const;
 export const ALERTS_AS_DATA_FIND_URL = `${ALERTS_AS_DATA_URL}/find` as const;
@@ -537,3 +539,10 @@ export const ALERTS_TABLE_REGISTRY_CONFIG_IDS = {
   RULE_DETAILS: `${APP_ID}-rule-details`,
   CASE: `${APP_ID}-case`,
 } as const;
+
+export const DEFAULT_ALERT_TAGS_KEY = 'securitySolution:alertTags' as const;
+export const DEFAULT_ALERT_TAGS_VALUE = [
+  i18n.DUPLICATE,
+  i18n.FALSE_POSITIVE,
+  i18n.FURTHER_INVESTIGATION_REQUIRED,
+] as const;

x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts

@@ -45,6 +45,9 @@ export type SignalIds = t.TypeOf<typeof signal_ids>;
 // TODO: Can this be more strict or is this is the set of all Elastic Queries?
 export const signal_status_query = t.object;
 
+export const alert_tag_query = t.record(t.string, t.unknown);
+export type AlertTagQuery = t.TypeOf<typeof alert_tag_query>;
+
 export const fields = t.array(t.string);
 export type Fields = t.TypeOf<typeof fields>;
 export const fieldsOrUndefined = t.union([fields, t.undefined]);
@@ -125,3 +128,10 @@ export const privilege = t.type({
 });
 
 export type Privilege = t.TypeOf<typeof privilege>;
+
+export const alert_tags = t.type({
+  tags_to_add: t.array(t.string),
+  tags_to_remove: t.array(t.string),
+});
+
+export type AlertTags = t.TypeOf<typeof alert_tags>;

x-pack/plugins/security_solution/common/detection_engine/schemas/request/set_alert_tags_schema.mock.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { SetAlertTagsSchema } from './set_alert_tags_schema';
+
+export const getSetAlertTagsRequestMock = (
+  tagsToAdd: string[] = [],
+  tagsToRemove: string[] = []
+): SetAlertTagsSchema => ({ tags: { tags_to_add: tagsToAdd, tags_to_remove: tagsToRemove } });

x-pack/plugins/security_solution/common/detection_engine/schemas/request/set_alert_tags_schema.ts

@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+import { alert_tag_query, alert_tags } from '../common/schemas';
+
+export const setAlertTagsSchema = t.intersection([
+  t.type({
+    tags: alert_tags,
+  }),
+  t.partial({
+    query: alert_tag_query,
+  }),
+]);
+
+export type SetAlertTagsSchema = t.TypeOf<typeof setAlertTagsSchema>;
+export type SetAlertTagsSchemaDecoded = SetAlertTagsSchema;

x-pack/plugins/security_solution/common/translations.ts

@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const DUPLICATE = i18n.translate('xpack.securitySolution.defaultAlertTags.duplicate', {
+  defaultMessage: 'Duplicate',
+});
+
+export const FALSE_POSITIVE = i18n.translate(
+  'xpack.securitySolution.defaultAlertTags.falsePositive',
+  {
+    defaultMessage: 'False Positive',
+  }
+);
+
+export const FURTHER_INVESTIGATION_REQUIRED = i18n.translate(
+  'xpack.securitySolution.defaultAlertTags.furtherInvestigationRequired',
+  {
+    defaultMessage: 'Further investigation required',
+  }
+);

x-pack/plugins/security_solution/public/common/components/event_details/overview/status_popover_button.tsx

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { EuiContextMenuPanel, EuiPopover, EuiPopoverTitle } from '@elastic/eui';
+import { EuiContextMenu, EuiPopover, EuiPopoverTitle } from '@elastic/eui';
 import React, { useCallback, useMemo, useState } from 'react';
 
 import { useAlertsActions } from '../../../../detections/components/alerts_table/timeline_actions/use_alerts_actions';
@@ -56,6 +56,8 @@ export const StatusPopoverButton = React.memo<StatusPopoverButtonProps>(
       refetch: refetchGlobalQuery,
     });
 
+    const panels = useMemo(() => [{ id: 0, items: actionItems }], [actionItems]);
+
     // statusPopoverVisible includes the logic for the visibility of the popover in
     // case actionItems is an empty array ( ex, when user has read access ).
     const statusPopoverVisible = useMemo(() => actionItems.length > 0, [actionItems]);
@@ -94,9 +96,10 @@ export const StatusPopoverButton = React.memo<StatusPopoverButtonProps>(
         data-test-subj="alertStatus"
       >
         <EuiPopoverTitle paddingSize="m">{CHANGE_ALERT_STATUS}</EuiPopoverTitle>
-        <EuiContextMenuPanel
+        <EuiContextMenu
+          panels={panels}
+          initialPanelId={0}
           data-test-subj="event-details-alertStatusPopover"
-          items={actionItems}
         />
       </EuiPopover>
     );

x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/alert_bulk_tags.test.tsx

@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { render } from '@testing-library/react';
+import React from 'react';
+import { TestProviders } from '../../../mock';
+import { useUiSetting$ } from '../../../lib/kibana';
+
+import { BulkAlertTagsPanel } from './alert_bulk_tags';
+import { ALERT_WORKFLOW_TAGS } from '@kbn/rule-data-utils';
+import { useAppToasts } from '../../../hooks/use_app_toasts';
+import { useSetAlertTags } from './use_set_alert_tags';
+
+jest.mock('../../../lib/kibana');
+jest.mock('../../../hooks/use_app_toasts');
+jest.mock('./use_set_alert_tags');
+
+const mockTagItems = [
+  {
+    _id: 'test-id',
+    data: [{ field: ALERT_WORKFLOW_TAGS, value: ['tag-1', 'tag-2'] }],
+    ecs: { _id: 'test-id' },
+  },
+];
+
+(useUiSetting$ as jest.Mock).mockReturnValue(['default-test-tag']);
+(useAppToasts as jest.Mock).mockReturnValue({
+  addError: jest.fn(),
+  addSuccess: jest.fn(),
+  addWarning: jest.fn(),
+});
+(useSetAlertTags as jest.Mock).mockReturnValue({
+  setAlertTags: jest.fn(),
+});
+
+describe('BulkAlertTagsPanel', () => {
+  test('it renders', () => {
+    const wrapper = render(
+      <TestProviders>
+        <BulkAlertTagsPanel
+          alertItems={mockTagItems}
+          setIsLoading={() => {}}
+          closePopoverMenu={() => {}}
+        />
+      </TestProviders>
+    );
+
+    expect(wrapper.queryByTestId('alert-tags-selectable-menu')).toBeTruthy();
+  });
+});