From fcf838e1f389cae6fcaeb9f7bce713123a01c939 Mon Sep 17 00:00:00 2001
From: Pete Hampton <pjhampton@users.noreply.github.com>
Date: Mon, 21 Aug 2023 21:02:00 +0100
Subject: [PATCH 1/3] Add threat indicator fields to prebuilt rule filterlist.
 (#164275)

## Summary

Adds a filterlist entry for threat indicator match rules to the prebuilt
rule alert filterlist.
I will open an OOB artifact separately.

### Checklist

Delete any items that are not applicable to this PR.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)


### Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.

When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:

| Risk | Probability | Severity | Mitigation/Notes |

|---------------------------|-------------|----------|-------------------------|
| Multiple Spaces&mdash;unexpected behavior in non-default Kibana Space.
| Low | High | Integration tests will verify that all features are still
supported in non-default Kibana Space and when user switches between
spaces. |
| Multiple nodes&mdash;Elasticsearch polling might have race conditions
when multiple Kibana nodes are polling for the same tasks. | High | Low
| Tasks are idempotent, so executing them multiple times will not result
in logical error, but will degrade performance. To test for this case we
add plenty of unit tests around this logic and document manual testing
procedure. |
| Code should gracefully handle cases when feature X or plugin Y are
disabled. | Medium | High | Unit tests will verify that any feature flag
or plugin combination still results in our service operational. |
| [See more potential risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) |


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---
 .../lib/telemetry/filterlists/index.test.ts   | 23 ++++++++++
 .../filterlists/prebuilt_rules_alerts.ts      | 46 +++++++++++++++++++
 2 files changed, 69 insertions(+)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/index.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/index.test.ts
index 2cfb0a4ff1f64..d63fa7510f495 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/index.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/index.test.ts
@@ -255,5 +255,28 @@ describe('Security Telemetry filters', () => {
         'kubernetes.pod.ip': '10-245-0-5',
       });
     });
+
+    it('copies over threat indicator fields', () => {
+      const event = {
+        not_event: 'much data, much wow',
+        threat: {
+          feed: {
+            name: 'test_feed',
+            reference: 'test',
+            description: 'this is a test description',
+            dashboard_id: '69c33c01-f856-42c6-b23f-4a6e1c98fe82',
+          },
+        },
+      };
+      expect(copyAllowlistedFields(prebuiltRuleAllowlistFields, event)).toStrictEqual({
+        threat: {
+          feed: {
+            name: 'test_feed',
+            reference: 'test',
+            description: 'this is a test description',
+          },
+        },
+      });
+    });
   });
 });
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/prebuilt_rules_alerts.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/prebuilt_rules_alerts.ts
index 0c74f4dd35508..98d4816e01cee 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/prebuilt_rules_alerts.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/prebuilt_rules_alerts.ts
@@ -205,6 +205,52 @@ export const prebuiltRuleAllowlistFields: AllowlistFields = {
     name: true,
   },
   source: true,
+  threat: {
+    enrichments: {
+      indicator: {
+        confidence: true,
+        description: true,
+        email: {
+          address: true,
+        },
+        first_seen: true,
+        ip: true,
+        last_seen: true,
+        marking: {
+          tlp: true,
+          tlp_version: true,
+        },
+        modified_at: true,
+        name: true,
+        port: true,
+        provider: true,
+        reference: true,
+        scanner_stats: true,
+        sightings: true,
+        type: true,
+        matched: {
+          atomic: true,
+          field: true,
+          id: true,
+          index: true,
+          occurred: true,
+          type: true,
+        },
+      },
+    },
+    feed: {
+      description: true,
+      name: true,
+      reference: true,
+    },
+    framework: true,
+    group: {
+      alias: true,
+      id: true,
+      name: true,
+      reference: true,
+    },
+  },
   tls: {
     server: {
       hash: true,

From 43135b6a5dd88f297ec721dc2b9504a16be839e9 Mon Sep 17 00:00:00 2001
From: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Date: Mon, 21 Aug 2023 22:25:55 +0200
Subject: [PATCH 2/3] [Security Solution] Enable Detections Coverage Overview
 dashboard by default (#164343)

**Epic:** https://github.com/elastic/security-team/issues/2905
(internal)

## Summary

Enables the Detections Coverage Overview dashboard feature flag by
default. We're aiming to release this feature in 8.10.

Before the last BC, we will:

- remove the flag if we're confident that we should release the feature
in 8.10
- otherwise, revert the flag back to `false` by default
---
 .../plugins/security_solution/common/experimental_features.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index 8393ef508c097..7314277c440f2 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -92,11 +92,11 @@ export const allowedExperimentalValues = Object.freeze({
   /**
    * Enables Protections/Detections Coverage Overview page (Epic link https://github.com/elastic/security-team/issues/2905)
    *
-   * This flag aims to facilitate the development process as the feature may not make it to 8.9 release.
+   * This flag aims to facilitate the development process as the feature may not make it to 8.10 release.
    *
    * The flag doesn't have to be documented and has to be removed after the feature is ready to release.
    */
-  detectionsCoverageOverview: false,
+  detectionsCoverageOverview: true,
 
   /**
    * Enable risk engine client and initialisation of datastream, component templates and mappings

From 823890034079c146ccc012de6f9d84aed9da3674 Mon Sep 17 00:00:00 2001
From: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Date: Mon, 21 Aug 2023 22:47:54 +0200
Subject: [PATCH 3/3] [Security Solution] Update CODEOWNERS for the Detection
 Engine team (#164359)

## Summary

This PR updates the COEOWNERS file by adding missing Cypress tests
folders owned by the @elastic/security-detection-engine team.
---
 .github/CODEOWNERS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index fbc2b28e9f8a5..2add1ca0d24c5 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1227,6 +1227,8 @@ x-pack/plugins/cloud_integrations/cloud_full_story/server/config.ts @elastic/kib
 /x-pack/plugins/security_solution/server/lib/sourcerer @elastic/security-detection-engine
 
 /x-pack/test/security_solution_cypress/cypress/e2e/data_sources @elastic/security-detection-engine
+/x-pack/test/security_solution_cypress/cypress/e2e/detection_alerts @elastic/security-detection-engine
+/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_actions @elastic/security-detection-engine
 /x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation @elastic/security-detection-engine
 /x-pack/test/security_solution_cypress/cypress/e2e/detection_response/value_lists @elastic/security-detection-engine
 /x-pack/test/security_solution_cypress/cypress/e2e/entity_analytics @elastic/security-detection-engine