[Detection Engine] Adds Alert Suppression to ML Rules

packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml

@@ -35,6 +35,7 @@ viewer:
         - '.fleet-actions*'
         - 'risk-score.risk-score-*'
         - '.asset-criticality.asset-criticality-*'
+        - '.ml-anomalies-*'
       privileges:
         - read
   applications:
@@ -100,6 +101,10 @@ editor:
         - 'read'
         - 'write'
       allow_restricted_indices: false
+    - names:
+        - '.ml-anomalies-*'
+      privileges:
+        - read
   applications:
     - application: 'kibana-.kibana'
       privileges:
@@ -154,6 +159,7 @@ t1_analyst:
         - '.fleet-actions*'
         - risk-score.risk-score-*
         - .asset-criticality.asset-criticality-*
+        - '.ml-anomalies-*'
       privileges:
         - read
   applications:
@@ -201,6 +207,7 @@ t2_analyst:
         - .fleet-agents*
         - .fleet-actions*
         - risk-score.risk-score-*
+        - '.ml-anomalies-*'
       privileges:
         - read
     - names:
@@ -262,6 +269,7 @@ t3_analyst:
         - .fleet-agents*
         - .fleet-actions*
         - risk-score.risk-score-*
+        - '.ml-anomalies-*'
       privileges:
         - read
   applications:
@@ -331,6 +339,7 @@ threat_intelligence_analyst:
         - .fleet-agents*
         - .fleet-actions*
         - risk-score.risk-score-*
+        - '.ml-anomalies-*'
       privileges:
         - read
   applications:
@@ -389,6 +398,7 @@ rule_author:
         - .fleet-agents*
         - .fleet-actions*
         - risk-score.risk-score-*
+        - '.ml-anomalies-*'
       privileges:
         - read
   applications:
@@ -453,6 +463,7 @@ soc_manager:
         - .fleet-agents*
         - .fleet-actions*
         - risk-score.risk-score-*
+        - '.ml-anomalies-*'
       privileges:
         - read
   applications:
@@ -513,6 +524,7 @@ detections_admin:
         - metrics-endpoint.metadata_current_*
         - .fleet-agents*
         - .fleet-actions*
+        - '.ml-anomalies-*'
       privileges:
         - read
     - names:
@@ -570,6 +582,10 @@ platform_engineer:
       privileges:
         - read
         - write
+    - names:
+        - '.ml-anomalies-*'
+      privileges:
+        - read
   applications:
     - application: 'kibana-.kibana'
       privileges:
@@ -620,6 +636,7 @@ endpoint_operations_analyst:
         - .lists*
         - .items*
         - risk-score.risk-score-*
+        - '.ml-anomalies-*'
       privileges:
         - read
     - names:
@@ -710,6 +727,10 @@ endpoint_policy_manager:
         - read
         - write
         - manage
+    - names:
+        - '.ml-anomalies-*'
+      privileges:
+        - read
   applications:
     - application: 'kibana-.kibana'
       privileges:

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_request_schema.test.ts

@@ -1272,6 +1272,7 @@ describe('rules schema', () => {
       { ruleType: 'saved_query', ruleMock: getCreateSavedQueryRulesSchemaMock() },
       { ruleType: 'eql', ruleMock: getCreateEqlRuleSchemaMock() },
       { ruleType: 'new_terms', ruleMock: getCreateNewTermsRulesSchemaMock() },
+      { ruleType: 'machine_learning', ruleMock: getCreateMachineLearningRulesSchemaMock() },
     ];
 
     cases.forEach(({ ruleType, ruleMock }) => {

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts

@@ -468,14 +468,25 @@ export const MachineLearningRuleRequiredFields = z.object({
   machine_learning_job_id: MachineLearningJobId,
 });
 
+export type MachineLearningRuleOptionalFields = z.infer<typeof MachineLearningRuleOptionalFields>;
+export const MachineLearningRuleOptionalFields = z.object({
+  alert_suppression: AlertSuppression.optional(),
+});
+
 export type MachineLearningRulePatchFields = z.infer<typeof MachineLearningRulePatchFields>;
-export const MachineLearningRulePatchFields = MachineLearningRuleRequiredFields.partial();
+export const MachineLearningRulePatchFields = MachineLearningRuleRequiredFields.partial().merge(
+  MachineLearningRuleOptionalFields
+);
 
 export type MachineLearningRuleResponseFields = z.infer<typeof MachineLearningRuleResponseFields>;
-export const MachineLearningRuleResponseFields = MachineLearningRuleRequiredFields;
+export const MachineLearningRuleResponseFields = MachineLearningRuleRequiredFields.merge(
+  MachineLearningRuleOptionalFields
+);
 
 export type MachineLearningRuleCreateFields = z.infer<typeof MachineLearningRuleCreateFields>;
-export const MachineLearningRuleCreateFields = MachineLearningRuleRequiredFields;
+export const MachineLearningRuleCreateFields = MachineLearningRuleRequiredFields.merge(
+  MachineLearningRuleOptionalFields
+);
 
 export type MachineLearningRule = z.infer<typeof MachineLearningRule>;
 export const MachineLearningRule = SharedResponseProps.merge(MachineLearningRuleResponseFields);

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml

@@ -686,18 +686,27 @@ components:
         - machine_learning_job_id
         - anomaly_threshold
 
+    MachineLearningRuleOptionalFields:
+      type: object
+      properties:
+        alert_suppression:
+          $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
+
     MachineLearningRulePatchFields:
       allOf:
         - $ref: '#/components/schemas/MachineLearningRuleRequiredFields'
           x-modify: partial
+        - $ref: '#/components/schemas/MachineLearningRuleOptionalFields'
 
     MachineLearningRuleResponseFields:
       allOf:
         - $ref: '#/components/schemas/MachineLearningRuleRequiredFields'
+        - $ref: '#/components/schemas/MachineLearningRuleOptionalFields'
 
     MachineLearningRuleCreateFields:
       allOf:
         - $ref: '#/components/schemas/MachineLearningRuleRequiredFields'
+        - $ref: '#/components/schemas/MachineLearningRuleOptionalFields'
 
     MachineLearningRule:
       allOf:

x-pack/plugins/security_solution/common/detection_engine/constants.ts

@@ -47,6 +47,7 @@ export const SUPPRESSIBLE_ALERT_RULES: Type[] = [
   'new_terms',
   'threat_match',
   'eql',
+  'machine_learning',
 ];
 
 export const SUPPRESSIBLE_ALERT_RULES_GA: Type[] = ['saved_query', 'query'];

x-pack/plugins/security_solution/common/detection_engine/utils.test.ts

@@ -236,9 +236,7 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressibleAlertRule('threat_match')).toBe(true);
       expect(isSuppressibleAlertRule('new_terms')).toBe(true);
       expect(isSuppressibleAlertRule('eql')).toBe(true);
-
-      // Rule types that don't support alert suppression:
-      expect(isSuppressibleAlertRule('machine_learning')).toBe(false);
+      expect(isSuppressibleAlertRule('machine_learning')).toBe(true);
     });
 
     test('should return false for an unknown rule type', () => {
@@ -273,9 +271,7 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressionRuleConfiguredWithDuration('threat_match')).toBe(true);
       expect(isSuppressionRuleConfiguredWithDuration('new_terms')).toBe(true);
       expect(isSuppressionRuleConfiguredWithDuration('eql')).toBe(true);
-
-      // Rule types that don't support alert suppression:
-      expect(isSuppressionRuleConfiguredWithDuration('machine_learning')).toBe(false);
+      expect(isSuppressionRuleConfiguredWithDuration('machine_learning')).toBe(true);
     });
 
     test('should return false for an unknown rule type', () => {
@@ -294,9 +290,7 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressionRuleConfiguredWithGroupBy('threat_match')).toBe(true);
       expect(isSuppressionRuleConfiguredWithGroupBy('new_terms')).toBe(true);
       expect(isSuppressionRuleConfiguredWithGroupBy('eql')).toBe(true);
-
-      // Rule types that don't support alert suppression:
-      expect(isSuppressionRuleConfiguredWithGroupBy('machine_learning')).toBe(false);
+      expect(isSuppressionRuleConfiguredWithGroupBy('machine_learning')).toBe(true);
     });
 
     test('should return false for a threshold rule type', () => {
@@ -320,9 +314,7 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressionRuleConfiguredWithMissingFields('threat_match')).toBe(true);
       expect(isSuppressionRuleConfiguredWithMissingFields('new_terms')).toBe(true);
       expect(isSuppressionRuleConfiguredWithMissingFields('eql')).toBe(true);
-
-      // Rule types that don't support alert suppression:
-      expect(isSuppressionRuleConfiguredWithMissingFields('machine_learning')).toBe(false);
+      expect(isSuppressionRuleConfiguredWithMissingFields('machine_learning')).toBe(true);
     });
 
     test('should return false for a threshold rule type', () => {

x-pack/plugins/security_solution/common/experimental_features.ts

@@ -175,6 +175,11 @@ export const allowedExperimentalValues = Object.freeze({
    */
   riskEnginePrivilegesRouteEnabled: true,
 
+  /**
+   * Enables alerts suppression for machine learning rules
+   */
+  alertSuppressionForMachineLearningRuleEnabled: false,
+
   /**
    * Enables experimental Experimental S1 integration data to be available in Analyzer
    */

x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_config.ts

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMemo } from 'react';
+import type { DataViewFieldBase } from '@kbn/es-query';
+
+import { getTermsAggregationFields } from '../../../../detection_engine/rule_creation_ui/components/step_define_rule/utils';
+import { useRuleFields } from '../../../../detection_engine/rule_management/logic/use_rule_fields';
+import type { BrowserField } from '../../../containers/source';
+import { useMlCapabilities } from './use_ml_capabilities';
+import { useMlRuleValidations } from './use_ml_rule_validations';
+import { hasMlAdminPermissions } from '../../../../../common/machine_learning/has_ml_admin_permissions';
+import { hasMlLicense } from '../../../../../common/machine_learning/has_ml_license';
+
+export interface UseMlRuleConfigReturn {
+  hasMlAdminPermissions: boolean;
+  hasMlLicense: boolean;
+  mlFields: DataViewFieldBase[];
+  mlFieldsLoading: boolean;
+  mlSuppressionFields: BrowserField[];
+  noMlJobsStarted: boolean;
+  someMlJobsStarted: boolean;
+}
+
+/**
+ * This hook is used to retrieve the various configurations and status needed for creating/editing an ML Rule in the Detection Engine UI. It composes several other ML hooks.
+ *
+ * @param machineLearningJobId The ID(s) of the ML job to retrieve the configuration for
+ *
+ * @returns {UseMlRuleConfigReturn} An object containing the various configurations and statuses needed for creating/editing an ML Rule
+ *
+ */
+export const useMLRuleConfig = ({
+  machineLearningJobId,
+}: {
+  machineLearningJobId: string[];
+}): UseMlRuleConfigReturn => {
+  const mlCapabilities = useMlCapabilities();
+  const { someJobsStarted: someMlJobsStarted, noJobsStarted: noMlJobsStarted } =
+    useMlRuleValidations({ machineLearningJobId });
+  const { loading: mlFieldsLoading, fields: mlFields } = useRuleFields({
+    machineLearningJobId,
+  });
+  const mlSuppressionFields = useMemo(
+    () => getTermsAggregationFields(mlFields as BrowserField[]),
+    [mlFields]
+  );
+
+  return {
+    hasMlAdminPermissions: hasMlAdminPermissions(mlCapabilities),
+    hasMlLicense: hasMlLicense(mlCapabilities),
+    mlFields,
+    mlFieldsLoading,
+    mlSuppressionFields,
+    noMlJobsStarted,
+    someMlJobsStarted,
+  };
+};