[Security Solution] [Detections] Adds support for system actions (and cases action) to detection rules

packages/kbn-securitysolution-io-ts-alerting-types/src/actions/index.ts

@@ -110,12 +110,12 @@ export type RuleActionCamel = t.TypeOf<typeof RuleActionCamel>;
 export const RuleActionCamel = t.exact(
   t.intersection([
     t.type({
-      group: RuleActionGroup,
       id: RuleActionId,
       actionTypeId: RuleActionTypeId,
       params: RuleActionParams,
     }),
     t.partial({
+      group: RuleActionGroup,
       uuid: RuleActionUuid,
       alertsFilter: RuleActionAlertsFilter,
       frequency: RuleActionFrequency,

x-pack/plugins/cases/server/connectors/cases/index.ts

@@ -56,7 +56,7 @@ export const getCasesConnectorType = ({
     config: CasesConnectorConfigSchema,
     secrets: CasesConnectorSecretsSchema,
   },
-  supportedFeatureIds: [UptimeConnectorFeatureId, AlertingConnectorFeatureId],
+  supportedFeatureIds: [UptimeConnectorFeatureId, AlertingConnectorFeatureId, 'siem'],
   minimumLicenseRequired: 'platinum' as const,
   isSystemActionType: true,
   getKibanaPrivileges: ({ params } = { params: { subAction: 'run', subActionParams: {} } }) => {

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts

@@ -444,7 +444,7 @@ export const RuleAction = z.object({
    * The action type used for sending notifications.
    */
   action_type_id: z.string(),
-  group: RuleActionGroup,
+  group: RuleActionGroup.optional(),
   id: RuleActionId,
   params: RuleActionParams,
   uuid: NonEmptyString.optional(),

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml

@@ -479,7 +479,6 @@ components:
           $ref: '#/components/schemas/RuleActionFrequency'
       required:
         - action_type_id
-        - group
         - id
         - params
 

x-pack/plugins/security_solution/common/detection_engine/transform_actions.ts

@@ -24,7 +24,6 @@ export const transformRuleToAlertAction = ({
   frequency,
   alerts_filter: alertsFilter,
 }: RuleAction): AlertingRuleAction => ({
-  group,
   id,
   params: params as AlertingRuleAction['params'],
   actionTypeId,
@@ -33,6 +32,7 @@ export const transformRuleToAlertAction = ({
   }),
   ...(uuid && { uuid }),
   ...(frequency && { frequency }),
+  ...(group && { group }),
 });
 
 export const transformAlertToRuleAction = ({
@@ -44,7 +44,6 @@ export const transformAlertToRuleAction = ({
   frequency,
   alertsFilter,
 }: AlertingRuleAction): RuleAction => ({
-  group,
   id,
   params,
   action_type_id: actionTypeId,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts

@@ -54,8 +54,8 @@ export const createRuleRoute = (router: SecuritySolutionPluginRouter): void => {
             'licensing',
             'alerting',
             'lists',
+            'actions',
           ]);
-
           const rulesClient = ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
           const exceptionsClient = ctx.lists?.getExceptionListClient();

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.ts

@@ -6,6 +6,8 @@
  */
 
 import type { RulesClient } from '@kbn/alerting-plugin/server';
+import type { ActionsClient } from '@kbn/actions-plugin/server';
+
 import type { MlAuthz } from '../../../../machine_learning/authz';
 
 import type { RuleAlertType } from '../../../rule_schema';
@@ -32,12 +34,13 @@ import { importRule } from './methods/import_rule';
 import { withSecuritySpan } from '../../../../../utils/with_security_span';
 
 export const createDetectionRulesClient = (
+  actionsClient: ActionsClient,
   rulesClient: RulesClient,
   mlAuthz: MlAuthz
 ): IDetectionRulesClient => ({
   async createCustomRule(args: CreateCustomRuleArgs): Promise<RuleResponse> {
     return withSecuritySpan('DetectionRulesClient.createCustomRule', async () => {
-      return createCustomRule(rulesClient, args, mlAuthz);
+      return createCustomRule(actionsClient, rulesClient, args, mlAuthz);
     });
   },
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/create_custom_rule.ts

@@ -4,7 +4,9 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
+import { partition } from 'lodash';
 
+import type { ActionsClient } from '@kbn/actions-plugin/server';
 import type { RulesClient } from '@kbn/alerting-plugin/server';
 import { stringifyZodError } from '@kbn/zod-helpers';
 import type { CreateCustomRuleArgs } from '../detection_rules_client_interface';
@@ -16,14 +18,25 @@ import { transform } from '../../../utils/utils';
 import { validateMlAuth, RuleResponseValidationError } from '../utils';
 
 export const createCustomRule = async (
+  actionsClient: ActionsClient,
   rulesClient: RulesClient,
   args: CreateCustomRuleArgs,
   mlAuthz: MlAuthz
 ): Promise<RuleResponse> => {
   const { params } = args;
   await validateMlAuth(mlAuthz, params.type);
+  const [oldActions, systemActions] = partition(params.actions, (action) =>
+    actionsClient.isSystemAction(action.action_type_id)
+  );
 
-  const internalRule = convertCreateAPIToInternalSchema(params, { immutable: false });
+  const internalRule = convertCreateAPIToInternalSchema(
+    {
+      ...params,
+      actions: oldActions,
+      systemActions,
+    },
+    { immutable: false }
+  );
   const rule = await rulesClient.create<RuleParams>({
     data: internalRule,
   });

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_by_object_ids.ts

@@ -40,6 +40,7 @@ export const getExportByObjectIds = async (
     const rulesAndErrors = await fetchRulesByIds(rulesClient, ruleIds);
     const { rules, missingRuleIds } = rulesAndErrors;
 
+    console.error('RULES AND ERRORS', JSON.stringify(rulesAndErrors));
     // Retrieve exceptions
     const exceptions = rules.flatMap((rule) => rule.exceptions_list ?? []);
     const { exportData: exceptionLists, exportDetails: exceptionDetails } =
@@ -99,6 +100,7 @@ const fetchRulesByIds = async (
         sortField: undefined,
         sortOrder: undefined,
       });
+      console.error(JSON.stringify(rulesResult, null, 2));
       const rulesMap = new Map<string, PartialRule<RuleParams>>();
 
       for (const rule of rulesResult.data) {
@@ -144,6 +146,8 @@ const fetchRulesByIds = async (
     }
   }
 
+  console.error('ABOUT TO RETURN RULES');
+
   return {
     rules,
     missingRuleIds,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_rule_action_connectors.ts

@@ -76,7 +76,14 @@ export const getRuleActionConnectorsForExport = async (
     actionConnectorDetails: defaultActionConnectorDetails,
   };
 
-  let actionsIds = [...new Set(rules.flatMap((rule) => rule.actions.map(({ id }) => id)))];
+  const ids = [
+    ...new Set(
+      rules.flatMap((rule) => rule.actions.map(({ id }) => id).filter((id) => id != null))
+    ),
+  ];
+
+  console.error('WHAT ARE THE IDS', ids);
+  let actionsIds = ids;
   if (!actionsIds.length) return exportedActionConnectors;
 
   // handle preconfigured connectors

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts

@@ -564,6 +564,11 @@ export const convertCreateAPIToInternalSchema = (
   const typeSpecificParams = typeSpecificSnakeToCamel(input);
   const newRuleId = input.rule_id ?? uuidv4();
 
+  const alertSystemActions = input.systemActions.map((action) => {
+    const { group, ...ruleAction } = transformRuleToAlertAction(action);
+    return ruleAction;
+  });
+
   const alertActions = input.actions?.map((action) => transformRuleToAlertAction(action)) ?? [];
   const actions = transformToActionFrequency(alertActions, input.throttle);
 
@@ -610,6 +615,7 @@ export const convertCreateAPIToInternalSchema = (
     schedule: { interval: input.interval ?? '5m' },
     enabled: input.enabled ?? defaultEnabled,
     actions,
+    systemActions: alertSystemActions,
   };
 };
 
@@ -777,6 +783,13 @@ export const internalRuleToAPIResponse = (
   const alertActions = rule.actions.map(transformAlertToRuleAction);
   const throttle = transformFromAlertThrottle(rule);
   const actions = transformToActionFrequency(alertActions, throttle);
+  const systemActions = rule.systemActions.map((action) => {
+    const { id, ...transformedAction } = transformAlertToRuleAction(action);
+    return transformedAction;
+  });
+
+  console.error('alertActions', JSON.stringify(alertActions));
+  console.error('systemActions', JSON.stringify(systemActions));
 
   return {
     // saved object properties
@@ -800,7 +813,7 @@ export const internalRuleToAPIResponse = (
     ...typeSpecificCamelToSnake(rule.params),
     // Actions
     throttle: undefined,
-    actions,
+    actions: [...actions, ...systemActions],
     // Execution summary
     execution_summary: executionSummary ?? undefined,
   };

x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts

@@ -343,6 +343,7 @@ export interface InternalRuleCreate {
   };
   enabled: IsRuleEnabled;
   actions: RuleActionArrayCamel;
+  systemActions: RuleActionArrayCamel;
   params: RuleParams;
   throttle?: RuleActionThrottle | null;
   notifyWhen?: RuleActionNotifyWhen | null;

x-pack/plugins/security_solution/server/request_context_factory.ts

@@ -69,6 +69,7 @@ export class RequestContextFactory implements IRequestContextFactory {
     const frameworkRequest = await buildFrameworkRequest(context, security, request);
     const coreContext = await context.core;
     const licensing = await context.licensing;
+    const actionsClient = await startPlugins.actions.getActionsClientWithRequest(request);
 
     const getSpaceId = (): string =>
       startPlugins.spaces?.spacesService?.getSpaceId(request) || DEFAULT_SPACE_ID;
@@ -123,6 +124,7 @@ export class RequestContextFactory implements IRequestContextFactory {
         });
 
         return createDetectionRulesClient(
+          actionsClient,
           startPlugins.alerting.getRulesClientWithRequest(request),
           mlAuthz
         );

x-pack/plugins/security_solution/server/types.ts

@@ -11,7 +11,7 @@ import type {
   IRouter,
   KibanaRequest,
 } from '@kbn/core/server';
-import type { ActionsApiRequestHandlerContext } from '@kbn/actions-plugin/server';
+import type { ActionsApiRequestHandlerContext, ActionsClient } from '@kbn/actions-plugin/server';
 import type { AlertingApiRequestHandlerContext } from '@kbn/alerting-plugin/server';
 import type { FleetRequestHandlerContext } from '@kbn/fleet-plugin/server';
 import type { LicensingApiRequestHandlerContext } from '@kbn/licensing-plugin/server';
@@ -45,7 +45,7 @@ export interface SecuritySolutionApiRequestHandlerContext {
   getAppClient: () => AppClient;
   getSpaceId: () => string;
   getRuleDataService: () => IRuleDataService;
-  getDetectionRulesClient: () => IDetectionRulesClient;
+  getDetectionRulesClient: (actionsClient?: ActionsClient) => IDetectionRulesClient;
   getDetectionEngineHealthClient: () => IDetectionEngineHealthClient;
   getRuleExecutionLog: () => IRuleExecutionLogForRoutes;
   getRacClient: (req: KibanaRequest) => Promise<AlertsClient>;