[Security Solution][Detections] Disable exceptions for Threshold and …

…ML rules (#72137)

* Move isThresholdRule predicate into our common folder

This is very similar to isMlRule, which is already used extensively and
lives at this level.

* Disable endpoint association checkbox for ML and Threshold rules

The fullWidth and isDisabled props were not used; what we want is
disabled.

* Fix react warning about nesting buttons

This removes the AdvancedSettingsAccordion in favor of a plain
EuiAccordion with buttonContent, as that seems to be all that's needed
here.

* Disable Exceptions tab on Details for ML or Threshold rules

These rule types do not currently support exceptions.

* Fix type error

Unused import

x-pack/plugins/security_solution/common/detection_engine/utils.ts

@@ -5,6 +5,7 @@
  */
 
 import { EntriesArray } from '../shared_imports';
+import { RuleType } from './types';
 
 export const hasLargeValueList = (entries: EntriesArray): boolean => {
  const found = entries.filter(({ type }) => type === 'list');
@@ -15,3 +16,5 @@ export const hasNestedEntry = (entries: EntriesArray): boolean => {
  const found = entries.filter(({ type }) => type === 'nested');
  return found.length > 0;
 };
+
+export const isThresholdRule = (ruleType: RuleType) => ruleType === 'threshold';

x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/index.tsx

@@ -8,14 +8,13 @@ import React, { useCallback, useMemo } from 'react';
 import { EuiCard, EuiFlexGrid, EuiFlexItem, EuiFormRow, EuiIcon } from '@elastic/eui';
 
 import { isMlRule } from '../../../../../common/machine_learning/helpers';
+import { isThresholdRule } from '../../../../../common/detection_engine/utils';
 import { RuleType } from '../../../../../common/detection_engine/types';
 import { FieldHook } from '../../../../shared_imports';
 import { useKibana } from '../../../../common/lib/kibana';
 import * as i18n from './translations';
 import { MlCardDescription } from './ml_card_description';
 
-const isThresholdRule = (ruleType: RuleType) => ruleType === 'threshold';
-
 interface SelectRuleTypeProps {
  describedByIds?: string[];
  field: FieldHook;

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx

@@ -4,10 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { EuiAccordion, EuiFlexItem, EuiSpacer, EuiButtonEmpty, EuiFormRow } from '@elastic/eui';
+import { EuiAccordion, EuiFlexItem, EuiSpacer, EuiFormRow } from '@elastic/eui';
 import React, { FC, memo, useCallback, useEffect, useState } from 'react';
 import styled from 'styled-components';
 
+import { isMlRule } from '../../../../../common/machine_learning/helpers';
+import { isThresholdRule } from '../../../../../common/detection_engine/utils';
 import {
  RuleStepProps,
  RuleStep,
@@ -58,26 +60,6 @@ const TagContainer = styled.div`
 
 TagContainer.displayName = 'TagContainer';
 
-const AdvancedSettingsAccordion = styled(EuiAccordion)`
- .euiAccordion__iconWrapper {
- display: none;
- }
-
- .euiAccordion__childWrapper {
- transition-duration: 1ms; /* hack to fire Step accordion to set proper content's height */
- }
-
- &.euiAccordion-isOpen .euiButtonEmpty__content > svg {
- transform: rotate(90deg);
- }
-`;
-
-const AdvancedSettingsAccordionButton = (
- <EuiButtonEmpty flush="left" size="s" iconType="arrowRight">
- {I18n.ADVANCED_SETTINGS}
- </EuiButtonEmpty>
-);
-
 const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  addPadding = false,
  defaultValues,
@@ -94,6 +76,10 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  const [{ isLoading: indexPatternLoading, indexPatterns }] = useFetchIndexPatterns(
  defineRuleData?.index ?? []
  );
+ const canUseExceptions =
+ defineRuleData?.ruleType &&
+ !isMlRule(defineRuleData.ruleType) &&
+ !isThresholdRule(defineRuleData.ruleType);
 
  const { form } = useForm({
  defaultValue: initialState,
@@ -193,10 +179,10 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  />
  </TagContainer>
  <EuiSpacer size="l" />
- <AdvancedSettingsAccordion
+ <EuiAccordion
  data-test-subj="advancedSettings"
  id="advancedSettingsAccordion"
- buttonContent={AdvancedSettingsAccordionButton}
+ buttonContent={I18n.ADVANCED_SETTINGS}
  >
  <EuiSpacer size="l" />
  <UseField
@@ -274,8 +260,7 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  idAria: 'detectionEngineStepAboutRuleAssociatedToEndpointList',
  'data-test-subj': 'detectionEngineStepAboutRuleAssociatedToEndpointList',
  euiFieldProps: {
- fullWidth: true,
- isDisabled: isLoading,
+ disabled: isLoading || !canUseExceptions,
  },
  }}
  />
@@ -287,8 +272,7 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  idAria: 'detectionEngineStepAboutRuleBuildingBlock',
  'data-test-subj': 'detectionEngineStepAboutRuleBuildingBlock',
  euiFieldProps: {
- fullWidth: true,
- isDisabled: isLoading,
+ disabled: isLoading,
  },
  }}
  />
@@ -319,7 +303,7 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  placeholder: '',
  }}
  />
- </AdvancedSettingsAccordion>
+ </EuiAccordion>
  <FormDataProvider pathsToWatch="severity">
  {({ severity }) => {
  const newRiskScore = defaultRiskScoreBySeverity[severity as SeverityValue];

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx

@@ -37,7 +37,7 @@ import {
 } from '../../../../../common/components/link_to/redirect_to_detection_engine';
 import { SiemSearchBar } from '../../../../../common/components/search_bar';
 import { WrapperPage } from '../../../../../common/components/wrapper_page';
-import { useRule } from '../../../../containers/detection_engine/rules';
+import { useRule, Rule } from '../../../../containers/detection_engine/rules';
 import { useListsConfig } from '../../../../containers/detection_engine/lists/use_lists_config';
 
 import { useWithSource } from '../../../../../common/containers/source';
@@ -90,30 +90,35 @@ import {
  MIN_EVENTS_VIEWER_BODY_HEIGHT,
 } from '../../../../../timelines/components/timeline/body/helpers';
 import { footerHeight } from '../../../../../timelines/components/timeline/footer';
+import { isMlRule } from '../../../../../../common/machine_learning/helpers';
+import { isThresholdRule } from '../../../../../../common/detection_engine/utils';
 
 enum RuleDetailTabs {
  alerts = 'alerts',
  failures = 'failures',
  exceptions = 'exceptions',
 }
 
-const ruleDetailTabs = [
- {
- id: RuleDetailTabs.alerts,
- name: detectionI18n.ALERT,
- disabled: false,
- },
- {
- id: RuleDetailTabs.exceptions,
- name: i18n.EXCEPTIONS_TAB,
- disabled: false,
- },
- {
- id: RuleDetailTabs.failures,
- name: i18n.FAILURE_HISTORY_TAB,
- disabled: false,
- },
-];
+const getRuleDetailsTabs = (rule: Rule | null) => {
+ const canUseExceptions = rule && !isMlRule(rule.type) && !isThresholdRule(rule.type);
+ return [
+ {
+ id: RuleDetailTabs.alerts,
+ name: detectionI18n.ALERT,
+ disabled: false,
+ },
+ {
+ id: RuleDetailTabs.exceptions,
+ name: i18n.EXCEPTIONS_TAB,
+ disabled: !canUseExceptions,
+ },
+ {
+ id: RuleDetailTabs.failures,
+ name: i18n.FAILURE_HISTORY_TAB,
+ disabled: false,
+ },
+ ];
+};
 
 export const RuleDetailsPageComponent: FC<PropsFromRedux> = ({
  filters,
@@ -160,6 +165,7 @@ export const RuleDetailsPageComponent: FC<PropsFromRedux> = ({
  // TODO: Refactor license check + hasMlAdminPermissions to common check
  const hasMlPermissions =
  mlCapabilities.isPlatinumOrTrialLicense && hasMlAdminPermissions(mlCapabilities);
+ const ruleDetailTabs = getRuleDetailsTabs(rule);
 
  const title = isLoading === true || rule === null ? <EuiLoadingSpinner size="m" /> : rule.name;
  const subTitle = useMemo(