[RAC][Security Solution] Add base Security Rule Type

[madirey]

Summary

This PR adds a base security rule type, which wraps the persistence rule type to provide Detections-specific logic.

Summary of changes

• Add base security rule type
  • Implement gap detection
  • Do privilege checks
  • Handle exception lists
  • Map event fields to new alerts-as-data schema (outlined here)
  • End-to-end query rule execution
  • Static typing for new rule executors

How to test this implementation

1. Enable experimental feature flag: echo "xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled']" >> ./config/kibana.dev.yml
2. Enable rule registry writing: echo "xpack.ruleRegistry.write.enabled: true" >> ./config/kibana.dev.yml
3. Create a rule by running ./x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_query.sh

It creates a rule that generates up to 10 alerts every minute or so. The created rule is not visible in our UI and is not accessible through most of our API endpoints.

To be addressed in future PRs

• Implementations for the remaining 4 rule types
• Remove threshold rule's reliance on outputIndex by utilizing state

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[dominiqueclarke]

Uptime changes look good to me. Only did a code review.

[dominiqueclarke]

Thank you for doing this. I actually have a branch up getting ready to update this. Much appreciated.

[xcrzx]

Checked changes in regards to rule execution logging, LGTM 👍
It would be great to merge this PR sooner so that we can start integration with the new Exec log.

[dhurley14]

In regards to the comment in your PR description around The created rule is not visible in our UI and is not accessible through most of our API endpoints. I think we just need a small update so we can still manage these rules through the security solution detections page by updating the routes to include the new QUERY_ALERT_TYPE_ID.

One example is in the find_rules route

kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rules/find_rules.ts

Lines 13 to 19 in 01293bf

	export const getFilter = (filter: string | null | undefined) => {
	if (filter == null) {
	return `alert.attributes.alertTypeId: ${SIGNALS_ID}`;
	} else {
	return `alert.attributes.alertTypeId: ${SIGNALS_ID} AND ${filter}`;
	}
	};

where we can update this filter to include the new QUERY_ALERT_TYPE_ID

If you agree with the above, I think there are other places where this change should propagate as well, like in the import rules route.

[ecezalp]

Wow! The changes look fantastic. I think that the overall modularization efforts really came together, and everything became easier to understand! Thank you so much for doing this work!

One comment though - I flipped on the ruleRegistryFlag (by adding xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled'] to my kibana.dev.yml, but I wasn't able to get any alerts on the Custom Query Rule. It seemed like a new alerting index didn't get created, I wasn't able to catch any suspicious errors / logs in my terminal. I was wondering if I am missing a step or if I should try again. Please let me know! just noticed the instructions above. will try again!

[michaelolo24]

making a personal note to add kibana.alert.reason 😄

[madirey]

@elasticmachine merge upstream

[madirey]

@elasticmachine merge upstream

[smith]

APM changes look good.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 1882710
• Storybooks Preview
• Documentation Changes

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	2338	2341	+3
uptime	563	566	+3
total			+6

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
apm	4.3MB	4.3MB	+13.7KB
observability	490.9KB	507.4KB	+16.5KB
securitySolution	6.4MB	6.4MB	+5.8KB
uptime	954.5KB	954.5KB	+8.0B
total			+36.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
apm	41.6KB	44.4KB	+2.8KB
infra	146.4KB	149.2KB	+2.8KB
uptime	29.3KB	34.7KB	+5.4KB
total			+10.9KB

Unknown metric groups

API count

id	before	after	diff
ruleRegistry	82	89	+7

API count missing comments

id	before	after	diff
ruleRegistry	82	89	+7

References to deprecated APIs

id	before	after	diff
securitySolution	836	832	-4

History

• 💔 Build #142648 failed 9c02627
• 💚 Build #142389 succeeded cfbdd20
• 💔 Build #142331 failed 3ef3de9
• 💛 Build #142106 was flaky 7f519e8
• 💚 Build #142053 succeeded 44d0a2a

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream