[Detection Engine][Rule Suppression] Add Suppression to EQL Non-sequence based queries

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_request_schema.mock.ts

@@ -17,6 +17,7 @@ import type {
   ThresholdRuleCreateProps,
   NewTermsRuleCreateProps,
   NewTermsRuleUpdateProps,
+  EqlRuleCreateProps,
 } from './rule_schemas.gen';
 
 export const getCreateRulesSchemaMock = (ruleId = 'rule-1'): QueryRuleCreateProps => ({
@@ -213,3 +214,15 @@ export const getUpdateNewTermsSchemaMock = (
   new_terms_fields: ['user.name'],
   history_window_start: 'now-7d',
 });
+
+export const getCreateEqlRuleSchemaMock = (ruleId = 'rule-1'): EqlRuleCreateProps => ({
+  description: 'Event correlation index pattern rule',
+  name: 'Event correlation index pattern rule',
+  index: ['auditbeat-*'],
+  severity: 'high',
+  risk_score: 55,
+  rule_id: ruleId,
+  type: 'eql',
+  language: 'eql',
+  query: 'process where process.name == "regsvr32.exe"',
+});

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_request_schema.test.ts

@@ -8,6 +8,7 @@
 import { expectParseError, expectParseSuccess, stringifyZodError } from '@kbn/zod-helpers';
 import { getListArrayMock } from '../../../../detection_engine/schemas/types/lists.mock';
 import {
+  getCreateEqlRuleSchemaMock,
   getCreateEsqlRulesSchemaMock,
   getCreateMachineLearningRulesSchemaMock,
   getCreateNewTermsRulesSchemaMock,
@@ -1268,6 +1269,7 @@ describe('rules schema', () => {
       { ruleType: 'threat_match', ruleMock: getCreateThreatMatchRulesSchemaMock() },
       { ruleType: 'query', ruleMock: getCreateRulesSchemaMock() },
       { ruleType: 'saved_query', ruleMock: getCreateSavedQueryRulesSchemaMock() },
+      { ruleType: 'eql', ruleMock: getCreateEqlRuleSchemaMock() },
       { ruleType: 'new_terms', ruleMock: getCreateNewTermsRulesSchemaMock() },
     ];
 

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts

@@ -62,8 +62,8 @@ import {
   IndexPatternArray,
   DataViewId,
   RuleFilterArray,
-  SavedQueryId,
   AlertSuppression,
+  SavedQueryId,
   KqlQueryLanguage,
 } from './common_attributes.gen';
 import { RuleExecutionSummary } from '../../rule_monitoring/model/execution_summary.gen';
@@ -219,6 +219,7 @@ export const EqlOptionalFields = z.object({
   event_category_override: EventCategoryOverride.optional(),
   tiebreaker_field: TiebreakerField.optional(),
   timestamp_field: TimestampField.optional(),
+  alert_suppression: AlertSuppression.optional(),
 });
 
 export type EqlRuleCreateFields = z.infer<typeof EqlRuleCreateFields>;

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml

@@ -278,6 +278,8 @@ components:
           $ref: './specific_attributes/eql_attributes.schema.yaml#/components/schemas/TiebreakerField'
         timestamp_field:
           $ref: './specific_attributes/eql_attributes.schema.yaml#/components/schemas/TimestampField'
+        alert_suppression:
+          $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
 
     EqlRuleCreateFields:
       allOf:

x-pack/plugins/security_solution/common/detection_engine/constants.ts

@@ -45,4 +45,5 @@ export const SUPPRESSIBLE_ALERT_RULES: Type[] = [
   'query',
   'new_terms',
   'threat_match',
+  'eql',
 ];

x-pack/plugins/security_solution/common/detection_engine/utils.test.ts

@@ -17,6 +17,7 @@ import {
   isSuppressionRuleConfiguredWithDuration,
   isSuppressionRuleConfiguredWithGroupBy,
   isSuppressionRuleConfiguredWithMissingFields,
+  isEqlSequenceQuery,
 } from './utils';
 import type { Type } from '@kbn/securitysolution-io-ts-alerting-types';
 
@@ -232,9 +233,9 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressibleAlertRule('query')).toBe(true);
       expect(isSuppressibleAlertRule('threat_match')).toBe(true);
       expect(isSuppressibleAlertRule('new_terms')).toBe(true);
+      expect(isSuppressibleAlertRule('eql')).toBe(true);
 
       // Rule types that don't support alert suppression:
-      expect(isSuppressibleAlertRule('eql')).toBe(false);
       expect(isSuppressibleAlertRule('machine_learning')).toBe(false);
       expect(isSuppressibleAlertRule('esql')).toBe(false);
     });
@@ -254,9 +255,9 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressionRuleConfiguredWithDuration('query')).toBe(true);
       expect(isSuppressionRuleConfiguredWithDuration('threat_match')).toBe(true);
       expect(isSuppressionRuleConfiguredWithDuration('new_terms')).toBe(true);
+      expect(isSuppressionRuleConfiguredWithDuration('eql')).toBe(true);
 
       // Rule types that don't support alert suppression:
-      expect(isSuppressionRuleConfiguredWithDuration('eql')).toBe(false);
       expect(isSuppressionRuleConfiguredWithDuration('machine_learning')).toBe(false);
       expect(isSuppressionRuleConfiguredWithDuration('esql')).toBe(false);
     });
@@ -275,9 +276,9 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressionRuleConfiguredWithGroupBy('query')).toBe(true);
       expect(isSuppressionRuleConfiguredWithGroupBy('threat_match')).toBe(true);
       expect(isSuppressionRuleConfiguredWithGroupBy('new_terms')).toBe(true);
+      expect(isSuppressionRuleConfiguredWithGroupBy('eql')).toBe(true);
 
       // Rule types that don't support alert suppression:
-      expect(isSuppressionRuleConfiguredWithGroupBy('eql')).toBe(false);
       expect(isSuppressionRuleConfiguredWithGroupBy('machine_learning')).toBe(false);
       expect(isSuppressionRuleConfiguredWithGroupBy('esql')).toBe(false);
     });
@@ -301,9 +302,9 @@ describe('Alert Suppression Rules', () => {
       expect(isSuppressionRuleConfiguredWithMissingFields('query')).toBe(true);
       expect(isSuppressionRuleConfiguredWithMissingFields('threat_match')).toBe(true);
       expect(isSuppressionRuleConfiguredWithMissingFields('new_terms')).toBe(true);
+      expect(isSuppressionRuleConfiguredWithMissingFields('eql')).toBe(true);
 
       // Rule types that don't support alert suppression:
-      expect(isSuppressionRuleConfiguredWithMissingFields('eql')).toBe(false);
       expect(isSuppressionRuleConfiguredWithMissingFields('machine_learning')).toBe(false);
       expect(isSuppressionRuleConfiguredWithMissingFields('esql')).toBe(false);
     });
@@ -319,4 +320,31 @@ describe('Alert Suppression Rules', () => {
       expect(result).toBe(false);
     });
   });
+
+  describe('isEqlSequenceQuery', () => {
+    it('is false if query is undefined', () => {
+      const result = isEqlSequenceQuery(undefined);
+      expect(result).toBe(false);
+    });
+
+    it('is false if query is an empty string', () => {
+      const result = isEqlSequenceQuery('');
+      expect(result).toBe(false);
+    });
+
+    it('is false if query is an nonempty string', () => {
+      const result = isEqlSequenceQuery('any where true');
+      expect(result).toBe(false);
+    });
+
+    it('is true if query begins with "sequence"', () => {
+      const query = 'sequence where true';
+      expect(isEqlSequenceQuery(query)).toBe(true);
+    });
+
+    it('is true if query begins with some whitespace and then "sequence"', () => {
+      const query = '   sequence where true';
+      expect(isEqlSequenceQuery(query)).toBe(true);
+    });
+  });
 });

x-pack/plugins/security_solution/common/detection_engine/utils.ts

@@ -60,6 +60,9 @@ export const normalizeThresholdField = (
       [thresholdField!];
 };
 
+export const isEqlSequenceQuery = (ruleQuery: string | undefined): boolean =>
+  ruleQuery?.trim().startsWith('sequence') ?? false;
+
 export const normalizeThresholdObject = (threshold: Threshold): ThresholdNormalized => {
   return {
     ...threshold,

x-pack/plugins/security_solution/common/experimental_features.ts

@@ -179,6 +179,11 @@ export const allowedExperimentalValues = Object.freeze({
    */
   alertSuppressionForNewTermsRuleEnabled: false,
 
+  /**
+   * Enables alerts suppression for Eql rules with non-sequence queries
+   */
+  alertSuppressionForNonSequenceEqlRuleEnabled: false,
+
   /**
    * Enables experimental Experimental S1 integration data to be available in Analyzer
    */

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx

@@ -575,7 +575,7 @@ describe('description_step', () => {
     });
 
     describe('alert suppression', () => {
-      const ruleTypesWithoutSuppression: Type[] = ['eql', 'esql', 'machine_learning'];
+      const ruleTypesWithoutSuppression: Type[] = ['esql', 'machine_learning'];
       const suppressionFields = {
         groupByDuration: {
           unit: 'm',

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/eql_query_bar/eql_query_bar.test.tsx

@@ -6,14 +6,14 @@
  */
 
 import React from 'react';
-import { shallow, mount } from 'enzyme';
+import { shallow } from 'enzyme';
+import { render, screen, fireEvent, within } from '@testing-library/react';
 
 import { mockIndexPattern, TestProviders, useFormFieldMock } from '../../../../common/mock';
 import { mockQueryBar } from '../../../rule_management_ui/components/rules_table/__mocks__/mock';
 import type { EqlQueryBarProps } from './eql_query_bar';
 import { EqlQueryBar } from './eql_query_bar';
 import { getEqlValidationError } from './validators.mock';
-import { fireEvent, render, within } from '@testing-library/react';
 
 jest.mock('../../../../common/lib/kibana');
 
@@ -26,7 +26,7 @@ describe('EqlQueryBar', () => {
     });
   });
 
-  it('renders correctly', () => {
+  it('should render correctly', () => {
     const wrapper = shallow(
       <EqlQueryBar
         dataTestSubj="myQueryBar"
@@ -54,8 +54,8 @@ describe('EqlQueryBar', () => {
     expect(wrapper.find('[data-test-subj="eqlFilterBar"]')).toHaveLength(1);
   });
 
-  it('sets the field value on input change', () => {
-    const wrapper = mount(
+  it('should set the field value on input change', () => {
+    render(
       <TestProviders>
         <EqlQueryBar
           dataTestSubj="myQueryBar"
@@ -65,11 +65,8 @@ describe('EqlQueryBar', () => {
         />
       </TestProviders>
     );
-
-    wrapper
-      .find('[data-test-subj="eqlQueryBarTextInput"]')
-      .last()
-      .simulate('change', { target: { value: 'newQuery' } });
+    const inputElement = screen.getByTestId('eqlQueryBarTextInput');
+    fireEvent.change(inputElement, { target: { value: 'newQuery' } });
 
     const expected = {
       filters: mockQueryBar.filters,
@@ -83,8 +80,8 @@ describe('EqlQueryBar', () => {
     expect(mockField.setValue).toHaveBeenCalledWith(expected);
   });
 
-  it('does not render errors for a valid query', () => {
-    const wrapper = mount(
+  it('should not render errors for a valid query', () => {
+    const { queryByTestId } = render(
       <TestProviders>
         <EqlQueryBar
           dataTestSubj="myQueryBar"
@@ -95,17 +92,15 @@ describe('EqlQueryBar', () => {
       </TestProviders>
     );
 
-    expect(wrapper.find('[data-test-subj="eql-validation-errors-popover"]').exists()).toEqual(
-      false
-    );
+    expect(queryByTestId('eql-validation-errors-popover')).not.toBeInTheDocument();
   });
 
-  it('renders errors for an invalid query', () => {
+  it('should render errors for an invalid query', () => {
     const invalidMockField = useFormFieldMock({
       value: mockQueryBar,
       errors: [getEqlValidationError()],
     });
-    const wrapper = mount(
+    const { getByTestId } = render(
       <TestProviders>
         <EqlQueryBar
           dataTestSubj="myQueryBar"
@@ -116,7 +111,7 @@ describe('EqlQueryBar', () => {
       </TestProviders>
     );
 
-    expect(wrapper.find('[data-test-subj="eql-validation-errors-popover"]').exists()).toEqual(true);
+    expect(getByTestId('eql-validation-errors-popover')).toBeInTheDocument();
   });
 
   describe('EQL options interaction', () => {