[EDR Workflows] Automated Actions in more rule types

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts

@@ -224,6 +224,7 @@ export const EqlOptionalFields = z.object({
   tiebreaker_field: TiebreakerField.optional(),
   timestamp_field: TimestampField.optional(),
   alert_suppression: AlertSuppression.optional(),
+  response_actions: z.array(ResponseAction).optional(),
 });
 
 export type EqlRuleCreateFields = z.infer<typeof EqlRuleCreateFields>;
@@ -574,6 +575,7 @@ export const EsqlRuleRequiredFields = z.object({
 export type EsqlRuleOptionalFields = z.infer<typeof EsqlRuleOptionalFields>;
 export const EsqlRuleOptionalFields = z.object({
   alert_suppression: AlertSuppression.optional(),
+  response_actions: z.array(ResponseAction).optional(),
 });
 
 export type EsqlRulePatchFields = z.infer<typeof EsqlRulePatchFields>;

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml

@@ -292,6 +292,10 @@ components:
           $ref: './specific_attributes/eql_attributes.schema.yaml#/components/schemas/TimestampField'
         alert_suppression:
           $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
+        response_actions:
+          type: array
+          items:
+            $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
 
     EqlRuleCreateFields:
       allOf:
@@ -840,6 +844,10 @@ components:
       properties:
         alert_suppression:
           $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
+        response_actions:
+          type: array
+          items:
+            $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
 
     EsqlRulePatchFields:
       allOf:

x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml

@@ -2042,6 +2042,10 @@ components:
           $ref: '#/components/schemas/RuleFilterArray'
         index:
           $ref: '#/components/schemas/IndexPatternArray'
+        response_actions:
+          items:
+            $ref: '#/components/schemas/ResponseAction'
+          type: array
         tiebreaker_field:
           $ref: '#/components/schemas/TiebreakerField'
         timestamp_field:
@@ -2729,6 +2733,10 @@ components:
       properties:
         alert_suppression:
           $ref: '#/components/schemas/AlertSuppression'
+        response_actions:
+          items:
+            $ref: '#/components/schemas/ResponseAction'
+          type: array
     EsqlRulePatchProps:
       allOf:
         - type: object

x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml

@@ -1316,6 +1316,10 @@ components:
           $ref: '#/components/schemas/RuleFilterArray'
         index:
           $ref: '#/components/schemas/IndexPatternArray'
+        response_actions:
+          items:
+            $ref: '#/components/schemas/ResponseAction'
+          type: array
         tiebreaker_field:
           $ref: '#/components/schemas/TiebreakerField'
         timestamp_field:
@@ -2003,6 +2007,10 @@ components:
       properties:
         alert_suppression:
           $ref: '#/components/schemas/AlertSuppression'
+        response_actions:
+          items:
+            $ref: '#/components/schemas/ResponseAction'
+          type: array
     EsqlRulePatchProps:
       allOf:
         - type: object

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.tsx

@@ -17,7 +17,7 @@ import type {
 import { UseArray } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
 import type { Type } from '@kbn/securitysolution-io-ts-alerting-types';
 import type { RuleObjectId } from '../../../../../common/api/detection_engine/model/rule_schema';
-import { isQueryRule } from '../../../../../common/detection_engine/utils';
+import { isQueryRule, isEsqlRule, isEqlRule } from '../../../../../common/detection_engine/utils';
 import { ResponseActionsForm } from '../../../rule_response_actions/response_actions_form';
 import type {
   RuleStepProps,
@@ -101,7 +101,7 @@ const StepRuleActionsComponent: FC<StepRuleActionsProps> = ({
     [actionMessageParams, summaryActionMessageParams]
   );
   const displayResponseActionsOptions = useMemo(() => {
-    if (isQueryRule(ruleType)) {
+    if (isQueryRule(ruleType) || isEsqlRule(ruleType) || isEqlRule(ruleType)) {
       return (
         <UseArray path="responseActions" initialNumberOfItems={0}>
           {ResponseActionsForm}

x-pack/plugins/security_solution/public/management/cypress/e2e/automated_response_actions/form.cy.ts

@@ -7,6 +7,7 @@
 
 import {
   addEndpointResponseAction,
+  fillUpNewEsqlRule,
   fillUpNewRule,
   focusAndOpenCommandDropdown,
   tryAddingDisabledResponseAction,
@@ -202,6 +203,31 @@ describe(
       });
     });
 
+    describe('User should be able to add response action to ESQL rule', () => {
+      let ruleId: string;
+      const [ruleName, ruleDescription] = generateRandomStringName(2);
+
+      beforeEach(() => {
+        login(ROLE.soc_manager);
+      });
+      afterEach(() => {
+        if (ruleId) {
+          cleanupRule(ruleId);
+        }
+      });
+
+      it('create and save endpoint response action inside of a rule', () => {
+        fillUpNewEsqlRule(ruleName, ruleDescription);
+        addEndpointResponseAction();
+        focusAndOpenCommandDropdown();
+        validateAvailableCommands();
+        cy.getByTestSubj(`command-type-isolate`).click();
+
+        cy.getByTestSubj('create-enabled-false').click();
+        cy.contains(`${ruleName} was created`);
+      });
+    });
+
     describe('User should not see endpoint action when no rbac', () => {
       const [ruleName, ruleDescription] = generateRandomStringName(2);
 

x-pack/plugins/security_solution/public/management/cypress/tasks/response_actions.ts

@@ -69,6 +69,24 @@ export const fillUpNewRule = (name = 'Test', description = 'Test') => {
   cy.getByTestSubj('about-continue').click();
   cy.getByTestSubj('schedule-continue').click();
 };
+export const fillUpNewEsqlRule = (name = 'Test', description = 'Test') => {
+  loadPage('app/security/rules/management');
+  cy.getByTestSubj('create-new-rule').click();
+  cy.getByTestSubj('stepDefineRule').within(() => {
+    cy.getByTestSubj('esqlRuleType').click();
+    cy.getByTestSubj('globalQueryBar').first().click();
+    cy.getByTestSubj('kibanaCodeEditor').type('FROM * METADATA _index, _id {backspace}{enter}');
+  });
+  cy.getByTestSubj('define-continue').click();
+  cy.getByTestSubj('detectionEngineStepAboutRuleName').within(() => {
+    cy.getByTestSubj('input').type(name);
+  });
+  cy.getByTestSubj('detectionEngineStepAboutRuleDescription').within(() => {
+    cy.getByTestSubj('input').type(description);
+  });
+  cy.getByTestSubj('about-continue').click();
+  cy.getByTestSubj('schedule-continue').click();
+};
 export const visitRuleActions = (ruleId: string) => {
   loadPage(`app/security/rules/id/${ruleId}/edit`);
   cy.getByTestSubj('edit-rule-actions-tab').should('exist');

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.test.ts

@@ -16,7 +16,11 @@ import {
 } from '../../../../routes/__mocks__/request_responses';
 import { requestContextMock, serverMock, requestMock } from '../../../../routes/__mocks__';
 import { createRuleRoute } from './route';
-import { getCreateRulesSchemaMock } from '../../../../../../../common/api/detection_engine/model/rule_schema/mocks';
+import {
+  getCreateEqlRuleSchemaMock,
+  getCreateEsqlRulesSchemaMock,
+  getCreateRulesSchemaMock,
+} from '../../../../../../../common/api/detection_engine/model/rule_schema/mocks';
 import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
 import { getQueryRuleParams } from '../../../../rule_schema/mocks';
 import { HttpAuthzError } from '../../../../../machine_learning/validation';
@@ -182,7 +186,7 @@ describe('Create rule route', () => {
     });
     const defaultAction = getResponseAction();
 
-    test('is successful', async () => {
+    test('is successful in query rule', async () => {
       const request = requestMock.create({
         method: 'post',
         path: DETECTION_ENGINE_RULES_URL,
@@ -195,6 +199,32 @@ describe('Create rule route', () => {
       const response = await server.inject(request, requestContextMock.convertContext(context));
       expect(response.status).toEqual(200);
     });
+    test('is successful in esql rule', async () => {
+      const request = requestMock.create({
+        method: 'post',
+        path: DETECTION_ENGINE_RULES_URL,
+        body: {
+          ...getCreateEsqlRulesSchemaMock('rule-2'),
+          response_actions: [defaultAction],
+        },
+      });
+
+      const response = await server.inject(request, requestContextMock.convertContext(context));
+      expect(response.status).toEqual(200);
+    });
+    test('is successful in eql rule', async () => {
+      const request = requestMock.create({
+        method: 'post',
+        path: DETECTION_ENGINE_RULES_URL,
+        body: {
+          ...getCreateEqlRuleSchemaMock('rule-3'),
+          response_actions: [defaultAction],
+        },
+      });
+
+      const response = await server.inject(request, requestContextMock.convertContext(context));
+      expect(response.status).toEqual(200);
+    });
 
     test('fails when isolate rbac is set to false', async () => {
       (context.securitySolution.getEndpointAuthz as jest.Mock).mockReturnValue(() => ({