Merge branch 'master' into timeline-bug-7.9

x-pack/plugins/lists/server/routes/create_exception_list_item_route.ts

@@ -16,6 +16,7 @@ import {
 } from '../../common/schemas';
 
 import { getExceptionListClient } from './utils/get_exception_list_client';
+import { endpointDisallowedFields } from './endpoint_disallowed_fields';
 
 export const createExceptionListItemRoute = (router: IRouter): void => {
   router.post(
@@ -70,6 +71,22 @@ export const createExceptionListItemRoute = (router: IRouter): void => {
               statusCode: 409,
             });
           } else {
+            if (exceptionList.type === 'endpoint') {
+              for (const entry of entries) {
+                if (entry.type === 'list') {
+                  return siemResponse.error({
+                    body: `cannot add exception item with entry of type "list" to endpoint exception list`,
+                    statusCode: 400,
+                  });
+                }
+                if (endpointDisallowedFields.includes(entry.field)) {
+                  return siemResponse.error({
+                    body: `cannot add endpoint exception item on field ${entry.field}`,
+                    statusCode: 400,
+                  });
+                }
+              }
+            }
             const createdList = await exceptionLists.createExceptionListItem({
               _tags,
               comments,

x-pack/plugins/lists/server/routes/endpoint_disallowed_fields.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const endpointDisallowedFields = [
+  'file.Ext.quarantine_path',
+  'file.Ext.quarantine_result',
+  'process.entity_id',
+  'process.parent.entity_id',
+  'process.ancestry',
+];

x-pack/plugins/security_solution/public/detections/components/alerts_histogram_panel/index.tsx

@@ -83,7 +83,7 @@ const NO_LEGEND_DATA: LegendItem[] = [];
 export const AlertsHistogramPanel = memo<AlertsHistogramPanelProps>(
   ({
     chartHeight,
-    defaultStackByOption = alertsHistogramOptions[0],
+    defaultStackByOption = alertsHistogramOptions[8], // signal.rule.name
     deleteQuery,
     filters,
     headerChildren,

x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/ml_card_description.tsx

@@ -5,7 +5,8 @@
  */
 
 import { FormattedMessage } from '@kbn/i18n/react';
-import { EuiText, EuiLink } from '@elastic/eui';
+import { EuiLink } from '@elastic/eui';
+import styled from 'styled-components';
 import React from 'react';
 
 import { ML_TYPE_DESCRIPTION } from './translations';
@@ -15,11 +16,15 @@ interface MlCardDescriptionProps {
   hasValidLicense?: boolean;
 }
 
+const SmallText = styled.span`
+  font-size: ${({ theme }) => theme.eui.euiFontSizeS};
+`;
+
 const MlCardDescriptionComponent: React.FC<MlCardDescriptionProps> = ({
   subscriptionUrl,
   hasValidLicense = false,
 }) => (
-  <EuiText size="s">
+  <SmallText>
     {hasValidLicense ? (
       ML_TYPE_DESCRIPTION
     ) : (
@@ -38,7 +43,7 @@ const MlCardDescriptionComponent: React.FC<MlCardDescriptionProps> = ({
         }}
       />
     )}
-  </EuiText>
+  </SmallText>
 );
 
 MlCardDescriptionComponent.displayName = 'MlCardDescriptionComponent';

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/default_value.ts

@@ -18,6 +18,7 @@ export const stepAboutDefaultValue: AboutStepRule = {
   author: [],
   name: '',
   description: '',
+  isAssociatedToEndpointList: false,
   isBuildingBlock: false,
   isNew: true,
   severity: { value: 'low', mapping: [] },

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.test.tsx

@@ -165,6 +165,7 @@ describe('StepAboutRuleComponent', () => {
     await wait();
     const expected: Omit<AboutStepRule, 'isNew'> = {
       author: [],
+      isAssociatedToEndpointList: false,
       isBuildingBlock: false,
       license: '',
       ruleNameOverride: '',
@@ -223,6 +224,7 @@ describe('StepAboutRuleComponent', () => {
     await wait();
     const expected: Omit<AboutStepRule, 'isNew'> = {
       author: [],
+      isAssociatedToEndpointList: false,
       isBuildingBlock: false,
       license: '',
       ruleNameOverride: '',

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx

@@ -282,7 +282,20 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
               }}
             />
             <EuiSpacer size="l" />
-            <EuiFormRow label={I18n.BUILDING_BLOCK} isInvalid={false} fullWidth>
+            <EuiFormRow label={I18n.GLOBAL_ENDPOINT_EXCEPTION_LIST} fullWidth>
+              <CommonUseField
+                path="isAssociatedToEndpointList"
+                componentProps={{
+                  idAria: 'detectionEngineStepAboutRuleAssociatedToEndpointList',
+                  'data-test-subj': 'detectionEngineStepAboutRuleAssociatedToEndpointList',
+                  euiFieldProps: {
+                    fullWidth: true,
+                    isDisabled: isLoading,
+                  },
+                }}
+              />
+            </EuiFormRow>
+            <EuiFormRow label={I18n.BUILDING_BLOCK} fullWidth>
               <CommonUseField
                 path="isBuildingBlock"
                 componentProps={{
@@ -291,7 +304,6 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
                   euiFieldProps: {
                     fullWidth: true,
                     isDisabled: isLoading,
-                    placeholder: '',
                   },
                 }}
               />

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/schema.tsx

@@ -91,6 +91,16 @@ export const schema: FormSchema = {
     ),
     labelAppend: OptionalFieldLabel,
   },
+  isAssociatedToEndpointList: {
+    type: FIELD_TYPES.CHECKBOX,
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldAssociatedToEndpointListLabel',
+      {
+        defaultMessage: 'Associate rule to Global Endpoint Exception List',
+      }
+    ),
+    labelAppend: OptionalFieldLabel,
+  },
   severity: {
     value: {
       type: FIELD_TYPES.SUPER_SELECT,

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/translations.ts

@@ -26,6 +26,14 @@ export const ADD_FALSE_POSITIVE = i18n.translate(
     defaultMessage: 'Add false positive example',
   }
 );
+
+export const GLOBAL_ENDPOINT_EXCEPTION_LIST = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepAboutRuleForm.endpointExceptionListLabel',
+  {
+    defaultMessage: 'Global endpoint exception list',
+  }
+);
+
 export const BUILDING_BLOCK = i18n.translate(
   'xpack.securitySolution.detectionEngine.createRule.stepAboutRuleForm.buildingBlockLabel',
   {

x-pack/plugins/security_solution/public/detections/components/value_lists_management_modal/modal.test.tsx

@@ -11,7 +11,8 @@ import { TestProviders } from '../../../common/mock';
 import { ValueListsModal } from './modal';
 import { waitForUpdates } from '../../../common/utils/test_utils';
 
-describe('ValueListsModal', () => {
+// TODO: These are occasionally timing out
+describe.skip('ValueListsModal', () => {
   it('renders nothing if showModal is false', () => {
     const container = mount(
       <TestProviders>

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/__mocks__/mock.ts

@@ -167,6 +167,7 @@ export const mockRuleWithEverything = (id: string): Rule => ({
 export const mockAboutStepRule = (isNew = false): AboutStepRule => ({
   isNew,
   author: ['Elastic'],
+  isAssociatedToEndpointList: false,
   isBuildingBlock: false,
   timestampOverride: '',
   ruleNameOverride: '',

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts

@@ -153,6 +153,7 @@ export const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRule
     riskScore,
     severity,
     threat,
+    isAssociatedToEndpointList,
     isBuildingBlock,
     isNew,
     note,
@@ -163,6 +164,13 @@ export const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRule
   const resp = {
     author: author.filter((item) => !isEmpty(item)),
     ...(isBuildingBlock ? { building_block_type: 'default' } : {}),
+    ...(isAssociatedToEndpointList
+      ? {
+          exceptions_list: [
+            { id: 'endpoint_list', namespace_type: 'agnostic', type: 'endpoint' },
+          ] as AboutStepRuleJson['exceptions_list'],
+        }
+      : {}),
     false_positives: falsePositives.filter((item) => !isEmpty(item)),
     references: references.filter((item) => !isEmpty(item)),
     risk_score: riskScore.value,

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx

@@ -83,10 +83,12 @@ describe('rule helpers', () => {
           title: 'Titled timeline',
         },
       };
-      const aboutRuleStepData = {
+
+      const aboutRuleStepData: AboutStepRule = {
         author: [],
         description: '24/7',
         falsePositives: ['test'],
+        isAssociatedToEndpointList: false,
         isBuildingBlock: false,
         isNew: false,
         license: 'Elastic License',

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx

@@ -122,6 +122,7 @@ export const getAboutStepsData = (rule: Rule, detailsView: boolean): AboutStepRu
   const {
     author,
     building_block_type: buildingBlockType,
+    exceptions_list: exceptionsList,
     license,
     risk_score_mapping: riskScoreMapping,
     rule_name_override: ruleNameOverride,
@@ -138,6 +139,7 @@ export const getAboutStepsData = (rule: Rule, detailsView: boolean): AboutStepRu
   return {
     isNew: false,
     author,
+    isAssociatedToEndpointList: exceptionsList?.some(({ id }) => id === 'endpoint_list') ?? false,
     isBuildingBlock: buildingBlockType !== undefined,
     license: license ?? '',
     ruleNameOverride: ruleNameOverride ?? '',

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts

@@ -20,6 +20,7 @@ import {
   SeverityMapping,
   TimestampOverride,
 } from '../../../../../common/detection_engine/schemas/common/schemas';
+import { List } from '../../../../../common/detection_engine/schemas/types';
 
 export interface EuiBasicTableSortTypes {
   field: string;
@@ -65,6 +66,7 @@ export interface AboutStepRule extends StepRuleData {
   author: string[];
   name: string;
   description: string;
+  isAssociatedToEndpointList: boolean;
   isBuildingBlock: boolean;
   severity: AboutStepSeverity;
   riskScore: AboutStepRiskScore;
@@ -136,6 +138,7 @@ export interface DefineStepRuleJson {
 export interface AboutStepRuleJson {
   author: Author;
   building_block_type?: BuildingBlockType;
+  exceptions_list?: List[];
   name: string;
   description: string;
   license: License;

x-pack/test/api_integration/apis/index.js

@@ -31,5 +31,6 @@ export default function ({ loadTestFile }) {
     loadTestFile(require.resolve('./transform'));
     loadTestFile(require.resolve('./endpoint'));
     loadTestFile(require.resolve('./ingest_manager'));
+    loadTestFile(require.resolve('./lists'));
   });
 }

x-pack/test/api_integration/apis/lists/create_exception_list_item.ts

@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from '@kbn/expect/expect.js';
+import { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const supertest = getService('supertest');
+  describe('Lists API', () => {
+    before(async () => await esArchiver.load('lists'));
+
+    after(async () => await esArchiver.unload('lists'));
+
+    it('should return a 400 if an endpoint exception item with a list-based entry is provided', async () => {
+      const badItem = {
+        namespace_type: 'agnostic',
+        description: 'bad endpoint item for testing',
+        name: 'bad endpoint item',
+        list_id: 'endpoint_list',
+        type: 'simple',
+        entries: [
+          {
+            type: 'list',
+            field: 'some.field',
+            operator: 'included',
+            list: {
+              id: 'somelist',
+              type: 'keyword',
+            },
+          },
+        ],
+      };
+      const { body } = await supertest
+        .post(`/api/exception_lists/items`)
+        .set('kbn-xsrf', 'xxx')
+        .send(badItem)
+        .expect(400);
+      expect(body.message).to.eql(
+        'cannot add exception item with entry of type "list" to endpoint exception list'
+      );
+    });
+
+    it('should return a 400 if endpoint exception entry has disallowed field', async () => {
+      const fieldName = 'file.Ext.quarantine_path';
+      const badItem = {
+        namespace_type: 'agnostic',
+        description: 'bad endpoint item for testing',
+        name: 'bad endpoint item',
+        list_id: 'endpoint_list',
+        type: 'simple',
+        entries: [
+          {
+            type: 'match',
+            field: fieldName,
+            operator: 'included',
+            value: 'doesnt matter',
+          },
+        ],
+      };
+      const { body } = await supertest
+        .post(`/api/exception_lists/items`)
+        .set('kbn-xsrf', 'xxx')
+        .send(badItem)
+        .expect(400);
+      expect(body.message).to.eql(`cannot add endpoint exception item on field ${fieldName}`);
+    });
+  });
+}

x-pack/test/api_integration/apis/lists/index.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function listsAPIIntegrationTests({ loadTestFile }: FtrProviderContext) {
+  describe('Lists plugin', function () {
+    this.tags(['lists']);
+    loadTestFile(require.resolve('./create_exception_list_item'));
+  });
+}

x-pack/test/functional/apps/monitoring/cluster/overview.js

@@ -10,7 +10,8 @@ import { getLifecycleMethods } from '../_get_lifecycle_methods';
 export default function ({ getService, getPageObjects }) {
   const overview = getService('monitoringClusterOverview');
 
-  describe('Cluster overview', () => {
+  // https://github.com/elastic/kibana/issues/71796
+  describe.skip('Cluster overview', () => {
     describe('for Green cluster with Gold license', () => {
       const { setup, tearDown } = getLifecycleMethods(getService, getPageObjects);