From 1cbf9889b062e068fcaaddffb72ec81641d3d748 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Thu, 28 Nov 2024 01:04:15 +1100
Subject: [PATCH] [8.17] [Security Solution] Display cardinality for threshold
 rules (#201162) (#201959)

# Backport

This will backport the following commits from `main` to `8.17`:
- [[Security Solution] Display cardinality for threshold rules
(#201162)](https://github.com/elastic/kibana/pull/201162)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Jacek
Kolezynski","email":"jacek.kolezynski@elastic.co"},"sourceCommit":{"committedDate":"2024-11-27T12:11:41Z","message":"[Security
Solution] Display cardinality for threshold rules
(#201162)\n\n**Resolves #161576**\r\n\r\n## Summary\r\n\r\nThis PR fixes
the description of threshold rules. The problem was that\r\nif a
threshold rule contained 'Count' (cardinality) it wasn't
displayed\r\nneither in a summary while creating the rule, nor in the
rule details\r\npage. This PR fixes these two places, introducing
similar logic to the\r\ntwo places in the code, to display the
cardinality if it is present in\r\nthe threshold object.\r\n\r\n###
BEFORE\r\n1. overview page\r\n<img width=\"1027\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/b927b4e0-f2a0-41ba-87e0-441a53760cce\">\r\n\r\n2.
rule details page\r\n<img width=\"762\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/486f8616-8582-45ea-9422-bfd554e2ae83\">\r\n\r\n\r\n\r\n###
AFTER\r\n1. overview page\r\n<img width=\"1015\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/06a5e0d1-76ef-434e-9c1c-cce6c3ff504f\">\r\n\r\n2.
rule details page\r\n<img width=\"893\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/40acd7d4-4058-40c0-aa19-e5f489c53c2c\">\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\nDone:
\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7474\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7473\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7476\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7477","sha":"19a2ff81d5a542402a3f0c006d6b4986890d73f9","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.17.0","v8.18.0","v8.16.2"],"title":"[Security
Solution] Display cardinality for threshold
rules","number":201162,"url":"https://github.com/elastic/kibana/pull/201162","mergeCommit":{"message":"[Security
Solution] Display cardinality for threshold rules
(#201162)\n\n**Resolves #161576**\r\n\r\n## Summary\r\n\r\nThis PR fixes
the description of threshold rules. The problem was that\r\nif a
threshold rule contained 'Count' (cardinality) it wasn't
displayed\r\nneither in a summary while creating the rule, nor in the
rule details\r\npage. This PR fixes these two places, introducing
similar logic to the\r\ntwo places in the code, to display the
cardinality if it is present in\r\nthe threshold object.\r\n\r\n###
BEFORE\r\n1. overview page\r\n<img width=\"1027\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/b927b4e0-f2a0-41ba-87e0-441a53760cce\">\r\n\r\n2.
rule details page\r\n<img width=\"762\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/486f8616-8582-45ea-9422-bfd554e2ae83\">\r\n\r\n\r\n\r\n###
AFTER\r\n1. overview page\r\n<img width=\"1015\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/06a5e0d1-76ef-434e-9c1c-cce6c3ff504f\">\r\n\r\n2.
rule details page\r\n<img width=\"893\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/40acd7d4-4058-40c0-aa19-e5f489c53c2c\">\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\nDone:
\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7474\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7473\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7476\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7477","sha":"19a2ff81d5a542402a3f0c006d6b4986890d73f9"}},"sourceBranch":"main","suggestedTargetBranches":["8.17","8.x","8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201162","number":201162,"mergeCommit":{"message":"[Security
Solution] Display cardinality for threshold rules
(#201162)\n\n**Resolves #161576**\r\n\r\n## Summary\r\n\r\nThis PR fixes
the description of threshold rules. The problem was that\r\nif a
threshold rule contained 'Count' (cardinality) it wasn't
displayed\r\nneither in a summary while creating the rule, nor in the
rule details\r\npage. This PR fixes these two places, introducing
similar logic to the\r\ntwo places in the code, to display the
cardinality if it is present in\r\nthe threshold object.\r\n\r\n###
BEFORE\r\n1. overview page\r\n<img width=\"1027\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/b927b4e0-f2a0-41ba-87e0-441a53760cce\">\r\n\r\n2.
rule details page\r\n<img width=\"762\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/486f8616-8582-45ea-9422-bfd554e2ae83\">\r\n\r\n\r\n\r\n###
AFTER\r\n1. overview page\r\n<img width=\"1015\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/06a5e0d1-76ef-434e-9c1c-cce6c3ff504f\">\r\n\r\n2.
rule details page\r\n<img width=\"893\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/40acd7d4-4058-40c0-aa19-e5f489c53c2c\">\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\nDone:
\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7474\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7473\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7476\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7477","sha":"19a2ff81d5a542402a3f0c006d6b4986890d73f9"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Jacek Kolezynski <jacek.kolezynski@elastic.co>
---
 .../components/description_step/helpers.tsx   | 39 ++++++++------
 .../description_step/index.test.tsx           | 54 ++++++++++++++++++-
 .../description_step/translations.ts          | 18 +++++++
 .../rule_details/rule_definition_section.tsx  | 26 +++++----
 .../prebuilt_rules_preview.cy.ts              |  4 +-
 .../cypress/tasks/prebuilt_rules_preview.ts   | 15 ++++--
 6 files changed, 126 insertions(+), 30 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/helpers.tsx
index 6740e9fc8d014..77ef34664f6e0 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/helpers.tsx
@@ -27,7 +27,6 @@ import { FilterBadgeGroup } from '@kbn/unified-search-plugin/public';
 import { IntervalAbbrScreenReader } from '../../../../common/components/accessibility';
 import type {
   RequiredFieldArray,
-  Threshold,
   AlertSuppressionMissingFieldsStrategy,
 } from '../../../../../common/api/detection_engine/model/rule_schema';
 import { AlertSuppressionMissingFieldsStrategyEnum } from '../../../../../common/api/detection_engine/model/rule_schema';
@@ -50,6 +49,7 @@ import { defaultToEmptyTag } from '../../../../common/components/empty_value';
 import { RequiredFieldIcon } from '../../../rule_management/components/rule_details/required_field_icon';
 import { ThreatEuiFlexGroup } from './threat_description';
 import { AlertSuppressionLabel } from './alert_suppression_label';
+import type { FieldValueThreshold } from '../threshold_input';
 
 const NoteDescriptionContainer = styled(EuiFlexItem)`
   height: 105px;
@@ -490,20 +490,29 @@ export const buildRuleTypeDescription = (label: string, ruleType: Type): ListIte
   }
 };
 
-export const buildThresholdDescription = (label: string, threshold: Threshold): ListItems[] => [
-  {
-    title: label,
-    description: (
-      <>
-        {isEmpty(threshold.field[0])
-          ? `${i18n.THRESHOLD_RESULTS_ALL} >= ${threshold.value}`
-          : `${i18n.THRESHOLD_RESULTS_AGGREGATED_BY} ${
-              Array.isArray(threshold.field) ? threshold.field.join(',') : threshold.field
-            } >= ${threshold.value}`}
-      </>
-    ),
-  },
-];
+export const buildThresholdDescription = (
+  label: string,
+  threshold: FieldValueThreshold
+): ListItems[] => {
+  let thresholdDescription = isEmpty(threshold.field[0])
+    ? `${i18n.THRESHOLD_RESULTS_ALL} >= ${threshold.value}`
+    : `${i18n.THRESHOLD_RESULTS_AGGREGATED_BY} ${threshold.field.join(',')} >= ${threshold.value}`;
+
+  if (threshold.cardinality?.value && threshold.cardinality?.field.length > 0) {
+    thresholdDescription = i18n.THRESHOLD_CARDINALITY(
+      thresholdDescription,
+      threshold.cardinality.field[0],
+      threshold.cardinality.value
+    );
+  }
+
+  return [
+    {
+      title: label,
+      description: <>{thresholdDescription}</>,
+    },
+  ];
+};
 
 export const buildThreatMappingDescription = (
   title: string,
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx
index de46d09065f4e..b45f1a50414ac 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx
@@ -451,10 +451,62 @@ describe('description_step', () => {
 
         expect(result[0].title).toEqual('Threshold label');
         expect(React.isValidElement(result[0].description)).toBeTruthy();
-        expect(mount(result[0].description as React.ReactElement).html()).toContain(
+        expect(mount(result[0].description as React.ReactElement).html()).toEqual(
+          'Results aggregated by user.name >= 100'
+        );
+      });
+
+      test('returns threshold description when threshold exist, field is set, and cardinality is not set', () => {
+        const mockThreshold = {
+          threshold: {
+            field: ['user.name'],
+            value: 100,
+            cardinality: {
+              field: [],
+              value: 0,
+            },
+          },
+        };
+        const result: ListItems[] = getDescriptionItem(
+          'threshold',
+          'Threshold label',
+          mockThreshold,
+          mockFilterManager,
+          mockLicenseService
+        );
+
+        expect(result[0].title).toEqual('Threshold label');
+        expect(React.isValidElement(result[0].description)).toBeTruthy();
+        expect(mount(result[0].description as React.ReactElement).html()).toEqual(
           'Results aggregated by user.name >= 100'
         );
       });
+
+      test('returns threshold description when threshold exist, field is set and cardinality is set', () => {
+        const mockThreshold = {
+          threshold: {
+            field: ['user.name'],
+            value: 100,
+            cardinality: {
+              field: ['host.test_value'],
+              value: 10,
+            },
+          },
+        };
+        const result: ListItems[] = getDescriptionItem(
+          'threshold',
+          'Threshold label',
+          mockThreshold,
+          mockFilterManager,
+          mockLicenseService
+        );
+
+        expect(result[0].title).toEqual('Threshold label');
+        expect(React.isValidElement(result[0].description)).toBeTruthy();
+        expect(mount(result[0].description as React.ReactElement).html()).toContain(
+          'Results aggregated by user.name >= 100 when unique values count of host.test_value >= 10'
+        );
+      });
     });
 
     describe('references', () => {
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/translations.ts
index 5c43b9181adcb..74a9faa4efd4c 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/translations.ts
@@ -126,6 +126,24 @@ export const THRESHOLD_RESULTS_AGGREGATED_BY = i18n.translate(
   }
 );
 
+export const THRESHOLD_CARDINALITY = (
+  thresholdFieldsGroupedBy: string,
+  cardinalityField: string,
+  cardinalityValue: string | number
+) =>
+  i18n.translate(
+    'xpack.securitySolution.detectionEngine.ruleDescription.thresholdResultsCardinalityDescription',
+    {
+      defaultMessage:
+        '{thresholdFieldsGroupedBy} when unique values count of {cardinalityField} >= {cardinalityValue}',
+      values: {
+        thresholdFieldsGroupedBy,
+        cardinalityField,
+        cardinalityValue,
+      },
+    }
+  );
+
 export const EQL_EVENT_CATEGORY_FIELD_LABEL = i18n.translate(
   'xpack.securitySolution.detectionEngine.ruleDescription.eqlEventCategoryFieldLabel',
   {
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx
index 623ae20fa484f..0ae98c25020fc 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx
@@ -179,15 +179,23 @@ interface ThresholdProps {
   threshold: ThresholdType;
 }
 
-export const Threshold = ({ threshold }: ThresholdProps) => (
-  <div data-test-subj="thresholdPropertyValue">
-    {isEmpty(threshold.field[0])
-      ? `${descriptionStepI18n.THRESHOLD_RESULTS_ALL} >= ${threshold.value}`
-      : `${descriptionStepI18n.THRESHOLD_RESULTS_AGGREGATED_BY} ${
-          Array.isArray(threshold.field) ? threshold.field.join(',') : threshold.field
-        } >= ${threshold.value}`}
-  </div>
-);
+export const Threshold = ({ threshold }: ThresholdProps) => {
+  let thresholdDescription = isEmpty(threshold.field[0])
+    ? `${descriptionStepI18n.THRESHOLD_RESULTS_ALL} >= ${threshold.value}`
+    : `${descriptionStepI18n.THRESHOLD_RESULTS_AGGREGATED_BY} ${
+        Array.isArray(threshold.field) ? threshold.field.join(',') : threshold.field
+      } >= ${threshold.value}`;
+
+  if (threshold.cardinality && threshold.cardinality.length > 0) {
+    thresholdDescription = descriptionStepI18n.THRESHOLD_CARDINALITY(
+      thresholdDescription,
+      threshold.cardinality[0].field,
+      threshold.cardinality[0].value
+    );
+  }
+
+  return <div data-test-subj="thresholdPropertyValue">{thresholdDescription}</div>;
+};
 
 interface AnomalyThresholdProps {
   anomalyThreshold: number;
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts
index 86291d4eb9c7f..72bb79302537e 100644
--- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts
@@ -544,7 +544,7 @@ describe(
           const { threshold } = THRESHOLD_RULE_INDEX_PATTERN['security-rule'] as {
             threshold: Threshold;
           };
-          assertThresholdPropertyShown(threshold.value);
+          assertThresholdPropertyShown(threshold);
 
           const { index } = THRESHOLD_RULE_INDEX_PATTERN['security-rule'] as { index: string[] };
           assertIndexPropertyShown(index);
@@ -952,7 +952,7 @@ describe(
           const { threshold } = UPDATED_THRESHOLD_RULE_INDEX_PATTERN['security-rule'] as {
             threshold: Threshold;
           };
-          assertThresholdPropertyShown(threshold.value);
+          assertThresholdPropertyShown(threshold);
 
           const { index } = UPDATED_THRESHOLD_RULE_INDEX_PATTERN['security-rule'] as {
             index: string[];
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/prebuilt_rules_preview.ts b/x-pack/test/security_solution_cypress/cypress/tasks/prebuilt_rules_preview.ts
index 6617b10ccc219..c67ab29831075 100644
--- a/x-pack/test/security_solution_cypress/cypress/tasks/prebuilt_rules_preview.ts
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/prebuilt_rules_preview.ts
@@ -8,7 +8,10 @@
 import { capitalize } from 'lodash';
 import type { ThreatMapping } from '@kbn/securitysolution-io-ts-alerting-types';
 import type { Module } from '@kbn/ml-plugin/common/types/modules';
-import { AlertSuppression } from '@kbn/security-solution-plugin/common/api/detection_engine/model/rule_schema';
+import {
+  AlertSuppression,
+  Threshold,
+} from '@kbn/security-solution-plugin/common/api/detection_engine/model/rule_schema';
 import type { Filter } from '@kbn/es-query';
 import type { PrebuiltRuleAsset } from '@kbn/security-solution-plugin/server/lib/detection_engine/prebuilt_rules';
 import {
@@ -312,9 +315,15 @@ export const assertMachineLearningPropertiesShown = (
   });
 };
 
-export const assertThresholdPropertyShown = (thresholdValue: number) => {
+export const assertThresholdPropertyShown = (threshold: Threshold) => {
   cy.get(THRESHOLD_TITLE).should('have.text', 'Threshold');
-  cy.get(THRESHOLD_VALUE).should('contain', thresholdValue);
+  cy.get(THRESHOLD_VALUE).should('contain', threshold.value);
+  if (threshold.cardinality) {
+    cy.get(THRESHOLD_VALUE).should(
+      'contain',
+      `when unique values count of ${threshold.cardinality[0].field} >= ${threshold.cardinality[0].value}`
+    );
+  }
 };
 
 export const assertEqlQueryPropertyShown = (query: string) => {