[Security Solution][Alerts] Alert suppression per rule execution

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -43,6 +43,13 @@ const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
 const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const;
 const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
 const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const;
+const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const;
+const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const;
+const ALERT_SUPPRESSION_FIELD = `${ALERT_SUPPRESSION_TERMS}.field` as const;
+const ALERT_SUPPRESSION_VALUE = `${ALERT_SUPPRESSION_TERMS}.value` as const;
+const ALERT_SUPPRESSION_START = `${ALERT_SUPPRESSION_META}.start` as const;
+const ALERT_SUPPRESSION_END = `${ALERT_SUPPRESSION_META}.end` as const;
+const ALERT_SUPPRESSION_DOCS_COUNT = `${ALERT_SUPPRESSION_META}.docs_count` as const;
 
 // Fields pertaining to the rule associated with the alert
 const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const;
@@ -167,6 +174,12 @@ const fields = {
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
+  ALERT_SUPPRESSION_TERMS,
+  ALERT_SUPPRESSION_FIELD,
+  ALERT_SUPPRESSION_VALUE,
+  ALERT_SUPPRESSION_START,
+  ALERT_SUPPRESSION_END,
+  ALERT_SUPPRESSION_DOCS_COUNT,
   SPACE_IDS,
   VERSION,
 };
@@ -236,6 +249,12 @@ export {
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
+  ALERT_SUPPRESSION_TERMS,
+  ALERT_SUPPRESSION_FIELD,
+  ALERT_SUPPRESSION_VALUE,
+  ALERT_SUPPRESSION_START,
+  ALERT_SUPPRESSION_END,
+  ALERT_SUPPRESSION_DOCS_COUNT,
   TAGS,
   TIMESTAMP,
   SPACE_IDS,

x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts

@@ -196,6 +196,31 @@ it('matches snapshot', () => {
         "required": true,
         "type": "keyword",
       },
+      "kibana.alert.suppression.docs_count": Object {
+        "array": false,
+        "required": false,
+        "type": "long",
+      },
+      "kibana.alert.suppression.end": Object {
+        "array": false,
+        "required": false,
+        "type": "date",
+      },
+      "kibana.alert.suppression.start": Object {
+        "array": false,
+        "required": false,
+        "type": "date",
+      },
+      "kibana.alert.suppression.terms.field": Object {
+        "array": true,
+        "required": false,
+        "type": "keyword",
+      },
+      "kibana.alert.suppression.terms.value": Object {
+        "array": true,
+        "required": false,
+        "type": "keyword",
+      },
       "kibana.alert.system_status": Object {
         "array": false,
         "required": false,

x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts

@@ -189,6 +189,31 @@ export const technicalRuleFieldMap = {
     array: false,
     required: false,
   },
+  [Fields.ALERT_SUPPRESSION_FIELD]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
+  [Fields.ALERT_SUPPRESSION_VALUE]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
+  [Fields.ALERT_SUPPRESSION_START]: {
+    type: 'date',
+    array: false,
+    required: false,
+  },
+  [Fields.ALERT_SUPPRESSION_END]: {
+    type: 'date',
+    array: false,
+    required: false,
+  },
+  [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: {
+    type: 'long',
+    array: false,
+    required: false,
+  },
 } as const;
 
 export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap;

x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts

@@ -14,6 +14,7 @@ export * from './model/common_attributes/timeline_template';
 
 export * from './model/specific_attributes/eql_attributes';
 export * from './model/specific_attributes/new_terms_attributes';
+export * from './model/specific_attributes/query_attributes';
 export * from './model/specific_attributes/threshold_attributes';
 
 export * from './model/rule_schemas';

x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_response_schema.mock.ts

@@ -75,6 +75,7 @@ export const getRulesSchemaMock = (anchorDate: string = ANCHOR_DATE): QueryRule
   filters: undefined,
   saved_id: undefined,
   response_actions: undefined,
+  alert_suppression: undefined,
 });
 
 export const getSavedQuerySchemaMock = (anchorDate: string = ANCHOR_DATE): SavedQueryRule => ({
@@ -87,6 +88,7 @@ export const getSavedQuerySchemaMock = (anchorDate: string = ANCHOR_DATE): Saved
   data_view_id: undefined,
   filters: undefined,
   response_actions: undefined,
+  alert_suppression: undefined,
 });
 
 export const getRulesMlSchemaMock = (anchorDate: string = ANCHOR_DATE): MachineLearningRule => {

x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_schemas.ts

@@ -85,6 +85,7 @@ import {
 } from './specific_attributes/eql_attributes';
 import { Threshold } from './specific_attributes/threshold_attributes';
 import { HistoryWindowStart, NewTermsFields } from './specific_attributes/new_terms_attributes';
+import { AlertSuppression } from './specific_attributes/query_attributes';
 
 import { buildRuleSchemas } from './build_rule_schemas';
 
@@ -302,6 +303,7 @@ const querySchema = buildRuleSchemas({
     filters: RuleFilterArray,
     saved_id,
     response_actions: ResponseActionArray,
+    alert_suppression: AlertSuppression,
   },
   defaultable: {
     query: RuleQuery,
@@ -340,6 +342,7 @@ const savedQuerySchema = buildRuleSchemas({
     query: RuleQuery,
     filters: RuleFilterArray,
     response_actions: ResponseActionArray,
+    alert_suppression: AlertSuppression,
   },
   defaultable: {
     language: t.keyof({ kuery: null, lucene: null }),

x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_attributes/query_attributes.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { LimitedSizeArray } from '@kbn/securitysolution-io-ts-types';
+
+export const AlertSuppressionGroupBy = LimitedSizeArray({
+  codec: t.string,
+  minSize: 1,
+  maxSize: 3,
+});
+
+/**
+ * Schema for fields relating to alert suppression, which enables limiting the number of alerts per entity.
+ * e.g. group_by: ['host.name'] would create only one alert per value of host.name. The created alert
+ * contains metadata about how many other candidate alerts with the same host.name value were suppressed.
+ */
+export type AlertSuppression = t.TypeOf<typeof AlertSuppression>;
+export const AlertSuppression = t.exact(
+  t.type({
+    group_by: AlertSuppressionGroupBy,
+  })
+);
+
+export const minimumLicenseForSuppression = 'platinum';

x-pack/plugins/security_solution/common/detection_engine/schemas/alerts/8.6.0/index.ts

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
+import type {
+  ALERT_SUPPRESSION_TERMS,
+  ALERT_SUPPRESSION_START,
+  ALERT_SUPPRESSION_END,
+  ALERT_SUPPRESSION_DOCS_COUNT,
+} from '@kbn/rule-data-utils';
+
+import type { BaseFields840, DetectionAlert840 } from '../8.4.0';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.6.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.6.0.
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export interface SuppressionFields860 extends BaseFields840 {
+  [ALERT_SUPPRESSION_TERMS]: Array<{ field: string; value: string | number | null }>;
+  [ALERT_SUPPRESSION_START]: Date;
+  [ALERT_SUPPRESSION_END]: Date;
+  [ALERT_SUPPRESSION_DOCS_COUNT]: number;
+}
+
+export type SuppressionAlert860 = AlertWithCommonFields800<SuppressionFields860>;
+
+export type DetectionAlert860 = DetectionAlert840 | SuppressionAlert860;

x-pack/plugins/security_solution/common/detection_engine/schemas/alerts/index.ts

@@ -17,16 +17,19 @@ import type {
   NewTermsFields840,
 } from './8.4.0';
 
+import type { DetectionAlert860, SuppressionFields860 } from './8.6.0';
+
 // When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
 // here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
-export type DetectionAlert = DetectionAlert800 | DetectionAlert840;
+export type DetectionAlert = DetectionAlert800 | DetectionAlert840 | DetectionAlert860;
 
 export type {
   Ancestor840 as AncestorLatest,
   BaseFields840 as BaseFieldsLatest,
-  DetectionAlert840 as DetectionAlertLatest,
+  DetectionAlert860 as DetectionAlertLatest,
   WrappedFields840 as WrappedFieldsLatest,
   EqlBuildingBlockFields840 as EqlBuildingBlockFieldsLatest,
   EqlShellFields840 as EqlShellFieldsLatest,
   NewTermsFields840 as NewTermsFieldsLatest,
+  SuppressionFields860 as SuppressionFieldsLatest,
 };

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts

@@ -435,6 +435,9 @@ export const formatDefineStepData = (defineStepData: DefineStepRule): DefineStep
         history_window_start: `now-${ruleFields.historyWindowSize}`,
       }
     : {
+        ...(ruleFields.groupByFields.length > 0
+          ? { alert_suppression: { group_by: ruleFields.groupByFields } }
+          : {}),
         index: ruleFields.index,
         filters: ruleFields.queryBar?.filters,
         language: ruleFields.queryBar?.query?.language,

x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts

@@ -30,6 +30,7 @@ import type { NamespaceType } from '@kbn/securitysolution-io-ts-list-types';
 
 import { RuleExecutionSummary } from '../../../../common/detection_engine/rule_monitoring';
 import {
+  AlertSuppression,
   AlertsIndex,
   BuildingBlockType,
   DataViewId,
@@ -191,6 +192,7 @@ export const RuleSchema = t.intersection([
     uuid: t.string,
     version: RuleVersion,
     execution_summary: RuleExecutionSummary,
+    alert_suppression: AlertSuppression,
   }),
 ]);
 

x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/__mocks__/mock.ts

@@ -167,6 +167,9 @@ export const mockRuleWithEverything = (id: string): Rule => ({
   timestamp_override_fallback_disabled: false,
   note: '# this is some markdown documentation',
   version: 1,
+  alert_suppression: {
+    group_by: ['host.name'],
+  },
   new_terms_fields: ['host.name'],
   history_window_start: 'now-7d',
 });
@@ -226,6 +229,7 @@ export const mockDefineStepRule = (): DefineStepRule => ({
   newTermsFields: ['host.ip'],
   historyWindowSize: '7d',
   shouldLoadQueryDynamically: false,
+  groupByFields: [],
 });
 
 export const mockScheduleStepRule = (): ScheduleStepRule => ({