elastic · vitaliidm · Apr 25, 2023 · Apr 17, 2023 · Apr 18, 2023 · Apr 18, 2023
diff --git a/...olution/common/detection_engine/rule_schema/model/specific_attributes/query_attributes.ts b/...olution/common/detection_engine/rule_schema/model/specific_attributes/query_attributes.ts
@@ -9,8 +9,27 @@ import * as t from 'io-ts';
 import {
   LimitedSizeArray,
   PositiveIntegerGreaterThanZero,
+  enumeration,
 } from '@kbn/securitysolution-io-ts-types';
 
+/**
+ * describes how alerts will be generated for documents with missing suppress by fields
+ */
+export enum AlertSuppressionMissingFieldsStrategy {
+  // per each document a separate alert will be created
+  DoNotSuppress = 'doNotSuppress',
+  // only alert will be created per suppress by bucket
+  Suppress = 'suppress',
+}
+
+export type AlertSuppressionMissingFields = t.TypeOf<typeof AlertSuppressionMissingFields>;
+export const AlertSuppressionMissingFields = enumeration(
+  'AlertSuppressionMissingFields',
+  AlertSuppressionMissingFieldsStrategy
+);
+export const DEFAULT_SUPPRESSION_MISSING_FIELDS_STRATEGY =
+  AlertSuppressionMissingFieldsStrategy.Suppress;
+
 export const AlertSuppressionGroupBy = LimitedSizeArray({
   codec: t.string,
   minSize: 1,
@@ -41,6 +60,7 @@ export const AlertSuppression = t.intersection([
   t.exact(
     t.partial({
       duration: AlertSuppressionDuration,
+      missing_fields_strategy: AlertSuppressionMissingFields,
     })
   ),
 ]);
@@ -55,6 +75,7 @@ export const AlertSuppressionCamel = t.intersection([
   t.exact(
     t.partial({
       duration: AlertSuppressionDuration,
+      missingFieldsStrategy: AlertSuppressionMissingFields,
     })
   ),
 ]);

diff --git a/...security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts b/...security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts
@@ -48,6 +48,7 @@ import {
   GroupByOptions,
 } from '../../../../detections/pages/detection_engine/rules/types';
 import type { RuleCreateProps } from '../../../../../common/detection_engine/rule_schema';
+import { DEFAULT_SUPPRESSION_MISSING_FIELDS_STRATEGY } from '../../../../../common/detection_engine/rule_schema';
 import { stepActionsDefaultValue } from '../../../../detections/components/rules/step_rule_actions';
 
 export const getTimeTypeValue = (time: string): { unit: Unit; value: number } => {
@@ -447,6 +448,9 @@ export const formatDefineStepData = (defineStepData: DefineStepRule): DefineStep
                   ruleFields.groupByRadioSelection === GroupByOptions.PerTimePeriod
                     ? ruleFields.groupByDuration
                     : undefined,
+                missing_fields_strategy:
+                  ruleFields.suppressionMissingFields ||
+                  DEFAULT_SUPPRESSION_MISSING_FIELDS_STRATEGY,
               },
             }
           : {}),

diff --git a/...plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/...plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
@@ -15,7 +15,6 @@ import {
   EuiIcon,
   EuiToolTip,
   EuiFlexGrid,
-  EuiBetaBadge,
 } from '@elastic/eui';
 import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 
@@ -37,7 +36,6 @@ import type {
   RequiredFieldArray,
   Threshold,
 } from '../../../../../common/detection_engine/rule_schema';
-import { minimumLicenseForSuppression } from '../../../../../common/detection_engine/rule_schema';
 
 import * as i18n from './translations';
 import type { BuildQueryBarDescription, BuildThreatDescription, ListItems } from './types';
@@ -50,8 +48,9 @@ import type {
 import { GroupByOptions } from '../../../pages/detection_engine/rules/types';
 import { defaultToEmptyTag } from '../../../../common/components/empty_value';
 import { ThreatEuiFlexGroup } from './threat_description';
+import { TechnicalPreviewBadge } from './technical_preview_badge';
 import type { LicenseService } from '../../../../../common/license';
-
+import { AlertSuppressionMissingFieldsStrategy } from '../../../../../common/detection_engine/rule_schema';
 const NoteDescriptionContainer = styled(EuiFlexItem)`
   height: 105px;
   overflow-y: hidden;
@@ -535,21 +534,7 @@ export const buildAlertSuppressionDescription = (
     </EuiFlexGroup>
   );
 
-  const title = (
-    <>
-      {label}
-      <EuiBetaBadge
-        label={i18n.ALERT_SUPPRESSION_TECHNICAL_PREVIEW}
-        style={{ verticalAlign: 'middle', marginLeft: '8px' }}
-        size="s"
-      />
-      {!license.isAtLeast(minimumLicenseForSuppression) && (
-        <EuiToolTip position="top" content={i18n.ALERT_SUPPRESSION_INSUFFICIENT_LICENSE}>
-          <EuiIcon type={'warning'} size="l" color="#BD271E" style={{ marginLeft: '8px' }} />
-        </EuiToolTip>
-      )}
-    </>
-  );
+  const title = <TechnicalPreviewBadge label={label} license={license} />;
   return [
     {
       title,
@@ -569,21 +554,30 @@ export const buildAlertSuppressionWindowDescription = (
       ? `${value.value}${value.unit}`
       : i18n.ALERT_SUPPRESSION_PER_RULE_EXECUTION;
 
-  const title = (
-    <>
-      {label}
-      <EuiBetaBadge
-        label={i18n.ALERT_SUPPRESSION_TECHNICAL_PREVIEW}
-        style={{ verticalAlign: 'middle', marginLeft: '8px' }}
-        size="s"
-      />
-      {!license.isAtLeast(minimumLicenseForSuppression) && (
-        <EuiToolTip position="top" content={i18n.ALERT_SUPPRESSION_INSUFFICIENT_LICENSE}>
-          <EuiIcon type={'warning'} size="l" color="#BD271E" style={{ marginLeft: '8px' }} />
-        </EuiToolTip>
-      )}
-    </>
-  );
+  const title = <TechnicalPreviewBadge label={label} license={license} />;
+  return [
+    {
+      title,
+      description,
+    },
+  ];
+};
+
+export const buildAlertSuppressionMissingFieldsDescription = (
+  label: string,
+  value: AlertSuppressionMissingFieldsStrategy,
+  license: LicenseService
+): ListItems[] => {
+  if (isEmpty(value)) {
+    return [];
+  }
+
+  const description =
+    value === AlertSuppressionMissingFieldsStrategy.Suppress
+      ? i18n.ALERT_SUPPRESSION_SUPPRESS_ON_MISSING_FIELDS
+      : i18n.ALERT_SUPPRESSION_DO_NOT_SUPPRESS_ON_MISSING_FIELDS;
+
+  const title = <TechnicalPreviewBadge label={label} license={license} />;
   return [
     {
       title,

diff --git a/...k/plugins/security_solution/public/detections/components/rules/description_step/index.tsx b/...k/plugins/security_solution/public/detections/components/rules/description_step/index.tsx
@@ -46,6 +46,7 @@ import {
   buildRequiredFieldsDescription,
   buildAlertSuppressionDescription,
   buildAlertSuppressionWindowDescription,
+  buildAlertSuppressionMissingFieldsDescription,
 } from './helpers';
 import { buildMlJobsDescription } from './build_ml_jobs_description';
 import { buildActionsDescription } from './actions_description';
@@ -216,6 +217,13 @@ export const getDescriptionItem = (
     } else {
       return [];
     }
+  } else if (field === 'suppressionMissingFields') {
+    if (get('groupByFields', data).length > 0) {
+      const value = get(field, data);
+      return buildAlertSuppressionMissingFieldsDescription(label, value, license);
+    } else {
+      return [];
+    }
   } else if (field === 'eqlOptions') {
     const eqlOptions: EqlOptionsSelected = get(field, data);
     return buildEqlOptionsDescription(eqlOptions);

diff --git a/..._solution/public/detections/components/rules/description_step/technical_preview_badge.tsx b/..._solution/public/detections/components/rules/description_step/technical_preview_badge.tsx
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { EuiIcon, EuiToolTip, EuiBetaBadge } from '@elastic/eui';
+
+import type { LicenseService } from '../../../../../common/license';
+import { minimumLicenseForSuppression } from '../../../../../common/detection_engine/rule_schema';
+
+import * as i18n from './translations';
+
+interface TechnicalPreviewBadgeProps {
+  label: string;
+  license: LicenseService;
+}
+
+export const TechnicalPreviewBadge = ({ label, license }: TechnicalPreviewBadgeProps) => (
+  <>
+    {label}
+    <EuiBetaBadge
+      label={i18n.ALERT_SUPPRESSION_TECHNICAL_PREVIEW}
+      style={{ verticalAlign: 'middle', marginLeft: '8px' }}
+      size="s"
+    />
+    {!license.isAtLeast(minimumLicenseForSuppression) && (
+      <EuiToolTip position="top" content={i18n.ALERT_SUPPRESSION_INSUFFICIENT_LICENSE}>
+        <EuiIcon type={'warning'} size="l" color="#BD271E" style={{ marginLeft: '8px' }} />
+      </EuiToolTip>
+    )}
+  </>
+);
diff --git a/...ins/security_solution/public/detections/components/rules/description_step/translations.ts b/...ins/security_solution/public/detections/components/rules/description_step/translations.ts
@@ -147,3 +147,17 @@ export const ALERT_SUPPRESSION_PER_RULE_EXECUTION = i18n.translate(
     defaultMessage: 'One rule execution',
   }
 );
+
+export const ALERT_SUPPRESSION_SUPPRESS_ON_MISSING_FIELDS = i18n.translate(
+  'xpack.securitySolution.detectionEngine.ruleDescription.alertSuppressionSuppressOnMissingFieldsDescription',
+  {
+    defaultMessage: 'Suppress on missing field value',
+  }
+);
+
+export const ALERT_SUPPRESSION_DO_NOT_SUPPRESS_ON_MISSING_FIELDS = i18n.translate(
+  'xpack.securitySolution.detectionEngine.ruleDescription.alertSuppressionDoNotSuppressOnMissingFieldsDescription',
+  {
+    defaultMessage: 'Do not suppress',
+  }
+);
diff --git a/...k/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx b/...k/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
@@ -7,6 +7,7 @@
 
 import type { EuiButtonGroupOptionProps } from '@elastic/eui';
 import {
+  EuiAccordion,
   EuiButtonEmpty,
   EuiFlexGroup,
   EuiFlexItem,
@@ -88,7 +89,10 @@ import { defaultCustomQuery } from '../../../pages/detection_engine/rules/utils'
 import { getIsRulePreviewDisabled } from '../rule_preview/helpers';
 import { GroupByFields } from '../group_by_fields';
 import { useLicense } from '../../../../common/hooks/use_license';
-import { minimumLicenseForSuppression } from '../../../../../common/detection_engine/rule_schema';
+import {
+  minimumLicenseForSuppression,
+  AlertSuppressionMissingFieldsStrategy,
+} from '../../../../../common/detection_engine/rule_schema';
 import { DurationInput } from '../duration_input';
 
 const CommonUseField = getUseField({ component: Field });
@@ -179,6 +183,7 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
       'groupByRadioSelection',
       'groupByDuration.value',
       'groupByDuration.unit',
+      'suppressionMissingFields',
     ],
     onChange: (data: DefineStepRule) => {
       if (onRuleDataChange) {
@@ -561,6 +566,34 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
     [license, groupByFields]
   );
 
+  const AlertsSuppressionMissingFields = useCallback(
+    ({ suppressionMissingFields }) => (
+      <EuiRadioGroup
+        disabled={
+          !license.isAtLeast(minimumLicenseForSuppression) ||
+          groupByFields == null ||
+          groupByFields.length === 0
+        }
+        idSelected={suppressionMissingFields.value}
+        options={[
+          {
+            id: AlertSuppressionMissingFieldsStrategy.Suppress,
+            label: i18n.ALERT_SUPPRESSION_MISSING_FIELDS_SUPPRESS_OPTION,
+          },
+          {
+            id: AlertSuppressionMissingFieldsStrategy.DoNotSuppress,
+            label: i18n.ALERT_SUPPRESSION_MISSING_FIELDS_DO_NOT_SUPPRESS_OPTION,
+          },
+        ]}
+        onChange={(id: string) => {
+          suppressionMissingFields.setValue(id);
+        }}
+        data-test-subj="suppressionMissingFieldsOptions"
+      />
+    ),
+    [license, groupByFields]
+  );
+
   const dataViewIndexPatternToggleButtonOptions: EuiButtonGroupOptionProps[] = useMemo(
     () => [
       {
@@ -868,41 +901,68 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
             </>
           )}
 
-          <RuleTypeEuiFormRow
-            $isVisible={isQueryRule(ruleType)}
-            data-test-subj="alertSuppressionInput"
+          <EuiSpacer size="l" />
+          <EuiAccordion
+            data-test-subj="alertSuppressionAccordion"
+            id="alertSuppressionAccordion"
+            buttonContent={i18n.ALERT_SUPPRESSION_ACCORDION_BUTTON}
           >
-            <UseField
-              path="groupByFields"
-              component={GroupByFields}
-              componentProps={{
-                browserFields: termsAggregationFields,
-                isDisabled:
-                  !license.isAtLeast(minimumLicenseForSuppression) &&
-                  initialState.groupByFields.length === 0,
-              }}
-            />
-          </RuleTypeEuiFormRow>
-          <RuleTypeEuiFormRow
-            $isVisible={isQueryRule(ruleType)}
-            data-test-subj="alertSuppressionDuration"
-          >
-            <UseMultiFields
-              fields={{
-                groupByRadioSelection: {
-                  path: 'groupByRadioSelection',
-                },
-                groupByDurationValue: {
-                  path: 'groupByDuration.value',
-                },
-                groupByDurationUnit: {
-                  path: 'groupByDuration.unit',
-                },
-              }}
+            <EuiSpacer size="l" />
+
+            <RuleTypeEuiFormRow
+              $isVisible={isQueryRule(ruleType)}
+              data-test-subj="alertSuppressionInput"
             >
-              {GroupByChildren}
-            </UseMultiFields>
-          </RuleTypeEuiFormRow>
+              <UseField
+                path="groupByFields"
+                component={GroupByFields}
+                componentProps={{
+                  browserFields: termsAggregationFields,
+                  isDisabled:
+                    !license.isAtLeast(minimumLicenseForSuppression) &&
+                    initialState.groupByFields.length === 0,
+                }}
+              />
+            </RuleTypeEuiFormRow>
+
+            <RuleTypeEuiFormRow
+              $isVisible={isQueryRule(ruleType)}
+              data-test-subj="alertSuppressionDuration"
+            >
+              <UseMultiFields
+                fields={{
+                  groupByRadioSelection: {
+                    path: 'groupByRadioSelection',
+                  },
+                  groupByDurationValue: {
+                    path: 'groupByDuration.value',
+                  },
+                  groupByDurationUnit: {
+                    path: 'groupByDuration.unit',
+                  },
+                }}
+              >
+                {GroupByChildren}
+              </UseMultiFields>
+            </RuleTypeEuiFormRow>
+
+            <RuleTypeEuiFormRow
+              $isVisible={isQueryRule(ruleType)}
+              data-test-subj="alertSuppressionMissingFields"
+              label={i18n.ALERT_SUPPRESSION_MISSING_FIELDS_FORM_ROW_LABEL}
+            >
+              <UseMultiFields
+                fields={{
+                  suppressionMissingFields: {
+                    path: 'suppressionMissingFields',
+                  },
+                }}
+              >
+                {AlertsSuppressionMissingFields}
+              </UseMultiFields>
+            </RuleTypeEuiFormRow>
+          </EuiAccordion>
+          <EuiSpacer size="l" />
 
           <RuleTypeEuiFormRow $isVisible={isMlRule(ruleType)} fullWidth>
             <>