[Security Solution][Detections] Add alert source to detection rule action context

[marshallmain]

Summary

This PR adds the source of the detection alert documents to the rule action context so notification actions can access fields within the detection alerts. The source alerts are available as an array through Mustache templating at {{context.alerts}}, e.g. {{context.alerts.0.process.name}} would get the process.name field of the first alert.

Docs update: Alert data is now available in detection rule actions at {{context.alerts}} as an array. This array contains each alert generated since the last time the action executed. Mustache templating can be used to iterate over all alerts in the array and capture information from each one. For example, {{#context.alerts}}Detection alert for user: {{user.name}}{{/context.alerts}} would create the string Detection alert for user: <user.name> for every alert in the array. Any alerts that don't have user.name will still generate the string but leave <user.name> blank.

Test process:

1. Go through the rule creation process for a rule type up to step 4 (Rule Actions).
2. Create a webhook connector that POSTs to http://localhost:<some port> with no auth and no http header, ex
   
3. Choose either "On rule execution" or one of the throttled options for when the action should fire. If using the throttled options, change the throttle time in /kibana/x-pack/plugins/security_solution/public/detections/components/rules/throttle_select_field/index.tsx down to 5m or less so you don't have to wait an hour for the action to trigger
4. Use netcat or equivalent to listen on the chosen port. e.g. sudo nc -l 392 on ubuntu listens on port 392.
5. Create a document that triggers the rule. When the action fires, netcat should print out the request it received from the webhook. You may need to restart netcat for it to print further requests even though the process continues to run.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[marshallmain]

@elasticmachine merge upstream

[marshallmain]

jenkins test this

[marshallmain]

@elasticmachine merge upstream

[madirey]

Reviewed, pulled, and tested that notifications fire. Looks good!

[dhurley14]

LGTM

[austinsonger]

So this pull request going to give the ability to add following for context fields?

Source IP
Source Hostname
Destination IP
Destination Hostname

[jamesspi]

@austinsonger Yes, any fields in the document that are present will be able to be used as context for external actions.

[kibanamachine]

💔 Build Failed

• continuous-integration/kibana-ci/pull-request
• Commit: 6f4171e
• Pipeline Steps (look for red circles / failed steps)
• Interpreting CI Failures

Failed CI Steps

• Execute xpack-kibana-ciGroup4
• Execute kibana-ciGroup1
• Verify NOTICE
• Execute oss-pluginFunctional
• Execute oss-pluginFunctional
• Execute xpack-kibana-ciGroup6
• Execute kibana-ciGroup8
• Execute xpack-kibana-ciGroup3
• Execute kibana-ciGroup4
• Execute xpack-kibana-ciGroup2
• Execute kibana-ciGroup12
• Execute kibana-ciGroup5
• Execute xpack-kibana-ciGroup8
• Execute kibana-ciGroup6
• Execute xpack-kibana-ciGroup7
• Execute kibana-ciGroup3
• Execute kibana-ciGroup9
• Execute kibana-ciGroup10
• Execute xpack-firefox
• Execute kibana-ciGroup11
• Execute xpack-kibana-ciGroup11
• Execute kibana-ciGroup2
• Execute xpack-kibana-ciGroup10
• Execute oss-firefox
• Execute xpack-kibana-ciGroup9
• Jest Integration Tests
• Execute xpack-kibana-ciGroup1

---

Test Failures

Jest Integration Tests.src/core/server/ui_settings/integration_tests.uiSettings/routes doc exists get route returns a 200 and includes userValues

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 4 times on tracked branches: https://github.com/elastic/kibana/issues/51584

Stack Trace

ConnectionError: socket hang up
    at ClientRequest.onError (/dev/shm/workspace/kibana/node_modules/@elastic/elasticsearch/lib/Connection.js:114:16)
    at ClientRequest.emit (events.js:315:20)
    at Socket.socketOnEnd (_http_client.js:493:9)
    at Socket.emit (events.js:327:22)
    at endReadableNT (_stream_readable.js:1327:12)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)

---

Jest Integration Tests.src/core/server/ui_settings/integration_tests.uiSettings/routes doc exists set route returns a 200 and all values including update

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 4 times on tracked branches: https://github.com/elastic/kibana/issues/51585

Stack Trace

Error: unknown error
    at respond (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:351:15)
    at checkRespForFailure (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at ClientRequest.wrapper (/dev/shm/workspace/kibana/node_modules/lodash/lodash.js:4949:19)
    at ClientRequest.emit (events.js:315:20)
    at Socket.socketCloseListener (_http_client.js:443:11)
    at Socket.emit (events.js:327:22)
    at TCP.<anonymous> (net.js:673:12)

---

Jest Integration Tests.src/core/server/ui_settings/integration_tests.uiSettings/routes doc exists set route returns a 400 if trying to set overridden value

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 4 times on tracked branches: https://github.com/elastic/kibana/issues/51586

Stack Trace

Error: unknown error
    at respond (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:351:15)
    at checkRespForFailure (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at ClientRequest.wrapper (/dev/shm/workspace/kibana/node_modules/lodash/lodash.js:4949:19)
    at ClientRequest.emit (events.js:315:20)
    at Socket.socketErrorListener (_http_client.js:469:9)
    at Socket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)

---

and 4 more failures, only showing the first 3.

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	8.3MB	8.3MB	+45.0B

Distributable file count

id	before	after	diff
default	47138	47899	+761

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	215.7KB	215.7KB	+47.0B

History

• 💛 Build #94167 was flaky 6f4171e
• 💛 Build #93525 was flaky b155080
• 💔 Build #93367 failed b155080
• 💔 Build #93362 failed aea4201

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream