From 97199322978847293c118e6d238958511d002ae7 Mon Sep 17 00:00:00 2001
From: Madison Caldwell
Date: Sat, 12 Dec 2020 20:36:06 -0500
Subject: [PATCH] [Security Solution][Detections][Threshold Rules] Threshold rule exceptions (#85103)
* Threshold rule exceptions
* Clean up
* Disable value lists for threshold rule exceptions
* lint
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../components/exceptions/builder/entry_item.tsx | 4 ++--
 .../timeline_actions/alert_context_menu.tsx | 11 ++---------
 .../components/rules/step_about_rule/index.tsx | 5 +----
 .../pages/detection_engine/rules/details/index.tsx | 4 +---
 .../signals/signal_rule_alert_type.ts | 2 +-
 5 files changed, 7 insertions(+), 19 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/builder/entry_item.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/builder/entry_item.tsx
index 8b5e0555b57b..badb29e16557 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/builder/entry_item.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/builder/entry_item.tsx
@@ -7,7 +7,7 @@
 import React, { useCallback } from 'react';
 import { EuiFormRow, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import styled from 'styled-components';
-import { isEqlRule } from '../../../../../common/detection_engine/utils';
+import { isEqlRule, isThresholdRule } from '../../../../../common/detection_engine/utils';
 import { Type } from '../../../../../common/detection_engine/schemas/common/schemas';
 import { IFieldType, IIndexPattern } from '../../../../../../../../src/plugins/data/common';
 import { FieldComponent } from '../../autocomplete/field';
@@ -149,7 +149,7 @@ export const BuilderEntryItem: React.FC = ({ entry, listType, entry.field != null && entry.field.type === 'boolean', - isFirst && !isEqlRule(ruleType) + isFirst && !isEqlRule(ruleType) && !isThresholdRule(ruleType) ); const comboBox = ( = ({ setOpenAddExceptionModal('detection'); }, [closePopover]); - const areExceptionsAllowed = useMemo((): boolean => { - const ruleTypes = getOr([], 'signal.rule.type', ecsRowData); - const [ruleType] = ruleTypes as Type[]; - return !isThresholdRule(ruleType); - }, [ecsRowData]); - // eslint-disable-next-line react-hooks/exhaustive-deps const addExceptionComponent = ( = ({ data-test-subj="add-exception-menu-item" id="addException" onClick={handleAddExceptionClick} - disabled={!canUserCRUD || !hasIndexWrite || !areExceptionsAllowed} + disabled={!canUserCRUD || !hasIndexWrite} > {i18n.ACTION_ADD_EXCEPTION} diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx index 65993902d4c2..6fa93f9fb413 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx @@ -8,7 +8,6 @@ import { EuiAccordion, EuiFlexItem, EuiSpacer, EuiFormRow } from '@elastic/eui'; import React, { FC, memo, useCallback, useEffect, useState } from 'react'; import styled from 'styled-components'; -import { isThresholdRule } from '../../../../../common/detection_engine/utils'; import { RuleStepProps, RuleStep, 
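Review bot: The value-list restriction for threshold rules is enforced only in the builder UI, through the last argument of the call shown in the entry_item.tsx hunk (`isFirst && !isEqlRule(ruleType) && !isThresholdRule(ruleType)`). Nothing visible in this patch rejects a list-type entry that reaches a threshold rule by another path, for example an exception item created through the API. If the rule executor cannot evaluate value lists for threshold rules, it presumably should skip or reject such entries explicitly rather than depend on this flag. A short comment above the argument, such as `// value lists are not offered for EQL or threshold rules`, would also record why the operand is there. The enclosing call starts before the hunk, and the JSX that followed `const comboBox = (` is missing from this copy of the patch.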
@@ -75,8 +74,6 @@ const StepAboutRuleComponent: FC = ({ const [severityValue, setSeverityValue] = useState(initialState.severity.value); const [indexPatternLoading, { indexPatterns }] = useFetchIndex(defineRuleData?.index ?? []); - const canUseExceptions = defineRuleData?.ruleType && !isThresholdRule(defineRuleData.ruleType); - const { form } = useForm({ defaultValue: initialState, options: { stripEmptyFields: false }, @@ -282,7 +279,7 @@ const StepAboutRuleComponent: FC = ({ idAria: 'detectionEngineStepAboutRuleAssociatedToEndpointList', 'data-test-subj': 'detectionEngineStepAboutRuleAssociatedToEndpointList', euiFieldProps: { - disabled: isLoading || !canUseExceptions, + disabled: isLoading, }, }} /> diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx index 62f0d12fd67b..28c7805e968d 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx @@ -82,7 +82,6 @@ import { DEFAULT_INDEX_PATTERN } from '../../../../../../common/constants'; import { useFullScreen } from '../../../../../common/containers/use_full_screen'; import { Display } from '../../../../../hosts/pages/display'; import { ExceptionListTypeEnum, ExceptionListIdentifiers } from '../../../../../shared_imports'; -import { isThresholdRule } from '../../../../../../common/detection_engine/utils'; import { useRuleAsync } from '../../../../containers/detection_engine/rules/use_rule_async'; import { showGlobalFilters } from '../../../../../timelines/components/timeline/helpers'; import { timelineSelectors } from '../../../../../timelines/store/timeline'; 
@@ -104,7 +103,6 @@ enum RuleDetailTabs { } const getRuleDetailsTabs = (rule: Rule | null) => { - const canUseExceptions = rule && !isThresholdRule(rule.type); return [ { id: RuleDetailTabs.alerts, @@ -115,7 +113,7 @@ const getRuleDetailsTabs = (rule: Rule | null) => { { id: RuleDetailTabs.exceptions, name: i18n.EXCEPTIONS_TAB, - disabled: !canUseExceptions, + disabled: false, dataTestSubj: 'exceptionsTab', }, { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts index 6be4a83d237a..8d4dd877996d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts @@ -338,7 +338,7 @@ export const signalRulesAlertType = ({ must: [ { term: { - [threshold.field ?? 'signal.rule.rule_id']: bucket.key, + [threshold.field || 'signal.rule.rule_id']: bucket.key, }, }, {
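Review bot: With `disabled: false` in the second details/index.tsx hunk, the exceptions tab is now enabled even while `rule` is still null. The removed `const canUseExceptions = rule && !isThresholdRule(rule.type)` evaluated to null in that case, so `!canUseExceptions` kept the tab disabled until the rule had loaded. If that guard was intended, `disabled: rule == null` preserves it while still allowing threshold rules. Within the lines visible here the `rule` parameter of getRuleDetailsTabs is no longer read; the function continues outside the hunk, so other uses may exist.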
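Review bot: The switch from `??` to `||` on the computed key in signal_rule_alert_type.ts is undocumented, although it changes behaviour only when `threshold.field` is an empty string, which presumably is how a threshold rule without a group-by field is stored. Nothing at this line says so, and a later cleanup back to nullish coalescing would silently restore a term filter on an empty field name. I would add `// threshold.field is '' when no field is set, so || (not ??) is intentional` above the key and a unit test for the empty-field case. The enclosing query builder starts and ends outside the hunk.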