[8.x] [Security Solution] Add `AlertSuppression` and `…

…Investigation Fields` to Rule Upgrade workflow (#195499) (#195924)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Add `AlertSuppression` and
`Investigation Fields` to Rule Upgrade workflow
(#195499)](#195499)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Juan Pablo
Djeredjian","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-11T13:44:50Z","message":"[Security
Solution] Add `AlertSuppression` and `Investigation Fields` to Rule
Upgrade workflow (#195499)\n\nResolves:
https://github.com/elastic/kibana/issues/190597\r\n\r\n##
Summary\r\n\r\nAdds `AlertSuppression` and `Investigation Fields` to
Rule Upgrade\r\nworkflow:\r\n- Fields had already been added to
DiffableRule schema and diffing\r\nalgorithms in
https://github.com/elastic/kibana/pull/190128\r\n- Current PR adds them
to the UI field list so they get displayed in the\r\ndiff\r\n\r\n##
Screenshots\r\n\r\n#### Investigation
Fields\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/bff90832-cbf7-4804-888f-b62db5d08127)\r\n\r\n####
Alert
Suppression\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/a46fc2db-53d1-4aab-92fc-c92ff88a60b0)\r\n\r\n\r\n##
Testing\r\n\r\nLittle bit tricky: no prebuilt rules have these fields,
so no matter\r\nwhich packages you install you wont' see this upgrade.
You'll need to\r\ntinker with the security-rule assets, for
example:\r\n```ts\r\nPOST
.kibana_security_solution/_update_by_query\r\n{\r\n \"script\": {\r\n
\"source\": \"\"\"\r\n ctx._source['security-rule']['alert_suppression']
= [\r\n 'group_by': ['agent.hostname'],\r\n 'missing_fields_strategy':
'suppress'\r\n ];\r\n \"\"\",\r\n \"lang\": \"painless\"\r\n },\r\n
\"query\": {\r\n \"bool\": {\r\n \"must\": [\r\n {\r\n \"term\": {\r\n
\"type\": {\r\n \"value\": \"security-rule\"\r\n }\r\n }\r\n },\r\n
{\r\n \"term\": {\r\n \"security-rule.rule_id\": {\r\n \"value\":
\"0564fb9d-90b9-4234-a411-82a546dc1343\"\r\n }\r\n }\r\n },\r\n {\r\n
\"term\": {\r\n \"security-rule.version\": {\r\n \"value\": \"111\"\r\n
}\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n```\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ed144bdba48585754de6b89f80b5dbba37f19edf","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:prev-minor","v8.16.0"],"title":"[Security Solution] Add
`AlertSuppression` and `Investigation Fields` to Rule Upgrade
workflow","number":195499,"url":"https://github.com/elastic/kibana/pull/195499","mergeCommit":{"message":"[Security
Solution] Add `AlertSuppression` and `Investigation Fields` to Rule
Upgrade workflow (#195499)\n\nResolves:
https://github.com/elastic/kibana/issues/190597\r\n\r\n##
Summary\r\n\r\nAdds `AlertSuppression` and `Investigation Fields` to
Rule Upgrade\r\nworkflow:\r\n- Fields had already been added to
DiffableRule schema and diffing\r\nalgorithms in
https://github.com/elastic/kibana/pull/190128\r\n- Current PR adds them
to the UI field list so they get displayed in the\r\ndiff\r\n\r\n##
Screenshots\r\n\r\n#### Investigation
Fields\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/bff90832-cbf7-4804-888f-b62db5d08127)\r\n\r\n####
Alert
Suppression\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/a46fc2db-53d1-4aab-92fc-c92ff88a60b0)\r\n\r\n\r\n##
Testing\r\n\r\nLittle bit tricky: no prebuilt rules have these fields,
so no matter\r\nwhich packages you install you wont' see this upgrade.
You'll need to\r\ntinker with the security-rule assets, for
example:\r\n```ts\r\nPOST
.kibana_security_solution/_update_by_query\r\n{\r\n \"script\": {\r\n
\"source\": \"\"\"\r\n ctx._source['security-rule']['alert_suppression']
= [\r\n 'group_by': ['agent.hostname'],\r\n 'missing_fields_strategy':
'suppress'\r\n ];\r\n \"\"\",\r\n \"lang\": \"painless\"\r\n },\r\n
\"query\": {\r\n \"bool\": {\r\n \"must\": [\r\n {\r\n \"term\": {\r\n
\"type\": {\r\n \"value\": \"security-rule\"\r\n }\r\n }\r\n },\r\n
{\r\n \"term\": {\r\n \"security-rule.rule_id\": {\r\n \"value\":
\"0564fb9d-90b9-4234-a411-82a546dc1343\"\r\n }\r\n }\r\n },\r\n {\r\n
\"term\": {\r\n \"security-rule.version\": {\r\n \"value\": \"111\"\r\n
}\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n```\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ed144bdba48585754de6b89f80b5dbba37f19edf"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/195499","number":195499,"mergeCommit":{"message":"[Security
Solution] Add `AlertSuppression` and `Investigation Fields` to Rule
Upgrade workflow (#195499)\n\nResolves:
https://github.com/elastic/kibana/issues/190597\r\n\r\n##
Summary\r\n\r\nAdds `AlertSuppression` and `Investigation Fields` to
Rule Upgrade\r\nworkflow:\r\n- Fields had already been added to
DiffableRule schema and diffing\r\nalgorithms in
https://github.com/elastic/kibana/pull/190128\r\n- Current PR adds them
to the UI field list so they get displayed in the\r\ndiff\r\n\r\n##
Screenshots\r\n\r\n#### Investigation
Fields\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/bff90832-cbf7-4804-888f-b62db5d08127)\r\n\r\n####
Alert
Suppression\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/a46fc2db-53d1-4aab-92fc-c92ff88a60b0)\r\n\r\n\r\n##
Testing\r\n\r\nLittle bit tricky: no prebuilt rules have these fields,
so no matter\r\nwhich packages you install you wont' see this upgrade.
You'll need to\r\ntinker with the security-rule assets, for
example:\r\n```ts\r\nPOST
.kibana_security_solution/_update_by_query\r\n{\r\n \"script\": {\r\n
\"source\": \"\"\"\r\n ctx._source['security-rule']['alert_suppression']
= [\r\n 'group_by': ['agent.hostname'],\r\n 'missing_fields_strategy':
'suppress'\r\n ];\r\n \"\"\",\r\n \"lang\": \"painless\"\r\n },\r\n
\"query\": {\r\n \"bool\": {\r\n \"must\": [\r\n {\r\n \"term\": {\r\n
\"type\": {\r\n \"value\": \"security-rule\"\r\n }\r\n }\r\n },\r\n
{\r\n \"term\": {\r\n \"security-rule.rule_id\": {\r\n \"value\":
\"0564fb9d-90b9-4234-a411-82a546dc1343\"\r\n }\r\n }\r\n },\r\n {\r\n
\"term\": {\r\n \"security-rule.version\": {\r\n \"value\": \"111\"\r\n
}\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n```\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ed144bdba48585754de6b89f80b5dbba37f19edf"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Juan Pablo Djeredjian <[email protected]>

x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/constants.ts

@@ -16,6 +16,7 @@ export const ABOUT_UPGRADE_FIELD_ORDER: Array<keyof DiffableAllFields> = [
   'description',
   'author',
   'building_block',
+  'investigation_fields',
   'severity',
   'severity_mapping',
   'risk_score',
@@ -52,6 +53,7 @@ export const DEFINITION_UPGRADE_FIELD_ORDER: Array<keyof DiffableAllFields> = [
   'new_terms_fields',
   'history_window_start',
   'max_signals',
+  'alert_suppression',
 ];
 
 export const SCHEDULE_UPGRADE_FIELD_ORDER: Array<keyof DiffableAllFields> = ['rule_schedule'];