[Security Solution] Allow users to edit max_signals field for custom rules

test/plugin_functional/test_suites/core_plugins/rendering.ts

@@ -330,6 +330,7 @@ export default function ({ getService }: PluginFunctionalProviderContext) {
         'xpack.stack_connectors.enableExperimental (array)',
         'xpack.trigger_actions_ui.enableExperimental (array)',
         'xpack.trigger_actions_ui.enableGeoTrackingThresholdAlert (boolean)',
+        'xpack.alerting.rules.run.alerts.max (number)',
         'xpack.upgrade_assistant.featureSet.migrateSystemIndices (boolean)',
         'xpack.upgrade_assistant.featureSet.mlSnapshots (boolean)',
         'xpack.upgrade_assistant.featureSet.reindexCorrectiveActions (boolean)',

x-pack/plugins/alerting/public/mocks.ts

@@ -17,6 +17,7 @@ const createSetupContract = (): Setup => ({
 
 const createStartContract = (): Start => ({
   getNavigation: jest.fn(),
+  getMaxAlertsPerRun: jest.fn(),
 });
 
 export const alertingPluginMock = {

x-pack/plugins/alerting/public/plugin.test.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { AlertingPublicPlugin } from './plugin';
+import { AlertingPublicPlugin, AlertingUIConfig } from './plugin';
 import { coreMock } from '@kbn/core/public/mocks';
 import {
   createManagementSectionMock,
@@ -17,7 +17,17 @@ jest.mock('./services/rule_api', () => ({
   loadRuleType: jest.fn(),
 }));
 
-const mockInitializerContext = coreMock.createPluginInitializerContext();
+const mockAlertingUIConfig: AlertingUIConfig = {
+  rules: {
+    run: {
+      alerts: {
+        max: 1000,
+      },
+    },
+  },
+};
+
+const mockInitializerContext = coreMock.createPluginInitializerContext(mockAlertingUIConfig);
 const management = managementPluginMock.createSetupContract();
 const mockSection = createManagementSectionMock();
 

x-pack/plugins/alerting/public/plugin.ts

@@ -57,6 +57,7 @@ export interface PluginSetupContract {
 }
 export interface PluginStartContract {
   getNavigation: (ruleId: Rule['id']) => Promise<string | undefined>;
+  getMaxAlertsPerRun: () => number;
 }
 export interface AlertingPluginSetup {
   management: ManagementSetup;
@@ -69,13 +70,28 @@ export interface AlertingPluginStart {
   data: DataPublicPluginStart;
 }
 
+export interface AlertingUIConfig {
+  rules: {
+    run: {
+      alerts: {
+        max: number;
+      };
+    };
+  };
+}
+
 export class AlertingPublicPlugin
   implements
     Plugin<PluginSetupContract, PluginStartContract, AlertingPluginSetup, AlertingPluginStart>
 {
   private alertNavigationRegistry?: AlertNavigationRegistry;
+  private config: AlertingUIConfig;
+  readonly maxAlertsPerRun: number;
 
-  constructor(private readonly initContext: PluginInitializerContext) {}
+  constructor(private readonly initContext: PluginInitializerContext) {
+    this.config = this.initContext.config.get<AlertingUIConfig>();
+    this.maxAlertsPerRun = this.config.rules.run.alerts.max;
+  }
 
   public setup(core: CoreSetup, plugins: AlertingPluginSetup) {
     this.alertNavigationRegistry = new AlertNavigationRegistry();
@@ -150,6 +166,9 @@ export class AlertingPublicPlugin
           return rule.viewInAppRelativeUrl;
         }
       },
+      getMaxAlertsPerRun: () => {
+        return this.maxAlertsPerRun;
+      },
     };
   }
 }

x-pack/plugins/alerting/server/config.ts

@@ -80,7 +80,7 @@ export type AlertingConfig = TypeOf<typeof configSchema>;
 export type RulesConfig = TypeOf<typeof rulesSchema>;
 export type AlertingRulesConfig = Pick<
   AlertingConfig['rules'],
-  'minimumScheduleInterval' | 'maxScheduledPerMinute'
+  'minimumScheduleInterval' | 'maxScheduledPerMinute' | 'run'
 > & {
   isUsingSecurity: boolean;
 };

x-pack/plugins/alerting/server/index.ts

@@ -7,8 +7,7 @@
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import { PluginConfigDescriptor, PluginInitializerContext } from '@kbn/core/server';
 import { RulesClient as RulesClientClass } from './rules_client';
-import { configSchema } from './config';
-import { AlertsConfigType } from './types';
+import { AlertingConfig, configSchema } from './config';
 
 export type RulesClient = PublicMethodsOf<RulesClientClass>;
 
@@ -79,8 +78,11 @@ export const plugin = async (initContext: PluginInitializerContext) => {
   return new AlertingPlugin(initContext);
 };
 
-export const config: PluginConfigDescriptor<AlertsConfigType> = {
+export const config: PluginConfigDescriptor<AlertingConfig> = {
   schema: configSchema,
+  exposeToBrowser: {
+    rules: { run: { alerts: { max: true } } },
+  },
   deprecations: ({ renameFromRoot, deprecate }) => [
     renameFromRoot('xpack.alerts.healthCheck', 'xpack.alerting.healthCheck', { level: 'warning' }),
     renameFromRoot(

x-pack/plugins/alerting/server/plugin.test.ts

@@ -163,6 +163,7 @@ describe('Alerting Plugin', () => {
             maxScheduledPerMinute: 10000,
             isUsingSecurity: false,
             minimumScheduleInterval: { value: '1m', enforce: false },
+            run: { alerts: { max: 1000 }, actions: { max: 1000 } },
           });
 
           expect(setupContract.frameworkAlerts.enabled()).toEqual(false);

x-pack/plugins/alerting/server/plugin.ts

@@ -458,7 +458,7 @@ export class AlertingPlugin {
       },
       getConfig: () => {
         return {
-          ...pick(this.config.rules, ['minimumScheduleInterval', 'maxScheduledPerMinute']),
+          ...pick(this.config.rules, ['minimumScheduleInterval', 'maxScheduledPerMinute', 'run']),
           isUsingSecurity: this.licenseState ? !!this.licenseState.getIsSecurityEnabled() : false,
         };
       },

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml

@@ -123,7 +123,6 @@ components:
         references:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleReferenceArray'
 
-        # maxSignals not used in ML rules but probably should be used
         max_signals:
           $ref: './common_attributes.schema.yaml#/components/schemas/MaxSignals'
         threat:

x-pack/plugins/security_solution/public/common/lib/kibana/kibana_react.mock.ts

@@ -58,6 +58,7 @@ import { fieldFormatsMock } from '@kbn/field-formats-plugin/common/mocks';
 import { indexPatternFieldEditorPluginMock } from '@kbn/data-view-field-editor-plugin/public/mocks';
 import { UpsellingService } from '@kbn/security-solution-upselling/service';
 import { calculateBounds } from '@kbn/data-plugin/common';
+import { alertingPluginMock } from '@kbn/alerting-plugin/public/mocks';
 
 const mockUiSettings: Record<string, unknown> = {
   [DEFAULT_TIME_RANGE]: { from: 'now-15m', to: 'now', mode: 'quick' },
@@ -128,6 +129,7 @@ export const createStartServicesMock = (
   const cloud = cloudMock.createStart();
   const mockSetHeaderActionMenu = jest.fn();
   const mockTimelineFilterManager = createFilterManagerMock();
+  const alerting = alertingPluginMock.createStartContract();
 
   /*
    * Below mocks are needed by unified field list
@@ -250,6 +252,7 @@ export const createStartServicesMock = (
     dataViewFieldEditor: indexPatternFieldEditorPluginMock.createStartContract(),
     upselling: new UpsellingService(),
     timelineFilterManager: mockTimelineFilterManager,
+    alerting,
   } as unknown as StartServices;
 };
 

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx

@@ -263,7 +263,7 @@ describe('description_step', () => {
         mockLicenseService
       );
 
-      expect(result.length).toEqual(13);
+      expect(result.length).toEqual(14);
     });
   });
 
@@ -768,6 +768,33 @@ describe('description_step', () => {
           });
         });
       });
+
+      describe('maxSignals', () => {
+        test('returns default "max signals" description', () => {
+          const result: ListItems[] = getDescriptionItem(
+            'maxSignals',
+            'Max alerts per run',
+            mockAboutStep,
+            mockFilterManager,
+            mockLicenseService
+          );
+
+          expect(result[0].title).toEqual('Max alerts per run');
+          expect(result[0].description).toEqual(100);
+        });
+
+        test('returns empty array when "value" is a undefined', () => {
+          const result: ListItems[] = getDescriptionItem(
+            'maxSignals',
+            'Max alerts per run',
+            { ...mockAboutStep, maxSignals: undefined },
+            mockFilterManager,
+            mockLicenseService
+          );
+
+          expect(result.length).toEqual(0);
+        });
+      });
     });
   });
 });

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.tsx

@@ -342,6 +342,9 @@ export const getDescriptionItem = (
     return get('isBuildingBlock', data)
       ? [{ title: i18n.BUILDING_BLOCK_LABEL, description: i18n.BUILDING_BLOCK_DESCRIPTION }]
       : [];
+  } else if (field === 'maxSignals') {
+    const value: number | undefined = get(field, data);
+    return value ? [{ title: label, description: value }] : [];
   }
 
   const description: string = get(field, data);

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/max_signals/index.tsx

@@ -0,0 +1,99 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { useMemo, useCallback } from 'react';
+import type { EuiFieldNumberProps } from '@elastic/eui';
+import { EuiTextColor, EuiFormRow, EuiFieldNumber, EuiIcon } from '@elastic/eui';
+import type { FieldHook } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
+import { css } from '@emotion/css';
+import { DEFAULT_MAX_SIGNALS } from '../../../../../common/constants';
+import * as i18n from './translations';
+import { useKibana } from '../../../../common/lib/kibana';
+
+interface MaxSignalsFieldProps {
+  dataTestSubj: string;
+  field: FieldHook<number | ''>;
+  idAria: string;
+  isDisabled: boolean;
+  placeholder?: string;
+}
+
+const MAX_SIGNALS_FIELD_WIDTH = 200;
+
+export const MaxSignals: React.FC<MaxSignalsFieldProps> = ({
+  dataTestSubj,
+  field,
+  idAria,
+  isDisabled,
+  placeholder,
+}): JSX.Element => {
+  const { setValue, value } = field;
+  const { alerting } = useKibana().services;
+  const maxAlertsPerRun = alerting.getMaxAlertsPerRun();
+
+  const [isInvalid, error] = useMemo(() => {
+    if (typeof value === 'number' && !isNaN(value) && value <= 0) {
+      return [true, i18n.GREATER_THAN_ERROR];
+    }
+    return [false];
+  }, [value]);
+
+  const hasWarning = useMemo(
+    () => typeof value === 'number' && !isNaN(value) && value > maxAlertsPerRun,
+    [maxAlertsPerRun, value]
+  );
+
+  const handleMaxSignalsChange: EuiFieldNumberProps['onChange'] = useCallback(
+    (e) => {
+      const maxSignalsValue = (e.target as HTMLInputElement).value;
+      // Has to handle an empty string as the field is optional
+      setValue(maxSignalsValue !== '' ? Number(maxSignalsValue.trim()) : '');
+    },
+    [setValue]
+  );
+
+  const helpText = useMemo(() => {
+    const textToRender = [];
+    if (hasWarning) {
+      textToRender.push(
+        <EuiTextColor color="warning">{i18n.LESS_THAN_WARNING(maxAlertsPerRun)}</EuiTextColor>
+      );
+    }
+    textToRender.push(i18n.MAX_SIGNALS_HELP_TEXT(DEFAULT_MAX_SIGNALS));
+    return textToRender;
+  }, [hasWarning, maxAlertsPerRun]);
+
+  return (
+    <EuiFormRow
+      css={css`
+        .euiFormControlLayout {
+          width: ${MAX_SIGNALS_FIELD_WIDTH}px;
+        }
+      `}
+      describedByIds={idAria ? [idAria] : undefined}
+      fullWidth
+      helpText={helpText}
+      label={field.label}
+      labelAppend={field.labelAppend}
+      isInvalid={isInvalid}
+      error={error}
+    >
+      <EuiFieldNumber
+        isInvalid={isInvalid}
+        value={value as EuiFieldNumberProps['value']}
+        onChange={handleMaxSignalsChange}
+        isLoading={field.isValidating}
+        placeholder={placeholder}
+        data-test-subj={dataTestSubj}
+        disabled={isDisabled}
+        append={hasWarning ? <EuiIcon size="s" type="warning" color="warning" /> : undefined}
+      />
+    </EuiFormRow>
+  );
+};
+
+MaxSignals.displayName = 'MaxSignals';

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/max_signals/translations.ts

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const GREATER_THAN_ERROR = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.maxAlertsFieldGreaterThanError',
+  {
+    defaultMessage: 'Max alerts must be greater than 0.',
+  }
+);
+
+export const LESS_THAN_WARNING = (maxNumber: number) =>
+  i18n.translate(
+    'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.maxAlertsFieldLessThanWarning',
+    {
+      values: { maxNumber },
+      defaultMessage:
+        'Kibana only allows a maximum of {maxNumber} {maxNumber, plural, =1 {alert} other {alerts}} per rule run.',
+    }
+  );
+
+export const MAX_SIGNALS_HELP_TEXT = (defaultNumber: number) =>
+  i18n.translate(
+    'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldMaxAlertsHelpText',
+    {
+      values: { defaultNumber },
+      defaultMessage:
+        'The maximum number of alerts the rule will create each time it runs. Default is {defaultNumber}.',
+    }
+  );

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/default_value.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { DEFAULT_MAX_SIGNALS } from '../../../../../common/constants';
 import type { AboutStepRule } from '../../../../detections/pages/detection_engine/rules/types';
 import { fillEmptySeverityMappings } from '../../../../detections/pages/detection_engine/rules/helpers';
 
@@ -33,5 +34,6 @@ export const stepAboutDefaultValue: AboutStepRule = {
   timestampOverride: '',
   threat: threatDefault,
   note: '',
+  maxSignals: DEFAULT_MAX_SIGNALS,
   setup: '',
 };