[Entity Analytics][UI] UI changes for Risk Engine to include closed a…

…lerts for risk score calculation (elastic#201909) ## Summary We are introducing a new feature that allows users to include "closed" alerts in risk score calculations. Users can toggle a button to include closed alerts in the risk score calculation and specify a date/time range for the calculation. Additionally, they can preview the data before finalising and saving these changes for the next engine run. ![Image](https://github.com/user-attachments/assets/5f91c990-22d6-46e5-8a7b-9875003867e4) ### **Note : This PR is an extension to the following PRs.** - [API] : elastic#201344 - [API] : elastic#201397 ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: kibanamachine <[email protected]>
pgayvallet · Dec 13, 2024 · a95ec61 · a95ec61
1 parent a9f076c
commit a95ec61
Show file tree

Hide file tree

Showing 39 changed files with 1,615 additions and 164 deletions.
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
@@ -33545,6 +33545,58 @@ paths:
       tags:
         - Security Entity Analytics API
       x-beta: true
+  /api/risk_score/engine/saved_object/configure:
+    patch:
+      description: Configuring the Risk Engine Saved Object
+      operationId: ConfigureRiskEngineSavedObject
+      requestBody:
+        content:
+          application/json; Elastic-Api-Version=2023-10-31:
+            schema:
+              type: object
+              properties:
+                exclude_alert_statuses:
+                  items:
+                    type: string
+                  type: array
+                exclude_alert_tags:
+                  items:
+                    type: string
+                  type: array
+                range:
+                  type: object
+                  properties:
+                    end:
+                      type: string
+                    start:
+                      type: string
+        required: true
+      responses:
+        '200':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                type: object
+                properties:
+                  risk_engine_saved_object_configured:
+                    type: boolean
+          description: Successful response
+        '400':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+          description: Task manager is unavailable
+        default:
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse'
+          description: Unexpected error
+      summary: Configure the Risk Engine Saved Object
+      tags:
+        - Security Entity Analytics API
+      x-beta: true
   /api/risk_score/engine/schedule_now:
     post:
       description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
@@ -46987,6 +47039,27 @@ components:
       required:
         - cleanup_successful
         - errors
+    Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse:
+      type: object
+      properties:
+        errors:
+          items:
+            type: object
+            properties:
+              error:
+                type: string
+              seq:
+                type: integer
+            required:
+              - seq
+              - error
+          type: array
+        risk_engine_saved_object_configured:
+          example: false
+          type: boolean
+      required:
+        - risk_engine_saved_object_configured
+        - errors
     Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
       allOf:
         - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'

diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
@@ -36270,6 +36270,57 @@ paths:
       summary: Cleanup the Risk Engine
       tags:
         - Security Entity Analytics API
+  /api/risk_score/engine/saved_object/configure:
+    patch:
+      description: Configuring the Risk Engine Saved Object
+      operationId: ConfigureRiskEngineSavedObject
+      requestBody:
+        content:
+          application/json; Elastic-Api-Version=2023-10-31:
+            schema:
+              type: object
+              properties:
+                exclude_alert_statuses:
+                  items:
+                    type: string
+                  type: array
+                exclude_alert_tags:
+                  items:
+                    type: string
+                  type: array
+                range:
+                  type: object
+                  properties:
+                    end:
+                      type: string
+                    start:
+                      type: string
+        required: true
+      responses:
+        '200':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                type: object
+                properties:
+                  risk_engine_saved_object_configured:
+                    type: boolean
+          description: Successful response
+        '400':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+          description: Task manager is unavailable
+        default:
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse'
+          description: Unexpected error
+      summary: Configure the Risk Engine Saved Object
+      tags:
+        - Security Entity Analytics API
   /api/risk_score/engine/schedule_now:
     post:
       description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
@@ -54672,6 +54723,27 @@ components:
       required:
         - cleanup_successful
         - errors
+    Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse:
+      type: object
+      properties:
+        errors:
+          items:
+            type: object
+            properties:
+              error:
+                type: string
+              seq:
+                type: integer
+            required:
+              - seq
+              - error
+          type: array
+        risk_engine_saved_object_configured:
+          example: false
+          type: boolean
+      required:
+        - risk_engine_saved_object_configured
+        - errors
     Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
       allOf:
         - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'

diff --git a/...lution/common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.gen.ts b/...lution/common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.gen.ts
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Risk Scoring API
+ *   version: 2023-10-31
+ */
+
+import { z } from '@kbn/zod';
+
+export type ConfigureRiskEngineSavedObjectErrorResponse = z.infer<
+  typeof ConfigureRiskEngineSavedObjectErrorResponse
+>;
+export const ConfigureRiskEngineSavedObjectErrorResponse = z.object({
+  risk_engine_saved_object_configured: z.boolean(),
+  errors: z.array(
+    z.object({
+      seq: z.number().int(),
+      error: z.string(),
+    })
+  ),
+});
+
+export type ConfigureRiskEngineSavedObjectRequestBody = z.infer<
+  typeof ConfigureRiskEngineSavedObjectRequestBody
+>;
+export const ConfigureRiskEngineSavedObjectRequestBody = z.object({
+  exclude_alert_statuses: z.array(z.string()).optional(),
+  range: z
+    .object({
+      start: z.string().optional(),
+      end: z.string().optional(),
+    })
+    .optional(),
+  exclude_alert_tags: z.array(z.string()).optional(),
+});
+export type ConfigureRiskEngineSavedObjectRequestBodyInput = z.input<
+  typeof ConfigureRiskEngineSavedObjectRequestBody
+>;
+
+export type ConfigureRiskEngineSavedObjectResponse = z.infer<
+  typeof ConfigureRiskEngineSavedObjectResponse
+>;
+export const ConfigureRiskEngineSavedObjectResponse = z.object({
+  risk_engine_saved_object_configured: z.boolean().optional(),
+});
diff --git a/...n/common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.schema.yaml b/...n/common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.schema.yaml
@@ -0,0 +1,81 @@
+openapi: 3.0.0
+info:
+  version: '2023-10-31'
+  title: Risk Scoring API
+  description: These APIs allow the consumer to configure the Risk Engine Saved Object.
+paths:
+  /api/risk_score/engine/saved_object/configure:
+    patch:
+      x-labels: [ess, serverless]
+      x-codegen-enabled: true
+      operationId: ConfigureRiskEngineSavedObject
+      summary: Configure the Risk Engine Saved Object
+      description: Configuring the Risk Engine Saved Object
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                exclude_alert_statuses:
+                  type: array
+                  items:
+                    type: string
+                range:
+                  type: object
+                  properties:
+                    start:
+                      type: string
+                    end:
+                      type: string
+                exclude_alert_tags:
+                  type: array
+                  items:
+                    type: string
+      responses:
+        '200':
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  risk_engine_saved_object_configured:
+                    type: boolean
+        '400':
+          description: Task manager is unavailable
+          content:
+            application/json:
+              schema:
+                $ref: '../common/common.schema.yaml#/components/schemas/TaskManagerUnavailableResponse'
+        default:
+          description: Unexpected error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ConfigureRiskEngineSavedObjectErrorResponse'
+
+components:
+  schemas:
+    ConfigureRiskEngineSavedObjectErrorResponse:
+      type: object
+      required:
+        - risk_engine_saved_object_configured
+        - errors
+      properties:
+        risk_engine_saved_object_configured:
+          type: boolean
+          example: false
+        errors:
+          type: array
+          items:
+            type: object
+            required:
+              - seq
+              - error
+            properties:
+              seq:
+                type: integer
+              error:
+                type: string
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/index.ts b/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/index.ts
@@ -16,3 +16,4 @@ export * from './preview_route.gen';
 export * from './entity_calculation_route.gen';
 export * from './get_risk_engine_privileges.gen';
 export * from './engine_cleanup_route.gen';
+export * from './engine_configure_saved_object_route.gen';
diff --git a/...ck/plugins/security_solution/common/api/entity_analytics/risk_engine/preview_route.gen.ts b/...ck/plugins/security_solution/common/api/entity_analytics/risk_engine/preview_route.gen.ts
@@ -58,9 +58,11 @@ export const RiskScoresPreviewRequest = z.object({
   /**
    * A list of alert statuses to exclude from the risk score calculation. If unspecified, all alert statuses are included.
    */
-  excludeAlertStatuses: z
-    .array(z.enum(['open', 'closed', 'in-progress', 'acknowledged']))
-    .optional(),
+  exclude_alert_statuses: z.array(z.string()).optional(),
+  /**
+   * A list of alert tags to exclude from the risk score calculation. If unspecified, all alert tags are included.
+   */
+  exclude_alert_tags: z.array(z.string()).optional(),
 });
 
 export type RiskScoresPreviewResponse = z.infer<typeof RiskScoresPreviewResponse>;

diff --git a/...ugins/security_solution/common/api/entity_analytics/risk_engine/preview_route.schema.yaml b/...ugins/security_solution/common/api/entity_analytics/risk_engine/preview_route.schema.yaml
@@ -58,16 +58,16 @@ components:
           description: Defines the time period over which scores will be evaluated. If unspecified, a range of `[now, now-30d]` will be used.
         weights:
           $ref: '../common/common.schema.yaml#/components/schemas/RiskScoreWeights'
-        excludeAlertStatuses:
+        exclude_alert_statuses:
           description: A list of alert statuses to exclude from the risk score calculation. If unspecified, all alert statuses are included.
           type: array
           items:
             type: string
-            enum:
-              - open
-              - closed
-              - in-progress
-              - acknowledged
+        exclude_alert_tags:
+          description: A list of alert tags to exclude from the risk score calculation. If unspecified, all alert tags are included.
+          type: array
+          items:
+            type: string
 
 
     RiskScoresPreviewResponse:

diff --git a/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts
@@ -276,6 +276,10 @@ import type {
   GetEntityStoreStatusResponse,
 } from './entity_analytics/entity_store/status.gen';
 import type { CleanUpRiskEngineResponse } from './entity_analytics/risk_engine/engine_cleanup_route.gen';
+import type {
+  ConfigureRiskEngineSavedObjectRequestBodyInput,
+  ConfigureRiskEngineSavedObjectResponse,
+} from './entity_analytics/risk_engine/engine_configure_saved_object_route.gen';
 import type { DisableRiskEngineResponse } from './entity_analytics/risk_engine/engine_disable_route.gen';
 import type { EnableRiskEngineResponse } from './entity_analytics/risk_engine/engine_enable_route.gen';
 import type { InitRiskEngineResponse } from './entity_analytics/risk_engine/engine_init_route.gen';
@@ -602,6 +606,22 @@ If asset criticality records already exist for the specified entities, those rec
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
+  /**
+   * Configuring the Risk Engine Saved Object
+   */
+  async configureRiskEngineSavedObject(props: ConfigureRiskEngineSavedObjectProps) {
+    this.log.info(`${new Date().toISOString()} Calling API ConfigureRiskEngineSavedObject`);
+    return this.kbnClient
+      .request<ConfigureRiskEngineSavedObjectResponse>({
+        path: '/api/risk_score/engine/saved_object/configure',
+        headers: {
+          [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
+        },
+        method: 'PATCH',
+        body: props.body,
+      })
+      .catch(catchAxiosErrorFormatAndThrow);
+  }
   /**
     * Copies and returns a timeline or timeline template.
 
@@ -2295,6 +2315,9 @@ export interface BulkUpsertAssetCriticalityRecordsProps {
 export interface CleanDraftTimelinesProps {
   body: CleanDraftTimelinesRequestBodyInput;
 }
+export interface ConfigureRiskEngineSavedObjectProps {
+  body: ConfigureRiskEngineSavedObjectRequestBodyInput;
+}
 export interface CopyTimelineProps {
   body: CopyTimelineRequestBodyInput;
 }