[CTI][RAC] adds indicator match rule

[ecezalp]

Summary

Updates Indicator Match Rule implementation using Security Base Rule Type.

Checklist

Delete any items that are not applicable to this PR.

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[ecezalp]

@elasticmachine merge upstream

[kibanamachine]

💛 Build succeeded, but was flaky

• continuous-integration/kibana-ci/pull-request
• Commit: 88c7fc3
• Storybooks Preview
• Documentation Changes
• Flaky suites:
  • xpack-kibana-ciGroup13

---

Test Failures

Kibana Pipeline / general / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/text·ts.detection engine api security and spaces enabled Detection exceptions data types and operators Rule exception operators for data type text "is not" operator will return 0 results if it cannot find what it is excluding

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 2 times on tracked branches: https://github.com/elastic/kibana/issues/107911

[00:00:00]       │
[00:00:00]         └-: detection engine api security and spaces enabled
[00:00:00]           └-> "before all" hook in "detection engine api security and spaces enabled"
[00:00:00]           └-: 
[00:00:00]             └-> "before all" hook in ""
[00:00:00]             └-: Detection exceptions data types and operators
[00:00:00]               └-> "before all" hook in "Detection exceptions data types and operators"
[00:00:00]               └-: 
[00:00:00]                 └-> "before all" hook in ""
[00:00:00]                 └-: Rule exception operators for data type text
[00:00:00]                   └-> "before all" hook in "Rule exception operators for data type text"
[00:00:00]                   └-: "is not" operator
[00:00:00]                     └-> "before all" hook for "will return 0 results if it cannot find what it is excluding"
[00:00:00]                     └-> will return 0 results if it cannot find what it is excluding
[00:00:00]                       └-> "before each" hook: global before each for "will return 0 results if it cannot find what it is excluding"
[00:00:00]                       └-> "before each" hook for "will return 0 results if it cannot find what it is excluding"
[00:00:00]                         │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.siem-signals-default-migration-cleanup]
[00:00:00]                         │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.siem-signals-default]
[00:00:00]                         │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:00:00]                         │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:00:00]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:00:00]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:00:00]                         │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.lists-default]
[00:00:00]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:00:00]                         │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.items-default]
[00:00:00]                         │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding template [.lists-default] for index patterns [.lists-default-*]
[00:00:00]                         │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding template [.items-default] for index patterns [.items-default-*]
[00:00:00]                         │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.lists-default-000001] creating index, cause [api], templates [.lists-default], shards [1]/[1]
[00:00:00]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.lists-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.lists-default]
[00:00:00]                         │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.items-default-000001] creating index, cause [api], templates [.items-default], shards [1]/[1]
[00:00:00]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.lists-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.lists-default]
[00:00:00]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text] Loading "mappings.json"
[00:00:00]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text] Loading "data.json"
[00:00:00]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.items-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.items-default]
[00:00:00]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.lists-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.lists-default]
[00:00:01]                         │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [text] creating index, cause [api], templates [], shards [1]/[1]
[00:00:01]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text] Created index "text"
[00:00:01]                         │ debg [x-pack/test/functional/es_archives/rule_exceptions/text] "text" settings {"index":{"number_of_replicas":"1","number_of_shards":"1"}}
[00:00:01]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.items-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.items-default]
[00:00:01]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text] Indexed 4 docs into "text"
[00:00:01]                         │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.items-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.items-default]
[00:00:01]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text_no_spaces] Loading "mappings.json"
[00:00:01]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text_no_spaces] Loading "data.json"
[00:00:01]                         │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [text_no_spaces] creating index, cause [api], templates [], shards [1]/[1]
[00:00:01]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text_no_spaces] Created index "text_no_spaces"
[00:00:01]                         │ debg [x-pack/test/functional/es_archives/rule_exceptions/text_no_spaces] "text_no_spaces" settings {"index":{"number_of_replicas":"1","number_of_shards":"1"}}
[00:00:01]                         │ info [x-pack/test/functional/es_archives/rule_exceptions/text_no_spaces] Indexed 4 docs into "text_no_spaces"
[00:00:01]                       │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/VVebwkg2Sxy4fP2AHPGexA] update_mapping [_doc]
[00:00:06]                       │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/VVebwkg2Sxy4fP2AHPGexA] update_mapping [_doc]
[00:00:07]                       │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/VVebwkg2Sxy4fP2AHPGexA] update_mapping [_doc]
[00:00:10]                       │ proc [kibana]   log   [21:10:57.836] [info][eventLog][plugins] event logged: {"@timestamp":"2021-08-10T21:10:57.834Z","event":{"provider":"alerting","action":"execute-start","kind":"alert","category":["siem"],"start":"2021-08-10T21:10:57.834Z"},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"7254c3a0-fa1f-11eb-9568-034bf14b2294","type_id":"siem.signals"}],"task":{"scheduled":"2021-08-10T21:10:57.464Z","schedule_delay":370000000},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"rule":{"id":"7254c3a0-fa1f-11eb-9568-034bf14b2294","license":"basic","category":"siem.signals","ruleset":"siem"},"message":"alert execution start: \"7254c3a0-fa1f-11eb-9568-034bf14b2294\"","ecs":{"version":"1.8.0"}}
[00:00:11]                       └- ✖ fail: detection engine api security and spaces enabled  Detection exceptions data types and operators  Rule exception operators for data type text "is not" operator will return 0 results if it cannot find what it is excluding
[00:00:11]                       │      Error: expected 200 "OK", got 409 "Conflict"
[00:00:11]                       │       at Test._assertStatus (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:268:12)
[00:00:11]                       │       at Test._assertFunction (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:283:11)
[00:00:11]                       │       at Test.assert (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:173:18)
[00:00:11]                       │       at assert (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:131:12)
[00:00:11]                       │       at /dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:128:5
[00:00:11]                       │       at Test.Request.callback (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/node_modules/superagent/lib/node/index.js:718:3)
[00:00:11]                       │       at /dev/shm/workspace/parallel/22/kibana/node_modules/supertest/node_modules/superagent/lib/node/index.js:906:18
[00:00:11]                       │       at IncomingMessage.<anonymous> (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/node_modules/superagent/lib/node/parsers/json.js:19:7)
[00:00:11]                       │       at endReadableNT (internal/streams/readable.js:1317:12)
[00:00:11]                       │       at processTicksAndRejections (internal/process/task_queues.js:82:21)
[00:00:11]                       │ 
[00:00:11]                       │ 

Stack Trace

Error: expected 200 "OK", got 409 "Conflict"
    at Test._assertStatus (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:268:12)
    at Test._assertFunction (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:283:11)
    at Test.assert (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:173:18)
    at assert (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:131:12)
    at /dev/shm/workspace/parallel/22/kibana/node_modules/supertest/lib/test.js:128:5
    at Test.Request.callback (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/node_modules/superagent/lib/node/index.js:718:3)
    at /dev/shm/workspace/parallel/22/kibana/node_modules/supertest/node_modules/superagent/lib/node/index.js:906:18
    at IncomingMessage.<anonymous> (/dev/shm/workspace/parallel/22/kibana/node_modules/supertest/node_modules/superagent/lib/node/parsers/json.js:19:7)
    at endReadableNT (internal/streams/readable.js:1317:12)
    at processTicksAndRejections (internal/process/task_queues.js:82:21)

---

Metrics [docs]

✅ unchanged

History

• 💔 Build #144124 failed b52d640
• 💚 Build #143893 succeeded 43e8732

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ecezalp

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.