[Entity Analytics] [UI] Allow user configure so

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_init_route.gen.ts

@@ -31,6 +31,21 @@ export const InitRiskEngineErrorResponse = z.object({
   full_error: z.string(),
 });
 
+export type InitRiskEngineRequestBody = z.infer<typeof InitRiskEngineRequestBody>;
+export const InitRiskEngineRequestBody = z.object({
+  /**
+   * If true, it will include closed alerts for risk score calculation
+   */
+  includeClosedAlerts: z.boolean().optional().default(false),
+  range: z
+    .object({
+      start: z.string().optional(),
+      end: z.string().optional(),
+    })
+    .optional(),
+});
+export type InitRiskEngineRequestBodyInput = z.input<typeof InitRiskEngineRequestBody>;
+
 export type InitRiskEngineResponse = z.infer<typeof InitRiskEngineResponse>;
 export const InitRiskEngineResponse = z.object({
   result: InitRiskEngineResult,

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_init_route.schema.yaml

@@ -12,6 +12,24 @@ paths:
       operationId: InitRiskEngine
       summary: Initialize the Risk Engine
       description: Initializes the Risk Engine by creating the necessary indices and mappings, removing old transforms, and starting the new risk engine
+      requestBody:
+        description: Schema for the risk score engine initialization
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                includeClosedAlerts:
+                  type: boolean
+                  description: If true, it will include closed alerts for risk score calculation
+                  default: false
+                range:
+                  type: object
+                  properties:
+                    start:
+                      type: string
+                    end:
+                      type: string
       responses:
         '200':
           description: Successful response

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/index.ts

@@ -16,3 +16,4 @@ export * from './preview_route.gen';
 export * from './entity_calculation_route.gen';
 export * from './get_risk_engine_privileges.gen';
 export * from './engine_cleanup_route.gen';
+export * from './so_configure_route.gen';

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/so_configure_route.gen.ts

@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Risk Engine API
+ *   version: 2023-10-31
+ */
+
+import { z } from '@kbn/zod';
+
+export type ConfigureRiskEngineRequest = z.infer<typeof ConfigureRiskEngineRequest>;
+export const ConfigureRiskEngineRequest = z.object({
+  dataViewId: z.string().optional(),
+  enabled: z.boolean().optional(),
+  filter: z.object({}).optional(),
+  identifierType: z.string().optional(),
+  interval: z.string().optional(),
+  pageSize: z.number().int().optional(),
+  alertSampleSizePerShard: z.number().int().optional(),
+  range: z
+    .object({
+      start: z.string().optional(),
+      end: z.string().optional(),
+    })
+    .optional(),
+  excludeAlertStatuses: z
+    .array(z.enum(['open', 'closed', 'in-progress', 'acknowledged']))
+    .optional(),
+  excludeAlertTags: z
+    .array(z.enum(['Duplicate', 'False Positive', 'Futher investigation required']))
+    .optional(),
+  includeClosedAlerts: z.boolean().optional(),
+});
+
+export type ConfigureRiskEngineResponse = z.infer<typeof ConfigureRiskEngineResponse>;
+export const ConfigureRiskEngineResponse = z.object({
+  configuration_successful: z.boolean().optional(),
+});
+
+export type ConfigureRiskEngineSavedObjectRequestBody = z.infer<
+  typeof ConfigureRiskEngineSavedObjectRequestBody
+>;
+export const ConfigureRiskEngineSavedObjectRequestBody = ConfigureRiskEngineRequest;
+export type ConfigureRiskEngineSavedObjectRequestBodyInput = z.input<
+  typeof ConfigureRiskEngineSavedObjectRequestBody
+>;
+
+export type ConfigureRiskEngineSavedObjectResponse = z.infer<
+  typeof ConfigureRiskEngineSavedObjectResponse
+>;
+export const ConfigureRiskEngineSavedObjectResponse = ConfigureRiskEngineResponse;

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/so_configure_route.schema.yaml

@@ -0,0 +1,83 @@
+openapi: 3.0.0
+info:
+  version: '2023-10-31'
+  title: Risk Engine API
+  description: These APIs allow the consumer to configure the Risk Engine saved object.
+paths:
+  /api/risk_engine/saved_object/configure:
+    post:
+      x-labels: [ess, serverless]
+      x-internal: false
+      x-codegen-enabled: true
+      operationId: ConfigureRiskEngineSavedObject
+      summary: Configure the Risk Engine as per user requirements
+      requestBody:
+        description: User defined configuration the risk engine
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ConfigureRiskEngineRequest'
+        required: true
+      responses:
+        '200':
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ConfigureRiskEngineResponse'
+        '400':
+          description: Invalid request
+
+components:
+  schemas:
+    ConfigureRiskEngineRequest:
+      type: object
+      properties:
+        dataViewId:
+          type: string
+        enabled:
+          type: boolean
+        filter:
+          type: object 
+        identifierType:
+          type: string
+        interval:
+          type: string
+        pageSize:
+          type: integer
+        alertSampleSizePerShard:
+          type: integer
+        range:
+          type: object
+          properties:
+            start:
+              type: string
+            end:
+              type: string
+        excludeAlertStatuses:
+          type: array
+          items:
+            type: string
+            enum:
+              - open
+              - closed
+              - in-progress
+              - acknowledged
+        excludeAlertTags:
+          type: array
+          items:
+            type: string
+            enum:
+              - 'Duplicate'
+              - 'False Positive'
+              - 'Futher investigation required'
+        includeClosedAlerts:
+          type: boolean
+
+    ConfigureRiskEngineResponse:
+      type: object
+      properties:
+        configuration_successful:
+          type: boolean
+
+

x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts

@@ -278,7 +278,10 @@ import type {
 import type { CleanUpRiskEngineResponse } from './entity_analytics/risk_engine/engine_cleanup_route.gen';
 import type { DisableRiskEngineResponse } from './entity_analytics/risk_engine/engine_disable_route.gen';
 import type { EnableRiskEngineResponse } from './entity_analytics/risk_engine/engine_enable_route.gen';
-import type { InitRiskEngineResponse } from './entity_analytics/risk_engine/engine_init_route.gen';
+import type {
+  InitRiskEngineRequestBodyInput,
+  InitRiskEngineResponse,
+} from './entity_analytics/risk_engine/engine_init_route.gen';
 import type { ScheduleRiskEngineNowResponse } from './entity_analytics/risk_engine/engine_schedule_now_route.gen';
 import type { ReadRiskEngineSettingsResponse } from './entity_analytics/risk_engine/engine_settings_route.gen';
 import type { GetRiskEngineStatusResponse } from './entity_analytics/risk_engine/engine_status_route.gen';
@@ -293,6 +296,10 @@ import type {
   PreviewRiskScoreRequestBodyInput,
   PreviewRiskScoreResponse,
 } from './entity_analytics/risk_engine/preview_route.gen';
+import type {
+  ConfigureRiskEngineSavedObjectRequestBodyInput,
+  ConfigureRiskEngineSavedObjectResponse,
+} from './entity_analytics/risk_engine/so_configure_route.gen';
 import type {
   CleanDraftTimelinesRequestBodyInput,
   CleanDraftTimelinesResponse,
@@ -578,6 +585,19 @@ If asset criticality records already exist for the specified entities, those rec
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
+  async configureRiskEngineSavedObject(props: ConfigureRiskEngineSavedObjectProps) {
+    this.log.info(`${new Date().toISOString()} Calling API ConfigureRiskEngineSavedObject`);
+    return this.kbnClient
+      .request<ConfigureRiskEngineSavedObjectResponse>({
+        path: '/api/risk_engine/saved_object/configure',
+        headers: {
+          [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
+        },
+        method: 'POST',
+        body: props.body,
+      })
+      .catch(catchAxiosErrorFormatAndThrow);
+  }
   /**
     * Copies and returns a timeline or timeline template.
 
@@ -1518,7 +1538,7 @@ finalize it.
   /**
    * Initializes the Risk Engine by creating the necessary indices and mappings, removing old transforms, and starting the new risk engine
    */
-  async initRiskEngine() {
+  async initRiskEngine(props: InitRiskEngineProps) {
     this.log.info(`${new Date().toISOString()} Calling API InitRiskEngine`);
     return this.kbnClient
       .request<InitRiskEngineResponse>({
@@ -1527,6 +1547,7 @@ finalize it.
           [ELASTIC_HTTP_VERSION_HEADER]: '1',
         },
         method: 'POST',
+        body: props.body,
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
@@ -2063,6 +2084,9 @@ export interface BulkUpsertAssetCriticalityRecordsProps {
 export interface CleanDraftTimelinesProps {
   body: CleanDraftTimelinesRequestBodyInput;
 }
+export interface ConfigureRiskEngineSavedObjectProps {
+  body: ConfigureRiskEngineSavedObjectRequestBodyInput;
+}
 export interface CopyTimelineProps {
   body: CopyTimelineRequestBodyInput;
 }
@@ -2225,6 +2249,9 @@ export interface InitEntityEngineProps {
   params: InitEntityEngineRequestParamsInput;
   body: InitEntityEngineRequestBodyInput;
 }
+export interface InitRiskEngineProps {
+  body: InitRiskEngineRequestBodyInput;
+}
 export interface InstallPrepackedTimelinesProps {
   body: InstallPrepackedTimelinesRequestBodyInput;
 }

x-pack/plugins/security_solution/common/entity_analytics/risk_engine/constants.ts

@@ -17,6 +17,8 @@ export const RISK_ENGINE_SETTINGS_URL = `${RISK_ENGINE_URL}/settings` as const;
 export const PUBLIC_RISK_ENGINE_URL = `${PUBLIC_RISK_SCORE_URL}/engine` as const;
 export const RISK_ENGINE_SCHEDULE_NOW_URL = `${RISK_ENGINE_URL}/schedule_now` as const;
 export const RISK_ENGINE_CLEANUP_URL = `${PUBLIC_RISK_ENGINE_URL}/dangerously_delete_data` as const;
+export const RISK_ENGINE_SAVED_OBJECT_CONFIG_URL =
+  `${PUBLIC_RISK_ENGINE_URL}/saved_object/config` as const;
 
 type ClusterPrivilege = 'manage_index_templates' | 'manage_transform';
 export const RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES = [

x-pack/plugins/security_solution/public/entity_analytics/api/api.ts

@@ -10,7 +10,10 @@ import { LIST_ENTITIES_URL } from '../../../common/entity_analytics/entity_store
 import type { UploadAssetCriticalityRecordsResponse } from '../../../common/api/entity_analytics/asset_criticality/upload_asset_criticality_csv.gen';
 import type { DisableRiskEngineResponse } from '../../../common/api/entity_analytics/risk_engine/engine_disable_route.gen';
 import type { RiskEngineStatusResponse } from '../../../common/api/entity_analytics/risk_engine/engine_status_route.gen';
-import type { InitRiskEngineResponse } from '../../../common/api/entity_analytics/risk_engine/engine_init_route.gen';
+import type {
+  InitRiskEngineResponse,
+  InitRiskEngineRequestBody,
+} from '../../../common/api/entity_analytics/risk_engine/engine_init_route.gen';
 import type { EnableRiskEngineResponse } from '../../../common/api/entity_analytics/risk_engine/engine_enable_route.gen';
 import type { RiskEngineScheduleNowResponse } from '../../../common/api/entity_analytics/risk_engine/engine_schedule_now_route.gen';
 import type {
@@ -42,7 +45,9 @@ import {
   API_VERSIONS,
   RISK_ENGINE_CLEANUP_URL,
   RISK_ENGINE_SCHEDULE_NOW_URL,
+  RISK_ENGINE_SAVED_OBJECT_CONFIG_URL,
 } from '../../../common/constants';
+// import { RISK_ENGINE_SAVED_OBJECT_CONFIG_URL } from '../../../server/lib/entity_analytics/risk_engine/saved_object/constants';
 import type { SnakeToCamelCase } from '../common/utils';
 import { useKibana } from '../../common/lib/kibana/kibana_react';
 import type { ReadRiskEngineSettingsResponse } from '../../../common/api/entity_analytics/risk_engine';
@@ -110,10 +115,11 @@ export const useEntityAnalyticsRoutes = () => {
     /**
      * Init risk score engine
      */
-    const initRiskEngine = () =>
+    const initRiskEngine = (params: InitRiskEngineRequestBody) =>
       http.fetch<InitRiskEngineResponse>(RISK_ENGINE_INIT_URL, {
         version: '1',
         method: 'POST',
+        body: JSON.stringify(params),
       });
 
     /**
@@ -276,6 +282,24 @@ export const useEntityAnalyticsRoutes = () => {
         method: 'GET',
       });
 
+    /**
+     * Updates the Risk Engine savedObject Configuration
+     */
+
+    const updateSavedObjectConfiguration = async (params: {
+      includeClosedAlerts: boolean;
+      range: { start: string; end: string };
+    }) => {
+      http.fetch(RISK_ENGINE_SAVED_OBJECT_CONFIG_URL, {
+        version: '2023-10-31',
+        method: 'POST',
+        body: JSON.stringify({
+          range: params.range,
+          includeClosedAlerts: params.includeClosedAlerts,
+        }),
+      });
+    };
+
     /**
      * Deletes Risk engine installation and associated data
      */
@@ -304,6 +328,7 @@ export const useEntityAnalyticsRoutes = () => {
       calculateEntityRiskScore,
       cleanUpRiskEngine,
       fetchEntitiesList,
+      updateSavedObjectConfiguration,
     };
   }, [http]);
 };

x-pack/plugins/security_solution/public/entity_analytics/api/hooks/use_configure_risk_engine.ts

@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { UseMutationOptions } from '@tanstack/react-query';
+import { useMutation } from '@tanstack/react-query';
+import type { TaskManagerUnavailableResponse } from '../../../../common/api/entity_analytics/common';
+import { useEntityAnalyticsRoutes } from '../api';
+import type { ConfigureRiskEngineSavedObjectResponse } from '../../../../common/api/entity_analytics/risk_engine/so_configure_route.gen';
+
+export const INIT_RISK_ENGINE_STATUS_KEY = ['POST', 'INIT_RISK_ENGINE'];
+interface ConfigureRiskEngineParams {
+  includeClosedAlerts: boolean;
+  range: { start: string; end: string };
+}
+
+export const useConfigureSORiskEngineMutation = (
+  options?: UseMutationOptions<
+    ConfigureRiskEngineSavedObjectResponse,
+    { body: ConfigureRiskEngineSavedObjectResponse | TaskManagerUnavailableResponse },
+    ConfigureRiskEngineParams
+  >
+) => {
+  const { updateSavedObjectConfiguration } = useEntityAnalyticsRoutes();
+
+  return useMutation<
+    ConfigureRiskEngineSavedObjectResponse,
+    { body: ConfigureRiskEngineSavedObjectResponse | TaskManagerUnavailableResponse },
+    ConfigureRiskEngineParams
+  >(async (params) => {
+    await updateSavedObjectConfiguration({
+      includeClosedAlerts: params.includeClosedAlerts,
+      range: params.range,
+    });
+    return { configuration_successful: true };
+  });
+};