[Entity Analytics][UI] UI changes for Risk Engine to include closed alerts for risk score calculation

oas_docs/output/kibana.serverless.yaml

@@ -33483,6 +33483,58 @@ paths:
       tags:
         - Security Entity Analytics API
       x-beta: true
+  /api/risk_score/engine/saved_object/configure:
+    patch:
+      description: Configuring the Risk Engine Saved Object
+      operationId: ConfigureRiskEngineSavedObject
+      requestBody:
+        content:
+          application/json; Elastic-Api-Version=2023-10-31:
+            schema:
+              type: object
+              properties:
+                exclude_alert_statuses:
+                  items:
+                    type: string
+                  type: array
+                exclude_alert_tags:
+                  items:
+                    type: string
+                  type: array
+                range:
+                  type: object
+                  properties:
+                    end:
+                      type: string
+                    start:
+                      type: string
+        required: true
+      responses:
+        '200':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                type: object
+                properties:
+                  risk_engine_saved_object_configured:
+                    type: boolean
+          description: Successful response
+        '400':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+          description: Task manager is unavailable
+        default:
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse'
+          description: Unexpected error
+      summary: Configure the Risk Engine Saved Object
+      tags:
+        - Security Entity Analytics API
+      x-beta: true
   /api/risk_score/engine/schedule_now:
     post:
       description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
@@ -46925,6 +46977,27 @@ components:
       required:
         - cleanup_successful
         - errors
+    Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse:
+      type: object
+      properties:
+        errors:
+          items:
+            type: object
+            properties:
+              error:
+                type: string
+              seq:
+                type: integer
+            required:
+              - seq
+              - error
+          type: array
+        risk_engine_saved_object_configured:
+          example: false
+          type: boolean
+      required:
+        - risk_engine_saved_object_configured
+        - errors
     Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
       allOf:
         - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'

oas_docs/output/kibana.yaml

@@ -36208,6 +36208,57 @@ paths:
       summary: Cleanup the Risk Engine
       tags:
         - Security Entity Analytics API
+  /api/risk_score/engine/saved_object/configure:
+    patch:
+      description: Configuring the Risk Engine Saved Object
+      operationId: ConfigureRiskEngineSavedObject
+      requestBody:
+        content:
+          application/json; Elastic-Api-Version=2023-10-31:
+            schema:
+              type: object
+              properties:
+                exclude_alert_statuses:
+                  items:
+                    type: string
+                  type: array
+                exclude_alert_tags:
+                  items:
+                    type: string
+                  type: array
+                range:
+                  type: object
+                  properties:
+                    end:
+                      type: string
+                    start:
+                      type: string
+        required: true
+      responses:
+        '200':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                type: object
+                properties:
+                  risk_engine_saved_object_configured:
+                    type: boolean
+          description: Successful response
+        '400':
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+          description: Task manager is unavailable
+        default:
+          content:
+            application/json; Elastic-Api-Version=2023-10-31:
+              schema:
+                $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse'
+          description: Unexpected error
+      summary: Configure the Risk Engine Saved Object
+      tags:
+        - Security Entity Analytics API
   /api/risk_score/engine/schedule_now:
     post:
       description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
@@ -54610,6 +54661,27 @@ components:
       required:
         - cleanup_successful
         - errors
+    Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse:
+      type: object
+      properties:
+        errors:
+          items:
+            type: object
+            properties:
+              error:
+                type: string
+              seq:
+                type: integer
+            required:
+              - seq
+              - error
+          type: array
+        risk_engine_saved_object_configured:
+          example: false
+          type: boolean
+      required:
+        - risk_engine_saved_object_configured
+        - errors
     Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
       allOf:
         - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.gen.ts

@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Risk Scoring API
+ *   version: 2023-10-31
+ */
+
+import { z } from '@kbn/zod';
+
+export type ConfigureRiskEngineSavedObjectErrorResponse = z.infer<
+  typeof ConfigureRiskEngineSavedObjectErrorResponse
+>;
+export const ConfigureRiskEngineSavedObjectErrorResponse = z.object({
+  risk_engine_saved_object_configured: z.boolean(),
+  errors: z.array(
+    z.object({
+      seq: z.number().int(),
+      error: z.string(),
+    })
+  ),
+});
+
+export type ConfigureRiskEngineSavedObjectRequestBody = z.infer<
+  typeof ConfigureRiskEngineSavedObjectRequestBody
+>;
+export const ConfigureRiskEngineSavedObjectRequestBody = z.object({
+  exclude_alert_statuses: z.array(z.string()).optional(),
+  range: z
+    .object({
+      start: z.string().optional(),
+      end: z.string().optional(),
+    })
+    .optional(),
+  exclude_alert_tags: z.array(z.string()).optional(),
+});
+export type ConfigureRiskEngineSavedObjectRequestBodyInput = z.input<
+  typeof ConfigureRiskEngineSavedObjectRequestBody
+>;
+
+export type ConfigureRiskEngineSavedObjectResponse = z.infer<
+  typeof ConfigureRiskEngineSavedObjectResponse
+>;
+export const ConfigureRiskEngineSavedObjectResponse = z.object({
+  risk_engine_saved_object_configured: z.boolean().optional(),
+});

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.schema.yaml

@@ -0,0 +1,81 @@
+openapi: 3.0.0
+info:
+  version: '2023-10-31'
+  title: Risk Scoring API
+  description: These APIs allow the consumer to configure the Risk Engine Saved Object.
+paths:
+  /api/risk_score/engine/saved_object/configure:
+    patch:
+      x-labels: [ess, serverless]
+      x-codegen-enabled: true
+      operationId: ConfigureRiskEngineSavedObject
+      summary: Configure the Risk Engine Saved Object
+      description: Configuring the Risk Engine Saved Object
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                exclude_alert_statuses:
+                  type: array
+                  items:
+                    type: string
+                range:
+                  type: object
+                  properties:
+                    start:
+                      type: string
+                    end:
+                      type: string
+                exclude_alert_tags:
+                  type: array
+                  items:
+                    type: string
+      responses:
+        '200':
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  risk_engine_saved_object_configured:
+                    type: boolean
+        '400':
+          description: Task manager is unavailable
+          content:
+            application/json:
+              schema:
+                $ref: '../common/common.schema.yaml#/components/schemas/TaskManagerUnavailableResponse'
+        default:
+          description: Unexpected error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ConfigureRiskEngineSavedObjectErrorResponse'
+
+components:
+  schemas:
+    ConfigureRiskEngineSavedObjectErrorResponse:
+      type: object
+      required:
+        - risk_engine_saved_object_configured
+        - errors
+      properties:
+        risk_engine_saved_object_configured:
+          type: boolean
+          example: false
+        errors:
+          type: array
+          items:
+            type: object
+            required:
+              - seq
+              - error
+            properties:
+              seq:
+                type: integer
+              error:
+                type: string

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/index.ts

@@ -16,3 +16,4 @@ export * from './preview_route.gen';
 export * from './entity_calculation_route.gen';
 export * from './get_risk_engine_privileges.gen';
 export * from './engine_cleanup_route.gen';
+export * from './engine_configure_saved_object_route.gen';

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/preview_route.gen.ts

@@ -58,9 +58,11 @@ export const RiskScoresPreviewRequest = z.object({
   /**
    * A list of alert statuses to exclude from the risk score calculation. If unspecified, all alert statuses are included.
    */
-  excludeAlertStatuses: z
-    .array(z.enum(['open', 'closed', 'in-progress', 'acknowledged']))
-    .optional(),
+  exclude_alert_statuses: z.array(z.string()).optional(),
+  /**
+   * A list of alert tags to exclude from the risk score calculation. If unspecified, all alert tags are included.
+   */
+  exclude_alert_tags: z.array(z.string()).optional(),
 });
 
 export type RiskScoresPreviewResponse = z.infer<typeof RiskScoresPreviewResponse>;

x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/preview_route.schema.yaml

@@ -58,16 +58,16 @@ components:
           description: Defines the time period over which scores will be evaluated. If unspecified, a range of `[now, now-30d]` will be used.
         weights:
           $ref: '../common/common.schema.yaml#/components/schemas/RiskScoreWeights'
-        excludeAlertStatuses:
+        exclude_alert_statuses:
           description: A list of alert statuses to exclude from the risk score calculation. If unspecified, all alert statuses are included.
           type: array
           items:
             type: string
-            enum:
-              - open
-              - closed
-              - in-progress
-              - acknowledged
+        exclude_alert_tags:
+          description: A list of alert tags to exclude from the risk score calculation. If unspecified, all alert tags are included.
+          type: array
+          items:
+            type: string
 
 
     RiskScoresPreviewResponse:

x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts

@@ -276,6 +276,10 @@ import type {
   GetEntityStoreStatusResponse,
 } from './entity_analytics/entity_store/status.gen';
 import type { CleanUpRiskEngineResponse } from './entity_analytics/risk_engine/engine_cleanup_route.gen';
+import type {
+  ConfigureRiskEngineSavedObjectRequestBodyInput,
+  ConfigureRiskEngineSavedObjectResponse,
+} from './entity_analytics/risk_engine/engine_configure_saved_object_route.gen';
 import type { DisableRiskEngineResponse } from './entity_analytics/risk_engine/engine_disable_route.gen';
 import type { EnableRiskEngineResponse } from './entity_analytics/risk_engine/engine_enable_route.gen';
 import type { InitRiskEngineResponse } from './entity_analytics/risk_engine/engine_init_route.gen';
@@ -600,6 +604,22 @@ If asset criticality records already exist for the specified entities, those rec
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
+  /**
+   * Configuring the Risk Engine Saved Object
+   */
+  async configureRiskEngineSavedObject(props: ConfigureRiskEngineSavedObjectProps) {
+    this.log.info(`${new Date().toISOString()} Calling API ConfigureRiskEngineSavedObject`);
+    return this.kbnClient
+      .request<ConfigureRiskEngineSavedObjectResponse>({
+        path: '/api/risk_score/engine/saved_object/configure',
+        headers: {
+          [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
+        },
+        method: 'PATCH',
+        body: props.body,
+      })
+      .catch(catchAxiosErrorFormatAndThrow);
+  }
   /**
     * Copies and returns a timeline or timeline template.
 
@@ -2275,6 +2295,9 @@ export interface BulkUpsertAssetCriticalityRecordsProps {
 export interface CleanDraftTimelinesProps {
   body: CleanDraftTimelinesRequestBodyInput;
 }
+export interface ConfigureRiskEngineSavedObjectProps {
+  body: ConfigureRiskEngineSavedObjectRequestBodyInput;
+}
 export interface CopyTimelineProps {
   body: CopyTimelineRequestBodyInput;
 }