[8.19] [Security Solution][Detection Engine] adds simplified bulk edit for alert suppression (#223090)

oas_docs/output/kibana.yaml

@@ -10325,6 +10325,47 @@ paths:
                               timestamp: '2023-10-31T00:00:00.000Z'
                   ids:
                     - 9e946bfc-3118-4c77-bb25-67d781191921
+              example27:
+                description: The following request set alert suppression to the rules with the specified IDs.
+                summary: Edit - Set alert suppression to rules (idempotent)
+                value:
+                  action: edit
+                  edit:
+                    - type: set_alert_suppression
+                      value:
+                        duration:
+                          unit: h
+                          value: 1
+                        group_by:
+                          - source.ip
+                        missing_fields_strategy: suppress
+                  ids:
+                    - 12345678-1234-1234-1234-1234567890ab
+                    - 87654321-4321-4321-4321-0987654321ba
+              example28:
+                description: The following request set alert suppression to threshold rules with the specified IDs.
+                summary: Edit - Set alert suppression to threshold rules (idempotent)
+                value:
+                  action: edit
+                  edit:
+                    - type: set_alert_suppression_for_threshold
+                      value:
+                        duration:
+                          unit: h
+                          value: 1
+                  ids:
+                    - 12345678-1234-1234-1234-1234567890ab
+                    - 87654321-4321-4321-4321-0987654321ba
+              example29:
+                description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made.
+                summary: Edit - Removes alert suppression from rules (idempotent)
+                value:
+                  action: edit
+                  edit:
+                    - type: delete_alert_suppression
+                  ids:
+                    - 12345678-1234-1234-1234-1234567890ab
+                    - 87654321-4321-4321-4321-0987654321ba
             schema:
               oneOf:
                 - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules'
@@ -35429,6 +35470,21 @@ components:
         - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline'
         - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions'
         - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule'
+        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression'
+    Security_Detections_API_BulkActionEditPayloadAlertSuppression:
+      anyOf:
+        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression'
+        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold'
+        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression'
+    Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression:
+      type: object
+      properties:
+        type:
+          enum:
+            - delete_alert_suppression
+          type: string
+      required:
+        - type
     Security_Detections_API_BulkActionEditPayloadIndexPatterns:
       description: |
         Edits index patterns of rulesClient.
@@ -35534,6 +35590,30 @@ components:
       required:
         - type
         - value
+    Security_Detections_API_BulkActionEditPayloadSetAlertSuppression:
+      type: object
+      properties:
+        type:
+          enum:
+            - set_alert_suppression
+          type: string
+        value:
+          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+      required:
+        - type
+        - value
+    Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold:
+      type: object
+      properties:
+        type:
+          enum:
+            - set_alert_suppression_for_threshold
+          type: string
+        value:
+          $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
+      required:
+        - type
+        - value
     Security_Detections_API_BulkActionEditPayloadTags:
       description: |
         Edits tags of rules.
@@ -35587,6 +35667,8 @@ components:
         - ESQL_INDEX_PATTERN
         - MANUAL_RULE_RUN_FEATURE
         - MANUAL_RULE_RUN_DISABLED_RULE
+        - THRESHOLD_RULE_TYPE_IN_SUPPRESSION
+        - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD
       type: string
     Security_Detections_API_BulkActionSkipResult:
       type: object

x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts

@@ -29,7 +29,9 @@ import {
   InvestigationFields,
   TimelineTemplateId,
   TimelineTemplateTitle,
+  AlertSuppression,
 } from '../../model/rule_schema/common_attributes.gen';
+import { ThresholdAlertSuppression } from '../../model/rule_schema/specific_attributes/threshold_attributes.gen';
 
 export type BulkEditSkipReason = z.infer<typeof BulkEditSkipReason>;
 export const BulkEditSkipReason = z.literal('RULE_NOT_MODIFIED');
@@ -56,6 +58,8 @@ export const BulkActionsDryRunErrCode = z.enum([
   'ESQL_INDEX_PATTERN',
   'MANUAL_RULE_RUN_FEATURE',
   'MANUAL_RULE_RUN_DISABLED_RULE',
+  'THRESHOLD_RULE_TYPE_IN_SUPPRESSION',
+  'UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD',
 ]);
 export type BulkActionsDryRunErrCodeEnum = typeof BulkActionsDryRunErrCode.enum;
 export const BulkActionsDryRunErrCodeEnum = BulkActionsDryRunErrCode.enum;
@@ -233,6 +237,9 @@ export const BulkActionEditType = z.enum([
   'add_investigation_fields',
   'delete_investigation_fields',
   'set_investigation_fields',
+  'delete_alert_suppression',
+  'set_alert_suppression',
+  'set_alert_suppression_for_threshold',
 ]);
 export type BulkActionEditTypeEnum = typeof BulkActionEditType.enum;
 export const BulkActionEditTypeEnum = BulkActionEditType.enum;
@@ -357,13 +364,49 @@ export const BulkActionEditPayloadTimeline = z.object({
   }),
 });
 
+export type BulkActionEditPayloadSetAlertSuppression = z.infer<
+  typeof BulkActionEditPayloadSetAlertSuppression
+>;
+export const BulkActionEditPayloadSetAlertSuppression = z.object({
+  type: z.literal('set_alert_suppression'),
+  value: AlertSuppression,
+});
+
+export type BulkActionEditPayloadSetAlertSuppressionForThreshold = z.infer<
+  typeof BulkActionEditPayloadSetAlertSuppressionForThreshold
+>;
+export const BulkActionEditPayloadSetAlertSuppressionForThreshold = z.object({
+  type: z.literal('set_alert_suppression_for_threshold'),
+  value: ThresholdAlertSuppression,
+});
+
+export type BulkActionEditPayloadDeleteAlertSuppression = z.infer<
+  typeof BulkActionEditPayloadDeleteAlertSuppression
+>;
+export const BulkActionEditPayloadDeleteAlertSuppression = z.object({
+  type: z.literal('delete_alert_suppression'),
+});
+
+export const BulkActionEditPayloadAlertSuppressionInternal = z.union([
+  BulkActionEditPayloadSetAlertSuppression,
+  BulkActionEditPayloadSetAlertSuppressionForThreshold,
+  BulkActionEditPayloadDeleteAlertSuppression,
+]);
+
+export type BulkActionEditPayloadAlertSuppression = z.infer<
+  typeof BulkActionEditPayloadAlertSuppressionInternal
+>;
+export const BulkActionEditPayloadAlertSuppression =
+  BulkActionEditPayloadAlertSuppressionInternal as z.ZodType<BulkActionEditPayloadAlertSuppression>;
+
 export const BulkActionEditPayloadInternal = z.union([
   BulkActionEditPayloadTags,
   BulkActionEditPayloadIndexPatterns,
   BulkActionEditPayloadInvestigationFields,
   BulkActionEditPayloadTimeline,
   BulkActionEditPayloadRuleActions,
   BulkActionEditPayloadSchedule,
+  BulkActionEditPayloadAlertSuppression,
 ]);
 
 export type BulkActionEditPayload = z.infer<typeof BulkActionEditPayloadInternal>;

x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.mock.ts

@@ -20,3 +20,13 @@ export const getPerformBulkActionEditSchemaMock = (): PerformRulesBulkActionRequ
   action: BulkActionTypeEnum.edit,
   [BulkActionTypeEnum.edit]: [{ type: BulkActionEditTypeEnum.add_tags, value: ['tag1'] }],
 });
+
+export const getPerformBulkActionEditAlertSuppressionSchemaMock =
+  (): PerformRulesBulkActionRequestBody => ({
+    query: '',
+    ids: undefined,
+    action: BulkActionTypeEnum.edit,
+    [BulkActionTypeEnum.edit]: [
+      { type: BulkActionEditTypeEnum.set_alert_suppression, value: { group_by: ['field1'] } },
+    ],
+  });

x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml

@@ -359,6 +359,47 @@ paths:
                               eventAction: trigger
                               timestamp: 2023-10-31T00:00:00Z
                             group: default3
+              example27:
+                summary: Edit - Set alert suppression to rules (idempotent)
+                description: The following request set alert suppression to the rules with the specified IDs.
+                value:
+                  ids:
+                    - '12345678-1234-1234-1234-1234567890ab'
+                    - '87654321-4321-4321-4321-0987654321ba'
+                  action: 'edit'
+                  edit:
+                    - type: 'set_alert_suppression'
+                      value:
+                        group_by:
+                          - 'source.ip'
+                        duration:
+                          value: 1
+                          unit: 'h'
+                        missing_fields_strategy: 'suppress'    
+              example28:
+                summary: Edit - Set alert suppression to threshold rules (idempotent)
+                description: The following request set alert suppression to threshold rules with the specified IDs.
+                value:
+                  ids:
+                    - '12345678-1234-1234-1234-1234567890ab'
+                    - '87654321-4321-4321-4321-0987654321ba'
+                  action: 'edit'
+                  edit:
+                    - type: 'set_alert_suppression_for_threshold'
+                      value:
+                        duration:
+                          value: 1
+                          unit: 'h'
+              example29:
+                summary: Edit - Removes alert suppression from rules (idempotent)
+                description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made.
+                value:
+                  ids:
+                    - '12345678-1234-1234-1234-1234567890ab'
+                    - '87654321-4321-4321-4321-0987654321ba'
+                  action: 'edit'
+                  edit:
+                    - type: 'delete_alert_suppression'
       responses:
         200:
           description: OK
@@ -1040,6 +1081,8 @@ components:
         - ESQL_INDEX_PATTERN
         - MANUAL_RULE_RUN_FEATURE
         - MANUAL_RULE_RUN_DISABLED_RULE
+        - THRESHOLD_RULE_TYPE_IN_SUPPRESSION
+        - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD
 
     NormalizedRuleError:
       type: object
@@ -1286,6 +1329,9 @@ components:
         - add_investigation_fields
         - delete_investigation_fields
         - set_investigation_fields
+        - delete_alert_suppression
+        - set_alert_suppression
+        - set_alert_suppression_for_threshold
 
     # Per rulesClient.bulkEdit rules actions operation contract (x-pack/platform/plugins/shared/alerting/server/rules_client/rules_client.ts) normalized rule action object is expected (NormalizedAlertAction) as value for the edit operation
     NormalizedRuleAction:
@@ -1458,6 +1504,48 @@ components:
         - type
         - value
 
+    BulkActionEditPayloadSetAlertSuppression:
+      type: object
+      properties:
+        type:
+          type: string
+          enum:
+            - set_alert_suppression
+        value:
+          $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/AlertSuppression'
+      required:
+        - type
+        - value
+
+    BulkActionEditPayloadSetAlertSuppressionForThreshold:
+      type: object
+      properties:
+        type:
+          type: string
+          enum:
+            - set_alert_suppression_for_threshold
+        value:
+          $ref: '../../model/rule_schema/specific_attributes/threshold_attributes.schema.yaml#/components/schemas/ThresholdAlertSuppression'
+      required:
+        - type
+        - value
+
+    BulkActionEditPayloadDeleteAlertSuppression:
+      type: object
+      properties:
+        type:
+          type: string
+          enum:
+            - delete_alert_suppression
+      required:
+        - type
+
+    BulkActionEditPayloadAlertSuppression:
+      anyOf:
+        - $ref: '#/components/schemas/BulkActionEditPayloadSetAlertSuppression'
+        - $ref: '#/components/schemas/BulkActionEditPayloadSetAlertSuppressionForThreshold'
+        - $ref: '#/components/schemas/BulkActionEditPayloadDeleteAlertSuppression'
+
     BulkActionEditPayload:
       anyOf:
         - $ref: '#/components/schemas/BulkActionEditPayloadTags'
@@ -1466,6 +1554,8 @@ components:
         - $ref: '#/components/schemas/BulkActionEditPayloadTimeline'
         - $ref: '#/components/schemas/BulkActionEditPayloadRuleActions'
         - $ref: '#/components/schemas/BulkActionEditPayloadSchedule'
+        - $ref: '#/components/schemas/BulkActionEditPayloadAlertSuppression'
+
 
     BulkEditRules:
       allOf: