[Security Solution] Rules managment RBAC subfeatures

oas_docs/output/kibana.serverless.yaml

@@ -76312,6 +76312,7 @@ components:
         - THRESHOLD_RULE_TYPE_IN_SUPPRESSION
         - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD
         - RULE_FILL_GAPS_DISABLED_RULE
+        - USER_INSUFFICIENT_RULE_PRIVILEGES
       type: string
     Security_Detections_API_BulkActionSkipResult:
       type: object

oas_docs/output/kibana.yaml

@@ -87328,6 +87328,7 @@ components:
         - THRESHOLD_RULE_TYPE_IN_SUPPRESSION
         - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD
         - RULE_FILL_GAPS_DISABLED_RULE
+        - USER_INSUFFICIENT_RULE_PRIVILEGES
       type: string
     Security_Detections_API_BulkActionSkipResult:
       type: object

x-pack/platform/plugins/shared/alerting/common/constants/valid_fields_with_read_auth.ts

@@ -5,11 +5,10 @@
  * 2.0.
  */
 
-/**
- * Used by the security solution
- */
 export const validFields = {
   EXCEPTIONS_LIST: 'exceptionsList',
+  NOTE: 'note',
+  INVESTIGATION_FIELDS: 'investigationFields',
   RULE_SOURCE: 'ruleSource',
 } as const;
 

x-pack/platform/plugins/shared/alerting/server/application/rule/methods/bulk_edit_params/schemas/bulk_edit_rule_params_option_schemas.ts

@@ -8,16 +8,23 @@ import { schema } from '@kbn/config-schema';
 import { validFields } from '../../../../../../common/constants';
 
 const bulkEditExceptionListField = schema.literal(validFields.EXCEPTIONS_LIST);
+const bulkEditNoteField = schema.literal(validFields.NOTE);
+const bulkEditInvestigationFieldsField = schema.literal(validFields.INVESTIGATION_FIELDS);
 const bulkEditRuleSourceField = schema.literal(validFields.RULE_SOURCE);
 
 export const bulkEditParamsOperationSchema = schema.object({
   operation: schema.literal('set'),
-  field: schema.oneOf([bulkEditExceptionListField, bulkEditRuleSourceField]),
-  value: schema.any(),
+  field: schema.oneOf([
+    bulkEditExceptionListField,
+    bulkEditNoteField,
+    bulkEditInvestigationFieldsField,
+    bulkEditRuleSourceField,
+  ]),
+  value: schema.maybe(schema.any()),
 });
 
 export const bulkEditParamsOperationsSchema = schema.arrayOf(bulkEditParamsOperationSchema, {
-  minSize: 1,
+  maxSize: 2000,
 });
 
 export const bulkEditRuleParamsOptionsSchema = schema.object({
@@ -27,12 +34,19 @@ export const bulkEditRuleParamsOptionsSchema = schema.object({
 });
 
 const bulkEditExceptionListParamField = schema.literal('params.exceptionsList');
+const bulkEditNoteParamField = schema.literal('params.note');
+const bulkEditInvestigationFieldsParamField = schema.literal('params.investigationFields');
 const bulkEditRuleSourceParamField = schema.literal('params.ruleSource');
 
 export const bulkEditRuleParamsOperationSchema = schema.object({
   operation: schema.literal('set'),
-  field: schema.oneOf([bulkEditExceptionListParamField, bulkEditRuleSourceParamField]),
-  value: schema.any(),
+  field: schema.oneOf([
+    bulkEditExceptionListParamField,
+    bulkEditNoteParamField,
+    bulkEditInvestigationFieldsParamField,
+    bulkEditRuleSourceParamField,
+  ]),
+  value: schema.maybe(schema.any()),
 });
 
 export const bulkEditRuleParamsOperationsSchema = schema.arrayOf(

x-pack/platform/plugins/shared/alerting/server/rules_client/lib/siem_legacy_actions/migrate_legacy_actions.ts

@@ -83,8 +83,14 @@ export const bulkMigrateLegacyActions = async ({
 
       rule.attributes.actions = [...existingActionsWithFrequencies, ...transformedActions];
       rule.references = [...rule.references, ...transformedReferences];
-      rule.attributes.throttle = undefined;
-      rule.attributes.notifyWhen = undefined;
+      // Only clear rule-level throttle when there are actual migrated actions from
+      // the sidecar (throttled sidecars). For no_actions/rule sidecars (empty
+      // transformedActions), the original throttle value should be preserved since
+      // there are no per-action frequencies being migrated from the sidecar.
+      if (transformedActions.length > 0) {
+        rule.attributes.throttle = undefined;
+      }
+      rule.attributes.notifyWhen = null;
     });
     return Object.keys(transformed);
   } catch (e) {

x-pack/platform/plugins/shared/alerting/server/rules_client/lib/siem_legacy_actions/transform_and_delete_legacy_actions.ts

@@ -125,11 +125,15 @@ export const transformAndDeleteLegacyActions: TransformAndDeleteLegacyActions =
         savedObject.attributes.ruleThrottle === 'no_actions' ||
         savedObject.attributes.ruleThrottle === 'rule';
 
+      const ruleId = ruleReference.id;
+
       if (hasNoThrottledActions) {
+        // Still register the rule so that bulkMigrateLegacyActions resets
+        // notifyWhen/throttle and adds per-action frequency to existing actions,
+        // even though there are no new throttled actions to migrate from the sidecar.
+        transformedActionsByRuleId[ruleId] = { transformedActions: [], transformedReferences: [] };
         return;
       }
-
-      const ruleId = ruleReference.id;
       const transformedActions = transformFromLegacyActions(
         savedObject.attributes,
         savedObject.references

x-pack/platform/test/api_integration/apis/features/features/features.ts

@@ -144,7 +144,7 @@ export default function ({ getService }: FtrProviderContext) {
             'securitySolutionCasesV3',
             'securitySolutionTimeline',
             'securitySolutionNotes',
-            'securitySolutionRulesV3',
+            'securitySolutionRulesV4',
             'securitySolutionAlertsV1',
             'securitySolutionSiemMigrations',
             'workflowsManagement',

x-pack/platform/test/api_integration/apis/security/privileges.ts

@@ -350,20 +350,53 @@ export default function ({ getService }: FtrProviderContext) {
       securitySolutionTimeline: ['all', 'read', 'minimal_all', 'minimal_read'],
       securitySolutionNotes: ['all', 'read', 'minimal_all', 'minimal_read'],
       securitySolutionSiemMigrations: ['all', 'read', 'minimal_all', 'minimal_read'],
-      securitySolutionRulesV1: ['all', 'read', 'minimal_all', 'minimal_read'],
+      securitySolutionRulesV1: [
+        'all',
+        'read',
+        'minimal_all',
+        'minimal_read',
+        'security_solution_exceptions_all',
+        'security_solution_investigation_guide_edit',
+        'security_solution_custom_highlighted_fields_edit',
+        'security_solution_enable_disable_rules',
+        'security_solution_manual_run_rules',
+        'security_solution_rules_management_settings',
+      ],
       securitySolutionRulesV2: [
         'all',
         'read',
         'minimal_all',
         'minimal_read',
         'security_solution_exceptions_all',
+        'security_solution_investigation_guide_edit',
+        'security_solution_custom_highlighted_fields_edit',
+        'security_solution_enable_disable_rules',
+        'security_solution_manual_run_rules',
+        'security_solution_rules_management_settings',
       ],
       securitySolutionRulesV3: [
         'all',
         'read',
         'minimal_all',
         'minimal_read',
         'security_solution_exceptions_all',
+        'security_solution_investigation_guide_edit',
+        'security_solution_custom_highlighted_fields_edit',
+        'security_solution_enable_disable_rules',
+        'security_solution_manual_run_rules',
+        'security_solution_rules_management_settings',
+      ],
+      securitySolutionRulesV4: [
+        'all',
+        'read',
+        'minimal_all',
+        'minimal_read',
+        'security_solution_exceptions_all',
+        'security_solution_investigation_guide_edit',
+        'security_solution_custom_highlighted_fields_edit',
+        'security_solution_enable_disable_rules',
+        'security_solution_manual_run_rules',
+        'security_solution_rules_management_settings',
       ],
       securitySolutionAlertsV1: ['all', 'read', 'minimal_all', 'minimal_read'],
       infrastructure: ['all', 'read', 'minimal_all', 'minimal_read'],

x-pack/platform/test/api_integration_basic/apis/security/privileges.ts

@@ -65,6 +65,7 @@ export default function ({ getService }: FtrProviderContext) {
             securitySolutionRulesV1: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionRulesV2: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionRulesV3: ['all', 'read', 'minimal_all', 'minimal_read'],
+            securitySolutionRulesV4: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAlertsV1: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAssistant: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAttackDiscovery: ['all', 'read', 'minimal_all', 'minimal_read'],
@@ -421,20 +422,53 @@ export default function ({ getService }: FtrProviderContext) {
               'minimal_all',
               'minimal_read',
             ],
-            securitySolutionRulesV1: ['all', 'read', 'minimal_all', 'minimal_read'],
+            securitySolutionRulesV1: [
+              'all',
+              'read',
+              'minimal_all',
+              'minimal_read',
+              'security_solution_custom_highlighted_fields_edit',
+              'security_solution_enable_disable_rules',
+              'security_solution_exceptions_all',
+              'security_solution_investigation_guide_edit',
+              'security_solution_manual_run_rules',
+              'security_solution_rules_management_settings',
+            ],
             securitySolutionRulesV2: [
               'all',
               'read',
               'minimal_all',
               'minimal_read',
+              'security_solution_custom_highlighted_fields_edit',
+              'security_solution_enable_disable_rules',
               'security_solution_exceptions_all',
+              'security_solution_investigation_guide_edit',
+              'security_solution_manual_run_rules',
+              'security_solution_rules_management_settings',
             ],
             securitySolutionRulesV3: [
+              'all',
+              'read',
+              'minimal_all',
+              'minimal_read',
+              'security_solution_custom_highlighted_fields_edit',
+              'security_solution_enable_disable_rules',
+              'security_solution_exceptions_all',
+              'security_solution_investigation_guide_edit',
+              'security_solution_manual_run_rules',
+              'security_solution_rules_management_settings',
+            ],
+            securitySolutionRulesV4: [
               'all',
               'read',
               'minimal_all',
               'minimal_read',
               'security_solution_exceptions_all',
+              'security_solution_investigation_guide_edit',
+              'security_solution_custom_highlighted_fields_edit',
+              'security_solution_enable_disable_rules',
+              'security_solution_manual_run_rules',
+              'security_solution_rules_management_settings',
             ],
             securitySolutionAlertsV1: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAssistant: [

x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts

@@ -205,6 +205,7 @@ export default function ({ getService }: FtrProviderContext) {
           "securitySolutionCasesV2",
           "securitySolutionRulesV1",
           "securitySolutionRulesV2",
+          "securitySolutionRulesV3",
           "siem",
           "siemV2",
           "siemV3",

x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts

@@ -93,7 +93,7 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv
         'securitySolutionAttackDiscovery',
         'securitySolutionCasesV3',
         'securitySolutionNotes',
-        'securitySolutionRulesV3',
+        'securitySolutionRulesV4',
         'securitySolutionSiemMigrations',
         'securitySolutionTimeline',
         'siemV5',

x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts

@@ -95,7 +95,7 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex
             'securitySolutionAttackDiscovery',
             'securitySolutionCasesV3',
             'securitySolutionNotes',
-            'securitySolutionRulesV3',
+            'securitySolutionRulesV4',
             'securitySolutionSiemMigrations',
             'securitySolutionTimeline',
             'siemV5',

x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts

@@ -85,7 +85,7 @@ const ALL_SPACE_RESULTS: Space[] = [
       'securitySolutionAttackDiscovery',
       'securitySolutionCasesV3',
       'securitySolutionNotes',
-      'securitySolutionRulesV3',
+      'securitySolutionRulesV4',
       'securitySolutionSiemMigrations',
       'securitySolutionTimeline',
       'siemV5',

x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts

@@ -105,6 +105,7 @@ export default function ({ getService }: FtrProviderContext) {
         securitySolutionRulesV1: 0,
         securitySolutionRulesV2: 0,
         securitySolutionRulesV3: 0,
+        securitySolutionRulesV4: 0,
         securitySolutionAlertsV1: 0,
         securitySolutionCases: 0,
         securitySolutionCasesV2: 0,

x-pack/solutions/security/packages/features/product_features.ts

@@ -18,5 +18,10 @@ export { getAttackDiscoveryFeature } from './src/attack_discovery';
 export { getTimelineFeature } from './src/timeline';
 export { getNotesFeature } from './src/notes';
 export { getSiemMigrationsFeature } from './src/siem_migrations';
-export { getRulesFeature, getRulesV2Feature, getRulesV3Feature } from './src/rules';
+export {
+  getRulesFeature,
+  getRulesV2Feature,
+  getRulesV3Feature,
+  getRulesV4Feature,
+} from './src/rules';
 export { getAlertsFeature } from './src/alerts';