[Security Solution][Exceptions] - Tie server and client code together

[yctercero]

Summary

This PR tries to start to tie together the server and client changes for exceptions lists.

• Updates graphql types to allow UI access to a rule's exceptions_list property
• Updates the exception viewer component to now dynamically take the rule exceptions_list, up until now we just had an empty array in it's place
• Updates the viewer logic to check if a rule has an endpoint list associated with it. If it does, then it displays both detections and endpoint UIs (in the viewer), if it does not, then it only displays the detections UI
• Updates the viewer UI to better deal with spacing when an exception list item only has one or two entries (before the and badge with the antennas was stretching passed the exception items to fill the space)
• Updates the detections engine exceptions logic to fetch list items using an exception list's id as opposed to it's list_id, this now aligns with the UI using the same params on its end
• Adds exception list type to information kept by the rule for exception lists
• Updates the exception list type from string to endpoint | detection
• Updates the exception list item type from string to simple
• Adds unit tests for the detection engine server side util that fetches the exception list items

With this PR, you should now be able to use the API to create rules with exception lists and see the alerts filtered in the UI as well as seeing the exceptions show now in the exceptions viewer. See #69715 TO DO section for an explanation on the remaining updates needed to the filtering logic.

Note: This was originally #69939 , but opened new clean PR here.

How to test

To turn on lists plugin - in kibana.dev.yml

# Enable lists feature
xpack.lists.enabled: true
xpack.lists.listIndex: '.lists-yara'
xpack.lists.listItemIndex: '.items-yara'

Add export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true to your bash file.

Use the scripts in x-pack/plugins/lists/server/scripts to create some sample exception lists and items. You can use the following:

If you've previously played around with lists (or if you've never, and need to create the index), run ./hard_reset.sh (this will delete any lists you've created).

Create large value list:

• Create large value list ./post_list.sh
• Create large value list item ./post_list_item.sh (I modified the value to be "value": "10.4.3.11")

Create exception list:

• Create exception list ./post_exception_list.sh
• Create exception list item ./post_exception_list_item.sh ./exception_lists/new/exception_list_item_with_list.json. This makes reference to the large value list created above.

Use the scripts in x-pack/plugins/security_solution/server/lib/detection_engine/scripts to create rule:
Before running script, you'll need to update the referenced exceptions_list id to the one you created

• Run ./post_rule.sh ./rules/queries/query_with_list.json (Makes reference to the exception list created in step above)

In the Alerts table, you should see something like the following where you only see events where the event.module is suricata and source.ip is 10.4.3.11 (or whatever ip you specified).

Go to your newly created rule details and on the Exceptions tab you should see something like this:

What to test

• If you follow the steps outlined above, do you see exception list items show up in the rule's details exception tab? (You should! 😬 )
• Are signals being created as you expect?
  • Remember that as these are exceptions, it is double negative logic
  • If you aren't seeing signals created check to make sure that your exceptions aren't too narrow
  • Keep in mind that the detection engine logic needs updating - see [SIEM][Detection Engine] - Update DE to work with new exceptions schema #69715 TO DO section for an explanation on the remaining updates needed to the filtering logic.
• If you associate both a detection and an endpoint list, are you able to see both and toggle between the lists in the viewer?(You should! 😬 )
  • Create detection type list ./post_exception_list.sh ./exception_lists/new/exception_list_detection.json
  • Create detection type list items ./post_exception_list_item.sh ./exception_lists/new/exception_list_item_detection_auto_id.json - this script auto generates the item_id so you can run it as many times as you like to create multiple items
  • In x-pack/plugins/security_solution/server/lib/detection_engine/scripts update /rules/patches/update_list.json to include your newly created exception list and run ./patch_rule.sh ./rules/patches/update_list.json
• Using API, are you able to create an exception list with a type other than endpoint or detection? (Hopefully not! 🛑 )
• Using API, are you able to create an exception list item with a type other than simple? (Hopefully not! 🛑 )
• If you update the exceptions_list on the rule to just have a detections list, do you see the viewer display a modified view with no toggle options? (You should! 😬 ) Something like:

Checklist

• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser
• This was checked for cross-browser compatibility, including a check against IE11

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[yctercero]

Before both the list and item types were just t.string so it didn't scream at us, but now that the list type and item type differ, had to update.

[yctercero]

Before both the list and item types were just t.string so it didn't scream at us, but now that the list type and item type differ, had to update.

[yctercero]

Before both the list and item types were just t.string so it didn't scream at us, but now that the list type and item type differ, had to update.

[yctercero]

This is a result of both the list and item type being mapped to the same type property in the SO. We can discuss whether to keep this as is (@FrankHassanabad are there downsides to separating these out?) or change.

[yctercero]

Starting to try to not rely on io-ts check where I can given talk of not optimal performance.

[yctercero]

@rylnd this is a new PR I created off of #69939 . Per your feedback, moved to not change namespaceType to namespace_type in the UI.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 293a12b

Build metrics

@kbn/optimizer bundle module count

id	value	diff	baseline
securitySolution	809	+24	785

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[peluja1012]

Tested by integrating with the Exceptions Modal branch. Thank you the hard work you put in to tie it all together!

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)