Merge branch 'master' into ML-74938-fix-spaces-encoding

Author: elasticmachine

docs/developer/best-practices/index.asciidoc

@@ -48,7 +48,7 @@ guidelines]
 * Write all new code on
 {kib-repo}blob/{branch}/src/core/README.md[the
 platform], and following
-{kib-repo}blob/{branch}/src/core/CONVENTIONS.md[conventions]
+{kib-repo}blob/{branch}/src/core/CONVENTIONS.md[conventions].
 * _Always_ use the `SavedObjectClient` for reading and writing Saved
 Objects.
 * Add `README`s to all your plugins and services.

docs/developer/best-practices/stability.asciidoc

@@ -52,15 +52,15 @@ storeinSessions?)
 [discrete]
 === Browser coverage
 
-Refer to the list of browsers and OS {kib} supports
+Refer to the list of browsers and OS {kib} supports:
 https://www.elastic.co/support/matrix
 
 Does the feature work efficiently on the list of supported browsers? 
 
 [discrete]
-=== Upgrade Scenarios - Migration scenarios- 
+=== Upgrade and Migration scenarios
 
-Does the feature affect old
-indices, saved objects ? - Has the feature been tested with {kib}
-aliases - Read/Write privileges of the indices before and after the
+* Does the feature affect old indices or saved objects?
+* Has the feature been tested with {kib} aliases?
+* Read/Write privileges of the indices before and after the
 upgrade?

docs/developer/getting-started/building-kibana.asciidoc

@@ -1,7 +1,7 @@
 [[building-kibana]]
 == Building a {kib} distributable
 
-The following commands will build a {kib} production distributable.
+The following command will build a {kib} production distributable:
 
 [source,bash]
 ----
@@ -36,4 +36,4 @@ To specify a package to build you can add `rpm` or `deb` as an argument.
 yarn build --rpm
 ----
 
-Distributable packages can be found in `target/` after the build completes.
+Distributable packages can be found in `target/` after the build completes.

docs/developer/getting-started/index.asciidoc

@@ -49,7 +49,7 @@ ____
 
 (You can also run `yarn kbn` to see the other available commands. For
 more info about this tool, see
-{kib-repo}tree/{branch}/packages/kbn-pm[{kib-repo}tree/{branch}packages/kbn-pm].)
+{kib-repo}tree/{branch}/packages/kbn-pm[{kib-repo}tree/{branch}/packages/kbn-pm].)
 
 When switching branches which use different versions of npm packages you
 may need to run:
@@ -137,4 +137,4 @@ include::debugging.asciidoc[leveloffset=+1]
 
 include::building-kibana.asciidoc[leveloffset=+1]
 
-include::development-plugin-resources.asciidoc[leveloffset=+1]
+include::development-plugin-resources.asciidoc[leveloffset=+1]

docs/developer/getting-started/running-kibana-advanced.asciidoc

@@ -73,8 +73,8 @@ settings].
 [discrete]
 === Potential Optimization Pitfalls
 
-* Webpack is trying to include a file in the bundle that I deleted and
-is now complaining about it is missing
+* Webpack is trying to include a file in the bundle that was deleted and
+is now complaining about it being missing
 * A module id that used to resolve to a single file now resolves to a
 directory, but webpack isn’t adapting
 * (if you discover other scenarios, please send a PR!)
@@ -84,4 +84,4 @@ directory, but webpack isn’t adapting
 
 {kib} includes self-signed certificates that can be used for
 development purposes in the browser and for communicating with
-{es}: `yarn start --ssl` & `yarn es snapshot --ssl`.
+{es}: `yarn start --ssl` & `yarn es snapshot --ssl`.

x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts

@@ -169,6 +169,7 @@ describe('data generator', () => {
     const childrenPerNode = 3;
     const generations = 3;
     const relatedAlerts = 4;
+
     beforeEach(() => {
       tree = generator.generateTree({
         alwaysGenMaxChildrenPerNode: true,
@@ -182,6 +183,7 @@ describe('data generator', () => {
           { category: RelatedEventCategory.File, count: 2 },
           { category: RelatedEventCategory.Network, count: 1 },
         ],
+        relatedEventsOrdered: true,
         relatedAlerts,
         ancestryArraySize: ANCESTRY_LIMIT,
       });
@@ -212,6 +214,14 @@ describe('data generator', () => {
       }
     };
 
+    it('creates related events in ascending order', () => {
+      // the order should not change since it should already be in ascending order
+      const relatedEventsAsc = _.cloneDeep(tree.origin.relatedEvents).sort(
+        (event1, event2) => event1['@timestamp'] - event2['@timestamp']
+      );
+      expect(tree.origin.relatedEvents).toStrictEqual(relatedEventsAsc);
+    });
+
     it('has ancestry array defined', () => {
       expect(tree.origin.lifecycle[0].process.Ext!.ancestry!.length).toBe(ANCESTRY_LIMIT);
       for (const event of tree.allEvents) {

x-pack/plugins/security_solution/common/endpoint/generate_data.ts

@@ -302,6 +302,12 @@ export interface TreeOptions {
   generations?: number;
   children?: number;
   relatedEvents?: RelatedEventInfo[] | number;
+  /**
+   * If true then the related events will be created with timestamps that preserve the
+   * generation order, meaning the first event will always have a timestamp number less
+   * than the next related event
+   */
+  relatedEventsOrdered?: boolean;
   relatedAlerts?: number;
   percentWithRelated?: number;
   percentTerminated?: number;
@@ -322,6 +328,7 @@ export function getTreeOptionsWithDef(options?: TreeOptions): TreeOptionDefaults
     generations: options?.generations ?? 2,
     children: options?.children ?? 2,
     relatedEvents: options?.relatedEvents ?? 5,
+    relatedEventsOrdered: options?.relatedEventsOrdered ?? false,
     relatedAlerts: options?.relatedAlerts ?? 3,
     percentWithRelated: options?.percentWithRelated ?? 30,
     percentTerminated: options?.percentTerminated ?? 100,
@@ -809,7 +816,8 @@ export class EndpointDocGenerator {
       for (const relatedEvent of this.relatedEventsGenerator(
         node,
         opts.relatedEvents,
-        secBeforeEvent
+        secBeforeEvent,
+        opts.relatedEventsOrdered
       )) {
         eventList.push(relatedEvent);
       }
@@ -877,6 +885,8 @@ export class EndpointDocGenerator {
         addRelatedAlerts(ancestor, numAlertsPerNode, processDuration, events);
       }
     }
+    timestamp = timestamp + 1000;
+
     events.push(
       this.generateAlert(
         timestamp,
@@ -961,7 +971,12 @@ export class EndpointDocGenerator {
         });
       }
       if (this.randomN(100) < opts.percentWithRelated) {
-        yield* this.relatedEventsGenerator(child, opts.relatedEvents, processDuration);
+        yield* this.relatedEventsGenerator(
+          child,
+          opts.relatedEvents,
+          processDuration,
+          opts.relatedEventsOrdered
+        );
         yield* this.relatedAlertsGenerator(child, opts.relatedAlerts, processDuration);
       }
     }
@@ -973,13 +988,17 @@ export class EndpointDocGenerator {
    * @param relatedEvents - can be an array of RelatedEventInfo objects describing the related events that should be generated for each process node
    *  or a number which defines the number of related events and will default to random categories
    * @param processDuration - maximum number of seconds after process event that related event timestamp can be
+   * @param ordered - if true the events will have an increasing timestamp, otherwise their timestamp will be random but
+   *  guaranteed to be greater than or equal to the originating event
    */
   public *relatedEventsGenerator(
     node: Event,
     relatedEvents: RelatedEventInfo[] | number = 10,
-    processDuration: number = 6 * 3600
+    processDuration: number = 6 * 3600,
+    ordered: boolean = false
   ) {
     let relatedEventsInfo: RelatedEventInfo[];
+    let ts = node['@timestamp'] + 1;
     if (typeof relatedEvents === 'number') {
       relatedEventsInfo = [{ category: RelatedEventCategory.Random, count: relatedEvents }];
     } else {
@@ -995,7 +1014,12 @@ export class EndpointDocGenerator {
           eventInfo = OTHER_EVENT_CATEGORIES[event.category];
         }
 
-        const ts = node['@timestamp'] + this.randomN(processDuration) * 1000;
+        if (ordered) {
+          ts += this.randomN(processDuration) * 1000;
+        } else {
+          ts = node['@timestamp'] + this.randomN(processDuration) * 1000;
+        }
+
         yield this.generateEvent({
           timestamp: ts,
           entityID: node.process.entity_id,

x-pack/plugins/security_solution/common/endpoint/schema/resolver.ts

@@ -33,6 +33,11 @@ export const validateEvents = {
     afterEvent: schema.maybe(schema.string()),
     legacyEndpointID: schema.maybe(schema.string({ minLength: 1 })),
   }),
+  body: schema.nullable(
+    schema.object({
+      filter: schema.maybe(schema.string()),
+    })
+  ),
 };
 
 /**
@@ -45,6 +50,11 @@ export const validateAlerts = {
     afterAlert: schema.maybe(schema.string()),
     legacyEndpointID: schema.maybe(schema.string({ minLength: 1 })),
   }),
+  body: schema.nullable(
+    schema.object({
+      filter: schema.maybe(schema.string()),
+    })
+  ),
 };
 
 /**

x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx

@@ -18,7 +18,6 @@ import {
   EuiCheckbox,
   EuiSpacer,
   EuiFormRow,
-  EuiCallOut,
   EuiText,
 } from '@elastic/eui';
 import { Status } from '../../../../../common/detection_engine/schemas/common/schemas';
@@ -28,13 +27,15 @@ import {
   ExceptionListType,
 } from '../../../../../public/lists_plugin_deps';
 import * as i18n from './translations';
+import * as sharedI18n from '../translations';
 import { TimelineNonEcsData, Ecs } from '../../../../graphql/types';
 import { useAppToasts } from '../../../hooks/use_app_toasts';
 import { useKibana } from '../../../lib/kibana';
 import { ExceptionBuilderComponent } from '../builder';
 import { Loader } from '../../loader';
 import { useAddOrUpdateException } from '../use_add_exception';
 import { useSignalIndex } from '../../../../detections/containers/detection_engine/alerts/use_signal_index';
+import { useRuleAsync } from '../../../../detections/containers/detection_engine/rules/use_rule_async';
 import { useFetchOrCreateRuleExceptionList } from '../use_fetch_or_create_rule_exception_list';
 import { AddExceptionComments } from '../add_exception_comments';
 import {
@@ -46,6 +47,7 @@ import {
   entryHasNonEcsType,
   getMappedNonEcsValue,
 } from '../helpers';
+import { ErrorInfo, ErrorCallout } from '../error_callout';
 import { useFetchIndexPatterns } from '../../../../detections/containers/detection_engine/rules';
 
 export interface AddExceptionModalBaseProps {
@@ -107,13 +109,14 @@ export const AddExceptionModal = memo(function AddExceptionModal({
 }: AddExceptionModalProps) {
   const { http } = useKibana().services;
   const [comment, setComment] = useState('');
+  const { rule: maybeRule } = useRuleAsync(ruleId);
   const [shouldCloseAlert, setShouldCloseAlert] = useState(false);
   const [shouldBulkCloseAlert, setShouldBulkCloseAlert] = useState(false);
   const [shouldDisableBulkClose, setShouldDisableBulkClose] = useState(false);
   const [exceptionItemsToAdd, setExceptionItemsToAdd] = useState<
     Array<ExceptionListItemSchema | CreateExceptionListItemSchema>
   >([]);
-  const [fetchOrCreateListError, setFetchOrCreateListError] = useState(false);
+  const [fetchOrCreateListError, setFetchOrCreateListError] = useState<ErrorInfo | null>(null);
   const { addError, addSuccess } = useAppToasts();
   const { loading: isSignalIndexLoading, signalIndexName } = useSignalIndex();
   const [
@@ -164,17 +167,41 @@ export const AddExceptionModal = memo(function AddExceptionModal({
     },
     [onRuleChange]
   );
-  const onFetchOrCreateExceptionListError = useCallback(
-    (error: Error) => {
-      setFetchOrCreateListError(true);
+
+  const handleDissasociationSuccess = useCallback(
+    (id: string): void => {
+      handleRuleChange(true);
+      addSuccess(sharedI18n.DISSASOCIATE_LIST_SUCCESS(id));
+      onCancel();
+    },
+    [handleRuleChange, addSuccess, onCancel]
+  );
+
+  const handleDissasociationError = useCallback(
+    (error: Error): void => {
+      addError(error, { title: sharedI18n.DISSASOCIATE_EXCEPTION_LIST_ERROR });
+      onCancel();
+    },
+    [addError, onCancel]
+  );
+
+  const handleFetchOrCreateExceptionListError = useCallback(
+    (error: Error, statusCode: number | null, message: string | null) => {
+      setFetchOrCreateListError({
+        reason: error.message,
+        code: statusCode,
+        details: message,
+        listListId: null,
+      });
     },
     [setFetchOrCreateListError]
   );
+
   const [isLoadingExceptionList, ruleExceptionList] = useFetchOrCreateRuleExceptionList({
     http,
     ruleId,
     exceptionListType,
-    onError: onFetchOrCreateExceptionListError,
+    onError: handleFetchOrCreateExceptionListError,
     onSuccess: handleRuleChange,
   });
 
@@ -279,7 +306,9 @@ export const AddExceptionModal = memo(function AddExceptionModal({
   ]);
 
   const isSubmitButtonDisabled = useMemo(
-    () => fetchOrCreateListError || exceptionItemsToAdd.every((item) => item.entries.length === 0),
+    () =>
+      fetchOrCreateListError != null ||
+      exceptionItemsToAdd.every((item) => item.entries.length === 0),
     [fetchOrCreateListError, exceptionItemsToAdd]
   );
 
@@ -295,19 +324,27 @@ export const AddExceptionModal = memo(function AddExceptionModal({
           </ModalHeaderSubtitle>
         </ModalHeader>
 
-        {fetchOrCreateListError === true && (
-          <EuiCallOut title={i18n.ADD_EXCEPTION_FETCH_ERROR_TITLE} color="danger" iconType="alert">
-            <p>{i18n.ADD_EXCEPTION_FETCH_ERROR}</p>
-          </EuiCallOut>
+        {fetchOrCreateListError != null && (
+          <EuiModalFooter>
+            <ErrorCallout
+              http={http}
+              errorInfo={fetchOrCreateListError}
+              rule={maybeRule}
+              onCancel={onCancel}
+              onSuccess={handleDissasociationSuccess}
+              onError={handleDissasociationError}
+              data-test-subj="addExceptionModalErrorCallout"
+            />
+          </EuiModalFooter>
         )}
-        {fetchOrCreateListError === false &&
+        {fetchOrCreateListError == null &&
           (isLoadingExceptionList ||
             isIndexPatternLoading ||
             isSignalIndexLoading ||
             isSignalIndexPatternLoading) && (
             <Loader data-test-subj="loadingAddExceptionModal" size="xl" />
           )}
-        {fetchOrCreateListError === false &&
+        {fetchOrCreateListError == null &&
           !isSignalIndexLoading &&
           !isSignalIndexPatternLoading &&
           !isLoadingExceptionList &&
@@ -377,20 +414,21 @@ export const AddExceptionModal = memo(function AddExceptionModal({
               </ModalBodySection>
             </>
           )}
+        {fetchOrCreateListError == null && (
+          <EuiModalFooter>
+            <EuiButtonEmpty onClick={onCancel}>{i18n.CANCEL}</EuiButtonEmpty>
 
-        <EuiModalFooter>
-          <EuiButtonEmpty onClick={onCancel}>{i18n.CANCEL}</EuiButtonEmpty>
-
-          <EuiButton
-            data-test-subj="add-exception-confirm-button"
-            onClick={onAddExceptionConfirm}
-            isLoading={addExceptionIsLoading}
-            isDisabled={isSubmitButtonDisabled}
-            fill
-          >
-            {i18n.ADD_EXCEPTION}
-          </EuiButton>
-        </EuiModalFooter>
+            <EuiButton
+              data-test-subj="add-exception-confirm-button"
+              onClick={onAddExceptionConfirm}
+              isLoading={addExceptionIsLoading}
+              isDisabled={isSubmitButtonDisabled}
+              fill
+            >
+              {i18n.ADD_EXCEPTION}
+            </EuiButton>
+          </EuiModalFooter>
+        )}
       </Modal>
     </EuiOverlayMask>
   );