response actions in eql and esql rules

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts

@@ -117,6 +117,7 @@ export const BaseOptionalFields = z.object({
   meta: RuleMetadata.optional(),
   investigation_fields: InvestigationFields.optional(),
   throttle: RuleActionThrottle.optional(),
+  response_actions: z.array(ResponseAction).optional(),
 });
 
 export type BaseDefaultableFields = z.infer<typeof BaseDefaultableFields>;
@@ -261,7 +262,6 @@ export const QueryRuleOptionalFields = z.object({
   data_view_id: DataViewId.optional(),
   filters: RuleFilterArray.optional(),
   saved_id: SavedQueryId.optional(),
-  response_actions: z.array(ResponseAction).optional(),
   alert_suppression: AlertSuppression.optional(),
 });
 
@@ -312,7 +312,6 @@ export const SavedQueryRuleOptionalFields = z.object({
   index: IndexPatternArray.optional(),
   data_view_id: DataViewId.optional(),
   filters: RuleFilterArray.optional(),
-  response_actions: z.array(ResponseAction).optional(),
   alert_suppression: AlertSuppression.optional(),
   query: RuleQuery.optional(),
 });

x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml

@@ -2,7 +2,7 @@ openapi: 3.0.0
 info:
   title: Security Rule Schema
   version: 'not applicable'
-paths: {}
+paths: { }
 components:
   x-codegen-enabled: true
   schemas:
@@ -70,6 +70,10 @@ components:
         investigation_fields:
           $ref: './common_attributes.schema.yaml#/components/schemas/InvestigationFields'
 
+        response_actions:
+          type: array
+          items:
+            $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
         # Throttle
         throttle:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleActionThrottle'
@@ -262,7 +266,7 @@ components:
       properties:
         type:
           type: string
-          enum: [eql]
+          enum: [ eql ]
           description: Rule type
         query:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleQuery'
@@ -338,7 +342,7 @@ components:
       properties:
         type:
           type: string
-          enum: [query]
+          enum: [ query ]
           description: Rule type
       required:
         - type
@@ -354,10 +358,6 @@ components:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
         saved_id:
           $ref: './common_attributes.schema.yaml#/components/schemas/SavedQueryId'
-        response_actions:
-          type: array
-          items:
-            $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
         alert_suppression:
           $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
 
@@ -418,7 +418,7 @@ components:
       properties:
         type:
           type: string
-          enum: [saved_query]
+          enum: [ saved_query ]
           description: Rule type
         saved_id:
           $ref: './common_attributes.schema.yaml#/components/schemas/SavedQueryId'
@@ -435,10 +435,6 @@ components:
           $ref: './common_attributes.schema.yaml#/components/schemas/DataViewId'
         filters:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
-        response_actions:
-          type: array
-          items:
-            $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
         alert_suppression:
           $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
         query:
@@ -499,7 +495,7 @@ components:
       properties:
         type:
           type: string
-          enum: [threshold]
+          enum: [ threshold ]
           description: Rule type
         query:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleQuery'
@@ -579,7 +575,7 @@ components:
       properties:
         type:
           type: string
-          enum: [threat_match]
+          enum: [ threat_match ]
           description: Rule type
         query:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleQuery'
@@ -675,7 +671,7 @@ components:
       properties:
         type:
           type: string
-          enum: [machine_learning]
+          enum: [ machine_learning ]
           description: Rule type
         anomaly_threshold:
           $ref: './specific_attributes/ml_attributes.schema.yaml#/components/schemas/AnomalyThreshold'
@@ -737,7 +733,7 @@ components:
       properties:
         type:
           type: string
-          enum: [new_terms]
+          enum: [ new_terms ]
           description: Rule type
         query:
           $ref: './common_attributes.schema.yaml#/components/schemas/RuleQuery'
@@ -823,7 +819,7 @@ components:
       properties:
         type:
           type: string
-          enum: [esql]
+          enum: [ esql ]
           description: Rule type
         language:
           $ref: '#/components/schemas/EsqlQueryLanguage'

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.tsx

@@ -17,7 +17,7 @@ import type {
 import { UseArray } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
 import type { Type } from '@kbn/securitysolution-io-ts-alerting-types';
 import type { RuleObjectId } from '../../../../../common/api/detection_engine/model/rule_schema';
-import { isQueryRule } from '../../../../../common/detection_engine/utils';
+import { isQueryRule, isEsqlRule, isEqlRule } from '../../../../../common/detection_engine/utils';
 import { ResponseActionsForm } from '../../../rule_response_actions/response_actions_form';
 import type {
   RuleStepProps,
@@ -101,7 +101,7 @@ const StepRuleActionsComponent: FC<StepRuleActionsProps> = ({
     [actionMessageParams, summaryActionMessageParams]
   );
   const displayResponseActionsOptions = useMemo(() => {
-    if (isQueryRule(ruleType)) {
+    if (isQueryRule(ruleType) || isEsqlRule(ruleType) || isEqlRule(ruleType)) {
       return (
         <UseArray path="responseActions" initialNumberOfItems={0}>
           {ResponseActionsForm}

x-pack/plugins/security_solution/public/management/cypress/e2e/automated_response_actions/form.cy.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import {
@@ -12,6 +13,7 @@ import {
   tryAddingDisabledResponseAction,
   validateAvailableCommands,
   visitRuleActions,
+  fillUpNewEsqlRule,
 } from '../../tasks/response_actions';
 import { cleanupRule, generateRandomStringName, loadRule } from '../../tasks/api_fixtures';
 import { ResponseActionTypesEnum } from '../../../../../common/api/detection_engine';
@@ -202,6 +204,31 @@ describe(
       });
     });
 
+    describe('User should be able to add response action to ESQL rule', () => {
+      let ruleId: string;
+      const [ruleName, ruleDescription] = generateRandomStringName(2);
+
+      beforeEach(() => {
+        login(ROLE.soc_manager);
+      });
+      afterEach(() => {
+        if (ruleId) {
+          cleanupRule(ruleId);
+        }
+      });
+
+      it('create and save endpoint response action inside of a rule', () => {
+        fillUpNewEsqlRule(ruleName, ruleDescription);
+        addEndpointResponseAction();
+        focusAndOpenCommandDropdown();
+        validateAvailableCommands();
+        cy.getByTestSubj(`command-type-isolate`).click();
+
+        cy.getByTestSubj('create-enabled-false').click();
+        cy.contains(`${ruleName} was created`);
+      });
+    });
+
     describe('User should not see endpoint action when no rbac', () => {
       const [ruleName, ruleDescription] = generateRandomStringName(2);
 

x-pack/plugins/security_solution/public/management/cypress/tasks/response_actions.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import { inputConsoleCommand, submitCommand } from './response_console';
@@ -69,6 +70,28 @@ export const fillUpNewRule = (name = 'Test', description = 'Test') => {
   cy.getByTestSubj('about-continue').click();
   cy.getByTestSubj('schedule-continue').click();
 };
+
+export const fillUpNewEsqlRule = (name = 'Test', description = 'Test') => {
+  loadPage('app/security/rules/management');
+  cy.getByTestSubj('create-new-rule').click();
+  cy.getByTestSubj('stepDefineRule').within(() => {
+    cy.getByTestSubj('esqlRuleType').click();
+    cy.getByTestSubj('globalQueryBar').first().click();
+    cy.getByTestSubj('kibanaCodeEditor').type(
+      'FROM logs-* METADATA _index, _id {backspace}{enter}'
+    );
+  });
+  cy.getByTestSubj('define-continue').click();
+  cy.getByTestSubj('detectionEngineStepAboutRuleName').within(() => {
+    cy.getByTestSubj('input').type(name);
+  });
+  cy.getByTestSubj('detectionEngineStepAboutRuleDescription').within(() => {
+    cy.getByTestSubj('input').type(description);
+  });
+  cy.getByTestSubj('about-continue').click();
+  cy.getByTestSubj('schedule-continue').click();
+};
+
 export const visitRuleActions = (ruleId: string) => {
   loadPage(`app/security/rules/id/${ruleId}/edit`);
   cy.getByTestSubj('edit-rule-actions-tab').should('exist');

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.test.ts

@@ -182,7 +182,7 @@ describe('Create rule route', () => {
     });
     const defaultAction = getResponseAction();
 
-    test('is successful', async () => {
+    test('is successful in query rule', async () => {
       const request = requestMock.create({
         method: 'post',
         path: DETECTION_ENGINE_RULES_URL,
@@ -196,6 +196,33 @@ describe('Create rule route', () => {
       expect(response.status).toEqual(200);
     });
 
+    test('is successful in esql rule', async () => {
+      const request = requestMock.create({
+        method: 'post',
+        path: DETECTION_ENGINE_RULES_URL,
+        body: {
+          ...getCreateEsqlRulesSchemaMock('rule-2'),
+          response_actions: [defaultAction],
+        },
+      });
+
+      const response = await server.inject(request, requestContextMock.convertContext(context));
+      expect(response.status).toEqual(200);
+    });
+    test('is successful in eql rule', async () => {
+      const request = requestMock.create({
+        method: 'post',
+        path: DETECTION_ENGINE_RULES_URL,
+        body: {
+          ...getCreateEqlRuleSchemaMock('rule-3'),
+          response_actions: [defaultAction],
+        },
+      });
+
+      const response = await server.inject(request, requestContextMock.convertContext(context));
+      expect(response.status).toEqual(200);
+    });
+
     test('fails when isolate rbac is set to false', async () => {
       (context.securitySolution.getEndpointAuthz as jest.Mock).mockReturnValue(() => ({
         canIsolateHost: jest.fn().mockReturnValue(false),

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/update_rule/route.test.ts

@@ -189,7 +189,7 @@ describe('Update rule route', () => {
     });
     const defaultAction = getResponseAction();
 
-    test('is successful', async () => {
+    test('is successful for query rule', async () => {
       const request = requestMock.create({
         method: 'post',
         path: DETECTION_ENGINE_RULES_URL,
@@ -203,6 +203,34 @@ describe('Update rule route', () => {
       expect(response.status).toEqual(200);
     });
 
+    test('is successful for esql rule', async () => {
+      const request = requestMock.create({
+        method: 'post',
+        path: DETECTION_ENGINE_RULES_URL,
+        body: {
+          ...getCreateEsqlRulesSchemaMock('rule-2'),
+          response_actions: [defaultAction],
+        },
+      });
+
+      const response = await server.inject(request, requestContextMock.convertContext(context));
+      expect(response.status).toEqual(200);
+    });
+
+    test('is successful for eql rule', async () => {
+      const request = requestMock.create({
+        method: 'post',
+        path: DETECTION_ENGINE_RULES_URL,
+        body: {
+          ...getCreateEqlRuleSchemaMock('rule-3'),
+          response_actions: [defaultAction],
+        },
+      });
+
+      const response = await server.inject(request, requestContextMock.convertContext(context));
+      expect(response.status).toEqual(200);
+    });
+
     test('fails when isolate rbac is set to false', async () => {
       (context.securitySolution.getEndpointAuthz as jest.Mock).mockReturnValue(() => ({
         canIsolateHost: jest.fn().mockReturnValue(false),

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { transformAlertToRuleResponseAction } from '../../../../../../../common/detection_engine/transform_actions';
 import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters';
 import type { BaseRuleParams } from '../../../../rule_schema';
 import { migrateLegacyInvestigationFields } from '../../../utils/utils';
@@ -43,5 +44,6 @@ export const commonParamsCamelToSnake = (params: BaseRuleParams) => {
     related_integrations: params.relatedIntegrations ?? [],
     required_fields: params.requiredFields ?? [],
     setup: params.setup ?? '',
+    response_actions: params.responseActions?.map(transformAlertToRuleResponseAction),
   };
 };

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts

@@ -93,6 +93,9 @@ export const convertRuleResponseToAlertingRule = (
       note: rule.note,
       version: rule.version,
       exceptionsList: rule.exceptions_list,
+      responseActions: params.response_actions?.map((rule) =>
+        transformRuleToAlertResponseAction(rule)
+      ),
       ...typeSpecificParams,
     },
     schedule: { interval: rule.interval },
@@ -157,9 +160,7 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific
         query: params.query ?? '',
         filters: params.filters,
         savedId: params.saved_id,
-        responseActions: params.response_actions?.map((rule) =>
-          transformRuleToAlertResponseAction(rule)
-        ),
+
         alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression),
       };
     }
@@ -172,9 +173,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific
         filters: params.filters,
         savedId: params.saved_id,
         dataViewId: params.data_view_id,
-        responseActions: params.response_actions?.map((rule) =>
-          transformRuleToAlertResponseAction(rule)
-        ),
         alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression),
       };
     }