[Security Solution][Detections] Hide building block rules in "Securit…

…y/Overview" (#105611) (#115521)

* Hide building block rules in "Security/Overview"

* Add Cypress tests for alerts generated by building block rules

Co-authored-by: Dmitry Shevchenko <[email protected]>

Co-authored-by: Georgii Gorbachev <[email protected]>
Co-authored-by: Dmitry Shevchenko <[email protected]>

x-pack/plugins/security_solution/cypress/integration/detection_alerts/building_block_alerts.spec.ts

@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getBuildingBlockRule } from '../../objects/rule';
+import { OVERVIEW_ALERTS_HISTOGRAM } from '../../screens/overview';
+import { OVERVIEW } from '../../screens/security_header';
+import { goToRuleDetails } from '../../tasks/alerts_detection_rules';
+import { createCustomRuleActivated } from '../../tasks/api_calls/rules';
+import { cleanKibana } from '../../tasks/common';
+import { waitForAlertsToPopulate, waitForTheRuleToBeExecuted } from '../../tasks/create_new_rule';
+import { loginAndWaitForPage } from '../../tasks/login';
+import { navigateFromHeaderTo } from '../../tasks/security_header';
+import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';
+
+const EXPECTED_NUMBER_OF_ALERTS = 16;
+
+describe('Alerts generated by building block rules', () => {
+  beforeEach(() => {
+    cleanKibana();
+  });
+
+  it('Alerts should be visible on the Rule Detail page and not visible on the Overview page', () => {
+    createCustomRuleActivated(getBuildingBlockRule());
+    loginAndWaitForPage(DETECTIONS_RULE_MANAGEMENT_URL);
+    goToRuleDetails();
+    waitForTheRuleToBeExecuted();
+
+    // Check that generated events are visible on the Details page
+    waitForAlertsToPopulate(EXPECTED_NUMBER_OF_ALERTS);
+
+    navigateFromHeaderTo(OVERVIEW);
+
+    // Check that generated events are hidden on the Overview page
+    cy.get(OVERVIEW_ALERTS_HISTOGRAM).should('contain.text', 'No data to display');
+  });
+});

x-pack/plugins/security_solution/cypress/objects/rule.ts

@@ -58,6 +58,7 @@ export interface CustomRule {
   lookBack: Interval;
   timeline: CompleteTimeline;
   maxSignals: number;
+  buildingBlockType?: string;
 }
 
 export interface ThresholdRule extends CustomRule {
@@ -188,6 +189,25 @@ export const getNewRule = (): CustomRule => ({
   maxSignals: 100,
 });
 
+export const getBuildingBlockRule = (): CustomRule => ({
+  customQuery: 'host.name: *',
+  index: getIndexPatterns(),
+  name: 'Building Block Rule Test',
+  description: 'The new rule description.',
+  severity: 'High',
+  riskScore: '17',
+  tags: ['test', 'newRule'],
+  referenceUrls: ['http://example.com/', 'https://example.com/'],
+  falsePositivesExamples: ['False1', 'False2'],
+  mitre: [getMitre1(), getMitre2()],
+  note: '# test markdown',
+  runsEvery: getRunsEvery(),
+  lookBack: getLookBack(),
+  timeline: getTimeline(),
+  maxSignals: 100,
+  buildingBlockType: 'default',
+});
+
 export const getUnmappedRule = (): CustomRule => ({
   customQuery: '*:*',
   index: ['unmapped*'],

x-pack/plugins/security_solution/cypress/screens/overview.ts

@@ -166,3 +166,5 @@ export const OVERVIEW_RISKY_HOSTS_VIEW_DASHBOARD_BUTTON =
 export const OVERVIEW_RISKY_HOSTS_TOTAL_EVENT_COUNT = `${OVERVIEW_RISKY_HOSTS_LINKS} [data-test-subj="header-panel-subtitle"]`;
 export const OVERVIEW_RISKY_HOSTS_ENABLE_MODULE_BUTTON =
   '[data-test-subj="risky-hosts-enable-module-button"]';
+
+export const OVERVIEW_ALERTS_HISTOGRAM = '[data-test-subj="alerts-histogram-panel"]';

x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts

@@ -114,6 +114,7 @@ export const createCustomRuleActivated = (
       enabled: true,
       tags: ['rule1'],
       max_signals: maxSignals,
+      building_block_type: rule.buildingBlockType,
     },
     headers: { 'kbn-xsrf': 'cypress-creds' },
     failOnStatusCode: false,

x-pack/plugins/security_solution/public/overview/components/signals_by_category/index.tsx

@@ -7,19 +7,24 @@
 
 import React, { useCallback } from 'react';
 import { useDispatch } from 'react-redux';
+import { Filter, Query } from '@kbn/es-query';
 
 import { AlertsHistogramPanel } from '../../../detections/components/alerts_kpis/alerts_histogram_panel';
 import { useSignalIndex } from '../../../detections/containers/detection_engine/alerts/use_signal_index';
 import { setAbsoluteRangeDatePicker } from '../../../common/store/inputs/actions';
-import { Filter, Query } from '../../../../../../../src/plugins/data/public';
+
 import { InputsModelId } from '../../../common/store/inputs/constants';
-import * as i18n from '../../pages/translations';
 import { UpdateDateRange } from '../../../common/components/charts/common';
+
 import { AlertsStackByField } from '../../../detections/components/alerts_kpis/common/types';
 
+import * as i18n from '../../pages/translations';
+
+import { useFiltersForSignalsByCategory } from './use_filters_for_signals_by_category';
+
 interface Props {
   combinedQueries?: string;
-  filters?: Filter[];
+  filters: Filter[];
   headerChildren?: React.ReactNode;
   /** Override all defaults, and only display this field */
   onlyField?: AlertsStackByField;
@@ -43,6 +48,8 @@ const SignalsByCategoryComponent: React.FC<Props> = ({
 }) => {
   const dispatch = useDispatch();
   const { signalIndexName } = useSignalIndex();
+  const filtersForSignalsByCategory = useFiltersForSignalsByCategory(filters);
+
   const updateDateRangeCallback = useCallback<UpdateDateRange>(
     ({ x }) => {
       if (!x) {
@@ -63,7 +70,7 @@ const SignalsByCategoryComponent: React.FC<Props> = ({
   return (
     <AlertsHistogramPanel
       combinedQueries={combinedQueries}
-      filters={filters}
+      filters={filtersForSignalsByCategory}
       headerChildren={headerChildren}
       legendPosition={'right'}
       onlyField={onlyField}

x-pack/plugins/security_solution/public/overview/components/signals_by_category/use_filters_for_signals_by_category.ts

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMemo } from 'react';
+import { Filter } from '@kbn/es-query';
+
+import { useIsExperimentalFeatureEnabled } from '../../../common/hooks/use_experimental_features';
+import {
+  buildShowBuildingBlockFilter,
+  buildShowBuildingBlockFilterRuleRegistry,
+} from '../../../detections/components/alerts_table/default_config';
+
+// On the Overview page, in the Detection Alert Trend, we never show
+// "building block" alerts to remove noise from the Overview UI.
+// https://www.elastic.co/guide/en/security/current/building-block-rule.html
+const SHOW_BUILDING_BLOCK_ALERTS = false;
+
+export const useFiltersForSignalsByCategory = (baseFilters: Filter[]) => {
+  // TODO: Once we are past experimental phase this code should be removed
+  const ruleRegistryEnabled = useIsExperimentalFeatureEnabled('ruleRegistryEnabled');
+
+  const resultingFilters = useMemo(
+    () => [
+      ...baseFilters,
+      ...(ruleRegistryEnabled
+        ? buildShowBuildingBlockFilterRuleRegistry(SHOW_BUILDING_BLOCK_ALERTS) // TODO: Once we are past experimental phase this code should be removed
+        : buildShowBuildingBlockFilter(SHOW_BUILDING_BLOCK_ALERTS)),
+    ],
+    [baseFilters, ruleRegistryEnabled]
+  );
+
+  return resultingFilters;
+};