[Security Solution][Detections][Threshold Rules] Threshold multiple a…

…ggregations with cardinality (#90826) (#91792)

* Remove unnecessary spreads

* Layout, round 1

* Revert "Layout, round 1"

This reverts commit b73b34a.

* Make threshold field an array

* Add cardinality fields

* Fix validation schema

* Query for multi-aggs

* Finish multi-agg aggregation

* Translate to multi-agg buckets

* Fix existing tests and add new test skeletons

* clean up

* Fix types

* Fix threshold_result data structure

* previous signals filter

* Fix previous signal detection

* Finish previous signal parsing

* tying up loose ends

* Fix timeline view for multi-agg threshold signals

* Fix build_bulk_body tests

* test fixes

* Add test for threshold bucket filters

* Address comments

* Fixing schema errors

* Remove unnecessary comment

* Fix tests

* Fix types

* linting

* linting

* Fixes

* Handle pre-7.12 threshold format in timeline view

* missing null check

* adding in follow-up pr

* Handle pre-7.12 filters

* unnecessary change

* Revert "unnecessary change"

This reverts commit 3edc7f2.

* linting

* Fix rule schemas

* Fix tests

Co-authored-by: Marshall Main <[email protected]>

Co-authored-by: Marshall Main <[email protected]>

x-pack/plugins/osquery/common/ecs/rule/index.ts

@@ -28,7 +28,7 @@ export interface RuleEcs {
   tags?: string[];
   threat?: unknown;
   threshold?: {
-    field: string;
+    field: string | string[];
     value: number;
   };
   type?: string[];

x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts

@@ -459,12 +459,21 @@ export type Threats = t.TypeOf<typeof threats>;
 export const threatsOrUndefined = t.union([threats, t.undefined]);
 export type ThreatsOrUndefined = t.TypeOf<typeof threatsOrUndefined>;
 
-export const threshold = t.exact(
-  t.type({
-    field: t.string,
-    value: PositiveIntegerGreaterThanZero,
-  })
-);
+export const threshold = t.intersection([
+  t.exact(
+    t.type({
+      field: t.union([t.string, t.array(t.string)]),
+      value: PositiveIntegerGreaterThanZero,
+    })
+  ),
+  t.exact(
+    t.partial({
+      cardinality_field: t.union([t.string, t.array(t.string), t.undefined, t.null]),
+      cardinality_value: t.union([PositiveInteger, t.undefined, t.null]), // TODO: cardinality_value should be set if cardinality_field is set
+    })
+  ),
+]);
+// TODO: codec to transform threshold field string to string[] ?
 export type Threshold = t.TypeOf<typeof threshold>;
 
 export const thresholdOrUndefined = t.union([threshold, t.undefined]);

x-pack/plugins/security_solution/common/ecs/rule/index.ts

@@ -27,10 +27,7 @@ export interface RuleEcs {
   severity?: string[];
   tags?: string[];
   threat?: unknown;
-  threshold?: {
-    field: string;
-    value: number;
-  };
+  threshold?: unknown;
   type?: string[];
   size?: string[];
   to?: string[];

x-pack/plugins/security_solution/common/ecs/signal/index.ts

@@ -14,4 +14,5 @@ export interface SignalEcs {
   group?: {
     id?: string[];
   };
+  threshold_result?: unknown;
 }

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/index.ts

@@ -36,7 +36,14 @@ export interface MatrixHistogramRequestOptions extends RequestBasicOptions {
   timerange: TimerangeInput;
   histogramType: MatrixHistogramType;
   stackByField: string;
-  threshold?: { field: string | undefined; value: number } | undefined;
+  threshold?:
+    | {
+        field: string | string[] | undefined;
+        value: number;
+        cardinality_field?: string | undefined;
+        cardinality_value?: number | undefined;
+      }
+    | undefined;
   inspect?: Maybe<Inspect>;
   isPtrIncluded?: boolean;
 }