
[Security Solution][Exceptions] - Add exception flyout #131668

Closed
9 tasks
Tracked by #131674
yctercero opened this issue May 5, 2022 · 3 comments
Labels: 8.4 candidate; Feature:Rule Exceptions (Security Solution Detection Rule Exceptions area); Team:Security Solution Platform (Security Solution Platform Team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)

Comments


yctercero commented May 5, 2022

Use cases

  • As a detection engineer or analyst I want to be able to add one or more rule exceptions to a single rule.
  • As a detection engineer or analyst I want to be able to add one or more rule exceptions to a shared list.

To Do

  • User can name their exception
  • User can add entries (like our existing UI)
  • User can assign exception item to default rule list
  • User can assign exception to shared exception lists
    • If rule does not have any shared exception lists assigned, option to add to shared list is disabled
  • User can add comment
  • User can select to bulk close alerts (if conditions met)

Design

Check figma for latest design.

[Screenshot: flyout design, 2022-10-10]

Initial strategy

  • The existing flyout can be used and will just need to be modified in order to add the functionality of assigning to multiple rules and allowing the user to add a name
  • All necessary APIs exist
@botelastic botelastic bot added the needs-team Issues missing a team label label May 5, 2022

yctercero commented May 5, 2022

@jethr0null @yiyangliu9286

For my own curiosity - when would a user want to have the ability to assign an exception item to multiple lists, vs assign to multiple rules? Let's say there's a false positive I want applied to all my rules, wouldn't I have some sort of global exceptions list I use to then assign to all my rules vs thinking of it as a single exception item that needs to be applied to all rules? I was working off of old designs!

Also, items can already have tags, do we want to expose that option to users? I could see us leveraging tags to then do the kind of bulk editing that you were talking about @jethr0null

@yctercero yctercero self-assigned this May 5, 2022
@yctercero yctercero added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Exceptions Security Solution Detection Rule Exceptions area Team:Security Solution Platform Security Solution Platform Team 8.4 candidate and removed needs-team Issues missing a team label labels May 5, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@yctercero (Contributor, Author)

Hey! I've started on this ticket and am hitting some edge cases I'd love some input on:

  • If user is creating an exception item for a list that has yet to be assigned to a rule - do we allow them to continue adding exceptions, just there's no autocomplete and a warning letting them know?
    • This wasn't a use case prior because you could only access this flow from a rule, as opposed to here, where a user can access this from the all exceptions view
  • If user accesses this flow from the all exceptions view, and say the list is assigned to 10 rules - do we then populate the exception options using all fields from all 10 rule indices?

cc: @peluja1012 @jethr0null @yiyangliu9286
