[Security Solution][Exceptions] - Update add/edit exception flyouts

[yctercero]

Summary

Addresses #131668, #131671, #143014, #143015.

Updates the exception item add/edit flyout to match new designs and flows. While this can only be tested in our current UI from the rule details page, alerts, alert details flyout, it's been built out for the other cases where it will be used - rule bulk actions and exception list management.

To Do

• Some of the hooks need unit tests
• Update to use the components from the exception package, to start deleting them from the rule_exceptions/components
• Add back in 2 error states - when version conflict (not super common) and list does not exist and user needs to remove association from rule, again, shouldn't be super common error

Breaking down the changes

• packages/kbn-securitysolution-autocomplete/
  • Updates the field combo box to allow user to input a custom option, no longer restricted to selecting a prefilled value
  • There is a boolean added, that is set to default false, so this custom option functionality is optional
• x-pack/plugins/lists/public/exceptions/components/builder/
  • Update UI to show text under field combo box if it accepts a custom option to let user know that this is the case
  • Updates the builder to take an exception item name from user input
• x-pack/plugins/security_solution/cypress/e2e/exceptions/
  • Updates and adds cypress tests related to adding/editing exceptions from the different existing flows
• x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/components/add_exception_flyout/
  • Update the add exception flyout to use the new components added in PR
  • Tried to move out submission logic into hook to clean things up a bit
• x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/components/edit_exception_flyout/
  • Update the add exception flyout to use the new components added in PR
  • Tried to move out submission logic into hook to clean things up a bit
• x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/components/all_exception_items_table/
  • Updates the all items view to take in an array of listTypes since now the table isn't just endpoint exceptions or detection exceptions, it can include rule_default list type
• x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/components/exception_item_card
  • Now includes affected rules and affected lists link in the card, so it's easier to tell which items are rule only vs shared list
• x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/logic/
  • Updated the hooks to try and simplify them and separate concerns a bit
  • TODO: these need updated tests
• x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/logic/use_exception_flyout_data.tsx
  • New hook to try and manage the logic around the add/edit exception flyout indices
    • If a single rule is passed into the flyout, it uses the data_view_id if one is defined or the index to fetch the fields
    • If multiple rules are passed in, it defaults to using the default security data view (right now there's no UI supporting this use case, but it would be part of the bulk rule action flow)
    • If no rules are passed in, it defaults to using the default security data view (right now there's no UI supporting this use case, but it would be part of the create exception item from the list management flow)
• x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/
  • Updates logic around adding exception from alert and alert detail flyout to fit with new add exception modal

Existing questions

• When add modal is dealing with multiple rules (bulk action or when adding an exception from the list management page where you can choose what rules to add the exception to) - should large value lists be allowed with some sort of warning text that any rules of type x, y, z will ignore any exceptions of type list?
  • In this PR, I am allowing large value lists unless a single rule is passed in where we can be sure of whether large value lists are supported by it

Addresses

#127696, #99597, #117289, #99022, #135254, #102460, #116586

Screenshots

Shows exception item that is part of a shared list

Add endpoint exception

Edit endpoint exception

Add rule exception

Edit rule exception

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[maximpn]

@yctercero Rules area LGTM

[dhurley14]

@elasticmachine merge upstream

[dhurley14]

this is excellent! a few comments for us to look at down the line. LGTM!

[dhurley14]

nit: might be possible to remove this if statement and either conditionally pass the props or conditionally modify a props object.

[dhurley14]

nit: could probably remove this commented out code.

[dhurley14]

good to know thanks for commenting this here.

[dhurley14]

This is not great that we have to make sure to remember data views supercede index patterns on rules. If we don't see customers using data views more then we should look into adding a boolean variable on the rule saying which data source to use.

[dhurley14]

better yet if we could encapsulate all this logic determining to select a data view vs an index pattern or if it's an ml rule use an empty array in another hook which could be used here...

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: e6a4c20

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	3170	3196	+26

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
lists	191.2KB	192.3KB	+1.1KB
securitySolution	9.3MB	10.0MB	⚠️ +662.6KB
total			+663.7KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	51.1KB	50.9KB	-191.0B

Unknown metric groups

API count

id	before	after	diff
@kbn/securitysolution-list-utils	192	194	+2

async chunk count

id	before	after	diff
securitySolution	39	36	-3

ESLint disabled in files

id	before	after	diff
securitySolution	73	72	-1

ESLint disabled line counts

id	before	after	diff
lists	13	18	+5

Total ESLint disabled count

id	before	after	diff
lists	18	23	+5
securitySolution	484	483	-1
total			+4

History

• 💔 Build #81476 failed 5a4452d
• 💔 Build #81451 failed 813fe8e
• 💚 Build #80767 succeeded 4b998a1
• 💛 Build #79595 was flaky 980403b
• 💔 Build #79580 failed fe11114

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @yctercero