Add wiring for security detection rules

Author: sdesalas

x-pack/platform/plugins/shared/alerting/server/application/rule/methods/bulk_create/bulk_create_rules.ts

@@ -418,7 +418,6 @@ async function runBatch<Params extends RuleParams>({
     })
   );
 
-  const createTime = Date.now();
   let bulkResponse;
   try {
     bulkResponse = await withSpan(
@@ -456,6 +455,7 @@ async function runBatch<Params extends RuleParams>({
   // Phase B4 per-row outcomes.
   const batchSuccessfulIds: string[] = [];
   const taskIdsToCleanUp: string[] = [];
+  const createTime = Date.now();
   const successfulSavedObjects: Array<SavedObject<RawRule>> = [];
   let perRowFailureOccurred = false;
 

x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts

@@ -22,6 +22,16 @@ export const allowedExperimentalValues = Object.freeze({
    */
   previewTelemetryUrlEnabled: false,
 
+  /**
+   * When enabled, prebuilt rule installation (POST .../prebuilt_rules/installation/_perform)
+   * and rule import (POST .../rules/_import) use the new alerting `rulesClient.bulkCreateRules`
+   * path, which handles both disabled and enabled rules (API key minting + task scheduling)
+   * in a single bulk call instead of the per-rule create loop.
+   *
+   * Release: TBD
+   */
+  bulkCreateRulesEnabled: false,
+
   /**
    * Enables extended rule execution logging to Event Log. When this setting is enabled:
    * - Rules write their console error, info, debug, and trace messages to Event Log,

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_installation/perform_rule_installation_handler.ts

@@ -109,31 +109,40 @@ export const performRuleInstallationHandler = async (
       );
       ruleInstallQueue.push(...(await excludeLicenseRestrictedRules(allInstallableRules, mlAuthz)));
     }
-
     const changeTracking = {
       metadata: {
         bulkCount: ruleInstallQueue.length,
       },
     };
 
-    const BATCH_SIZE = 100;
-    while (ruleInstallQueue.length > 0) {
-      const rulesToInstall = ruleInstallQueue.splice(0, BATCH_SIZE);
-      const ruleAssets = await ruleAssetsClient.fetchAssetsByVersion(rulesToInstall);
-
-      const { results, errors } = await createPrebuiltRules(
-        detectionRulesClient,
-        ruleAssets,
-        changeTracking,
-        logger
-      );
-
-      const batchInstalledRules = results.map(({ result: rule }) =>
-        pick(rule, ['id', 'rule_id', 'version'])
+    const { bulkCreateRulesEnabled } = ctx.securitySolution.getConfig().experimentalFeatures;
+    if (bulkCreateRulesEnabled) {
+      const ruleAssets = await ruleAssetsClient.fetchAssetsByVersion(ruleInstallQueue);
+      const { results, errors } = await detectionRulesClient.bulkCreatePrebuiltRules({
+        rules: ruleAssets,
+      });
+      installedRules.push(
+        ...results.map(({ result: rule }) => pick(rule, ['id', 'rule_id', 'version']))
       );
-
-      installedRules.push(...batchInstalledRules);
       ruleErrors.push(...errors);
+    } else {
+      const BATCH_SIZE = 100;
+      while (ruleInstallQueue.length > 0) {
+        const rulesToInstall = ruleInstallQueue.splice(0, BATCH_SIZE);
+        const ruleAssets = await ruleAssetsClient.fetchAssetsByVersion(rulesToInstall);
+
+        const { results, errors } = await createPrebuiltRules(
+          detectionRulesClient,
+          ruleAssets,
+          changeTracking,
+          logger
+        );
+
+        installedRules.push(
+          ...results.map(({ result: rule }) => pick(rule, ['id', 'rule_id', 'version']))
+        );
+        ruleErrors.push(...errors);
+      }
     }
 
     const { error: timelineInstallationError } = await performTimelinesInstallation(

…n_engine/rule_management/api/timeouts.ts …_engine/rule_management/api/constants.tsx-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/timeouts.ts renamed to x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/constants.ts x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/timeouts.ts renamed to x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/constants.ts

@@ -13,3 +13,6 @@ export const RULE_MANAGEMENT_BULK_ACTION_SOCKET_TIMEOUT_MS = 3600000 as const;
  * 1 hour = 3600000 ms = 60 minutes * 60 seconds * 1000 ms
  */
 export const RULE_MANAGEMENT_IMPORT_EXPORT_SOCKET_TIMEOUT_MS = 3600000 as const;
+
+/** Cap concurrent rule imports at 1 to bound heap; mirrors PREBUILT_RULES_OPERATION_CONCURRENCY. */
+export const RULE_MANAGEMENT_IMPORT_CONCURRENCY = 1;

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts

@@ -44,7 +44,7 @@ import {
   validateBulkDuplicateRule,
 } from '../../../logic/bulk_actions/validations';
 import { getExportByObjectIds } from '../../../logic/export/get_export_by_object_ids';
-import { RULE_MANAGEMENT_BULK_ACTION_SOCKET_TIMEOUT_MS } from '../../timeouts';
+import { RULE_MANAGEMENT_BULK_ACTION_SOCKET_TIMEOUT_MS } from '../../constants';
 import type { BulkActionError } from './bulk_actions_response';
 import { buildBulkResponse } from './bulk_actions_response';
 import { bulkEnableDisableRules } from './bulk_enable_disable_rules';

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/export_rules/route.ts

@@ -20,7 +20,7 @@ import { getRulesCount } from '../../../logic/search/get_existing_prepackaged_ru
 import { getExportByObjectIds } from '../../../logic/export/get_export_by_object_ids';
 import { getExportAll } from '../../../logic/export/get_export_all';
 import { buildSiemResponse } from '../../../../routes/utils';
-import { RULE_MANAGEMENT_IMPORT_EXPORT_SOCKET_TIMEOUT_MS } from '../../timeouts';
+import { RULE_MANAGEMENT_IMPORT_EXPORT_SOCKET_TIMEOUT_MS } from '../../constants';
 
 export const exportRulesRoute = (
   router: SecuritySolutionPluginRouter,

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/import_rules/route.ts

@@ -39,7 +39,11 @@ import {
   getTupleDuplicateErrorsAndUniqueRules,
   migrateLegacyActionsIds,
 } from '../../../utils/utils';
-import { RULE_MANAGEMENT_IMPORT_EXPORT_SOCKET_TIMEOUT_MS } from '../../timeouts';
+import {
+  RULE_MANAGEMENT_IMPORT_CONCURRENCY,
+  RULE_MANAGEMENT_IMPORT_EXPORT_SOCKET_TIMEOUT_MS,
+} from '../../constants';
+import { routeLimitedConcurrencyTag } from '../../../../../../utils/route_limited_concurrency_tag';
 import { createPrebuiltRuleObjectsClient } from '../../../../prebuilt_rules/logic/rule_objects/prebuilt_rule_objects_client';
 
 const CHUNK_PARSED_OBJECT_SIZE = 50;
@@ -63,6 +67,7 @@ export const importRulesRoute = (
           maxBytes: config.maxRuleImportPayloadBytes,
           output: 'stream',
         },
+        tags: [routeLimitedConcurrencyTag(RULE_MANAGEMENT_IMPORT_CONCURRENCY)],
         timeout: {
           idleSocket: RULE_MANAGEMENT_IMPORT_EXPORT_SOCKET_TIMEOUT_MS,
         },
@@ -187,6 +192,7 @@ export const importRulesRoute = (
                 ctx.securitySolution.getCheckOsqueryResponseActionAuthz(),
             });
 
+          const experimentalFeatures = ctx.securitySolution.getConfig().experimentalFeatures;
           const ruleChunks = chunk(CHUNK_PARSED_OBJECT_SIZE, validatedResponseActionsRules);
 
           const importRuleResponse = await importRules({
@@ -200,6 +206,7 @@ export const importRulesRoute = (
             allowMissingConnectorSecrets: !!actionConnectors.length,
             ruleSourceImporter,
             detectionRulesClient,
+            experimentalFeatures,
           });
 
           const parseErrors = parsedRuleErrors.map((error) =>

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/__mocks__/detection_rules_client.ts

@@ -13,6 +13,7 @@ const createDetectionRulesClientMock = () => {
   const mocked: DetectionRulesClientMock = {
     createCustomRule: jest.fn(),
     createPrebuiltRule: jest.fn(),
+    bulkCreatePrebuiltRules: jest.fn().mockResolvedValue({ results: [], errors: [] }),
     updateRule: jest.fn(),
     patchRule: jest.fn(),
     deleteRule: jest.fn(),
@@ -21,6 +22,7 @@ const createDetectionRulesClientMock = () => {
     revertPrebuiltRule: jest.fn(),
     importRule: jest.fn(),
     importRules: jest.fn(),
+    bulkImportRules: jest.fn().mockResolvedValue({ responses: [] }),
     getRuleCustomizationStatus: jest.fn(),
     getHistoryForRule: jest.fn(),
   };

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.bulk_create_prebuilt_rules.test.ts

@@ -0,0 +1,163 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { rulesClientMock } from '@kbn/alerting-plugin/server/mocks';
+import type { ActionsClient } from '@kbn/actions-plugin/server';
+import { savedObjectsClientMock } from '@kbn/core/server/mocks';
+import { licenseMock } from '@kbn/licensing-plugin/common/licensing.mock';
+
+import { SecurityRuleChangeTrackingAction } from '../../../../../../common/detection_engine/rule_management/rule_change_tracking';
+import { getCreateRulesSchemaMock } from '../../../../../../common/api/detection_engine/model/rule_schema/mocks';
+import { buildMlAuthz } from '../../../../machine_learning/authz';
+import { throwAuthzError } from '../../../../machine_learning/validation';
+import { createDetectionRulesClient } from './detection_rules_client';
+import type { IDetectionRulesClient } from './detection_rules_client_interface';
+import { createProductFeaturesServiceMock } from '../../../../product_features_service/mocks';
+import { getMockRulesAuthz } from '../../__mocks__/authz';
+
+jest.mock('../../../../machine_learning/authz');
+jest.mock('../../../../machine_learning/validation');
+
+describe('DetectionRulesClient.bulkCreatePrebuiltRules', () => {
+  let rulesClient: ReturnType<typeof rulesClientMock.create>;
+  let detectionRulesClient: IDetectionRulesClient;
+
+  const mlAuthz = (buildMlAuthz as jest.Mock)();
+  const rulesAuthz = getMockRulesAuthz();
+  const actionsClient: jest.Mocked<ActionsClient> = {
+    isSystemAction: jest.fn(),
+  } as unknown as jest.Mocked<ActionsClient>;
+
+  beforeEach(() => {
+    rulesClient = rulesClientMock.create();
+    (throwAuthzError as jest.Mock).mockReset();
+    detectionRulesClient = createDetectionRulesClient({
+      actionsClient,
+      rulesClient,
+      mlAuthz,
+      rulesAuthz,
+      savedObjectsClient: savedObjectsClientMock.create(),
+      license: licenseMock.createLicenseMock(),
+      productFeaturesService: createProductFeaturesServiceMock(),
+    });
+  });
+
+  it('issues a single bulkCreateRules call with disabled, immutable rules and emits { id, rule_id, version } pairs', async () => {
+    const asset1 = { ...getCreateRulesSchemaMock(), version: 1, rule_id: 'rule-1' };
+    const asset2 = { ...getCreateRulesSchemaMock(), version: 2, rule_id: 'rule-2' };
+
+    rulesClient.bulkCreateRules.mockImplementationOnce(async (args) => {
+      const ids = args.rules.map((r) => (r.options as { id: string }).id);
+      return { successfulIds: ids, errors: [], total: ids.length };
+    });
+
+    const { results, errors } = await detectionRulesClient.bulkCreatePrebuiltRules({
+      rules: [asset1, asset2],
+    });
+
+    expect(rulesClient.bulkCreateRules).toHaveBeenCalledTimes(1);
+    const callArgs = rulesClient.bulkCreateRules.mock.calls[0][0];
+    expect(callArgs.rules).toHaveLength(2);
+    expect(callArgs.rules.every((r) => r.data.enabled === false)).toBe(true);
+    expect(callArgs.rules.every((r) => r.data.params.immutable === true)).toBe(true);
+    expect(errors).toEqual([]);
+    expect(results).toHaveLength(2);
+    const callIds = callArgs.rules.map((r) => (r.options as { id: string }).id);
+    expect(results[0].result).toEqual({ id: callIds[0], rule_id: 'rule-1', version: 1 });
+    expect(results[1].result).toEqual({ id: callIds[1], rule_id: 'rule-2', version: 2 });
+  });
+
+  it('issues a single bulkCreateRules call regardless of input size (alerting batches internally)', async () => {
+    const assets = Array.from({ length: 250 }, (_, i) => ({
+      ...getCreateRulesSchemaMock(),
+      version: 1,
+      rule_id: `rule-${i}`,
+    }));
+
+    rulesClient.bulkCreateRules.mockImplementationOnce(async (args) => ({
+      successfulIds: args.rules.map((r) => (r.options as { id: string }).id),
+      errors: [],
+      total: args.rules.length,
+    }));
+
+    const { results, errors } = await detectionRulesClient.bulkCreatePrebuiltRules({
+      rules: assets,
+    });
+
+    expect(rulesClient.bulkCreateRules).toHaveBeenCalledTimes(1);
+    expect(results).toHaveLength(250);
+    expect(errors).toEqual([]);
+  });
+
+  it('reports per-rule errors from the alerting layer', async () => {
+    const asset = { ...getCreateRulesSchemaMock(), version: 1, rule_id: 'rule-1' };
+
+    rulesClient.bulkCreateRules.mockImplementationOnce(async (args) => {
+      const id = (args.rules[0].options as { id: string }).id;
+      return {
+        successfulIds: [],
+        errors: [{ message: 'boom', status: 500, rule: { id, name: asset.name } }],
+        total: 1,
+      };
+    });
+
+    const { results, errors } = await detectionRulesClient.bulkCreatePrebuiltRules({
+      rules: [asset],
+    });
+
+    expect(results).toEqual([]);
+    expect(errors).toHaveLength(1);
+    expect(errors[0].item).toBe(asset);
+    expect(errors[0].error.message).toBe('boom');
+  });
+
+  it('returns ML-auth failures as per-rule errors without calling bulkCreateRules', async () => {
+    const asset = { ...getCreateRulesSchemaMock(), version: 1, rule_id: 'rule-1' };
+    (throwAuthzError as jest.Mock).mockImplementation(() => {
+      throw new Error('ML auth denied');
+    });
+
+    const { results, errors } = await detectionRulesClient.bulkCreatePrebuiltRules({
+      rules: [asset],
+    });
+
+    expect(rulesClient.bulkCreateRules).not.toHaveBeenCalled();
+    expect(results).toEqual([]);
+    expect(errors[0].error.message).toBe('ML auth denied');
+  });
+
+  it('returns empty result for empty input', async () => {
+    const result = await detectionRulesClient.bulkCreatePrebuiltRules({ rules: [] });
+    expect(result).toEqual({ results: [], errors: [] });
+    expect(rulesClient.bulkCreateRules).not.toHaveBeenCalled();
+  });
+
+  it('forwards ruleInstall action and rules.length as bulkCount to rulesClient.bulkCreateRules', async () => {
+    const assets = Array.from({ length: 3 }, (_, i) => ({
+      ...getCreateRulesSchemaMock(),
+      version: 1,
+      rule_id: `rule-${i}`,
+    }));
+
+    rulesClient.bulkCreateRules.mockResolvedValueOnce({
+      successfulIds: [],
+      errors: [],
+      total: 0,
+    });
+
+    await detectionRulesClient.bulkCreatePrebuiltRules({ rules: assets });
+
+    expect(rulesClient.bulkCreateRules).toHaveBeenCalledWith(
+      expect.objectContaining({
+        changeTracking: {
+          action: SecurityRuleChangeTrackingAction.ruleInstall,
+          metadata: { bulkCount: assets.length },
+        },
+      })
+    );
+  });
+});