[DO NOT MERGE][Security Solution][Attacks/Alerts] POC: Adhoc attacks

x-pack/platform/packages/shared/kbn-elastic-assistant-common/constants.ts

@@ -129,6 +129,12 @@ export const ATTACK_DISCOVERY_AD_HOC_RULE_TYPE_ID = 'attack_discovery_ad_hoc_rul
 export const ATTACK_DISCOVERY_ALERTS_COMMON_INDEX_PREFIX =
   '.alerts-security.attack.discovery.alerts' as const;
 
+/**
+ * The common prefix for ad hoc Attack discovery alerts indices
+ */
+export const ATTACK_DISCOVERY_ADHOC_ALERTS_COMMON_INDEX_PREFIX =
+  '.adhoc.alerts-security.attack.discovery.alerts' as const;
+
 /**
  * This feature flag disables the InferenceChatModel feature.
  *

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/common_attributes.gen.ts

@@ -276,6 +276,10 @@ export const FindAttackDiscoveryAlertsParams = lazySchema(() =>
      * filter by Attack discovery IDs
      */
     ids: z.array(z.string()).optional(),
+    /**
+     * If `true`, the response will ignore sharing permissions and return all attack discoveries matching other criteria regardless of who created them or if they are shared.
+     */
+    ignoreSharing: z.boolean().optional(),
     page: z.number().int().min(1).optional().default(1),
     perPage: z.number().int().min(0).optional().default(10),
     /**

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/common_attributes.schema.yaml

@@ -265,6 +265,9 @@ components:
           type: array
           items:
             type: string
+        ignoreSharing:
+          description: If `true`, the response will ignore sharing permissions and return all attack discoveries matching other criteria regardless of who created them or if they are shared.
+          type: boolean
         page:
           default: 1
           minimum: 1

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/routes/public/get/find_attack_discoveries_route.gen.ts

@@ -48,6 +48,10 @@ export const AttackDiscoveryFindRequestQuery = lazySchema(() =>
      * Filter results to the Attack discoveries with the specified IDs
      */
     ids: ArrayFromString(z.string()).optional(),
+    /**
+     * If `true`, the response will ignore sharing permissions and return all attack discoveries matching other criteria regardless of who created them or if they are shared.
+     */
+    ignore_sharing: BooleanFromString.optional(),
     /**
      * If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries
      */

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/routes/public/get/find_attack_discoveries_route.schema.yaml

@@ -58,6 +58,12 @@ paths:
             type: array
             items:
               type: string
+        - name: 'ignore_sharing'
+          description: If `true`, the response will ignore sharing permissions and return all attack discoveries matching other criteria regardless of who created them or if they are shared.
+          in: query
+          required: false
+          schema:
+            type: boolean
         - name: 'include_unique_alert_ids'
           description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries
           in: query

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/create_attack_discovery_alerts/index.test.ts

@@ -12,8 +12,11 @@ import { createAttackDiscoveryAlerts } from '.';
 import { mockAuthenticatedUser } from '../../../../__mocks__/mock_authenticated_user';
 import { mockCreateAttackDiscoveryAlertsParams } from '../../../../__mocks__/mock_create_attack_discovery_alerts_params';
 
+import { elasticsearchServiceMock } from '@kbn/core/server/mocks';
+
 const ADHOC_ALERTS_INDEX = 'mock-index' as const;
 const ruleDataClientMock = ruleRegistryMocks.createRuleDataClient(ADHOC_ALERTS_INDEX);
+const esClientMock = elasticsearchServiceMock.createClusterClient().asInternalUser;
 
 describe('createAttackDiscoveryAlerts', () => {
   const mockLogger = loggerMock.create();
@@ -36,6 +39,7 @@ describe('createAttackDiscoveryAlerts', () => {
       adhocAttackDiscoveryDataClient: ruleDataClientMock,
       authenticatedUser: mockAuthenticatedUser,
       createAttackDiscoveryAlertsParams: mockParams,
+      esClient: esClientMock,
       logger: mockLogger,
       spaceId,
     });
@@ -66,6 +70,7 @@ describe('createAttackDiscoveryAlerts', () => {
         adhocAttackDiscoveryDataClient: ruleDataClientMock,
         authenticatedUser: mockAuthenticatedUser,
         createAttackDiscoveryAlertsParams: mockCreateAttackDiscoveryAlertsParams,
+        esClient: esClientMock,
         logger: mockLogger,
         spaceId,
       })
@@ -99,6 +104,7 @@ describe('createAttackDiscoveryAlerts', () => {
         adhocAttackDiscoveryDataClient: ruleDataClientMock,
         authenticatedUser: mockAuthenticatedUser,
         createAttackDiscoveryAlertsParams: mockCreateAttackDiscoveryAlertsParams,
+        esClient: esClientMock,
         logger: mockLogger,
         spaceId,
       })
@@ -117,6 +123,7 @@ describe('createAttackDiscoveryAlerts', () => {
       adhocAttackDiscoveryDataClient: ruleDataClientMock,
       authenticatedUser: mockAuthenticatedUser,
       createAttackDiscoveryAlertsParams: mockCreateAttackDiscoveryAlertsParams,
+      esClient: esClientMock,
       logger: mockLogger,
       spaceId,
     });

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/create_attack_discovery_alerts/index.ts

@@ -5,11 +5,12 @@
  * 2.0.
  */
 
-import type { AuthenticatedUser, Logger } from '@kbn/core/server';
+import type { AuthenticatedUser, Logger, ElasticsearchClient } from '@kbn/core/server';
 import type {
   AttackDiscoveryApiAlert,
   CreateAttackDiscoveryAlertsParams,
 } from '@kbn/elastic-assistant-common';
+import { ALERT_ATTACK_DISCOVERY_ALERT_IDS } from '@kbn/elastic-assistant-common';
 import { ALERT_UUID } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import { v4 as uuidv4 } from 'uuid';
@@ -18,11 +19,13 @@ import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import { transformToAlertDocuments } from '../transforms/transform_to_alert_documents';
 import { getCreatedDocumentIds } from './get_created_document_ids';
 import { getCreatedAttackDiscoveryAlerts } from './get_created_attack_discovery_alerts';
+import { updateAlertsWithAttackIds } from '../../schedules/register_schedule/updateAlertsWithAttackIds';
 
 interface CreateAttackDiscoveryAlerts {
   adhocAttackDiscoveryDataClient: IRuleDataClient;
   authenticatedUser: AuthenticatedUser;
   createAttackDiscoveryAlertsParams: CreateAttackDiscoveryAlertsParams;
+  esClient: ElasticsearchClient;
   logger: Logger;
   spaceId: string;
 }
@@ -33,6 +36,7 @@ export const createAttackDiscoveryAlerts = async ({
   adhocAttackDiscoveryDataClient,
   authenticatedUser,
   createAttackDiscoveryAlertsParams,
+  esClient,
   logger,
   spaceId,
 }: CreateAttackDiscoveryAlerts): Promise<AttackDiscoveryApiAlert[]> => {
@@ -109,6 +113,25 @@ export const createAttackDiscoveryAlerts = async ({
       throw new Error(`Failed to bulk insert Attack discovery alerts ${allErrorDetails}`);
     }
 
+    const alertIdToAttackIdsMap: Record<string, string[]> = {};
+    for (const alertDocument of alertDocuments) {
+      const alertDocId = alertDocument[ALERT_UUID];
+      if (alertDocId) {
+        const underlyingAlertIds =
+          (alertDocument[ALERT_ATTACK_DISCOVERY_ALERT_IDS] as string[]) ?? [];
+        for (const alertId of underlyingAlertIds) {
+          alertIdToAttackIdsMap[alertId] = alertIdToAttackIdsMap[alertId] ?? [];
+          alertIdToAttackIdsMap[alertId].push(alertDocId);
+        }
+      }
+    }
+
+    await updateAlertsWithAttackIds({
+      esClient,
+      alertIdToAttackIdsMap,
+      spaceId,
+    });
+
     logger.debug(
       () =>
         `Created Attack discovery alerts in index ${attackDiscoveryAlertsIndex} with document ids: ${createdDocumentIds.join(

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/get_combined_filter/index.test.ts

@@ -150,6 +150,40 @@ describe('getCombinedFilter', () => {
   });
 
   describe('getCombinedFilter', () => {
+    describe('when ignoreSharing is true', () => {
+      it('returns only the additional filter when filter is defined', () => {
+        const authenticatedUser = {
+          username: 'test_user',
+          profile_uid: '123',
+        } as AuthenticatedUser;
+
+        const result = getCombinedFilter({
+          authenticatedUser,
+          filter: 'foo: "bar"',
+          shared: false,
+          ignoreSharing: true,
+        });
+
+        expect(result).toBe('foo: "bar"');
+      });
+
+      it('returns empty string when filter is undefined', () => {
+        const authenticatedUser = {
+          username: 'test_user',
+          profile_uid: '123',
+        } as AuthenticatedUser;
+
+        const result = getCombinedFilter({
+          authenticatedUser,
+          filter: undefined,
+          shared: false,
+          ignoreSharing: true,
+        });
+
+        expect(result).toBe('');
+      });
+    });
+
     describe('when shared is undefined', () => {
       const shared = undefined;
 

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/get_combined_filter/index.ts

@@ -20,6 +20,7 @@ interface GetFilterParams {
   authenticatedUser: AuthenticatedUser;
   filter?: string;
   shared?: boolean;
+  ignoreSharing?: boolean;
 }
 
 export const getSharedFilter = (shared?: boolean): string => {
@@ -63,7 +64,12 @@ export const getCombinedFilter = ({
   authenticatedUser,
   filter,
   shared,
+  ignoreSharing,
 }: GetFilterParams): string => {
+  if (ignoreSharing) {
+    return filter ?? '';
+  }
+
   const sharedFilter = getSharedFilter(shared);
   const userFilter = getUserFilter({ authenticatedUser, shared });
   const additionalFilter = getAdditionalFilter(filter);

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/index.ts

@@ -73,10 +73,12 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
     if (this.adhocAttackDiscoveryDataClient === undefined) {
       throw new Error('`adhocAttackDiscoveryDataClient` is required');
     }
+    const esClient = await this.options.elasticsearchClientPromise;
     return createAttackDiscoveryAlerts({
       adhocAttackDiscoveryDataClient: this.adhocAttackDiscoveryDataClient,
       authenticatedUser,
       createAttackDiscoveryAlertsParams,
+      esClient,
       logger: this.options.logger,
       spaceId: this.spaceId,
     });
@@ -138,6 +140,7 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
       authenticatedUser,
       filter,
       shared,
+      ignoreSharing: findAttackDiscoveryAlertsParams.ignoreSharing,
     });
 
     const result = await findDocuments<AttackDiscoveryAlertDocument>({

x-pack/solutions/security/plugins/elastic_assistant/server/routes/attack_discovery/public/get/find_attack_discoveries.ts

@@ -100,6 +100,7 @@ export const findAttackDiscoveriesRoute = (
               alertIds: query.alert_ids,
               includeUniqueAlertIds: query.include_unique_alert_ids ?? false,
               ids: query.ids,
+              ignoreSharing: query.ignore_sharing,
               search: query.search,
               shared: query.shared,
               status: query.status,

x-pack/solutions/security/plugins/security_solution/common/constants.ts

@@ -48,7 +48,7 @@ export const DEFAULT_INDEX_KEY = 'securitySolution:defaultIndex' as const;
 export const DEFAULT_NUMBER_FORMAT = 'format:number:defaultPattern' as const;
 export const DEFAULT_DATA_VIEW_ID = 'security-solution' as const;
 export const DEFAULT_ALERT_DATA_VIEW_ID = 'security-solution-alert' as const;
-export const DEFAULT_ATTACK_DATA_VIEW_ID = 'security-solution-attack' as const;
+export const DEFAULT_ATTACK_DATA_VIEW_ID = 'security-solution-attack-new' as const;
 export const DEFAULT_TIME_FIELD = '@timestamp' as const;
 export const DEFAULT_TIME_RANGE = 'timepicker:timeDefaults' as const;
 export const DEFAULT_REFRESH_RATE_INTERVAL = 'timepicker:refreshIntervalDefaults' as const;