From fb1394812d88d91bde2cdbabfac95487b73b64bf Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Mon, 1 Mar 2021 17:35:21 -0800 Subject: [PATCH 1/2] [Security Solution][Detections] -Fixes rule edit flow bug with max_signals (#92748) ### Summary Fixes a bug where max_signals was being reverted to its default value when the rule was edited via the UI. --- .../detection_rules/custom_query_rule.spec.ts | 25 +++++++++++++++++++ .../security_solution/cypress/objects/rule.ts | 10 ++++++++ .../cypress/tasks/api_calls/rules.ts | 1 + .../cypress/tasks/rule_details.ts | 5 ---- .../detection_engine/rules/edit/index.tsx | 1 + .../rules/queries/query_with_max_signals.json | 9 +++++++ 6 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_with_max_signals.json diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts index ecfa96d59170f..201a3c3a5563e 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts @@ -108,6 +108,7 @@ import { } from '../../tasks/create_new_rule'; import { saveEditedRule, waitForKibana } from '../../tasks/edit_rule'; import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login'; +import { activatesRule } from '../../tasks/rule_details'; import { DETECTIONS_URL } from '../../urls/navigation'; 
@@ -308,6 +309,21 @@ describe('Custom detection rules deletion and edition', () => { reload(); }); + it('Only modifies rule active status on enable/disable', () => { + activatesRule(); + + cy.intercept('GET', `/api/detection_engine/rules?id=`).as('fetchRuleDetails'); + + goToRuleDetails(); + + cy.wait('@fetchRuleDetails').then(({ response }) => { + cy.wrap(response!.statusCode).should('eql', 200); + + cy.wrap(response!.body.max_signals).should('eql', existingRule.maxSignals); + cy.wrap(response!.body.enabled).should('eql', false); + }); + }); + it('Allows a rule to be edited', () => { editFirstRule(); waitForKibana(); @@ -347,8 +363,17 @@ describe('Custom detection rules deletion and edition', () => { goToAboutStepTab(); cy.get(TAGS_CLEAR_BUTTON).click({ force: true }); fillAboutRule(editedRule); + + cy.intercept('GET', '/api/detection_engine/rules?id').as('getRule'); + saveEditedRule(); + cy.wait('@getRule').then(({ response }) => { + cy.wrap(response!.statusCode).should('eql', 200); + // ensure that editing rule does not modify max_signals + cy.wrap(response!.body.max_signals).should('eql', existingRule.maxSignals); + }); + cy.get(RULE_NAME_HEADER).should('have.text', `${editedRule.name}`); cy.get(ABOUT_RULE_DESCRIPTION).should('have.text', editedRule.description); cy.get(ABOUT_DETAILS).within(() => { diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts index dadcb98cade8d..88dcd998fc06d 100644 --- a/x-pack/plugins/security_solution/cypress/objects/rule.ts +++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts @@ -54,6 +54,7 @@ export interface CustomRule { runsEvery: Interval; lookBack: Interval; timeline: CompleteTimeline; + maxSignals: number; } export interface ThresholdRule extends CustomRule { @@ -174,6 +175,7 @@ export const newRule: CustomRule = { runsEvery, lookBack, timeline, + maxSignals: 100, }; export const existingRule: CustomRule = { 
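Review bot: The new test calls `activatesRule()` and then asserts `response!.body.enabled` eql `false`, which reads as the opposite of what the helper name promises. If the fixture is created already enabled (the `createCustomRuleActivated` helper in this same patch sends `enabled: true`), the switch click is actually disabling the rule, and the test should say so with a comment such as `// fixture is created enabled, so toggling the switch disables it` and ideally a helper name that matches. The intercept here is the template literal `` `/api/detection_engine/rules?id=` `` while the edit test below uses `'/api/detection_engine/rules?id'`; use one pattern (preferably a shared constant) so both tests are guaranteed to match the same request. The enclosing `describe` block starts and ends outside the hunk.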
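Review bot: The `@getRule` assertion accepts the first GET matching `/api/detection_engine/rules?id` after `saveEditedRule()`, so it presumably depends on the save flow navigating to the details page and refetching the rule; if some other `rules?id` request fires first, a stale or unrelated response would satisfy the `max_signals` check without proving anything about the edit. Tie the response to the rule that was just saved, e.g. add `cy.wrap(response!.body.name).should('eql', editedRule.name);` alongside the existing `max_signals` assertion, so the check cannot pass against the pre-edit payload. The enclosing `it('Allows a rule to be edited')` block starts outside the hunk.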
@@ -192,6 +194,9 @@ export const existingRule: CustomRule = { runsEvery, lookBack, timeline, + // Please do not change, or if you do, needs + // to be any number other than default value + maxSignals: 500, }; export const newOverrideRule: OverrideRule = { @@ -213,6 +218,7 @@ export const newOverrideRule: OverrideRule = { runsEvery, lookBack, timeline, + maxSignals: 100, }; export const newThresholdRule: ThresholdRule = { @@ -232,6 +238,7 @@ export const newThresholdRule: ThresholdRule = { runsEvery, lookBack, timeline, + maxSignals: 100, }; export const machineLearningRule: MachineLearningRule = { @@ -265,6 +272,7 @@ export const eqlRule: CustomRule = { runsEvery, lookBack, timeline, + maxSignals: 100, }; export const eqlSequenceRule: CustomRule = { @@ -285,6 +293,7 @@ export const eqlSequenceRule: CustomRule = { runsEvery, lookBack, timeline, + maxSignals: 100, }; export const newThreatIndicatorRule: ThreatIndicatorRule = { @@ -304,6 +313,7 @@ export const newThreatIndicatorRule: ThreatIndicatorRule = { indicatorMapping: 'agent.id', indicatorIndexField: 'agent.threat', timeline, + maxSignals: 100, }; export const severitiesOverride = ['Low', 'Medium', 'High', 'Critical']; diff --git a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts index 99f5bd9c20230..4bf5508c19aa9 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts @@ -85,6 +85,7 @@ export const createCustomRuleActivated = (rule: CustomRule, ruleId = '1') => language: 'kuery', enabled: true, tags: ['rule1'], + max_signals: 500, }, headers: { 'kbn-xsrf': 'cypress-creds' }, failOnStatusCode: false, diff --git a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts index 411f326a0ace6..21a2745395419 100644 
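Review bot: `createCustomRuleActivated` receives a `rule: CustomRule` that now carries `maxSignals`, yet the request body hard-codes `max_signals: 500`, so the spec's `existingRule.maxSignals` assertions hold only because both literals happen to be 500 today. Change the added line to `max_signals: rule.maxSignals,` so the fixture and the expectation share one source of truth; the "Please do not change" comment on `existingRule` in rule.ts already treats that field as the canonical non-default value. The body of `createCustomRuleActivated` starts before the hunk.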
--- a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts @@ -34,11 +34,6 @@ export const activatesRule = () => { }); }; -export const deactivatesRule = () => { - cy.get(RULE_SWITCH).should('be.visible'); - cy.get(RULE_SWITCH).click(); -}; - export const addsException = (exception: Exception) => { cy.get(LOADING_SPINNER).should('exist'); cy.get(LOADING_SPINNER).should('not.exist'); diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/edit/index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/edit/index.tsx index 74fe97d0c7210..da5cf720d5315 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/edit/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/edit/index.tsx @@ -251,6 +251,7 @@ const EditRulePageComponent: FC = () => { rule ), ...(ruleId ? { id: ruleId } : {}), + ...(rule != null ? { max_signals: rule.max_signals } : {}), }); } }, [ diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_with_max_signals.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_with_max_signals.json new file mode 100644 index 0000000000000..d03eb8e2366ae --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_with_max_signals.json @@ -0,0 +1,9 @@ +{ + "name": "Query With Max Signals", + "description": "Simplest query with max signals set to something other than default", + "risk_score": 1, + "severity": "high", + "type": "query", + "query": "user.name: root or user.name: admin", + "max_signals": 500 +} From 3e026a3c3c983fddba78eca749e17721e58ae619 Mon Sep 17 00:00:00 2001 
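Review bot: The added spread forwards `rule.max_signals` into the update payload with no explanation of why this one field is special-cased after the rest of the payload is assembled above the hunk; a later reader will not know it exists to stop the edit flow from resetting a value the form never exposes, and may remove it as redundant. Add a comment above the line, e.g. `// max_signals is not editable in the edit form; forward the persisted value so saving does not reset it to the server default`. Presumably any other persisted field that the edit form does not expose would be reverted the same way, so it is worth confirming `max_signals` is the only such field before closing the bug. The enclosing callback in `EditRulePageComponent` starts and ends outside the hunk.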
From: Lisa Cawley Date: Mon, 1 Mar 2021 18:07:57 -0800 Subject: [PATCH 2/2] [DOCS] Fixes links for machine learning alerts (#92744) Co-authored-by: Yuliia Naumenko --- docs/user/alerting/alert-types.asciidoc | 2 +- docs/user/alerting/alerting-getting-started.asciidoc | 2 +- docs/user/alerting/defining-alerts.asciidoc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index 5983804c5c862..5afce8fa6cd93 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc @@ -28,7 +28,7 @@ For domain-specific alerts, refer to the documentation for that app. * {observability-guide}/create-alerts.html[Observability alerts] * {security-guide}/prebuilt-rules.html[Security alerts] * <> -* <> +* {ml-docs}/ml-configuring-alerts.html[{ml-cap} alerts] [NOTE] ============================================== diff --git a/docs/user/alerting/alerting-getting-started.asciidoc b/docs/user/alerting/alerting-getting-started.asciidoc index 0a7c17576de3d..8a83a0f8799de 100644 --- a/docs/user/alerting/alerting-getting-started.asciidoc +++ b/docs/user/alerting/alerting-getting-started.asciidoc 
@@ -5,7 +5,7 @@ -- -Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[*Observability*], {security-guide}/prebuilt-rules.html[*Security*], <> and <>, can be centrally managed from the <> UI, and provides a set of built-in <> and <> (known as stack alerts) for you to use. +Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[*Observability*], {security-guide}/prebuilt-rules.html[*Security*], <> and {ml-docs}/ml-configuring-alerts.html[*{ml-app}*], can be centrally managed from the <> UI, and provides a set of built-in <> and <> (known as stack alerts) for you to use. image::images/alerting-overview.png[Alerts and actions UI] diff --git a/docs/user/alerting/defining-alerts.asciidoc b/docs/user/alerting/defining-alerts.asciidoc index 77a4e5cc41ef2..396896754f2b0 100644 --- a/docs/user/alerting/defining-alerts.asciidoc +++ b/docs/user/alerting/defining-alerts.asciidoc @@ -2,7 +2,7 @@ [[defining-alerts]] == Defining alerts -{kib} alerts can be created in a variety of apps including <>, <>, <>, <> and from <> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail. +{kib} alerts can be created in a variety of apps including <>, <>, <>, <>, <> and from <> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail. [float] === Alert flyout