[Serverless][Security Solution][Endpoint] Restrict endpoint exceptions on serverless via plugin sub-features

.eslintrc.js

@@ -1175,6 +1175,7 @@ module.exports = {
       overrides: [
         {
           files: [
+            'x-pack/packages/security-solution/features/**/*.{js,mjs,ts,tsx}',
             'x-pack/packages/security-solution/navigation/**/*.{js,mjs,ts,tsx}',
             'x-pack/plugins/security_solution/**/*.{js,mjs,ts,tsx}',
             'x-pack/plugins/security_solution_ess/**/*.{js,mjs,ts,tsx}',

.github/CODEOWNERS

@@ -599,6 +599,7 @@ x-pack/plugins/searchprofiler @elastic/platform-deployment-management
 x-pack/test/security_api_integration/packages/helpers @elastic/kibana-security
 x-pack/plugins/security @elastic/kibana-security
 x-pack/plugins/security_solution_ess @elastic/security-solution
+x-pack/packages/security-solution/features @elastic/security-threat-hunting-explore
 x-pack/test/cases_api_integration/common/plugins/security_solution @elastic/response-ops
 x-pack/packages/security-solution/navigation @elastic/security-threat-hunting-explore
 x-pack/plugins/security_solution @elastic/security-solution

package.json

@@ -603,6 +603,7 @@
     "@kbn/searchprofiler-plugin": "link:x-pack/plugins/searchprofiler",
     "@kbn/security-plugin": "link:x-pack/plugins/security",
     "@kbn/security-solution-ess": "link:x-pack/plugins/security_solution_ess",
+    "@kbn/security-solution-features": "link:x-pack/packages/security-solution/features",
     "@kbn/security-solution-fixtures-plugin": "link:x-pack/test/cases_api_integration/common/plugins/security_solution",
     "@kbn/security-solution-navigation": "link:x-pack/packages/security-solution/navigation",
     "@kbn/security-solution-plugin": "link:x-pack/plugins/security_solution",

packages/kbn-optimizer/limits.yml

@@ -121,7 +121,7 @@ pageLoadAssetSize:
   security: 81771
   securitySolution: 66738
   securitySolutionEss: 16573
-  securitySolutionServerless: 40000
+  securitySolutionServerless: 45000
   serverless: 16573
   serverlessObservability: 68747
   serverlessSearch: 71995

packages/kbn-utility-types/index.ts

@@ -151,3 +151,23 @@ export type ArrayElement<A> = A extends ReadonlyArray<infer T> ? T : never;
 export type WithRequiredProperty<Type, Key extends keyof Type> = Omit<Type, Key> & {
   [Property in Key]-?: Type[Property];
 };
+
+// Recursive partial object type. inspired by EUI RecursivePartial
+export type RecursivePartial<T> = {
+  [P in keyof T]?: T[P] extends NonAny[]
+    ? T[P]
+    : T[P] extends readonly NonAny[]
+    ? T[P]
+    : T[P] extends Array<infer U>
+    ? Array<RecursivePartial<U>>
+    : T[P] extends ReadonlyArray<infer U>
+    ? ReadonlyArray<RecursivePartial<U>>
+    : T[P] extends Set<infer V>
+    ? Set<RecursivePartial<V>>
+    : T[P] extends Map<infer K, infer V>
+    ? Map<K, RecursivePartial<V>>
+    : T[P] extends NonAny
+    ? T[P]
+    : RecursivePartial<T[P]>;
+};
+type NonAny = number | boolean | string | symbol | null;

src/plugins/files/common/index.ts

@@ -6,7 +6,13 @@
  * Side Public License, v 1.
  */
 
-export { FILE_SO_TYPE, PLUGIN_ID, PLUGIN_NAME, ES_FIXED_SIZE_INDEX_BLOB_STORE } from './constants';
+export {
+  PLUGIN_ID,
+  PLUGIN_NAME,
+  ES_FIXED_SIZE_INDEX_BLOB_STORE,
+  FILE_SO_TYPE,
+  FILE_SHARE_SO_TYPE,
+} from './constants';
 
 export type {
   File,

tsconfig.base.json

@@ -1192,6 +1192,8 @@
       "@kbn/security-plugin/*": ["x-pack/plugins/security/*"],
       "@kbn/security-solution-ess": ["x-pack/plugins/security_solution_ess"],
       "@kbn/security-solution-ess/*": ["x-pack/plugins/security_solution_ess/*"],
+      "@kbn/security-solution-features": ["x-pack/packages/security-solution/features"],
+      "@kbn/security-solution-features/*": ["x-pack/packages/security-solution/features/*"],
       "@kbn/security-solution-fixtures-plugin": ["x-pack/test/cases_api_integration/common/plugins/security_solution"],
       "@kbn/security-solution-fixtures-plugin/*": ["x-pack/test/cases_api_integration/common/plugins/security_solution/*"],
       "@kbn/security-solution-navigation": ["x-pack/packages/security-solution/navigation"],

x-pack/packages/security-solution/features/README.mdx

@@ -0,0 +1,4 @@
+## Security Solution App Features
+
+This package provides resources to be used for Security Solution app features
+

x-pack/packages/security-solution/features/index.ts

@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+export { AppFeaturesPrivileges } from './src/app_features_privileges';
+export { ASSISTANT_FEATURE_ID, CASES_FEATURE_ID } from './src/constants';
+export * from './src/app_features_keys';
+export * from './src/types';
+
+export { getSecurityFeature } from './src/security';
+export { getCasesFeature } from './src/cases';
+export { getAssistantFeature } from './src/assistant';
+
+export { securityDefaultAppFeaturesConfig } from './src/security/app_feature_config';
+export { getCasesDefaultAppFeaturesConfig } from './src/cases/app_feature_config';
+export { assistantDefaultAppFeaturesConfig } from './src/assistant/app_feature_config';
+
+export { createEnabledAppFeaturesConfigMap } from './src/helpers';

x-pack/packages/security-solution/features/jest.config.js

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../../../..',
+  roots: ['<rootDir>/x-pack/packages/security-solution/features'],
+};

x-pack/packages/security-solution/features/kibana.jsonc

@@ -0,0 +1,5 @@
+{
+  "type": "shared-common",
+  "id": "@kbn/security-solution-features",
+  "owner": "@elastic/security-threat-hunting-explore"
+}

x-pack/packages/security-solution/features/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "@kbn/security-solution-features",
+  "private": true,
+  "version": "1.0.0",
+  "license": "Elastic License 2.0"
+}

x-pack/plugins/security_solution/common/types/app_features.ts → x-pack/packages/security-solution/features/src/app_features_keys.ts

@@ -6,60 +6,48 @@
  */
 
 export enum AppFeatureSecurityKey {
-  /**
-   * Enables Advanced Insights (Entity Risk, GenAI)
-   */
+  /** Enables Advanced Insights (Entity Risk, GenAI) */
   advancedInsights = 'advanced_insights',
-
   /**
    * Enables Investigation guide in Timeline
    */
   investigationGuide = 'investigation_guide',
-
   /**
    * Enables access to the Endpoint List and associated views that allows management of hosts
    * running endpoint security
    */
   endpointHostManagement = 'endpoint_host_management',
-
   /**
    * Enables endpoint policy views that enables user to manage endpoint security policies
    */
   endpointPolicyManagement = 'endpoint_policy_management',
-
   /**
    * Enables Endpoint Policy protections (like Malware, Ransomware, etc)
    */
   endpointPolicyProtections = 'endpoint_policy_protections',
-
   /**
    * Enables management of all endpoint related artifacts (ex. Trusted Applications, Event Filters,
    * Host Isolation Exceptions, Blocklist.
    */
   endpointArtifactManagement = 'endpoint_artifact_management',
-
   /**
    * Enables all of endpoint's supported response actions - like host isolation, file operations,
    * process operations, command execution, etc.
    */
   endpointResponseActions = 'endpoint_response_actions',
-
   /**
    * Enables Threat Intelligence
    */
   threatIntelligence = 'threat-intelligence',
-
   /**
    * Enables Osquery Response Actions
    */
   osqueryAutomatedResponseActions = 'osquery_automated_response_actions',
-}
 
-export enum AppFeatureAssistantKey {
   /**
-   * Enables Elastic AI Assistant
+   * Enables managing endpoint exceptions on rules and alerts
    */
-  assistant = 'assistant',
+  endpointExceptions = 'endpointExceptions',
 }
 
 export enum AppFeatureCasesKey {
@@ -69,14 +57,46 @@ export enum AppFeatureCasesKey {
   casesConnectors = 'cases_connectors',
 }
 
-// Merges the two enums.
-export type AppFeatureKey = AppFeatureSecurityKey | AppFeatureCasesKey | AppFeatureAssistantKey;
-export type AppFeatureKeys = AppFeatureKey[];
+export enum AppFeatureAssistantKey {
+  /**
+   * Enables Elastic AI Assistant
+   */
+  assistant = 'assistant',
+}
 
-// We need to merge the value and the type and export both to replicate how enum works.
+// Merges the two enums.
 export const AppFeatureKey = {
   ...AppFeatureSecurityKey,
   ...AppFeatureCasesKey,
   ...AppFeatureAssistantKey,
 };
+// We need to merge the value and the type and export both to replicate how enum works.
+export type AppFeatureKey = AppFeatureSecurityKey | AppFeatureCasesKey | AppFeatureAssistantKey;
+
 export const ALL_APP_FEATURE_KEYS = Object.freeze(Object.values(AppFeatureKey));
+
+/** Sub-features IDs for Security */
+export enum SecuritySubFeatureId {
+  endpointList = 'endpointListSubFeature',
+  endpointExceptions = 'endpointExceptionsSubFeature',
+  trustedApplications = 'trustedApplicationsSubFeature',
+  hostIsolationExceptions = 'hostIsolationExceptionsSubFeature',
+  blocklist = 'blocklistSubFeature',
+  eventFilters = 'eventFiltersSubFeature',
+  policyManagement = 'policyManagementSubFeature',
+  responseActionsHistory = 'responseActionsHistorySubFeature',
+  hostIsolation = 'hostIsolationSubFeature',
+  processOperations = 'processOperationsSubFeature',
+  fileOperations = 'fileOperationsSubFeature',
+  executeAction = 'executeActionSubFeature',
+}
+
+/** Sub-features IDs for Cases */
+export enum CasesSubFeatureId {
+  deleteCases = 'deleteCasesSubFeature',
+}
+
+/** Sub-features IDs for Security Assistant */
+export enum AssistantSubFeatureId {
+  createConversation = 'createConversationSubFeature',
+}

x-pack/packages/security-solution/features/src/app_features_privileges.ts

@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { APP_ID } from './constants';
+
+export enum AppFeaturesPrivilegeId {
+  endpointExceptions = 'endpoint_exceptions',
+}
+
+/**
+ * This is the mapping of the privileges that are registered
+ * using a different Kibana feature configuration (sub-feature, main feature privilege, etc)
+ * in each offering type (ess, serverless)
+ */
+export const AppFeaturesPrivileges = {
+  [AppFeaturesPrivilegeId.endpointExceptions]: {
+    all: {
+      ui: ['showEndpointExceptions', 'crudEndpointExceptions'],
+      api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`],
+    },
+    read: {
+      ui: ['showEndpointExceptions'],
+      api: [`${APP_ID}-showEndpointExceptions`],
+    },
+  },
+};

x-pack/packages/security-solution/features/src/assistant/app_feature_config.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { AssistantSubFeatureId } from '../app_features_keys';
+import { AppFeatureAssistantKey } from '../app_features_keys';
+import type { AppFeatureKibanaConfig } from '../types';
+
+/**
+ * App features privileges configuration for the Security Assistant Kibana Feature app.
+ * These are the configs that are shared between both offering types (ess and serverless).
+ * They can be extended on each offering plugin to register privileges using different way on each offering type.
+ *
+ * Privileges can be added in different ways:
+ * - `privileges`: the privileges that will be added directly into the main Security feature.
+ * - `subFeatureIds`: the ids of the sub-features that will be added into the Security subFeatures entry.
+ * - `subFeaturesPrivileges`: the privileges that will be added into the existing Security subFeature with the privilege `id` specified.
+ */
+export const assistantDefaultAppFeaturesConfig: Record<
+  AppFeatureAssistantKey,
+  AppFeatureKibanaConfig<AssistantSubFeatureId>
+> = {
+  [AppFeatureAssistantKey.assistant]: {
+    privileges: {
+      all: {
+        ui: ['ai-assistant'],
+      },
+    },
+  },
+};

x-pack/packages/security-solution/features/src/assistant/index.ts

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { AssistantSubFeatureId } from '../app_features_keys';
+import type { AppFeatureParams } from '../types';
+import { getAssistantBaseKibanaFeature } from './kibana_features';
+import {
+  getAssistantBaseKibanaSubFeatureIds,
+  assistantSubFeaturesMap,
+} from './kibana_sub_features';
+
+export const getAssistantFeature = (): AppFeatureParams<AssistantSubFeatureId> => ({
+  baseKibanaFeature: getAssistantBaseKibanaFeature(),
+  baseKibanaSubFeatureIds: getAssistantBaseKibanaSubFeatureIds(),
+  subFeaturesMap: assistantSubFeaturesMap,
+});

x-pack/packages/security-solution/features/src/assistant/kibana_features.ts

@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
+import { type BaseKibanaFeatureConfig } from '../types';
+import { APP_ID, ASSISTANT_FEATURE_ID } from '../constants';
+
+export const getAssistantBaseKibanaFeature = (): BaseKibanaFeatureConfig => ({
+  id: ASSISTANT_FEATURE_ID,
+  name: i18n.translate(
+    'xpack.securitySolution.featureRegistry.linkSecuritySolutionAssistantTitle',
+    {
+      defaultMessage: 'Elastic AI Assistant',
+    }
+  ),
+  order: 1100,
+  category: DEFAULT_APP_CATEGORIES.security,
+  app: [ASSISTANT_FEATURE_ID, 'kibana'],
+  catalogue: [APP_ID],
+  minimumLicense: 'enterprise',
+  privileges: {
+    all: {
+      api: [],
+      app: [ASSISTANT_FEATURE_ID, 'kibana'],
+      catalogue: [APP_ID],
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: [],
+    },
+    read: {
+      // No read-only mode currently supported
+      disabled: true,
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: [],
+    },
+  },
+});