elastic · e40pud · Dec 1, 2023 · Sep 22, 2023 · Sep 22, 2023 · Oct 2, 2023
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts
@@ -32,6 +32,7 @@ import {
   ALERT_TIME_RANGE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
@@ -190,6 +191,11 @@ export const alertFieldMap = {
     array: true,
     required: false,
   },
+  [ALERT_WORKFLOW_ASSIGNEE_IDS]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
   [EVENT_ACTION]: {
     type: 'keyword',
     array: false,

diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts
@@ -98,6 +98,7 @@ const AlertOptional = rt.partial({
   'kibana.alert.start': schemaDate,
   'kibana.alert.time_range': schemaDateRange,
   'kibana.alert.url': schemaString,
+  'kibana.alert.workflow_assignee_ids': schemaStringArray,
   'kibana.alert.workflow_status': schemaString,
   'kibana.alert.workflow_tags': schemaStringArray,
   'kibana.version': schemaString,

diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts
@@ -193,6 +193,7 @@ const SecurityAlertOptional = rt.partial({
   ),
   'kibana.alert.time_range': schemaDateRange,
   'kibana.alert.url': schemaString,
+  'kibana.alert.workflow_assignee_ids': schemaStringArray,
   'kibana.alert.workflow_reason': schemaString,
   'kibana.alert.workflow_status': schemaString,
   'kibana.alert.workflow_tags': schemaStringArray,

diff --git a/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts b/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts
@@ -11,6 +11,7 @@ import {
   ALERT_RISK_SCORE,
   ALERT_SEVERITY,
   ALERT_RULE_PARAMETERS,
+  ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_TAGS,
 } from '@kbn/rule-data-utils';
 
@@ -46,6 +47,7 @@ export const ALERT_EVENTS_FIELDS = [
   ALERT_RULE_CONSUMER,
   '@timestamp',
   'kibana.alert.ancestors.index',
+  ALERT_WORKFLOW_ASSIGNEE_IDS,
   'kibana.alert.workflow_status',
   ALERT_WORKFLOW_TAGS,
   'kibana.alert.group.id',

diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts
@@ -70,6 +70,9 @@ const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
 // kibana.alert.workflow_tags - user workflow alert tags
 const ALERT_WORKFLOW_TAGS = `${ALERT_NAMESPACE}.workflow_tags` as const;
 
+// kibana.alert.workflow_assignee_ids - user workflow alert assignees
+const ALERT_WORKFLOW_ASSIGNEE_IDS = `${ALERT_NAMESPACE}.workflow_assignee_ids` as const;
+
 // kibana.alert.rule.category - rule type name for rule that generated this alert
 const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
 
@@ -135,6 +138,7 @@ const fields = {
   ALERT_TIME_RANGE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
@@ -174,6 +178,7 @@ export {
   ALERT_TIME_RANGE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,

diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -32,6 +32,7 @@ import {
   ALERT_STATUS,
   ALERT_TIME_RANGE,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
@@ -174,6 +175,7 @@ const fields = {
   ALERT_STATUS,
   ALERT_SYSTEM_STATUS,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_REASON,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,

diff --git a/packages/kbn-securitysolution-ecs/src/signal/index.ts b/packages/kbn-securitysolution-ecs/src/signal/index.ts
@@ -24,6 +24,7 @@ export type SignalEcsAAD = Exclude<SignalEcs, 'rule' | 'status'> & {
   building_block_type?: string[];
   workflow_status?: string[];
   workflow_tags?: string[];
+  workflow_assignee_ids?: string[];
   suppression?: {
     docs_count: string[];
   };

diff --git a/x-pack/packages/security-solution/upselling/messages/index.tsx b/x-pack/packages/security-solution/upselling/messages/index.tsx
@@ -14,3 +14,11 @@ export const UPGRADE_INVESTIGATION_GUIDE = (requiredLicense: string) =>
       requiredLicense,
     },
   });
+
+export const UPGRADE_ALERT_ASSIGNMENTS = (requiredLicense: string) =>
+  i18n.translate('securitySolutionPackages.alertAssignments.upsell', {
+    defaultMessage: 'Upgrade to {requiredLicense} to make use of alert assignments',
+    values: {
+      requiredLicense,
+    },
+  });
diff --git a/x-pack/packages/security-solution/upselling/service/types.ts b/x-pack/packages/security-solution/upselling/service/types.ts
@@ -17,4 +17,4 @@ export type UpsellingSectionId =
   | 'osquery_automated_response_actions'
   | 'ruleDetailsEndpointExceptions';
 
-export type UpsellingMessageId = 'investigation_guide';
+export type UpsellingMessageId = 'investigation_guide' | 'alert_assignments';
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -311,6 +311,9 @@ describe('mappingFromFieldMap', () => {
                 workflow_tags: {
                   type: 'keyword',
                 },
+                workflow_assignee_ids: {
+                  type: 'keyword',
+                },
               },
             },
             space_ids: {

diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -293,6 +293,11 @@ it('matches snapshot', () => {
         "required": true,
         "type": "keyword",
       },
+      "kibana.alert.workflow_assignee_ids": Object {
+        "array": true,
+        "required": false,
+        "type": "keyword",
+      },
       "kibana.alert.workflow_reason": Object {
         "array": false,
         "required": false,

diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/index.ts b/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './set_alert_assignees_route.gen';
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/mocks.ts b/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/mocks.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './set_alert_assignees_route.mock';
diff --git a/...ity_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts b/...ity_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { z } from 'zod';
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ */
+
+import { NonEmptyString } from '../model/rule_schema/common_attributes.gen';
+
+export type AlertAssignees = z.infer<typeof AlertAssignees>;
+export const AlertAssignees = z.object({
+  /**
+   * A list of users ids to assign.
+   */
+  add: z.array(NonEmptyString),
+  /**
+   * A list of users ids to unassign.
+   */
+  remove: z.array(NonEmptyString),
+});
+
+/**
+ * A list of alerts ids.
+ */
+export type AlertIds = z.infer<typeof AlertIds>;
+export const AlertIds = z.array(NonEmptyString).min(1);
+
+export type SetAlertAssigneesRequestBody = z.infer<typeof SetAlertAssigneesRequestBody>;
+export const SetAlertAssigneesRequestBody = z.object({
+  /**
+   * Details about the assignees to assign and unassign.
+   */
+  assignees: AlertAssignees,
+  /**
+   * List of alerts ids to assign and unassign passed assignees.
+   */
+  ids: AlertIds,
+});
+export type SetAlertAssigneesRequestBodyInput = z.input<typeof SetAlertAssigneesRequestBody>;
diff --git a/...ty_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.mock.ts b/...ty_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.mock.ts
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { SetAlertAssigneesRequestBody } from './set_alert_assignees_route.gen';
+
+export const getSetAlertAssigneesRequestMock = (
+  assigneesToAdd: string[] = [],
+  assigneesToRemove: string[] = [],
+  ids: string[] = []
+): SetAlertAssigneesRequestBody => ({
+  assignees: { add: assigneesToAdd, remove: assigneesToRemove },
+  ids,
+});
diff --git a/...olution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml b/...olution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml
@@ -0,0 +1,58 @@
+openapi: 3.0.0
+info:
+  title: Assign alerts API endpoint
+  version: '2023-10-31'
+paths:
+  /api/detection_engine/signals/assignees:
+    summary: Assigns users to alerts
+    post:
+      operationId: SetAlertAssignees
+      x-codegen-enabled: true
+      description: Assigns users to alerts.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - assignees
+                - ids
+              properties:
+                assignees:
+                  $ref: '#/components/schemas/AlertAssignees'
+                  description: Details about the assignees to assign and unassign.
+                ids:
+                  $ref: '#/components/schemas/AlertIds'
+                  description: List of alerts ids to assign and unassign passed assignees.
+      responses:
+        200:
+          description: Indicates a successful call.
+        400:
+          description: Invalid request.
+
+components:
+  schemas:
+    AlertAssignees:
+      type: object
+      required:
+        - add
+        - remove
+      properties:
+        add:
+          type: array
+          items:
+            $ref: '../model/rule_schema/common_attributes.schema.yaml#/components/schemas/NonEmptyString'
+          description: A list of users ids to assign.
+        remove:
+          type: array
+          items:
+            $ref: '../model/rule_schema/common_attributes.schema.yaml#/components/schemas/NonEmptyString'
+          description: A list of users ids to unassign.
+
+    AlertIds:
+      type: array
+      items:
+        $ref: '../model/rule_schema/common_attributes.schema.yaml#/components/schemas/NonEmptyString'
+      minItems: 1
+      description: A list of alerts ids.
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/index.ts b/x-pack/plugins/security_solution/common/api/detection_engine/index.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+export * from './alert_assignees';
 export * from './alert_tags';
 export * from './fleet_integrations';
 export * from './index_management';

diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/8.12.0/index.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/8.12.0/index.ts
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ALERT_WORKFLOW_ASSIGNEE_IDS } from '@kbn/rule-data-utils';
+import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
+import type {
+  Ancestor890,
+  BaseFields890,
+  EqlBuildingBlockFields890,
+  EqlShellFields890,
+  NewTermsFields890,
+} from '../8.9.0';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.12.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.12.0.
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export type { Ancestor890 as Ancestor8120 };
+
+export interface BaseFields8120 extends BaseFields890 {
+  [ALERT_WORKFLOW_ASSIGNEE_IDS]: string[] | undefined;
+}
+
+export interface WrappedFields8120<T extends BaseFields8120> {
+  _id: string;
+  _index: string;
+  _source: T;
+}
+
+export type GenericAlert8120 = AlertWithCommonFields800<BaseFields8120>;
+
+export type EqlShellFields8120 = EqlShellFields890 & BaseFields8120;
+
+export type EqlBuildingBlockFields8120 = EqlBuildingBlockFields890 & BaseFields8120;
+
+export type NewTermsFields8120 = NewTermsFields890 & BaseFields8120;
+
+export type NewTermsAlert8120 = NewTermsFields890 & BaseFields8120;
+
+export type EqlBuildingBlockAlert8120 = AlertWithCommonFields800<EqlBuildingBlockFields890>;
+
+export type EqlShellAlert8120 = AlertWithCommonFields800<EqlShellFields8120>;
+
+export type DetectionAlert8120 =
+  | GenericAlert8120
+  | EqlShellAlert8120
+  | EqlBuildingBlockAlert8120
+  | NewTermsAlert8120;
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/index.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/index.ts
@@ -11,15 +11,16 @@ import type { DetectionAlert840 } from './8.4.0';
 import type { DetectionAlert860 } from './8.6.0';
 import type { DetectionAlert870 } from './8.7.0';
 import type { DetectionAlert880 } from './8.8.0';
+import type { DetectionAlert890 } from './8.9.0';
 import type {
-  Ancestor890,
-  BaseFields890,
-  DetectionAlert890,
-  EqlBuildingBlockFields890,
-  EqlShellFields890,
-  NewTermsFields890,
-  WrappedFields890,
-} from './8.9.0';
+  Ancestor8120,
+  BaseFields8120,
+  DetectionAlert8120,
+  EqlBuildingBlockFields8120,
+  EqlShellFields8120,
+  NewTermsFields8120,
+  WrappedFields8120,
+} from './8.12.0';
 
 // When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
 // here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
@@ -29,14 +30,15 @@ export type DetectionAlert =
   | DetectionAlert860
   | DetectionAlert870
   | DetectionAlert880
-  | DetectionAlert890;
+  | DetectionAlert890
+  | DetectionAlert8120;
 
 export type {
-  Ancestor890 as AncestorLatest,
-  BaseFields890 as BaseFieldsLatest,
-  DetectionAlert890 as DetectionAlertLatest,
-  WrappedFields890 as WrappedFieldsLatest,
-  EqlBuildingBlockFields890 as EqlBuildingBlockFieldsLatest,
-  EqlShellFields890 as EqlShellFieldsLatest,
-  NewTermsFields890 as NewTermsFieldsLatest,
+  Ancestor8120 as AncestorLatest,
+  BaseFields8120 as BaseFieldsLatest,
+  DetectionAlert8120 as DetectionAlertLatest,
+  WrappedFields8120 as WrappedFieldsLatest,
+  EqlBuildingBlockFields8120 as EqlBuildingBlockFieldsLatest,
+  EqlShellFields8120 as EqlShellFieldsLatest,
+  NewTermsFields8120 as NewTermsFieldsLatest,
 };