[Security Solution] Bulk editing rule custom highlighted fields

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts

@@ -26,6 +26,7 @@ import {
   RuleActionAlertsFilter,
   IndexPatternArray,
   RuleTagArray,
+  InvestigationFields,
   TimelineTemplateId,
   TimelineTemplateTitle,
 } from '../../model/rule_schema/common_attributes.gen';
@@ -52,6 +53,7 @@ export const BulkActionsDryRunErrCode = z.enum([
   'MACHINE_LEARNING_AUTH',
   'MACHINE_LEARNING_INDEX_PATTERN',
   'ESQL_INDEX_PATTERN',
+  'INVESTIGATION_FIELDS_FEATURE',
 ]);
 export type BulkActionsDryRunErrCodeEnum = typeof BulkActionsDryRunErrCode.enum;
 export const BulkActionsDryRunErrCodeEnum = BulkActionsDryRunErrCode.enum;
@@ -187,6 +189,9 @@ export const BulkActionEditType = z.enum([
   'add_rule_actions',
   'set_rule_actions',
   'set_schedule',
+  'add_investigation_fields',
+  'delete_investigation_fields',
+  'set_investigation_fields',
 ]);
 export type BulkActionEditTypeEnum = typeof BulkActionEditType.enum;
 export const BulkActionEditTypeEnum = BulkActionEditType.enum;
@@ -239,6 +244,18 @@ export const BulkActionEditPayloadTags = z.object({
   value: RuleTagArray,
 });
 
+export type BulkActionEditPayloadInvestigationFields = z.infer<
+  typeof BulkActionEditPayloadInvestigationFields
+>;
+export const BulkActionEditPayloadInvestigationFields = z.object({
+  type: z.enum([
+    'add_investigation_fields',
+    'delete_investigation_fields',
+    'set_investigation_fields',
+  ]),
+  value: InvestigationFields,
+});
+
 export type BulkActionEditPayloadTimeline = z.infer<typeof BulkActionEditPayloadTimeline>;
 export const BulkActionEditPayloadTimeline = z.object({
   type: z.literal('set_timeline'),
@@ -252,6 +269,7 @@ export type BulkActionEditPayload = z.infer<typeof BulkActionEditPayload>;
 export const BulkActionEditPayload = z.union([
   BulkActionEditPayloadTags,
   BulkActionEditPayloadIndexPatterns,
+  BulkActionEditPayloadInvestigationFields,
   BulkActionEditPayloadTimeline,
   BulkActionEditPayloadRuleActions,
   BulkActionEditPayloadSchedule,

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml

@@ -76,6 +76,7 @@ components:
         - MACHINE_LEARNING_AUTH
         - MACHINE_LEARNING_INDEX_PATTERN
         - ESQL_INDEX_PATTERN
+        - INVESTIGATION_FIELDS_FEATURE
 
     NormalizedRuleError:
       type: object
@@ -281,6 +282,9 @@ components:
         - add_rule_actions
         - set_rule_actions
         - set_schedule
+        - add_investigation_fields
+        - delete_investigation_fields
+        - set_investigation_fields
 
     # Per rulesClient.bulkEdit rules actions operation contract (x-pack/plugins/alerting/server/rules_client/rules_client.ts) normalized rule action object is expected (NormalizedAlertAction) as value for the edit operation
     NormalizedRuleAction:
@@ -381,6 +385,21 @@ components:
         - type
         - value
 
+    BulkActionEditPayloadInvestigationFields:
+      type: object
+      properties:
+        type:
+          type: string
+          enum:
+            - add_investigation_fields
+            - delete_investigation_fields
+            - set_investigation_fields
+        value:
+          $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/InvestigationFields'
+      required:
+        - type
+        - value
+
     BulkActionEditPayloadTimeline:
       type: object
       properties:
@@ -406,6 +425,7 @@ components:
       anyOf:
         - $ref: '#/components/schemas/BulkActionEditPayloadTags'
         - $ref: '#/components/schemas/BulkActionEditPayloadIndexPatterns'
+        - $ref: '#/components/schemas/BulkActionEditPayloadInvestigationFields'
         - $ref: '#/components/schemas/BulkActionEditPayloadTimeline'
         - $ref: '#/components/schemas/BulkActionEditPayloadRuleActions'
         - $ref: '#/components/schemas/BulkActionEditPayloadSchedule'

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.test.ts

@@ -187,7 +187,7 @@ describe('Perform bulk action request schema', () => {
         expectParseError(result);
 
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 9 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 11 more"`
         );
       });
 
@@ -249,7 +249,7 @@ describe('Perform bulk action request schema', () => {
         expectParseError(result);
 
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 9 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 11 more"`
         );
       });
 
@@ -299,6 +299,62 @@ describe('Perform bulk action request schema', () => {
       });
     });
 
+    describe('investigation_fields', () => {
+      test('valid request: set_investigation_fields edit action', () => {
+        const payload: PerformBulkActionRequestBody = {
+          query: 'name: test',
+          action: BulkActionTypeEnum.edit,
+          [BulkActionTypeEnum.edit]: [
+            {
+              type: BulkActionEditTypeEnum.set_investigation_fields,
+              value: { field_names: ['field-1'] },
+            },
+          ],
+        };
+
+        const result = PerformBulkActionRequestBody.safeParse(payload);
+
+        expectParseSuccess(result);
+        expect(result.data).toEqual(payload);
+      });
+
+      test('valid request: add_investigation_fields edit action', () => {
+        const payload: PerformBulkActionRequestBody = {
+          query: 'name: test',
+          action: BulkActionTypeEnum.edit,
+          [BulkActionTypeEnum.edit]: [
+            {
+              type: BulkActionEditTypeEnum.add_investigation_fields,
+              value: { field_names: ['field-2'] },
+            },
+          ],
+        };
+
+        const result = PerformBulkActionRequestBody.safeParse(payload);
+
+        expectParseSuccess(result);
+        expect(result.data).toEqual(payload);
+      });
+
+      test('valid request: delete_investigation_fields edit action', () => {
+        const payload: PerformBulkActionRequestBody = {
+          query: 'name: test',
+          action: BulkActionTypeEnum.edit,
+          [BulkActionTypeEnum.edit]: [
+            {
+              type: BulkActionEditTypeEnum.delete_investigation_fields,
+              value: { field_names: ['field-3'] },
+            },
+          ],
+        };
+
+        const result = PerformBulkActionRequestBody.safeParse(payload);
+
+        expectParseSuccess(result);
+        expect(result.data).toEqual(payload);
+      });
+    });
+
     describe('timeline', () => {
       test('invalid request: wrong timeline payload type', () => {
         const payload = {
@@ -311,7 +367,7 @@ describe('Perform bulk action request schema', () => {
 
         expectParseError(result);
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 7 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 9 more"`
         );
       });
 
@@ -333,7 +389,7 @@ describe('Perform bulk action request schema', () => {
 
         expectParseError(result);
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 10 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 12 more"`
         );
       });
 
@@ -371,7 +427,7 @@ describe('Perform bulk action request schema', () => {
 
         expectParseError(result);
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 7 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 9 more"`
         );
       });
 
@@ -416,7 +472,7 @@ describe('Perform bulk action request schema', () => {
 
         expectParseError(result);
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 10 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 12 more"`
         );
       });
 
@@ -438,7 +494,7 @@ describe('Perform bulk action request schema', () => {
 
         expectParseError(result);
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 10 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 12 more"`
         );
       });
 
@@ -476,7 +532,7 @@ describe('Perform bulk action request schema', () => {
 
         expectParseError(result);
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 7 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 9 more"`
         );
       });
 
@@ -498,7 +554,7 @@ describe('Perform bulk action request schema', () => {
 
         expectParseError(result);
         expect(stringifyZodError(result.error)).toMatchInlineSnapshot(
-          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 11 more"`
+          `"action: Invalid literal value, expected \\"delete\\", action: Invalid literal value, expected \\"disable\\", action: Invalid literal value, expected \\"enable\\", action: Invalid literal value, expected \\"export\\", action: Invalid literal value, expected \\"duplicate\\", and 13 more"`
         );
       });
 

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_types.ts

@@ -7,6 +7,7 @@
 
 import type {
   BulkActionEditPayloadIndexPatterns,
+  BulkActionEditPayloadInvestigationFields,
   BulkActionEditPayloadRuleActions,
   BulkActionEditPayloadSchedule,
   BulkActionEditPayloadTags,
@@ -26,5 +27,6 @@ export type BulkActionEditForRuleAttributes =
  */
 export type BulkActionEditForRuleParams =
   | BulkActionEditPayloadIndexPatterns
+  | BulkActionEditPayloadInvestigationFields
   | BulkActionEditPayloadTimeline
   | BulkActionEditPayloadSchedule;

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_get_sources/bulk_get_sources_route.gen.ts

@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { z } from 'zod';
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Get Rules Sources API endpoint
+ *   version: 2023-10-31
+ */
+
+export type BulkGetRulesSourcesRequestBody = z.infer<typeof BulkGetRulesSourcesRequestBody>;
+export const BulkGetRulesSourcesRequestBody = z.object({
+  /**
+   * Query to filter rules
+   */
+  query: z.string().optional(),
+  /**
+   * Array of rule IDs
+   */
+  ids: z.array(z.string()).min(1).optional(),
+});
+export type BulkGetRulesSourcesRequestBodyInput = z.input<typeof BulkGetRulesSourcesRequestBody>;
+
+export type BulkGetRulesSourcesResponse = z.infer<typeof BulkGetRulesSourcesResponse>;
+export const BulkGetRulesSourcesResponse = z.object({
+  /**
+   * Array of index patterns
+   */
+  indexPatterns: z.array(z.string()).optional(),
+  /**
+   * Array of data view ids
+   */
+  dataViewIds: z.array(z.string()).optional(),
+});

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_get_sources/bulk_get_sources_route.mock.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { BulkGetRulesSourcesRequestBody } from './bulk_get_sources_route.gen';
+
+export const getPerformBulkGetSourcesSchemaMock = (): BulkGetRulesSourcesRequestBody => ({
+  query: '',
+  ids: undefined,
+});

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_get_sources/bulk_get_sources_route.schema.yaml

@@ -0,0 +1,48 @@
+openapi: 3.0.0
+info:
+  title: Get Rules Sources API endpoint
+  version: '2023-10-31'
+paths:
+  /api/detection_engine/rules/_bulk_get_sources:
+    summary: Returns rules sources
+    post:
+      operationId: BulkGetRulesSources
+      x-codegen-enabled: true
+      summary: Get rules sources
+      description: Returns rules sources.
+      tags:
+        - Bulk API
+      requestBody:
+        content:
+          application/json:
+            schema:
+              x-inline: true
+              type: object
+              properties:
+                query:
+                  type: string
+                  description: Query to filter rules
+                ids:
+                  type: array
+                  description: Array of rule IDs
+                  minItems: 1
+                  items:
+                    type: string
+      responses:
+        200:
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  indexPatterns:
+                    type: array
+                    description: Array of index patterns
+                    items:
+                      type: string
+                  dataViewIds:
+                    type: array
+                    description: Array of data view ids
+                    items:
+                      type: string