elastic
diff --git a/‎x-pack/plugins/security_solution/public/alerts/components/alerts_table/default_config.tsx‎
Lines changed: 28 additions & 13 deletions b/‎x-pack/plugins/security_solution/public/alerts/components/alerts_table/default_config.tsx‎
Lines changed: 28 additions & 13 deletions
diff --git a/‎x-pack/plugins/security_solution/public/alerts/components/alerts_table/index.tsx‎
Lines changed: 13 additions & 7 deletions b/‎x-pack/plugins/security_solution/public/alerts/components/alerts_table/index.tsx‎
Lines changed: 13 additions & 7 deletions
diff --git a/‎x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx‎
Lines changed: 27 additions & 5 deletions b/‎x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx‎
Lines changed: 27 additions & 5 deletions
diff --git a/‎x-pack/plugins/security_solution/public/common/components/exceptions/edit_exception_modal/index.tsx‎
Lines changed: 10 additions & 2 deletions b/‎x-pack/plugins/security_solution/public/common/components/exceptions/edit_exception_modal/index.tsx‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎x-pack/plugins/security_solution/public/common/components/exceptions/edit_exception_modal/translations.ts‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/plugins/security_solution/public/common/components/exceptions/edit_exception_modal/translations.ts‎
Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ import {
   SetEventsLoadingProps,
   UpdateTimelineLoading,
 } from './types';
-import { Ecs } from '../../../graphql/types';
+import { Ecs, TimelineNonEcsData } from '../../../graphql/types';
 import { AddExceptionOnClick } from '../../../common/components/exceptions/add_exception_modal';
 import { getMappedNonEcsValue } from '../../../common/components/exceptions/helpers';
 
@@ -174,6 +174,8 @@ export const requiredFieldsForActions = [
   'signal.rule.query',
   'signal.rule.to',
   'signal.rule.id',
+  'signal.original_event.kind',
+  'signal.original_event.module',
 
   // Endpoint exception fields
   'file.path',
@@ -189,6 +191,7 @@ interface AlertActionArgs {
   createTimeline: CreateTimeline;
   dispatch: Dispatch;
   ecsRowData: Ecs;
+  nonEcsRowData: TimelineNonEcsData[];
   hasIndexWrite: boolean;
   onAlertStatusUpdateFailure: (status: Status, error: Error) => void;
   onAlertStatusUpdateSuccess: (count: number, status: Status) => void;
@@ -211,6 +214,7 @@ export const getAlertActions = ({
   createTimeline,
   dispatch,
   ecsRowData,
+  nonEcsRowData,
   hasIndexWrite,
   onAlertStatusUpdateFailure,
   onAlertStatusUpdateSuccess,
@@ -281,6 +285,18 @@ export const getAlertActions = ({
     width: DEFAULT_ICON_BUTTON_WIDTH,
   };
 
+  const isEndpointAlert = () => {
+    const [module] = getMappedNonEcsValue({
+      data: nonEcsRowData,
+      fieldName: 'signal.original_event.module',
+    });
+    const [kind] = getMappedNonEcsValue({
+      data: nonEcsRowData,
+      fieldName: 'signal.original_event.kind',
+    });
+    return module === 'endpoint' && kind === 'alert';
+  };
+
   return [
     {
       ...getInvestigateInResolverAction({ dispatch, timelineId }),
@@ -305,15 +321,14 @@ export const getAlertActions = ({
     ...(FILTER_OPEN !== status ? [openAlertActionComponent] : []),
     ...(FILTER_CLOSED !== status ? [closeAlertActionComponent] : []),
     ...(FILTER_IN_PROGRESS !== status ? [inProgressAlertActionComponent] : []),
-    // TODO: disable this option if the alert is not an Endpoint alert
     {
       onClick: ({ ecsData, data }: TimelineRowActionOnClick) => {
-        const ruleNameValue = getMappedNonEcsValue({ data, fieldName: 'signal.rule.name' });
-        const ruleId = getMappedNonEcsValue({ data, fieldName: 'signal.rule.id' });
-        if (ruleId !== undefined && ruleId.length > 0) {
+        const [ruleName] = getMappedNonEcsValue({ data, fieldName: 'signal.rule.name' });
+        const [ruleId] = getMappedNonEcsValue({ data, fieldName: 'signal.rule.id' });
+        if (ruleId !== undefined) {
           openAddExceptionModal({
-            ruleName: ruleNameValue ? ruleNameValue[0] : '',
-            ruleId: ruleId[0],
+            ruleName: ruleName ?? '',
+            ruleId,
             exceptionListType: 'endpoint',
             alertData: {
               ecsData,
@@ -323,20 +338,20 @@ export const getAlertActions = ({
         }
       },
       id: 'addEndpointException',
-      isActionDisabled: () => !canUserCRUD || !hasIndexWrite,
+      isActionDisabled: () => !canUserCRUD || !hasIndexWrite || !isEndpointAlert(),
       dataTestSubj: 'add-endpoint-exception-menu-item',
       ariaLabel: 'Add Endpoint Exception',
       content: <EuiText size="m">{i18n.ACTION_ADD_ENDPOINT_EXCEPTION}</EuiText>,
       displayType: 'contextMenu',
     },
     {
       onClick: ({ ecsData, data }: TimelineRowActionOnClick) => {
-        const ruleNameValue = getMappedNonEcsValue({ data, fieldName: 'signal.rule.name' });
-        const ruleId = getMappedNonEcsValue({ data, fieldName: 'signal.rule.id' });
-        if (ruleId !== undefined && ruleId.length > 0) {
+        const [ruleName] = getMappedNonEcsValue({ data, fieldName: 'signal.rule.name' });
+        const [ruleId] = getMappedNonEcsValue({ data, fieldName: 'signal.rule.id' });
+        if (ruleId !== undefined) {
           openAddExceptionModal({
-            ruleName: ruleNameValue ? ruleNameValue[0] : '',
-            ruleId: ruleId[0],
+            ruleName: ruleName ?? '',
+            ruleId,
             exceptionListType: 'detection',
             alertData: {
               ecsData,
 
@@ -22,7 +22,10 @@ import { inputsSelectors, State, inputsModel } from '../../../common/store';
 import { timelineActions, timelineSelectors } from '../../../timelines/store/timeline';
 import { TimelineModel } from '../../../timelines/store/timeline/model';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
-import { useManageTimeline } from '../../../timelines/components/manage_timeline';
+import {
+  useManageTimeline,
+  TimelineRowActionArgs,
+} from '../../../timelines/components/manage_timeline';
 import { useApolloClient } from '../../../common/utils/apollo_context';
 
 import { updateAlertStatusAction } from './actions';
@@ -48,7 +51,6 @@ import {
   displaySuccessToast,
   displayErrorToast,
 } from '../../../common/components/toasters';
-import { Ecs } from '../../../graphql/types';
 import { getInvestigateInResolverAction } from '../../../timelines/components/timeline/body/helpers';
 import {
   AddExceptionModal,
@@ -321,12 +323,13 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
 
   // Send to Timeline / Update Alert Status Actions for each table row
   const additionalActions = useMemo(
-    () => (ecsRowData: Ecs) =>
+    () => ({ ecsData, nonEcsData }: TimelineRowActionArgs) =>
       getAlertActions({
         apolloClient,
         canUserCRUD,
         createTimeline: createTimelineCallback,
-        ecsRowData,
+        ecsRowData: ecsData,
+        nonEcsRowData: nonEcsData,
         dispatch,
         hasIndexWrite,
         onAlertStatusUpdateFailure,
@@ -401,9 +404,12 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
     closeAddExceptionModal();
   }, [closeAddExceptionModal]);
 
-  const onAddExceptionConfirm = useCallback(() => {
-    closeAddExceptionModal();
-  }, [closeAddExceptionModal]);
+  const onAddExceptionConfirm = useCallback(
+    (didCloseAlert: boolean) => {
+      closeAddExceptionModal();
+    },
+    [closeAddExceptionModal]
+  );
 
   if (loading || isEmpty(signalsIndex)) {
     return (
 
@@ -43,6 +43,7 @@ import {
   defaultEndpointExceptionItems,
   entryHasListType,
   entryHasNonEcsType,
+  getMappedNonEcsValue,
 } from '../helpers';
 import { useFetchIndexPatterns } from '../../../../alerts/containers/detection_engine/rules';
 
@@ -65,7 +66,7 @@ interface AddExceptionModalProps {
     nonEcsData: TimelineNonEcsData[];
   };
   onCancel: () => void;
-  onConfirm: () => void;
+  onConfirm: (didCloseAlert: boolean) => void;
 }
 
 const Modal = styled(EuiModal)`
@@ -130,8 +131,8 @@ export const AddExceptionModal = memo(function AddExceptionModal({
   );
   const onSuccess = useCallback(() => {
     displaySuccessToast(i18n.ADD_EXCEPTION_SUCCESS, dispatchToaster);
-    onConfirm();
-  }, [dispatchToaster, onConfirm]);
+    onConfirm(shouldCloseAlert);
+  }, [dispatchToaster, onConfirm, shouldCloseAlert]);
 
   const [{ isLoading: addExceptionIsLoading }, addOrUpdateExceptionItems] = useAddOrUpdateException(
     {
@@ -193,6 +194,12 @@ export const AddExceptionModal = memo(function AddExceptionModal({
     indexPatterns,
   ]);
 
+  useEffect(() => {
+    if (shouldDisableBulkClose === true) {
+      setShouldBulkCloseAlert(false);
+    }
+  }, [shouldDisableBulkClose]);
+
   const onCommentChange = useCallback(
     (value: string) => {
       setComment(value);
@@ -214,18 +221,33 @@ export const AddExceptionModal = memo(function AddExceptionModal({
     [setShouldBulkCloseAlert]
   );
 
+  const retrieveAlertOsTypes = useCallback(() => {
+    const osDefaults = ['windows', 'macos', 'linux'];
+    if (alertData) {
+      const osTypes = getMappedNonEcsValue({
+        data: alertData.nonEcsData,
+        fieldName: 'host.os.family',
+      });
+      if (osTypes.length === 0) {
+        return osDefaults;
+      }
+      return osTypes;
+    }
+    return osDefaults;
+  }, [alertData]);
+
   const enrichExceptionItems = useCallback(() => {
     let enriched: Array<ExceptionListItemSchema | CreateExceptionListItemSchema> = [];
     enriched =
       comment !== ''
         ? enrichExceptionItemsWithComments(exceptionItemsToAdd, [{ comment }])
         : exceptionItemsToAdd;
     if (exceptionListType === 'endpoint') {
-      const osTypes = alertData ? ['windows'] : ['windows', 'macos', 'linux'];
+      const osTypes = retrieveAlertOsTypes();
       enriched = enrichExceptionItemsWithOS(enriched, osTypes);
     }
     return enriched;
-  }, [comment, exceptionItemsToAdd, exceptionListType, alertData]);
+  }, [comment, exceptionItemsToAdd, exceptionListType, retrieveAlertOsTypes]);
 
   const onAddExceptionConfirm = useCallback(() => {
     if (addOrUpdateExceptionItems !== null) {
 
@@ -37,7 +37,7 @@ import { AddExceptionComments } from '../add_exception_comments';
 import {
   enrichExceptionItemsWithComments,
   enrichExceptionItemsWithOS,
-  getOsTagValues,
+  getOperatingSystems,
   entryHasListType,
   entryHasNonEcsType,
 } from '../helpers';
@@ -135,6 +135,12 @@ export const EditExceptionModal = memo(function EditExceptionModal({
     indexPatterns,
   ]);
 
+  useEffect(() => {
+    if (shouldDisableBulkClose === true) {
+      setShouldBulkCloseAlert(false);
+    }
+  }, [shouldDisableBulkClose]);
+
   const handleBuilderOnChange = useCallback(
     ({
       exceptionItems,
@@ -167,7 +173,7 @@ export const EditExceptionModal = memo(function EditExceptionModal({
       ...(comment !== '' ? [{ comment }] : []),
     ]);
     if (exceptionListType === 'endpoint') {
-      const osTypes = exceptionItem._tags ? getOsTagValues(exceptionItem._tags) : ['windows'];
+      const osTypes = exceptionItem._tags ? getOperatingSystems(exceptionItem._tags) : [];
       enriched = enrichExceptionItemsWithOS(enriched, osTypes);
     }
     return enriched;
@@ -199,6 +205,8 @@ export const EditExceptionModal = memo(function EditExceptionModal({
         {!isSignalIndexLoading && (
           <>
             <ModalBodySection className="builder-section">
+              <EuiText>{i18n.EXCEPTION_BUILDER_INFO}</EuiText>
+              <EuiSpacer />
               <ExceptionBuilder
                 exceptionListItems={[exceptionItem]}
                 listType={exceptionListType}
 
@@ -47,7 +47,7 @@ export const ENDPOINT_QUARANTINE_TEXT = i18n.translate(
 );
 
 export const EXCEPTION_BUILDER_INFO = i18n.translate(
-  'xpack.securitySolution.exceptions.addException.infoLabel',
+  'xpack.securitySolution.exceptions.editException.infoLabel',
   {
     defaultMessage: "Alerts are generated when the rule's conditions are met, except when:",
   }
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ export const ENDPOINT_QUARANTINE_TEXT = i18n.translate(`
`47`	`47`	`);`
`48`	`48`
`49`	`49`	`export const EXCEPTION_BUILDER_INFO = i18n.translate(`
`50`		`- 'xpack.securitySolution.exceptions.addException.infoLabel',`
	`50`	`+ 'xpack.securitySolution.exceptions.editException.infoLabel',`
`51`	`51`	`{`
`52`	`52`	`defaultMessage: "Alerts are generated when the rule's conditions are met, except when:",`
`53`	`53`	`}`