[Actions] Introduce the isSystemAction property to actions

[cnasikas]

Summary

This PR introduces the isSystemAction: boolean to the ActionResult type. It also, adds the same to the ActionType type. I added validation to verify that system actions cannot be registered at the moment. More PRs are going to follow to incrementally build the feature.

Related: #160367

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[cnasikas]

@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/uptime (Team:uptime)

[shahzad31]

is it possible to move this util to actions plugin? or reuse?

[cnasikas]

I think it is better if the action plugin exposes a function that does the API call and the transformation as we do in cases. I think the recommendation is to not call the APIs of other plugins directly but use a thin client. This way the team can do changes in the API without affecting other teams. This will also be helpful when versioning our endpoints. @pmuellr Is there any issue for that?

[pmuellr]

I'm not aware of explicit issues covering this - sounds like a nice addition to the client-side actions plugin. If I understand correctly. Open an issue?

[cnasikas]

Ok, I will open an issue. @shahzad31 What do you think of this approach (addressing it on another PR)?

[cnasikas]

Done #160902

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: ee5df7b
• Storybooks Preview

Failed CI Steps

• Explore - Security Solution Tests #1

Test Failures

• [job] [logs] Explore - Security Solution Tests #1 / Overflow items Network stats and tables Shows Hover actions for more items in the popover

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
actions	263	265	+2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
stackConnectors	440.7KB	440.7KB	+18.0B
synthetics	907.1KB	907.2KB	+36.0B
triggersActionsUi	1.4MB	1.4MB	+18.0B
uptime	518.8KB	518.8KB	+36.0B
total			+108.0B

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
triggersActionsUi	49	50	+1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
cases	143.2KB	143.3KB	+25.0B
triggersActionsUi	86.7KB	86.8KB	+108.0B
total			+133.0B

Unknown metric groups

API count

id	before	after	diff
actions	268	270	+2

ESLint disabled line counts

id	before	after	diff
enterpriseSearch	14	16	+2
securitySolution	413	417	+4
total			+6

Total ESLint disabled count

id	before	after	diff
enterpriseSearch	15	17	+2
securitySolution	492	496	+4
total			+6

History

• 💔 Build #138998 failed a8e7143
• 💔 Build #138982 failed b070bd9
• 💔 Build #138973 failed 45e260503c20396d9f01be2e235ca27280fe1047
• 💔 Build #138943 failed 85ca6a4
• 💔 Build #138905 failed 774b389

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @cnasikas

[shahzad31]

LGTM !!

Probably a follow up to discuss using client to fetch list of connector !!

[shahzad31]

LGTM !!

Probably a follow up to discuss using client to fetch list of connector !!

[machadoum]

security-threat-hunting-explore changes LGTM!

[ymao1]

LGTM! Verified upgrading existing connectors still loads, exporting/importing works and listing all connectors via the API shows the new property.

[banderror]

Hey @cnasikas, could you please provide links to product tickets or any other context for what this change is related to and what does isSystemAction property mean?

[cnasikas]

Hey @cnasikas, could you please provide links to product tickets or any other context for what this change is related to and what does isSystemAction property mean?

Hey @banderror! Sorry my mistake, I should have put them in the description. This is one of many PRs to support System (Response) actions in the actions' framework like OsQuery, Isolating a host, etc. Here is the issue #160367. At the bottom, you can find all related tickets.

[pmuellr]

If you imagine we end up changing isPreconfigured to isInMemory or similiar, we'd end up probably wanting isPreconfigured to be true, whenever isSystemAction is true. That way, we won't have to change any of our current isPreconfigured checks, that are typically to check if it's persisted as an SO or not.

[cnasikas]

I don't know how this will play out in the UI yet. I suspect that we would like to have the separation. I will keep your suggestion in mind when the time comes. In the backend, we should have the separation as we treat the preconfigured and the system actions a bit differently.

[pmuellr]

LGTM

[banderror]

Detection Rule Management changes LGTM 👍

Thanks for providing the context info, I read the #160367 ticket and have a few questions.

1. Do you or @patrykkopycinski already have a plan for migrating Response Actions from Security Solution to the Framework? Or is this on any team's roadmap? I saw #155644 but it doesn't have any version labels etc.

2. Is there any clarity around exporting/importing system actions? In Security Solution, we have our own Detection API endpoints for exporting and importing rules. With rules, we also export and import connectors, if any of the rules have actions related to them. Do you have any recommendations for how should we handle system actions in these endpoints? I'd assume we should skip exporting them and ignore them or return an error on import.

Here's a function that is called when the detection rule export endpoint gets the connectors to be exported:

kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_rule_action_connectors.ts

Lines 46 to 57 in df408bd

	const filterOutPredefinedActionConnectorsIds = async (
	actionsClient: ActionsClient,
	actionsIdsToExport: string[]
	): Promise<string[]> => {
	const allActions = await actionsClient.getAll();
	const predefinedActionsIds = allActions
	.filter(({ isPreconfigured }) => isPreconfigured)
	.map(({ id }) => id);
	if (predefinedActionsIds.length)
	return actionsIdsToExport.filter((id) => !predefinedActionsIds.includes(id));
	return actionsIdsToExport;
	};

[banderror]

It would be great to start documenting at least public interfaces that are exported from the Framework -- for us on the solution side it's often hard to navigate the Framework's code, but we need to do it from time to time.

Here we could add a JSDoc comment with a description of the field and a link to #160367.

[cnasikas]

Good point! I will do it in the following PRs as I will probably introduce more types.

[cnasikas]

Thank you @banderror! We target 8.10 for the system actions. The migration should be handled by the Security solution team. @patrykkopycinski and the team are aware of our work. We are working with @kobelb to find a seamless backward compatibility migration path. We will let you know about it soon.

Regarding, import/export we will not support it for system actions as they should always be available in every deployment (they are created on Kibana startup on the fly). I was not aware of this functionality in Security Solution. I will address it myself in the following PRs when I do the same for the import/export from the stack management. Thanks for letting me know!