
[AI4DSOC] Add possibility to disable Stack Rules, Rules Settings and Maintenance window based on Serverless Tier#214586

Merged
tomsonpl merged 25 commits into elastic:main from tomsonpl:hide-alerting-features
Apr 22, 2025

Conversation

@tomsonpl
Contributor

@tomsonpl tomsonpl commented Mar 14, 2025

Description

Disable Rules Settings, Maintenance Window, and Rules UI in Search AI Lake Tier (AI for the SOC product).

This PR adds configuration options to disable Rules Settings, Maintenance Window, and Rules UI in the Search AI Lake tier. These changes are part of the effort to streamline the feature set available in this specific tier.


Changes

  • Added configuration flags in serverless.security.search_ai_lake.yml:

    xpack.alerting.maintenanceWindow.enabled: false
    xpack.alerting.rulesSettings.enabled: false
    xpack.trigger_actions_ui.rules.enabled: false
  • Modified the alerting plugin to support enabling/disabling rule settings and maintenance window features

  • Modified the triggers_actions_ui plugin to support enabling/disabling the Stack Rules UI


Testing

  • Verified that when these settings are disabled in the Search AI Lake tier:
    • Maintenance Window UI is not accessible
    • Stack Rules is not registered in the management section
    • Rules Settings UI is not accessible (can this exist without Stack Rules?)

Please add the following configuration to your serverless.security.dev.yml file:

xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]

Closes: https://github.com/elastic/security-team/issues/12099
Closes: https://github.com/elastic/security-team/issues/12100

Partially Closes: https://github.com/elastic/security-team/issues/12396

@tomsonpl tomsonpl self-assigned this Mar 14, 2025
@tomsonpl
Contributor Author

/ci

@tomsonpl
Contributor Author

/ci

@tomsonpl
Contributor Author

/ci

@tomsonpl
Contributor Author

tomsonpl commented Apr 2, 2025

/ci

@tomsonpl tomsonpl marked this pull request as ready for review April 2, 2025 15:13
@tomsonpl tomsonpl requested review from a team as code owners April 2, 2025 15:13
@tomsonpl tomsonpl added labels release_note:skip (Skip the PR/issue when compiling release notes), Team:Security Generative AI, backport:version (Backport to applied version labels), v9.1.0 on Apr 2, 2025
Comment on lines +5 to +6
xpack.alerting.maintenanceWindow.enabled: false
xpack.alerting.rulesSettings.enabled: false
Contributor


note: If I understand correctly these two entries don't disable plugins, they look more like feature flags of the alerting plugin that's enabled, so maybe you should place them under something other than the ## Disable plugins section?

I know we don't do this frequently, but it'd be super helpful to future readers if the comments in the config file would clarify why exactly you set what you set.

Contributor Author

@tomsonpl tomsonpl Apr 4, 2025


Hmm, do you mean something like ## Disable features next to plugins? Since these 2 are part of a plugin's features and not a plugin itself?

Contributor Author


Added a comment :) Thanks @azasypkin !

@pmuellr
Contributor

pmuellr commented Apr 4, 2025

@cnasikas I'm wondering a couple things regarding not registering the feature:

  • do we have other scenarios where we don't register certain features? I'm not sure we do, and wondering what the effects would be
  • how will routes respond when the feature is not enabled? There's nothing directly here about the routes, so I assume you can still use them, but wondering what's going to happen. I think ideally, the routes would all respond with a "not authorized" sort of response (feels like and looks like that's what it should/will do)
  • I think we probably want a FT for this scenario to make sure we get the right response for MW and settings when the features are disabled; I think hitting a single API for each is fine, presumably we have auth tests for all this anyway so one API should be good enough to test for this scenario
  • BWC / ZDT issues - there doesn't seem to be any issues of that sort directly in this code, but where we run into issues with config changes is when older versions end up seeing new config - like kibana controller adding settings before all the running kibanas can accept the change. I think if the changes to use these new settings are confined to config/serverless.security.search_ai_lake.yml and nowhere outside of Kibana (eg, the controller), we should be good.

@tomsonpl - could you try using some of the mw routes with a Kibana instance with these features disabled to see what the results are? They aren't doc'd but you can find them under
x-pack/platform/plugins/shared/alerting/server/routes/maintenance_window/apis

@tomsonpl
Contributor Author

tomsonpl commented Apr 4, 2025

Hey @pmuellr thanks for your comment, these are totally valid concerns.

I tested API routes to create a new MW:

POST kbn:/internal/alerting/rules/maintenance_window
{
    "title": "test",
    "duration": 1000,
    "r_rule": {
        "dtstart": "1743775356936"
    }
}

which returned a validation error, so the route is registered anyway - my hope was that the routes are not being registered.

When I enter http://0.0.0.0:5601/app/management/insightsAndAlerting/maintenanceWindows with the feature not enabled, it shows the Management main page (without changing the URL).

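The exchange above makes a point worth showing in code: hiding the Maintenance Windows page in Management does nothing for API callers, and the route still accepts (or validates) requests until the server gates it on the same flag. The block below is an added example, not Kibana's or this PR's code. The `xpack.alerting.maintenanceWindow.enabled` / `rulesSettings.enabled` keys and the request body are taken from the thread; the `Router` class, `featureGated` wrapper, handler names and the `Capabilities` shape are hypothetical stand-ins for the real plugin APIs. It also shows the client-side counterpart: treating an absent `maintenanceWindow` capability as "not available" instead of assuming the key exists.

```typescript
// Added example (not Kibana's own code): a minimal model of "feature hidden in
// the UI" versus "feature disabled on the server". The config keys mirror the
// PR's xpack.alerting.* flags; Router, the handlers and the Capabilities shape
// are hypothetical stand-ins for the real plugin APIs.

interface AlertingConfig {
  maintenanceWindow: { enabled: boolean };
  rulesSettings: { enabled: boolean };
}

interface HttpResponse {
  status: number;
  body: { message?: string; id?: string };
}
type Handler = (body: unknown) => HttpResponse;

// Tiny in-memory router keyed by "METHOD path".
class Router {
  private readonly routes = new Map<string, Handler>();

  register(method: string, path: string, handler: Handler): void {
    this.routes.set(`${method} ${path}`, handler);
  }

  request(method: string, path: string, body?: unknown): HttpResponse {
    const handler = this.routes.get(`${method} ${path}`);
    if (handler === undefined) {
      return { status: 404, body: { message: 'Not Found' } };
    }
    return handler(body);
  }
}

const MW_PATH = '/internal/alerting/rules/maintenance_window';

interface CreateMwBody {
  title: string;
  duration: number;
  r_rule: { dtstart: string };
}

// Structural check of the request body; a malformed body gets 400 before any
// business logic runs, which is the "validation error" seen in the thread.
function isCreateMwBody(body: unknown): body is CreateMwBody {
  if (typeof body !== 'object' || body === null) return false;
  const b = body as Record<string, unknown>;
  const rRule = b.r_rule as Record<string, unknown> | undefined;
  return (
    typeof b.title === 'string' &&
    typeof b.duration === 'number' &&
    typeof rRule === 'object' &&
    rRule !== null &&
    typeof rRule.dtstart === 'string'
  );
}

function createMaintenanceWindow(body: unknown): HttpResponse {
  if (!isCreateMwBody(body)) {
    return { status: 400, body: { message: 'Request validation failed' } };
  }
  return { status: 200, body: { id: 'mw-1', message: `created ${body.title}` } };
}

// Server-side gate: when the flag is off the handler is never reached. 403
// matches what a caller without the privilege would see; return 404 here
// instead if the route should not even be discoverable.
function featureGated(enabled: boolean, handler: Handler): Handler {
  return (body) =>
    enabled ? handler(body) : { status: 403, body: { message: 'Forbidden: feature is disabled' } };
}

// "Before": the route is registered unconditionally, so hiding the page in
// Management changes nothing for API callers.
function buildUiOnlyRouter(): Router {
  const router = new Router();
  router.register('POST', MW_PATH, createMaintenanceWindow);
  return router;
}

// "After": the same flag that hides the UI also gates the API.
function buildGatedRouter(config: AlertingConfig): Router {
  const router = new Router();
  router.register('POST', MW_PATH, featureGated(config.maintenanceWindow.enabled, createMaintenanceWindow));
  return router;
}

// Client side: when a feature is not registered its capability key may be
// absent altogether; treat undefined as "not available" instead of crashing.
interface Capabilities {
  maintenanceWindow?: { show?: boolean };
}
function canShowMaintenanceWindows(caps: Capabilities): boolean {
  return caps.maintenanceWindow?.show === true;
}

// Constructed inputs: the Search AI Lake flags from the PR and the request
// body the author posted in the thread.
const searchAiLakeConfig: AlertingConfig = {
  maintenanceWindow: { enabled: false },
  rulesSettings: { enabled: false },
};
const createRequest = { title: 'test', duration: 1000, r_rule: { dtstart: '1743775356936' } };

// Runs the same create call against both routers and reports what a caller sees.
function compare(): { uiOnly: number; gated: number; uiVisible: boolean } {
  return {
    uiOnly: buildUiOnlyRouter().request('POST', MW_PATH, createRequest).status,
    gated: buildGatedRouter(searchAiLakeConfig).request('POST', MW_PATH, createRequest).status,
    uiVisible: canShowMaintenanceWindows({}),
  };
}
```

With the Search AI Lake flags, `compare()` returns 200 for the UI-only router (the maintenance window is created even though no page links to it) and 403 for the gated one, while the client helper reports the feature as not visible because the capability key is simply absent. The practical check for a PR like this one is the second number: a functional test that hits one maintenance window route and one rules settings route with the flags off and asserts on a non-2xx status.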
@tomsonpl
Contributor Author

tomsonpl commented Apr 8, 2025

Is there anything I can do here to help review this? :) Thanks!
cc: @cnasikas @pmuellr

@tomsonpl tomsonpl marked this pull request as draft April 9, 2025 19:38
@tomsonpl tomsonpl added backport:skip (This PR does not require backporting) and removed backport:version (Backport to applied version labels) on Apr 28, 2025
@mgiota
Contributor

mgiota commented May 27, 2025

I am in the process of backporting my PR into 8.19 and while resolving some conflicts in my PR, I noticed this PR was not backported. @pmuellr Here's a Slack thread with more info on the topic of backporting stuff into 8.19

@tomsonpl tomsonpl added backport:version (Backport to applied version labels), v8.19.0 and removed backport:skip (This PR does not require backporting) on May 27, 2025
@kibanamachine
Contributor

Starting backport for target branches: 8.19

https://github.com/elastic/kibana/actions/runs/15273422197

@kibanamachine
Contributor

Starting backport for target branches: 8.19

https://github.com/elastic/kibana/actions/runs/15273422284

@tomsonpl
Contributor Author

Hey, thanks for raising this! I looked for some more detailed information on what should be merged, and I think you're right, in the end this one should be backported.
I'll try to get it done today.

@kibanamachine
Contributor

💔 All backports failed

Branch 8.19: Backport failed because of merge conflicts

You might need to backport the following PRs to 8.19:
- [ftr] split x-pack discover config (#217483)

Manual backport

To create the backport manually run:

node scripts/backport --pr 214586

Questions ?

Please refer to the Backport tool documentation

@tomsonpl
Contributor Author

💚 All backports created successfully

Branch 8.19: backport PR created

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

@tomsonpl
Contributor Author

I created a backport manually where I kept all the alerting code changes but did not include the AI SOC parts, since the functionality is dependent on other PRs not merged to 8.19.

tomsonpl added a commit to tomsonpl/kibana that referenced this pull request May 27, 2025
…Maintenance window based on Serverless Tier (elastic#214586)

(cherry picked from commit 6356f2c)

# Conflicts:
#	.buildkite/ftr_platform_stateful_configs.yml
#	config/serverless.security.search_ai_lake.yml
#	src/platform/test/plugin_functional/test_suites/core_plugins/rendering.ts
#	x-pack/platform/plugins/shared/alerting/server/config.test.ts
#	x-pack/platform/plugins/shared/alerting/server/config.ts
#	x-pack/platform/plugins/shared/alerting/server/index.ts
#	x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts
#	x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/constants.ts
#	x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/navigation/navigation.cy.ts
#	x-pack/test/security_solution_cypress/cypress/urls/navigation.ts
@kibanamachine kibanamachine added the backport missing label (Added to PRs automatically when they are determined to be missing a backport) on May 28, 2025
@kibanamachine
Contributor

Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.
cc: @tomsonpl

akowalska622 pushed a commit to akowalska622/kibana that referenced this pull request May 29, 2025
…nanceWindow capability (elastic#218999)

## Summary

This PR fixes an issue with the ResponseOps alerts table not handling
the `maintenanceWindow` capability being `undefined`. In the AI4DSOC
effort, [we recently
disabled](elastic#214586) the
`maintenanceWindow` capability which caused the
`useBulkGetMaintenanceWindowsQuery` hook to crash.

Current behavior


https://github.com/user-attachments/assets/8ab8c97f-04a0-45cb-95e7-cc9114e87190

Fixed behavior


https://github.com/user-attachments/assets/0749bda3-7838-47b7-a65b-5c9b6a92a245

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

relates to elastic/security-team#11973

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
@kibanamachine
Contributor

Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.
cc: @tomsonpl

tomsonpl added a commit to tomsonpl/kibana that referenced this pull request May 30, 2025
…Maintenance window based on Serverless Tier (elastic#214586)

(cherry picked from commit 6356f2c)

# Conflicts:
#	.buildkite/ftr_platform_stateful_configs.yml
#	config/serverless.security.search_ai_lake.yml
#	src/platform/test/plugin_functional/test_suites/core_plugins/rendering.ts
#	x-pack/platform/plugins/shared/alerting/server/config.test.ts
#	x-pack/platform/plugins/shared/alerting/server/config.ts
#	x-pack/platform/plugins/shared/alerting/server/index.ts
#	x-pack/platform/plugins/shared/triggers_actions_ui/public/plugin.ts
#	x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts
#	x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/constants.ts
#	x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/navigation/navigation.cy.ts
#	x-pack/test/security_solution_cypress/cypress/urls/navigation.ts
@tomsonpl
Contributor Author

💚 All backports created successfully

Branch 8.19: backport PR created

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

@kibanamachine
Contributor

Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.
cc: @tomsonpl

PhilippeOberti added a commit to PhilippeOberti/kibana that referenced this pull request May 30, 2025
tomsonpl added a commit that referenced this pull request Jun 2, 2025
…gs and Maintenance window based on Serverless Tier (#214586) (#221998)
@kibanamachine kibanamachine removed the backport missing label (Added to PRs automatically when they are determined to be missing a backport) on Jun 2, 2025
PhilippeOberti added a commit to PhilippeOberti/kibana that referenced this pull request Jun 4, 2025
Labels

backport:version (Backport to applied version labels), release_note:skip (Skip the PR/issue when compiling release notes), Team:Security Generative AI, v8.19.0, v9.1.0
