[SIEM][Detection Engine] - Update UI to read rule exceptions_list

[yctercero]

Summary

This PR tries to start to tie together the recent server and client changes for exceptions lists.

• Updates graphql types to allow UI access to a rule's exceptions_list property
• Updates the exception viewer component to now dynamically take the rule exceptions_list, up until now we just had an empty array in it's place
• Updates the viewer UI to better deal with spacing when an exception list item only has one or two entries (before the and badge with the antennas was stretching passed the exception items to fill the space)
• Updates the detections engine exceptions logic to fetch list items using an exception list's id as opposed to it's list_id, this now aligns with the UI using the same params on its end
• Adds unit tests for the detection engine server side util that fetches the exception list items

With this PR, you should now be able to use the API to create rules with exception lists and see the alerts filtered in the UI as well as seeing the exceptions show now in the exceptions viewer. See #69715 TO DO section for an explanation on the remaining updates needed to the filtering logic.

Testing

To turn on lists plugin - in kibana.dev.yml

# Enable lists feature
xpack.lists.enabled: true
xpack.lists.listIndex: '.lists-yara'
xpack.lists.listItemIndex: '.items-yara'

Add export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true to your bash file.

Use the scripts in x-pack/plugins/lists/server/scripts to create some sample exception lists and items. You can use the following:

If you've previously played around with lists, run ./hard_reset.sh (this will delete any lists you've created).

Create large value list:

• Create large value list ./post_list.sh
• Create large value list item ./post_list_item.sh (I modified the value to be "value": "10.4.2.140")

Create exception list:

• Create exception list ./post_exception_list.sh
• Create exception list item ./post_exception_list_item.sh ./exception_lists/new/exception_list_item_with_list.json

Use the scripts in x-pack/plugins/security_solution/server/lib/detection_engine/scripts to create rule:
Before running script, you'll need to update the referenced exceptions_list id to the one you created

• Run ./post_rule.sh ./rules/queries/query_with_list.json (Makes reference to the exception list created in step above)

In the Alerts table, you should see something like the following where you only see events where the event.module is zeek and source.ip is 10.4.2.140 (or whatever ip you specified).

Go to your newly created rule details and on the Exceptions tab you should see something like this:

Checklist

• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser
• This was checked for cross-browser compatibility, including a check against IE11

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[rylnd]

Was this changed to snake case to match the request body? I would expect it to be namespaceType everywhere except the API call, which sends namespace_type: namespaceType

[yctercero]

Yea it was. Would I specify that change from namespace_type to namespaceType in the graphql types?

[yctercero]

Working to update this and a found bug.

[yctercero]

Ideally, we'd be transforming all of the rule params to camel case when we fetch them in use_rule / use_rules. This is a temporary workaround.

[elasticmachine]

Pinging @elastic/apm-ui (Team:apm)

[kibanamachine]

💔 Build Failed

• continuous-integration/kibana-ci/pull-request
• Commit: 372c32f
• Pipeline Steps (look for red circles / failed steps)
• Interpreting CI Failures

Failed CI Steps

• Execute kibana-intake

Build metrics

@kbn/optimizer bundle module count

id	value	diff	baseline
securitySolution	815	+24	791

History

• 💔 Build #58523 failed 4f65a02
• 💔 Build #58505 failed 001be67
• 💔 Build #58424 failed ff28bac
• 💚 Build #56329 succeeded 223869e

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)