[Security Solution][Exceptions] - Add exception list duplication options with and without expired items

[yctercero]

Summary

Adds the following:

• Add the option to duplicate from the shared exception list management actions dropdowns
  • User can select to include exception items with expired TTL
  • User can select to not include exception items with expired TTL
  • Cypress tests added for both options

• Add the option to duplicate from the shared exception list details header actions dropdowns
  • User can select to include exception items with expired TTL
  • User can select to not include exception items with expired TTL
  • On duplicate, user is redirected to newly created list
  • Cypress tests added for both options

• Add the option to include or exclude exception items with expired TTL when bulk duplicating rules from rules management page
  • Cypress tests added for both options

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[dplumlee]

Pulled down and tested all three scenarios, looks good from an alert area pov. Great test coverage!

[dplumlee]

This isn't necessarily a comment for your PR but we should perhaps centralize this filter string since it's used just about every place we have to filter for/against expired exceptions and probably will be going forward. I know we have this for an array of SavedObjectType's but nothing else.

[yctercero]

Good point! I can probably do a follow up with this. My only hesitation doing it here is trying not to increase the number of files touched since it's already much more than anticipated.

[nastasha-solomon]

Thanks for tagging the docs team for the UI copy, @yctercero! Please find my suggestions below.

Confirmation prompt to duplicate expired exception items

Does this prompt only appear after users choose to duplicate a shared exception list with expired exception items? If it does, I recommend some minor tweaks:

• Title: Duplicate expired exceptions?
• Body text: This exception list has expired exceptions. Switch the toggle off if you don't want to duplicate them.
• Button: Duplicate

If this prompt appears after users choose to duplicate a shared exception list or it appears regardless of whether the list contains expired exception items, I'd suggest something different. I'll hold off on that for now though.

Confirmation prompt to duplicate rule

Title
To clarify, does this prompt appear regardless of whether the rule has an exception? If that's the case, I think the title should reflect the primary action the user is taking, which is duplicating the rule. With that in mind, here's my suggestion for the title:
Duplicate the rule?

Body
My recommendations for the body text if the user is only duplicating one rule:
You're duplicating 1 rule. Choose what to duplicate:

If the user is duplicating multiple rules:
You're duplicating 2 rules. Choose what to duplicate:

Options
My recs for the options if the user is only duplicating one rule:

• Only the rule
• The rule and its active exceptions
• The rule and all of its exceptions (active and expired)

If the user is duplicating multiple rules:

• Only the rules
• The rules and their active exceptions
• The rules and all of their exceptions (active and expired)

[spong]

nit: Maybe have useBulkDuplicateExceptionsConfirmation's showBulkDuplicateConfirmation return object also include include_exceptions/include_expired_exceptions bools thus encapsulating this logic?

Was just thinking how to DRY this out since it's used a few places, no biggie either way.

[spong]

Reviewed rules area code changes, checked out, tested locally and LGTM! 👍 🚀

Great stuff here @yctercero 🎉 I left a few nits, but nothing major. Really appreciate the thorough test coverage you added here .

I tested both the Rules Table/Details bulk_editing paths, along with the Shared Exceptions UI duplication as well. Didn't find any issues, and everything looked as expected (even when duplicating lists with only expired exception items :).

[nkhristinin]

LGTM! Nice work @yctercero

I only have one question, currently the rule duplication modal window looks like that.

And for me, options is more confusing than it was here

[michaelolo24]

Thanks for the comments. Really helpful!

[michaelolo24]

Investigations changes - Seems like they were only cypress tests, so might be worth updating codeowners or re-organizing the files later on as most of these don't affect us

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 68042a4

Failed CI Steps

• FTR Configs #8
• Security Solution Tests #3

Test Failures

• [job] [logs] FTR Configs #8 / AIOps POST /internal/aiops/explain_log_rate_spikes - groups only with ecommerce should return group only in chunks with streaming without compression with flushFix
• [job] [logs] Security Solution Tests #3 / timeline flyout button the (+) button popover menu owns focus

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
lists	259	260	+1
securitySolution	3831	3832	+1
total			+2

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/securitysolution-io-ts-list-types	503	515	+12
@kbn/securitysolution-list-api	64	65	+1
@kbn/securitysolution-list-hooks	47	49	+2
total			+15

Any counts in public APIs

Total count of every any typed public API. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats any for more detailed information.

id	before	after	diff
@kbn/securitysolution-io-ts-list-types	1	0	-1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
lists	157.2KB	157.3KB	+78.0B
securitySolution	9.1MB	9.1MB	+7.0KB
total			+7.1KB

Unknown metric groups

API count

id	before	after	diff
@kbn/securitysolution-io-ts-list-types	516	528	+12
@kbn/securitysolution-list-api	67	69	+2
@kbn/securitysolution-list-hooks	60	62	+2
total			+16

ESLint disabled line counts

id	before	after	diff
securitySolution	394	397	+3

Total ESLint disabled count

id	before	after	diff
securitySolution	474	477	+3

History

• 💔 Build #122190 failed 68d49ef
• 💔 Build #121791 failed 0539797
• 💔 Build #121761 failed 3dfab5a
• 💚 Build #120072 succeeded c6e0949
• 💔 Build #120067 failed ff0e13c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @yctercero