[9.0] [ResponseOps][Security][Rules] Fix fields missing from Cases ac…

…tion in Security Solution rule form (#210547) (#211944)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[ResponseOps][Security][Rules] Fix fields missing from Cases action
in Security Solution rule form
(#210547)](#210547)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Umberto
Pepato","email":"umbopepato@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-02-20T17:36:39Z","message":"[ResponseOps][Security][Rules]
Fix fields missing from Cases action in Security Solution rule form
(#210547)\n\n## Summary\n\nCorrectly forwards the selected rule type id
to the actions form section\nin the Security Solution rule
creation/update flow.\nAdds a functional test case to cover the
bug.\n\n## To verify\n\n1. Navigate to `Security > Rules > Detection
rules > Create new rule`\n2. Fill in the first 3 steps\n3. In the
Actions step, select the Cases action\n4. Check that the `Group by alert
field` dropdown shows the correct\nalert fields\n5. Create the rule,
then repeat point 5 in the rule editing UI\n\n## References\n\nFixes
#210209","sha":"0abbd173b124bcb5f83a377c3923f57120f144e9","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:ResponseOps","v9.0.0","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[ResponseOps][Security][Rules]
Fix fields missing from Cases action in Security Solution rule
form","number":210547,"url":"https://github.com/elastic/kibana/pull/210547","mergeCommit":{"message":"[ResponseOps][Security][Rules]
Fix fields missing from Cases action in Security Solution rule form
(#210547)\n\n## Summary\n\nCorrectly forwards the selected rule type id
to the actions form section\nin the Security Solution rule
creation/update flow.\nAdds a functional test case to cover the
bug.\n\n## To verify\n\n1. Navigate to `Security > Rules > Detection
rules > Create new rule`\n2. Fill in the first 3 steps\n3. In the
Actions step, select the Cases action\n4. Check that the `Group by alert
field` dropdown shows the correct\nalert fields\n5. Create the rule,
then repeat point 5 in the rule editing UI\n\n## References\n\nFixes
#210209","sha":"0abbd173b124bcb5f83a377c3923f57120f144e9"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/210547","number":210547,"mergeCommit":{"message":"[ResponseOps][Security][Rules]
Fix fields missing from Cases action in Security Solution rule form
(#210547)\n\n## Summary\n\nCorrectly forwards the selected rule type id
to the actions form section\nin the Security Solution rule
creation/update flow.\nAdds a functional test case to cover the
bug.\n\n## To verify\n\n1. Navigate to `Security > Rules > Detection
rules > Create new rule`\n2. Fill in the first 3 steps\n3. In the
Actions step, select the Cases action\n4. Check that the `Group by alert
field` dropdown shows the correct\nalert fields\n5. Create the rule,
then repeat point 5 in the rule editing UI\n\n## References\n\nFixes
#210209","sha":"0abbd173b124bcb5f83a377c3923f57120f144e9"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Umberto Pepato <umbopepato@users.noreply.github.com>

x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/rule_actions_field/index.tsx

@@ -78,6 +78,7 @@ const NOTIFY_WHEN_OPTIONS: NotifyWhenSelectOptions[] = [
 ];
 
 interface Props {
+  ruleTypeId?: string;
   field: FieldHook;
   messageVariables: ActionVariables;
   summaryMessageVariables: ActionVariables;
@@ -113,6 +114,7 @@ const ContainerActions = styled.div.attrs(
 `;
 
 export const RuleActionsField: React.FC<Props> = ({
+  ruleTypeId,
   field,
   messageVariables,
   summaryMessageVariables,
@@ -246,6 +248,7 @@ export const RuleActionsField: React.FC<Props> = ({
         setActionAlertsFilterProperty,
         featureId: SecurityConnectorFeatureId,
         producerId: AlertConsumers.SIEM,
+        ruleTypeId,
         defaultActionMessage: FORM_FOR_EACH_ALERT_BODY_MESSAGE,
         defaultSummaryMessage: FORM_SUMMARY_BODY_MESSAGE,
         hideActionHeader: true,
@@ -255,15 +258,16 @@ export const RuleActionsField: React.FC<Props> = ({
         disableErrorMessages: !isFormValidated,
       }),
     [
-      actions,
       getActionForm,
+      actions,
       messageVariables,
       summaryMessageVariables,
-      setActionFrequency,
       setActionIdByIndex,
-      setActionParamsProperty,
       setAlertActionsProperty,
+      setActionParamsProperty,
+      setActionFrequency,
       setActionAlertsFilterProperty,
+      ruleTypeId,
       isFormValidated,
     ]
   );

x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.tsx

@@ -35,6 +35,7 @@ import { ResponseAction } from './response_action';
 
 interface StepRuleActionsProps extends RuleStepProps {
   ruleId?: RuleObjectId; // Rule SO's id (not ruleId)
+  ruleTypeId?: string;
   actionMessageParams: ActionVariables;
   summaryActionMessageParams: ActionVariables;
   form: FormHook<ActionsStepRule>;
@@ -72,6 +73,7 @@ const DisplayActionsHeader = () => {
 
 const StepRuleActionsComponent: FC<StepRuleActionsProps> = ({
   ruleId,
+  ruleTypeId,
   isUpdateView = false,
   actionMessageParams,
   summaryActionMessageParams,
@@ -90,11 +92,12 @@ const StepRuleActionsComponent: FC<StepRuleActionsProps> = ({
           componentProps={{
             messageVariables: actionMessageParams,
             summaryMessageVariables: summaryActionMessageParams,
+            ruleTypeId,
           }}
         />
       </>
     ),
-    [actionMessageParams, summaryActionMessageParams]
+    [actionMessageParams, ruleTypeId, summaryActionMessageParams]
   );
   const displayResponseActionsOptions = useMemo(() => {
     return (

x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/index.tsx

@@ -19,6 +19,7 @@ import {
 import React, { memo, useCallback, useRef, useState, useMemo, useEffect } from 'react';
 import styled from 'styled-components';
 
+import { ruleTypeMappings } from '@kbn/securitysolution-rules';
 import { useAppToasts } from '../../../../common/hooks/use_app_toasts';
 import {
   isMlRule,
@@ -731,6 +732,7 @@ const CreateRulePageComponent: React.FC = () => {
           }}
         >
           <StepRuleActions
+            ruleTypeId={ruleTypeMappings[ruleType]}
             isLoading={isCreateRuleLoading || loading || isStartingJobs}
             actionMessageParams={actionMessageParams}
             summaryActionMessageParams={actionMessageParams}
@@ -785,6 +787,7 @@ const CreateRulePageComponent: React.FC = () => {
       isCreateRuleLoading,
       isStartingJobs,
       loading,
+      ruleType,
       submitRuleDisabled,
       submitRuleEnabled,
     ]

x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_editing/index.tsx

@@ -22,6 +22,7 @@ import type { FC } from 'react';
 import React, { memo, useCallback, useMemo, useRef, useState } from 'react';
 import { useParams } from 'react-router-dom';
 
+import { ruleTypeMappings } from '@kbn/securitysolution-rules';
 import { useConfirmValidationErrorsModal } from '../../../../common/hooks/use_confirm_validation_errors_modal';
 import { useAppToasts } from '../../../../common/hooks/use_app_toasts';
 import { isEsqlRule } from '../../../../../common/detection_engine/utils';
@@ -336,6 +337,7 @@ const EditRulePageComponent: FC<{ rule: RuleResponse }> = ({ rule }) => {
               {actionsStepData != null && (
                 <StepRuleActions
                   ruleId={rule?.id}
+                  ruleTypeId={ruleTypeMappings[rule?.type]}
                   isLoading={isLoading}
                   isUpdateView
                   actionMessageParams={actionMessageParams}
@@ -370,6 +372,7 @@ const EditRulePageComponent: FC<{ rule: RuleResponse }> = ({ rule }) => {
       esqlQueryForAboutStep,
       rule.rule_source,
       rule?.id,
+      rule?.type,
       scheduleStepData,
       scheduleStepForm,
       actionsStepData,

x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_actions/rule_actions.cy.ts

@@ -5,6 +5,10 @@
  * 2.0.
  */
 
+import {
+  CASES_CONNECTOR_GROUP_BY_ALERT_FIELD_OPTIONS_LIST,
+  CASES_CONNECTOR_GROUP_BY_ALERT_FIELD_SELECTOR,
+} from '../../../../screens/common/rule_actions';
 import { RULE_NAME_HEADER } from '../../../../screens/rule_details';
 import { getIndexConnector } from '../../../../objects/connector';
 import { getSimpleCustomQueryRule } from '../../../../objects/rule';
@@ -21,6 +25,7 @@ import {
 } from '../../../../tasks/api_calls/common';
 import {
   createAndEnableRule,
+  createCasesAction,
   fillAboutRuleAndContinue,
   fillDefineCustomRuleAndContinue,
   fillRuleAction,
@@ -106,5 +111,23 @@ describe(
       // UI redirects to rule creation page of a created rule
       cy.get(RULE_NAME_HEADER).should('contain', rule.name);
     });
+
+    it('Forwards the correct rule type id to the Cases system action', () => {
+      visit(CREATE_RULE_URL);
+      fillDefineCustomRuleAndContinue(rule);
+      fillAboutRuleAndContinue(rule);
+      fillScheduleRuleAndContinue(rule);
+      createCasesAction();
+
+      cy.get(CASES_CONNECTOR_GROUP_BY_ALERT_FIELD_SELECTOR).click();
+      cy.get(CASES_CONNECTOR_GROUP_BY_ALERT_FIELD_OPTIONS_LIST).should('be.visible');
+      cy.waitUntil(() => {
+        return cy
+          .get(`${CASES_CONNECTOR_GROUP_BY_ALERT_FIELD_OPTIONS_LIST} button[role=option]`)
+          .then(($items) => {
+            return $items.length > 0;
+          });
+      });
+    });
   }
 );

x-pack/test/security_solution_cypress/cypress/screens/common/rule_actions.ts

@@ -48,6 +48,12 @@ export const EMAIL_CONNECTOR_PASSWORD_INPUT = '[data-test-subj="emailPasswordInp
 
 export const EMAIL_CONNECTOR_SERVICE_SELECTOR = '[data-test-subj="emailServiceSelectInput"]';
 
+export const CASES_CONNECTOR_GROUP_BY_ALERT_FIELD_SELECTOR =
+  '[data-test-subj=group-by-alert-field-combobox]';
+
+export const CASES_CONNECTOR_GROUP_BY_ALERT_FIELD_OPTIONS_LIST =
+  '[data-test-subj~=group-by-alert-field-combobox-optionsList]';
+
 export const FORM_VALIDATION_ERROR = '.euiFormErrorText';
 
 export const JSON_EDITOR = "[data-test-subj='documentToIndex']";

x-pack/test/security_solution_cypress/cypress/tasks/create_new_rule.ts

@@ -147,6 +147,7 @@ import {
   ACTIONS_ALERTS_TIMEFRAME_START_INPUT,
   ACTIONS_ALERTS_TIMEFRAME_END_INPUT,
   ACTIONS_ALERTS_TIMEFRAME_TIMEZONE_INPUT,
+  CASES_SYSTEM_ACTION_BTN,
 } from '../screens/common/rule_actions';
 import { fillIndexConnectorForm, fillEmailConnectorForm } from './common/rule_actions';
 import { TOAST_ERROR } from '../screens/shared';
@@ -540,6 +541,10 @@ export const fillRuleAction = (actions: Actions) => {
   });
 };
 
+export const createCasesAction = () => {
+  cy.get(CASES_SYSTEM_ACTION_BTN).click();
+};
+
 export const fillRuleActionFilters = (alertsFilter: AlertsFilter) => {
   cy.get(ACTIONS_ALERTS_QUERY_FILTER_BUTTON).click();
   cy.get(ACTIONS_ALERTS_QUERY_FILTER_INPUT()).type(alertsFilter.query.kql);