[Security Solution] Changes default role for serverless from admin to platform_engineer (#183608)

## Summary

Addresses: #184140

In this PR we are addressing the short-term solution of
#184135, where we are moving serverless from
using the `admin` role for MKI environments and
`system_indices_superuser` for stateless environments to
`platform_engineer`.

To make the above change happen, some adjustments have been introduced
to make the tests work:

### Rename of custom indexes

The `admin` or `system_indices_superuser` role has access to any index on the
system, but built-in roles in security serverless projects only have
access to some or all of the security default indexes, so they cannot
access custom indexes.

To make the tests work with `platform_engineer`, all the custom
indexes that we use for testing purposes have been renamed to match
ours.

### `waitForTheRuleToBeExecuted` removed from some tests

`waitForTheRuleToBeExecuted` waits for the rule status to be `succeeded`,
but the `platform_engineer` does not have access to all the indexes, so
the final status will instead be `warning` and this method will
time out.

Originally that method was created to make sure that some
alerts are going to be displayed, but after it we call
`waitForAlertsToPopulate`, which makes sure that we have alerts.

### Some tests have been skipped from serverless executions

- Entity analytics tests exercising the legacy risk score have been
removed from serverless executions, since it is not used on serverless
projects.
- Maintenance window callout test has been skipped in serverless due to
the following reason: #184160
- One of the users tabs test has been skipped as well due to the
following reason: #184201

---------

Co-authored-by: Devin Hurley <[email protected]>
Co-authored-by: Georgii Gorbachev <[email protected]>
3 people authored Jun 3, 2024
1 parent 9528a22 commit 9d84341
Showing 37 changed files with 245 additions and 259 deletions.
@@ -1,7 +1,7 @@
{
"type": "doc",
"value": {
"index": "no_at_timestamp_field",
"index": "auditbeat-no_at_timestamp_field",
"source": {
"locale": "pt",
"event.category": "configuration",
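Review bot: the rename of `"index"` to `auditbeat-no_at_timestamp_field` only works if every consumer of this archive moves with it; the mappings archive and the EQL FTR assertions are updated in later hunks of this commit, but a grep for the bare `no_at_timestamp_field` across the Cypress and FTR trees would confirm no other spec still loads the old name, since under the `platform_engineer` role a stale reference now surfaces as a missing-index warning rather than an obvious error.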
Expand All @@ -14,7 +14,7 @@
{
"type": "doc",
"value": {
"index": "no_at_timestamp_field",
"index": "auditbeat-no_at_timestamp_field",
"source": {
"locale": "es",
"event.category": "configuration",
Expand All @@ -27,7 +27,7 @@
{
"type": "doc",
"value": {
"index": "no_at_timestamp_field",
"index": "auditbeat-no_at_timestamp_field",
"source": {
"locale": "ua",
"event.category": "configuration",
@@ -1,7 +1,7 @@
{
"type": "index",
"value": {
"index": "no_at_timestamp_field",
"index": "auditbeat-no_at_timestamp_field",
"mappings": {
"dynamic": "strict",
"properties": {
Expand Up @@ -867,7 +867,7 @@ export default ({ getService }: FtrProviderContext) => {

it('specifying only timestamp_field results in a warning, and no alerts are generated', async () => {
const rule: EqlRuleCreateProps = {
...getEqlRuleForAlertTesting(['no_at_timestamp_field']),
...getEqlRuleForAlertTesting(['auditbeat-no_at_timestamp_field']),
timestamp_field: 'event.ingested',
};

Expand All @@ -878,7 +878,7 @@ export default ({ getService }: FtrProviderContext) => {

expect(_log.errors).to.be.empty();
expect(_log.warnings).to.contain(
'The following indices are missing the timestamp field "@timestamp": ["no_at_timestamp_field"]'
'The following indices are missing the timestamp field "@timestamp": ["auditbeat-no_at_timestamp_field"]'
);

const previewAlerts = await getPreviewAlerts({ es, previewId });
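Review bot: the expected text in `expect(_log.warnings).to.contain(` hard-codes the index name a second time, separately from the `getEqlRuleForAlertTesting(['auditbeat-no_at_timestamp_field'])` call in the hunk above, and the same literal recurs in the two hunks that follow; suggest declaring a single `const` for the index name at the top of the `describe` block and interpolating it into both the rule definitions and the expected warning message, so the next rename touches one line instead of six.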
Expand All @@ -887,7 +887,7 @@ export default ({ getService }: FtrProviderContext) => {

it('specifying only timestamp_override results in an error, and no alerts are generated', async () => {
const rule: EqlRuleCreateProps = {
...getEqlRuleForAlertTesting(['no_at_timestamp_field']),
...getEqlRuleForAlertTesting(['auditbeat-no_at_timestamp_field']),
timestamp_override: 'event.ingested',
};

Expand All @@ -906,7 +906,7 @@ export default ({ getService }: FtrProviderContext) => {

it('specifying both timestamp_override and timestamp_field results in alert creation with no warnings or errors', async () => {
const rule: EqlRuleCreateProps = {
...getEqlRuleForAlertTesting(['no_at_timestamp_field']),
...getEqlRuleForAlertTesting(['auditbeat-no_at_timestamp_field']),
timestamp_field: 'event.ingested',
timestamp_override: 'event.ingested',
};
10 changes: 7 additions & 3 deletions x-pack/test/security_solution_cypress/cypress/README.md
Expand Up @@ -350,11 +350,15 @@ Store the saved key on `~/.elastic/cloud.json` using the following format:
}
```

Store the email and password of the account you used to login in the QA Environment at the root directory of your Kibana project on `.ftr/role_users.json`, using the following format:
By default all our Serverless tests are executed with the `platform_engineer` role.

So you need to add to your organization a new user that has the required role. You can achieve that by using email aliases.

Store the email and password of the account of the `platform_engineer` user at the root directory of your Kibana project on `.ftr/role_users.json`, using the following format:

```json
{
"admin": {
"platform_engineer": {
"email": "<email>",
"password": "<password>"
}
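Review bot: the `"admin"` key of `.ftr/role_users.json` is replaced by `"platform_engineer"` without saying whether anything still reads the old key; suggest confirming no remaining test or script looks up `admin` (it would fail with an undefined user rather than a clear message) and adding one sentence noting that this file now holds the password of a real QA-organization account and must stay out of version control, since the README is the only place a new contributor learns about it.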
Expand All @@ -380,7 +384,7 @@ If you want to execute a test using Cypress on visual mode with MKI, you need to

```json
{
"admin": {
"platform_engineer": {
"email": "<email>",
"password": "<password>"
},
Expand Up @@ -36,11 +36,11 @@ describe('Close matching Alerts ', { tags: ['@ess', '@serverless'] }, () => {
cy.task('esArchiverLoad', { archiveName: 'exceptions' });

login();
postDataView('exceptions-*');
postDataView('auditbeat-exceptions-*');
createRule(
getNewRule({
query: 'agent.name:*',
data_view_id: 'exceptions-*',
data_view_id: 'auditbeat-exceptions-*',
interval: '1m',
rule_id: 'rule_testing',
})
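Review bot: `postDataView('auditbeat-exceptions-*')` and `data_view_id: 'auditbeat-exceptions-*'` repeat the same literal two lines apart, while the sibling spec later in this commit introduces `const DATAVIEW = 'auditbeat-exceptions-*';` for exactly this purpose; suggest using the same constant here (ideally from one shared module) so the data view and the rule's `data_view_id` cannot drift apart on a future rename.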
Expand Up @@ -15,7 +15,6 @@ import {
openExceptionFlyoutFromEmptyViewerPrompt,
visitRuleDetailsPage,
clickEnableRuleSwitch,
waitForTheRuleToBeExecuted,
goToAlertsTab,
} from '../../../../../tasks/rule_details';
import {
Expand Down Expand Up @@ -43,7 +42,7 @@ describe('Exceptions match_any', { tags: ['@ess', '@serverless'] }, () => {
login();
createRule(
getNewRule({
index: ['exceptions-*'],
index: ['auditbeat-exceptions-*'],
enabled: false,
query: '*',
from: 'now-438300h',
Expand Down Expand Up @@ -77,7 +76,6 @@ describe('Exceptions match_any', { tags: ['@ess', '@serverless'] }, () => {

goToAlertsTab();

waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

// Will match document with value "foo" and document with value "FOO"
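Review bot: dropping `waitForTheRuleToBeExecuted();` here means the test no longer distinguishes a rule that ended in `warning` because of the missing index privileges described in the commit message from one that ended in `failed`; `waitForAlertsToPopulate();` still catches a rule that produces no alerts, but a rule that fails after writing a partial alert set would pass. Suggest replacing the removed call with a wait that accepts `succeeded` or `warning` but rejects `failed`, and doing it once in a shared task rather than deleting the line in each spec, since the same removal is repeated in the following files.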
Expand Up @@ -27,7 +27,6 @@ import {
openEditException,
removeException,
visitRuleDetailsPage,
waitForTheRuleToBeExecuted,
} from '../../../../../tasks/rule_details';

import {
Expand All @@ -46,7 +45,7 @@ import {
} from '../../../../../screens/exceptions';
import { waitForAlertsToPopulate } from '../../../../../tasks/create_new_rule';

const DATAVIEW = 'exceptions-*';
const DATAVIEW = 'auditbeat-exceptions-*';

describe(
'Add exception using data views from rule details',
Expand Down Expand Up @@ -131,7 +130,6 @@ describe(
// now that there are no more exceptions, the docs should match and populate alerts
goToAlertsTab();
goToOpenedAlertsOnRuleDetailsPage();
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

cy.get(ALERTS_COUNT).should('exist');
Expand Up @@ -42,7 +42,7 @@ import {
INTERVAL_ABBR_VALUE,
} from '../../../../screens/rule_details';

import { getDetails, waitForTheRuleToBeExecuted } from '../../../../tasks/rule_details';
import { getDetails } from '../../../../tasks/rule_details';
import { expectNumberOfRules, goToRuleDetailsOf } from '../../../../tasks/alerts_detection_rules';
import { deleteAlertsAndRules } from '../../../../tasks/api_calls/common';
import {
Expand Down Expand Up @@ -138,7 +138,6 @@ describe('EQL rules', { tags: ['@ess', '@serverless'] }, () => {
.should('have.text', `${humanizedDuration}`);
});

waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

cy.get(ALERTS_COUNT).should('have.text', expectedNumberOfAlerts);
Expand Down Expand Up @@ -175,7 +174,6 @@ describe('EQL rules', { tags: ['@ess', '@serverless'] }, () => {
createAndEnableRule();
openRuleManagementPageViaBreadcrumbs();
goToRuleDetailsOf(rule.name);
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

cy.get(ALERTS_COUNT).should('have.text', expectedNumberOfSequenceAlerts);
Expand Down Expand Up @@ -203,7 +201,7 @@ describe('EQL rules', { tags: ['@ess', '@serverless'] }, () => {
visit(CREATE_RULE_URL);
selectEqlRuleType();
getIndexPatternClearButton().click();
getRuleIndexInput().type(`no_at_timestamp_field{enter}`);
getRuleIndexInput().type(`auditbeat-no_at_timestamp_field{enter}`);

cy.get(RULES_CREATION_FORM).find(EQL_QUERY_INPUT).should('exist');
cy.get(RULES_CREATION_FORM).find(EQL_QUERY_INPUT).should('be.visible');
Expand Up @@ -47,7 +47,7 @@ import {
INTERVAL_ABBR_VALUE,
} from '../../../../screens/rule_details';

import { getDetails, waitForTheRuleToBeExecuted } from '../../../../tasks/rule_details';
import { getDetails } from '../../../../tasks/rule_details';
import { expectNumberOfRules, goToRuleDetailsOf } from '../../../../tasks/alerts_detection_rules';
import { deleteAlertsAndRules } from '../../../../tasks/api_calls/common';
import {
Expand Down Expand Up @@ -149,7 +149,6 @@ describe(
.should('have.text', `${humanizedDuration}`);
});

waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

cy.get(ALERT_DATA_GRID)
Expand Up @@ -63,7 +63,7 @@ import {
} from '../../../../tasks/create_new_rule';
import { login } from '../../../../tasks/login';
import { visit } from '../../../../tasks/navigation';
import { getDetails, waitForTheRuleToBeExecuted } from '../../../../tasks/rule_details';
import { getDetails } from '../../../../tasks/rule_details';
import { CREATE_RULE_URL } from '../../../../urls/navigation';
import { openRuleManagementPageViaBreadcrumbs } from '../../../../tasks/rules_management';

Expand Down Expand Up @@ -149,7 +149,6 @@ describe('Rules override', { tags: ['@ess', '@serverless'] }, () => {
.should('have.text', `${humanizedDuration}`);
});

waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

cy.get(ALERTS_COUNT)
Expand Up @@ -61,11 +61,7 @@ import {
} from '../../../../tasks/create_new_rule';
import { login } from '../../../../tasks/login';
import { visit } from '../../../../tasks/navigation';
import {
getDetails,
assertDetailsNotExist,
waitForTheRuleToBeExecuted,
} from '../../../../tasks/rule_details';
import { getDetails, assertDetailsNotExist } from '../../../../tasks/rule_details';
import { openRuleManagementPageViaBreadcrumbs } from '../../../../tasks/rules_management';
import { CREATE_RULE_URL } from '../../../../urls/navigation';

Expand Down Expand Up @@ -147,7 +143,6 @@ describe(
.should('have.text', `${humanizedDuration}`);
});

waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

cy.get(ALERTS_COUNT).should(($count) => expect(+$count.text().split(' ')[0]).to.be.lt(100));
Expand Up @@ -12,9 +12,10 @@ import { login } from '../../../../tasks/login';
import { visit } from '../../../../tasks/navigation';
import { RULES_MANAGEMENT_URL } from '../../../../urls/rules_management';

// https://github.com/elastic/kibana/issues/184160
describe(
'Maintenance window callout on Rule Management page',
{ tags: ['@ess', '@serverless'] },
{ tags: ['@ess', '@serverless', '@skipInServerless'] },
() => {
let maintenanceWindowId = '';

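Review bot: `'@skipInServerless'` is added while `'@serverless'` is kept, and the only explanation is the bare issue URL in the comment above `describe(`; suggest a one-line comment stating the reason for the skip and what would allow it to be removed, so the lost serverless coverage of the maintenance window callout is tracked as a temporary gap rather than becoming permanent.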
