got em runnin

.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh

@@ -90,7 +90,9 @@ FORMATTED_KB_URL="${KB_URL/https:\/\//}"
 # This is used in order to wait for the environment to be ready.
 sleep 150
 
-TEST_CLOUD=1 TEST_ES_URL="https://elastic:$PASSWORD@$FORMATTED_ES_URL:443" TEST_KIBANA_URL="https://elastic:$PASSWORD@$FORMATTED_KB_URL:443" yarn run $1
+echo "uername: $USERNAME"
+
+TEST_CLOUD=1 TEST_ES_URL="https://$USERNAME:$PASSWORD@$FORMATTED_ES_URL:443" TEST_KIBANA_URL="https://$USERNAME:$PASSWORD@$FORMATTED_KB_URL:443" yarn run $1
 cmd_status=$?
 echo "Exit code with status: $cmd_status"
 

packages/kbn-es/src/serverless_resources/security_roles.json

@@ -104,6 +104,7 @@
             "logs-*",
             "packetbeat-*",
             "winlogbeat-*",
+            "logstash-*",
             ".asset-criticality.asset-criticality-*"
           ],
           "privileges": ["read", "write"]
@@ -117,7 +118,7 @@
           "privileges": ["read", "write"]
         },
         {
-          "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
+          "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*", "risk-score.risk-score-*"],
           "privileges": ["read"]
         }
       ],
@@ -143,9 +144,14 @@
             "file_operations_all"
           ],
           "securitySolutionCases": ["all"],
+          "securitySolutionAssistant": ["all"],
           "actions": ["read"],
           "builtInAlerts": ["all"],
-          "osquery": ["all"]
+          "osquery": ["all"],
+          "discover": ["all"],
+          "dashboard": ["all"],
+          "maps": ["all"],
+          "visualize": ["all"]
         },
         "spaces": ["*"],
         "base": []

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts

@@ -72,7 +72,6 @@ export default ({ getService }: FtrProviderContext) => {
         await createAlertsIndex(supertest, log);
       });
       after(async () => {
-        // await esArchiver.unload('x-pack/test/functional/es_archives/endpoint/resolver/signals');
         await deleteAllAlerts(supertest, log, es);
       });
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts

@@ -74,8 +74,7 @@ export default ({ getService }: FtrProviderContext) => {
   const log = getService('log');
   const es = getService('es');
 
-  // @skipInQA purposefully - only running tests in MKI whose failure should block release
-  describe('@serverless @ess @skipInQA create_endpoint_exceptions', () => {
+  describe('@serverless @ess create_endpoint_exceptions', () => {
     before(async () => {
       await esArchiver.load(
         'x-pack/test/functional/es_archives/rule_exceptions/endpoint_without_host_type'

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts

@@ -48,8 +48,7 @@ export default ({ getService }: FtrProviderContext) => {
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
-  // @skipInQA purposefully - only running tests in MKI whose failure should block release
-  describe('@serverless @ess @skipInQA create_rule_exception_route', () => {
+  describe('@serverless @ess create "rule_default" exceptions', () => {
     before(async () => {
       await createAlertsIndex(supertest, log);
     });

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_ess.ts → x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_ess.ts

@@ -30,7 +30,7 @@ export default ({ getService }: FtrProviderContext) => {
   const log = getService('log');
   const supertestWithoutAuth = getService('supertestWithoutAuth');
 
-  describe('@ess role_based_add_edit_comments', () => {
+  describe('@ess exception item comments', () => {
     const socManager = ROLES.soc_manager;
     const detectionAdmin = ROLES.detections_admin;
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts → x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_serverless.ts

@@ -19,10 +19,6 @@ import { ROLES } from '@kbn/security-solution-plugin/common/test';
 import { getUpdateMinimalExceptionListItemSchemaMock } from '@kbn/lists-plugin/common/schemas/request/update_exception_list_item_schema.mock';
 import { UpdateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
 import { deleteAllExceptions } from '../../../../../lists_and_exception_lists/utils';
-import {
-  createUserAndRole,
-  deleteUserAndRole,
-} from '../../../../../../../common/services/security_solution';
 import { FtrProviderContext } from '../../../../../../ftr_provider_context';
 
 export default ({ getService }: FtrProviderContext) => {
@@ -31,84 +27,70 @@ export default ({ getService }: FtrProviderContext) => {
   const supertestWithoutAuth = getService('supertestWithoutAuth');
 
   // @skipInQA purposefully - only running tests in MKI whose failure should block release
-  describe('@serverless @skipInQA role_based_add_edit_comments', () => {
-    const socManager = ROLES.detections_admin;
-    const detectionAdmin = ROLES.t3_analyst;
-
+  describe('@serverless @skipInQA exception item comments - serverless specific behavior', () => {
     describe('Rule Exceptions', () => {
-      beforeEach(async () => {
-        await createUserAndRole(getService, detectionAdmin);
-        await createUserAndRole(getService, socManager);
-      });
-
       afterEach(async () => {
-        await deleteUserAndRole(getService, detectionAdmin);
-        await deleteUserAndRole(getService, socManager);
         await deleteAllExceptions(supertest, log);
       });
 
       it('Add comment on a new exception, add another comment has unicode from a different user', async () => {
-        await supertestWithoutAuth
+        await supertest
           .post(EXCEPTION_LIST_URL)
-          .auth(detectionAdmin, 'changeme')
           .set('kbn-xsrf', 'true')
           .send(getCreateExceptionListDetectionSchemaMock())
           .expect(200);
 
         const { os_types, ...ruleException } = getCreateExceptionListItemMinimalSchemaMock();
 
-        // Add comment by the Detection Admin
+        // Add comment by another user
         await supertestWithoutAuth
           .post(EXCEPTION_LIST_ITEM_URL)
-          .auth(detectionAdmin, 'changeme')
+          .auth(ROLES.t3_analyst, 'changeme')
           .set('kbn-xsrf', 'true')
           .send({
             ...ruleException,
-            comments: [{ comment: 'Comment by user@detections_admin' }],
+            comments: [{ comment: 'Comment by user@t3_analyst' }],
           })
           .expect(200);
-
-        const { body: items } = await supertestWithoutAuth
+        const { body: items } = await supertest
           .get(
             `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${
               getCreateExceptionListMinimalSchemaMock().list_id
             }`
           )
-          .auth(detectionAdmin, 'changeme')
           .set('kbn-xsrf', 'true')
           .send()
           .expect(200);
 
         // Validate the first user comment
         expect(items.total).toEqual(1);
         const [item] = items.data;
-        const detectionAdminComments = item.comments;
-        expect(detectionAdminComments.length).toEqual(1);
+        const t3AnalystComments = item.comments;
+        expect(t3AnalystComments.length).toEqual(1);
 
-        expect(detectionAdminComments[0]).toEqual(
+        expect(t3AnalystComments[0]).toEqual(
           expect.objectContaining({
-            created_by: 'detections_admin',
-            comment: 'Comment by user@detections_admin',
+            created_by: 't3_analyst',
+            comment: 'Comment by user@t3_analyst',
           })
         );
 
         const expectedId = item.id;
 
-        // Update exception comment by different user Soc-manager
+        // Update exception comment by different user
         const { item_id: _, ...updateItemWithoutItemId } =
           getUpdateMinimalExceptionListItemSchemaMock();
 
         const updatePayload: UpdateExceptionListItemSchema = {
           ...updateItemWithoutItemId,
           comments: [
             ...(updateItemWithoutItemId.comments || []),
-            { comment: 'Comment by user@soc_manager' },
+            { comment: 'Comment by elastic_serverless' },
           ],
           id: expectedId,
         };
-        await supertestWithoutAuth
+        await supertest
           .put(EXCEPTION_LIST_ITEM_URL)
-          .auth(socManager, 'changeme')
           .set('kbn-xsrf', 'true')
           .send(updatePayload)
           .expect(200);
@@ -119,101 +101,91 @@ export default ({ getService }: FtrProviderContext) => {
               getCreateExceptionListMinimalSchemaMock().list_id
             }`
           )
-          .auth(socManager, 'changeme')
           .set('kbn-xsrf', 'true')
           .send()
           .expect(200);
+
         const [itemAfterUpdate] = itemsAfterUpdate.data;
-        const detectionAdminAndSocManagerComments = itemAfterUpdate.comments;
+        const comments = itemAfterUpdate.comments;
 
-        expect(detectionAdminAndSocManagerComments.length).toEqual(2);
+        expect(comments.length).toEqual(2);
 
-        expect(detectionAdminAndSocManagerComments).toEqual(
+        expect(comments).toEqual(
           expect.arrayContaining([
             expect.objectContaining({
-              created_by: 'detections_admin',
-              comment: 'Comment by user@detections_admin',
+              created_by: 't3_analyst',
+              comment: 'Comment by user@t3_analyst',
             }),
             expect.objectContaining({
-              created_by: 'soc_manager',
-              comment: 'Comment by user@soc_manager',
+              created_by: 'elastic_serverless',
+              comment: 'Comment by elastic_serverless',
             }),
           ])
         );
       });
     });
     describe('Endpoint Exceptions', () => {
-      beforeEach(async () => {
-        await createUserAndRole(getService, detectionAdmin);
-        await createUserAndRole(getService, socManager);
-      });
-
       afterEach(async () => {
-        await deleteUserAndRole(getService, detectionAdmin);
-        await deleteUserAndRole(getService, socManager);
         await deleteAllExceptions(supertest, log);
       });
 
       it('Add comment on a new exception, add another comment has unicode from a different user', async () => {
-        await supertestWithoutAuth
+        await supertest
           .post(EXCEPTION_LIST_URL)
-          .auth(detectionAdmin, 'changeme')
           .set('kbn-xsrf', 'true')
           .send(getCreateExceptionListMinimalSchemaMock())
           .expect(200);
 
-        // Add comment by the Detection Admin
+        // Add comment by the t3 analyst
         await supertestWithoutAuth
           .post(EXCEPTION_LIST_ITEM_URL)
-          .auth(detectionAdmin, 'changeme')
+          .auth(ROLES.t3_analyst, 'changeme')
           .set('kbn-xsrf', 'true')
           .send({
             ...getCreateExceptionListItemMinimalSchemaMock(),
-            comments: [{ comment: 'Comment by user@detections_admin' }],
+            comments: [{ comment: 'Comment by user@t3_analyst' }],
           })
           .expect(200);
 
-        const { body: items } = await supertestWithoutAuth
+        const { body: items } = await supertest
           .get(
             `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${
               getCreateExceptionListMinimalSchemaMock().list_id
             }`
           )
-          .auth(detectionAdmin, 'changeme')
           .set('kbn-xsrf', 'true')
           .send()
           .expect(200);
 
         // Validate the first user comment
         expect(items.total).toEqual(1);
         const [item] = items.data;
-        const detectionAdminComments = item.comments;
-        expect(detectionAdminComments.length).toEqual(1);
+        const t3AnalystComments = item.comments;
+        expect(t3AnalystComments.length).toEqual(1);
 
-        expect(detectionAdminComments[0]).toEqual(
+        expect(t3AnalystComments[0]).toEqual(
           expect.objectContaining({
-            created_by: 'detections_admin',
-            comment: 'Comment by user@detections_admin',
+            created_by: 't3_analyst',
+            comment: 'Comment by user@t3_analyst',
           })
         );
 
         const expectedId = item.id;
 
-        // Update exception comment by different user Soc-manager
+        // Update exception comment by different user
         const { item_id: _, ...updateItemWithoutItemId } =
           getUpdateMinimalExceptionListItemSchemaMock();
 
         const updatePayload: UpdateExceptionListItemSchema = {
           ...updateItemWithoutItemId,
           comments: [
             ...(updateItemWithoutItemId.comments || []),
-            { comment: 'Comment by user@soc_manager' },
+            { comment: 'Comment by elastic_serverless' },
           ],
           id: expectedId,
         };
-        await supertestWithoutAuth
+        await supertest
           .put(EXCEPTION_LIST_ITEM_URL)
-          .auth(socManager, 'changeme')
           .set('kbn-xsrf', 'true')
           .send(updatePayload)
           .expect(200);
@@ -224,24 +196,23 @@ export default ({ getService }: FtrProviderContext) => {
               getCreateExceptionListMinimalSchemaMock().list_id
             }`
           )
-          .auth(socManager, 'changeme')
           .set('kbn-xsrf', 'true')
           .send()
           .expect(200);
         const [itemAfterUpdate] = itemsAfterUpdate.data;
-        const detectionAdminAndSocManagerComments = itemAfterUpdate.comments;
+        const comments = itemAfterUpdate.comments;
 
-        expect(detectionAdminAndSocManagerComments.length).toEqual(2);
+        expect(comments.length).toEqual(2);
 
-        expect(detectionAdminAndSocManagerComments).toEqual(
+        expect(comments).toEqual(
           expect.arrayContaining([
             expect.objectContaining({
-              created_by: 'detections_admin',
-              comment: 'Comment by user@detections_admin',
+              created_by: 't3_analyst',
+              comment: 'Comment by user@t3_analyst',
             }),
             expect.objectContaining({
-              created_by: 'soc_manager',
-              comment: 'Comment by user@soc_manager',
+              created_by: 'elastic_serverless',
+              comment: 'Comment by elastic_serverless',
             }),
           ])
         );

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts

@@ -36,19 +36,18 @@ export default ({ getService }: FtrProviderContext) => {
   const log = getService('log');
   const es = getService('es');
 
-  // @skipInQA purposefully - only running tests in MKI whose failure should block release
-  describe('@serverless @ess @skipInQA find_rule_exception_references', () => {
+  describe('@serverless @ess find_rule_exception_references', () => {
     before(async () => {
       await createAlertsIndex(supertest, log);
     });
 
     after(async () => {
       await deleteAllAlerts(supertest, log, es);
-      await deleteAllRules(supertest, log);
     });
 
     afterEach(async () => {
       await deleteAllExceptions(supertest, log);
+      await deleteAllRules(supertest, log);
     });
 
     it('returns empty array per list_id if no references are found', async () => {
@@ -68,6 +67,7 @@ export default ({ getService }: FtrProviderContext) => {
         .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL)
         .set('kbn-xsrf', 'true')
         .set('elastic-api-version', '1')
+        .set('X-Elastic-Internal-Origin', 'Kibana')
         .query({
           ids: `${exceptionList.id}`,
           list_ids: `${exceptionList.list_id}`,
@@ -122,6 +122,7 @@ export default ({ getService }: FtrProviderContext) => {
         .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL)
         .set('kbn-xsrf', 'true')
         .set('elastic-api-version', '1')
+        .set('X-Elastic-Internal-Origin', 'Kibana')
         .query({
           ids: `1234`,
           list_ids: `i_dont_exist`,
@@ -169,6 +170,7 @@ export default ({ getService }: FtrProviderContext) => {
         .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL)
         .set('kbn-xsrf', 'true')
         .set('elastic-api-version', '1')
+        .set('X-Elastic-Internal-Origin', 'Kibana')
         .query({
           ids: `${exceptionList.id},${exceptionList2.id}`,
           list_ids: `${exceptionList.list_id},${exceptionList2.list_id}`,
@@ -218,6 +220,7 @@ export default ({ getService }: FtrProviderContext) => {
         .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL)
         .set('kbn-xsrf', 'true')
         .set('elastic-api-version', '1')
+        .set('X-Elastic-Internal-Origin', 'Kibana')
         .query({
           namespace_types: 'single,agnostic',
         })