[8.7] [Defend Workflows] Osquery UI fixes (elastic#152079) (elastic#1…

…52736)

# Backport

This will backport the following commits from `main` to `8.7`:
- [[Defend Workflows] Osquery UI fixes
(elastic#152079)](elastic#152079)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-03-06T16:34:22Z","message":"[Defend
Workflows] Osquery UI fixes
(elastic#152079)","sha":"8216f80f0b46a045338a7cacee63f2f180011066","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:Defend
Workflows","Feature:Osquery","v8.7.0","v8.8.0"],"number":152079,"url":"https://github.com/elastic/kibana/pull/152079","mergeCommit":{"message":"[Defend
Workflows] Osquery UI fixes
(elastic#152079)","sha":"8216f80f0b46a045338a7cacee63f2f180011066"}},"sourceBranch":"main","suggestedTargetBranches":["8.7"],"targetPullRequestStates":[{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/152079","number":152079,"mergeCommit":{"message":"[Defend
Workflows] Osquery UI fixes
(elastic#152079)","sha":"8216f80f0b46a045338a7cacee63f2f180011066"}}]}]
BACKPORT-->

Co-authored-by: Konrad Szwarc <[email protected]>

x-pack/plugins/osquery/public/live_queries/form/pack_queries_status_table.tsx

@@ -346,7 +346,7 @@ const PackQueriesStatusTableComponent: React.FC<PackQueriesStatusTableProps> = (
         name: i18n.translate('xpack.osquery.pack.queriesTable.viewResultsColumnTitle', {
           defaultMessage: 'View results',
         }),
-        width: '90px',
+        width: '120px',
         render: renderResultActions,
       },
       {

x-pack/plugins/osquery/public/results/results_table.tsx

@@ -6,6 +6,7 @@
  */
 
 import { get, isEmpty, isArray, isObject, isEqual, keys, map, reduce } from 'lodash/fp';
+import { css } from '@emotion/react';
 import type {
   EuiDataGridSorting,
   EuiDataGridProps,
@@ -391,6 +392,10 @@ const ResultsTableComponent: React.FC<ResultsTableComponentProps> = ({
     ]
   );
 
+  if (isLoading) {
+    return <EuiLoadingContent lines={5} />;
+  }
+
   if (!hasActionResultsPrivileges) {
     return (
       <EuiCallOut
@@ -418,13 +423,17 @@ const ResultsTableComponent: React.FC<ResultsTableComponentProps> = ({
     );
   }
 
-  if (isLoading) {
-    return <EuiLoadingContent lines={5} />;
-  }
-
   return (
     <>
-      {isLive && <EuiProgress color="primary" size="xs" />}
+      {isLive && (
+        <EuiProgress
+          color="primary"
+          size="xs"
+          css={css`
+            margin-top: -2px;
+          `}
+        />
+      )}
 
       {!allResultsData?.edges.length ? (
         <EuiPanel hasShadow={false}>

x-pack/plugins/osquery/public/shared_components/osquery_results/index.tsx

@@ -19,7 +19,6 @@ import type { OsqueryActionResultsProps } from './types';
 import { OsqueryResult } from './osquery_result';
 
 const OsqueryActionResultsComponent: React.FC<OsqueryActionResultsProps> = ({
-  agentIds,
   ruleName,
   actionItems,
   ecsData,
@@ -37,7 +36,6 @@ const OsqueryActionResultsComponent: React.FC<OsqueryActionResultsProps> = ({
           queryId={queryId}
           startDate={startDate}
           ruleName={ruleName}
-          agentIds={agentIds}
           ecsData={ecsData}
         />
       );

x-pack/plugins/osquery/public/shared_components/osquery_results/osquery_result.tsx

@@ -6,7 +6,7 @@
  */
 
 import { EuiComment, EuiSpacer } from '@elastic/eui';
-import React from 'react';
+import React, { useLayoutEffect, useState } from 'react';
 import { FormattedRelative } from '@kbn/i18n-react';
 
 import type { OsqueryActionResultsProps } from './types';
@@ -22,11 +22,17 @@ interface OsqueryResultProps extends OsqueryActionResultsProps {
 }
 
 export const OsqueryResult = React.memo<OsqueryResultProps>(
-  ({ actionId, ruleName, agentIds, startDate, ecsData }) => {
+  ({ actionId, ruleName, startDate, ecsData }) => {
+    const [isLive, setIsLive] = useState(false);
     const { data } = useLiveQueryDetails({
       actionId,
+      isLive,
     });
 
+    useLayoutEffect(() => {
+      setIsLive(() => !(data?.status === 'completed'));
+    }, [data?.status]);
+
     return (
       <AlertAttachmentContext.Provider value={ecsData}>
         <EuiSpacer size="s" />
@@ -38,11 +44,10 @@ export const OsqueryResult = React.memo<OsqueryResultProps>(
         >
           <PackQueriesStatusTable
             actionId={actionId}
-            // queryId={queryId}
             data={data?.queries}
             startDate={data?.['@timestamp']}
             expirationDate={data?.expiration}
-            agentIds={agentIds}
+            agentIds={data?.agents}
           />
         </EuiComment>
         <EuiSpacer size="s" />

x-pack/plugins/osquery/public/shared_components/osquery_results/osquery_results.test.tsx

@@ -32,7 +32,6 @@ const enablePrivileges = () => {
 };
 
 const defaultProps: OsqueryActionResultsProps = {
-  agentIds: ['agent1'],
   ruleName: ['Test-rule'],
   actionItems: [
     {
@@ -82,10 +81,6 @@ describe('Osquery Results', () => {
       .mockImplementation(() => defaultLiveQueryDetails);
   });
 
-  it('should validate permissions', async () => {
-    const { queryByText } = renderWithContext(<OsqueryActionResults {...defaultProps} />);
-    expect(queryByText(PERMISSION_DENIED)).toBeInTheDocument();
-  });
   it('return results table', async () => {
     enablePrivileges();
     const { getByText, queryByText, getByTestId } = renderWithContext(

x-pack/plugins/osquery/public/shared_components/osquery_results/types.ts

@@ -9,7 +9,6 @@ import type { Ecs } from '../../../common/ecs';
 import type { ActionEdges } from '../../../common/search_strategy';
 
 export interface OsqueryActionResultsProps {
-  agentIds?: string[];
   ruleName?: string[];
   ecsData: Ecs;
   actionItems?: ActionEdges;

x-pack/plugins/security_solution/public/common/components/event_details/osquery_tab.tsx

@@ -117,7 +117,6 @@ export const useOsqueryTab = ({
   const actionItems = actionsData?.data.items || [];
 
   const ruleName = expandedEventFieldsObject.kibana?.alert?.rule?.name;
-  const agentIds = expandedEventFieldsObject.agent?.id;
 
   return {
     id: EventsViewType.osqueryView,
@@ -135,12 +134,7 @@ export const useOsqueryTab = ({
             emptyPrompt
           ) : (
             <>
-              <OsqueryResults
-                agentIds={agentIds}
-                ruleName={ruleName}
-                actionItems={actionItems}
-                ecsData={ecsData}
-              />
+              <OsqueryResults ruleName={ruleName} actionItems={actionItems} ecsData={ecsData} />
               <EuiSpacer size="s" />
             </>
           )}