add policy details and update SO limit requests (#71789)

Author: michaelolo24

x-pack/plugins/security_solution/server/usage/collector.ts

@@ -66,8 +66,8 @@ export const registerCollector: RegisterCollector = ({
         },
         policies: {
           malware: {
-            success: { type: 'long' },
-            warning: { type: 'long' },
+            active: { type: 'long' },
+            inactive: { type: 'long' },
             failure: { type: 'long' },
           },
         },

x-pack/plugins/security_solution/server/usage/endpoints/endpoint.mocks.ts

@@ -76,6 +76,108 @@ export const mockFleetObjectsResponse = (
   ],
 });
 
+const mockPolicyPayload = (malwareStatus: 'success' | 'warning' | 'failure') =>
+  JSON.stringify({
+    'endpoint-security': {
+      Endpoint: {
+        configuration: {
+          inputs: [
+            {
+              id: '0d466df0-c60f-11ea-a5c5-151665e785c4',
+              policy: {
+                linux: {
+                  events: {
+                    file: true,
+                    network: true,
+                    process: true,
+                  },
+                  logging: {
+                    file: 'info',
+                  },
+                },
+                mac: {
+                  events: {
+                    file: true,
+                    network: true,
+                    process: true,
+                  },
+                  logging: {
+                    file: 'info',
+                  },
+                  malware: {
+                    mode: 'prevent',
+                  },
+                },
+                windows: {
+                  events: {
+                    dll_and_driver_load: true,
+                    dns: true,
+                    file: true,
+                    network: true,
+                    process: true,
+                    registry: true,
+                    security: true,
+                  },
+                  logging: {
+                    file: 'info',
+                  },
+                  malware: {
+                    mode: 'prevent',
+                  },
+                },
+              },
+            },
+          ],
+        },
+        policy: {
+          applied: {
+            id: '0d466df0-c60f-11ea-a5c5-151665e785c4',
+            response: {
+              configurations: {
+                malware: {
+                  concerned_actions: [
+                    'load_config',
+                    'workflow',
+                    'download_global_artifacts',
+                    'download_user_artifacts',
+                    'configure_malware',
+                    'read_malware_config',
+                    'load_malware_model',
+                    'read_kernel_config',
+                    'configure_kernel',
+                    'detect_process_events',
+                    'detect_file_write_events',
+                    'connect_kernel',
+                    'detect_file_open_events',
+                    'detect_sync_image_load_events',
+                  ],
+                  status: `${malwareStatus}`,
+                },
+              },
+            },
+            status: `${malwareStatus}`,
+          },
+        },
+      },
+      agent: {
+        id: 'testAgentId',
+        version: '8.0.0-SNAPSHOT',
+      },
+      host: {
+        architecture: 'x86_64',
+        id: 'a4148b63-1758-ab1f-a6d3-f95075cb1a9c',
+        os: {
+          Ext: {
+            variant: 'Windows 10 Pro',
+          },
+          full: 'Windows 10 Pro 2004 (10.0.19041.329)',
+          name: 'Windows',
+          version: '2004 (10.0.19041.329)',
+        },
+      },
+    },
+  });
+
 /**
  *
  * @param running - allows us to set whether the mocked endpoint is in an active or disabled/failed state
@@ -102,6 +204,7 @@ export const mockFleetEventsObjectsResponse = (
           message: `Application: endpoint-security--8.0.0[d8f7f6e8-9375-483c-b456-b479f1d7a4f2]: State changed to ${
             running ? 'RUNNING' : 'FAILED'
           }: `,
+          payload: mockPolicyPayload(running ? 'success' : 'failure'),
           config_id: testConfigId,
         },
         references: [],

x-pack/plugins/security_solution/server/usage/endpoints/endpoint.test.ts

@@ -20,12 +20,12 @@ import * as fleetSavedObjects from './fleet_saved_objects';
 describe('test security solution endpoint telemetry', () => {
   let mockSavedObjectsRepository: jest.Mocked<ISavedObjectsRepository>;
   let getFleetSavedObjectsMetadataSpy: jest.SpyInstance<Promise<SavedObjectsFindResponse<Agent>>>;
-  let getFleetEventsSavedObjectsSpy: jest.SpyInstance<Promise<
+  let getLatestFleetEndpointEventSpy: jest.SpyInstance<Promise<
     SavedObjectsFindResponse<AgentEventSOAttributes>
   >>;
 
   beforeAll(() => {
-    getFleetEventsSavedObjectsSpy = jest.spyOn(fleetSavedObjects, 'getFleetEventsSavedObjects');
+    getLatestFleetEndpointEventSpy = jest.spyOn(fleetSavedObjects, 'getLatestFleetEndpointEvent');
     getFleetSavedObjectsMetadataSpy = jest.spyOn(fleetSavedObjects, 'getFleetSavedObjectsMetadata');
     mockSavedObjectsRepository = savedObjectsRepositoryMock.create();
   });
@@ -39,6 +39,13 @@ describe('test security solution endpoint telemetry', () => {
       Object {
         "active_within_last_24_hours": 0,
         "os": Array [],
+        "policies": Object {
+          "malware": Object {
+            "active": 0,
+            "failure": 0,
+            "inactive": 0,
+          },
+        },
         "total_installed": 0,
       }
     `);
@@ -58,6 +65,13 @@ describe('test security solution endpoint telemetry', () => {
         total_installed: 0,
         active_within_last_24_hours: 0,
         os: [],
+        policies: {
+          malware: {
+            failure: 0,
+            active: 0,
+            inactive: 0,
+          },
+        },
       });
     });
   });
@@ -67,7 +81,7 @@ describe('test security solution endpoint telemetry', () => {
       getFleetSavedObjectsMetadataSpy.mockImplementation(() =>
         Promise.resolve(mockFleetObjectsResponse())
       );
-      getFleetEventsSavedObjectsSpy.mockImplementation(() =>
+      getLatestFleetEndpointEventSpy.mockImplementation(() =>
         Promise.resolve(mockFleetEventsObjectsResponse())
       );
 
@@ -85,14 +99,21 @@ describe('test security solution endpoint telemetry', () => {
             count: 1,
           },
         ],
+        policies: {
+          malware: {
+            failure: 1,
+            active: 0,
+            inactive: 0,
+          },
+        },
       });
     });
 
     it('should show one endpoint installed and it is active', async () => {
       getFleetSavedObjectsMetadataSpy.mockImplementation(() =>
         Promise.resolve(mockFleetObjectsResponse())
       );
-      getFleetEventsSavedObjectsSpy.mockImplementation(() =>
+      getLatestFleetEndpointEventSpy.mockImplementation(() =>
         Promise.resolve(mockFleetEventsObjectsResponse(true))
       );
 
@@ -110,6 +131,13 @@ describe('test security solution endpoint telemetry', () => {
             count: 1,
           },
         ],
+        policies: {
+          malware: {
+            failure: 0,
+            active: 1,
+            inactive: 0,
+          },
+        },
       });
     });
   });

x-pack/plugins/security_solution/server/usage/endpoints/fleet_saved_objects.ts

@@ -19,17 +19,19 @@ export const getFleetSavedObjectsMetadata = async (savedObjectsClient: ISavedObj
     type: AGENT_SAVED_OBJECT_TYPE,
     fields: ['packages', 'last_checkin', 'local_metadata'],
     filter: `${AGENT_SAVED_OBJECT_TYPE}.attributes.packages: ${FLEET_ENDPOINT_PACKAGE_CONSTANT}`,
+    perPage: 10000,
     sortField: 'enrolled_at',
     sortOrder: 'desc',
   });
 
-export const getFleetEventsSavedObjects = async (
+export const getLatestFleetEndpointEvent = async (
   savedObjectsClient: ISavedObjectsRepository,
   agentId: string
 ) =>
   savedObjectsClient.find<AgentEventSOAttributes>({
     type: AGENT_EVENT_SAVED_OBJECT_TYPE,
     filter: `${AGENT_EVENT_SAVED_OBJECT_TYPE}.attributes.agent_id: ${agentId} and ${AGENT_EVENT_SAVED_OBJECT_TYPE}.attributes.message: "${FLEET_ENDPOINT_PACKAGE_CONSTANT}"`,
+    perPage: 1, // Get the most recent endpoint event.
     sortField: 'timestamp',
     sortOrder: 'desc',
     search: agentId,