[Osquery] Add default osquery_saved_query objects

x-pack/plugins/fleet/.storybook/context/fixtures/integration.nginx.ts

@@ -255,6 +255,7 @@ export const item: GetInfoResponse['item'] = {
       csp_rule_template: [],
       tag: [],
       osquery_pack_asset: [],
+      osquery_saved_query: [],
     },
     elasticsearch: {
       ingest_pipeline: [

x-pack/plugins/fleet/.storybook/context/fixtures/integration.okta.ts

@@ -105,6 +105,7 @@ export const item: GetInfoResponse['item'] = {
       lens: [],
       ml_module: [],
       osquery_pack_asset: [],
+      osquery_saved_query: [],
       security_rule: [],
       csp_rule_template: [],
       tag: [],

x-pack/plugins/fleet/common/services/package_to_package_policy.test.ts

@@ -36,6 +36,7 @@ describe('Fleet - packageToPackagePolicy', () => {
         security_rule: [],
         tag: [],
         osquery_pack_asset: [],
+        osquery_saved_query: [],
       },
       elasticsearch: {
         ingest_pipeline: [],

x-pack/plugins/fleet/common/types/models/epm.ts

@@ -72,6 +72,7 @@ export enum KibanaAssetType {
   mlModule = 'ml_module',
   tag = 'tag',
   osqueryPackAsset = 'osquery_pack_asset',
+  osquerySavedQuery = 'osquery_saved_query',
 }
 
 /*
@@ -89,6 +90,7 @@ export enum KibanaSavedObjectType {
   cloudSecurityPostureRuleTemplate = 'csp-rule-template',
   tag = 'tag',
   osqueryPackAsset = 'osquery-pack-asset',
+  osquerySavedQuery = 'osquery-saved-query',
 }
 
 export enum ElasticsearchAssetType {

x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/assets_facet_group.stories.tsx

@@ -39,6 +39,7 @@ export const AssetsFacetGroup = ({ width }: Args) => {
             ml_module: [],
             tag: [],
             osquery_pack_asset: [],
+            osquery_saved_query: [],
           },
           elasticsearch: {
             component_template: [],

x-pack/plugins/fleet/public/applications/integrations/sections/epm/constants.tsx

@@ -62,9 +62,12 @@ export const AssetTitleMap: Record<DisplayedAssetType, string> = {
   security_rule: i18n.translate('xpack.fleet.epm.assetTitles.securityRules', {
     defaultMessage: 'Security rules',
   }),
-  osquery_pack_asset: i18n.translate('xpack.fleet.epm.assetTitles.osqueryPackAsset', {
+  osquery_pack_asset: i18n.translate('xpack.fleet.epm.assetTitles.osqueryPackAssets', {
     defaultMessage: 'Osquery packs',
   }),
+  osquery_saved_query: i18n.translate('xpack.fleet.epm.assetTitles.osquerySavedQuery', {
+    defaultMessage: 'Osquery saved queries',
+  }),
   ml_module: i18n.translate('xpack.fleet.epm.assetTitles.mlModules', {
     defaultMessage: 'ML modules',
   }),
@@ -102,6 +105,7 @@ export const AssetIcons: Record<KibanaAssetType, IconType> = {
   ml_module: 'mlApp',
   tag: 'tagApp',
   osquery_pack_asset: 'osqueryApp',
+  osquery_saved_query: 'osqueryApp',
 };
 
 export const ServiceIcons: Record<ServiceName, IconType> = {

x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts

@@ -58,6 +58,7 @@ const KibanaSavedObjectTypeMapping: Record<KibanaAssetType, KibanaSavedObjectTyp
     KibanaSavedObjectType.cloudSecurityPostureRuleTemplate,
   [KibanaAssetType.tag]: KibanaSavedObjectType.tag,
   [KibanaAssetType.osqueryPackAsset]: KibanaSavedObjectType.osqueryPackAsset,
+  [KibanaAssetType.osquerySavedQuery]: KibanaSavedObjectType.osquerySavedQuery,
 };
 
 const AssetFilters: Record<string, (kibanaAssets: ArchiveAsset[]) => ArchiveAsset[]> = {

x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.test.ts

@@ -70,6 +70,7 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
           ml_module: [],
           tag: [],
           osquery_pack_asset: [],
+          osquery_saved_query: [],
         },
         elasticsearch: {
           component_template: [],
@@ -184,6 +185,7 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
           ml_module: [],
           tag: [],
           osquery_pack_asset: [],
+          osquery_saved_query: [],
         },
         elasticsearch: {
           component_template: [],
@@ -278,6 +280,7 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
           ml_module: [],
           tag: [],
           osquery_pack_asset: [],
+          osquery_saved_query: [],
         },
         elasticsearch: {
           component_template: [],
@@ -404,6 +407,7 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
           ml_module: [],
           tag: [],
           osquery_pack_asset: [],
+          osquery_saved_query: [],
         },
         elasticsearch: {
           component_template: [],

x-pack/plugins/osquery/cypress/integration/all/add_integration.spec.ts

@@ -5,11 +5,11 @@
  * 2.0.
  */
 
-import { FLEET_AGENT_POLICIES, OLD_OSQUERY_MANAGER } from '../../tasks/navigation';
+import { FLEET_AGENT_POLICIES, navigateTo, OLD_OSQUERY_MANAGER } from '../../tasks/navigation';
 import { addIntegration, closeModalIfVisible } from '../../tasks/integrations';
 
 import { login } from '../../tasks/login';
-// import { findAndClickButton, findFormFieldByRowsLabelAndType } from '../../tasks/live_query';
+import { findAndClickButton, findFormFieldByRowsLabelAndType } from '../../tasks/live_query';
 import { ArchiverMethod, runKbnArchiverScript } from '../../tasks/archiver';
 import { DEFAULT_POLICY } from '../../screens/fleet';
 
@@ -76,53 +76,58 @@ describe('ALL - Add Integration', () => {
     addIntegration();
     cy.contains('osquery_manager-');
   });
-  // it('should have integration and packs copied when upgrading integration', () => {
-  //   const packageName = 'osquery_manager';
-  //   const oldVersion = '0.7.4';
-  //   const newVersion = '0.8.1';
-  //
-  //   cy.visit(`app/integrations/detail/${packageName}-${oldVersion}/overview`);
-  //   cy.contains('Add Osquery Manager').click();
-  //   cy.contains('Save and continue').click();
-  //   cy.contains('Add Elastic Agent later').click();
-  //   cy.contains('Upgrade');
-  //   cy.contains('Default policy').click();
-  //   cy.get('tr')
-  //     .should('contain', 'osquery_manager-2')
-  //     .and('contain', 'Osquery Manager')
-  //     .and('contain', `v${oldVersion}`);
-  //   cy.contains('Actions').click();
-  //   cy.contains('View policy').click();
-  //   cy.contains('name: osquery_manager-2');
-  //   cy.contains(`version: ${oldVersion}`);
-  //   cy.contains('Close').click();
-  //   navigateTo('app/osquery/packs');
-  //   findAndClickButton('Add pack');
-  //   findFormFieldByRowsLabelAndType('Name', 'Integration');
-  //   findFormFieldByRowsLabelAndType('Scheduled agent policies (optional)', '{downArrow} {enter}');
-  //   findAndClickButton('Add query');
-  //   cy.react('EuiComboBox', { props: { placeholder: 'Search for saved queries' } })
-  //     .click()
-  //     .type('{downArrow} {enter}');
-  //   cy.contains(/^Save$/).click();
-  //   cy.contains(/^Save pack$/).click();
-  //   cy.visit('app/fleet/policies');
-  //   cy.contains('Default policy').click();
-  //   cy.contains('Upgrade').click();
-  //   cy.contains(/^Advanced$/).click();
-  //   cy.contains('"Integration":');
-  //   cy.contains(/^Upgrade integration$/).click();
-  //   cy.contains(/^osquery_manager-2$/).click();
-  //   cy.contains(/^Advanced$/).click();
-  //   cy.contains('"Integration":');
-  //   cy.contains('Cancel').click();
-  //   cy.get('tr')
-  //     .should('contain', 'osquery_manager-2')
-  //     .and('contain', 'Osquery Manager')
-  //     .and('contain', `v${newVersion}`);
-  //   cy.contains('Actions').click();
-  //   cy.contains('View policy').click();
-  //   cy.contains('name: osquery_manager-2');
-  //   cy.contains(`version: ${newVersion}`);
-  // });
+  it('should have integration and packs copied when upgrading integration', () => {
+    const packageName = 'osquery_manager';
+    const oldVersion = '1.2.0';
+    const newVersion = '1.3.0';
+
+    cy.visit(`app/integrations/detail/${packageName}-${oldVersion}/overview`);
+    cy.contains('Add Osquery Manager').click();
+    cy.contains('Save and continue').click();
+    cy.contains('Add Elastic Agent later').click();
+    cy.contains('Upgrade');
+    cy.contains('Agent policy 1').click();
+    cy.get('tr')
+      .should('contain', 'osquery_manager-2')
+      .and('contain', 'Osquery Manager')
+      .and('contain', `v${oldVersion}`);
+    cy.contains('Actions').click();
+    cy.contains('View policy').click();
+    cy.contains('name: osquery_manager-2');
+    cy.contains(`version: ${oldVersion}`);
+    cy.contains('Close').click();
+    navigateTo('app/osquery/packs');
+    findAndClickButton('Add pack');
+    findFormFieldByRowsLabelAndType('Name', 'Integration');
+    findFormFieldByRowsLabelAndType('Scheduled agent policies (optional)', '{downArrow} {enter}');
+    findAndClickButton('Add query');
+    cy.react('EuiComboBox', { props: { placeholder: 'Search for saved queries' } })
+      .click()
+      .type('{downArrow} {enter}');
+    cy.contains(/^Save$/).click();
+    cy.contains(/^Save pack$/).click();
+    cy.visit('app/fleet/policies');
+    cy.contains('Agent policy 1').click();
+    cy.contains('Upgrade').click();
+    cy.contains(/^Advanced$/).click();
+    cy.contains('"Integration":');
+    cy.contains(/^Upgrade integration$/).click();
+    cy.contains(/^osquery_manager-2$/).click();
+    cy.contains(/^Advanced$/).click();
+    cy.contains('"Integration":');
+    cy.contains('Cancel').click();
+    cy.get('tr')
+      .should('contain', 'osquery_manager-2')
+      .and('contain', 'Osquery Manager')
+      .and('contain', `v${newVersion}`);
+    cy.contains('Actions').click();
+    cy.contains('View policy').click();
+    cy.contains('name: osquery_manager-2');
+    cy.contains(`version: ${newVersion}`);
+
+    // test list of prebuilt queries
+    navigateTo('/app/osquery/saved_queries');
+    cy.waitForReact();
+    cy.react('EuiTableRow').should('have.length.above', 5);
+  });
 });

x-pack/plugins/osquery/public/routes/saved_queries/edit/index.tsx

@@ -12,18 +12,24 @@ import {
   EuiFlexItem,
   EuiConfirmModal,
   EuiText,
+  EuiCallOut,
 } from '@elastic/eui';
 import { isEmpty } from 'lodash/fp';
 import React, { useCallback, useMemo, useState } from 'react';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { useParams } from 'react-router-dom';
 
+import styled from 'styled-components';
 import { useKibana, useRouterNavigate } from '../../../common/lib/kibana';
 import { WithHeaderLayout } from '../../../components/layouts';
 import { useBreadcrumbs } from '../../../common/hooks/use_breadcrumbs';
 import { EditSavedQueryForm } from './form';
 import { useDeleteSavedQuery, useUpdateSavedQuery, useSavedQuery } from '../../../saved_queries';
 
+const StyledEuiCallOut = styled(EuiCallOut)`
+  margin: 10px;
+`;
+
 const EditSavedQueryPageComponent = () => {
   const permissions = useKibana().services.application.capabilities.osquery;
 
@@ -37,7 +43,14 @@ const EditSavedQueryPageComponent = () => {
 
   useBreadcrumbs('saved_query_edit', { savedQueryName: savedQueryDetails?.attributes?.id ?? '' });
 
-  const viewMode = useMemo(() => !permissions.writeSavedQueries, [permissions.writeSavedQueries]);
+  const elasticPrebuiltQuery = useMemo(
+    () => savedQueryDetails?.attributes?.version,
+    [savedQueryDetails]
+  );
+  const viewMode = useMemo(
+    () => !permissions.writeSavedQueries || elasticPrebuiltQuery,
+    [permissions.writeSavedQueries, elasticPrebuiltQuery]
+  );
 
   const handleCloseDeleteConfirmationModal = useCallback(() => {
     setIsDeleteModalVisible(false);
@@ -68,14 +81,24 @@ const EditSavedQueryPageComponent = () => {
           <EuiText>
             <h1>
               {viewMode ? (
-                <FormattedMessage
-                  id="xpack.osquery.viewSavedQuery.pageTitle"
-                  defaultMessage='"{savedQueryId}" details'
-                  // eslint-disable-next-line react-perf/jsx-no-new-object-as-prop
-                  values={{
-                    savedQueryId: savedQueryDetails?.attributes?.id ?? '',
-                  }}
-                />
+                <>
+                  <FormattedMessage
+                    id="xpack.osquery.viewSavedQuery.pageTitle"
+                    defaultMessage='"{savedQueryId}" details'
+                    // eslint-disable-next-line react-perf/jsx-no-new-object-as-prop
+                    values={{
+                      savedQueryId: savedQueryDetails?.attributes?.id ?? '',
+                    }}
+                  />
+                  {elasticPrebuiltQuery && (
+                    <StyledEuiCallOut size="s">
+                      <FormattedMessage
+                        id="xpack.osquery.viewSavedQuery.prebuiltInfo"
+                        defaultMessage="This is a prebuilt Elastic query, and it cannot be edited."
+                      />
+                    </StyledEuiCallOut>
+                  )}
+                </>
               ) : (
                 <FormattedMessage
                   id="xpack.osquery.editSavedQuery.pageTitle"
@@ -91,7 +114,7 @@ const EditSavedQueryPageComponent = () => {
         </EuiFlexItem>
       </EuiFlexGroup>
     ),
-    [savedQueryDetails?.attributes?.id, savedQueryListProps, viewMode]
+    [elasticPrebuiltQuery, savedQueryDetails?.attributes?.id, savedQueryListProps, viewMode]
   );
 
   const RightColumn = useMemo(

x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx

@@ -14,6 +14,7 @@ import {
   EuiFlexItem,
   EuiText,
   EuiBasicTableColumn,
+  EuiToolTip,
 } from '@elastic/eui';
 import React, { useCallback, useMemo, useState } from 'react';
 import { i18n } from '@kbn/i18n';
@@ -145,6 +146,16 @@ const SavedQueriesPageComponent = () => {
     return updatedAt ? `${moment(updatedAt).fromNow()}${updatedBy}` : '-';
   }, []);
 
+  const renderDescriptionColumn = useCallback((description?: string) => {
+    const content =
+      description && description.length > 80 ? `${description?.substring(0, 80)}...` : description;
+
+    return (
+      <EuiToolTip content={<EuiFlexItem>{description}</EuiFlexItem>}>
+        <EuiFlexItem grow={false}>{content}</EuiFlexItem>
+      </EuiToolTip>
+    );
+  }, []);
   const columns: Array<EuiBasicTableColumn<SavedQuerySO>> = useMemo(
     () => [
       {
@@ -154,19 +165,22 @@ const SavedQueriesPageComponent = () => {
         }),
         sortable: (item) => item.attributes.id.toLowerCase(),
         truncateText: true,
+        width: '15%',
       },
       {
         field: 'attributes.description',
         name: i18n.translate('xpack.osquery.savedQueries.table.descriptionColumnTitle', {
           defaultMessage: 'Description',
         }),
-        truncateText: true,
+        render: renderDescriptionColumn,
+        width: '50%',
       },
       {
         field: 'attributes.created_by',
         name: i18n.translate('xpack.osquery.savedQueries.table.createdByColumnTitle', {
           defaultMessage: 'Created by',
         }),
+        width: '15%',
         sortable: true,
         truncateText: true,
       },
@@ -175,6 +189,7 @@ const SavedQueriesPageComponent = () => {
         name: i18n.translate('xpack.osquery.savedQueries.table.updatedAtColumnTitle', {
           defaultMessage: 'Last updated at',
         }),
+        width: '10%',
         sortable: (item) =>
           item.attributes.updated_at ? Date.parse(item.attributes.updated_at) : 0,
         truncateText: true,
@@ -187,7 +202,7 @@ const SavedQueriesPageComponent = () => {
         actions: [{ render: renderPlayAction }, { render: renderEditAction }],
       },
     ],
-    [renderEditAction, renderPlayAction, renderUpdatedAt]
+    [renderDescriptionColumn, renderEditAction, renderPlayAction, renderUpdatedAt]
   );
 
   const onTableChange = useCallback(({ page = {}, sort = {} }) => {

x-pack/plugins/osquery/public/saved_queries/form/code_editor_field.tsx

@@ -36,7 +36,7 @@ const CodeEditorFieldComponent: React.FC<CodeEditorFieldProps> = ({ euiFieldProp
       error={error}
       fullWidth
     >
-      {euiFieldProps?.disabled ? (
+      {euiFieldProps?.isDisabled ? (
         <StyledEuiCodeBlock
           language="sql"
           fontSize="m"