[Security Solution][Endpoint] Cypress test to validate that Endpoint can stream alerts to ES/Kibana

x-pack/plugins/security_solution/public/common/components/endpoint/endpoint_agent_status/endpoint_agent_status.test.tsx

@@ -344,7 +344,7 @@ describe('When showing Endpoint Agent Status', () => {
     });
 
     it('should keep agent status up to date when autoRefresh is true', async () => {
-      renderProps.autoFresh = true;
+      renderProps.autoRefresh = true;
       apiMocks.responseProvider.metadataDetails.mockReturnValueOnce(endpointDetails);
 
       const { getByTestId } = render();

x-pack/plugins/security_solution/public/common/components/endpoint/endpoint_agent_status/endpoint_agent_status.tsx

@@ -138,7 +138,7 @@ export interface EndpointAgentStatusByIdProps {
    * If set to `true` (Default), then the endpoint status and isolation/action counts will
    * be kept up to date by querying the API periodically
    */
-  autoFresh?: boolean;
+  autoRefresh?: boolean;
   'data-test-subj'?: string;
 }
 
@@ -150,9 +150,9 @@ export interface EndpointAgentStatusByIdProps {
  * instead in order to avoid duplicate API calls.
  */
 export const EndpointAgentStatusById = memo<EndpointAgentStatusByIdProps>(
-  ({ endpointAgentId, autoFresh, 'data-test-subj': dataTestSubj }) => {
+  ({ endpointAgentId, autoRefresh, 'data-test-subj': dataTestSubj }) => {
     const { data } = useGetEndpointDetails(endpointAgentId, {
-      refetchInterval: autoFresh ? DEFAULT_POLL_INTERVAL : false,
+      refetchInterval: autoRefresh ? DEFAULT_POLL_INTERVAL : false,
     });
 
     const emptyValue = (
@@ -169,7 +169,7 @@ export const EndpointAgentStatusById = memo<EndpointAgentStatusByIdProps>(
       <EndpointAgentStatus
         endpointHostInfo={data}
         data-test-subj={dataTestSubj}
-        autoRefresh={autoFresh}
+        autoRefresh={autoRefresh}
       />
     );
   }

x-pack/plugins/security_solution/public/management/cypress/cypress.d.ts

@@ -10,6 +10,7 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 
 import type { CasePostRequest } from '@kbn/cases-plugin/common/api';
+import type { DeleteAllEndpointDataResponse } from '../../../scripts/endpoint/common/delete_all_endpoint_data';
 import type { IndexedEndpointPolicyResponse } from '../../../common/endpoint/data_loaders/index_endpoint_policy_response';
 import type {
   HostPolicyResponse,
@@ -56,6 +57,20 @@ declare global {
         ...args: Parameters<Cypress.Chainable<E>['find']>
       ): Chainable<JQuery<E>>;
 
+      /**
+       * Continuously call provided callback function until it either return `true`
+       * or fail if `timeout` is reached.
+       * @param fn
+       * @param options
+       */
+      waitUntil(
+        fn: (subject?: any) => boolean | Promise<boolean> | Chainable<boolean>,
+        options?: Partial<{
+          interval: number;
+          timeout: number;
+        }>
+      ): Chainable<Subject>;
+
       task(
         name: 'indexFleetEndpointPolicy',
         arg: {
@@ -124,6 +139,12 @@ declare global {
         arg: HostActionResponse,
         options?: Partial<Loggable & Timeoutable>
       ): Chainable<LogsEndpointActionResponse>;
+
+      task(
+        name: 'deleteAllEndpointData',
+        arg: { endpointAgentIds: string[] },
+        options?: Partial<Loggable & Timeoutable>
+      ): Chainable<DeleteAllEndpointDataResponse>;
     }
   }
 }

x-pack/plugins/security_solution/public/management/cypress/e2e/endpoint/endpoint_alerts.cy.ts

@@ -0,0 +1,107 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { deleteAllLoadedEndpointData } from '../../tasks/delete_all_endpoint_data';
+import { getAlertsTableRows, navigateToAlertsList } from '../../screens/alerts';
+import { waitForEndpointAlerts } from '../../tasks/alerts';
+import { request } from '../../tasks/common';
+import { getEndpointIntegrationVersion } from '../../tasks/fleet';
+import type { IndexedFleetEndpointPolicyResponse } from '../../../../../common/endpoint/data_loaders/index_fleet_endpoint_policy';
+import { enableAllPolicyProtections } from '../../tasks/endpoint_policy';
+import type { PolicyData, ResponseActionApiResponse } from '../../../../../common/endpoint/types';
+import type { CreateAndEnrollEndpointHostResponse } from '../../../../../scripts/endpoint/common/endpoint_host_services';
+import { login } from '../../tasks/login';
+import { EXECUTE_ROUTE } from '../../../../../common/endpoint/constants';
+import { waitForActionToComplete } from '../../tasks/response_actions';
+
+describe('Endpoint generated alerts', () => {
+  let indexedPolicy: IndexedFleetEndpointPolicyResponse;
+  let policy: PolicyData;
+  let createdHost: CreateAndEnrollEndpointHostResponse;
+
+  before(() => {
+    getEndpointIntegrationVersion().then((version) => {
+      const policyName = `alerts test ${Math.random().toString(36).substring(2, 7)}`;
+
+      cy.task<IndexedFleetEndpointPolicyResponse>('indexFleetEndpointPolicy', {
+        policyName,
+        endpointPackageVersion: version,
+        agentPolicyName: policyName,
+      }).then((data) => {
+        indexedPolicy = data;
+        policy = indexedPolicy.integrationPolicies[0];
+
+        return enableAllPolicyProtections(policy.id).then(() => {
+          // Create and enroll a new Endpoint host
+          return cy
+            .task(
+              'createEndpointHost',
+              {
+                agentPolicyId: policy.policy_id,
+              },
+              { timeout: 180000 }
+            )
+            .then((host) => {
+              createdHost = host as CreateAndEnrollEndpointHostResponse;
+            });
+        });
+      });
+    });
+  });
+
+  after(() => {
+    if (createdHost) {
+      cy.task('destroyEndpointHost', createdHost).then(() => {});
+    }
+
+    if (indexedPolicy) {
+      cy.task('deleteIndexedFleetEndpointPolicies', indexedPolicy);
+    }
+
+    if (createdHost) {
+      deleteAllLoadedEndpointData({ endpointAgentIds: [createdHost.agentId] });
+    }
+  });
+
+  beforeEach(() => {
+    login();
+  });
+
+  it('should create a Detection Engine alert from an endpoint alert', () => {
+    // Triggers a Malicious Behaviour alert on Linux system (`grep *` was added only to identify this specific alert)
+    const executeMaliciousCommand = `bash -c cat /dev/tcp/foo | grep ${Math.random()
+      .toString(16)
+      .substring(2)}`;
+
+    // Send `execute` command that triggers malicious behaviour using the `execute` response action
+    request<ResponseActionApiResponse>({
+      method: 'POST',
+      url: EXECUTE_ROUTE,
+      body: {
+        endpoint_ids: [createdHost.agentId],
+        parameters: {
+          command: executeMaliciousCommand,
+        },
+      },
+    })
+      .then((response) => waitForActionToComplete(response.body.data.id))
+      .then(() => {
+        return waitForEndpointAlerts(createdHost.agentId, [
+          {
+            term: { 'process.group_leader.args': executeMaliciousCommand },
+          },
+        ]);
+      })
+      .then(() => {
+        return navigateToAlertsList(
+          `query=(language:kuery,query:'agent.id: "${createdHost.agentId}" ')`
+        );
+      });
+
+    getAlertsTableRows().should('have.length.greaterThan', 0);
+  });
+});

x-pack/plugins/security_solution/public/management/cypress/screens/alerts.ts

@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { APP_ALERTS_PATH } from '../../../../common/constants';
+
+export const navigateToAlertsList = (urlQueryParams: string = '') => {
+  cy.visit(`${APP_ALERTS_PATH}${urlQueryParams ? `?${urlQueryParams}` : ''}`);
+};
+
+export const clickAlertListRefreshButton = (): Cypress.Chainable => {
+  return cy.getByTestSubj('querySubmitButton').click().should('be.enabled');
+};
+
+/**
+ * Waits until the Alerts list has alerts data and return the number of rows that are currently displayed
+ * @param timeout
+ */
+export const getAlertsTableRows = (timeout?: number): Cypress.Chainable<JQuery<HTMLDivElement>> => {
+  let $rows: JQuery<HTMLDivElement> = Cypress.$();
+
+  return cy
+    .waitUntil(
+      () => {
+        clickAlertListRefreshButton();
+
+        return cy
+          .getByTestSubj('alertsTable')
+          .find<HTMLDivElement>('.euiDataGridRow')
+          .then(($rowsFound) => {
+            $rows = $rowsFound;
+            return Boolean($rows);
+          });
+      },
+      { timeout }
+    )
+    .then(() => $rows);
+};

x-pack/plugins/security_solution/public/management/cypress/screens/endpoints.ts

@@ -6,7 +6,7 @@
  */
 
 import { APP_PATH } from '../../../../common/constants';
-import { getEndpointDetailsPath } from '../../common/routing';
+import { getEndpointDetailsPath, getEndpointListPath } from '../../common/routing';
 
 export const AGENT_HOSTNAME_CELL = 'hostnameCellLink';
 export const AGENT_POLICY_CELL = 'policyNameCellLink';
@@ -21,3 +21,7 @@ export const navigateToEndpointPolicyResponse = (
       getEndpointDetailsPath({ name: 'endpointPolicyResponse', selected_endpoint: endpointAgentId })
   );
 };
+
+export const navigateToEndpointList = (): Cypress.Chainable<Cypress.AUTWindow> => {
+  return cy.visit(APP_PATH + getEndpointListPath({ name: 'endpointList' }));
+};

x-pack/plugins/security_solution/public/management/cypress/support/data_loaders.ts

@@ -9,6 +9,13 @@
 
 import type { CasePostRequest } from '@kbn/cases-plugin/common/api';
 import { sendEndpointActionResponse } from '../../../../scripts/endpoint/agent_emulator/services/endpoint_response_actions';
+import type { DeleteAllEndpointDataResponse } from '../../../../scripts/endpoint/common/delete_all_endpoint_data';
+import { deleteAllEndpointData } from '../../../../scripts/endpoint/common/delete_all_endpoint_data';
+import { waitForEndpointToStreamData } from '../../../../scripts/endpoint/common/endpoint_metadata_services';
+import type {
+  CreateAndEnrollEndpointHostOptions,
+  CreateAndEnrollEndpointHostResponse,
+} from '../../../../scripts/endpoint/common/endpoint_host_services';
 import type { IndexedEndpointPolicyResponse } from '../../../../common/endpoint/data_loaders/index_endpoint_policy_response';
 import {
   deleteIndexedEndpointPolicyResponse,
@@ -39,6 +46,10 @@ import {
   deleteIndexedEndpointRuleAlerts,
   indexEndpointRuleAlerts,
 } from '../../../../common/endpoint/data_loaders/index_endpoint_rule_alerts';
+import {
+  createAndEnrollEndpointHost,
+  destroyEndpointHost,
+} from '../../../../scripts/endpoint/common/endpoint_host_services';
 
 /**
  * Cypress plugin for adding data loading related `task`s
@@ -155,5 +166,47 @@ export const dataLoaders = (
       const { esClient } = await stackServicesPromise;
       return sendEndpointActionResponse(esClient, data.action, { state: data.state.state });
     },
+
+    deleteAllEndpointData: async ({
+      endpointAgentIds,
+    }: {
+      endpointAgentIds: string[];
+    }): Promise<DeleteAllEndpointDataResponse> => {
+      const { esClient } = await stackServicesPromise;
+      return deleteAllEndpointData(esClient, endpointAgentIds);
+    },
+  });
+};
+
+export const dataLoadersForRealEndpoints = (
+  on: Cypress.PluginEvents,
+  config: Cypress.PluginConfigOptions
+): void => {
+  const stackServicesPromise = createRuntimeServices({
+    kibanaUrl: config.env.KIBANA_URL,
+    elasticsearchUrl: config.env.ELASTICSEARCH_URL,
+    username: config.env.ELASTICSEARCH_USERNAME,
+    password: config.env.ELASTICSEARCH_PASSWORD,
+    asSuperuser: true,
+  });
+
+  on('task', {
+    createEndpointHost: async (
+      options: Omit<CreateAndEnrollEndpointHostOptions, 'log' | 'kbnClient'>
+    ): Promise<CreateAndEnrollEndpointHostResponse> => {
+      const { kbnClient, log } = await stackServicesPromise;
+      return createAndEnrollEndpointHost({ ...options, log, kbnClient }).then((newHost) => {
+        return waitForEndpointToStreamData(kbnClient, newHost.agentId, 120000).then(() => {
+          return newHost;
+        });
+      });
+    },
+
+    destroyEndpointHost: async (
+      createdHost: CreateAndEnrollEndpointHostResponse
+    ): Promise<null> => {
+      const { kbnClient } = await stackServicesPromise;
+      return destroyEndpointHost(kbnClient, createdHost).then(() => null);
+    },
   });
 };

x-pack/plugins/security_solution/public/management/cypress/support/e2e.ts

@@ -50,4 +50,42 @@ Cypress.Commands.addQuery<'findByTestSubj'>(
   }
 );
 
+Cypress.Commands.add(
+  'waitUntil',
+  { prevSubject: 'optional' },
+  (subject, fn, { interval = 500, timeout = 30000 } = {}) => {
+    let attempts = Math.floor(timeout / interval);
+
+    const completeOrRetry = (result: boolean) => {
+      if (result) {
+        return result;
+      }
+      if (attempts < 1) {
+        throw new Error(`Timed out while retrying, last result was: {${result}}`);
+      }
+      cy.wait(interval, { log: false }).then(() => {
+        attempts--;
+        return evaluate();
+      });
+    };
+
+    const evaluate = () => {
+      const result = fn(subject);
+
+      if (typeof result === 'boolean') {
+        return completeOrRetry(result);
+      } else if ('then' in result) {
+        // @ts-expect-error
+        return result.then(completeOrRetry);
+      } else {
+        throw new Error(
+          `Unknown return type from callback: ${Object.prototype.toString.call(result)}`
+        );
+      }
+    };
+
+    return evaluate();
+  }
+);
+
 Cypress.on('uncaught:exception', () => false);