[EDR Workflows] Add runscript from Microsoft Defender for Endpoint support to Response Console

x-pack/platform/plugins/shared/stack_connectors/common/microsoft_defender_endpoint/schema.ts

@@ -219,12 +219,7 @@ export const GetActionsParamsSchema = schema.object({
 });
 
 export const GetActionResultsParamsSchema = schema.object({
-  id: schema.maybe(
-    schema.oneOf([
-      schema.string({ minLength: 1 }),
-      schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1 }),
-    ])
-  ),
+  id: schema.string({ minLength: 1 }),
 });
 
 export const MSDefenderLibraryFileSchema = schema.object(
@@ -249,6 +244,8 @@ export const GetLibraryFilesResponse = schema.object(
   { unknowns: 'allow' }
 );
 
+export const DownloadActionResultsResponseSchema = schema.stream();
+
 // ----------------------------------
 // Connector Sub-Actions
 // ----------------------------------

x-pack/platform/plugins/shared/stack_connectors/common/microsoft_defender_endpoint/types.ts

@@ -64,7 +64,7 @@ export interface MicrosoftDefenderEndpointGetActionsResponse {
 
 export interface MicrosoftDefenderEndpointGetActionResultsResponse {
   '@odata.context': string;
-  value: string[]; // Downloadable link
+  value: string; // Downloadable link
 }
 
 /**

x-pack/platform/plugins/shared/stack_connectors/server/connector_types/microsoft_defender_endpoint/microsoft_defender_endpoint.test.ts

@@ -211,4 +211,121 @@ describe('Microsoft Defender for Endpoint Connector', () => {
       );
     });
   });
+
+  describe('#getActionResults()', () => {
+    it('should call Microsoft Defender API to retrieve action results download link', async () => {
+      const actionId = 'test-action-123';
+      const mockDownloadUrl = 'https://download.microsoft.com/mock-download-url/results.json';
+
+      // Mock only the external download URL (Microsoft Defender API is mocked in mocks.ts)
+      connectorMock.apiMock[mockDownloadUrl] = () =>
+        microsoftDefenderEndpointConnectorMocks.createAxiosResponseMock({
+          pipe: jest.fn(),
+          on: jest.fn(),
+          read: jest.fn(),
+        });
+
+      await connectorMock.instanceMock.getActionResults(
+        { id: actionId },
+        connectorMock.usageCollector
+      );
+
+      expect(connectorMock.instanceMock.request).toHaveBeenCalledWith(
+        expect.objectContaining({
+          url: `https://api.mock__microsoft.com/api/machineactions/${actionId}/GetLiveResponseResultDownloadLink(index=0)`,
+          method: 'GET',
+        }),
+        connectorMock.usageCollector
+      );
+
+      expect(connectorMock.instanceMock.request).toHaveBeenCalledWith(
+        expect.objectContaining({
+          url: mockDownloadUrl,
+          method: 'get',
+          responseType: 'stream',
+        }),
+        connectorMock.usageCollector
+      );
+    });
+
+    it('should return a Stream for downloading the file', async () => {
+      const actionId = 'test-action-123';
+      const mockDownloadUrl = 'https://download.microsoft.com/mock-download-url/results.json';
+
+      // Mock external download URL to return a stream (Microsoft Defender API uses default mock)
+      const mockStream = { pipe: jest.fn(), on: jest.fn(), read: jest.fn() };
+      connectorMock.apiMock[mockDownloadUrl] = () =>
+        microsoftDefenderEndpointConnectorMocks.createAxiosResponseMock(mockStream);
+
+      const result = await connectorMock.instanceMock.getActionResults(
+        { id: actionId },
+        connectorMock.usageCollector
+      );
+
+      expect(result).toEqual(mockStream);
+      expect(connectorMock.instanceMock.request).toHaveBeenCalledWith(
+        expect.objectContaining({
+          url: mockDownloadUrl,
+          method: 'get',
+          responseType: 'stream',
+        }),
+        connectorMock.usageCollector
+      );
+    });
+
+    it('should error if download URL is not found in API response', async () => {
+      const actionId = 'test-action-123';
+
+      // Override the default mock to return null
+      connectorMock.apiMock[
+        `https://api.mock__microsoft.com/api/machineactions/${actionId}/GetLiveResponseResultDownloadLink(index=0)`
+      ] = () => microsoftDefenderEndpointConnectorMocks.createAxiosResponseMock({ value: null });
+
+      await expect(
+        connectorMock.instanceMock.getActionResults({ id: actionId }, connectorMock.usageCollector)
+      ).rejects.toThrow(`Download URL for script results of machineId [${actionId}] not found`);
+    });
+
+    it('should error if download URL is empty string in API response', async () => {
+      const actionId = 'test-action-123';
+
+      // Override the default mock to return empty string
+      connectorMock.apiMock[
+        `https://api.mock__microsoft.com/api/machineactions/${actionId}/GetLiveResponseResultDownloadLink(index=0)`
+      ] = () => microsoftDefenderEndpointConnectorMocks.createAxiosResponseMock({ value: '' });
+
+      await expect(
+        connectorMock.instanceMock.getActionResults({ id: actionId }, connectorMock.usageCollector)
+      ).rejects.toThrow(`Download URL for script results of machineId [${actionId}] not found`);
+    });
+
+    it('should handle Microsoft Defender API errors for download link retrieval', async () => {
+      const actionId = 'test-action-123';
+
+      // Override the default mock to throw an error
+      connectorMock.apiMock[
+        `https://api.mock__microsoft.com/api/machineactions/${actionId}/GetLiveResponseResultDownloadLink(index=0)`
+      ] = () => {
+        throw new Error('Microsoft Defender API error');
+      };
+
+      await expect(
+        connectorMock.instanceMock.getActionResults({ id: actionId }, connectorMock.usageCollector)
+      ).rejects.toThrow('Microsoft Defender API error');
+    });
+
+    it('should handle file download errors', async () => {
+      const actionId = 'test-action-123';
+      const mockDownloadUrl = 'https://download.microsoft.com/mock-download-url/results.json';
+
+      // Mock external download URL to throw an error (Microsoft Defender API uses default mock)
+      connectorMock.apiMock[mockDownloadUrl] = () => {
+        throw new Error('File download failed');
+      };
+
+      await expect(
+        connectorMock.instanceMock.getActionResults({ id: actionId }, connectorMock.usageCollector)
+      ).rejects.toThrow('File download failed');
+    });
+  });
 });

x-pack/platform/plugins/shared/stack_connectors/server/connector_types/microsoft_defender_endpoint/microsoft_defender_endpoint.ts

@@ -10,6 +10,7 @@ import { SubActionConnector } from '@kbn/actions-plugin/server';
 import type { AxiosError, AxiosResponse } from 'axios';
 import type { SubActionRequestParams } from '@kbn/actions-plugin/server/sub_action_framework/types';
 import type { ConnectorUsageCollector } from '@kbn/actions-plugin/server/types';
+import type { Stream } from 'stream';
 import { OAuthTokenManager } from './o_auth_token_manager';
 import { MICROSOFT_DEFENDER_ENDPOINT_SUB_ACTION } from '../../../common/microsoft_defender_endpoint/constants';
 import {
@@ -23,6 +24,7 @@ import {
   RunScriptParamsSchema,
   MicrosoftDefenderEndpointEmptyParamsSchema,
   GetActionResultsParamsSchema,
+  DownloadActionResultsResponseSchema,
 } from '../../../common/microsoft_defender_endpoint/schema';
 import type {
   MicrosoftDefenderEndpointAgentDetailsParams,
@@ -450,16 +452,36 @@ export class MicrosoftDefenderEndpointConnector extends SubActionConnector<
   public async getActionResults(
     { id }: MicrosoftDefenderEndpointGetActionsParams,
     connectorUsageCollector: ConnectorUsageCollector
-  ): Promise<MicrosoftDefenderEndpointGetActionResultsResponse> {
+  ): Promise<Stream> {
     // API Reference: https://learn.microsoft.com/en-us/defender-endpoint/api/get-live-response-result
 
-    return this.fetchFromMicrosoft<MicrosoftDefenderEndpointGetActionResultsResponse>(
+    const resultDownloadLink =
+      await this.fetchFromMicrosoft<MicrosoftDefenderEndpointGetActionResultsResponse>(
+        {
+          url: `${this.urls.machineActions}/${id}/GetLiveResponseResultDownloadLink(index=0)`, // We want to download the first result
+          method: 'GET',
+        },
+        connectorUsageCollector
+      );
+    this.logger.debug(
+      () => `script results for machineId [${id}]:\n${JSON.stringify(resultDownloadLink)}`
+    );
+
+    const fileUrl = resultDownloadLink.value;
+
+    if (!fileUrl) {
+      throw new Error(`Download URL for script results of machineId [${id}] not found`);
+    }
+    const downloadConnection = await this.request(
       {
-        url: `${this.urls.machineActions}/${id}/GetLiveResponseResultDownloadLink(index=0)`, // We want to download the first result
-        method: 'GET',
+        url: fileUrl,
+        method: 'get',
+        responseType: 'stream',
+        responseSchema: DownloadActionResultsResponseSchema,
       },
       connectorUsageCollector
     );
+    return downloadConnection.data;
   }
 
   public async getLibraryFiles(

x-pack/platform/plugins/shared/stack_connectors/server/connector_types/microsoft_defender_endpoint/mocks.ts

@@ -154,6 +154,13 @@ const createMicrosoftDefenderConnectorMock = (): CreateMicrosoftDefenderConnecto
         '@odata.context': 'https://api-us3.securitycenter.microsoft.com/api/$metadata#Machines',
         value: [createMicrosoftMachineMock()],
       }),
+
+    // GetActionResults - GetLiveResponseResultDownloadLink (default for test action IDs)
+    [`${apiUrl}/api/machineactions/test-action-123/GetLiveResponseResultDownloadLink(index=0)`]:
+      () =>
+        createAxiosResponseMock({
+          value: 'https://download.microsoft.com/mock-download-url/results.json',
+        }),
   };
 
   instanceMock.request.mockImplementation(