[9.3] [Entity Analytics] Adding license check to privileged user monitoring routes. (#247986)

.buildkite/ftr_security_serverless_configs.yml

@@ -116,6 +116,7 @@ disabled:
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/basic_license_essentials_tier/configs/serverless.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_store/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/basic_license_essentials_tier/configs/serverless.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_details/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/lists_and_exception_lists/exception_lists_items/trial_license_complete_tier/configs/serverless.config.ts

.buildkite/ftr_security_stateful_configs.yml

@@ -101,6 +101,7 @@ enabled:
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/basic_license_essentials_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_store/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/basic_license_essentials_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_details/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/lists_and_exception_lists/exception_lists_items/trial_license_complete_tier/configs/ess.config.ts

x-pack/solutions/security/plugins/security_solution/common/entity_analytics/privileged_user_monitoring/constants.ts

@@ -16,6 +16,7 @@ export const PRIVMON_USERS_CSV_MAX_SIZE_BYTES_WITH_TOLERANCE =
   PRIVMON_USERS_CSV_MAX_SIZE_BYTES + PRIVMON_USERS_CSV_SIZE_TOLERANCE_BYTES;
 
 const MONITORING_URL = `/api/entity_analytics/monitoring` as const;
+const PAD_URL = `/api/entity_analytics/privileged_user_monitoring/pad` as const;
 
 // Monitoring users URLs
 export const MONITORING_USERS_URL = `${MONITORING_URL}/users` as const;
@@ -40,3 +41,7 @@ export const MONITORING_ENGINE_INIT_URL = `${MONITORING_ENGINE_URL}/init` as con
 export const MONITORING_ENGINE_SCHEDULE_NOW_URL = `${MONITORING_ENGINE_URL}/schedule_now` as const;
 export const MONITORING_ENGINE_DELETE_URL = `${MONITORING_ENGINE_URL}/delete` as const;
 export const MONITORING_ENGINE_DISABLE_URL = `${MONITORING_ENGINE_URL}/disable` as const;
+
+// Privileged Access Detection (PAD) URLs
+export const PAD_INSTALL_URL = `${PAD_URL}/install` as const;
+export const PAD_STATUS_URL = `${PAD_URL}/status` as const;

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/engine/initialisation_service.test.ts

@@ -54,6 +54,7 @@ jest.mock('../saved_objects', () => {
     })),
   };
 });
+
 describe('Privileged User Monitoring: Index Sync Service', () => {
   const mockSavedObjectClient = savedObjectsClientMock.create();
   const clusterClientMock = elasticsearchServiceMock.createScopedClusterClient();

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/routes/create_index.ts

@@ -15,6 +15,7 @@ import type { EntityAnalyticsRoutesDeps } from '../../types';
 import { createDataSourcesService } from '../data_sources/data_sources_service';
 import { PrivilegeMonitoringApiKeyType } from '../auth/saved_object';
 import { monitoringEntitySourceType } from '../saved_objects';
+import { withMinimumLicense } from '../../utils/with_minimum_license';
 
 export const createPrivilegeMonitoringIndicesRoute = (
   router: EntityAnalyticsRoutesDeps['router'],
@@ -40,7 +41,7 @@ export const createPrivilegeMonitoringIndicesRoute = (
         },
       },
 
-      async (context, request, response): Promise<IKibanaResponse<{}>> => {
+      withMinimumLicense(async (context, request, response): Promise<IKibanaResponse<{}>> => {
         const secSol = await context.securitySolution;
         const siemResponse = buildSiemResponse(response);
         const indexName = request.body.name;
@@ -68,6 +69,6 @@ export const createPrivilegeMonitoringIndicesRoute = (
             body: error.message,
           });
         }
-      }
+      }, 'platinum')
     );
 };

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/routes/delete.ts

@@ -21,6 +21,7 @@ import {
 } from '../../../../../common/constants';
 import type { EntityAnalyticsRoutesDeps } from '../../types';
 import { createEngineCrudService } from '../engine/crud_service';
+import { withMinimumLicense } from '../../utils/with_minimum_license';
 
 export const deletePrivilegeMonitoringEngineRoute = (
   router: EntityAnalyticsRoutesDeps['router'],
@@ -51,29 +52,31 @@ export const deletePrivilegeMonitoringEngineRoute = (
           },
         },
       },
+      withMinimumLicense(
+        async (
+          context,
+          request,
+          response
+        ): Promise<IKibanaResponse<DeleteMonitoringEngineResponse>> => {
+          const siemResponse = buildSiemResponse(response);
+          const secSol = await context.securitySolution;
 
-      async (
-        context,
-        request,
-        response
-      ): Promise<IKibanaResponse<DeleteMonitoringEngineResponse>> => {
-        const siemResponse = buildSiemResponse(response);
-        const secSol = await context.securitySolution;
-
-        try {
-          const dataClient = secSol.getPrivilegeMonitoringDataClient();
-          const soClient = dataClient.getScopedSoClient(request);
-          const service = createEngineCrudService(dataClient, soClient);
-          const body = await service.delete(request.query.data);
-          return response.ok({ body });
-        } catch (e) {
-          const error = transformError(e);
-          logger.error(`Error deleting privilege monitoring engine: ${error.message}`);
-          return siemResponse.error({
-            statusCode: error.statusCode,
-            body: error.message,
-          });
-        }
-      }
+          try {
+            const dataClient = secSol.getPrivilegeMonitoringDataClient();
+            const soClient = dataClient.getScopedSoClient(request);
+            const service = createEngineCrudService(dataClient, soClient);
+            const body = await service.delete(request.query.data);
+            return response.ok({ body });
+          } catch (e) {
+            const error = transformError(e);
+            logger.error(`Error deleting privilege monitoring engine: ${error.message}`);
+            return siemResponse.error({
+              statusCode: error.statusCode,
+              body: error.message,
+            });
+          }
+        },
+        'platinum'
+      )
     );
 };

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/routes/disable.ts

@@ -16,6 +16,7 @@ import {
 } from '../../../../../common/constants';
 import type { EntityAnalyticsRoutesDeps } from '../../types';
 import { createEngineStatusService } from '../engine/status_service';
+import { withMinimumLicense } from '../../utils/with_minimum_license';
 
 export const disablePrivilegeMonitoringEngineRoute = (
   router: EntityAnalyticsRoutesDeps['router'],
@@ -42,29 +43,31 @@ export const disablePrivilegeMonitoringEngineRoute = (
         version: API_VERSIONS.public.v1,
         validate: {},
       },
+      withMinimumLicense(
+        async (
+          context,
+          request,
+          response
+        ): Promise<IKibanaResponse<DisableMonitoringEngineResponse>> => {
+          const siemResponse = buildSiemResponse(response);
+          const secSol = await context.securitySolution;
 
-      async (
-        context,
-        request,
-        response
-      ): Promise<IKibanaResponse<DisableMonitoringEngineResponse>> => {
-        const siemResponse = buildSiemResponse(response);
-        const secSol = await context.securitySolution;
-
-        try {
-          const dataClient = secSol.getPrivilegeMonitoringDataClient();
-          const soClient = dataClient.getScopedSoClient(request);
-          const statusService = createEngineStatusService(dataClient, soClient);
-          const body = await statusService.disable();
-          return response.ok({ body });
-        } catch (e) {
-          const error = transformError(e);
-          logger.error(`Error disabling privilege monitoring engine: ${error.message}`);
-          return siemResponse.error({
-            statusCode: error.statusCode,
-            body: error.message,
-          });
-        }
-      }
+          try {
+            const dataClient = secSol.getPrivilegeMonitoringDataClient();
+            const soClient = dataClient.getScopedSoClient(request);
+            const statusService = createEngineStatusService(dataClient, soClient);
+            const body = await statusService.disable();
+            return response.ok({ body });
+          } catch (e) {
+            const error = transformError(e);
+            logger.error(`Error disabling privilege monitoring engine: ${error.message}`);
+            return siemResponse.error({
+              statusCode: error.statusCode,
+              body: error.message,
+            });
+          }
+        },
+        'platinum'
+      )
     );
 };

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/routes/health.ts

@@ -13,6 +13,7 @@ import { API_VERSIONS, APP_ID, PRIVMON_HEALTH_URL } from '../../../../../common/
 import type { EntityAnalyticsRoutesDeps } from '../../types';
 import { createEngineStatusService } from '../engine/status_service';
 import { PRIVILEGE_MONITORING_ENGINE_STATUS } from '../constants';
+import { withMinimumLicense } from '../../utils/with_minimum_license';
 
 export const healthCheckPrivilegeMonitoringRoute = (
   router: EntityAnalyticsRoutesDeps['router'],
@@ -34,45 +35,48 @@ export const healthCheckPrivilegeMonitoringRoute = (
         validate: {},
       },
 
-      async (context, request, response): Promise<IKibanaResponse<PrivMonHealthResponse>> => {
-        const siemResponse = buildSiemResponse(response);
-        const secSol = await context.securitySolution;
+      withMinimumLicense(
+        async (context, request, response): Promise<IKibanaResponse<PrivMonHealthResponse>> => {
+          const siemResponse = buildSiemResponse(response);
+          const secSol = await context.securitySolution;
 
-        const dataClient = secSol.getPrivilegeMonitoringDataClient();
-        const soClient = dataClient.getScopedSoClient(request);
-        const config = secSol.getConfig();
-        const maxUsersAllowed =
-          config.entityAnalytics.monitoring.privileges.users.maxPrivilegedUsersAllowed;
+          const dataClient = secSol.getPrivilegeMonitoringDataClient();
+          const soClient = dataClient.getScopedSoClient(request);
+          const config = secSol.getConfig();
+          const maxUsersAllowed =
+            config.entityAnalytics.monitoring.privileges.users.maxPrivilegedUsersAllowed;
 
-        const statusService = createEngineStatusService(dataClient, soClient);
+          const statusService = createEngineStatusService(dataClient, soClient);
 
-        try {
-          const body = await statusService.get();
+          try {
+            const body = await statusService.get();
 
-          // Only include user count if engine status is "started"
-          if (body.status === PRIVILEGE_MONITORING_ENGINE_STATUS.STARTED) {
-            const userCountResponse = await statusService.getCurrentUserCount();
-            return response.ok({
-              body: {
-                ...body,
-                users: {
-                  current_count: userCountResponse.count,
-                  max_allowed: maxUsersAllowed,
+            // Only include user count if engine status is "started"
+            if (body.status === PRIVILEGE_MONITORING_ENGINE_STATUS.STARTED) {
+              const userCountResponse = await statusService.getCurrentUserCount();
+              return response.ok({
+                body: {
+                  ...body,
+                  users: {
+                    current_count: userCountResponse.count,
+                    max_allowed: maxUsersAllowed,
+                  },
                 },
-              },
+              });
+            } else {
+              return response.ok({ body });
+            }
+          } catch (e) {
+            const error = transformError(e);
+
+            logger.error(`Error checking privilege monitoring health: ${error.message}`);
+            return siemResponse.error({
+              statusCode: error.statusCode,
+              body: error.message,
             });
-          } else {
-            return response.ok({ body });
           }
-        } catch (e) {
-          const error = transformError(e);
-
-          logger.error(`Error checking privilege monitoring health: ${error.message}`);
-          return siemResponse.error({
-            statusCode: error.statusCode,
-            body: error.message,
-          });
-        }
-      }
+        },
+        'platinum'
+      )
     );
 };

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/routes/init.ts

@@ -15,6 +15,7 @@ import { createInitialisationService } from '../engine/initialisation_service';
 import { PrivilegeMonitoringApiKeyType } from '../auth/saved_object';
 import { monitoringEntitySourceType } from '../saved_objects';
 import { PRIVILEGE_MONITORING_ENGINE_STATUS } from '../constants';
+import { withMinimumLicense } from '../../utils/with_minimum_license';
 
 export const initPrivilegeMonitoringEngineRoute = (
   router: EntityAnalyticsRoutesDeps['router'],
@@ -36,40 +37,42 @@ export const initPrivilegeMonitoringEngineRoute = (
         version: API_VERSIONS.public.v1,
         validate: {},
       },
+      withMinimumLicense(
+        async (
+          context,
+          request,
+          response
+        ): Promise<IKibanaResponse<InitMonitoringEngineResponse>> => {
+          const siemResponse = buildSiemResponse(response);
+          const secSol = await context.securitySolution;
 
-      async (
-        context,
-        request,
-        response
-      ): Promise<IKibanaResponse<InitMonitoringEngineResponse>> => {
-        const siemResponse = buildSiemResponse(response);
-        const secSol = await context.securitySolution;
+          const dataClient = secSol.getPrivilegeMonitoringDataClient();
+          const soClient = dataClient.getScopedSoClient(request, {
+            includedHiddenTypes: [
+              PrivilegeMonitoringApiKeyType.name,
+              monitoringEntitySourceType.name,
+            ],
+          });
+          const service = createInitialisationService(dataClient, soClient);
 
-        const dataClient = secSol.getPrivilegeMonitoringDataClient();
-        const soClient = dataClient.getScopedSoClient(request, {
-          includedHiddenTypes: [
-            PrivilegeMonitoringApiKeyType.name,
-            monitoringEntitySourceType.name,
-          ],
-        });
-        const service = createInitialisationService(dataClient, soClient);
+          try {
+            const initResult = await service.init();
 
-        try {
-          const initResult = await service.init();
+            if (initResult.status === PRIVILEGE_MONITORING_ENGINE_STATUS.ERROR) {
+              return siemResponse.error({ statusCode: 500, body: initResult });
+            }
 
-          if (initResult.status === PRIVILEGE_MONITORING_ENGINE_STATUS.ERROR) {
-            return siemResponse.error({ statusCode: 500, body: initResult });
+            return response.ok({ body: initResult });
+          } catch (e) {
+            const error = transformError(e);
+            logger.error(`Error initializing privilege monitoring engine: ${error.message}`);
+            return siemResponse.error({
+              statusCode: error.statusCode,
+              body: error.message,
+            });
           }
-
-          return response.ok({ body: initResult });
-        } catch (e) {
-          const error = transformError(e);
-          logger.error(`Error initializing privilege monitoring engine: ${error.message}`);
-          return siemResponse.error({
-            statusCode: error.statusCode,
-            body: error.message,
-          });
-        }
-      }
+        },
+        'platinum'
+      )
     );
 };