[ML] API integration tests - security_linux and security_windows modules (elastic#85743)

This PR adds API integration tests to create and setup the security_linux and security_windows modules.

Author: pheyos

x-pack/test/api_integration/apis/ml/index.ts

@@ -34,6 +34,7 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
       await ml.testResources.deleteIndexPatternByTitle('ft_module_siem_packetbeat');
       await ml.testResources.deleteIndexPatternByTitle('ft_module_siem_winlogbeat');
       await ml.testResources.deleteIndexPatternByTitle('ft_farequote');
+      await ml.testResources.deleteIndexPatternByTitle('ft_logs-endpoint.events.*');
 
       await esArchiver.unload('ml/ecommerce');
       await esArchiver.unload('ml/categorization');
@@ -45,6 +46,7 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
       await esArchiver.unload('ml/module_nginx');
       await esArchiver.unload('ml/module_sample_ecommerce');
       await esArchiver.unload('ml/module_sample_logs');
+      await esArchiver.unload('ml/module_security_endpoint');
       await esArchiver.unload('ml/module_siem_auditbeat');
       await esArchiver.unload('ml/module_siem_packetbeat');
       await esArchiver.unload('ml/module_siem_winlogbeat');

x-pack/test/api_integration/apis/ml/modules/recognize_module.ts

@@ -135,6 +135,16 @@ export default ({ getService }: FtrProviderContext) => {
         moduleIds: ['auditbeat_process_hosts_ecs', 'security_linux', 'siem_auditbeat'],
       },
     },
+    {
+      testTitleSuffix: 'for security endpoint dataset',
+      sourceDataArchive: 'ml/module_security_endpoint',
+      indexPattern: 'ft_logs-endpoint.events.*',
+      user: USER.ML_POWERUSER,
+      expected: {
+        responseCode: 200,
+        moduleIds: ['security_linux', 'security_windows'],
+      },
+    },
   ];
 
   async function executeRecognizeModuleRequest(indexPattern: string, user: USER, rspCode: number) {

x-pack/test/api_integration/apis/ml/modules/setup_module.ts

@@ -520,6 +520,134 @@ export default ({ getService }: FtrProviderContext) => {
         ] as string[],
       },
     },
+    {
+      testTitleSuffix:
+        'for security_linux with prefix, startDatafeed true and estimateModelMemory true',
+      sourceDataArchive: 'ml/module_security_endpoint',
+      indexPattern: { name: 'ft_logs-endpoint.events.*', timeField: '@timestamp' },
+      module: 'security_linux',
+      user: USER.ML_POWERUSER,
+      requestBody: {
+        prefix: 'pf15_',
+        indexPatternName: 'ft_logs-endpoint.events.*',
+        startDatafeed: true,
+        end: Date.now(),
+      },
+      expected: {
+        responseCode: 200,
+        jobs: [
+          {
+            jobId: 'pf15_v2_rare_process_by_host_linux_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf15_v2_linux_rare_metadata_user',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf15_v2_linux_rare_metadata_process',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf15_v2_linux_anomalous_user_name_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf15_v2_linux_anomalous_process_all_hosts_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf15_v2_linux_anomalous_network_port_activity_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+        ],
+        searches: [] as string[],
+        visualizations: [] as string[],
+        dashboards: [] as string[],
+      },
+    },
+    {
+      testTitleSuffix:
+        'for security_windows with prefix, startDatafeed true and estimateModelMemory true',
+      sourceDataArchive: 'ml/module_security_endpoint',
+      indexPattern: { name: 'ft_logs-endpoint.events.*', timeField: '@timestamp' },
+      module: 'security_windows',
+      user: USER.ML_POWERUSER,
+      requestBody: {
+        prefix: 'pf16_',
+        indexPatternName: 'ft_logs-endpoint.events.*',
+        startDatafeed: true,
+        end: Date.now(),
+      },
+      expected: {
+        responseCode: 200,
+        jobs: [
+          {
+            jobId: 'pf16_v2_rare_process_by_host_windows_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf16_v2_windows_anomalous_network_activity_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf16_v2_windows_anomalous_path_activity_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '10mb',
+          },
+          {
+            jobId: 'pf16_v2_windows_anomalous_process_all_hosts_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf16_v2_windows_anomalous_process_creation',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf16_v2_windows_anomalous_user_name_ecs',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf16_v2_windows_rare_metadata_process',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+          {
+            jobId: 'pf16_v2_windows_rare_metadata_user',
+            jobState: JOB_STATE.CLOSED,
+            datafeedState: DATAFEED_STATE.STOPPED,
+            modelMemoryLimit: '11mb',
+          },
+        ],
+        searches: [] as string[],
+        visualizations: [] as string[],
+        dashboards: [] as string[],
+      },
+    },
   ];
 
   const testDataListNegative = [