Risk engine initialisation, update from legacy risk engine workflow and status change

packages/kbn-check-mappings-update-cli/current_mappings.json

@@ -2938,6 +2938,16 @@
       }
     }
   },
+  "risk-engine-configuration": {
+    "properties": {
+      "enabled": {
+        "type": "boolean"
+      },
+      "last_updated_by": {
+        "type": "keyword"
+      }
+    }
+  },
   "infrastructure-ui-source": {
     "dynamic": false,
     "properties": {}

packages/kbn-test/src/kbn_client/kbn_client_saved_objects.ts

@@ -8,7 +8,10 @@
 
 import { chunk } from 'lodash';
 import type { ToolingLog } from '@kbn/tooling-log';
-import type { SavedObjectsBulkDeleteResponse } from '@kbn/core-saved-objects-api-server';
+import type {
+  SavedObjectsBulkDeleteResponse,
+  SavedObjectsFindResponse,
+} from '@kbn/core-saved-objects-api-server';
 
 import { KbnClientRequester, uriencode } from './kbn_client_requester';
 
@@ -30,6 +33,11 @@ interface SavedObjectResponse<Attributes extends Record<string, any>> {
   version?: string;
 }
 
+interface GetFindOptions {
+  type: string;
+  space?: string;
+}
+
 interface GetOptions {
   type: string;
   id: string;
@@ -152,6 +160,22 @@ export class KbnClientSavedObjects {
     return data;
   }
 
+  /**
+   * Find saved objects
+   */
+  public async find<Attributes extends Record<string, any>>(options: GetFindOptions) {
+    this.log.debug('Find saved objects: %j', options);
+
+    const { data } = await this.requester.request<SavedObjectsFindResponse<Attributes>>({
+      description: 'find saved objects',
+      path: options.space
+        ? uriencode`/s/${options.space}/internal/ftr/kbn_client_so/_find?type=${options.type}`
+        : uriencode`/internal/ftr/kbn_client_so/_find?type=${options.type}`,
+      method: 'GET',
+    });
+    return data;
+  }
+
   /**
    * Create a saved object
    */

src/core/server/integration_tests/saved_objects/migrations/group2/check_registered_types.test.ts

@@ -126,6 +126,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "osquery-pack-asset": "b14101d3172c4b60eb5404696881ce5275c84152",
         "osquery-saved-query": "44f1161e165defe3f9b6ad643c68c542a765fcdb",
         "query": "8db5d48c62d75681d80d82a42b5642f60d068202",
+        "risk-engine-configuration": "4dbbc5fd0d1bacc4d76e9c63dfb7887fb6d57079",
         "rules-settings": "892a2918ebaeba809a612b8d97cec0b07c800b5f",
         "sample-data-telemetry": "37441b12f5b0159c2d6d5138a494c9f440e950b5",
         "search": "8d5184dd5b986d57250b6ffd9ae48a1925e4c7a3",

src/core/server/integration_tests/saved_objects/migrations/group3/type_registrations.test.ts

@@ -104,6 +104,7 @@ const previouslyRegisteredTypes = [
   'search-telemetry',
   'security-rule',
   'security-solution-signals-migration',
+  'risk-engine-configuration',
   'server',
   'siem-detection-engine-rule-actions',
   'siem-detection-engine-rule-execution-info',

src/core/server/integration_tests/saved_objects/migrations/group5/dot_kibana_split.test.ts

@@ -246,6 +246,7 @@ describe('split .kibana index into multiple system indices', () => {
             "osquery-pack-asset",
             "osquery-saved-query",
             "query",
+            "risk-engine-configuration",
             "rules-settings",
             "sample-data-telemetry",
             "search-session",

x-pack/plugins/security_solution/common/constants.ts

@@ -253,6 +253,12 @@ export const RISK_SCORE_CREATE_STORED_SCRIPT = `${INTERNAL_RISK_SCORE_URL}/store
 export const RISK_SCORE_DELETE_STORED_SCRIPT = `${INTERNAL_RISK_SCORE_URL}/stored_scripts/delete`;
 export const RISK_SCORE_PREVIEW_URL = `${INTERNAL_RISK_SCORE_URL}/preview`;
 
+export const RISK_ENGINE_URL = `${INTERNAL_RISK_SCORE_URL}/engine`;
+export const RISK_ENGINE_STATUS_URL = `${RISK_ENGINE_URL}/status`;
+export const RISK_ENGINE_INIT_URL = `${RISK_ENGINE_URL}/init`;
+export const RISK_ENGINE_ENABLE_URL = `${RISK_ENGINE_URL}/enable`;
+export const RISK_ENGINE_DISABLE_URL = `${RISK_ENGINE_URL}/disable`;
+
 /**
  * Public Risk Score routes
  */

x-pack/plugins/security_solution/common/risk_engine/types.ts

@@ -9,3 +9,17 @@ export enum RiskScoreEntity {
   host = 'host',
   user = 'user',
 }
+
+export enum RiskEngineStatus {
+  NOT_INSTALLED = 'NOT_INSTALLED',
+  DISABLED = 'DISABLED',
+  ENABLED = 'ENABLED',
+}
+
+export interface InitRiskEngineResult {
+  legacyRiskEngineDisabled: boolean;
+  riskEngineResourcesInstalled: boolean;
+  riskEngineConfigurationCreated: boolean;
+  riskEngineEnabled: boolean;
+  errors: string[];
+}

x-pack/plugins/security_solution/cypress/e2e/entity_analytics/entity_analytics_management_page.cy.ts

@@ -24,71 +24,75 @@ import { createRule } from '../../tasks/api_calls/rules';
 import { updateDateRangeInLocalDatePickers } from '../../tasks/date_picker';
 import { fillLocalSearchBar, submitLocalSearch } from '../../tasks/search_bar';
 
-describe('Entity analytics management page', () => {
-  before(() => {
-    cleanKibana();
-    cy.task('esArchiverLoad', 'all_users');
-  });
-
-  beforeEach(() => {
-    login();
-    visitWithoutDateRange(ALERTS_URL);
-    createRule(getNewRule({ query: 'user.name:* or host.name:*', risk_score: 70 }));
-    visit(ENTITY_ANALYTICS_MANAGEMENT_URL);
-  });
-
-  after(() => {
-    cy.task('esArchiverUnload', 'all_users');
-  });
-
-  it('renders page as expected', () => {
-    cy.get(PAGE_TITLE).should('have.text', 'Entity Risk Score');
-  });
-
-  describe('Risk preview', () => {
-    it('risk scores reacts on change in datepicker', () => {
-      const START_DATE = 'Jan 18, 2019 @ 20:33:29.186';
-      const END_DATE = 'Jan 19, 2019 @ 20:33:29.186';
-
-      cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
-      cy.get(USER_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
-
-      updateDateRangeInLocalDatePickers(LOCAL_QUERY_BAR_SELECTOR, START_DATE, END_DATE);
-
-      cy.get(HOST_RISK_PREVIEW_TABLE).contains('No items found');
-      cy.get(USER_RISK_PREVIEW_TABLE).contains('No items found');
+describe(
+  'Entity analytics management page',
+  { env: { ftrConfig: { enableExperimental: ['riskScoringRoutesEnabled'] } } },
+  () => {
+    before(() => {
+      cleanKibana();
+      cy.task('esArchiverLoad', 'all_users');
     });
 
-    it('risk scores reacts on change in search bar query', () => {
-      cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
-      cy.get(USER_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
+    beforeEach(() => {
+      login();
+      visitWithoutDateRange(ALERTS_URL);
+      createRule(getNewRule({ query: 'user.name:* or host.name:*', risk_score: 70 }));
+      visit(ENTITY_ANALYTICS_MANAGEMENT_URL);
+    });
 
-      fillLocalSearchBar('host.name: "test-host1"');
-      submitLocalSearch(LOCAL_QUERY_BAR_SELECTOR);
+    after(() => {
+      cy.task('esArchiverUnload', 'all_users');
+    });
 
-      cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).should('have.length', 1);
-      cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).contains('test-host1');
-      cy.get(USER_RISK_PREVIEW_TABLE_ROWS).should('have.length', 1);
-      cy.get(USER_RISK_PREVIEW_TABLE_ROWS).contains('test1');
+    it('renders page as expected', () => {
+      cy.get(PAGE_TITLE).should('have.text', 'Entity Risk Score');
     });
 
-    it('show error panel if API returns error and then try to refetch data', () => {
-      cy.intercept('POST', '/internal/risk_score/preview', {
-        statusCode: 500,
+    describe('Risk preview', () => {
+      it('risk scores reacts on change in datepicker', () => {
+        const START_DATE = 'Jan 18, 2019 @ 20:33:29.186';
+        const END_DATE = 'Jan 19, 2019 @ 20:33:29.186';
+
+        cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
+        cy.get(USER_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
+
+        updateDateRangeInLocalDatePickers(LOCAL_QUERY_BAR_SELECTOR, START_DATE, END_DATE);
+
+        cy.get(HOST_RISK_PREVIEW_TABLE).contains('No items found');
+        cy.get(USER_RISK_PREVIEW_TABLE).contains('No items found');
       });
 
-      cy.get(RISK_PREVIEW_ERROR).contains('Preview failed');
+      it('risk scores reacts on change in search bar query', () => {
+        cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
+        cy.get(USER_RISK_PREVIEW_TABLE_ROWS).should('have.length', 5);
 
-      cy.intercept('POST', '/internal/risk_score/preview', {
-        statusCode: 200,
-        body: {
-          scores: { host: [], user: [] },
-        },
+        fillLocalSearchBar('host.name: "test-host1"');
+        submitLocalSearch(LOCAL_QUERY_BAR_SELECTOR);
+
+        cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).should('have.length', 1);
+        cy.get(HOST_RISK_PREVIEW_TABLE_ROWS).contains('test-host1');
+        cy.get(USER_RISK_PREVIEW_TABLE_ROWS).should('have.length', 1);
+        cy.get(USER_RISK_PREVIEW_TABLE_ROWS).contains('test1');
       });
 
-      cy.get(RISK_PREVIEW_ERROR_BUTTON).click();
+      it('show error panel if API returns error and then try to refetch data', () => {
+        cy.intercept('POST', '/internal/risk_score/preview', {
+          statusCode: 500,
+        });
+
+        cy.get(RISK_PREVIEW_ERROR).contains('Preview failed');
+
+        cy.intercept('POST', '/internal/risk_score/preview', {
+          statusCode: 200,
+          body: {
+            scores: { host: [], user: [] },
+          },
+        });
 
-      cy.get(RISK_PREVIEW_ERROR).should('not.exist');
+        cy.get(RISK_PREVIEW_ERROR_BUTTON).click();
+
+        cy.get(RISK_PREVIEW_ERROR).should('not.exist');
+      });
     });
-  });
-});
+  }
+);

x-pack/plugins/security_solution/public/entity_analytics/api/api.ts

@@ -5,10 +5,22 @@
  * 2.0.
  */
 
-import { RISK_SCORE_PREVIEW_URL } from '../../../common/constants';
+import {
+  RISK_ENGINE_STATUS_URL,
+  RISK_SCORE_PREVIEW_URL,
+  RISK_ENGINE_ENABLE_URL,
+  RISK_ENGINE_DISABLE_URL,
+  RISK_ENGINE_INIT_URL,
+} from '../../../common/constants';
 
 import { KibanaServices } from '../../common/lib/kibana';
-import type { CalculateScoresResponse } from '../../../server/lib/risk_engine/types';
+import type {
+  CalculateScoresResponse,
+  GetRiskEngineEnableResponse,
+  GetRiskEngineStatusResponse,
+  InitRiskEngineResponse,
+  GetRiskEngineDisableResponse,
+} from '../../../server/lib/risk_engine/types';
 import type { RiskScorePreviewRequestSchema } from '../../../common/risk_engine/risk_score_preview/request_schema';
 
 /**
@@ -27,3 +39,44 @@ export const fetchRiskScorePreview = async ({
     signal,
   });
 };
+
+/**
+ * Fetches risks engine status
+ */
+export const fetchRiskEngineStatus = async ({
+  signal,
+}: {
+  signal?: AbortSignal;
+}): Promise<GetRiskEngineStatusResponse> => {
+  return KibanaServices.get().http.fetch<GetRiskEngineStatusResponse>(RISK_ENGINE_STATUS_URL, {
+    method: 'GET',
+    signal,
+  });
+};
+
+/**
+ * Init risk score engine
+ */
+export const initRiskEngine = async (): Promise<InitRiskEngineResponse> => {
+  return KibanaServices.get().http.fetch<InitRiskEngineResponse>(RISK_ENGINE_INIT_URL, {
+    method: 'POST',
+  });
+};
+
+/**
+ * Enable risk score engine
+ */
+export const enableRiskEngine = async (): Promise<GetRiskEngineEnableResponse> => {
+  return KibanaServices.get().http.fetch<GetRiskEngineEnableResponse>(RISK_ENGINE_ENABLE_URL, {
+    method: 'POST',
+  });
+};
+
+/**
+ * Disable risk score engine
+ */
+export const disableRiskEngine = async (): Promise<GetRiskEngineDisableResponse> => {
+  return KibanaServices.get().http.fetch<GetRiskEngineDisableResponse>(RISK_ENGINE_DISABLE_URL, {
+    method: 'POST',
+  });
+};

x-pack/plugins/security_solution/public/entity_analytics/api/hooks/use_disable_risk_engine_mutation.ts

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { UseMutationOptions } from '@tanstack/react-query';
+import { useMutation } from '@tanstack/react-query';
+import { disableRiskEngine } from '../api';
+import { useInvalidateRiskEngineStatusQuery } from './use_risk_engine_status';
+import type {
+  GetRiskEngineDisableResponse,
+  EnableDisableRiskEngineResponse,
+} from '../../../../server/lib/risk_engine/types';
+
+export const DISABLE_RISK_ENGINE_MUTATION_KEY = ['POST', 'DISABLE_RISK_ENGINE'];
+
+export const useDisableRiskEngineMutation = (options?: UseMutationOptions<{}>) => {
+  const invalidateRiskEngineStatusQuery = useInvalidateRiskEngineStatusQuery();
+
+  return useMutation<GetRiskEngineDisableResponse, EnableDisableRiskEngineResponse>(
+    () => disableRiskEngine(),
+    {
+      ...options,
+      mutationKey: DISABLE_RISK_ENGINE_MUTATION_KEY,
+      onSettled: (...args) => {
+        invalidateRiskEngineStatusQuery();
+
+        if (options?.onSettled) {
+          options.onSettled(...args);
+        }
+      },
+    }
+  );
+};

x-pack/plugins/security_solution/public/entity_analytics/api/hooks/use_enable_risk_engine_mutation.ts

@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { UseMutationOptions } from '@tanstack/react-query';
+import { useMutation } from '@tanstack/react-query';
+import { enableRiskEngine } from '../api';
+import { useInvalidateRiskEngineStatusQuery } from './use_risk_engine_status';
+import type {
+  GetRiskEngineEnableResponse,
+  EnableDisableRiskEngineResponse,
+} from '../../../../server/lib/risk_engine/types';
+export const ENABLE_RISK_ENGINE_MUTATION_KEY = ['POST', 'ENABLE_RISK_ENGINE'];
+
+export const useEnableRiskEngineMutation = (options?: UseMutationOptions<{}>) => {
+  const invalidateRiskEngineStatusQuery = useInvalidateRiskEngineStatusQuery();
+
+  return useMutation<GetRiskEngineEnableResponse, EnableDisableRiskEngineResponse>(
+    () => enableRiskEngine(),
+    {
+      ...options,
+      mutationKey: ENABLE_RISK_ENGINE_MUTATION_KEY,
+      onSettled: (...args) => {
+        invalidateRiskEngineStatusQuery();
+
+        if (options?.onSettled) {
+          options.onSettled(...args);
+        }
+      },
+    }
+  );
+};