From 36dfa5286c1418755eabc2d121457f84b91072ca Mon Sep 17 00:00:00 2001
From: Pablo Machado
Date: Fri, 2 Feb 2024 12:24:34 +0100
Subject: [PATCH] [Security Solution] Only query security alerts with the current user (#175903)

## Summary

Fix risk score query to only search security alerts with the current user.

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .github/CODEOWNERS | 1 +
 .../factory/risk_score/all/index.test.ts | 22 +++++++++++++------
 .../factory/risk_score/all/index.ts | 14 ++++++++----
 3 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index b07f76b9683f..187a398f1e20 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1499,6 +1499,7 @@ x-pack/test/security_solution_api_integration/test_suites/entity_analytics @elas
 x-pack/test/security_solution_cypress/cypress/e2e/entity_analytics @elastic/security-entity-analytics
 x-pack/plugins/security_solution/public/flyout/entity_details @elastic/security-entity-analytics
 x-pack/plugins/security_solution/common/api/entity_analytics @elastic/security-entity-analytics
+x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score @elastic/security-entity-analytics
 
 # Security Defend Workflows - OSQuery Ownership
 /x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions @elastic/security-defend-workflows
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.test.ts
index 2f3b8fbf3125..7501ce076b66 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.test.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.test.ts
@@ -69,19 +69,21 @@ export const mockSearchStrategyResponse: IEsSearchResponse = {
 };
 
 const searchMock = jest.fn();
-
+const ALERT_INDEX_PATTERN = '.test-alerts-security.alerts';
+const TEST_SPACE_ID = 'test-default';
 const mockDeps = {
-  esClient: {} as IScopedClusterClient,
-  ruleDataClient: {
-    ...(ruleRegistryMocks.createRuleDataClient('.alerts-security.alerts') as IRuleDataClient),
-    getReader: jest.fn((_options?: { namespace?: string }) => ({
+  esClient: {
+    asCurrentUser: {
       search: searchMock,
-      getDynamicIndexPattern: jest.fn(),
-    })),
+    },
+  } as unknown as IScopedClusterClient,
+  ruleDataClient: {
+    ...(ruleRegistryMocks.createRuleDataClient(ALERT_INDEX_PATTERN) as IRuleDataClient),
   },
   savedObjectsClient: {} as SavedObjectsClientContract,
   endpointContext: createMockEndpointAppContext(),
   request: {} as KibanaRequest,
+  spaceId: TEST_SPACE_ID,
 };
 
 export const mockOptions: RiskScoreRequestOptions = {
@@ -115,6 +117,12 @@ describe('buildRiskScoreQuery search strategy', () => {
     expect(get('data[0].alertsCount', result)).toBeUndefined();
   });
 
+  test('should search alerts on the alerts index pattern', async () => {
+    await riskScore.parse(mockOptions, mockSearchStrategyResponse, mockDeps);
+
+    expect(searchMock.mock.calls[0][0].index).toEqual(`${ALERT_INDEX_PATTERN}${TEST_SPACE_ID}`);
+  });
+
   test('should enhance data with alerts count', async () => {
     const alertsCunt = 9999;
     searchMock.mockReturnValue({
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.ts
index 82836855b852..f4a5b48952af 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/risk_score/all/index.ts
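Review bot: `searchMock.mock.calls[0][0].index` in the new test reads the first call ever recorded on the module-level `searchMock`, and nothing in this hunk clears it between tests; unless a `beforeEach` outside the hunk calls `searchMock.mockClear()`, the preceding test (whose `result` implies an earlier `parse` call with the same `mockDeps`) has already populated `calls[0]`, so the assertion can pass without exercising this test's own call. Assert on the call this test makes, `expect(searchMock).toHaveBeenLastCalledWith(expect.objectContaining({ index: expectedIndex }))` with `const expectedIndex = \`${ALERT_INDEX_PATTERN}${TEST_SPACE_ID}\`;`, or add `beforeEach(() => searchMock.mockClear());` to the describe block. The expected value also encodes how the mocked `indexNameWithNamespace` joins base name and namespace (no separator, giving `.test-alerts-security.alertstest-default`), which deserves a one-line comment such as `// the rule-registry mock concatenates base name and namespace verbatim` so nobody reads it as a real index name.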
@@ -9,6 +9,7 @@ import type { IEsSearchResponse, SearchRequest, TimeRange } from '@kbn/data-plug
 import { get, getOr } from 'lodash/fp';
 import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import type { AggregationsMinAggregate } from '@elastic/elasticsearch/lib/api/types';
+import type { IScopedClusterClient } from '@kbn/core-elasticsearch-server';
 import type { SecuritySolutionFactory } from '../../types';
 import type {
   RiskQueries,
@@ -37,6 +38,7 @@ export const riskScore: SecuritySolutionFactory<
     response: IEsSearchResponse,
     deps?: {
       spaceId?: string;
+      esClient: IScopedClusterClient;
       ruleDataClient?: IRuleDataClient | null;
     }
   ) => {
@@ -56,6 +58,7 @@ export const riskScore: SecuritySolutionFactory<
         data,
         names,
         nameField,
+        deps.esClient,
         deps.ruleDataClient,
         deps.spaceId,
         options.alertsTimerange
@@ -79,13 +82,14 @@ async function enhanceData(
   data: Array,
   names: string[],
   nameField: string,
+  esClient: IScopedClusterClient,
   ruleDataClient?: IRuleDataClient | null,
   spaceId?: string,
   timerange?: TimeRange
 ): Promise> {
-  const ruleDataReader = ruleDataClient?.getReader({ namespace: spaceId });
-  const query = getAlertsQueryForEntity(names, nameField, timerange);
-  const response = await ruleDataReader?.search(query);
+  const indexPattern = ruleDataClient?.indexNameWithNamespace(spaceId ?? 'default');
+  const query = getAlertsQueryForEntity(names, nameField, timerange, indexPattern);
+  const response = await esClient.asCurrentUser.search(query);
 
   const buckets: EnhancedDataBucket[] = getOr([], 'aggregations.alertsByEntity.buckets', response);
   const enhancedAlertsDataByEntityName = buckets.reduce<
@@ -106,10 +110,12 @@ async function enhanceData(
 const getAlertsQueryForEntity = (
   names: string[],
   nameField: string,
-  timerange: TimeRange | undefined
+  timerange: TimeRange | undefined,
+  indexPattern: string | undefined
 ): SearchRequest => {
   return {
     size: 0,
+    index: indexPattern,
     query: {
       bool: {
         filter: [
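Review bot: When `ruleDataClient` is null or undefined (its type allows both), `indexPattern` is undefined and the new `esClient.asCurrentUser.search(query)` runs with no `index`, which Elasticsearch treats as every index the user can read; the entity-name filter would then count matching documents from arbitrary indices as "alerts", whereas the old `ruleDataReader?.search(query)` simply skipped the search. Guard before querying, `if (!indexPattern) return data;` (or throw, if a missing rule data client is a configuration error at this call site). The `spaceId ?? 'default'` fallback likewise silently scopes the count to the default space's alerts when no space id is supplied; since `deps.spaceId` is threaded through from the caller, requiring it would make a missing space id a visible error instead of a cross-space lookup. `enhanceData`'s signature starts on the line before this hunk and its body continues past it.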
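Review bot: The request built here is now sent directly through `esClient.asCurrentUser.search`, so an alerts index that does not exist yet (a space where no alert has been written) or that the user is not authorised to read surfaces as an Elasticsearch error and fails the whole risk score response instead of just omitting alert counts; as far as I recall, the rule-registry reader this replaces passed `ignore_unavailable: true`, which the new request does not. Add `ignore_unavailable: true,` beside `index: indexPattern,`, and have the caller treat an authorisation failure on this search as "no counts" rather than as a failed risk score query — that is precisely the permission boundary this commit is meant to enforce. Declaring `indexPattern: string` instead of `string | undefined` would also let the compiler reject the unscoped-search case rather than relying on `index` being optional.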