[8.10] [Defend Workflows][Osquery] New live query policy lookup (#166615

) (#166926)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Defend Workflows][Osquery] New live query policy lookup
(#166615)](#166615)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-09-21T10:47:14Z","message":"[Defend
Workflows][Osquery] New live query policy lookup
(#166615)\n\nhttps://github.com//issues/166268\r\n\r\ncloses
https://github.com/elastic/security-team/issues/7676\r\n\r\nAggregations
that return policy list that is being used for looking up\r\nsearch term
defaults to 10 results when no `size` param passed. At this\r\npoint
size is set to
`2000`.\r\n\r\nBefore\r\n\r\n\r\nhttps://github.com/elastic/kibana/assets/29123534/7571378e-e1e9-4aa9-a179-e17fe50c502e\r\n\r\nAfter
\r\n\r\n\r\nhttps://github.com/elastic/kibana/assets/29123534/56a395e1-f9a9-4cf9-90f8-07d4758b8136\r\n\r\n\r\nAdded
callout informing user that no agents are available, copy
provided\r\nhere -
https://github.com/elastic/security-team/issues/7676\r\n\r\n![Screenshot
2023-09-21 at 11
31\r\n24](https://github.com/elastic/kibana/assets/29123534/1c44db9b-5bc3-4737-8fed-ed4ff56e018b)","sha":"f50edde37e4fd4603c5b118dd9f395b8675cd7bc","branchLabelMapping":{"^v8.11.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:Defend
Workflows","Osquery","v8.11.0","v8.10.3"],"number":166615,"url":"https://github.com/elastic/kibana/pull/166615","mergeCommit":{"message":"[Defend
Workflows][Osquery] New live query policy lookup
(#166615)\n\nhttps://github.com//issues/166268\r\n\r\ncloses
https://github.com/elastic/security-team/issues/7676\r\n\r\nAggregations
that return policy list that is being used for looking up\r\nsearch term
defaults to 10 results when no `size` param passed. At this\r\npoint
size is set to
`2000`.\r\n\r\nBefore\r\n\r\n\r\nhttps://github.com/elastic/kibana/assets/29123534/7571378e-e1e9-4aa9-a179-e17fe50c502e\r\n\r\nAfter
\r\n\r\n\r\nhttps://github.com/elastic/kibana/assets/29123534/56a395e1-f9a9-4cf9-90f8-07d4758b8136\r\n\r\n\r\nAdded
callout informing user that no agents are available, copy
provided\r\nhere -
https://github.com/elastic/security-team/issues/7676\r\n\r\n![Screenshot
2023-09-21 at 11
31\r\n24](https://github.com/elastic/kibana/assets/29123534/1c44db9b-5bc3-4737-8fed-ed4ff56e018b)","sha":"f50edde37e4fd4603c5b118dd9f395b8675cd7bc"}},"sourceBranch":"main","suggestedTargetBranches":["8.10"],"targetPullRequestStates":[{"branch":"main","label":"v8.11.0","labelRegex":"^v8.11.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/166615","number":166615,"mergeCommit":{"message":"[Defend
Workflows][Osquery] New live query policy lookup
(#166615)\n\nhttps://github.com//issues/166268\r\n\r\ncloses
https://github.com/elastic/security-team/issues/7676\r\n\r\nAggregations
that return policy list that is being used for looking up\r\nsearch term
defaults to 10 results when no `size` param passed. At this\r\npoint
size is set to
`2000`.\r\n\r\nBefore\r\n\r\n\r\nhttps://github.com/elastic/kibana/assets/29123534/7571378e-e1e9-4aa9-a179-e17fe50c502e\r\n\r\nAfter
\r\n\r\n\r\nhttps://github.com/elastic/kibana/assets/29123534/56a395e1-f9a9-4cf9-90f8-07d4758b8136\r\n\r\n\r\nAdded
callout informing user that no agents are available, copy
provided\r\nhere -
https://github.com/elastic/security-team/issues/7676\r\n\r\n![Screenshot
2023-09-21 at 11
31\r\n24](https://github.com/elastic/kibana/assets/29123534/1c44db9b-5bc3-4737-8fed-ed4ff56e018b)","sha":"f50edde37e4fd4603c5b118dd9f395b8675cd7bc"}},{"branch":"8.10","label":"v8.10.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Kibana Machine <[email protected]>

x-pack/plugins/osquery/cypress/e2e/all/timelines.cy.ts

@@ -5,11 +5,10 @@
  * 2.0.
  */
 
-import { tag } from '../../tags';
 import { takeOsqueryActionWithParams } from '../../tasks/live_query';
 import { ServerlessRoleName } from '../../support/roles';
 
-describe('ALL - Timelines', { tags: [tag.ESS] }, () => {
+describe('ALL - Timelines', { tags: ['@ess'] }, () => {
   beforeEach(() => {
     cy.login(ServerlessRoleName.SOC_MANAGER);
   });

x-pack/plugins/osquery/public/agents/agents_table.tsx

@@ -7,10 +7,20 @@
 
 import { find } from 'lodash/fp';
 import React, { useCallback, useEffect, useRef, useState } from 'react';
-import { EuiComboBox, EuiHealth, EuiFormRow, EuiHighlight, EuiSpacer } from '@elastic/eui';
+import {
+  EuiComboBox,
+  EuiHealth,
+  EuiFormRow,
+  EuiHighlight,
+  EuiSpacer,
+  EuiCallOut,
+  EuiLink,
+} from '@elastic/eui';
 import deepEqual from 'fast-deep-equal';
 
 import useDebounce from 'react-use/lib/useDebounce';
+import { FormattedMessage } from '@kbn/i18n-react';
+import { useKibana } from '../common/lib/kibana';
 import { useAllAgents } from './use_all_agents';
 import { useAgentGroups } from './use_agent_groups';
 import { AgentGrouper } from './agent_grouper';
@@ -27,6 +37,7 @@ import {
   ALL_AGENTS_LABEL,
   AGENT_POLICY_LABEL,
   AGENT_SELECTION_LABEL,
+  NO_AGENT_AVAILABLE_TITLE,
 } from './translations';
 
 import type { SelectedGroups, AgentOptionValue, GroupOption, AgentSelection } from './types';
@@ -42,6 +53,7 @@ const perPage = 10;
 const DEBOUNCE_DELAY = 300; // ms
 
 const AgentsTableComponent: React.FC<AgentsTableProps> = ({ agentSelection, onChange, error }) => {
+  const { docLinks } = useKibana().services;
   // search related
   const [searchValue, setSearchValue] = useState<string>('');
   const [modifyingSearch, setModifyingSearch] = useState<boolean>(false);
@@ -148,17 +160,23 @@ const AgentsTableComponent: React.FC<AgentsTableProps> = ({ agentSelection, onCh
 
   useEffect(() => {
     if (agentsFetched && groupsFetched && agentGroupsData) {
+      // Cap policies to 10 on init dropdown
+      const policies = (agentGroupsData?.groups.policies || []).slice(
+        0,
+        searchValue === '' ? 10 : undefined
+      );
+
       const grouper = new AgentGrouper();
       // update the groups when groups or agents have changed
       grouper.setTotalAgents(agentGroupsData?.total);
       grouper.updateGroup(AGENT_GROUP_KEY.Platform, agentGroupsData?.groups.platforms);
-      grouper.updateGroup(AGENT_GROUP_KEY.Policy, agentGroupsData?.groups.policies);
+      grouper.updateGroup(AGENT_GROUP_KEY.Policy, policies);
       // @ts-expect-error update types
       grouper.updateGroup(AGENT_GROUP_KEY.Agent, agents);
       const newOptions = grouper.generateOptions();
       setOptions((prevOptions) => (!deepEqual(prevOptions, newOptions) ? newOptions : prevOptions));
     }
-  }, [groupsLoading, agents, agentsFetched, groupsFetched, agentGroupsData]);
+  }, [groupsLoading, agents, agentsFetched, groupsFetched, agentGroupsData, searchValue]);
 
   const renderOption = useCallback((option, searchVal, contentClassName) => {
     const { label, value } = option;
@@ -183,22 +201,58 @@ const AgentsTableComponent: React.FC<AgentsTableProps> = ({ agentSelection, onCh
     setModifyingSearch(v !== '');
     setSearchValue(v);
   }, []);
+  const isFetched = groupsFetched && agentsFetched && agentGroupsData;
+
+  const renderNoAgentAvailableWarning = () => {
+    if (isFetched && !options.length) {
+      return (
+        <>
+          <EuiCallOut color="danger" size="s" iconType="warning" title={NO_AGENT_AVAILABLE_TITLE}>
+            <FormattedMessage
+              id="xpack.osquery.agents.noAgentAvailableDescription"
+              defaultMessage="Before you can query agents, they must be enrolled in an agent policy with the Osquery integration installed. Refer to {docsLink} for more information."
+              // eslint-disable-next-line react-perf/jsx-no-new-object-as-prop
+              values={{
+                docsLink: (
+                  <EuiLink
+                    href={`${docLinks.links.fleet.agentPolicy}#apply-a-policy`}
+                    target={'_blank'}
+                  >
+                    <FormattedMessage
+                      id="xpack.osquery.agents.noAgentAvailableDescription.docsLink"
+                      defaultMessage="Apply a policy"
+                    />
+                  </EuiLink>
+                ),
+              }}
+            />
+          </EuiCallOut>
+          <EuiSpacer size="s" />
+        </>
+      );
+    }
+
+    return null;
+  };
 
   return (
     <div>
       <EuiFormRow label={AGENT_SELECTION_LABEL} fullWidth isInvalid={!!error} error={error}>
-        <EuiComboBox
-          data-test-subj="agentSelection"
-          placeholder={SELECT_AGENT_LABEL}
-          isLoading={modifyingSearch || groupsLoading || agentsLoading}
-          options={options}
-          isClearable={true}
-          fullWidth={true}
-          onSearchChange={onSearchChange}
-          selectedOptions={selectedOptions}
-          onChange={onSelection}
-          renderOption={renderOption}
-        />
+        <>
+          {renderNoAgentAvailableWarning()}
+          <EuiComboBox
+            data-test-subj="agentSelection"
+            placeholder={SELECT_AGENT_LABEL}
+            isLoading={groupsLoading || agentsLoading || modifyingSearch}
+            options={options}
+            isClearable={true}
+            fullWidth={true}
+            onSearchChange={onSearchChange}
+            selectedOptions={selectedOptions}
+            onChange={onSelection}
+            renderOption={renderOption}
+          />
+        </>
       </EuiFormRow>
       <EuiSpacer size="xs" />
       {numAgentsSelected > 0 ? <span>{generateSelectedAgentsMessage(numAgentsSelected)}</span> : ''}

x-pack/plugins/osquery/public/agents/translations.ts

@@ -42,6 +42,14 @@ export const AGENT = i18n.translate('xpack.osquery.agents.agent', {
 export const AGENT_SELECTION_LABEL = i18n.translate('xpack.osquery.agents.selectionLabel', {
   defaultMessage: `Agents`,
 });
+
+export const NO_AGENT_AVAILABLE_TITLE = i18n.translate(
+  'xpack.osquery.agents.noAgentAvailableTitle',
+  {
+    defaultMessage: `No agents available`,
+  }
+);
+
 export const AGENT_QUERY = i18n.translate('xpack.osquery.agents.query', {
   defaultMessage: `Query`,
 });

x-pack/plugins/osquery/public/agents/use_agent_groups.ts

@@ -45,17 +45,11 @@ export const useAgentGroups = () => {
                 terms: {
                   field: 'local_metadata.os.platform',
                 },
-                aggs: {
-                  policies: {
-                    terms: {
-                      field: 'policy_id',
-                    },
-                  },
-                },
               },
               policies: {
                 terms: {
                   field: 'policy_id',
+                  size: 2000,
                 },
               },
             },

x-pack/plugins/osquery/server/search_strategy/osquery/factory/agents/query.all_agents.dsl.ts

@@ -12,7 +12,7 @@ import { createQueryFilterClauses } from '../../../../../common/utils/build_quer
 
 export const buildAgentsQuery = ({
   filterQuery,
-  pagination: { cursorStart, querySize },
+  pagination: { cursorStart },
   sort,
   aggregations,
 }: AgentsRequestOptions): ISearchRequestParams => {
@@ -21,7 +21,7 @@ export const buildAgentsQuery = ({
     ...createQueryFilterClauses(filterQuery),
   ];
 
-  const dslQuery = {
+  return {
     allow_no_indices: true,
     index: AGENTS_INDEX,
     ignore_unavailable: true,
@@ -40,10 +40,8 @@ export const buildAgentsQuery = ({
           },
         },
       ],
-      size: querySize,
+      size: 0,
       from: cursorStart,
     },
   };
-
-  return dslQuery;
 };