[EDR Workflows][Osquery] Action results namespace awareness (elastic#225617)

# Add Namespace Awareness to Osquery Live Query and Action Results

## Dependencies

Depends on elastic/elasticsearch#130824

## Summary

Adds namespace awareness to osquery live query and action results to
ensure proper space isolation. Refactors frontend hooks to use API
endpoints as a necessary step to implement server-side namespace
filtering.

**Removed constraint requiring user to have access to
logs.osquery_manager.results-default index. Now user can use results
index from any namespace**

## Changes Made

### Namespace Awareness Implementation
- Added space-scoped integration namespace retrieval for osquery results
- Enhanced DSL queries to support space-aware index patterns
- Implemented proper space isolation to prevent cross-space data leakage
- Extended `OsqueryAppContextService` with namespace-aware capabilities

### Frontend Hook Refactoring (Required for Namespace Support)
- `use_all_results.ts`: Refactored to call API endpoint instead of
direct search strategy
- `use_action_results.ts`: Refactored to call new API endpoint instead
of direct search strategy
- Moved complex namespace logic to server-side for proper space
isolation
- Maintained backward compatibility for consuming components

### New API Infrastructure
- Created `action_results/get_action_results_route.ts` endpoint with
namespace support
- Enhanced existing live query results endpoint with namespace filtering
- Added proper request/response validation and route registration

### Server-Side Utilities
- New utility: `get_integration_namespaces.ts` for space-scoped
namespace retrieval
- New utility: `build_index_name_with_namespace.ts` for consistent index
pattern building
- Enhanced action results DSL with `integrationNamespaces` parameter
support
- Improved live query results DSL namespace handling

### Elasticsearch:
- Added `logs-osquery_manager.result-*` to `kibana_system` role so that
we can use internal es client (which in the end uses user with
`kibana_system` role) to query all indices but filter by user accessible
namespaces in our own services.

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Tomasz Ciecierski <[email protected]>

Author: 3 people

x-pack/platform/plugins/private/translations/translations/de-DE.json

@@ -31670,8 +31670,6 @@
     "xpack.osquery.live_queries_all.fetchError": "Fehler beim Abrufen von Live-Abfragen",
     "xpack.osquery.liveQueriesHistory.newLiveQueryButtonLabel": "Neue Live-Abfrage",
     "xpack.osquery.liveQueriesHistory.pageTitle": "Verlauf der Live-Abfragen",
-    "xpack.osquery.liveQuery.permissionDeniedPromptBody": "Um die Abfrageergebnisse anzuzeigen, bitten Sie Ihren Administrator, Ihre Nutzerrolle so zu aktualisieren, dass Sie die Index {read}-Berechtigungen für den Index {logs} haben.",
-    "xpack.osquery.liveQuery.permissionDeniedPromptTitle": "Zugriff verweigert",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeDescription": "Führen Sie einen Satz von Abfragen in einem Paket aus.",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeLabel": "Pack",
     "xpack.osquery.liveQuery.queryForm.singleQueryTypeDescription": "Führen Sie eine gespeicherte Abfrage oder eine neue aus.",
@@ -31824,7 +31822,6 @@
     "xpack.osquery.queryPlaygroundFlyout.title": "Testabfrage",
     "xpack.osquery.results.errorSearchDescription": "Bei der Suche nach allen Ergebnissen ist ein Fehler aufgetreten",
     "xpack.osquery.results.failSearchDescription": "Ergebnisse konnten nicht abgerufen werden",
-    "xpack.osquery.results.fetchError": "Fehler beim Abrufen von Ergebnissen",
     "xpack.osquery.results.multipleAgentsResponded": "{agentsResponded, plural, one {# agent has} other {# agents have}} geantwortet, es wurden keine Osquery-Daten gemeldet.",
     "xpack.osquery.results.permissionDenied": "Um auf diese Ergebnisse zuzugreifen, bitten Sie Ihren Administrator um {osquery} Kibana-Berechtigungen.",
     "xpack.osquery.savedQueries.dropdown.searchFieldLabel": "Abfrage",

x-pack/platform/plugins/private/translations/translations/fr-FR.json

@@ -31735,8 +31735,6 @@
     "xpack.osquery.live_queries_all.fetchError": "Erreur lors de la récupération des recherches en direct",
     "xpack.osquery.liveQueriesHistory.newLiveQueryButtonLabel": "Nouvelle recherche en direct",
     "xpack.osquery.liveQueriesHistory.pageTitle": "Historique des recherches en direct",
-    "xpack.osquery.liveQuery.permissionDeniedPromptBody": "Pour pouvoir consulter les résultats de requête, demandez à votre administrateur de mettre à jour votre rôle utilisateur de sorte à disposer des privilèges de {read} pour les index {logs}.",
-    "xpack.osquery.liveQuery.permissionDeniedPromptTitle": "Autorisation refusée",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeDescription": "Exécutez un ensemble de requêtes en un pack.",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeLabel": "Pack",
     "xpack.osquery.liveQuery.queryForm.singleQueryTypeDescription": "Exécutez une requête enregistrée ou une nouvelle requête.",
@@ -31889,7 +31887,6 @@
     "xpack.osquery.queryPlaygroundFlyout.title": "Tester la recherche",
     "xpack.osquery.results.errorSearchDescription": "Une erreur s'est produite lors de la recherche de tous les résultats",
     "xpack.osquery.results.failSearchDescription": "Impossible de récupérer les résultats",
-    "xpack.osquery.results.fetchError": "Erreur lors de la récupération des résultats",
     "xpack.osquery.results.multipleAgentsResponded": "{agentsResponded, plural, one {# agent has} other {# agents ont}} répondu, aucune donnée osquery n'a été signalée.",
     "xpack.osquery.results.permissionDenied": "Pour accéder à ces résultats, demandez à votre administrateur vos privilèges Kibana pour {osquery}.",
     "xpack.osquery.savedQueries.dropdown.searchFieldLabel": "Requête",

x-pack/platform/plugins/private/translations/translations/ja-JP.json

@@ -31774,8 +31774,6 @@
     "xpack.osquery.live_queries_all.fetchError": "ライブクエリーの取得エラー",
     "xpack.osquery.liveQueriesHistory.newLiveQueryButtonLabel": "新しいライブクエリー",
     "xpack.osquery.liveQueriesHistory.pageTitle": "ライブクエリー履歴",
-    "xpack.osquery.liveQuery.permissionDeniedPromptBody": "クエリー結果を表示するには、ユーザーロールを更新して、{logs}インデックスに対する{read}権限を付与するように、管理者に依頼してください。",
-    "xpack.osquery.liveQuery.permissionDeniedPromptTitle": "パーミッションが拒否されました",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeDescription": "パックでクエリーのセットを実行します。",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeLabel": "パック",
     "xpack.osquery.liveQuery.queryForm.singleQueryTypeDescription": "保存されたクエリーまたは新しいクエリーを実行します。",
@@ -31929,7 +31927,6 @@
     "xpack.osquery.queryPlaygroundFlyout.title": "クエリーのテスト",
     "xpack.osquery.results.errorSearchDescription": "すべての結果検索でエラーが発生しました",
     "xpack.osquery.results.failSearchDescription": "結果を取得できませんでした",
-    "xpack.osquery.results.fetchError": "結果の取得中にエラーが発生しました",
     "xpack.osquery.results.multipleAgentsResponded": "{agentsResponded, plural, one {# agent has} other {# エージェント}}が応答しましたが、osqueryデータは報告されていません。",
     "xpack.osquery.results.permissionDenied": "これらの結果にアクセスするには、{osquery} Kibana権限について管理者に確認してください。",
     "xpack.osquery.savedQueries.dropdown.searchFieldLabel": "クエリー",

x-pack/platform/plugins/private/translations/translations/zh-CN.json

@@ -31756,8 +31756,6 @@
     "xpack.osquery.live_queries_all.fetchError": "提取实时查询时出错",
     "xpack.osquery.liveQueriesHistory.newLiveQueryButtonLabel": "新建实时查询",
     "xpack.osquery.liveQueriesHistory.pageTitle": "实时查询历史记录",
-    "xpack.osquery.liveQuery.permissionDeniedPromptBody": "要查看查询结果，请要求管理员将您的角色更新为具有 {logs} 索引的索引 {read} 权限。",
-    "xpack.osquery.liveQuery.permissionDeniedPromptTitle": "权限被拒绝",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeDescription": "打包运行一组查询。",
     "xpack.osquery.liveQuery.queryForm.packQueryTypeLabel": "包",
     "xpack.osquery.liveQuery.queryForm.singleQueryTypeDescription": "运行已保存查询或新查询。",
@@ -31911,7 +31909,6 @@
     "xpack.osquery.queryPlaygroundFlyout.title": "测试查询",
     "xpack.osquery.results.errorSearchDescription": "搜索所有结果时发生错误",
     "xpack.osquery.results.failSearchDescription": "无法获取结果",
-    "xpack.osquery.results.fetchError": "提取结果时出错",
     "xpack.osquery.results.multipleAgentsResponded": "{agentsResponded, plural, one {# 个代理已} other {# 个代理已}}响应，未报告任何 osquery 数据。",
     "xpack.osquery.results.permissionDenied": "要访问这些结果，请联系管理员获取 {osquery} Kibana 权限。",
     "xpack.osquery.savedQueries.dropdown.searchFieldLabel": "查询",

x-pack/platform/plugins/shared/osquery/common/api/action_results/get_action_results_route.ts

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { toNumberRt } from '@kbn/io-ts-utils';
+import { Direction } from '../../search_strategy';
+
+export const getActionResultsRequestQuerySchema = t.type({
+  startDate: t.union([t.string, t.undefined]),
+  page: t.union([toNumberRt, t.undefined]),
+  pageSize: t.union([toNumberRt, t.undefined]),
+  sort: t.union([t.string, t.undefined]),
+  sortOrder: t.union([t.literal(Direction.asc), t.literal(Direction.desc), t.undefined]),
+  kuery: t.union([t.string, t.undefined]),
+  agentIds: t.union([t.string, t.undefined]),
+});
+
+export type GetActionResultsRequestQuerySchema = t.OutputOf<
+  typeof getActionResultsRequestQuerySchema
+>;
+
+export const getActionResultsRequestParamsSchema = t.type({
+  actionId: t.string,
+});
+
+export type GetActionResultsRequestParamsSchema = t.OutputOf<
+  typeof getActionResultsRequestParamsSchema
+>;

x-pack/platform/plugins/shared/osquery/common/api/live_query/get_live_query_results_route.ts

@@ -15,6 +15,7 @@ export const getLiveQueryResultsRequestQuerySchema = t.type({
   pageSize: t.union([toNumberRt, t.undefined]),
   sort: t.union([t.string, t.undefined]),
   sortOrder: t.union([t.literal(Direction.asc), t.literal(Direction.desc), t.undefined]),
+  startDate: t.union([t.string, t.undefined]),
 });
 
 export type GetLiveQueryResultsRequestQuerySchema = t.OutputOf<

x-pack/platform/plugins/shared/osquery/common/search_strategy/osquery/actions/index.ts

@@ -88,4 +88,5 @@ export interface ActionResultsRequestOptions extends RequestOptionsPaginated {
   actionId: string;
   startDate?: string;
   useNewDataStream?: boolean;
+  integrationNamespaces?: string[];
 }

x-pack/platform/plugins/shared/osquery/common/search_strategy/osquery/results/index.ts

@@ -23,4 +23,5 @@ export interface ResultsRequestOptions extends Omit<RequestOptionsPaginated, 'so
   agentId?: string;
   startDate?: string;
   sort: SortField[];
+  integrationNamespaces?: string[];
 }

x-pack/platform/plugins/shared/osquery/public/action_results/action_results_summary.tsx

@@ -12,7 +12,6 @@ import React, { useCallback, useEffect, useMemo, useState } from 'react';
 import { AgentIdToName } from '../agents/agent_id_to_name';
 import { useActionResults } from './use_action_results';
 import { Direction } from '../../common/search_strategy';
-import { useActionResultsPrivileges } from './use_action_privileges';
 
 interface ActionResultsSummaryProps {
   actionId: string;
@@ -42,9 +41,7 @@ const ActionResultsSummaryComponent: React.FC<ActionResultsSummaryProps> = ({
     [expirationDate]
   );
   const [isLive, setIsLive] = useState(true);
-  const { data: hasActionResultsPrivileges } = useActionResultsPrivileges();
   const {
-    // @ts-expect-error update types
     data: { aggregations, edges },
   } = useActionResults({
     actionId,
@@ -55,7 +52,6 @@ const ActionResultsSummaryComponent: React.FC<ActionResultsSummaryProps> = ({
     direction: Direction.asc,
     sortField: '@timestamp',
     isLive,
-    skip: !hasActionResultsPrivileges,
   });
 
   useEffect(() => {

x-pack/platform/plugins/shared/osquery/public/action_results/use_action_results.ts

@@ -5,30 +5,25 @@
  * 2.0.
  */
 
-import type { estypes } from '@elastic/elasticsearch';
-import { flatten, reverse, uniqBy } from 'lodash/fp';
 import { useQuery } from '@tanstack/react-query';
 import { i18n } from '@kbn/i18n';
-import { lastValueFrom } from 'rxjs';
 import type { InspectResponse } from '../common/helpers';
-import { getInspectResponse, generateTablePaginationOptions } from '../common/helpers';
 import { useKibana } from '../common/lib/kibana';
-import type {
-  ResultEdges,
-  ActionResultsRequestOptions,
-  ActionResultsStrategyResponse,
-  Direction,
-} from '../../common/search_strategy';
-import { OsqueryQueries } from '../../common/search_strategy';
-import { queryClient } from '../query_client';
+import type { ResultEdges, Direction } from '../../common/search_strategy';
+import { API_VERSIONS } from '../../common/constants';
 
 import { useErrorToast } from '../common/hooks/use_error_toast';
 
-export interface ResultsArgs {
-  results: ResultEdges;
-  id: string;
+export interface ActionResultsArgs {
+  edges: ResultEdges;
+  aggregations: {
+    totalRowCount: number;
+    totalResponded: number;
+    successful: number;
+    failed: number;
+    pending: number;
+  };
   inspect: InspectResponse;
-  isInspected: boolean;
 }
 
 export interface UseActionResults {
@@ -40,10 +35,22 @@ export interface UseActionResults {
   limit: number;
   sortField: string;
   kuery?: string;
-  skip?: boolean;
   isLive?: boolean;
 }
 
+interface ActionResultsResponse {
+  edges: ResultEdges;
+  total: number;
+  aggregations: {
+    totalRowCount: number;
+    totalResponded: number;
+    successful: number;
+    failed: number;
+    pending: number;
+  };
+  inspect?: InspectResponse;
+}
+
 export const useActionResults = ({
   actionId,
   activePage,
@@ -53,78 +60,47 @@ export const useActionResults = ({
   sortField,
   kuery,
   startDate,
-  skip = false,
   isLive = false,
 }: UseActionResults) => {
-  const { data } = useKibana().services;
+  const { http } = useKibana().services;
   const setErrorToast = useErrorToast();
 
-  return useQuery<{}, Error, ActionResultsStrategyResponse>(
-    ['actionResults', { actionId }],
-    async () => {
-      const responseData = await lastValueFrom(
-        data.search.search<ActionResultsRequestOptions, ActionResultsStrategyResponse>(
-          {
-            actionId,
-            startDate,
-            factoryQueryType: OsqueryQueries.actionResults,
-            kuery,
-            pagination: generateTablePaginationOptions(activePage, limit),
-            sort: {
-              direction,
-              field: sortField,
-            },
-          },
-          {
-            strategy: 'osquerySearchStrategy',
-          }
-        )
-      );
-
-      const totalResponded =
-        responseData.rawResponse?.aggregations?.aggs.responses_by_action_id?.doc_count ?? 0;
-      const totalRowCount =
-        responseData.rawResponse?.aggregations?.aggs.responses_by_action_id?.rows_count?.value ?? 0;
-      const aggsBuckets =
-        responseData.rawResponse?.aggregations?.aggs.responses_by_action_id?.responses.buckets;
-
-      const cachedData = queryClient.getQueryData<ActionResultsStrategyResponse>([
-        'actionResults',
-        { actionId },
-      ]);
-
-      const previousEdges = cachedData?.edges.length
-        ? cachedData?.edges
-        : agentIds?.map(
-            (agentId) =>
-              ({ fields: { agent_id: [agentId] } } as unknown as estypes.SearchHit<object>)
-          ) ?? [];
-
-      return {
-        ...responseData,
-        edges: reverse(uniqBy('fields.agent_id[0]', flatten([responseData.edges, previousEdges]))),
-        aggregations: {
-          totalRowCount,
-          totalResponded,
-          successful: aggsBuckets?.find((bucket) => bucket.key === 'success')?.doc_count ?? 0,
-          failed: aggsBuckets?.find((bucket) => bucket.key === 'error')?.doc_count ?? 0,
+  return useQuery<ActionResultsResponse, Error, ActionResultsArgs>(
+    ['actionResults', { actionId, activePage, limit, direction, sortField }],
+    () =>
+      http.get<ActionResultsResponse>(`/api/osquery/action_results/${actionId}`, {
+        version: API_VERSIONS.public.v1,
+        query: {
+          page: activePage,
+          pageSize: limit,
+          sort: sortField,
+          sortOrder: direction,
+          ...(kuery && { kuery }),
+          ...(startDate && { startDate }),
+          ...(agentIds?.length && { agentIds: agentIds.join(',') }),
         },
-        inspect: getInspectResponse(responseData, {} as InspectResponse),
-      };
-    },
+      }),
     {
+      select: (response) => ({
+        edges: response.edges,
+        aggregations: response.aggregations,
+        inspect: response.inspect || { dsl: [], response: [] },
+      }),
       initialData: {
         edges: [],
+        total: 0,
         aggregations: {
+          totalRowCount: 0,
           totalResponded: 0,
           successful: 0,
           pending: agentIds?.length ?? 0,
           failed: 0,
         },
+        inspect: { dsl: [], response: [] },
       },
       refetchInterval: isLive ? 5000 : false,
       keepPreviousData: true,
-      enabled: !skip && !!agentIds?.length,
+      enabled: !!agentIds?.length,
       onSuccess: () => setErrorToast(),
       onError: (error) =>
         setErrorToast(error, {