[8.18] [Security Solutio][Diagnostic Queries] Improve ILM checks for serverless (elastic#236166) (elastic#236179)

# Backport

This will backport the following commits from `main` to `8.18`:
- [[Security Solutio][Diagnostic Queries] Improve ILM checks for
serverless (elastic#236166)](elastic#236166)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Sebastián
Zaffarano","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-09-23T19:33:02Z","message":"[Security
Solutio][Diagnostic Queries] Improve ILM checks for serverless
(elastic#236166)\n\n## Summary\n\nImprove error handling when querying
non-existent ILM APIs in\nserverless.\n\n### Checklist\n\nCheck the PR
satisfies following conditions. \n\nReviewers should verify this PR
satisfies this list as well.\n\n- [ ] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[ ] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"3b22aaf18c96b804b42c016a018de81c2da261b5","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:
SecuritySolution","backport:all-open","v9.2.0"],"title":"[Security
Solutio][Diagnostic Queries] Improve ILM checks for
serverless","number":236166,"url":"https://github.com/elastic/kibana/pull/236166","mergeCommit":{"message":"[Security
Solutio][Diagnostic Queries] Improve ILM checks for serverless
(elastic#236166)\n\n## Summary\n\nImprove error handling when querying
non-existent ILM APIs in\nserverless.\n\n### Checklist\n\nCheck the PR
satisfies following conditions. \n\nReviewers should verify this PR
satisfies this list as well.\n\n- [ ] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[ ] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"3b22aaf18c96b804b42c016a018de81c2da261b5"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/236166","number":236166,"mergeCommit":{"message":"[Security
Solutio][Diagnostic Queries] Improve ILM checks for serverless
(elastic#236166)\n\n## Summary\n\nImprove error handling when querying
non-existent ILM APIs in\nserverless.\n\n### Checklist\n\nCheck the PR
satisfies following conditions. \n\nReviewers should verify this PR
satisfies this list as well.\n\n- [ ] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[ ] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"3b22aaf18c96b804b42c016a018de81c2da261b5"}}]}]
BACKPORT-->

Co-authored-by: Sebastián Zaffarano <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>

Author: 3 people

x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/diagnostic/health_diagnostic_receiver.test.ts

@@ -362,5 +362,192 @@ describe('Security Solution - Health Diagnostic Queries - CircuitBreakingQueryEx
         done
       );
     });
+
+    test('should handle ILM API errors and assume serverless', (done) => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot', 'warm'] });
+      const circuitBreaker = createMockCircuitBreaker(true);
+
+      const ilmError = new Error(
+        'no handler found for uri [/.alerts-security.alerts*/_ilm/explain?only_managed=false&filter_path=indices.*.phase] and method [GET]'
+      );
+      mockEsClient.ilm.explainLifecycle.mockRejectedValue(ilmError);
+      setupPointInTime(mockEsClient);
+      mockEsClient.search.mockResolvedValue(createMockSearchResponse([]));
+
+      executeObservableTest(
+        queryExecutor.search({ query, circuitBreakers: [circuitBreaker] }),
+        () => {
+          expect(mockEsClient.ilm.explainLifecycle).toHaveBeenCalledWith({
+            index: 'test-index',
+            only_managed: false,
+            filter_path: ['indices.*.phase'],
+          });
+          expect(mockEsClient.openPointInTime).toHaveBeenCalledWith({
+            index: ['test-index'],
+            keep_alive: '1m',
+          });
+          done();
+        },
+        done
+      );
+    });
+
+    test('should handle network errors during ILM checks', (done) => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+      const circuitBreaker = createMockCircuitBreaker(true);
+
+      const networkError = new Error('ECONNREFUSED');
+      mockEsClient.ilm.explainLifecycle.mockRejectedValue(networkError);
+      setupPointInTime(mockEsClient);
+      mockEsClient.search.mockResolvedValue(createMockSearchResponse([]));
+
+      executeObservableTest(
+        queryExecutor.search({ query, circuitBreakers: [circuitBreaker] }),
+        () => {
+          expect(mockEsClient.openPointInTime).toHaveBeenCalledWith({
+            index: ['test-index'],
+            keep_alive: '1m',
+          });
+          done();
+        },
+        done
+      );
+    });
+
+    test('should handle malformed ILM responses', (done) => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+      const circuitBreaker = createMockCircuitBreaker(true);
+
+      mockEsClient.ilm.explainLifecycle.mockResolvedValue({});
+      setupPointInTime(mockEsClient);
+      mockEsClient.search.mockResolvedValue(createMockSearchResponse([]));
+
+      executeObservableTest(
+        queryExecutor.search({ query, circuitBreakers: [circuitBreaker] }),
+        () => {
+          expect(mockEsClient.openPointInTime).toHaveBeenCalledWith({
+            index: ['test-index'],
+            keep_alive: '1m',
+          });
+          done();
+        },
+        done
+      );
+    });
+  });
+
+  describe('indicesFor method', () => {
+    test('should return original index when no tiers are specified', async () => {
+      const query = createMockQuery(QueryType.DSL);
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index']);
+      expect(mockEsClient.ilm.explainLifecycle).not.toHaveBeenCalled();
+    });
+
+    test('should filter indices by tiers when ILM is available', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot', 'warm'] });
+
+      mockEsClient.ilm.explainLifecycle.mockResolvedValue({
+        indices: {
+          'test-index-000001': { phase: 'hot' },
+          'test-index-000002': { phase: 'warm' },
+          'test-index-000003': { phase: 'cold' },
+          'test-index-000004': { phase: 'hot' },
+        },
+      });
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index-000001', 'test-index-000002', 'test-index-000004']);
+      expect(mockEsClient.ilm.explainLifecycle).toHaveBeenCalledWith({
+        index: 'test-index',
+        only_managed: false,
+        filter_path: ['indices.*.phase'],
+      });
+    });
+
+    test('should handle serverless environment (undefined indices)', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+
+      mockEsClient.ilm.explainLifecycle.mockResolvedValue({ indices: undefined });
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index']);
+    });
+
+    test('should handle empty ILM response', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+
+      mockEsClient.ilm.explainLifecycle.mockResolvedValue({});
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index']);
+    });
+
+    test('should handle indices without phase information', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+
+      mockEsClient.ilm.explainLifecycle.mockResolvedValue({
+        indices: {
+          'test-index-000001': { phase: 'hot' },
+          'test-index-000002': {},
+          'test-index-000003': { other_field: 'value' },
+        },
+      });
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index-000001']);
+    });
+
+    test('should filter out indices not in specified tiers', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+
+      mockEsClient.ilm.explainLifecycle.mockResolvedValue({
+        indices: {
+          'test-index-000001': { phase: 'hot' },
+          'test-index-000002': { phase: 'warm' },
+          'test-index-000003': { phase: 'cold' },
+        },
+      });
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index-000001']);
+    });
+
+    test('should handle ILM API errors by falling back to original index', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+
+      const serverlessError = new Error(
+        'no handler found for uri [/.alerts-security.alerts*/_ilm/explain?only_managed=false&filter_path=indices.*.phase] and method [GET]'
+      );
+      mockEsClient.ilm.explainLifecycle.mockRejectedValue(serverlessError);
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index']);
+    });
+
+    test('should handle authorization errors gracefully', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['hot'] });
+
+      const authError = new Error('security_exception');
+      mockEsClient.ilm.explainLifecycle.mockRejectedValue(authError);
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual(['test-index']);
+    });
+
+    test('should return empty array when no indices match tiers', async () => {
+      const query = createMockQuery(QueryType.DSL, { tiers: ['frozen'] });
+
+      mockEsClient.ilm.explainLifecycle.mockResolvedValue({
+        indices: {
+          'test-index-000001': { phase: 'hot' },
+          'test-index-000002': { phase: 'warm' },
+          'test-index-000003': { phase: 'cold' },
+        },
+      });
+
+      const result = await queryExecutor.indicesFor(query);
+      expect(result).toEqual([]);
+    });
   });
 });

x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/diagnostic/health_diagnostic_receiver.ts

@@ -203,52 +203,57 @@ export class CircuitBreakingQueryExecutorImpl implements CircuitBreakingQueryExe
     }
     const tiers = query.tiers;
 
-    return (
-      await this.client.ilm
-        .explainLifecycle({
-          index: query.index,
-          only_managed: false,
-          filter_path: ['indices.*.phase'],
-        })
-        .then((response) => {
-          if (response.indices === undefined) {
-            this.logger.debug(
-              'Got an empty response while explaining lifecycle. Asumming serverless.',
-              {
-                index: query.index,
-              } as LogMeta
-            );
-            return [query.index];
-          } else {
-            const indices = Object.entries(response.indices).map(([indexName, stats]) => {
-              if ('phase' in stats && stats.phase) {
-                if (tiers.includes(stats.phase)) {
-                  return indexName;
-                } else {
-                  this.logger.debug('Index is not in the expected phases', {
-                    phase: stats.phase,
-                    index: indexName,
-                    tiers,
-                  } as LogMeta);
-                  return '';
-                }
+    return this.client.ilm
+      .explainLifecycle({
+        index: query.index,
+        only_managed: false,
+        filter_path: ['indices.*.phase'],
+      })
+      .then((response) => {
+        if (response.indices === undefined) {
+          this.logger.debug(
+            'Got an empty response while explaining lifecycle. Asumming serverless.',
+            {
+              index: query.index,
+            } as LogMeta
+          );
+          return [query.index];
+        } else {
+          const indices = Object.entries(response.indices).map(([indexName, stats]) => {
+            if ('phase' in stats && stats.phase) {
+              if (tiers.includes(stats.phase)) {
+                return indexName;
               } else {
-                // should not happen, but just in case
-                this.logger.debug('Index is not managed by an ILM', {
+                this.logger.debug('Index is not in the expected phases', {
+                  phase: stats.phase,
                   index: indexName,
                   tiers,
                 } as LogMeta);
                 return '';
               }
-            });
-            this.logger.debug('Indices managed by ILM', {
-              queryName: query.name,
-              tiers: query.tiers,
-              indices,
-            } as LogMeta);
-            return indices;
-          }
-        })
-    ).filter((indexName) => indexName !== '');
+            } else {
+              // should not happen, but just in case
+              this.logger.debug('Index is not managed by an ILM', {
+                index: indexName,
+                tiers,
+              } as LogMeta);
+              return '';
+            }
+          });
+          this.logger.debug('Indices managed by ILM', {
+            queryName: query.name,
+            tiers: query.tiers,
+            indices,
+          } as LogMeta);
+          return indices;
+        }
+      })
+      .then((indices) => {
+        return indices.filter((indexName) => indexName !== '');
+      })
+      .catch((error) => {
+        this.logger.info('Error while checking ILM status, assuming serverless', { error });
+        return [query.index];
+      });
   }
 }