[EDR Workflows] Enable PLI for Osquery Response Actions (#163057)

x-pack/plugins/security_solution/common/types/app_features.ts

@@ -48,6 +48,11 @@ export enum AppFeatureSecurityKey {
    * Enables Threat Intelligence
    */
   threatIntelligence = 'threat-intelligence',
+
+  /**
+   * Enables Osquery Response Actions
+   */
+  osqueryAutomatedResponseActions = 'osquery_automated_response_actions',
 }
 
 export enum AppFeatureCasesKey {

x-pack/plugins/security_solution/public/common/lib/upsellings/types.ts

@@ -11,6 +11,9 @@ export type PageUpsellings = Partial<Record<SecurityPageName, React.ComponentTyp
 export type MessageUpsellings = Partial<Record<UpsellingMessageId, string>>;
 export type SectionUpsellings = Partial<Record<UpsellingSectionId, React.ComponentType>>;
 
-export type UpsellingSectionId = 'entity_analytics_panel' | 'endpointPolicyProtections';
+export type UpsellingSectionId =
+  | 'entity_analytics_panel'
+  | 'endpointPolicyProtections'
+  | 'osquery_automated_response_actions';
 
 export type UpsellingMessageId = 'investigation_guide';

x-pack/plugins/security_solution/public/detection_engine/rule_response_actions/osquery/osquery_response_action.tsx

@@ -9,6 +9,8 @@ import React, { useMemo } from 'react';
 import { EuiCode, EuiEmptyPrompt } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { useIsMounted } from '@kbn/securitysolution-hook-utils';
+import { useUpsellingComponent } from '../../../common/hooks/use_upselling';
+import { AppFeatureKey } from '../../../../common';
 import { ResponseActionFormField } from './osquery_response_action_form_field';
 import type { ArrayItem } from '../../../shared_imports';
 import { useKibana } from '../../../common/lib/kibana';
@@ -29,6 +31,9 @@ export const OsqueryResponseAction = React.memo((props: OsqueryResponseActionPro
   );
   const isMounted = useIsMounted();
 
+  // serverless component that is returned when users do not have Endpoint.Complete tier
+  const UpsellingComponent = useUpsellingComponent(AppFeatureKey.osqueryAutomatedResponseActions);
+
   if (osquery) {
     const { disabled, permissionDenied } = osquery.fetchInstallationStatus();
     const disabledOsqueryPermission = !(
@@ -38,6 +43,10 @@ export const OsqueryResponseAction = React.memo((props: OsqueryResponseActionPro
           application?.capabilities?.osquery?.readPacks))
     );
 
+    if (UpsellingComponent) {
+      return <UpsellingComponent />;
+    }
+
     if (permissionDenied || disabledOsqueryPermission) {
       return (
         <>

x-pack/plugins/security_solution/server/lib/app_features/security_kibana_features.ts

@@ -227,5 +227,7 @@ export const getSecurityAppFeaturesConfig = (
         },
       ],
     },
+
+    [AppFeatureSecurityKey.osqueryAutomatedResponseActions]: {},
   };
 };

x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts

@@ -29,7 +29,10 @@ export const PLI_APP_FEATURES: PliAppFeatures = {
       AppFeatureKey.endpointPolicyProtections,
       AppFeatureKey.endpointArtifactManagement,
     ],
-    complete: [AppFeatureKey.endpointResponseActions],
+    complete: [
+      AppFeatureKey.endpointResponseActions,
+      AppFeatureKey.osqueryAutomatedResponseActions,
+    ],
   },
   cloud: {
     essentials: [],

x-pack/plugins/security_solution_serverless/public/upselling/pages/osquery_automated_response_actions.tsx

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { EuiEmptyPrompt, EuiIcon } from '@elastic/eui';
+import { FormattedMessage } from '@kbn/i18n-react';
+import React from 'react';
+import type { AppFeatureKey } from '@kbn/security-solution-plugin/common';
+import { getProductTypeByPLI } from '../hooks/use_product_type_by_pli';
+
+const OsqueryResponseActionsUpsellingSection: React.FC<{ requiredPLI: AppFeatureKey }> = React.memo(
+  ({ requiredPLI }) => {
+    const productTypeRequired = getProductTypeByPLI(requiredPLI);
+
+    return (
+      <EuiEmptyPrompt
+        icon={<EuiIcon type="logoSecurity" size="xl" />}
+        color="subdued"
+        title={
+          <h2>
+            <FormattedMessage
+              id="xpack.securitySolutionServerless.osquery.paywall.title"
+              defaultMessage="Do more with Security!"
+            />
+          </h2>
+        }
+        body={
+          <p>
+            <FormattedMessage
+              id="xpack.securitySolutionServerless.osquery.paywall.body"
+              defaultMessage="Upgrade your license to {productTypeRequired} to use Osquery Response Actions."
+              values={{ productTypeRequired }}
+            />
+          </p>
+        }
+      />
+    );
+  }
+);
+
+OsqueryResponseActionsUpsellingSection.displayName = 'OsqueryResponseActionsUpsellingSection';
+
+// eslint-disable-next-line import/no-default-export
+export { OsqueryResponseActionsUpsellingSection as default };

x-pack/plugins/security_solution_serverless/public/upselling/register_upsellings.tsx

@@ -20,6 +20,7 @@ import { EndpointPolicyProtectionsLazy } from './sections/endpoint_management';
 import type { SecurityProductTypes } from '../../common/config';
 import { getProductAppFeatures } from '../../common/pli/pli_features';
 import investigationGuideUpselling from './pages/investigation_guide_upselling';
+
 const ThreatIntelligencePaywallLazy = lazy(async () => {
   const ThreatIntelligencePaywall = (await import('./pages/threat_intelligence_paywall')).default;
 
@@ -27,6 +28,21 @@ const ThreatIntelligencePaywallLazy = lazy(async () => {
     default: () => <ThreatIntelligencePaywall requiredPLI={AppFeatureKey.threatIntelligence} />,
   };
 });
+
+const OsqueryResponseActionsUpsellingSectionlLazy = lazy(async () => {
+  const OsqueryResponseActionsUpsellingSection = (
+    await import('./pages/osquery_automated_response_actions')
+  ).default;
+
+  return {
+    default: () => (
+      <OsqueryResponseActionsUpsellingSection
+        requiredPLI={AppFeatureKey.osqueryAutomatedResponseActions}
+      />
+    ),
+  };
+});
+
 interface UpsellingsConfig {
   pli: AppFeatureKey;
   component: React.LazyExoticComponent<React.ComponentType>;
@@ -108,6 +124,11 @@ export const upsellingSections: UpsellingSections = [
   //   pli: AppFeatureKey.advancedInsights,
   //   component: () => <GenericUpsellingSectionLazy requiredPLI={AppFeatureKey.advancedInsights} />,
   // },
+  {
+    id: 'osquery_automated_response_actions',
+    pli: AppFeatureKey.osqueryAutomatedResponseActions,
+    component: OsqueryResponseActionsUpsellingSectionlLazy,
+  },
 
   {
     id: 'endpointPolicyProtections',

x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml

@@ -52,6 +52,11 @@ t1_analyst:
       privileges:
         - all
       resources: "*"
+    - application: osquery
+      privileges:
+        - read
+        - run_saved_queries
+      resources: "*"
 
 t2_analyst:
   cluster:
@@ -106,6 +111,11 @@ t2_analyst:
       privileges:
         - all
       resources: "*"
+    - application: osquery
+      privileges:
+        - read
+        - run_saved_queries
+      resources: "*"
 
 t3_analyst:
   cluster:
@@ -239,6 +249,10 @@ threat_intelligence_analyst:
       privileges:
         - all
       resources: "*"
+    - application: osquery
+      privileges:
+        - all
+      resources: "*"
 
 rule_author:
   cluster:
@@ -386,6 +400,10 @@ soc_manager:
       privileges:
         - all
       resources: "*"
+    - application: osquery
+      privileges:
+        - all
+      resources: "*"
 
 detections_admin:
   cluster:
@@ -510,6 +528,10 @@ platform_engineer:
       privileges:
         - all
       resources: "*"
+    - application: osquery
+      privileges:
+        - all
+      resources: "*"
 
 endpoint_operations_analyst:
   cluster: