[Security Solution][Endpoint] Migration for artifacts in support of space awareness (#222700)

## Summary

PR adds migration of Response Actions and Artifacts when the space
awareness feature flag is enabled. Changes include:

- New saved object type (`security:reference-data`) to keep internal
  data/information used by security solution. Currently being used to keep
  migration state for both the Artifacts and Response actions migrations
  - Two records will be populated in this new saved object related to the
    migration being introduced here:
    - ID: `SPACE-AWARENESS-ARTIFACT-MIGRATION` - keeps state information
      about migration of Artifacts (see below for example)
    - ID: `SPACE-AWARENESS-RESPONSE-ACTIONS-MIGRATION` - keeps state
      information about migration of response actions (see below for example)
  - NOTE: my goal was to also introduce a `client` for working with
    internal reference data, but due to timing constraints, that will be
    done at a later time
- Adds migration for Endpoint artifacts (Trusted applications, Event
  filters, Blocklists, Host isolation exceptions and Endpoint exceptions)
  to add the `spaceOwnerId:default` to all artifact records
- Adds migration for Response Action Requests (both Elastic Defend and
  external EDRs) to populate `originSpaceId` as well as `agent.policy.*`
  fields.
  - NOTE: when populating the `agent.policy.*` data, it may be possible
    that the agent that the response action was sent to is no longer
    available (ex. unenrolled). In such cases, the migration will populate
    any field that it is not able to retrieve information for with the text
    `MIGRATION:NOT-FOUND`


> [!IMPORTANT]
> The migration currently assumes that the `9.1.0` endpoint package is
already installed, which will not be the case with a real migration. To
test this PR, you should start a 9.1 stack with the feature flags
disabled... Install the `9.1.0` endpoint package, and then enable the
feature flags.
> We will be working on a solution handling this data condition in a
subsequent PR
Paul Tavares 2025-06-16 13:41:41 -04:00 committed by GitHub
parent 5377a5d55e
commit 3671c7385c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
30 changed files with 1430 additions and 55 deletions

@ -991,6 +991,11 @@
"updated",
"version"
],
"security:reference-data": [
"id",
"owner",
"type"
],
"siem-detection-engine-rule-actions": [
"actions",
"actions.actionRef",
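Review bot: The added `"security:reference-data"` key uses a colon as its separator, while the entry right after it, `"siem-detection-engine-rule-actions"`, is hyphen-separated. If the colon is a deliberate namespace for security-owned internal types, document that convention where the type is registered; otherwise a hyphenated name would stay consistent with the adjacent entry.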

@ -1079,7 +1079,7 @@
"managed": {
"type": "boolean"
},
"matchers": {
"matchers": {
"dynamic": false,
"type": "object"
},
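Review bot: The `"matchers": {` line shows up as both the removed and the added line with identical visible content, and the hunk header reports 7 lines on each side, so this looks like a whitespace-only change. It is unrelated to the `security:reference-data` addition; confirm it is intended, or drop it from this PR to keep the diff focused on the migration.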
@ -3219,6 +3219,20 @@
}
}
},
"security:reference-data": {
"dynamic": false,
"properties": {
"id": {
"type": "keyword"
},
"owner": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
"siem-detection-engine-rule-actions": {
"properties": {
"actions": {
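Review bot: With `"dynamic": false` on the added `security:reference-data` mapping, only `id`, `owner` and `type` are indexed, so the migration state that the commit message says these records keep is not mapped and cannot be searched or filtered on. If records are only ever fetched by ID that is fine, but it should be stated next to the mapping. The attribute names `id` and `type` are also easy to confuse with a saved object's own identifier and type; a short description of what each holds, or more specific names, would avoid that.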