[SecuritySolution] Security Solution API integration test files relocation (#181605)

## Summary

https://github.com/elastic/kibana/issues/181683

This PR moves the existing Security Solution API integration tests from
`x-pack/test/api_integration/apis` to
`x-pack/test/security_solution_api_integration` and apply tags for each
scenario.
(x-pack/test/timeline is not included in this PR as this PR is already
big)

## Todo in the follow up PR:
move `x-pack/test/timeline` to
`x-pack/test/security_solution_api_integration` (as this PR is already
big)

## What to review?
1. Please review if the codeowner is assigned  correctly.
2. Please review if the test cases are still valid.

## How to run the tests: 

Here we use explore/hosts with trial license as an example:
```
cd ./x-pack/test/security_solution_api_integration
```


**Start ESS server:**
```
node ./scripts/index.js server explore trial_license_complete_tier hosts ess

```

When the server is started, open another terminal

```
cd ./x-pack/test/security_solution_api_integration

node ../../../scripts/functional_test_runner --config=test_suites/explore/hosts/trial_license_complete_tier/configs/ess.config.ts

```





**Start Serverless server:**
```
node ./scripts/index.js server explore trial_license_complete_tier hosts serverless

```

When the server is started, open another terminal

```
cd ./x-pack/test/security_solution_api_integration

node ../../../scripts/functional_test_runner --config=test_suites/explore/hosts/trial_license_complete_tier/configs/serverless.config.ts

```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

.buildkite/ftr_configs.yml

@@ -215,7 +215,6 @@ enabled:
   - x-pack/test/api_integration/apis/search/config.ts
   - x-pack/test/api_integration/apis/searchprofiler/config.ts
   - x-pack/test/api_integration/apis/security/config.ts
-  - x-pack/test/api_integration/apis/security_solution/config.ts
   - x-pack/test/api_integration/apis/spaces/config.ts
   - x-pack/test/api_integration/apis/stats/config.ts
   - x-pack/test/api_integration/apis/status/config.ts
@@ -551,3 +550,17 @@ enabled:
   - x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/exception_lists_items/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/sources/indices/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/sources/indices/trial_license_complete_tier/configs/serverless.config.ts

.github/CODEOWNERS

@@ -1378,6 +1378,9 @@ x-pack/plugins/cloud_integrations/cloud_full_story/server/config.ts @elastic/kib
 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils @elastic/security-detections-response
 x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry @elastic/security-detections-response
 x-pack/test/security_solution_api_integration/test_suites/detections_response/user_roles @elastic/security-detections-response
+x-pack/test/security_solution_api_integration/test_suites/explore @elastic/security-threat-hunting-explore
+x-pack/test/security_solution_api_integration/test_suites/investigations @elastic/security-threat-hunting-investigations
+x-pack/test/security_solution_api_integration/test_suites/sources @elastic/security-detections-response
 
 # Security Solution sub teams
 

x-pack/test/api_integration/apis/security_solution/index.js

@@ -1,30 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export default function ({ loadTestFile }) {
-  describe('SecuritySolution Endpoints', () => {
-    loadTestFile(require.resolve('./authentications'));
-    loadTestFile(require.resolve('./events'));
-    loadTestFile(require.resolve('./hosts'));
-    loadTestFile(require.resolve('./host_details'));
-    loadTestFile(require.resolve('./network_details'));
-    loadTestFile(require.resolve('./network_dns'));
-    loadTestFile(require.resolve('./network_top_n_flow'));
-    loadTestFile(require.resolve('./overview_host'));
-    loadTestFile(require.resolve('./overview_network'));
-    loadTestFile(require.resolve('./saved_objects/notes'));
-    loadTestFile(require.resolve('./saved_objects/pinned_events'));
-    loadTestFile(require.resolve('./saved_objects/timeline'));
-    loadTestFile(require.resolve('./sources'));
-    loadTestFile(require.resolve('./timeline'));
-    loadTestFile(require.resolve('./timeline_migrations'));
-    loadTestFile(require.resolve('./timeline_details'));
-    loadTestFile(require.resolve('./uncommon_processes'));
-    loadTestFile(require.resolve('./users'));
-    loadTestFile(require.resolve('./tls'));
-  });
-}

x-pack/test/functional/es_archives/auditbeat/hosts/mappings.json

@@ -2601,10 +2601,6 @@
     },
     "settings": {
       "index": {
-        "lifecycle": {
-          "name": "auditbeat-8.0.0",
-          "rollover_alias": "auditbeat-8.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"

x-pack/test/functional/es_archives/auditbeat/kpi_hosts/data.json

@@ -1,194 +0,0 @@
-{
-  "type": "doc",
-  "value": {
-    "index": "auditbeat-7.0.0-alpha1-2018.11.27",
-    "type": "doc",
-    "id": "Rs93UmcBTFzn_XoLWT6M",
-    "source": {
-      "@timestamp": "2018-11-27T00:00:11.544Z",
-      "process": {
-        "pid": "31964",
-        "exe": "/usr/sbin/sshd"
-      },
-      "source": {
-        "ip": "128.199.87.213"
-      },
-      "network": {
-        "direction": "incoming"
-      },
-      "beat": {
-        "name": "demo-stack-nginx-01",
-        "hostname": "demo-stack-nginx-01",
-        "version": "7.0.0-alpha1"
-      },
-      "host": {
-        "name": "demo-stack-nginx-01"
-      },
-      "auditd": {
-        "session": "unset",
-        "data": {
-          "hostname": "128.199.87.213",
-          "terminal": "ssh",
-          "op": "PAM:bad_ident"
-        },
-        "summary": {
-          "object": {
-            "primary": "ssh",
-            "secondary": "128.199.87.213",
-            "type": "user-session"
-          },
-          "how": "/usr/sbin/sshd",
-          "actor": {
-            "primary": "unset",
-            "secondary": "root"
-          }
-        },
-        "sequence": 192383,
-        "result": "fail"
-      },
-      "event": {
-        "category": "user-login",
-        "type": "user_err",
-        "action": "error",
-        "module": "auditd"
-      },
-      "user": {
-        "name_map": {
-          "uid": "root"
-        },
-        "auid": "unset",
-        "uid": "0"
-      }
-    }
-  }
-}
-
-{
-  "type": "doc",
-  "value": {
-    "index": "auditbeat-7.0.0-alpha1-2018.11.27",
-    "type": "doc",
-    "id": "6Nr4UmcBTFzn_XoL4l6d",
-    "source": {
-      "@timestamp": "2018-11-27T02:21:40.914Z",
-      "host": {
-        "name": "demo-stack-haproxy-01"
-      },
-      "user": {
-        "auid": "unset",
-        "uid": "0",
-        "name_map": {
-          "uid": "root"
-        }
-      },
-      "process": {
-        "pid": "20001",
-        "exe": "/usr/sbin/sshd"
-      },
-      "source": {
-        "ip": "82.62.233.163"
-      },
-      "network": {
-        "direction": "incoming"
-      },
-      "auditd": {
-        "sequence": 142431,
-        "result": "fail",
-        "session": "unset",
-        "data": {
-          "acct": "(unknown user)",
-          "op": "login",
-          "terminal": "sshd"
-        },
-        "summary": {
-          "actor": {
-            "primary": "unset",
-            "secondary": "(unknown user)"
-          },
-          "object": {
-            "primary": "sshd",
-            "secondary": "82.62.233.163",
-            "type": "user-session"
-          },
-          "how": "/usr/sbin/sshd"
-        }
-      },
-      "event": {
-        "category": "user-login",
-        "type": "user_login",
-        "action": "logged-in",
-        "module": "auditd"
-      },
-      "beat": {
-        "name": "demo-stack-haproxy-01",
-        "hostname": "demo-stack-haproxy-01",
-        "version": "7.0.0-alpha1"
-      }
-    }
-  }
-}
-
-{
-  "type": "doc",
-  "value": {
-    "index": "auditbeat-7.0.0-alpha1-2018.11.27",
-    "type": "doc",
-    "id": "sdwQU2cBTFzn_XoLA1gL",
-    "source": {
-      "@timestamp": "2018-11-27T02:46:56.545Z",
-      "process": {
-        "pid": "26473",
-        "exe": "/usr/sbin/sshd"
-      },
-      "source": {
-        "ip": "35.243.183.165"
-      },
-      "network": {
-        "direction": "incoming"
-      },
-      "beat": {
-        "name": "demo-stack-apache-01",
-        "hostname": "demo-stack-apache-01",
-        "version": "7.0.0-alpha1"
-      },
-      "host": {
-        "name": "demo-stack-apache-01"
-      },
-      "auditd": {
-        "session": "unset",
-        "data": {
-          "op": "login",
-          "acct": "(unknown user)",
-          "terminal": "sshd"
-        },
-        "summary": {
-          "actor": {
-            "primary": "unset",
-            "secondary": "(unknown user)"
-          },
-          "object": {
-            "primary": "sshd",
-            "secondary": "35.243.183.165",
-            "type": "user-session"
-          },
-          "how": "/usr/sbin/sshd"
-        },
-        "sequence": 184472,
-        "result": "fail"
-      },
-      "event": {
-        "type": "user_login",
-        "action": "logged-in",
-        "module": "auditd",
-        "category": "user-login"
-      },
-      "user": {
-        "name_map": {
-          "uid": "root"
-        },
-        "uid": "0",
-        "auid": "unset"
-      }
-    }
-  }
-}

x-pack/test/functional/es_archives/auditbeat/overview/mappings.json

@@ -2601,10 +2601,6 @@
     },
     "settings": {
       "index": {
-        "lifecycle": {
-          "name": "auditbeat-8.0.0",
-          "rollover_alias": "auditbeat-8.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"

x-pack/test/functional/es_archives/auditbeat/uncommon_processes/mappings.json

@@ -2601,10 +2601,6 @@
     },
     "settings": {
       "index": {
-        "lifecycle": {
-          "name": "auditbeat-8.0.0",
-          "rollover_alias": "auditbeat-8.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"

x-pack/test/functional/es_archives/filebeat/default/mappings.json

@@ -5419,10 +5419,6 @@
     "settings": {
       "index": {
         "auto_expand_replicas": "0-1",
-        "lifecycle": {
-          "name": "filebeat-7.0.0",
-          "rollover_alias": "filebeat-7.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"

x-pack/test/functional/es_archives/filebeat/kpi_hosts/mappings.json

@@ -5419,10 +5419,6 @@
     "settings": {
       "index": {
         "auto_expand_replicas": "0-1",
-        "lifecycle": {
-          "name": "filebeat-7.0.0",
-          "rollover_alias": "filebeat-7.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"

x-pack/test/functional/es_archives/filebeat/threat_intel/mappings.json

@@ -226,10 +226,6 @@
     "settings": {
       "index": {
         "auto_expand_replicas": "0-1",
-        "lifecycle": {
-          "name": "filebeat-8.0.0",
-          "rollover_alias": "filebeat-filebeat-8.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"

x-pack/test/functional/es_archives/packetbeat/default/mappings.json

@@ -2849,10 +2849,6 @@
     },
     "settings": {
       "index": {
-        "lifecycle": {
-          "name": "packetbeat-8.0.0",
-          "rollover_alias": "packetbeat-8.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"
@@ -3285,4 +3281,4 @@
       }
     }
   }
-}
+}

x-pack/test/functional/es_archives/packetbeat/dns/mappings.json

@@ -3092,10 +3092,6 @@
     },
     "settings": {
       "index": {
-        "lifecycle": {
-          "name": "packetbeat-7.0.0",
-          "rollover_alias": "packetbeat-7.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"
@@ -3528,4 +3524,4 @@
       }
     }
   }
-}
+}

x-pack/test/functional/es_archives/packetbeat/overview/mappings.json

@@ -2849,10 +2849,6 @@
     },
     "settings": {
       "index": {
-        "lifecycle": {
-          "name": "packetbeat-8.0.0",
-          "rollover_alias": "packetbeat-8.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"

x-pack/test/functional/es_archives/packetbeat/tls/mappings.json

@@ -4679,11 +4679,6 @@
     },
     "settings": {
       "index": {
-        "lifecycle": {
-          "indexing_complete": "true",
-          "name": "packetbeat",
-          "rollover_alias": "packetbeat-7.6.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"
@@ -9052,10 +9047,6 @@
       "index": {
         "auto_expand_replicas": "0-1",
         "codec": "best_compression",
-        "lifecycle": {
-          "name": "packetbeat-8.0.0",
-          "rollover_alias": "packetbeat-8.0.0"
-        },
         "mapping": {
           "total_fields": {
             "limit": "10000"
@@ -9580,4 +9571,4 @@
       }
     }
   }
-}
+}

x-pack/test/security_solution_api_integration/config/ess/services.ts

@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { SpacesServiceProvider } from '../../../common/services/spaces';
+import { services as essServices } from '../../../api_integration/services';
+
+export const services = {
+  ...essServices,
+  spaces: SpacesServiceProvider,
+};

x-pack/test/security_solution_api_integration/config/serverless/config.base.ts

@@ -5,14 +5,15 @@
  * 2.0.
  */
 import { FtrConfigProviderContext } from '@kbn/test';
+import { services } from './services';
+import { PRECONFIGURED_ACTION_CONNECTORS } from '../shared';
+
 export interface CreateTestConfigOptions {
   testFiles: string[];
   junit: { reportName: string };
   kbnTestServerArgs?: string[];
   kbnTestServerEnv?: Record<string, string>;
 }
-import { services } from '../../../../test_serverless/api_integration/services';
-import { PRECONFIGURED_ACTION_CONNECTORS } from '../shared';
 
 export function createTestConfig(options: CreateTestConfigOptions) {
   return async ({ readConfigFile }: FtrConfigProviderContext) => {

x-pack/test/security_solution_api_integration/config/serverless/services.ts

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { SpacesServiceProvider } from '../../../common/services/spaces';
+import { BsearchSecureService } from '../../../../test_serverless/shared/services/bsearch_secure';
+import { services as serverlessServices } from '../../../../test_serverless/api_integration/services';
+
+export const services = {
+  ...serverlessServices,
+  spaces: SpacesServiceProvider,
+  secureBsearch: BsearchSecureService,
+};

x-pack/test/security_solution_api_integration/ftr_provider_context.d.ts

@@ -6,6 +6,6 @@
  */
 import { GenericFtrProviderContext } from '@kbn/test';
 
-import { services } from '../../test_serverless/api_integration/services';
+import { services } from './config/serverless/services';
 
 export type FtrProviderContext = GenericFtrProviderContext<typeof services, {}>;

x-pack/test/security_solution_api_integration/ftr_provider_context_with_spaces.d.ts

@@ -5,12 +5,6 @@
  * 2.0.
  */
 import { GenericFtrProviderContext } from '@kbn/test';
+import { services } from './config/ess/services';
 
-import { SpacesServiceProvider } from '../common/services/spaces';
-import { services as serverlessServices } from '../../test_serverless/api_integration/services';
-
-const services = {
-  ...serverlessServices,
-  spaces: SpacesServiceProvider,
-};
 export type FtrProviderContextWithSpaces = GenericFtrProviderContext<typeof services, {}>;

x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_scoring_task/task_execution_nondefault_spaces.ts

@@ -20,7 +20,7 @@ import {
   deleteRiskScoreIndices,
 } from '../../../utils';
 
-import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+import type { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 export default ({ getService }: FtrProviderContextWithSpaces): void => {
   const supertest = getService('supertest');

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/configs/ess.config.ts

@@ -8,10 +8,15 @@
 import { FtrConfigProviderContext } from '@kbn/test';
 
 export default async function ({ readConfigFile }: FtrConfigProviderContext) {
-  const baseIntegrationTestsConfig = await readConfigFile(require.resolve('../../config.ts'));
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.trial')
+  );
 
   return {
-    ...baseIntegrationTestsConfig.getAll(),
-    testFiles: [require.resolve('.')],
+    ...functionalConfig.getAll(),
+    testFiles: [require.resolve('../ess')],
+    junit: {
+      reportName: 'Explore - Hosts Integration Tests - ESS Env - Trial License',
+    },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/configs/serverless.config.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  kbnTestServerArgs: [
+    `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+    `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+      { product_line: 'security', product_tier: 'complete' },
+      { product_line: 'endpoint', product_tier: 'complete' },
+      { product_line: 'cloud', product_tier: 'complete' },
+    ])}`,
+  ],
+  testFiles: [require.resolve('../serverless')],
+  junit: {
+    reportName: 'Explore - Hosts Integration Tests - Serverless Env - Complete Tier',
+  },
+});

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/ess/host_details.ts

@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  HostDetailsStrategyResponse,
+  HostsQueries,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+import { hostDetailsFilebeatExpectedResult } from '../mocks/host_details';
+
+export default function ({ getService }: FtrProviderContextWithSpaces) {
+  const esArchiver = getService('esArchiver');
+  const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
+
+  describe('Host Details', () => {
+    describe('With filebeat', () => {
+      before(
+        async () => await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default')
+      );
+      after(
+        async () => await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default')
+      );
+
+      const FROM = '2000-01-01T00:00:00.000Z';
+      const TO = '3000-01-01T00:00:00.000Z';
+
+      it('Make sure that we get HostDetails data', async () => {
+        const { hostDetails } = await bsearch.send<HostDetailsStrategyResponse>({
+          supertest,
+          options: {
+            factoryQueryType: HostsQueries.details,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            defaultIndex: ['filebeat-*'],
+            hostName: 'raspberrypi',
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(hostDetails).to.eql(hostDetailsFilebeatExpectedResult.hostDetails);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/ess/hosts.ts

@@ -16,7 +16,7 @@ import {
   FirstLastSeenStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 const FROM = '2000-01-01T00:00:00.000Z';
 const TO = '3000-01-01T00:00:00.000Z';
@@ -27,7 +27,7 @@ const TOTAL_COUNT = 7;
 const EDGE_LENGTH = 1;
 const CURSOR_ID = '2ab45fc1c41e4c84bbd02202a7e5761f';
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
   const supertest = getService('supertest');
   const bsearch = getService('bsearch');

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/ess/index.ts

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+
+export default function ({ loadTestFile }: FtrProviderContextWithSpaces) {
+  describe('@ess SecuritySolution Explore Hosts', () => {
+    loadTestFile(require.resolve('./hosts'));
+    loadTestFile(require.resolve('./host_details'));
+    loadTestFile(require.resolve('./uncommon_processes'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/ess/uncommon_processes.ts

@@ -11,7 +11,7 @@ import {
   HostsQueries,
   HostsUncommonProcessesStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 const FROM = '2000-01-01T00:00:00.000Z';
 const TO = '3000-01-01T00:00:00.000Z';
@@ -19,20 +19,18 @@ const TO = '3000-01-01T00:00:00.000Z';
 // typical values that have to change after an update from "scripts/es_archiver"
 const TOTAL_COUNT = 3;
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
-  describe('uncommon_processes', () => {
-    before(
-      async () =>
-        await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/uncommon_processes')
-    );
-    after(
-      async () =>
-        await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/uncommon_processes')
-    );
+  describe('hosts', () => {
+    before(async () => {
+      await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/uncommon_processes');
+    });
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/uncommon_processes');
+    });
 
     it('should return an edge of length 1 when given a pagination of length 1', async () => {
       const response = await bsearch.send<HostsUncommonProcessesStrategyResponse>({
@@ -56,6 +54,7 @@ export default function ({ getService }: FtrProviderContext) {
         },
         strategy: 'securitySolutionSearchStrategy',
       });
+
       expect(response.edges.length).to.be(1);
     });
 

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/serverless/host_details.ts

@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  HostDetailsStrategyResponse,
+  HostsQueries,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+import { hostDetailsFilebeatExpectedResult } from '../mocks/host_details';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  describe('Host Details', () => {
+    describe('With filebeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      const FROM = '2000-01-01T00:00:00.000Z';
+      const TO = '3000-01-01T00:00:00.000Z';
+
+      it('Make sure that we get HostDetails data', async () => {
+        const { hostDetails } = await secureBsearch.send<HostDetailsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: HostsQueries.details,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            defaultIndex: ['filebeat-*'],
+            hostName: 'raspberrypi',
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(hostDetails).to.eql(hostDetailsFilebeatExpectedResult.hostDetails);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/serverless/hosts.ts

@@ -0,0 +1,188 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  HostsQueries,
+  Direction,
+  HostsFields,
+  HostsStrategyResponse,
+  HostDetailsStrategyResponse,
+  FirstLastSeenQuery,
+  FirstLastSeenStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+const FROM = '2000-01-01T00:00:00.000Z';
+const TO = '3000-01-01T00:00:00.000Z';
+
+// typical values that have to change after an update from "scripts/es_archiver"
+const HOST_NAME = 'Ubuntu';
+const TOTAL_COUNT = 7;
+const EDGE_LENGTH = 1;
+const CURSOR_ID = '2ab45fc1c41e4c84bbd02202a7e5761f';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  describe('hosts', () => {
+    before(async () => {
+      await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+    });
+
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
+
+    it('Make sure that we get Hosts Table data', async () => {
+      const hosts = await secureBsearch.send<HostsStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          factoryQueryType: HostsQueries.hosts,
+          timerange: {
+            interval: '12h',
+            to: TO,
+            from: FROM,
+          },
+          defaultIndex: ['auditbeat-*'],
+          sort: {
+            field: HostsFields.lastSeen,
+            direction: Direction.asc,
+          },
+          pagination: {
+            activePage: 0,
+            cursorStart: 0,
+            fakePossibleCount: 3,
+            querySize: 1,
+          },
+          inspect: false,
+        },
+        strategy: 'securitySolutionSearchStrategy',
+      });
+
+      expect(hosts.edges.length).to.be(EDGE_LENGTH);
+      expect(hosts.totalCount).to.be(TOTAL_COUNT);
+      expect(hosts.pageInfo.fakeTotalCount).to.equal(3);
+    });
+
+    it('Make sure that pagination is working in Hosts Table query', async () => {
+      const hosts = await secureBsearch.send<HostsStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          factoryQueryType: HostsQueries.hosts,
+          timerange: {
+            interval: '12h',
+            to: TO,
+            from: FROM,
+          },
+          sort: {
+            field: HostsFields.lastSeen,
+            direction: Direction.asc,
+          },
+          defaultIndex: ['auditbeat-*'],
+          pagination: {
+            activePage: 2,
+            cursorStart: 1,
+            fakePossibleCount: 5,
+            querySize: 2,
+          },
+          inspect: false,
+        },
+        strategy: 'securitySolutionSearchStrategy',
+      });
+      expect(hosts.edges.length).to.be(EDGE_LENGTH);
+      expect(hosts.totalCount).to.be(TOTAL_COUNT);
+      expect(hosts.edges[0].node.host?.os?.name).to.eql([HOST_NAME]);
+    });
+
+    it('Make sure that we get Host details data', async () => {
+      const { hostDetails } = await secureBsearch.send<HostDetailsStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          factoryQueryType: HostsQueries.details,
+          hostName: 'zeek-sensor-san-francisco',
+          timerange: {
+            interval: '12h',
+            to: TO,
+            from: FROM,
+          },
+          defaultIndex: ['auditbeat-*'],
+          inspect: false,
+        },
+        strategy: 'securitySolutionSearchStrategy',
+      });
+      expect(hostDetails).to.eql({
+        _id: 'zeek-sensor-san-francisco',
+        host: {
+          architecture: ['x86_64'],
+          id: [CURSOR_ID],
+          name: ['zeek-sensor-san-francisco'],
+          os: {
+            family: ['debian'],
+            name: [HOST_NAME],
+            platform: ['ubuntu'],
+            version: ['18.04.2 LTS (Bionic Beaver)'],
+          },
+        },
+        cloud: {
+          instance: {
+            id: ['132972452'],
+          },
+          provider: ['digitalocean'],
+          region: ['sfo2'],
+        },
+      });
+    });
+
+    it('Make sure that we get First Seen for a Host', async () => {
+      const firstLastSeenHost = await secureBsearch.send<FirstLastSeenStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          factoryQueryType: FirstLastSeenQuery,
+          defaultIndex: ['auditbeat-*'],
+          field: 'host.name',
+          value: 'zeek-sensor-san-francisco',
+          order: 'asc',
+        },
+        strategy: 'securitySolutionSearchStrategy',
+      });
+      expect(firstLastSeenHost.firstSeen).to.eql('2019-02-19T19:36:23.561Z');
+    });
+
+    it('Make sure that we get Last Seen for a Host', async () => {
+      const firstLastSeenHost = await secureBsearch.send<FirstLastSeenStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          factoryQueryType: FirstLastSeenQuery,
+          defaultIndex: ['auditbeat-*'],
+          field: 'host.name',
+          value: 'zeek-sensor-san-francisco',
+          order: 'desc',
+        },
+        strategy: 'securitySolutionSearchStrategy',
+      });
+      expect(firstLastSeenHost.lastSeen).to.eql('2019-02-19T20:42:33.561Z');
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/serverless/index.ts

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+
+export default function ({ loadTestFile, getService }: FtrProviderContextWithSpaces) {
+  describe('@serverless SecuritySolution Explore Hosts', () => {
+    loadTestFile(require.resolve('./hosts'));
+    loadTestFile(require.resolve('./host_details'));
+    loadTestFile(require.resolve('./uncommon_processes'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/hosts/trial_license_complete_tier/serverless/uncommon_processes.ts

@@ -0,0 +1,154 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+
+import {
+  HostsQueries,
+  HostsUncommonProcessesStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+const FROM = '2019-01-01T00:00:00.000Z';
+const TO = '3000-01-01T00:00:00.000Z';
+
+// typical values that have to change after an update from "scripts/es_archiver"
+const TOTAL_COUNT = 3;
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  describe('hosts', () => {
+    before(async () => {
+      await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/uncommon_processes');
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+    });
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/uncommon_processes');
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
+
+    it('should return an edge of length 1 when given a pagination of length 1', async () => {
+      const response = await secureBsearch.send<HostsUncommonProcessesStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          factoryQueryType: HostsQueries.uncommonProcesses,
+          sourceId: 'default',
+          timerange: {
+            interval: '12h',
+            to: TO,
+            from: FROM,
+          },
+          pagination: {
+            activePage: 0,
+            cursorStart: 0,
+            fakePossibleCount: 3,
+            querySize: 1,
+          },
+          defaultIndex: ['auditbeat-uncommon-processes'],
+          inspect: false,
+        },
+        strategy: 'securitySolutionSearchStrategy',
+      });
+
+      expect(response.edges.length).to.be(1);
+    });
+
+    describe('when given a pagination of length 2', () => {
+      it('should return an edge of length 2 ', async () => {
+        const response = await secureBsearch.send<HostsUncommonProcessesStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: HostsQueries.uncommonProcesses,
+            sourceId: 'default',
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 3,
+              querySize: 2,
+            },
+            defaultIndex: ['auditbeat-uncommon-processes'],
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(response.edges.length).to.be(2);
+      });
+    });
+
+    describe('when given a pagination of length 1', () => {
+      let response: HostsUncommonProcessesStrategyResponse | null = null;
+      before(async () => {
+        response = await secureBsearch.send<HostsUncommonProcessesStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: HostsQueries.uncommonProcesses,
+            sourceId: 'default',
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 3,
+              querySize: 1,
+            },
+            defaultIndex: ['auditbeat-uncommon-processes'],
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+      });
+
+      it('should return an edge of length 1 ', () => {
+        expect(response?.edges.length).to.be(1);
+      });
+
+      it('should return a total count of elements', () => {
+        expect(response?.totalCount).to.be(TOTAL_COUNT);
+      });
+
+      it('should return a single data set with pagination of 1', () => {
+        const expected = {
+          _id: 'HCFxB2kBR346wHgnL4ik',
+          instances: 1,
+          process: {
+            name: ['kworker/u2:0'],
+          },
+          user: {
+            id: ['0'],
+            name: ['root'],
+          },
+          hosts: [
+            {
+              id: ['zeek-sensor-san-francisco'],
+              name: ['zeek-sensor-san-francisco'],
+            },
+          ],
+        };
+        expect(response?.edges[0].node).to.eql(expected);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/configs/ess.config.ts

@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.trial')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    testFiles: [require.resolve('../ess')],
+    junit: {
+      reportName: 'Explore - Network Integration Tests - ESS Env - Trial License',
+    },
+  };
+}

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/configs/serverless.config.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  kbnTestServerArgs: [
+    `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+    `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+      { product_line: 'security', product_tier: 'complete' },
+      { product_line: 'endpoint', product_tier: 'complete' },
+      { product_line: 'cloud', product_tier: 'complete' },
+    ])}`,
+  ],
+  testFiles: [require.resolve('../serverless')],
+  junit: {
+    reportName: 'Explore - Network Integration Tests - Serverless Env - Complete Tier',
+  },
+});

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/ess/index.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+
+export default function ({ loadTestFile }: FtrProviderContextWithSpaces) {
+  describe('@ess SecuritySolution Explore Network', () => {
+    loadTestFile(require.resolve('./network_details'));
+    loadTestFile(require.resolve('./network_dns'));
+    loadTestFile(require.resolve('./network_top_n_flow'));
+    loadTestFile(require.resolve('./tls'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/ess/network_details.ts

@@ -11,12 +11,12 @@ import {
   NetworkQueries,
 } from '@kbn/security-solution-plugin/common/search_strategy';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   describe('Network details', () => {
     describe('With filebeat', () => {

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/ess/network_dns.ts

@@ -14,12 +14,12 @@ import {
   NetworkDnsStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   describe('Network DNS', () => {
     describe('With packetbeat', () => {

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/ess/network_top_n_flow.ts

@@ -15,14 +15,14 @@ import {
   NetworkTopNFlowStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 const EDGE_LENGTH = 10;
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   describe('Network Top N Flow', () => {
     describe('With filebeat', () => {
@@ -36,26 +36,6 @@ export default function ({ getService }: FtrProviderContext) {
       const FROM = '2019-02-09T01:57:24.870Z';
       const TO = '2019-02-12T01:57:24.870Z';
 
-      it('should get Source NetworkTopNFlowCount total count', async () => {
-        const networkTopNFlow = await bsearch.send<NetworkTopNFlowStrategyResponse>({
-          supertest,
-          options: {
-            defaultIndex: ['filebeat-*'],
-            factoryQueryType: NetworkQueries.topNFlowCount,
-            flowTarget: FlowTargetSourceDest.source,
-            timerange: {
-              interval: '12h',
-              to: TO,
-              from: FROM,
-            },
-            inspect: false,
-          },
-          strategy: 'securitySolutionSearchStrategy',
-        });
-
-        expect(networkTopNFlow.totalCount).to.be(121);
-      });
-
       it('should get Source NetworkTopNFlow data with bytes_in descending sort', async () => {
         const networkTopNFlow = await bsearch.send<NetworkTopNFlowStrategyResponse>({
           supertest,

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/ess/tls.ts

@@ -14,7 +14,7 @@ import {
   NetworkTlsStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 const FROM = '2000-01-01T00:00:00.000Z';
 const TO = '3000-01-01T00:00:00.000Z';
@@ -81,7 +81,7 @@ const expectedOverviewSourceResult = {
   totalCount: 3,
 };
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
   const supertest = getService('supertest');
   const bsearch = getService('bsearch');

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/serverless/index.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('@serverless SecuritySolution Explore Network', () => {
+    loadTestFile(require.resolve('./network_details'));
+    loadTestFile(require.resolve('./network_dns'));
+    loadTestFile(require.resolve('./network_top_n_flow'));
+    loadTestFile(require.resolve('./tls'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/serverless/network_details.ts

@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  NetworkDetailsStrategyResponse,
+  NetworkQueries,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  describe('Network details', () => {
+    describe('With filebeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      it('Make sure that we get Network details data', async () => {
+        const body = await secureBsearch.send<NetworkDetailsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            ip: '151.205.0.17',
+            defaultIndex: ['filebeat-*'],
+            factoryQueryType: NetworkQueries.details,
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(body.networkDetails.source?.geo.continent_name).to.eql(['North America']);
+        expect(body.networkDetails.source?.geo.location?.lat!).to.eql([37.751]);
+        expect(body.networkDetails.host?.os?.platform).to.eql(['raspbian']);
+      });
+    });
+
+    describe('With packetbeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/packetbeat/default');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/packetbeat/default');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      it('Make sure that we get Network details data', async () => {
+        const body = await secureBsearch.send<NetworkDetailsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            ip: '185.53.91.88',
+            defaultIndex: ['packetbeat-*'],
+            factoryQueryType: NetworkQueries.details,
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(body.networkDetails.host?.id).to.eql(['2ce8b1e7d69e4a1d9c6bcddc473da9d9']);
+        expect(body.networkDetails.host?.name).to.eql(['zeek-sensor-amsterdam']);
+        expect(body.networkDetails.host?.os?.platform!).to.eql(['ubuntu']);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/serverless/network_dns.ts

@@ -0,0 +1,109 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  NetworkQueries,
+  NetworkDnsEdges,
+  Direction,
+  NetworkDnsFields,
+  NetworkDnsStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+
+  describe('Network DNS', () => {
+    describe('With packetbeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/packetbeat/dns');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/packetbeat/dns');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      const FROM = '2000-01-01T00:00:00.000Z';
+      const TO = '3000-01-01T00:00:00.000Z';
+
+      it('Make sure that we get Dns data and sorting by uniqueDomains ascending', async () => {
+        const networkDns = await secureBsearch.send<NetworkDnsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['packetbeat-*'],
+            factoryQueryType: NetworkQueries.dns,
+            filterQuery:
+              '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+            isPtrIncluded: false,
+            pagination: { activePage: 0, cursorStart: 0, fakePossibleCount: 30, querySize: 10 },
+            sort: { field: NetworkDnsFields.uniqueDomains, direction: Direction.asc },
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(networkDns.edges.length).to.be(10);
+        expect(networkDns.totalCount).to.be(44);
+        expect(networkDns.edges.map((i: NetworkDnsEdges) => i.node.dnsName).join(',')).to.be(
+          'aaplimg.com,adgrx.com,akadns.net,akamaiedge.net,amazonaws.com,cbsistatic.com,cdn-apple.com,connman.net,d1oxlq5h9kq8q5.cloudfront.net,d3epxf4t8a32oh.cloudfront.net'
+        );
+        expect(networkDns.pageInfo.fakeTotalCount).to.equal(30);
+      });
+
+      it('Make sure that we get Dns data and sorting by uniqueDomains descending', async () => {
+        const networkDns = await secureBsearch.send<NetworkDnsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+
+          internalOrigin: 'Kibana',
+          options: {
+            ip: '151.205.0.17',
+            defaultIndex: ['packetbeat-*'],
+            factoryQueryType: NetworkQueries.dns,
+            inspect: false,
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 30,
+              querySize: 10,
+            },
+            sort: { field: NetworkDnsFields.uniqueDomains, direction: Direction.desc },
+            stackByField: 'dns.question.registered_domain',
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(networkDns.edges.length).to.be(10);
+        expect(networkDns.totalCount).to.be(44);
+        expect(networkDns.edges.map((i: NetworkDnsEdges) => i.node.dnsName).join(',')).to.be(
+          'nflxvideo.net,apple.com,netflix.com,samsungcloudsolution.com,samsungqbe.com,samsungelectronics.com,internetat.tv,samsungcloudsolution.net,samsungosp.com,cbsnews.com'
+        );
+        expect(networkDns.pageInfo.fakeTotalCount).to.equal(30);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/serverless/network_top_n_flow.ts

@@ -0,0 +1,186 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  NetworkQueries,
+  NetworkTopNFlowEdges,
+  Direction,
+  FlowTargetSourceDest,
+  NetworkTopTablesFields,
+  NetworkTopNFlowStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+const EDGE_LENGTH = 10;
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  describe('Network Top N Flow', () => {
+    describe('With filebeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      const FROM = '2019-02-09T01:57:24.870Z';
+      const TO = '2019-02-12T01:57:24.870Z';
+
+      it('should get Source NetworkTopNFlow data with bytes_in descending sort', async () => {
+        const networkTopNFlow = await secureBsearch.send<NetworkTopNFlowStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['filebeat-*'],
+            factoryQueryType: NetworkQueries.topNFlow,
+            flowTarget: FlowTargetSourceDest.source,
+            sort: { field: NetworkTopTablesFields.bytes_in, direction: Direction.desc },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 0,
+              querySize: 10,
+            },
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(networkTopNFlow.edges.length).to.be(EDGE_LENGTH);
+        expect(
+          networkTopNFlow.edges.map((i: NetworkTopNFlowEdges) => i.node.source!.ip).join(',')
+        ).to.be(
+          '10.100.7.196,10.100.7.199,10.100.7.197,10.100.7.198,3.82.33.170,17.249.172.100,10.100.4.1,8.248.209.244,8.248.211.247,8.248.213.244'
+        );
+        expect(networkTopNFlow.edges[0].node.destination).to.be(undefined);
+        expect(networkTopNFlow.edges[0].node.source!.flows).to.be(498);
+        expect(networkTopNFlow.edges[0].node.source!.destination_ips).to.be(132);
+      });
+
+      it('should get Source NetworkTopNFlow data with bytes_in ascending sort ', async () => {
+        const networkTopNFlow = await secureBsearch.send<NetworkTopNFlowStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['filebeat-*'],
+            factoryQueryType: NetworkQueries.topNFlow,
+            filterQuery:
+              '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+            flowTarget: FlowTargetSourceDest.source,
+            sort: { field: NetworkTopTablesFields.bytes_in, direction: Direction.asc },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 0,
+              querySize: 10,
+            },
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(networkTopNFlow.edges.length).to.be(EDGE_LENGTH);
+        expect(
+          networkTopNFlow.edges.map((i: NetworkTopNFlowEdges) => i.node.source!.ip).join(',')
+        ).to.be(
+          '8.248.209.244,8.248.211.247,8.248.213.244,8.248.223.246,8.250.107.245,8.250.121.236,8.250.125.244,8.253.38.231,8.253.157.112,8.253.157.240'
+        );
+        expect(networkTopNFlow.edges[0].node.destination).to.be(undefined);
+        expect(networkTopNFlow.edges[0].node.source!.flows).to.be(12);
+        expect(networkTopNFlow.edges[0].node.source!.destination_ips).to.be(1);
+      });
+
+      it('should get Destination NetworkTopNFlow data', async () => {
+        const networkTopNFlow = await secureBsearch.send<NetworkTopNFlowStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['filebeat-*'],
+            factoryQueryType: 'topNFlow',
+            filterQuery:
+              '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+            sort: { field: NetworkTopTablesFields.bytes_in, direction: Direction.desc },
+            flowTarget: FlowTargetSourceDest.destination,
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 0,
+              querySize: 10,
+            },
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(networkTopNFlow.edges.length).to.be(EDGE_LENGTH);
+        expect(networkTopNFlow.edges[0].node.destination!.flows).to.be(19);
+        expect(networkTopNFlow.edges[0].node.destination!.source_ips).to.be(1);
+        expect(networkTopNFlow.edges[0].node.source).to.be(undefined);
+      });
+
+      it('should paginate NetworkTopNFlow query', async () => {
+        const networkTopNFlow = await secureBsearch.send<NetworkTopNFlowStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['filebeat-*'],
+            factoryQueryType: 'topNFlow',
+            filterQuery:
+              '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+            sort: { field: NetworkTopTablesFields.bytes_in, direction: Direction.desc },
+            flowTarget: FlowTargetSourceDest.source,
+            pagination: {
+              activePage: 1,
+              cursorStart: 10,
+              fakePossibleCount: 0,
+              querySize: 20,
+            },
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(networkTopNFlow.edges.length).to.be(EDGE_LENGTH);
+        expect(networkTopNFlow.edges[0].node.source!.ip).to.be('8.248.223.246');
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/network/trial_license_complete_tier/serverless/tls.ts

@@ -0,0 +1,239 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  NetworkQueries,
+  Direction,
+  NetworkTlsFields,
+  FlowTarget,
+  NetworkTlsStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+const FROM = '2000-01-01T00:00:00.000Z';
+const TO = '3000-01-01T00:00:00.000Z';
+const SOURCE_IP = '10.128.0.35';
+const DESTINATION_IP = '74.125.129.95';
+
+const expectedResult = {
+  _id: '16989191B1A93ECECD5FE9E63EBD4B5C3B606D26',
+  subjects: ['CN=edgecert.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US'],
+  issuers: ['CN=GTS CA 1O1,O=Google Trust Services,C=US'],
+  ja3: ['bd12d76eb0b6787e6a78a14d2ff96c2b'],
+  notAfter: ['2020-05-06T11:52:15.000Z'],
+};
+
+const expectedOverviewDestinationResult = {
+  edges: [
+    {
+      cursor: {
+        tiebreaker: null,
+        value: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
+      },
+      node: {
+        _id: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
+        subjects: [
+          'CN=*.cdn.mozilla.net,OU=Cloud Services,O=Mozilla Corporation,L=Mountain View,ST=California,C=US',
+        ],
+        issuers: ['CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US'],
+        ja3: ['b20b44b18b853ef29ab773e921b03422'],
+        notAfter: ['2020-12-09T12:00:00.000Z'],
+      },
+    },
+  ],
+  pageInfo: {
+    activePage: 0,
+    fakeTotalCount: 3,
+    showMorePagesIndicator: false,
+  },
+  totalCount: 3,
+};
+
+const expectedOverviewSourceResult = {
+  edges: [
+    {
+      cursor: {
+        tiebreaker: null,
+        value: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
+      },
+      node: {
+        _id: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
+        subjects: [
+          'CN=*.cdn.mozilla.net,OU=Cloud Services,O=Mozilla Corporation,L=Mountain View,ST=California,C=US',
+        ],
+        issuers: ['CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US'],
+        ja3: ['b20b44b18b853ef29ab773e921b03422'],
+        notAfter: ['2020-12-09T12:00:00.000Z'],
+      },
+    },
+  ],
+  pageInfo: {
+    activePage: 0,
+    fakeTotalCount: 3,
+    showMorePagesIndicator: false,
+  },
+  totalCount: 3,
+};
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const secureBsearch = getService('secureBsearch');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+
+  describe('Tls Test with Packetbeat', () => {
+    describe('Tls Test', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/packetbeat/tls');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/packetbeat/tls');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      it('Ensure data is returned for FlowTarget.Source', async () => {
+        const tls = await secureBsearch.send<NetworkTlsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: NetworkQueries.tls,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            ip: SOURCE_IP,
+            flowTarget: FlowTarget.source,
+            sort: { field: NetworkTlsFields._id, direction: Direction.desc },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 30,
+              querySize: 10,
+            },
+            defaultIndex: ['packetbeat-*'],
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(tls.edges.length).to.be(1);
+        expect(tls.totalCount).to.be(1);
+        expect(tls.edges[0].node).to.eql(expectedResult);
+      });
+
+      it('Ensure data is returned for FlowTarget.Destination', async () => {
+        const tls = await secureBsearch.send<NetworkTlsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: NetworkQueries.tls,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            ip: DESTINATION_IP,
+            flowTarget: FlowTarget.destination,
+            sort: { field: NetworkTlsFields._id, direction: Direction.desc },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 30,
+              querySize: 10,
+            },
+            defaultIndex: ['packetbeat-*'],
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(tls.edges.length).to.be(1);
+        expect(tls.totalCount).to.be(1);
+        expect(tls.edges[0].node).to.eql(expectedResult);
+      });
+    });
+
+    describe('Tls Overview Test', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/packetbeat/tls');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/packetbeat/tls');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      it('Ensure data is returned for FlowTarget.Source', async () => {
+        const tls = await secureBsearch.send<NetworkTlsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: NetworkQueries.tls,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            ip: '',
+            flowTarget: FlowTarget.source,
+            sort: { field: NetworkTlsFields._id, direction: Direction.desc },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 30,
+              querySize: 10,
+            },
+            defaultIndex: ['packetbeat-*'],
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(tls.pageInfo).to.eql(expectedOverviewSourceResult.pageInfo);
+        expect(tls.edges[0]).to.eql(expectedOverviewSourceResult.edges[0]);
+      });
+
+      it('Ensure data is returned for FlowTarget.Destination', async () => {
+        const tls = await secureBsearch.send<NetworkTlsStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: NetworkQueries.tls,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            ip: '',
+            flowTarget: FlowTarget.destination,
+            sort: { field: NetworkTlsFields._id, direction: Direction.desc },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 30,
+              querySize: 10,
+            },
+            defaultIndex: ['packetbeat-*'],
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+
+        expect(tls.pageInfo).to.eql(expectedOverviewDestinationResult.pageInfo);
+        expect(tls.edges[0]).to.eql(expectedOverviewDestinationResult.edges[0]);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/configs/ess.config.ts

@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.trial')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    testFiles: [require.resolve('../ess')],
+    junit: {
+      reportName: 'Explore - Overview Integration Tests - ESS Env - Trial License',
+    },
+  };
+}

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/configs/serverless.config.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  kbnTestServerArgs: [
+    `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+    `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+      { product_line: 'security', product_tier: 'complete' },
+      { product_line: 'endpoint', product_tier: 'complete' },
+      { product_line: 'cloud', product_tier: 'complete' },
+    ])}`,
+  ],
+  testFiles: [require.resolve('../serverless')],
+  junit: {
+    reportName: 'Explore - Overview Integration Tests - Serverless Env - Complete Tier',
+  },
+});

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/ess/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+
+export default function ({ loadTestFile }: FtrProviderContextWithSpaces) {
+  describe('@ess SecuritySolution Explore Overview', () => {
+    loadTestFile(require.resolve('./overview_host'));
+    loadTestFile(require.resolve('./overview_network'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/ess/overview_host.ts

@@ -11,12 +11,12 @@ import {
   HostsQueries,
   HostsOverviewStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   describe('Overview Host', () => {
     describe('With auditbeat', () => {

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/ess/overview_network.ts

@@ -10,12 +10,12 @@ import {
   NetworkOverviewStrategyResponse,
   NetworkQueries,
 } from '@kbn/security-solution-plugin/common/search_strategy';
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   describe('Overview Network', () => {
     describe('With filebeat', () => {

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/serverless/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+
+export default function ({ loadTestFile, getService }: FtrProviderContext) {
+  describe('@serverless SecuritySolution Explore Overview', () => {
+    loadTestFile(require.resolve('./overview_host'));
+    loadTestFile(require.resolve('./overview_network'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/serverless/overview_host.ts

@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+
+import {
+  HostsQueries,
+  HostsOverviewStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  describe('Overview Host', () => {
+    describe('With auditbeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/overview');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/overview');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      const FROM = '2000-01-01T00:00:00.000Z';
+      const TO = '3000-01-01T00:00:00.000Z';
+      const expectedResult = {
+        auditbeatAuditd: 2194,
+        auditbeatFIM: 4,
+        auditbeatLogin: 2810,
+        auditbeatPackage: 3,
+        auditbeatProcess: 7,
+        auditbeatUser: 6,
+        endgameDns: 1,
+        endgameFile: 2,
+        endgameImageLoad: 1,
+        endgameNetwork: 4,
+        endgameProcess: 2,
+        endgameRegistry: 1,
+        endgameSecurity: 4,
+        filebeatSystemModule: 0,
+        winlogbeatSecurity: 0,
+        winlogbeatMWSysmonOperational: 0,
+      };
+
+      it('Make sure that we get OverviewHost data', async () => {
+        const { overviewHost } = await secureBsearch.send<HostsOverviewStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['auditbeat-*'],
+            factoryQueryType: HostsQueries.overview,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(overviewHost).to.eql(expectedResult);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/overview/trial_license_complete_tier/serverless/overview_network.ts

@@ -0,0 +1,160 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  NetworkOverviewStrategyResponse,
+  NetworkQueries,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+
+  describe('Overview Network', () => {
+    describe('With filebeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      const FROM = '2000-01-01T00:00:00.000Z';
+      const TO = '3000-01-01T00:00:00.000Z';
+
+      const expectedResult = {
+        auditbeatSocket: 0,
+        filebeatCisco: 0,
+        filebeatNetflow: 1273,
+        filebeatPanw: 0,
+        filebeatSuricata: 4547,
+        filebeatZeek: 0,
+        packetbeatDNS: 0,
+        packetbeatFlow: 0,
+        packetbeatTLS: 0,
+      };
+
+      it('Make sure that we get OverviewNetwork data', async () => {
+        const { overviewNetwork } = await secureBsearch.send<NetworkOverviewStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['filebeat-*'],
+            factoryQueryType: NetworkQueries.overview,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(overviewNetwork).to.eql(expectedResult);
+      });
+    });
+
+    describe('With packetbeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/packetbeat/overview');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/packetbeat/overview');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      const FROM = '2000-01-01T00:00:00.000Z';
+      const TO = '3000-01-01T00:00:00.000Z';
+      const expectedResult = {
+        auditbeatSocket: 0,
+        filebeatCisco: 0,
+        filebeatNetflow: 0,
+        filebeatPanw: 0,
+        filebeatSuricata: 0,
+        filebeatZeek: 0,
+        packetbeatDNS: 44,
+        packetbeatFlow: 588,
+        packetbeatTLS: 0,
+      };
+
+      it('Make sure that we get OverviewNetwork data', async () => {
+        const { overviewNetwork } = await secureBsearch.send<NetworkOverviewStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['packetbeat-*'],
+            factoryQueryType: NetworkQueries.overview,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(overviewNetwork).to.eql(expectedResult);
+      });
+    });
+
+    describe('With auditbeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/overview');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/overview');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      const FROM = '2000-01-01T00:00:00.000Z';
+      const TO = '3000-01-01T00:00:00.000Z';
+      const expectedResult = {
+        auditbeatSocket: 45,
+        filebeatCisco: 0,
+        filebeatNetflow: 0,
+        filebeatPanw: 0,
+        filebeatSuricata: 0,
+        filebeatZeek: 0,
+        packetbeatDNS: 0,
+        packetbeatFlow: 0,
+        packetbeatTLS: 0,
+      };
+
+      it('Make sure that we get OverviewNetwork data', async () => {
+        const { overviewNetwork } = await secureBsearch.send<NetworkOverviewStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            defaultIndex: ['auditbeat-*'],
+            factoryQueryType: NetworkQueries.overview,
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(overviewNetwork).to.eql(expectedResult);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/configs/ess.config.ts

@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.trial')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    testFiles: [require.resolve('../ess')],
+    junit: {
+      reportName: 'Explore - Users Integration Tests - ESS Env - Trial License',
+    },
+  };
+}

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/configs/serverless.config.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  kbnTestServerArgs: [
+    `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+    `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+      { product_line: 'security', product_tier: 'complete' },
+      { product_line: 'endpoint', product_tier: 'complete' },
+      { product_line: 'cloud', product_tier: 'complete' },
+    ])}`,
+  ],
+  testFiles: [require.resolve('../serverless')],
+  junit: {
+    reportName: 'Explore - Users Integration Tests - Serverless Env - Complete Tier',
+  },
+});

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/ess/authentications.ts

@@ -14,7 +14,7 @@ import {
 } from '@kbn/security-solution-plugin/common/search_strategy';
 import type { UserAuthenticationsRequestOptions } from '@kbn/security-solution-plugin/common/api/search_strategy';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 const FROM = '2000-01-01T00:00:00.000Z';
 const TO = '3000-01-01T00:00:00.000Z';
@@ -25,10 +25,10 @@ const LAST_SUCCESS_SOURCE_IP = '8.42.77.171';
 const TOTAL_COUNT = 3;
 const EDGE_LENGTH = 1;
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   describe('authentications', () => {
     before(async () => await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'));

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/ess/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+
+export default function ({ loadTestFile }: FtrProviderContextWithSpaces) {
+  describe('@ess SecuritySolution Explore Users', () => {
+    loadTestFile(require.resolve('./authentications'));
+    loadTestFile(require.resolve('./users'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/ess/users.ts

@@ -14,16 +14,16 @@ import {
   NetworkUsersStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 const FROM = '2000-01-01T00:00:00.000Z';
 const TO = '3000-01-01T00:00:00.000Z';
 const IP = '0.0.0.0';
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   describe('Users', () => {
     describe('With auditbeat', () => {

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/serverless/authentications.ts

@@ -0,0 +1,115 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  AuthStackByField,
+  Direction,
+  UserAuthenticationsStrategyResponse,
+  UsersQueries,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import type { UserAuthenticationsRequestOptions } from '@kbn/security-solution-plugin/common/api/search_strategy';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+const FROM = '2000-01-01T00:00:00.000Z';
+const TO = '3000-01-01T00:00:00.000Z';
+
+// typical values that have to change after an update from "scripts/es_archiver"
+const HOST_NAME = 'zeek-newyork-sha-aa8df15';
+const LAST_SUCCESS_SOURCE_IP = '8.42.77.171';
+const TOTAL_COUNT = 3;
+const EDGE_LENGTH = 1;
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  describe('authentications', () => {
+    before(async () => {
+      await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+    });
+
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
+
+    it('Make sure that we get Authentication data', async () => {
+      const requestOptions: UserAuthenticationsRequestOptions = {
+        factoryQueryType: UsersQueries.authentications,
+        timerange: {
+          interval: '12h',
+          to: TO,
+          from: FROM,
+        },
+        pagination: {
+          activePage: 0,
+          cursorStart: 0,
+          fakePossibleCount: 3,
+          querySize: 1,
+        },
+        defaultIndex: ['auditbeat-*'],
+        stackByField: AuthStackByField.userName,
+        sort: { field: 'timestamp', direction: Direction.asc },
+        filterQuery: '',
+      };
+
+      const authentications = await secureBsearch.send<UserAuthenticationsStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: requestOptions,
+        strategy: 'securitySolutionSearchStrategy',
+      });
+
+      expect(authentications.edges.length).to.be(EDGE_LENGTH);
+      expect(authentications.totalCount).to.be(TOTAL_COUNT);
+      expect(authentications.pageInfo.fakeTotalCount).to.equal(3);
+    });
+
+    it('Make sure that pagination is working in Authentications query', async () => {
+      const requestOptions: UserAuthenticationsRequestOptions = {
+        factoryQueryType: UsersQueries.authentications,
+        timerange: {
+          interval: '12h',
+          to: TO,
+          from: FROM,
+        },
+        pagination: {
+          activePage: 2,
+          cursorStart: 1,
+          fakePossibleCount: 5,
+          querySize: 2,
+        },
+        defaultIndex: ['auditbeat-*'],
+        stackByField: AuthStackByField.userName,
+        sort: { field: 'timestamp', direction: Direction.asc },
+        filterQuery: '',
+      };
+
+      const authentications = await secureBsearch.send<UserAuthenticationsStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: requestOptions,
+        strategy: 'securitySolutionSearchStrategy',
+      });
+
+      expect(authentications.edges.length).to.be(EDGE_LENGTH);
+      expect(authentications.totalCount).to.be(TOTAL_COUNT);
+      expect(authentications.edges[0].node.lastSuccess?.source?.ip).to.eql([
+        LAST_SUCCESS_SOURCE_IP,
+      ]);
+      expect(authentications.edges[0].node.lastSuccess?.host?.name).to.eql([HOST_NAME]);
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/serverless/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('@serverless SecuritySolution Explore Users', () => {
+    loadTestFile(require.resolve('./authentications'));
+    loadTestFile(require.resolve('./users'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/explore/users/trial_license_complete_tier/serverless/users.ts

@@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  NetworkQueries,
+  Direction,
+  NetworkUsersFields,
+  FlowTarget,
+  NetworkUsersStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+const FROM = '2000-01-01T00:00:00.000Z';
+const TO = '3000-01-01T00:00:00.000Z';
+const IP = '0.0.0.0';
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+
+  describe('Users', () => {
+    describe('With auditbeat', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/users');
+        roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/users');
+        await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+      });
+
+      it('Ensure data is returned from auditbeat', async () => {
+        const users = await secureBsearch.send<NetworkUsersStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: NetworkQueries.users,
+            sourceId: 'default',
+            timerange: {
+              interval: '12h',
+              to: TO,
+              from: FROM,
+            },
+            defaultIndex: ['auditbeat-users'],
+            ip: IP,
+            flowTarget: FlowTarget.destination,
+            sort: { field: NetworkUsersFields.name, direction: Direction.asc },
+            pagination: {
+              activePage: 0,
+              cursorStart: 0,
+              fakePossibleCount: 30,
+              querySize: 10,
+            },
+            inspect: false,
+          },
+          strategy: 'securitySolutionSearchStrategy',
+        });
+        expect(users.edges.length).to.be(1);
+        expect(users.totalCount).to.be(1);
+        expect(users.edges[0].node.user?.id).to.eql(['0']);
+        expect(users.edges[0].node.user?.name).to.be('root');
+        expect(users.edges[0].node.user?.groupId).to.eql(['0']);
+        expect(users.edges[0].node.user?.groupName).to.eql(['root']);
+        expect(users.edges[0].node.user?.count).to.be(1);
+      });
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/configs/ess.config.ts

@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.basic')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    kbnTestServer: {
+      ...functionalConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...functionalConfig.get('kbnTestServer.serverArgs'),
+        `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+      ],
+    },
+    testFiles: [require.resolve('..')],
+    junit: {
+      reportName: 'Saved Objects Integration Tests - ESS Env - Basic License',
+    },
+  };
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/configs/serverless.config.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  kbnTestServerArgs: [
+    `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+    `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+      { product_line: 'security', product_tier: 'essentials' },
+      { product_line: 'endpoint', product_tier: 'essentials' },
+      { product_line: 'cloud', product_tier: 'essentials' },
+    ])}`,
+  ],
+  testFiles: [require.resolve('..')],
+  junit: {
+    reportName: 'Saved Objects Integration Tests - Serverless Env - Essentials Tier',
+  },
+});

x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/draft_timeline.ts

@@ -7,7 +7,7 @@
 
 import expect from '@kbn/expect';
 
-import { FtrProviderContext } from '../../../ftr_provider_context';
+import { FtrProviderContext } from '../../../../../api_integration/ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
   const kibanaServer = getService('kibanaServer');

x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/index.ts

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('@ess @serverless SecuritySolution Saved Objects', () => {
+    loadTestFile(require.resolve('./notes'));
+    loadTestFile(require.resolve('./pinned_events'));
+    loadTestFile(require.resolve('./timeline'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/notes.ts

@@ -7,7 +7,7 @@
 
 import expect from '@kbn/expect';
 
-import { FtrProviderContext } from '../../../ftr_provider_context';
+import { FtrProviderContext } from '../../../../../api_integration/ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
   const kibanaServer = getService('kibanaServer');

x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/pinned_events.ts

@@ -7,7 +7,7 @@
 
 import expect from '@kbn/expect';
 
-import { FtrProviderContext } from '../../../ftr_provider_context';
+import { FtrProviderContext } from '../../../../../api_integration/ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
   const kibanaServer = getService('kibanaServer');

x-pack/test/security_solution_api_integration/test_suites/investigation/saved_objects/trial_license_complete_tier/timeline.ts

@@ -7,7 +7,7 @@
 
 import expect from '@kbn/expect';
 import { TimelineResult, TimelineType } from '@kbn/security-solution-plugin/common/api/timeline';
-import { FtrProviderContext } from '../../../ftr_provider_context';
+import { FtrProviderContext } from '../../../../../api_integration/ftr_provider_context';
 
 import { createBasicTimeline } from './helpers';
 

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/configs/ess.config.ts

@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.trial')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    kbnTestServer: {
+      ...functionalConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...functionalConfig.get('kbnTestServer.serverArgs'),
+        `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+      ],
+    },
+    testFiles: [require.resolve('../ess')],
+    junit: {
+      reportName: 'Timeline Integration Tests - ESS Env - Basic License',
+    },
+  };
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/configs/serverless.config.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  kbnTestServerArgs: [
+    `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+    `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+      { product_line: 'security', product_tier: 'complete' },
+      { product_line: 'endpoint', product_tier: 'complete' },
+      { product_line: 'cloud', product_tier: 'complete' },
+    ])}`,
+  ],
+  testFiles: [require.resolve('../serverless')],
+  junit: {
+    reportName: 'Timeline Integration Tests - Serverless Env - Complete Tier',
+  },
+});

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/ess/events.ts

@@ -13,8 +13,8 @@ import {
   TimelineEventsQueries,
   TimelineEventsAllStrategyResponse,
 } from '@kbn/security-solution-plugin/common/search_strategy';
-import { FtrProviderContext } from '../../ftr_provider_context';
-import { getFieldsToRequest, getFilterValue } from './utils';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+import { getFieldsToRequest, getFilterValue } from '../../../../utils';
 
 const TO = '3000-01-01T00:00:00.000Z';
 const FROM = '2000-01-01T00:00:00.000Z';
@@ -27,10 +27,10 @@ const ACTIVE_PAGE = 0;
 const PAGE_SIZE = 25;
 const LIMITED_PAGE_SIZE = 2;
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
   const bsearch = getService('bsearch');
+  const supertest = getService('supertest');
 
   const getPostBody = (): JsonObject => ({
     defaultIndex: ['auditbeat-*'],
@@ -74,7 +74,6 @@ export default function ({ getService }: FtrProviderContext) {
         },
         strategy: 'timelineSearchStrategy',
       });
-
       expect(timeline.edges.length).to.be(EDGE_LENGTH);
       expect(timeline.edges[0].node.data.length).to.be(DATA_COUNT);
       expect(timeline.totalCount).to.be(TOTAL_COUNT);

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/ess/index.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+
+export default function ({ loadTestFile }: FtrProviderContextWithSpaces) {
+  describe('@ess SecuritySolution Timeline', () => {
+    loadTestFile(require.resolve('./events'));
+    loadTestFile(require.resolve('./timeline_details'));
+    loadTestFile(require.resolve('./timeline'));
+    loadTestFile(require.resolve('./timeline_migrations'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/ess/timeline.ts

@@ -8,10 +8,13 @@
 import expect from '@kbn/expect';
 import { SavedTimeline, TimelineType } from '@kbn/security-solution-plugin/common/api/timeline';
 
-import { FtrProviderContext } from '../../ftr_provider_context';
-import { createBasicTimeline, createBasicTimelineTemplate } from './saved_objects/helpers';
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+import {
+  createBasicTimeline,
+  createBasicTimelineTemplate,
+} from '../../../saved_objects/trial_license_complete_tier/helpers';
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const supertest = getService('supertest');
   const esArchiver = getService('esArchiver');
 
@@ -72,7 +75,6 @@ export default function ({ getService }: FtrProviderContext) {
         const resp = await supertest
           .get('/api/timeline/resolve')
           .query({ id: '8dc70950-1012-11ec-9ad3-2d7c6600c0f7' });
-
         expect(resp.body.data.outcome).to.be('exactMatch');
         expect(resp.body.data.alias_target_id).to.be(undefined);
         expect(resp.body.data.timeline.title).to.be('Awesome Timeline');

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/ess/timeline_details.ts

@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { sortBy } from 'lodash';
+import {
+  TimelineEventsQueries,
+  TimelineEventsDetailsStrategyResponse,
+  TimelineKpiStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+
+import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+import { timelineDetailsFilebeatExpectedResults as EXPECTED_DATA } from '../mocks/timeline_details';
+
+// typical values that have to change after an update from "scripts/es_archiver"
+const INDEX_NAME = 'filebeat-7.0.0-iot-2019.06';
+const ID = 'QRhG1WgBqd-n62SwZYDT';
+
+const EXPECTED_KPI_COUNTS = {
+  destinationIpCount: 154,
+  hostCount: 1,
+  processCount: 0,
+  sourceIpCount: 121,
+  userCount: 0,
+};
+
+export default function ({ getService }: FtrProviderContextWithSpaces) {
+  const esArchiver = getService('esArchiver');
+  const supertest = getService('supertest');
+  const bsearch = getService('bsearch');
+
+  describe('Timeline Details', () => {
+    before(
+      async () => await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default')
+    );
+    after(
+      async () => await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default')
+    );
+
+    it('Make sure that we get Event Details data', async () => {
+      const { data: detailsData } = await bsearch.send<TimelineEventsDetailsStrategyResponse>({
+        supertest,
+        options: {
+          factoryQueryType: TimelineEventsQueries.details,
+          indexName: INDEX_NAME,
+          inspect: false,
+          eventId: ID,
+        },
+        strategy: 'timelineSearchStrategy',
+      });
+      expect(sortBy(detailsData, 'field')).to.eql(sortBy(EXPECTED_DATA, 'field'));
+    });
+
+    it('Make sure that we get kpi data', async () => {
+      const { destinationIpCount, hostCount, processCount, sourceIpCount, userCount } =
+        await bsearch.send<TimelineKpiStrategyResponse>({
+          supertest,
+          options: {
+            factoryQueryType: TimelineEventsQueries.kpi,
+            indexName: INDEX_NAME,
+            inspect: false,
+            eventId: ID,
+          },
+          strategy: 'timelineSearchStrategy',
+        });
+      expect({ destinationIpCount, hostCount, processCount, sourceIpCount, userCount }).to.eql(
+        EXPECTED_KPI_COUNTS
+      );
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/ess/timeline_migrations.ts

@@ -16,8 +16,8 @@ import {
   BarePinnedEventWithoutExternalRefs,
   TimelineWithoutExternalRefs,
 } from '@kbn/security-solution-plugin/common/api/timeline';
-import { FtrProviderContext } from '../../ftr_provider_context';
-import { getSavedObjectFromES } from './utils';
+import type { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+import { getSavedObjectFromES } from '../../../../utils';
 
 interface TimelineWithoutSavedQueryId {
   [timelineSavedObjectType]: TimelineWithoutExternalRefs;
@@ -31,7 +31,7 @@ interface PinnedEventWithoutTimelineId {
   [pinnedEventSavedObjectType]: BarePinnedEventWithoutExternalRefs;
 }
 
-export default function ({ getService }: FtrProviderContext) {
+export default function ({ getService }: FtrProviderContextWithSpaces) {
   const supertest = getService('supertest');
 
   describe('Timeline migrations', () => {

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/mocks/timeline_details.ts

@@ -4,21 +4,7 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-
-import expect from '@kbn/expect';
-import { sortBy } from 'lodash';
-import {
-  TimelineEventsQueries,
-  TimelineEventsDetailsStrategyResponse,
-  TimelineKpiStrategyResponse,
-} from '@kbn/security-solution-plugin/common/search_strategy';
-
-import { FtrProviderContext } from '../../ftr_provider_context';
-
-// typical values that have to change after an update from "scripts/es_archiver"
-const INDEX_NAME = 'filebeat-7.0.0-iot-2019.06';
-const ID = 'QRhG1WgBqd-n62SwZYDT';
-const EXPECTED_DATA = [
+export const timelineDetailsFilebeatExpectedResults = [
   {
     category: 'base',
     field: '@timestamp',
@@ -649,56 +635,3 @@ const EXPECTED_DATA = [
     isObjectArray: false,
   },
 ];
-const EXPECTED_KPI_COUNTS = {
-  destinationIpCount: 154,
-  hostCount: 1,
-  processCount: 0,
-  sourceIpCount: 121,
-  userCount: 0,
-};
-
-export default function ({ getService }: FtrProviderContext) {
-  const esArchiver = getService('esArchiver');
-  const supertest = getService('supertest');
-  const bsearch = getService('bsearch');
-
-  describe('Timeline Details', () => {
-    before(
-      async () => await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default')
-    );
-    after(
-      async () => await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default')
-    );
-
-    it('Make sure that we get Event Details data', async () => {
-      const { data: detailsData } = await bsearch.send<TimelineEventsDetailsStrategyResponse>({
-        supertest,
-        options: {
-          factoryQueryType: TimelineEventsQueries.details,
-          indexName: INDEX_NAME,
-          inspect: false,
-          eventId: ID,
-        },
-        strategy: 'timelineSearchStrategy',
-      });
-      expect(sortBy(detailsData, 'field')).to.eql(sortBy(EXPECTED_DATA, 'field'));
-    });
-
-    it('Make sure that we get kpi data', async () => {
-      const { destinationIpCount, hostCount, processCount, sourceIpCount, userCount } =
-        await bsearch.send<TimelineKpiStrategyResponse>({
-          supertest,
-          options: {
-            factoryQueryType: TimelineEventsQueries.kpi,
-            indexName: INDEX_NAME,
-            inspect: false,
-            eventId: ID,
-          },
-          strategy: 'timelineSearchStrategy',
-        });
-      expect({ destinationIpCount, hostCount, processCount, sourceIpCount, userCount }).to.eql(
-        EXPECTED_KPI_COUNTS
-      );
-    });
-  });
-}

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/serverless/events.ts

@@ -0,0 +1,112 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { JsonObject } from '@kbn/utility-types';
+
+import {
+  Direction,
+  TimelineEventsQueries,
+  TimelineEventsAllStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { getFieldsToRequest, getFilterValue } from '../../../../utils';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+
+const TO = '3000-01-01T00:00:00.000Z';
+const FROM = '2000-01-01T00:00:00.000Z';
+// typical values that have to change after an update from "scripts/es_archiver"
+const DATA_COUNT = 7;
+const HOST_NAME = 'suricata-sensor-amsterdam';
+const TOTAL_COUNT = 96;
+const EDGE_LENGTH = 25;
+const ACTIVE_PAGE = 0;
+const PAGE_SIZE = 25;
+const LIMITED_PAGE_SIZE = 2;
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+  const getPostBody = (): JsonObject => ({
+    defaultIndex: ['auditbeat-*'],
+    factoryQueryType: TimelineEventsQueries.all,
+    entityType: 'events',
+    fieldRequested: getFieldsToRequest(),
+    fields: [],
+    filterQuery: getFilterValue(HOST_NAME, FROM, TO),
+    pagination: {
+      activePage: 0,
+      querySize: 25,
+    },
+    language: 'kuery',
+    sort: [
+      {
+        field: '@timestamp',
+        direction: Direction.desc,
+        esTypes: ['date'],
+      },
+    ],
+    timerange: {
+      from: FROM,
+      to: TO,
+      interval: '12h',
+    },
+  });
+
+  describe('Timeline', () => {
+    before(async () => {
+      await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+    });
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
+
+    it('returns Timeline data', async () => {
+      const timeline = await secureBsearch.send<TimelineEventsAllStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          ...getPostBody(),
+        },
+        strategy: 'timelineSearchStrategy',
+      });
+
+      expect(timeline.edges.length).to.be(EDGE_LENGTH);
+      expect(timeline.edges[0].node.data.length).to.be(DATA_COUNT);
+      expect(timeline.totalCount).to.be(TOTAL_COUNT);
+      expect(timeline.pageInfo.activePage).to.equal(ACTIVE_PAGE);
+      expect(timeline.pageInfo.querySize).to.equal(PAGE_SIZE);
+    });
+
+    it('returns paginated Timeline query', async () => {
+      const timeline = await secureBsearch.send<TimelineEventsAllStrategyResponse>({
+        supertestWithoutAuth,
+        apiKeyHeader: roleAuthc.apiKeyHeader,
+        internalOrigin: 'Kibana',
+        options: {
+          ...getPostBody(),
+          pagination: {
+            activePage: 0,
+            querySize: LIMITED_PAGE_SIZE,
+          },
+        },
+        strategy: 'timelineSearchStrategy',
+      });
+      expect(timeline.edges.length).to.be(LIMITED_PAGE_SIZE);
+      expect(timeline.edges[0].node.data.length).to.be(DATA_COUNT);
+      expect(timeline.totalCount).to.be(TOTAL_COUNT);
+      expect(timeline.edges[0].node.data.length).to.be(DATA_COUNT);
+      expect(timeline.edges[0]!.node.ecs.host!.name).to.eql([HOST_NAME]);
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/serverless/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('@serverless SecuritySolution Timeline', () => {
+    loadTestFile(require.resolve('./events'));
+    loadTestFile(require.resolve('./timeline_details'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/investigation/timeline/trial_license_complete_tier/serverless/timeline_details.ts

@@ -0,0 +1,86 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { sortBy } from 'lodash';
+import {
+  TimelineEventsQueries,
+  TimelineEventsDetailsStrategyResponse,
+  TimelineKpiStrategyResponse,
+} from '@kbn/security-solution-plugin/common/search_strategy';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../../../../test_serverless/shared/services';
+import { timelineDetailsFilebeatExpectedResults as EXPECTED_DATA } from '../mocks/timeline_details';
+
+// typical values that have to change after an update from "scripts/es_archiver"
+const INDEX_NAME = 'filebeat-7.0.0-iot-2019.06';
+const ID = 'QRhG1WgBqd-n62SwZYDT';
+
+const EXPECTED_KPI_COUNTS = {
+  destinationIpCount: 154,
+  hostCount: 1,
+  processCount: 0,
+  sourceIpCount: 121,
+  userCount: 0,
+};
+
+export default function ({ getService }: FtrProviderContext) {
+  const esArchiver = getService('esArchiver');
+  const secureBsearch = getService('secureBsearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const svlUserManager = getService('svlUserManager');
+  let roleAuthc: RoleCredentials;
+
+  describe('Timeline Details', () => {
+    before(async () => {
+      await esArchiver.load('x-pack/test/functional/es_archives/filebeat/default');
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+    });
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/default');
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
+
+    it('Make sure that we get Event Details data', async () => {
+      const { data: detailsData } = await secureBsearch.send<TimelineEventsDetailsStrategyResponse>(
+        {
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: TimelineEventsQueries.details,
+            indexName: INDEX_NAME,
+            inspect: false,
+            eventId: ID,
+          },
+          strategy: 'timelineSearchStrategy',
+        }
+      );
+      expect(sortBy(detailsData, 'field')).to.eql(sortBy(EXPECTED_DATA, 'field'));
+    });
+
+    it('Make sure that we get kpi data', async () => {
+      const { destinationIpCount, hostCount, processCount, sourceIpCount, userCount } =
+        await secureBsearch.send<TimelineKpiStrategyResponse>({
+          supertestWithoutAuth,
+          apiKeyHeader: roleAuthc.apiKeyHeader,
+          internalOrigin: 'Kibana',
+          options: {
+            factoryQueryType: TimelineEventsQueries.kpi,
+            indexName: INDEX_NAME,
+            inspect: false,
+            eventId: ID,
+          },
+          strategy: 'timelineSearchStrategy',
+        });
+      expect({ destinationIpCount, hostCount, processCount, sourceIpCount, userCount }).to.eql(
+        EXPECTED_KPI_COUNTS
+      );
+    });
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts

@@ -9,7 +9,7 @@ import expect from '@kbn/expect';
 
 import { LIST_PRIVILEGES_URL } from '@kbn/securitysolution-list-constants';
 import { getReadPrivilegeMock } from '@kbn/lists-plugin/server/routes/list_privileges/read_list_privileges_route.mock';
-import { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
+import type { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 
 export default ({ getService }: FtrProviderContextWithSpaces) => {
   const supertest = getService('supertest');

x-pack/test/security_solution_api_integration/test_suites/sources/indices/trial_license_complete_tier/configs/ess.config.ts

@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.trial')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    kbnTestServer: {
+      ...functionalConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...functionalConfig.get('kbnTestServer.serverArgs'),
+        `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+      ],
+    },
+    testFiles: [require.resolve('..')],
+    junit: {
+      reportName: 'Sources Integration Tests - ESS Env - Basic License',
+    },
+  };
+}

x-pack/test/security_solution_api_integration/test_suites/sources/indices/trial_license_complete_tier/configs/serverless.config.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  kbnTestServerArgs: [
+    `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
+    `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+      { product_line: 'security', product_tier: 'complete' },
+      { product_line: 'endpoint', product_tier: 'complete' },
+      { product_line: 'cloud', product_tier: 'complete' },
+    ])}`,
+  ],
+  testFiles: [require.resolve('..')],
+  junit: {
+    reportName: 'Sources Integration Tests - Serverless Env - Complete Tier',
+  },
+});

x-pack/test/security_solution_api_integration/test_suites/sources/indices/trial_license_complete_tier/index.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { FtrProviderContext } from '../../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('@ess SecuritySolution Sources', () => {
+    loadTestFile(require.resolve('./sources'));
+  });
+}

x-pack/test/security_solution_api_integration/test_suites/sources/indices/trial_license_complete_tier/sources.ts

@@ -8,7 +8,7 @@
 import expect from '@kbn/expect';
 
 import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
-import { FtrProviderContext } from '../../ftr_provider_context';
+import { FtrProviderContext } from '../../../../../api_integration/ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');

x-pack/test/security_solution_api_integration/tsconfig.json

@@ -43,5 +43,6 @@
     "@kbn/ftr-common-functional-services",
     "@kbn/actions-plugin",
     "@kbn/task-manager-plugin",
+    "@kbn/utility-types",
   ]
 }

x-pack/test_serverless/shared/services/bsearch_secure.ts

@@ -0,0 +1,133 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+// NOTE: This is pretty much a copy/paste from test/common/services/bsearch.ts but with the ability
+// to provide custom auth
+
+import expect from '@kbn/expect';
+import { GenericFtrService } from '@kbn/test';
+import request from 'superagent';
+import type SuperTest from 'supertest';
+import type { IEsSearchResponse } from '@kbn/search-types';
+import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import { BFETCH_ROUTE_VERSION_LATEST } from '@kbn/bfetch-plugin/common';
+import { FtrProviderContext } from '../../functional/ftr_provider_context';
+
+const parseBfetchResponse = (resp: request.Response): Array<Record<string, any>> => {
+  return resp.text
+    .trim()
+    .split('\n')
+    .map((item) => JSON.parse(item));
+};
+
+interface SendOptions {
+  supertestWithoutAuth: SuperTest.SuperTest<SuperTest.Test>;
+  apiKeyHeader: { Authorization: string };
+  referer?: string;
+  kibanaVersion?: string;
+  options: object;
+  strategy: string;
+  space?: string;
+  internalOrigin: string;
+}
+
+export class BsearchSecureService extends GenericFtrService<FtrProviderContext> {
+  private readonly retry = this.ctx.getService('retry');
+
+  async send<T extends IEsSearchResponse>({
+    supertestWithoutAuth,
+    apiKeyHeader,
+    referer,
+    kibanaVersion,
+    internalOrigin,
+    options,
+    strategy,
+    space,
+  }: SendOptions) {
+    const { body } = await this.retry.try(async () => {
+      let result;
+      const url = `/internal/search/${strategy}`;
+      if (referer && kibanaVersion) {
+        result = await supertestWithoutAuth
+          .post(url)
+          .set(apiKeyHeader)
+          .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+          .set('referer', referer)
+          .set('kbn-version', kibanaVersion)
+          .set('kbn-xsrf', 'true')
+          .send(options);
+      } else if (referer) {
+        result = await supertestWithoutAuth
+          .post(url)
+          .set(apiKeyHeader)
+          .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+          .set('referer', referer)
+          .set('kbn-xsrf', 'true')
+          .send(options);
+      } else if (kibanaVersion) {
+        result = await supertestWithoutAuth
+          .post(url)
+          .set(apiKeyHeader)
+          .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+          .set('kbn-version', kibanaVersion)
+          .set('kbn-xsrf', 'true')
+          .send(options);
+      } else if (internalOrigin) {
+        result = await supertestWithoutAuth
+          .post(url)
+          .set(apiKeyHeader)
+          .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+          .set('x-elastic-internal-origin', internalOrigin)
+          .set('kbn-xsrf', 'true')
+          .send(options);
+      } else {
+        result = await supertestWithoutAuth
+          .post(url)
+          .set(apiKeyHeader)
+          .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+          .set('kbn-xsrf', 'true')
+          .send(options);
+      }
+      if ((result.status === 500 || result.status === 200) && result.body) {
+        return result;
+      }
+      throw new Error('try again');
+    });
+
+    if (!body.isRunning) {
+      return body as T;
+    }
+
+    const result = await this.retry.try(async () => {
+      const resp = await supertestWithoutAuth
+        .post(`/internal/bsearch`)
+        .set(apiKeyHeader)
+        .set('kbn-xsrf', 'true')
+        .set('x-elastic-internal-origin', 'Kibana')
+        .set(ELASTIC_HTTP_VERSION_HEADER, BFETCH_ROUTE_VERSION_LATEST)
+        .send({
+          batch: [
+            {
+              request: {
+                id: body.id,
+                ...options,
+              },
+              options: {
+                strategy,
+              },
+            },
+          ],
+        })
+        .expect(200);
+      const [parsedResponse] = parseBfetchResponse(resp);
+      expect(parsedResponse.result.isRunning).equal(false);
+      return parsedResponse.result;
+    });
+
+    return result as T;
+  }
+}

x-pack/test_serverless/tsconfig.json

@@ -98,6 +98,7 @@
     "@kbn/es-query",
     "@kbn/utility-types",
     "@kbn/synthetics-plugin",
-    "@kbn/dataset-quality-plugin"
+    "@kbn/dataset-quality-plugin",
+    "@kbn/search-types"
   ]
 }