[Security Solution][Endpoint] Search responses without a specific namespace to show pending actions (#123741)

* search responses without a specific namespace to show pending actions

fixes elastic/kibana/issues/123707

* search over all endpoint response indices irrespective of namespace suffix

fixes elastic/kibana/issues/123707

* match namespace suffixes for endpoint action and response indices

fixes elastic/kibana/issues/123707

x-pack/plugins/security_solution/common/endpoint/constants.ts

@@ -11,6 +11,8 @@ export const ENDPOINT_ACTIONS_DS = '.logs-endpoint.actions';
 export const ENDPOINT_ACTIONS_INDEX = `${ENDPOINT_ACTIONS_DS}-default`;
 export const ENDPOINT_ACTION_RESPONSES_DS = '.logs-endpoint.action.responses';
 export const ENDPOINT_ACTION_RESPONSES_INDEX = `${ENDPOINT_ACTION_RESPONSES_DS}-default`;
+// search in all namespaces and not only in default
+export const ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN = `${ENDPOINT_ACTION_RESPONSES_DS}-*`;
 
 export const eventsIndexPattern = 'logs-endpoint.events.*';
 export const alertsIndexPattern = 'logs-endpoint.alerts-*';

x-pack/plugins/security_solution/server/endpoint/services/actions.ts

@@ -9,7 +9,7 @@ import { ElasticsearchClient, Logger } from 'kibana/server';
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { TransportResult } from '@elastic/elasticsearch';
 import { AGENT_ACTIONS_INDEX, AGENT_ACTIONS_RESULTS_INDEX } from '../../../../fleet/common';
-import { ENDPOINT_ACTION_RESPONSES_INDEX } from '../../../common/endpoint/constants';
+import { ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN } from '../../../common/endpoint/constants';
 import { SecuritySolutionRequestHandlerContext } from '../../types';
 import {
   ActivityLog,
@@ -293,7 +293,7 @@ const hasEndpointResponseDoc = async ({
   const response = await esClient
     .search<LogsEndpointActionResponse>(
       {
-        index: ENDPOINT_ACTION_RESPONSES_INDEX,
+        index: ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
         size: 10000,
         body: {
           query: {

x-pack/plugins/security_solution/server/endpoint/utils/audit_log_helpers.ts

@@ -12,7 +12,7 @@ import { TransportResult } from '@elastic/elasticsearch';
 import { AGENT_ACTIONS_INDEX, AGENT_ACTIONS_RESULTS_INDEX } from '../../../../fleet/common';
 import {
   ENDPOINT_ACTIONS_INDEX,
-  ENDPOINT_ACTION_RESPONSES_INDEX,
+  ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
   failedFleetActionErrorCode,
 } from '../../../common/endpoint/constants';
 import { SecuritySolutionRequestHandlerContext } from '../../types';
@@ -32,10 +32,12 @@ import {
 import { doesLogsEndpointActionsIndexExist } from '../utils';
 
 const actionsIndices = [AGENT_ACTIONS_INDEX, ENDPOINT_ACTIONS_INDEX];
-const responseIndices = [AGENT_ACTIONS_RESULTS_INDEX, ENDPOINT_ACTION_RESPONSES_INDEX];
+// search all responses indices irrelevant of namespace
+const responseIndices = [AGENT_ACTIONS_RESULTS_INDEX, ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN];
 export const logsEndpointActionsRegex = new RegExp(`(^\.ds-\.logs-endpoint\.actions-default-).+`);
+// matches index names like .ds-.logs-endpoint.action.responses-name_space---suffix-2022.01.25-000001
 export const logsEndpointResponsesRegex = new RegExp(
-  `(^\.ds-\.logs-endpoint\.action\.responses-default-).+`
+  `(^\.ds-\.logs-endpoint\.action\.responses-\\w+-).+`
 );
 const queryOptions = {
   headers: {
@@ -231,7 +233,7 @@ export const getActionResponsesResult = async ({
   const hasLogsEndpointActionResponsesIndex = await doesLogsEndpointActionsIndexExist({
     context,
     logger,
-    indexName: ENDPOINT_ACTION_RESPONSES_INDEX,
+    indexName: ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
   });
 
   const responsesSearchQuery: SearchRequest = {