[EDR Workflows] Workflow Insights - insights generating script (elastic#213094)

This PR introduces a new script for loading parameterized workflow
insights into a data stream. It enables UI/UX testing without requiring
an agent installation or generating insights manually.

Arguments

```
--endpointId       Required. The endpoint ID to use for generating workflow insights.
--elasticsearch    Optional. The URL to Elasticsearch. Default: http://localhost:9200
--username         Optional. The username to use for authentication. Default: elastic
--password         Optional. The password to use for authentication. Default: changeme
--count            Optional. The number of workflow insights to generate. Default: 5
--os               Optional. The OS to use for generating workflow insights. Default: linux
--antivirus        Optional. The antivirus to use for generating workflow insights. Default: ClamAV
--path             Optional. The executable path of the AV to use for generating workflow insights. Default: /usr/bin/clamscan
```
Example usage:

* Load 5 workflow insights, using the default values - Linux, ClamAV,
/usr/bin/clamscan on the endpoint with ID
8ee2a3a4-ca2b-4884-ae20-8b17d31837b6
 
`node ./load_workflow_insights.js --endpointId
8ee2a3a4-ca2b-4884-ae20-8b17d31837b6`
 
* Load 10 workflow insights for Malwarebytes with path of C:\\Program
Files\\Malwarebytes\\Anti-Malware\\mbam.exe on Windows endpoint with ID
8ee2a3a4-ca2b-4884-ae20-8b17d31837b6
        
`node ./load_workflow_insights.js --endpointId
8ee2a3a4-ca2b-4884-ae20-8b17d31837b6 --count 10 --os windows --antivirus
Malwarebytes --path 'C:\\Program
Files\\Malwarebytes\\Anti-Malware\\mbam.exe'`

Author: szwarckonrad

x-pack/solutions/security/plugins/security_solution/common/endpoint/data_loaders/index_workflow_insights.ts

@@ -0,0 +1,199 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import moment from 'moment';
+
+import type { ToolingLog } from '@kbn/tooling-log';
+import type { Client, estypes } from '@elastic/elasticsearch';
+import {
+  ActionType,
+  Category,
+  type SecurityWorkflowInsight,
+  SourceType,
+  TargetType,
+} from '../types/workflow_insights';
+
+export interface IndexedWorkflowInsights {
+  data: estypes.BulkResponse;
+  cleanup: () => Promise<DeletedWorkflowInsights>;
+}
+
+export interface DeletedWorkflowInsights {
+  data: estypes.BulkResponse;
+}
+
+export const indexWorkflowInsights = async ({
+  esClient,
+  log,
+  endpointId,
+  os,
+  count,
+  antivirus,
+  path,
+}: {
+  esClient: Client;
+  log: ToolingLog;
+  endpointId: string;
+  os: 'windows' | 'macos' | 'linux';
+  count: number;
+  antivirus: string;
+  path: string;
+}): Promise<IndexedWorkflowInsights> => {
+  log.debug(`Indexing ${count} workflow insights`);
+
+  const operations = Array.from({ length: count }).flatMap((_, i) => {
+    return [
+      {
+        index: {
+          _index: '.edr-workflow-insights-default',
+          op_type: 'create',
+        },
+      },
+      generateWorkflowInsightsDoc({ endpointId, os, runNumber: i, antivirus, path }),
+    ];
+  });
+
+  const response = await esClient.bulk({
+    refresh: 'wait_for',
+    operations,
+  });
+
+  if (response.errors) {
+    log.error(
+      `There was an error indexing workflow insights ${JSON.stringify(response.items, null, 2)}`
+    );
+  } else {
+    log.debug(`Indexed ${count} workflow insights successfully`);
+  }
+
+  return {
+    data: response,
+    cleanup: deleteIndexedWorkflowInsights.bind(null, esClient, response, log),
+  };
+};
+
+const deleteIndexedWorkflowInsights = async (
+  esClient: Client,
+  indexedWorkflowInsights: IndexedWorkflowInsights['data'],
+  log: ToolingLog
+): Promise<DeletedWorkflowInsights> => {
+  log.debug(`Deleting ${indexedWorkflowInsights.items.length} indexed workflow insights`);
+  let response: estypes.BulkResponse = {
+    took: 0,
+    errors: false,
+    items: [],
+  };
+
+  if (indexedWorkflowInsights.items.length) {
+    const idsToDelete = indexedWorkflowInsights.items
+      .filter((item) => item.create)
+      .map((item) => ({
+        delete: {
+          _index: item.create?._index,
+          _id: item.create?._id,
+        },
+      }));
+
+    if (idsToDelete.length) {
+      response = await esClient.bulk({
+        operations: idsToDelete,
+      });
+      log.debug('Indexed workflow insights deleted successfully');
+    }
+  }
+
+  return {
+    data: response,
+  };
+};
+
+const generateWorkflowInsightsDoc = ({
+  endpointId,
+  os,
+  runNumber,
+  antivirus,
+  path,
+}: {
+  endpointId: string;
+  os: 'linux' | 'windows' | 'macos';
+  runNumber: number;
+  antivirus: string;
+  path: string;
+}): SecurityWorkflowInsight => {
+  const currentTime = moment();
+  const signatureField =
+    os === 'linux'
+      ? undefined
+      : os === 'windows'
+      ? 'process.Ext.code_signature'
+      : 'process.code_signature';
+
+  const signatureValue = os === 'linux' ? undefined : 'Elastic';
+  return {
+    remediation: {
+      exception_list_items: [
+        {
+          entries: [
+            {
+              field: 'process.executable.caseless',
+              type: 'match',
+              value:
+                os !== 'windows'
+                  ? `/${runNumber}${path}`
+                  : (() => {
+                      const parts = path.split('\\'); // Split by Windows path separator
+                      const lastPart = parts.pop(); // Get the last part (executable)
+                      return `${parts.join('\\')}\\${runNumber}\\${lastPart}`; // Reconstruct the path
+                    })(),
+              operator: 'included',
+            },
+            ...(signatureField && signatureValue
+              ? [
+                  {
+                    field: signatureField,
+                    operator: 'included' as const,
+                    type: 'match' as const,
+                    value: signatureValue,
+                  },
+                ]
+              : []),
+          ],
+          list_id: 'endpoint_trusted_apps',
+          name: `${antivirus}`,
+          os_types: [os],
+          description: 'Suggested by Security Workflow Insights',
+          tags: ['policy:all'],
+        },
+      ],
+    },
+    metadata: {
+      notes: {
+        llm_model: '',
+      },
+      display_name: `${antivirus}`,
+    },
+    '@timestamp': currentTime,
+    action: {
+      type: ActionType.Refreshed,
+      timestamp: currentTime,
+    },
+    source: {
+      data_range_end: currentTime.clone().add(24, 'hours'),
+      id: '7184ab52-c318-4c91-b765-805f889e34e2',
+      type: SourceType.LlmConnector,
+      data_range_start: currentTime,
+    },
+    message: 'Incompatible antiviruses detected',
+    category: Category.Endpoint,
+    type: 'incompatible_antivirus',
+    value: `${antivirus} ${path}${signatureValue ? ` ${signatureValue}` : ''}`,
+    target: {
+      ids: [endpointId],
+      type: TargetType.Endpoint,
+    },
+  };
+};

x-pack/solutions/security/plugins/security_solution/scripts/endpoint/load_workflow_insights.js

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+require('../../../../../../../src/setup_node_env');
+require('./workflow_isnights').cli();

x-pack/solutions/security/plugins/security_solution/scripts/endpoint/workflow_isnights/index.ts

@@ -0,0 +1,94 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { RunFn } from '@kbn/dev-cli-runner';
+import { run } from '@kbn/dev-cli-runner';
+import { createFailError } from '@kbn/dev-cli-errors';
+import { ok } from 'assert';
+import { indexWorkflowInsights } from '../../../common/endpoint/data_loaders/index_workflow_insights';
+import { createEsClient } from '../common/stack_services';
+
+export const cli = () => {
+  run(
+    async (options) => {
+      try {
+        const totalCount = options.flags.count;
+        options.log.success(`Loading ${totalCount} workflow insights`);
+
+        const startTime = new Date().getTime();
+        await workflowInsightsLoader(options);
+        const endTime = new Date().getTime();
+
+        options.log.success(`${totalCount} workflow insights loaded`);
+        options.log.info(`Loading ${totalCount} workflow insights took ${endTime - startTime}ms`);
+      } catch (e) {
+        options.log.error(e);
+        throw createFailError(e.message);
+      }
+    },
+    {
+      description: 'Workflow Insights ES Loader',
+      flags: {
+        string: [
+          'elasticsearch',
+          'username',
+          'password',
+          'endpointId',
+          'count',
+          'os',
+          'antivirus',
+          'path',
+        ],
+        default: {
+          elasticsearch: 'http://localhost:9200',
+          username: 'elastic',
+          password: 'changeme',
+          count: 5,
+          os: 'linux',
+          antivirus: 'ClamAV',
+          path: '/usr/bin/clamscan',
+        },
+        help: `
+        --endpointId       Required. The endpoint ID to use for generating workflow insights.
+        --elasticsearch    Optional. The URL to Elasticsearch. Default: http://localhost:9200
+        --username         Optional. The username to use for authentication. Default: elastic
+        --password         Optional. The password to use for authentication. Default: changeme
+        --count            Optional. The number of workflow insights to generate. Default: 5
+        --os               Optional. The OS to use for generating workflow insights. Default: linux
+        --antivirus        Optional. The antivirus to use for generating workflow insights. Default: ClamAV
+        --path             Optional. The executable path of the AV to use for generating workflow insights. Default: /usr/bin/clamscan
+        `,
+        examples: `
+        Load 5 workflow insights, using the default values - Linux, ClamAV, /usr/bin/clamscan on the endpoint with ID 8ee2a3a4-ca2b-4884-ae20-8b17d31837b6
+        node ./load_workflow_insights.js --endpointId 8ee2a3a4-ca2b-4884-ae20-8b17d31837b6
+        Load 10 workflow insights for Malwarebytes with path of C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbam.exe on Windows endpoint with ID 8ee2a3a4-ca2b-4884-ae20-8b17d31837b6
+        node ./load_workflow_insights.js --endpointId 8ee2a3a4-ca2b-4884-ae20-8b17d31837b6 --count 10 --os windows --antivirus Malwarebytes --path 'C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbam.exe'
+        `,
+      },
+    }
+  );
+};
+
+const workflowInsightsLoader: RunFn = async ({ flags, log }) => {
+  const url = flags.elasticsearch as string;
+  const username = flags.username as string;
+  const password = flags.password as string;
+  const endpointId = flags.endpointId as string;
+  const os = flags.os as 'linux' | 'windows' | 'macos';
+  const antivirus = flags.antivirus as string;
+  const path = flags.path as string;
+  const count = Number(flags.count);
+
+  const getRequiredArgMessage = (argName: string) => `${argName} argument is required`;
+
+  ok(endpointId, getRequiredArgMessage('endpointId'));
+  if (os) ok(['linux', 'windows', 'macos'].includes(os), getRequiredArgMessage('os'));
+
+  const esClient = createEsClient({ url, username, password });
+
+  await indexWorkflowInsights({ esClient, log, endpointId, os, count, antivirus, path });
+};