[8.19] [EDR Workflows] Show error when fetching scripts fails (#226532) (#229252)

Author: kibanamachine

x-pack/platform/plugins/shared/stack_connectors/common/microsoft_defender_endpoint/types.ts

@@ -151,8 +151,8 @@ export interface MicrosoftDefenderEndpointMachineAction {
   externalID?: string;
   /** The name of the user/application that submitted the action. */
   requestSource: string;
-  /** Commands to run. Allowed values are PutFile, RunScript, GetFile. */
-  commands: Array<'PutFile' | 'RunScript' | 'GetFile'>;
+  /** Array of command execution details for this action. */
+  commands: MicrosoftDefenderCommandEntry[];
   /** Identity of the person that canceled the action. */
   cancellationRequestor: string;
   /** Comment that was written when issuing the action. */
@@ -198,3 +198,24 @@ export interface MicrosoftDefenderEndpointApiTokenResponse {
 }
 
 export type MicrosoftDefenderGetLibraryFilesResponse = TypeOf<typeof GetLibraryFilesResponse>;
+
+/**
+ * Represents a single command execution entry as returned by Microsoft Defender API.
+ */
+export interface MicrosoftDefenderCommandEntry {
+  /** The index of the command in the sequence. */
+  index: number;
+  /** The UTC start time (ISO string) of the command execution. */
+  startTime: string;
+  /** The UTC end time (ISO string) of the command execution. */
+  endTime: string;
+  /** Status of the command execution. */
+  commandStatus: string;
+  /** Array of error messages (if any) for the command execution. */
+  errors: string[];
+  /** The command details (type and params). */
+  command: {
+    type: 'PutFile' | 'RunScript' | 'GetFile';
+    params: Array<{ key: string; value: string }>;
+  };
+}

x-pack/platform/plugins/shared/stack_connectors/server/connector_types/microsoft_defender_endpoint/microsoft_defender_endpoint.test.ts

@@ -131,7 +131,22 @@ describe('Microsoft Defender for Endpoint Connector', () => {
             cancellationComment: '',
             cancellationDateTimeUtc: '',
             cancellationRequestor: '',
-            commands: ['RunScript'],
+            commands: [
+              {
+                index: 0,
+                startTime: '2025-07-07T18:50:10.186354Z',
+                endTime: '2025-07-07T18:50:21.811356Z',
+                commandStatus: 'Completed',
+                errors: [],
+                command: {
+                  type: 'RunScript',
+                  params: [
+                    { key: 'ScriptName', value: 'hello.sh' },
+                    { key: 'Args', value: '--noargs' },
+                  ],
+                },
+              },
+            ],
             computerDnsName: 'desktop-test',
             creationDateTimeUtc: '2019-01-02T14:39:38.2262283Z',
             externalID: 'abc',

x-pack/platform/plugins/shared/stack_connectors/server/connector_types/microsoft_defender_endpoint/mocks.ts

@@ -237,7 +237,22 @@ const createMicrosoftMachineAction = (
     creationDateTimeUtc: '2019-01-02T14:39:38.2262283Z',
     lastUpdateDateTimeUtc: '2019-01-02T14:40:44.6596267Z',
     externalID: 'abc',
-    commands: ['RunScript'],
+    commands: [
+      {
+        index: 0,
+        startTime: '2025-07-07T18:50:10.186354Z',
+        endTime: '2025-07-07T18:50:21.811356Z',
+        commandStatus: 'Completed',
+        errors: [],
+        command: {
+          type: 'RunScript',
+          params: [
+            { key: 'ScriptName', value: 'hello.sh' },
+            { key: 'Args', value: '--noargs' },
+          ],
+        },
+      },
+    ],
     cancellationRequestor: '',
     cancellationComment: '',
     cancellationDateTimeUtc: '',

x-pack/solutions/security/plugins/security_solution/public/management/components/console_argument_selectors/custom_script_selector.test.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/management/components/console_argument_selectors/custom_scripts_selector/custom_script_selector.test.tsx

@@ -7,14 +7,20 @@
 
 import React from 'react';
 import { render, screen, fireEvent, waitFor, act } from '@testing-library/react';
-import { CustomScriptSelector } from './custom_script_selector';
-import { useGetCustomScripts } from '../../hooks/custom_scripts/use_get_custom_scripts';
-import { useConsoleStateDispatch } from '../console/hooks/state_selectors/use_console_state_dispatch';
-import type { CommandArgumentValueSelectorProps } from '../console/types';
-import type { CustomScript } from '../../../../server/endpoint/services';
+import type { KibanaReactContextValue } from '@kbn/kibana-react-plugin/public';
 
-jest.mock('../../hooks/custom_scripts/use_get_custom_scripts');
-jest.mock('../console/hooks/state_selectors/use_console_state_dispatch');
+import { CustomScriptSelector } from './custom_script_selector';
+import { useGetCustomScripts } from '../../../hooks/custom_scripts/use_get_custom_scripts';
+import { useConsoleStateDispatch } from '../../console/hooks/state_selectors/use_console_state_dispatch';
+import { useCustomScriptsErrorToast } from './use_custom_scripts_error_toast';
+import { useKibana } from '../../../../common/lib/kibana';
+import type { CommandArgumentValueSelectorProps } from '../../console/types';
+import type { CustomScript } from '../../../../../server/endpoint/services';
+
+jest.mock('../../../hooks/custom_scripts/use_get_custom_scripts');
+jest.mock('../../console/hooks/state_selectors/use_console_state_dispatch');
+jest.mock('./use_custom_scripts_error_toast');
+jest.mock('../../../../common/lib/kibana');
 
 // Mock setTimeout to execute immediately in tests
 jest.useFakeTimers();
@@ -26,6 +32,10 @@ describe('CustomScriptSelector', () => {
   const mockUseConsoleStateDispatch = useConsoleStateDispatch as jest.MockedFunction<
     typeof useConsoleStateDispatch
   >;
+  const mockUseCustomScriptsErrorToast = useCustomScriptsErrorToast as jest.MockedFunction<
+    typeof useCustomScriptsErrorToast
+  >;
+  const mockUseKibana = useKibana as jest.MockedFunction<typeof useKibana>;
   const mockOnChange = jest.fn();
   const mockDispatch = jest.fn();
   const mockScripts: CustomScript[] = [
@@ -53,6 +63,23 @@ describe('CustomScriptSelector', () => {
 
     // Mock the dispatch function
     mockUseConsoleStateDispatch.mockReturnValue(mockDispatch);
+
+    // Mock the error toast hook
+    mockUseCustomScriptsErrorToast.mockImplementation(() => {});
+
+    // Mock useKibana
+    mockUseKibana.mockReturnValue({
+      services: {
+        notifications: {
+          toasts: {
+            add: jest.fn(),
+            addSuccess: jest.fn(),
+            addWarning: jest.fn(),
+            addDanger: jest.fn(),
+          },
+        },
+      },
+    } as unknown as KibanaReactContextValue<never>);
   });
 
   afterEach(() => {

x-pack/solutions/security/plugins/security_solution/public/management/components/console_argument_selectors/custom_script_selector.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/management/components/console_argument_selectors/custom_scripts_selector/custom_script_selector.tsx

@@ -18,12 +18,15 @@ import {
 import { css } from '@emotion/react';
 
 import { i18n } from '@kbn/i18n';
+import { FormattedMessage } from '@kbn/i18n-react';
 import type { EuiSelectableOption } from '@elastic/eui/src/components/selectable/selectable_option';
-import type { CustomScript } from '../../../../server/endpoint/services';
-import { useConsoleStateDispatch } from '../console/hooks/state_selectors/use_console_state_dispatch';
-import type { ResponseActionAgentType } from '../../../../common/endpoint/service/response_actions/constants';
-import { useGetCustomScripts } from '../../hooks/custom_scripts/use_get_custom_scripts';
-import type { CommandArgumentValueSelectorProps } from '../console/types';
+import type { CustomScript } from '../../../../../server/endpoint/services';
+import { useConsoleStateDispatch } from '../../console/hooks/state_selectors/use_console_state_dispatch';
+import type { ResponseActionAgentType } from '../../../../../common/endpoint/service/response_actions/constants';
+import { useGetCustomScripts } from '../../../hooks/custom_scripts/use_get_custom_scripts';
+import { useKibana } from '../../../../common/lib/kibana';
+import type { CommandArgumentValueSelectorProps } from '../../console/types';
+import { useCustomScriptsErrorToast } from './use_custom_scripts_error_toast';
 
 // Css to have a tooltip in place with a one line truncated description
 const truncationStyle = css({
@@ -60,6 +63,10 @@ export const CustomScriptSelector = (agentType: ResponseActionAgentType) => {
     CommandArgumentValueSelectorProps<string, CustomScriptSelectorState>
   >(({ value, valueText, onChange, store: _store }) => {
     const dispatch = useConsoleStateDispatch();
+    const {
+      services: { notifications },
+    } = useKibana();
+
     const state = useMemo<CustomScriptSelectorState>(() => {
       return _store ?? { isPopoverOpen: true };
     }, [_store]);
@@ -77,7 +84,12 @@ export const CustomScriptSelector = (agentType: ResponseActionAgentType) => {
       [onChange, state, value, valueText]
     );
 
-    const { data = [], isLoading: isLoadingScripts } = useGetCustomScripts(agentType);
+    const {
+      data = [],
+      isLoading: isLoadingScripts,
+      error: scriptsError,
+    } = useGetCustomScripts(agentType);
+
     const scriptsOptions: SelectableOption[] = useMemo(() => {
       return data.map((script: CustomScript) => {
         const isChecked = script.name === value;
@@ -160,7 +172,11 @@ export const CustomScriptSelector = (agentType: ResponseActionAgentType) => {
       [onChange, state]
     );
 
-    if (isAwaitingRenderDelay || isLoadingScripts) {
+    // notifications comes from useKibana() and is of type NotificationsStart
+    // which is compatible with our updated useCustomScriptsErrorToast function
+    useCustomScriptsErrorToast(scriptsError, notifications);
+
+    if (isAwaitingRenderDelay || (isLoadingScripts && !scriptsError)) {
       return <EuiLoadingSpinner />;
     }
 
@@ -206,6 +222,14 @@ export const CustomScriptSelector = (agentType: ResponseActionAgentType) => {
               showIcons: true,
               textWrap: 'truncate',
             }}
+            errorMessage={
+              scriptsError ? (
+                <FormattedMessage
+                  id="xpack.securitySolution.endpoint.customScriptSelector.errorLoading"
+                  defaultMessage="Error loading scripts"
+                />
+              ) : undefined
+            }
           >
             {(list, search) => (
               <>

x-pack/solutions/security/plugins/security_solution/public/management/components/console_argument_selectors/custom_scripts_selector/use_custom_scripts_error_toast.test.tsx

@@ -0,0 +1,115 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { renderHook } from '@testing-library/react';
+import type { NotificationsStart } from '@kbn/core-notifications-browser';
+import type { IHttpFetchError } from '@kbn/core/public';
+import type { ActionTypeExecutorResult } from '@kbn/actions-plugin/common';
+import { useCustomScriptsErrorToast } from './use_custom_scripts_error_toast';
+import type { CustomScriptsErrorType } from '../../../hooks/custom_scripts/use_get_custom_scripts';
+
+describe('useCustomScriptsErrorToast', () => {
+  const mockToastDanger = jest.fn();
+  const mockNotifications = {
+    toasts: {
+      addDanger: mockToastDanger,
+      addSuccess: jest.fn(),
+      addWarning: jest.fn(),
+      add: jest.fn(),
+    },
+  } as unknown as NotificationsStart;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  test('does not show toast when no error is provided', () => {
+    renderHook(() => useCustomScriptsErrorToast(null, mockNotifications));
+
+    expect(mockToastDanger).not.toHaveBeenCalled();
+  });
+
+  test('shows toast with full error message from err.body.message', () => {
+    const mockError: IHttpFetchError<CustomScriptsErrorType> = {
+      name: 'HttpFetchError',
+      message: 'HTTP Error',
+      body: {
+        statusCode: 403,
+        message: 'Response body: {"error":{"code":"Forbidden","message":"Access denied"}}',
+        meta: {} as ActionTypeExecutorResult<unknown>,
+      },
+      request: {} as unknown as Request,
+      response: {} as unknown as Response,
+    };
+
+    renderHook(() => useCustomScriptsErrorToast(mockError, mockNotifications));
+
+    expect(mockToastDanger).toHaveBeenCalledWith({
+      title: 'Error: 403',
+      text: expect.any(String),
+    });
+  });
+
+  test('shows toast with status code when no parsed error is available', () => {
+    const mockError: IHttpFetchError<CustomScriptsErrorType> = {
+      name: 'HttpFetchError',
+      message: 'HTTP Error',
+      body: {
+        statusCode: 500,
+        message: 'Internal server error',
+        meta: {} as ActionTypeExecutorResult<unknown>,
+      },
+      request: {} as unknown as Request,
+      response: {} as unknown as Response,
+    };
+
+    renderHook(() => useCustomScriptsErrorToast(mockError, mockNotifications));
+
+    expect(mockToastDanger).toHaveBeenCalledWith({
+      title: 'Error: 500',
+      text: expect.any(String),
+    });
+  });
+
+  test('shows toast with error message when no body is available', () => {
+    const mockError: IHttpFetchError<CustomScriptsErrorType> = {
+      name: 'HttpFetchError',
+      message: 'Network error',
+      body: undefined,
+      request: {} as unknown as Request,
+      response: {} as unknown as Response,
+    };
+
+    renderHook(() => useCustomScriptsErrorToast(mockError, mockNotifications));
+
+    expect(mockToastDanger).toHaveBeenCalledWith({
+      title: 'Error: Error',
+      text: expect.any(String),
+    });
+  });
+
+  test('only shows toast once per error instance', () => {
+    const mockError: IHttpFetchError<CustomScriptsErrorType> = {
+      name: 'HttpFetchError',
+      message: 'HTTP Error',
+      body: {
+        statusCode: 403,
+        message: 'Access denied',
+        meta: {} as ActionTypeExecutorResult<unknown>,
+      },
+      request: {} as unknown as Request,
+      response: {} as unknown as Response,
+    };
+
+    const { rerender } = renderHook(() => useCustomScriptsErrorToast(mockError, mockNotifications));
+
+    // Rerender with the same error - should not show toast again
+    rerender();
+
+    expect(mockToastDanger).toHaveBeenCalledTimes(1);
+  });
+});

x-pack/solutions/security/plugins/security_solution/public/management/components/console_argument_selectors/custom_scripts_selector/use_custom_scripts_error_toast.tsx

@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect } from 'react';
+import type { IHttpFetchError } from '@kbn/core/public';
+import type { NotificationsStart } from '@kbn/core-notifications-browser';
+import type { CustomScriptsErrorType } from '../../../hooks/custom_scripts/use_get_custom_scripts';
+
+/**
+ * Shows a danger toast with details if scriptsError is present.
+ * @param scriptsError Error object from custom scripts fetch
+ * @param notifications Kibana notifications service
+ */
+export const useCustomScriptsErrorToast = (
+  scriptsError: IHttpFetchError<CustomScriptsErrorType> | null,
+  notifications: NotificationsStart
+) => {
+  useEffect(() => {
+    if (scriptsError) {
+      let code = 'Error';
+      let message: string | undefined;
+
+      const err = scriptsError;
+      if (err?.body?.message) {
+        message = err.body.message;
+        code = String(err.body.statusCode ?? code);
+      } else {
+        message = err?.message || String(err);
+      }
+
+      if (message) {
+        notifications.toasts.addDanger({
+          title: `Error: ${code}`,
+          text: message,
+        });
+      }
+    }
+  }, [scriptsError, notifications]);
+};

x-pack/solutions/security/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts

@@ -6,7 +6,7 @@
  */
 
 import { i18n } from '@kbn/i18n';
-import { CustomScriptSelector } from '../../console_argument_selectors/custom_script_selector';
+import { CustomScriptSelector } from '../../console_argument_selectors/custom_scripts_selector/custom_script_selector';
 import { RunScriptActionResult } from '../command_render_components/run_script_action';
 import type { CommandArgDefinition } from '../../console/types';
 import { isAgentTypeAndActionSupported } from '../../../../common/lib/endpoint';

x-pack/solutions/security/plugins/security_solution/public/management/components/endpoint_response_actions_list/components/action_log_expanded_tray.tsx

@@ -226,6 +226,7 @@ const OutputContent = memo<{
               data-test-subj={getTestId('actionsLogTray')}
               hideFile={action.agentType === 'crowdstrike'}
               hideContext={true}
+              showPasscode={action.agentType !== 'microsoft_defender_endpoint'}
             />
           </div>
         ))}