[Security Solution][Endpoint] Add runscript command to the Response Console for SentinelOne hosts (#230310)

## Summary

The following changes are in support of `runscript` response action for
SentinelOne hosts - currently behind feature flag
`responseActionsSentinelOneRunScriptEnabled`:

- Adds `runscript` command for SentinelOne hosts to the Response Console
- Accepts `--script` argument, which triggers a popup that displays the
available scripts from SentinelOne, as well as `--inputParams`
- For now, the `runscript` response action will remain `pending`. A
follow up PR will add logic to check and complete these actions
- Added support to the custom scripts internal API for retrieving
SentinelOne list of scripts
- Returned data was also enhanced so that each script can optionally
defined a `meta` property with additional information about the script
that may exists for 3rd party EDRs
- a new optional API parameter was added to allow for filtering by OS
type (`osType: string`)
- Console component was enhanced with:
- `exampleUsage` property of a command's definition can now be defined
as a callback that returns a `string`. This allows for specific usage
information to be displayed for SentinelOne when a script is selected.
The callback is provided (if available) the information about what has
been entered in the console (`Command`).

Author: paul-tavares

x-pack/solutions/security/plugins/security_solution/common/api/endpoint/custom_scripts/get_custom_scripts_route.ts

@@ -6,6 +6,7 @@
  */
 
 import { schema, type TypeOf } from '@kbn/config-schema';
+import type { DeepMutable } from '../../../endpoint/types';
 import { AgentTypeSchemaLiteral, HostOsTypeSchemaLiteral } from '..';
 
 export const CustomScriptsRequestSchema = {
@@ -30,4 +31,6 @@ export const CustomScriptsRequestSchema = {
   }),
 };
 
-export type CustomScriptsRequestQueryParams = TypeOf<typeof CustomScriptsRequestSchema.query>;
+export type CustomScriptsRequestQueryParams = DeepMutable<
+  TypeOf<typeof CustomScriptsRequestSchema.query>
+>;

x-pack/solutions/security/plugins/security_solution/common/endpoint/types/actions.ts

@@ -9,11 +9,11 @@ import type { TypeOf } from '@kbn/config-schema';
 import type { EcsError } from '@elastic/ecs';
 import type { BaseFileMetadata, FileCompression, FileJSON } from '@kbn/files-plugin/common';
 import type {
-  UploadActionApiRequestBody,
   ActionStatusRequestSchema,
   KillProcessRequestBody,
-  SuspendProcessRequestBody,
   RunScriptActionRequestBody,
+  SuspendProcessRequestBody,
+  UploadActionApiRequestBody,
 } from '../../api/endpoint';
 
 import type {
@@ -612,3 +612,34 @@ export interface ResponseActionUploadOutputContent {
   /** The free space available (after saving the file) of the drive where the file was saved to, In Bytes  */
   disk_free_space: number;
 }
+
+/**
+ * A Response Action script
+ */
+export interface ResponseActionScript<TMeta extends {} = {}> {
+  /**
+   * Unique identifier for the script
+   */
+  id: string;
+  /**
+   * Display name of the script
+   */
+  name: string;
+  /**
+   * Description of what the script does
+   */
+  description: string;
+
+  /**
+   * Additional meta info. about the script. Can be used to store EDR specific
+   * information about the script for use in the UI
+   */
+  meta?: TMeta;
+}
+
+/**
+ * API response with list of Response Actions scripts available on the system
+ */
+export interface ResponseActionScriptsApiResponse<TMeta extends {} = {}> {
+  data: ResponseActionScript<TMeta>[];
+}

x-pack/solutions/security/plugins/security_solution/common/endpoint/types/sentinel_one.ts

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import type { SentinelOneGetRemoteScriptsResponse } from '@kbn/stack-connectors-plugin/common/sentinelone/types';
+
 /**
  * The `activity` document ingested from SentinelOne via the integration
  *
@@ -175,3 +177,17 @@ export interface SentinelOneRunScriptResponseMeta {
   /** The SentinelOne task ID associated with the completion of the run script action */
   taskId: string;
 }
+
+/**
+ * A subset of properties from the SentinelOne Script API response
+ */
+export type SentinelOneScript = Pick<
+  SentinelOneGetRemoteScriptsResponse['data'][number],
+  | 'id'
+  | 'scriptDescription'
+  | 'osTypes'
+  | 'inputInstructions'
+  | 'inputExample'
+  | 'inputRequired'
+  | 'shortFileName'
+>;

x-pack/solutions/security/plugins/security_solution/public/common/lib/endpoint/utils/is_agent_type_and_action_supported.test.ts

@@ -24,6 +24,7 @@ describe('isAgentTypeAndActionSupported() util', () => {
       responseActionsSentinelOneGetFileEnabled: true,
       responseActionsCrowdstrikeManualHostIsolationEnabled: true,
       responseActionsMSDefenderEndpointEnabled: true,
+      responseActionsSentinelOneRunScriptEnabled: true,
       ...overrides,
     });
   };
@@ -37,6 +38,9 @@ describe('isAgentTypeAndActionSupported() util', () => {
   const disableMicrosoftIsolationFeature = () => {
     enableFeatures({ responseActionsMSDefenderEndpointEnabled: false });
   };
+  const disableS1RunScript = () => {
+    enableFeatures({ responseActionsSentinelOneRunScriptEnabled: false });
+  };
 
   const resetFeatures = (): void => {
     (ExperimentalFeaturesService.get as jest.Mock).mockReturnValue({
@@ -53,21 +57,24 @@ describe('isAgentTypeAndActionSupported() util', () => {
   });
 
   it.each`
-    agentType                        | actionName    | actionType     | expectedValue | runSetup
-    ${'endpoint'}                    | ${undefined}  | ${undefined}   | ${true}       | ${undefined}
-    ${'endpoint'}                    | ${'isolate'}  | ${'manual'}    | ${true}       | ${undefined}
-    ${'endpoint'}                    | ${'isolate'}  | ${'automated'} | ${true}       | ${undefined}
-    ${'sentinel_one'}                | ${undefined}  | ${undefined}   | ${true}       | ${undefined}
-    ${'sentinel_one'}                | ${'isolate'}  | ${'manual'}    | ${true}       | ${undefined}
-    ${'sentinel_one'}                | ${'get-file'} | ${'manual'}    | ${true}       | ${undefined}
-    ${'sentinel_one'}                | ${'get-file'} | ${undefined}   | ${false}      | ${disableS1GetFileFeature}
-    ${'crowdstrike'}                 | ${undefined}  | ${undefined}   | ${true}       | ${undefined}
-    ${'crowdstrike'}                 | ${'isolate'}  | ${'manual'}    | ${true}       | ${undefined}
-    ${'crowdstrike'}                 | ${'isolate'}  | ${undefined}   | ${false}      | ${disableCSIsolateFeature}
-    ${'microsoft_defender_endpoint'} | ${undefined}  | ${undefined}   | ${true}       | ${undefined}
-    ${'microsoft_defender_endpoint'} | ${'isolate'}  | ${'manual'}    | ${true}       | ${undefined}
-    ${'microsoft_defender_endpoint'} | ${'isolate'}  | ${'automated'} | ${false}      | ${undefined}
-    ${'microsoft_defender_endpoint'} | ${'isolate'}  | ${undefined}   | ${false}      | ${disableMicrosoftIsolationFeature}
+    agentType                        | actionName     | actionType     | expectedValue | runSetup
+    ${'endpoint'}                    | ${undefined}   | ${undefined}   | ${true}       | ${undefined}
+    ${'endpoint'}                    | ${'isolate'}   | ${'manual'}    | ${true}       | ${undefined}
+    ${'endpoint'}                    | ${'isolate'}   | ${'automated'} | ${true}       | ${undefined}
+    ${'sentinel_one'}                | ${undefined}   | ${undefined}   | ${true}       | ${undefined}
+    ${'sentinel_one'}                | ${'isolate'}   | ${'manual'}    | ${true}       | ${undefined}
+    ${'sentinel_one'}                | ${'get-file'}  | ${'manual'}    | ${true}       | ${undefined}
+    ${'sentinel_one'}                | ${'get-file'}  | ${undefined}   | ${false}      | ${disableS1GetFileFeature}
+    ${'sentinel_one'}                | ${'runscript'} | ${'manual'}    | ${true}       | ${undefined}
+    ${'sentinel_one'}                | ${'runscript'} | ${'automated'} | ${false}      | ${undefined}
+    ${'sentinel_one'}                | ${'runscript'} | ${undefined}   | ${false}      | ${disableS1RunScript}
+    ${'crowdstrike'}                 | ${undefined}   | ${undefined}   | ${true}       | ${undefined}
+    ${'crowdstrike'}                 | ${'isolate'}   | ${'manual'}    | ${true}       | ${undefined}
+    ${'crowdstrike'}                 | ${'isolate'}   | ${undefined}   | ${false}      | ${disableCSIsolateFeature}
+    ${'microsoft_defender_endpoint'} | ${undefined}   | ${undefined}   | ${true}       | ${undefined}
+    ${'microsoft_defender_endpoint'} | ${'isolate'}   | ${'manual'}    | ${true}       | ${undefined}
+    ${'microsoft_defender_endpoint'} | ${'isolate'}   | ${'automated'} | ${false}      | ${undefined}
+    ${'microsoft_defender_endpoint'} | ${'isolate'}   | ${undefined}   | ${false}      | ${disableMicrosoftIsolationFeature}
   `(
     'should return `$expectedValue` for $agentType $actionName ($actionType)',
     ({

x-pack/solutions/security/plugins/security_solution/public/common/lib/endpoint/utils/is_agent_type_and_action_supported.ts

@@ -25,6 +25,7 @@ export const isAgentTypeAndActionSupported = (
   const features = ExperimentalFeaturesService.get();
   const isSentinelOneV1Enabled = features.responseActionsSentinelOneV1Enabled;
   const isSentinelOneGetFileEnabled = features.responseActionsSentinelOneGetFileEnabled;
+  const isSentinelOneRunScriptEnabled = features.responseActionsSentinelOneRunScriptEnabled;
   const isCrowdstrikeHostIsolationEnabled =
     features.responseActionsCrowdstrikeManualHostIsolationEnabled;
   const isMicrosoftDefenderEndpointEnabled = features.responseActionsMSDefenderEndpointEnabled;
@@ -48,6 +49,10 @@ export const isAgentTypeAndActionSupported = (
               isActionNameSupported = false;
             }
             break;
+          case 'runscript':
+            if (!isSentinelOneRunScriptEnabled) {
+              isActionNameSupported = false;
+            }
         }
 
         break;

x-pack/solutions/security/plugins/security_solution/public/management/components/console/components/command_input/command_input.tsx

@@ -153,10 +153,10 @@ export const CommandInput = memo<CommandInputProps>(({ prompt = '', focusRef, ..
 
   const handleInputCapture = useCallback<InputCaptureProps['onCapture']>(
     ({ value, selection, eventDetails }) => {
-      const keyCode = eventDetails.keyCode;
+      const key = eventDetails.code;
 
       // UP arrow key
-      if (keyCode === 38) {
+      if (key === 'ArrowUp') {
         dispatch({ type: 'removeFocusFromKeyCapture' });
         dispatch({ type: 'updateInputPopoverState', payload: { show: 'input-history' } });
 
@@ -193,19 +193,19 @@ export const CommandInput = memo<CommandInputProps>(({ prompt = '', focusRef, ..
 
           inputText.addValue(processedValue ?? '', selection);
 
-          switch (keyCode) {
+          switch (key) {
             // BACKSPACE
-            case 8:
+            case 'Backspace':
               inputText.backspaceChar(selection);
               break;
 
             // DELETE
-            case 46:
+            case 'Delete':
               inputText.deleteChar(selection);
               break;
 
-            // ENTER  = Execute command and blank out the input area
-            case 13:
+            // ENTER = Execute command and blank out the input area
+            case 'Enter':
               setCommandToExecute({
                 input: inputText.getFullText(true),
                 enteredCommand: prevEnteredCommand as ConsoleDataState['input']['enteredCommand'],
@@ -215,22 +215,22 @@ export const CommandInput = memo<CommandInputProps>(({ prompt = '', focusRef, ..
               break;
 
             // ARROW LEFT
-            case 37:
+            case 'ArrowLeft':
               inputText.moveCursorTo('left');
               break;
 
             // ARROW RIGHT
-            case 39:
+            case 'ArrowRight':
               inputText.moveCursorTo('right');
               break;
 
             // HOME
-            case 36:
+            case 'Home':
               inputText.moveCursorTo('home');
               break;
 
             // END
-            case 35:
+            case 'End':
               inputText.moveCursorTo('end');
               break;
           }

x-pack/solutions/security/plugins/security_solution/public/management/components/console/components/command_input/components/argument_selector_wrapper.tsx

@@ -5,17 +5,13 @@
  * 2.0.
  */
 
-import React, { memo, useCallback, useMemo } from 'react';
+import React, { memo, useCallback } from 'react';
 import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import styled from 'styled-components';
+import { useInputCommand } from '../../../hooks/state_selectors/use_input_command';
 import { useConsoleStateDispatch } from '../../../hooks/state_selectors/use_console_state_dispatch';
 import { useWithCommandArgumentState } from '../../../hooks/state_selectors/use_with_command_argument_state';
-import { useConsoleStore } from '../../console_state/console_state';
-import type {
-  CommandArgDefinition,
-  CommandArgumentValueSelectorProps,
-  Command,
-} from '../../../types';
+import type { CommandArgDefinition, CommandArgumentValueSelectorProps } from '../../../types';
 
 const ArgumentSelectorWrapperContainer = styled.span`
   border: ${({ theme: { eui } }) => eui.euiBorderThin};
@@ -64,24 +60,13 @@ export interface ArgumentSelectorWrapperProps {
 export const ArgumentSelectorWrapper = memo<ArgumentSelectorWrapperProps>(
   ({ argName, argIndex, argDefinition: { SelectorComponent } }) => {
     const dispatch = useConsoleStateDispatch();
+    const command = useInputCommand();
     const { valueText, value, store } = useWithCommandArgumentState(argName, argIndex);
-    const { state: consoleState } = useConsoleStore();
 
-    // Construct the Command object from console state
-    const command = useMemo<Command>(() => {
-      const { enteredCommand } = consoleState.input;
-      if (!enteredCommand) {
-        throw new Error('ArgumentSelectorWrapper should only be used when a command is entered');
-      }
-
-      // Construct the full Command object needed by selectors
-      return {
-        input: consoleState.input.leftOfCursorText + consoleState.input.rightOfCursorText,
-        inputDisplay: consoleState.input.leftOfCursorText + consoleState.input.rightOfCursorText,
-        args: consoleState.input.parsedInput,
-        commandDefinition: enteredCommand.commandDefinition,
-      };
-    }, [consoleState.input]);
+    if (!command) {
+      // FIXME: PT we should not throw here as that would likely crash the UI.
+      throw new Error('ArgumentSelectorWrapper should only be used when a command is entered');
+    }
 
     // Create requestFocus callback that uses proper console dispatch instead of direct state manipulation
     const requestFocus = useCallback(() => {

x-pack/solutions/security/plugins/security_solution/public/management/components/console/components/command_input/components/input_capture.tsx

@@ -82,7 +82,7 @@ export type InputCaptureProps = PropsWithChildren<{
     /** Keyboard control keys from the keyboard event */
     eventDetails: Pick<
       KeyboardEvent,
-      'key' | 'altKey' | 'ctrlKey' | 'keyCode' | 'metaKey' | 'repeat' | 'shiftKey'
+      'key' | 'altKey' | 'ctrlKey' | 'keyCode' | 'metaKey' | 'repeat' | 'shiftKey' | 'code'
     >;
   }) => void;
   /** Sets an interface that allows interactions with this component's focus/blur states */
@@ -164,6 +164,7 @@ export const InputCapture = memo<InputCaptureProps>(
           'metaKey',
           'repeat',
           'shiftKey',
+          'code',
         ]);
 
         onCapture({
@@ -198,6 +199,7 @@ export const InputCapture = memo<InputCaptureProps>(
           metaKey: true,
           repeat: false,
           shiftKey: false,
+          code: 'MetaLeft',
         };
 
         onCapture({

x-pack/solutions/security/plugins/security_solution/public/management/components/console/components/command_input/hooks/use_input_hints.ts

@@ -7,6 +7,7 @@
 
 import { useEffect, useMemo } from 'react';
 import { i18n } from '@kbn/i18n';
+import { useInputCommand } from '../../../hooks/state_selectors/use_input_command';
 import { useWithInputTextEntered } from '../../../hooks/state_selectors/use_with_input_text_entered';
 import { getArgumentsForCommand } from '../../../service/parsed_command_input';
 import type { CommandDefinition } from '../../..';
@@ -36,23 +37,27 @@ export const UP_ARROW_ACCESS_HISTORY_HINT = i18n.translate(
 export const useInputHints = () => {
   const dispatch = useConsoleStateDispatch();
   const isInputPopoverOpen = Boolean(useWithInputShowPopover());
-  const commandEntered = useWithInputCommandEntered();
+  const commandNameEntered = useWithInputCommandEntered();
   const commandList = useWithCommandList();
+  const inputCommand = useInputCommand();
   const { leftOfCursorText } = useWithInputTextEntered();
 
   const commandEnteredDefinition = useMemo<CommandDefinition | undefined>(() => {
-    if (commandEntered) {
-      return commandList.find((commandDef) => commandDef.name === commandEntered);
+    if (commandNameEntered) {
+      return commandList.find((commandDef) => commandDef.name === commandNameEntered);
     }
-  }, [commandEntered, commandList]);
+  }, [commandNameEntered, commandList]);
 
   useEffect(() => {
     // If we know the command name and the input popover is not opened, then show hints (if any)
-    if (commandEntered && !isInputPopoverOpen) {
+    if (commandNameEntered && !isInputPopoverOpen) {
       // Is valid command name? ==> show usage
       if (commandEnteredDefinition && commandEnteredDefinition.helpHidden !== true) {
         const exampleInstruction = commandEnteredDefinition?.exampleInstruction ?? '';
-        const exampleUsage = commandEnteredDefinition?.exampleUsage ?? '';
+        const exampleUsage =
+          typeof commandEnteredDefinition?.exampleUsage === 'function'
+            ? commandEnteredDefinition?.exampleUsage(inputCommand)
+            : commandEnteredDefinition?.exampleUsage ?? '';
 
         let hint = exampleInstruction ?? '';
 
@@ -95,7 +100,7 @@ export const useInputHints = () => {
         dispatch({
           type: 'updateFooterContent',
           payload: {
-            value: UNKNOWN_COMMAND_HINT(commandEntered),
+            value: UNKNOWN_COMMAND_HINT(commandNameEntered),
           },
         });
 
@@ -110,5 +115,12 @@ export const useInputHints = () => {
       });
       dispatch({ type: 'setInputState', payload: { value: undefined } });
     }
-  }, [commandEntered, commandEnteredDefinition, dispatch, isInputPopoverOpen, leftOfCursorText]);
+  }, [
+    commandNameEntered,
+    commandEnteredDefinition,
+    dispatch,
+    isInputPopoverOpen,
+    leftOfCursorText,
+    inputCommand,
+  ]);
 };