[Security Solution][Endpoint] Update response action creation so that it store policy information when action is created #218175
Conversation
…ng the `agent.policy` info only if FF is enabled
…e-policy-id-in-action-request-for-spaces
This reverts commit 7366645.
… Endpoint to use it when returning agent info.
unable to test it at this time - role needs additional privileges
… against specific indexes rather than index patterns
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
…gating to core server
…n-action-request-for-spaces' into task/olm-11225-store-policy-id-in-action-request-for-spaces
szwarckonrad
left a comment
Code and logic behind it LGTM!
| }; | ||
| microsoft: { | ||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||
| defender_endpoint: Record<string, any>; |
Maybe we can go with an unknown?
I'll check if unknown will work as well.
| connectorActions.setup(SENTINELONE_CONNECTOR_ID); | ||
| } | ||
|
|
||
| private async fetchSentinelOneAgentIndexNames(): Promise<string[]> { |
Feels like this could be abstracted in the base class — just caching and retrieving, right? I think you're already doing something similar for other connectors. Ignore this if that’s not the case.
I usually push methods/logic to the base class only if it's something that applies to all EDR types (generic). In this case, the index names will be different depending on the EDR type, so I felt it was most appropriate for it to live in each respective sub-class.
From konrad Co-authored-by: Konrad Szwarc <[email protected]>
…e-policy-id-in-action-request-for-spaces
|
|
||
| // Kibana CORE will take care of `500` errors when the handler `throw`'s, including logging the error | ||
| throw error; | ||
| // Kibana core server handling of `500` errors does not actually return the `error.message` encountered, |
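Review bot: the rationale is split around the `throw error;`: the first comment says Kibana core handles and logs `500` errors when the handler throws, while the comment that follows the throw begins explaining that core "does not actually return the `error.message` encountered" and is cut off from whatever statement it documents. Keep each comment directly above the code it explains and state what the caller does receive instead, since a client of the response action API otherwise sees a generic 500 with no indication of why the action was not created.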
🔥
| const doc: LogsEndpointAction<TParameters, TOutputContent, TMeta> = { | ||
| '@timestamp': new Date().toISOString(), | ||
| // Need to suppress this TS error around `agent.policy` not supporting `undefined`. | ||
| // It will be removed once we enable the feature and delete the feature flag checks. |
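Review bot: the comment suppressing the TS error on `agent.policy` says it goes away once the feature flag is deleted but does not name the flag; reference `endpointManagementSpaceAwarenessEnabled` in the comment so a search for the flag at removal time also finds this suppression, and if the directive is `@ts-ignore`, prefer `@ts-expect-error` so the compiler reports the suppression as stale once the type is updated.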
Maybe add a // TODO here for visibility
| ], | ||
| crowdstrike: ['device.id'], | ||
| microsoft_defender_endpoint: [ | ||
| 'cloud.instance.id', |
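Review bot: order in the `microsoft_defender_endpoint` list decides which document field is tried first when resolving an agent id, and the later discussion notes that only `cloud.instance.id` has been confirmed against real M365 data; add a short comment on the list recording which entries are verified and their source, so a future tidy-up that sorts the array does not silently change lookup priority.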
🙇🏼 Thanks for sorting!
😄
FYI:
I actually did not sort it on purpose. I only moved `cloud.instance.id` up so that it is the first one we try to find in MS documents. That's because I'm still not 100% sure of the other fields defined below, because we never really set up the M365 integration. I got these values from an env. that Raquel has where she set up M365.
Ah I see. Well, sorted values are always nice to maintain. 🌞
Co-authored-by: Ash <[email protected]>
…point/types/sentinel_one.ts
💔 Build Failed
Summary
The following changes are in support of space awareness for response actions (currently behind feature flag: `endpointManagementSpaceAwarenessEnabled`). All response actions will now start to store agent policy information.
- A new property will be stored in the Action Request document that captures policy information about each agent the action was sent to (`agent.policy: []`).
- All response action client instances must now be initiated with a `spaceId`.
- A new method was added to the internal Fleet Services to retrieve all `namespace`'s in use by a given integration type in the active space.
- The SentinelOne and Microsoft run host scripts were enhanced so that the host VM name includes the space id.
Testing space awareness setup
Warning
Microsoft Defender response actions will fail with a message indicating that it was unable to find elastic agents for the MS agent ids provided on input. This error will persist until a new build of Elasticsearch is released. A change was needed to the `kibana_system` role.
Enable feature flags
Switch Fleet to Space aware
Add additional mappings for response actions
Note
Only needed until the Endpoint Package is updated with these mappings.
Ensure that the Endpoint package is installed. The best way to do this is to create at least one integration policy in Fleet.
Add mappings if not already included in the index mapping.
Tip
These instructions can be done from the Kibana Dev Tools console.
Ensure the index exists:
Check to see if the mapping is already present:
If the response returns an empty `mappings`, then mappings need to be added.
Add mappings to the index:
Add data
You should now be all set up to load data for testing. Remember that space data visibility is mostly driven by Fleet and how Policies are set up and shared between spaces. Agent Policies now have a Space ID field to manage this.
Our scripts that run live VMs for each type of EDR have been updated to support a `--spaceId` CLI argument and thus can be used to target specific spaces.
Checklist
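As an added example (not Kibana's or this PR's own code) of the two behaviours the description covers: recording `agent.policy` in the action request only when `endpointManagementSpaceAwarenessEnabled` is on, and trying a per-EDR list of document fields (`device.id` for CrowdStrike, `cloud.instance.id` first for Microsoft Defender) to resolve an agent id. The `AgentPolicyInfo` shape, the `endpoint` entry and the `agent.id`/`host.id` fallbacks are assumptions.

```typescript
// Added illustration, not Kibana's code: store `agent.policy` on the action request only when the
// space-awareness flag is on, and resolve an EDR agent id by trying candidate document fields in
// priority order. Type shapes and entries not named in the PR are assumptions.
type AgentType = 'endpoint' | 'crowdstrike' | 'microsoft_defender_endpoint';
// Highest priority first. `device.id` and `cloud.instance.id` are from the PR; the rest are assumed.
const AGENT_ID_FIELDS: Record<AgentType, string[]> = {
  endpoint: ['agent.id'],
  crowdstrike: ['device.id'],
  microsoft_defender_endpoint: ['cloud.instance.id', 'host.id'],
};
// Assumed shape of one `agent.policy` entry; the PR only says the property exists.
interface AgentPolicyInfo { agentId: string; agentPolicyId: string; integrationPolicyId: string }
interface ActionRequestDoc {
  '@timestamp': string;
  agent: { id: string[]; policy?: AgentPolicyInfo[] };
  EndpointActions: { action_id: string; data: { command: string } };
}
// Reads a dotted path from either a flat key ('cloud.instance.id') or nested objects.
function getByPath(doc: Record<string, unknown>, path: string): unknown {
  if (path in doc) return doc[path];
  return path.split('.').reduce<unknown>(
    (cur, key) => (cur && typeof cur === 'object' ? (cur as Record<string, unknown>)[key] : undefined),
    doc
  );
}
// First non-empty string found among the EDR type's candidate fields, else undefined.
function findAgentId(doc: Record<string, unknown>, agentType: AgentType): string | undefined {
  for (const field of AGENT_ID_FIELDS[agentType]) {
    const value = getByPath(doc, field);
    if (typeof value === 'string' && value !== '') return value;
  }
  return undefined;
}
// With the flag on, every agent must resolve to policy info; otherwise the request is rejected,
// mirroring the description's "unable to find elastic agents" failure mode.
function buildActionRequest(input: {
  actionId: string; command: string; agentIds: string[]; spaceAwarenessEnabled: boolean;
  lookupPolicy: (agentId: string) => AgentPolicyInfo | undefined;
}): ActionRequestDoc {
  const doc: ActionRequestDoc = {
    '@timestamp': new Date().toISOString(),
    agent: { id: input.agentIds },
    EndpointActions: { action_id: input.actionId, data: { command: input.command } },
  };
  if (!input.spaceAwarenessEnabled) return doc;
  const missing = input.agentIds.filter((id) => input.lookupPolicy(id) === undefined);
  if (missing.length > 0) throw new Error(`Unable to find elastic agent(s) for: ${missing.join(', ')}`);
  doc.agent.policy = input.agentIds.map((id) => input.lookupPolicy(id) as AgentPolicyInfo);
  return doc;
}
```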