[9.0] [EDR Workflows] Workflow Insights - Proper Windows Signer field handling (elastic#209117) (elastic#210137)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[EDR Workflows] Workflow Insights - Proper Windows Signer field
handling (elastic#209117)](elastic#209117)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-02-07T08:26:10Z","message":"[EDR
Workflows] Workflow Insights - Proper Windows Signer field handling
(elastic#209117)\n\nThis PR fixes an issue where the Signer was not properly
propagated\nduring Trusted Apps creation from Insights. With these
changes, we\nexpect process.Ext.code_signature on Windows to be an array
(ESS, ESS\nCloud) containing signatures, or a single object
(Serverless). On macOS,\nit will continue to be an object.\n\nPlease
refer to the corresponding GitHub issue for the
recordings.","sha":"b750d46c8bc043dbc4d50e01f7ece6fa8ec48e39","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","backport:prev-minor","ci:cloud-deploy","ci:cloud-redeploy","ci:project-deploy-security","ci:project-redeploy","v9.1.0"],"title":"[EDR
Workflows] Workflow Insights - Proper Windows Signer field
handling","number":209117,"url":"https://github.com/elastic/kibana/pull/209117","mergeCommit":{"message":"[EDR
Workflows] Workflow Insights - Proper Windows Signer field handling
(elastic#209117)\n\nThis PR fixes an issue where the Signer was not properly
propagated\nduring Trusted Apps creation from Insights. With these
changes, we\nexpect process.Ext.code_signature on Windows to be an array
(ESS, ESS\nCloud) containing signatures, or a single object
(Serverless). On macOS,\nit will continue to be an object.\n\nPlease
refer to the corresponding GitHub issue for the
recordings.","sha":"b750d46c8bc043dbc4d50e01f7ece6fa8ec48e39"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/209117","number":209117,"mergeCommit":{"message":"[EDR
Workflows] Workflow Insights - Proper Windows Signer field handling
(elastic#209117)\n\nThis PR fixes an issue where the Signer was not properly
propagated\nduring Trusted Apps creation from Insights. With these
changes, we\nexpect process.Ext.code_signature on Windows to be an array
(ESS, ESS\nCloud) containing signatures, or a single object
(Serverless). On macOS,\nit will continue to be an object.\n\nPlease
refer to the corresponding GitHub issue for the
recordings.","sha":"b750d46c8bc043dbc4d50e01f7ece6fa8ec48e39"}}]}]
BACKPORT-->

Co-authored-by: Konrad Szwarc <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/workflow_insights/builders/incompatible_antivirus.test.ts

@@ -25,9 +25,13 @@ import type { EndpointMetadataService } from '../../metadata';
 import { groupEndpointIdsByOS } from '../helpers';
 import { buildIncompatibleAntivirusWorkflowInsights } from './incompatible_antivirus';
 
-jest.mock('../helpers', () => ({
-  groupEndpointIdsByOS: jest.fn(),
-}));
+jest.mock('../helpers', () => {
+  const actualHelpers = jest.requireActual('../helpers');
+  return {
+    ...actualHelpers,
+    groupEndpointIdsByOS: jest.fn(),
+  };
+});
 
 describe('buildIncompatibleAntivirusWorkflowInsights', () => {
   const mockEndpointAppContextService = createMockEndpointAppContext().service;
@@ -154,6 +158,45 @@ describe('buildIncompatibleAntivirusWorkflowInsights', () => {
     });
     const params = generateParams('test.com');
 
+    params.esClient.search = jest.fn().mockResolvedValue({
+      hits: {
+        hits: [
+          {
+            _id: 'lqw5opMB9Ke6SNgnxRSZ',
+            _source: {
+              process: {
+                Ext: {
+                  code_signature: [
+                    {
+                      trusted: true,
+                      subject_name: 'test.com',
+                    },
+                  ],
+                },
+              },
+            },
+          },
+        ],
+      },
+    });
+
+    const result = await buildIncompatibleAntivirusWorkflowInsights(params);
+
+    expect(result).toEqual([
+      buildExpectedInsight('windows', 'process.Ext.code_signature', 'test.com'),
+    ]);
+    expect(groupEndpointIdsByOS).toHaveBeenCalledWith(
+      ['endpoint-1'],
+      params.endpointMetadataService
+    );
+  });
+
+  it('should correctly build workflow insights for Windows with signerId provided as object', async () => {
+    (groupEndpointIdsByOS as jest.Mock).mockResolvedValue({
+      windows: ['endpoint-1'],
+    });
+    const params = generateParams('test.com');
+
     params.esClient.search = jest.fn().mockResolvedValue({
       hits: {
         hits: [
@@ -185,6 +228,68 @@ describe('buildIncompatibleAntivirusWorkflowInsights', () => {
     );
   });
 
+  it('should fallback to createRemediation without signer field when no valid signatures exist for Windows', async () => {
+    (groupEndpointIdsByOS as jest.Mock).mockResolvedValue({
+      windows: ['endpoint-1'],
+    });
+
+    const params = generateParams('test.com');
+    params.esClient.search = jest.fn().mockResolvedValue({
+      hits: {
+        hits: [
+          {
+            _id: 'lqw5opMB9Ke6SNgnxRSZ',
+            _source: {
+              process: {
+                Ext: {
+                  code_signature: [{ trusted: false, subject_name: 'Untrusted Publisher' }],
+                },
+              },
+            },
+          },
+        ],
+      },
+    });
+
+    const result = await buildIncompatibleAntivirusWorkflowInsights(params);
+    expect(result).toEqual([buildExpectedInsight('windows')]);
+  });
+
+  it('should skip Microsoft Windows Hardware Compatibility Publisher and use the next trusted signature for Windows', async () => {
+    (groupEndpointIdsByOS as jest.Mock).mockResolvedValue({
+      windows: ['endpoint-1'],
+    });
+
+    const params = generateParams();
+    params.esClient.search = jest.fn().mockResolvedValue({
+      hits: {
+        hits: [
+          {
+            _id: 'lqw5opMB9Ke6SNgnxRSZ',
+            _source: {
+              process: {
+                Ext: {
+                  code_signature: [
+                    {
+                      trusted: true,
+                      subject_name: 'Microsoft Windows Hardware Compatibility Publisher',
+                    },
+                    { trusted: true, subject_name: 'Next Trusted Publisher' },
+                  ],
+                },
+              },
+            },
+          },
+        ],
+      },
+    });
+
+    const result = await buildIncompatibleAntivirusWorkflowInsights(params);
+    expect(result).toEqual([
+      buildExpectedInsight('windows', 'process.Ext.code_signature', 'Next Trusted Publisher'),
+    ]);
+  });
+
   it('should correctly build workflow insights for MacOS with signerId provided', async () => {
     (groupEndpointIdsByOS as jest.Mock).mockResolvedValue({
       macos: ['endpoint-1'],
@@ -218,4 +323,27 @@ describe('buildIncompatibleAntivirusWorkflowInsights', () => {
       params.endpointMetadataService
     );
   });
+
+  it('should fallback to createRemediation without signer field for macOS when no code_signature exists', async () => {
+    (groupEndpointIdsByOS as jest.Mock).mockResolvedValue({
+      macos: ['endpoint-1'],
+    });
+
+    const params = generateParams();
+    params.esClient.search = jest.fn().mockResolvedValue({
+      hits: {
+        hits: [
+          {
+            _id: 'lqw5opMB9Ke6SNgnxRSZ',
+            _source: {
+              process: {},
+            },
+          },
+        ],
+      },
+    });
+
+    const result = await buildIncompatibleAntivirusWorkflowInsights(params);
+    expect(result).toEqual([buildExpectedInsight('macos')]);
+  });
 });

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/workflow_insights/builders/incompatible_antivirus.ts

@@ -6,7 +6,7 @@
  */
 
 import moment from 'moment';
-import { get as _get, uniqBy } from 'lodash';
+import { uniqBy } from 'lodash';
 
 import type { DefendInsight } from '@kbn/elastic-assistant-common';
 
@@ -23,22 +23,8 @@ import {
   SourceType,
   TargetType,
 } from '../../../../../common/endpoint/types/workflow_insights';
-import { groupEndpointIdsByOS } from '../helpers';
-
-interface FileEventDoc {
-  process: {
-    code_signature?: {
-      subject_name: string;
-      trusted: boolean;
-    };
-    Ext?: {
-      code_signature?: {
-        subject_name: string;
-        trusted: boolean;
-      };
-    };
-  };
-}
+import type { FileEventDoc } from '../helpers';
+import { getValidCodeSignature, groupEndpointIdsByOS } from '../helpers';
 
 export async function buildIncompatibleAntivirusWorkflowInsights(
   params: BuildWorkflowInsightParams
@@ -163,14 +149,10 @@ export async function buildIncompatibleAntivirusWorkflowInsights(
             const codeSignatureSearchHit = codeSignaturesHits.find((hit) => hit._id === id);
 
             if (codeSignatureSearchHit) {
-              const extPath = os === 'windows' ? '.Ext' : '';
-              const field = `process${extPath}.code_signature`;
-              const value = _get(
-                codeSignatureSearchHit,
-                `_source.${field}.subject_name`,
-                'invalid subject name'
-              );
-              return createRemediation(filePath, os, field, value);
+              const signature = getValidCodeSignature(os, codeSignatureSearchHit._source);
+              if (signature) {
+                return createRemediation(filePath, os, signature.field, signature.value);
+              }
             }
           }
 

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/workflow_insights/helpers.test.ts

@@ -28,13 +28,15 @@ import {
   TargetType,
 } from '../../../../common/endpoint/types/workflow_insights';
 import type { EndpointMetadataService } from '../metadata';
+import type { FileEventDoc } from './helpers';
 import {
   buildEsQueryParams,
   checkIfRemediationExists,
   createDatastream,
   createPipeline,
   generateInsightId,
   generateTrustedAppsFilter,
+  getValidCodeSignature,
   groupEndpointIdsByOS,
 } from './helpers';
 import {
@@ -369,6 +371,7 @@ describe('helpers', () => {
       expect(filter).toBe('');
     });
   });
+
   describe('checkIfRemediationExists', () => {
     it('should return false for non-incompatible_antivirus types', async () => {
       const insight = getDefaultInsight({
@@ -421,4 +424,155 @@ describe('helpers', () => {
       expect(result).toBe(true);
     });
   });
+
+  describe('getValidCodeSignature', () => {
+    it('should return the first trusted signature for Windows', () => {
+      const os = 'windows';
+      const codeSignatureSearchHit = {
+        process: {
+          Ext: {
+            code_signature: [{ subject_name: 'Valid Cert', trusted: true }],
+          },
+        },
+      };
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toEqual({
+        field: 'process.Ext.code_signature',
+        value: 'Valid Cert',
+      });
+    });
+
+    it('should return null if no trusted signatures', () => {
+      const os = 'windows';
+      const codeSignatureSearchHit = {
+        process: {
+          Ext: {
+            code_signature: [{ subject_name: 'Valid Cert', trusted: false }],
+          },
+        },
+      };
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toBeNull();
+    });
+
+    it('should return null if all Windows code signatures are untrusted', () => {
+      const os = 'windows';
+      const codeSignatureSearchHit = {
+        process: {
+          Ext: {
+            code_signature: [
+              { subject_name: 'Cert 1', trusted: false },
+              { subject_name: 'Cert 2', trusted: false },
+            ],
+          },
+        },
+      };
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toBeNull();
+    });
+
+    it('should correctly process a single object code signature for Windows', () => {
+      const os = 'windows';
+      const codeSignatureSearchHit = {
+        process: {
+          Ext: {
+            code_signature: { subject_name: 'Valid Cert', trusted: true },
+          },
+        },
+      };
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toEqual({
+        field: 'process.Ext.code_signature',
+        value: 'Valid Cert',
+      });
+    });
+
+    it('should return the first trusted signature for Windows, skipping Microsoft Windows Hardware Compatibility Publisher', () => {
+      const os = 'windows';
+      const codeSignatureSearchHit = {
+        process: {
+          Ext: {
+            code_signature: [
+              { subject_name: 'Microsoft Windows Hardware Compatibility Publisher', trusted: true },
+              { subject_name: 'Valid Cert', trusted: false },
+              { subject_name: 'Valid Cert2', trusted: true },
+            ],
+          },
+        },
+      };
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toEqual({
+        field: 'process.Ext.code_signature',
+        value: 'Valid Cert2',
+      });
+    });
+
+    it('should return Windows publisher if this is the only signer', () => {
+      const os = 'windows';
+      const codeSignatureSearchHit = {
+        process: {
+          Ext: {
+            code_signature: [
+              { subject_name: 'Microsoft Windows Hardware Compatibility Publisher', trusted: true },
+            ],
+          },
+        },
+      };
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toEqual({
+        field: 'process.Ext.code_signature',
+        value: 'Microsoft Windows Hardware Compatibility Publisher',
+      });
+    });
+
+    it('should return the subject name for macOS when code signature is present', () => {
+      const os = 'macos';
+      const codeSignatureSearchHit = {
+        process: {
+          code_signature: { subject_name: 'Apple Inc.', trusted: true },
+        },
+      };
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toEqual({ field: 'process.code_signature', value: 'Apple Inc.' });
+    });
+
+    it('should return null if no code signature is present for macOS', () => {
+      const os = 'macos';
+      const codeSignatureSearchHit = {
+        process: {},
+      };
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toBeNull();
+    });
+
+    it('should return null if code_signature field is empty for macOS', () => {
+      const os = 'macos';
+      const codeSignatureSearchHit = {
+        process: {
+          code_signature: {},
+        },
+      } as FileEventDoc;
+
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toBeNull();
+    });
+
+    it('should return null for non-Windows when code signature is untrusted', () => {
+      const os = 'macos';
+      const codeSignatureSearchHit = {
+        process: {
+          code_signature: { subject_name: 'Apple Inc.', trusted: false },
+        },
+      };
+      const result = getValidCodeSignature(os, codeSignatureSearchHit);
+      expect(result).toBeNull();
+    });
+  });
 });