[Security Solution][Endpoint][Host Isolation] Remove agent status for non endpoint alerts #102976

Merged
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ import { SummaryView } from './summary_view';
import { AlertSummaryRow, getSummaryColumns, SummaryRow } from './helpers';
import { useRuleAsync } from '../../../detections/containers/detection_engine/rules/use_rule_async';
import { LineClamp } from '../line_clamp';
import { endpointAlertCheck } from '../../utils/endpoint_alert_check';

const StyledEuiDescriptionList = styled(EuiDescriptionList)`
padding: 24px 4px 4px;
Expand All @@ -53,7 +54,7 @@ const fields = [
{ id: 'signal.rule.severity', label: ALERTS_HEADERS_SEVERITY },
{ id: 'signal.rule.risk_score', label: ALERTS_HEADERS_RISK_SCORE },
{ id: 'host.name' },
{ id: 'host.status' },
{ id: 'agent.status' },
{ id: 'user.name' },
{ id: SOURCE_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE },
{ id: DESTINATION_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE },
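Review bot: the new row id `'agent.status'` (and the `fieldName: 'agent.status'` in the description object later in this file) is a string literal, while `constants.ts` in this same PR exports `AGENT_STATUS_FIELD_NAME = 'agent.status'` and `FormattedFieldValue` dispatches on that constant; import and use the constant in both places so the summary row cannot silently stop matching the `AgentStatuses` branch if the field name changes again.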
Expand Down Expand Up @@ -178,6 +179,10 @@ const AlertSummaryViewComponent: React.FC<{
timelineId,
]);

const isEndpointAlert = useMemo(() => {
return endpointAlertCheck({ data });
}, [data]);

const agentId = useMemo(() => {
const findAgentId = find({ category: 'agent', field: 'agent.id' }, data)?.values;
return findAgentId ? findAgentId[0] : '';
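Review bot: `isEndpointAlert` is decided from `agent.type` alone, but the status row is keyed by `agentId`, which falls back to `''` when `agent.id` is missing from `data`; an endpoint alert without `agent.id` would therefore still render the agent status row with an empty id. Consider folding `agentId !== ''` into the condition (or into `isEndpointAlert`) so the row is only shown when there is an agent to look up.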
Expand All @@ -188,7 +193,7 @@ const AlertSummaryViewComponent: React.FC<{
description: {
contextId: timelineId,
eventId,
fieldName: 'host.status',
fieldName: 'agent.status',
value: agentId,
linkValue: undefined,
},
Expand All @@ -209,7 +214,7 @@ const AlertSummaryViewComponent: React.FC<{
<EuiSpacer size="l" />
<SummaryView
summaryColumns={summaryColumns}
summaryRows={summaryRowsWithAgentStatus}
summaryRows={isEndpointAlert ? summaryRowsWithAgentStatus : summaryRows}
title={title}
/>
{maybeRule?.note && (
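Review bot: the `isEndpointAlert ? summaryRowsWithAgentStatus : summaryRows` switch is the user-visible behaviour change of this PR, but no test for `AlertSummaryView` is included in the diff; add one render test with `agent.type: 'endpoint'` asserting the `agent.status` row is present and one with a non-endpoint `agent.type` asserting it is absent.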
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { find } from 'lodash/fp';
import { TimelineEventsDetailsItem } from '../../../common/search_strategy';

export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] | null }) => {
Do we already have something like this somewhere? @dasansol92 implemented something in detections for showing the ability to create an Event Filter from an Endpoint alert only.

Also, can you add some tests to this with various timeline events - some that are endpoint and others that are not.

const findEndpointAlert = find({ category: 'agent', field: 'agent.type' }, data)?.values;
return findEndpointAlert ? findEndpointAlert[0] === 'endpoint' : false;
};
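Review bot: `endpointAlertCheck` has no explicit return type; annotate it `: boolean` so callers cannot accidentally receive the raw `values[0]` if the ternary is later simplified. Also, as requested in the comment above, this new file should ship with a unit test covering `data: null`, an item with `agent.type` of `'endpoint'`, a non-endpoint `agent.type`, and an item list without any `agent.type` entry, since the `null` case relies on `find` returning `undefined` and the optional chaining on `.values`.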
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ import {
} from '../../../../detections/components/host_isolation/translations';
import { ALERT_DETAILS } from './translations';
import { useIsolationPrivileges } from '../../../../common/hooks/endpoint/use_isolate_privileges';
import { endpointAlertCheck } from '../../../../common/utils/endpoint_alert_check';

const StyledEuiFlyoutBody = styled(EuiFlyoutBody)`
.euiFlyoutBody__overflow {
Expand Down Expand Up @@ -92,8 +93,7 @@ const EventDetailsPanelComponent: React.FC<EventDetailsPanelProps> = ({
const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, detailsData);

const isEndpointAlert = useMemo(() => {
const findEndpointAlert = find({ category: 'agent', field: 'agent.type' }, detailsData)?.values;
return findEndpointAlert ? findEndpointAlert[0] === 'endpoint' : false;
return endpointAlertCheck({ data: detailsData });
}, [detailsData]);

const agentId = useMemo(() => {
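Review bot: after replacing the inline `find({ category: 'agent', field: 'agent.type' }, ...)` lookup with `endpointAlertCheck`, check whether the `find` import from `lodash/fp` in this file is still used (the `agentId` memo below likely still needs it); if it is not, drop the import so lint does not flag it.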
Original file line number Diff line number Diff line change
Expand Up @@ -16,4 +16,4 @@ export const REFERENCE_URL_FIELD_NAME = 'reference.url';
export const EVENT_URL_FIELD_NAME = 'event.url';
export const SIGNAL_RULE_NAME_FIELD_NAME = 'signal.rule.name';
export const SIGNAL_STATUS_FIELD_NAME = 'signal.status';
export const HOST_STATUS_FIELD_NAME = 'host.status';
export const AGENT_STATUS_FIELD_NAME = 'agent.status';
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ import {
REFERENCE_URL_FIELD_NAME,
EVENT_URL_FIELD_NAME,
SIGNAL_STATUS_FIELD_NAME,
HOST_STATUS_FIELD_NAME,
AGENT_STATUS_FIELD_NAME,
GEO_FIELD_TYPE,
} from './constants';
import { RenderRuleName, renderEventModule, renderUrl } from './formatted_field_helpers';
Expand Down Expand Up @@ -120,7 +120,7 @@ const FormattedFieldValueComponent: React.FC<{
return (
<RuleStatus contextId={contextId} eventId={eventId} fieldName={fieldName} value={value} />
);
} else if (fieldName === HOST_STATUS_FIELD_NAME) {
} else if (fieldName === AGENT_STATUS_FIELD_NAME) {
return (
<AgentStatuses
contextId={contextId}