[Security Solution][Endpoint] Host Isolation API changes #113621
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ashokaditya
added
auto-backport
and then the fleet index. Else do as usual. fixes elastic/security-team/issues/1704
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
academo
reviewed
Oct 6, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
academo
reviewed
Oct 6, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
academo
reviewed
Oct 6, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
academo
reviewed
Oct 6, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
academo
reviewed
Oct 6, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
academo
reviewed
Oct 6, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
|
I am not fully familiar with the way the indices work. I only had nitpick comments about improving the code. Better if someone else that understand that logic also approves it. |
academo
approved these changes
Oct 6, 2021
review changes refs elastic/security-team/issues/1704
|
@elasticmachine merge upstream |
pzl
reviewed
Oct 11, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.test.ts
Show resolved
Hide resolved
| { index: string; body: EndpointAction } | ||
| ] = [ | ||
| (ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock).mock.calls[0][0], | ||
| (ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock).mock.calls[1][0], |
There was a problem hiding this comment.
So this is getting the first argument of the second call to asInternalUser.index(). What's the first thing we index as internal user via this path? Are we guaranteeing that it will always happen in that order?
There was a problem hiding this comment.
The first thing that is indexed is .logs-endpoint.actions and then .fleet-actions. This is because of the way I mocked the client to use internalUser when the index exists.
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
…et-actions` review comments
ashokaditya
commented
Oct 12, 2021
Comment on lines
14
to
18
| code: string; | ||
| id: string; | ||
| code?: string; | ||
| id?: string; | ||
| message: string; | ||
| stack_trace: string; | ||
| type: string; | ||
| stack_trace?: string; | ||
| type?: string; |
There was a problem hiding this comment.
would be nice to know if some of these can be more specific! ECS doesn't tell much more than some of them being keywords. Can we decide on some error codes for the failed action request errors that we discussed? @pzl
https://www.elastic.co/guide/en/ecs/current/ecs-error.html#field-error-code
ashokaditya
commented
Oct 12, 2021
| body: { | ||
| ...doc, | ||
| error: { | ||
| code: '424', |
There was a problem hiding this comment.
This translates to a Failed Dependency http error code. Using a code would be nice to filter out these records quickly
There was a problem hiding this comment.
What do you think @pzl
There was a problem hiding this comment.
Do the error codes in these responses correlate to HTTP error elsewhere? If we don't have that established, 424 won't mean much the next time we see it until we look it up
There was a problem hiding this comment.
Well, not in Kibana that I know of. Should I add a comment here about the specific code? Or should I remove it altogether?
There was a problem hiding this comment.
doesn't have a big impact, just leave it
pzl
reviewed
Oct 12, 2021
x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Outdated
Show resolved
Hide resolved
review comment
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
pzl
approved these changes
Oct 12, 2021
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: cc @ashokaditya |
kibanamachine
added a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 13, 2021
) * Use the new data stream (if exists) to write action request to and then the fleet index. Else do as usual. fixes elastic/security-team/issues/1704 * fix legacy tests * add relevant additional tests * remove duplicate test * update tests * cleanup review changes refs elastic/security-team/issues/1704 * fix lint * Use correct mapping keys when writing to index * write record on new index when action request fails to write to `.fleet-actions` review comments * better error message review comment Co-authored-by: Kibana Machine <[email protected]>
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
kibanamachine
added a commit
that referenced
this pull request
Oct 13, 2021
…114757) * Use the new data stream (if exists) to write action request to and then the fleet index. Else do as usual. fixes elastic/security-team/issues/1704 * fix legacy tests * add relevant additional tests * remove duplicate test * update tests * cleanup review changes refs elastic/security-team/issues/1704 * fix lint * Use correct mapping keys when writing to index * write record on new index when action request fails to write to `.fleet-actions` review comments * better error message review comment Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Ashokaditya <[email protected]>
jloleysens
added a commit
to jloleysens/kibana
that referenced
this pull request
Oct 13, 2021
…ide-users-to-saving-ux * 'master' of github.com:elastic/kibana: (133 commits) [DOCS] Indicate reports are a subscription feature (elastic#114653) Update namespace for indices (elastic#114612) [DOCS] Adds Logstash pipeline settings (elastic#114648) Bump EPR snapshot version used for tests (elastic#114529) [Security Solution] [Endpoint] Fleet summary card adjustments (elastic#114291) skip flaky suite (elastic#68400) [Visualizations] fix usage of optional dependencies (elastic#114286) [Security Solution] [Detections] Improves custom query rule upgrade test (elastic#114454) [fleet] Add Integration Preference selector (elastic#114432) [Reporting] Add new `data-render-error` attribute (elastic#114472) Replace EuiCodeEditor with CodeEditor in app-services code (elastic#114316) [data views] add getDefaultDataView method (elastic#113891) [Security Solution] [Endpoint] Event filters uses the new card design (elastic#114126) [fleet] Tweak Header UI (elastic#114704) [APM] Filter on tx metrics for instance stats (elastic#114758) [APM] Fix typo in linting docs (elastic#114764) [Discover] Removing SavedObject usage for savedSearch (elastic#112983) [Fleet] Add Integration Policy Page Improvements (elastic#114556) [Lens] Keep the custom label when transitioning to/from Formula (elastic#114270) [Security Solution][Endpoint] Host Isolation API changes (elastic#113621) ...
ashokaditya
added a commit
that referenced
this pull request
Oct 19, 2021
* rename legacy actions/responses fixes elastic/security-team/issues/1702 * use correct name for responses index refs /pull/113621 * extract helper method to utils * append endpoint responses docs to activity log * Show completed responses on activity log fixes elastic/security-team/issues/1703 * remove width restriction on date picker * add a simple test to verify endpoint responses fixes elastic/security-team/issues/1702 * find unique action_ids from `.fleet-actions` and `.logs-endpoint.actions-default` indices fixes elastic/security-team/issues/1702 * do not filter out endpoint only actions/responses that did not make it to Fleet review comments * use a constant to manage various doc types review comments * refactor `getActivityLog` Simplify `getActivityLog` so it is easier to reason with. review comments * skip this for now will mock this better in a new PR * improve types * display endpoint actions similar to fleet actions, but with success icon color * Correctly do mocks for tests * Include only errored endpoint actions, remove successful duplicates fixes elastic/security-team/issues/1703 * Update tests to use non duplicate action_ids review comments fixes elastic/security-team/issues/1703 * show correct action title review fixes * statusCode constant review change * rename review changes * Update translations.ts refs 74a8340 Co-authored-by: Kibana Machine <[email protected]>
kibanamachine
added a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 19, 2021
) * rename legacy actions/responses fixes elastic/security-team/issues/1702 * use correct name for responses index refs elastic/pull/113621 * extract helper method to utils * append endpoint responses docs to activity log * Show completed responses on activity log fixes elastic/security-team/issues/1703 * remove width restriction on date picker * add a simple test to verify endpoint responses fixes elastic/security-team/issues/1702 * find unique action_ids from `.fleet-actions` and `.logs-endpoint.actions-default` indices fixes elastic/security-team/issues/1702 * do not filter out endpoint only actions/responses that did not make it to Fleet review comments * use a constant to manage various doc types review comments * refactor `getActivityLog` Simplify `getActivityLog` so it is easier to reason with. review comments * skip this for now will mock this better in a new PR * improve types * display endpoint actions similar to fleet actions, but with success icon color * Correctly do mocks for tests * Include only errored endpoint actions, remove successful duplicates fixes elastic/security-team/issues/1703 * Update tests to use non duplicate action_ids review comments fixes elastic/security-team/issues/1703 * show correct action title review fixes * statusCode constant review change * rename review changes * Update translations.ts refs elastic@74a8340 Co-authored-by: Kibana Machine <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Oct 19, 2021
…115492) * rename legacy actions/responses fixes elastic/security-team/issues/1702 * use correct name for responses index refs /pull/113621 * extract helper method to utils * append endpoint responses docs to activity log * Show completed responses on activity log fixes elastic/security-team/issues/1703 * remove width restriction on date picker * add a simple test to verify endpoint responses fixes elastic/security-team/issues/1702 * find unique action_ids from `.fleet-actions` and `.logs-endpoint.actions-default` indices fixes elastic/security-team/issues/1702 * do not filter out endpoint only actions/responses that did not make it to Fleet review comments * use a constant to manage various doc types review comments * refactor `getActivityLog` Simplify `getActivityLog` so it is easier to reason with. review comments * skip this for now will mock this better in a new PR * improve types * display endpoint actions similar to fleet actions, but with success icon color * Correctly do mocks for tests * Include only errored endpoint actions, remove successful duplicates fixes elastic/security-team/issues/1703 * Update tests to use non duplicate action_ids review comments fixes elastic/security-team/issues/1703 * show correct action title review fixes * statusCode constant review change * rename review changes * Update translations.ts refs 74a8340 Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Ashokaditya <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Host isolation API changes that take into account if the new endpoint data streams are present.
If yes then add an action request doc to the new data stream as the user before writing to the
.fleet-actionsindex as Kibana.If no then the host isolation API works as usual.
Checklist
Delete any items that are not applicable to this PR.