[Defend Workflows] Defend Insights - Check existing Trusted Apps before creating an insight #207378
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
szwarckonrad
changed the title
szwarckonrad
added
release_note:skip
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
szwarckonrad
commented
Jan 23, 2025
| @@ -127,7 +133,7 @@ export const WorkflowInsightsResults = ({ | |||
| <EuiText size={'s'} color={'subdued'}> | |||
| {insight.message} | |||
| </EuiText> | |||
| <EuiText size={'xs'} color={'subdued'}> | |||
| <EuiText size={'xs'} color={'subdued'} css={'word-break: break-word'}> | |||
There was a problem hiding this comment.
longs paths were stretching out the container
| @@ -31,6 +31,7 @@ export const useFetchInsights = ({ endpointId, onSuccess }: UseFetchInsightsConf | |||
| query: { | |||
| actionTypes: JSON.stringify([ActionType.Refreshed]), | |||
| targetIds: JSON.stringify([endpointId]), | |||
| size: 100, | |||
There was a problem hiding this comment.
Without it the es' default 10 is being used, we expect more results than that with certain AVs
| @@ -57,6 +57,7 @@ export async function buildIncompatibleAntivirusWorkflowInsights( | |||
| const codeSignaturesHits = ( | |||
| await esClient.search<FileEventDoc>({ | |||
| index: FILE_EVENTS_INDEX_PATTERN, | |||
| size: eventIds.length, | |||
There was a problem hiding this comment.
This was also defaulting to 10 causing instances of paths with no matched signers.
There was a problem hiding this comment.
are eventIds always defined?
| (entry.field === 'process.Ext.code_signature' && typeof entry.value === 'string') | ||
| ) { | ||
| const sanitizedValue = (entry.value as string) | ||
| .replace(/[)(<>}{":\\]/gm, '\\$&') |
There was a problem hiding this comment.
This section aligns with the approach already implemented for the search bar in Trusted Applications - https://github.com/szwarckonrad/kibana/blob/da25d13a2ac5be97216e202bf5d6bda6ff920b3b/x-pack/solutions/security/plugins/security_solution/public/management/common/utils.ts#L10-L26
💚 Build Succeeded
Metrics [docs]Async chunks
History
|
tomsonpl
approved these changes
Jan 23, 2025
| @@ -31,6 +31,7 @@ export const useFetchInsights = ({ endpointId, onSuccess }: UseFetchInsightsConf | |||
| query: { | |||
| actionTypes: JSON.stringify([ActionType.Refreshed]), | |||
| targetIds: JSON.stringify([endpointId]), | |||
| size: 100, | |||
| @@ -57,6 +57,7 @@ export async function buildIncompatibleAntivirusWorkflowInsights( | |||
| const codeSignaturesHits = ( | |||
| await esClient.search<FileEventDoc>({ | |||
| index: FILE_EVENTS_INDEX_PATTERN, | |||
| size: eventIds.length, | |||
There was a problem hiding this comment.
are eventIds always defined?
| (entry.field === 'process.Ext.code_signature' && typeof entry.value === 'string') | ||
| ) { | ||
| const sanitizedValue = (entry.value as string) | ||
| .replace(/[)(<>}{":\\]/gm, '\\$&') |
There was a problem hiding this comment.
I was hoping you could add a comment explaining the regex a bit? :)
| }); | ||
|
|
||
| if (remediationExists) { | ||
| return; |
There was a problem hiding this comment.
would it be useful to add a logger here or something?
|
Starting backport for target branches: 8.x |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 24, 2025
…re creating an insight (elastic#207378) This PR ensures that prepared insights are checked for an existing path and signer already added to the trusted app. If such insights are found, the execution is stopped. This resolves the issue of displaying insights to the user that have already been remediated. (cherry picked from commit 910b9c5)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jan 24, 2025
…s before creating an insight (#207378) (#208153) # Backport This will backport the following commits from `main` to `8.x`: - [[Defend Workflows] Defend Insights - Check existing Trusted Apps before creating an insight (#207378)](#207378) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Konrad Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-24T09:24:33Z","message":"[Defend Workflows] Defend Insights - Check existing Trusted Apps before creating an insight (#207378)\n\nThis PR ensures that prepared insights are checked for an existing path\nand signer already added to the trusted app. If such insights are found,\nthe execution is stopped. This resolves the issue of displaying insights\nto the user that have already been remediated.","sha":"910b9c521b5768ec004c887021d6a04184579416","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend Workflows","backport:prev-minor","v8.18.0"],"title":"[Defend Workflows] Defend Insights - Check existing Trusted Apps before creating an insight","number":207378,"url":"https://github.com/elastic/kibana/pull/207378","mergeCommit":{"message":"[Defend Workflows] Defend Insights - Check existing Trusted Apps before creating an insight (#207378)\n\nThis PR ensures that prepared insights are checked for an existing path\nand signer already added to the trusted app. If such insights are found,\nthe execution is stopped. This resolves the issue of displaying insights\nto the user that have already been remediated.","sha":"910b9c521b5768ec004c887021d6a04184579416"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207378","number":207378,"mergeCommit":{"message":"[Defend Workflows] Defend Insights - Check existing Trusted Apps before creating an insight (#207378)\n\nThis PR ensures that prepared insights are checked for an existing path\nand signer already added to the trusted app. If such insights are found,\nthe execution is stopped. This resolves the issue of displaying insights\nto the user that have already been remediated.","sha":"910b9c521b5768ec004c887021d6a04184579416"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Konrad Szwarc <[email protected]>
JoseLuisGJ
pushed a commit
to JoseLuisGJ/kibana
that referenced
this pull request
Jan 27, 2025
…re creating an insight (elastic#207378) This PR ensures that prepared insights are checked for an existing path and signer already added to the trusted app. If such insights are found, the execution is stopped. This resolves the issue of displaying insights to the user that have already been remediated.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR ensures that prepared insights are checked for an existing path and signer already added to the trusted app. If such insights are found, the execution is stopped. This resolves the issue of displaying insights to the user that have already been remediated.