check trusted apps before saving an insight

x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_hosts/view/details/components/insights/workflow_insights_results.tsx

@@ -42,6 +42,12 @@ const CustomEuiCallOut = styled(EuiCallOut)`
   }
 `;
 
+const ScrollableContainer = styled(EuiPanel)`
+  max-height: 500px;
+  overflow-y: auto;
+  padding: 0;
+`;
+
 export const WorkflowInsightsResults = ({
   results,
   scanCompleted,
@@ -127,7 +133,7 @@ export const WorkflowInsightsResults = ({
                     <EuiText size={'s'} color={'subdued'}>
                       {insight.message}
                     </EuiText>
-                    <EuiText size={'xs'} color={'subdued'}>
+                    <EuiText size={'xs'} color={'subdued'} css={'word-break: break-word'}>
                       {item.entries[0].type === 'match' &&
                         item.entries[0].field === 'process.executable.caseless' &&
                         item.entries[0].value}
@@ -173,7 +179,7 @@ export const WorkflowInsightsResults = ({
           <EuiSpacer size={'s'} />
         </>
       ) : null}
-      {insights}
+      <ScrollableContainer hasBorder>{insights}</ScrollableContainer>
     </>
   );
 };

x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_hosts/view/hooks/insights/use_fetch_insights.ts

@@ -31,6 +31,7 @@ export const useFetchInsights = ({ endpointId, onSuccess }: UseFetchInsightsConf
           query: {
             actionTypes: JSON.stringify([ActionType.Refreshed]),
             targetIds: JSON.stringify([endpointId]),
+            size: 100,
           },
         });
         onSuccess();

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/workflow_insights/builders/incompatible_antivirus.ts

@@ -57,6 +57,7 @@ export async function buildIncompatibleAntivirusWorkflowInsights(
       const codeSignaturesHits = (
         await esClient.search<FileEventDoc>({
           index: FILE_EVENTS_INDEX_PATTERN,
+          size: eventIds.length,
           query: {
             bool: {
               must: [

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/workflow_insights/helpers.test.ts

@@ -311,7 +311,7 @@ describe('helpers', () => {
       const filter = generateTrustedAppsFilter(insight);
 
       expect(filter).toContain(
-        'exception-list-agnostic.attributes.entries.entries.value:(*Example*Inc.*)'
+        'exception-list-agnostic.attributes.entries.entries.value:(*Example,*Inc.*)'
       );
     });
 
@@ -342,7 +342,7 @@ describe('helpers', () => {
       const filter = generateTrustedAppsFilter(insight);
 
       expect(filter).toContain(
-        'exception-list-agnostic.attributes.entries.entries.value:(*Example*Inc.*http//example.com*[example]*) AND exception-list-agnostic.attributes.entries.value:"example-value"'
+        'exception-list-agnostic.attributes.entries.entries.value:(*Example,*\\(Inc.\\)*http\\://example.com*[example]*) AND exception-list-agnostic.attributes.entries.value:"example-value"'
       );
     });
 

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/workflow_insights/helpers.ts

@@ -178,7 +178,7 @@ export const generateTrustedAppsFilter = (insight: SecurityWorkflowInsight): str
           (entry.field === 'process.Ext.code_signature' && typeof entry.value === 'string')
         ) {
           const sanitizedValue = (entry.value as string)
-            .replace(/[\)\(\<\>\}\{\"\:\\,]/gm, '')
+            .replace(/[)(<>}{":\\]/gm, '\\$&')
             .replace(/\s/gm, '*');
           return `exception-list-agnostic.attributes.entries.entries.value:(*${sanitizedValue}*)`;
         }