Merge branch 'master' into search/telemetry

x-pack/plugins/lists/server/routes/create_exception_list_item_route.ts

@@ -16,6 +16,7 @@ import {
 } from '../../common/schemas';
 
 import { getExceptionListClient } from './utils/get_exception_list_client';
+import { endpointDisallowedFields } from './endpoint_disallowed_fields';
 
 export const createExceptionListItemRoute = (router: IRouter): void => {
  router.post(
@@ -70,6 +71,22 @@ export const createExceptionListItemRoute = (router: IRouter): void => {
  statusCode: 409,
  });
  } else {
+ if (exceptionList.type === 'endpoint') {
+ for (const entry of entries) {
+ if (entry.type === 'list') {
+ return siemResponse.error({
+ body: `cannot add exception item with entry of type "list" to endpoint exception list`,
+ statusCode: 400,
+ });
+ }
+ if (endpointDisallowedFields.includes(entry.field)) {
+ return siemResponse.error({
+ body: `cannot add endpoint exception item on field ${entry.field}`,
+ statusCode: 400,
+ });
+ }
+ }
+ }
  const createdList = await exceptionLists.createExceptionListItem({
  _tags,
  comments,

x-pack/plugins/lists/server/routes/endpoint_disallowed_fields.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const endpointDisallowedFields = [
+ 'file.Ext.quarantine_path',
+ 'file.Ext.quarantine_result',
+ 'process.entity_id',
+ 'process.parent.entity_id',
+ 'process.ancestry',
+];

x-pack/plugins/reporting/server/export_types/csv_from_savedobject/execute_job.ts

@@ -10,7 +10,6 @@ import { CONTENT_TYPE_CSV, CSV_FROM_SAVEDOBJECT_JOB_TYPE } from '../../../common
 import { RunTaskFnFactory, ScheduledTaskParams, TaskRunResult } from '../../types';
 import { createGenerateCsv } from '../csv/generate_csv';
 import { JobParamsPanelCsv, SearchPanel } from './types';
-import { getFakeRequest } from './lib/get_fake_request';
 import { getGenerateCsvParams } from './lib/get_csv_job';
 
 /*
@@ -44,19 +43,10 @@ export const runTaskFnFactory: RunTaskFnFactory<ImmediateExecuteFn> = function e
  const { jobParams } = jobPayload;
  const jobLogger = logger.clone([jobId === null ? 'immediate' : jobId]);
  const generateCsv = createGenerateCsv(jobLogger);
- const { isImmediate, panel, visType } = jobParams as JobParamsPanelCsv & {
- panel: SearchPanel;
- };
+ const { panel, visType } = jobParams as JobParamsPanelCsv & { panel: SearchPanel };
 
  jobLogger.debug(`Execute job generating [${visType}] csv`);
 
- if (isImmediate && req) {
- jobLogger.info(`Executing job from Immediate API using request context`);
- } else {
- jobLogger.info(`Executing job async using encrypted headers`);
- req = await getFakeRequest(jobPayload, config.get('encryptionKey')!, jobLogger);
- }
-
  const savedObjectsClient = context.core.savedObjects.client;
 
  const uiConfig = await reporting.getUiSettingsServiceFactory(savedObjectsClient);

x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx

@@ -23,6 +23,8 @@ import { BuilderButtonOptions } from './builder_button_options';
 import { getNewExceptionItem, filterExceptionItems } from '../helpers';
 import { ExceptionsBuilderExceptionItem, CreateExceptionListItemBuilderSchema } from '../types';
 import { Loader } from '../../loader';
+// eslint-disable-next-line @kbn/eslint/no-restricted-paths
+import exceptionableFields from '../exceptionable_fields.json';
 
 const MyInvisibleAndBadge = styled(EuiFlexItem)`
  visibility: hidden;
@@ -172,6 +174,17 @@ export const ExceptionBuilder = ({
  );
  }, [exceptions]);
 
+ // Filters index pattern fields by exceptionable fields if list type is endpoint
+ const filterIndexPatterns = useCallback(() => {
+ if (listType === 'endpoint') {
+ return {
+ ...indexPatterns,
+ fields: indexPatterns.fields.filter(({ name }) => exceptionableFields.includes(name)),
+ };
+ }
+ return indexPatterns;
+ }, [indexPatterns, listType]);
+
  // The builder can have existing exception items, or new exception items that have yet
  // to be created (and thus lack an id), this was creating some React bugs with relying
  // on the index, as a result, created a temporary id when new exception items are first
@@ -216,7 +229,7 @@ export const ExceptionBuilder = ({
  key={getExceptionListItemId(exceptionListItem, index)}
  exceptionItem={exceptionListItem}
  exceptionId={getExceptionListItemId(exceptionListItem, index)}
- indexPattern={indexPatterns}
+ indexPattern={filterIndexPatterns()}
  isLoading={indexPatternLoading}
  exceptionItemIndex={index}
  andLogicIncluded={andLogicIncluded}

x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json

@@ -0,0 +1,127 @@
+[
+ "Endpoint.policy.applied.id",
+ "Target.process.Ext.code_signature.status",
+ "Target.process.Ext.code_signature.subject_name",
+ "Target.process.Ext.code_signature.trusted",
+ "Target.process.Ext.code_signature.valid",
+ "Target.process.Ext.services",
+ "Target.process.Ext.user",
+ "Target.process.command_line",
+ "Target.process.executable",
+ "Target.process.hash.md5",
+ "Target.process.hash.sha1",
+ "Target.process.hash.sha256",
+ "Target.process.hash.sha512",
+ "Target.process.name",
+ "Target.process.parent.Ext.code_signature.status",
+ "Target.process.parent.Ext.code_signature.subject_name",
+ "Target.process.parent.Ext.code_signature.trusted",
+ "Target.process.parent.Ext.code_signature.valid",
+ "Target.process.parent.command_line",
+ "Target.process.parent.executable",
+ "Target.process.parent.hash.md5",
+ "Target.process.parent.hash.sha1",
+ "Target.process.parent.hash.sha256",
+ "Target.process.parent.hash.sha512",
+ "Target.process.parent.name",
+ "Target.process.parent.pgid",
+ "Target.process.parent.working_directory",
+ "Target.process.pe.company",
+ "Target.process.pe.description",
+ "Target.process.pe.file_version",
+ "Target.process.pe.original_file_name",
+ "Target.process.pe.product",
+ "Target.process.pgid",
+ "Target.process.working_directory",
+ "agent.id",
+ "agent.type",
+ "agent.version",
+ "elastic.agent.id",
+ "event.action",
+ "event.category",
+ "event.code",
+ "event.hash",
+ "event.kind",
+ "event.module",
+ "event.outcome",
+ "event.provider",
+ "event.type",
+ "file.Ext.code_signature.status",
+ "file.Ext.code_signature.subject_name",
+ "file.Ext.code_signature.trusted",
+ "file.Ext.code_signature.valid",
+ "file.attributes",
+ "file.device",
+ "file.directory",
+ "file.drive_letter",
+ "file.extension",
+ "file.gid",
+ "file.group",
+ "file.hash.md5",
+ "file.hash.sha1",
+ "file.hash.sha256",
+ "file.hash.sha512",
+ "file.inode",
+ "file.mime_type",
+ "file.mode",
+ "file.name",
+ "file.owner",
+ "file.path",
+ "file.pe.company",
+ "file.pe.description",
+ "file.pe.file_version",
+ "file.pe.original_file_name",
+ "file.pe.product",
+ "file.size",
+ "file.target_path",
+ "file.type",
+ "file.uid",
+ "group.Ext.real.id",
+ "group.domain",
+ "group.id",
+ "host.architecture",
+ "host.domain",
+ "host.id",
+ "host.os.Ext.variant",
+ "host.os.family",
+ "host.os.full",
+ "host.os.kernel",
+ "host.os.name",
+ "host.os.platform",
+ "host.os.version",
+ "host.type",
+ "process.Ext.code_signature.status",
+ "process.Ext.code_signature.subject_name",
+ "process.Ext.code_signature.trusted",
+ "process.Ext.code_signature.valid",
+ "process.Ext.services",
+ "process.Ext.user",
+ "process.command_line",
+ "process.executable",
+ "process.hash.md5",
+ "process.hash.sha1",
+ "process.hash.sha256",
+ "process.hash.sha512",
+ "process.name",
+ "process.parent.Ext.code_signature.status",
+ "process.parent.Ext.code_signature.subject_name",
+ "process.parent.Ext.code_signature.trusted",
+ "process.parent.Ext.code_signature.valid",
+ "process.parent.command_line",
+ "process.parent.executable",
+ "process.parent.hash.md5",
+ "process.parent.hash.sha1",
+ "process.parent.hash.sha256",
+ "process.parent.hash.sha512",
+ "process.parent.name",
+ "process.parent.pgid",
+ "process.parent.working_directory",
+ "process.pe.company",
+ "process.pe.description",
+ "process.pe.file_version",
+ "process.pe.original_file_name",
+ "process.pe.product",
+ "process.pgid",
+ "process.working_directory",
+ "rule.uuid"
+]

x-pack/plugins/security_solution/public/detections/components/alerts_histogram_panel/index.tsx

@@ -83,7 +83,7 @@ const NO_LEGEND_DATA: LegendItem[] = [];
 export const AlertsHistogramPanel = memo<AlertsHistogramPanelProps>(
  ({
  chartHeight,
- defaultStackByOption = alertsHistogramOptions[0],
+ defaultStackByOption = alertsHistogramOptions[8], // signal.rule.name
  deleteQuery,
  filters,
  headerChildren,

x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/ml_card_description.tsx

@@ -5,7 +5,8 @@
  */
 
 import { FormattedMessage } from '@kbn/i18n/react';
-import { EuiText, EuiLink } from '@elastic/eui';
+import { EuiLink } from '@elastic/eui';
+import styled from 'styled-components';
 import React from 'react';
 
 import { ML_TYPE_DESCRIPTION } from './translations';
@@ -15,11 +16,15 @@ interface MlCardDescriptionProps {
  hasValidLicense?: boolean;
 }
 
+const SmallText = styled.span`
+ font-size: ${({ theme }) => theme.eui.euiFontSizeS};
+`;
+
 const MlCardDescriptionComponent: React.FC<MlCardDescriptionProps> = ({
  subscriptionUrl,
  hasValidLicense = false,
 }) => (
- <EuiText size="s">
+ <SmallText>
  {hasValidLicense ? (
  ML_TYPE_DESCRIPTION
  ) : (
@@ -38,7 +43,7 @@ const MlCardDescriptionComponent: React.FC<MlCardDescriptionProps> = ({
  }}
  />
  )}
- </EuiText>
+ </SmallText>
 );
 
 MlCardDescriptionComponent.displayName = 'MlCardDescriptionComponent';

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/default_value.ts

@@ -18,6 +18,7 @@ export const stepAboutDefaultValue: AboutStepRule = {
  author: [],
  name: '',
  description: '',
+ isAssociatedToEndpointList: false,
  isBuildingBlock: false,
  isNew: true,
  severity: { value: 'low', mapping: [] },

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.test.tsx

@@ -165,6 +165,7 @@ describe('StepAboutRuleComponent', () => {
  await wait();
  const expected: Omit<AboutStepRule, 'isNew'> = {
  author: [],
+ isAssociatedToEndpointList: false,
  isBuildingBlock: false,
  license: '',
  ruleNameOverride: '',
@@ -223,6 +224,7 @@ describe('StepAboutRuleComponent', () => {
  await wait();
  const expected: Omit<AboutStepRule, 'isNew'> = {
  author: [],
+ isAssociatedToEndpointList: false,
  isBuildingBlock: false,
  license: '',
  ruleNameOverride: '',

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx

@@ -282,7 +282,20 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  }}
  />
  <EuiSpacer size="l" />
- <EuiFormRow label={I18n.BUILDING_BLOCK} isInvalid={false} fullWidth>
+ <EuiFormRow label={I18n.GLOBAL_ENDPOINT_EXCEPTION_LIST} fullWidth>
+ <CommonUseField
+ path="isAssociatedToEndpointList"
+ componentProps={{
+ idAria: 'detectionEngineStepAboutRuleAssociatedToEndpointList',
+ 'data-test-subj': 'detectionEngineStepAboutRuleAssociatedToEndpointList',
+ euiFieldProps: {
+ fullWidth: true,
+ isDisabled: isLoading,
+ },
+ }}
+ />
+ </EuiFormRow>
+ <EuiFormRow label={I18n.BUILDING_BLOCK} fullWidth>
  <CommonUseField
  path="isBuildingBlock"
  componentProps={{
@@ -291,7 +304,6 @@ const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({
  euiFieldProps: {
  fullWidth: true,
  isDisabled: isLoading,
- placeholder: '',
  },
  }}
  />