

[Security Solution][Endpoint] Search responses without a specific nam…
…espace to show pending actions (#123741)

* search responses without a specific namespace to show pending actions

fixes /issues/123707

* search over all endpoint response indices irrespective of namespace suffix

fixes /issues/123707

* match namespace suffixes for endpoint action and response indices

fixes /issues/123707
ashokaditya authored Jan 25, 2022
1 parent 7f7dbbb commit dfd8bfb
Showing 3 changed files with 10 additions and 6 deletions.
2 changes: 2 additions & 0 deletions x-pack/plugins/security_solution/common/endpoint/constants.ts
Expand Up @@ -11,6 +11,8 @@ export const ENDPOINT_ACTIONS_DS = '.logs-endpoint.actions';
export const ENDPOINT_ACTIONS_INDEX = `${ENDPOINT_ACTIONS_DS}-default`;
export const ENDPOINT_ACTION_RESPONSES_DS = '.logs-endpoint.action.responses';
export const ENDPOINT_ACTION_RESPONSES_INDEX = `${ENDPOINT_ACTION_RESPONSES_DS}-default`;
// search in all namespaces and not only in default
export const ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN = `${ENDPOINT_ACTION_RESPONSES_DS}-*`;

export const eventsIndexPattern = 'logs-endpoint.events.*';
export const alertsIndexPattern = 'logs-endpoint.alerts-*';
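Review bot: `ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN` widens reads to every namespace of the responses data stream, but the sibling `ENDPOINT_ACTIONS_INDEX` two lines above stays pinned to `-default`, and the third file's `actionsIndices` keeps using it, so an action presumably written under a non-default namespace would still not be found even though its response now would. If actions are only ever written to `-default` that asymmetry is fine, but it is worth stating next to the constants rather than leaving the reader to infer it. I would also make the new comment say what the wildcard matches: `// read pattern: every namespace of the action.responses data stream (-default, -<namespace>, …)`. Since `ENDPOINT_ACTION_RESPONSES_INDEX` stays exported alongside it, a one-line comment on each distinguishing "write target" from "read pattern" would stop the next caller picking the wrong one.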
Expand Up @@ -9,7 +9,7 @@ import { ElasticsearchClient, Logger } from 'kibana/server';
import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
import { TransportResult } from '@elastic/elasticsearch';
import { AGENT_ACTIONS_INDEX, AGENT_ACTIONS_RESULTS_INDEX } from '../../../../fleet/common';
import { ENDPOINT_ACTION_RESPONSES_INDEX } from '../../../common/endpoint/constants';
import { ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN } from '../../../common/endpoint/constants';
import { SecuritySolutionRequestHandlerContext } from '../../types';
import {
ActivityLog,
Expand Down Expand Up @@ -293,7 +293,7 @@ const hasEndpointResponseDoc = async ({
const response = await esClient
.search<LogsEndpointActionResponse>(
{
index: ENDPOINT_ACTION_RESPONSES_INDEX,
index: ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
size: 10000,
body: {
query: {
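Review bot: Switching `index:` from a concrete index to the `-*` pattern changes what happens when nothing matches: Elasticsearch answers a wildcard with no matching indices with an empty hit set (allow_no_indices defaults to true), whereas a missing concrete index is a 404, so any `index_not_found` handling around this search in `hasEndpointResponseDoc` may now be dead code; the function starts and ends outside the hunk, so I cannot see whether there is any. Because the index name no longer narrows the namespace, the query body below must do all the scoping by action id / agent id on its own — worth confirming it does. The pre-existing `size: 10000` cap now spans every namespace's responses rather than one, which I would at least note in a comment. A short comment on the `index:` line, `// wildcard across namespaces: a no-match yields empty hits, not a 404`, would keep the next reader from reintroducing an index-existence check here.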
Expand Up @@ -12,7 +12,7 @@ import { TransportResult } from '@elastic/elasticsearch';
import { AGENT_ACTIONS_INDEX, AGENT_ACTIONS_RESULTS_INDEX } from '../../../../fleet/common';
import {
ENDPOINT_ACTIONS_INDEX,
ENDPOINT_ACTION_RESPONSES_INDEX,
ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
failedFleetActionErrorCode,
} from '../../../common/endpoint/constants';
import { SecuritySolutionRequestHandlerContext } from '../../types';
Expand All @@ -32,10 +32,12 @@ import {
import { doesLogsEndpointActionsIndexExist } from '../utils';

const actionsIndices = [AGENT_ACTIONS_INDEX, ENDPOINT_ACTIONS_INDEX];
const responseIndices = [AGENT_ACTIONS_RESULTS_INDEX, ENDPOINT_ACTION_RESPONSES_INDEX];
// search all responses indices irrelevant of namespace
const responseIndices = [AGENT_ACTIONS_RESULTS_INDEX, ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN];
export const logsEndpointActionsRegex = new RegExp(`(^\.ds-\.logs-endpoint\.actions-default-).+`);
// matches index names like .ds-.logs-endpoint.action.responses-name_space---suffix-2022.01.25-000001
export const logsEndpointResponsesRegex = new RegExp(
`(^\.ds-\.logs-endpoint\.action\.responses-default-).+`
`(^\.ds-\.logs-endpoint\.action\.responses-\\w+-).+`
);
const queryOptions = {
headers: {
Expand Down Expand Up @@ -231,7 +233,7 @@ export const getActionResponsesResult = async ({
const hasLogsEndpointActionResponsesIndex = await doesLogsEndpointActionsIndexExist({
context,
logger,
indexName: ENDPOINT_ACTION_RESPONSES_INDEX,
indexName: ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
});

const responsesSearchQuery: SearchRequest = {
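Review bot: The rewritten `logsEndpointResponsesRegex` still builds its pattern from a plain template literal, where `\.` is an unrecognised escape that collapses to `.` before `RegExp` sees it — so every dot in `.ds-.logs-endpoint.action.responses-` matches any character, while `\\w+` on the same line is escaped correctly; the escaping is inconsistent within the new line, and the actions regex on the line above has the same pre-existing problem. A regex literal removes the double-escaping question entirely: `export const logsEndpointResponsesRegex = /(^\.ds-\.logs-endpoint\.action\.responses-\w+-).+/;`. Separately, `\w+` matches only `[A-Za-z0-9_]`, so for a namespace containing `-` (the comment's `name_space---suffix` example hints such values occur) the captured prefix stops at the first hyphen — harmless for a bare `test()`, but it changes what the group holds if anything reads it, so worth checking against Fleet's namespace validation. Passing `ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN` to `doesLogsEndpointActionsIndexExist` in the last hunk assumes that helper accepts index patterns rather than a single index name; its body is not in this commit.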

