diff --git a/x-pack/plugins/security_solution/common/endpoint/constants.ts b/x-pack/plugins/security_solution/common/endpoint/constants.ts
index c8af729ec3a68..cf579f7ea5a90 100644
--- a/x-pack/plugins/security_solution/common/endpoint/constants.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/constants.ts
@@ -11,6 +11,8 @@ export const ENDPOINT_ACTIONS_DS = '.logs-endpoint.actions';
 export const ENDPOINT_ACTIONS_INDEX = `${ENDPOINT_ACTIONS_DS}-default`;
 export const ENDPOINT_ACTION_RESPONSES_DS = '.logs-endpoint.action.responses';
 export const ENDPOINT_ACTION_RESPONSES_INDEX = `${ENDPOINT_ACTION_RESPONSES_DS}-default`;
+// search in all namespaces and not only in default
+export const ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN = `${ENDPOINT_ACTION_RESPONSES_DS}-*`;
 export const eventsIndexPattern = 'logs-endpoint.events.*';
 export const alertsIndexPattern = 'logs-endpoint.alerts-*';
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/actions.ts b/x-pack/plugins/security_solution/server/endpoint/services/actions.ts
index fb9348d3f05bc..93a3da27a7d5a 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/actions.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions.ts
@@ -9,7 +9,7 @@ import { ElasticsearchClient, Logger } from 'kibana/server';
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { TransportResult } from '@elastic/elasticsearch';
 import { AGENT_ACTIONS_INDEX, AGENT_ACTIONS_RESULTS_INDEX } from '../../../../fleet/common';
-import { ENDPOINT_ACTION_RESPONSES_INDEX } from '../../../common/endpoint/constants';
+import { ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN } from '../../../common/endpoint/constants';
 import { SecuritySolutionRequestHandlerContext } from '../../types';
 import {
 ActivityLog,
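Review bot: The comment added above `ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN` in the constants.ts hunk says the value spans all namespaces but not that it is a wildcard rather than a concrete data stream, and the name differs from `ENDPOINT_ACTION_RESPONSES_INDEX` only by a suffix, so an import line alone does not tell a reader which one is safe as a write target. I would make it a TSDoc block, roughly `/** Wildcard over the action-responses data stream of every namespace. Use for reads that must span namespaces; keep ENDPOINT_ACTION_RESPONSES_INDEX for the default-namespace stream and for writes. */`. Because a `-*` pattern reaches backing indices of every namespace, each call site that moves to it should be checked for whether its Elasticsearch client carries the requesting user's privileges or the internal user's; that is inferred from the constant's purpose and is not visible in this file.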
@@ -293,7 +293,7 @@ const hasEndpointResponseDoc = async ({
 const response = await esClient
 .search(
 {
- index: ENDPOINT_ACTION_RESPONSES_INDEX,
+ index: ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
 size: 10000,
 body: {
 query: {
diff --git a/x-pack/plugins/security_solution/server/endpoint/utils/audit_log_helpers.ts b/x-pack/plugins/security_solution/server/endpoint/utils/audit_log_helpers.ts
index df28c7ca02dc2..4d548141e9819 100644
--- a/x-pack/plugins/security_solution/server/endpoint/utils/audit_log_helpers.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/utils/audit_log_helpers.ts
@@ -12,7 +12,7 @@ import { TransportResult } from '@elastic/elasticsearch';
 import { AGENT_ACTIONS_INDEX, AGENT_ACTIONS_RESULTS_INDEX } from '../../../../fleet/common';
 import {
 ENDPOINT_ACTIONS_INDEX,
- ENDPOINT_ACTION_RESPONSES_INDEX,
+ ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
 failedFleetActionErrorCode,
 } from '../../../common/endpoint/constants';
 import { SecuritySolutionRequestHandlerContext } from '../../types';
@@ -32,10 +32,12 @@ import {
 import { doesLogsEndpointActionsIndexExist } from '../utils';
 const actionsIndices = [AGENT_ACTIONS_INDEX, ENDPOINT_ACTIONS_INDEX];
-const responseIndices = [AGENT_ACTIONS_RESULTS_INDEX, ENDPOINT_ACTION_RESPONSES_INDEX];
+// search all responses indices irrelevant of namespace
+const responseIndices = [AGENT_ACTIONS_RESULTS_INDEX, ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN];
 export const logsEndpointActionsRegex = new RegExp(`(^\.ds-\.logs-endpoint\.actions-default-).+`);
+// matches index names like .ds-.logs-endpoint.action.responses-name_space---suffix-2022.01.25-000001
 export const logsEndpointResponsesRegex = new RegExp(
- `(^\.ds-\.logs-endpoint\.action\.responses-default-).+`
+ `(^\.ds-\.logs-endpoint\.action\.responses-\\w+-).+`
 );
 const queryOptions = {
 headers: {
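Review bot: Changing `index` to `ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN` in `hasEndpointResponseDoc` widens the search from the default-namespace stream to every namespace's response stream while `size: 10000` on the next line stays fixed, so the hit ceiling is now shared across all namespaces; if the query body (cut off below the hunk) is already narrowed to one action id this is harmless, otherwise hits past 10000 are dropped without any signal. Which `esClient` this runs under — internal user or the requesting user — is outside the hunk, so it should be confirmed that the caller's privileges, not the wildcard, still bound which namespaces are read. A one-line comment on the changed line, `// wildcard: spans the response stream of every namespace, not only default`, would make the widened scope visible at the call site. The body of hasEndpointResponseDoc starts and ends outside the hunk.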
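Review bot: In the new `logsEndpointResponsesRegex` source line the added `\\w+` is double-escaped (the RegExp receives `\w`), but the surrounding `\.` sequences are single-backslashed inside a template literal, which evaluates them to a bare `.` before `new RegExp` sees them, so every dot in this regex — and in `logsEndpointActionsRegex` on the line above — matches any character rather than a literal dot. The pattern still accepts well-formed backing index names, but for consistency with the `\\w` just introduced the dots should be `\\.`, e.g. `` `(^\\.ds-\\.logs-endpoint\\.action\\.responses-\\w+-).+` ``, or the whole thing written as a regex literal. Note also that `\w+` does not match `-`, so a namespace containing a hyphen would not be recognised; whether Fleet allows such namespaces is not visible here and is worth checking against its namespace validation, since the example in the added comment (`name_space---suffix`) suggests hyphens were considered. The added comment `// search all responses indices irrelevant of namespace` reads more clearly as `regardless of namespace`.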
@@ -231,7 +233,7 @@ export const getActionResponsesResult = async ({
 const hasLogsEndpointActionResponsesIndex = await doesLogsEndpointActionsIndexExist({
 context,
 logger,
- indexName: ENDPOINT_ACTION_RESPONSES_INDEX,
+ indexName: ENDPOINT_ACTION_RESPONSES_INDEX_PATTERN,
 });
 const responsesSearchQuery: SearchRequest = {
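Review bot: `doesLogsEndpointActionsIndexExist` is now given a wildcard (`...-*`) as `indexName` where it previously received a concrete data-stream name, and the helper lives in `../utils` outside this diff, so whether its existence check treats a pattern that matches no backing index as `false` — rather than as an error or as `true` — depends on how it calls Elasticsearch (presumably an exists request, where `allow_no_indices` and `expand_wildcards` decide the outcome) and should be confirmed, because `hasLogsEndpointActionResponsesIndex` presumably gates the responses query built right after. A comment on the changed line, `// wildcard: true if a responses stream exists in any namespace`, would state the intended semantics. The enclosing getActionResponsesResult starts and continues outside the hunk on both sides.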