[Defend Workflows] Defend Insights - Check existing Trusted Apps before creating an insight #207378
Conversation
szwarckonrad
changed the title
szwarckonrad
added
release_note:skip
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
| @@ -127,7 +133,7 @@ export const WorkflowInsightsResults = ({ | |||
| <EuiText size={'s'} color={'subdued'}> | |||
| {insight.message} | |||
| </EuiText> | |||
| <EuiText size={'xs'} color={'subdued'}> | |||
| <EuiText size={'xs'} color={'subdued'} css={'word-break: break-word'}> | |||
There was a problem hiding this comment.
longs paths were stretching out the container
| @@ -31,6 +31,7 @@ export const useFetchInsights = ({ endpointId, onSuccess }: UseFetchInsightsConf | |||
| query: { | |||
| actionTypes: JSON.stringify([ActionType.Refreshed]), | |||
| targetIds: JSON.stringify([endpointId]), | |||
| size: 100, | |||
There was a problem hiding this comment.
Without it the es' default 10 is being used, we expect more results than that with certain AVs
| @@ -57,6 +57,7 @@ export async function buildIncompatibleAntivirusWorkflowInsights( | |||
| const codeSignaturesHits = ( | |||
| await esClient.search<FileEventDoc>({ | |||
| index: FILE_EVENTS_INDEX_PATTERN, | |||
| size: eventIds.length, | |||
There was a problem hiding this comment.
This was also defaulting to 10 causing instances of paths with no matched signers.
There was a problem hiding this comment.
are eventIds always defined?
| (entry.field === 'process.Ext.code_signature' && typeof entry.value === 'string') | ||
| ) { | ||
| const sanitizedValue = (entry.value as string) | ||
| .replace(/[)(<>}{":\\]/gm, '\\$&') |
There was a problem hiding this comment.
This section aligns with the approach already implemented for the search bar in Trusted Applications - https://github.com/szwarckonrad/kibana/blob/da25d13a2ac5be97216e202bf5d6bda6ff920b3b/x-pack/solutions/security/plugins/security_solution/public/management/common/utils.ts#L10-L26
💚 Build Succeeded
Metrics [docs]Async chunks
History
|
| @@ -31,6 +31,7 @@ export const useFetchInsights = ({ endpointId, onSuccess }: UseFetchInsightsConf | |||
| query: { | |||
| actionTypes: JSON.stringify([ActionType.Refreshed]), | |||
| targetIds: JSON.stringify([endpointId]), | |||
| size: 100, | |||
| @@ -57,6 +57,7 @@ export async function buildIncompatibleAntivirusWorkflowInsights( | |||
| const codeSignaturesHits = ( | |||
| await esClient.search<FileEventDoc>({ | |||
| index: FILE_EVENTS_INDEX_PATTERN, | |||
| size: eventIds.length, | |||
There was a problem hiding this comment.
are eventIds always defined?
| (entry.field === 'process.Ext.code_signature' && typeof entry.value === 'string') | ||
| ) { | ||
| const sanitizedValue = (entry.value as string) | ||
| .replace(/[)(<>}{":\\]/gm, '\\$&') |
There was a problem hiding this comment.
I was hoping you could add a comment explaining the regex a bit? :)
| }); | ||
|
|
||
| if (remediationExists) { | ||
| return; |
There was a problem hiding this comment.
would it be useful to add a logger here or something?
This PR ensures that prepared insights are checked for an existing path and signer already added to the trusted app. If such insights are found, the execution is stopped. This resolves the issue of displaying insights to the user that have already been remediated.