[SIEM][Security Solution][Endpoint] Endpoint Artifact Manifest Management + Artifact Download and Distribution #67707
Conversation
Pinging @elastic/endpoint-app-team (Feature:Endpoint) |
Pinging @elastic/endpoint-response (Team:Endpoint Response) |
…nto exception-list-packager
} from '../../schemas'; | ||
import { ArtifactConstants } from './common'; | ||
|
||
export async function buildArtifact( |
I don't think this needs to be async
Yeah, we forgot to remove async when we removed the lzma compression this morning.
|
||
do { | ||
const response = await eClient.findExceptionListItem({ | ||
listId: 'endpoint_list', |
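Review bot: `listId: 'endpoint_list'` is a bare string literal inside the query loop; move it into a shared named constant (the `ArtifactConstants` module this PR already imports elsewhere is a natural home) so the server task and any UI code that queries the same list cannot drift apart.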
We should move this out into a common place because we'll need to use it in the UI too, I think
schemaVersion: string, | ||
entry: Entry | EntryNested | ||
): TranslatedEntry | undefined { | ||
let translatedEntry; |
I think you could give the variable a type of `TranslatedEntry` here and then you won't need to do `as TranslatedEntry` below.
return buildAndValidateResponse(req.params.identifier, cacheResp); | ||
} else { | ||
logger.debug(`Cache MISS artifact ${id}`); | ||
return scopedSOClient |
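Review bot: the cache-miss branch logs `${id}` but the cache-hit path returns on `req.params.identifier`; confirm both name the same value, and that the route's request schema constrains `identifier` to the schema version / OS / identifier / sha256 shape described in the PR summary before it reaches the saved-object `get`, so a malformed path segment fails validation instead of driving an arbitrary lookup.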
we could use awaits here too, I think
* master: (46 commits) [Visualize] Add missing advanced settings and custom label for pipeline aggs (elastic#69688) Use dynamic: false for config saved object mappings (elastic#70436) [Ingest Pipelines] Error messages (elastic#70167) [APM] Show transaction rate per minute on Observability Overview page (elastic#70336) Filter out error when calculating a label (elastic#69934) [Visualizations] Each visType returns its supported triggers (elastic#70177) [Telemetry] Report data shippers (elastic#64935) Reduce SavedObjects mappings for Application Usage (elastic#70475) [Lens] fix dimension label performance issues (elastic#69978) Skip failing endgame tests (elastic#70548) [SIEM] Reenabling Cypress tests (elastic#70397) [SIEM][Security Solution][Endpoint] Endpoint Artifact Manifest Management + Artifact Download and Distribution (elastic#67707) [Security] Adds field mapping support to rule creation (elastic#70288) SECURITY-ENDPOINT: add fields for events to metadata document (elastic#70491) Fixed assertion in hybrid index pattern test to iterate through indices (elastic#70130) [SIEM][Exceptions] - Exception builder component (elastic#67013) [Ingest Manager] Rename data sources to package configs (elastic#70259) skip suites blocking es snapshot promomotion (elastic#70532) [Metrics UI] Fix asynchronicity and error handling in Snapshot API (elastic#70503) fix export response (elastic#70473) ...
💔 Build Failed
Failed CI Steps / Test Failures:
- Kibana Pipeline / kibana-xpack-agent / X-Pack API Integration Tests.x-pack/test/api_integration/apis/fleet/setup·ts.apis Fleet Endpoints fleet_setup should create a fleet_enroll user and role
- Kibana Pipeline / kibana-xpack-agent / X-Pack Endpoint Functional Tests.x-pack/test/security_solution_endpoint/apps/endpoint.endpoint "before all" hook in "endpoint"
To update your PR or re-run it, just comment with:
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.
…ment + Artifact Download and Distribution (#67707) (#70758)
* stub out task for the exceptions list packager
* Hits list code and pages
* refactor
* Begin adding saved object and type definitions
* Transforms to endpoint exceptions
* Get internal SO client
* update messaging
* cleanup
* Integrating with task manager
* Integrated with task manager properly
* Begin adding schemas
* Add multiple OS and schema version support
* filter by OS
* Fixing sort
* Move to security_solutions
* siem -> securitySolution
* Progress on downloads, cleanup
* Add config, update artifact creation, add TODOs
* Fixing buffer serialization problem
* Adding cleanup to task
* Handle HEAD req
* proper header
* More robust task management
* single -> agnostic
* Fix OS filtering
* Scaffolding digital signatures / tests
* Adds route for creating endpoint user
* Cleanup
* persisting user
* Adding route to fetch created user
* Adding tests for translating exceptions
* Adding test for download API
* Download tweaks + artifact generation fixes
* reorganize
* fix imports
* Fixing test
* Changes id of SO
* integration tests setup
* Add first integration tests
* Cache layer
* more schema validation
* Set up for manifest update
* minor change
* remove setup code
* add manifest schema
* refactoring
* manifest rewrite (partial)
* finish scaffolding new manifest logic
* syntax errors
* more refactoring
* Move to endpoint directory
* minor cleanup
* clean up old artifacts
* Use diff appropriately
* Fix download
* schedule task on interval
* Split up into client/manager
* more mocks
* config interval
* Fixing download tests and adding cache tests
* lint
* mo money, mo progress
* Converting to io-ts
* More tests and mocks
* even more tests and mocks
* Merging both refactors
* Adding more tests for the conversion layer
* fix conflicts
* Adding lzma types
* Bug fixes
* lint
* resolve some type errors
* Adding back in cache
* Fixing download test
* Changing cache to be sized
* Fix manifest manager initialization
* Hook up datasource service
* Fix download tests
* Incremental progress
* Adds integration with ingest manager for auth
* Update test fixture
* Add manifest dispatch
* Refactoring to use the same SO Client from ingest
* bug fixes
* build renovate config
* Fix endpoint_app_context_services tests
* Only index the fields that are necessary for searching
* Integ test progress
* mock and test city
* Add task tests
* Tests for artifact_client and manifest_client
* Add manifest_manager tests
* minor refactor
* Finish manifest_manager tests
* Type errors
* Update integ test
* Type errors, final cleanup
* Fix integration test and add test for invalid api key
* minor fixup
* Remove compression
* Update task interval
* Removing .text suffix from translated list
* Fixes hashes for unit tests
* clean up yarn.lock
* Remove lzma-native from package.json
* missed updating one of the tests
Co-authored-by: Alex Kahan <alexander.kahan@elastic.co>
Co-authored-by: Alex Kahan <alexander.kahan@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Summary
This PR manages the entire lifecycle of exception list artifacts which will be delivered to the Elastic Endpoint. Major features include:
- A periodic task runner that compresses them (compression TBD in next PR), and computes hashes
- A new Kibana endpoint for downloading the artifacts
Properties
Eventual Consistency from `lists` to `ingest_manager`
The feature has been designed to run seamlessly in a multi-Kibana environment. The manifest SO that is committed is intended as a kind of "ack" to indicate that a manifest has been dispatched (written to ingest manager datasource). In the event of an unexpected server crash, it's possible that a manifest can be dispatched more than once, however it should never be possible for a manifest change to be lost.
There is one potential edge case... on the callback for datasource create, we're unable to verify that the change is actually committed at the ingest manager layer. A crash after we return could result in a manifest update being lost. Revisit this?
Consistency of the Artifact Manifest
The TaskManager plugin is leveraged for maintenance of the artifacts and the manifest commit records. This should ensure that only one task is running at once, however we do also have the ingestManager callback that runs when a datasource is created. In order to prevent race conditions and therefore consistency issues on the manifest, we utilize the `version` that is returned using the SavedObjectsClient APIs. If two clients attempt to make simultaneous updates against the same base version, a conflict (409) will be encountered, and the manifest will be updated on the next task run (within 60 seconds) if necessary.
Scale Considerations
The artifact manifest is now sent to the endpoint via the config/policy mechanism. The manifest can only be updated every 60 seconds, with the exception of when a new datasource is created, which could result in an out-of-band manifest update.
Artifacts are saved using a pre-calculated document ID, which encapsulates the schema version, operating system, artifact identifier, and fingerprint (a sha256 hash). Though downloads are currently managed through a Kibana API, we try to make the lookup as quickly as possible by utilizing a direct `get` by ID, and by utilizing an in-memory FIFO cache per client.
Testing
- `artifact_manifest` is also now contained in the Endpoint datasource
To Do
- add manifest endpoint
- etag to cache manifest download
- digitally sign manifest using RSA keypair
To be addressed in follow-up PR
- async/await to `then` (SO client abstractions should return `null` to avoid try/catch when possible)
- `@ts-ignore` type errors
- `if(someType.is(...))` to `as`)
Checklist
Delete any items that are not applicable to this PR.
- Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
- Documentation was added for features that require explanation or tutorials
- This was checked for keyboard-only and screenreader accessibility
- This renders correctly on smaller devices using a responsive layout. (You can test this in your browser
- This was checked for cross-browser compatibility, including a check against IE11
For maintainers
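An added illustration (example code, not the PR's own implementation) of the two consistency mechanisms described in the summary: the pre-calculated artifact document id built from schema version, OS, identifier and sha256 fingerprint, and the `version`-based optimistic concurrency where a stale writer receives a 409 and leaves the update to the next task run. The `-` separator in the id, the manifest id, the `FakeSoClient` stand-in and the constructed artifact bodies are assumptions of this example.

```typescript
import { createHash } from 'crypto';

// Assumed minimal models for this example (not the PR's own types).
export interface ArtifactDoc { id: string; schemaVersion: string; os: string; identifier: string; sha256: string; body: string }
export interface ManifestAttrs { artifacts: string[] }

// Pre-calculated document id from the four parts the PR summary names; the "-" join is an assumption.
export function buildArtifact(schemaVersion: string, os: string, identifier: string, body: string): ArtifactDoc {
  const sha256 = createHash('sha256').update(body).digest('hex');
  return { id: `${schemaVersion}-${os}-${identifier}-${sha256}`, schemaVersion, os, identifier, sha256, body };
}

// Stand-in for the 409 a SavedObjectsClient returns when the supplied base version is stale.
export class ConflictError extends Error { readonly statusCode = 409; }

// Toy in-memory saved-objects client with optimistic concurrency on `version`.
export class FakeSoClient {
  private docs = new Map<string, { attributes: ManifestAttrs; version: number }>();
  get(id: string) { const d = this.docs.get(id); return d ? { attributes: d.attributes, version: d.version } : null; }
  create(id: string, attributes: ManifestAttrs) { this.docs.set(id, { attributes, version: 1 }); return this.get(id)!; }
  update(id: string, attributes: ManifestAttrs, baseVersion: number) {
    const cur = this.docs.get(id);
    if (!cur || cur.version !== baseVersion) throw new ConflictError(`version conflict on ${id}`);
    this.docs.set(id, { attributes, version: cur.version + 1 });
    return this.get(id)!;
  }
}

// Two writers (the periodic task and the datasource-create callback) race on the same base version:
// one wins, the other gets a 409 and leaves the change to the next run, which re-reads before retrying.
export function raceManifestUpdate(client: FakeSoClient) {
  const manifestId = 'endpoint-manifest'; // assumed id for the manifest saved object
  const base = client.create(manifestId, { artifacts: [] }).version;
  const a = buildArtifact('v1', 'windows', 'endpoint-exceptionlist', '{"entries":[]}'); // constructed body
  const b = buildArtifact('v1', 'linux', 'endpoint-exceptionlist', '{"entries":[{"field":"x"}]}'); // constructed body
  client.update(manifestId, { artifacts: [a.id] }, base);
  let conflict = false;
  try {
    client.update(manifestId, { artifacts: [b.id] }, base); // same stale base version -> 409
  } catch (e) {
    conflict = (e as { statusCode?: number }).statusCode === 409;
  }
  const fresh = client.get(manifestId)!; // next task run: read the current version, merge, retry
  const final = client.update(manifestId, { artifacts: [...fresh.attributes.artifacts, b.id] }, fresh.version);
  return { conflict, finalVersion: final.version, artifacts: final.attributes.artifacts };
}
```

No change is lost: the losing writer's artifact is merged on the retry, and the version advances once per successful commit.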