From e0669f99f2d0c5b450921a99cbc99db589671eb6 Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Wed, 20 Nov 2024 14:16:42 -0500 Subject: [PATCH 1/5] Enhance Command about info so that the tooltip text can be passed on input --- .../lib/get_command_about_info.tsx | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx index ddb5e345acc21..a7603662e91d7 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx @@ -6,6 +6,7 @@ */ import React from 'react'; +import type { EuiToolTipProps } from '@elastic/eui'; import { EuiIconTip } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; @@ -17,23 +18,20 @@ const UNSUPPORTED_COMMAND_INFO = i18n.translate( } ); -const DisabledTooltip = React.memo(() => { - return ; -}); -DisabledTooltip.displayName = 'DisabledTooltip'; - export const getCommandAboutInfo = ({ aboutInfo, isSupported, + tooltipContent = UNSUPPORTED_COMMAND_INFO, }: { - aboutInfo: string; + aboutInfo: React.ReactNode; isSupported: boolean; + tooltipContent?: EuiToolTipProps['content']; }) => { return isSupported ? ( aboutInfo ) : ( <> - {aboutInfo} + {aboutInfo} ); }; From 11bf716c738581df31ffbcf3868576b43a9b831a Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Wed, 20 Nov 2024 14:17:25 -0500 Subject: [PATCH 2/5] Display not supported indicator on `processes` command for sentinelone --- .../lib/console_commands_definition.ts | 23 ++++++++++++++++++- .../hooks/use_with_show_responder.tsx | 1 + 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts index c81674bd4f7b8..4e94c84099113 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts @@ -153,6 +153,8 @@ export interface GetEndpointConsoleCommandsOptions { /** Applicable only for Endpoint Agents */ endpointCapabilities: ImmutableArray; endpointPrivileges: EndpointPrivileges; + /** Host's platform: windows, linux, macos */ + platform: string; } export const getEndpointConsoleCommands = ({ @@ -160,6 +162,7 @@ export const getEndpointConsoleCommands = ({ agentType, endpointCapabilities, endpointPrivileges, + platform, }: GetEndpointConsoleCommandsOptions): CommandDefinition[] => { const featureFlags = ExperimentalFeaturesService.get(); @@ -523,7 +526,7 @@ export const getEndpointConsoleCommands = ({ switch (agentType) { case 'sentinel_one': - return adjustCommandsForSentinelOne({ commandList: consoleCommands }); + return adjustCommandsForSentinelOne({ commandList: consoleCommands, platform }); case 'crowdstrike': return adjustCommandsForCrowdstrike({ commandList: consoleCommands }); default: @@ -543,8 +546,10 @@ const disableCommand = (command: CommandDefinition, agentType: ResponseActionAge /** @private */ const adjustCommandsForSentinelOne = ({ commandList, + platform, }: { commandList: CommandDefinition[]; + platform: string; }): CommandDefinition[] => { const featureFlags = ExperimentalFeaturesService.get(); const isKillProcessEnabled = featureFlags.responseActionsSentinelOneKillProcessEnabled; @@ -580,6 +585,22 @@ const adjustCommandsForSentinelOne = ({ ) ) { disableCommand(command, 'sentinel_one'); + } else { + // processes is not currently supported for Windows hosts + if (command.name === 'processes' && platform.toLowerCase() === 'windows') { + command.helpDisabled = true; + command.about = getCommandAboutInfo({ + aboutInfo: command.about, + isSupported: false, + tooltipContent: i18n.translate( + 'xpack.securitySolution.consoleCommandsDefinition.sentineloneProcessesWindowRestriction', + { + defaultMessage: + 'Processes command is not currently supported for SentinelOne hosts running on Windows', + } + ), + }); + } } return command; diff --git a/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx b/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx index f7622681112bd..e3e830efcb047 100644 --- a/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx +++ b/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx @@ -71,6 +71,7 @@ export const useWithShowResponder = (): ShowResponseActionsConsole => { endpointAgentId: agentId, endpointCapabilities: capabilities, endpointPrivileges, + platform, }), 'data-test-subj': `${agentType}ResponseActionsConsole`, storagePrefix: 'xpack.securitySolution.Responder', From 749c8e2262d039a044fed4d36a656891d5cb2d0b Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Wed, 20 Nov 2024 14:21:54 -0500 Subject: [PATCH 3/5] Adjust all calls to `getEndpointConsoleCommands()` to pass in new `platform` prop --- .../integration_tests/execute_action.test.tsx | 1 + .../integration_tests/get_file_action.test.tsx | 1 + .../integration_tests/get_processes_action.test.tsx | 1 + .../integration_tests/isolate_action.test.tsx | 1 + .../integration_tests/kill_process_action.test.tsx | 1 + .../integration_tests/release_action.test.tsx | 1 + .../integration_tests/scan_action.test.tsx | 1 + .../integration_tests/status_action.test.tsx | 1 + .../integration_tests/suspend_process_action.test.tsx | 1 + .../integration_tests/upload_action.test.tsx | 1 + .../lib/integration_tests/console_commands_definition.test.tsx | 3 +++ 11 files changed, 13 insertions(+) diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx index 7e2a5bf622233..cd125348a688b 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx @@ -73,6 +73,7 @@ describe('When using execute action from response actions console', () => { endpointAgentId: 'a.b.c', endpointCapabilities: [...capabilities], endpointPrivileges, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx index 101c24c84e678..11fa0213394ce 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx @@ -71,6 +71,7 @@ describe('When using get-file action from response actions console', () => { endpointAgentId: 'a.b.c', endpointCapabilities: [...ENDPOINT_CAPABILITIES], endpointPrivileges, + platform: 'linux', }; render = async (capabilities: EndpointCapabilities[] = [...ENDPOINT_CAPABILITIES]) => { diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx index d1922a7bf6e59..48a837a574432 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx @@ -59,6 +59,7 @@ describe('When using processes action from response actions console', () => { canSuspendProcess: true, canGetRunningProcesses: true, }, + platform: 'linux', }); }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx index b022fe15d5ed2..d702bfca9945d 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx @@ -67,6 +67,7 @@ describe('When using isolate action from response actions console', () => { loading: false, canIsolateHost: true, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx index f1cf6937eef06..5f4a40b50d8a3 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx @@ -63,6 +63,7 @@ describe.skip('When using the kill-process action from response actions console' canSuspendProcess: true, canGetRunningProcesses: true, }, + platform: 'linux', }); }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx index 75278dd0f2c01..8e98d05247947 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx @@ -46,6 +46,7 @@ const prepareTest = () => { canUnIsolateHost: true, loading: false, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx index e0fde4a2133d2..f82ad0aa19b68 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx @@ -83,6 +83,7 @@ describe('When using scan action from response actions console', () => { endpointAgentId: 'agent-a', endpointCapabilities: [...ENDPOINT_CAPABILITIES], endpointPrivileges, + platform: 'linux', }; render = async (capabilities: EndpointCapabilities[] = [...ENDPOINT_CAPABILITIES]) => { diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx index 47f1c0b9a47e3..b1367ee132eeb 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx @@ -111,6 +111,7 @@ describe.skip('When using processes action from response actions console', () => ...getEndpointAuthzInitialState(), loading: false, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx index 1492acd862879..dd69a31ad36ed 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx @@ -73,6 +73,7 @@ describe('When using the suspend-process action from response actions console', canSuspendProcess: true, canGetRunningProcesses: true, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx index a6493430615ff..ced1ea4d0e0ad 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx @@ -88,6 +88,7 @@ describe.skip('When using `upload` response action', () => { endpointAgentId: 'a.b.c', endpointCapabilities, endpointPrivileges, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx index 7c1e5cf118df0..8df540af6279a 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx @@ -52,6 +52,7 @@ describe('When displaying Endpoint Response Actions', () => { endpointAgentId: '123', endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'linux', }); }); @@ -96,6 +97,7 @@ describe('When displaying Endpoint Response Actions', () => { endpointAgentId: '123', endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'linux', }); }); @@ -130,6 +132,7 @@ describe('When displaying Endpoint Response Actions', () => { endpointAgentId: '123', endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'linux', }); }); From a97c304bf6257c3aa64236fc80de94c7b125f443 Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Wed, 20 Nov 2024 14:35:39 -0500 Subject: [PATCH 4/5] Tests for S1 showing tooltip for processes for windows --- .../lib/console_commands_definition.ts | 1 + .../lib/get_command_about_info.tsx | 10 ++++++- .../console_commands_definition.test.tsx | 27 +++++++++++++++++-- 3 files changed, 35 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts index 4e94c84099113..0c297ddfddab2 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts @@ -592,6 +592,7 @@ const adjustCommandsForSentinelOne = ({ command.about = getCommandAboutInfo({ aboutInfo: command.about, isSupported: false, + dataTestSubj: 'sentineloneProcessesWindowsWarningTooltip', tooltipContent: i18n.translate( 'xpack.securitySolution.consoleCommandsDefinition.sentineloneProcessesWindowRestriction', { diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx index a7603662e91d7..2b22d0067dc5b 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx @@ -22,16 +22,24 @@ export const getCommandAboutInfo = ({ aboutInfo, isSupported, tooltipContent = UNSUPPORTED_COMMAND_INFO, + dataTestSubj, }: { aboutInfo: React.ReactNode; isSupported: boolean; tooltipContent?: EuiToolTipProps['content']; + dataTestSubj?: string; }) => { return isSupported ? ( aboutInfo ) : ( <> - {aboutInfo} + {aboutInfo}{' '} + ); }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx index 8df540af6279a..caf33de458f83 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx @@ -90,6 +90,8 @@ describe('When displaying Endpoint Response Actions', () => { responseActionsCrowdstrikeManualHostIsolationEnabled: true, responseActionsSentinelOneV1Enabled: true, responseActionsSentinelOneGetFileEnabled: true, + responseActionsSentinelOneKillProcessEnabled: true, + responseActionsSentinelOneProcessesEnabled: true, }); commands = getEndpointConsoleCommands({ @@ -112,13 +114,34 @@ describe('When displaying Endpoint Response Actions', () => { }); it('should display response action commands in the help panel in expected order', () => { - render({ commands }); + const { queryByTestId } = render({ commands }); consoleSelectors.openHelpPanel(); const commandsInPanel = helpPanelSelectors.getHelpCommandNames( HELP_GROUPS.responseActions.label ); - expect(commandsInPanel).toEqual(['isolate', 'release', 'get-file --path']); + expect(commandsInPanel).toEqual([ + 'isolate', + 'release', + 'processes', + 'kill-process --processName', + 'get-file --path', + ]); + expect(queryByTestId('sentineloneProcessesWindowsWarningTooltip')).toBeNull(); + }); + + it('should display warning icon on processes command if host is running on windows', () => { + commands = getEndpointConsoleCommands({ + agentType: 'sentinel_one', + endpointAgentId: '123', + endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], + endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'windows', + }); + const { getByTestId } = render({ commands }); + consoleSelectors.openHelpPanel(); + + expect(getByTestId('sentineloneProcessesWindowsWarningTooltip')).not.toBeNull(); }); }); From 1c2204bcd5115ad721278e4be14c5260642569d8 Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Mon, 2 Dec 2024 11:21:53 -0500 Subject: [PATCH 5/5] Add validation to `processes` command if user trys to use it on windows host --- .../lib/console_commands_definition.ts | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts index 0c297ddfddab2..efc52fd59c326 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts @@ -588,19 +588,24 @@ const adjustCommandsForSentinelOne = ({ } else { // processes is not currently supported for Windows hosts if (command.name === 'processes' && platform.toLowerCase() === 'windows') { + const message = i18n.translate( + 'xpack.securitySolution.consoleCommandsDefinition.sentineloneProcessesWindowRestriction', + { + defaultMessage: + 'Processes command is not currently supported for SentinelOne hosts running on Windows', + } + ); + command.helpDisabled = true; command.about = getCommandAboutInfo({ aboutInfo: command.about, isSupported: false, dataTestSubj: 'sentineloneProcessesWindowsWarningTooltip', - tooltipContent: i18n.translate( - 'xpack.securitySolution.consoleCommandsDefinition.sentineloneProcessesWindowRestriction', - { - defaultMessage: - 'Processes command is not currently supported for SentinelOne hosts running on Windows', - } - ), + tooltipContent: message, }); + command.validate = () => { + return message; + }; } }