From 2e67a2c538ada4d06820fc09ceabfc5d55a47ab1 Mon Sep 17 00:00:00 2001 From: Paul Tavares <56442535+paul-tavares@users.noreply.github.com> Date: Mon, 2 Dec 2024 16:59:35 -0500 Subject: [PATCH] [Security Solution][Endpoint] Show tooltip icon on `processes` response console command for SentinelOne Windows hosts (#201030) ## Summary - Displays a tooltip icon for the `processes` command on the Response Console for SentinelOne Windows hosts indicating that `processes` is not supported on those types of hosts (cherry picked from commit 40905c14ad7383cc9abf046b0fb44e98da1e448e) --- .../integration_tests/execute_action.test.tsx | 1 + .../get_file_action.test.tsx | 1 + .../get_processes_action.test.tsx | 1 + .../integration_tests/isolate_action.test.tsx | 1 + .../kill_process_action.test.tsx | 1 + .../integration_tests/release_action.test.tsx | 1 + .../integration_tests/scan_action.test.tsx | 1 + .../integration_tests/status_action.test.tsx | 1 + .../suspend_process_action.test.tsx | 1 + .../integration_tests/upload_action.test.tsx | 1 + .../lib/console_commands_definition.ts | 29 +++++++++++++++++- .../lib/get_command_about_info.tsx | 20 ++++++++----- .../console_commands_definition.test.tsx | 30 +++++++++++++++++-- .../hooks/use_with_show_responder.tsx | 1 + 14 files changed, 80 insertions(+), 10 deletions(-) diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx index 7e2a5bf622233..cd125348a688b 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/execute_action.test.tsx @@ -73,6 +73,7 @@ describe('When using execute action from response actions console', () => { endpointAgentId: 'a.b.c', endpointCapabilities: [...capabilities], endpointPrivileges, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx index 101c24c84e678..11fa0213394ce 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_file_action.test.tsx @@ -71,6 +71,7 @@ describe('When using get-file action from response actions console', () => { endpointAgentId: 'a.b.c', endpointCapabilities: [...ENDPOINT_CAPABILITIES], endpointPrivileges, + platform: 'linux', }; render = async (capabilities: EndpointCapabilities[] = [...ENDPOINT_CAPABILITIES]) => { diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx index d1922a7bf6e59..48a837a574432 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/get_processes_action.test.tsx @@ -59,6 +59,7 @@ describe('When using processes action from response actions console', () => { canSuspendProcess: true, canGetRunningProcesses: true, }, + platform: 'linux', }); }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx index b022fe15d5ed2..d702bfca9945d 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/isolate_action.test.tsx @@ -67,6 +67,7 @@ describe('When using isolate action from response actions console', () => { loading: false, canIsolateHost: true, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx index f1cf6937eef06..5f4a40b50d8a3 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/kill_process_action.test.tsx @@ -63,6 +63,7 @@ describe.skip('When using the kill-process action from response actions console' canSuspendProcess: true, canGetRunningProcesses: true, }, + platform: 'linux', }); }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx index 75278dd0f2c01..8e98d05247947 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/release_action.test.tsx @@ -46,6 +46,7 @@ const prepareTest = () => { canUnIsolateHost: true, loading: false, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx index e0fde4a2133d2..f82ad0aa19b68 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/scan_action.test.tsx @@ -83,6 +83,7 @@ describe('When using scan action from response actions console', () => { endpointAgentId: 'agent-a', endpointCapabilities: [...ENDPOINT_CAPABILITIES], endpointPrivileges, + platform: 'linux', }; render = async (capabilities: EndpointCapabilities[] = [...ENDPOINT_CAPABILITIES]) => { diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx index 47f1c0b9a47e3..b1367ee132eeb 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/status_action.test.tsx @@ -111,6 +111,7 @@ describe.skip('When using processes action from response actions console', () => ...getEndpointAuthzInitialState(), loading: false, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx index 1492acd862879..dd69a31ad36ed 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/suspend_process_action.test.tsx @@ -73,6 +73,7 @@ describe('When using the suspend-process action from response actions console', canSuspendProcess: true, canGetRunningProcesses: true, }, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx index a6493430615ff..ced1ea4d0e0ad 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/command_render_components/integration_tests/upload_action.test.tsx @@ -88,6 +88,7 @@ describe.skip('When using `upload` response action', () => { endpointAgentId: 'a.b.c', endpointCapabilities, endpointPrivileges, + platform: 'linux', }), }, }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts index c81674bd4f7b8..efc52fd59c326 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts @@ -153,6 +153,8 @@ export interface GetEndpointConsoleCommandsOptions { /** Applicable only for Endpoint Agents */ endpointCapabilities: ImmutableArray; endpointPrivileges: EndpointPrivileges; + /** Host's platform: windows, linux, macos */ + platform: string; } export const getEndpointConsoleCommands = ({ @@ -160,6 +162,7 @@ export const getEndpointConsoleCommands = ({ agentType, endpointCapabilities, endpointPrivileges, + platform, }: GetEndpointConsoleCommandsOptions): CommandDefinition[] => { const featureFlags = ExperimentalFeaturesService.get(); @@ -523,7 +526,7 @@ export const getEndpointConsoleCommands = ({ switch (agentType) { case 'sentinel_one': - return adjustCommandsForSentinelOne({ commandList: consoleCommands }); + return adjustCommandsForSentinelOne({ commandList: consoleCommands, platform }); case 'crowdstrike': return adjustCommandsForCrowdstrike({ commandList: consoleCommands }); default: @@ -543,8 +546,10 @@ const disableCommand = (command: CommandDefinition, agentType: ResponseActionAge /** @private */ const adjustCommandsForSentinelOne = ({ commandList, + platform, }: { commandList: CommandDefinition[]; + platform: string; }): CommandDefinition[] => { const featureFlags = ExperimentalFeaturesService.get(); const isKillProcessEnabled = featureFlags.responseActionsSentinelOneKillProcessEnabled; @@ -580,6 +585,28 @@ const adjustCommandsForSentinelOne = ({ ) ) { disableCommand(command, 'sentinel_one'); + } else { + // processes is not currently supported for Windows hosts + if (command.name === 'processes' && platform.toLowerCase() === 'windows') { + const message = i18n.translate( + 'xpack.securitySolution.consoleCommandsDefinition.sentineloneProcessesWindowRestriction', + { + defaultMessage: + 'Processes command is not currently supported for SentinelOne hosts running on Windows', + } + ); + + command.helpDisabled = true; + command.about = getCommandAboutInfo({ + aboutInfo: command.about, + isSupported: false, + dataTestSubj: 'sentineloneProcessesWindowsWarningTooltip', + tooltipContent: message, + }); + command.validate = () => { + return message; + }; + } } return command; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx index ddb5e345acc21..2b22d0067dc5b 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/get_command_about_info.tsx @@ -6,6 +6,7 @@ */ import React from 'react'; +import type { EuiToolTipProps } from '@elastic/eui'; import { EuiIconTip } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; @@ -17,23 +18,28 @@ const UNSUPPORTED_COMMAND_INFO = i18n.translate( } ); -const DisabledTooltip = React.memo(() => { - return ; -}); -DisabledTooltip.displayName = 'DisabledTooltip'; - export const getCommandAboutInfo = ({ aboutInfo, isSupported, + tooltipContent = UNSUPPORTED_COMMAND_INFO, + dataTestSubj, }: { - aboutInfo: string; + aboutInfo: React.ReactNode; isSupported: boolean; + tooltipContent?: EuiToolTipProps['content']; + dataTestSubj?: string; }) => { return isSupported ? ( aboutInfo ) : ( <> - {aboutInfo} + {aboutInfo}{' '} + ); }; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx index 7c1e5cf118df0..caf33de458f83 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx @@ -52,6 +52,7 @@ describe('When displaying Endpoint Response Actions', () => { endpointAgentId: '123', endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'linux', }); }); @@ -89,6 +90,8 @@ describe('When displaying Endpoint Response Actions', () => { responseActionsCrowdstrikeManualHostIsolationEnabled: true, responseActionsSentinelOneV1Enabled: true, responseActionsSentinelOneGetFileEnabled: true, + responseActionsSentinelOneKillProcessEnabled: true, + responseActionsSentinelOneProcessesEnabled: true, }); commands = getEndpointConsoleCommands({ @@ -96,6 +99,7 @@ describe('When displaying Endpoint Response Actions', () => { endpointAgentId: '123', endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'linux', }); }); @@ -110,13 +114,34 @@ describe('When displaying Endpoint Response Actions', () => { }); it('should display response action commands in the help panel in expected order', () => { - render({ commands }); + const { queryByTestId } = render({ commands }); consoleSelectors.openHelpPanel(); const commandsInPanel = helpPanelSelectors.getHelpCommandNames( HELP_GROUPS.responseActions.label ); - expect(commandsInPanel).toEqual(['isolate', 'release', 'get-file --path']); + expect(commandsInPanel).toEqual([ + 'isolate', + 'release', + 'processes', + 'kill-process --processName', + 'get-file --path', + ]); + expect(queryByTestId('sentineloneProcessesWindowsWarningTooltip')).toBeNull(); + }); + + it('should display warning icon on processes command if host is running on windows', () => { + commands = getEndpointConsoleCommands({ + agentType: 'sentinel_one', + endpointAgentId: '123', + endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], + endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'windows', + }); + const { getByTestId } = render({ commands }); + consoleSelectors.openHelpPanel(); + + expect(getByTestId('sentineloneProcessesWindowsWarningTooltip')).not.toBeNull(); }); }); @@ -130,6 +155,7 @@ describe('When displaying Endpoint Response Actions', () => { endpointAgentId: '123', endpointCapabilities: endpointMetadata.Endpoint.capabilities ?? [], endpointPrivileges: getEndpointPrivilegesInitialStateMock(), + platform: 'linux', }); }); diff --git a/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx b/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx index f7622681112bd..e3e830efcb047 100644 --- a/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx +++ b/x-pack/plugins/security_solution/public/management/hooks/use_with_show_responder.tsx @@ -71,6 +71,7 @@ export const useWithShowResponder = (): ShowResponseActionsConsole => { endpointAgentId: agentId, endpointCapabilities: capabilities, endpointPrivileges, + platform, }), 'data-test-subj': `${agentType}ResponseActionsConsole`, storagePrefix: 'xpack.securitySolution.Responder',