[EDR Workflows] Add RunScript API route (supporting CrowdStrike) #203101
Conversation
tomsonpl
added
Team:Defend Workflows
|
/ci |
|
/ci |
|
/ci |
|
/ci |
|
/ci |
|
/ci |
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
tomsonpl
requested review from
szwarckonrad and
paul-tavares
and removed request for
pzl and
parkiino
| schema.string({ | ||
| minLength: 1, | ||
| validate: (value) => { | ||
| if (!value.trim().length) { | ||
| return 'Raw cannot be an empty string'; | ||
| } | ||
| }, | ||
| }) |
There was a problem hiding this comment.
nit: extract to const nullableNonEmptyString = schema.maybe(schema.string...). We have those defined in multiple places too, maybe try looking for existing one
| @@ -73,7 +74,9 @@ describe('When displaying Endpoint Response Actions', () => { | |||
| HELP_GROUPS.responseActions.label | |||
| ); | |||
|
|
|||
| const expectedCommands: string[] = [...CONSOLE_RESPONSE_ACTION_COMMANDS]; | |||
| const expectedCommands: string[] = [ | |||
| ...CONSOLE_RESPONSE_ACTION_COMMANDS.filter((command) => command !== 'runscript'), | |||
There was a problem hiding this comment.
filter returns new array, I don`t see the need to spread
| /** | ||
| * The script to run | ||
| */ | ||
| Raw: schema.maybe( |
There was a problem hiding this comment.
I believe the other side expects properties with capital letters, but that’s not how we handle things. Since this endpoint is maintained by us, I’d suggest sticking to our standards and introducing a mapper or transformation to align with the standards of the next API we’ll be calling.
| @@ -299,6 +299,13 @@ const CODES = Object.freeze({ | |||
| 'xpack.securitySolution.endpointActionResponseCodes.scan.success', | |||
| { defaultMessage: 'Scan complete' } | |||
| ), | |||
|
|
|||
| // Dev: | |||
| // runscript success/competed | |||
There was a problem hiding this comment.
| // runscript success/competed | |
| // runscript success/completed |
# Conflicts: # x-pack/plugins/security_solution/common/endpoint/data_generators/endpoint_action_generator.ts # x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx # x-pack/plugins/security_solution/public/management/cypress/screens/responder.ts # x-pack/plugins/security_solution/server/endpoint/services/actions/action_list.test.ts
|
@szwarckonrad thanks for the review, I applied all the suggestions - besides the CapitalCase change to lowerCase in API params. We discussed this offline and it would be requiring transformations multiple times to reflect CrowdStrike UI and API, eg. UI Capital > Kibana API camel > CS Capital. For now we decided to go with the CapitalCase. Hope this is fine 👍 |
|
/ci |
💚 Build Succeeded
Metrics [docs]Async chunks
Unknown metric groupsReferences to deprecated APIs
History
cc @tomsonpl |
|
Starting backport for target branches: 8.x |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…stic#203101) (cherry picked from commit e993f23) # Conflicts: # x-pack/plugins/security_solution/server/endpoint/routes/actions/response_actions.ts
kibanamachine
added
the
backport missing
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
#203101) (#203722) # Backport This will backport the following commits from `main` to `8.x`: - [[EDR Workflows] Add RunScript API route (supporting CrowdStrike) (#203101)](#203101) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Tomasz Ciecierski","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-11T08:18:35Z","message":"[EDR Workflows] Add RunScript API route (supporting CrowdStrike) (#203101)","sha":"e993f2388111cf16798014e7c857f23df5ab7cdb","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","Team:Defend Workflows","release_note:feature","backport:version","v8.18.0"],"number":203101,"url":"https://github.com/elastic/kibana/pull/203101","mergeCommit":{"message":"[EDR Workflows] Add RunScript API route (supporting CrowdStrike) (#203101)","sha":"e993f2388111cf16798014e7c857f23df5ab7cdb"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203101","number":203101,"mergeCommit":{"message":"[EDR Workflows] Add RunScript API route (supporting CrowdStrike) (#203101)","sha":"e993f2388111cf16798014e7c857f23df5ab7cdb"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
kibanamachine
removed
the
backport missing
Summary
This PR introduces support for the CrowdStrike
runscriptAPI route. Below are detailed highlights of the changes.Key Changes
runscriptroute at/api/endpoint//action/run_scriptrunscriptis only enabled forCrowdStrikehosts--Raw--HostPath--CloudFile--CommandLine--TimeoutPrevious Steps
Next Steps
runscripton CrowdStrike host