From ffb60a1fee2c10fbb78b6c9be3301c475e9be1d8 Mon Sep 17 00:00:00 2001
From: Tomasz Ciecierski
Date: Wed, 4 Oct 2023 21:52:46 +0200
Subject: [PATCH] [EDR Workflows] Use internal user to fetch automated actions and results (#167989)
---
 .../endpoint/response_actions/types.ts | 3 +-
 .../server/search_strategy/endpoint/index.ts | 36 +++++++++----------
 2 files changed, 17 insertions(+), 22 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/search_strategy/endpoint/response_actions/types.ts b/x-pack/plugins/security_solution/common/search_strategy/endpoint/response_actions/types.ts
index b7b5ca63a0b75..ae9de843f4dac 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/endpoint/response_actions/types.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/endpoint/response_actions/types.ts
@@ -17,8 +17,7 @@ export enum SortOrder {
 }
 
 export interface RequestBasicOptions extends IEsSearchRequest {
- factoryQueryType?: ResponseActionsQueries;
- aggregations?: Record;
+ factoryQueryType: ResponseActionsQueries;
 }
 
 export type ResponseActionsSearchHit = estypes.SearchHit<
diff --git a/x-pack/plugins/security_solution/server/search_strategy/endpoint/index.ts b/x-pack/plugins/security_solution/server/search_strategy/endpoint/index.ts
index 9638c44ee1775..ef7f6e6ae0dfa 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/endpoint/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/endpoint/index.ts
@@ -8,7 +8,6 @@
 import { map, mergeMap } from 'rxjs/operators';
 import type { ISearchStrategy, PluginStart } from '@kbn/data-plugin/server';
 import { shimHitsTotal } from '@kbn/data-plugin/server';
-import { ENHANCED_ES_SEARCH_STRATEGY } from '@kbn/data-plugin/common';
 import { from } from 'rxjs';
 import type {
 EndpointStrategyParseResponseType,
@@ -21,38 +20,35 @@ import type { EndpointFactory } from './factory/types';
 import type { EndpointAppContext } from '../../endpoint/types';
 import { endpointFactory } from './factory';
 
-function isObj(req: unknown): req is Record {
- return typeof req === 'object' && req !== null;
-}
-
-function assertValidRequestType(
- req: unknown
-): asserts req is EndpointStrategyRequestType & { factoryQueryType: EndpointFactoryQueryTypes } {
- if (!isObj(req) || req.factoryQueryType == null) {
- throw new Error('factoryQueryType is required');
- }
-}
-
 export const endpointSearchStrategyProvider = (
 data: PluginStart,
 endpointContext: EndpointAppContext
 ): ISearchStrategy, EndpointStrategyResponseType> => {
- const es = data.search.getSearchStrategy(
- ENHANCED_ES_SEARCH_STRATEGY
- ) as unknown as ISearchStrategy<
+ const es = data.search.searchAsInternalUser as unknown as ISearchStrategy<
 EndpointStrategyRequestType,
 EndpointStrategyParseResponseType
 >;
 
 return {
 search: (request, options, deps) => {
- assertValidRequestType(request);
-
+ if (request.factoryQueryType == null) {
+ throw new Error('factoryQueryType is required');
+ }
 return from(endpointContext.service.getEndpointAuthz(deps.request)).pipe(
 mergeMap((authz) => {
 const queryFactory: EndpointFactory = endpointFactory[request.factoryQueryType];
- const dsl = queryFactory.buildDsl(request, { authz });
- return es.search({ ...request, params: dsl }, options, deps).pipe(
+ const strictRequest = {
+ factoryQueryType: request.factoryQueryType,
+ sort: request.sort,
+ ...('alertIds' in request ? { alertIds: request.alertIds } : {}),
+ ...('agentId' in request ? { agentId: request.agentId } : {}),
+ ...('expiration' in request ? { expiration: request.expiration } : {}),
+ ...('actionId' in request ? { actionId: request.actionId } : {}),
+ ...('agents' in request ? { agents: request.agents } : {}),
+ } as EndpointStrategyRequestType;
+ const dsl = queryFactory.buildDsl(strictRequest, { authz });
+
+ return es.search({ ...strictRequest, params: dsl }, options, deps).pipe(
 map((response) => {
 return {
 ...response,
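Review bot: With `data.search.searchAsInternalUser` the query no longer runs under the caller's Elasticsearch privileges, yet nothing visible in `search` rejects the request on the basis of `authz` before `es.search` is called; the result of `getEndpointAuthz(deps.request)` is only handed to `queryFactory.buildDsl`. If the factories (outside this hunk) do not already fail closed, any caller who can reach this strategy reads the action and result indices through the internal user, so I would confirm that and add a comment above the `es` declaration such as `// Internal user: the caller's index privileges are not applied; access is limited by authz in buildDsl and the strictRequest allow-list`. `factoryQueryType` is only checked for null, so an unknown value leaves `queryFactory` undefined (or resolves an inherited key) and ends in a TypeError; `if (!Object.prototype.hasOwnProperty.call(endpointFactory, request.factoryQueryType)) throw new Error('unsupported factoryQueryType');` closes that. The `strictRequest` copy limits which keys are forwarded but passes their values unvalidated behind an `as EndpointStrategyRequestType` cast, so shape checks on `alertIds`, `agents` and the other fields still belong in a request schema. The `search` body continues past the end of the hunk.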