From efe466b47bc6f002a5d256c795b95be2f0d4399c Mon Sep 17 00:00:00 2001
From: Paul Tavares <56442535+paul-tavares@users.noreply.github.com>
Date: Fri, 26 Apr 2024 10:31:44 -0400
Subject: [PATCH] [8.14] [Security Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765) (#181839)
# Backport
This will backport the following commits from `main` to `8.14`:
- [[Security Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765)](https://github.com/elastic/kibana/pull/181765)
### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
---
 .../data_generators/sentinelone_data_generator.ts | 4 ++--
 .../endpoint/service/response_actions/sentinel_one.ts | 4 ++--
 x-pack/plugins/security_solution/common/index.ts | 2 +-
 .../sentinelone/sentinel_one_actions_client.test.ts | 8 ++++----
 .../clients/sentinelone/sentinel_one_actions_client.ts | 6 +++---
 5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts b/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
index 54862b4a51549..43384ec5bc947 100644
--- a/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
@@ -9,7 +9,7 @@ import type { DeepPartial } from 'utility-types';
 import { merge } from 'lodash';
 import type { SearchResponse, SearchHit } from '@elastic/elasticsearch/lib/api/types';
 import { EndpointActionGenerator } from './endpoint_action_generator';
-import { SENTINEL_ONE_ACTIVITY_INDEX } from '../..';
+import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../..';
 import type {
 LogsEndpointAction,
 SentinelOneActivityEsDoc,
@@ -61,7 +61,7 @@ export class SentinelOneDataGenerator extends EndpointActionGenerator {
 ): SearchHit {
 const hit = this.toEsSearchHit(
 this.generateActivityEsDoc(overrides),
- SENTINEL_ONE_ACTIVITY_INDEX
+ SENTINEL_ONE_ACTIVITY_INDEX_PATTERN
 );
 hit.inner_hits = {
diff --git a/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts b/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts
index 761e1de67cd28..786e43dae61ac 100644
--- a/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts
@@ -6,6 +6,6 @@
 */
 /**
- * Index name where the SentinelOne activity log is written to by the SentinelOne integration
+ * Index pattern where the SentinelOne activity log is written to by the SentinelOne integration
 */
-export const SENTINEL_ONE_ACTIVITY_INDEX = 'logs-sentinel_one.activity-default';
+export const SENTINEL_ONE_ACTIVITY_INDEX_PATTERN = 'logs-sentinel_one.activity-*';
diff --git a/x-pack/plugins/security_solution/common/index.ts b/x-pack/plugins/security_solution/common/index.ts
index 46dfd562ee8a6..fb5caa2268f3b 100644
--- a/x-pack/plugins/security_solution/common/index.ts
+++ b/x-pack/plugins/security_solution/common/index.ts
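Review bot: The doc comment on `SENTINEL_ONE_ACTIVITY_INDEX_PATTERN` in sentinel_one.ts should say why the value widened from a concrete data stream to a wildcard, since that value is the whole fix: the old `logs-sentinel_one.activity-default` covered only the integration's `default` namespace, so (presumably) activity written under any other namespace was never searched. Suggest `/** Index pattern for the SentinelOne activity log written by the SentinelOne integration. The trailing -* matches every namespace, not only default, so searches against it span all SentinelOne activity data streams. */`. It is also worth recording in that comment that, unlike a concrete index name, a pattern that resolves to no index yields an empty search result rather than an index-not-found error.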
@@ -22,7 +22,7 @@ export {
 export { ELASTIC_SECURITY_RULE_ID } from './detection_engine/constants';
 export { ENABLED_FIELD } from './detection_engine/rule_management/rule_fields';
 export { allowedExperimentalValues, type ExperimentalFeatures } from './experimental_features';
-export { SENTINEL_ONE_ACTIVITY_INDEX } from './endpoint/service/response_actions/sentinel_one';
+export { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from './endpoint/service/response_actions/sentinel_one';
 // Careful of exporting anything from this file as any file(s) you export here will cause your page bundle size to increase.
 // If you're using functions/types/etc... internally it's best to import directly from their paths than expose the functions/types/etc... here.
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts
index 9d96ca462c53d..049e35cb52042 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts
@@ -19,7 +19,7 @@ import {
 } from '../../../../../../common/endpoint/constants';
 import type { NormalizedExternalConnectorClient } from '../../..';
 import { applyEsClientSearchMock } from '../../../../mocks/utils.mock';
-import { SENTINEL_ONE_ACTIVITY_INDEX } from '../../../../../../common';
+import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../../../../../../common';
 import { SentinelOneDataGenerator } from '../../../../../../common/endpoint/data_generators/sentinelone_data_generator';
 import type {
 EndpointActionResponse,
@@ -412,7 +412,7 @@ describe('SentinelOneActionsClient class', () => {
 applyEsClientSearchMock({
 esClientMock: classConstructorOptions.esClient,
- index: SENTINEL_ONE_ACTIVITY_INDEX,
+ index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 response: s1ActivitySearchResponse,
 });
 });
@@ -493,7 +493,7 @@ describe('SentinelOneActionsClient class', () => {
 sort: [{ 'sentinel_one.activity.updated_at': 'asc' }],
 },
 },
- index: SENTINEL_ONE_ACTIVITY_INDEX,
+ index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 query: {
 bool: {
 minimum_should_match: 1,
@@ -533,7 +533,7 @@ describe('SentinelOneActionsClient class', () => {
 sort: [{ 'sentinel_one.activity.updated_at': 'asc' }],
 },
 },
- index: SENTINEL_ONE_ACTIVITY_INDEX,
+ index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 query: {
 bool: {
 minimum_should_match: 1,
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts
index f70305e4bac07..7a6ea0f071a4c 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts
@@ -24,7 +24,7 @@ import type {
 NormalizedExternalConnectorClientExecuteOptions,
 NormalizedExternalConnectorClient,
 } from '../lib/normalized_external_connector_client';
-import { SENTINEL_ONE_ACTIVITY_INDEX } from '../../../../../../common';
+import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../../../../../../common';
 import { catchAndWrapError } from '../../../../utils';
 import type {
 CommonResponseActionMethodOptions,
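Review bot: In the test hunks at -412, -493 and -533 both the mock (`index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN` inside `applyEsClientSearchMock`) and the expected search request reference the same constant the client imports, so these tests pass for any value of the constant and would not catch a regression back to a single-namespace index name, which is the defect this commit fixes. One assertion on the literal would close that gap, e.g. `expect(SENTINEL_ONE_ACTIVITY_INDEX_PATTERN).toBe('logs-sentinel_one.activity-*');`. The enclosing `describe` block starts and ends outside these hunks.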
@@ -473,7 +473,7 @@ export class SentinelOneActionsClient extends ResponseActionsClientImpl {
 };
 const searchRequestOptions: SearchRequest = {
- index: SENTINEL_ONE_ACTIVITY_INDEX,
+ index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 query,
 // There may be many documents for each host/agent, so we collapse it and only get back the
 // first one that came in after the isolate request was sent
@@ -493,7 +493,7 @@ export class SentinelOneActionsClient extends ResponseActionsClientImpl {
 };
 this.log.debug(
- `searching for ${command} responses from [${SENTINEL_ONE_ACTIVITY_INDEX}] index with:\n${stringify(
+ `searching for ${command} responses from [${SENTINEL_ONE_ACTIVITY_INDEX_PATTERN}] index with:\n${stringify(
 searchRequestOptions,
 15
 )}`
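Review bot: With `index` in `searchRequestOptions` now a wildcard pattern, a search that resolves to no index returns zero hits instead of the index_not_found error that the concrete `-default` name produced, so any "integration not installed / no activity yet" handling downstream of this search (outside the hunk) would now see an empty result rather than an error. If that distinction matters to the caller, add `allow_no_indices: false,` next to `index` to keep the error behaviour; otherwise a comment on the `index` line such as `// pattern spans every SentinelOne namespace; matches nothing (no error) when none exist yet` would make the new semantics explicit. The method containing this hunk starts and ends outside it.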