forked from elastic/kibana
Commit
[Security Solution][Endpoint] Change SentinelOne response actions to use `agent.id` instead of `observer.serial_number` (elastic#189535)

## Summary

### Security Solution impacts

PR updates the SentinelOne response actions to:

- use `sentinel_one.[data_type].agent.id` field to identify the host ID
  - With this change, our uses are no longer restricted to creating SIEM alerts only from the `logs-sentinel_one.alert*` index
  - Indexes that currently include the `*.agent.id` field:
    - `logs-sentinel_one.alert*`
    - `logs-sentinel_one.threat*`
    - `logs-sentinel_one.activity*`
    - `logs-sentinel_one.agent*`
- ❗ IMPORTANT ❗ :
  - Environments with a SIEM rule that looks for `observable.serial_number` field _(the field used prior to this PR to identify the agent id in the SentinelOne document)_ should update the rule to use one of the new fields (see screen capture below)
  - The following impacts were identified during testing for existing deployments that may already be using the SentinelOne bi-directional response actions (currently in Tech. Preview):
    1. User will no longer be able to download the output from a previous `get-file` command (this was just released 2 weeks ago to serverless).
    2. After an upgrade, if a user opens the console and clicks on the "Response actions history" button to display the host's response actions, they will **not** see the response actions in the list that were submitted prior to the upgrade. Those, however, will still be displayed in the (global) Response Actions History Log page.
- Dev script was updated to create a SIEM rule that looks at both `*.alert*` and `*.threat*` indexes
- Fixed the output for `processes` for SentinelOne to NOT display a Zip file passcode for the download (not needed)
- Fixed bug that prevented the Host's OS platform icon (linux, windows, macos) from being displayed in the console.

### Connector impacts

- SentinelOne connector sub-actions were updated to take in `agentId` as an argument instead of `agentUUID`
1 parent 017a9fd, commit 9aa3910. Showing 37 changed files with 630 additions and 345 deletions.
4 changes: 2 additions & 2 deletions
x-pack/plugins/actions/server/integration_tests/__snapshots__/connector_types.test.ts.snap
26 changes: 26 additions & 0 deletions
...urity_solution/public/common/lib/endpoint/utils/get_agent_type_for_agent_id_field.test.ts
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { getAgentTypeForAgentIdField } from './get_agent_type_for_agent_id_field'; | ||
import { RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS } from '../../../../../common/endpoint/service/response_actions/constants'; | ||
|
||
describe('getAgentTypeForAgentIdField()', () => { | ||
it('should return default agent type (endpoint) when field is unknown', () => { | ||
expect(getAgentTypeForAgentIdField('foo.bar')).toEqual('endpoint'); | ||
}); | ||
|
||
// A flat map of `Array<[agentType, field]>` | ||
const testConditions = Object.entries(RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS) | ||
.map(([agentType, fields]) => { | ||
return fields.map((field) => [agentType, field]); | ||
}) | ||
.flat(); | ||
|
||
it.each(testConditions)('should return `%s` for field `%s`', (agentType, field) => { | ||
expect(getAgentTypeForAgentIdField(field)).toEqual(agentType); | ||
}); | ||
}); |
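Review bot: the parameterised cases take both the input field and the expected agent type from `RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS`, the same constant the implementation iterates, so a wrong or missing entry in that constant (for example a leftover `observer.serial_number`, the field this commit replaces) cannot fail this test. Add at least one hard-coded case that asserts directly that `sentinel_one.alert.agent.id` (the `sentinel_one.[data_type].agent.id` field named in the commit message) resolves to the SentinelOne agent type, independent of the constant. Minor: `.map(([agentType, fields]) => fields.map((field) => [agentType, field])).flat()` reads more simply as a single `flatMap` over `Object.entries(RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS)`.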
26 changes: 26 additions & 0 deletions
...s/security_solution/public/common/lib/endpoint/utils/get_agent_type_for_agent_id_field.ts
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { ResponseActionAgentType } from '../../../../../common/endpoint/service/response_actions/constants'; | ||
import { RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS } from '../../../../../common/endpoint/service/response_actions/constants'; | ||
|
||
/** | ||
* Checks the provided `agentIdEcsField` path provided to see if it is being used by one | ||
* of the agent types that supports response actions and returns that agent type. | ||
* Defaults to `endpoint` if no match is found | ||
* @param agentIdEcsField | ||
*/ | ||
export const getAgentTypeForAgentIdField = (agentIdEcsField: string): ResponseActionAgentType => { | ||
for (const [fieldAgentType, fieldValues] of Object.entries( | ||
RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS | ||
)) { | ||
if (fieldValues.includes(agentIdEcsField)) { | ||
return fieldAgentType as ResponseActionAgentType; | ||
} | ||
} | ||
return 'endpoint'; | ||
}; |
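Review bot: the loop returns the first agent type whose field list contains `agentIdEcsField`, so if a path were ever listed under two agent types the result would silently depend on key order in `RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS`; either state in the JSDoc that the constant's field lists must be disjoint or add a test asserting that they are. The JSDoc should also say that callers cannot distinguish an unknown field from a genuine `endpoint` field, since both yield `'endpoint'` and the return value decides which response-action agent type handles the host; a mis-typed field in a SIEM rule would therefore fall through to Endpoint handling without any signal. Wording: `Checks the provided \`agentIdEcsField\` path provided` repeats "provided", and `@param agentIdEcsField` carries no description.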