[Security Solution][Exceptions] - Fixes bug for prepopulated endpoint exceptions (#94025)
### Summary Addresses #93559. In a previous PR where we added an id to exception entries, the case where exceptions are prepopulated for endpoint alerts was missed.
parent
89b23c06da
commit
37c9c5cc24
|
@ -723,15 +723,16 @@ describe('Exception helpers', () => {
|
|||
expect(prepopulatedItem.entries).toEqual([
|
||||
{
|
||||
entries: [
|
||||
{ field: 'subject_name', operator: 'included', type: 'match', value: '' },
|
||||
{ field: 'trusted', operator: 'included', type: 'match', value: '' },
|
||||
{ id: '123', field: 'subject_name', operator: 'included', type: 'match', value: '' },
|
||||
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: '' },
|
||||
],
|
||||
field: 'file.Ext.code_signature',
|
||||
type: 'nested',
|
||||
id: '123',
|
||||
},
|
||||
{ field: 'file.path.caseless', operator: 'included', type: 'match', value: '' },
|
||||
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: '' },
|
||||
{ field: 'event.code', operator: 'included', type: 'match', value: '' },
|
||||
{ id: '123', field: 'file.path.caseless', operator: 'included', type: 'match', value: '' },
|
||||
{ id: '123', field: 'file.hash.sha256', operator: 'included', type: 'match', value: '' },
|
||||
{ id: '123', field: 'event.code', operator: 'included', type: 'match', value: '' },
|
||||
]);
|
||||
});
|
||||
|
||||
|
@ -748,24 +749,39 @@ describe('Exception helpers', () => {
|
|||
{
|
||||
entries: [
|
||||
{
|
||||
id: '123',
|
||||
field: 'subject_name',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'someSubjectName',
|
||||
},
|
||||
{ field: 'trusted', operator: 'included', type: 'match', value: 'false' },
|
||||
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'false' },
|
||||
],
|
||||
field: 'file.Ext.code_signature',
|
||||
type: 'nested',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'file.path.caseless',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some-file-path',
|
||||
},
|
||||
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: 'some-hash' },
|
||||
{ field: 'event.code', operator: 'included', type: 'match', value: 'some-event-code' },
|
||||
{
|
||||
id: '123',
|
||||
field: 'file.hash.sha256',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some-hash',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'event.code',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some-event-code',
|
||||
},
|
||||
]);
|
||||
});
|
||||
});
|
||||
|
@ -943,47 +959,77 @@ describe('Exception helpers', () => {
|
|||
{
|
||||
entries: [
|
||||
{
|
||||
id: '123',
|
||||
field: 'subject_name',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some_subject',
|
||||
},
|
||||
{ field: 'trusted', operator: 'included', type: 'match', value: 'false' },
|
||||
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'false' },
|
||||
],
|
||||
field: 'file.Ext.code_signature',
|
||||
type: 'nested',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'file.path.caseless',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some file path',
|
||||
},
|
||||
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
|
||||
{ field: 'event.code', operator: 'included', type: 'match', value: 'some event code' },
|
||||
{
|
||||
id: '123',
|
||||
field: 'file.hash.sha256',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some hash',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'event.code',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some event code',
|
||||
},
|
||||
]);
|
||||
expect(defaultItems[1].entries).toEqual([
|
||||
{
|
||||
entries: [
|
||||
{
|
||||
id: '123',
|
||||
field: 'subject_name',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some_subject_2',
|
||||
},
|
||||
{ field: 'trusted', operator: 'included', type: 'match', value: 'true' },
|
||||
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'true' },
|
||||
],
|
||||
field: 'file.Ext.code_signature',
|
||||
type: 'nested',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'file.path.caseless',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some file path',
|
||||
},
|
||||
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
|
||||
{ field: 'event.code', operator: 'included', type: 'match', value: 'some event code' },
|
||||
{
|
||||
id: '123',
|
||||
field: 'file.hash.sha256',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some hash',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'event.code',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some event code',
|
||||
},
|
||||
]);
|
||||
});
|
||||
|
||||
|
@ -1014,59 +1060,91 @@ describe('Exception helpers', () => {
|
|||
{
|
||||
entries: [
|
||||
{
|
||||
id: '123',
|
||||
field: 'subject_name',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some_subject',
|
||||
},
|
||||
{ field: 'trusted', operator: 'included', type: 'match', value: 'false' },
|
||||
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'false' },
|
||||
],
|
||||
field: 'process.Ext.code_signature',
|
||||
type: 'nested',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'process.executable',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some file path',
|
||||
},
|
||||
{ field: 'process.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
|
||||
{
|
||||
id: '123',
|
||||
field: 'process.hash.sha256',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some hash',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'Ransomware.feature',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some ransomware feature',
|
||||
},
|
||||
{ field: 'event.code', operator: 'included', type: 'match', value: 'ransomware' },
|
||||
{
|
||||
id: '123',
|
||||
field: 'event.code',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'ransomware',
|
||||
},
|
||||
]);
|
||||
expect(defaultItems[1].entries).toEqual([
|
||||
{
|
||||
entries: [
|
||||
{
|
||||
id: '123',
|
||||
field: 'subject_name',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some_subject_2',
|
||||
},
|
||||
{ field: 'trusted', operator: 'included', type: 'match', value: 'true' },
|
||||
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'true' },
|
||||
],
|
||||
field: 'process.Ext.code_signature',
|
||||
type: 'nested',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'process.executable',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some file path',
|
||||
},
|
||||
{ field: 'process.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
|
||||
{
|
||||
id: '123',
|
||||
field: 'process.hash.sha256',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some hash',
|
||||
},
|
||||
{
|
||||
id: '123',
|
||||
field: 'Ransomware.feature',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'some ransomware feature',
|
||||
},
|
||||
{ field: 'event.code', operator: 'included', type: 'match', value: 'ransomware' },
|
||||
{
|
||||
id: '123',
|
||||
field: 'event.code',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'ransomware',
|
||||
},
|
||||
]);
|
||||
});
|
||||
});
|
||||
|
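Review bot: In the hunk at -723,15 +723,16 every expected entry, including the nested `subject_name`/`trusted` children and their parent, carries the same `id: '123'`, which suggests the id generator behind `addIdToItem` is mocked to a constant outside this hunk. With one constant id the assertion only proves that an `id` key is present on each level; it cannot tell whether nested children received distinct ids from their parent, so the test would still pass if `addIdToEntries` copied the parent id down. A comment such as `// id is mocked to '123' for every call; only presence of the key is asserted here` above the `expect` would make that limit visible, or the mock could return a sequence so ids can be asserted as distinct. The same pattern applies to the hunks at -748, -943 and -1014; the enclosing `describe` starts and ends outside these hunks.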
|
|
@ -38,6 +38,7 @@ import {
|
|||
UpdateExceptionListItemSchema,
|
||||
EntryNested,
|
||||
OsTypeArray,
|
||||
EntriesArray,
|
||||
} from '../../../shared_imports';
|
||||
import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
|
||||
import { validate } from '../../../../common/validate';
|
||||
|
@ -46,6 +47,19 @@ import { CodeSignature } from '../../../../common/ecs/file';
|
|||
import { WithCopyToClipboard } from '../../lib/clipboard/with_copy_to_clipboard';
|
||||
import { addIdToItem, removeIdFromItem } from '../../../../common';
|
||||
|
||||
export const addIdToEntries = (entries: EntriesArray): EntriesArray => {
|
||||
return entries.map((singleEntry) => {
|
||||
if (singleEntry.type === 'nested') {
|
||||
return addIdToItem({
|
||||
...singleEntry,
|
||||
entries: singleEntry.entries.map((nestedEntry) => addIdToItem(nestedEntry)),
|
||||
});
|
||||
} else {
|
||||
return addIdToItem(singleEntry);
|
||||
}
|
||||
});
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns the operator type, may not need this if using io-ts types
|
||||
*
|
||||
|
@ -150,14 +164,14 @@ export const getNewExceptionItem = ({
|
|||
return {
|
||||
comments: [],
|
||||
description: `${ruleName} - exception list item`,
|
||||
entries: [
|
||||
addIdToItem({
|
||||
entries: addIdToEntries([
|
||||
{
|
||||
field: '',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: '',
|
||||
}),
|
||||
],
|
||||
},
|
||||
]),
|
||||
item_id: undefined,
|
||||
list_id: listId,
|
||||
meta: {
|
||||
|
@ -464,7 +478,7 @@ export const getPrepopulatedEndpointException = ({
|
|||
const sha256Hash = file?.hash?.sha256 ?? '';
|
||||
return {
|
||||
...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }),
|
||||
entries: [
|
||||
entries: addIdToEntries([
|
||||
{
|
||||
field: 'file.Ext.code_signature',
|
||||
type: 'nested',
|
||||
|
@ -501,7 +515,7 @@ export const getPrepopulatedEndpointException = ({
|
|||
type: 'match',
|
||||
value: eventCode ?? '',
|
||||
},
|
||||
],
|
||||
]),
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -529,7 +543,7 @@ export const getPrepopulatedRansomwareException = ({
|
|||
const ransomwareFeature = Ransomware?.feature ?? '';
|
||||
return {
|
||||
...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }),
|
||||
entries: [
|
||||
entries: addIdToEntries([
|
||||
{
|
||||
field: 'process.Ext.code_signature',
|
||||
type: 'nested',
|
||||
|
@ -572,7 +586,7 @@ export const getPrepopulatedRansomwareException = ({
|
|||
type: 'match',
|
||||
value: eventCode ?? '',
|
||||
},
|
||||
],
|
||||
]),
|
||||
};
|
||||
};
|
||||
|
||||
|
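Review bot: The new exported helper `addIdToEntries` in the hunk at -46,6 +47,19 has no JSDoc, while the neighbouring block right below it documents `Returns the operator type`; add `/** Assigns an id, via addIdToItem, to each entry and, for nested entries, to each of their child entries. */` above the declaration. The `else` after the `return` in the nested branch is redundant and could be dropped so the non-nested case is a plain trailing `return addIdToItem(singleEntry);`. The callers changed in the later hunks (`getNewExceptionItem`, `getPrepopulatedEndpointException`, `getPrepopulatedRansomwareException`) all start and end outside their hunks, so this review covers only the visible lines.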
|