[SecuritySolution-Endpoint]: add filter of default Elastic Agent ids for Endpoint Agent initial state (#71478)

[SecuritySolution-Endpoint]: add filter of default Elastic Agent ids for Endpoint Agent initial state
2020-07-13 16:57:04 -04:00 · 2020-07-13 16:57:04 -04:00 · f86c0792a1
parent 1b1962f18c
commit f86c0792a1
2 changed files with 34 additions and 3 deletions
--- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts
@ -37,6 +37,16 @@ const HOST_STATUS_MAPPING = new Map<AgentStatus, HostStatus>([
  ['offline', HostStatus.OFFLINE],
 ]);

+/**
+ * 00000000-0000-0000-0000-000000000000 is initial Elastic Agent id sent by Endpoint before policy is configured
+ * 11111111-1111-1111-1111-111111111111 is Elastic Agent id sent by Endpoint when policy does not contain an id
+ */
+
+const IGNORED_ELASTIC_AGENT_IDS = [
+  '00000000-0000-0000-0000-000000000000',
+  '11111111-1111-1111-1111-111111111111',
+];
+
 const getLogger = (endpointAppContext: EndpointAppContext): Logger => {
  return endpointAppContext.logFactory.get('metadata');
 };
@ -97,7 +107,7 @@ export function registerEndpointRoutes(router: IRouter, endpointAppContext: Endp
          endpointAppContext,
          metadataIndexPattern,
          {
-            unenrolledAgentIds,
+            unenrolledAgentIds: unenrolledAgentIds.concat(IGNORED_ELASTIC_AGENT_IDS),
          }
        );

--- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts
@ -138,7 +138,16 @@ describe('test endpoint route', () => {

    expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1);
    expect(mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query).toEqual({
-      match_all: {},
+      bool: {
+        must_not: {
+          terms: {
+            'elastic.agent.id': [
+              '00000000-0000-0000-0000-000000000000',
+              '11111111-1111-1111-1111-111111111111',
+            ],
+          },
+        },
+      },
    });
    expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'] });
    expect(mockResponse.ok).toBeCalled();
@ -184,11 +193,22 @@ describe('test endpoint route', () => {
    expect(mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query).toEqual({
      bool: {
        must: [
+          {
+            bool: {
+              must_not: {
+                terms: {
+                  'elastic.agent.id': [
+                    '00000000-0000-0000-0000-000000000000',
+                    '11111111-1111-1111-1111-111111111111',
+                  ],
+                },
+              },
+            },
+          },
          {
            bool: {
              must_not: {
                bool: {
-                  minimum_should_match: 1,
                  should: [
                    {
                      match: {
@ -196,6 +216,7 @@ describe('test endpoint route', () => {
                      },
                    },
                  ],
+                  minimum_should_match: 1,
                },
              },
            },