[Security Solution] action not allowed (405) is shown for Duplicating Shared Exception Lists (#177814)#178674
Conversation
… Shared Exception Lists (elastic#177814)
e40pud
added
release_note:fix
Team: SecuritySolution
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@elasticmachine merge upstream |
| formData.append('file', file as Blob); | ||
|
|
||
| const res = await http.post<ImportExceptionsResponseSchema>(`${EXCEPTION_LIST_URL}/_import`, { | ||
| version: '2023-10-31', |
There was a problem hiding this comment.
I think it's worth mentioning in the description that this PR also addresses an issue with a missed version header.
| const hasEndpointArtifactListOrListItems = [...data.lists, ...data.items].some((item) => { | ||
| if ('list_id' in item) { | ||
| return ALL_ENDPOINT_ARTIFACT_LIST_IDS.includes(item.list_id); | ||
| return ( |
There was a problem hiding this comment.
@approksiu @elastic/security-defend-workflows just want to confirm this is indeed the desired behavior. I thought I recalled that exception lists of type endpoint were never supposed to be able to be imported as it's considered an "internal" exception list maintained by us.
This fix would mean that users cannot:
- Import an exception list of type
endpoint - Import rules with exception lists of type
endpoint(pretty sure the rule import would succeed but the exception portion would fail)
There was a problem hiding this comment.
Pinging @elastic/security-defend-workflows any feedback here?
There was a problem hiding this comment.
Thanks for looking into this @yctercero. Indeed this change would disable the ability for importing exception list of type endpoint. While digging around I found that this change that was introduced a while ago is causing the bug that is attached to this PR. That change is gating which list types can be duplicated (including endpoint list type). I'm not sure if that was an intentional change. If it was, then it does make sense with the changes here.
If not then we need to fix the original source of error, i.e. to exclude the endpoint list type from lists that can not be duplicated.
cc @dasansol92
There was a problem hiding this comment.
After discussing this with Ash, here are some questions which would be nice to answer in order to understand how to solve this issue:
- When we import
endpoint list, what is the expected behaviour of the "Overwrite the existing list" and "Create new list"?
- Are we allowed to override
Endpoint Security Exception List? - If we allow to "Create new list" out of the endpoint list, right now we end-up with a new list which has a
list_idnot equal toendpoint_listbut still hastype='endpoint'. - Is there a possibility of newly created endpoint list from step 3 to collide in some way with the original endpoint list?
- If we allow to import endpoint list, what operations are allowed on the newly created endpoint list (edit, duplicate etc.)? If duplication is allowed, why would we then disable duplication on original endpoint list?
There was a problem hiding this comment.
Thanks for the questions, @e40pud ! I think most of them would be for product to determine. From what I remember way back during initial implementation was that the endpoint security exception list was an internally maintained list that users could add/remove exceptions from, but not delete or modify the parent list at all. If that is still the case, then I would assume that the behaviors for endpoint list would be:
- User cannot delete
- User cannot duplicate
- User can export
- User can import and select to override in the sense of "replace the existing items in this list with the items I'm importing" - nothing would be modified of the parent list
This is going off of maybe outdated thinking though (back from initial implementation when there were a lot of restriction around the endpoint list). @caitlinbetz @approksiu can you confirm what the expected behaviors should be for the endpoint exception list?
There was a problem hiding this comment.
per conversations with @approksiu - I think we are okay to prevent users from selecting "Create new list" in this scenario. This aligns with existing functionality where we prevent users from duplicating this list. If possible we should make it clear why this option is unavailable for this list.
There was a problem hiding this comment.
Thank for the reply @caitlinbetz. Would this work?
I disabled Create new list checkbox and added a tooltip describing the reason.
There was a problem hiding this comment.
thanks @e40pud ! Perhaps for now we can say - "We only allow one Exception List for Endpoint Security." to make it clear as to why they cannot create a new list.
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
szwarckonrad
left a comment
szwarckonrad
left a comment
There was a problem hiding this comment.
Code LGTM and I don't see any reason why would it interfere with logic from EDR Workflows side. Have a look @ashokaditya though, you know more about artifacts than I do :)
|
@elasticmachine merge upstream |
| export const IMPORT_EXCEPTION_ENDPOINT_LIST_WARNING = i18n.translate( | ||
| 'xpack.securitySolution.exceptionsTable.importExceptionEndpointListWarning', | ||
| { | ||
| defaultMessage: 'We only allow one Exception List for Endpoint Security.', |
There was a problem hiding this comment.
This text maybe needs a review from the docs team. I think this needs to be rephrased to adhere to writing guidelines
There was a problem hiding this comment.
@caitlinbetz @nastasha-solomon any suggestions on how to adjust this message?
There was a problem hiding this comment.
Hey, thanks for the ping! Do you have any objections to removing the pronoun (we) in the message? Our current guidelines indicate that "we" is more appropriate in situations when we're taking an action for the user (i.e., helping them) or making a suggestion. In this situation, we're not helping users along. Instead, we're blocking them from doing what they want to do and then telling them that we are the ones blocking them. If you're ok with removing the pronoun, here are a few options to consider:
- Multiple exception lists for Endpoint Security are not allowed.
- Only one Endpoint Security Exception list is allowed.
- Additional exception lists for Endpoint Security are not supported.
Let me know if these work, or if they're not quite what you're looking for.
There was a problem hiding this comment.
This looks great! I will go with the first option.
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @e40pud |
e40pud
added
v8.14.0
and removed
backport:skip
e40pud
added
v8.14.0
and removed
backport:skip
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
… Shared Exception Lists (elastic#177814) (elastic#178674) ## Summary Addresses elastic#177814 This PR fixes the issue where user is able to import Endpoint lists. Right now endpoint lists (with `endpoint_trusted_apps`, `endpoint_event_filters`, `endpoint_host_isolation_exceptions` or `endpoint_blocklists` id) are not allowed to be imported. [Here we check](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lists_integration/endpoint/handlers/exceptions_pre_import_handler.ts#L17) lists and throw an exception if user tries to import one of the mentioned lists. However, it is possible to import container endpoint lists with `endpoint_list` id. This leads to the issue that user can import such a list with the newly generated ID and thus we will treat it as a detection engine list. Since the type of the list is still says `endpoint` we would not allow to duplicate such a list later [here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/lists/server/services/exception_lists/duplicate_exception_list.ts#L46). To fix the issue, I added addition list id check to prevent users from importing lists with the `endpoint_list` id. **UPDATE**: As discussed below, we will disable the "Create new list" checkbox when user tries to import Endpoint Security Exception List and will show a tooltip saying "We only allow one Exception List for Endpoint Security." **NOTE**: as part of this PR, I also added a fix for missing version header in `importExceptionList` API call. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> (cherry picked from commit 7cbd396)
…icating Shared Exception Lists (#177814) (#178674) (#181738) # Backport This will backport the following commits from `main` to `8.14`: - [[Security Solution] action not allowed (405) is shown for Duplicating Shared Exception Lists (#177814) (#178674)](#178674) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Ievgen Sorokopud","email":"ievgen.sorokopud@elastic.co"},"sourceCommit":{"committedDate":"2024-04-25T09:42:43Z","message":"[Security Solution] action not allowed (405) is shown for Duplicating Shared Exception Lists (#177814) (#178674)\n\n## Summary\r\n\r\nAddresses https://github.com/elastic/kibana/issues/177814\r\n\r\nThis PR fixes the issue where user is able to import Endpoint lists.\r\nRight now endpoint lists (with `endpoint_trusted_apps`,\r\n`endpoint_event_filters`, `endpoint_host_isolation_exceptions` or\r\n`endpoint_blocklists` id) are not allowed to be imported. [Here we\r\ncheck](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lists_integration/endpoint/handlers/exceptions_pre_import_handler.ts#L17)\r\nlists and throw an exception if user tries to import one of the\r\nmentioned lists.\r\n\r\nHowever, it is possible to import container endpoint lists with\r\n`endpoint_list` id. This leads to the issue that user can import such a\r\nlist with the newly generated ID and thus we will treat it as a\r\ndetection engine list. Since the type of the list is still says\r\n`endpoint` we would not allow to duplicate such a list later\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/lists/server/services/exception_lists/duplicate_exception_list.ts#L46).\r\n\r\nTo fix the issue, I added addition list id check to prevent users from\r\nimporting lists with the `endpoint_list` id.\r\n\r\n**UPDATE**: As discussed below, we will disable the \"Create new list\"\r\ncheckbox when user tries to import Endpoint Security Exception List and\r\nwill show a tooltip saying \"We only allow one Exception List for\r\nEndpoint Security.\"\r\n\r\n**NOTE**: as part of this PR, I also added a fix for missing version\r\nheader in `importExceptionList` API call.\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Yara Tercero <yctercero@users.noreply.github.com>","sha":"7cbd39636835b3b65e4734bb568901f19d494a30","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team: SecuritySolution","Team:Detection Engine","v8.14.0","v8.15.0"],"number":178674,"url":"https://github.com/elastic/kibana/pull/178674","mergeCommit":{"message":"[Security Solution] action not allowed (405) is shown for Duplicating Shared Exception Lists (#177814) (#178674)\n\n## Summary\r\n\r\nAddresses https://github.com/elastic/kibana/issues/177814\r\n\r\nThis PR fixes the issue where user is able to import Endpoint lists.\r\nRight now endpoint lists (with `endpoint_trusted_apps`,\r\n`endpoint_event_filters`, `endpoint_host_isolation_exceptions` or\r\n`endpoint_blocklists` id) are not allowed to be imported. [Here we\r\ncheck](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lists_integration/endpoint/handlers/exceptions_pre_import_handler.ts#L17)\r\nlists and throw an exception if user tries to import one of the\r\nmentioned lists.\r\n\r\nHowever, it is possible to import container endpoint lists with\r\n`endpoint_list` id. This leads to the issue that user can import such a\r\nlist with the newly generated ID and thus we will treat it as a\r\ndetection engine list. Since the type of the list is still says\r\n`endpoint` we would not allow to duplicate such a list later\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/lists/server/services/exception_lists/duplicate_exception_list.ts#L46).\r\n\r\nTo fix the issue, I added addition list id check to prevent users from\r\nimporting lists with the `endpoint_list` id.\r\n\r\n**UPDATE**: As discussed below, we will disable the \"Create new list\"\r\ncheckbox when user tries to import Endpoint Security Exception List and\r\nwill show a tooltip saying \"We only allow one Exception List for\r\nEndpoint Security.\"\r\n\r\n**NOTE**: as part of this PR, I also added a fix for missing version\r\nheader in `importExceptionList` API call.\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Yara Tercero <yctercero@users.noreply.github.com>","sha":"7cbd39636835b3b65e4734bb568901f19d494a30"}},"sourceBranch":"main","suggestedTargetBranches":["8.14"],"targetPullRequestStates":[{"branch":"8.14","label":"v8.14.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.15.0","labelRegex":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/178674","number":178674,"mergeCommit":{"message":"[Security Solution] action not allowed (405) is shown for Duplicating Shared Exception Lists (#177814) (#178674)\n\n## Summary\r\n\r\nAddresses https://github.com/elastic/kibana/issues/177814\r\n\r\nThis PR fixes the issue where user is able to import Endpoint lists.\r\nRight now endpoint lists (with `endpoint_trusted_apps`,\r\n`endpoint_event_filters`, `endpoint_host_isolation_exceptions` or\r\n`endpoint_blocklists` id) are not allowed to be imported. [Here we\r\ncheck](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lists_integration/endpoint/handlers/exceptions_pre_import_handler.ts#L17)\r\nlists and throw an exception if user tries to import one of the\r\nmentioned lists.\r\n\r\nHowever, it is possible to import container endpoint lists with\r\n`endpoint_list` id. This leads to the issue that user can import such a\r\nlist with the newly generated ID and thus we will treat it as a\r\ndetection engine list. Since the type of the list is still says\r\n`endpoint` we would not allow to duplicate such a list later\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/lists/server/services/exception_lists/duplicate_exception_list.ts#L46).\r\n\r\nTo fix the issue, I added addition list id check to prevent users from\r\nimporting lists with the `endpoint_list` id.\r\n\r\n**UPDATE**: As discussed below, we will disable the \"Create new list\"\r\ncheckbox when user tries to import Endpoint Security Exception List and\r\nwill show a tooltip saying \"We only allow one Exception List for\r\nEndpoint Security.\"\r\n\r\n**NOTE**: as part of this PR, I also added a fix for missing version\r\nheader in `importExceptionList` API call.\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Yara Tercero <yctercero@users.noreply.github.com>","sha":"7cbd39636835b3b65e4734bb568901f19d494a30"}}]}] BACKPORT-->
… Shared Exception Lists (elastic#177814) (elastic#178674) ## Summary Addresses elastic#177814 This PR fixes the issue where user is able to import Endpoint lists. Right now endpoint lists (with `endpoint_trusted_apps`, `endpoint_event_filters`, `endpoint_host_isolation_exceptions` or `endpoint_blocklists` id) are not allowed to be imported. [Here we check](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lists_integration/endpoint/handlers/exceptions_pre_import_handler.ts#L17) lists and throw an exception if user tries to import one of the mentioned lists. However, it is possible to import container endpoint lists with `endpoint_list` id. This leads to the issue that user can import such a list with the newly generated ID and thus we will treat it as a detection engine list. Since the type of the list is still says `endpoint` we would not allow to duplicate such a list later [here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/lists/server/services/exception_lists/duplicate_exception_list.ts#L46). To fix the issue, I added addition list id check to prevent users from importing lists with the `endpoint_list` id. **UPDATE**: As discussed below, we will disable the "Create new list" checkbox when user tries to import Endpoint Security Exception List and will show a tooltip saying "We only allow one Exception List for Endpoint Security." **NOTE**: as part of this PR, I also added a fix for missing version header in `importExceptionList` API call. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
10 participants
Summary
Addresses #177814
This PR fixes the issue where user is able to import Endpoint lists. Right now endpoint lists (with
endpoint_trusted_apps,endpoint_event_filters,endpoint_host_isolation_exceptionsorendpoint_blocklistsid) are not allowed to be imported. Here we check lists and throw an exception if user tries to import one of the mentioned lists.However, it is possible to import container endpoint lists with
endpoint_listid. This leads to the issue that user can import such a list with the newly generated ID and thus we will treat it as a detection engine list. Since the type of the list is still saysendpointwe would not allow to duplicate such a list later here.To fix the issue, I added addition list id check to prevent users from importing lists with the
endpoint_listid.UPDATE: As discussed below, we will disable the "Create new list" checkbox when user tries to import Endpoint Security Exception List and will show a tooltip saying "We only allow one Exception List for Endpoint Security."
NOTE: as part of this PR, I also added a fix for missing version header in
importExceptionListAPI call.