[EDR Workflows] Add RunScript API route (supporting CrowdStrike)#203101
tomsonpl merged 15 commits into elastic:main from
Conversation
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
szwarckonrad left a comment:
I’ve reviewed the code but will leave the design/implementation review to Paul since I’m not too familiar with the response actions part of our codebase. Overall, it looks good - I’ve left some comments for you to consider.
```ts
schema.string({
  minLength: 1,
  validate: (value) => {
    if (!value.trim().length) {
      return 'Raw cannot be an empty string';
    }
  },
})
```
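Review bot: the failure message in the `validate` callback hard-codes the field name ('Raw cannot be an empty string'), so if this validator is extracted into a shared `nullableNonEmptyString` helper as suggested below, the message should either not name a field or take the field name as a parameter, otherwise every reuse will report "Raw" for the wrong field. The callback itself is sound: it returns a string only on failure and nothing otherwise, and `minLength: 1` together with the `trim()` check rejects both empty and whitespace-only input.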
nit: extract to `const nullableNonEmptyString = schema.maybe(schema.string...)`. We have those defined in multiple places too; maybe try looking for an existing one.
```diff
- const expectedCommands: string[] = [...CONSOLE_RESPONSE_ACTION_COMMANDS];
+ const expectedCommands: string[] = [
+   ...CONSOLE_RESPONSE_ACTION_COMMANDS.filter((command) => command !== 'runscript'),
```
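Review bot: the spread around `CONSOLE_RESPONSE_ACTION_COMMANDS.filter(...)` is redundant, since `filter` already returns a fresh array; `const expectedCommands: string[] = CONSOLE_RESPONSE_ACTION_COMMANDS.filter((command) => command !== 'runscript');` says the same thing without the extra copy. Separately, dropping 'runscript' from the expected list only covers the agent types where the command must be absent; a companion assertion that 'runscript' is present for the CrowdStrike agent type would exercise the positive path this PR adds.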
`filter` returns a new array, I don't see the need to spread.
```ts
/**
 * The script to run
 */
Raw: schema.maybe(
),
```
I believe the other side expects properties with capital letters, but that’s not how we handle things. Since this endpoint is maintained by us, I’d suggest sticking to our standards and introducing a mapper or transformation to align with the standards of the next API we’ll be calling.
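Review bot: with `Raw` declared as `schema.maybe(...)`, and the other script sources (`HostPath`, `CloudFile`, not visible in this snippet) presumably optional in the same way, the body schema on its own accepts a request that supplies no script source at all, or several at once; consider a cross-field `validate` on the enclosing object that requires exactly one of them, so the route rejects such bodies before anything is forwarded to CrowdStrike. The doc comment "The script to run" could also state that `Raw` carries inline script content, as opposed to a path on the host or a cloud file reference.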
```ts
// Dev:
// runscript success/competed
```
Suggested change:
```diff
- // runscript success/competed
+ // runscript success/completed
```
# Conflicts:
#	x-pack/plugins/security_solution/common/endpoint/data_generators/endpoint_action_generator.ts
#	x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/integration_tests/console_commands_definition.test.tsx
#	x-pack/plugins/security_solution/public/management/cypress/screens/responder.ts
#	x-pack/plugins/security_solution/server/endpoint/services/actions/action_list.test.ts
@szwarckonrad thanks for the review, I applied all the suggestions - besides the CapitalCase change to lowerCase in API params. We discussed this offline and it would require transformations multiple times to reflect the CrowdStrike UI and API, e.g. UI Capital > Kibana API camel > CS Capital. For now we decided to go with the CapitalCase. Hope this is fine 👍
💚 Build Succeeded
cc @tomsonpl
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/12272304321
💔 All backports failed
Manual backport: to create the backport manually run:
Questions? Please refer to the Backport tool documentation
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
…stic#203101) (cherry picked from commit e993f23)
# Conflicts:
#	x-pack/plugins/security_solution/server/endpoint/routes/actions/response_actions.ts
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.
#203101) (#203722)
# Backport
This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Add RunScript API route (supporting CrowdStrike) (#203101)](#203101)

Source commit e993f2388111cf16798014e7c857f23df5ab7cdb on `main`, committed 2024-12-11T08:18:35Z by Tomasz Ciecierski; labels: v9.0.0, v8.18.0, Team:Defend Workflows, release_note:feature, backport:version. Target branch: 8.x (v8.18.0). Backport tool version: 8.9.8.

### Questions?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
Summary

This PR introduces support for the CrowdStrike `runscript` API route. Below are detailed highlights of the changes.

Key Changes

- `runscript` route at `/api/endpoint//action/run_script`
- `runscript` is only enabled for `CrowdStrike` hosts
  - `Raw`
  - `HostPath`
  - `CloudFile`
  - `CommandLine`
  - `Timeout`

Previous Steps

Next Steps

- `runscript` on CrowdStrike host
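The two points the thread turns on, the body validation for the `runscript` parameters listed above and the CapitalCase-versus-camelCase mapping discussed in the review, can be shown together in one stand-alone piece of TypeScript. This is an added example written for this page, not code from the Kibana PR or from CrowdStrike. It assumes hypothetical camelCase field names on the Kibana side (`raw`, `hostPath`, `cloudFile`, `commandLine`, `timeout`), takes the CapitalCase names (`Raw`, `HostPath`, `CloudFile`, `CommandLine`, `Timeout`) from the PR summary, and adds a cross-field rule, exactly one script source per request, that a per-field `schema.maybe()` cannot express; the meanings given to the three script sources and the timeout rule are assumptions. It uses no Kibana packages, so it runs as-is with any TypeScript runner.

```typescript
// Added example, not code from the Kibana PR. Field names on the Kibana side,
// the meaning of each script source and the cross-field rules are assumptions;
// the CapitalCase names come from the PR summary.

interface RunScriptParams {
  raw?: string;        // assumed: inline script content
  hostPath?: string;   // assumed: path of a script already on the host
  cloudFile?: string;  // assumed: name of a script held in the CrowdStrike cloud
  commandLine?: string;
  timeout?: number;
}

interface CrowdStrikeRunScriptParams {
  Raw?: string;
  HostPath?: string;
  CloudFile?: string;
  CommandLine?: string;
  Timeout?: number;
}

const SCRIPT_SOURCES = ['raw', 'hostPath', 'cloudFile'] as const;
const STRING_FIELDS = [...SCRIPT_SOURCES, 'commandLine'] as const;

// Same contract as a config-schema validate callback: a message string on
// failure, undefined on success. The field name is a parameter so the helper
// can be shared instead of hard-coding 'Raw' in the message.
function nonEmptyString(value: unknown, field: string): string | undefined {
  if (typeof value !== 'string') return `${field} must be a string`;
  if (!value.trim().length) return `${field} cannot be an empty string`;
  return undefined;
}

// Returns every validation error found; an empty array means the body is valid.
function validateRunScriptParams(params: RunScriptParams): string[] {
  const errors: string[] = [];

  for (const field of STRING_FIELDS) {
    const value = params[field];
    if (value === undefined) continue;
    const err = nonEmptyString(value, field);
    if (err) errors.push(err);
  }

  // Cross-field rule that schema.maybe() on each field alone cannot express:
  // a request with no script source, or with several, is rejected here.
  const present = SCRIPT_SOURCES.filter((field) => params[field] !== undefined);
  if (present.length !== 1) {
    errors.push(
      `exactly one of ${SCRIPT_SOURCES.join(', ')} must be provided (got ${present.length})`
    );
  }

  if (params.timeout !== undefined && (!Number.isInteger(params.timeout) || params.timeout <= 0)) {
    errors.push('timeout must be a positive integer');
  }

  return errors;
}

// Validates, then maps the camelCase keys to the CapitalCase keys the
// CrowdStrike side expects. Absent fields are dropped, not sent as nulls.
function toCrowdStrikeParams(params: RunScriptParams): CrowdStrikeRunScriptParams {
  const errors = validateRunScriptParams(params);
  if (errors.length) {
    throw new Error(`invalid runscript parameters: ${errors.join('; ')}`);
  }
  const out: CrowdStrikeRunScriptParams = {};
  if (params.raw !== undefined) out.Raw = params.raw;
  if (params.hostPath !== undefined) out.HostPath = params.hostPath;
  if (params.cloudFile !== undefined) out.CloudFile = params.cloudFile;
  if (params.commandLine !== undefined) out.CommandLine = params.commandLine;
  if (params.timeout !== undefined) out.Timeout = params.timeout;
  return out;
}

// Usage with a constructed request body: validation passes and keys are mapped.
const example = toCrowdStrikeParams({ raw: 'Get-Process | Select-Object -First 5', timeout: 60 });
console.log(example); // { Raw: 'Get-Process | Select-Object -First 5', Timeout: 60 }
```

Keeping the mapping in one function at the boundary is what the reviewer asked for: route handlers and tests work with one naming convention, and the CapitalCase form exists only in the payload that leaves Kibana. The cross-field check is the part a per-field schema misses, so it is worth a dedicated test for the "no source" and "two sources" bodies.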