[EDR Workflows] Scripts selector component in Response Console #204965
tomsonpl merged 53 commits into elastic:main from
Pull Request Overview
This PR introduces a custom scripts API and integrates a new SelectorComponent into the UI for cloud file selection. Key changes include the addition of server routes and API schemas for custom scripts, updates to the crowdstrike connector to support script retrieval, and comprehensive UI and test updates to integrate the new custom scripts selector.
Reviewed Changes
Copilot reviewed 30 out of 30 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/crowdstrike/utils.test.ts | Adjusted test expectations for command output formatting |
| x-pack/solutions/security/plugins/security_solution/server/endpoint/routes/custom_scripts/* | Added new routes, handlers, and tests for custom scripts API |
| x-pack/solutions/security/plugins/security_solution/public/management/* | Integrated the CustomScriptSelector into console commands and related hooks/tests |
| x-pack/platform/plugins/shared/stack_connectors/server/connector_types/crowdstrike/crowdstrike.ts | Updated the crowdstrike connector to retrieve scripts with a renamed endpoint and adjusted payload type |
| Other related files | Updated types, constants, API schemas, and tests to support the new custom scripts feature |
Comments suppressed due to low confidence (1)
x-pack/platform/plugins/shared/stack_connectors/server/connector_types/crowdstrike/crowdstrike.ts:99
- The endpoint name has changed from 'getRTRCloudScriptsDetails' to 'getRTRCloudScripts'. Ensure that corresponding client code, documentation, and tests are updated to reflect this naming change consistently.
getRTRCloudScripts: `${this.config.url}/real-time-response/entities/scripts/v1`,
| commandLine: 'echo Hello World', | ||
| }); | ||
| expect(result).toBe('runscript --CommandLine=```echo Hello World```'); | ||
| expect(result).toBe(`runscript --CommandLine='echo Hello World'`); |
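Review bot: The updated expectation `runscript --CommandLine='echo Hello World'` only covers a command line with no quote characters, so with single quotes now acting as the delimiter the test does not pin down what the formatter produces when `commandLine` itself contains a `'`. Add a case with an embedded single quote (and one with backticks, since that was the previous delimiter) and assert the exact output, so the quoting behaviour is explicit rather than implied.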
Clarify in the test documentation whether the use of single quotes for the CommandLine parameter is the intended format compared to triple backticks for other parameters, to ensure consistency in expected output.
ashokaditya left a comment
I've a few questions and suggestions but it looks good to go. Tested it out with you and we found some issues that might need a fix.
| @@ -360,7 +360,7 @@ describe('EndpointActionsClient', () => { | |||
| type ResponseActionsMethodsOnly = keyof Omit< | |||
| ResponseActionsClient, | |||
| // TODO: not yet implemented | |||
Is this TODO still relevant?
not relevant, thanks!
| // TODO: for now just for testing purposes, will be a part of a following PR | ||
| public async getRTRCloudScripts( | ||
| payload: CrowdstrikeGetAgentsParams, | ||
| payload: {}, |
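Review bot: On the added `payload: {},` line, the TypeScript type `{}` accepts any non-nullish value, not only an empty object, so the signature no longer constrains or documents what callers may pass. If the parameter stays for symmetry with the other actions, type it as `Record<string, never>` or a named empty-params type. The `// TODO: for now just for testing purposes` comment above the method still describes it as test-only and should be revisited in the same change.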
Consider removing the payload param. I don't see that it is being used anywhere.
I decided to keep it to have the same structure as other actions, especially that maybe we'll need some payload in the end when filtering data or something. Is it ok?
| name: SUB_ACTION.GET_RTR_CLOUD_SCRIPTS, | ||
| method: 'getRTRCloudScripts', | ||
| schema: CrowdstrikeGetScriptsParamsSchema, | ||
| schema: CrowdstrikeRTRCommandParamsSchema, // Empty schema - this request do not have any parameters |
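Review bot: The inline comment on the new `schema: CrowdstrikeRTRCommandParamsSchema` line says the schema is empty, but the name reads as the parameter schema for RTR commands, so a reader cannot tell from the registration which input is actually accepted for `getRTRCloudScripts`. Use a clearly named empty schema (or none, if the framework allows it) so the validation intent is obvious at the call site, and correct the comment wording from "this request do not" to "this request does not".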
Q: Is there a reason we don't use schema: null when we register this and all above actions if the request schema is empty?
schema:null for RTR is fine 👍 Thx! The other above still need to be adjusted. I'll try to do it when there's more time to work on CrowdStrike.
| test('sets search value based on valueText prop', async () => { | ||
| const SelectorComponent = CustomScriptSelector('endpoint'); | ||
| await renderAndWaitForComponent( | ||
| <SelectorComponent | ||
| {...defaultProps} | ||
| value="Script 1" | ||
| valueText="Script 1" | ||
| store={{ isPopoverOpen: true }} | ||
| /> | ||
| ); | ||
|
|
||
| const searchbox = screen.getByRole('searchbox', { name: 'Filter options' }); | ||
| expect(searchbox).toHaveValue('Script 1'); | ||
| }); | ||
|
|
||
| test('filters options based on valueText prop', async () => { |
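Review bot: In 'sets search value based on valueText prop', both `value="Script 1"` and `valueText="Script 1"` carry the same string, so the assertion `expect(searchbox).toHaveValue('Script 1')` passes whichever prop actually drives the search box. Give the two props different values and assert on the one passed as `valueText`, so the test fails if the component starts reading from `value` instead.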
These two test descriptions should be contextual to the UX. valueText prop seems like an EUI-specific test which looking at the test doesn't look like that it is. Consider updating the description.
Hmm, I think it's our custom props - not EUI specific. How would you suggest to change it?
Starting backport for target branches: 8.19 https://github.com/elastic/kibana/actions/runs/15412432726
…ic#204965) (cherry picked from commit 4390ea8)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
Friendly reminder: Looks like this PR hasn’t been backported yet.
Description
This PR implements a custom scripts selector component for the Security Solution console, with initial support for CrowdStrike integration. The component allows users to select custom scripts that can be executed as part of response actions.
Changes
1. Custom Scripts API Implementation
http://localhost:5601//internal/api/endpoint/action/custom_scripts
2. UI Component Development
CustomScriptSelector component that can be used as a command argument selector
EuiSelectable
3. Type Safety & Schema Validation
4. Testing
Testing
Please contact @tomsonpl to get CS credentials