4d46ad6
WIP custom scripts
tomsonpl Dec 19, 2024
f01f3c4
fix
tomsonpl Dec 19, 2024
070450d
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl Jan 7, 2025
548873c
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl Jan 15, 2025
91016ea
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl May 18, 2025
8e9c4f0
Merge remote-tracking branch 'origin/runscript-cs-fetch-scripts' into…
tomsonpl May 18, 2025
cfb35cb
add types, schemas, logic
tomsonpl May 19, 2025
f685c41
fix styles
tomsonpl May 19, 2025
bf735e1
fix styles
tomsonpl May 19, 2025
67d995d
fix type
tomsonpl May 19, 2025
560c344
rename scripts to custom_scripts
tomsonpl May 19, 2025
7f5ed49
add tests
tomsonpl May 19, 2025
425652a
fix types and convert cs to customscripts schema
tomsonpl May 19, 2025
e43250f
adjust the tests
tomsonpl May 19, 2025
8848a10
change to selectable, add inputref, initial css
tomsonpl May 20, 2025
f39c367
fix css
tomsonpl May 20, 2025
16eae98
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl May 20, 2025
f628cfe
fix tests
tomsonpl May 21, 2025
a172281
tooltip
tomsonpl May 21, 2025
19054ed
fix
tomsonpl May 23, 2025
94bfe8a
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl May 23, 2025
a1ab2e0
fix
tomsonpl May 23, 2025
42bfac1
fix
tomsonpl May 23, 2025
3e0de66
Merge remote-tracking branch 'origin/runscript-cs-fetch-scripts' into…
tomsonpl May 23, 2025
bf0b6d7
remove selectesscript and fix offset
tomsonpl May 23, 2025
a3804ee
margin
tomsonpl May 23, 2025
8e69019
Update x-pack/platform/plugins/shared/stack_connectors/server/connect…
tomsonpl May 24, 2025
c1207f6
clean up
tomsonpl May 26, 2025
62bc537
default value, workaround with delayed loading
tomsonpl May 26, 2025
4af329c
Merge remote-tracking branch 'origin/runscript-cs-fetch-scripts' into…
tomsonpl May 26, 2025
16c5591
rename
tomsonpl May 26, 2025
b45c085
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl May 26, 2025
1d568ac
fix
tomsonpl May 26, 2025
ed28820
Merge remote-tracking branch 'origin/runscript-cs-fetch-scripts' into…
tomsonpl May 26, 2025
8da516c
fix
tomsonpl May 26, 2025
95fef35
revert input ref changes, use dispatch
tomsonpl May 28, 2025
58940ed
remove custom_scripts_client and use response_actions_client instead
tomsonpl May 28, 2025
eaf8a5d
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl May 28, 2025
dde69e0
fix types, add tests
tomsonpl May 28, 2025
019cc8f
Merge remote-tracking branch 'origin/runscript-cs-fetch-scripts' into…
tomsonpl May 28, 2025
43aaa43
fix
tomsonpl May 28, 2025
938d8bb
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl May 29, 2025
d41bb48
fix tests
tomsonpl May 29, 2025
56c3362
fix
tomsonpl May 29, 2025
5838c20
fix
tomsonpl May 29, 2025
151165a
fix
tomsonpl May 29, 2025
37d45e4
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl May 29, 2025
4110e5b
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl Jun 2, 2025
528cc50
fix
tomsonpl Jun 2, 2025
b45cbb9
Merge remote-tracking branch 'origin/runscript-cs-fetch-scripts' into…
tomsonpl Jun 2, 2025
afa36a2
fix
tomsonpl Jun 2, 2025
c480990
fix
tomsonpl Jun 2, 2025
4454753
Merge branch 'main' into runscript-cs-fetch-scripts
tomsonpl Jun 3, 2025
Expand Up @@ -348,5 +348,45 @@ export const CrowdstrikeExecuteRTRResponseSchema = schema.object(
{ unknowns: 'allow' }
);

// TODO: will be part of a next PR
export const CrowdstrikeGetScriptsParamsSchema = schema.any({});
export const CrowdstrikeGetScriptsResponseSchema = schema.object(
{
meta: schema.maybe(
schema.object(
{
query_time: schema.maybe(schema.number()),
powered_by: schema.maybe(schema.string()),
trace_id: schema.maybe(schema.string()),
},
{ unknowns: 'allow' }
)
),
resources: schema.maybe(
schema.arrayOf(
schema.object(
{
content: schema.maybe(schema.string()),
created_by: schema.maybe(schema.string()),
created_by_uuid: schema.maybe(schema.string()),
created_timestamp: schema.maybe(schema.string()),
file_type: schema.maybe(schema.string()),
id: schema.maybe(schema.string()),
description: schema.maybe(schema.string()),
modified_by: schema.maybe(schema.string()),
modified_timestamp: schema.maybe(schema.string()),
name: schema.maybe(schema.string()),
permission_type: schema.maybe(schema.string()),
platform: schema.maybe(schema.arrayOf(schema.string())),
run_attempt_count: schema.maybe(schema.number()),
run_success_count: schema.maybe(schema.number()),
sha256: schema.maybe(schema.string()),
size: schema.maybe(schema.number()),
write_access: schema.maybe(schema.boolean()),
},
{ unknowns: 'allow' }
)
)
),
errors: schema.maybe(schema.arrayOf(schema.any())),
},
{ unknowns: 'allow' }
);
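Review bot: The `errors` field at the bottom of the new `CrowdstrikeGetScriptsResponseSchema` is declared as `schema.maybe(schema.arrayOf(schema.any()))`, so error entries in a response pass through unvalidated and the derived `CrowdstrikeGetScriptsResponse` type exposes them as `any` to every consumer of the connector. Every other field in the object is given a concrete type, so this reads as an oversight rather than a deliberate choice. If the file already defines an error-entry schema for its other response schemas, reuse it here; otherwise a minimal typed shape such as `errors: schema.maybe(schema.arrayOf(schema.object({ code: schema.maybe(schema.number()), message: schema.maybe(schema.string()) }, { unknowns: 'allow' })))` keeps the permissive validation while giving callers a usable type (field names presumed from the vendor API; confirm against a real response).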
Expand Up @@ -19,6 +19,7 @@ import type {
RelaxedCrowdstrikeBaseApiResponseSchema,
CrowdstrikeInitRTRParamsSchema,
CrowdstrikeExecuteRTRResponseSchema,
CrowdstrikeGetScriptsResponseSchema,
} from './schema';

export type CrowdstrikeConfig = TypeOf<typeof CrowdstrikeConfigSchema>;
Expand All @@ -42,3 +43,4 @@ export type CrowdstrikeActionParams = TypeOf<typeof CrowdstrikeActionParamsSchem
export type CrowdstrikeInitRTRParams = TypeOf<typeof CrowdstrikeInitRTRParamsSchema>;

export type CrowdStrikeExecuteRTRResponse = TypeOf<typeof CrowdstrikeExecuteRTRResponseSchema>;
export type CrowdstrikeGetScriptsResponse = TypeOf<typeof CrowdstrikeGetScriptsResponseSchema>;
Expand Up @@ -458,10 +458,7 @@ describe('CrowdstrikeConnector', () => {
mockedRequest.mockResolvedValueOnce({ data: { access_token: 'testToken' } });
mockedRequest.mockResolvedValueOnce(mockResponse);

const result = await connector.getRTRCloudScripts(
{ ids: ['script1', 'script2'] },
connectorUsageCollector
);
const result = await connector.getRTRCloudScripts({}, connectorUsageCollector);

expect(mockedRequest).toHaveBeenNthCalledWith(
1,
Expand Up @@ -25,16 +25,17 @@ import type {
CrowdstrikeGetAgentOnlineStatusResponse,
RelaxedCrowdstrikeBaseApiResponse,
CrowdStrikeExecuteRTRResponse,
CrowdstrikeGetScriptsResponse,
} from '../../../common/crowdstrike/types';
import type { CrowdstrikeGetTokenResponseSchema } from '../../../common/crowdstrike/schema';
import { CrowdstrikeGetScriptsResponseSchema } from '../../../common/crowdstrike/schema';
import {
CrowdstrikeHostActionsParamsSchema,
CrowdstrikeGetAgentsParamsSchema,
CrowdstrikeHostActionsResponseSchema,
RelaxedCrowdstrikeBaseApiResponseSchema,
CrowdstrikeRTRCommandParamsSchema,
CrowdstrikeExecuteRTRResponseSchema,
CrowdstrikeGetScriptsParamsSchema,
CrowdstrikeApiDoNotValidateResponsesSchema,
} from '../../../common/crowdstrike/schema';
import { SUB_ACTION } from '../../../common/crowdstrike/constants';
Expand Down Expand Up @@ -76,7 +77,7 @@ export class CrowdstrikeConnector extends SubActionConnector<
batchExecuteRTR: string;
batchActiveResponderExecuteRTR: string;
batchAdminExecuteRTR: string;
getRTRCloudScriptsDetails: string;
getRTRCloudScripts: string;
};

constructor(
Expand All @@ -95,7 +96,7 @@ export class CrowdstrikeConnector extends SubActionConnector<
batchExecuteRTR: `${this.config.url}/real-time-response/combined/batch-command/v1`,
batchActiveResponderExecuteRTR: `${this.config.url}/real-time-response/combined/batch-active-responder-command/v1`,
batchAdminExecuteRTR: `${this.config.url}/real-time-response/combined/batch-admin-command/v1`,
getRTRCloudScriptsDetails: `${this.config.url}/real-time-response/entities/scripts/v1`,
getRTRCloudScripts: `${this.config.url}/real-time-response/entities/scripts/v1`,
};

if (!CrowdstrikeConnector.base64encodedToken) {
Expand Down Expand Up @@ -146,11 +147,10 @@ export class CrowdstrikeConnector extends SubActionConnector<
method: 'batchAdminExecuteRTR',
schema: CrowdstrikeRTRCommandParamsSchema, // Define a proper schema for the command
});
// temporary to fetch scripts and help testing
this.registerSubAction({
name: SUB_ACTION.GET_RTR_CLOUD_SCRIPTS,
method: 'getRTRCloudScripts',
schema: CrowdstrikeGetScriptsParamsSchema,
schema: CrowdstrikeRTRCommandParamsSchema, // Empty schema - this request do not have any parameters
Q: Is there a reason we don't use schema: null when we register this and all above actions if the request schema is empty?

@tomsonpl tomsonpl Jun 2, 2025
schema:null for RTR is fine 👍 Thx! The other above still need to be adjusted. I'll try to do it when there's more time to work on CrowdStrike.

});
}
}
Expand Down Expand Up @@ -371,18 +371,16 @@ export class CrowdstrikeConnector extends SubActionConnector<
);
}

// TODO: for now just for testing purposes, will be a part of a following PR
public async getRTRCloudScripts(
payload: CrowdstrikeGetAgentsParams,
payload: {},
Consider removing the payload param. I don't see that it is being used anywhere.

I decided to keep it to have the same structure as other actions, especially that maybe we'll need some payload in the end when filtering data or something. Is it ok?

connectorUsageCollector: ConnectorUsageCollector
): Promise<CrowdstrikeGetAgentOnlineStatusResponse> {
// @ts-expect-error will be a part of the next PR
return this.crowdstrikeApiRequest(
): Promise<CrowdstrikeGetScriptsResponse> {
return await this.crowdstrikeApiRequest(
{
url: this.urls.getRTRCloudScriptsDetails,
url: this.urls.getRTRCloudScripts,
method: 'GET',
paramsSerializer,
responseSchema: RelaxedCrowdstrikeBaseApiResponseSchema,
responseSchema: CrowdstrikeGetScriptsResponseSchema,
},
connectorUsageCollector
);
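Review bot: The trailing comment on the `schema:` line of the `GET_RTR_CLOUD_SCRIPTS` registration calls `CrowdstrikeRTRCommandParamsSchema` an empty schema, but the same schema is used a few lines earlier as the parameter schema for `batchAdminExecuteRTR`, so this sub-action's input is validated against the RTR command shape rather than against an empty object. The comment should describe what the code actually does, e.g. `schema: CrowdstrikeRTRCommandParamsSchema, // reuses the RTR command params schema; this sub-action sends no parameters of its own`, or the registration should point at a schema whose contents match the `payload: {}` signature of `getRTRCloudScripts` further down. In that method, the parameter type `{}` accepts any non-nullish value in TypeScript; if the parameter is kept for structural consistency, `Record<string, never>` expresses "no parameters" precisely and still compiles under strict mode. The method's closing brace lies outside the hunk.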
@@ -0,0 +1,25 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { schema, type TypeOf } from '@kbn/config-schema';
import { AgentTypeSchemaLiteral } from '..';

export const CustomScriptsRequestSchema = {
query: schema.object({
agentType: schema.maybe(
schema.oneOf(
// @ts-expect-error TS2769: No overload matches this call
AgentTypeSchemaLiteral,
{
defaultValue: 'endpoint',
}
)
),
}),
};

export type CustomScriptsRequestQueryParams = TypeOf<typeof CustomScriptsRequestSchema.query>;
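Review bot: The `// @ts-expect-error TS2769` above `AgentTypeSchemaLiteral` in `CustomScriptsRequestSchema.query` suppresses a real type mismatch instead of resolving it; `schema.oneOf` expects a tuple of schema types, so the error is most likely that `AgentTypeSchemaLiteral` is inferred as a plain array, and giving it a tuple type (or spreading it into a tuple at the call site) would let the check pass without the directive. Separately, `defaultValue: 'endpoint'` is placed on the inner `oneOf` while the whole value is wrapped in `schema.maybe(...)`; as far as I recall, `maybe` in `@kbn/config-schema` marks the outer value optional and overrides the inner default, so an omitted `agentType` may stay `undefined` rather than becoming `'endpoint'` — worth confirming with a unit test that validates `{}` against `CustomScriptsRequestSchema.query`. If the default is intended, applying it at the level that actually takes effect (or dropping `maybe`) removes the ambiguity.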
Expand Up @@ -97,6 +97,7 @@ export const EXECUTE_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/execute`;
export const UPLOAD_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/upload`;
export const SCAN_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/scan`;
export const RUN_SCRIPT_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/run_script`;
export const CUSTOM_SCRIPTS_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/custom_scripts`;

/** Endpoint Actions Routes */
export const ENDPOINT_ACTION_LOG_ROUTE = `${BASE_ENDPOINT_ROUTE}/action_log/{agent_id}`;