From 1f92eec606e6a19db1232a384ee24578ee9bd20c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?=
Date: Mon, 3 Feb 2025 14:15:17 +0100
Subject: [PATCH] [EDR Workflows] Fix invalid event filter for cloud workloads (#208974)
## Summary
Fixes the bug of the invalid event filter created automatically when creating a cloud workloads endpoint integration. The issue was a type issue: `undefined` or an object is expected, instead an array was passed. To make sure this does not happen again, the type for the `meta` field was updated from the deprecated `t.object` to `t.UnknownRecord`, which is able to catch similar issues as a type error: ca0c01b63beb40fb19188deae2257d89d8b3ba90
### Checklist
Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine
(cherry picked from commit 158a0777319175b64311c3344dc5cf12e1e6ccc7)
---
 .../src/common/meta/index.ts | 2 +-
 .../fleet_integration.test.ts | 10 +++++++---
 .../handlers/create_event_filters.ts | 18 +++++++-----------
 3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts b/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts
index 07f329819fc12..f4500c7543d62 100644
--- a/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts
+++ b/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts
@@ -9,7 +9,7 @@
 import * as t from 'io-ts';
-export const meta = t.object;
+export const meta = t.UnknownRecord;
 export type Meta = t.TypeOf;
 export const metaOrUndefined = t.union([meta, t.undefined]);
 export type MetaOrUndefined = t.TypeOf;
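Review bot: The switch of `meta` to `t.UnknownRecord` is not covered by any test in this patch, and it changes runtime decoding as well as the static type: as far as I know `t.object` accepts any non-null object, arrays included, while `t.UnknownRecord` rejects arrays. Because `metaOrUndefined` is built from `meta`, every schema that reuses it inherits the stricter check, so a caller that used to send `meta: []` would now presumably fail validation instead of being stored. A small codec test next to this file would pin that contract, for example `expect(meta.is([])).toBe(false);` and `expect(meta.is({ a: 1 })).toBe(true);`.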
diff --git a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
index 80337d1a927b8..09a82212d9284 100644
--- a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
+++ b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
@@ -69,7 +69,7 @@ import type {
 } from '@kbn/fleet-plugin/common';
 import { createMockPolicyData } from '../endpoint/services/feature_usage/mocks';
 import { ALL_ENDPOINT_ARTIFACT_LIST_IDS } from '../../common/endpoint/service/artifacts/constants';
-import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import * as PolicyConfigHelpers from '../../common/endpoint/models/policy_config_helpers';
 import { disableProtections } from '../../common/endpoint/models/policy_config_helpers';
 import type { ProductFeaturesService } from '../lib/product_features_service/product_features_service';
@@ -403,12 +403,15 @@ describe('Fleet integrations', () => {
 );
 expect(exceptionListClient.createExceptionList).toHaveBeenCalledWith(
- expect.objectContaining({ listId: ENDPOINT_EVENT_FILTERS_LIST_ID })
+ expect.objectContaining({
+ listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+ meta: undefined,
+ })
 );
 expect(exceptionListClient.createExceptionListItem).toHaveBeenCalledWith(
 expect.objectContaining({
- listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+ listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
 tags: [`policy:${postCreatedPolicyConfig.id}`],
 osTypes: ['linux'],
 entries: [
@@ -421,6 +424,7 @@ describe('Fleet integrations', () => {
 ],
 itemId: 'NEW_UUID',
 namespaceType: 'agnostic',
+ meta: undefined,
 })
 );
 });
diff --git a/x-pack/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts b/x-pack/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts
index 5e5cefd5d2a90..bd9aa21045d17 100644
--- a/x-pack/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts
+++ b/x-pack/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts
@@ -6,11 +6,7 @@
 */
 import { v4 as uuidv4 } from 'uuid';
 import { i18n } from '@kbn/i18n';
-import {
- ENDPOINT_EVENT_FILTERS_LIST_ID,
- ENDPOINT_EVENT_FILTERS_LIST_NAME,
- ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
-} from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import { SavedObjectsErrorHelpers } from '@kbn/core/server';
 import type { Logger } from '@kbn/core/server';
@@ -37,10 +33,10 @@ export const createEventFilters = async (
 // Attempt to Create the Event Filter List. It won't create the list if it already exists.
 // So we can skip the validation and ignore the conflict error
 await exceptionsClient.createExceptionList({
- name: ENDPOINT_EVENT_FILTERS_LIST_NAME,
+ name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
 namespaceType: 'agnostic',
- description: ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
- listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+ description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+ listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
 type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
 immutable: false,
 meta: undefined,
@@ -61,14 +57,14 @@ export const createEventFilters = async (
 /**
 * Create an Event Filter for non-interactive sessions and attach it to the policy
 */
-export const createNonInteractiveSessionEventFilter = async (
+const createNonInteractiveSessionEventFilter = async (
 logger: Logger,
 exceptionsClient: ExceptionListClient,
 packagePolicy: PackagePolicy
 ): Promise => {
 try {
 await exceptionsClient.createExceptionListItem({
- listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+ listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
 description: i18n.translate(
 'xpack.securitySolution.fleetIntegration.elasticDefend.eventFilter.nonInteractiveSessions.description',
 {
@@ -95,7 +91,7 @@ export const createNonInteractiveSessionEventFilter = async (
 },
 ],
 itemId: uuidv4(),
- meta: [],
+ meta: undefined,
 comments: [],
 expireTime: undefined,
 });
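Review bot: Replacing `meta: []` with `meta: undefined` in the `createExceptionListItem` call only affects filters created after this change; items that earlier versions already wrote with an array `meta` are left as they are, and nothing in the patch finds or repairs them. If list items are validated against the tightened `meta` codec when they are read or updated, those existing event filters could start failing validation, which is worth confirming on an upgraded deployment. The call sits inside a `try` whose `catch` is outside this hunk, so it is not visible here whether a rejected item is surfaced or only logged. A short comment on the line, such as `// must be undefined or a plain object; an array makes the item invalid`, would record why the value matters.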