elastic · kibanamachine · Apr 14, 2025 · Apr 14, 2025
@@ -188,7 +188,6 @@ export class EndpointAppContextService {
         this.setupDependencies.securitySolutionRequestContextFactory,
         alerting,
         licenseService,
-        exceptionListsClient,
         this.setupDependencies.cloud,
         productFeaturesService,
         telemetryConfigProvider

@@ -191,7 +191,6 @@ describe('Fleet integrations', () => {
         requestContextFactoryMock.create(),
         endpointAppContextStartContract.alerting,
         licenseService,
-        exceptionListClient,
         cloudService,
         productFeaturesService,
         telemetryConfigProviderMock

@@ -47,7 +47,7 @@ import type { NewPolicyData, PolicyConfig } from '../../common/endpoint/types';
 import type { LicenseService } from '../../common/license';
 import type { ManifestManager } from '../endpoint/services';
 import type { IRequestContextFactory } from '../request_context_factory';
-import { installPrepackagedRules } from './handlers/install_prepackaged_rules';
+import { installEndpointSecurityPrebuiltRule } from '../lib/detection_engine/prebuilt_rules/logic/rules_package/install_endpoint_security_prebuilt_rule';
 import { createPolicyArtifactManifest } from './handlers/create_policy_artifact_manifest';
 import { createDefaultPolicy } from './handlers/create_default_policy';
 import { validatePolicyAgainstLicense } from './handlers/validate_policy_against_license';
@@ -122,7 +122,6 @@ export const getPackagePolicyCreateCallback = (
   securitySolutionRequestContextFactory: IRequestContextFactory,
   alerts: AlertingServerStart,
   licenseService: LicenseService,
-  exceptionsClient: ExceptionListClient | undefined,
   cloud: CloudSetup,
   productFeatures: ProductFeaturesService,
   telemetryConfigProvider: TelemetryConfigProvider
@@ -176,15 +175,13 @@ export const getPackagePolicyCreateCallback = (
 
     // perform these operations in parallel in order to help in not delaying the API response too much
     const [, manifestValue] = await Promise.all([
-      // Install Detection Engine prepackaged rules
-      exceptionsClient &&
-        installPrepackagedRules({
-          logger,
-          context: securitySolutionContext,
-          request,
-          alerts,
-          exceptionsClient,
-        }),
+      installEndpointSecurityPrebuiltRule({
+        logger,
+        context: securitySolutionContext,
+        request,
+        alerts,
+        soClient,
+      }),
 
       // create the Artifact Manifest for this policy
       createPolicyArtifactManifest(logger, manifestManager),

@@ -0,0 +1,84 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { KibanaRequest, Logger, SavedObjectsClientContract } from '@kbn/core/server';
+import type { AlertingServerStart } from '@kbn/alerting-plugin/server';
+import { createDetectionIndex } from '../../../routes/index/create_index_route';
+import type { SecuritySolutionApiRequestHandlerContext } from '../../../../../types';
+import { ELASTIC_SECURITY_RULE_ID } from '../../../../../../common';
+import { createPrebuiltRuleObjectsClient } from '../rule_objects/prebuilt_rule_objects_client';
+import { createPrebuiltRuleAssetsClient } from '../rule_assets/prebuilt_rule_assets_client';
+import { createPrebuiltRules } from '../rule_objects/create_prebuilt_rules';
+
+export interface InstallEndpointSecurityPrebuiltRuleProps {
+  logger: Logger;
+  context: SecuritySolutionApiRequestHandlerContext;
+  request: KibanaRequest;
+  alerts: AlertingServerStart;
+  soClient: SavedObjectsClientContract;
+}
+
+/**
+ * As part of a user taking advantage of the Elastic Defend (formerly Endpoint
+ * Security) integration from within fleet, we attempt to install the `Endpoint
+ * Security (Elastic Defend)` prebuilt rule which will be enabled by default.
+ */
+export const installEndpointSecurityPrebuiltRule = async ({
+  logger,
+  context,
+  request,
+  alerts,
+  soClient,
+}: InstallEndpointSecurityPrebuiltRuleProps): Promise<void> => {
+  // Create detection index & rules (if necessary). move past any failure, this is just a convenience
+  try {
+    await createDetectionIndex(context);
+  } catch (err) {
+    if (err.statusCode !== 409) {
+      // 409 -> detection index already exists, which is fine
+      logger.warn(
+        `Possible problem creating detection signals index (${err.statusCode}): ${err.message}`
+      );
+    }
+  }
+  try {
+    const rulesClient = await alerts.getRulesClientWithRequest(request);
+    const detectionRulesClient = context.getDetectionRulesClient();
+    const ruleAssetsClient = createPrebuiltRuleAssetsClient(soClient);
+    const ruleObjectsClient = createPrebuiltRuleObjectsClient(rulesClient);
+    const exceptionsListClient = context.getExceptionListClient();
+
+    const elasticDefendRule = await ruleObjectsClient.fetchInstalledRulesByIds({
+      ruleIds: [ELASTIC_SECURITY_RULE_ID],
+    });
+    if (elasticDefendRule.length > 0) {
+      // Elastic Defend rule already installed
+      return;
+    }
+    // Elastic Defend rule not installed, find the latest version in the
+    // prebuilt rule assets and install it
+
+    // This will create the endpoint list if it does not exist yet
+    await exceptionsListClient?.createEndpointList();
+
+    const latestRuleVersion = await ruleAssetsClient.fetchLatestVersions([
+      ELASTIC_SECURITY_RULE_ID,
+    ]);
+    if (latestRuleVersion.length === 0) {
+      logger.error(
+        `Unable to find Elastic Defend rule in the prebuilt rule assets (rule_id: ${ELASTIC_SECURITY_RULE_ID})`
+      );
+      return;
+    }
+    const ruleAssetsToInstall = await ruleAssetsClient.fetchAssetsByVersion(latestRuleVersion);
+    await createPrebuiltRules(detectionRulesClient, ruleAssetsToInstall);
+  } catch (err) {
+    logger.error(
+      `Unable to create Endpoint Security rule automatically (${err.statusCode}): ${err.message}`
+    );
+  }
+};