# [EDR Workflows][Device Control] Trusted Devices artifacts #231167

szwarckonrad merged 127 commits into elastic:main from
…/kibana into device-control-rbac
Prerequisite #229921
Followup #231167

This PR introduces the Trusted Devices functionality. With these changes, users can:

1. Create Trusted Devices using filters and matching patterns
2. Update existing Trusted Devices
3. Delete Trusted Devices
4. Assign a Trusted Device either globally or to specific policies

All functionality is gated behind a feature flag.

**Note:** The next PR will introduce artifact creation for Trusted Devices. These artifacts will be consumed by the Endpoint.

<img width="1590" height="902" alt="Screenshot 2025-08-08 at 16 19 25" src="https://github.com/user-attachments/assets/e2c0c3e7-e324-49b3-a79a-0e89c232727a" />
<img width="1589" height="932" alt="Screenshot 2025-08-08 at 16 21 28" src="https://github.com/user-attachments/assets/7d508aca-f8dc-40fb-8f45-cac548869960" />

<details><summary>More screenshots</summary>

<img width="1591" height="930" alt="Screenshot 2025-08-08 at 16 24 48" src="https://github.com/user-attachments/assets/07bfab25-68ed-4de3-8b8e-7d657d4b5fe3" />
<img width="1563" height="862" alt="Screenshot 2025-08-08 at 16 25 08" src="https://github.com/user-attachments/assets/a4170927-dcb4-4d9a-9327-e26098851532" />
<img width="1589" height="933" alt="Screenshot 2025-08-08 at 16 25 27" src="https://github.com/user-attachments/assets/b43862f3-23f2-48cc-80e8-a8a6f219cf48" />
<img width="731" height="813" alt="Screenshot 2025-08-08 at 16 26 12" src="https://github.com/user-attachments/assets/65334d91-c4e2-4868-924d-e202793dd38d" />
<img width="1309" height="750" alt="Screenshot 2025-08-08 at 16 26 44" src="https://github.com/user-attachments/assets/43e7ae73-f3cb-49ce-a499-7a7587c249c2" />

</details>

---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
Review comment on the following lines:

```ts
  data: TrustedDevice[];
}

export type PutTrustedDevicesRequestParams = TypeOf<
```
q: what's the point of these types? I don't see them being used anywhere. Will they be used? The trusted apps counterpart `PutTrustedAppsRequestParams` is also unused.

q: just out of curiosity, do you know maybe why we don't have these types for event filters, host isolation exceptions, or blocklists?

This is me copying too much from Trusted Applications patterns, will clean up :)

Just FYI: TrustedApps should (for the most part) not be copied as it was built with a very different approach than the rest of the artifacts we have. We have since then attempted to drive away from its design patterns and embraced instead the ExceptionsListItem types and Lists plugin API types. Sorry I missed providing this comment in the past - perhaps it is too late to adjust the implementation (if needed).
Prerequisite #231167
Followup #232269

This PR implements server-side validation for trusted devices in Kibana by extending the existing list plugin extension points system. The implementation follows established patterns from trusted apps but supports trusted device-specific requirements, including allowing both Windows and Mac OS types (unlike other artifact types that only support a single OS per entry) and validating the 5 supported device fields (`username`, `host`, `device ID`, `manufacturer`, `product ID`). The changes include a new `TrustedDeviceValidator` class, integration across all 9 exception list handlers, and comprehensive API integration tests to ensure proper validation and authorization.

Key changes:
- New `TrustedDeviceValidator` class extending BaseValidator with full space awareness
- Updated all 9 list plugin extension point handlers to include trusted device validation
- Added comprehensive integration tests covering unique trusted device validation requirements
- Maintains consistency with existing artifact validation patterns while supporting device-specific schema

---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…1167)

Prerequisite elastic#230174
Followup elastic#231888

This PR introduces trusted devices as a new artifact type in the Security Solution, enabling device-based allow-listing for endpoint security policies.

### Flow:

<details><summary>User enables Device Control in policy settings 🖼️</summary>
<img width="985" height="356" alt="Screenshot 2025-08-11 at 12 53 59" src="https://github.com/user-attachments/assets/6da861ca-4b78-4704-ab12-9bd7cc602d05" />
</details>

<details><summary>User adds Trusted Device that will add a whitelist condition to otherwise block policy 🖼️</summary>
<img width="1028" height="530" alt="Screenshot 2025-08-11 at 12 54 10" src="https://github.com/user-attachments/assets/bb801d77-398f-43ff-963a-d91e1c2372f9" />
</details>

<details><summary>Artifact is being generated and can be viewed in Agent policy 🖼️</summary>
<img width="620" height="724" alt="Screenshot 2025-08-11 at 12 59 40" src="https://github.com/user-attachments/assets/ac36b3ed-ac1e-4931-8441-d85945629417" />
</details>

<details><summary>Artifact can be decoded from index storage 🖼️</summary>
<img width="658" height="684" alt="Screenshot 2025-08-11 at 12 57 38" src="https://github.com/user-attachments/assets/5b6337dc-59e1-4598-8b37-196ece4af5c3" />
</details>

<details><summary>Artifact can be decoded from fleet server API 🖼️</summary>
<img width="1253" height="368" alt="Screenshot 2025-08-12 at 12 02 21" src="https://github.com/user-attachments/assets/80229167-25f3-4413-be4e-a127d99faa99" />
</details>

### New Functionality:
- **Trusted devices schema and types** - Complete validation schemas for device identification fields (USERNAME, HOST, DEVICE_ID, MANUFACTURER, PRODUCT_ID)
- **Artifact integration** - Trusted devices now build and distribute alongside other artifact types (trusted apps, blocklists, etc.)
- **Feature flag gating** - Controlled rollout via `trustedDevices` experimental feature
- **OS support** - Windows and macOS (Linux support planned for future)

### Key Components:
- **API schemas** - GET, POST, PUT request validation with proper field restrictions
- **Manifest manager integration** - `buildTrustedDevicesArtifacts()` method following established patterns
- **Artifact constants** - Support for `endpoint-trusteddevicelist-{os}-v1` naming convention
- **Effect scopes** - Global and policy-specific device trust configurations
- **Unit test coverage** - extended existing test coverage as well as introduced new test files where needed

---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
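The two commit messages above describe the rules a trusted device item must satisfy before it becomes an artifact: entries may only use the five device fields, an item may target Windows and macOS at the same time (unlike other artifact types), the scope is either global or per policy, and one artifact is produced per OS under the `endpoint-trusteddevicelist-{os}-v1` name. The block below is an added example written for this page; it is not the `TrustedDeviceValidator` from the Kibana repository and does not use the Lists plugin types. The lower-case field and OS identifiers, the `policy:all` / `policy:<id>` tag convention for effect scope, and the wildcard check on `matching pattern` entries are assumptions made for the example.

```typescript
// Added example, not Kibana code. Models the trusted device rules described in
// the PR: five allowed fields, Windows and macOS allowed on one item, global or
// policy-specific scope, and one artifact identifier per OS.
// Identifiers, tag convention and wildcard rule are assumptions for the example.

export const TRUSTED_DEVICE_OS = ['windows', 'macos'] as const; // Linux not yet supported
export const TRUSTED_DEVICE_FIELDS = [
  'username', 'host', 'device_id', 'manufacturer', 'product_id',
] as const;

export interface TrustedDeviceEntry {
  field: string;                // must be one of TRUSTED_DEVICE_FIELDS
  type: 'match' | 'wildcard';   // exact value or matching pattern
  value: string;
}

export interface TrustedDeviceItem {
  name: string;
  os_types: string[];           // may contain both 'windows' and 'macos'
  entries: TrustedDeviceEntry[];
  tags: string[];               // assumed: 'policy:all' (global) or 'policy:<id>'
}

// Returns a list of validation errors; an empty list means the item is accepted.
export function validateTrustedDevice(item: TrustedDeviceItem): string[] {
  const errors: string[] = [];
  if (!item.name.trim()) errors.push('name is required');

  // OS: at least one, each from the supported set, no duplicates.
  if (item.os_types.length === 0) errors.push('at least one os_type is required');
  const seenOs = new Set<string>();
  for (const os of item.os_types) {
    if (!(TRUSTED_DEVICE_OS as readonly string[]).includes(os)) {
      errors.push(`unsupported os_type: ${os}`);
    } else if (seenOs.has(os)) {
      errors.push(`duplicate os_type: ${os}`);
    }
    seenOs.add(os);
  }

  // Entries: at least one, only the five device fields, non-empty values.
  if (item.entries.length === 0) errors.push('at least one entry is required');
  for (const entry of item.entries) {
    if (!(TRUSTED_DEVICE_FIELDS as readonly string[]).includes(entry.field)) {
      errors.push(`unsupported field: ${entry.field}`);
    }
    if (!entry.value.trim()) errors.push(`empty value for field: ${entry.field}`);
    // Assumed rule: a matching pattern must actually contain a wildcard.
    if (entry.type === 'wildcard' && !/[*?]/.test(entry.value)) {
      errors.push(`wildcard entry for ${entry.field} contains no wildcard character`);
    }
  }

  // Effect scope: exactly one of global or policy-specific must be present.
  if (!item.tags.some((t) => t.startsWith('policy:'))) {
    errors.push('effect scope tag (policy:all or policy:<id>) is required');
  }
  return errors;
}

// Resolves the assumed tag convention into the effect scope of the item.
export function effectScope(item: TrustedDeviceItem): { type: 'global' } | { type: 'policy'; policies: string[] } {
  const policies = item.tags
    .filter((t) => t.startsWith('policy:'))
    .map((t) => t.slice('policy:'.length));
  return policies.includes('all') ? { type: 'global' } : { type: 'policy', policies };
}

// One artifact identifier per targeted OS, following endpoint-trusteddevicelist-{os}-v1.
export function artifactIdsFor(item: TrustedDeviceItem): string[] {
  return Array.from(new Set(item.os_types)).map((os) => `endpoint-trusteddevicelist-${os}-v1`);
}

// Constructed sample item: a USB device trusted on both Windows and macOS, globally.
export const SAMPLE_ITEM: TrustedDeviceItem = {
  name: 'Corporate encrypted USB drives',
  os_types: ['windows', 'macos'],
  entries: [
    { field: 'manufacturer', type: 'match', value: 'ExampleVendor' },
    { field: 'product_id', type: 'wildcard', value: 'EV-*' },
  ],
  tags: ['policy:all'],
};
```

Running `validateTrustedDevice(SAMPLE_ITEM)` returns no errors and `artifactIdsFor(SAMPLE_ITEM)` yields one identifier for each OS, which is the property that distinguishes trusted devices from single-OS artifact types; an item targeting `linux` or using a field outside the five device fields is rejected before any artifact is built.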