[EDR Workflows] Fix osquery pack results display when agent clock is skewed #251417
Conversation
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
| startDate={startDate} | ||
| endDate={endDate} | ||
| mode={lastResultsData?.['@timestamp'][0] ? 'absolute' : 'relative'} | ||
| mode={lastResultsData?.lastResultTime?.[0] ? 'absolute' : 'relative'} |
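Review bot: the guard on the `mode` line (`lastResultsData?.lastResultTime?.[0]`) is a different condition from the one used for `startDate`/`endDate`, which test `lastResultsData?.lastResultTime` without indexing into it. An empty `lastResultTime` array passes the second test and fails the first, so `mode` would be `'relative'` while `startDate` is still computed from `moment(undefined)`, i.e. from the current time. Use a single guard for all three (`lastResultsData?.lastResultTime?.[0]`), or drop the `?.` before `[0]` everywhere if the array is never empty when present.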
Is it possible that we have no lastResultTime? (Asking about the optional chaining.)
Yeah, why is this line of code `lastResultTime?.[0]` while the ones for start and end date are `lastResultTime[0]`? I suspect lastResultTime is of type `any`?
Good catch, removed the unnecessary optional chaining and simplified the mode check in f05c152.
Fixed in f05c152 - simplified the mode check to match startDate/endDate guards.
ashokaditya
left a comment
Did code review only and I have a few questions.
| const startDate = lastResultsData?.['@timestamp'] | ||
| ? moment(lastResultsData?.['@timestamp'][0]).subtract(interval, 'seconds').toISOString() | ||
| const startDate = lastResultsData?.lastResultTime | ||
| ? moment(lastResultsData?.lastResultTime[0]).subtract(interval, 'seconds').toISOString() |
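Review bot: in the truthy branch, `lastResultsData?.lastResultTime[0]` repeats an optional chain that the ternary condition has already established; `lastResultsData.lastResultTime[0]` is what the condition guarantees (the same applies to the other ternaries in the change). Two further points on this hunk: the range now starts exactly one `interval` (in seconds) before the newest result, so a result ingested more than one interval before the newest one falls outside the table's range, which deserves a comment if it is intended; and `lastResultsData` has no declared type here, so nothing states that `lastResultTime` is a non-empty string array, which is what both the guard and the `[0]` index assume.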
nit: Since lastResultsData?.lastResultTime is true here the code here should be:
| ? moment(lastResultsData?.lastResultTime[0]).subtract(interval, 'seconds').toISOString() | |
| ? moment(lastResultsData.lastResultTime[0]).subtract(interval, 'seconds').toISOString() |
Same applies to all ternary checks throughout changes in the PR.
Also I suspect lastResultsData doesn't have a specific type? Is that something that should also be fixed?
Fixed in f05c152 - removed the redundant ?. in all ternary truthy branches; the type is inferred from useQuery so it's not any, but adding an explicit interface could be a follow-up.
Yeah I think adding a return type to when we call await lastValueFrom(...) should help.
ashokaditya
left a comment
Thanks for cleaning up the ternary checks.
💔 Build Failed
* commit '7dcc1fe3c205d2de0c3ca3f65804f21de09013c3': (285 commits)
  * Enrich kbn-check-saved-objects-cli README with CI and manual usage docs (elastic#252557)
  * [Discover] Add feature flag to make ESQL the default query mode (elastic#252268)
  * Add maskProps.headerZindexLocation above to inspect component flyout (elastic#252543)
  * [Security Solution][Atack/Alerts] Flyout header: Assignees (elastic#252190)
  * Upgrade EUI to v112.3.0 (elastic#252315)
  * [Fleet] Make save_knowledge_base async in streaming state machine (elastic#252328)
  * Upgrade @smithy/config-resolver 4.3.0 → 4.4.6 (elastic#252457)
  * [Lens as API] Add colorMapping support for XY charts (ES|QL data layers) (elastic#252051)
  * [WorkplaceAI] Add Google Drive data source and connector (elastic#250677)
  * [Scout] Move GlobalSearch FTR tests to Scout (elastic#252201)
  * [EDR Workflows] Fix osquery pack results display when agent clock is skewed (elastic#251417)
  * [Observability Onboarding] Apply integrations limit after dedup in parseIntegrationsTSV (elastic#252486)
  * [Entity Analytics] Update `host.ip` aggregation to remove painless script (elastic#252426)
  * Address `@elastic/eui/require-table-caption` lint violations across `@elastic/obs-presentation-team` files (elastic#251050)
  * Consolidate JSON stringify dependencies (elastic#251890)
  * [index mgmt] Use esql instead of query dsl to get the index count (elastic#252422)
  * Add Usage API Plugin (elastic#252434)
  * Cases All Templates page (elastic#250372)
  * [Agent Builder] Default value for optional params in ESQL tools (elastic#238472)
  * [Fleet] Add upgrade_details.metadata.reason to AgentResponseSchema (elastic#252485)
  * ...
Summary
When an agent's system clock is set to a future date, the osquery Pack status table would show incorrect data - only displaying results from the clock-skewed agent while hiding results from all other agents with correct timestamps.
Root cause: The "Last Results" queries sorted by `@timestamp` (set by the agent) instead of `event.ingested` (set by Elasticsearch at indexing time). A future timestamp would become the "latest" globally, and time range filters would exclude all results from properly-clocked agents.

Fix:
* Use `event.ingested` for sorting and time range filtering
* `event.ingested` as its time field
* `@timestamp` renamed to `lastResultTime` for semantic clarity

Closes https://github.com/elastic/security-team/issues/15072
Testing
Manually tested with two Linux agents:
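The failure mode described in the Summary, as an added example that is not part of this PR or of Kibana's code: a small model of how the "Last Results" window is derived (newest document by a time field, range = one `interval` before it) and what survives the range filter when the window is anchored on the agent-set `@timestamp` versus the Elasticsearch-set `event.ingested`. The documents, agent IDs, the 60-second interval and the function names (`lastResultsWindow`, `agentsInWindow`) are constructed for the illustration and are not from the PR.

```typescript
// Added example, not Kibana code. Models the osquery "Last Results" window
// and shows why anchoring it on the agent clock breaks the pack status table.

interface ResultDoc {
  agentId: string;
  '@timestamp': string;     // written by the agent, so it trusts the agent's clock
  'event.ingested': string; // written by Elasticsearch at index time
}

type TimeField = '@timestamp' | 'event.ingested';

// Constructed sample: three agents answer the same pack run within seconds of
// each other, but agent-c's clock is one year ahead.
const SAMPLE_RESULTS: ResultDoc[] = [
  { agentId: 'agent-a', '@timestamp': '2025-01-10T12:00:05Z', 'event.ingested': '2025-01-10T12:00:07Z' },
  { agentId: 'agent-b', '@timestamp': '2025-01-10T12:00:06Z', 'event.ingested': '2025-01-10T12:00:08Z' },
  { agentId: 'agent-c', '@timestamp': '2026-01-10T12:00:06Z', 'event.ingested': '2025-01-10T12:00:09Z' },
];

interface LastResultsWindow {
  mode: 'absolute' | 'relative';
  lastResultTime?: string;
  startDate?: string;
  endDate?: string;
}

// Newest document by `timeField` is the "last result"; the window is
// [lastResultTime - interval, lastResultTime]. With no results there is no
// anchor, which corresponds to the table's 'relative' mode.
function lastResultsWindow(docs: ResultDoc[], timeField: TimeField, intervalSeconds: number): LastResultsWindow {
  if (docs.length === 0) {
    return { mode: 'relative' };
  }
  const lastResultMs = Math.max(...docs.map((d) => Date.parse(d[timeField])));
  const lastResultTime = new Date(lastResultMs).toISOString();
  return {
    mode: 'absolute',
    lastResultTime,
    startDate: new Date(lastResultMs - intervalSeconds * 1000).toISOString(),
    endDate: lastResultTime,
  };
}

// Applies the window as a range filter on the same field and returns the
// agents whose results are still visible, sorted for stable comparison.
function agentsInWindow(docs: ResultDoc[], timeField: TimeField, intervalSeconds: number): string[] {
  const w = lastResultsWindow(docs, timeField, intervalSeconds);
  if (w.startDate === undefined || w.endDate === undefined) {
    return [];
  }
  const start = Date.parse(w.startDate);
  const end = Date.parse(w.endDate);
  return docs
    .filter((d) => {
      const t = Date.parse(d[timeField]);
      return t >= start && t <= end;
    })
    .map((d) => d.agentId)
    .sort();
}

// Anchored on the agent clock, only the skewed agent survives the filter;
// anchored on ingestion time, all three agents are shown.
console.log('@timestamp     :', agentsInWindow(SAMPLE_RESULTS, '@timestamp', 60));
console.log('event.ingested :', agentsInWindow(SAMPLE_RESULTS, 'event.ingested', 60));
```

The interval used here is the same quantity the diff subtracts with `moment(...).subtract(interval, 'seconds')`; the point the example makes is that the choice of anchor field, not the width of the window, is what lets one misconfigured clock hide every other agent.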