[Security Solution][Endpoint] Fix artifacts display of "Applied to x policies" on policy details tabs (#226461)

paul-tavares · web-flow · commit 1ea5d11cabf0 · 2025-07-07T11:57:22.000-04:00
## Summary

- Fixes the `Applied to {count} policies` popup only showing policy
names for the first 1k policies
- API call was changed to use `fleet/package_policies/_bulk_get` instead
of the `find` api
- Fixes the creation of Microsoft Defender integration policy when run
from dev scripts
- Improves the create endpoint policy dev script to be more robust and
prevent less run failures
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/artifacts/list/policy_artifacts_list.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/artifacts/list/policy_artifacts_list.test.tsx
@@ -21,6 +21,8 @@ import { SEARCHABLE_FIELDS } from '../../../../event_filters/constants';
 import { getEndpointPrivilegesInitialStateMock } from '../../../../../../common/components/user_privileges/endpoint/mocks';
 import { POLICY_ARTIFACT_LIST_LABELS } from './translations';
 import { EventFiltersApiClient } from '../../../../event_filters/service/api_client';
+import { ExceptionsListItemGenerator } from '../../../../../../../common/endpoint/data_generators/exceptions_list_item_generator';
+import { buildPerPolicyTag } from '../../../../../../../common/endpoint/service/artifacts/utils';
 
 const endpointGenerator = new EndpointDocGenerator('seed');
 const getDefaultQueryParameters = (customFilter: string | undefined = '') => ({
@@ -183,6 +185,33 @@ describe('Policy details artifacts list', () => {
     expect(history.location.search).not.toMatch('page_size');
   });
 
+  it('should retrieve all policies using getById api', async () => {
+    const generator = new ExceptionsListItemGenerator('seed');
+
+    mockedApi.responseProvider.eventFiltersList.mockReturnValue({
+      data: [
+        generator.generateEventFilter({
+          tags: [buildPerPolicyTag('policy-1'), buildPerPolicyTag('policy-2')],
+        }),
+        generator.generateEventFilter({
+          tags: [buildPerPolicyTag('policy-3'), buildPerPolicyTag('policy-2')],
+        }),
+      ],
+      page: 1,
+      per_page: 1,
+      total: 1,
+    });
+    await render();
+
+    expect(mockedContext.coreStart.http.post).toHaveBeenCalledWith(
+      '/api/fleet/package_policies/_bulk_get',
+      {
+        body: '{"ids":["policy-1","policy-2","policy-3"],"ignoreMissing":true}',
+        version: expect.any(String),
+      }
+    );
+  });
+
   describe('without external privileges', () => {
     it('should not display the delete action, do show the full details', async () => {
       mockedApi.responseProvider.eventFiltersList.mockReturnValue(
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/artifacts/list/policy_artifacts_list.tsx b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/artifacts/list/policy_artifacts_list.tsx
@@ -9,6 +9,7 @@ import React, { useCallback, useMemo, useState } from 'react';
 import type { Pagination } from '@elastic/eui';
 import { EuiSpacer, EuiText } from '@elastic/eui';
 import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
+import { useBulkFetchFleetIntegrationPolicies } from '../../../../../hooks/policy/use_bulk_fetch_fleet_integration_policies';
 import type { ArtifactEntryCardDecoratorProps } from '../../../../../components/artifact_entry_card';
 import { useAppUrl } from '../../../../../../common/lib/kibana';
 import { APP_UI_ID } from '../../../../../../../common/constants';
@@ -17,13 +18,15 @@ import { SearchExceptions } from '../../../../../components/search_exceptions';
 import { useEndpointPoliciesToArtifactPolicies } from '../../../../../components/artifact_entry_card/hooks/use_endpoint_policies_to_artifact_policies';
 import { useUrlParams } from '../../../../../hooks/use_url_params';
 import { useUrlPagination } from '../../../../../hooks/use_url_pagination';
-import { useGetEndpointSpecificPolicies } from '../../../../../services/policies/hooks';
 import { useOldUrlSearchPaginationReplace } from '../../../../../hooks/use_old_url_search_pagination_replace';
 import type { ArtifactCardGridProps } from '../../../../../components/artifact_card_grid';
 import { ArtifactCardGrid } from '../../../../../components/artifact_card_grid';
 import { usePolicyDetailsArtifactsNavigateCallback } from '../../policy_hooks';
 import type { ImmutableObject, PolicyData } from '../../../../../../../common/endpoint/types';
-import { isArtifactGlobal } from '../../../../../../../common/endpoint/service/artifacts';
+import {
+  getPolicyIdsFromArtifact,
+  isArtifactGlobal,
+} from '../../../../../../../common/endpoint/service/artifacts';
 import { useUserPrivileges } from '../../../../../../common/components/user_privileges';
 import { useGetLinkTo } from '../empty/use_policy_artifacts_empty_hooks';
 import type { ExceptionsListApiClient } from '../../../../../services/exceptions_list/exceptions_list_api_client';
@@ -58,7 +61,6 @@ export const PolicyArtifactsList = React.memo<PolicyArtifactsListProps>(
     useOldUrlSearchPaginationReplace();
     const { getAppUrl } = useAppUrl();
     const { canCreateArtifactsByPolicy } = useUserPrivileges().endpointPrivileges;
-    const policiesRequest = useGetEndpointSpecificPolicies({ perPage: 1000 });
     const navigateCallback = usePolicyDetailsArtifactsNavigateCallback(apiClient.listId);
     const { urlParams } = useUrlParams();
     const [expandedItemsMap, setExpandedItemsMap] = useState<Map<string, boolean>>(new Map());
@@ -82,6 +84,23 @@ export const PolicyArtifactsList = React.memo<PolicyArtifactsListProps>(
       searchableFields
     );
 
+    const allArtifactReferencedPolicyIds: string[] = useMemo(() => {
+      const ids = new Set<string>();
+
+      if (artifacts?.data) {
+        for (const artifact of artifacts.data) {
+          getPolicyIdsFromArtifact(artifact).forEach((policyId) => ids.add(policyId));
+        }
+      }
+
+      return Array.from(ids);
+    }, [artifacts?.data]);
+
+    const policiesRequest = useBulkFetchFleetIntegrationPolicies<PolicyData>(
+      { ids: allArtifactReferencedPolicyIds },
+      { enabled: allArtifactReferencedPolicyIds.length > 0, keepPreviousData: false }
+    );
+
     const pagination: Pagination = useMemo(
       () => ({
         pageSize: urlPagination.pageSize,
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/fleet_services.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/fleet_services.ts
@@ -1126,6 +1126,7 @@ export const addMicrosoftDefenderForEndpointIntegrationToAgentPolicy = async ({
                 value: clientId,
               },
               enable_request_tracer: {
+                value: false,
                 type: 'bool',
               },
               client_secret: {
@@ -1136,9 +1137,13 @@ export const addMicrosoftDefenderForEndpointIntegrationToAgentPolicy = async ({
                 type: 'text',
                 value: tenantId,
               },
+              initial_interval: {
+                value: '5m',
+                type: 'text',
+              },
               interval: {
+                value: '5m',
                 type: 'text',
-                value: '30s',
               },
               scopes: {
                 value: [],
@@ -1209,6 +1214,170 @@ export const addMicrosoftDefenderForEndpointIntegrationToAgentPolicy = async ({
           },
         ],
       },
+      {
+        type: 'cel',
+        policy_template: 'microsoft_defender_endpoint',
+        enabled: false,
+        streams: [
+          {
+            enabled: false,
+            data_stream: {
+              type: 'logs',
+              dataset: 'microsoft_defender_endpoint.machine',
+            },
+            vars: {
+              interval: {
+                value: '24h',
+                type: 'text',
+              },
+              batch_size: {
+                value: 1000,
+                type: 'text',
+              },
+              http_client_timeout: {
+                value: '30s',
+                type: 'text',
+              },
+              enable_request_tracer: {
+                value: false,
+                type: 'bool',
+              },
+              tags: {
+                value: ['forwarded', 'microsoft_defender_endpoint-machine'],
+                type: 'text',
+              },
+              preserve_original_event: {
+                value: false,
+                type: 'bool',
+              },
+              preserve_duplicate_custom_fields: {
+                type: 'bool',
+              },
+              processors: {
+                type: 'yaml',
+              },
+            },
+          },
+          {
+            enabled: false,
+            data_stream: {
+              type: 'logs',
+              dataset: 'microsoft_defender_endpoint.machine_action',
+            },
+            vars: {
+              initial_interval: {
+                value: '24h',
+                type: 'text',
+              },
+              interval: {
+                value: '5m',
+                type: 'text',
+              },
+              batch_size: {
+                value: 1000,
+                type: 'text',
+              },
+              http_client_timeout: {
+                value: '30s',
+                type: 'text',
+              },
+              enable_request_tracer: {
+                value: false,
+                type: 'bool',
+              },
+              tags: {
+                value: ['forwarded', 'microsoft_defender_endpoint-machine_action'],
+                type: 'text',
+              },
+              preserve_original_event: {
+                value: false,
+                type: 'bool',
+              },
+              preserve_duplicate_custom_fields: {
+                type: 'bool',
+              },
+              processors: {
+                type: 'yaml',
+              },
+            },
+          },
+          {
+            enabled: false,
+            data_stream: {
+              type: 'logs',
+              dataset: 'microsoft_defender_endpoint.vulnerability',
+            },
+            vars: {
+              interval: {
+                value: '4h',
+                type: 'text',
+              },
+              batch_size: {
+                value: 8000,
+                type: 'integer',
+              },
+              affected_machines_only: {
+                value: true,
+                type: 'bool',
+              },
+              enable_request_tracer: {
+                value: false,
+                type: 'bool',
+              },
+              preserve_original_event: {
+                value: false,
+                type: 'bool',
+              },
+              tags: {
+                value: ['forwarded', 'microsoft_defender_endpoint-vulnerability'],
+                type: 'text',
+              },
+              http_client_timeout: {
+                value: '30s',
+                type: 'text',
+              },
+              preserve_duplicate_custom_fields: {
+                value: false,
+                type: 'bool',
+              },
+              processors: {
+                type: 'yaml',
+              },
+            },
+          },
+        ],
+        vars: {
+          client_id: {
+            type: 'text',
+          },
+          client_secret: {
+            type: 'password',
+          },
+          login_url: {
+            value: 'https://login.microsoftonline.com',
+            type: 'text',
+          },
+          url: {
+            value: 'https://api.security.microsoft.com',
+            type: 'text',
+          },
+          tenant_id: {
+            type: 'text',
+          },
+          token_scopes: {
+            value: ['https://securitycenter.onmicrosoft.com/windowsatpservice/.default'],
+            type: 'text',
+          },
+          proxy_url: {
+            type: 'text',
+          },
+          ssl: {
+            value:
+              '#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n',
+            type: 'yaml',
+          },
+        },
+      },
     ],
     package: {
       name: packageName,
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/endpoint_policies/index.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/endpoint_policies/index.ts
@@ -14,18 +14,22 @@ import { BaseDataGenerator } from '../../../common/endpoint/data_generators/base
 import { getEndpointPackageInfo } from '../../../common/endpoint/utils/package';
 
 class EndpointPolicyGenerator extends BaseDataGenerator {
+  private counter = 1;
+
   public policyName(preFix: string | number = '') {
-    return `${preFix}${preFix ? ' ' : ''}${this.randomString(5)} Endpoint Policy`;
+    return `${preFix}${preFix ? ' ' : ''}${this.randomString(5)}-${this.counter++} Endpoint Policy`;
   }
 }
 
 const generate = new EndpointPolicyGenerator();
 
-export const cli = () => {
-  run(
+export const cli = async () => {
+  await run(
     async ({ log, flags: { kibana, count } }) => {
       const kbn = new KbnClient({ log, url: kibana as string });
       const max = Number(count);
+      const maxErrors = 10; // Max errors encountered until the script exits
+      const errors: string[] = [];
       let created = 0;
 
       log.info(`Creating ${count} endpoint policies...`);
@@ -35,16 +39,24 @@ export const cli = () => {
         const endpointPackage = await getEndpointPackageInfo(kbn);
 
         while (created < max) {
-          created++;
           await indexFleetEndpointPolicy(
             kbn,
             generate.policyName(created),
             endpointPackage.version
           );
+          created++;
         }
       } catch (error) {
-        log.error(error);
-        throw createFailError(error.message);
+        error.push(error.message);
+
+        if (errors.length >= maxErrors) {
+          log.error(
+            `${errors.length} errors were encountered: ${JSON.stringify(errors, null, 2)}\n`
+          );
+          throw createFailError(
+            `Too many errors encountered (${errors.length}. Only ${created} policies were created`
+          );
+        }
       }
 
       log.success(`Done!`);
