updated automated response actions to use alert space id when creating actions and spaces is enabled

paul-tavares · paul-tavares · commit 3e6d582e45b1 · 2025-05-02T15:19:04.000-04:00
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_response_actions/endpoint_response_action.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_response_actions/endpoint_response_action.ts
@@ -7,6 +7,7 @@
 
 import { each } from 'lodash';
 import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common';
+import { EndpointError } from '../../../../common/endpoint/errors';
 import { stringify } from '../../../endpoint/utils/stringify';
 import type {
   RuleResponseEndpointAction,
@@ -31,13 +32,29 @@ export const endpointResponseAction = async (
   );
   const ruleId = alerts[0].kibana.alert?.rule.uuid;
   const ruleName = alerts[0].kibana.alert?.rule.name;
-  const logMsgPrefix = `Rule [${ruleName}][${ruleId}]:`;
-  const { comment, command } = responseAction.params;
   const errors: string[] = [];
+  let spaceId = (alerts[0].kibana.space_ids ?? [])[0];
+
+  if (endpointAppContextService.experimentalFeatures.endpointManagementSpaceAwarenessEnabled) {
+    if (!spaceId) {
+      logger.error(
+        new EndpointError(
+          `Unable to identify the space ID from alert data ('kibana.space_ids') for rule [${ruleName}][${ruleId}]`
+        )
+      );
+      return;
+    }
+  } else {
+    // force the space to `default` when space awareness is not enabled
+    spaceId = DEFAULT_SPACE_ID;
+  }
+
+  const logMsgPrefix = `Rule [${ruleName}][${ruleId}][${spaceId}]:`;
+  const { comment, command } = responseAction.params;
   const responseActionsClient = endpointAppContextService.getInternalResponseActionsClient({
     agentType: 'endpoint',
     username: 'unknown',
-    spaceId: DEFAULT_SPACE_ID, // TODO:PT Will be updated with team issue #12312
+    spaceId,
   });
 
   const automatedProcessActionsEnabled =
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_response_actions/schedule_notification_response_actions.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_response_actions/schedule_notification_response_actions.test.ts
@@ -8,39 +8,42 @@
 import { getScheduleNotificationResponseActionsService } from './schedule_notification_response_actions';
 import type { RuleResponseAction } from '../../../../common/api/detection_engine';
 import { ResponseActionTypesEnum } from '../../../../common/api/detection_engine';
-import { ALERT_RULE_NAME, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RULE_UUID, SPACE_IDS } from '@kbn/rule-data-utils';
 import { createMockEndpointAppContextService } from '../../../endpoint/mocks';
 import { responseActionsClientMock } from '../../../endpoint/services/actions/clients/mocks';
+import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common';
 
 describe('ScheduleNotificationResponseActions', () => {
-  const signalOne = {
-    agent: { id: 'agent-id-1', type: 'endpoint' },
-    _id: 'alert-id-1',
-    user: { id: 'S-1-5-20' },
-    process: {
-      pid: 123,
+  const getSignals = () => [
+    {
+      agent: { id: 'agent-id-1', type: 'endpoint' },
+      _id: 'alert-id-1',
+      user: { id: 'S-1-5-20' },
+      process: {
+        pid: 123,
+      },
+      [ALERT_RULE_UUID]: 'rule-id-1',
+      [ALERT_RULE_NAME]: 'rule-name-1',
+      [SPACE_IDS]: [DEFAULT_SPACE_ID],
     },
-    [ALERT_RULE_UUID]: 'rule-id-1',
-    [ALERT_RULE_NAME]: 'rule-name-1',
-  };
-  const signalTwo = { agent: { id: 'agent-id-2', type: 'endpoint' }, _id: 'alert-id-2' };
-  const getSignals = () => [signalOne, signalTwo];
+    { agent: { id: 'agent-id-2', type: 'endpoint' }, _id: 'alert-id-2' },
+  ];
 
   const osqueryActionMock = {
     create: jest.fn(),
     stop: jest.fn(),
   };
   let mockedResponseActionsClient = responseActionsClientMock.create();
-  const endpointActionMock = createMockEndpointAppContextService();
-  (endpointActionMock.getInternalResponseActionsClient as jest.Mock).mockImplementation(() => {
+  const endpointServiceMock = createMockEndpointAppContextService();
+  (endpointServiceMock.getInternalResponseActionsClient as jest.Mock).mockImplementation(() => {
     return mockedResponseActionsClient;
   });
   // @ts-expect-error assignment to readonly property
-  endpointActionMock.experimentalFeatures.automatedProcessActionsEnabled = true;
+  endpointServiceMock.experimentalFeatures.automatedProcessActionsEnabled = true;
 
   const scheduleNotificationResponseActions = getScheduleNotificationResponseActionsService({
     osqueryCreateActionService: osqueryActionMock,
-    endpointAppContextService: endpointActionMock,
+    endpointAppContextService: endpointServiceMock,
   });
 
   describe('Osquery', () => {
@@ -143,7 +146,7 @@ describe('ScheduleNotificationResponseActions', () => {
   });
   describe('Endpoint', () => {
     beforeEach(() => {
-      (endpointActionMock.getInternalResponseActionsClient as jest.Mock).mockClear();
+      (endpointServiceMock.getInternalResponseActionsClient as jest.Mock).mockClear();
       mockedResponseActionsClient = responseActionsClientMock.create();
     });
 
@@ -165,10 +168,11 @@ describe('ScheduleNotificationResponseActions', () => {
         responseActions,
       });
       expect(response).not.toBeUndefined();
-      expect(endpointActionMock.getInternalResponseActionsClient).toHaveBeenCalledTimes(1);
-      expect(endpointActionMock.getInternalResponseActionsClient).toHaveBeenCalledWith({
+      expect(endpointServiceMock.getInternalResponseActionsClient).toHaveBeenCalledTimes(1);
+      expect(endpointServiceMock.getInternalResponseActionsClient).toHaveBeenCalledWith({
         agentType: 'endpoint',
         username: 'unknown',
+        spaceId: 'default',
       });
       expect(mockedResponseActionsClient.isolate).toHaveBeenCalledTimes(signals.length);
       expect(mockedResponseActionsClient.isolate).toHaveBeenNthCalledWith(
@@ -277,5 +281,80 @@ describe('ScheduleNotificationResponseActions', () => {
 
       expect(response).toBeUndefined();
     });
+
+    it('should use default space id when space awareness is disabled', async () => {
+      await scheduleNotificationResponseActions({
+        signals: getSignals(),
+        signalsCount: 2,
+        responseActions: [
+          {
+            actionTypeId: ResponseActionTypesEnum['.endpoint'],
+            params: {
+              command: 'isolate',
+              comment: 'test process comment',
+            },
+          },
+        ],
+      });
+
+      expect(endpointServiceMock.getInternalResponseActionsClient).toHaveBeenCalledWith(
+        expect.objectContaining({ spaceId: DEFAULT_SPACE_ID })
+      );
+    });
+
+    describe('and when space awareness is enabled', () => {
+      beforeEach(() => {
+        // @ts-expect-error
+        endpointServiceMock.experimentalFeatures.endpointManagementSpaceAwarenessEnabled = true;
+      });
+
+      it('should initialize a response action client with the alert space id when space awareness is enabled', async () => {
+        const signals = getSignals();
+        signals[0][SPACE_IDS] = ['foo'];
+        await scheduleNotificationResponseActions({
+          signals,
+          signalsCount: 2,
+          responseActions: [
+            {
+              actionTypeId: ResponseActionTypesEnum['.endpoint'],
+              params: {
+                command: 'isolate',
+                comment: 'test process comment',
+              },
+            },
+          ],
+        });
+
+        expect(endpointServiceMock.getInternalResponseActionsClient).toHaveBeenCalledWith(
+          expect.objectContaining({ spaceId: 'foo' })
+        );
+      });
+
+      it('should log error if unable to determine space id for alerts', async () => {
+        const signals = getSignals();
+        signals[0][SPACE_IDS] = undefined;
+        await scheduleNotificationResponseActions({
+          signals,
+          signalsCount: 2,
+          responseActions: [
+            {
+              actionTypeId: ResponseActionTypesEnum['.endpoint'],
+              params: {
+                command: 'isolate',
+                comment: 'test process comment',
+              },
+            },
+          ],
+        });
+
+        expect(endpointServiceMock.createLogger().error).toHaveBeenCalledWith(
+          expect.objectContaining({
+            message:
+              "Unable to identify the space ID from alert data ('kibana.space_ids') for rule [rule-name-1][rule-id-1]",
+          })
+        );
+        expect(endpointServiceMock.getInternalResponseActionsClient).not.toHaveBeenCalled();
+      });
+    });
   });
 });
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_response_actions/types.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_response_actions/types.ts
@@ -26,6 +26,7 @@ export type Alert = ParsedTechnicalFields & {
         name: string;
       };
     };
+    space_ids?: string[];
   };
 };
 
