
Commit efe466b

[8.14] [Security Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765) (#181839)
# Backport This will backport the following commits from `main` to `8.14`: - [[Security Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765)](#181765) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Paul Tavares","email":"56442535+paul-tavares@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-04-26T12:30:02Z","message":"[Security Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765)\n\n## Summary\r\n\r\n- Changes the names of the Activity and Agents indexes to `*` patterns\r\nin order to account for when the SentinelOne integration is configured\r\nwith a namespace other than `default`","sha":"22faf26bb2326beeb3bdbdbbc67f730781aeedc8","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["backport","release_note:skip","Team:Defend Workflows","v8.14.0","v8.15.0"],"number":181765,"url":"https://github.com/elastic/kibana/pull/181765","mergeCommit":{"message":"[Security Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765)\n\n## Summary\r\n\r\n- Changes the names of the Activity and Agents indexes to `*` patterns\r\nin order to account for when the SentinelOne integration is configured\r\nwith a namespace other than `default`","sha":"22faf26bb2326beeb3bdbdbbc67f730781aeedc8"}},"sourceBranch":"main","suggestedTargetBranches":["8.14"],"targetPullRequestStates":[{"branch":"8.14","label":"v8.14.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.15.0","labelRegex":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/181765","number":181765,"mergeCommit":{"message":"[Security 
Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765)\n\n## Summary\r\n\r\n- Changes the names of the Activity and Agents indexes to `*` patterns\r\nin order to account for when the SentinelOne integration is configured\r\nwith a namespace other than `default`","sha":"22faf26bb2326beeb3bdbdbbc67f730781aeedc8"}}]}] BACKPORT-->
1 parent 087133a commit efe466b

5 files changed

Lines changed: 12 additions & 12 deletions


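--- a/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
@@ -9,7 +9,7 @@ import type { DeepPartial } from 'utility-types';
 import { merge } from 'lodash';
 import type { SearchResponse, SearchHit } from '@elastic/elasticsearch/lib/api/types';
 import { EndpointActionGenerator } from './endpoint_action_generator';
-import { SENTINEL_ONE_ACTIVITY_INDEX } from '../..';
+import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../..';
 import type {
 LogsEndpointAction,
 SentinelOneActivityEsDoc,
@@ -61,7 +61,7 @@ export class SentinelOneDataGenerator extends EndpointActionGenerator {
 ): SearchHit<SentinelOneActivityEsDoc> {
 const hit = this.toEsSearchHit<SentinelOneActivityEsDoc>(
 this.generateActivityEsDoc(overrides),
-SENTINEL_ONE_ACTIVITY_INDEX
+SENTINEL_ONE_ACTIVITY_INDEX_PATTERN
 );
 
 hit.inner_hits = {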

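--- a/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts
@@ -6,6 +6,6 @@
 */
 
 /**
-* Index name where the SentinelOne activity log is written to by the SentinelOne integration
+* Index pattern where the SentinelOne activity log is written to by the SentinelOne integration
 */
-export const SENTINEL_ONE_ACTIVITY_INDEX = 'logs-sentinel_one.activity-default';
+export const SENTINEL_ONE_ACTIVITY_INDEX_PATTERN = 'logs-sentinel_one.activity-*';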
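Review bot: The new wildcard value on the `export const SENTINEL_ONE_ACTIVITY_INDEX_PATTERN` line matches `logs-sentinel_one.activity-<any namespace>`, so every search built on it now spans all SentinelOne integration namespaces (and any other index or data stream that happens to share that prefix), which the one-line comment above it does not say. I would extend the comment to `* Index pattern (all namespaces) where the SentinelOne activity log is written to by the SentinelOne integration.` followed by `* Callers must constrain results by agent/host identifiers, since the wildcard no longer limits the search to a single namespace.` The commit title also mentions an agents index, but no agents index constant changes in this diff; presumably it is handled elsewhere or is already a pattern, which is worth confirming.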

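--- a/x-pack/plugins/security_solution/common/index.ts
+++ b/x-pack/plugins/security_solution/common/index.ts
@@ -22,7 +22,7 @@ export {
 export { ELASTIC_SECURITY_RULE_ID } from './detection_engine/constants';
 export { ENABLED_FIELD } from './detection_engine/rule_management/rule_fields';
 export { allowedExperimentalValues, type ExperimentalFeatures } from './experimental_features';
-export { SENTINEL_ONE_ACTIVITY_INDEX } from './endpoint/service/response_actions/sentinel_one';
+export { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from './endpoint/service/response_actions/sentinel_one';
 
 // Careful of exporting anything from this file as any file(s) you export here will cause your page bundle size to increase.
 // If you're using functions/types/etc... internally it's best to import directly from their paths than expose the functions/types/etc... here.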

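--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts
@@ -19,7 +19,7 @@ import {
 } from '../../../../../../common/endpoint/constants';
 import type { NormalizedExternalConnectorClient } from '../../..';
 import { applyEsClientSearchMock } from '../../../../mocks/utils.mock';
-import { SENTINEL_ONE_ACTIVITY_INDEX } from '../../../../../../common';
+import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../../../../../../common';
 import { SentinelOneDataGenerator } from '../../../../../../common/endpoint/data_generators/sentinelone_data_generator';
 import type {
 EndpointActionResponse,
@@ -412,7 +412,7 @@ describe('SentinelOneActionsClient class', () => {
 
 applyEsClientSearchMock({
 esClientMock: classConstructorOptions.esClient,
-index: SENTINEL_ONE_ACTIVITY_INDEX,
+index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 response: s1ActivitySearchResponse,
 });
 });
@@ -493,7 +493,7 @@ describe('SentinelOneActionsClient class', () => {
 sort: [{ 'sentinel_one.activity.updated_at': 'asc' }],
 },
 },
-index: SENTINEL_ONE_ACTIVITY_INDEX,
+index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 query: {
 bool: {
 minimum_should_match: 1,
@@ -533,7 +533,7 @@ describe('SentinelOneActionsClient class', () => {
 sort: [{ 'sentinel_one.activity.updated_at': 'asc' }],
 },
 },
-index: SENTINEL_ONE_ACTIVITY_INDEX,
+index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 query: {
 bool: {
 minimum_should_match: 1,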

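--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts
@@ -24,7 +24,7 @@ import type {
 NormalizedExternalConnectorClientExecuteOptions,
 NormalizedExternalConnectorClient,
 } from '../lib/normalized_external_connector_client';
-import { SENTINEL_ONE_ACTIVITY_INDEX } from '../../../../../../common';
+import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../../../../../../common';
 import { catchAndWrapError } from '../../../../utils';
 import type {
 CommonResponseActionMethodOptions,
@@ -473,7 +473,7 @@ export class SentinelOneActionsClient extends ResponseActionsClientImpl {
 };
 
 const searchRequestOptions: SearchRequest = {
-index: SENTINEL_ONE_ACTIVITY_INDEX,
+index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN,
 query,
 // There may be many documents for each host/agent, so we collapse it and only get back the
 // first one that came in after the isolate request was sent
@@ -493,7 +493,7 @@ export class SentinelOneActionsClient extends ResponseActionsClientImpl {
 };
 
 this.log.debug(
-`searching for ${command} responses from [${SENTINEL_ONE_ACTIVITY_INDEX}] index with:\n${stringify(
+`searching for ${command} responses from [${SENTINEL_ONE_ACTIVITY_INDEX_PATTERN}] index with:\n${stringify(
 searchRequestOptions,
 15
 )}`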
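Review bot: Switching `index` in `searchRequestOptions` from a concrete index name to a wildcard pattern also changes how a missing index behaves: as far as I recall, Elasticsearch returns `index_not_found_exception` for an unmatched concrete name but, with the default `allow_no_indices` handling for wildcard expressions, returns zero hits for a pattern that matches nothing, so a misconfigured or not-yet-installed integration now looks like "no response yet" instead of surfacing an error. A comment on the `index:` line such as `// wildcard spans all namespaces; a pattern matching no index yields empty hits rather than a 404` would make that explicit, and any retry or timeout logic around this search should be checked against it. The debug message on the `this.log.debug(` line still says `index` although the value is now a pattern; `from [${SENTINEL_ONE_ACTIVITY_INDEX_PATTERN}] index pattern with:` would be accurate. The enclosing method starts and ends outside the hunk.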
