filter by OS

elastic · Jun 3, 2020 · 78a918c · 78a918c
1 parent f2e6843
commit 78a918c
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 11 deletions.
diff --git a/...ns/siem/server/lib/detection_engine/routes/exceptions/download_endpoint_exception_list.ts b/...ns/siem/server/lib/detection_engine/routes/exceptions/download_endpoint_exception_list.ts
@@ -5,9 +5,10 @@
  */
 
 import { IRouter } from '../../../../../../../../src/core/server';
+import { ArtifactConstants } from '../../../exceptions';
+import { DownloadExceptionListRequestParams } from '../../exceptions/types';
 import { buildRouteValidation } from '../utils';
 import { downloadExceptionListSchema } from '../schemas/download_exception_list_schema';
-import { DownloadExceptionListRequestParams } from '../../exceptions/types';
 
 const allowlistBaseRoute: string = '/api/endpoint/allowlist';
 
@@ -36,7 +37,7 @@ async function handleEndpointExceptionDownload(context, req, res) {
   try {
     const soClient = context.core.savedObjects.client;
     const resp = await soClient.find({
-      type: 'siem-exceptions-artifact',
+      type: ArtifactConstants.SAVED_OBJECT_TYPE,
       search: req.params.sha256,
       searchFields: ['sha256'],
     });

diff --git a/...iem/server/lib/detection_engine/routes/exceptions/get_endpoint_exception_list_manifest.ts b/...iem/server/lib/detection_engine/routes/exceptions/get_endpoint_exception_list_manifest.ts
@@ -5,6 +5,7 @@
  */
 
 import { IRouter } from '../../../../../../../../src/core/server';
+import { ArtifactConstants } from '../../../exceptions';
 
 const allowlistBaseRoute: string = '/api/endpoint/allowlist';
 
@@ -56,11 +57,11 @@ async function getAllowlistManifest(ctx, schemaVersion) {
   const soClient = ctx.core.savedObjects.client;
 
   const manifestResp = soClient.find({
-    type: 'siem-exceptions-artifact', // TODO: use exported const
+    type: ArtifactConstants.SAVED_OBJECT_TYPE,
     fields: ['name', 'schemaVersion', 'sha256', 'encoding', 'size', 'created'],
     search: schemaVersion,
     searchFields: ['schemaVersion'],
-    sortField: 'updated_at',
+    sortField: 'created_at',
     sortOrder: 'desc',
   });
 

diff --git a/x-pack/plugins/siem/server/lib/exceptions/fetch_endpoint_exceptions.ts b/x-pack/plugins/siem/server/lib/exceptions/fetch_endpoint_exceptions.ts
@@ -39,13 +39,13 @@ export async function GetFullEndpointExceptionList(
 
   do {
     const response = await eClient.findExceptionListItem({
-      listId: 'endpoint_list', // TODO
-      namespaceType: 'single', // ?
-      filter: `exception-list-item.attributes.sensor_os:${os}`,
+      listId: 'endpoint_list',
+      namespaceType: 'agnostic',
+      filter: `_tags:"sensor:${os}"`,
       perPage: 100,
       page,
-      sortField: undefined,
-      sortOrder: undefined,
+      sortField: 'created_at',
+      sortOrder: 'desc',
     });
 
     if (response?.data !== undefined) {

diff --git a/x-pack/plugins/siem/server/lib/exceptions/task.ts b/x-pack/plugins/siem/server/lib/exceptions/task.ts
@@ -20,7 +20,7 @@ const PackagerTaskConstants = {
 };
 
 export const ArtifactConstants = {
-  GLOBAL_ALLOWLIST_NAME: 'global-allowlist',
+  GLOBAL_ALLOWLIST_NAME: 'endpoint-allowlist',
   SAVED_OBJECT_TYPE: 'siem-exceptions-artifact',
   SUPPORTED_OPERATING_SYSTEMS: ['windows'],
   SUPPORTED_SCHEMA_VERSIONS: ['1.0.0'],
@@ -70,7 +70,7 @@ export function setupPackagerTask(context: PackagerTaskContext): PackagerTask {
           encoding: 'xz',
           created: Date.now(),
           body: compressedExceptions.toString(),
-          size: Buffer.from(exceptions).byteLength,
+          size: Buffer.from(JSON.stringify(exceptions)).byteLength,
         };
 
         const resp = await soClient.find({