Merge branch 'master' into search/telemetry

Author: lukasolson

x-pack/plugins/lists/server/routes/create_exception_list_item_route.ts

@@ -16,6 +16,7 @@ import {
 } from '../../common/schemas';
 
 import { getExceptionListClient } from './utils/get_exception_list_client';
+import { endpointDisallowedFields } from './endpoint_disallowed_fields';
 
 export const createExceptionListItemRoute = (router: IRouter): void => {
   router.post(
@@ -70,6 +71,22 @@ export const createExceptionListItemRoute = (router: IRouter): void => {
               statusCode: 409,
             });
           } else {
+            if (exceptionList.type === 'endpoint') {
+              for (const entry of entries) {
+                if (entry.type === 'list') {
+                  return siemResponse.error({
+                    body: `cannot add exception item with entry of type "list" to endpoint exception list`,
+                    statusCode: 400,
+                  });
+                }
+                if (endpointDisallowedFields.includes(entry.field)) {
+                  return siemResponse.error({
+                    body: `cannot add endpoint exception item on field ${entry.field}`,
+                    statusCode: 400,
+                  });
+                }
+              }
+            }
             const createdList = await exceptionLists.createExceptionListItem({
               _tags,
               comments,

x-pack/plugins/lists/server/routes/endpoint_disallowed_fields.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const endpointDisallowedFields = [
+  'file.Ext.quarantine_path',
+  'file.Ext.quarantine_result',
+  'process.entity_id',
+  'process.parent.entity_id',
+  'process.ancestry',
+];

x-pack/plugins/reporting/server/export_types/csv_from_savedobject/execute_job.ts

@@ -10,7 +10,6 @@ import { CONTENT_TYPE_CSV, CSV_FROM_SAVEDOBJECT_JOB_TYPE } from '../../../common
 import { RunTaskFnFactory, ScheduledTaskParams, TaskRunResult } from '../../types';
 import { createGenerateCsv } from '../csv/generate_csv';
 import { JobParamsPanelCsv, SearchPanel } from './types';
-import { getFakeRequest } from './lib/get_fake_request';
 import { getGenerateCsvParams } from './lib/get_csv_job';
 
 /*
@@ -44,19 +43,10 @@ export const runTaskFnFactory: RunTaskFnFactory<ImmediateExecuteFn> = function e
     const { jobParams } = jobPayload;
     const jobLogger = logger.clone([jobId === null ? 'immediate' : jobId]);
     const generateCsv = createGenerateCsv(jobLogger);
-    const { isImmediate, panel, visType } = jobParams as JobParamsPanelCsv & {
-      panel: SearchPanel;
-    };
+    const { panel, visType } = jobParams as JobParamsPanelCsv & { panel: SearchPanel };
 
     jobLogger.debug(`Execute job generating [${visType}] csv`);
 
-    if (isImmediate && req) {
-      jobLogger.info(`Executing job from Immediate API using request context`);
-    } else {
-      jobLogger.info(`Executing job async using encrypted headers`);
-      req = await getFakeRequest(jobPayload, config.get('encryptionKey')!, jobLogger);
-    }
-
     const savedObjectsClient = context.core.savedObjects.client;
 
     const uiConfig = await reporting.getUiSettingsServiceFactory(savedObjectsClient);

x-pack/plugins/reporting/server/export_types/csv_from_savedobject/lib/get_fake_request.ts

@@ -23,6 +23,8 @@ import { BuilderButtonOptions } from './builder_button_options';
 import { getNewExceptionItem, filterExceptionItems } from '../helpers';
 import { ExceptionsBuilderExceptionItem, CreateExceptionListItemBuilderSchema } from '../types';
 import { Loader } from '../../loader';
+// eslint-disable-next-line @kbn/eslint/no-restricted-paths
+import exceptionableFields from '../exceptionable_fields.json';
 
 const MyInvisibleAndBadge = styled(EuiFlexItem)`
   visibility: hidden;
@@ -172,6 +174,17 @@ export const ExceptionBuilder = ({
     );
   }, [exceptions]);
 
+  // Filters index pattern fields by exceptionable fields if list type is endpoint
+  const filterIndexPatterns = useCallback(() => {
+    if (listType === 'endpoint') {
+      return {
+        ...indexPatterns,
+        fields: indexPatterns.fields.filter(({ name }) => exceptionableFields.includes(name)),
+      };
+    }
+    return indexPatterns;
+  }, [indexPatterns, listType]);
+
   // The builder can have existing exception items, or new exception items that have yet
   // to be created (and thus lack an id), this was creating some React bugs with relying
   // on the index, as a result, created a temporary id when new exception items are first
@@ -216,7 +229,7 @@ export const ExceptionBuilder = ({
                 key={getExceptionListItemId(exceptionListItem, index)}
                 exceptionItem={exceptionListItem}
                 exceptionId={getExceptionListItemId(exceptionListItem, index)}
-                indexPattern={indexPatterns}
+                indexPattern={filterIndexPatterns()}
                 isLoading={indexPatternLoading}
                 exceptionItemIndex={index}
                 andLogicIncluded={andLogicIncluded}

x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx

@@ -0,0 +1,127 @@
+[
+  "Endpoint.policy.applied.id",
+  "Target.process.Ext.code_signature.status",
+  "Target.process.Ext.code_signature.subject_name",
+  "Target.process.Ext.code_signature.trusted",
+  "Target.process.Ext.code_signature.valid",
+  "Target.process.Ext.services",
+  "Target.process.Ext.user",
+  "Target.process.command_line",
+  "Target.process.executable",
+  "Target.process.hash.md5",
+  "Target.process.hash.sha1",
+  "Target.process.hash.sha256",
+  "Target.process.hash.sha512",
+  "Target.process.name",
+  "Target.process.parent.Ext.code_signature.status",
+  "Target.process.parent.Ext.code_signature.subject_name",
+  "Target.process.parent.Ext.code_signature.trusted",
+  "Target.process.parent.Ext.code_signature.valid",
+  "Target.process.parent.command_line",
+  "Target.process.parent.executable",
+  "Target.process.parent.hash.md5",
+  "Target.process.parent.hash.sha1",
+  "Target.process.parent.hash.sha256",
+  "Target.process.parent.hash.sha512",
+  "Target.process.parent.name",
+  "Target.process.parent.pgid",
+  "Target.process.parent.working_directory",
+  "Target.process.pe.company",
+  "Target.process.pe.description",
+  "Target.process.pe.file_version",
+  "Target.process.pe.original_file_name",
+  "Target.process.pe.product",
+  "Target.process.pgid",
+  "Target.process.working_directory",
+  "agent.id",
+  "agent.type",
+  "agent.version",
+  "elastic.agent.id",
+  "event.action",
+  "event.category",
+  "event.code",
+  "event.hash",
+  "event.kind",
+  "event.module",
+  "event.outcome",
+  "event.provider",
+  "event.type",
+  "file.Ext.code_signature.status",
+  "file.Ext.code_signature.subject_name",
+  "file.Ext.code_signature.trusted",
+  "file.Ext.code_signature.valid",
+  "file.attributes",
+  "file.device",
+  "file.directory",
+  "file.drive_letter",
+  "file.extension",
+  "file.gid",
+  "file.group",
+  "file.hash.md5",
+  "file.hash.sha1",
+  "file.hash.sha256",
+  "file.hash.sha512",
+  "file.inode",
+  "file.mime_type",
+  "file.mode",
+  "file.name",
+  "file.owner",
+  "file.path",
+  "file.pe.company",
+  "file.pe.description",
+  "file.pe.file_version",
+  "file.pe.original_file_name",
+  "file.pe.product",
+  "file.size",
+  "file.target_path",
+  "file.type",
+  "file.uid",
+  "group.Ext.real.id",
+  "group.domain",
+  "group.id",
+  "host.architecture",
+  "host.domain",
+  "host.id",
+  "host.os.Ext.variant",
+  "host.os.family",
+  "host.os.full",
+  "host.os.kernel",
+  "host.os.name",
+  "host.os.platform",
+  "host.os.version",
+  "host.type",
+  "process.Ext.code_signature.status",
+  "process.Ext.code_signature.subject_name",
+  "process.Ext.code_signature.trusted",
+  "process.Ext.code_signature.valid",
+  "process.Ext.services",
+  "process.Ext.user",
+  "process.command_line",
+  "process.executable",
+  "process.hash.md5",
+  "process.hash.sha1",
+  "process.hash.sha256",
+  "process.hash.sha512",
+  "process.name",
+  "process.parent.Ext.code_signature.status",
+  "process.parent.Ext.code_signature.subject_name",
+  "process.parent.Ext.code_signature.trusted",
+  "process.parent.Ext.code_signature.valid",
+  "process.parent.command_line",
+  "process.parent.executable",
+  "process.parent.hash.md5",
+  "process.parent.hash.sha1",
+  "process.parent.hash.sha256",
+  "process.parent.hash.sha512",
+  "process.parent.name",
+  "process.parent.pgid",
+  "process.parent.working_directory",
+  "process.pe.company",
+  "process.pe.description",
+  "process.pe.file_version",
+  "process.pe.original_file_name",
+  "process.pe.product",
+  "process.pgid",
+  "process.working_directory",
+  "rule.uuid"
+]

x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json

@@ -83,7 +83,7 @@ const NO_LEGEND_DATA: LegendItem[] = [];
 export const AlertsHistogramPanel = memo<AlertsHistogramPanelProps>(
   ({
     chartHeight,
-    defaultStackByOption = alertsHistogramOptions[0],
+    defaultStackByOption = alertsHistogramOptions[8], // signal.rule.name
     deleteQuery,
     filters,
     headerChildren,

x-pack/plugins/security_solution/public/detections/components/alerts_histogram_panel/index.tsx

@@ -5,7 +5,8 @@
  */
 
 import { FormattedMessage } from '@kbn/i18n/react';
-import { EuiText, EuiLink } from '@elastic/eui';
+import { EuiLink } from '@elastic/eui';
+import styled from 'styled-components';
 import React from 'react';
 
 import { ML_TYPE_DESCRIPTION } from './translations';
@@ -15,11 +16,15 @@ interface MlCardDescriptionProps {
   hasValidLicense?: boolean;
 }
 
+const SmallText = styled.span`
+  font-size: ${({ theme }) => theme.eui.euiFontSizeS};
+`;
+
 const MlCardDescriptionComponent: React.FC<MlCardDescriptionProps> = ({
   subscriptionUrl,
   hasValidLicense = false,
 }) => (
-  <EuiText size="s">
+  <SmallText>
     {hasValidLicense ? (
       ML_TYPE_DESCRIPTION
     ) : (
@@ -38,7 +43,7 @@ const MlCardDescriptionComponent: React.FC<MlCardDescriptionProps> = ({
         }}
       />
     )}
-  </EuiText>
+  </SmallText>
 );
 
 MlCardDescriptionComponent.displayName = 'MlCardDescriptionComponent';

x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/ml_card_description.tsx

@@ -18,6 +18,7 @@ export const stepAboutDefaultValue: AboutStepRule = {
   author: [],
   name: '',
   description: '',
+  isAssociatedToEndpointList: false,
   isBuildingBlock: false,
   isNew: true,
   severity: { value: 'low', mapping: [] },

x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/default_value.ts

@@ -165,6 +165,7 @@ describe('StepAboutRuleComponent', () => {
     await wait();
     const expected: Omit<AboutStepRule, 'isNew'> = {
       author: [],
+      isAssociatedToEndpointList: false,
       isBuildingBlock: false,
       license: '',
       ruleNameOverride: '',
@@ -223,6 +224,7 @@ describe('StepAboutRuleComponent', () => {
     await wait();
     const expected: Omit<AboutStepRule, 'isNew'> = {
       author: [],
+      isAssociatedToEndpointList: false,
       isBuildingBlock: false,
       license: '',
       ruleNameOverride: '',