forked from elastic/kibana
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[EDR Workflows] Crowdstrike - add support to responder (elastic#184217)
- Loading branch information
Showing
12 changed files
with
521 additions
and
78 deletions.
There are no files selected for viewing
120 changes: 120 additions & 0 deletions
120
...ution/public/detections/components/endpoint_responder/get_external_edr_agent_info.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,120 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { getSentinelOneAgentId } from '../../../common/utils/sentinelone_alert_check'; | ||
import { getCrowdstrikeAgentId } from '../../../common/utils/crowdstrike_alert_check'; | ||
import { getExternalEdrAgentInfo } from './get_external_edr_agent_info'; | ||
|
||
jest.mock('../../../common/utils/sentinelone_alert_check'); | ||
jest.mock('../../../common/utils/crowdstrike_alert_check'); | ||
|
||
describe('getExternalEdrAgentInfo', () => { | ||
const mockEventData = [ | ||
{ | ||
category: 'event', | ||
field: 'event.module', | ||
values: ['sentinel_one'], | ||
isObjectArray: false, | ||
}, | ||
{ | ||
category: 'host', | ||
field: 'host.name', | ||
values: ['test-host'], | ||
isObjectArray: false, | ||
}, | ||
{ | ||
category: 'host', | ||
field: 'host.os.name', | ||
values: ['Windows'], | ||
isObjectArray: false, | ||
}, | ||
{ | ||
category: 'host', | ||
field: 'host.os.family', | ||
values: ['windows'], | ||
isObjectArray: false, | ||
}, | ||
{ | ||
category: 'host', | ||
field: 'host.os.version', | ||
values: ['10'], | ||
isObjectArray: false, | ||
}, | ||
{ | ||
category: 'kibana', | ||
field: 'kibana.alert.last_detected', | ||
values: ['2023-05-01T12:34:56Z'], | ||
isObjectArray: false, | ||
}, | ||
{ | ||
category: 'crowdstrike', | ||
field: 'crowdstrike.event.HostName', | ||
values: ['test-crowdstrike-host'], | ||
isObjectArray: false, | ||
}, | ||
{ | ||
category: 'crowdstrike', | ||
field: 'crowdstrike.event.Platform', | ||
values: ['linux'], | ||
isObjectArray: false, | ||
}, | ||
]; | ||
|
||
beforeEach(() => { | ||
(getSentinelOneAgentId as jest.Mock).mockReturnValue('sentinel-one-agent-id'); | ||
(getCrowdstrikeAgentId as jest.Mock).mockReturnValue('crowdstrike-agent-id'); | ||
}); | ||
|
||
afterEach(() => { | ||
jest.clearAllMocks(); | ||
}); | ||
|
||
it('should return correct info for sentinel_one agent type', () => { | ||
const result = getExternalEdrAgentInfo(mockEventData, 'sentinel_one'); | ||
expect(result).toEqual({ | ||
agent: { | ||
id: 'sentinel-one-agent-id', | ||
type: 'sentinel_one', | ||
}, | ||
host: { | ||
name: 'test-host', | ||
os: { | ||
name: 'Windows', | ||
family: 'windows', | ||
version: '10', | ||
}, | ||
}, | ||
lastCheckin: '2023-05-01T12:34:56Z', | ||
}); | ||
}); | ||
|
||
it('should return correct info for crowdstrike agent type', () => { | ||
const result = getExternalEdrAgentInfo(mockEventData, 'crowdstrike'); | ||
expect(result).toEqual({ | ||
agent: { | ||
id: 'crowdstrike-agent-id', | ||
type: 'crowdstrike', | ||
}, | ||
host: { | ||
name: 'test-crowdstrike-host', | ||
os: { | ||
name: '', | ||
family: 'linux', | ||
version: '', | ||
}, | ||
}, | ||
lastCheckin: '2023-05-01T12:34:56Z', | ||
}); | ||
}); | ||
|
||
it('should throw an error for unsupported agent type', () => { | ||
expect(() => { | ||
// @ts-expect-error testing purpose | ||
getExternalEdrAgentInfo(mockEventData, 'unsupported_agent_type'); | ||
}).toThrow('Unsupported agent type: unsupported_agent_type'); | ||
}); | ||
}); |
70 changes: 70 additions & 0 deletions
70
...y_solution/public/detections/components/endpoint_responder/get_external_edr_agent_info.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { TimelineEventsDetailsItem } from '@kbn/timelines-plugin/common'; | ||
import type { ResponseActionAgentType } from '../../../../common/endpoint/service/response_actions/constants'; | ||
import type { ThirdPartyAgentInfo } from '../../../../common/types'; | ||
import { getSentinelOneAgentId } from '../../../common/utils/sentinelone_alert_check'; | ||
import { getFieldValue } from '../host_isolation/helpers'; | ||
import { getCrowdstrikeAgentId } from '../../../common/utils/crowdstrike_alert_check'; | ||
|
||
export const getExternalEdrAgentInfo = ( | ||
eventData: TimelineEventsDetailsItem[], | ||
agentType: ResponseActionAgentType | ||
): ThirdPartyAgentInfo => { | ||
switch (agentType) { | ||
case 'sentinel_one': | ||
return { | ||
agent: { | ||
id: getSentinelOneAgentId(eventData) || '', | ||
type: getFieldValue( | ||
{ category: 'event', field: 'event.module' }, | ||
eventData | ||
) as ResponseActionAgentType, | ||
}, | ||
host: { | ||
name: getFieldValue({ category: 'host', field: 'host.name' }, eventData), | ||
os: { | ||
name: getFieldValue({ category: 'host', field: 'host.os.name' }, eventData), | ||
family: getFieldValue({ category: 'host', field: 'host.os.family' }, eventData), | ||
version: getFieldValue({ category: 'host', field: 'host.os.version' }, eventData), | ||
}, | ||
}, | ||
lastCheckin: getFieldValue( | ||
{ category: 'kibana', field: 'kibana.alert.last_detected' }, | ||
eventData | ||
), | ||
}; | ||
case 'crowdstrike': | ||
return { | ||
agent: { | ||
id: getCrowdstrikeAgentId(eventData) || '', | ||
type: agentType, | ||
}, | ||
host: { | ||
name: getFieldValue( | ||
{ category: 'crowdstrike', field: 'crowdstrike.event.HostName' }, | ||
eventData | ||
), | ||
os: { | ||
name: '', | ||
family: getFieldValue( | ||
{ category: 'crowdstrike', field: 'crowdstrike.event.Platform' }, | ||
eventData | ||
), | ||
version: '', | ||
}, | ||
}, | ||
lastCheckin: getFieldValue( | ||
{ category: 'kibana', field: 'kibana.alert.last_detected' }, | ||
eventData | ||
), | ||
}; | ||
default: | ||
throw new Error(`Unsupported agent type: ${agentType}`); | ||
} | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.