diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts index b6a0724faebed..4fd1b00ae3bee 100644 --- a/x-pack/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/plugins/security_solution/common/experimental_features.ts @@ -21,6 +21,7 @@ export const allowedExperimentalValues = Object.freeze({ uebaEnabled: false, disableIsolationUIPendingStatuses: false, riskyHostsEnabled: false, + pendingActionResponsesWithAck: true, }); type ExperimentalConfigKeys = Array; diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.test.ts index a8592f02691aa..e4dc9b049e2ba 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.test.ts @@ -87,7 +87,10 @@ describe('Endpoint Action Status', () => { logFactory: loggingSystemMock.create(), service: endpointAppContextService, config: () => Promise.resolve(createMockConfig()), - experimentalFeatures: parseExperimentalConfigValue(createMockConfig().enableExperimental), + experimentalFeatures: { + ...parseExperimentalConfigValue(createMockConfig().enableExperimental), + pendingActionResponsesWithAck: true, + }, }); getPendingStatus = async (reqParams?: any): Promise> => { @@ -451,4 +454,321 @@ describe('Endpoint Action Status', () => { }); }); }); + + describe('response (when pendingActionResponsesWithAck is FALSE)', () => { + let endpointAppContextService: EndpointAppContextService; + + // convenience for calling the route and handler for action status + let getPendingStatus: (reqParams?: any) => Promise>; + // convenience for injecting mock responses for actions index and responses + let havingActionsAndResponses: ( + actions: MockAction[], + responses: MockResponse[], + endpointResponses?: MockEndpointResponse[] + ) => void; + + beforeEach(() => { + const esClientMock = elasticsearchServiceMock.createScopedClusterClient(); + const routerMock = httpServiceMock.createRouter(); + endpointAppContextService = new EndpointAppContextService(); + endpointAppContextService.setup(createMockEndpointAppContextServiceSetupContract()); + endpointAppContextService.start(createMockEndpointAppContextServiceStartContract()); + + registerActionStatusRoutes(routerMock, { + logFactory: loggingSystemMock.create(), + service: endpointAppContextService, + config: () => Promise.resolve(createMockConfig()), + experimentalFeatures: { + ...parseExperimentalConfigValue(createMockConfig().enableExperimental), + pendingActionResponsesWithAck: false, + }, + }); + + getPendingStatus = async (reqParams?: any): Promise> => { + const req = httpServerMock.createKibanaRequest(reqParams); + const mockResponse = httpServerMock.createResponseFactory(); + const [, routeHandler]: [ + RouteConfig, + RequestHandler + ] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(ACTION_STATUS_ROUTE))!; + await routeHandler( + createRouteHandlerContext(esClientMock, savedObjectsClientMock.create()), + req, + mockResponse + ); + + return mockResponse; + }; + + havingActionsAndResponses = ( + actions: MockAction[], + responses: MockResponse[], + endpointResponses?: MockEndpointResponse[] + ) => { + esClientMock.asCurrentUser.search = jest.fn().mockImplementation((req) => { + const size = req.size ? req.size : 10; + const items: any[] = + req.index === '.fleet-actions' + ? actions.splice(0, size) + : req.index === '.logs-endpoint.action.responses' && !!endpointResponses + ? endpointResponses + : responses.splice(0, size); + + if (items.length > 0) { + return Promise.resolve(mockSearchResult(items.map((x) => x.build()))); + } else { + return Promise.resolve(mockSearchResult()); + } + }); + }; + }); + + afterEach(() => { + endpointAppContextService.stop(); + }); + + it('should include total counts for large (more than a page) action counts', async () => { + const mockID = 'XYZABC-000'; + const actions = []; + for (let i = 0; i < 1400; i++) { + // putting more than a single page of results in + actions.push(aMockAction().withAgent(mockID)); + } + havingActionsAndResponses(actions, []); + + const response = await getPendingStatus({ + query: { + agent_ids: [mockID], + }, + }); + + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(1); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].agent_id).toEqual(mockID); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.isolate).toEqual( + 0 + ); + }); + it('should include a total count of a pending action', async () => { + const mockID = 'XYZABC-000'; + havingActionsAndResponses( + [ + aMockAction().withAgent(mockID).withAction('isolate'), + aMockAction().withAgent(mockID).withAction('isolate'), + ], + [] + ); + const response = await getPendingStatus({ + query: { + agent_ids: [mockID], + }, + }); + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(1); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].agent_id).toEqual(mockID); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.isolate).toEqual( + 0 + ); + }); + it('should show multiple pending actions, and their counts', async () => { + const mockID = 'XYZABC-000'; + havingActionsAndResponses( + [ + aMockAction().withAgent(mockID).withAction('isolate'), + aMockAction().withAgent(mockID).withAction('isolate'), + aMockAction().withAgent(mockID).withAction('isolate'), + aMockAction().withAgent(mockID).withAction('unisolate'), + aMockAction().withAgent(mockID).withAction('unisolate'), + ], + [] + ); + const response = await getPendingStatus({ + query: { + agent_ids: [mockID], + }, + }); + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(1); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].agent_id).toEqual(mockID); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.isolate).toEqual( + 0 + ); + expect( + (response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.unisolate + ).toEqual(0); + }); + it('should calculate correct pending counts from grouped/bulked actions', async () => { + const mockID = 'XYZABC-000'; + havingActionsAndResponses( + [ + aMockAction() + .withAgents([mockID, 'IRRELEVANT-OTHER-AGENT', 'ANOTHER-POSSIBLE-AGENT']) + .withAction('isolate'), + aMockAction().withAgents([mockID, 'YET-ANOTHER-AGENT-ID']).withAction('isolate'), + aMockAction().withAgents(['YET-ANOTHER-AGENT-ID']).withAction('isolate'), // one WITHOUT our agent-under-test + ], + [] + ); + const response = await getPendingStatus({ + query: { + agent_ids: [mockID], + }, + }); + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(1); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].agent_id).toEqual(mockID); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.isolate).toEqual( + 0 + ); + }); + + it('should exclude actions that have responses from the pending count', async () => { + const mockAgentID = 'XYZABC-000'; + const actionID = 'some-known-actionid'; + havingActionsAndResponses( + [ + aMockAction().withAgent(mockAgentID).withAction('isolate'), + aMockAction().withAgent(mockAgentID).withAction('isolate').withID(actionID), + ], + [aMockResponse(actionID, mockAgentID)] + ); + (endpointAppContextService.getEndpointMetadataService as jest.Mock) = jest + .fn() + .mockReturnValue({ + findHostMetadataForFleetAgents: jest.fn().mockResolvedValue([]), + }); + const response = await getPendingStatus({ + query: { + agent_ids: [mockAgentID], + }, + }); + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(1); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].agent_id).toEqual(mockAgentID); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.isolate).toEqual( + 0 + ); + }); + it('should have accurate counts for multiple agents, bulk actions, and responses', async () => { + const agentOne = 'XYZABC-000'; + const agentTwo = 'DEADBEEF'; + const agentThree = 'IDIDIDID'; + + const actionTwoID = 'ID-TWO'; + havingActionsAndResponses( + [ + aMockAction().withAgents([agentOne, agentTwo, agentThree]).withAction('isolate'), + aMockAction() + .withAgents([agentTwo, agentThree]) + .withAction('isolate') + .withID(actionTwoID), + aMockAction().withAgents([agentThree]).withAction('isolate'), + ], + [aMockResponse(actionTwoID, agentThree)] + ); + (endpointAppContextService.getEndpointMetadataService as jest.Mock) = jest + .fn() + .mockReturnValue({ + findHostMetadataForFleetAgents: jest.fn().mockResolvedValue([]), + }); + const response = await getPendingStatus({ + query: { + agent_ids: [agentOne, agentTwo, agentThree], + }, + }); + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(3); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toContainEqual({ + agent_id: agentOne, + pending_actions: { + isolate: 0, + }, + }); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toContainEqual({ + agent_id: agentTwo, + pending_actions: { + isolate: 0, + }, + }); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toContainEqual({ + agent_id: agentThree, + pending_actions: { + isolate: 0, + }, + }); + }); + + describe('with endpoint response index', () => { + it('should include a total count of a pending action response', async () => { + const mockAgentId = 'XYZABC-000'; + const actionIds = ['action_id_0', 'action_id_1']; + havingActionsAndResponses( + [ + aMockAction().withAgent(mockAgentId).withAction('isolate').withID(actionIds[0]), + aMockAction().withAgent(mockAgentId).withAction('isolate').withID(actionIds[1]), + ], + [ + aMockResponse(actionIds[0], mockAgentId, true), + aMockResponse(actionIds[1], mockAgentId, true), + ] + ); + (endpointAppContextService.getEndpointMetadataService as jest.Mock) = jest + .fn() + .mockReturnValue({ + findHostMetadataForFleetAgents: jest.fn().mockResolvedValue([]), + }); + const response = await getPendingStatus({ + query: { + agent_ids: [mockAgentId], + }, + }); + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(1); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].agent_id).toEqual(mockAgentId); + expect( + (response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.isolate + ).toEqual(0); + }); + + it('should show multiple pending action responses, and their counts', async () => { + const mockAgentID = 'XYZABC-000'; + const actionIds = ['ack_0', 'ack_1', 'ack_2', 'ack_3', 'ack_4']; + havingActionsAndResponses( + [ + aMockAction().withAgent(mockAgentID).withAction('isolate').withID(actionIds[0]), + aMockAction().withAgent(mockAgentID).withAction('isolate').withID(actionIds[1]), + aMockAction().withAgent(mockAgentID).withAction('isolate').withID(actionIds[2]), + aMockAction().withAgent(mockAgentID).withAction('unisolate').withID(actionIds[3]), + aMockAction().withAgent(mockAgentID).withAction('unisolate').withID(actionIds[4]), + ], + [ + aMockResponse(actionIds[0], mockAgentID, true), + aMockResponse(actionIds[1], mockAgentID, true), + aMockResponse(actionIds[2], mockAgentID, true), + aMockResponse(actionIds[3], mockAgentID, true), + aMockResponse(actionIds[4], mockAgentID, true), + ] + ); + (endpointAppContextService.getEndpointMetadataService as jest.Mock) = jest + .fn() + .mockReturnValue({ + findHostMetadataForFleetAgents: jest.fn().mockResolvedValue([]), + }); + const response = await getPendingStatus({ + query: { + agent_ids: [mockAgentID], + }, + }); + expect(response.ok).toBeCalled(); + expect((response.ok.mock.calls[0][0]?.body as any)?.data).toHaveLength(1); + expect((response.ok.mock.calls[0][0]?.body as any)?.data[0].agent_id).toEqual(mockAgentID); + expect( + (response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.isolate + ).toEqual(0); + expect( + (response.ok.mock.calls[0][0]?.body as any)?.data[0].pending_actions.unisolate + ).toEqual(0); + }); + }); + }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.ts index 4ba03bf220c21..32c709aef2b87 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.ts @@ -50,7 +50,8 @@ export const actionStatusRequestHandler = function ( const response = await getPendingActionCounts( esClient, endpointContext.service.getEndpointMetadataService(), - agentIDs + agentIDs, + endpointContext.experimentalFeatures.pendingActionResponsesWithAck ); return res.ok({ diff --git a/x-pack/plugins/security_solution/server/endpoint/services/actions.ts b/x-pack/plugins/security_solution/server/endpoint/services/actions.ts index 5dcaca6c2c4cc..4dbfd700496f5 100644 --- a/x-pack/plugins/security_solution/server/endpoint/services/actions.ts +++ b/x-pack/plugins/security_solution/server/endpoint/services/actions.ts @@ -186,7 +186,8 @@ export const getPendingActionCounts = async ( esClient: ElasticsearchClient, metadataService: EndpointMetadataService, /** The Fleet Agent IDs to be checked */ - agentIDs: string[] + agentIDs: string[], + isPendingActionResponsesWithAckEnabled: boolean ): Promise => { // retrieve the unexpired actions for the given hosts const recentActions = await esClient @@ -254,11 +255,17 @@ export const getPendingActionCounts = async ( pending_actions: pendingActions .map((a) => a.data.command) .reduce((acc, cur) => { - if (cur in acc) { - acc[cur] += 1; + if (!isPendingActionResponsesWithAckEnabled) { + acc[cur] = 0; // set pending counts to 0 when FF is disabled } else { - acc[cur] = 1; + // else do the usual counting + if (cur in acc) { + acc[cur] += 1; + } else { + acc[cur] = 1; + } } + return acc; }, {} as EndpointPendingActions['pending_actions']), }); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts index fbc51aa0360ce..918d3aadfd6e8 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts @@ -209,7 +209,8 @@ export const getHostEndpoint = async ( ? getPendingActionCounts( esClient.asInternalUser, endpointContext.service.getEndpointMetadataService(), - [fleetAgentId] + [fleetAgentId], + endpointContext.experimentalFeatures.pendingActionResponsesWithAck ) .then((results) => { return results[0].pending_actions;