[Osquery] Add Osquery results to Case #139909
Conversation
# Conflicts: # x-pack/plugins/osquery/public/plugin.ts # x-pack/plugins/osquery/public/routes/live_queries/details/index.tsx # x-pack/plugins/osquery/public/routes/saved_queries/edit/tabs.tsx # x-pack/plugins/osquery/public/types.ts
tomsonpl
added
v8.5.0
release_note:feature
…poc-cases # Conflicts: # x-pack/plugins/osquery/public/routes/live_queries/details/index.tsx
tomsonpl
requested review from
cnasikas,
jonathan-buttner and
patrykkopycinski
|
|
||
| return getAddToTimelineButton({ | ||
| dataProvider: providerA, | ||
| field: value, | ||
| dataProvider: providers, |
There was a problem hiding this comment.
This change is required for us to add multiple actions to time at once. Is this a proper approach?
The functionality itself is not used yet, but I am hoping to use it still for 8.5
|
@elasticmachine merge upstream |
| }, | ||
| async (context, request, response) => { | ||
| // this is to skip validation eg. for analysts in cases attachments so they can see the results despite not having permissions | ||
| const { isSystemRequest } = request; | ||
| if (!isSystemRequest) { |
There was a problem hiding this comment.
@elastic/kibana-security please keep me honest here. The system request header should NOT be used to skip authorization checks. The existence of the system request header is only intended to allow us to determine whether or not the user's session should be extended as a result of a HTTP request being made.
There was a problem hiding this comment.
Ok, the inner circle agreed to revert this changes and just show permission denied info.
Thanks @kobelb for your input 👍
There was a problem hiding this comment.
Thanks for pinging us @kobelb! Yes, you're absolutely correct, isSystemRequest == request that wasn't initiated by the user and shouldn't be treated as the user activity.
| const { cases } = useKibana().services; | ||
|
|
||
| const casePermissions = cases.helpers.canUseCases(); | ||
| const hasReadPermissions = casePermissions.read && casePermissions.update && casePermissions.push; |
There was a problem hiding this comment.
nit: maybe rename this to hasCasesPermissions, the permissions being checked here indicate there are more than just read.
| <EuiToolTip | ||
| content={ | ||
| <EuiFlexItem> | ||
| {i18n.translate('xpack.osquery.cases.addToCaseText', { |
There was a problem hiding this comment.
Can we use the ADD_TO_CASE variable here?
| import OsqueryLogo from '../../components/osquery_icon/osquery.svg'; | ||
|
|
||
| // TODO waiting for Metadata to add "add to timeline" in here | ||
| // const AttachmentActions: React.FC = () => ( |
There was a problem hiding this comment.
Reminder to remove commented out code
| type: 'regular', | ||
| event: 'attached Osquery results', | ||
| timelineAvatar: <EuiAvatar name="osquery" color="subdued" iconType={OsqueryLogo} />, | ||
| // actions: <AttachmentActions />, |
| const addToTimeline = useCallback( | ||
| (payload) => { | ||
| if (!actionId || !addToTimelineButton) { | ||
| return <></>; |
There was a problem hiding this comment.
Just checking, can this be null? or does that mess with how the parent component is rendered?
There was a problem hiding this comment.
Null would mess up. I will refactor these 2 - addToTimeline and addToCases buttons within OSquery during FF, or for 8.6. There is a few new things we learnt during preparation for 8.5.
| }, | ||
| async (context, request, response) => { | ||
| let agent; | ||
| // this is to skip validation eg. for analysts in cases attachments so they can see the results despite not having permissions | ||
| const { isSystemRequest } = request; | ||
| if (!isSystemRequest) { |
There was a problem hiding this comment.
Hey! Don't forget to remove this logic from all routes.
|
Great progress on this feature! Here are a few things I noted while testing before the instance went down 😢 : There is empty space on the overflow actions button Extra padding in actions menu
Rerendering the osquery attachment causes the case to flicker and jump. I'm not sure if this is related to how Cases performs the rerendering, or maybe the animation of populating results in the osquery component. This appears to only happen in the Stack Cases, so maybe it's our fault 😆 FlickeringScreen.Recording.2022-09-15.at.1.03.30.PM.mov |
|
@elasticmachine merge upstream |
1 similar comment
|
@elasticmachine merge upstream |
There was a problem hiding this comment.
Nice work! I left a few minor questions and text changes.
I tested:
- user with no osquery permissions cannot view the attachment within cases ✅
- user with no cases permissions results in the add to case button being disabled ✅
- user without superuser permissions can view the attachment within cases (this works after adding
readto theallfeature` ✅ - user without indices permissions cannot view the attachment within cases ✅
- attaching to timeline, viewing in lens, and viewing in discover from within cases works ✅
| body={ | ||
| <FormattedMessage | ||
| id="xpack.osquery.cases.permissionDenied" | ||
| defaultMessage=" To access this results, ask your administrator for {osquery} Kibana |
There was a problem hiding this comment.
Minor change: To access these...
| <CasesContext owner={CASES_OWNER} permissions={casePermissions}> | ||
| <EuiTabbedContent | ||
| // TODO: extend the EuiTabbedContent component to support EuiTabs props | ||
| // bottomBorder={false} |
There was a problem hiding this comment.
nit: remove commented out code
There was a problem hiding this comment.
I'd leave the TODO, maybe there's gonna be time to take care of it soon
| <AddToCaseButton | ||
| queryId={payload.queryId} | ||
| agentIds={agentIds} | ||
| actionId={liveQueryActionId || ''} |
There was a problem hiding this comment.
How likely is it for the liveQueryActionId to be undefined? aka setting actionId to an empty string? Should we disable the button if it undefined?
I think I tracked the code and it'll just result in the live query not running so maybe we'll just show an empty component within cases.
There was a problem hiding this comment.
You're right, empty string doesn't make sense. I'll add a check if we have livequeryActionId before rendering Button. We should have it after running a query, before getting results - I would risk a statement that it's obligatory.
|
Also I tested closing the osquery indices and that results in the attachments within cases looking like:
Seems fine to me 👍 Or maybe we could say something like |
|
The indices error is definitely something we should take a closer look into, thanks for the suggestion. 👍 and the whole review thing, you were very helpful @jonathan-buttner and @cnasikas thanks 👍 |
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Public APIs missing exports
Page load bundle
Unknown metric groupsAPI count
async chunk count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @tomsonpl |
This PR adds a functionality to add Osquery Results to Cases with help of
CasesUi.hooks.All types of Cases are supported - Security, Observability, Stack Management.
To Do:
[+] - Live queries + live query details
[+] - O11y Host metrics flyout
[+] - Alert flyout
[+] - Comment should include agentId details and query results
[+] - Change icon on the left side of comments
[+] - Adding packs
[] - Action item on the right side of the comment ( arrow-right ) should add whole result to Timeline
[+] - Add to timeline in case comment's result