[Security Solution][Hosts] Fix Host Events flyout and remove the Endp…

…oint Host Isolation `Take Action` button (only valid for Alerts) (#103784) (#103807) * Fix bug in `endpointAlertCheck` to ensure events are not looked at * Fix data/type Co-authored-by: Paul Tavares <[email protected]>
elastic · Jun 30, 2021 · 40f5350 · 40f5350
1 parent f50f676
commit 40f5350
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 19 deletions.
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts b/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts
@@ -9,7 +9,7 @@ import { TimelineEventsDetailsItem } from '../../../common/search_strategy';
 
 export const mockDetailItemDataId = 'Y-6TfmcB0WOhS6qyMv3s';
 
-export const mockDetailItemData: TimelineEventsDetailsItem[] = [
+export const generateMockDetailItemData = (): TimelineEventsDetailsItem[] => [
   {
     field: '_id',
     originalValue: 'pEMaMmkBUV60JmNWmWVi',
@@ -137,3 +137,5 @@ export const mockDetailItemData: TimelineEventsDetailsItem[] = [
     isObjectArray: false,
   },
 ];
+
+export const mockDetailItemData: TimelineEventsDetailsItem[] = generateMockDetailItemData();
diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts
@@ -6,26 +6,48 @@
  */
 
 import _ from 'lodash';
-import { mockDetailItemData } from '../mock';
+import { generateMockDetailItemData } from '../mock';
 import { endpointAlertCheck } from './endpoint_alert_check';
 
-describe('utils', () => {
-  describe('endpointAlertCheck', () => {
-    it('should return false if detections data does not come from endpoint rule', () => {
-      expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy();
-    });
-    it('should return true if detections data comes from an endpoint rule', () => {
-      _.remove(mockDetailItemData, function (o) {
-        return o.field === 'agent.type';
-      });
-      const mockEndpointDetailItemData = _.concat(mockDetailItemData, {
+describe('Endpoint Alert Check Utility', () => {
+  let mockDetailItemData: ReturnType<typeof generateMockDetailItemData>;
+
+  beforeEach(() => {
+    mockDetailItemData = generateMockDetailItemData();
+
+    // Remove the filebeat agent type from the mock
+    _.remove(mockDetailItemData, { field: 'agent.type' });
+
+    mockDetailItemData.push(
+      // Must be an Alert
+      {
+        field: 'signal.rule.id',
+        category: 'signal',
+        originalValue: 'endpoint',
+        values: ['endpoint'],
+        isObjectArray: false,
+      },
+      // Must be from an endpoint agent
+      {
         field: 'agent.type',
         originalValue: 'endpoint',
         values: ['endpoint'],
         isObjectArray: false,
-      });
+      }
+    );
+  });
+
+  it('should return true if detections data comes from an endpoint rule', () => {
+    expect(endpointAlertCheck({ data: mockDetailItemData })).toBe(true);
+  });
+
+  it('should return false if it is not an Alert (ex. maybe an event)', () => {
+    _.remove(mockDetailItemData, { field: 'signal.rule.id' });
+    expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy();
+  });
 
-      expect(endpointAlertCheck({ data: mockEndpointDetailItemData })).toBeTruthy();
-    });
+  it('should return false if it is not an endpoint agent', () => {
+    _.remove(mockDetailItemData, { field: 'agent.type' });
+    expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy();
   });
 });
diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts
@@ -5,10 +5,21 @@
  * 2.0.
  */
 
-import { find } from 'lodash/fp';
-import { TimelineEventsDetailsItem } from '../../../common/search_strategy';
+import { find, some } from 'lodash/fp';
+import { TimelineEventsDetailsItem } from '../../../../timelines/common';
+
+/**
+ * Checks to see if the given set of Timeline event detail items includes data that indicates its
+ * an endpoint Alert. Note that it will NOT match on Events - only alerts
+ * @param data
+ */
+export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] }): boolean => {
+  const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, data);
+
+  if (!isAlert) {
+    return false;
+  }
 
-export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] | null }) => {
   const findEndpointAlert = find({ field: 'agent.type' }, data)?.values;
   return findEndpointAlert ? findEndpointAlert[0] === 'endpoint' : false;
 };
diff --git a/.../plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/.../plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
@@ -95,7 +95,7 @@ const EventDetailsPanelComponent: React.FC<EventDetailsPanelProps> = ({
   const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, detailsData);
 
   const isEndpointAlert = useMemo(() => {
-    return endpointAlertCheck({ data: detailsData });
+    return endpointAlertCheck({ data: detailsData || [] });
   }, [detailsData]);
 
   const agentId = useMemo(() => {