From 9109fd5afed8197b328a8b21d1c8e241873c4b68 Mon Sep 17 00:00:00 2001 From: Konrad Szwarc Date: Mon, 20 Feb 2023 12:22:28 +0100 Subject: [PATCH] [Defend Workflows] Live queries with parameters on timelines' events (#151317) Closes https://github.com/elastic/security-team/issues/5999 ![test](https://user-images.githubusercontent.com/29123534/219058689-f2c423b8-b239-4ec0-b946-7b2e350749e3.gif) **BUG*** "Take action" > "Run osquery" on timeline event that is not an alert won't substitute params. **CAUSE** Lack of context connection in the component that carries `alertData` --- .../public/live_queries/form/index.tsx | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/osquery/public/live_queries/form/index.tsx b/x-pack/plugins/osquery/public/live_queries/form/index.tsx index 2449195300910..7868c1bb3a471 100644 --- a/x-pack/plugins/osquery/public/live_queries/form/index.tsx +++ b/x-pack/plugins/osquery/public/live_queries/form/index.tsx @@ -8,10 +8,14 @@ import { EuiButton, EuiButtonEmpty, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import type { ECSMapping } from '@kbn/osquery-io-ts-types'; -import React, { useCallback, useEffect, useMemo, useState } from 'react'; +import React, { useCallback, useContext, useEffect, useMemo, useState } from 'react'; import { useForm as useHookForm, FormProvider } from 'react-hook-form'; import { isEmpty, find, pickBy } from 'lodash'; +import { + containsDynamicQuery, + replaceParamsQuery, +} from '../../../common/utils/replace_params_query'; import { PLUGIN_NAME as OSQUERY_PLUGIN_NAME } from '../../../common'; import { QueryPackSelectable } from './query_pack_selectable'; import type { SavedQuerySOFormData } from '../../saved_queries/form/use_saved_query_form'; @@ -26,6 +30,7 @@ import { LiveQueryQueryField } from './live_query_query_field'; import { AgentsTableField } from './agents_table_field'; import { savedQueryDataSerializer } from '../../saved_queries/form/use_saved_query_form'; import { PackFieldWrapper } from '../../shared_components/osquery_response_action_type/pack_field_wrapper'; +import { AlertAttachmentContext } from '../../common/contexts'; export interface LiveQueryFormFields { alertIds?: string[]; @@ -66,6 +71,8 @@ const LiveQueryFormComponent: React.FC = ({ enabled = true, hideAgentsField = false, }) => { + const alertAttachmentContext = useContext(AlertAttachmentContext); + const { application, appName } = useKibana().services; const permissions = application.capabilities.osquery; const canRunPacks = useMemo( @@ -138,11 +145,17 @@ const LiveQueryFormComponent: React.FC = ({ const onSubmit = useCallback( async (values: LiveQueryFormFields) => { + // Temporary, frontend solution for params substitution. To be removed once alert_ids refactored in create_live_query_route + const query = + values.query && containsDynamicQuery(values.query) && alertAttachmentContext + ? replaceParamsQuery(values.query, alertAttachmentContext).result + : values.query; + const serializedData = pickBy( { agentSelection: values.agentSelection, saved_query_id: values.savedQueryId, - query: values.query, + query, alert_ids: values.alertIds, pack_id: values?.packId?.length ? values?.packId[0] : undefined, ecs_mapping: values.ecs_mapping, @@ -152,7 +165,7 @@ const LiveQueryFormComponent: React.FC = ({ await mutateAsync(serializedData); }, - [mutateAsync] + [alertAttachmentContext, mutateAsync] ); const serializedData: SavedQuerySOFormData = useMemo(